1 /*
2 * SSL/TLS interface functions for OpenSSL
3 * Copyright (c) 2004-2015, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "includes.h"
10
11 #ifndef CONFIG_SMARTCARD
12 #ifndef OPENSSL_NO_ENGINE
13 #ifndef ANDROID
14 #define OPENSSL_NO_ENGINE
15 #endif
16 #endif
17 #endif
18
19 #include <openssl/ssl.h>
20 #include <openssl/err.h>
21 #include <openssl/opensslv.h>
22 #include <openssl/pkcs12.h>
23 #include <openssl/x509v3.h>
24 #ifndef OPENSSL_NO_ENGINE
25 #include <openssl/engine.h>
26 #endif /* OPENSSL_NO_ENGINE */
27 #ifndef OPENSSL_NO_DSA
28 #include <openssl/dsa.h>
29 #endif
30 #ifndef OPENSSL_NO_DH
31 #include <openssl/dh.h>
32 #endif
33
34 #include "common.h"
35 #include "crypto.h"
36 #include "sha1.h"
37 #include "sha256.h"
38 #include "tls.h"
39 #include "tls_openssl.h"
40 #ifdef CONFIG_OHOS_CERTMGR
41 #include "wpa_evp_key.h"
42 #endif
43
44 #define OH_PREFIX "oh:"
45
46 #if !defined(CONFIG_FIPS) && \
47 (defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || \
48 defined(EAP_SERVER_FAST))
49 #define OPENSSL_NEED_EAP_FAST_PRF
50 #endif
51
52 #if defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || \
53 defined(EAP_SERVER_FAST) || defined(EAP_TEAP) || \
54 defined(EAP_SERVER_TEAP)
55 #define EAP_FAST_OR_TEAP
56 #endif
57
58
59 #if defined(OPENSSL_IS_BORINGSSL)
60 /* stack_index_t is the return type of OpenSSL's sk_XXX_num() functions. */
61 typedef size_t stack_index_t;
62 #else
63 typedef int stack_index_t;
64 #endif
65
66 #ifdef SSL_set_tlsext_status_type
67 #ifndef OPENSSL_NO_TLSEXT
68 #define HAVE_OCSP
69 #include <openssl/ocsp.h>
70 #endif /* OPENSSL_NO_TLSEXT */
71 #endif /* SSL_set_tlsext_status_type */
72
73 #if (OPENSSL_VERSION_NUMBER < 0x10100000L || \
74 (defined(LIBRESSL_VERSION_NUMBER) && \
75 LIBRESSL_VERSION_NUMBER < 0x20700000L)) && \
76 !defined(BORINGSSL_API_VERSION)
77 /*
78 * SSL_get_client_random() and SSL_get_server_random() were added in OpenSSL
79 * 1.1.0 and newer BoringSSL revisions. Provide compatibility wrappers for
80 * older versions.
81 */
82
SSL_get_client_random(const SSL *ssl, unsigned char *out, size_t outlen)83 static size_t SSL_get_client_random(const SSL *ssl, unsigned char *out,
84 size_t outlen)
85 {
86 if (!ssl->s3 || outlen < SSL3_RANDOM_SIZE)
87 return 0;
88 os_memcpy(out, ssl->s3->client_random, SSL3_RANDOM_SIZE);
89 return SSL3_RANDOM_SIZE;
90 }
91
92
SSL_get_server_random(const SSL *ssl, unsigned char *out, size_t outlen)93 static size_t SSL_get_server_random(const SSL *ssl, unsigned char *out,
94 size_t outlen)
95 {
96 if (!ssl->s3 || outlen < SSL3_RANDOM_SIZE)
97 return 0;
98 os_memcpy(out, ssl->s3->server_random, SSL3_RANDOM_SIZE);
99 return SSL3_RANDOM_SIZE;
100 }
101
102
103 #ifdef OPENSSL_NEED_EAP_FAST_PRF
SSL_SESSION_get_master_key(const SSL_SESSION *session, unsigned char *out, size_t outlen)104 static size_t SSL_SESSION_get_master_key(const SSL_SESSION *session,
105 unsigned char *out, size_t outlen)
106 {
107 if (!session || session->master_key_length < 0 ||
108 (size_t) session->master_key_length > outlen)
109 return 0;
110 if ((size_t) session->master_key_length < outlen)
111 outlen = session->master_key_length;
112 os_memcpy(out, session->master_key, outlen);
113 return outlen;
114 }
115 #endif /* OPENSSL_NEED_EAP_FAST_PRF */
116
117 #endif
118
119 #if OPENSSL_VERSION_NUMBER < 0x10100000L || \
120 (defined(LIBRESSL_VERSION_NUMBER) && \
121 LIBRESSL_VERSION_NUMBER < 0x20700000L)
122 #ifdef CONFIG_SUITEB
RSA_bits(const RSA *r)123 static int RSA_bits(const RSA *r)
124 {
125 return BN_num_bits(r->n);
126 }
127 #endif /* CONFIG_SUITEB */
128
129
ASN1_STRING_get0_data(const ASN1_STRING *x)130 static const unsigned char * ASN1_STRING_get0_data(const ASN1_STRING *x)
131 {
132 return ASN1_STRING_data((ASN1_STRING *) x);
133 }
134 #endif
135
136 #ifdef ANDROID
137 #include <openssl/pem.h>
138 #include <keystore/keystore_get.h>
139
BIO_from_keystore(const char *key)140 static BIO * BIO_from_keystore(const char *key)
141 {
142 BIO *bio = NULL;
143 uint8_t *value = NULL;
144 int length = keystore_get(key, strlen(key), &value);
145 if (length != -1 && (bio = BIO_new(BIO_s_mem())) != NULL)
146 BIO_write(bio, value, length);
147 free(value);
148 return bio;
149 }
150
151
tls_add_ca_from_keystore(X509_STORE *ctx, const char *key_alias)152 static int tls_add_ca_from_keystore(X509_STORE *ctx, const char *key_alias)
153 {
154 BIO *bio = BIO_from_keystore(key_alias);
155 STACK_OF(X509_INFO) *stack = NULL;
156 stack_index_t i;
157
158 if (bio) {
159 stack = PEM_X509_INFO_read_bio(bio, NULL, NULL, NULL);
160 BIO_free(bio);
161 }
162
163 if (!stack) {
164 wpa_printf(MSG_WARNING, "TLS: Failed to parse certificate: %s",
165 key_alias);
166 return -1;
167 }
168
169 for (i = 0; i < sk_X509_INFO_num(stack); ++i) {
170 X509_INFO *info = sk_X509_INFO_value(stack, i);
171
172 if (info->x509)
173 X509_STORE_add_cert(ctx, info->x509);
174 if (info->crl)
175 X509_STORE_add_crl(ctx, info->crl);
176 }
177
178 sk_X509_INFO_pop_free(stack, X509_INFO_free);
179
180 return 0;
181 }
182
183
tls_add_ca_from_keystore_encoded(X509_STORE *ctx, const char *encoded_key_alias)184 static int tls_add_ca_from_keystore_encoded(X509_STORE *ctx,
185 const char *encoded_key_alias)
186 {
187 int rc = -1;
188 int len = os_strlen(encoded_key_alias);
189 unsigned char *decoded_alias;
190
191 if (len & 1) {
192 wpa_printf(MSG_WARNING, "Invalid hex-encoded alias: %s",
193 encoded_key_alias);
194 return rc;
195 }
196
197 decoded_alias = os_malloc(len / 2 + 1);
198 if (decoded_alias) {
199 if (!hexstr2bin(encoded_key_alias, decoded_alias, len / 2)) {
200 decoded_alias[len / 2] = '\0';
201 rc = tls_add_ca_from_keystore(
202 ctx, (const char *) decoded_alias);
203 }
204 os_free(decoded_alias);
205 }
206
207 return rc;
208 }
209
210 #endif /* ANDROID */
211
212 static int tls_openssl_ref_count = 0;
213 static int tls_ex_idx_session = -1;
214
215 struct tls_context {
216 void (*event_cb)(void *ctx, enum tls_event ev,
217 union tls_event_data *data);
218 void *cb_ctx;
219 int cert_in_cb;
220 char *ocsp_stapling_response;
221 };
222
223 static struct tls_context *tls_global = NULL;
224
225
226 struct tls_data {
227 SSL_CTX *ssl;
228 unsigned int tls_session_lifetime;
229 int check_crl;
230 int check_crl_strict;
231 char *ca_cert;
232 unsigned int crl_reload_interval;
233 struct os_reltime crl_last_reload;
234 char *check_cert_subject;
235 };
236
237 struct tls_connection {
238 struct tls_context *context;
239 struct tls_data *data;
240 SSL_CTX *ssl_ctx;
241 SSL *ssl;
242 BIO *ssl_in, *ssl_out;
243 #if defined(ANDROID) || !defined(OPENSSL_NO_ENGINE)
244 ENGINE *engine; /* functional reference to the engine */
245 EVP_PKEY *private_key; /* the private key if using engine */
246 #endif /* OPENSSL_NO_ENGINE */
247 char *subject_match, *altsubject_match, *suffix_match, *domain_match;
248 char *check_cert_subject;
249 int read_alerts, write_alerts, failed;
250
251 tls_session_ticket_cb session_ticket_cb;
252 void *session_ticket_cb_ctx;
253
254 /* SessionTicket received from OpenSSL hello_extension_cb (server) */
255 u8 *session_ticket;
256 size_t session_ticket_len;
257
258 unsigned int ca_cert_verify:1;
259 unsigned int cert_probe:1;
260 unsigned int server_cert_only:1;
261 unsigned int invalid_hb_used:1;
262 unsigned int success_data:1;
263 unsigned int client_hello_generated:1;
264 unsigned int server:1;
265
266 u8 srv_cert_hash[32];
267
268 unsigned int flags;
269
270 X509 *peer_cert;
271 X509 *peer_issuer;
272 X509 *peer_issuer_issuer;
273 char *peer_subject; /* peer subject info for authenticated peer */
274
275 unsigned char client_random[SSL3_RANDOM_SIZE];
276 unsigned char server_random[SSL3_RANDOM_SIZE];
277
278 u16 cipher_suite;
279 int server_dh_prime_len;
280 };
281
282
tls_context_new(const struct tls_config *conf)283 static struct tls_context * tls_context_new(const struct tls_config *conf)
284 {
285 struct tls_context *context = os_zalloc(sizeof(*context));
286 if (context == NULL)
287 return NULL;
288 if (conf) {
289 context->event_cb = conf->event_cb;
290 context->cb_ctx = conf->cb_ctx;
291 context->cert_in_cb = conf->cert_in_cb;
292 }
293 return context;
294 }
295
296
297 #ifdef CONFIG_NO_STDOUT_DEBUG
298
_tls_show_errors(void)299 static void _tls_show_errors(void)
300 {
301 unsigned long err;
302
303 while ((err = ERR_get_error())) {
304 /* Just ignore the errors, since stdout is disabled */
305 }
306 }
307 #define tls_show_errors(l, f, t) _tls_show_errors()
308
309 #else /* CONFIG_NO_STDOUT_DEBUG */
310
tls_show_errors(int level, const char *func, const char *txt)311 static void tls_show_errors(int level, const char *func, const char *txt)
312 {
313 unsigned long err;
314
315 wpa_printf(level, "OpenSSL: %s - %s %s",
316 func, txt, ERR_error_string(ERR_get_error(), NULL));
317
318 while ((err = ERR_get_error())) {
319 wpa_printf(MSG_INFO, "OpenSSL: pending error: %s",
320 ERR_error_string(err, NULL));
321 }
322 }
323
324 #endif /* CONFIG_NO_STDOUT_DEBUG */
325
326
tls_crl_cert_reload(const char *ca_cert, int check_crl)327 static X509_STORE * tls_crl_cert_reload(const char *ca_cert, int check_crl)
328 {
329 int flags;
330 X509_STORE *store;
331
332 store = X509_STORE_new();
333 if (!store) {
334 wpa_printf(MSG_DEBUG,
335 "OpenSSL: %s - failed to allocate new certificate store",
336 __func__);
337 return NULL;
338 }
339
340 if (ca_cert && X509_STORE_load_locations(store, ca_cert, NULL) != 1) {
341 tls_show_errors(MSG_WARNING, __func__,
342 "Failed to load root certificates");
343 X509_STORE_free(store);
344 return NULL;
345 }
346
347 flags = check_crl ? X509_V_FLAG_CRL_CHECK : 0;
348 if (check_crl == 2)
349 flags |= X509_V_FLAG_CRL_CHECK_ALL;
350
351 X509_STORE_set_flags(store, flags);
352
353 return store;
354 }
355
356
357 #ifdef CONFIG_NATIVE_WINDOWS
358
359 /* Windows CryptoAPI and access to certificate stores */
360 #include <wincrypt.h>
361
362 #ifdef __MINGW32_VERSION
363 /*
364 * MinGW does not yet include all the needed definitions for CryptoAPI, so
365 * define here whatever extra is needed.
