1 /* 2 * SSL/TLS interface functions for OpenSSL 3 * Copyright (c) 2004-2015, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 #ifdef CONFIG_TESTING_OPTIONS 11 #include <fcntl.h> 12 #endif /* CONFIG_TESTING_OPTIONS */ 13 14 #ifndef CONFIG_SMARTCARD 15 #ifndef OPENSSL_NO_ENGINE 16 #ifndef ANDROID 17 #define OPENSSL_NO_ENGINE 18 #endif 19 #endif 20 #endif 21 22 #ifndef OPENSSL_NO_ENGINE 23 /* OpenSSL 3.0 has moved away from the engine API */ 24 #define OPENSSL_SUPPRESS_DEPRECATED 25 #include <openssl/engine.h> 26 #endif /* OPENSSL_NO_ENGINE */ 27 #include <openssl/ssl.h> 28 #include <openssl/err.h> 29 #include <openssl/opensslv.h> 30 #include <openssl/pkcs12.h> 31 #include <openssl/x509v3.h> 32 #if OPENSSL_VERSION_NUMBER >= 0x30000000L 33 #include <openssl/core_names.h> 34 #include <openssl/decoder.h> 35 #include <openssl/param_build.h> 36 #include <openssl/store.h> 37 #include <openssl/provider.h> 38 #else /* OpenSSL version >= 3.0 */ 39 #ifndef OPENSSL_NO_DSA 40 #include <openssl/dsa.h> 41 #endif 42 #ifndef OPENSSL_NO_DH 43 #include <openssl/dh.h> 44 #endif 45 #endif /* OpenSSL version >= 3.0 */ 46 47 #include "common.h" 48 #include "utils/list.h" 49 #include "crypto.h" 50 #include "sha1.h" 51 #include "sha256.h" 52 #include "tls.h" 53 #include "tls_openssl.h" 54 55 #if !defined(CONFIG_FIPS) && \ 56 (defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || \ 57 defined(EAP_SERVER_FAST)) 58 #define OPENSSL_NEED_EAP_FAST_PRF 59 #endif 60 61 #if defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || \ 62 defined(EAP_SERVER_FAST) || defined(EAP_TEAP) || \ 63 defined(EAP_SERVER_TEAP) 64 #define EAP_FAST_OR_TEAP 65 #endif 66 67 68 #if defined(OPENSSL_IS_BORINGSSL) 69 /* stack_index_t is the return type of OpenSSL's sk_XXX_num() functions. */ 70 typedef size_t stack_index_t; 71 #else 72 typedef int stack_index_t; 73 #endif 74 75 #ifdef SSL_set_tlsext_status_type 76 #ifndef OPENSSL_NO_TLSEXT 77 #define HAVE_OCSP 78 #include <openssl/ocsp.h> 79 #endif /* OPENSSL_NO_TLSEXT */ 80 #endif /* SSL_set_tlsext_status_type */ 81 82 #if OPENSSL_VERSION_NUMBER < 0x10100000L && \ 83 !defined(BORINGSSL_API_VERSION) 84 /* 85 * SSL_get_client_random() and SSL_get_server_random() were added in OpenSSL 86 * 1.1.0 and newer BoringSSL revisions. Provide compatibility wrappers for 87 * older versions. 88 */ 89 SSL_get_client_random(const SSL * ssl,unsigned char * out,size_t outlen)90 static size_t SSL_get_client_random(const SSL *ssl, unsigned char *out, 91 size_t outlen) 92 { 93 if (!ssl->s3 || outlen < SSL3_RANDOM_SIZE) 94 return 0; 95 os_memcpy(out, ssl->s3->client_random, SSL3_RANDOM_SIZE); 96 return SSL3_RANDOM_SIZE; 97 } 98 99 SSL_get_server_random(const SSL * ssl,unsigned char * out,size_t outlen)100 static size_t SSL_get_server_random(const SSL *ssl, unsigned char *out, 101 size_t outlen) 102 { 103 if (!ssl->s3 || outlen < SSL3_RANDOM_SIZE) 104 return 0; 105 os_memcpy(out, ssl->s3->server_random, SSL3_RANDOM_SIZE); 106 return SSL3_RANDOM_SIZE; 107 } 108 109 110 #ifdef OPENSSL_NEED_EAP_FAST_PRF SSL_SESSION_get_master_key(const SSL_SESSION * session,unsigned char * out,size_t outlen)111 static size_t SSL_SESSION_get_master_key(const SSL_SESSION *session, 112 unsigned char *out, size_t outlen) 113 { 114 if (!session || session->master_key_length < 0 || 115 (size_t) session->master_key_length > outlen) 116 return 0; 117 if ((size_t) session->master_key_length < outlen) 118 outlen = session->master_key_length; 119 os_memcpy(out, session->master_key, outlen); 120 return outlen; 121 } 122 #endif /* OPENSSL_NEED_EAP_FAST_PRF */ 123 124 #endif 125 126 #if OPENSSL_VERSION_NUMBER < 0x10100000L ASN1_STRING_get0_data(const ASN1_STRING * x)127 static const unsigned char * ASN1_STRING_get0_data(const ASN1_STRING *x) 128 { 129 return ASN1_STRING_data((ASN1_STRING *) x); 130 } 131 #endif 132 133 #ifdef ANDROID 134 #include <openssl/pem.h> 135 #include <keystore/keystore_get.h> 136 BIO_from_keystore(const char * key)137 static BIO * BIO_from_keystore(const char *key) 138 { 139 BIO *bio = NULL; 140 uint8_t *value = NULL; 141 int length = keystore_get(key, strlen(key), &value); 142 if (length != -1 && (bio = BIO_new(BIO_s_mem())) != NULL) 143 BIO_write(bio, value, length); 144 free(value); 145 return bio; 146 } 147 148 tls_add_ca_from_keystore(X509_STORE * ctx,const char * key_alias)149 static int tls_add_ca_from_keystore(X509_STORE *ctx, const char *key_alias) 150 { 151 BIO *bio = BIO_from_keystore(key_alias); 152 STACK_OF(X509_INFO) *stack = NULL; 153 stack_index_t i; 154 155 if (bio) { 156 stack = PEM_X509_INFO_read_bio(bio, NULL, NULL, NULL); 157 BIO_free(bio); 158 } 159 160 if (!stack) { 161 wpa_printf(MSG_WARNING, "TLS: Failed to parse certificate: %s", 162 key_alias); 163 return -1; 164 } 165 166 for (i = 0; i < sk_X509_INFO_num(stack); ++i) { 167 X509_INFO *info = sk_X509_INFO_value(stack, i); 168 169 if (info->x509) 170 X509_STORE_add_cert(ctx, info->x509); 171 if (info->crl) 172 X509_STORE_add_crl(ctx, info->crl); 173 } 174 175 sk_X509_INFO_pop_free(stack, X509_INFO_free); 176 177 return 0; 178 } 179 180 tls_add_ca_from_keystore_encoded(X509_STORE * ctx,const char * encoded_key_alias)181 static int tls_add_ca_from_keystore_encoded(X509_STORE *ctx, 182 const char *encoded_key_alias) 183 { 184 int rc = -1; 185 int len = os_strlen(encoded_key_alias); 186 unsigned char *decoded_alias; 187 188 if (len & 1) { 189 wpa_printf(MSG_WARNING, "Invalid hex-encoded alias: %s", 190 encoded_key_alias); 191 return rc; 192 } 193 194 decoded_alias = os_malloc(len / 2 + 1); 195 if (decoded_alias) { 196 if (!hexstr2bin(encoded_key_alias, decoded_alias, len / 2)) { 197 decoded_alias[len / 2] = '\0'; 198 rc = tls_add_ca_from_keystore( 199 ctx, (const char *) decoded_alias); 200 } 201 os_free(decoded_alias); 202 } 203 204 return rc; 205 } 206 207 #endif /* ANDROID */ 208 209 static int tls_openssl_ref_count = 0; 210 static int tls_ex_idx_session = -1; 211 212 struct tls_session_data { 213 struct dl_list list; 214 struct wpabuf *buf; 215 }; 216 217 struct tls_context { 218 void (*event_cb)(void *ctx, enum tls_event ev, 219 union tls_event_data *data); 220 void *cb_ctx; 221 int cert_in_cb; 222 char *ocsp_stapling_response; 223 struct dl_list sessions; /* struct tls_session_data */ 224 }; 225 226 static struct tls_context *tls_global = NULL; 227 228 229 struct tls_data { 230 SSL_CTX *ssl; 231 unsigned int tls_session_lifetime; 232 int check_crl; 233 int check_crl_strict; 234 char *ca_cert; 235 unsigned int crl_reload_interval; 236 struct os_reltime crl_last_reload; 237 char *check_cert_subject; 238 char *openssl_ciphers; 239 }; 240 241 struct tls_connection { 242 struct tls_context *context; 243 struct tls_data *data; 244 SSL_CTX *ssl_ctx; 245 SSL *ssl; 246 BIO *ssl_in, *ssl_out; 247 #if defined(ANDROID) || !defined(OPENSSL_NO_ENGINE) 248 ENGINE *engine; /* functional reference to the engine */ 249 #endif /* OPENSSL_NO_ENGINE */ 250 EVP_PKEY *private_key; /* the private key if using engine/provider */ 251 char *subject_match, *altsubject_match, *suffix_match, *domain_match; 252 char *check_cert_subject; 253 int read_alerts, write_alerts, failed; 254 255 tls_session_ticket_cb session_ticket_cb; 256 void *session_ticket_cb_ctx; 257 258 /* SessionTicket received from OpenSSL hello_extension_cb (server) */ 259 u8 *session_ticket; 260 size_t session_ticket_len; 261 262 unsigned int ca_cert_verify:1; 263 unsigned int cert_probe:1; 264 unsigned int server_cert_only:1; 265 unsigned int invalid_hb_used:1; 266 unsigned int success_data:1; 267 unsigned int client_hello_generated:1; 268 unsigned int server:1; 269 270 u8 srv_cert_hash[32]; 271 272 unsigned int flags; 273 274 X509 *peer_cert; 275 X509 *peer_issuer; 276 X509 *peer_issuer_issuer; 277 char *peer_subject; /* peer subject info for authenticated peer */ 278 279 unsigned char client_random[SSL3_RANDOM_SIZE]; 280 unsigned char server_random[SSL3_RANDOM_SIZE]; 281 282 u16 cipher_suite; 283 int server_dh_prime_len; 284 }; 285 286 tls_context_new(const struct tls_config * conf)287 static struct tls_context * tls_context_new(const struct tls_config *conf) 288 { 289 struct tls_context *context = os_zalloc(sizeof(*context)); 290 if (context == NULL) 291 return NULL; 292 dl_list_init(&context->sessions); 293 if (conf) { 294 context->event_cb = conf->event_cb; 295 context->cb_ctx = conf->cb_ctx; 296 context->cert_in_cb = conf->cert_in_cb; 297 } 298 return context; 299 } 300 301 302 #ifdef CONFIG_NO_STDOUT_DEBUG 303 _tls_show_errors(void)304 static void _tls_show_errors(void) 305 { 306 unsigned long err; 307 308 while ((err = ERR_get_error())) { 309 /* Just ignore the errors, since stdout is disabled */ 310 } 311 } 312 #define tls_show_errors(l, f, t) _tls_show_errors() 313 314 #else /* CONFIG_NO_STDOUT_DEBUG */ 315 tls_show_errors(int level,const char * func,const char * txt)316 static void tls_show_errors(int level, const char *func, const char *txt) 317 { 318 unsigned long err; 319 320 wpa_printf(level, "OpenSSL: %s - %s %s", 321 func, txt, ERR_error_string(ERR_get_error(), NULL)); 322 323 while ((err = ERR_get_error())) { 324 wpa_printf(MSG_INFO, "OpenSSL: pending error: %s", 325 ERR_error_string(err, NULL)); 326 } 327 } 328 329 #endif /* CONFIG_NO_STDOUT_DEBUG */ 330 331 tls_crl_cert_reload(const char * ca_cert,int check_crl)332 static X509_STORE * tls_crl_cert_reload(const char *ca_cert, int check_crl) 333 { 334 int flags; 335 X509_STORE *store; 336 337 store = X509_STORE_new(); 338 if (!store) { 339 wpa_printf(MSG_DEBUG, 340 "OpenSSL: %s - failed to allocate new certificate store", 341 __func__); 342 return NULL; 343 } 344 345 if (ca_cert && X509_STORE_load_locations(store, ca_cert, NULL) != 1) { 346 tls_show_errors(MSG_WARNING, __func__, 347 "Failed to load root certificates"); 348 X509_STORE_free(store); 349 return NULL; 350 } 351 352 flags = check_crl ? X509_V_FLAG_CRL_CHECK : 0; 353 if (check_crl == 2) 354 flags |= X509_V_FLAG_CRL_CHECK_ALL; 355 356 X509_STORE_set_flags(store, flags); 357 358 return store; 359 } 360 361 362 #ifdef OPENSSL_NO_ENGINE 363 364 #if OPENSSL_VERSION_NUMBER >= 0x30000000L 365 static OSSL_PROVIDER *openssl_pkcs11_provider = NULL; 366 #endif /* OpenSSL version >= 3.0 */ 367 openssl_load_pkcs11_provider(void)368 static void openssl_load_pkcs11_provider(void) 369 { 370 #if OPENSSL_VERSION_NUMBER >= 0x30000000L 371 if (openssl_pkcs11_provider) 372 return; 373 374 openssl_pkcs11_provider = OSSL_PROVIDER_try_load(NULL, "pkcs11", 1); 375 if (!openssl_pkcs11_provider) 376 wpa_printf(MSG_WARNING, "PKCS11 provider not present"); 377 #endif /* OpenSSL version >= 3.0 */ 378 } 379 380 openssl_unload_pkcs11_provider(void)381 static void openssl_unload_pkcs11_provider(void) 382 { 383 #if OPENSSL_VERSION_NUMBER >= 0x30000000L 384 if (openssl_pkcs11_provider) { 385 OSSL_PROVIDER_unload(openssl_pkcs11_provider); 386 openssl_pkcs11_provider = NULL; 387 } 388 #endif /* OpenSSL version >= 3.0 */ 389 } 390 391 openssl_can_use_provider(const char * engine_id,const char * req)392 static bool openssl_can_use_provider(const char *engine_id, const char *req) 393 { 394 #if OPENSSL_VERSION_NUMBER >= 0x30000000L 395 if (!os_strcmp(engine_id, "pkcs11") && openssl_pkcs11_provider) 396 return true; 397 398 wpa_printf(MSG_ERROR, 399 "Cannot find OpenSSL provider for '%s' (missing '%s')", 400 req, engine_id); 401 #endif /* OpenSSL version >= 3.0 */ 402 return false; 403 } 404 405 provider_load_key(const char * uri)406 static EVP_PKEY * provider_load_key(const char *uri) 407 { 408 #if OPENSSL_VERSION_NUMBER >= 0x30000000L 409 OSSL_STORE_CTX *store; 410 OSSL_STORE_INFO *info; 411 EVP_PKEY *key = NULL; 412 413 if (!uri) { 414 tls_show_errors(MSG_ERROR, __func__, 415 "Invalid NULL uri for key"); 416 goto err_key; 417 } 418 419 store = OSSL_STORE_open(uri, NULL, NULL, NULL, NULL); 420 if (!store) { 421 wpa_printf(MSG_DEBUG, "Bad uri for private key:%s", uri); 422 423 tls_show_errors(MSG_ERROR, __func__, 424 "Failed to open key store"); 425 goto err_key; 426 } 427 428 if (os_strncmp(uri, "pkcs11:", 7) && 429 os_strstr(uri, "type=private") == NULL) { 430 /* This is a workaround for OpenSSL < 3.2.0 where the code fails 431 * to correctly source public keys unless explicitly requested 432 * via an expect hint. */ 433 if (OSSL_STORE_expect(store, OSSL_STORE_INFO_PUBKEY) != 1) { 434 tls_show_errors(MSG_ERROR, __func__, 435 "Failed to expect Public Key File"); 436 goto err_store; 437 } 438 } 439 440 while (!OSSL_STORE_eof(store)) { 441 info = OSSL_STORE_load(store); 442 if ((OSSL_STORE_INFO_get_type(info)) == OSSL_STORE_INFO_PKEY) 443 key = OSSL_STORE_INFO_get1_PKEY(info); 444 445 OSSL_STORE_INFO_free(info); 446 if (key) 447 break; 448 } 449 450 err_store: 451 OSSL_STORE_close(store); 452 err_key: 453 if (!key) 454 wpa_printf(MSG_ERROR, "OpenSSL: Failed to load key from URI"); 455 456 return key; 457 #else /* OpenSSL version >= 3.0 */ 458 return NULL; 459 #endif /* OpenSSL version >= 3.0 */ 460 } 461 462 provider_load_cert(const char * cert_id)463 static X509 * provider_load_cert(const char *cert_id) 464 { 465 #if OPENSSL_VERSION_NUMBER >= 0x30000000L 466 OSSL_STORE_CTX *store; 467 OSSL_STORE_INFO *info; 468 X509 *cert = NULL; 469 470 if (!cert_id) { 471 tls_show_errors(MSG_ERROR, __func__, "Invalid NULL uri"); 472 goto err_cert; 473 } 474 475 store = OSSL_STORE_open(cert_id, NULL, NULL, NULL, NULL); 476 if (!store) { 477 tls_show_errors(MSG_ERROR, __func__, "Failed to open store"); 478 goto err_cert; 479 } 480 481 while (!OSSL_STORE_eof(store)) { 482 info = OSSL_STORE_load(store); 483 if ((OSSL_STORE_INFO_get_type(info)) == OSSL_STORE_INFO_CERT) 484 cert = OSSL_STORE_INFO_get1_CERT(info); 485 486 OSSL_STORE_INFO_free(info); 487 if (cert) 488 break; 489 } 490 OSSL_STORE_close(store); 491 492 err_cert: 493 if (!cert) 494 tls_show_errors(MSG_ERROR, __func__, 495 "Failed to load cert from URI"); 496 return cert; 497 #else /* OpenSSL version >= 3.0 */ 498 return NULL; 499 #endif /* OpenSSL version >= 3.0 */ 500 } 501 502 #endif /* OPENSSL_NO_ENGINE */ 503 504 505 #ifdef CONFIG_NATIVE_WINDOWS 506 507 /* Windows CryptoAPI and access to certificate stores */ 508 #include <wincrypt.h> 509 510 #ifdef __MINGW32_VERSION 511 /* 512 * MinGW does not yet include all the needed definitions for CryptoAPI, so 513 * define here whatever extra is needed. 514 */ 515 #define CERT_SYSTEM_STORE_CURRENT_USER (1 << 16) 516 #define CERT_STORE_READONLY_FLAG 0x00008000 517 #define CERT_STORE_OPEN_EXISTING_FLAG 0x00004000 518 519 #endif /* __MINGW32_VERSION */ 520 521 522 struct cryptoapi_rsa_data { 523 const CERT_CONTEXT *cert; 524 HCRYPTPROV crypt_prov; 525 DWORD key_spec; 526 BOOL free_crypt_prov; 527 }; 528 529 cryptoapi_error(const char * msg)530 static void cryptoapi_error(const char *msg) 531 { 532 wpa_printf(MSG_INFO, "CryptoAPI: %s; err=%u", 533 msg, (unsigned int) GetLastError()); 534 } 535 536 cryptoapi_rsa_pub_enc(int flen,const unsigned char * from,unsigned char * to,RSA * rsa,int padding)537 static int cryptoapi_rsa_pub_enc(int flen, const unsigned char *from, 538 unsigned char *to, RSA *rsa, int padding) 539 { 540 wpa_printf(MSG_DEBUG, "%s - not implemented", __func__); 541 return 0; 542 } 543 544 cryptoapi_rsa_pub_dec(int flen,const unsigned char * from,unsigned char * to,RSA * rsa,int padding)545 static int cryptoapi_rsa_pub_dec(int flen, const unsigned char *from, 546 unsigned char *to, RSA *rsa, int padding) 547 { 548 wpa_printf(MSG_DEBUG, "%s - not implemented", __func__); 549 return 0; 550 } 551 552 cryptoapi_rsa_priv_enc(int flen,const unsigned char * from,unsigned char * to,RSA * rsa,int padding)553 static int cryptoapi_rsa_priv_enc(int flen, const unsigned char *from, 554 unsigned char *to, RSA *rsa, int padding) 555 { 556 struct cryptoapi_rsa_data *priv = 557 (struct cryptoapi_rsa_data *) rsa->meth->app_data; 558 HCRYPTHASH hash; 559 DWORD hash_size, len, i; 560 unsigned char *buf = NULL; 561 int ret = 0; 562 563 if (priv == NULL) { 564 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, 565 ERR_R_PASSED_NULL_PARAMETER); 566 return 0; 567 } 568 569 if (padding != RSA_PKCS1_PADDING) { 570 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, 571 RSA_R_UNKNOWN_PADDING_TYPE); 572 return 0; 573 } 574 575 if (flen != 16 /* MD5 */ + 20 /* SHA-1 */) { 576 wpa_printf(MSG_INFO, "%s - only MD5-SHA1 hash supported", 577 __func__); 578 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, 579 RSA_R_INVALID_MESSAGE_LENGTH); 580 return 0; 581 } 582 583 if (!CryptCreateHash(priv->crypt_prov, CALG_SSL3_SHAMD5, 0, 0, &hash)) 584 { 585 cryptoapi_error("CryptCreateHash failed"); 586 return 0; 587 } 588 589 len = sizeof(hash_size); 590 if (!CryptGetHashParam(hash, HP_HASHSIZE, (BYTE *) &hash_size, &len, 591 0)) { 592 cryptoapi_error("CryptGetHashParam failed"); 593 goto err; 594 } 595 596 if ((int) hash_size != flen) { 597 wpa_printf(MSG_INFO, "CryptoAPI: Invalid hash size (%u != %d)", 598 (unsigned) hash_size, flen); 599 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, 600 RSA_R_INVALID_MESSAGE_LENGTH); 601 goto err; 602 } 603 if (!CryptSetHashParam(hash, HP_HASHVAL, (BYTE * ) from, 0)) { 604 cryptoapi_error("CryptSetHashParam failed"); 605 goto err; 606 } 607 608 len = RSA_size(rsa); 609 buf = os_malloc(len); 610 if (buf == NULL) { 611 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE); 612 goto err; 613 } 614 615 if (!CryptSignHash(hash, priv->key_spec, NULL, 0, buf, &len)) { 616 cryptoapi_error("CryptSignHash failed"); 617 goto err; 618 } 619 620 for (i = 0; i < len; i++) 621 to[i] = buf[len - i - 1]; 622 ret = len; 623 624 err: 625 os_free(buf); 626 CryptDestroyHash(hash); 627 628 return ret; 629 } 630 631 cryptoapi_rsa_priv_dec(int flen,const unsigned char * from,unsigned char * to,RSA * rsa,int padding)632 static int cryptoapi_rsa_priv_dec(int flen, const unsigned char *from, 633 unsigned char *to, RSA *rsa, int padding) 634 { 635 wpa_printf(MSG_DEBUG, "%s - not implemented", __func__); 636 return 0; 637 } 638 639 cryptoapi_free_data(struct cryptoapi_rsa_data * priv)640 static void cryptoapi_free_data(struct cryptoapi_rsa_data *priv) 641 { 642 if (priv == NULL) 643 return; 644 if (priv->crypt_prov && priv->free_crypt_prov) 645 CryptReleaseContext(priv->crypt_prov, 0); 646 if (priv->cert) 647 CertFreeCertificateContext(priv->cert); 648 os_free(priv); 649 } 650 651 cryptoapi_finish(RSA * rsa)652 static int cryptoapi_finish(RSA *rsa) 653 { 654 cryptoapi_free_data((struct cryptoapi_rsa_data *) rsa->meth->app_data); 655 os_free((void *) rsa->meth); 656 rsa->meth = NULL; 657 return 1; 658 } 659 660 cryptoapi_find_cert(const char * name,DWORD store)661 static const CERT_CONTEXT * cryptoapi_find_cert(const char *name, DWORD store) 662 { 663 HCERTSTORE cs; 664 const CERT_CONTEXT *ret = NULL; 665 666 cs = CertOpenStore((LPCSTR) CERT_STORE_PROV_SYSTEM, 0, 0, 667 store | CERT_STORE_OPEN_EXISTING_FLAG | 668 CERT_STORE_READONLY_FLAG, L"MY"); 669 if (cs == NULL) { 670 cryptoapi_error("Failed to open 'My system store'"); 671 return NULL; 672 } 673 674 if (strncmp(name, "cert://", 7) == 0) { 675 unsigned short wbuf[255]; 676 MultiByteToWideChar(CP_ACP, 0, name + 7, -1, wbuf, 255); 677 ret = CertFindCertificateInStore(cs, X509_ASN_ENCODING | 678 PKCS_7_ASN_ENCODING, 679 0, CERT_FIND_SUBJECT_STR, 680 wbuf, NULL); 681 } else if (strncmp(name, "hash://", 7) == 0) { 682 CRYPT_HASH_BLOB blob; 683 int len; 684 const char *hash = name + 7; 685 unsigned char *buf; 686 687 len = os_strlen(hash) / 2; 688 buf = os_malloc(len); 689 if (buf && hexstr2bin(hash, buf, len) == 0) { 690 blob.cbData = len; 691 blob.pbData = buf; 692 ret = CertFindCertificateInStore(cs, 693 X509_ASN_ENCODING | 694 PKCS_7_ASN_ENCODING, 695 0, CERT_FIND_HASH, 696 &blob, NULL); 697 } 698 os_free(buf); 699 } 700 701 CertCloseStore(cs, 0); 702 703 return ret; 704 } 705 706 tls_cryptoapi_cert(SSL * ssl,const char * name)707 static int tls_cryptoapi_cert(SSL *ssl, const char *name) 708 { 709 X509 *cert = NULL; 710 RSA *rsa = NULL, *pub_rsa; 711 struct cryptoapi_rsa_data *priv; 712 RSA_METHOD *rsa_meth; 713 714 if (name == NULL || 715 (strncmp(name, "cert://", 7) != 0 && 716 strncmp(name, "hash://", 7) != 0)) 717 return -1; 718 719 priv = os_zalloc(sizeof(*priv)); 720 rsa_meth = os_zalloc(sizeof(*rsa_meth)); 721 if (priv == NULL || rsa_meth == NULL) { 722 wpa_printf(MSG_WARNING, "CryptoAPI: Failed to allocate memory " 723 "for CryptoAPI RSA method"); 724 os_free(priv); 725 os_free(rsa_meth); 726 return -1; 727 } 728 729 priv->cert = cryptoapi_find_cert(name, CERT_SYSTEM_STORE_CURRENT_USER); 730 if (priv->cert == NULL) { 731 priv->cert = cryptoapi_find_cert( 732 name, CERT_SYSTEM_STORE_LOCAL_MACHINE); 733 } 734 if (priv->cert == NULL) { 735 wpa_printf(MSG_INFO, "CryptoAPI: Could not find certificate " 736 "'%s'", name); 737 goto err; 738 } 739 740 cert = d2i_X509(NULL, 741 (const unsigned char **) &priv->cert->pbCertEncoded, 742 priv->cert->cbCertEncoded); 743 if (cert == NULL) { 744 wpa_printf(MSG_INFO, "CryptoAPI: Could not process X509 DER " 745 "encoding"); 746 goto err; 747 } 748 749 if (!CryptAcquireCertificatePrivateKey(priv->cert, 750 CRYPT_ACQUIRE_COMPARE_KEY_FLAG, 751 NULL, &priv->crypt_prov, 752 &priv->key_spec, 753 &priv->free_crypt_prov)) { 754 cryptoapi_error("Failed to acquire a private key for the " 755 "certificate"); 756 goto err; 757 } 758 759 rsa_meth->name = "Microsoft CryptoAPI RSA Method"; 760 rsa_meth->rsa_pub_enc = cryptoapi_rsa_pub_enc; 761 rsa_meth->rsa_pub_dec = cryptoapi_rsa_pub_dec; 762 rsa_meth->rsa_priv_enc = cryptoapi_rsa_priv_enc; 763 rsa_meth->rsa_priv_dec = cryptoapi_rsa_priv_dec; 764 rsa_meth->finish = cryptoapi_finish; 765 rsa_meth->flags = RSA_METHOD_FLAG_NO_CHECK; 766 rsa_meth->app_data = (char *) priv; 767 768 rsa = RSA_new(); 769 if (rsa == NULL) { 770 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, 771 ERR_R_MALLOC_FAILURE); 772 goto err; 773 } 774 775 if (!SSL_use_certificate(ssl, cert)) { 776 RSA_free(rsa); 777 rsa = NULL; 778 goto err; 779 } 780 pub_rsa = cert->cert_info->key->pkey->pkey.rsa; 781 X509_free(cert); 782 cert = NULL; 783 784 rsa->n = BN_dup(pub_rsa->n); 785 rsa->e = BN_dup(pub_rsa->e); 786 if (!RSA_set_method(rsa, rsa_meth)) 787 goto err; 788 789 if (!SSL_use_RSAPrivateKey(ssl, rsa)) 790 goto err; 791 RSA_free(rsa); 792 793 return 0; 794 795 err: 796 if (cert) 797 X509_free(cert); 798 if (rsa) 799 RSA_free(rsa); 800 else { 801 os_free(rsa_meth); 802 cryptoapi_free_data(priv); 803 } 804 return -1; 805 } 806 807 tls_cryptoapi_ca_cert(SSL_CTX * ssl_ctx,SSL * ssl,const char * name)808 static int tls_cryptoapi_ca_cert(SSL_CTX *ssl_ctx, SSL *ssl, const char *name) 809 { 810 HCERTSTORE cs; 811 PCCERT_CONTEXT ctx = NULL; 812 X509 *cert; 813 char buf[128]; 814 const char *store; 815 #ifdef UNICODE 816 WCHAR *wstore; 817 #endif /* UNICODE */ 818 819 if (name == NULL || strncmp(name, "cert_store://", 13) != 0) 820 return -1; 821 822 store = name + 13; 823 #ifdef UNICODE 824 wstore = os_malloc((os_strlen(store) + 1) * sizeof(WCHAR)); 825 if (wstore == NULL) 826 return -1; 827 wsprintf(wstore, L"%S", store); 828 cs = CertOpenSystemStore(0, wstore); 829 os_free(wstore); 830 #else /* UNICODE */ 831 cs = CertOpenSystemStore(0, store); 832 #endif /* UNICODE */ 833 if (cs == NULL) { 834 wpa_printf(MSG_DEBUG, "%s: failed to open system cert store " 835 "'%s': error=%d", __func__, store, 836 (int) GetLastError()); 837 return -1; 838 } 839 840 while ((ctx = CertEnumCertificatesInStore(cs, ctx))) { 841 cert = d2i_X509(NULL, 842 (const unsigned char **) &ctx->pbCertEncoded, 843 ctx->cbCertEncoded); 844 if (cert == NULL) { 845 wpa_printf(MSG_INFO, "CryptoAPI: Could not process " 846 "X509 DER encoding for CA cert"); 847 continue; 848 } 849 850 X509_NAME_oneline(X509_get_subject_name(cert), buf, 851 sizeof(buf)); 852 wpa_printf(MSG_DEBUG, "OpenSSL: Loaded CA certificate for " 853 "system certificate store: subject='%s'", buf); 854 855 if (!X509_STORE_add_cert(SSL_CTX_get_cert_store(ssl_ctx), 856 cert)) { 857 tls_show_errors(MSG_WARNING, __func__, 858 "Failed to add ca_cert to OpenSSL " 859 "certificate store"); 860 } 861 862 X509_free(cert); 863 } 864 865 if (!CertCloseStore(cs, 0)) { 866 wpa_printf(MSG_DEBUG, "%s: failed to close system cert store " 867 "'%s': error=%d", __func__, name + 13, 868 (int) GetLastError()); 869 } 870 871 return 0; 872 } 873 874 875 #else /* CONFIG_NATIVE_WINDOWS */ 876 tls_cryptoapi_cert(SSL * ssl,const char * name)877 static int tls_cryptoapi_cert(SSL *ssl, const char *name) 878 { 879 return -1; 880 } 881 882 #endif /* CONFIG_NATIVE_WINDOWS */ 883 884 ssl_info_cb(const SSL * ssl,int where,int ret)885 static void ssl_info_cb(const SSL *ssl, int where, int ret) 886 { 887 const char *str; 888 int w; 889 890 wpa_printf(MSG_DEBUG, "SSL: (where=0x%x ret=0x%x)", where, ret); 891 w = where & ~SSL_ST_MASK; 892 if (w & SSL_ST_CONNECT) 893 str = "SSL_connect"; 894 else if (w & SSL_ST_ACCEPT) 895 str = "SSL_accept"; 896 else 897 str = "undefined"; 898 899 if (where & SSL_CB_LOOP) { 900 wpa_printf(MSG_DEBUG, "SSL: %s:%s", 901 str, SSL_state_string_long(ssl)); 902 } else if (where & SSL_CB_ALERT) { 903 struct tls_connection *conn = SSL_get_app_data((SSL *) ssl); 904 wpa_printf(MSG_INFO, "SSL: SSL3 alert: %s:%s:%s", 905 where & SSL_CB_READ ? 906 "read (remote end reported an error)" : 907 "write (local SSL3 detected an error)", 908 SSL_alert_type_string_long(ret), 909 SSL_alert_desc_string_long(ret)); 910 if ((ret >> 8) == SSL3_AL_FATAL) { 911 if (where & SSL_CB_READ) 912 conn->read_alerts++; 913 else 914 conn->write_alerts++; 915 } 916 if (conn->context->event_cb != NULL) { 917 union tls_event_data ev; 918 struct tls_context *context = conn->context; 919 os_memset(&ev, 0, sizeof(ev)); 920 ev.alert.is_local = !(where & SSL_CB_READ); 921 ev.alert.type = SSL_alert_type_string_long(ret); 922 ev.alert.description = SSL_alert_desc_string_long(ret); 923 context->event_cb(context->cb_ctx, TLS_ALERT, &ev); 924 } 925 } else if (where & SSL_CB_EXIT && ret <= 0) { 926 wpa_printf(MSG_DEBUG, "SSL: %s:%s in %s", 927 str, ret == 0 ? "failed" : "error", 928 SSL_state_string_long(ssl)); 929 } 930 } 931 932 933 #ifndef OPENSSL_NO_ENGINE 934 /** 935 * tls_engine_load_dynamic_generic - load any openssl engine 936 * @pre: an array of commands and values that load an engine initialized 937 * in the engine specific function 938 * @post: an array of commands and values that initialize an already loaded 939 * engine (or %NULL if not required) 940 * @id: the engine id of the engine to load (only required if post is not %NULL 941 * 942 * This function is a generic function that loads any openssl engine. 943 * 944 * Returns: 0 on success, -1 on failure 945 */ tls_engine_load_dynamic_generic(const char * pre[],const char * post[],const char * id)946 static int tls_engine_load_dynamic_generic(const char *pre[], 947 const char *post[], const char *id) 948 { 949 ENGINE *engine; 950 const char *dynamic_id = "dynamic"; 951 952 engine = ENGINE_by_id(id); 953 if (engine) { 954 wpa_printf(MSG_DEBUG, "ENGINE: engine '%s' is already " 955 "available", id); 956 /* 957 * If it was auto-loaded by ENGINE_by_id() we might still 958 * need to tell it which PKCS#11 module to use in legacy 959 * (non-p11-kit) environments. Do so now; even if it was 960 * properly initialised before, setting it again will be 961 * harmless. 962 */ 963 goto found; 964 } 965 ERR_clear_error(); 966 967 engine = ENGINE_by_id(dynamic_id); 968 if (engine == NULL) { 969 wpa_printf(MSG_INFO, "ENGINE: Can't find engine %s [%s]", 970 dynamic_id, 971 ERR_error_string(ERR_get_error(), NULL)); 972 return -1; 973 } 974 975 /* Perform the pre commands. This will load the engine. */ 976 while (pre && pre[0]) { 977 wpa_printf(MSG_DEBUG, "ENGINE: '%s' '%s'", pre[0], pre[1]); 978 if (ENGINE_ctrl_cmd_string(engine, pre[0], pre[1], 0) == 0) { 979 wpa_printf(MSG_INFO, "ENGINE: ctrl cmd_string failed: " 980 "%s %s [%s]", pre[0], pre[1], 981 ERR_error_string(ERR_get_error(), NULL)); 982 ENGINE_free(engine); 983 return -1; 984 } 985 pre += 2; 986 } 987 988 /* 989 * Free the reference to the "dynamic" engine. The loaded engine can 990 * now be looked up using ENGINE_by_id(). 991 */ 992 ENGINE_free(engine); 993 994 engine = ENGINE_by_id(id); 995 if (engine == NULL) { 996 wpa_printf(MSG_INFO, "ENGINE: Can't find engine %s [%s]", 997 id, ERR_error_string(ERR_get_error(), NULL)); 998 return -1; 999 } 1000 found: 1001 while (post && post[0]) { 1002 wpa_printf(MSG_DEBUG, "ENGINE: '%s' '%s'", post[0], post[1]); 1003 if (ENGINE_ctrl_cmd_string(engine, post[0], post[1], 0) == 0) { 1004 wpa_printf(MSG_DEBUG, "ENGINE: ctrl cmd_string failed:" 1005 " %s %s [%s]", post[0], post[1], 1006 ERR_error_string(ERR_get_error(), NULL)); 1007 ENGINE_remove(engine); 1008 ENGINE_free(engine); 1009 return -1; 1010 } 1011 post += 2; 1012 } 1013 ENGINE_free(engine); 1014 1015 return 0; 1016 } 1017 1018 1019 /** 1020 * tls_engine_load_dynamic_pkcs11 - load the pkcs11 engine provided by opensc 1021 * @pkcs11_so_path: pksc11_so_path from the configuration 1022 * @pcks11_module_path: pkcs11_module_path from the configuration 1023 */ tls_engine_load_dynamic_pkcs11(const char * pkcs11_so_path,const char * pkcs11_module_path)1024 static int tls_engine_load_dynamic_pkcs11(const char *pkcs11_so_path, 1025 const char *pkcs11_module_path) 1026 { 1027 char *engine_id = "pkcs11"; 1028 const char *pre_cmd[] = { 1029 "SO_PATH", NULL /* pkcs11_so_path */, 1030 "ID", NULL /* engine_id */, 1031 "LIST_ADD", "1", 1032 /* "NO_VCHECK", "1", */ 1033 "LOAD", NULL, 1034 NULL, NULL 1035 }; 1036 const char *post_cmd[] = { 1037 "MODULE_PATH", NULL /* pkcs11_module_path */, 1038 NULL, NULL 1039 }; 1040 1041 if (!pkcs11_so_path) 1042 return 0; 1043 1044 pre_cmd[1] = pkcs11_so_path; 1045 pre_cmd[3] = engine_id; 1046 if (pkcs11_module_path) 1047 post_cmd[1] = pkcs11_module_path; 1048 else 1049 post_cmd[0] = NULL; 1050 1051 wpa_printf(MSG_DEBUG, "ENGINE: Loading pkcs11 Engine from %s", 1052 pkcs11_so_path); 1053 1054 return tls_engine_load_dynamic_generic(pre_cmd, post_cmd, engine_id); 1055 } 1056 1057 1058 /** 1059 * tls_engine_load_dynamic_opensc - load the opensc engine provided by opensc 1060 * @opensc_so_path: opensc_so_path from the configuration 1061 */ tls_engine_load_dynamic_opensc(const char * opensc_so_path)1062 static int tls_engine_load_dynamic_opensc(const char *opensc_so_path) 1063 { 1064 char *engine_id = "opensc"; 1065 const char *pre_cmd[] = { 1066 "SO_PATH", NULL /* opensc_so_path */, 1067 "ID", NULL /* engine_id */, 1068 "LIST_ADD", "1", 1069 "LOAD", NULL, 1070 NULL, NULL 1071 }; 1072 1073 if (!opensc_so_path) 1074 return 0; 1075 1076 pre_cmd[1] = opensc_so_path; 1077 pre_cmd[3] = engine_id; 1078 1079 wpa_printf(MSG_DEBUG, "ENGINE: Loading OpenSC Engine from %s", 1080 opensc_so_path); 1081 1082 return tls_engine_load_dynamic_generic(pre_cmd, NULL, engine_id); 1083 } 1084 #endif /* OPENSSL_NO_ENGINE */ 1085 1086 get_session_data(struct tls_context * context,const struct wpabuf * buf)1087 static struct tls_session_data * get_session_data(struct tls_context *context, 1088 const struct wpabuf *buf) 1089 { 1090 struct tls_session_data *data; 1091 1092 dl_list_for_each(data, &context->sessions, struct tls_session_data, 1093 list) { 1094 if (data->buf == buf) 1095 return data; 1096 } 1097 1098 return NULL; 1099 } 1100 1101 remove_session_cb(SSL_CTX * ctx,SSL_SESSION * sess)1102 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess) 1103 { 1104 struct wpabuf *buf; 1105 struct tls_context *context; 1106 struct tls_session_data *found; 1107 1108 wpa_printf(MSG_DEBUG, 1109 "OpenSSL: Remove session %p (tls_ex_idx_session=%d)", sess, 1110 tls_ex_idx_session); 1111 1112 if (tls_ex_idx_session < 0) 1113 return; 1114 buf = SSL_SESSION_get_ex_data(sess, tls_ex_idx_session); 1115 if (!buf) 1116 return; 1117 1118 context = SSL_CTX_get_app_data(ctx); 1119 SSL_SESSION_set_ex_data(sess, tls_ex_idx_session, NULL); 1120 found = get_session_data(context, buf); 1121 if (!found) { 1122 wpa_printf(MSG_DEBUG, 1123 "OpenSSL: Do not free application session data %p (sess %p)", 1124 buf, sess); 1125 return; 1126 } 1127 1128 dl_list_del(&found->list); 1129 os_free(found); 1130 wpa_printf(MSG_DEBUG, 1131 "OpenSSL: Free application session data %p (sess %p)", 1132 buf, sess); 1133 wpabuf_free(buf); 1134 } 1135 1136 tls_init(const struct tls_config * conf)1137 void * tls_init(const struct tls_config *conf) 1138 { 1139 struct tls_data *data; 1140 SSL_CTX *ssl; 1141 struct tls_context *context; 1142 const char *ciphers; 1143 #ifndef OPENSSL_NO_ENGINE 1144 #ifdef CONFIG_OPENSC_ENGINE_PATH 1145 char const * const opensc_engine_path = CONFIG_OPENSC_ENGINE_PATH; 1146 #else /* CONFIG_OPENSC_ENGINE_PATH */ 1147 char const * const opensc_engine_path = 1148 conf ? conf->opensc_engine_path : NULL; 1149 #endif /* CONFIG_OPENSC_ENGINE_PATH */ 1150 #ifdef CONFIG_PKCS11_ENGINE_PATH 1151 char const * const pkcs11_engine_path = CONFIG_PKCS11_ENGINE_PATH; 1152 #else /* CONFIG_PKCS11_ENGINE_PATH */ 1153 char const * const pkcs11_engine_path = 1154 conf ? conf->pkcs11_engine_path : NULL; 1155 #endif /* CONFIG_PKCS11_ENGINE_PATH */ 1156 #ifdef CONFIG_PKCS11_MODULE_PATH 1157 char const * const pkcs11_module_path = CONFIG_PKCS11_MODULE_PATH; 1158 #else /* CONFIG_PKCS11_MODULE_PATH */ 1159 char const * const pkcs11_module_path = 1160 conf ? conf->pkcs11_module_path : NULL; 1161 #endif /* CONFIG_PKCS11_MODULE_PATH */ 1162 #endif /* OPENSSL_NO_ENGINE */ 1163 1164 if (tls_openssl_ref_count == 0) { 1165 void openssl_load_legacy_provider(void); 1166 1167 openssl_load_legacy_provider(); 1168 #ifdef OPENSSL_NO_ENGINE 1169 openssl_load_pkcs11_provider(); 1170 #endif /* OPENSSL_NO_ENGINE */ 1171 1172 tls_global = context = tls_context_new(conf); 1173 if (context == NULL) 1174 return NULL; 1175 #ifdef CONFIG_FIPS 1176 #ifdef OPENSSL_FIPS 1177 if (conf && conf->fips_mode) { 1178 static int fips_enabled = 0; 1179 1180 if (!fips_enabled && !FIPS_mode_set(1)) { 1181 wpa_printf(MSG_ERROR, "Failed to enable FIPS " 1182 "mode"); 1183 ERR_load_crypto_strings(); 1184 ERR_print_errors_fp(stderr); 1185 os_free(tls_global); 1186 tls_global = NULL; 1187 return NULL; 1188 } else { 1189 wpa_printf(MSG_INFO, "Running in FIPS mode"); 1190 fips_enabled = 1; 1191 } 1192 } 1193 #else /* OPENSSL_FIPS */ 1194 if (conf && conf->fips_mode) { 1195 wpa_printf(MSG_ERROR, "FIPS mode requested, but not " 1196 "supported"); 1197 os_free(tls_global); 1198 tls_global = NULL; 1199 return NULL; 1200 } 1201 #endif /* OPENSSL_FIPS */ 1202 #endif /* CONFIG_FIPS */ 1203 #if OPENSSL_VERSION_NUMBER < 0x10100000L 1204 SSL_load_error_strings(); 1205 SSL_library_init(); 1206 #ifndef OPENSSL_NO_SHA256 1207 EVP_add_digest(EVP_sha256()); 1208 #endif /* OPENSSL_NO_SHA256 */ 1209 /* TODO: if /dev/urandom is available, PRNG is seeded 1210 * automatically. If this is not the case, random data should 1211 * be added here. */ 1212 1213 #ifdef PKCS12_FUNCS 1214 #ifndef OPENSSL_NO_RC2 1215 /* 1216 * 40-bit RC2 is commonly used in PKCS#12 files, so enable it. 1217 * This is enabled by PKCS12_PBE_add() in OpenSSL 0.9.8 1218 * versions, but it looks like OpenSSL 1.0.0 does not do that 1219 * anymore. 1220 */ 1221 EVP_add_cipher(EVP_rc2_40_cbc()); 1222 #endif /* OPENSSL_NO_RC2 */ 1223 PKCS12_PBE_add(); 1224 #endif /* PKCS12_FUNCS */ 1225 #endif /* < 1.1.0 */ 1226 } else { 1227 context = tls_context_new(conf); 1228 if (context == NULL) 1229 return NULL; 1230 } 1231 tls_openssl_ref_count++; 1232 1233 data = os_zalloc(sizeof(*data)); 1234 if (data) 1235 ssl = SSL_CTX_new(SSLv23_method()); 1236 else 1237 ssl = NULL; 1238 if (ssl == NULL) { 1239 tls_show_errors(MSG_INFO, "SSL_CTX_new", "init"); 1240 tls_openssl_ref_count--; 1241 if (context != tls_global) 1242 os_free(context); 1243 if (tls_openssl_ref_count == 0) { 1244 os_free(tls_global); 1245 tls_global = NULL; 1246 } 1247 os_free(data); 1248 return NULL; 1249 } 1250 data->ssl = ssl; 1251 if (conf) { 1252 data->tls_session_lifetime = conf->tls_session_lifetime; 1253 data->crl_reload_interval = conf->crl_reload_interval; 1254 } 1255 1256 SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv2); 1257 SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv3); 1258 1259 SSL_CTX_set_mode(ssl, SSL_MODE_AUTO_RETRY); 1260 1261 #ifdef SSL_MODE_NO_AUTO_CHAIN 1262 /* Number of deployed use cases assume the default OpenSSL behavior of 1263 * auto chaining the local certificate is in use. BoringSSL removed this 1264 * functionality by default, so we need to restore it here to avoid 1265 * breaking existing use cases. */ 1266 SSL_CTX_clear_mode(ssl, SSL_MODE_NO_AUTO_CHAIN); 1267 #endif /* SSL_MODE_NO_AUTO_CHAIN */ 1268 1269 SSL_CTX_set_info_callback(ssl, ssl_info_cb); 1270 SSL_CTX_set_app_data(ssl, context); 1271 if (data->tls_session_lifetime > 0) { 1272 SSL_CTX_set_quiet_shutdown(ssl, 1); 1273 /* 1274 * Set default context here. In practice, this will be replaced 1275 * by the per-EAP method context in tls_connection_set_verify(). 1276 */ 1277 SSL_CTX_set_session_id_context(ssl, (u8 *) "hostapd", 7); 1278 SSL_CTX_set_session_cache_mode(ssl, SSL_SESS_CACHE_SERVER); 1279 SSL_CTX_set_timeout(ssl, data->tls_session_lifetime); 1280 SSL_CTX_sess_set_remove_cb(ssl, remove_session_cb); 1281 #if OPENSSL_VERSION_NUMBER >= 0x10101000L && \ 1282 !defined(LIBRESSL_VERSION_NUMBER) && \ 1283 !defined(OPENSSL_IS_BORINGSSL) 1284 /* One session ticket is sufficient for EAP-TLS */ 1285 SSL_CTX_set_num_tickets(ssl, 1); 1286 #endif 1287 } else { 1288 SSL_CTX_set_session_cache_mode(ssl, SSL_SESS_CACHE_OFF); 1289 #if OPENSSL_VERSION_NUMBER >= 0x10101000L && \ 1290 !defined(LIBRESSL_VERSION_NUMBER) && \ 1291 !defined(OPENSSL_IS_BORINGSSL) 1292 SSL_CTX_set_num_tickets(ssl, 0); 1293 #endif 1294 } 1295 1296 if (tls_ex_idx_session < 0) { 1297 tls_ex_idx_session = SSL_SESSION_get_ex_new_index( 1298 0, NULL, NULL, NULL, NULL); 1299 if (tls_ex_idx_session < 0) { 1300 tls_deinit(data); 1301 return NULL; 1302 } 1303 } 1304 1305 #ifndef OPENSSL_NO_ENGINE 1306 wpa_printf(MSG_DEBUG, "ENGINE: Loading builtin engines"); 1307 ENGINE_load_builtin_engines(); 1308 1309 if (opensc_engine_path || pkcs11_engine_path || pkcs11_module_path) { 1310 if (tls_engine_load_dynamic_opensc(opensc_engine_path) || 1311 tls_engine_load_dynamic_pkcs11(pkcs11_engine_path, 1312 pkcs11_module_path)) { 1313 tls_deinit(data); 1314 return NULL; 1315 } 1316 } 1317 #endif /* OPENSSL_NO_ENGINE */ 1318 1319 if (conf && conf->openssl_ciphers) 1320 ciphers = conf->openssl_ciphers; 1321 else 1322 ciphers = TLS_DEFAULT_CIPHERS; 1323 if (SSL_CTX_set_cipher_list(ssl, ciphers) != 1) { 1324 wpa_printf(MSG_ERROR, 1325 "OpenSSL: Failed to set cipher string '%s'", 1326 ciphers); 1327 tls_deinit(data); 1328 return NULL; 1329 } 1330 1331 return data; 1332 } 1333 1334 tls_deinit(void * ssl_ctx)1335 void tls_deinit(void *ssl_ctx) 1336 { 1337 struct tls_data *data = ssl_ctx; 1338 SSL_CTX *ssl = data->ssl; 1339 struct tls_context *context = SSL_CTX_get_app_data(ssl); 1340 struct tls_session_data *sess_data; 1341 1342 if (data->tls_session_lifetime > 0) { 1343 wpa_printf(MSG_DEBUG, "OpenSSL: Flush sessions"); 1344 SSL_CTX_flush_sessions(ssl, 0); 1345 wpa_printf(MSG_DEBUG, "OpenSSL: Flush sessions - done"); 1346 } 1347 while ((sess_data = dl_list_first(&context->sessions, 1348 struct tls_session_data, list))) { 1349 wpa_printf(MSG_DEBUG, 1350 "OpenSSL: Freeing not-flushed session data %p", 1351 sess_data->buf); 1352 wpabuf_free(sess_data->buf); 1353 dl_list_del(&sess_data->list); 1354 os_free(sess_data); 1355 } 1356 if (context != tls_global) 1357 os_free(context); 1358 os_free(data->ca_cert); 1359 SSL_CTX_free(ssl); 1360 1361 tls_openssl_ref_count--; 1362 if (tls_openssl_ref_count == 0) { 1363 #ifdef OPENSSL_NO_ENGINE 1364 openssl_unload_pkcs11_provider(); 1365 #endif /* OPENSSL_NO_ENGINE */ 1366 #if OPENSSL_VERSION_NUMBER < 0x10100000L 1367 #ifndef OPENSSL_NO_ENGINE 1368 ENGINE_cleanup(); 1369 #endif /* OPENSSL_NO_ENGINE */ 1370 CRYPTO_cleanup_all_ex_data(); 1371 ERR_remove_thread_state(NULL); 1372 ERR_free_strings(); 1373 EVP_cleanup(); 1374 #endif /* < 1.1.0 */ 1375 os_free(tls_global->ocsp_stapling_response); 1376 tls_global->ocsp_stapling_response = NULL; 1377 os_free(tls_global); 1378 tls_global = NULL; 1379 } 1380 1381 os_free(data->check_cert_subject); 1382 os_free(data->openssl_ciphers); 1383 os_free(data); 1384 } 1385 1386 1387 #ifndef OPENSSL_NO_ENGINE 1388 1389 /* Cryptoki return values */ 1390 #define CKR_PIN_INCORRECT 0x000000a0 1391 #define CKR_PIN_INVALID 0x000000a1 1392 #define CKR_PIN_LEN_RANGE 0x000000a2 1393 1394 /* libp11 */ 1395 #define ERR_LIB_PKCS11 ERR_LIB_USER 1396 tls_is_pin_error(unsigned int err)1397 static int tls_is_pin_error(unsigned int err) 1398 { 1399 return ERR_GET_LIB(err) == ERR_LIB_PKCS11 && 1400 (ERR_GET_REASON(err) == CKR_PIN_INCORRECT || 1401 ERR_GET_REASON(err) == CKR_PIN_INVALID || 1402 ERR_GET_REASON(err) == CKR_PIN_LEN_RANGE); 1403 } 1404 1405 #endif /* OPENSSL_NO_ENGINE */ 1406 1407 1408 #ifdef ANDROID 1409 /* EVP_PKEY_from_keystore comes from system/security/keystore-engine. */ 1410 EVP_PKEY * EVP_PKEY_from_keystore(const char *key_id); 1411 #endif /* ANDROID */ 1412 tls_engine_init(struct tls_connection * conn,const char * engine_id,const char * pin,const char * key_id,const char * cert_id,const char * ca_cert_id)1413 static int tls_engine_init(struct tls_connection *conn, const char *engine_id, 1414 const char *pin, const char *key_id, 1415 const char *cert_id, const char *ca_cert_id) 1416 { 1417 #if defined(ANDROID) && defined(OPENSSL_IS_BORINGSSL) 1418 #if !defined(OPENSSL_NO_ENGINE) 1419 #error "This code depends on OPENSSL_NO_ENGINE being defined by BoringSSL." 1420 #endif 1421 if (!key_id) 1422 return TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED; 1423 conn->engine = NULL; 1424 conn->private_key = EVP_PKEY_from_keystore(key_id); 1425 if (!conn->private_key) { 1426 wpa_printf(MSG_ERROR, 1427 "ENGINE: cannot load private key with id '%s' [%s]", 1428 key_id, 1429 ERR_error_string(ERR_get_error(), NULL)); 1430 return TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED; 1431 } 1432 #endif /* ANDROID && OPENSSL_IS_BORINGSSL */ 1433 1434 #ifndef OPENSSL_NO_ENGINE 1435 int ret = -1; 1436 if (engine_id == NULL) { 1437 wpa_printf(MSG_ERROR, "ENGINE: Engine ID not set"); 1438 return -1; 1439 } 1440 1441 ERR_clear_error(); 1442 #ifdef ANDROID 1443 ENGINE_load_dynamic(); 1444 #endif 1445 conn->engine = ENGINE_by_id(engine_id); 1446 if (!conn->engine) { 1447 wpa_printf(MSG_ERROR, "ENGINE: engine %s not available [%s]", 1448 engine_id, ERR_error_string(ERR_get_error(), NULL)); 1449 goto err; 1450 } 1451 if (ENGINE_init(conn->engine) != 1) { 1452 wpa_printf(MSG_ERROR, "ENGINE: engine init failed " 1453 "(engine: %s) [%s]", engine_id, 1454 ERR_error_string(ERR_get_error(), NULL)); 1455 goto err; 1456 } 1457 wpa_printf(MSG_DEBUG, "ENGINE: engine initialized"); 1458 1459 #ifndef ANDROID 1460 if (pin && ENGINE_ctrl_cmd_string(conn->engine, "PIN", pin, 0) == 0) { 1461 wpa_printf(MSG_ERROR, "ENGINE: cannot set pin [%s]", 1462 ERR_error_string(ERR_get_error(), NULL)); 1463 goto err; 1464 } 1465 #endif 1466 if (key_id) { 1467 /* 1468 * Ensure that the ENGINE does not attempt to use the OpenSSL 1469 * UI system to obtain a PIN, if we didn't provide one. 1470 */ 1471 struct { 1472 const void *password; 1473 const char *prompt_info; 1474 } key_cb = { "", NULL }; 1475 1476 /* load private key first in-case PIN is required for cert */ 1477 conn->private_key = ENGINE_load_private_key(conn->engine, 1478 key_id, NULL, 1479 &key_cb); 1480 if (!conn->private_key) { 1481 unsigned long err = ERR_get_error(); 1482 1483 wpa_printf(MSG_ERROR, 1484 "ENGINE: cannot load private key with id '%s' [%s]", 1485 key_id, 1486 ERR_error_string(err, NULL)); 1487 if (tls_is_pin_error(err)) 1488 ret = TLS_SET_PARAMS_ENGINE_PRV_BAD_PIN; 1489 else 1490 ret = TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED; 1491 goto err; 1492 } 1493 } 1494 1495 /* handle a certificate and/or CA certificate */ 1496 if (cert_id || ca_cert_id) { 1497 const char *cmd_name = "LOAD_CERT_CTRL"; 1498 1499 /* test if the engine supports a LOAD_CERT_CTRL */ 1500 if (!ENGINE_ctrl(conn->engine, ENGINE_CTRL_GET_CMD_FROM_NAME, 1501 0, (void *)cmd_name, NULL)) { 1502 wpa_printf(MSG_ERROR, "ENGINE: engine does not support" 1503 " loading certificates"); 1504 ret = TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED; 1505 goto err; 1506 } 1507 } 1508 1509 return 0; 1510 1511 err: 1512 if (conn->engine) { 1513 ENGINE_free(conn->engine); 1514 conn->engine = NULL; 1515 } 1516 1517 if (conn->private_key) { 1518 EVP_PKEY_free(conn->private_key); 1519 conn->private_key = NULL; 1520 } 1521 1522 return ret; 1523 #else /* OPENSSL_NO_ENGINE */ 1524 conn->private_key = provider_load_key(key_id); 1525 if (!conn->private_key) 1526 return -1; 1527 1528 return 0; 1529 #endif /* OPENSSL_NO_ENGINE */ 1530 } 1531 1532 tls_engine_deinit(struct tls_connection * conn)1533 static void tls_engine_deinit(struct tls_connection *conn) 1534 { 1535 if (conn->private_key) { 1536 EVP_PKEY_free(conn->private_key); 1537 conn->private_key = NULL; 1538 } 1539 #if defined(ANDROID) || !defined(OPENSSL_NO_ENGINE) 1540 wpa_printf(MSG_DEBUG, "ENGINE: engine deinit"); 1541 if (conn->engine) { 1542 #if !defined(OPENSSL_IS_BORINGSSL) 1543 ENGINE_finish(conn->engine); 1544 #endif /* !OPENSSL_IS_BORINGSSL */ 1545 conn->engine = NULL; 1546 } 1547 #endif /* ANDROID || !OPENSSL_NO_ENGINE */ 1548 } 1549 1550 tls_get_errors(void * ssl_ctx)1551 int tls_get_errors(void *ssl_ctx) 1552 { 1553 int count = 0; 1554 unsigned long err; 1555 1556 while ((err = ERR_get_error())) { 1557 wpa_printf(MSG_INFO, "TLS - SSL error: %s", 1558 ERR_error_string(err, NULL)); 1559 count++; 1560 } 1561 1562 return count; 1563 } 1564 1565 openssl_content_type(int content_type)1566 static const char * openssl_content_type(int content_type) 1567 { 1568 switch (content_type) { 1569 case 20: 1570 return "change cipher spec"; 1571 case 21: 1572 return "alert"; 1573 case 22: 1574 return "handshake"; 1575 case 23: 1576 return "application data"; 1577 case 24: 1578 return "heartbeat"; 1579 case 256: 1580 return "TLS header info"; /* pseudo content type */ 1581 case 257: 1582 return "inner content type"; /* pseudo content type */ 1583 default: 1584 return "?"; 1585 } 1586 } 1587 1588 openssl_handshake_type(int content_type,const u8 * buf,size_t len)1589 static const char * openssl_handshake_type(int content_type, const u8 *buf, 1590 size_t len) 1591 { 1592 if (content_type == 257 && buf && len == 1) 1593 return openssl_content_type(buf[0]); 1594 if (content_type != 22 || !buf || len == 0) 1595 return ""; 1596 switch (buf[0]) { 1597 case 0: 1598 return "hello request"; 1599 case 1: 1600 return "client hello"; 1601 case 2: 1602 return "server hello"; 1603 case 3: 1604 return "hello verify request"; 1605 case 4: 1606 return "new session ticket"; 1607 case 5: 1608 return "end of early data"; 1609 case 6: 1610 return "hello retry request"; 1611 case 8: 1612 return "encrypted extensions"; 1613 case 11: 1614 return "certificate"; 1615 case 12: 1616 return "server key exchange"; 1617 case 13: 1618 return "certificate request"; 1619 case 14: 1620 return "server hello done"; 1621 case 15: 1622 return "certificate verify"; 1623 case 16: 1624 return "client key exchange"; 1625 case 20: 1626 return "finished"; 1627 case 21: 1628 return "certificate url"; 1629 case 22: 1630 return "certificate status"; 1631 case 23: 1632 return "supplemental data"; 1633 case 24: 1634 return "key update"; 1635 case 254: 1636 return "message hash"; 1637 default: 1638 return "?"; 1639 } 1640 } 1641 1642 1643 #ifdef CONFIG_SUITEB 1644 check_server_hello(struct tls_connection * conn,const u8 * pos,const u8 * end)1645 static void check_server_hello(struct tls_connection *conn, 1646 const u8 *pos, const u8 *end) 1647 { 1648 size_t payload_len, id_len; 1649 1650 /* 1651 * Parse ServerHello to get the selected cipher suite since OpenSSL does 1652 * not make it cleanly available during handshake and we need to know 1653 * whether DHE was selected. 