366 */
367 #define CERT_SYSTEM_STORE_CURRENT_USER (1 << 16)
368 #define CERT_STORE_READONLY_FLAG 0x00008000
369 #define CERT_STORE_OPEN_EXISTING_FLAG 0x00004000
370
371 #endif /* __MINGW32_VERSION */
372
373
374 struct cryptoapi_rsa_data {
375 const CERT_CONTEXT *cert;
376 HCRYPTPROV crypt_prov;
377 DWORD key_spec;
378 BOOL free_crypt_prov;
379 };
380
381
cryptoapi_error(const char *msg)382 static void cryptoapi_error(const char *msg)
383 {
384 wpa_printf(MSG_INFO, "CryptoAPI: %s; err=%u",
385 msg, (unsigned int) GetLastError());
386 }
387
388
cryptoapi_rsa_pub_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)389 static int cryptoapi_rsa_pub_enc(int flen, const unsigned char *from,
390 unsigned char *to, RSA *rsa, int padding)
391 {
392 wpa_printf(MSG_DEBUG, "%s - not implemented", __func__);
393 return 0;
394 }
395
396
cryptoapi_rsa_pub_dec(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)397 static int cryptoapi_rsa_pub_dec(int flen, const unsigned char *from,
398 unsigned char *to, RSA *rsa, int padding)
399 {
400 wpa_printf(MSG_DEBUG, "%s - not implemented", __func__);
401 return 0;
402 }
403
404
cryptoapi_rsa_priv_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)405 static int cryptoapi_rsa_priv_enc(int flen, const unsigned char *from,
406 unsigned char *to, RSA *rsa, int padding)
407 {
408 struct cryptoapi_rsa_data *priv =
409 (struct cryptoapi_rsa_data *) rsa->meth->app_data;
410 HCRYPTHASH hash;
411 DWORD hash_size, len, i;
412 unsigned char *buf = NULL;
413 int ret = 0;
414
415 if (priv == NULL) {
416 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,
417 ERR_R_PASSED_NULL_PARAMETER);
418 return 0;
419 }
420
421 if (padding != RSA_PKCS1_PADDING) {
422 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,
423 RSA_R_UNKNOWN_PADDING_TYPE);
424 return 0;
425 }
426
427 if (flen != 16 /* MD5 */ + 20 /* SHA-1 */) {
428 wpa_printf(MSG_INFO, "%s - only MD5-SHA1 hash supported",
429 __func__);
430 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,
431 RSA_R_INVALID_MESSAGE_LENGTH);
432 return 0;
433 }
434
435 if (!CryptCreateHash(priv->crypt_prov, CALG_SSL3_SHAMD5, 0, 0, &hash))
436 {
437 cryptoapi_error("CryptCreateHash failed");
438 return 0;
439 }
440
441 len = sizeof(hash_size);
442 if (!CryptGetHashParam(hash, HP_HASHSIZE, (BYTE *) &hash_size, &len,
443 0)) {
444 cryptoapi_error("CryptGetHashParam failed");
445 goto err;
446 }
447
448 if ((int) hash_size != flen) {
449 wpa_printf(MSG_INFO, "CryptoAPI: Invalid hash size (%u != %d)",
450 (unsigned) hash_size, flen);
451 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,
452 RSA_R_INVALID_MESSAGE_LENGTH);
453 goto err;
454 }
455 if (!CryptSetHashParam(hash, HP_HASHVAL, (BYTE * ) from, 0)) {
456 cryptoapi_error("CryptSetHashParam failed");
457 goto err;
458 }
459
460 len = RSA_size(rsa);
461 buf = os_malloc(len);
462 if (buf == NULL) {
463 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, ERR_R_MALLOC_FAILURE);
464 goto err;
465 }
466
467 if (!CryptSignHash(hash, priv->key_spec, NULL, 0, buf, &len)) {
468 cryptoapi_error("CryptSignHash failed");
469 goto err;
470 }
471
472 for (i = 0; i < len; i++)
473 to[i] = buf[len - i - 1];
474 ret = len;
475
476 err:
477 os_free(buf);
478 CryptDestroyHash(hash);
479
480 return ret;
481 }
482
483
cryptoapi_rsa_priv_dec(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)484 static int cryptoapi_rsa_priv_dec(int flen, const unsigned char *from,
485 unsigned char *to, RSA *rsa, int padding)
486 {
487 wpa_printf(MSG_DEBUG, "%s - not implemented", __func__);
488 return 0;
489 }
490
491
cryptoapi_free_data(struct cryptoapi_rsa_data *priv)492 static void cryptoapi_free_data(struct cryptoapi_rsa_data *priv)
493 {
494 if (priv == NULL)
495 return;
496 if (priv->crypt_prov && priv->free_crypt_prov)
497 CryptReleaseContext(priv->crypt_prov, 0);
498 if (priv->cert)
499 CertFreeCertificateContext(priv->cert);
500 os_free(priv);
501 }
502
503
cryptoapi_finish(RSA *rsa)504 static int cryptoapi_finish(RSA *rsa)
505 {
506 cryptoapi_free_data((struct cryptoapi_rsa_data *) rsa->meth->app_data);
507 os_free((void *) rsa->meth);
508 rsa->meth = NULL;
509 return 1;
510 }
511
512
cryptoapi_find_cert(const char *name, DWORD store)513 static const CERT_CONTEXT * cryptoapi_find_cert(const char *name, DWORD store)
514 {
515 HCERTSTORE cs;
516 const CERT_CONTEXT *ret = NULL;
517
518 cs = CertOpenStore((LPCSTR) CERT_STORE_PROV_SYSTEM, 0, 0,
519 store | CERT_STORE_OPEN_EXISTING_FLAG |
520 CERT_STORE_READONLY_FLAG, L"MY");
521 if (cs == NULL) {
522 cryptoapi_error("Failed to open 'My system store'");
523 return NULL;
524 }
525
526 if (strncmp(name, "cert://", 7) == 0) {
527 unsigned short wbuf[255];
528 MultiByteToWideChar(CP_ACP, 0, name + 7, -1, wbuf, 255);
529 ret = CertFindCertificateInStore(cs, X509_ASN_ENCODING |
530 PKCS_7_ASN_ENCODING,
531 0, CERT_FIND_SUBJECT_STR,
532 wbuf, NULL);
533 } else if (strncmp(name, "hash://", 7) == 0) {
534 CRYPT_HASH_BLOB blob;
535 int len;
536 const char *hash = name + 7;
537 unsigned char *buf;
538
539 len = os_strlen(hash) / 2;
540 buf = os_malloc(len);
541 if (buf && hexstr2bin(hash, buf, len) == 0) {
542 blob.cbData = len;
543 blob.pbData = buf;
544 ret = CertFindCertificateInStore(cs,
545 X509_ASN_ENCODING |
546 PKCS_7_ASN_ENCODING,
547 0, CERT_FIND_HASH,
548 &blob, NULL);
549 }
550 os_free(buf);
551 }
552
553 CertCloseStore(cs, 0);
554
555 return ret;
556 }
557
558
tls_cryptoapi_cert(SSL *ssl, const char *name)559 static int tls_cryptoapi_cert(SSL *ssl, const char *name)
560 {
561 X509 *cert = NULL;
562 RSA *rsa = NULL, *pub_rsa;
563 struct cryptoapi_rsa_data *priv;
564 RSA_METHOD *rsa_meth;
565
566 if (name == NULL ||
567 (strncmp(name, "cert://", 7) != 0 &&
568 strncmp(name, "hash://", 7) != 0))
569 return -1;
570
571 priv = os_zalloc(sizeof(*priv));
572 rsa_meth = os_zalloc(sizeof(*rsa_meth));
573 if (priv == NULL || rsa_meth == NULL) {
574 wpa_printf(MSG_WARNING, "CryptoAPI: Failed to allocate memory "
575 "for CryptoAPI RSA method");
576 os_free(priv);
577 os_free(rsa_meth);
578 return -1;
579 }
580
581 priv->cert = cryptoapi_find_cert(name, CERT_SYSTEM_STORE_CURRENT_USER);
582 if (priv->cert == NULL) {
583 priv->cert = cryptoapi_find_cert(
584 name, CERT_SYSTEM_STORE_LOCAL_MACHINE);
585 }
586 if (priv->cert == NULL) {
587 wpa_printf(MSG_INFO, "CryptoAPI: Could not find certificate "
588 "'%s'", name);
589 goto err;
590 }
591
592 cert = d2i_X509(NULL,
593 (const unsigned char **) &priv->cert->pbCertEncoded,
594 priv->cert->cbCertEncoded);
595 if (cert == NULL) {
596 wpa_printf(MSG_INFO, "CryptoAPI: Could not process X509 DER "
597 "encoding");
598 goto err;
599 }
600
601 if (!CryptAcquireCertificatePrivateKey(priv->cert,
602 CRYPT_ACQUIRE_COMPARE_KEY_FLAG,
603 NULL, &priv->crypt_prov,
604 &priv->key_spec,
605 &priv->free_crypt_prov)) {
606 cryptoapi_error("Failed to acquire a private key for the "
607 "certificate");
608 goto err;
609 }
610
611 rsa_meth->name = "Microsoft CryptoAPI RSA Method";
612 rsa_meth->rsa_pub_enc = cryptoapi_rsa_pub_enc;
613 rsa_meth->rsa_pub_dec = cryptoapi_rsa_pub_dec;
614 rsa_meth->rsa_priv_enc = cryptoapi_rsa_priv_enc;
615 rsa_meth->rsa_priv_dec = cryptoapi_rsa_priv_dec;
616 rsa_meth->finish = cryptoapi_finish;
617 rsa_meth->flags = RSA_METHOD_FLAG_NO_CHECK;
618 rsa_meth->app_data = (char *) priv;
619
620 rsa = RSA_new();
621 if (rsa == NULL) {
622 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE,
623 ERR_R_MALLOC_FAILURE);
624 goto err;
625 }
626
627 if (!SSL_use_certificate(ssl, cert)) {
628 RSA_free(rsa);
629 rsa = NULL;
630 goto err;
631 }
632 pub_rsa = cert->cert_info->key->pkey->pkey.rsa;
633 X509_free(cert);
634 cert = NULL;
635
636 rsa->n = BN_dup(pub_rsa->n);
637 rsa->e = BN_dup(pub_rsa->e);
638 if (!RSA_set_method(rsa, rsa_meth))
639 goto err;
640
641 if (!SSL_use_RSAPrivateKey(ssl, rsa))
642 goto err;
643 RSA_free(rsa);
644
645 return 0;
646
647 err:
648 if (cert)
649 X509_free(cert);
650 if (rsa)
651 RSA_free(rsa);
652 else {
653 os_free(rsa_meth);
654 cryptoapi_free_data(priv);
655 }
656 return -1;
657 }
658
659
tls_cryptoapi_ca_cert(SSL_CTX *ssl_ctx, SSL *ssl, const char *name)660 static int tls_cryptoapi_ca_cert(SSL_CTX *ssl_ctx, SSL *ssl, const char *name)
661 {
662 HCERTSTORE cs;
663 PCCERT_CONTEXT ctx = NULL;
664 X509 *cert;
665 char buf[128];
666 const char *store;
667 #ifdef UNICODE
668 WCHAR *wstore;
669 #endif /* UNICODE */
670
671 if (name == NULL || strncmp(name, "cert_store://", 13) != 0)
672 return -1;
673
674 store = name + 13;
675 #ifdef UNICODE
676 wstore = os_malloc((os_strlen(store) + 1) * sizeof(WCHAR));
677 if (wstore == NULL)
678 return -1;
679 wsprintf(wstore, L"%S", store);
680 cs = CertOpenSystemStore(0, wstore);
681 os_free(wstore);
682 #else /* UNICODE */
683 cs = CertOpenSystemStore(0, store);
684 #endif /* UNICODE */
685 if (cs == NULL) {
686 wpa_printf(MSG_DEBUG, "%s: failed to open system cert store "
687 "'%s': error=%d", __func__, store,
688 (int) GetLastError());
689 return -1;
690 }
691
692 while ((ctx = CertEnumCertificatesInStore(cs, ctx))) {
693 cert = d2i_X509(NULL,
694 (const unsigned char **) &ctx->pbCertEncoded,
695 ctx->cbCertEncoded);
696 if (cert == NULL) {
697 wpa_printf(MSG_INFO, "CryptoAPI: Could not process "
698 "X509 DER encoding for CA cert");
699 continue;
700 }
701
702 X509_NAME_oneline(X509_get_subject_name(cert), buf,
703 sizeof(buf));
704 wpa_printf(MSG_DEBUG, "OpenSSL: Loaded CA certificate for "
705 "system certificate store: subject='%s'", buf);
706
707 if (!X509_STORE_add_cert(SSL_CTX_get_cert_store(ssl_ctx),
708 cert)) {
709 tls_show_errors(MSG_WARNING, __func__,
710 "Failed to add ca_cert to OpenSSL "
711 "certificate store");
712 }
713
714 X509_free(cert);
715 }
716
717 if (!CertCloseStore(cs, 0)) {
718 wpa_printf(MSG_DEBUG, "%s: failed to close system cert store "
719 "'%s': error=%d", __func__, name + 13,
720 (int) GetLastError());
721 }
722
723 return 0;
724 }
725
726
727 #else /* CONFIG_NATIVE_WINDOWS */
728
tls_cryptoapi_cert(SSL *ssl, const char *name)729 static int tls_cryptoapi_cert(SSL *ssl, const char *name)
730 {
731 return -1;
732 }
733
734 #endif /* CONFIG_NATIVE_WINDOWS */
735
736
ssl_info_cb(const SSL *ssl, int where, int ret)737 static void ssl_info_cb(const SSL *ssl, int where, int ret)
738 {
739 const char *str;
740 int w;
741
742 wpa_printf(MSG_EXCESSIVE, "SSL: (where=0x%x ret=0x%x)", where, ret);
743 w = where & ~SSL_ST_MASK;
744 if (w & SSL_ST_CONNECT)
745 str = "SSL_connect";
746 else if (w & SSL_ST_ACCEPT)
747 str = "SSL_accept";
748 else
749 str = "undefined";
750
751 if (where & SSL_CB_LOOP) {
752 wpa_printf(MSG_DEBUG, "SSL: %s:%s",
753 str, SSL_state_string_long(ssl));
754 } else if (where & SSL_CB_ALERT) {
755 struct tls_connection *conn = SSL_get_app_data((SSL *) ssl);
756 wpa_printf(MSG_INFO, "SSL: SSL3 alert: %s:%s:%s",
757 where & SSL_CB_READ ?
758 "read (remote end reported an error)" :
759 "write (local SSL3 detected an error)",
760 SSL_alert_type_string_long(ret),
761 SSL_alert_desc_string_long(ret));
762 if ((ret >> 8) == SSL3_AL_FATAL) {
763 if (where & SSL_CB_READ)
764 conn->read_alerts++;
765 else
766 conn->write_alerts++;
767 }
768 if (conn->context->event_cb != NULL) {
769 union tls_event_data ev;
770 struct tls_context *context = conn->context;
771 os_memset(&ev, 0, sizeof(ev));
772 ev.alert.is_local = !(where & SSL_CB_READ);
773 ev.alert.type = SSL_alert_type_string_long(ret);
774 ev.alert.description = SSL_alert_desc_string_long(ret);
775 context->event_cb(context->cb_ctx, TLS_ALERT, &ev);
776 }
777 } else if (where & SSL_CB_EXIT && ret <= 0) {
778 wpa_printf(MSG_DEBUG, "SSL: %s:%s in %s",
779 str, ret == 0 ? "failed" : "error",
780 SSL_state_string_long(ssl));
781 }
782 }
783
784
785 #ifndef OPENSSL_NO_ENGINE
786 /**
787 * tls_engine_load_dynamic_generic - load any openssl engine
788 * @pre: an array of commands and values that load an engine initialized
789 * in the engine specific function
790 * @post: an array of commands and values that initialize an already loaded
791 * engine (or %NULL if not required)
792 * @id: the engine id of the engine to load (only required if post is not %NULL
793 *
794 * This function is a generic function that loads any openssl engine.
795 *
796 * Returns: 0 on success, -1 on failure
797 */
tls_engine_load_dynamic_generic(const char *pre[], const char *post[], const char *id)798 static int tls_engine_load_dynamic_generic(const char *pre[],
799 const char *post[], const char *id)
800 {
801 ENGINE *engine;
802 const char *dynamic_id = "dynamic";
803
804 engine = ENGINE_by_id(id);
805 if (engine) {
806 wpa_printf(MSG_DEBUG, "ENGINE: engine '%s' is already "
807 "available", id);
808 /*
809 * If it was auto-loaded by ENGINE_by_id() we might still
810 * need to tell it which PKCS#11 module to use in legacy
811 * (non-p11-kit) environments. Do so now; even if it was
812 * properly initialised before, setting it again will be
813 * harmless.
814 */
815 goto found;
816 }
817 ERR_clear_error();
818
819 engine = ENGINE_by_id(dynamic_id);
820 if (engine == NULL) {
821 wpa_printf(MSG_INFO, "ENGINE: Can't find engine %s [%s]",
822 dynamic_id,
823 ERR_error_string(ERR_get_error(), NULL));
824 return -1;
825 }
826
827 /* Perform the pre commands. This will load the engine. */
828 while (pre && pre[0]) {
829 wpa_printf(MSG_DEBUG, "ENGINE: '%s' '%s'", pre[0], pre[1]);
830 if (ENGINE_ctrl_cmd_string(engine, pre[0], pre[1], 0) == 0) {
831 wpa_printf(MSG_INFO, "ENGINE: ctrl cmd_string failed: "
832 "%s %s [%s]", pre[0], pre[1],
833 ERR_error_string(ERR_get_error(), NULL));
834 ENGINE_free(engine);
835 return -1;
836 }
837 pre += 2;
838 }
839
840 /*
841 * Free the reference to the "dynamic" engine. The loaded engine can
842 * now be looked up using ENGINE_by_id().
843 */
844 ENGINE_free(engine);
845
846 engine = ENGINE_by_id(id);
847 if (engine == NULL) {
848 wpa_printf(MSG_INFO, "ENGINE: Can't find engine %s [%s]",
849 id, ERR_error_string(ERR_get_error(), NULL));
850 return -1;
851 }
852 found:
853 while (post && post[0]) {
854 wpa_printf(MSG_DEBUG, "ENGINE: '%s' '%s'", post[0], post[1]);
855 if (ENGINE_ctrl_cmd_string(engine, post[0], post[1], 0) == 0) {
856 wpa_printf(MSG_DEBUG, "ENGINE: ctrl cmd_string failed:"
857 " %s %s [%s]", post[0], post[1],
858 ERR_error_string(ERR_get_error(), NULL));
859 ENGINE_remove(engine);
860 ENGINE_free(engine);
861 return -1;
862 }
863 post += 2;
864 }
865 ENGINE_free(engine);
866
867 return 0;
868 }
869
870
871 /**
872 * tls_engine_load_dynamic_pkcs11 - load the pkcs11 engine provided by opensc
873 * @pkcs11_so_path: pksc11_so_path from the configuration
874 * @pcks11_module_path: pkcs11_module_path from the configuration
875 */
tls_engine_load_dynamic_pkcs11(const char *pkcs11_so_path, const char *pkcs11_module_path)876 static int tls_engine_load_dynamic_pkcs11(const char *pkcs11_so_path,
877 const char *pkcs11_module_path)
878 {
879 char *engine_id = "pkcs11";
880 const char *pre_cmd[] = {
881 "SO_PATH", NULL /* pkcs11_so_path */,
882 "ID", NULL /* engine_id */,
883 "LIST_ADD", "1",
884 /* "NO_VCHECK", "1", */
885 "LOAD", NULL,
886 NULL, NULL
887 };
888 const char *post_cmd[] = {
889 "MODULE_PATH", NULL /* pkcs11_module_path */,
890 NULL, NULL
891 };
892
893 if (!pkcs11_so_path)
894 return 0;
895
896 pre_cmd[1] = pkcs11_so_path;
897 pre_cmd[3] = engine_id;
898 if (pkcs11_module_path)
899 post_cmd[1] = pkcs11_module_path;
900 else
901 post_cmd[0] = NULL;
902
903 wpa_printf(MSG_DEBUG, "ENGINE: Loading pkcs11 Engine from %s",
904 pkcs11_so_path);
905
906 return tls_engine_load_dynamic_generic(pre_cmd, post_cmd, engine_id);
907 }
908
909
910 /**
911 * tls_engine_load_dynamic_opensc - load the opensc engine provided by opensc
912 * @opensc_so_path: opensc_so_path from the configuration
913 */
tls_engine_load_dynamic_opensc(const char *opensc_so_path)914 static int tls_engine_load_dynamic_opensc(const char *opensc_so_path)
915 {
916 char *engine_id = "opensc";
917 const char *pre_cmd[] = {
918 "SO_PATH", NULL /* opensc_so_path */,
919 "ID", NULL /* engine_id */,
920 "LIST_ADD", "1",
921 "LOAD", NULL,
922 NULL, NULL
923 };
924
925 if (!opensc_so_path)
926 return 0;
927
928 pre_cmd[1] = opensc_so_path;
929 pre_cmd[3] = engine_id;
930
931 wpa_printf(MSG_DEBUG, "ENGINE: Loading OpenSC Engine from %s",
932 opensc_so_path);
933
934 return tls_engine_load_dynamic_generic(pre_cmd, NULL, engine_id);
935 }
936 #endif /* OPENSSL_NO_ENGINE */
937
938
remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)939 static void remove_session_cb(SSL_CTX *ctx, SSL_SESSION *sess)
940 {
941 struct wpabuf *buf;
942
943 if (tls_ex_idx_session < 0)
944 return;
945 buf = SSL_SESSION_get_ex_data(sess, tls_ex_idx_session);
946 if (!buf)
947 return;
948 wpa_printf(MSG_DEBUG,
949 "OpenSSL: Free application session data %p (sess %p)",
950 buf, sess);
951 wpabuf_free(buf);
952
953 SSL_SESSION_set_ex_data(sess, tls_ex_idx_session, NULL);
954 }
955
956
tls_init(const struct tls_config *conf)957 void * tls_init(const struct tls_config *conf)
958 {
959 struct tls_data *data;
960 SSL_CTX *ssl;
961 struct tls_context *context;
962 const char *ciphers;
963 #ifndef OPENSSL_NO_ENGINE
964 #ifdef CONFIG_OPENSC_ENGINE_PATH
965 char const * const opensc_engine_path = CONFIG_OPENSC_ENGINE_PATH;
966 #else /* CONFIG_OPENSC_ENGINE_PATH */
967 char const * const opensc_engine_path =
968 conf ? conf->opensc_engine_path : NULL;
969 #endif /* CONFIG_OPENSC_ENGINE_PATH */
970 #ifdef CONFIG_PKCS11_ENGINE_PATH
971 char const * const pkcs11_engine_path = CONFIG_PKCS11_ENGINE_PATH;
972 #else /* CONFIG_PKCS11_ENGINE_PATH */
973 char const * const pkcs11_engine_path =
974 conf ? conf->pkcs11_engine_path : NULL;
975 #endif /* CONFIG_PKCS11_ENGINE_PATH */
976 #ifdef CONFIG_PKCS11_MODULE_PATH
977 char const * const pkcs11_module_path = CONFIG_PKCS11_MODULE_PATH;
978 #else /* CONFIG_PKCS11_MODULE_PATH */
979 char const * const pkcs11_module_path =
980 conf ? conf->pkcs11_module_path : NULL;
981 #endif /* CONFIG_PKCS11_MODULE_PATH */
982 #endif /* OPENSSL_NO_ENGINE */
983
984 if (tls_openssl_ref_count == 0) {
985 void openssl_load_legacy_provider(void);
986
987 openssl_load_legacy_provider();
988
989 tls_global = context = tls_context_new(conf);
990 if (context == NULL)
991 return NULL;
992 #ifdef CONFIG_FIPS
993 #ifdef OPENSSL_FIPS
994 if (conf && conf->fips_mode) {
995 static int fips_enabled = 0;
996
997 if (!fips_enabled && !FIPS_mode_set(1)) {
998 wpa_printf(MSG_ERROR, "Failed to enable FIPS "
999 "mode");
1000 ERR_load_crypto_strings();
1001 ERR_print_errors_fp(stderr);
1002 os_free(tls_global);
1003 tls_global = NULL;
1004 return NULL;
1005 } else {
1006 wpa_printf(MSG_INFO, "Running in FIPS mode");
1007 fips_enabled = 1;
1008 }
1009 }
1010 #else /* OPENSSL_FIPS */
1011 if (conf && conf->fips_mode) {
1012 wpa_printf(MSG_ERROR, "FIPS mode requested, but not "
1013 "supported");
1014 os_free(tls_global);
1015 tls_global = NULL;
1016 return NULL;
1017 }
1018 #endif /* OPENSSL_FIPS */
1019 #endif /* CONFIG_FIPS */
1020 #if OPENSSL_VERSION_NUMBER < 0x10100000L || \
1021 (defined(LIBRESSL_VERSION_NUMBER) && \
1022 LIBRESSL_VERSION_NUMBER < 0x20700000L)
1023 SSL_load_error_strings();
1024 SSL_library_init();
1025 #ifndef OPENSSL_NO_SHA256
1026 EVP_add_digest(EVP_sha256());
1027 #endif /* OPENSSL_NO_SHA256 */
1028 /* TODO: if /dev/urandom is available, PRNG is seeded
1029 * automatically. If this is not the case, random data should
1030 * be added here. */
1031
1032 #ifdef PKCS12_FUNCS
1033 #ifndef OPENSSL_NO_RC2
1034 /*
1035 * 40-bit RC2 is commonly used in PKCS#12 files, so enable it.