1654 */ 1655 1656 if (end - pos < 3) 1657 return; 1658 payload_len = WPA_GET_BE24(pos); 1659 pos += 3; 1660 1661 if ((size_t) (end - pos) < payload_len) 1662 return; 1663 end = pos + payload_len; 1664 1665 /* Skip Version and Random */ 1666 if (end - pos < 2 + SSL3_RANDOM_SIZE) 1667 return; 1668 pos += 2 + SSL3_RANDOM_SIZE; 1669 1670 /* Skip Session ID */ 1671 if (end - pos < 1) 1672 return; 1673 id_len = *pos++; 1674 if ((size_t) (end - pos) < id_len) 1675 return; 1676 pos += id_len; 1677 1678 if (end - pos < 2) 1679 return; 1680 conn->cipher_suite = WPA_GET_BE16(pos); 1681 wpa_printf(MSG_DEBUG, "OpenSSL: Server selected cipher suite 0x%x", 1682 conn->cipher_suite); 1683 } 1684 1685 check_server_key_exchange(SSL * ssl,struct tls_connection * conn,const u8 * pos,const u8 * end)1686 static void check_server_key_exchange(SSL *ssl, struct tls_connection *conn, 1687 const u8 *pos, const u8 *end) 1688 { 1689 size_t payload_len; 1690 u16 dh_len; 1691 BIGNUM *p; 1692 int bits; 1693 1694 if (!(conn->flags & TLS_CONN_SUITEB)) 1695 return; 1696 1697 /* DHE is enabled only with DHE-RSA-AES256-GCM-SHA384 */ 1698 if (conn->cipher_suite != 0x9f) 1699 return; 1700 1701 if (end - pos < 3) 1702 return; 1703 payload_len = WPA_GET_BE24(pos); 1704 pos += 3; 1705 1706 if ((size_t) (end - pos) < payload_len) 1707 return; 1708 end = pos + payload_len; 1709 1710 if (end - pos < 2) 1711 return; 1712 dh_len = WPA_GET_BE16(pos); 1713 pos += 2; 1714 1715 if ((size_t) (end - pos) < dh_len) 1716 return; 1717 p = BN_bin2bn(pos, dh_len, NULL); 1718 if (!p) 1719 return; 1720 1721 bits = BN_num_bits(p); 1722 BN_free(p); 1723 1724 conn->server_dh_prime_len = bits; 1725 wpa_printf(MSG_DEBUG, "OpenSSL: Server DH prime length: %d bits", 1726 conn->server_dh_prime_len); 1727 } 1728 1729 #endif /* CONFIG_SUITEB */ 1730 1731 tls_msg_cb(int write_p,int version,int content_type,const void * buf,size_t len,SSL * ssl,void * arg)1732 static void tls_msg_cb(int write_p, int version, int content_type, 1733 const void *buf, size_t len, SSL *ssl, void *arg) 1734 { 1735 struct tls_connection *conn = arg; 1736 const u8 *pos = buf; 1737 1738 #if OPENSSL_VERSION_NUMBER >= 0x30000000L 1739 if ((SSL_version(ssl) == TLS1_VERSION || 1740 SSL_version(ssl) == TLS1_1_VERSION) && 1741 SSL_get_security_level(ssl) > 0) { 1742 wpa_printf(MSG_DEBUG, 1743 "OpenSSL: Drop security level to 0 to allow TLS 1.0/1.1 use of MD5-SHA1 signature algorithm"); 1744 SSL_set_security_level(ssl, 0); 1745 } 1746 #endif /* OpenSSL version >= 3.0 */ 1747 if (write_p == 2) { 1748 wpa_printf(MSG_DEBUG, 1749 "OpenSSL: session ver=0x%x content_type=%d", 1750 version, content_type); 1751 wpa_hexdump_key(MSG_MSGDUMP, "OpenSSL: Data", buf, len); 1752 return; 1753 } 1754 1755 wpa_printf(MSG_DEBUG, "OpenSSL: %s ver=0x%x content_type=%d (%s/%s)", 1756 write_p ? "TX" : "RX", version, content_type, 1757 openssl_content_type(content_type), 1758 openssl_handshake_type(content_type, buf, len)); 1759 wpa_hexdump_key(MSG_MSGDUMP, "OpenSSL: Message", buf, len); 1760 if (content_type == 24 && len >= 3 && pos[0] == 1) { 1761 size_t payload_len = WPA_GET_BE16(pos + 1); 1762 if (payload_len + 3 > len) { 1763 wpa_printf(MSG_ERROR, "OpenSSL: Heartbeat attack detected"); 1764 conn->invalid_hb_used = 1; 1765 } 1766 } 1767 1768 #ifdef CONFIG_SUITEB 1769 /* 1770 * Need to parse these handshake messages to be able to check DH prime 1771 * length since OpenSSL does not expose the new cipher suite and DH 1772 * parameters during handshake (e.g., for cert_cb() callback). 1773 */ 1774 if (content_type == 22 && pos && len > 0 && pos[0] == 2) 1775 check_server_hello(conn, pos + 1, pos + len); 1776 if (content_type == 22 && pos && len > 0 && pos[0] == 12) 1777 check_server_key_exchange(ssl, conn, pos + 1, pos + len); 1778 #endif /* CONFIG_SUITEB */ 1779 } 1780 1781 1782 #ifdef CONFIG_TESTING_OPTIONS 1783 #if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER) 1784 /* 1785 * By setting the environment variable SSLKEYLOGFILE to a filename keying 1786 * material will be exported that you may use with Wireshark to decode any 1787 * TLS flows. Please see the following for more details: 1788 * 1789 * https://gitlab.com/wireshark/wireshark/-/wikis/TLS#tls-decryption 1790 * 1791 * Example logging sessions are (you should delete the file on each run): 1792 * 1793 * rm -f /tmp/sslkey.log 1794 * env SSLKEYLOGFILE=/tmp/sslkey.log hostapd ... 1795 * 1796 * rm -f /tmp/sslkey.log 1797 * env SSLKEYLOGFILE=/tmp/sslkey.log wpa_supplicant ... 1798 * 1799 * rm -f /tmp/sslkey.log 1800 * env SSLKEYLOGFILE=/tmp/sslkey.log eapol_test ... 1801 */ tls_keylog_cb(const SSL * ssl,const char * line)1802 static void tls_keylog_cb(const SSL *ssl, const char *line) 1803 { 1804 int fd; 1805 const char *filename; 1806 struct iovec iov[2]; 1807 1808 filename = getenv("SSLKEYLOGFILE"); 1809 if (!filename) 1810 return; 1811 1812 fd = open(filename, O_WRONLY | O_CREAT | O_APPEND, S_IRUSR | S_IWUSR); 1813 if (fd < 0) { 1814 wpa_printf(MSG_ERROR, 1815 "OpenSSL: Failed to open keylog file %s: %s", 1816 filename, strerror(errno)); 1817 return; 1818 } 1819 1820 /* Assume less than _POSIX_PIPE_BUF (512) where writes are guaranteed 1821 * to be atomic for O_APPEND. */ 1822 iov[0].iov_base = (void *) line; 1823 iov[0].iov_len = os_strlen(line); 1824 iov[1].iov_base = "\n"; 1825 iov[1].iov_len = 1; 1826 1827 if (writev(fd, iov, ARRAY_SIZE(iov)) < 01) { 1828 wpa_printf(MSG_DEBUG, 1829 "OpenSSL: Failed to write to keylog file %s: %s", 1830 filename, strerror(errno)); 1831 } 1832 1833 close(fd); 1834 } 1835 #endif 1836 #endif /* CONFIG_TESTING_OPTIONS */ 1837 1838 tls_connection_init(void * ssl_ctx)1839 struct tls_connection * tls_connection_init(void *ssl_ctx) 1840 { 1841 struct tls_data *data = ssl_ctx; 1842 SSL_CTX *ssl = data->ssl; 1843 struct tls_connection *conn; 1844 long options; 1845 X509_STORE *new_cert_store; 1846 struct os_reltime now; 1847 struct tls_context *context = SSL_CTX_get_app_data(ssl); 1848 1849 /* Replace X509 store if it is time to update CRL. */ 1850 if (data->crl_reload_interval > 0 && os_get_reltime(&now) == 0 && 1851 os_reltime_expired(&now, &data->crl_last_reload, 1852 data->crl_reload_interval)) { 1853 wpa_printf(MSG_INFO, 1854 "OpenSSL: Flushing X509 store with ca_cert file"); 1855 new_cert_store = tls_crl_cert_reload(data->ca_cert, 1856 data->check_crl); 1857 if (!new_cert_store) { 1858 wpa_printf(MSG_ERROR, 1859 "OpenSSL: Error replacing X509 store with ca_cert file"); 1860 } else { 1861 /* Replace old store */ 1862 SSL_CTX_set_cert_store(ssl, new_cert_store); 1863 data->crl_last_reload = now; 1864 } 1865 } 1866 1867 conn = os_zalloc(sizeof(*conn)); 1868 if (conn == NULL) 1869 return NULL; 1870 conn->data = data; 1871 conn->ssl_ctx = ssl; 1872 conn->ssl = SSL_new(ssl); 1873 if (conn->ssl == NULL) { 1874 tls_show_errors(MSG_INFO, __func__, 1875 "Failed to initialize new SSL connection"); 1876 os_free(conn); 1877 return NULL; 1878 } 1879 1880 conn->context = context; 1881 SSL_set_app_data(conn->ssl, conn); 1882 SSL_set_msg_callback(conn->ssl, tls_msg_cb); 1883 SSL_set_msg_callback_arg(conn->ssl, conn); 1884 options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | 1885 SSL_OP_SINGLE_DH_USE; 1886 #ifdef SSL_OP_NO_COMPRESSION 1887 options |= SSL_OP_NO_COMPRESSION; 1888 #endif /* SSL_OP_NO_COMPRESSION */ 1889 SSL_set_options(conn->ssl, options); 1890 #ifdef SSL_OP_ENABLE_MIDDLEBOX_COMPAT 1891 /* Hopefully there is no need for middlebox compatibility mechanisms 1892 * when going through EAP authentication. */ 1893 SSL_clear_options(conn->ssl, SSL_OP_ENABLE_MIDDLEBOX_COMPAT); 1894 #endif 1895 1896 #ifdef CONFIG_TESTING_OPTIONS 1897 #if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER) 1898 /* Set the keylog file if the admin requested it. */ 1899 if (getenv("SSLKEYLOGFILE")) 1900 SSL_CTX_set_keylog_callback(conn->ssl_ctx, tls_keylog_cb); 1901 #endif 1902 #endif /* CONFIG_TESTING_OPTIONS */ 1903 1904 conn->ssl_in = BIO_new(BIO_s_mem()); 1905 if (!conn->ssl_in) { 1906 tls_show_errors(MSG_INFO, __func__, 1907 "Failed to create a new BIO for ssl_in"); 1908 SSL_free(conn->ssl); 1909 os_free(conn); 1910 return NULL; 1911 } 1912 1913 conn->ssl_out = BIO_new(BIO_s_mem()); 1914 if (!conn->ssl_out) { 1915 tls_show_errors(MSG_INFO, __func__, 1916 "Failed to create a new BIO for ssl_out"); 1917 SSL_free(conn->ssl); 1918 BIO_free(conn->ssl_in); 1919 os_free(conn); 1920 return NULL; 1921 } 1922 1923 SSL_set_bio(conn->ssl, conn->ssl_in, conn->ssl_out); 1924 1925 return conn; 1926 } 1927 1928 tls_connection_deinit(void * ssl_ctx,struct tls_connection * conn)1929 void tls_connection_deinit(void *ssl_ctx, struct tls_connection *conn) 1930 { 1931 if (conn == NULL) 1932 return; 1933 if (conn->success_data) { 1934 /* 1935 * Make sure ssl_clear_bad_session() does not remove this 1936 * session. 1937 */ 1938 SSL_set_quiet_shutdown(conn->ssl, 1); 1939 SSL_shutdown(conn->ssl); 1940 } 1941 SSL_free(conn->ssl); 1942 tls_engine_deinit(conn); 1943 os_free(conn->subject_match); 1944 os_free(conn->altsubject_match); 1945 os_free(conn->suffix_match); 1946 os_free(conn->domain_match); 1947 os_free(conn->check_cert_subject); 1948 os_free(conn->session_ticket); 1949 os_free(conn->peer_subject); 1950 os_free(conn); 1951 } 1952 1953 tls_connection_established(void * ssl_ctx,struct tls_connection * conn)1954 int tls_connection_established(void *ssl_ctx, struct tls_connection *conn) 1955 { 1956 return conn ? SSL_is_init_finished(conn->ssl) : 0; 1957 } 1958 1959 tls_connection_peer_serial_num(void * tls_ctx,struct tls_connection * conn)1960 char * tls_connection_peer_serial_num(void *tls_ctx, 1961 struct tls_connection *conn) 1962 { 1963 ASN1_INTEGER *ser; 1964 char *serial_num; 1965 size_t len; 1966 1967 if (!conn->peer_cert) 1968 return NULL; 1969 1970 ser = X509_get_serialNumber(conn->peer_cert); 1971 if (!ser) 1972 return NULL; 1973 1974 len = ASN1_STRING_length(ser) * 2 + 1; 1975 serial_num = os_malloc(len); 1976 if (!serial_num) 1977 return NULL; 1978 wpa_snprintf_hex_uppercase(serial_num, len, 1979 ASN1_STRING_get0_data(ser), 1980 ASN1_STRING_length(ser)); 1981 return serial_num; 1982 } 1983 1984 tls_connection_shutdown(void * ssl_ctx,struct tls_connection * conn)1985 int tls_connection_shutdown(void *ssl_ctx, struct tls_connection *conn) 1986 { 1987 if (conn == NULL) 1988 return -1; 1989 1990 /* Shutdown previous TLS connection without notifying the peer 1991 * because the connection was already terminated in practice 1992 * and "close notify" shutdown alert would confuse AS. */ 1993 SSL_set_quiet_shutdown(conn->ssl, 1); 1994 SSL_shutdown(conn->ssl); 1995 return SSL_clear(conn->ssl) == 1 ? 0 : -1; 1996 } 1997 1998 tls_match_altsubject_component(X509 * cert,int type,const char * value,size_t len)1999 static int tls_match_altsubject_component(X509 *cert, int type, 2000 const char *value, size_t len) 2001 { 2002 GENERAL_NAME *gen; 2003 void *ext; 2004 int found = 0; 2005 stack_index_t i; 2006 2007 ext = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL); 2008 2009 for (i = 0; ext && i < sk_GENERAL_NAME_num(ext); i++) { 2010 gen = sk_GENERAL_NAME_value(ext, i); 2011 if (gen->type != type) 2012 continue; 2013 if (os_strlen((char *) gen->d.ia5->data) == len && 2014 os_memcmp(value, gen->d.ia5->data, len) == 0) 2015 found++; 2016 } 2017 2018 sk_GENERAL_NAME_pop_free(ext, GENERAL_NAME_free); 2019 2020 return found; 2021 } 2022 2023 tls_match_altsubject(X509 * cert,const char * match)2024 static int tls_match_altsubject(X509 *cert, const char *match) 2025 { 2026 int type; 2027 const char *pos, *end; 2028 size_t len; 2029 2030 pos = match; 2031 do { 2032 if (os_strncmp(pos, "EMAIL:", 6) == 0) { 2033 type = GEN_EMAIL; 2034 pos += 6; 2035 } else if (os_strncmp(pos, "DNS:", 4) == 0) { 2036 type = GEN_DNS; 2037 pos += 4; 2038 } else if (os_strncmp(pos, "URI:", 4) == 0) { 2039 type = GEN_URI; 2040 pos += 4; 2041 } else { 2042 wpa_printf(MSG_INFO, "TLS: Invalid altSubjectName " 2043 "match '%s'", pos); 2044 return 0; 2045 } 2046 end = os_strchr(pos, ';'); 2047 while (end) { 2048 if (os_strncmp(end + 1, "EMAIL:", 6) == 0 || 2049 os_strncmp(end + 1, "DNS:", 4) == 0 || 2050 os_strncmp(end + 1, "URI:", 4) == 0) 2051 break; 2052 end = os_strchr(end + 1, ';'); 2053 } 2054 if (end) 2055 len = end - pos; 2056 else 2057 len = os_strlen(pos); 2058 if (tls_match_altsubject_component(cert, type, pos, len) > 0) 2059 return 1; 2060 if (!end) 2061 break; 2062 pos = end + 1; 2063 } while (end); 2064 2065 return 0; 2066 } 2067 2068 2069 #ifndef CONFIG_NATIVE_WINDOWS domain_suffix_match(const u8 * val,size_t len,const char * match,size_t match_len,int full)2070 static int domain_suffix_match(const u8 *val, size_t len, const char *match, 2071 size_t match_len, int full) 2072 { 2073 size_t i; 2074 2075 /* Check for embedded nuls that could mess up suffix matching */ 2076 for (i = 0; i < len; i++) { 2077 if (val[i] == '\0') { 2078 wpa_printf(MSG_DEBUG, "TLS: Embedded null in a string - reject"); 2079 return 0; 2080 } 2081 } 2082 2083 if (match_len > len || (full && match_len != len)) 2084 return 0; 2085 2086 if (os_strncasecmp((const char *) val + len - match_len, match, 2087 match_len) != 0) 2088 return 0; /* no match */ 2089 2090 if (match_len == len) 2091 return 1; /* exact match */ 2092 2093 if (val[len - match_len - 1] == '.') 2094 return 1; /* full label match completes suffix match */ 2095 2096 wpa_printf(MSG_DEBUG, "TLS: Reject due to incomplete label match"); 2097 return 0; 2098 } 2099 #endif /* CONFIG_NATIVE_WINDOWS */ 2100 2101 2102 struct tls_dn_field_order_cnt { 2103 u8 cn; 2104 u8 c; 2105 u8 l; 2106 u8 st; 2107 u8 o; 2108 u8 ou; 2109 u8 email; 2110 }; 2111 2112 get_dn_field_index(const struct tls_dn_field_order_cnt * dn_cnt,int nid)2113 static int get_dn_field_index(const struct tls_dn_field_order_cnt *dn_cnt, 2114 int nid) 2115 { 2116 switch (nid) { 2117 case NID_commonName: 2118 return dn_cnt->cn; 2119 case NID_countryName: 2120 return dn_cnt->c; 2121 case NID_localityName: 2122 return dn_cnt->l; 2123 case NID_stateOrProvinceName: 2124 return dn_cnt->st; 2125 case NID_organizationName: 2126 return dn_cnt->o; 2127 case NID_organizationalUnitName: 2128 return dn_cnt->ou; 2129 case NID_pkcs9_emailAddress: 2130 return dn_cnt->email; 2131 default: 2132 wpa_printf(MSG_ERROR, 2133 "TLS: Unknown NID '%d' in check_cert_subject", 2134 nid); 2135 return -1; 2136 } 2137 } 2138 2139 2140 /** 2141 * match_dn_field - Match configuration DN field against Certificate DN field 2142 * @cert: Certificate 2143 * @nid: NID of DN field 2144 * @field: Field name 2145 * @value DN field value which is passed from configuration 2146 * e.g., if configuration have C=US and this argument will point to US. 2147 * @dn_cnt: DN matching context 2148 * Returns: 1 on success and 0 on failure 2149 */ match_dn_field(const X509 * cert,int nid,const char * field,const char * value,const struct tls_dn_field_order_cnt * dn_cnt)2150 static int match_dn_field(const X509 *cert, int nid, const char *field, 2151 const char *value, 2152 const struct tls_dn_field_order_cnt *dn_cnt) 2153 { 2154 int i, ret = 0, len, config_dn_field_index, match_index = 0; 2155 X509_NAME *name; 2156 2157 len = os_strlen(value); 2158 name = X509_get_subject_name((X509 *) cert); 2159 2160 /* Assign incremented cnt for every field of DN to check DN field in 2161 * right order */ 2162 config_dn_field_index = get_dn_field_index(dn_cnt, nid); 2163 if (config_dn_field_index < 0) 2164 return 0; 2165 2166 /* Fetch value based on NID */ 2167 for (i = -1; (i = X509_NAME_get_index_by_NID(name, nid, i)) > -1;) { 2168 X509_NAME_ENTRY *e; 2169 ASN1_STRING *cn; 2170 2171 e = X509_NAME_get_entry(name, i); 2172 if (!e) 2173 continue; 2174 2175 cn = X509_NAME_ENTRY_get_data(e); 2176 if (!cn) 2177 continue; 2178 2179 match_index++; 2180 2181 /* check for more than one DN field with same name */ 2182 if (match_index != config_dn_field_index) 2183 continue; 2184 2185 /* Check wildcard at the right end side */ 2186 /* E.g., if OU=develop* mentioned in configuration, allow 'OU' 2187 * of the subject in the client certificate to start with 2188 * 'develop' */ 2189 if (len > 0 && value[len - 1] == '*') { 2190 /* Compare actual certificate DN field value with 2191 * configuration DN field value up to the specified 2192 * length. */ 2193 ret = ASN1_STRING_length(cn) >= len - 1 && 2194 os_memcmp(ASN1_STRING_get0_data(cn), value, 2195 len - 1) == 0; 2196 } else { 2197 /* Compare actual certificate DN field value with 2198 * configuration DN field value */ 2199 ret = ASN1_STRING_length(cn) == len && 2200 os_memcmp(ASN1_STRING_get0_data(cn), value, 2201 len) == 0; 2202 } 2203 if (!ret) { 2204 wpa_printf(MSG_ERROR, 2205 "OpenSSL: Failed to match %s '%s' with certificate DN field value '%s'", 2206 field, value, ASN1_STRING_get0_data(cn)); 2207 } 2208 break; 2209 } 2210 2211 return ret; 2212 } 2213 2214 2215 /** 2216 * get_value_from_field - Get value from DN field 2217 * @cert: Certificate 2218 * @field_str: DN field string which is passed from configuration file (e.g., 2219 * C=US) 2220 * @dn_cnt: DN matching context 2221 * Returns: 1 on success and 0 on failure 2222 */ get_value_from_field(const X509 * cert,char * field_str,struct tls_dn_field_order_cnt * dn_cnt)2223 static int get_value_from_field(const X509 *cert, char *field_str, 2224 struct tls_dn_field_order_cnt *dn_cnt) 2225 { 2226 int nid; 2227 char *context = NULL, *name, *value; 2228 2229 if (os_strcmp(field_str, "*") == 0) 2230 return 1; /* wildcard matches everything */ 2231 2232 name = str_token(field_str, "=", &context); 2233 if (!name) 2234 return 0; 2235 2236 /* Compare all configured DN fields and assign nid based on that to 2237 * fetch correct value from certificate subject */ 2238 if (os_strcmp(name, "CN") == 0) { 2239 nid = NID_commonName; 2240 dn_cnt->cn++; 2241 } else if(os_strcmp(name, "C") == 0) { 2242 nid = NID_countryName; 2243 dn_cnt->c++; 2244 } else if (os_strcmp(name, "L") == 0) { 2245 nid = NID_localityName; 2246 dn_cnt->l++; 2247 } else if (os_strcmp(name, "ST") == 0) { 2248 nid = NID_stateOrProvinceName; 2249 dn_cnt->st++; 2250 } else if (os_strcmp(name, "O") == 0) { 2251 nid = NID_organizationName; 2252 dn_cnt->o++; 2253 } else if (os_strcmp(name, "OU") == 0) { 2254 nid = NID_organizationalUnitName; 2255 dn_cnt->ou++; 2256 } else if (os_strcmp(name, "emailAddress") == 0) { 2257 nid = NID_pkcs9_emailAddress; 2258 dn_cnt->email++; 2259 } else { 2260 wpa_printf(MSG_ERROR, 2261 "TLS: Unknown field '%s' in check_cert_subject", name); 2262 return 0; 2263 } 2264 2265 value = str_token(field_str, "=", &context); 2266 if (!value) { 2267 wpa_printf(MSG_ERROR, 2268 "TLS: Distinguished Name field '%s' value is not defined in check_cert_subject", 2269 name); 2270 return 0; 2271 } 2272 2273 return match_dn_field(cert, nid, name, value, dn_cnt); 2274 } 2275 2276 2277 /** 2278 * tls_match_dn_field - Match subject DN field with check_cert_subject 2279 * @cert: Certificate 2280 * @match: check_cert_subject string 2281 * Returns: Return 1 on success and 0 on failure 2282 */ tls_match_dn_field(X509 * cert,const char * match)2283 static int tls_match_dn_field(X509 *cert, const char *match) 2284 { 2285 const char *token, *last = NULL; 2286 char field[256]; 2287 struct tls_dn_field_order_cnt dn_cnt; 2288 2289 os_memset(&dn_cnt, 0, sizeof(dn_cnt)); 2290 2291 /* Maximum length of each DN field is 255 characters */ 2292 2293 /* Process each '/' delimited field */ 2294 while ((token = cstr_token(match, "/", &last))) { 2295 if (last - token >= (int) sizeof(field)) { 2296 wpa_printf(MSG_ERROR, 2297 "OpenSSL: Too long DN matching field value in '%s'", 2298 match); 2299 return 0; 2300 } 2301 os_memcpy(field, token, last - token); 2302 field[last - token] = '\0'; 2303 2304 if (!get_value_from_field(cert, field, &dn_cnt)) { 2305 wpa_printf(MSG_DEBUG, "OpenSSL: No match for DN '%s'", 2306 field); 2307 return 0; 2308 } 2309 } 2310 2311 return 1; 2312 } 2313 2314 2315 #ifndef CONFIG_NATIVE_WINDOWS tls_match_suffix_helper(X509 * cert,const char * match,size_t match_len,int full)2316 static int tls_match_suffix_helper(X509 *cert, const char *match, 2317 size_t match_len, int full) 2318 { 2319 GENERAL_NAME *gen; 2320 void *ext; 2321 int i; 2322 stack_index_t j; 2323 int dns_name = 0; 2324 X509_NAME *name; 2325 2326 wpa_printf(MSG_DEBUG, "TLS: Match domain against %s%s", 2327 full ? "": "suffix ", match); 2328 2329 ext = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL); 2330 2331 for (j = 0; ext && j < sk_GENERAL_NAME_num(ext); j++) { 2332 gen = sk_GENERAL_NAME_value(ext, j); 2333 if (gen->type != GEN_DNS) 2334 continue; 2335 dns_name++; 2336 wpa_hexdump_ascii(MSG_DEBUG, "TLS: Certificate dNSName", 2337 gen->d.dNSName->data, 2338 gen->d.dNSName->length); 2339 if (domain_suffix_match(gen->d.dNSName->data, 2340 gen->d.dNSName->length, 2341 match, match_len, full) == 1) { 2342 wpa_printf(MSG_DEBUG, "TLS: %s in dNSName found", 2343 full ? "Match" : "Suffix match"); 2344 sk_GENERAL_NAME_pop_free(ext, GENERAL_NAME_free); 2345 return 1; 2346 } 2347 } 2348 sk_GENERAL_NAME_pop_free(ext, GENERAL_NAME_free); 2349 2350 if (dns_name) { 2351 wpa_printf(MSG_DEBUG, "TLS: None of the dNSName(s) matched"); 2352 return 0; 2353 } 2354 2355 name = X509_get_subject_name(cert); 2356 i = -1; 2357 for (;;) { 2358 X509_NAME_ENTRY *e; 2359 ASN1_STRING *cn; 2360 2361 i = X509_NAME_get_index_by_NID(name, NID_commonName, i); 2362 if (i == -1) 2363 break; 2364 e = X509_NAME_get_entry(name, i); 2365 if (e == NULL) 2366 continue; 2367 cn = X509_NAME_ENTRY_get_data(e); 2368 if (cn == NULL) 2369 continue; 2370 wpa_hexdump_ascii(MSG_DEBUG, "TLS: Certificate commonName", 2371 cn->data, cn->length); 2372 if (domain_suffix_match(cn->data, cn->length, 2373 match, match_len, full) == 1) { 2374 wpa_printf(MSG_DEBUG, "TLS: %s in commonName found", 2375 full ? "Match" : "Suffix match"); 2376 return 1; 2377 } 2378 } 2379 2380 wpa_printf(MSG_DEBUG, "TLS: No CommonName %smatch found", 2381 full ? "": "suffix "); 2382 return 0; 2383 } 2384 #endif /* CONFIG_NATIVE_WINDOWS */ 2385 2386 tls_match_suffix(X509 * cert,const char * match,int full)2387 static int tls_match_suffix(X509 *cert, const char *match, int full) 2388 { 2389 #ifdef CONFIG_NATIVE_WINDOWS 2390 /* wincrypt.h has conflicting X509_NAME definition */ 2391 return -1; 2392 #else /* CONFIG_NATIVE_WINDOWS */ 2393 const char *token, *last = NULL; 2394 2395 /* Process each match alternative separately until a match is found */ 2396 while ((token = cstr_token(match, ";", &last))) { 2397 if (tls_match_suffix_helper(cert, token, last - token, full)) 2398 return 1; 2399 } 2400 2401 return 0; 2402 #endif /* CONFIG_NATIVE_WINDOWS */ 2403 } 2404 2405 openssl_tls_fail_reason(int err)2406 static enum tls_fail_reason openssl_tls_fail_reason(int err) 2407 { 2408 switch (err) { 2409 case X509_V_ERR_CERT_REVOKED: 2410 return TLS_FAIL_REVOKED; 2411 case X509_V_ERR_CERT_NOT_YET_VALID: 2412 case X509_V_ERR_CRL_NOT_YET_VALID: 2413 return TLS_FAIL_NOT_YET_VALID; 2414 case X509_V_ERR_CERT_HAS_EXPIRED: 2415 case X509_V_ERR_CRL_HAS_EXPIRED: 2416 return TLS_FAIL_EXPIRED; 2417 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: 2418 case X509_V_ERR_UNABLE_TO_GET_CRL: 2419 case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER: 2420 case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: 2421 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: 2422 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: 2423 case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: 2424 case X509_V_ERR_CERT_CHAIN_TOO_LONG: 2425 case X509_V_ERR_PATH_LENGTH_EXCEEDED: 2426 case X509_V_ERR_INVALID_CA: 2427 return TLS_FAIL_UNTRUSTED; 2428 case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: 2429 case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: 2430 case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: 2431 case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: 2432 case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: 2433 case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: 2434 case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: 2435 case X509_V_ERR_CERT_UNTRUSTED: 2436 case X509_V_ERR_CERT_REJECTED: 2437 return TLS_FAIL_BAD_CERTIFICATE; 2438 default: 2439 return TLS_FAIL_UNSPECIFIED; 2440 } 2441 } 2442 2443 get_x509_cert(X509 * cert)2444 static struct wpabuf * get_x509_cert(X509 *cert) 2445 { 2446 struct wpabuf *buf; 2447 u8 *tmp; 2448 2449 int cert_len = i2d_X509(cert, NULL); 2450 if (cert_len <= 0) 2451 return NULL; 2452 2453 buf = wpabuf_alloc(cert_len); 2454 if (buf == NULL) 2455 return NULL; 2456 2457 tmp = wpabuf_put(buf, cert_len); 2458 i2d_X509(cert, &tmp); 2459 return buf; 2460 } 2461 2462 openssl_tls_fail_event(struct tls_connection * conn,X509 * err_cert,int err,int depth,const char * subject,const char * err_str,enum tls_fail_reason reason)2463 static void openssl_tls_fail_event(struct tls_connection *conn, 2464 X509 *err_cert, int err, int depth, 2465 const char *subject, const char *err_str, 2466 enum tls_fail_reason reason) 2467 { 2468 union tls_event_data ev; 2469 struct wpabuf *cert = NULL; 2470 struct tls_context *context = conn->context; 2471 2472 if (context->event_cb == NULL) 2473 return; 2474 2475 cert = get_x509_cert(err_cert); 2476 os_memset(&ev, 0, sizeof(ev)); 2477 ev.cert_fail.reason = reason != TLS_FAIL_UNSPECIFIED ? 2478 reason : openssl_tls_fail_reason(err); 2479 ev.cert_fail.depth = depth; 2480 ev.cert_fail.subject = subject; 2481 ev.cert_fail.reason_txt = err_str; 2482 ev.cert_fail.cert = cert; 2483 context->event_cb(context->cb_ctx, TLS_CERT_CHAIN_FAILURE, &ev); 2484 wpabuf_free(cert); 2485 } 2486 2487 openssl_cert_tod(X509 * cert)2488 static int openssl_cert_tod(X509 *cert) 2489 { 2490 CERTIFICATEPOLICIES *ext; 2491 stack_index_t i; 2492 char buf[100]; 2493 int res; 2494 int tod = 0; 2495 2496 ext = X509_get_ext_d2i(cert, NID_certificate_policies, NULL, NULL); 2497 if (!ext) 2498 return 0; 2499 2500 for (i = 0; i < sk_POLICYINFO_num(ext); i++) { 2501 POLICYINFO *policy; 2502 2503 policy = sk_POLICYINFO_value(ext, i); 2504 res = OBJ_obj2txt(buf, sizeof(buf), policy->policyid, 0); 2505 if (res < 0 || (size_t) res >= sizeof(buf)) 2506 continue; 2507 wpa_printf(MSG_DEBUG, "OpenSSL: Certificate Policy %s", buf); 2508 if (os_strcmp(buf, "1.3.6.1.4.1.40808.1.3.1") == 0) 2509 tod = 1; /* TOD-STRICT */ 2510 else if (os_strcmp(buf, "1.3.6.1.4.1.40808.1.3.2") == 0 && !tod) 2511 tod = 2; /* TOD-TOFU */ 2512 } 2513 sk_POLICYINFO_pop_free(ext, POLICYINFO_free); 2514 2515 return tod; 2516 } 2517 2518 openssl_tls_cert_event(struct tls_connection * conn,X509 * err_cert,int depth,const char * subject)2519 static void openssl_tls_cert_event(struct tls_connection *conn, 2520 X509 *err_cert, int depth, 2521 const char *subject) 2522 { 2523 struct wpabuf *cert = NULL; 2524 union tls_event_data ev; 2525 struct tls_context *context = conn->context; 2526 char *altsubject[TLS_MAX_ALT_SUBJECT]; 2527 int alt, num_altsubject = 0; 2528 GENERAL_NAME *gen; 2529 void *ext; 2530 stack_index_t i; 2531 ASN1_INTEGER *ser; 2532 char serial_num[128]; 2533 #ifdef CONFIG_SHA256 2534 u8 hash[32]; 2535 #endif /* CONFIG_SHA256 */ 2536 2537 if (context->event_cb == NULL) 2538 return; 2539 2540 os_memset(&ev, 0, sizeof(ev)); 2541 if (conn->cert_probe || (conn->flags & TLS_CONN_EXT_CERT_CHECK) || 2542 context->cert_in_cb) { 2543 cert = get_x509_cert(err_cert); 2544 ev.peer_cert.cert = cert; 2545 } 2546 #ifdef CONFIG_SHA256 2547 if (cert) { 2548 const u8 *addr[1]; 2549 size_t len[1]; 2550 addr[0] = wpabuf_head(cert); 2551 len[0] = wpabuf_len(cert); 2552 if (sha256_vector(1, addr, len, hash) == 0) { 2553 ev.peer_cert.hash = hash; 2554 ev.peer_cert.hash_len = sizeof(hash); 2555 } 2556 } 2557 #endif /* CONFIG_SHA256 */ 2558 ev.peer_cert.depth = depth; 2559 ev.peer_cert.subject = subject; 2560 2561 ser = X509_get_serialNumber(err_cert); 2562 if (ser) { 2563 wpa_snprintf_hex_uppercase(serial_num, sizeof(serial_num), 2564 ASN1_STRING_get0_data(ser), 2565 ASN1_STRING_length(ser)); 2566 ev.peer_cert.serial_num = serial_num; 2567 } 2568 2569 ext = X509_get_ext_d2i(err_cert, NID_subject_alt_name, NULL, NULL); 2570 for (i = 0; ext && i < sk_GENERAL_NAME_num(ext); i++) { 2571 char *pos; 2572 2573 if (num_altsubject == TLS_MAX_ALT_SUBJECT) 2574 break; 2575 gen = sk_GENERAL_NAME_value(ext, i); 2576 if (gen->type != GEN_EMAIL && 2577 gen->type != GEN_DNS && 2578 gen->type != GEN_URI) 2579 continue; 2580 2581 pos = os_malloc(10 + gen->d.ia5->length + 1); 2582 if (pos == NULL) 2583 break; 2584 altsubject[num_altsubject++] = pos; 2585 2586 switch (gen->type) { 2587 case GEN_EMAIL: 2588 os_memcpy(pos, "EMAIL:", 6); 2589 pos += 6; 2590 break; 2591 case GEN_DNS: 2592 os_memcpy(pos, "DNS:", 4); 2593 pos += 4; 2594 break; 2595 case GEN_URI: 2596 os_memcpy(pos, "URI:", 4); 2597 pos += 4; 2598 break; 2599 } 2600 2601 os_memcpy(pos, gen->d.ia5->data, gen->d.ia5->length); 2602 pos += gen->d.ia5->length; 2603 *pos = '\0'; 2604 } 2605 sk_GENERAL_NAME_pop_free(ext, GENERAL_NAME_free); 2606 2607 for (alt = 0; alt < num_altsubject; alt++) 2608 ev.peer_cert.altsubject[alt] = altsubject[alt]; 2609 ev.peer_cert.num_altsubject = num_altsubject; 2610 2611 ev.peer_cert.tod = openssl_cert_tod(err_cert); 2612 2613 context->event_cb(context->cb_ctx, TLS_PEER_CERTIFICATE, &ev); 2614 wpabuf_free(cert); 2615 for (alt = 0; alt < num_altsubject; alt++) 2616 os_free(altsubject[alt]); 2617 } 2618 2619 debug_print_cert(X509 * cert,const char * title)2620 static void debug_print_cert(X509 *cert, const char *title) 2621 { 2622 #ifndef CONFIG_NO_STDOUT_DEBUG 2623 BIO *out; 2624 size_t rlen; 2625 char *txt; 2626 int res; 2627 2628 if (wpa_debug_level > MSG_DEBUG) 2629 return; 2630 2631 out = BIO_new(BIO_s_mem()); 2632 if (!out) 2633 return; 2634 2635 X509_print(out, cert); 2636 rlen = BIO_ctrl_pending(out); 2637 txt = os_malloc(rlen + 1); 2638 if (txt) { 2639 res = BIO_read(out, txt, rlen); 2640 if (res > 0) { 2641 txt[res] = '\0'; 2642 wpa_printf(MSG_DEBUG, "OpenSSL: %s\n%s", title, txt); 2643 } 2644 os_free(txt); 2645 } 2646 2647 BIO_free(out); 2648 #endif /* CONFIG_NO_STDOUT_DEBUG */ 2649 } 2650 2651 tls_verify_cb(int preverify_ok,X509_STORE_CTX * x509_ctx)2652 static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx) 2653 { 2654 char buf[256]; 2655 X509 *err_cert; 2656 int err, depth; 2657 SSL *ssl; 2658 struct tls_connection *conn; 2659 struct tls_context *context; 2660 char *match, *altmatch, *suffix_match, *domain_match; 2661 const char *check_cert_subject; 2662 const char *err_str; 2663 2664 err_cert = X509_STORE_CTX_get_current_cert(x509_ctx); 2665 if (!err_cert) 2666 return 0; 2667 2668 err = X509_STORE_CTX_get_error(x509_ctx); 2669 depth = X509_STORE_CTX_get_error_depth(x509_ctx); 2670 ssl = X509_STORE_CTX_get_ex_data(x509_ctx, 2671 SSL_get_ex_data_X509_STORE_CTX_idx()); 2672 os_snprintf(buf, sizeof(buf), "Peer certificate - depth %d", depth); 2673 debug_print_cert(err_cert, buf); 2674 X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof(buf)); 2675 2676 conn = SSL_get_app_data(ssl); 2677 if (conn == NULL) 2678 return 0; 2679 2680 if (depth == 0) 2681 conn->peer_cert = err_cert; 2682 else if (depth == 1) 2683 conn->peer_issuer = err_cert; 2684 else if (depth == 2) 2685 conn->peer_issuer_issuer = err_cert; 2686 2687 context = conn->context; 2688 match = conn->subject_match; 2689 altmatch = conn->altsubject_match; 2690 suffix_match = conn->suffix_match; 2691 domain_match = conn->domain_match; 2692 2693 if (!preverify_ok && !conn->ca_cert_verify) 2694 preverify_ok = 1; 2695 if (!preverify_ok && depth > 0 && conn->server_cert_only) 2696 preverify_ok = 1; 2697 if (!preverify_ok && (conn->flags & TLS_CONN_DISABLE_TIME_CHECKS) && 2698 (err == X509_V_ERR_CERT_HAS_EXPIRED || 2699 err == X509_V_ERR_CERT_NOT_YET_VALID)) { 2700 wpa_printf(MSG_DEBUG, "OpenSSL: Ignore certificate validity " 2701 "time mismatch"); 2702 preverify_ok = 1; 2703 } 2704 if (!preverify_ok && !conn->data->check_crl_strict && 2705 (err == X509_V_ERR_CRL_HAS_EXPIRED || 2706 err == X509_V_ERR_CRL_NOT_YET_VALID)) { 2707 wpa_printf(MSG_DEBUG, 2708 "OpenSSL: Ignore certificate validity CRL time mismatch"); 2709 preverify_ok = 1; 2710 } 2711 2712 err_str = X509_verify_cert_error_string(err); 2713 2714 #ifdef CONFIG_SHA256 2715 /* 2716 * Do not require preverify_ok so we can explicity allow otherwise 2717 * invalid pinned server certificates. 2718 */ 2719 if (depth == 0 && conn->server_cert_only) { 2720 struct wpabuf *cert; 2721 cert = get_x509_cert(err_cert); 2722 if (!cert) { 2723 wpa_printf(MSG_DEBUG, "OpenSSL: Could not fetch " 2724 "server certificate data"); 2725 preverify_ok = 0; 2726 } else { 2727 u8 hash[32]; 2728 const u8 *addr[1]; 2729 size_t len[1]; 2730 addr[0] = wpabuf_head(cert); 2731 len[0] = wpabuf_len(cert); 2732 if (sha256_vector(1, addr, len, hash) < 0 || 2733 os_memcmp(conn->srv_cert_hash, hash, 32) != 0) { 2734 err_str = "Server certificate mismatch"; 2735 err = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN; 2736 preverify_ok = 0; 2737 } else if (!preverify_ok) { 2738 /* 2739 * Certificate matches pinned certificate, allow 2740 * regardless of other problems. 2741 */ 2742 wpa_printf(MSG_DEBUG, 2743 "OpenSSL: Ignore validation issues for a pinned server certificate"); 2744 preverify_ok = 1; 2745 } 2746 wpabuf_free(cert); 2747 } 2748 } 2749 #endif /* CONFIG_SHA256 */ 2750 2751 openssl_tls_cert_event(conn, err_cert, depth, buf); 2752 2753 if (!preverify_ok) { 2754 if (depth > 0) { 2755 /* Send cert event for the peer certificate so that 2756 * the upper layers get information about it even if 2757 * validation of a CA certificate fails. */ 2758 STACK_OF(X509) *chain; 2759 2760 chain = X509_STORE_CTX_get1_chain(x509_ctx); 2761 if (chain && sk_X509_num(chain) > 0) { 2762 char buf2[256]; 2763 X509 *cert; 2764 2765 cert = sk_X509_value(chain, 0); 2766 X509_NAME_oneline(X509_get_subject_name(cert), 2767 buf2, sizeof(buf2)); 2768 2769 openssl_tls_cert_event(conn, cert, 0, buf2); 2770 } 2771 if (chain) 2772 sk_X509_pop_free(chain, X509_free); 2773 } 2774 2775 wpa_printf(MSG_WARNING, "TLS: Certificate verification failed," 2776 " error %d (%s) depth %d for '%s'", err, err_str, 2777 depth, buf); 2778 openssl_tls_fail_event(conn, err_cert, err, depth, buf, 2779 err_str, TLS_FAIL_UNSPECIFIED); 2780 return preverify_ok; 2781 } 2782 2783 wpa_printf(MSG_DEBUG, "TLS: tls_verify_cb - preverify_ok=%d " 2784 "err=%d (%s) ca_cert_verify=%d depth=%d buf='%s'", 2785 preverify_ok, err, err_str, 2786 conn->ca_cert_verify, depth, buf); 2787 check_cert_subject = conn->check_cert_subject; 2788 if (!check_cert_subject) 2789 check_cert_subject = conn->data->check_cert_subject; 2790 if (check_cert_subject) { 2791 if (depth == 0 && 2792 !tls_match_dn_field(err_cert, check_cert_subject)) { 2793 preverify_ok = 0; 2794 openssl_tls_fail_event(conn, err_cert, err, depth, buf, 2795 "Distinguished Name", 2796 TLS_FAIL_DN_MISMATCH); 2797 } 2798 } 2799 if (depth == 0 && match && os_strstr(buf, match) == NULL) { 2800 wpa_printf(MSG_WARNING, "TLS: Subject '%s' did not " 2801 "match with '%s'", buf, match); 2802 preverify_ok = 0; 2803 openssl_tls_fail_event(conn, err_cert, err, depth, buf, 2804 "Subject mismatch", 2805 TLS_FAIL_SUBJECT_MISMATCH); 2806 } else if (depth == 0 && altmatch && 2807 !tls_match_altsubject(err_cert, altmatch)) { 2808 wpa_printf(MSG_WARNING, "TLS: altSubjectName match " 2809 "'%s' not found", altmatch); 2810 preverify_ok = 0; 2811 openssl_tls_fail_event(conn, err_cert, err, depth, buf, 2812 "AltSubject mismatch", 2813 TLS_FAIL_ALTSUBJECT_MISMATCH); 2814 } else if (depth == 0 && suffix_match && 2815 !tls_match_suffix(err_cert, suffix_match, 0)) { 2816 wpa_printf(MSG_WARNING, "TLS: Domain suffix match '%s' not found", 2817 suffix_match); 2818 preverify_ok = 0; 2819 openssl_tls_fail_event(conn, err_cert, err, depth, buf, 2820 "Domain suffix mismatch", 2821 TLS_FAIL_DOMAIN_SUFFIX_MISMATCH); 2822 } else if (depth == 0 && domain_match && 2823 !tls_match_suffix(err_cert, domain_match, 1)) { 2824 wpa_printf(MSG_WARNING, "TLS: Domain match '%s' not found", 2825 domain_match); 2826 preverify_ok = 0; 2827 openssl_tls_fail_event(conn, err_cert, err, depth, buf, 2828 "Domain mismatch", 2829 TLS_FAIL_DOMAIN_MISMATCH); 2830 } 2831 2832 if (conn->cert_probe && preverify_ok && depth == 0) { 2833 wpa_printf(MSG_DEBUG, "OpenSSL: Reject server certificate " 2834 "on probe-only run"); 2835 preverify_ok = 0; 2836 openssl_tls_fail_event(conn, err_cert, err, depth, buf, 2837 "Server certificate chain probe", 2838 TLS_FAIL_SERVER_CHAIN_PROBE); 2839 } 2840 2841 #ifdef CONFIG_SUITEB 2842 if (conn->flags & TLS_CONN_SUITEB) { 2843 EVP_PKEY *pk; 2844 int len = -1; 2845 2846 pk = X509_get_pubkey(err_cert); 2847 if (pk) { 2848 len = EVP_PKEY_bits(pk); 2849 EVP_PKEY_free(pk); 2850 } 2851 2852 if (len >= 0) { 2853 wpa_printf(MSG_DEBUG, 2854 "OpenSSL: RSA modulus size: %d bits", len); 2855 if (len < 3072) { 2856 preverify_ok = 0; 2857 openssl_tls_fail_event( 2858 conn, err_cert, err, 2859 depth, buf, 2860 "Insufficient RSA modulus size", 2861 TLS_FAIL_INSUFFICIENT_KEY_LEN); 2862 } 2863 } 2864 } 2865 #endif /* CONFIG_SUITEB */ 2866 2867 #ifdef OPENSSL_IS_BORINGSSL 2868 if (depth == 0 && (conn->flags & TLS_CONN_REQUEST_OCSP) && 2869 preverify_ok) { 2870 enum ocsp_result res; 2871 2872 res = check_ocsp_resp(conn->ssl_ctx, conn->ssl, err_cert, 2873 conn->peer_issuer, 2874 conn->peer_issuer_issuer); 2875 if (res == OCSP_REVOKED) { 2876 preverify_ok = 0; 2877 openssl_tls_fail_event(conn, err_cert, err, depth, buf, 2878 "certificate revoked", 2879 TLS_FAIL_REVOKED); 2880 if (err == X509_V_OK) 2881 X509_STORE_CTX_set_error( 2882 x509_ctx, X509_V_ERR_CERT_REVOKED); 2883 } else if (res != OCSP_GOOD && 2884 (conn->flags & TLS_CONN_REQUIRE_OCSP)) { 2885 preverify_ok = 0; 2886 openssl_tls_fail_event(conn, err_cert, err, depth, buf, 2887 "bad certificate status response", 2888 TLS_FAIL_UNSPECIFIED); 2889 } 2890 } 2891 #endif /* OPENSSL_IS_BORINGSSL */ 2892 2893 if (depth == 0 && preverify_ok && context->event_cb != NULL) 2894 context->event_cb(context->cb_ctx, 2895 TLS_CERT_CHAIN_SUCCESS, NULL); 2896 2897 if (depth == 0 && preverify_ok) { 2898 os_free(conn->peer_subject); 2899 conn->peer_subject = os_strdup(buf); 2900 } 2901 2902 return preverify_ok; 2903 } 2904 2905 2906 #ifndef OPENSSL_NO_STDIO tls_load_ca_der(struct tls_data * data,const char * ca_cert)2907 static int tls_load_ca_der(struct tls_data *data, const char *ca_cert) 2908 { 2909 SSL_CTX *ssl_ctx = data->ssl; 2910 X509_LOOKUP *lookup; 2911 int ret = 0; 2912 2913 lookup = X509_STORE_add_lookup(SSL_CTX_get_cert_store(ssl_ctx), 2914 X509_LOOKUP_file()); 2915 if (lookup == NULL) { 2916 tls_show_errors(MSG_WARNING, __func__, 2917 "Failed add lookup for X509 store"); 2918 return -1; 2919 } 2920 2921 if (!X509_LOOKUP_load_file(lookup, ca_cert, X509_FILETYPE_ASN1)) { 2922 unsigned long err = ERR_peek_error(); 2923 tls_show_errors(MSG_WARNING, __func__, 2924 "Failed load CA in DER format"); 2925 if (ERR_GET_LIB(err) == ERR_LIB_X509 && 2926 ERR_GET_REASON(err) == X509_R_CERT_ALREADY_IN_HASH_TABLE) { 2927 wpa_printf(MSG_DEBUG, "OpenSSL: %s - ignoring " 2928 "cert already in hash table error", 2929 __func__); 2930 } else 2931 ret = -1; 2932 } 2933 2934 return ret; 2935 } 2936 #endif /* OPENSSL_NO_STDIO */ 2937 2938 tls_connection_ca_cert(struct tls_data * data,struct tls_connection * conn,const char * ca_cert,const u8 * ca_cert_blob,size_t ca_cert_blob_len,const char * ca_path)2939 static int tls_connection_ca_cert(struct tls_data *data, 2940 struct tls_connection *conn, 2941 const char *ca_cert, const u8 *ca_cert_blob, 2942 size_t ca_cert_blob_len, const char *ca_path) 2943 { 2944 SSL_CTX *ssl_ctx = data->ssl; 2945 X509_STORE *store; 2946 2947 /* 2948 * Remove previously configured trusted CA certificates before adding 2949 * new ones. 2950 */ 2951 store = X509_STORE_new(); 2952 if (store == NULL) { 2953 wpa_printf(MSG_DEBUG, "OpenSSL: %s - failed to allocate new " 2954 "certificate store", __func__); 2955 return -1; 2956 } 2957 SSL_CTX_set_cert_store(ssl_ctx, store); 2958 2959 SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb); 2960 conn->ca_cert_verify = 1; 2961 2962 if (ca_cert && os_strncmp(ca_cert, "probe://", 8) == 0) { 2963 wpa_printf(MSG_DEBUG, "OpenSSL: Probe for server certificate " 2964 "chain"); 2965 conn->cert_probe = 1; 2966 conn->ca_cert_verify = 0; 2967 return 0; 2968 } 2969 2970 if (ca_cert && os_strncmp(ca_cert, "hash://", 7) == 0) { 2971 #ifdef CONFIG_SHA256 2972 const char *pos = ca_cert + 7; 2973 if (os_strncmp(pos, "server/sha256/", 14) != 0) { 2974 wpa_printf(MSG_DEBUG, "OpenSSL: Unsupported ca_cert " 2975 "hash value '%s'", ca_cert); 2976 return -1; 2977 } 2978 pos += 14; 2979 if (os_strlen(pos) != 32 * 2) { 2980 wpa_printf(MSG_DEBUG, "OpenSSL: Unexpected SHA256 " 2981 "hash length in ca_cert '%s'", ca_cert); 2982 return -1; 2983 } 2984 if (hexstr2bin(pos, conn->srv_cert_hash, 32) < 0) { 2985 wpa_printf(MSG_DEBUG, "OpenSSL: Invalid SHA256 hash " 2986 "value in ca_cert '%s'", ca_cert); 2987 return -1; 2988 } 2989 conn->server_cert_only = 1; 2990 wpa_printf(MSG_DEBUG, "OpenSSL: Checking only server " 2991 "certificate match"); 2992 return 0; 2993 #else /* CONFIG_SHA256 */ 2994 wpa_printf(MSG_INFO, "No SHA256 included in the build - " 2995 "cannot validate server certificate hash"); 2996 return -1; 2997 #endif /* CONFIG_SHA256 */ 2998 } 2999 3000 if (ca_cert_blob) { 3001 X509 *cert = d2i_X509(NULL, 3002 (const unsigned char **) &ca_cert_blob, 3003 ca_cert_blob_len); 3004 if (cert == NULL) { 3005 BIO *bio = BIO_new_mem_buf(ca_cert_blob, 3006 ca_cert_blob_len); 3007 3008 if (bio) { 3009 cert = PEM_read_bio_X509(bio, NULL, NULL, NULL); 3010 BIO_free(bio); 3011 } 3012 3013 if (!cert) { 3014 tls_show_errors(MSG_WARNING, __func__, 3015 "Failed to parse ca_cert_blob"); 3016 return -1; 3017 } 3018 3019 while (ERR_get_error()) { 3020 /* Ignore errors from DER conversion. */ 3021 } 3022 } 3023 3024 if (!X509_STORE_add_cert(SSL_CTX_get_cert_store(ssl_ctx), 3025 cert)) { 3026 unsigned long err = ERR_peek_error(); 3027 tls_show_errors(MSG_WARNING, __func__, 3028 "Failed to add ca_cert_blob to " 3029 "certificate store"); 3030 if (ERR_GET_LIB(err) == ERR_LIB_X509 && 3031 ERR_GET_REASON(err) == 3032 X509_R_CERT_ALREADY_IN_HASH_TABLE) { 3033 wpa_printf(MSG_DEBUG, "OpenSSL: %s - ignoring " 3034 "cert already in hash table error", 3035 __func__); 3036 } else { 3037 X509_free(cert); 3038 return -1; 3039 } 3040 } 3041 X509_free(cert); 3042 wpa_printf(MSG_DEBUG, "OpenSSL: %s - added ca_cert_blob " 3043 "to certificate store", __func__); 3044 return 0; 3045 } 3046 3047 #ifdef ANDROID 3048 /* Single alias */ 3049 if (ca_cert && os_strncmp("keystore://", ca_cert, 11) == 0) { 3050 if (tls_add_ca_from_keystore(SSL_CTX_get_cert_store(ssl_ctx), 3051 &ca_cert[11]) < 0) 3052 return -1; 3053 SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb); 3054 return 0; 3055 } 3056 3057 /* Multiple aliases separated by space */ 3058 if (ca_cert && os_strncmp("keystores://", ca_cert, 12) == 0) { 3059 char *aliases = os_strdup(&ca_cert[12]); 3060 const char *delim = " "; 3061 int rc = 0; 3062 char *savedptr; 3063 char *alias; 3064 3065 if (!aliases) 3066 return -1; 3067 alias = strtok_r(aliases, delim, &savedptr); 3068 for (; alias; alias = strtok_r(NULL, delim, &savedptr)) { 3069 if (tls_add_ca_from_keystore_encoded( 3070 SSL_CTX_get_cert_store(ssl_ctx), alias)) { 3071 wpa_printf(MSG_WARNING, 3072 "OpenSSL: %s - Failed to add ca_cert %s from keystore", 3073 __func__, alias); 3074 rc = -1; 3075 break; 3076 } 3077 } 3078 os_free(aliases); 3079 if (rc) 3080 return rc; 3081 3082 SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb); 3083 return 0; 3084 } 3085 #endif /* ANDROID */ 3086 3087 #ifdef CONFIG_NATIVE_WINDOWS 3088 if (ca_cert && tls_cryptoapi_ca_cert(ssl_ctx, conn->ssl, ca_cert) == 3089 0) { 3090 wpa_printf(MSG_DEBUG, "OpenSSL: Added CA certificates from " 3091 "system certificate store"); 3092 return 0; 3093 } 3094 #endif /* CONFIG_NATIVE_WINDOWS */ 3095 3096 if (ca_cert || ca_path) { 3097 #ifndef OPENSSL_NO_STDIO 3098 if (SSL_CTX_load_verify_locations(ssl_ctx, ca_cert, ca_path) != 3099 1) { 3100 tls_show_errors(MSG_WARNING, __func__, 3101 "Failed to load root certificates"); 3102 if (ca_cert && 3103 tls_load_ca_der(data, ca_cert) == 0) { 3104 wpa_printf(MSG_DEBUG, "OpenSSL: %s - loaded " 3105 "DER format CA certificate", 3106 __func__); 3107 } else 3108 return -1; 3109 } else { 3110 wpa_printf(MSG_DEBUG, "TLS: Trusted root " 3111 "certificate(s) loaded"); 3112 tls_get_errors(data); 3113 } 3114 #else /* OPENSSL_NO_STDIO */ 3115 wpa_printf(MSG_DEBUG, "OpenSSL: %s - OPENSSL_NO_STDIO", 3116 __func__); 3117 return -1; 3118 #endif /* OPENSSL_NO_STDIO */ 3119 } else { 3120 /* No ca_cert configured - do not try to verify server 3121 * certificate */ 3122 conn->ca_cert_verify = 0; 3123 } 3124 3125 return 0; 3126 } 3127 3128 tls_global_ca_cert(struct tls_data * data,const char * ca_cert)3129 static int tls_global_ca_cert(struct tls_data *data, const char *ca_cert) 3130 { 3131 SSL_CTX *ssl_ctx = data->ssl; 3132 3133 if (ca_cert) { 3134 if (SSL_CTX_load_verify_locations(ssl_ctx, ca_cert, NULL) != 1) 3135 { 3136 tls_show_errors(MSG_WARNING, __func__, 3137 "Failed to load root certificates"); 3138 return -1; 3139 } 3140 3141 wpa_printf(MSG_DEBUG, "TLS: Trusted root " 3142 "certificate(s) loaded"); 3143 3144 #ifndef OPENSSL_NO_STDIO 3145 /* Add the same CAs to the client certificate requests */ 3146 SSL_CTX_set_client_CA_list(ssl_ctx, 3147 SSL_load_client_CA_file(ca_cert)); 3148 #endif /* OPENSSL_NO_STDIO */ 3149 3150 os_free(data->ca_cert); 3151 data->ca_cert = os_strdup(ca_cert); 3152 } 3153 3154 return 0; 3155 } 3156 3157 tls_global_set_verify(void * ssl_ctx,int check_crl,int strict)3158 int tls_global_set_verify(void *ssl_ctx, int check_crl, int strict) 3159 { 3160 int flags; 3161 3162 if (check_crl) { 3163 struct tls_data *data = ssl_ctx; 3164 X509_STORE *cs = SSL_CTX_get_cert_store(data->ssl); 3165 if (cs == NULL) { 3166 tls_show_errors(MSG_INFO, __func__, "Failed to get " 3167 "certificate store when enabling " 3168 "check_crl"); 3169 return -1; 3170 } 3171 flags = X509_V_FLAG_CRL_CHECK; 3172 if (check_crl == 2) 3173 flags |= X509_V_FLAG_CRL_CHECK_ALL; 3174 X509_STORE_set_flags(cs, flags); 3175 3176 data->check_crl = check_crl; 3177 data->check_crl_strict = strict; 3178 os_get_reltime(&data->crl_last_reload); 3179 } 3180 return 0; 3181 } 3182 3183 tls_connection_set_subject_match(struct tls_connection * conn,const char * subject_match,const char * altsubject_match,const char * suffix_match,const char * domain_match,const char * check_cert_subject)3184 static int tls_connection_set_subject_match(struct tls_connection *conn, 3185 const char *subject_match, 3186 const char *altsubject_match, 3187 const char *suffix_match, 3188 const char *domain_match, 3189 const char *check_cert_subject) 3190 { 3191 os_free(conn->subject_match); 3192 conn->subject_match = NULL; 3193 if (subject_match) { 3194 conn->subject_match = os_strdup(subject_match); 3195 if (conn->subject_match == NULL) 3196 return -1; 3197 } 3198 3199 os_free(conn->altsubject_match); 3200 conn->altsubject_match = NULL; 3201 if (altsubject_match) { 3202 conn->altsubject_match = os_strdup(altsubject_match); 3203 if (conn->altsubject_match == NULL) 3204 return -1; 3205 } 3206 3207 os_free(conn->suffix_match); 3208 conn->suffix_match = NULL; 3209 if (suffix_match) { 3210 conn->suffix_match = os_strdup(suffix_match); 3211 if (conn->suffix_match == NULL) 3212 return -1; 3213 } 3214 3215 os_free(conn->domain_match); 3216 conn->domain_match = NULL; 3217 if (domain_match) { 3218 conn->domain_match = os_strdup(domain_match); 3219 if (conn->domain_match == NULL) 3220 return -1; 3221 } 3222 3223 os_free(conn->check_cert_subject); 3224 conn->check_cert_subject = NULL; 3225 if (check_cert_subject) { 3226 conn->check_cert_subject = os_strdup(check_cert_subject); 3227 if (!conn->check_cert_subject) 3228 return -1; 3229 } 3230 3231 return 0; 3232 } 3233 3234 3235 #ifdef CONFIG_SUITEB suiteb_cert_cb(SSL * ssl,void * arg)3236 static int suiteb_cert_cb(SSL *ssl, void *arg) 3237 { 3238 struct tls_connection *conn = arg; 3239 3240 /* 3241 * This cert_cb() is not really the best location for doing a 3242 * constraint check for the ServerKeyExchange message, but this seems to 3243 * be the only place where the current OpenSSL sequence can be 3244 * terminated cleanly with an TLS alert going out to the server. 