1036 * This is enabled by PKCS12_PBE_add() in OpenSSL 0.9.8
1037 * versions, but it looks like OpenSSL 1.0.0 does not do that
1038 * anymore.
1039 */
1040 EVP_add_cipher(EVP_rc2_40_cbc());
1041 #endif /* OPENSSL_NO_RC2 */
1042 PKCS12_PBE_add();
1043 #endif /* PKCS12_FUNCS */
1044 #endif /* < 1.1.0 */
1045 } else {
1046 context = tls_context_new(conf);
1047 if (context == NULL)
1048 return NULL;
1049 }
1050 tls_openssl_ref_count++;
1051
1052 data = os_zalloc(sizeof(*data));
1053 if (data)
1054 ssl = SSL_CTX_new(SSLv23_method());
1055 else
1056 ssl = NULL;
1057 if (ssl == NULL) {
1058 tls_openssl_ref_count--;
1059 if (context != tls_global)
1060 os_free(context);
1061 if (tls_openssl_ref_count == 0) {
1062 os_free(tls_global);
1063 tls_global = NULL;
1064 }
1065 os_free(data);
1066 return NULL;
1067 }
1068 data->ssl = ssl;
1069 if (conf) {
1070 data->tls_session_lifetime = conf->tls_session_lifetime;
1071 data->crl_reload_interval = conf->crl_reload_interval;
1072 }
1073
1074 SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv2);
1075 SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv3);
1076
1077 SSL_CTX_set_mode(ssl, SSL_MODE_AUTO_RETRY);
1078
1079 #ifdef SSL_MODE_NO_AUTO_CHAIN
1080 /* Number of deployed use cases assume the default OpenSSL behavior of
1081 * auto chaining the local certificate is in use. BoringSSL removed this
1082 * functionality by default, so we need to restore it here to avoid
1083 * breaking existing use cases. */
1084 SSL_CTX_clear_mode(ssl, SSL_MODE_NO_AUTO_CHAIN);
1085 #endif /* SSL_MODE_NO_AUTO_CHAIN */
1086
1087 SSL_CTX_set_info_callback(ssl, ssl_info_cb);
1088 SSL_CTX_set_app_data(ssl, context);
1089 if (data->tls_session_lifetime > 0) {
1090 SSL_CTX_set_quiet_shutdown(ssl, 1);
1091 /*
1092 * Set default context here. In practice, this will be replaced
1093 * by the per-EAP method context in tls_connection_set_verify().
1094 */
1095 SSL_CTX_set_session_id_context(ssl, (u8 *) "hostapd", 7);
1096 SSL_CTX_set_session_cache_mode(ssl, SSL_SESS_CACHE_SERVER);
1097 SSL_CTX_set_timeout(ssl, data->tls_session_lifetime);
1098 SSL_CTX_sess_set_remove_cb(ssl, remove_session_cb);
1099 } else {
1100 SSL_CTX_set_session_cache_mode(ssl, SSL_SESS_CACHE_OFF);
1101 }
1102
1103 if (tls_ex_idx_session < 0) {
1104 tls_ex_idx_session = SSL_SESSION_get_ex_new_index(
1105 0, NULL, NULL, NULL, NULL);
1106 if (tls_ex_idx_session < 0) {
1107 tls_deinit(data);
1108 return NULL;
1109 }
1110 }
1111
1112 #ifndef OPENSSL_NO_ENGINE
1113 wpa_printf(MSG_DEBUG, "ENGINE: Loading builtin engines");
1114 ENGINE_load_builtin_engines();
1115
1116 if (opensc_engine_path || pkcs11_engine_path || pkcs11_module_path) {
1117 if (tls_engine_load_dynamic_opensc(opensc_engine_path) ||
1118 tls_engine_load_dynamic_pkcs11(pkcs11_engine_path,
1119 pkcs11_module_path)) {
1120 tls_deinit(data);
1121 return NULL;
1122 }
1123 }
1124 #endif /* OPENSSL_NO_ENGINE */
1125
1126 if (conf && conf->openssl_ciphers)
1127 ciphers = conf->openssl_ciphers;
1128 else
1129 ciphers = TLS_DEFAULT_CIPHERS;
1130 if (SSL_CTX_set_cipher_list(ssl, ciphers) != 1) {
1131 wpa_printf(MSG_ERROR,
1132 "OpenSSL: Failed to set cipher string '%s'",
1133 ciphers);
1134 tls_deinit(data);
1135 return NULL;
1136 }
1137
1138 return data;
1139 }
1140
1141
tls_deinit(void *ssl_ctx)1142 void tls_deinit(void *ssl_ctx)
1143 {
1144 wpa_printf(MSG_INFO, "Enter tls_deinit");
1145 struct tls_data *data = ssl_ctx;
1146 SSL_CTX *ssl = data->ssl;
1147 struct tls_context *context = SSL_CTX_get_app_data(ssl);
1148 if (context != tls_global && context != NULL) {
1149 os_free(context);
1150 context = NULL;
1151 }
1152 if (data->tls_session_lifetime > 0)
1153 SSL_CTX_flush_sessions(ssl, 0);
1154 os_free(data->ca_cert);
1155 if (ssl) {
1156 SSL_CTX_free(ssl);
1157 ssl = NULL;
1158 }
1159
1160 tls_openssl_ref_count--;
1161 if (tls_openssl_ref_count == 0) {
1162 #if OPENSSL_VERSION_NUMBER < 0x10100000L || \
1163 (defined(LIBRESSL_VERSION_NUMBER) && \
1164 LIBRESSL_VERSION_NUMBER < 0x20700000L)
1165 #ifndef OPENSSL_NO_ENGINE
1166 ENGINE_cleanup();
1167 #endif /* OPENSSL_NO_ENGINE */
1168 CRYPTO_cleanup_all_ex_data();
1169 ERR_remove_thread_state(NULL);
1170 ERR_free_strings();
1171 EVP_cleanup();
1172 #endif /* < 1.1.0 */
1173 os_free(tls_global->ocsp_stapling_response);
1174 tls_global->ocsp_stapling_response = NULL;
1175 os_free(tls_global);
1176 tls_global = NULL;
1177 }
1178
1179 os_free(data->check_cert_subject);
1180 data->check_cert_subject = NULL;
1181 os_free(data);
1182 data = NULL;
1183 wpa_printf(MSG_INFO, "Leave tls_deinit");
1184 }
1185
1186
1187 #ifndef OPENSSL_NO_ENGINE
1188
1189 /* Cryptoki return values */
1190 #define CKR_PIN_INCORRECT 0x000000a0
1191 #define CKR_PIN_INVALID 0x000000a1
1192 #define CKR_PIN_LEN_RANGE 0x000000a2
1193
1194 /* libp11 */
1195 #define ERR_LIB_PKCS11 ERR_LIB_USER
1196
tls_is_pin_error(unsigned int err)1197 static int tls_is_pin_error(unsigned int err)
1198 {
1199 return ERR_GET_LIB(err) == ERR_LIB_PKCS11 &&
1200 (ERR_GET_REASON(err) == CKR_PIN_INCORRECT ||
1201 ERR_GET_REASON(err) == CKR_PIN_INVALID ||
1202 ERR_GET_REASON(err) == CKR_PIN_LEN_RANGE);
1203 }
1204
1205 #endif /* OPENSSL_NO_ENGINE */
1206
1207
1208 #ifdef ANDROID
1209 /* EVP_PKEY_from_keystore comes from system/security/keystore-engine. */
1210 EVP_PKEY * EVP_PKEY_from_keystore(const char *key_id);
1211 #endif /* ANDROID */
1212
tls_engine_init(struct tls_connection *conn, const char *engine_id, const char *pin, const char *key_id, const char *cert_id, const char *ca_cert_id)1213 static int tls_engine_init(struct tls_connection *conn, const char *engine_id,
1214 const char *pin, const char *key_id,
1215 const char *cert_id, const char *ca_cert_id)
1216 {
1217 #if defined(ANDROID) && defined(OPENSSL_IS_BORINGSSL)
1218 #if !defined(OPENSSL_NO_ENGINE)
1219 #error "This code depends on OPENSSL_NO_ENGINE being defined by BoringSSL."
1220 #endif
1221 if (!key_id)
1222 return TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED;
1223 conn->engine = NULL;
1224 conn->private_key = EVP_PKEY_from_keystore(key_id);
1225 if (!conn->private_key) {
1226 wpa_printf(MSG_ERROR,
1227 "ENGINE: cannot load private key with id '%s' [%s]",
1228 key_id,
1229 ERR_error_string(ERR_get_error(), NULL));
1230 return TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED;
1231 }
1232 #endif /* ANDROID && OPENSSL_IS_BORINGSSL */
1233
1234 #ifndef OPENSSL_NO_ENGINE
1235 int ret = -1;
1236 if (engine_id == NULL) {
1237 wpa_printf(MSG_ERROR, "ENGINE: Engine ID not set");
1238 return -1;
1239 }
1240
1241 ERR_clear_error();
1242 #ifdef ANDROID
1243 ENGINE_load_dynamic();
1244 #endif
1245 conn->engine = ENGINE_by_id(engine_id);
1246 if (!conn->engine) {
1247 wpa_printf(MSG_ERROR, "ENGINE: engine %s not available [%s]",
1248 engine_id, ERR_error_string(ERR_get_error(), NULL));
1249 goto err;
1250 }
1251 if (ENGINE_init(conn->engine) != 1) {
1252 wpa_printf(MSG_ERROR, "ENGINE: engine init failed "
1253 "(engine: %s) [%s]", engine_id,
1254 ERR_error_string(ERR_get_error(), NULL));
1255 goto err;
1256 }
1257 wpa_printf(MSG_DEBUG, "ENGINE: engine initialized");
1258
1259 #ifndef ANDROID
1260 if (pin && ENGINE_ctrl_cmd_string(conn->engine, "PIN", pin, 0) == 0) {
1261 wpa_printf(MSG_ERROR, "ENGINE: cannot set pin [%s]",
1262 ERR_error_string(ERR_get_error(), NULL));
1263 goto err;
1264 }
1265 #endif
1266 if (key_id) {
1267 /*
1268 * Ensure that the ENGINE does not attempt to use the OpenSSL
1269 * UI system to obtain a PIN, if we didn't provide one.
1270 */
1271 struct {
1272 const void *password;
1273 const char *prompt_info;
1274 } key_cb = { "", NULL };
1275
1276 /* load private key first in-case PIN is required for cert */
1277 conn->private_key = ENGINE_load_private_key(conn->engine,
1278 key_id, NULL,
1279 &key_cb);
1280 if (!conn->private_key) {
1281 unsigned long err = ERR_get_error();
1282
1283 wpa_printf(MSG_ERROR,
1284 "ENGINE: cannot load private key with id '%s' [%s]",
1285 key_id,
1286 ERR_error_string(err, NULL));
1287 if (tls_is_pin_error(err))
1288 ret = TLS_SET_PARAMS_ENGINE_PRV_BAD_PIN;
1289 else
1290 ret = TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED;
1291 goto err;
1292 }
1293 }
1294
1295 /* handle a certificate and/or CA certificate */
1296 if (cert_id || ca_cert_id) {
1297 const char *cmd_name = "LOAD_CERT_CTRL";
1298
1299 /* test if the engine supports a LOAD_CERT_CTRL */
1300 if (!ENGINE_ctrl(conn->engine, ENGINE_CTRL_GET_CMD_FROM_NAME,
1301 0, (void *)cmd_name, NULL)) {
1302 wpa_printf(MSG_ERROR, "ENGINE: engine does not support"
1303 " loading certificates");
1304 ret = TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED;
1305 goto err;
1306 }
1307 }
1308
1309 return 0;
1310
1311 err:
1312 if (conn->engine) {
1313 ENGINE_free(conn->engine);
1314 conn->engine = NULL;
1315 }
1316
1317 if (conn->private_key) {
1318 EVP_PKEY_free(conn->private_key);
1319 conn->private_key = NULL;
1320 }
1321
1322 return ret;
1323 #else /* OPENSSL_NO_ENGINE */
1324 return 0;
1325 #endif /* OPENSSL_NO_ENGINE */
1326 }
1327
1328
tls_engine_deinit(struct tls_connection *conn)1329 static void tls_engine_deinit(struct tls_connection *conn)
1330 {
1331 #if defined(ANDROID) || !defined(OPENSSL_NO_ENGINE)
1332 wpa_printf(MSG_DEBUG, "ENGINE: engine deinit");
1333 if (conn->private_key) {
1334 EVP_PKEY_free(conn->private_key);
1335 conn->private_key = NULL;
1336 }
1337 if (conn->engine) {
1338 #if !defined(OPENSSL_IS_BORINGSSL)
1339 ENGINE_finish(conn->engine);
1340 #endif /* !OPENSSL_IS_BORINGSSL */
1341 conn->engine = NULL;
1342 }
1343 #endif /* ANDROID || !OPENSSL_NO_ENGINE */
1344 }
1345
1346
tls_get_errors(void *ssl_ctx)1347 int tls_get_errors(void *ssl_ctx)
1348 {
1349 int count = 0;
1350 unsigned long err;
1351
1352 while ((err = ERR_get_error())) {
1353 wpa_printf(MSG_INFO, "TLS - SSL error: %s",
1354 ERR_error_string(err, NULL));
1355 count++;
1356 }
1357
1358 return count;
1359 }
1360
1361
openssl_content_type(int content_type)1362 static const char * openssl_content_type(int content_type)
1363 {
1364 switch (content_type) {
1365 case 20:
1366 return "change cipher spec";
1367 case 21:
1368 return "alert";
1369 case 22:
1370 return "handshake";
1371 case 23:
1372 return "application data";
1373 case 24:
1374 return "heartbeat";
1375 case 256:
1376 return "TLS header info"; /* pseudo content type */
1377 case 257:
1378 return "inner content type"; /* pseudo content type */
1379 default:
1380 return "?";
1381 }
1382 }
1383
1384
openssl_handshake_type(int content_type, const u8 *buf, size_t len)1385 static const char * openssl_handshake_type(int content_type, const u8 *buf,
1386 size_t len)
1387 {
1388 if (content_type == 257 && buf && len == 1)
1389 return openssl_content_type(buf[0]);
1390 if (content_type != 22 || !buf || len == 0)
1391 return "";
1392 switch (buf[0]) {
1393 case 0:
1394 return "hello request";
1395 case 1:
1396 return "client hello";
1397 case 2:
1398 return "server hello";
1399 case 3:
1400 return "hello verify request";
1401 case 4:
1402 return "new session ticket";
1403 case 5:
1404 return "end of early data";
1405 case 6:
1406 return "hello retry request";
1407 case 8:
1408 return "encrypted extensions";
1409 case 11:
1410 return "certificate";
1411 case 12:
1412 return "server key exchange";
1413 case 13:
1414 return "certificate request";
1415 case 14:
1416 return "server hello done";
1417 case 15:
1418 return "certificate verify";
1419 case 16:
1420 return "client key exchange";
1421 case 20:
1422 return "finished";
1423 case 21:
1424 return "certificate url";
1425 case 22:
1426 return "certificate status";
1427 case 23:
1428 return "supplemental data";
1429 case 24:
1430 return "key update";
1431 case 254:
1432 return "message hash";
1433 default:
1434 return "?";
1435 }
1436 }
1437
1438
1439 #ifdef CONFIG_SUITEB
1440
check_server_hello(struct tls_connection *conn, const u8 *pos, const u8 *end)1441 static void check_server_hello(struct tls_connection *conn,
1442 const u8 *pos, const u8 *end)
1443 {
1444 size_t payload_len, id_len;
1445
1446 /*
1447 * Parse ServerHello to get the selected cipher suite since OpenSSL does
1448 * not make it cleanly available during handshake and we need to know
1449 * whether DHE was selected.