3245 */ 3246 3247 if (!(conn->flags & TLS_CONN_SUITEB)) 3248 return 1; 3249 3250 /* DHE is enabled only with DHE-RSA-AES256-GCM-SHA384 */ 3251 if (conn->cipher_suite != 0x9f) 3252 return 1; 3253 3254 if (conn->server_dh_prime_len >= 3072) 3255 return 1; 3256 3257 wpa_printf(MSG_DEBUG, 3258 "OpenSSL: Server DH prime length (%d bits) not sufficient for Suite B RSA - reject handshake", 3259 conn->server_dh_prime_len); 3260 return 0; 3261 } 3262 #endif /* CONFIG_SUITEB */ 3263 3264 tls_set_conn_flags(struct tls_connection * conn,unsigned int flags,const char * openssl_ciphers)3265 static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags, 3266 const char *openssl_ciphers) 3267 { 3268 SSL *ssl = conn->ssl; 3269 3270 #ifdef SSL_OP_NO_TICKET 3271 if (flags & TLS_CONN_DISABLE_SESSION_TICKET) 3272 SSL_set_options(ssl, SSL_OP_NO_TICKET); 3273 else 3274 SSL_clear_options(ssl, SSL_OP_NO_TICKET); 3275 #endif /* SSL_OP_NO_TICKET */ 3276 3277 #ifdef SSL_OP_LEGACY_SERVER_CONNECT 3278 if (flags & TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION) 3279 SSL_set_options(ssl, SSL_OP_LEGACY_SERVER_CONNECT); 3280 #endif /* SSL_OP_LEGACY_SERVER_CONNECT */ 3281 3282 #ifdef SSL_OP_NO_TLSv1 3283 if (flags & TLS_CONN_DISABLE_TLSv1_0) 3284 SSL_set_options(ssl, SSL_OP_NO_TLSv1); 3285 else 3286 SSL_clear_options(ssl, SSL_OP_NO_TLSv1); 3287 #endif /* SSL_OP_NO_TLSv1 */ 3288 #ifdef SSL_OP_NO_TLSv1_1 3289 if (flags & TLS_CONN_DISABLE_TLSv1_1) 3290 SSL_set_options(ssl, SSL_OP_NO_TLSv1_1); 3291 else 3292 SSL_clear_options(ssl, SSL_OP_NO_TLSv1_1); 3293 #endif /* SSL_OP_NO_TLSv1_1 */ 3294 #ifdef SSL_OP_NO_TLSv1_2 3295 if (flags & TLS_CONN_DISABLE_TLSv1_2) 3296 SSL_set_options(ssl, SSL_OP_NO_TLSv1_2); 3297 else 3298 SSL_clear_options(ssl, SSL_OP_NO_TLSv1_2); 3299 #endif /* SSL_OP_NO_TLSv1_2 */ 3300 #ifdef SSL_OP_NO_TLSv1_3 3301 if (flags & TLS_CONN_DISABLE_TLSv1_3) 3302 SSL_set_options(ssl, SSL_OP_NO_TLSv1_3); 3303 else 3304 SSL_clear_options(ssl, SSL_OP_NO_TLSv1_3); 3305 #endif /* SSL_OP_NO_TLSv1_3 */ 3306 #if OPENSSL_VERSION_NUMBER >= 0x10100000L 3307 if (flags & (TLS_CONN_ENABLE_TLSv1_0 | 3308 TLS_CONN_ENABLE_TLSv1_1 | 3309 TLS_CONN_ENABLE_TLSv1_2)) { 3310 int version = 0; 3311 3312 /* Explicit request to enable TLS versions even if needing to 3313 * override systemwide policies. */ 3314 if (flags & TLS_CONN_ENABLE_TLSv1_0) 3315 version = TLS1_VERSION; 3316 else if (flags & TLS_CONN_ENABLE_TLSv1_1) 3317 version = TLS1_1_VERSION; 3318 else if (flags & TLS_CONN_ENABLE_TLSv1_2) 3319 version = TLS1_2_VERSION; 3320 if (!version) { 3321 wpa_printf(MSG_DEBUG, 3322 "OpenSSL: Invalid TLS version configuration"); 3323 return -1; 3324 } 3325 3326 if (SSL_set_min_proto_version(ssl, version) != 1) { 3327 wpa_printf(MSG_DEBUG, 3328 "OpenSSL: Failed to set minimum TLS version"); 3329 return -1; 3330 } 3331 } 3332 #endif /* >= 1.1.0 */ 3333 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \ 3334 !defined(LIBRESSL_VERSION_NUMBER) && \ 3335 !defined(OPENSSL_IS_BORINGSSL) 3336 { 3337 #if OPENSSL_VERSION_NUMBER >= 0x30000000L 3338 int need_level = 0; 3339 #else 3340 int need_level = 1; 3341 #endif 3342 3343 if ((flags & 3344 (TLS_CONN_ENABLE_TLSv1_0 | TLS_CONN_ENABLE_TLSv1_1)) && 3345 SSL_get_security_level(ssl) > need_level) { 3346 /* 3347 * Need to drop to security level 1 (or 0 with OpenSSL 3348 * 3.0) to allow TLS versions older than 1.2 to be used 3349 * when explicitly enabled in configuration. 3350 */ 3351 SSL_set_security_level(conn->ssl, need_level); 3352 } 3353 } 3354 #endif 3355 3356 if (!openssl_ciphers) 3357 openssl_ciphers = conn->data->openssl_ciphers; 3358 3359 #ifdef CONFIG_SUITEB 3360 #ifdef OPENSSL_IS_BORINGSSL 3361 /* Start with defaults from BoringSSL */ 3362 SSL_CTX_set_verify_algorithm_prefs(conn->ssl_ctx, NULL, 0); 3363 #endif /* OPENSSL_IS_BORINGSSL */ 3364 if (flags & TLS_CONN_SUITEB_NO_ECDH) { 3365 const char *ciphers = "DHE-RSA-AES256-GCM-SHA384"; 3366 3367 if (openssl_ciphers) { 3368 wpa_printf(MSG_DEBUG, 3369 "OpenSSL: Override ciphers for Suite B (no ECDH): %s", 3370 openssl_ciphers); 3371 ciphers = openssl_ciphers; 3372 } 3373 if (SSL_set_cipher_list(ssl, ciphers) != 1) { 3374 wpa_printf(MSG_INFO, 3375 "OpenSSL: Failed to set Suite B ciphers"); 3376 return -1; 3377 } 3378 } else if (flags & TLS_CONN_SUITEB) { 3379 #if OPENSSL_VERSION_NUMBER < 0x30000000L 3380 EC_KEY *ecdh; 3381 #endif 3382 const char *ciphers = 3383 "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384"; 3384 int nid[1] = { NID_secp384r1 }; 3385 3386 if (openssl_ciphers) { 3387 wpa_printf(MSG_DEBUG, 3388 "OpenSSL: Override ciphers for Suite B: %s", 3389 openssl_ciphers); 3390 ciphers = openssl_ciphers; 3391 } 3392 if (SSL_set_cipher_list(ssl, ciphers) != 1) { 3393 wpa_printf(MSG_INFO, 3394 "OpenSSL: Failed to set Suite B ciphers"); 3395 return -1; 3396 } 3397 3398 #if OPENSSL_VERSION_NUMBER >= 0x30000000L 3399 if (SSL_set1_groups(ssl, nid, 1) != 1) { 3400 wpa_printf(MSG_INFO, 3401 "OpenSSL: Failed to set Suite B groups"); 3402 return -1; 3403 } 3404 3405 #else 3406 if (SSL_set1_curves(ssl, nid, 1) != 1) { 3407 wpa_printf(MSG_INFO, 3408 "OpenSSL: Failed to set Suite B curves"); 3409 return -1; 3410 } 3411 3412 ecdh = EC_KEY_new_by_curve_name(NID_secp384r1); 3413 if (!ecdh || SSL_set_tmp_ecdh(ssl, ecdh) != 1) { 3414 EC_KEY_free(ecdh); 3415 wpa_printf(MSG_INFO, 3416 "OpenSSL: Failed to set ECDH parameter"); 3417 return -1; 3418 } 3419 EC_KEY_free(ecdh); 3420 #endif 3421 } 3422 if (flags & (TLS_CONN_SUITEB | TLS_CONN_SUITEB_NO_ECDH)) { 3423 #ifdef OPENSSL_IS_BORINGSSL 3424 uint16_t sigalgs[3] = { SSL_SIGN_RSA_PKCS1_SHA384 }; 3425 int num = 1; 3426 3427 if (!(flags & TLS_CONN_DISABLE_TLSv1_3)) { 3428 #ifdef SSL_SIGN_ECDSA_SECP384R1_SHA384 3429 sigalgs[num++] = SSL_SIGN_ECDSA_SECP384R1_SHA384; 3430 #endif 3431 #ifdef SSL_SIGN_RSA_PSS_RSAE_SHA384 3432 sigalgs[num++] = SSL_SIGN_RSA_PSS_RSAE_SHA384; 3433 #endif 3434 } 3435 3436 if (SSL_CTX_set_verify_algorithm_prefs(conn->ssl_ctx, sigalgs, 3437 num) != 1) { 3438 wpa_printf(MSG_INFO, 3439 "OpenSSL: Failed to set Suite B sigalgs"); 3440 return -1; 3441 } 3442 #else /* OPENSSL_IS_BORINGSSL */ 3443 /* ECDSA+SHA384 if need to add EC support here */ 3444 const char *algs = "RSA+SHA384"; 3445 3446 if (!(flags & TLS_CONN_DISABLE_TLSv1_3)) 3447 algs = "RSA+SHA384:ecdsa_secp384r1_sha384:rsa_pss_rsae_sha384"; 3448 if (SSL_set1_sigalgs_list(ssl, algs) != 1) { 3449 wpa_printf(MSG_INFO, 3450 "OpenSSL: Failed to set Suite B sigalgs"); 3451 return -1; 3452 } 3453 #endif /* OPENSSL_IS_BORINGSSL */ 3454 3455 SSL_set_options(ssl, SSL_OP_NO_TLSv1); 3456 SSL_set_options(ssl, SSL_OP_NO_TLSv1_1); 3457 SSL_set_cert_cb(ssl, suiteb_cert_cb, conn); 3458 } 3459 3460 #ifdef OPENSSL_IS_BORINGSSL 3461 if (openssl_ciphers && os_strcmp(openssl_ciphers, "SUITEB192") == 0) { 3462 uint16_t sigalgs[1] = { SSL_SIGN_ECDSA_SECP384R1_SHA384 }; 3463 int nid[1] = { NID_secp384r1 }; 3464 3465 if (SSL_set1_curves(ssl, nid, 1) != 1) { 3466 wpa_printf(MSG_INFO, 3467 "OpenSSL: Failed to set Suite B curves"); 3468 return -1; 3469 } 3470 3471 if (SSL_CTX_set_verify_algorithm_prefs(conn->ssl_ctx, sigalgs, 3472 1) != 1) { 3473 wpa_printf(MSG_INFO, 3474 "OpenSSL: Failed to set Suite B sigalgs"); 3475 return -1; 3476 } 3477 } 3478 #else /* OPENSSL_IS_BORINGSSL */ 3479 if (!(flags & (TLS_CONN_SUITEB | TLS_CONN_SUITEB_NO_ECDH)) && 3480 openssl_ciphers && SSL_set_cipher_list(ssl, openssl_ciphers) != 1) { 3481 wpa_printf(MSG_INFO, 3482 "OpenSSL: Failed to set openssl_ciphers '%s'", 3483 openssl_ciphers); 3484 return -1; 3485 } 3486 #endif /* OPENSSL_IS_BORINGSSL */ 3487 #else /* CONFIG_SUITEB */ 3488 if (openssl_ciphers && SSL_set_cipher_list(ssl, openssl_ciphers) != 1) { 3489 wpa_printf(MSG_INFO, 3490 "OpenSSL: Failed to set openssl_ciphers '%s'", 3491 openssl_ciphers); 3492 return -1; 3493 } 3494 #endif /* CONFIG_SUITEB */ 3495 3496 if (flags & TLS_CONN_TEAP_ANON_DH) { 3497 #ifndef TEAP_DH_ANON_CS 3498 #define TEAP_DH_ANON_CS \ 3499 "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:" \ 3500 "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:" \ 3501 "ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:" \ 3502 "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:" \ 3503 "DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:" \ 3504 "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:" \ 3505 "ADH-AES256-GCM-SHA384:ADH-AES128-GCM-SHA256:" \ 3506 "ADH-AES256-SHA256:ADH-AES128-SHA256:ADH-AES256-SHA:ADH-AES128-SHA" 3507 #endif 3508 static const char *cs = TEAP_DH_ANON_CS; 3509 3510 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \ 3511 !defined(LIBRESSL_VERSION_NUMBER) && \ 3512 !defined(OPENSSL_IS_BORINGSSL) 3513 /* 3514 * Need to drop to security level 0 to allow anonymous 3515 * cipher suites for EAP-TEAP. 3516 */ 3517 SSL_set_security_level(conn->ssl, 0); 3518 #endif 3519 3520 wpa_printf(MSG_DEBUG, 3521 "OpenSSL: Enable cipher suites for anonymous EAP-TEAP provisioning: %s", 3522 cs); 3523 if (SSL_set_cipher_list(conn->ssl, cs) != 1) { 3524 tls_show_errors(MSG_INFO, __func__, 3525 "Cipher suite configuration failed"); 3526 return -1; 3527 } 3528 } 3529 3530 return 0; 3531 } 3532 3533 tls_connection_set_verify(void * ssl_ctx,struct tls_connection * conn,int verify_peer,unsigned int flags,const u8 * session_ctx,size_t session_ctx_len)3534 int tls_connection_set_verify(void *ssl_ctx, struct tls_connection *conn, 3535 int verify_peer, unsigned int flags, 3536 const u8 *session_ctx, size_t session_ctx_len) 3537 { 3538 static int counter = 0; 3539 struct tls_data *data = ssl_ctx; 3540 3541 if (conn == NULL) 3542 return -1; 3543 3544 if (verify_peer == 2) { 3545 conn->ca_cert_verify = 1; 3546 SSL_set_verify(conn->ssl, SSL_VERIFY_PEER | 3547 SSL_VERIFY_CLIENT_ONCE, tls_verify_cb); 3548 } else if (verify_peer) { 3549 conn->ca_cert_verify = 1; 3550 SSL_set_verify(conn->ssl, SSL_VERIFY_PEER | 3551 SSL_VERIFY_FAIL_IF_NO_PEER_CERT | 3552 SSL_VERIFY_CLIENT_ONCE, tls_verify_cb); 3553 } else { 3554 conn->ca_cert_verify = 0; 3555 SSL_set_verify(conn->ssl, SSL_VERIFY_NONE, NULL); 3556 } 3557 3558 if (tls_set_conn_flags(conn, flags, NULL) < 0) 3559 return -1; 3560 conn->flags = flags; 3561 3562 SSL_set_accept_state(conn->ssl); 3563 3564 if (data->tls_session_lifetime == 0) { 3565 /* 3566 * Set session id context to a unique value to make sure 3567 * session resumption cannot be used either through session 3568 * caching or TLS ticket extension. 3569 */ 3570 counter++; 3571 SSL_set_session_id_context(conn->ssl, 3572 (const unsigned char *) &counter, 3573 sizeof(counter)); 3574 } else if (session_ctx) { 3575 SSL_set_session_id_context(conn->ssl, session_ctx, 3576 session_ctx_len); 3577 } 3578 3579 return 0; 3580 } 3581 3582 tls_connection_client_cert(struct tls_connection * conn,const char * client_cert,const u8 * client_cert_blob,size_t client_cert_blob_len)3583 static int tls_connection_client_cert(struct tls_connection *conn, 3584 const char *client_cert, 3585 const u8 *client_cert_blob, 3586 size_t client_cert_blob_len) 3587 { 3588 if (client_cert == NULL && client_cert_blob == NULL) 3589 return 0; 3590 3591 #ifdef PKCS12_FUNCS 3592 #ifdef LIBRESSL_VERSION_NUMBER 3593 /* 3594 * Clear previously set extra chain certificates, if any, from PKCS#12 3595 * processing in tls_parse_pkcs12() to allow LibreSSL to build a new 3596 * chain properly. 3597 */ 3598 SSL_CTX_clear_extra_chain_certs(conn->ssl_ctx); 3599 #endif /* LIBRESSL_VERSION_NUMBER */ 3600 #endif /* PKCS12_FUNCS */ 3601 3602 if (client_cert_blob && 3603 SSL_use_certificate_ASN1(conn->ssl, (u8 *) client_cert_blob, 3604 client_cert_blob_len) == 1) { 3605 wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_certificate_ASN1 --> " 3606 "OK"); 3607 return 0; 3608 } else if (client_cert_blob) { 3609 #if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20901000L 3610 tls_show_errors(MSG_DEBUG, __func__, 3611 "SSL_use_certificate_ASN1 failed"); 3612 #else 3613 BIO *bio; 3614 X509 *x509; 3615 3616 tls_show_errors(MSG_DEBUG, __func__, 3617 "SSL_use_certificate_ASN1 failed"); 3618 bio = BIO_new(BIO_s_mem()); 3619 if (!bio) 3620 return -1; 3621 BIO_write(bio, client_cert_blob, client_cert_blob_len); 3622 x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL); 3623 if (!x509 || SSL_use_certificate(conn->ssl, x509) != 1) { 3624 X509_free(x509); 3625 BIO_free(bio); 3626 return -1; 3627 } 3628 X509_free(x509); 3629 wpa_printf(MSG_DEBUG, 3630 "OpenSSL: Found PEM encoded certificate from blob"); 3631 while ((x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL))) { 3632 wpa_printf(MSG_DEBUG, 3633 "OpenSSL: Added an additional certificate into the chain"); 3634 SSL_add0_chain_cert(conn->ssl, x509); 3635 } 3636 BIO_free(bio); 3637 return 0; 3638 #endif 3639 } 3640 3641 if (client_cert == NULL) 3642 return -1; 3643 3644 #ifdef ANDROID 3645 if (os_strncmp("keystore://", client_cert, 11) == 0) { 3646 BIO *bio = BIO_from_keystore(&client_cert[11]); 3647 X509 *x509 = NULL; 3648 int ret = -1; 3649 if (bio) { 3650 x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL); 3651 } 3652 if (x509) { 3653 if (SSL_use_certificate(conn->ssl, x509) == 1) 3654 ret = 0; 3655 X509_free(x509); 3656 } 3657 3658 /* Read additional certificates into the chain. */ 3659 while (bio) { 3660 x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL); 3661 if (x509) { 3662 /* Takes ownership of x509 */ 3663 SSL_add0_chain_cert(conn->ssl, x509); 3664 } else { 3665 BIO_free(bio); 3666 bio = NULL; 3667 } 3668 } 3669 return ret; 3670 } 3671 #endif /* ANDROID */ 3672 3673 #ifndef OPENSSL_NO_STDIO 3674 if (SSL_use_certificate_file(conn->ssl, client_cert, 3675 SSL_FILETYPE_ASN1) == 1) { 3676 wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_certificate_file (DER)" 3677 " --> OK"); 3678 return 0; 3679 } 3680 3681 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \ 3682 !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL) 3683 if (SSL_use_certificate_chain_file(conn->ssl, client_cert) == 1) { 3684 ERR_clear_error(); 3685 wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_certificate_chain_file" 3686 " --> OK"); 3687 return 0; 3688 } 3689 #else 3690 if (SSL_use_certificate_file(conn->ssl, client_cert, 3691 SSL_FILETYPE_PEM) == 1) { 3692 ERR_clear_error(); 3693 wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_certificate_file (PEM)" 3694 " --> OK"); 3695 return 0; 3696 } 3697 #endif 3698 3699 tls_show_errors(MSG_DEBUG, __func__, 3700 "SSL_use_certificate_file failed"); 3701 #else /* OPENSSL_NO_STDIO */ 3702 wpa_printf(MSG_DEBUG, "OpenSSL: %s - OPENSSL_NO_STDIO", __func__); 3703 #endif /* OPENSSL_NO_STDIO */ 3704 3705 return -1; 3706 } 3707 3708 tls_global_client_cert(struct tls_data * data,const char * client_cert)3709 static int tls_global_client_cert(struct tls_data *data, 3710 const char *client_cert) 3711 { 3712 #ifndef OPENSSL_NO_STDIO 3713 SSL_CTX *ssl_ctx = data->ssl; 3714 3715 if (client_cert == NULL) 3716 return 0; 3717 3718 if (SSL_CTX_use_certificate_file(ssl_ctx, client_cert, 3719 SSL_FILETYPE_ASN1) != 1 && 3720 SSL_CTX_use_certificate_chain_file(ssl_ctx, client_cert) != 1 && 3721 SSL_CTX_use_certificate_file(ssl_ctx, client_cert, 3722 SSL_FILETYPE_PEM) != 1) { 3723 tls_show_errors(MSG_INFO, __func__, 3724 "Failed to load client certificate"); 3725 return -1; 3726 } 3727 return 0; 3728 #else /* OPENSSL_NO_STDIO */ 3729 if (client_cert == NULL) 3730 return 0; 3731 wpa_printf(MSG_DEBUG, "OpenSSL: %s - OPENSSL_NO_STDIO", __func__); 3732 return -1; 3733 #endif /* OPENSSL_NO_STDIO */ 3734 } 3735 3736 3737 #ifdef PKCS12_FUNCS tls_parse_pkcs12(struct tls_data * data,SSL * ssl,PKCS12 * p12,const char * passwd)3738 static int tls_parse_pkcs12(struct tls_data *data, SSL *ssl, PKCS12 *p12, 3739 const char *passwd) 3740 { 3741 EVP_PKEY *pkey; 3742 X509 *cert; 3743 STACK_OF(X509) *certs; 3744 int res = 0; 3745 char buf[256]; 3746 3747 pkey = NULL; 3748 cert = NULL; 3749 certs = NULL; 3750 if (!passwd) 3751 passwd = ""; 3752 if (!PKCS12_parse(p12, passwd, &pkey, &cert, &certs)) { 3753 tls_show_errors(MSG_DEBUG, __func__, 3754 "Failed to parse PKCS12 file"); 3755 PKCS12_free(p12); 3756 return -1; 3757 } 3758 wpa_printf(MSG_DEBUG, "TLS: Successfully parsed PKCS12 data"); 3759 3760 if (cert) { 3761 X509_NAME_oneline(X509_get_subject_name(cert), buf, 3762 sizeof(buf)); 3763 wpa_printf(MSG_DEBUG, "TLS: Got certificate from PKCS12: " 3764 "subject='%s'", buf); 3765 if (ssl) { 3766 if (SSL_use_certificate(ssl, cert) != 1) 3767 res = -1; 3768 } else { 3769 if (SSL_CTX_use_certificate(data->ssl, cert) != 1) 3770 res = -1; 3771 } 3772 X509_free(cert); 3773 } 3774 3775 if (pkey) { 3776 wpa_printf(MSG_DEBUG, "TLS: Got private key from PKCS12"); 3777 if (ssl) { 3778 if (SSL_use_PrivateKey(ssl, pkey) != 1) 3779 res = -1; 3780 } else { 3781 if (SSL_CTX_use_PrivateKey(data->ssl, pkey) != 1) 3782 res = -1; 3783 } 3784 EVP_PKEY_free(pkey); 3785 } 3786 3787 if (certs) { 3788 #ifndef LIBRESSL_VERSION_NUMBER 3789 if (ssl) 3790 SSL_clear_chain_certs(ssl); 3791 else 3792 SSL_CTX_clear_chain_certs(data->ssl); 3793 while ((cert = sk_X509_pop(certs)) != NULL) { 3794 X509_NAME_oneline(X509_get_subject_name(cert), buf, 3795 sizeof(buf)); 3796 wpa_printf(MSG_DEBUG, "TLS: additional certificate" 3797 " from PKCS12: subject='%s'", buf); 3798 if ((ssl && SSL_add1_chain_cert(ssl, cert) != 1) || 3799 (!ssl && SSL_CTX_add1_chain_cert(data->ssl, 3800 cert) != 1)) { 3801 tls_show_errors(MSG_DEBUG, __func__, 3802 "Failed to add additional certificate"); 3803 res = -1; 3804 X509_free(cert); 3805 break; 3806 } 3807 X509_free(cert); 3808 } 3809 if (!res) { 3810 /* Try to continue anyway */ 3811 } 3812 sk_X509_pop_free(certs, X509_free); 3813 #ifndef OPENSSL_IS_BORINGSSL 3814 if (ssl) 3815 res = SSL_build_cert_chain( 3816 ssl, 3817 SSL_BUILD_CHAIN_FLAG_CHECK | 3818 SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR); 3819 else 3820 res = SSL_CTX_build_cert_chain( 3821 data->ssl, 3822 SSL_BUILD_CHAIN_FLAG_CHECK | 3823 SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR); 3824 if (!res) { 3825 tls_show_errors(MSG_DEBUG, __func__, 3826 "Failed to build certificate chain"); 3827 } else if (res == 2) { 3828 wpa_printf(MSG_DEBUG, 3829 "TLS: Ignore certificate chain verification error when building chain with PKCS#12 extra certificates"); 3830 } 3831 #endif /* OPENSSL_IS_BORINGSSL */ 3832 /* 3833 * Try to continue regardless of result since it is possible for 3834 * the extra certificates not to be required. 3835 */ 3836 res = 0; 3837 #else /* LIBRESSL_VERSION_NUMBER */ 3838 SSL_CTX_clear_extra_chain_certs(data->ssl); 3839 while ((cert = sk_X509_pop(certs)) != NULL) { 3840 X509_NAME_oneline(X509_get_subject_name(cert), buf, 3841 sizeof(buf)); 3842 wpa_printf(MSG_DEBUG, "TLS: additional certificate" 3843 " from PKCS12: subject='%s'", buf); 3844 /* 3845 * There is no SSL equivalent for the chain cert - so 3846 * always add it to the context... 3847 */ 3848 if (SSL_CTX_add_extra_chain_cert(data->ssl, cert) != 1) 3849 { 3850 X509_free(cert); 3851 res = -1; 3852 break; 3853 } 3854 } 3855 sk_X509_pop_free(certs, X509_free); 3856 #endif /* LIBRSESSL_VERSION_NUMBER */ 3857 } 3858 3859 PKCS12_free(p12); 3860 3861 if (res < 0) 3862 tls_get_errors(data); 3863 3864 return res; 3865 } 3866 #endif /* PKCS12_FUNCS */ 3867 3868 tls_read_pkcs12(struct tls_data * data,SSL * ssl,const char * private_key,const char * passwd)3869 static int tls_read_pkcs12(struct tls_data *data, SSL *ssl, 3870 const char *private_key, const char *passwd) 3871 { 3872 #ifdef PKCS12_FUNCS 3873 FILE *f; 3874 PKCS12 *p12; 3875 3876 f = fopen(private_key, "rb"); 3877 if (f == NULL) 3878 return -1; 3879 3880 p12 = d2i_PKCS12_fp(f, NULL); 3881 fclose(f); 3882 3883 if (p12 == NULL) { 3884 tls_show_errors(MSG_INFO, __func__, 3885 "Failed to use PKCS#12 file"); 3886 return -1; 3887 } 3888 3889 return tls_parse_pkcs12(data, ssl, p12, passwd); 3890 3891 #else /* PKCS12_FUNCS */ 3892 wpa_printf(MSG_INFO, "TLS: PKCS12 support disabled - cannot read " 3893 "p12/pfx files"); 3894 return -1; 3895 #endif /* PKCS12_FUNCS */ 3896 } 3897 3898 tls_read_pkcs12_blob(struct tls_data * data,SSL * ssl,const u8 * blob,size_t len,const char * passwd)3899 static int tls_read_pkcs12_blob(struct tls_data *data, SSL *ssl, 3900 const u8 *blob, size_t len, const char *passwd) 3901 { 3902 #ifdef PKCS12_FUNCS 3903 PKCS12 *p12; 3904 3905 p12 = d2i_PKCS12(NULL, (const unsigned char **) &blob, len); 3906 if (p12 == NULL) { 3907 tls_show_errors(MSG_INFO, __func__, 3908 "Failed to use PKCS#12 blob"); 3909 return -1; 3910 } 3911 3912 return tls_parse_pkcs12(data, ssl, p12, passwd); 3913 3914 #else /* PKCS12_FUNCS */ 3915 wpa_printf(MSG_INFO, "TLS: PKCS12 support disabled - cannot parse " 3916 "p12/pfx blobs"); 3917 return -1; 3918 #endif /* PKCS12_FUNCS */ 3919 } 3920 3921 3922 #ifndef OPENSSL_NO_ENGINE tls_engine_get_cert(struct tls_connection * conn,const char * cert_id,X509 ** cert)3923 static int tls_engine_get_cert(struct tls_connection *conn, 3924 const char *cert_id, 3925 X509 **cert) 3926 { 3927 /* this runs after the private key is loaded so no PIN is required */ 3928 struct { 3929 const char *cert_id; 3930 X509 *cert; 3931 } params; 3932 params.cert_id = cert_id; 3933 params.cert = NULL; 3934 3935 if (!ENGINE_ctrl_cmd(conn->engine, "LOAD_CERT_CTRL", 3936 0, ¶ms, NULL, 1)) { 3937 unsigned long err = ERR_get_error(); 3938 3939 wpa_printf(MSG_ERROR, "ENGINE: cannot load client cert with id" 3940 " '%s' [%s]", cert_id, 3941 ERR_error_string(err, NULL)); 3942 if (tls_is_pin_error(err)) 3943 return TLS_SET_PARAMS_ENGINE_PRV_BAD_PIN; 3944 return TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED; 3945 } 3946 if (!params.cert) { 3947 wpa_printf(MSG_ERROR, "ENGINE: did not properly cert with id" 3948 " '%s'", cert_id); 3949 return TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED; 3950 } 3951 *cert = params.cert; 3952 return 0; 3953 } 3954 #endif /* OPENSSL_NO_ENGINE */ 3955 3956 tls_connection_engine_client_cert(struct tls_connection * conn,const char * cert_id)3957 static int tls_connection_engine_client_cert(struct tls_connection *conn, 3958 const char *cert_id) 3959 { 3960 X509 *cert; 3961 3962 #ifndef OPENSSL_NO_ENGINE 3963 if (tls_engine_get_cert(conn, cert_id, &cert)) 3964 return -1; 3965 #else /* OPENSSL_NO_ENGINE */ 3966 cert = provider_load_cert(cert_id); 3967 if (!cert) 3968 return -1; 3969 #endif /* OPENSSL_NO_ENGINE */ 3970 3971 if (!SSL_use_certificate(conn->ssl, cert)) { 3972 tls_show_errors(MSG_ERROR, __func__, 3973 "SSL_use_certificate failed"); 3974 X509_free(cert); 3975 return -1; 3976 } 3977 X509_free(cert); 3978 wpa_printf(MSG_DEBUG, "ENGINE/provider: SSL_use_certificate --> " 3979 "OK"); 3980 return 0; 3981 } 3982 3983 tls_connection_engine_ca_cert(struct tls_data * data,struct tls_connection * conn,const char * ca_cert_id)3984 static int tls_connection_engine_ca_cert(struct tls_data *data, 3985 struct tls_connection *conn, 3986 const char *ca_cert_id) 3987 { 3988 X509 *cert; 3989 SSL_CTX *ssl_ctx = data->ssl; 3990 X509_STORE *store; 3991 3992 #ifndef OPENSSL_NO_ENGINE 3993 if (tls_engine_get_cert(conn, ca_cert_id, &cert)) 3994 return -1; 3995 #else /* OPENSSL_NO_ENGINE */ 3996 cert = provider_load_cert(ca_cert_id); 3997 if (!cert) 3998 return -1; 3999 #endif /* OPENSSL_NO_ENGINE */ 4000 4001 /* start off the same as tls_connection_ca_cert */ 4002 store = X509_STORE_new(); 4003 if (store == NULL) { 4004 wpa_printf(MSG_DEBUG, "OpenSSL: %s - failed to allocate new " 4005 "certificate store", __func__); 4006 X509_free(cert); 4007 return -1; 4008 } 4009 SSL_CTX_set_cert_store(ssl_ctx, store); 4010 if (!X509_STORE_add_cert(store, cert)) { 4011 unsigned long err = ERR_peek_error(); 4012 tls_show_errors(MSG_WARNING, __func__, 4013 "Failed to add CA certificate from engine/provider " 4014 "to certificate store"); 4015 if (ERR_GET_LIB(err) == ERR_LIB_X509 && 4016 ERR_GET_REASON(err) == X509_R_CERT_ALREADY_IN_HASH_TABLE) { 4017 wpa_printf(MSG_DEBUG, "OpenSSL: %s - ignoring cert" 4018 " already in hash table error", 4019 __func__); 4020 } else { 4021 X509_free(cert); 4022 return -1; 4023 } 4024 } 4025 X509_free(cert); 4026 wpa_printf(MSG_DEBUG, 4027 "OpenSSL: %s - added CA certificate from engine/provider to certificate store", 4028 __func__); 4029 SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb); 4030 conn->ca_cert_verify = 1; 4031 4032 return 0; 4033 } 4034 4035 tls_connection_engine_private_key(struct tls_connection * conn)4036 static int tls_connection_engine_private_key(struct tls_connection *conn) 4037 { 4038 if (SSL_use_PrivateKey(conn->ssl, conn->private_key) != 1) { 4039 tls_show_errors(MSG_ERROR, __func__, 4040 "ENGINE/provider: cannot use private key for TLS"); 4041 return -1; 4042 } 4043 if (!SSL_check_private_key(conn->ssl)) { 4044 tls_show_errors(MSG_INFO, __func__, 4045 "Private key failed verification"); 4046 return -1; 4047 } 4048 return 0; 4049 } 4050 4051 4052 #ifndef OPENSSL_NO_STDIO tls_passwd_cb(char * buf,int size,int rwflag,void * password)4053 static int tls_passwd_cb(char *buf, int size, int rwflag, void *password) 4054 { 4055 if (!password) 4056 return 0; 4057 os_strlcpy(buf, (const char *) password, size); 4058 return os_strlen(buf); 4059 } 4060 #endif /* OPENSSL_NO_STDIO */ 4061 4062 tls_use_private_key_file(struct tls_data * data,SSL * ssl,const char * private_key,const char * private_key_passwd)4063 static int tls_use_private_key_file(struct tls_data *data, SSL *ssl, 4064 const char *private_key, 4065 const char *private_key_passwd) 4066 { 4067 #ifndef OPENSSL_NO_STDIO 4068 BIO *bio; 4069 EVP_PKEY *pkey; 4070 int ret; 4071 4072 /* First try ASN.1 (DER). */ 4073 bio = BIO_new_file(private_key, "r"); 4074 if (!bio) 4075 return -1; 4076 pkey = d2i_PrivateKey_bio(bio, NULL); 4077 BIO_free(bio); 4078 4079 if (pkey) { 4080 wpa_printf(MSG_DEBUG, "OpenSSL: %s (DER) --> loaded", __func__); 4081 } else { 4082 /* Try PEM with the provided password. */ 4083 bio = BIO_new_file(private_key, "r"); 4084 if (!bio) 4085 return -1; 4086 pkey = PEM_read_bio_PrivateKey(bio, NULL, tls_passwd_cb, 4087 (void *) private_key_passwd); 4088 BIO_free(bio); 4089 if (!pkey) 4090 return -1; 4091 wpa_printf(MSG_DEBUG, "OpenSSL: %s (PEM) --> loaded", __func__); 4092 /* Clear errors from the previous failed load. */ 4093 ERR_clear_error(); 4094 } 4095 4096 if (ssl) 4097 ret = SSL_use_PrivateKey(ssl, pkey); 4098 else 4099 ret = SSL_CTX_use_PrivateKey(data->ssl, pkey); 4100 4101 EVP_PKEY_free(pkey); 4102 return ret == 1 ? 0 : -1; 4103 #else /* OPENSSL_NO_STDIO */ 4104 wpa_printf(MSG_DEBUG, "OpenSSL: %s - OPENSSL_NO_STDIO", __func__); 4105 return -1; 4106 #endif /* OPENSSL_NO_STDIO */ 4107 } 4108 4109 tls_connection_private_key(struct tls_data * data,struct tls_connection * conn,const char * private_key,const char * private_key_passwd,const u8 * private_key_blob,size_t private_key_blob_len)4110 static int tls_connection_private_key(struct tls_data *data, 4111 struct tls_connection *conn, 4112 const char *private_key, 4113 const char *private_key_passwd, 4114 const u8 *private_key_blob, 4115 size_t private_key_blob_len) 4116 { 4117 BIO *bio; 4118 int ok; 4119 4120 if (private_key == NULL && private_key_blob == NULL) 4121 return 0; 4122 4123 ok = 0; 4124 while (private_key_blob) { 4125 if (SSL_use_PrivateKey_ASN1(EVP_PKEY_RSA, conn->ssl, 4126 (u8 *) private_key_blob, 4127 private_key_blob_len) == 1) { 4128 wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_PrivateKey_" 4129 "ASN1(EVP_PKEY_RSA) --> OK"); 4130 ok = 1; 4131 break; 4132 } 4133 4134 if (SSL_use_PrivateKey_ASN1(EVP_PKEY_DSA, conn->ssl, 4135 (u8 *) private_key_blob, 4136 private_key_blob_len) == 1) { 4137 wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_PrivateKey_" 4138 "ASN1(EVP_PKEY_DSA) --> OK"); 4139 ok = 1; 4140 break; 4141 } 4142 4143 #ifndef OPENSSL_NO_EC 4144 if (SSL_use_PrivateKey_ASN1(EVP_PKEY_EC, conn->ssl, 4145 (u8 *) private_key_blob, 4146 private_key_blob_len) == 1) { 4147 wpa_printf(MSG_DEBUG, 4148 "OpenSSL: SSL_use_PrivateKey_ASN1(EVP_PKEY_EC) --> OK"); 4149 ok = 1; 4150 break; 4151 } 4152 #endif /* OPENSSL_NO_EC */ 4153 4154 #if OPENSSL_VERSION_NUMBER < 0x30000000L 4155 if (SSL_use_RSAPrivateKey_ASN1(conn->ssl, 4156 (u8 *) private_key_blob, 4157 private_key_blob_len) == 1) { 4158 wpa_printf(MSG_DEBUG, "OpenSSL: " 4159 "SSL_use_RSAPrivateKey_ASN1 --> OK"); 4160 ok = 1; 4161 break; 4162 } 4163 #endif 4164 4165 bio = BIO_new_mem_buf((u8 *) private_key_blob, 4166 private_key_blob_len); 4167 if (bio) { 4168 EVP_PKEY *pkey; 4169 4170 pkey = PEM_read_bio_PrivateKey( 4171 bio, NULL, tls_passwd_cb, 4172 (void *) private_key_passwd); 4173 if (pkey) { 4174 if (SSL_use_PrivateKey(conn->ssl, pkey) == 1) { 4175 wpa_printf(MSG_DEBUG, 4176 "OpenSSL: SSL_use_PrivateKey --> OK"); 4177 ok = 1; 4178 EVP_PKEY_free(pkey); 4179 BIO_free(bio); 4180 break; 4181 } 4182 EVP_PKEY_free(pkey); 4183 } 4184 BIO_free(bio); 4185 } 4186 4187 if (tls_read_pkcs12_blob(data, conn->ssl, private_key_blob, 4188 private_key_blob_len, 4189 private_key_passwd) == 0) { 4190 wpa_printf(MSG_DEBUG, "OpenSSL: PKCS#12 as blob --> " 4191 "OK"); 4192 ok = 1; 4193 break; 4194 } 4195 4196 break; 4197 } 4198 4199 while (!ok && private_key) { 4200 if (tls_use_private_key_file(data, conn->ssl, private_key, 4201 private_key_passwd) == 0) { 4202 ok = 1; 4203 break; 4204 } 4205 4206 if (tls_read_pkcs12(data, conn->ssl, private_key, 4207 private_key_passwd) == 0) { 4208 wpa_printf(MSG_DEBUG, "OpenSSL: Reading PKCS#12 file " 4209 "--> OK"); 4210 ok = 1; 4211 break; 4212 } 4213 4214 if (tls_cryptoapi_cert(conn->ssl, private_key) == 0) { 4215 wpa_printf(MSG_DEBUG, "OpenSSL: Using CryptoAPI to " 4216 "access certificate store --> OK"); 4217 ok = 1; 4218 break; 4219 } 4220 4221 break; 4222 } 4223 4224 if (!ok) { 4225 tls_show_errors(MSG_INFO, __func__, 4226 "Failed to load private key"); 4227 return -1; 4228 } 4229 ERR_clear_error(); 4230 4231 if (!SSL_check_private_key(conn->ssl)) { 4232 tls_show_errors(MSG_INFO, __func__, "Private key failed " 4233 "verification"); 4234 return -1; 4235 } 4236 4237 wpa_printf(MSG_DEBUG, "SSL: Private key loaded successfully"); 4238 return 0; 4239 } 4240 4241 tls_global_private_key(struct tls_data * data,const char * private_key,const char * private_key_passwd)4242 static int tls_global_private_key(struct tls_data *data, 4243 const char *private_key, 4244 const char *private_key_passwd) 4245 { 4246 SSL_CTX *ssl_ctx = data->ssl; 4247 4248 if (private_key == NULL) 4249 return 0; 4250 4251 if (tls_use_private_key_file(data, NULL, private_key, 4252 private_key_passwd) && 4253 tls_read_pkcs12(data, NULL, private_key, private_key_passwd)) { 4254 tls_show_errors(MSG_INFO, __func__, 4255 "Failed to load private key"); 4256 ERR_clear_error(); 4257 return -1; 4258 } 4259 ERR_clear_error(); 4260 4261 if (!SSL_CTX_check_private_key(ssl_ctx)) { 4262 tls_show_errors(MSG_INFO, __func__, 4263 "Private key failed verification"); 4264 return -1; 4265 } 4266 4267 return 0; 4268 } 4269 4270 4271 #if OPENSSL_VERSION_NUMBER >= 0x30000000L 4272 #ifndef OPENSSL_NO_DH 4273 #ifndef OPENSSL_NO_DSA 4274 /* This is needed to replace the deprecated DSA_dup_DH() function */ openssl_dsa_to_dh(EVP_PKEY * dsa)4275 static EVP_PKEY * openssl_dsa_to_dh(EVP_PKEY *dsa) 4276 { 4277 OSSL_PARAM_BLD *bld = NULL; 4278 OSSL_PARAM *params = NULL; 4279 BIGNUM *p = NULL, *q = NULL, *g = NULL; 4280 EVP_PKEY_CTX *ctx = NULL; 4281 EVP_PKEY *pkey = NULL; 4282 4283 if (!EVP_PKEY_get_bn_param(dsa, OSSL_PKEY_PARAM_FFC_P, &p) || 4284 !EVP_PKEY_get_bn_param(dsa, OSSL_PKEY_PARAM_FFC_Q, &q) || 4285 !EVP_PKEY_get_bn_param(dsa, OSSL_PKEY_PARAM_FFC_G, &g) || 4286 !(bld = OSSL_PARAM_BLD_new()) || 4287 !OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_P, p) || 4288 !OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_Q, q) || 4289 !OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_G, g) || 4290 !(params = OSSL_PARAM_BLD_to_param(bld)) || 4291 !(ctx = EVP_PKEY_CTX_new_from_name(NULL, "DHX", NULL)) || 4292 EVP_PKEY_fromdata_init(ctx) != 1 || 4293 EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_KEY_PARAMETERS, 4294 params) != 1) 4295 wpa_printf(MSG_INFO, 4296 "TLS: Failed to convert DSA parameters to DH parameters"); 4297 4298 EVP_PKEY_CTX_free(ctx); 4299 OSSL_PARAM_free(params); 4300 OSSL_PARAM_BLD_free(bld); 4301 BN_free(p); 4302 BN_free(q); 4303 BN_free(g); 4304 return pkey; 4305 } 4306 #endif /* !OPENSSL_NO_DSA */ 4307 #endif /* OPENSSL_NO_DH */ 4308 #endif /* OpenSSL version >= 3.0 */ 4309 tls_global_dh(struct tls_data * data,const char * dh_file)4310 static int tls_global_dh(struct tls_data *data, const char *dh_file) 4311 { 4312 #ifdef OPENSSL_NO_DH 4313 if (dh_file == NULL) 4314 return 0; 4315 wpa_printf(MSG_ERROR, "TLS: openssl does not include DH support, but " 4316 "dh_file specified"); 4317 return -1; 4318 #else /* OPENSSL_NO_DH */ 4319 #if OPENSSL_VERSION_NUMBER >= 0x30000000L 4320 SSL_CTX *ssl_ctx = data->ssl; 4321 BIO *bio; 4322 OSSL_DECODER_CTX *ctx = NULL; 4323 EVP_PKEY *pkey = NULL, *tmpkey = NULL; 4324 bool dsa = false; 4325 4326 if (!ssl_ctx) 4327 return -1; 4328 if (!dh_file) { 4329 SSL_CTX_set_dh_auto(ssl_ctx, 1); 4330 return 0; 4331 } 4332 4333 bio = BIO_new_file(dh_file, "r"); 4334 if (!bio) { 4335 wpa_printf(MSG_INFO, "TLS: Failed to open DH file '%s': %s", 4336 dh_file, ERR_error_string(ERR_get_error(), NULL)); 4337 return -1; 4338 } 4339 ctx = OSSL_DECODER_CTX_new_for_pkey( 4340 &tmpkey, "PEM", NULL, NULL, 4341 OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS, NULL, NULL); 4342 if (!ctx || 4343 OSSL_DECODER_from_bio(ctx, bio) != 1) { 4344 wpa_printf(MSG_INFO, 4345 "TLS: Failed to decode domain parameters from '%s': %s", 4346 dh_file, ERR_error_string(ERR_get_error(), NULL)); 4347 BIO_free(bio); 4348 OSSL_DECODER_CTX_free(ctx); 4349 return -1; 4350 } 4351 OSSL_DECODER_CTX_free(ctx); 4352 BIO_free(bio); 4353 4354 if (!tmpkey) { 4355 wpa_printf(MSG_INFO, "TLS: Failed to load domain parameters"); 4356 return -1; 4357 } 4358 4359 #ifndef OPENSSL_NO_DSA 4360 if (EVP_PKEY_is_a(tmpkey, "DSA")) { 4361 pkey = openssl_dsa_to_dh(tmpkey); 4362 EVP_PKEY_free(tmpkey); 4363 if (!pkey) 4364 return -1; 4365 dsa = true; 4366 } 4367 #endif /* !OPENSSL_NO_DSA */ 4368 if (!dsa) { 4369 if (EVP_PKEY_is_a(tmpkey, "DH") || 4370 EVP_PKEY_is_a(tmpkey, "DHX")) { 4371 } else { 4372 wpa_printf(MSG_INFO, 4373 "TLS: No DH parameters found in %s", 4374 dh_file); 4375 EVP_PKEY_free(tmpkey); 4376 return -1; 4377 } 4378 pkey = tmpkey; 4379 tmpkey = NULL; 4380 } 4381 4382 if (SSL_CTX_set0_tmp_dh_pkey(ssl_ctx, pkey) != 1) { 4383 wpa_printf(MSG_INFO, 4384 "TLS: Failed to set DH params from '%s': %s", 4385 dh_file, ERR_error_string(ERR_get_error(), NULL)); 4386 EVP_PKEY_free(pkey); 4387 return -1; 4388 } 4389 return 0; 4390 #else /* OpenSSL version >= 3.0 */ 4391 SSL_CTX *ssl_ctx = data->ssl; 4392 DH *dh; 4393 BIO *bio; 4394 4395 if (!ssl_ctx) 4396 return -1; 4397 if (!dh_file) { 4398 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(OPENSSL_IS_BORINGSSL) 4399 SSL_CTX_set_dh_auto(ssl_ctx, 1); 4400 #endif 4401 return 0; 4402 } 4403 4404 bio = BIO_new_file(dh_file, "r"); 4405 if (bio == NULL) { 4406 wpa_printf(MSG_INFO, "TLS: Failed to open DH file '%s': %s", 4407 dh_file, ERR_error_string(ERR_get_error(), NULL)); 4408 return -1; 4409 } 4410 dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); 4411 BIO_free(bio); 4412 #ifndef OPENSSL_NO_DSA 4413 while (dh == NULL) { 4414 DSA *dsa; 4415 wpa_printf(MSG_DEBUG, "TLS: Failed to parse DH file '%s': %s -" 4416 " trying to parse as DSA params", dh_file, 4417 ERR_error_string(ERR_get_error(), NULL)); 4418 bio = BIO_new_file(dh_file, "r"); 4419 if (bio == NULL) 4420 break; 4421 dsa = PEM_read_bio_DSAparams(bio, NULL, NULL, NULL); 4422 BIO_free(bio); 4423 if (!dsa) { 4424 wpa_printf(MSG_DEBUG, "TLS: Failed to parse DSA file " 4425 "'%s': %s", dh_file, 4426 ERR_error_string(ERR_get_error(), NULL)); 4427 break; 4428 } 4429 4430 wpa_printf(MSG_DEBUG, "TLS: DH file in DSA param format"); 4431 dh = DSA_dup_DH(dsa); 4432 DSA_free(dsa); 4433 if (dh == NULL) { 4434 wpa_printf(MSG_INFO, "TLS: Failed to convert DSA " 4435 "params into DH params"); 4436 break; 4437 } 4438 break; 4439 } 4440 #endif /* !OPENSSL_NO_DSA */ 4441 if (dh == NULL) { 4442 wpa_printf(MSG_INFO, "TLS: Failed to read/parse DH/DSA file " 4443 "'%s'", dh_file); 4444 return -1; 4445 } 4446 4447 if (SSL_CTX_set_tmp_dh(ssl_ctx, dh) != 1) { 4448 wpa_printf(MSG_INFO, "TLS: Failed to set DH params from '%s': " 4449 "%s", dh_file, 4450 ERR_error_string(ERR_get_error(), NULL)); 4451 DH_free(dh); 4452 return -1; 4453 } 4454 DH_free(dh); 4455 return 0; 4456 #endif /* OpenSSL version >= 3.0 */ 4457 #endif /* OPENSSL_NO_DH */ 4458 } 4459 4460 tls_connection_get_random(void * ssl_ctx,struct tls_connection * conn,struct tls_random * keys)4461 int tls_connection_get_random(void *ssl_ctx, struct tls_connection *conn, 4462 struct tls_random *keys) 4463 { 4464 SSL *ssl; 4465 4466 if (conn == NULL || keys == NULL) 4467 return -1; 4468 ssl = conn->ssl; 4469 if (ssl == NULL) 4470 return -1; 4471 4472 os_memset(keys, 0, sizeof(*keys)); 4473 keys->client_random = conn->client_random; 4474 keys->client_random_len = SSL_get_client_random( 4475 ssl, conn->client_random, sizeof(conn->client_random)); 4476 keys->server_random = conn->server_random; 4477 keys->server_random_len = SSL_get_server_random( 4478 ssl, conn->server_random, sizeof(conn->server_random)); 4479 4480 return 0; 4481 } 4482 4483 4484 #ifdef OPENSSL_NEED_EAP_FAST_PRF openssl_get_keyblock_size(SSL * ssl)4485 static int openssl_get_keyblock_size(SSL *ssl) 4486 { 4487 #if OPENSSL_VERSION_NUMBER < 0x10100000L 4488 const EVP_CIPHER *c; 4489 const EVP_MD *h; 4490 int md_size; 4491 4492 if (ssl->enc_read_ctx == NULL || ssl->enc_read_ctx->cipher == NULL || 4493 ssl->read_hash == NULL) 4494 return -1; 4495 4496 c = ssl->enc_read_ctx->cipher; 4497 h = EVP_MD_CTX_md(ssl->read_hash); 4498 if (h) 4499 md_size = EVP_MD_size(h); 4500 else if (ssl->s3) 4501 md_size = ssl->s3->tmp.new_mac_secret_size; 4502 else 4503 return -1; 4504 4505 wpa_printf(MSG_DEBUG, "OpenSSL: keyblock size: key_len=%d MD_size=%d " 4506 "IV_len=%d", EVP_CIPHER_key_length(c), md_size, 4507 EVP_CIPHER_iv_length(c)); 4508 return 2 * (EVP_CIPHER_key_length(c) + 4509 md_size + 4510 EVP_CIPHER_iv_length(c)); 4511 #else 4512 const SSL_CIPHER *ssl_cipher; 4513 int cipher, digest; 4514 const EVP_CIPHER *c; 4515 const EVP_MD *h; 4516 int mac_key_len, enc_key_len, fixed_iv_len; 4517 4518 ssl_cipher = SSL_get_current_cipher(ssl); 4519 if (!ssl_cipher) 4520 return -1; 4521 cipher = SSL_CIPHER_get_cipher_nid(ssl_cipher); 4522 digest = SSL_CIPHER_get_digest_nid(ssl_cipher); 4523 wpa_printf(MSG_DEBUG, "OpenSSL: cipher nid %d digest nid %d", 4524 cipher, digest); 4525 if (cipher < 0 || digest < 0) 4526 return -1; 4527 if (cipher == NID_undef) { 4528 wpa_printf(MSG_DEBUG, "OpenSSL: no cipher in use?!"); 4529 return -1; 4530 } 4531 c = EVP_get_cipherbynid(cipher); 4532 if (!c) 4533 return -1; 4534 enc_key_len = EVP_CIPHER_key_length(c); 4535 if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE || 4536 EVP_CIPHER_mode(c) == EVP_CIPH_CCM_MODE) 4537 fixed_iv_len = 4; /* only part of IV from PRF */ 4538 else 4539 fixed_iv_len = EVP_CIPHER_iv_length(c); 4540 if (digest == NID_undef) { 4541 wpa_printf(MSG_DEBUG, "OpenSSL: no digest in use (e.g., AEAD)"); 4542 mac_key_len = 0; 4543 } else { 4544 h = EVP_get_digestbynid(digest); 4545 if (!h) 4546 return -1; 4547 mac_key_len = EVP_MD_size(h); 4548 } 4549 4550 wpa_printf(MSG_DEBUG, 4551 "OpenSSL: keyblock size: mac_key_len=%d enc_key_len=%d fixed_iv_len=%d", 4552 mac_key_len, enc_key_len, fixed_iv_len); 4553 return 2 * (mac_key_len + enc_key_len + fixed_iv_len); 4554 #endif 4555 } 4556 #endif /* OPENSSL_NEED_EAP_FAST_PRF */ 4557 4558 tls_connection_export_key(void * tls_ctx,struct tls_connection * conn,const char * label,const u8 * context,size_t context_len,u8 * out,size_t out_len)4559 int tls_connection_export_key(void *tls_ctx, struct tls_connection *conn, 4560 const char *label, const u8 *context, 4561 size_t context_len, u8 *out, size_t out_len) 4562 { 4563 if (!conn || 4564 SSL_export_keying_material(conn->ssl, out, out_len, label, 4565 os_strlen(label), context, context_len, 4566 context != NULL) != 1) 4567 return -1; 4568 return 0; 4569 } 4570 4571 tls_connection_get_eap_fast_key(void * tls_ctx,struct tls_connection * conn,u8 * out,size_t out_len)4572 int tls_connection_get_eap_fast_key(void *tls_ctx, struct tls_connection *conn, 4573 u8 *out, size_t out_len) 4574 { 4575 #ifdef OPENSSL_NEED_EAP_FAST_PRF 4576 SSL *ssl; 4577 SSL_SESSION *sess; 4578 u8 *rnd; 4579 int ret = -1; 4580 int skip = 0; 4581 u8 *tmp_out = NULL; 4582 u8 *_out = out; 4583 unsigned char client_random[SSL3_RANDOM_SIZE]; 4584 unsigned char server_random[SSL3_RANDOM_SIZE]; 4585 unsigned char master_key[64]; 4586 size_t master_key_len; 4587 const char *ver; 4588 4589 /* 4590 * TLS library did not support EAP-FAST key generation, so get the 4591 * needed TLS session parameters and use an internal implementation of 4592 * TLS PRF to derive the key. 4593 */ 4594 4595 if (conn == NULL) 4596 return -1; 4597 ssl = conn->ssl; 4598 if (ssl == NULL) 4599 return -1; 4600 ver = SSL_get_version(ssl); 4601 sess = SSL_get_session(ssl); 4602 if (!ver || !sess) 4603 return -1; 4604 4605 skip = openssl_get_keyblock_size(ssl); 4606 if (skip < 0) 4607 return -1; 4608 tmp_out = os_malloc(skip + out_len); 4609 if (!tmp_out) 4610 return -1; 4611 _out = tmp_out; 4612 4613 rnd = os_malloc(2 * SSL3_RANDOM_SIZE); 4614 if (!rnd) { 4615 os_free(tmp_out); 4616 return -1; 4617 } 4618 4619 SSL_get_client_random(ssl, client_random, sizeof(client_random)); 4620 SSL_get_server_random(ssl, server_random, sizeof(server_random)); 4621 master_key_len = SSL_SESSION_get_master_key(sess, master_key, 4622 sizeof(master_key)); 4623 4624 os_memcpy(rnd, server_random, SSL3_RANDOM_SIZE); 4625 os_memcpy(rnd + SSL3_RANDOM_SIZE, client_random, SSL3_RANDOM_SIZE); 4626 4627 if (os_strcmp(ver, "TLSv1.2") == 0) { 4628 tls_prf_sha256(master_key, master_key_len, 4629 "key expansion", rnd, 2 * SSL3_RANDOM_SIZE, 4630 _out, skip + out_len); 4631 ret = 0; 4632 } else if (tls_prf_sha1_md5(master_key, master_key_len, 4633 "key expansion", rnd, 2 * SSL3_RANDOM_SIZE, 4634 _out, skip + out_len) == 0) { 4635 ret = 0; 4636 } 4637 forced_memzero(master_key, sizeof(master_key)); 4638 os_free(rnd); 4639 if (ret == 0) 4640 os_memcpy(out, _out + skip, out_len); 4641 bin_clear_free(tmp_out, skip); 4642 4643 return ret; 4644 #else /* OPENSSL_NEED_EAP_FAST_PRF */ 4645 wpa_printf(MSG_ERROR, 4646 "OpenSSL: EAP-FAST keys cannot be exported in FIPS mode"); 4647 return -1; 4648 #endif /* OPENSSL_NEED_EAP_FAST_PRF */ 4649 } 4650 4651 4652 static struct wpabuf * openssl_handshake(struct tls_connection * conn,const struct wpabuf * in_data)4653 openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data) 4654 { 4655 struct tls_context *context = conn->context; 4656 int res; 4657 struct wpabuf *out_data; 4658 4659 /* 4660 * Give TLS handshake data from the server (if available) to OpenSSL 4661 * for processing. 