1450 */
1451
1452 if (end - pos < 3)
1453 return;
1454 payload_len = WPA_GET_BE24(pos);
1455 pos += 3;
1456
1457 if ((size_t) (end - pos) < payload_len)
1458 return;
1459 end = pos + payload_len;
1460
1461 /* Skip Version and Random */
1462 if (end - pos < 2 + SSL3_RANDOM_SIZE)
1463 return;
1464 pos += 2 + SSL3_RANDOM_SIZE;
1465
1466 /* Skip Session ID */
1467 if (end - pos < 1)
1468 return;
1469 id_len = *pos++;
1470 if ((size_t) (end - pos) < id_len)
1471 return;
1472 pos += id_len;
1473
1474 if (end - pos < 2)
1475 return;
1476 conn->cipher_suite = WPA_GET_BE16(pos);
1477 wpa_printf(MSG_DEBUG, "OpenSSL: Server selected cipher suite 0x%x",
1478 conn->cipher_suite);
1479 }
1480
1481
check_server_key_exchange(SSL *ssl, struct tls_connection *conn, const u8 *pos, const u8 *end)1482 static void check_server_key_exchange(SSL *ssl, struct tls_connection *conn,
1483 const u8 *pos, const u8 *end)
1484 {
1485 size_t payload_len;
1486 u16 dh_len;
1487 BIGNUM *p;
1488 int bits;
1489
1490 if (!(conn->flags & TLS_CONN_SUITEB))
1491 return;
1492
1493 /* DHE is enabled only with DHE-RSA-AES256-GCM-SHA384 */
1494 if (conn->cipher_suite != 0x9f)
1495 return;
1496
1497 if (end - pos < 3)
1498 return;
1499 payload_len = WPA_GET_BE24(pos);
1500 pos += 3;
1501
1502 if ((size_t) (end - pos) < payload_len)
1503 return;
1504 end = pos + payload_len;
1505
1506 if (end - pos < 2)
1507 return;
1508 dh_len = WPA_GET_BE16(pos);
1509 pos += 2;
1510
1511 if ((size_t) (end - pos) < dh_len)
1512 return;
1513 p = BN_bin2bn(pos, dh_len, NULL);
1514 if (!p)
1515 return;
1516
1517 bits = BN_num_bits(p);
1518 BN_free(p);
1519
1520 conn->server_dh_prime_len = bits;
1521 wpa_printf(MSG_DEBUG, "OpenSSL: Server DH prime length: %d bits",
1522 conn->server_dh_prime_len);
1523 }
1524
1525 #endif /* CONFIG_SUITEB */
1526
1527
tls_msg_cb(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg)1528 static void tls_msg_cb(int write_p, int version, int content_type,
1529 const void *buf, size_t len, SSL *ssl, void *arg)
1530 {
1531 struct tls_connection *conn = arg;
1532 const u8 *pos = buf;
1533
1534 if (write_p == 2) {
1535 wpa_printf(MSG_DEBUG,
1536 "OpenSSL: session ver=0x%x content_type=%d",
1537 version, content_type);
1538 wpa_hexdump_key(MSG_MSGDUMP, "OpenSSL: Data", buf, len);
1539 return;
1540 }
1541
1542 wpa_printf(MSG_EXCESSIVE, "OpenSSL: %s ver=0x%x content_type=%d (%s/%s)",
1543 write_p ? "TX" : "RX", version, content_type,
1544 openssl_content_type(content_type),
1545 openssl_handshake_type(content_type, buf, len));
1546 wpa_hexdump_key(MSG_MSGDUMP, "OpenSSL: Message", buf, len);
1547 if (content_type == 24 && len >= 3 && pos[0] == 1) {
1548 size_t payload_len = WPA_GET_BE16(pos + 1);
1549 if (payload_len + 3 > len) {
1550 wpa_printf(MSG_ERROR, "OpenSSL: Heartbeat attack detected");
1551 conn->invalid_hb_used = 1;
1552 }
1553 }
1554
1555 #ifdef CONFIG_SUITEB
1556 /*
1557 * Need to parse these handshake messages to be able to check DH prime
1558 * length since OpenSSL does not expose the new cipher suite and DH
1559 * parameters during handshake (e.g., for cert_cb() callback).
1560 */
1561 if (content_type == 22 && pos && len > 0 && pos[0] == 2)
1562 check_server_hello(conn, pos + 1, pos + len);
1563 if (content_type == 22 && pos && len > 0 && pos[0] == 12)
1564 check_server_key_exchange(ssl, conn, pos + 1, pos + len);
1565 #endif /* CONFIG_SUITEB */
1566 }
1567
1568
tls_connection_init(void *ssl_ctx)1569 struct tls_connection * tls_connection_init(void *ssl_ctx)
1570 {
1571 struct tls_data *data = ssl_ctx;
1572 SSL_CTX *ssl = data->ssl;
1573 struct tls_connection *conn;
1574 long options;
1575 X509_STORE *new_cert_store;
1576 struct os_reltime now;
1577 struct tls_context *context = SSL_CTX_get_app_data(ssl);
1578
1579 /* Replace X509 store if it is time to update CRL. */
1580 if (data->crl_reload_interval > 0 && os_get_reltime(&now) == 0 &&
1581 os_reltime_expired(&now, &data->crl_last_reload,
1582 data->crl_reload_interval)) {
1583 wpa_printf(MSG_INFO,
1584 "OpenSSL: Flushing X509 store with ca_cert file");
1585 new_cert_store = tls_crl_cert_reload(data->ca_cert,
1586 data->check_crl);
1587 if (!new_cert_store) {
1588 wpa_printf(MSG_ERROR,
1589 "OpenSSL: Error replacing X509 store with ca_cert file");
1590 } else {
1591 /* Replace old store */
1592 SSL_CTX_set_cert_store(ssl, new_cert_store);
1593 data->crl_last_reload = now;
1594 }
1595 }
1596
1597 conn = os_zalloc(sizeof(*conn));
1598 if (conn == NULL)
1599 return NULL;
1600 conn->data = data;
1601 conn->ssl_ctx = ssl;
1602 conn->ssl = SSL_new(ssl);
1603 if (conn->ssl == NULL) {
1604 tls_show_errors(MSG_INFO, __func__,
1605 "Failed to initialize new SSL connection");
1606 os_free(conn);
1607 return NULL;
1608 }
1609
1610 conn->context = context;
1611 SSL_set_app_data(conn->ssl, conn);
1612 SSL_set_msg_callback(conn->ssl, tls_msg_cb);
1613 SSL_set_msg_callback_arg(conn->ssl, conn);
1614 options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
1615 SSL_OP_SINGLE_DH_USE;
1616 #ifdef SSL_OP_NO_COMPRESSION
1617 options |= SSL_OP_NO_COMPRESSION;
1618 #endif /* SSL_OP_NO_COMPRESSION */
1619 SSL_set_options(conn->ssl, options);
1620 #ifdef SSL_OP_ENABLE_MIDDLEBOX_COMPAT
1621 /* Hopefully there is no need for middlebox compatibility mechanisms
1622 * when going through EAP authentication. */
1623 SSL_clear_options(conn->ssl, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
1624 #endif
1625
1626 conn->ssl_in = BIO_new(BIO_s_mem());
1627 if (!conn->ssl_in) {
1628 tls_show_errors(MSG_INFO, __func__,
1629 "Failed to create a new BIO for ssl_in");
1630 SSL_free(conn->ssl);
1631 os_free(conn);
1632 return NULL;
1633 }
1634
1635 conn->ssl_out = BIO_new(BIO_s_mem());
1636 if (!conn->ssl_out) {
1637 tls_show_errors(MSG_INFO, __func__,
1638 "Failed to create a new BIO for ssl_out");
1639 SSL_free(conn->ssl);
1640 BIO_free(conn->ssl_in);
1641 os_free(conn);
1642 return NULL;
1643 }
1644
1645 SSL_set_bio(conn->ssl, conn->ssl_in, conn->ssl_out);
1646
1647 return conn;
1648 }
1649
1650
tls_connection_deinit(void *ssl_ctx, struct tls_connection *conn)1651 void tls_connection_deinit(void *ssl_ctx, struct tls_connection *conn)
1652 {
1653 if (conn == NULL)
1654 return;
1655 if (conn->success_data) {
1656 /*
1657 * Make sure ssl_clear_bad_session() does not remove this
1658 * session.
1659 */
1660 SSL_set_quiet_shutdown(conn->ssl, 1);
1661 SSL_shutdown(conn->ssl);
1662 }
1663 SSL_free(conn->ssl);
1664 tls_engine_deinit(conn);
1665 os_free(conn->subject_match);
1666 os_free(conn->altsubject_match);
1667 os_free(conn->suffix_match);
1668 os_free(conn->domain_match);
1669 os_free(conn->check_cert_subject);
1670 os_free(conn->session_ticket);
1671 os_free(conn->peer_subject);
1672 os_free(conn);
1673 }
1674
1675
tls_connection_established(void *ssl_ctx, struct tls_connection *conn)1676 int tls_connection_established(void *ssl_ctx, struct tls_connection *conn)
1677 {
1678 return conn ? SSL_is_init_finished(conn->ssl) : 0;
1679 }
1680
1681
tls_connection_peer_serial_num(void *tls_ctx, struct tls_connection *conn)1682 char * tls_connection_peer_serial_num(void *tls_ctx,
1683 struct tls_connection *conn)
1684 {
1685 ASN1_INTEGER *ser;
1686 char *serial_num;
1687 size_t len;
1688
1689 if (!conn->peer_cert)
1690 return NULL;
1691
1692 ser = X509_get_serialNumber(conn->peer_cert);
1693 if (!ser)
1694 return NULL;
1695
1696 len = ASN1_STRING_length(ser) * 2 + 1;
1697 serial_num = os_malloc(len);
1698 if (!serial_num)
1699 return NULL;
1700 wpa_snprintf_hex_uppercase(serial_num, len,
1701 ASN1_STRING_get0_data(ser),
1702 ASN1_STRING_length(ser));
1703 return serial_num;
1704 }
1705
1706
tls_connection_shutdown(void *ssl_ctx, struct tls_connection *conn)1707 int tls_connection_shutdown(void *ssl_ctx, struct tls_connection *conn)
1708 {
1709 if (conn == NULL)
1710 return -1;
1711
1712 /* Shutdown previous TLS connection without notifying the peer
1713 * because the connection was already terminated in practice
1714 * and "close notify" shutdown alert would confuse AS. */
1715 SSL_set_quiet_shutdown(conn->ssl, 1);
1716 SSL_shutdown(conn->ssl);
1717 return SSL_clear(conn->ssl) == 1 ? 0 : -1;
1718 }
1719
1720
tls_match_altsubject_component(X509 *cert, int type, const char *value, size_t len)1721 static int tls_match_altsubject_component(X509 *cert, int type,
1722 const char *value, size_t len)
1723 {
1724 GENERAL_NAME *gen;
1725 void *ext;
1726 int found = 0;
1727 stack_index_t i;
1728
1729 ext = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
1730
1731 for (i = 0; ext && i < sk_GENERAL_NAME_num(ext); i++) {
1732 gen = sk_GENERAL_NAME_value(ext, i);
1733 if (gen->type != type)
1734 continue;
1735 if (os_strlen((char *) gen->d.ia5->data) == len &&
1736 os_memcmp(value, gen->d.ia5->data, len) == 0)
1737 found++;
1738 }
1739
1740 sk_GENERAL_NAME_pop_free(ext, GENERAL_NAME_free);
1741
1742 return found;
1743 }
1744
1745
tls_match_altsubject(X509 *cert, const char *match)1746 static int tls_match_altsubject(X509 *cert, const char *match)
1747 {
1748 int type;
1749 const char *pos, *end;
1750 size_t len;
1751
1752 pos = match;
1753 do {
1754 if (os_strncmp(pos, "EMAIL:", 6) == 0) {
1755 type = GEN_EMAIL;
1756 pos += 6;
1757 } else if (os_strncmp(pos, "DNS:", 4) == 0) {
1758 type = GEN_DNS;
1759 pos += 4;
1760 } else if (os_strncmp(pos, "URI:", 4) == 0) {
1761 type = GEN_URI;
1762 pos += 4;
1763 } else {
1764 wpa_printf(MSG_INFO, "TLS: Invalid altSubjectName "
1765 "match '%s'", pos);
1766 return 0;
1767 }
1768 end = os_strchr(pos, ';');
1769 while (end) {
1770 if (os_strncmp(end + 1, "EMAIL:", 6) == 0 ||
1771 os_strncmp(end + 1, "DNS:", 4) == 0 ||
1772 os_strncmp(end + 1, "URI:", 4) == 0)
1773 break;
1774 end = os_strchr(end + 1, ';');
1775 }
1776 if (end)
1777 len = end - pos;
1778 else
1779 len = os_strlen(pos);
1780 if (tls_match_altsubject_component(cert, type, pos, len) > 0)
1781 return 1;
1782 pos = end + 1;
1783 } while (end);
1784
1785 return 0;
1786 }
1787
1788
1789 #ifndef CONFIG_NATIVE_WINDOWS
domain_suffix_match(const u8 *val, size_t len, const char *match, size_t match_len, int full)1790 static int domain_suffix_match(const u8 *val, size_t len, const char *match,
1791 size_t match_len, int full)
1792 {
1793 size_t i;
1794
1795 /* Check for embedded nuls that could mess up suffix matching */
1796 for (i = 0; i < len; i++) {
1797 if (val[i] == '\0') {
1798 wpa_printf(MSG_DEBUG, "TLS: Embedded null in a string - reject");
1799 return 0;
1800 }
1801 }
1802
1803 if (match_len > len || (full && match_len != len))
1804 return 0;
1805
1806 if (os_strncasecmp((const char *) val + len - match_len, match,
1807 match_len) != 0)
1808 return 0; /* no match */
1809
1810 if (match_len == len)
1811 return 1; /* exact match */
1812
1813 if (val[len - match_len - 1] == '.')
1814 return 1; /* full label match completes suffix match */
1815
1816 wpa_printf(MSG_DEBUG, "TLS: Reject due to incomplete label match");
1817 return 0;
1818 }
1819 #endif /* CONFIG_NATIVE_WINDOWS */
1820
1821
1822 struct tls_dn_field_order_cnt {
1823 u8 cn;
1824 u8 c;
1825 u8 l;
1826 u8 st;
1827 u8 o;
1828 u8 ou;
1829 u8 email;
1830 };
1831
1832
get_dn_field_index(const struct tls_dn_field_order_cnt *dn_cnt, int nid)1833 static int get_dn_field_index(const struct tls_dn_field_order_cnt *dn_cnt,
1834 int nid)
1835 {
1836 switch (nid) {
1837 case NID_commonName:
1838 return dn_cnt->cn;
1839 case NID_countryName:
1840 return dn_cnt->c;
1841 case NID_localityName:
1842 return dn_cnt->l;
1843 case NID_stateOrProvinceName:
1844 return dn_cnt->st;
1845 case NID_organizationName:
1846 return dn_cnt->o;
1847 case NID_organizationalUnitName:
1848 return dn_cnt->ou;
1849 case NID_pkcs9_emailAddress:
1850 return dn_cnt->email;
1851 default:
1852 wpa_printf(MSG_ERROR,
1853 "TLS: Unknown NID '%d' in check_cert_subject",
1854 nid);
1855 return -1;
1856 }
1857 }
1858
1859
1860 /**
1861 * match_dn_field - Match configuration DN field against Certificate DN field
1862 * @cert: Certificate
1863 * @nid: NID of DN field
1864 * @field: Field name
1865 * @value DN field value which is passed from configuration
1866 * e.g., if configuration have C=US and this argument will point to US.