4662 */ 4663 if (in_data && wpabuf_len(in_data) > 0 && 4664 BIO_write(conn->ssl_in, wpabuf_head(in_data), wpabuf_len(in_data)) 4665 < 0) { 4666 tls_show_errors(MSG_INFO, __func__, 4667 "Handshake failed - BIO_write"); 4668 return NULL; 4669 } 4670 4671 /* Initiate TLS handshake or continue the existing handshake */ 4672 if (conn->server) 4673 res = SSL_accept(conn->ssl); 4674 else 4675 res = SSL_connect(conn->ssl); 4676 if (res != 1) { 4677 int err = SSL_get_error(conn->ssl, res); 4678 if (err == SSL_ERROR_WANT_READ) 4679 wpa_printf(MSG_DEBUG, "SSL: SSL_connect - want " 4680 "more data"); 4681 else if (err == SSL_ERROR_WANT_WRITE) 4682 wpa_printf(MSG_DEBUG, "SSL: SSL_connect - want to " 4683 "write"); 4684 else { 4685 unsigned long error = ERR_peek_last_error(); 4686 4687 tls_show_errors(MSG_INFO, __func__, "SSL_connect"); 4688 4689 if (context->event_cb && 4690 ERR_GET_LIB(error) == ERR_LIB_SSL && 4691 ERR_GET_REASON(error) == 4692 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED) { 4693 context->event_cb( 4694 context->cb_ctx, 4695 TLS_UNSAFE_RENEGOTIATION_DISABLED, 4696 NULL); 4697 } 4698 conn->failed++; 4699 if (!conn->server && !conn->client_hello_generated) { 4700 /* The server would not understand TLS Alert 4701 * before ClientHello, so simply terminate 4702 * handshake on this type of error case caused 4703 * by a likely internal error like no ciphers 4704 * available. */ 4705 wpa_printf(MSG_DEBUG, 4706 "OpenSSL: Could not generate ClientHello"); 4707 conn->write_alerts++; 4708 return NULL; 4709 } 4710 } 4711 } 4712 4713 if (!conn->server && !conn->failed) 4714 conn->client_hello_generated = 1; 4715 4716 #ifdef CONFIG_SUITEB 4717 if ((conn->flags & TLS_CONN_SUITEB) && !conn->server && 4718 os_strncmp(SSL_get_cipher(conn->ssl), "DHE-", 4) == 0 && 4719 conn->server_dh_prime_len < 3072) { 4720 /* 4721 * This should not be reached since earlier cert_cb should have 4722 * terminated the handshake. Keep this check here for extra 4723 * protection if anything goes wrong with the more low-level 4724 * checks based on having to parse the TLS handshake messages. 4725 */ 4726 wpa_printf(MSG_DEBUG, 4727 "OpenSSL: Server DH prime length: %d bits", 4728 conn->server_dh_prime_len); 4729 4730 if (context->event_cb) { 4731 union tls_event_data ev; 4732 4733 os_memset(&ev, 0, sizeof(ev)); 4734 ev.alert.is_local = 1; 4735 ev.alert.type = "fatal"; 4736 ev.alert.description = "insufficient security"; 4737 context->event_cb(context->cb_ctx, TLS_ALERT, &ev); 4738 } 4739 /* 4740 * Could send a TLS Alert to the server, but for now, simply 4741 * terminate handshake. 4742 */ 4743 conn->failed++; 4744 conn->write_alerts++; 4745 return NULL; 4746 } 4747 #endif /* CONFIG_SUITEB */ 4748 4749 /* Get the TLS handshake data to be sent to the server */ 4750 res = BIO_ctrl_pending(conn->ssl_out); 4751 wpa_printf(MSG_DEBUG, "SSL: %d bytes pending from ssl_out", res); 4752 out_data = wpabuf_alloc(res); 4753 if (out_data == NULL) { 4754 wpa_printf(MSG_DEBUG, "SSL: Failed to allocate memory for " 4755 "handshake output (%d bytes)", res); 4756 if (BIO_reset(conn->ssl_out) < 0) { 4757 tls_show_errors(MSG_INFO, __func__, 4758 "BIO_reset failed"); 4759 } 4760 return NULL; 4761 } 4762 res = res == 0 ? 0 : BIO_read(conn->ssl_out, wpabuf_mhead(out_data), 4763 res); 4764 if (res < 0) { 4765 tls_show_errors(MSG_INFO, __func__, 4766 "Handshake failed - BIO_read"); 4767 if (BIO_reset(conn->ssl_out) < 0) { 4768 tls_show_errors(MSG_INFO, __func__, 4769 "BIO_reset failed"); 4770 } 4771 wpabuf_free(out_data); 4772 return NULL; 4773 } 4774 wpabuf_put(out_data, res); 4775 4776 return out_data; 4777 } 4778 4779 4780 static struct wpabuf * openssl_get_appl_data(struct tls_connection * conn,size_t max_len)4781 openssl_get_appl_data(struct tls_connection *conn, size_t max_len) 4782 { 4783 struct wpabuf *appl_data; 4784 int res; 4785 4786 appl_data = wpabuf_alloc(max_len + 100); 4787 if (appl_data == NULL) 4788 return NULL; 4789 4790 res = SSL_read(conn->ssl, wpabuf_mhead(appl_data), 4791 wpabuf_size(appl_data)); 4792 if (res < 0) { 4793 int err = SSL_get_error(conn->ssl, res); 4794 if (err == SSL_ERROR_WANT_READ || 4795 err == SSL_ERROR_WANT_WRITE) { 4796 wpa_printf(MSG_DEBUG, "SSL: No Application Data " 4797 "included"); 4798 } else { 4799 tls_show_errors(MSG_INFO, __func__, 4800 "Failed to read possible " 4801 "Application Data"); 4802 } 4803 wpabuf_free(appl_data); 4804 return NULL; 4805 } 4806 4807 wpabuf_put(appl_data, res); 4808 wpa_hexdump_buf_key(MSG_MSGDUMP, "SSL: Application Data in Finished " 4809 "message", appl_data); 4810 4811 return appl_data; 4812 } 4813 4814 4815 static struct wpabuf * openssl_connection_handshake(struct tls_connection * conn,const struct wpabuf * in_data,struct wpabuf ** appl_data)4816 openssl_connection_handshake(struct tls_connection *conn, 4817 const struct wpabuf *in_data, 4818 struct wpabuf **appl_data) 4819 { 4820 struct wpabuf *out_data; 4821 4822 if (appl_data) 4823 *appl_data = NULL; 4824 4825 out_data = openssl_handshake(conn, in_data); 4826 if (out_data == NULL) 4827 return NULL; 4828 if (conn->invalid_hb_used) { 4829 wpa_printf(MSG_INFO, "TLS: Heartbeat attack detected - do not send response"); 4830 wpabuf_free(out_data); 4831 return NULL; 4832 } 4833 4834 if (SSL_is_init_finished(conn->ssl)) { 4835 wpa_printf(MSG_DEBUG, 4836 "OpenSSL: Handshake finished - resumed=%d", 4837 tls_connection_resumed(conn->ssl_ctx, conn)); 4838 if (conn->server) { 4839 char *buf; 4840 size_t buflen = 2000; 4841 4842 buf = os_malloc(buflen); 4843 if (buf) { 4844 if (SSL_get_shared_ciphers(conn->ssl, buf, 4845 buflen)) { 4846 buf[buflen - 1] = '\0'; 4847 wpa_printf(MSG_DEBUG, 4848 "OpenSSL: Shared ciphers: %s", 4849 buf); 4850 } 4851 os_free(buf); 4852 } 4853 } 4854 if (appl_data && in_data) 4855 *appl_data = openssl_get_appl_data(conn, 4856 wpabuf_len(in_data)); 4857 } 4858 4859 if (conn->invalid_hb_used) { 4860 wpa_printf(MSG_INFO, "TLS: Heartbeat attack detected - do not send response"); 4861 if (appl_data) { 4862 wpabuf_free(*appl_data); 4863 *appl_data = NULL; 4864 } 4865 wpabuf_free(out_data); 4866 return NULL; 4867 } 4868 4869 return out_data; 4870 } 4871 4872 4873 struct wpabuf * tls_connection_handshake(void * ssl_ctx,struct tls_connection * conn,const struct wpabuf * in_data,struct wpabuf ** appl_data)4874 tls_connection_handshake(void *ssl_ctx, struct tls_connection *conn, 4875 const struct wpabuf *in_data, 4876 struct wpabuf **appl_data) 4877 { 4878 return openssl_connection_handshake(conn, in_data, appl_data); 4879 } 4880 4881 tls_connection_server_handshake(void * tls_ctx,struct tls_connection * conn,const struct wpabuf * in_data,struct wpabuf ** appl_data)4882 struct wpabuf * tls_connection_server_handshake(void *tls_ctx, 4883 struct tls_connection *conn, 4884 const struct wpabuf *in_data, 4885 struct wpabuf **appl_data) 4886 { 4887 conn->server = 1; 4888 return openssl_connection_handshake(conn, in_data, appl_data); 4889 } 4890 4891 tls_connection_encrypt(void * tls_ctx,struct tls_connection * conn,const struct wpabuf * in_data)4892 struct wpabuf * tls_connection_encrypt(void *tls_ctx, 4893 struct tls_connection *conn, 4894 const struct wpabuf *in_data) 4895 { 4896 int res; 4897 struct wpabuf *buf; 4898 4899 if (conn == NULL) 4900 return NULL; 4901 4902 /* Give plaintext data for OpenSSL to encrypt into the TLS tunnel. */ 4903 if ((res = BIO_reset(conn->ssl_in)) < 0 || 4904 (res = BIO_reset(conn->ssl_out)) < 0) { 4905 tls_show_errors(MSG_INFO, __func__, "BIO_reset failed"); 4906 return NULL; 4907 } 4908 res = SSL_write(conn->ssl, wpabuf_head(in_data), wpabuf_len(in_data)); 4909 if (res < 0) { 4910 tls_show_errors(MSG_INFO, __func__, 4911 "Encryption failed - SSL_write"); 4912 return NULL; 4913 } 4914 4915 /* Read encrypted data to be sent to the server */ 4916 buf = wpabuf_alloc(wpabuf_len(in_data) + 300); 4917 if (buf == NULL) 4918 return NULL; 4919 res = BIO_read(conn->ssl_out, wpabuf_mhead(buf), wpabuf_size(buf)); 4920 if (res < 0) { 4921 tls_show_errors(MSG_INFO, __func__, 4922 "Encryption failed - BIO_read"); 4923 wpabuf_free(buf); 4924 return NULL; 4925 } 4926 wpabuf_put(buf, res); 4927 4928 return buf; 4929 } 4930 4931 tls_connection_decrypt(void * tls_ctx,struct tls_connection * conn,const struct wpabuf * in_data)4932 struct wpabuf * tls_connection_decrypt(void *tls_ctx, 4933 struct tls_connection *conn, 4934 const struct wpabuf *in_data) 4935 { 4936 int res; 4937 struct wpabuf *buf; 4938 4939 /* Give encrypted data from TLS tunnel for OpenSSL to decrypt. */ 4940 res = BIO_write(conn->ssl_in, wpabuf_head(in_data), 4941 wpabuf_len(in_data)); 4942 if (res < 0) { 4943 tls_show_errors(MSG_INFO, __func__, 4944 "Decryption failed - BIO_write"); 4945 return NULL; 4946 } 4947 if (BIO_reset(conn->ssl_out) < 0) { 4948 tls_show_errors(MSG_INFO, __func__, "BIO_reset failed"); 4949 return NULL; 4950 } 4951 4952 /* Read decrypted data for further processing */ 4953 /* 4954 * Even though we try to disable TLS compression, it is possible that 4955 * this cannot be done with all TLS libraries. Add extra buffer space 4956 * to handle the possibility of the decrypted data being longer than 4957 * input data. 4958 */ 4959 buf = wpabuf_alloc((wpabuf_len(in_data) + 500) * 3); 4960 if (buf == NULL) 4961 return NULL; 4962 res = SSL_read(conn->ssl, wpabuf_mhead(buf), wpabuf_size(buf)); 4963 if (res < 0) { 4964 int err = SSL_get_error(conn->ssl, res); 4965 4966 if (err == SSL_ERROR_WANT_READ) { 4967 wpa_printf(MSG_DEBUG, 4968 "SSL: SSL_connect - want more data"); 4969 res = 0; 4970 } else { 4971 tls_show_errors(MSG_INFO, __func__, 4972 "Decryption failed - SSL_read"); 4973 wpabuf_free(buf); 4974 return NULL; 4975 } 4976 } 4977 wpabuf_put(buf, res); 4978 4979 if (conn->invalid_hb_used) { 4980 wpa_printf(MSG_INFO, "TLS: Heartbeat attack detected - do not send response"); 4981 wpabuf_free(buf); 4982 return NULL; 4983 } 4984 4985 return buf; 4986 } 4987 4988 tls_connection_resumed(void * ssl_ctx,struct tls_connection * conn)4989 int tls_connection_resumed(void *ssl_ctx, struct tls_connection *conn) 4990 { 4991 return conn ? SSL_session_reused(conn->ssl) : 0; 4992 } 4993 4994 tls_connection_set_cipher_list(void * tls_ctx,struct tls_connection * conn,u8 * ciphers)4995 int tls_connection_set_cipher_list(void *tls_ctx, struct tls_connection *conn, 4996 u8 *ciphers) 4997 { 4998 char buf[500], *pos, *end; 4999 u8 *c; 5000 int ret; 5001 5002 if (conn == NULL || conn->ssl == NULL || ciphers == NULL) 5003 return -1; 5004 5005 buf[0] = '\0'; 5006 pos = buf; 5007 end = pos + sizeof(buf); 5008 5009 c = ciphers; 5010 while (*c != TLS_CIPHER_NONE) { 5011 const char *suite; 5012 5013 switch (*c) { 5014 case TLS_CIPHER_RC4_SHA: 5015 suite = "RC4-SHA"; 5016 break; 5017 case TLS_CIPHER_AES128_SHA: 5018 suite = "AES128-SHA"; 5019 break; 5020 case TLS_CIPHER_RSA_DHE_AES128_SHA: 5021 suite = "DHE-RSA-AES128-SHA"; 5022 break; 5023 case TLS_CIPHER_ANON_DH_AES128_SHA: 5024 suite = "ADH-AES128-SHA"; 5025 break; 5026 case TLS_CIPHER_RSA_DHE_AES256_SHA: 5027 suite = "DHE-RSA-AES256-SHA"; 5028 break; 5029 case TLS_CIPHER_AES256_SHA: 5030 suite = "AES256-SHA"; 5031 break; 5032 default: 5033 wpa_printf(MSG_DEBUG, "TLS: Unsupported " 5034 "cipher selection: %d", *c); 5035 return -1; 5036 } 5037 ret = os_snprintf(pos, end - pos, ":%s", suite); 5038 if (os_snprintf_error(end - pos, ret)) 5039 break; 5040 pos += ret; 5041 5042 c++; 5043 } 5044 if (!buf[0]) { 5045 wpa_printf(MSG_DEBUG, "OpenSSL: No ciphers listed"); 5046 return -1; 5047 } 5048 5049 wpa_printf(MSG_DEBUG, "OpenSSL: cipher suites: %s", buf + 1); 5050 5051 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) 5052 #ifdef EAP_FAST_OR_TEAP 5053 if (os_strstr(buf, ":ADH-")) { 5054 /* 5055 * Need to drop to security level 0 to allow anonymous 5056 * cipher suites for EAP-FAST. 5057 */ 5058 SSL_set_security_level(conn->ssl, 0); 5059 } else if (SSL_get_security_level(conn->ssl) == 0) { 5060 /* Force at least security level 1 */ 5061 SSL_set_security_level(conn->ssl, 1); 5062 } 5063 #endif /* EAP_FAST_OR_TEAP */ 5064 #endif 5065 5066 if (SSL_set_cipher_list(conn->ssl, buf + 1) != 1) { 5067 tls_show_errors(MSG_INFO, __func__, 5068 "Cipher suite configuration failed"); 5069 return -1; 5070 } 5071 5072 return 0; 5073 } 5074 5075 tls_get_version(void * ssl_ctx,struct tls_connection * conn,char * buf,size_t buflen)5076 int tls_get_version(void *ssl_ctx, struct tls_connection *conn, 5077 char *buf, size_t buflen) 5078 { 5079 const char *name; 5080 if (conn == NULL || conn->ssl == NULL) 5081 return -1; 5082 5083 name = SSL_get_version(conn->ssl); 5084 if (name == NULL) 5085 return -1; 5086 5087 os_strlcpy(buf, name, buflen); 5088 return 0; 5089 } 5090 5091 tls_get_cipher(void * ssl_ctx,struct tls_connection * conn,char * buf,size_t buflen)5092 int tls_get_cipher(void *ssl_ctx, struct tls_connection *conn, 5093 char *buf, size_t buflen) 5094 { 5095 const char *name; 5096 if (conn == NULL || conn->ssl == NULL) 5097 return -1; 5098 5099 name = SSL_get_cipher(conn->ssl); 5100 if (name == NULL) 5101 return -1; 5102 5103 os_strlcpy(buf, name, buflen); 5104 return 0; 5105 } 5106 5107 tls_connection_enable_workaround(void * ssl_ctx,struct tls_connection * conn)5108 int tls_connection_enable_workaround(void *ssl_ctx, 5109 struct tls_connection *conn) 5110 { 5111 SSL_set_options(conn->ssl, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS); 5112 5113 return 0; 5114 } 5115 5116 5117 #ifdef EAP_FAST_OR_TEAP 5118 /* ClientHello TLS extensions require a patch to openssl, so this function is 5119 * commented out unless explicitly needed for EAP-FAST in order to be able to 5120 * build this file with unmodified openssl. */ tls_connection_client_hello_ext(void * ssl_ctx,struct tls_connection * conn,int ext_type,const u8 * data,size_t data_len)5121 int tls_connection_client_hello_ext(void *ssl_ctx, struct tls_connection *conn, 5122 int ext_type, const u8 *data, 5123 size_t data_len) 5124 { 5125 if (conn == NULL || conn->ssl == NULL || ext_type != 35) 5126 return -1; 5127 5128 if (SSL_set_session_ticket_ext(conn->ssl, (void *) data, 5129 data_len) != 1) 5130 return -1; 5131 5132 return 0; 5133 } 5134 #endif /* EAP_FAST_OR_TEAP */ 5135 5136 tls_connection_get_failed(void * ssl_ctx,struct tls_connection * conn)5137 int tls_connection_get_failed(void *ssl_ctx, struct tls_connection *conn) 5138 { 5139 if (conn == NULL) 5140 return -1; 5141 return conn->failed; 5142 } 5143 5144 tls_connection_get_read_alerts(void * ssl_ctx,struct tls_connection * conn)5145 int tls_connection_get_read_alerts(void *ssl_ctx, struct tls_connection *conn) 5146 { 5147 if (conn == NULL) 5148 return -1; 5149 return conn->read_alerts; 5150 } 5151 5152 tls_connection_get_write_alerts(void * ssl_ctx,struct tls_connection * conn)5153 int tls_connection_get_write_alerts(void *ssl_ctx, struct tls_connection *conn) 5154 { 5155 if (conn == NULL) 5156 return -1; 5157 return conn->write_alerts; 5158 } 5159 5160 5161 #ifdef HAVE_OCSP 5162 ocsp_debug_print_resp(OCSP_RESPONSE * rsp)5163 static void ocsp_debug_print_resp(OCSP_RESPONSE *rsp) 5164 { 5165 #ifndef CONFIG_NO_STDOUT_DEBUG 5166 BIO *out; 5167 size_t rlen; 5168 char *txt; 5169 int res; 5170 5171 if (wpa_debug_level > MSG_DEBUG) 5172 return; 5173 5174 out = BIO_new(BIO_s_mem()); 5175 if (!out) 5176 return; 5177 5178 OCSP_RESPONSE_print(out, rsp, 0); 5179 rlen = BIO_ctrl_pending(out); 5180 txt = os_malloc(rlen + 1); 5181 if (!txt) { 5182 BIO_free(out); 5183 return; 5184 } 5185 5186 res = BIO_read(out, txt, rlen); 5187 if (res > 0) { 5188 txt[res] = '\0'; 5189 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP Response\n%s", txt); 5190 } 5191 os_free(txt); 5192 BIO_free(out); 5193 #endif /* CONFIG_NO_STDOUT_DEBUG */ 5194 } 5195 5196 ocsp_resp_cb(SSL * s,void * arg)5197 static int ocsp_resp_cb(SSL *s, void *arg) 5198 { 5199 struct tls_connection *conn = arg; 5200 const unsigned char *p; 5201 int len, status, reason, res; 5202 OCSP_RESPONSE *rsp; 5203 OCSP_BASICRESP *basic; 5204 OCSP_CERTID *id; 5205 ASN1_GENERALIZEDTIME *produced_at, *this_update, *next_update; 5206 X509_STORE *store; 5207 STACK_OF(X509) *certs = NULL; 5208 5209 len = SSL_get_tlsext_status_ocsp_resp(s, &p); 5210 if (!p) { 5211 #if OPENSSL_VERSION_NUMBER >= 0x10101000L 5212 #if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER >= 0x30400000L 5213 if (SSL_version(s) == TLS1_3_VERSION && SSL_session_reused(s)) { 5214 /* TLS 1.3 sends the OCSP response with the server 5215 * Certificate message. Since that Certificate message 5216 * is not sent when resuming a session, there can be no 5217 * new OCSP response. Allow this since the OCSP response 5218 * was validated when checking the initial certificate 5219 * exchange. */ 5220 wpa_printf(MSG_DEBUG, 5221 "OpenSSL: Allow no OCSP response when using TLS 1.3 and a resumed session"); 5222 return 1; 5223 } 5224 #endif 5225 #endif 5226 wpa_printf(MSG_DEBUG, "OpenSSL: No OCSP response received"); 5227 return (conn->flags & TLS_CONN_REQUIRE_OCSP) ? 0 : 1; 5228 } 5229 5230 wpa_hexdump(MSG_DEBUG, "OpenSSL: OCSP response", p, len); 5231 5232 rsp = d2i_OCSP_RESPONSE(NULL, &p, len); 5233 if (!rsp) { 5234 wpa_printf(MSG_INFO, "OpenSSL: Failed to parse OCSP response"); 5235 return 0; 5236 } 5237 5238 ocsp_debug_print_resp(rsp); 5239 5240 status = OCSP_response_status(rsp); 5241 if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL) { 5242 wpa_printf(MSG_INFO, "OpenSSL: OCSP responder error %d (%s)", 5243 status, OCSP_response_status_str(status)); 5244 return 0; 5245 } 5246 5247 basic = OCSP_response_get1_basic(rsp); 5248 if (!basic) { 5249 wpa_printf(MSG_INFO, "OpenSSL: Could not find BasicOCSPResponse"); 5250 return 0; 5251 } 5252 5253 store = SSL_CTX_get_cert_store(conn->ssl_ctx); 5254 if (conn->peer_issuer) { 5255 debug_print_cert(conn->peer_issuer, "Add OCSP issuer"); 5256 5257 if (X509_STORE_add_cert(store, conn->peer_issuer) != 1) { 5258 tls_show_errors(MSG_INFO, __func__, 5259 "OpenSSL: Could not add issuer to certificate store"); 5260 } 5261 certs = sk_X509_new_null(); 5262 if (certs) { 5263 X509 *cert; 5264 cert = X509_dup(conn->peer_issuer); 5265 if (cert && !sk_X509_push(certs, cert)) { 5266 tls_show_errors( 5267 MSG_INFO, __func__, 5268 "OpenSSL: Could not add issuer to OCSP responder trust store"); 5269 X509_free(cert); 5270 sk_X509_free(certs); 5271 certs = NULL; 5272 } 5273 if (certs && conn->peer_issuer_issuer) { 5274 cert = X509_dup(conn->peer_issuer_issuer); 5275 if (cert && !sk_X509_push(certs, cert)) { 5276 tls_show_errors( 5277 MSG_INFO, __func__, 5278 "OpenSSL: Could not add issuer's issuer to OCSP responder trust store"); 5279 X509_free(cert); 5280 } 5281 } 5282 } 5283 } 5284 5285 status = OCSP_basic_verify(basic, certs, store, OCSP_TRUSTOTHER); 5286 sk_X509_pop_free(certs, X509_free); 5287 if (status <= 0) { 5288 tls_show_errors(MSG_INFO, __func__, 5289 "OpenSSL: OCSP response failed verification"); 5290 OCSP_BASICRESP_free(basic); 5291 OCSP_RESPONSE_free(rsp); 5292 return 0; 5293 } 5294 5295 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP response verification succeeded"); 5296 5297 if (!conn->peer_cert) { 5298 wpa_printf(MSG_DEBUG, "OpenSSL: Peer certificate not available for OCSP status check"); 5299 OCSP_BASICRESP_free(basic); 5300 OCSP_RESPONSE_free(rsp); 5301 return 0; 5302 } 5303 5304 if (!conn->peer_issuer) { 5305 wpa_printf(MSG_DEBUG, "OpenSSL: Peer issuer certificate not available for OCSP status check"); 5306 OCSP_BASICRESP_free(basic); 5307 OCSP_RESPONSE_free(rsp); 5308 return 0; 5309 } 5310 5311 id = OCSP_cert_to_id(EVP_sha256(), conn->peer_cert, conn->peer_issuer); 5312 if (!id) { 5313 wpa_printf(MSG_DEBUG, 5314 "OpenSSL: Could not create OCSP certificate identifier (SHA256)"); 5315 OCSP_BASICRESP_free(basic); 5316 OCSP_RESPONSE_free(rsp); 5317 return 0; 5318 } 5319 5320 res = OCSP_resp_find_status(basic, id, &status, &reason, &produced_at, 5321 &this_update, &next_update); 5322 if (!res) { 5323 OCSP_CERTID_free(id); 5324 id = OCSP_cert_to_id(NULL, conn->peer_cert, conn->peer_issuer); 5325 if (!id) { 5326 wpa_printf(MSG_DEBUG, 5327 "OpenSSL: Could not create OCSP certificate identifier (SHA1)"); 5328 OCSP_BASICRESP_free(basic); 5329 OCSP_RESPONSE_free(rsp); 5330 return 0; 5331 } 5332 5333 res = OCSP_resp_find_status(basic, id, &status, &reason, 5334 &produced_at, &this_update, 5335 &next_update); 5336 } 5337 5338 if (!res) { 5339 wpa_printf(MSG_INFO, "OpenSSL: Could not find current server certificate from OCSP response%s", 5340 (conn->flags & TLS_CONN_REQUIRE_OCSP) ? "" : 5341 " (OCSP not required)"); 5342 OCSP_CERTID_free(id); 5343 OCSP_BASICRESP_free(basic); 5344 OCSP_RESPONSE_free(rsp); 5345 return (conn->flags & TLS_CONN_REQUIRE_OCSP) ? 0 : 1; 5346 } 5347 OCSP_CERTID_free(id); 5348 5349 if (!OCSP_check_validity(this_update, next_update, 5 * 60, -1)) { 5350 tls_show_errors(MSG_INFO, __func__, 5351 "OpenSSL: OCSP status times invalid"); 5352 OCSP_BASICRESP_free(basic); 5353 OCSP_RESPONSE_free(rsp); 5354 return 0; 5355 } 5356 5357 OCSP_BASICRESP_free(basic); 5358 OCSP_RESPONSE_free(rsp); 5359 5360 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status for server certificate: %s", 5361 OCSP_cert_status_str(status)); 5362 5363 if (status == V_OCSP_CERTSTATUS_GOOD) 5364 return 1; 5365 if (status == V_OCSP_CERTSTATUS_REVOKED) 5366 return 0; 5367 if (conn->flags & TLS_CONN_REQUIRE_OCSP) { 5368 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status unknown, but OCSP required"); 5369 return 0; 5370 } 5371 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status unknown, but OCSP was not required, so allow connection to continue"); 5372 return 1; 5373 } 5374 5375 ocsp_status_cb(SSL * s,void * arg)5376 static int ocsp_status_cb(SSL *s, void *arg) 5377 { 5378 char *tmp; 5379 char *resp; 5380 size_t len; 5381 5382 if (tls_global->ocsp_stapling_response == NULL) { 5383 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status callback - no response configured"); 5384 return SSL_TLSEXT_ERR_OK; 5385 } 5386 5387 resp = os_readfile(tls_global->ocsp_stapling_response, &len); 5388 if (resp == NULL) { 5389 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status callback - could not read response file"); 5390 /* TODO: Build OCSPResponse with responseStatus = internalError 5391 */ 5392 return SSL_TLSEXT_ERR_OK; 5393 } 5394 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status callback - send cached response"); 5395 tmp = OPENSSL_malloc(len); 5396 if (tmp == NULL) { 5397 os_free(resp); 5398 return SSL_TLSEXT_ERR_ALERT_FATAL; 5399 } 5400 5401 os_memcpy(tmp, resp, len); 5402 os_free(resp); 5403 SSL_set_tlsext_status_ocsp_resp(s, tmp, len); 5404 5405 return SSL_TLSEXT_ERR_OK; 5406 } 5407 5408 #endif /* HAVE_OCSP */ 5409 5410 max_str_len(const char ** lines)5411 static size_t max_str_len(const char **lines) 5412 { 5413 const char **p; 5414 size_t max_len = 0; 5415 5416 for (p = lines; *p; p++) { 5417 size_t len = os_strlen(*p); 5418 5419 if (len > max_len) 5420 max_len = len; 5421 } 5422 5423 return max_len; 5424 } 5425 5426 match_lines_in_file(const char * path,const char ** lines)5427 static int match_lines_in_file(const char *path, const char **lines) 5428 { 5429 FILE *f; 5430 char *buf; 5431 size_t bufsize; 5432 int found = 0, is_linestart = 1; 5433 5434 bufsize = max_str_len(lines) + sizeof("\r\n"); 5435 buf = os_malloc(bufsize); 5436 if (!buf) 5437 return 0; 5438 5439 f = fopen(path, "r"); 5440 if (!f) { 5441 os_free(buf); 5442 return 0; 5443 } 5444 5445 while (!found && fgets(buf, bufsize, f)) { 5446 int is_lineend; 5447 size_t len; 5448 const char **p; 5449 5450 len = strcspn(buf, "\r\n"); 5451 is_lineend = buf[len] != '\0'; 5452 buf[len] = '\0'; 5453 5454 if (is_linestart && is_lineend) { 5455 for (p = lines; !found && *p; p++) 5456 found = os_strcmp(buf, *p) == 0; 5457 } 5458 is_linestart = is_lineend; 5459 } 5460 5461 fclose(f); 5462 bin_clear_free(buf, bufsize); 5463 5464 return found; 5465 } 5466 5467 is_tpm2_key(const char * path)5468 static int is_tpm2_key(const char *path) 5469 { 5470 /* Check both new and old format of TPM2 PEM guard tag */ 5471 static const char *tpm2_tags[] = { 5472 "-----BEGIN TSS2 PRIVATE KEY-----", 5473 "-----BEGIN TSS2 KEY BLOB-----", 5474 NULL 5475 }; 5476 5477 return match_lines_in_file(path, tpm2_tags); 5478 } 5479 5480 tls_connection_set_params(void * tls_ctx,struct tls_connection * conn,const struct tls_connection_params * params)5481 int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn, 5482 const struct tls_connection_params *params) 5483 { 5484 struct tls_data *data = tls_ctx; 5485 int ret; 5486 unsigned long err; 5487 int can_pkcs11 = 0; 5488 const char *key_id = params->key_id; 5489 const char *cert_id = params->cert_id; 5490 const char *ca_cert_id = params->ca_cert_id; 5491 const char *engine_id = params->engine ? params->engine_id : NULL; 5492 const char *ciphers; 5493 5494 if (conn == NULL) 5495 return -1; 5496 5497 if (params->flags & TLS_CONN_REQUIRE_OCSP_ALL) { 5498 wpa_printf(MSG_INFO, 5499 "OpenSSL: ocsp=3 not supported"); 5500 return -1; 5501 } 5502 5503 /* 5504 * If the engine isn't explicitly configured, and any of the 5505 * cert/key fields are actually PKCS#11 URIs, then automatically 5506 * use the PKCS#11 ENGINE. 5507 */ 5508 if (!engine_id || os_strcmp(engine_id, "pkcs11") == 0) 5509 can_pkcs11 = 1; 5510 5511 if (!key_id && params->private_key && can_pkcs11 && 5512 os_strncmp(params->private_key, "pkcs11:", 7) == 0) { 5513 can_pkcs11 = 2; 5514 key_id = params->private_key; 5515 } 5516 5517 if (!cert_id && params->client_cert && can_pkcs11 && 5518 os_strncmp(params->client_cert, "pkcs11:", 7) == 0) { 5519 can_pkcs11 = 2; 5520 cert_id = params->client_cert; 5521 } 5522 5523 if (!ca_cert_id && params->ca_cert && can_pkcs11 && 5524 os_strncmp(params->ca_cert, "pkcs11:", 7) == 0) { 5525 can_pkcs11 = 2; 5526 ca_cert_id = params->ca_cert; 5527 } 5528 5529 /* If we need to automatically enable the PKCS#11 ENGINE, do so. */ 5530 if (can_pkcs11 == 2 && !engine_id) 5531 engine_id = "pkcs11"; 5532 5533 /* If private_key points to a TPM2-wrapped key, automatically enable 5534 * tpm2 engine and use it to unwrap the key. */ 5535 if (params->private_key && 5536 (!engine_id || os_strcmp(engine_id, "tpm2") == 0) && 5537 is_tpm2_key(params->private_key)) { 5538 wpa_printf(MSG_DEBUG, "OpenSSL: Found TPM2 wrapped key %s", 5539 params->private_key); 5540 key_id = key_id ? key_id : params->private_key; 5541 engine_id = engine_id ? engine_id : "tpm2"; 5542 } 5543 5544 #if defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || defined(EAP_SERVER_FAST) 5545 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) 5546 if (params->flags & TLS_CONN_EAP_FAST) { 5547 wpa_printf(MSG_DEBUG, 5548 "OpenSSL: Use TLSv1_method() for EAP-FAST"); 5549 if (SSL_set_ssl_method(conn->ssl, TLSv1_method()) != 1) { 5550 tls_show_errors(MSG_INFO, __func__, 5551 "Failed to set TLSv1_method() for EAP-FAST"); 5552 return -1; 5553 } 5554 } 5555 #endif 5556 #if OPENSSL_VERSION_NUMBER >= 0x10101000L 5557 #ifdef SSL_OP_NO_TLSv1_3 5558 if (params->flags & TLS_CONN_EAP_FAST) { 5559 /* Need to disable TLS v1.3 at least for now since OpenSSL 1.1.1 5560 * refuses to start the handshake with the modified ciphersuite 5561 * list (no TLS v1.3 ciphersuites included) for EAP-FAST. */ 5562 wpa_printf(MSG_DEBUG, "OpenSSL: Disable TLSv1.3 for EAP-FAST"); 5563 SSL_set_options(conn->ssl, SSL_OP_NO_TLSv1_3); 5564 } 5565 #endif /* SSL_OP_NO_TLSv1_3 */ 5566 #endif 5567 #endif /* EAP_FAST || EAP_FAST_DYNAMIC || EAP_SERVER_FAST */ 5568 5569 while ((err = ERR_get_error())) { 5570 wpa_printf(MSG_INFO, "%s: Clearing pending SSL error: %s", 5571 __func__, ERR_error_string(err, NULL)); 5572 } 5573 5574 if (tls_set_conn_flags(conn, params->flags, 5575 params->openssl_ciphers) < 0) 5576 return -1; 5577 5578 if (engine_id) { 5579 wpa_printf(MSG_DEBUG, "SSL: Initializing TLS engine %s", 5580 engine_id); 5581 ret = tls_engine_init(conn, engine_id, params->pin, 5582 key_id, cert_id, ca_cert_id); 5583 if (ret) 5584 return ret; 5585 } 5586 if (tls_connection_set_subject_match(conn, 5587 params->subject_match, 5588 params->altsubject_match, 5589 params->suffix_match, 5590 params->domain_match, 5591 params->check_cert_subject)) 5592 return -1; 5593 5594 if (engine_id && ca_cert_id) { 5595 #ifdef OPENSSL_NO_ENGINE 5596 if (!openssl_can_use_provider(engine_id, ca_cert_id)) 5597 return TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED; 5598 #endif /* OPENSSL_NO_ENGINE */ 5599 if (tls_connection_engine_ca_cert(data, conn, ca_cert_id)) 5600 return TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED; 5601 } else if (tls_connection_ca_cert(data, conn, params->ca_cert, 5602 params->ca_cert_blob, 5603 params->ca_cert_blob_len, 5604 params->ca_path)) 5605 return -1; 5606 5607 if (engine_id && cert_id) { 5608 #ifdef OPENSSL_NO_ENGINE 5609 if (!openssl_can_use_provider(engine_id, cert_id)) 5610 return TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED; 5611 #endif /* OPENSSL_NO_ENGINE */ 5612 if (tls_connection_engine_client_cert(conn, cert_id)) 5613 return TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED; 5614 } else if (tls_connection_client_cert(conn, params->client_cert, 5615 params->client_cert_blob, 5616 params->client_cert_blob_len)) 5617 return -1; 5618 5619 if (engine_id && key_id) { 5620 #ifdef OPENSSL_NO_ENGINE 5621 if (!openssl_can_use_provider(engine_id, key_id)) 5622 return TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED; 5623 #endif /* OPENSSL_NO_ENGINE */ 5624 wpa_printf(MSG_DEBUG, 5625 "TLS: Using private key from engine/provider"); 5626 if (tls_connection_engine_private_key(conn)) 5627 return TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED; 5628 } else if (tls_connection_private_key(data, conn, 5629 params->private_key, 5630 params->private_key_passwd, 5631 params->private_key_blob, 5632 params->private_key_blob_len)) { 5633 wpa_printf(MSG_INFO, "TLS: Failed to load private key '%s'", 5634 params->private_key); 5635 return -1; 5636 } 5637 5638 ciphers = params->openssl_ciphers; 5639 #ifdef CONFIG_SUITEB 5640 #ifdef OPENSSL_IS_BORINGSSL 5641 if (ciphers && os_strcmp(ciphers, "SUITEB192") == 0) { 5642 /* BoringSSL removed support for SUITEB192, so need to handle 5643 * this with hardcoded ciphersuite and additional checks for 5644 * other parameters. */ 5645 ciphers = "ECDHE-ECDSA-AES256-GCM-SHA384"; 5646 } 5647 #endif /* OPENSSL_IS_BORINGSSL */ 5648 #endif /* CONFIG_SUITEB */ 5649 if (ciphers && SSL_set_cipher_list(conn->ssl, ciphers) != 1) { 5650 wpa_printf(MSG_INFO, 5651 "OpenSSL: Failed to set cipher string '%s'", 5652 ciphers); 5653 return -1; 5654 } 5655 5656 if (!params->openssl_ecdh_curves) { 5657 #ifndef OPENSSL_IS_BORINGSSL 5658 #ifndef OPENSSL_NO_EC 5659 #if OPENSSL_VERSION_NUMBER < 0x10100000L 5660 if (SSL_set_ecdh_auto(conn->ssl, 1) != 1) { 5661 wpa_printf(MSG_INFO, 5662 "OpenSSL: Failed to set ECDH curves to auto"); 5663 return -1; 5664 } 5665 #endif /* < 1.1.0 */ 5666 #endif /* OPENSSL_NO_EC */ 5667 #endif /* OPENSSL_IS_BORINGSSL */ 5668 } else if (params->openssl_ecdh_curves[0]) { 5669 #ifdef OPENSSL_IS_BORINGSSL 5670 wpa_printf(MSG_INFO, 5671 "OpenSSL: ECDH configuration not supported"); 5672 return -1; 5673 #else /* !OPENSSL_IS_BORINGSSL */ 5674 #ifndef OPENSSL_NO_EC 5675 if (SSL_set1_curves_list(conn->ssl, 5676 params->openssl_ecdh_curves) != 1) { 5677 wpa_printf(MSG_INFO, 5678 "OpenSSL: Failed to set ECDH curves '%s'", 5679 params->openssl_ecdh_curves); 5680 return -1; 5681 } 5682 #else /* OPENSSL_NO_EC */ 5683 wpa_printf(MSG_INFO, "OpenSSL: ECDH not supported"); 5684 return -1; 5685 #endif /* OPENSSL_NO_EC */ 5686 #endif /* OPENSSL_IS_BORINGSSL */ 5687 } 5688 5689 #ifdef OPENSSL_IS_BORINGSSL 5690 if (params->flags & TLS_CONN_REQUEST_OCSP) { 5691 SSL_enable_ocsp_stapling(conn->ssl); 5692 } 5693 #else /* OPENSSL_IS_BORINGSSL */ 5694 #ifdef HAVE_OCSP 5695 if (params->flags & TLS_CONN_REQUEST_OCSP) { 5696 SSL_CTX *ssl_ctx = data->ssl; 5697 SSL_set_tlsext_status_type(conn->ssl, TLSEXT_STATUSTYPE_ocsp); 5698 SSL_CTX_set_tlsext_status_cb(ssl_ctx, ocsp_resp_cb); 5699 SSL_CTX_set_tlsext_status_arg(ssl_ctx, conn); 5700 } 5701 #else /* HAVE_OCSP */ 5702 if (params->flags & TLS_CONN_REQUIRE_OCSP) { 5703 wpa_printf(MSG_INFO, 5704 "OpenSSL: No OCSP support included - reject configuration"); 5705 return -1; 5706 } 5707 if (params->flags & TLS_CONN_REQUEST_OCSP) { 5708 wpa_printf(MSG_DEBUG, 5709 "OpenSSL: No OCSP support included - allow optional OCSP case to continue"); 5710 } 5711 #endif /* HAVE_OCSP */ 5712 #endif /* OPENSSL_IS_BORINGSSL */ 5713 5714 conn->flags = params->flags; 5715 5716 tls_get_errors(data); 5717 5718 return 0; 5719 } 5720 5721 openssl_debug_dump_cipher_list(SSL_CTX * ssl_ctx)5722 static void openssl_debug_dump_cipher_list(SSL_CTX *ssl_ctx) 5723 { 5724 SSL *ssl; 5725 int i; 5726 5727 ssl = SSL_new(ssl_ctx); 5728 if (!ssl) 5729 return; 5730 5731 wpa_printf(MSG_DEBUG, 5732 "OpenSSL: Enabled cipher suites in priority order"); 5733 for (i = 0; ; i++) { 5734 const char *cipher; 5735 5736 cipher = SSL_get_cipher_list(ssl, i); 5737 if (!cipher) 5738 break; 5739 wpa_printf(MSG_DEBUG, "Cipher %d: %s", i, cipher); 5740 } 5741 5742 SSL_free(ssl); 5743 } 5744 5745 5746 #if !defined(LIBRESSL_VERSION_NUMBER) && !defined(BORINGSSL_API_VERSION) 5747 openssl_pkey_type_str(const EVP_PKEY * pkey)5748 static const char * openssl_pkey_type_str(const EVP_PKEY *pkey) 5749 { 5750 if (!pkey) 5751 return "NULL"; 5752 switch (EVP_PKEY_type(EVP_PKEY_id(pkey))) { 5753 case EVP_PKEY_RSA: 5754 return "RSA"; 5755 case EVP_PKEY_DSA: 5756 return "DSA"; 5757 case EVP_PKEY_DH: 5758 return "DH"; 5759 case EVP_PKEY_EC: 5760 return "EC"; 5761 default: 5762 return "?"; 5763 } 5764 } 5765 5766 openssl_debug_dump_certificate(int i,X509 * cert)5767 static void openssl_debug_dump_certificate(int i, X509 *cert) 5768 { 5769 char buf[256]; 5770 EVP_PKEY *pkey; 5771 ASN1_INTEGER *ser; 5772 char serial_num[128]; 5773 5774 if (!cert) 5775 return; 5776 5777 X509_NAME_oneline(X509_get_subject_name(cert), buf, sizeof(buf)); 5778 5779 ser = X509_get_serialNumber(cert); 5780 if (ser) 5781 wpa_snprintf_hex_uppercase(serial_num, sizeof(serial_num), 5782 ASN1_STRING_get0_data(ser), 5783 ASN1_STRING_length(ser)); 5784 else 5785 serial_num[0] = '\0'; 5786 5787 pkey = X509_get_pubkey(cert); 5788 wpa_printf(MSG_DEBUG, "%d: %s (%s) %s", i, buf, 5789 openssl_pkey_type_str(pkey), serial_num); 5790 EVP_PKEY_free(pkey); 5791 } 5792 5793 openssl_debug_dump_certificates(SSL_CTX * ssl_ctx)5794 static void openssl_debug_dump_certificates(SSL_CTX *ssl_ctx) 5795 { 5796 STACK_OF(X509) *certs; 5797 5798 wpa_printf(MSG_DEBUG, "OpenSSL: Configured certificate chain"); 5799 if (SSL_CTX_get0_chain_certs(ssl_ctx, &certs) == 1) { 5800 int i; 5801 5802 for (i = sk_X509_num(certs); i > 0; i--) 5803 openssl_debug_dump_certificate(i, sk_X509_value(certs, 5804 i - 1)); 5805 } 5806 openssl_debug_dump_certificate(0, SSL_CTX_get0_certificate(ssl_ctx)); 5807 } 5808 5809 #endif 5810 5811 openssl_debug_dump_certificate_chains(SSL_CTX * ssl_ctx)5812 static void openssl_debug_dump_certificate_chains(SSL_CTX *ssl_ctx) 5813 { 5814 #if !defined(LIBRESSL_VERSION_NUMBER) && !defined(BORINGSSL_API_VERSION) 5815 int res; 5816 5817 for (res = SSL_CTX_set_current_cert(ssl_ctx, SSL_CERT_SET_FIRST); 5818 res == 1; 5819 res = SSL_CTX_set_current_cert(ssl_ctx, SSL_CERT_SET_NEXT)) 5820 openssl_debug_dump_certificates(ssl_ctx); 5821 5822 SSL_CTX_set_current_cert(ssl_ctx, SSL_CERT_SET_FIRST); 5823 #endif 5824 } 5825 5826 openssl_debug_dump_ctx(SSL_CTX * ssl_ctx)5827 static void openssl_debug_dump_ctx(SSL_CTX *ssl_ctx) 5828 { 5829 openssl_debug_dump_cipher_list(ssl_ctx); 5830 openssl_debug_dump_certificate_chains(ssl_ctx); 5831 } 5832 5833 tls_global_set_params(void * tls_ctx,const struct tls_connection_params * params)5834 int tls_global_set_params(void *tls_ctx, 5835 const struct tls_connection_params *params) 5836 { 5837 struct tls_data *data = tls_ctx; 5838 SSL_CTX *ssl_ctx = data->ssl; 5839 unsigned long err; 5840 5841 while ((err = ERR_get_error())) { 5842 wpa_printf(MSG_INFO, "%s: Clearing pending SSL error: %s", 5843 __func__, ERR_error_string(err, NULL)); 5844 } 5845 5846 os_free(data->check_cert_subject); 5847 data->check_cert_subject = NULL; 5848 if (params->check_cert_subject) { 5849 data->check_cert_subject = 5850 os_strdup(params->check_cert_subject); 5851 if (!data->check_cert_subject) 5852 return -1; 5853 } 5854 5855 if (tls_global_ca_cert(data, params->ca_cert) || 5856 tls_global_client_cert(data, params->client_cert) || 5857 tls_global_private_key(data, params->private_key, 5858 params->private_key_passwd) || 5859 tls_global_client_cert(data, params->client_cert2) || 5860 tls_global_private_key(data, params->private_key2, 5861 params->private_key_passwd2) || 5862 tls_global_dh(data, params->dh_file)) { 5863 wpa_printf(MSG_INFO, "TLS: Failed to set global parameters"); 5864 return -1; 5865 } 5866 5867 os_free(data->openssl_ciphers); 5868 if (params->openssl_ciphers) { 5869 data->openssl_ciphers = os_strdup(params->openssl_ciphers); 5870 if (!data->openssl_ciphers) 5871 return -1; 5872 } else { 5873 data->openssl_ciphers = NULL; 5874 } 5875 if (params->openssl_ciphers && 5876 SSL_CTX_set_cipher_list(ssl_ctx, params->openssl_ciphers) != 1) { 5877 wpa_printf(MSG_INFO, 5878 "OpenSSL: Failed to set cipher string '%s'", 5879 params->openssl_ciphers); 5880 return -1; 5881 } 5882 5883 if (!params->openssl_ecdh_curves) { 5884 #ifndef OPENSSL_IS_BORINGSSL 5885 #ifndef OPENSSL_NO_EC 5886 #if OPENSSL_VERSION_NUMBER < 0x10100000L 5887 if (SSL_CTX_set_ecdh_auto(ssl_ctx, 1) != 1) { 5888 wpa_printf(MSG_INFO, 5889 "OpenSSL: Failed to set ECDH curves to auto"); 5890 return -1; 5891 } 5892 #endif /* < 1.1.0 */ 5893 #endif /* OPENSSL_NO_EC */ 5894 #endif /* OPENSSL_IS_BORINGSSL */ 5895 } else if (params->openssl_ecdh_curves[0]) { 5896 #ifdef OPENSSL_IS_BORINGSSL 5897 wpa_printf(MSG_INFO, 5898 "OpenSSL: ECDH configuration not supported"); 5899 return -1; 5900 #else /* !OPENSSL_IS_BORINGSSL */ 5901 #ifndef OPENSSL_NO_EC 5902 #if OPENSSL_VERSION_NUMBER < 0x10100000L 5903 SSL_CTX_set_ecdh_auto(ssl_ctx, 1); 5904 #endif 5905 if (SSL_CTX_set1_curves_list(ssl_ctx, 5906 params->openssl_ecdh_curves) != 5907 1) { 5908 wpa_printf(MSG_INFO, 5909 "OpenSSL: Failed to set ECDH curves '%s'", 5910 params->openssl_ecdh_curves); 5911 return -1; 5912 } 5913 #else /* OPENSSL_NO_EC */ 5914 wpa_printf(MSG_INFO, "OpenSSL: ECDH not supported"); 5915 return -1; 5916 #endif /* OPENSSL_NO_EC */ 5917 #endif /* OPENSSL_IS_BORINGSSL */ 5918 } 5919 5920 #ifdef SSL_OP_NO_TICKET 5921 if (params->flags & TLS_CONN_DISABLE_SESSION_TICKET) 5922 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TICKET); 5923 else 5924 SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TICKET); 5925 #endif /* SSL_OP_NO_TICKET */ 5926 5927 #ifdef HAVE_OCSP 5928 SSL_CTX_set_tlsext_status_cb(ssl_ctx, ocsp_status_cb); 5929 SSL_CTX_set_tlsext_status_arg(ssl_ctx, ssl_ctx); 5930 os_free(tls_global->ocsp_stapling_response); 5931 if (params->ocsp_stapling_response) 5932 tls_global->ocsp_stapling_response = 5933 os_strdup(params->ocsp_stapling_response); 5934 else 5935 tls_global->ocsp_stapling_response = NULL; 5936 #endif /* HAVE_OCSP */ 5937 5938 openssl_debug_dump_ctx(ssl_ctx); 5939 5940 return 0; 5941 } 5942 5943 5944 #ifdef EAP_FAST_OR_TEAP 5945 /* Pre-shared secred requires a patch to openssl, so this function is 5946 * commented out unless explicitly needed for EAP-FAST in order to be able to 5947 * build this file with unmodified openssl. */ 5948 5949 #if (defined(OPENSSL_IS_BORINGSSL) || OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER) tls_sess_sec_cb(SSL * s,void * secret,int * secret_len,STACK_OF (SSL_CIPHER)* peer_ciphers,const SSL_CIPHER ** cipher,void * arg)5950 static int tls_sess_sec_cb(SSL *s, void *secret, int *secret_len, 5951 STACK_OF(SSL_CIPHER) *peer_ciphers, 5952 const SSL_CIPHER **cipher, void *arg) 5953 #else /* OPENSSL_IS_BORINGSSL */ 5954 static int tls_sess_sec_cb(SSL *s, void *secret, int *secret_len, 5955 STACK_OF(SSL_CIPHER) *peer_ciphers, 5956 SSL_CIPHER **cipher, void *arg) 5957 #endif /* OPENSSL_IS_BORINGSSL */ 5958 { 5959 struct tls_connection *conn = arg; 5960 int ret; 5961 5962 #if OPENSSL_VERSION_NUMBER < 0x10100000L 5963 if (conn == NULL || conn->session_ticket_cb == NULL) 5964 return 0; 5965 5966 ret = conn->session_ticket_cb(conn->session_ticket_cb_ctx, 5967 conn->session_ticket, 5968 conn->session_ticket_len, 5969 s->s3->client_random, 5970 s->s3->server_random, secret); 5971 #else 5972 unsigned char client_random[SSL3_RANDOM_SIZE]; 5973 unsigned char server_random[SSL3_RANDOM_SIZE]; 5974 5975 if (conn == NULL || conn->session_ticket_cb == NULL) 5976 return 0; 5977 5978 SSL_get_client_random(s, client_random, sizeof(client_random)); 5979 SSL_get_server_random(s, server_random, sizeof(server_random)); 5980 5981 ret = conn->session_ticket_cb(conn->session_ticket_cb_ctx, 5982 conn->session_ticket, 5983 conn->session_ticket_len, 5984 client_random, 5985 server_random, secret); 5986 #endif 5987 5988 os_free(conn->session_ticket); 5989 conn->session_ticket = NULL; 5990 5991 if (ret <= 0) 5992 return 0; 5993 5994 *secret_len = SSL_MAX_MASTER_KEY_LENGTH; 5995 return 1; 5996 } 5997 5998 tls_session_ticket_ext_cb(SSL * s,const unsigned char * data,int len,void * arg)5999 static int tls_session_ticket_ext_cb(SSL *s, const unsigned char *data, 6000 int len, void *arg) 6001 { 6002 struct tls_connection *conn = arg; 6003 6004 if (conn == NULL || conn->session_ticket_cb == NULL) 6005 return 0; 6006 6007 wpa_printf(MSG_DEBUG, "OpenSSL: %s: length=%d", __func__, len); 6008 6009 os_free(conn->session_ticket); 6010 conn->session_ticket = NULL; 6011 6012 wpa_hexdump(MSG_DEBUG, "OpenSSL: ClientHello SessionTicket " 6013 "extension", data, len); 6014 6015 conn->session_ticket = os_memdup(data, len); 6016 if (conn->session_ticket == NULL) 6017 return 0; 6018 6019 conn->session_ticket_len = len; 6020 6021 return 1; 6022 } 6023 #endif /* EAP_FAST_OR_TEAP */ 6024 6025 tls_connection_set_session_ticket_cb(void * tls_ctx,struct tls_connection * conn,tls_session_ticket_cb cb,void * ctx)6026 int tls_connection_set_session_ticket_cb(void *tls_ctx, 6027 struct tls_connection *conn, 6028 tls_session_ticket_cb cb, 6029 void *ctx) 6030 { 6031 #ifdef EAP_FAST_OR_TEAP 6032 conn->session_ticket_cb = cb; 6033 conn->session_ticket_cb_ctx = ctx; 6034 6035 if (cb) { 6036 if (SSL_set_session_secret_cb(conn->ssl, tls_sess_sec_cb, 6037 conn) != 1) 6038 return -1; 6039 SSL_set_session_ticket_ext_cb(conn->ssl, 6040 tls_session_ticket_ext_cb, conn); 6041 } else { 6042 if (SSL_set_session_secret_cb(conn->ssl, NULL, NULL) != 1) 6043 return -1; 6044 SSL_set_session_ticket_ext_cb(conn->ssl, NULL, NULL); 6045 } 6046 6047 return 0; 6048 #else /* EAP_FAST_OR_TEAP */ 6049 return -1; 6050 #endif /* EAP_FAST_OR_TEAP */ 6051 } 6052 6053 tls_get_library_version(char * buf,size_t buf_len)6054 int tls_get_library_version(char *buf, size_t buf_len) 6055 { 6056 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) 6057 return os_snprintf(buf, buf_len, "OpenSSL build=%s run=%s", 6058 OPENSSL_VERSION_TEXT, 6059 OpenSSL_version(OPENSSL_VERSION)); 6060 #else 6061 return os_snprintf(buf, buf_len, "OpenSSL build=%s run=%s", 6062 OPENSSL_VERSION_TEXT, 6063 SSLeay_version(SSLEAY_VERSION)); 6064 #endif 6065 } 6066 6067 tls_connection_set_success_data(struct tls_connection * conn,struct wpabuf * data)6068 void tls_connection_set_success_data(struct tls_connection *conn, 6069 struct wpabuf *data) 6070 { 6071 SSL_SESSION *sess; 6072 struct wpabuf *old; 6073 struct tls_session_data *sess_data = NULL; 6074 6075 if (tls_ex_idx_session < 0) 6076 goto fail; 6077 sess = SSL_get_session(conn->ssl); 6078 if (!sess) 6079 goto fail; 6080 old = SSL_SESSION_get_ex_data(sess, tls_ex_idx_session); 6081 if (old) { 6082 struct tls_session_data *found; 6083 6084 found = get_session_data(conn->context, old); 6085 wpa_printf(MSG_DEBUG, 6086 "OpenSSL: Replacing old success data %p (sess %p)%s", 6087 old, sess, found ? "" : " (not freeing)"); 6088 if (found) { 6089 dl_list_del(&found->list); 6090 os_free(found); 6091 wpabuf_free(old); 6092 } 6093 } 6094 6095 sess_data = os_zalloc(sizeof(*sess_data)); 6096 if (!sess_data || 6097 SSL_SESSION_set_ex_data(sess, tls_ex_idx_session, data) != 1) 6098 goto fail; 6099 6100 sess_data->buf = data; 6101 dl_list_add(&conn->context->sessions, &sess_data->list); 6102 wpa_printf(MSG_DEBUG, "OpenSSL: Stored success data %p (sess %p)", 6103 data, sess); 6104 conn->success_data = 1; 6105 return; 6106 6107 fail: 6108 wpa_printf(MSG_INFO, "OpenSSL: Failed to store success data"); 6109 wpabuf_free(data); 6110 os_free(sess_data); 6111 } 6112 6113 tls_connection_set_success_data_resumed(struct tls_connection * conn)6114 void tls_connection_set_success_data_resumed(struct tls_connection *conn) 6115 { 6116 wpa_printf(MSG_DEBUG, 6117 "OpenSSL: Success data accepted for resumed session"); 6118 conn->success_data = 1; 6119 } 6120 6121 6122 const struct wpabuf * tls_connection_get_success_data(struct tls_connection * conn)6123 tls_connection_get_success_data(struct tls_connection *conn) 6124 { 6125 SSL_SESSION *sess; 6126 6127 if (tls_ex_idx_session < 0 || 6128 !(sess = SSL_get_session(conn->ssl))) 6129 return NULL; 6130 return SSL_SESSION_get_ex_data(sess, tls_ex_idx_session); 6131 } 6132 6133 tls_connection_remove_session(struct tls_connection * conn)6134 void tls_connection_remove_session(struct tls_connection *conn) 6135 { 6136 SSL_SESSION *sess; 6137 6138 sess = SSL_get_session(conn->ssl); 6139 if (!sess) 6140 return; 6141 6142 if (SSL_CTX_remove_session(conn->ssl_ctx, sess) != 1) 6143 wpa_printf(MSG_DEBUG, 6144 "OpenSSL: Session was not cached"); 6145 else 6146 wpa_printf(MSG_DEBUG, 6147 "OpenSSL: Removed cached session to disable session resumption"); 6148 } 6149 6150 tls_get_tls_unique(struct tls_connection * conn,u8 * buf,size_t max_len)6151 int tls_get_tls_unique(struct tls_connection *conn, u8 *buf, size_t max_len) 6152 { 6153 size_t len; 6154 int reused; 6155 6156 reused = SSL_session_reused(conn->ssl); 6157 if ((conn->server && !reused) || (!conn->server && reused)) 6158 len = SSL_get_peer_finished(conn->ssl, buf, max_len); 6159 else 6160 len = SSL_get_finished(conn->ssl, buf, max_len); 6161 6162 if (len == 0 || len > max_len) 6163 return -1; 6164 6165 return len; 6166 } 6167 6168 tls_connection_get_cipher_suite(struct tls_connection * conn)6169 u16 tls_connection_get_cipher_suite(struct tls_connection *conn) 6170 { 6171 const SSL_CIPHER *cipher; 6172 6173 cipher = SSL_get_current_cipher(conn->ssl); 6174 if (!cipher) 6175 return 0; 6176 #if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER) 6177 return SSL_CIPHER_get_protocol_id(cipher); 6178 #else 6179 return SSL_CIPHER_get_id(cipher) & 0xFFFF; 6180 #endif 6181 } 6182 6183 tls_connection_get_peer_subject(struct tls_connection * conn)6184 const char * tls_connection_get_peer_subject(struct tls_connection *conn) 6185 { 6186 if (conn) 6187 return conn->peer_subject; 6188 return NULL; 6189 } 6190 6191 tls_connection_get_own_cert_used(struct tls_connection * conn)6192 bool tls_connection_get_own_cert_used(struct tls_connection *conn) 6193 { 6194 if (conn) 6195 return SSL_get_certificate(conn->ssl) != NULL; 6196 return false; 6197 } 6198