1867 * @dn_cnt: DN matching context
1868 * Returns: 1 on success and 0 on failure
1869 */
match_dn_field(const X509 *cert, int nid, const char *field, const char *value, const struct tls_dn_field_order_cnt *dn_cnt)1870 static int match_dn_field(const X509 *cert, int nid, const char *field,
1871 const char *value,
1872 const struct tls_dn_field_order_cnt *dn_cnt)
1873 {
1874 int i, ret = 0, len, config_dn_field_index, match_index = 0;
1875 X509_NAME *name;
1876
1877 len = os_strlen(value);
1878 name = X509_get_subject_name((X509 *) cert);
1879
1880 /* Assign incremented cnt for every field of DN to check DN field in
1881 * right order */
1882 config_dn_field_index = get_dn_field_index(dn_cnt, nid);
1883 if (config_dn_field_index < 0)
1884 return 0;
1885
1886 /* Fetch value based on NID */
1887 for (i = -1; (i = X509_NAME_get_index_by_NID(name, nid, i)) > -1;) {
1888 X509_NAME_ENTRY *e;
1889 ASN1_STRING *cn;
1890
1891 e = X509_NAME_get_entry(name, i);
1892 if (!e)
1893 continue;
1894
1895 cn = X509_NAME_ENTRY_get_data(e);
1896 if (!cn)
1897 continue;
1898
1899 match_index++;
1900
1901 /* check for more than one DN field with same name */
1902 if (match_index != config_dn_field_index)
1903 continue;
1904
1905 /* Check wildcard at the right end side */
1906 /* E.g., if OU=develop* mentioned in configuration, allow 'OU'
1907 * of the subject in the client certificate to start with
1908 * 'develop' */
1909 if (len > 0 && value[len - 1] == '*') {
1910 /* Compare actual certificate DN field value with
1911 * configuration DN field value up to the specified
1912 * length. */
1913 ret = ASN1_STRING_length(cn) >= len - 1 &&
1914 os_memcmp(ASN1_STRING_get0_data(cn), value,
1915 len - 1) == 0;
1916 } else {
1917 /* Compare actual certificate DN field value with
1918 * configuration DN field value */
1919 ret = ASN1_STRING_length(cn) == len &&
1920 os_memcmp(ASN1_STRING_get0_data(cn), value,
1921 len) == 0;
1922 }
1923 if (!ret) {
1924 wpa_printf(MSG_ERROR,
1925 "OpenSSL: Failed to match %s '%s' with certificate DN field value '%s'",
1926 field, value, ASN1_STRING_get0_data(cn));
1927 }
1928 break;
1929 }
1930
1931 return ret;
1932 }
1933
1934
1935 /**
1936 * get_value_from_field - Get value from DN field
1937 * @cert: Certificate
1938 * @field_str: DN field string which is passed from configuration file (e.g.,
1939 * C=US)
1940 * @dn_cnt: DN matching context
1941 * Returns: 1 on success and 0 on failure
1942 */
get_value_from_field(const X509 *cert, char *field_str, struct tls_dn_field_order_cnt *dn_cnt)1943 static int get_value_from_field(const X509 *cert, char *field_str,
1944 struct tls_dn_field_order_cnt *dn_cnt)
1945 {
1946 int nid;
1947 char *context = NULL, *name, *value;
1948
1949 if (os_strcmp(field_str, "*") == 0)
1950 return 1; /* wildcard matches everything */
1951
1952 name = str_token(field_str, "=", &context);
1953 if (!name)
1954 return 0;
1955
1956 /* Compare all configured DN fields and assign nid based on that to
1957 * fetch correct value from certificate subject */
1958 if (os_strcmp(name, "CN") == 0) {
1959 nid = NID_commonName;
1960 dn_cnt->cn++;
1961 } else if(os_strcmp(name, "C") == 0) {
1962 nid = NID_countryName;
1963 dn_cnt->c++;
1964 } else if (os_strcmp(name, "L") == 0) {
1965 nid = NID_localityName;
1966 dn_cnt->l++;
1967 } else if (os_strcmp(name, "ST") == 0) {
1968 nid = NID_stateOrProvinceName;
1969 dn_cnt->st++;
1970 } else if (os_strcmp(name, "O") == 0) {
1971 nid = NID_organizationName;
1972 dn_cnt->o++;
1973 } else if (os_strcmp(name, "OU") == 0) {
1974 nid = NID_organizationalUnitName;
1975 dn_cnt->ou++;
1976 } else if (os_strcmp(name, "emailAddress") == 0) {
1977 nid = NID_pkcs9_emailAddress;
1978 dn_cnt->email++;
1979 } else {
1980 wpa_printf(MSG_ERROR,
1981 "TLS: Unknown field '%s' in check_cert_subject", name);
1982 return 0;
1983 }
1984
1985 value = str_token(field_str, "=", &context);
1986 if (!value) {
1987 wpa_printf(MSG_ERROR,
1988 "TLS: Distinguished Name field '%s' value is not defined in check_cert_subject",
1989 name);
1990 return 0;
1991 }
1992
1993 return match_dn_field(cert, nid, name, value, dn_cnt);
1994 }
1995
1996
1997 /**
1998 * tls_match_dn_field - Match subject DN field with check_cert_subject
1999 * @cert: Certificate
2000 * @match: check_cert_subject string
2001 * Returns: Return 1 on success and 0 on failure
2002 */
tls_match_dn_field(X509 *cert, const char *match)2003 static int tls_match_dn_field(X509 *cert, const char *match)
2004 {
2005 const char *token, *last = NULL;
2006 char field[256];
2007 struct tls_dn_field_order_cnt dn_cnt;
2008
2009 os_memset(&dn_cnt, 0, sizeof(dn_cnt));
2010
2011 /* Maximum length of each DN field is 255 characters */
2012
2013 /* Process each '/' delimited field */
2014 while ((token = cstr_token(match, "/", &last))) {
2015 if (last - token >= (int) sizeof(field)) {
2016 wpa_printf(MSG_ERROR,
2017 "OpenSSL: Too long DN matching field value in '%s'",
2018 match);
2019 return 0;
2020 }
2021 os_memcpy(field, token, last - token);
2022 field[last - token] = '\0';
2023
2024 if (!get_value_from_field(cert, field, &dn_cnt)) {
2025 wpa_printf(MSG_DEBUG, "OpenSSL: No match for DN '%s'",
2026 field);
2027 return 0;
2028 }
2029 }
2030
2031 return 1;
2032 }
2033
2034
2035 #ifndef CONFIG_NATIVE_WINDOWS
tls_match_suffix_helper(X509 *cert, const char *match, size_t match_len, int full)2036 static int tls_match_suffix_helper(X509 *cert, const char *match,
2037 size_t match_len, int full)
2038 {
2039 GENERAL_NAME *gen;
2040 void *ext;
2041 int i;
2042 stack_index_t j;
2043 int dns_name = 0;
2044 X509_NAME *name;
2045
2046 wpa_printf(MSG_DEBUG, "TLS: Match domain against %s%s",
2047 full ? "": "suffix ", match);
2048
2049 ext = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
2050
2051 for (j = 0; ext && j < sk_GENERAL_NAME_num(ext); j++) {
2052 gen = sk_GENERAL_NAME_value(ext, j);
2053 if (gen->type != GEN_DNS)
2054 continue;
2055 dns_name++;
2056 wpa_hexdump_ascii(MSG_DEBUG, "TLS: Certificate dNSName",
2057 gen->d.dNSName->data,
2058 gen->d.dNSName->length);
2059 if (domain_suffix_match(gen->d.dNSName->data,
2060 gen->d.dNSName->length,
2061 match, match_len, full) == 1) {
2062 wpa_printf(MSG_DEBUG, "TLS: %s in dNSName found",
2063 full ? "Match" : "Suffix match");
2064 sk_GENERAL_NAME_pop_free(ext, GENERAL_NAME_free);
2065 return 1;
2066 }
2067 }
2068 sk_GENERAL_NAME_pop_free(ext, GENERAL_NAME_free);
2069
2070 if (dns_name) {
2071 wpa_printf(MSG_DEBUG, "TLS: None of the dNSName(s) matched");
2072 return 0;
2073 }
2074
2075 name = X509_get_subject_name(cert);
2076 i = -1;
2077 for (;;) {
2078 X509_NAME_ENTRY *e;
2079 ASN1_STRING *cn;
2080
2081 i = X509_NAME_get_index_by_NID(name, NID_commonName, i);
2082 if (i == -1)
2083 break;
2084 e = X509_NAME_get_entry(name, i);
2085 if (e == NULL)
2086 continue;
2087 cn = X509_NAME_ENTRY_get_data(e);
2088 if (cn == NULL)
2089 continue;
2090 wpa_hexdump_ascii(MSG_DEBUG, "TLS: Certificate commonName",
2091 cn->data, cn->length);
2092 if (domain_suffix_match(cn->data, cn->length,
2093 match, match_len, full) == 1) {
2094 wpa_printf(MSG_DEBUG, "TLS: %s in commonName found",
2095 full ? "Match" : "Suffix match");
2096 return 1;
2097 }
2098 }
2099
2100 wpa_printf(MSG_DEBUG, "TLS: No CommonName %smatch found",
2101 full ? "": "suffix ");
2102 return 0;
2103 }
2104 #endif /* CONFIG_NATIVE_WINDOWS */
2105
2106
tls_match_suffix(X509 *cert, const char *match, int full)2107 static int tls_match_suffix(X509 *cert, const char *match, int full)
2108 {
2109 #ifdef CONFIG_NATIVE_WINDOWS
2110 /* wincrypt.h has conflicting X509_NAME definition */
2111 return -1;
2112 #else /* CONFIG_NATIVE_WINDOWS */
2113 const char *token, *last = NULL;
2114
2115 /* Process each match alternative separately until a match is found */
2116 while ((token = cstr_token(match, ";", &last))) {
2117 if (tls_match_suffix_helper(cert, token, last - token, full))
2118 return 1;
2119 }
2120
2121 return 0;
2122 #endif /* CONFIG_NATIVE_WINDOWS */
2123 }
2124
2125
openssl_tls_fail_reason(int err)2126 static enum tls_fail_reason openssl_tls_fail_reason(int err)
2127 {
2128 switch (err) {
2129 case X509_V_ERR_CERT_REVOKED:
2130 return TLS_FAIL_REVOKED;
2131 case X509_V_ERR_CERT_NOT_YET_VALID:
2132 case X509_V_ERR_CRL_NOT_YET_VALID:
2133 return TLS_FAIL_NOT_YET_VALID;
2134 case X509_V_ERR_CERT_HAS_EXPIRED:
2135 case X509_V_ERR_CRL_HAS_EXPIRED:
2136 return TLS_FAIL_EXPIRED;
2137 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
2138 case X509_V_ERR_UNABLE_TO_GET_CRL:
2139 case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER:
2140 case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
2141 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
2142 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
2143 case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
2144 case X509_V_ERR_CERT_CHAIN_TOO_LONG:
2145 case X509_V_ERR_PATH_LENGTH_EXCEEDED:
2146 case X509_V_ERR_INVALID_CA:
2147 return TLS_FAIL_UNTRUSTED;
2148 case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
2149 case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
2150 case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
2151 case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
2152 case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
2153 case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
2154 case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
2155 case X509_V_ERR_CERT_UNTRUSTED:
2156 case X509_V_ERR_CERT_REJECTED:
2157 return TLS_FAIL_BAD_CERTIFICATE;
2158 default:
2159 return TLS_FAIL_UNSPECIFIED;
2160 }
2161 }
2162
2163
get_x509_cert(X509 *cert)2164 static struct wpabuf * get_x509_cert(X509 *cert)
2165 {
2166 struct wpabuf *buf;
2167 u8 *tmp;
2168
2169 int cert_len = i2d_X509(cert, NULL);
2170 if (cert_len <= 0)
2171 return NULL;
2172
2173 buf = wpabuf_alloc(cert_len);
2174 if (buf == NULL)
2175 return NULL;
2176
2177 tmp = wpabuf_put(buf, cert_len);
2178 i2d_X509(cert, &tmp);
2179 return buf;
2180 }
2181
2182
openssl_tls_fail_event(struct tls_connection *conn, X509 *err_cert, int err, int depth, const char *subject, const char *err_str, enum tls_fail_reason reason)2183 static void openssl_tls_fail_event(struct tls_connection *conn,
2184 X509 *err_cert, int err, int depth,
2185 const char *subject, const char *err_str,
2186 enum tls_fail_reason reason)
2187 {
2188 union tls_event_data ev;
2189 struct wpabuf *cert = NULL;
2190 struct tls_context *context = conn->context;
2191
2192 if (context->event_cb == NULL)
2193 return;
2194
2195 cert = get_x509_cert(err_cert);
2196 os_memset(&ev, 0, sizeof(ev));
2197 ev.cert_fail.reason = reason != TLS_FAIL_UNSPECIFIED ?
2198 reason : openssl_tls_fail_reason(err);
2199 ev.cert_fail.depth = depth;
2200 ev.cert_fail.subject = subject;
2201 ev.cert_fail.reason_txt = err_str;
2202 ev.cert_fail.cert = cert;
2203 context->event_cb(context->cb_ctx, TLS_CERT_CHAIN_FAILURE, &ev);
2204 wpabuf_free(cert);
2205 }
2206
2207
openssl_cert_tod(X509 *cert)2208 static int openssl_cert_tod(X509 *cert)
2209 {
2210 CERTIFICATEPOLICIES *ext;
2211 stack_index_t i;
2212 char buf[100];
2213 int res;
2214 int tod = 0;
2215
2216 ext = X509_get_ext_d2i(cert, NID_certificate_policies, NULL, NULL);
2217 if (!ext)
2218 return 0;
2219
2220 for (i = 0; i < sk_POLICYINFO_num(ext); i++) {
2221 POLICYINFO *policy;
2222
2223 policy = sk_POLICYINFO_value(ext, i);
2224 res = OBJ_obj2txt(buf, sizeof(buf), policy->policyid, 0);
2225 if (res < 0 || (size_t) res >= sizeof(buf))
2226 continue;
2227 wpa_printf(MSG_DEBUG, "OpenSSL: Certificate Policy %s", buf);
2228 if (os_strcmp(buf, "1.3.6.1.4.1.40808.1.3.1") == 0)
2229 tod = 1; /* TOD-STRICT */
2230 else if (os_strcmp(buf, "1.3.6.1.4.1.40808.1.3.2") == 0 && !tod)
2231 tod = 2; /* TOD-TOFU */
2232 }
2233 sk_POLICYINFO_pop_free(ext, POLICYINFO_free);
2234
2235 return tod;
2236 }
2237
2238
openssl_tls_cert_event(struct tls_connection *conn, X509 *err_cert, int depth, const char *subject)2239 static void openssl_tls_cert_event(struct tls_connection *conn,
2240 X509 *err_cert, int depth,
2241 const char *subject)
2242 {
2243 struct wpabuf *cert = NULL;
2244 union tls_event_data ev;
2245 struct tls_context *context = conn->context;
2246 char *altsubject[TLS_MAX_ALT_SUBJECT];
2247 int alt, num_altsubject = 0;
2248 GENERAL_NAME *gen;
2249 void *ext;
2250 stack_index_t i;
2251 ASN1_INTEGER *ser;
2252 char serial_num[128];
2253 #ifdef CONFIG_SHA256
2254 u8 hash[32];
2255 #endif /* CONFIG_SHA256 */
2256
2257 if (context->event_cb == NULL)
2258 return;
2259
2260 os_memset(&ev, 0, sizeof(ev));
2261 if (conn->cert_probe || (conn->flags & TLS_CONN_EXT_CERT_CHECK) ||
2262 context->cert_in_cb) {
2263 cert = get_x509_cert(err_cert);
2264 ev.peer_cert.cert = cert;
2265 }
2266 #ifdef CONFIG_SHA256
2267 if (cert) {
2268 const u8 *addr[1];
2269 size_t len[1];
2270 addr[0] = wpabuf_head(cert);
2271 len[0] = wpabuf_len(cert);
2272 if (sha256_vector(1, addr, len, hash) == 0) {
2273 ev.peer_cert.hash = hash;
2274 ev.peer_cert.hash_len = sizeof(hash);
2275 }
2276 }
2277 #endif /* CONFIG_SHA256 */
2278 ev.peer_cert.depth = depth;
2279 ev.peer_cert.subject = subject;
2280
2281 ser = X509_get_serialNumber(err_cert);
2282 if (ser) {
2283 wpa_snprintf_hex_uppercase(serial_num, sizeof(serial_num),
2284 ASN1_STRING_get0_data(ser),
2285 ASN1_STRING_length(ser));
2286 ev.peer_cert.serial_num = serial_num;
2287 }
2288
2289 ext = X509_get_ext_d2i(err_cert, NID_subject_alt_name, NULL, NULL);
2290 for (i = 0; ext && i < sk_GENERAL_NAME_num(ext); i++) {
2291 char *pos;
2292
2293 if (num_altsubject == TLS_MAX_ALT_SUBJECT)
2294 break;
2295 gen = sk_GENERAL_NAME_value(ext, i);
2296 if (gen->type != GEN_EMAIL &&
2297 gen->type != GEN_DNS &&
2298 gen->type != GEN_URI)
2299 continue;
2300
2301 pos = os_malloc(10 + gen->d.ia5->length + 1);
2302 if (pos == NULL)
2303 break;
2304 altsubject[num_altsubject++] = pos;
2305
2306 switch (gen->type) {
2307 case GEN_EMAIL:
2308 os_memcpy(pos, "EMAIL:", 6);
2309 pos += 6;
2310 break;
2311 case GEN_DNS:
2312 os_memcpy(pos, "DNS:", 4);
2313 pos += 4;
2314 break;
2315 case GEN_URI:
2316 os_memcpy(pos, "URI:", 4);
2317 pos += 4;
2318 break;
2319 }
2320
2321 os_memcpy(pos, gen->d.ia5->data, gen->d.ia5->length);
2322 pos += gen->d.ia5->length;
2323 *pos = '\0';
2324 }
2325 sk_GENERAL_NAME_pop_free(ext, GENERAL_NAME_free);
2326
2327 for (alt = 0; alt < num_altsubject; alt++)
2328 ev.peer_cert.altsubject[alt] = altsubject[alt];
2329 ev.peer_cert.num_altsubject = num_altsubject;
2330
2331 ev.peer_cert.tod = openssl_cert_tod(err_cert);
2332
2333 context->event_cb(context->cb_ctx, TLS_PEER_CERTIFICATE, &ev);
2334 wpabuf_free(cert);
2335 for (alt = 0; alt < num_altsubject; alt++)
2336 os_free(altsubject[alt]);
2337 }
2338
2339
debug_print_cert(X509 *cert, const char *title)2340 static void debug_print_cert(X509 *cert, const char *title)
2341 {
2342 #ifndef CONFIG_NO_STDOUT_DEBUG
2343 BIO *out;
2344 size_t rlen;
2345 char *txt;
2346 int res;
2347
2348 if (wpa_debug_level > MSG_DEBUG)
2349 return;
2350
2351 out = BIO_new(BIO_s_mem());
2352 if (!out)
2353 return;
2354
2355 X509_print(out, cert);
2356 rlen = BIO_ctrl_pending(out);
2357 txt = os_malloc(rlen + 1);
2358 if (txt) {
2359 res = BIO_read(out, txt, rlen);
2360 if (res > 0) {
2361 txt[res] = '\0';
2362 wpa_printf(MSG_DEBUG, "OpenSSL: %s\n%s", title, txt);
2363 }
2364 os_free(txt);
2365 }
2366
2367 BIO_free(out);
2368 #endif /* CONFIG_NO_STDOUT_DEBUG */
2369 }
2370
2371
tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)2372 static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
2373 {
2374 char buf[256];
2375 X509 *err_cert;
2376 int err, depth;
2377 SSL *ssl;
2378 struct tls_connection *conn;
2379 struct tls_context *context;
2380 char *match, *altmatch, *suffix_match, *domain_match;
2381 const char *check_cert_subject;
2382 const char *err_str;
2383
2384 err_cert = X509_STORE_CTX_get_current_cert(x509_ctx);
2385 if (!err_cert)
2386 return 0;
2387
2388 err = X509_STORE_CTX_get_error(x509_ctx);
2389 depth = X509_STORE_CTX_get_error_depth(x509_ctx);
2390 ssl = X509_STORE_CTX_get_ex_data(x509_ctx,
2391 SSL_get_ex_data_X509_STORE_CTX_idx());
2392 os_snprintf(buf, sizeof(buf), "Peer certificate - depth %d", depth);
2393 debug_print_cert(err_cert, buf);
2394 X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof(buf));
2395
2396 conn = SSL_get_app_data(ssl);
2397 if (conn == NULL)
2398 return 0;
2399
2400 if (depth == 0)
2401 conn->peer_cert = err_cert;
2402 else if (depth == 1)
2403 conn->peer_issuer = err_cert;
2404 else if (depth == 2)
2405 conn->peer_issuer_issuer = err_cert;
2406
2407 context = conn->context;
2408 match = conn->subject_match;
2409 altmatch = conn->altsubject_match;
2410 suffix_match = conn->suffix_match;
2411 domain_match = conn->domain_match;
2412
2413 if (!preverify_ok && !conn->ca_cert_verify)
2414 preverify_ok = 1;
2415 if (!preverify_ok && depth > 0 && conn->server_cert_only)
2416 preverify_ok = 1;
2417 if (!preverify_ok && (conn->flags & TLS_CONN_DISABLE_TIME_CHECKS) &&
2418 (err == X509_V_ERR_CERT_HAS_EXPIRED ||
2419 err == X509_V_ERR_CERT_NOT_YET_VALID)) {
2420 wpa_printf(MSG_DEBUG, "OpenSSL: Ignore certificate validity "
2421 "time mismatch");
2422 preverify_ok = 1;
2423 }
2424 if (!preverify_ok && !conn->data->check_crl_strict &&
2425 (err == X509_V_ERR_CRL_HAS_EXPIRED ||
2426 err == X509_V_ERR_CRL_NOT_YET_VALID)) {
2427 wpa_printf(MSG_DEBUG,
2428 "OpenSSL: Ignore certificate validity CRL time mismatch");
2429 preverify_ok = 1;
2430 }
2431
2432 err_str = X509_verify_cert_error_string(err);
2433
2434 #ifdef CONFIG_SHA256
2435 /*
2436 * Do not require preverify_ok so we can explicity allow otherwise
2437 * invalid pinned server certificates.
2438 */
2439 if (depth == 0 && conn->server_cert_only) {
2440 struct wpabuf *cert;
2441 cert = get_x509_cert(err_cert);
2442 if (!cert) {
2443 wpa_printf(MSG_DEBUG, "OpenSSL: Could not fetch "
2444 "server certificate data");
2445 preverify_ok = 0;
2446 } else {
2447 u8 hash[32];
2448 const u8 *addr[1];
2449 size_t len[1];
2450 addr[0] = wpabuf_head(cert);
2451 len[0] = wpabuf_len(cert);
2452 if (sha256_vector(1, addr, len, hash) < 0 ||
2453 os_memcmp(conn->srv_cert_hash, hash, 32) != 0) {
2454 err_str = "Server certificate mismatch";
2455 err = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
2456 preverify_ok = 0;
2457 } else if (!preverify_ok) {
2458 /*
2459 * Certificate matches pinned certificate, allow
2460 * regardless of other problems.
2461 */
2462 wpa_printf(MSG_DEBUG,
2463 "OpenSSL: Ignore validation issues for a pinned server certificate");
2464 preverify_ok = 1;
2465 }
2466 wpabuf_free(cert);
2467 }
2468 }
2469 #endif /* CONFIG_SHA256 */
2470
2471 openssl_tls_cert_event(conn, err_cert, depth, buf);
2472
2473 if (!preverify_ok) {
2474 if (depth > 0) {
2475 /* Send cert event for the peer certificate so that
2476 * the upper layers get information about it even if
2477 * validation of a CA certificate fails. */
2478 STACK_OF(X509) *chain;
2479
2480 chain = X509_STORE_CTX_get1_chain(x509_ctx);
2481 if (chain && sk_X509_num(chain) > 0) {
2482 char buf2[256];
2483 X509 *cert;
2484
2485 cert = sk_X509_value(chain, 0);
2486 X509_NAME_oneline(X509_get_subject_name(cert),
2487 buf2, sizeof(buf2));
2488
2489 openssl_tls_cert_event(conn, cert, 0, buf2);
2490 }
2491 if (chain)
2492 sk_X509_pop_free(chain, X509_free);
2493 }
2494
2495 wpa_printf(MSG_WARNING, "TLS: Certificate verification failed,"
2496 " error %d (%s) depth %d for '%s'", err, err_str,
2497 depth, buf);
2498 openssl_tls_fail_event(conn, err_cert, err, depth, buf,
2499 err_str, TLS_FAIL_UNSPECIFIED);
2500 return preverify_ok;
2501 }
2502
2503 wpa_printf(MSG_EXCESSIVE, "TLS: tls_verify_cb - preverify_ok=%d "
2504 "err=%d (%s) ca_cert_verify=%d depth=%d buf='%s'",
2505 preverify_ok, err, err_str,
2506 conn->ca_cert_verify, depth, buf);
2507 check_cert_subject = conn->check_cert_subject;
2508 if (!check_cert_subject)
2509 check_cert_subject = conn->data->check_cert_subject;
2510 if (check_cert_subject) {
2511 if (depth == 0 &&
2512 !tls_match_dn_field(err_cert, check_cert_subject)) {
2513 preverify_ok = 0;
2514 openssl_tls_fail_event(conn, err_cert, err, depth, buf,
2515 "Distinguished Name",
2516 TLS_FAIL_DN_MISMATCH);
2517 }
2518 }
2519 if (depth == 0 && match && os_strstr(buf, match) == NULL) {
2520 wpa_printf(MSG_WARNING, "TLS: Subject '%s' did not "
2521 "match with '%s'", buf, match);
2522 preverify_ok = 0;
2523 openssl_tls_fail_event(conn, err_cert, err, depth, buf,
2524 "Subject mismatch",
2525 TLS_FAIL_SUBJECT_MISMATCH);
2526 } else if (depth == 0 && altmatch &&
2527 !tls_match_altsubject(err_cert, altmatch)) {
2528 wpa_printf(MSG_WARNING, "TLS: altSubjectName match "
2529 "'%s' not found", altmatch);
2530 preverify_ok = 0;
2531 openssl_tls_fail_event(conn, err_cert, err, depth, buf,
2532 "AltSubject mismatch",
2533 TLS_FAIL_ALTSUBJECT_MISMATCH);
2534 } else if (depth == 0 && suffix_match &&
2535 !tls_match_suffix(err_cert, suffix_match, 0)) {
2536 wpa_printf(MSG_WARNING, "TLS: Domain suffix match '%s' not found",
2537 suffix_match);
2538 preverify_ok = 0;
2539 openssl_tls_fail_event(conn, err_cert, err, depth, buf,
2540 "Domain suffix mismatch",
2541 TLS_FAIL_DOMAIN_SUFFIX_MISMATCH);
2542 } else if (depth == 0 && domain_match &&
2543 !tls_match_suffix(err_cert, domain_match, 1)) {
2544 wpa_printf(MSG_WARNING, "TLS: Domain match '%s' not found",
2545 domain_match);
2546 preverify_ok = 0;
2547 openssl_tls_fail_event(conn, err_cert, err, depth, buf,
2548 "Domain mismatch",
2549 TLS_FAIL_DOMAIN_MISMATCH);
2550 }
2551
2552 if (conn->cert_probe && preverify_ok && depth == 0) {
2553 wpa_printf(MSG_DEBUG, "OpenSSL: Reject server certificate "
2554 "on probe-only run");
2555 preverify_ok = 0;
2556 openssl_tls_fail_event(conn, err_cert, err, depth, buf,
2557 "Server certificate chain probe",
2558 TLS_FAIL_SERVER_CHAIN_PROBE);
2559 }
2560
2561 #ifdef CONFIG_SUITEB
2562 if (conn->flags & TLS_CONN_SUITEB) {
2563 EVP_PKEY *pk;
2564 RSA *rsa;
2565 int len = -1;
2566
2567 pk = X509_get_pubkey(err_cert);
2568 if (pk) {
2569 rsa = EVP_PKEY_get1_RSA(pk);
2570 if (rsa) {
2571 len = RSA_bits(rsa);
2572 RSA_free(rsa);
2573 }
2574 EVP_PKEY_free(pk);
2575 }
2576
2577 if (len >= 0) {
2578 wpa_printf(MSG_DEBUG,
2579 "OpenSSL: RSA modulus size: %d bits", len);
2580 if (len < 3072) {
2581 preverify_ok = 0;
2582 openssl_tls_fail_event(
2583 conn, err_cert, err,
2584 depth, buf,
2585 "Insufficient RSA modulus size",
2586 TLS_FAIL_INSUFFICIENT_KEY_LEN);
2587 }
2588 }
2589 }
2590 #endif /* CONFIG_SUITEB */
2591
2592 #ifdef OPENSSL_IS_BORINGSSL
2593 if (depth == 0 && (conn->flags & TLS_CONN_REQUEST_OCSP) &&
2594 preverify_ok) {
2595 enum ocsp_result res;
2596
2597 res = check_ocsp_resp(conn->ssl_ctx, conn->ssl, err_cert,
2598 conn->peer_issuer,
2599 conn->peer_issuer_issuer);
2600 if (res == OCSP_REVOKED) {
2601 preverify_ok = 0;
2602 openssl_tls_fail_event(conn, err_cert, err, depth, buf,
2603 "certificate revoked",
2604 TLS_FAIL_REVOKED);
2605 if (err == X509_V_OK)
2606 X509_STORE_CTX_set_error(
2607 x509_ctx, X509_V_ERR_CERT_REVOKED);
2608 } else if (res != OCSP_GOOD &&
2609 (conn->flags & TLS_CONN_REQUIRE_OCSP)) {
2610 preverify_ok = 0;
2611 openssl_tls_fail_event(conn, err_cert, err, depth, buf,
2612 "bad certificate status response",
2613 TLS_FAIL_UNSPECIFIED);
2614 }
2615 }
2616 #endif /* OPENSSL_IS_BORINGSSL */
2617
2618 if (depth == 0 && preverify_ok && context->event_cb != NULL)
2619 context->event_cb(context->cb_ctx,
2620 TLS_CERT_CHAIN_SUCCESS, NULL);
2621
2622 if (depth == 0 && preverify_ok) {
2623 os_free(conn->peer_subject);
2624 conn->peer_subject = os_strdup(buf);
2625 }
2626
2627 return preverify_ok;
2628 }
2629
2630
2631 #ifndef OPENSSL_NO_STDIO
tls_load_ca_der(struct tls_data *data, const char *ca_cert)2632 static int tls_load_ca_der(struct tls_data *data, const char *ca_cert)
2633 {
2634 SSL_CTX *ssl_ctx = data->ssl;
2635 X509_LOOKUP *lookup;
2636 int ret = 0;
2637
2638 lookup = X509_STORE_add_lookup(SSL_CTX_get_cert_store(ssl_ctx),
2639 X509_LOOKUP_file());
2640 if (lookup == NULL) {
2641 tls_show_errors(MSG_WARNING, __func__,
2642 "Failed add lookup for X509 store");
2643 return -1;
2644 }
2645
2646 if (!X509_LOOKUP_load_file(lookup, ca_cert, X509_FILETYPE_ASN1)) {
2647 unsigned long err = ERR_peek_error();
2648 tls_show_errors(MSG_WARNING, __func__,
2649 "Failed load CA in DER format");
2650 if (ERR_GET_LIB(err) == ERR_LIB_X509 &&
2651 ERR_GET_REASON(err) == X509_R_CERT_ALREADY_IN_HASH_TABLE) {
2652 wpa_printf(MSG_DEBUG, "OpenSSL: %s - ignoring "
2653 "cert already in hash table error",
2654 __func__);
2655 } else
2656 ret = -1;
2657 }
2658
2659 return ret;
2660 }
2661 #endif /* OPENSSL_NO_STDIO */
2662
2663
tls_connection_ca_cert(struct tls_data *data, struct tls_connection *conn, const char *ca_cert, const u8 *ca_cert_blob, size_t ca_cert_blob_len, const char *ca_path)2664 static int tls_connection_ca_cert(struct tls_data *data,
2665 struct tls_connection *conn,
2666 const char *ca_cert, const u8 *ca_cert_blob,
2667 size_t ca_cert_blob_len, const char *ca_path)
2668 {
2669 SSL_CTX *ssl_ctx = data->ssl;
2670 X509_STORE *store;
2671
2672 /*
2673 * Remove previously configured trusted CA certificates before adding
2674 * new ones.
2675 */
2676 store = X509_STORE_new();
2677 if (store == NULL) {
2678 wpa_printf(MSG_DEBUG, "OpenSSL: %s - failed to allocate new "
2679 "certificate store", __func__);
2680 return -1;
2681 }
2682 SSL_CTX_set_cert_store(ssl_ctx, store);
2683
2684 SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb);
2685 conn->ca_cert_verify = 1;
2686
2687 if (ca_cert && os_strncmp(ca_cert, "probe://", 8) == 0) {
2688 wpa_printf(MSG_DEBUG, "OpenSSL: Probe for server certificate "
2689 "chain");
2690 conn->cert_probe = 1;
2691 conn->ca_cert_verify = 0;
2692 return 0;
2693 }
2694
2695 if (ca_cert && os_strncmp(ca_cert, "hash://", 7) == 0) {
2696 #ifdef CONFIG_SHA256
2697 const char *pos = ca_cert + 7;
2698 if (os_strncmp(pos, "server/sha256/", 14) != 0) {
2699 wpa_printf(MSG_DEBUG, "OpenSSL: Unsupported ca_cert "
2700 "hash value '%s'", ca_cert);
2701 return -1;
2702 }
2703 pos += 14;
2704 if (os_strlen(pos) != 32 * 2) {
2705 wpa_printf(MSG_DEBUG, "OpenSSL: Unexpected SHA256 "
2706 "hash length in ca_cert '%s'", ca_cert);
2707 return -1;
2708 }
2709 if (hexstr2bin(pos, conn->srv_cert_hash, 32) < 0) {
2710 wpa_printf(MSG_DEBUG, "OpenSSL: Invalid SHA256 hash "
2711 "value in ca_cert '%s'", ca_cert);
2712 return -1;
2713 }
2714 conn->server_cert_only = 1;
2715 wpa_printf(MSG_DEBUG, "OpenSSL: Checking only server "
2716 "certificate match");
2717 return 0;
2718 #else /* CONFIG_SHA256 */
2719 wpa_printf(MSG_INFO, "No SHA256 included in the build - "
2720 "cannot validate server certificate hash");
2721 return -1;
2722 #endif /* CONFIG_SHA256 */
2723 }
2724
2725 if (ca_cert_blob) {
2726 X509 *cert = d2i_X509(NULL,
2727 (const unsigned char **) &ca_cert_blob,
2728 ca_cert_blob_len);
2729 if (cert == NULL) {
2730 BIO *bio = BIO_new_mem_buf(ca_cert_blob,
2731 ca_cert_blob_len);
2732
2733 if (bio) {
2734 cert = PEM_read_bio_X509(bio, NULL, NULL, NULL);
2735 BIO_free(bio);
2736 }
2737
2738 if (!cert) {
2739 tls_show_errors(MSG_WARNING, __func__,
2740 "Failed to parse ca_cert_blob");
2741 return -1;
2742 }
2743
2744 while (ERR_get_error()) {
2745 /* Ignore errors from DER conversion. */
2746 }
2747 }
2748
2749 if (!X509_STORE_add_cert(SSL_CTX_get_cert_store(ssl_ctx),
2750 cert)) {
2751 unsigned long err = ERR_peek_error();
2752 tls_show_errors(MSG_WARNING, __func__,
2753 "Failed to add ca_cert_blob to "
2754 "certificate store");
2755 if (ERR_GET_LIB(err) == ERR_LIB_X509 &&
2756 ERR_GET_REASON(err) ==
2757 X509_R_CERT_ALREADY_IN_HASH_TABLE) {
2758 wpa_printf(MSG_DEBUG, "OpenSSL: %s - ignoring "
2759 "cert already in hash table error",
2760 __func__);
2761 } else {
2762 X509_free(cert);
2763 return -1;
2764 }
2765 }
2766 X509_free(cert);
2767 wpa_printf(MSG_DEBUG, "OpenSSL: %s - added ca_cert_blob "
2768 "to certificate store", __func__);
2769 return 0;
2770 }
2771
2772 #ifdef ANDROID
2773 /* Single alias */
2774 if (ca_cert && os_strncmp("keystore://", ca_cert, 11) == 0) {
2775 if (tls_add_ca_from_keystore(SSL_CTX_get_cert_store(ssl_ctx),
2776 &ca_cert[11]) < 0)
2777 return -1;
2778 SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb);
2779 return 0;
2780 }
2781
2782 /* Multiple aliases separated by space */
2783 if (ca_cert && os_strncmp("keystores://", ca_cert, 12) == 0) {
2784 char *aliases = os_strdup(&ca_cert[12]);
2785 const char *delim = " ";
2786 int rc = 0;
2787 char *savedptr;
2788 char *alias;
2789
2790 if (!aliases)
2791 return -1;
2792 alias = strtok_r(aliases, delim, &savedptr);
2793 for (; alias; alias = strtok_r(NULL, delim, &savedptr)) {
2794 if (tls_add_ca_from_keystore_encoded(
2795 SSL_CTX_get_cert_store(ssl_ctx), alias)) {
2796 wpa_printf(MSG_WARNING,
2797 "OpenSSL: %s - Failed to add ca_cert %s from keystore",
2798 __func__, alias);
2799 rc = -1;
2800 break;
2801 }
2802 }
2803 os_free(aliases);
2804 if (rc)
2805 return rc;
2806
2807 SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb);
2808 return 0;
2809 }
2810 #endif /* ANDROID */
2811
2812 #ifdef CONFIG_NATIVE_WINDOWS
2813 if (ca_cert && tls_cryptoapi_ca_cert(ssl_ctx, conn->ssl, ca_cert) ==
2814 0) {
2815 wpa_printf(MSG_DEBUG, "OpenSSL: Added CA certificates from "
2816 "system certificate store");
2817 return 0;
2818 }
2819 #endif /* CONFIG_NATIVE_WINDOWS */
2820
2821 if (ca_cert || ca_path) {
2822 #ifndef OPENSSL_NO_STDIO
2823 if (SSL_CTX_load_verify_locations(ssl_ctx, ca_cert, ca_path) !=
2824 1) {
2825 tls_show_errors(MSG_WARNING, __func__,
2826 "Failed to load root certificates");
2827 if (ca_cert &&
2828 tls_load_ca_der(data, ca_cert) == 0) {
2829 wpa_printf(MSG_DEBUG, "OpenSSL: %s - loaded "
2830 "DER format CA certificate",
2831 __func__);
2832 } else
2833 return -1;
2834 } else {
2835 wpa_printf(MSG_DEBUG, "TLS: Trusted root "
2836 "certificate(s) loaded");
2837 tls_get_errors(data);
2838 }
2839 #else /* OPENSSL_NO_STDIO */
2840 wpa_printf(MSG_DEBUG, "OpenSSL: %s - OPENSSL_NO_STDIO",
2841 __func__);
2842 return -1;
2843 #endif /* OPENSSL_NO_STDIO */
2844 } else {
2845 /* No ca_cert configured - do not try to verify server
2846 * certificate */
2847 conn->ca_cert_verify = 0;
2848 }
2849
2850 return 0;
2851 }
2852
2853
tls_global_ca_cert(struct tls_data *data, const char *ca_cert)2854 static int tls_global_ca_cert(struct tls_data *data, const char *ca_cert)
2855 {
2856 SSL_CTX *ssl_ctx = data->ssl;
2857
2858 if (ca_cert) {
2859 if (SSL_CTX_load_verify_locations(ssl_ctx, ca_cert, NULL) != 1)
2860 {
2861 tls_show_errors(MSG_WARNING, __func__,
2862 "Failed to load root certificates");
2863 return -1;
2864 }
2865
2866 wpa_printf(MSG_DEBUG, "TLS: Trusted root "
2867 "certificate(s) loaded");
2868
2869 #ifndef OPENSSL_NO_STDIO
2870 /* Add the same CAs to the client certificate requests */
2871 SSL_CTX_set_client_CA_list(ssl_ctx,
2872 SSL_load_client_CA_file(ca_cert));
2873 #endif /* OPENSSL_NO_STDIO */
2874
2875 os_free(data->ca_cert);
2876 data->ca_cert = os_strdup(ca_cert);
2877 }
2878
2879 return 0;
2880 }
2881
2882
tls_global_set_verify(void *ssl_ctx, int check_crl, int strict)2883 int tls_global_set_verify(void *ssl_ctx, int check_crl, int strict)
2884 {
2885 int flags;
2886
2887 if (check_crl) {
2888 struct tls_data *data = ssl_ctx;
2889 X509_STORE *cs = SSL_CTX_get_cert_store(data->ssl);
2890 if (cs == NULL) {
2891 tls_show_errors(MSG_INFO, __func__, "Failed to get "
2892 "certificate store when enabling "
2893 "check_crl");
2894 return -1;
2895 }
2896 flags = X509_V_FLAG_CRL_CHECK;
2897 if (check_crl == 2)
2898 flags |= X509_V_FLAG_CRL_CHECK_ALL;
2899 X509_STORE_set_flags(cs, flags);
2900
2901 data->check_crl = check_crl;
2902 data->check_crl_strict = strict;
2903 os_get_reltime(&data->crl_last_reload);
2904 }
2905 return 0;
2906 }
2907
2908
tls_connection_set_subject_match(struct tls_connection *conn, const char *subject_match, const char *altsubject_match, const char *suffix_match, const char *domain_match, const char *check_cert_subject)2909 static int tls_connection_set_subject_match(struct tls_connection *conn,
2910 const char *subject_match,
2911 const char *altsubject_match,
2912 const char *suffix_match,
2913 const char *domain_match,
2914 const char *check_cert_subject)
2915 {
2916 os_free(conn->subject_match);
2917 conn->subject_match = NULL;
2918 if (subject_match) {
2919 conn->subject_match = os_strdup(subject_match);
2920 if (conn->subject_match == NULL)
2921 return -1;
2922 }
2923
2924 os_free(conn->altsubject_match);
2925 conn->altsubject_match = NULL;
2926 if (altsubject_match) {
2927 conn->altsubject_match = os_strdup(altsubject_match);
2928 if (conn->altsubject_match == NULL)
2929 return -1;
2930 }
2931
2932 os_free(conn->suffix_match);
2933 conn->suffix_match = NULL;
2934 if (suffix_match) {
2935 conn->suffix_match = os_strdup(suffix_match);
2936 if (conn->suffix_match == NULL)
2937 return -1;
2938 }
2939
2940 os_free(conn->domain_match);
2941 conn->domain_match = NULL;
2942 if (domain_match) {
2943 conn->domain_match = os_strdup(domain_match);
2944 if (conn->domain_match == NULL)
2945 return -1;
2946 }
2947
2948 os_free(conn->check_cert_subject);
2949 conn->check_cert_subject = NULL;
2950 if (check_cert_subject) {
2951 conn->check_cert_subject = os_strdup(check_cert_subject);
2952 if (!conn->check_cert_subject)
2953 return -1;
2954 }
2955
2956 return 0;
2957 }
2958
2959
2960 #ifdef CONFIG_SUITEB
2961 #if OPENSSL_VERSION_NUMBER >= 0x10002000L
suiteb_cert_cb(SSL *ssl, void *arg)2962 static int suiteb_cert_cb(SSL *ssl, void *arg)
2963 {
2964 struct tls_connection *conn = arg;
2965
2966 /*
2967 * This cert_cb() is not really the best location for doing a
2968 * constraint check for the ServerKeyExchange message, but this seems to
2969 * be the only place where the current OpenSSL sequence can be
2970 * terminated cleanly with an TLS alert going out to the server.
2971 */
2972
2973 if (!(conn->flags & TLS_CONN_SUITEB))
2974 return 1;
2975
2976 /* DHE is enabled only with DHE-RSA-AES256-GCM-SHA384 */
2977 if (conn->cipher_suite != 0x9f)
2978 return 1;
2979
2980 if (conn->server_dh_prime_len >= 3072)
2981 return 1;
2982
2983 wpa_printf(MSG_DEBUG,
2984 "OpenSSL: Server DH prime length (%d bits) not sufficient for Suite B RSA - reject handshake",
2985 conn->server_dh_prime_len);
2986 return 0;
2987 }
2988 #endif /* OPENSSL_VERSION_NUMBER */
2989 #endif /* CONFIG_SUITEB */
2990
2991
tls_set_conn_flags(struct tls_connection *conn, unsigned int flags, const char *openssl_ciphers)2992 static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags,
2993 const char *openssl_ciphers)
2994 {
2995 SSL *ssl = conn->ssl;
2996
2997 #ifdef SSL_OP_NO_TICKET
2998 if (flags & TLS_CONN_DISABLE_SESSION_TICKET)
2999 SSL_set_options(ssl, SSL_OP_NO_TICKET);
3000 else
3001 SSL_clear_options(ssl, SSL_OP_NO_TICKET);
3002 #endif /* SSL_OP_NO_TICKET */
3003
3004 #ifdef SSL_OP_NO_TLSv1
3005 if (flags & TLS_CONN_DISABLE_TLSv1_0)
3006 SSL_set_options(ssl, SSL_OP_NO_TLSv1);
3007 else
3008 SSL_clear_options(ssl, SSL_OP_NO_TLSv1);
3009 #endif /* SSL_OP_NO_TLSv1 */
3010 #ifdef SSL_OP_NO_TLSv1_1
3011 if (flags & TLS_CONN_DISABLE_TLSv1_1)
3012 SSL_set_options(ssl, SSL_OP_NO_TLSv1_1);
3013 else
3014 SSL_clear_options(ssl, SSL_OP_NO_TLSv1_1);
3015 #endif /* SSL_OP_NO_TLSv1_1 */
3016 #ifdef SSL_OP_NO_TLSv1_2
3017 if (flags & TLS_CONN_DISABLE_TLSv1_2)
3018 SSL_set_options(ssl, SSL_OP_NO_TLSv1_2);
3019 else
3020 SSL_clear_options(ssl, SSL_OP_NO_TLSv1_2);
3021 #endif /* SSL_OP_NO_TLSv1_2 */
3022 #ifdef SSL_OP_NO_TLSv1_3
3023 if (flags & TLS_CONN_DISABLE_TLSv1_3)
3024 SSL_set_options(ssl, SSL_OP_NO_TLSv1_3);
3025 else
3026 SSL_clear_options(ssl, SSL_OP_NO_TLSv1_3);
3027 #endif /* SSL_OP_NO_TLSv1_3 */
3028 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
3029 if (flags & (TLS_CONN_ENABLE_TLSv1_0 |
3030 TLS_CONN_ENABLE_TLSv1_1 |
3031 TLS_CONN_ENABLE_TLSv1_2)) {
3032 int version = 0;
3033
3034 /* Explicit request to enable TLS versions even if needing to
3035 * override systemwide policies. */
3036 if (flags & TLS_CONN_ENABLE_TLSv1_0)
3037 version = TLS1_VERSION;
3038 else if (flags & TLS_CONN_ENABLE_TLSv1_1)
3039 version = TLS1_1_VERSION;
3040 else if (flags & TLS_CONN_ENABLE_TLSv1_2)
3041 version = TLS1_2_VERSION;
3042 if (!version) {
3043 wpa_printf(MSG_DEBUG,
3044 "OpenSSL: Invalid TLS version configuration");
3045 return -1;
3046 }
3047
3048 if (SSL_set_min_proto_version(ssl, version) != 1) {
3049 wpa_printf(MSG_DEBUG,
3050 "OpenSSL: Failed to set minimum TLS version");
3051 return -1;
3052 }
3053 }
3054 #endif /* >= 1.1.0 */
3055 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
3056 !defined(LIBRESSL_VERSION_NUMBER) && \
3057 !defined(OPENSSL_IS_BORINGSSL)
3058 {
3059 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
3060 int need_level = 0;
3061 #else
3062 int need_level = 1;
3063 #endif
3064
3065 if ((flags &
3066 (TLS_CONN_ENABLE_TLSv1_0 | TLS_CONN_ENABLE_TLSv1_1)) &&
3067 SSL_get_security_level(ssl) > need_level) {
3068 /*
3069 * Need to drop to security level 1 (or 0 with OpenSSL
3070 * 3.0) to allow TLS versions older than 1.2 to be used
3071 * when explicitly enabled in configuration.
3072 */
3073 SSL_set_security_level(conn->ssl, need_level);
3074 }
3075 }
3076 #endif
3077
3078 #ifdef CONFIG_SUITEB
3079 #ifdef OPENSSL_IS_BORINGSSL
3080 /* Start with defaults from BoringSSL */
3081 SSL_CTX_set_verify_algorithm_prefs(conn->ssl_ctx, NULL, 0);
3082 #endif /* OPENSSL_IS_BORINGSSL */
3083 #if OPENSSL_VERSION_NUMBER >= 0x10002000L
3084 if (flags & TLS_CONN_SUITEB_NO_ECDH) {
3085 const char *ciphers = "DHE-RSA-AES256-GCM-SHA384";
3086
3087 if (openssl_ciphers) {
3088 wpa_printf(MSG_DEBUG,
3089 "OpenSSL: Override ciphers for Suite B (no ECDH): %s",
3090 openssl_ciphers);
3091 ciphers = openssl_ciphers;
3092 }
3093 if (SSL_set_cipher_list(ssl, ciphers) != 1) {
3094 wpa_printf(MSG_INFO,
3095 "OpenSSL: Failed to set Suite B ciphers");
3096 return -1;
3097 }
3098 } else if (flags & TLS_CONN_SUITEB) {
3099 EC_KEY *ecdh;
3100 const char *ciphers =
3101 "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384";
3102 int nid[1] = { NID_secp384r1 };
3103
3104 if (openssl_ciphers) {
3105 wpa_printf(MSG_DEBUG,
3106 "OpenSSL: Override ciphers for Suite B: %s",
3107 openssl_ciphers);
3108 ciphers = openssl_ciphers;
3109 }
3110 if (SSL_set_cipher_list(ssl, ciphers) != 1) {
3111 wpa_printf(MSG_INFO,
3112 "OpenSSL: Failed to set Suite B ciphers");
3113 return -1;
3114 }
3115
3116 if (SSL_set1_curves(ssl, nid, 1) != 1) {
3117 wpa_printf(MSG_INFO,
3118 "OpenSSL: Failed to set Suite B curves");
3119 return -1;
3120 }
3121
3122 ecdh = EC_KEY_new_by_curve_name(NID_secp384r1);
3123 if (!ecdh || SSL_set_tmp_ecdh(ssl, ecdh) != 1) {
3124 EC_KEY_free(ecdh);
3125 wpa_printf(MSG_INFO,
3126 "OpenSSL: Failed to set ECDH parameter");
3127 return -1;
3128 }
3129 EC_KEY_free(ecdh);
3130 }
3131 if (flags & (TLS_CONN_SUITEB | TLS_CONN_SUITEB_NO_ECDH)) {
3132 #ifdef OPENSSL_IS_BORINGSSL
3133 uint16_t sigalgs[1] = { SSL_SIGN_RSA_PKCS1_SHA384 };
3134
3135 if (SSL_CTX_set_verify_algorithm_prefs(conn->ssl_ctx, sigalgs,
3136 1) != 1) {
3137 wpa_printf(MSG_INFO,
3138 "OpenSSL: Failed to set Suite B sigalgs");
3139 return -1;
3140 }
3141 #else /* OPENSSL_IS_BORINGSSL */
3142 /* ECDSA+SHA384 if need to add EC support here */
3143 if (SSL_set1_sigalgs_list(ssl, "RSA+SHA384") != 1) {
3144 wpa_printf(MSG_INFO,
3145 "OpenSSL: Failed to set Suite B sigalgs");
3146 return -1;
3147 }
3148 #endif /* OPENSSL_IS_BORINGSSL */
3149
3150 SSL_set_options(ssl, SSL_OP_NO_TLSv1);
3151 SSL_set_options(ssl, SSL_OP_NO_TLSv1_1);
3152 SSL_set_cert_cb(ssl, suiteb_cert_cb, conn);
3153 }
3154 #else /* OPENSSL_VERSION_NUMBER < 0x10002000L */
3155 if (flags & (TLS_CONN_SUITEB | TLS_CONN_SUITEB_NO_ECDH)) {
3156 wpa_printf(MSG_ERROR,
3157 "OpenSSL: Suite B RSA case not supported with this OpenSSL version");
3158 return -1;
3159 }
3160 #endif /* OPENSSL_VERSION_NUMBER */
3161
3162 #ifdef OPENSSL_IS_BORINGSSL
3163 if (openssl_ciphers && os_strcmp(openssl_ciphers, "SUITEB192") == 0) {
3164 uint16_t sigalgs[1] = { SSL_SIGN_ECDSA_SECP384R1_SHA384 };
3165 int nid[1] = { NID_secp384r1 };
3166
3167 if (SSL_set1_curves(ssl, nid, 1) != 1) {
3168 wpa_printf(MSG_INFO,
3169 "OpenSSL: Failed to set Suite B curves");
3170 return -1;
3171 }
3172
3173 if (SSL_CTX_set_verify_algorithm_prefs(conn->ssl_ctx, sigalgs,
3174 1) != 1) {
3175 wpa_printf(MSG_INFO,
3176 "OpenSSL: Failed to set Suite B sigalgs");
3177 return -1;
3178 }
3179 }
3180 #else /* OPENSSL_IS_BORINGSSL */
3181 if (!(flags & (TLS_CONN_SUITEB | TLS_CONN_SUITEB_NO_ECDH)) &&
3182 openssl_ciphers && SSL_set_cipher_list(ssl, openssl_ciphers) != 1) {
3183 wpa_printf(MSG_INFO,
3184 "OpenSSL: Failed to set openssl_ciphers '%s'",
3185 openssl_ciphers);
3186 return -1;
3187 }
3188 #endif /* OPENSSL_IS_BORINGSSL */
3189 #else /* CONFIG_SUITEB */
3190 if (openssl_ciphers && SSL_set_cipher_list(ssl, openssl_ciphers) != 1) {
3191 wpa_printf(MSG_INFO,
3192 "OpenSSL: Failed to set openssl_ciphers '%s'",
3193 openssl_ciphers);
3194 return -1;
3195 }
3196 #endif /* CONFIG_SUITEB */
3197
3198 if (flags & TLS_CONN_TEAP_ANON_DH) {
3199 #ifndef TEAP_DH_ANON_CS
3200 #define TEAP_DH_ANON_CS \
3201 "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:" \
3202 "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:" \
3203 "ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:" \
3204 "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:" \
3205 "DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:" \
3206 "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:" \
3207 "ADH-AES256-GCM-SHA384:ADH-AES128-GCM-SHA256:" \
3208 "ADH-AES256-SHA256:ADH-AES128-SHA256:ADH-AES256-SHA:ADH-AES128-SHA"
3209 #endif
3210 static const char *cs = TEAP_DH_ANON_CS;
3211
3212 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
3213 !defined(LIBRESSL_VERSION_NUMBER) && \
3214 !defined(OPENSSL_IS_BORINGSSL)
3215 /*
3216 * Need to drop to security level 0 to allow anonymous
3217 * cipher suites for EAP-TEAP.
3218 */
3219 SSL_set_security_level(conn->ssl, 0);
3220 #endif
3221
3222 wpa_printf(MSG_DEBUG,
3223 "OpenSSL: Enable cipher suites for anonymous EAP-TEAP provisioning: %s",
3224 cs);
3225 if (SSL_set_cipher_list(conn->ssl, cs) != 1) {
3226 tls_show_errors(MSG_INFO, __func__,
3227 "Cipher suite configuration failed");
3228 return -1;
3229 }
3230 }
3231
3232 return 0;
3233 }
3234
3235
tls_connection_set_verify(void *ssl_ctx, struct tls_connection *conn, int verify_peer, unsigned int flags, const u8 *session_ctx, size_t session_ctx_len)3236 int tls_connection_set_verify(void *ssl_ctx, struct tls_connection *conn,
3237 int verify_peer, unsigned int flags,
3238 const u8 *session_ctx, size_t session_ctx_len)
3239 {
3240 static int counter = 0;
3241 struct tls_data *data = ssl_ctx;
3242
3243 if (conn == NULL)
3244 return -1;
3245
3246 if (verify_peer == 2) {
3247 conn->ca_cert_verify = 1;
3248 SSL_set_verify(conn->ssl, SSL_VERIFY_PEER |
3249 SSL_VERIFY_CLIENT_ONCE, tls_verify_cb);
3250 } else if (verify_peer) {
3251 conn->ca_cert_verify = 1;
3252 SSL_set_verify(conn->ssl, SSL_VERIFY_PEER |
3253 SSL_VERIFY_FAIL_IF_NO_PEER_CERT |
3254 SSL_VERIFY_CLIENT_ONCE, tls_verify_cb);
3255 } else {
3256 conn->ca_cert_verify = 0;
3257 SSL_set_verify(conn->ssl, SSL_VERIFY_NONE, NULL);
3258 }
3259
3260 if (tls_set_conn_flags(conn, flags, NULL) < 0)
3261 return -1;
3262 conn->flags = flags;
3263
3264 SSL_set_accept_state(conn->ssl);
3265
3266 if (data->tls_session_lifetime == 0) {
3267 /*
3268 * Set session id context to a unique value to make sure
3269 * session resumption cannot be used either through session
3270 * caching or TLS ticket extension.
3271 */
3272 counter++;
3273 SSL_set_session_id_context(conn->ssl,
3274 (const unsigned char *) &counter,
3275 sizeof(counter));
3276 } else if (session_ctx) {
3277 SSL_set_session_id_context(conn->ssl, session_ctx,
3278 session_ctx_len);
3279 }
3280
3281 return 0;
3282 }
3283
3284
tls_connection_client_cert(struct tls_connection *conn, const char *client_cert, const u8 *client_cert_blob, size_t client_cert_blob_len)3285 static int tls_connection_client_cert(struct tls_connection *conn,
3286 const char *client_cert,
3287 const u8 *client_cert_blob,
3288 size_t client_cert_blob_len)
3289 {
3290 if (client_cert == NULL && client_cert_blob == NULL)
3291 return 0;
3292
3293 #ifdef PKCS12_FUNCS
3294 #if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER)
3295 /*
3296 * Clear previously set extra chain certificates, if any, from PKCS#12
3297 * processing in tls_parse_pkcs12() to allow OpenSSL to build a new
3298 * chain properly.
3299 */
3300 SSL_CTX_clear_extra_chain_certs(conn->ssl_ctx);
3301 #endif /* OPENSSL_VERSION_NUMBER < 0x10002000L */
3302 #endif /* PKCS12_FUNCS */
3303
3304 if (client_cert_blob &&
3305 SSL_use_certificate_ASN1(conn->ssl, (u8 *) client_cert_blob,
3306 client_cert_blob_len) == 1) {
3307 wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_certificate_ASN1 --> "
3308 "OK");
3309 return 0;
3310 } else if (client_cert_blob) {
3311 #if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20901000L
3312 tls_show_errors(MSG_DEBUG, __func__,
3313 "SSL_use_certificate_ASN1 failed");
3314 #else
3315 BIO *bio;
3316 X509 *x509;
3317
3318 tls_show_errors(MSG_DEBUG, __func__,
3319 "SSL_use_certificate_ASN1 failed");
3320 bio = BIO_new(BIO_s_mem());
3321 if (!bio)
3322 return -1;
3323 BIO_write(bio, client_cert_blob, client_cert_blob_len);
3324 x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL);
3325 if (!x509 || SSL_use_certificate(conn->ssl, x509) != 1) {
3326 X509_free(x509);
3327 BIO_free(bio);
3328 return -1;
3329 }
3330 X509_free(x509);
3331 wpa_printf(MSG_DEBUG,
3332 "OpenSSL: Found PEM encoded certificate from blob");
3333 while ((x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL))) {
3334 wpa_printf(MSG_DEBUG,
3335 "OpenSSL: Added an additional certificate into the chain");
3336 SSL_add0_chain_cert(conn->ssl, x509);
3337 }
3338 BIO_free(bio);
3339 return 0;
3340 #endif
3341 }
3342
3343 if (client_cert == NULL)
3344 return -1;
3345
3346 #ifdef ANDROID
3347 if (os_strncmp("keystore://", client_cert, 11) == 0) {
3348 BIO *bio = BIO_from_keystore(&client_cert[11]);
3349 X509 *x509 = NULL;
3350 int ret = -1;
3351 if (bio) {
3352 x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL);
3353 }
3354 if (x509) {
3355 if (SSL_use_certificate(conn->ssl, x509) == 1)
3356 ret = 0;
3357 X509_free(x509);
3358 }
3359
3360 /* Read additional certificates into the chain. */
3361 while (bio) {
3362 x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL);
3363 if (x509) {
3364 /* Takes ownership of x509 */
3365 SSL_add0_chain_cert(conn->ssl, x509);
3366 } else {
3367 BIO_free(bio);
3368 bio = NULL;
3369 }
3370 }
3371 return ret;
3372 }
3373 #endif /* ANDROID */
3374
3375 #ifdef CONFIG_OHOS_CERTMGR
3376 if (os_strncmp(OH_PREFIX, client_cert, os_strlen(OH_PREFIX)) == 0) {
3377 int ret = -1;
3378 X509 *x509 = NULL;
3379
3380 struct Credential certificate = { 0 };
3381 certificate.credData.data = (uint8_t *)malloc(MAX_LEN_CERTIFICATE_CHAIN);
3382 if (certificate.credData.data == NULL) {
3383 wpa_printf(MSG_ERROR, "%s malloc certificate.credData.data fail", __func__);
3384 return -1;
3385 }
3386
3387 BIO *bio = BIO_from_cm(&client_cert[0], certificate);
3388
3389 if (!bio) {
3390 wpa_printf(MSG_DEBUG, "tls_connection_client_cert: bio = NULL");
3391 if (certificate.credData.data != NULL) {
3392 free(certificate.credData.data);
3393 }
3394 return -1;
3395 }
3396
3397 x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL);
3398 if (x509) {
3399 if (SSL_use_certificate(conn->ssl, x509) == 1) {
3400 ret = 0;
3401 }
3402 X509_free(x509);
3403 }
3404
3405 /* Read additional certificates into the chain. */
3406 while (bio) {
3407 x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL);
3408 if (x509) {
3409 /* Takes ownership of x509 */
3410 SSL_add0_chain_cert(conn->ssl, x509);
3411 } else {
3412 BIO_free(bio);
3413 bio = NULL;
3414 }
3415 }
3416
3417 if (certificate.credData.data != NULL) {
3418 free(certificate.credData.data);
3419 }
3420
3421 return ret;
3422 }
3423 #endif
3424
3425 #ifndef OPENSSL_NO_STDIO
3426 if (SSL_use_certificate_file(conn->ssl, client_cert,
3427 SSL_FILETYPE_ASN1) == 1) {
3428 wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_certificate_file (DER)"
3429 " --> OK");
3430 return 0;
3431 }
3432
3433 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
3434 !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL)
3435 if (SSL_use_certificate_chain_file(conn->ssl, client_cert) == 1) {
3436 ERR_clear_error();
3437 wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_certificate_chain_file"
3438 " --> OK");
3439 return 0;
3440 }
3441 #else
3442 if (SSL_use_certificate_file(conn->ssl, client_cert,
3443 SSL_FILETYPE_PEM) == 1) {
3444 ERR_clear_error();
3445 wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_certificate_file (PEM)"
3446 " --> OK");
3447 return 0;
3448 }
3449 #endif
3450
3451 tls_show_errors(MSG_DEBUG, __func__,
3452 "SSL_use_certificate_file failed");
3453 #else /* OPENSSL_NO_STDIO */
3454 wpa_printf(MSG_DEBUG, "OpenSSL: %s - OPENSSL_NO_STDIO", __func__);
3455 #endif /* OPENSSL_NO_STDIO */
3456
3457 return -1;
3458 }
3459
3460
tls_global_client_cert(struct tls_data *data, const char *client_cert)3461 static int tls_global_client_cert(struct tls_data *data,
3462 const char *client_cert)
3463 {
3464 #ifndef OPENSSL_NO_STDIO
3465 SSL_CTX *ssl_ctx = data->ssl;
3466
3467 if (client_cert == NULL)
3468 return 0;
3469
3470 if (SSL_CTX_use_certificate_file(ssl_ctx, client_cert,
3471 SSL_FILETYPE_ASN1) != 1 &&
3472 SSL_CTX_use_certificate_chain_file(ssl_ctx, client_cert) != 1 &&
3473 SSL_CTX_use_certificate_file(ssl_ctx, client_cert,
3474 SSL_FILETYPE_PEM) != 1) {
3475 tls_show_errors(MSG_INFO, __func__,
3476 "Failed to load client certificate");
3477 return -1;
3478 }
3479 return 0;
3480 #else /* OPENSSL_NO_STDIO */
3481 if (client_cert == NULL)
3482 return 0;
3483 wpa_printf(MSG_DEBUG, "OpenSSL: %s - OPENSSL_NO_STDIO", __func__);
3484 return -1;
3485 #endif /* OPENSSL_NO_STDIO */
3486 }
3487
3488
3489 #ifdef PKCS12_FUNCS
tls_parse_pkcs12(struct tls_data *data, SSL *ssl, PKCS12 *p12, const char *passwd)3490 static int tls_parse_pkcs12(struct tls_data *data, SSL *ssl, PKCS12 *p12,
3491 const char *passwd)
3492 {
3493 EVP_PKEY *pkey;
3494 X509 *cert;
3495 STACK_OF(X509) *certs;
3496 int res = 0;
3497 char buf[256];
3498
3499 pkey = NULL;
3500 cert = NULL;
3501 certs = NULL;
3502 if (!passwd)
3503 passwd = "";
3504 if (!PKCS12_parse(p12, passwd, &pkey, &cert, &certs)) {
3505 tls_show_errors(MSG_DEBUG, __func__,
3506 "Failed to parse PKCS12 file");
3507 PKCS12_free(p12);
3508 return -1;
3509 }
3510 wpa_printf(MSG_DEBUG, "TLS: Successfully parsed PKCS12 data");
3511
3512 if (cert) {
3513 X509_NAME_oneline(X509_get_subject_name(cert), buf,
3514 sizeof(buf));
3515 wpa_printf(MSG_DEBUG, "TLS: Got certificate from PKCS12: "
3516 "subject='%s'", buf);
3517 if (ssl) {
3518 if (SSL_use_certificate(ssl, cert) != 1)
3519 res = -1;
3520 } else {
3521 if (SSL_CTX_use_certificate(data->ssl, cert) != 1)
3522 res = -1;
3523 }
3524 X509_free(cert);
3525 }
3526
3527 if (pkey) {
3528 wpa_printf(MSG_DEBUG, "TLS: Got private key from PKCS12");
3529 if (ssl) {
3530 if (SSL_use_PrivateKey(ssl, pkey) != 1)
3531 res = -1;
3532 } else {
3533 if (SSL_CTX_use_PrivateKey(data->ssl, pkey) != 1)
3534 res = -1;
3535 }
3536 EVP_PKEY_free(pkey);
3537 }
3538
3539 if (certs) {
3540 #if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
3541 if (ssl)
3542 SSL_clear_chain_certs(ssl);
3543 else
3544 SSL_CTX_clear_chain_certs(data->ssl);
3545 while ((cert = sk_X509_pop(certs)) != NULL) {
3546 X509_NAME_oneline(X509_get_subject_name(cert), buf,
3547 sizeof(buf));
3548 wpa_printf(MSG_DEBUG, "TLS: additional certificate"
3549 " from PKCS12: subject='%s'", buf);
3550 if ((ssl && SSL_add1_chain_cert(ssl, cert) != 1) ||
3551 (!ssl && SSL_CTX_add1_chain_cert(data->ssl,
3552 cert) != 1)) {
3553 tls_show_errors(MSG_DEBUG, __func__,
3554 "Failed to add additional certificate");
3555 res = -1;
3556 X509_free(cert);
3557 break;
3558 }
3559 X509_free(cert);
3560 }
3561 if (!res) {
3562 /* Try to continue anyway */
3563 }
3564 sk_X509_pop_free(certs, X509_free);
3565 #ifndef OPENSSL_IS_BORINGSSL
3566 if (ssl)
3567 res = SSL_build_cert_chain(
3568 ssl,
3569 SSL_BUILD_CHAIN_FLAG_CHECK |
3570 SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR);
3571 else
3572 res = SSL_CTX_build_cert_chain(
3573 data->ssl,
3574 SSL_BUILD_CHAIN_FLAG_CHECK |
3575 SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR);
3576 if (!res) {
3577 tls_show_errors(MSG_DEBUG, __func__,
3578 "Failed to build certificate chain");
3579 } else if (res == 2) {
3580 wpa_printf(MSG_DEBUG,
3581 "TLS: Ignore certificate chain verification error when building chain with PKCS#12 extra certificates");
3582 }
3583 #endif /* OPENSSL_IS_BORINGSSL */
3584 /*
3585 * Try to continue regardless of result since it is possible for
3586 * the extra certificates not to be required.
3587 */
3588 res = 0;
3589 #else /* OPENSSL_VERSION_NUMBER >= 0x10002000L */
3590 SSL_CTX_clear_extra_chain_certs(data->ssl);
3591 while ((cert = sk_X509_pop(certs)) != NULL) {
3592 X509_NAME_oneline(X509_get_subject_name(cert), buf,
3593 sizeof(buf));
3594 wpa_printf(MSG_DEBUG, "TLS: additional certificate"
3595 " from PKCS12: subject='%s'", buf);
3596 /*
3597 * There is no SSL equivalent for the chain cert - so
3598 * always add it to the context...
3599 */
3600 if (SSL_CTX_add_extra_chain_cert(data->ssl, cert) != 1)
3601 {
3602 X509_free(cert);
3603 res = -1;
3604 break;
3605 }
3606 }
3607 sk_X509_pop_free(certs, X509_free);
3608 #endif /* OPENSSL_VERSION_NUMBER >= 0x10002000L */
3609 }
3610
3611 PKCS12_free(p12);
3612
3613 if (res < 0)
3614 tls_get_errors(data);
3615
3616 return res;
3617 }
3618 #endif /* PKCS12_FUNCS */
3619
3620
tls_read_pkcs12(struct tls_data *data, SSL *ssl, const char *private_key, const char *passwd)3621 static int tls_read_pkcs12(struct tls_data *data, SSL *ssl,
3622 const char *private_key, const char *passwd)
3623 {
3624 #ifdef PKCS12_FUNCS
3625 FILE *f;
3626 PKCS12 *p12;
3627
3628 f = fopen(private_key, "rb");
3629 if (f == NULL)
3630 return -1;
3631
3632 p12 = d2i_PKCS12_fp(f, NULL);
3633 fclose(f);
3634
3635 if (p12 == NULL) {
3636 tls_show_errors(MSG_INFO, __func__,
3637 "Failed to use PKCS#12 file");
3638 return -1;
3639 }
3640
3641 return tls_parse_pkcs12(data, ssl, p12, passwd);
3642
3643 #else /* PKCS12_FUNCS */
3644 wpa_printf(MSG_INFO, "TLS: PKCS12 support disabled - cannot read "
3645 "p12/pfx files");
3646 return -1;
3647 #endif /* PKCS12_FUNCS */
3648 }
3649
3650
tls_read_pkcs12_blob(struct tls_data *data, SSL *ssl, const u8 *blob, size_t len, const char *passwd)3651 static int tls_read_pkcs12_blob(struct tls_data *data, SSL *ssl,
3652 const u8 *blob, size_t len, const char *passwd)
3653 {
3654 #ifdef PKCS12_FUNCS
3655 PKCS12 *p12;
3656
3657 p12 = d2i_PKCS12(NULL, (const unsigned char **) &blob, len);
3658 if (p12 == NULL) {
3659 tls_show_errors(MSG_INFO, __func__,
3660 "Failed to use PKCS#12 blob");
3661 return -1;
3662 }
3663
3664 return tls_parse_pkcs12(data, ssl, p12, passwd);
3665
3666 #else /* PKCS12_FUNCS */
3667 wpa_printf(MSG_INFO, "TLS: PKCS12 support disabled - cannot parse "
3668 "p12/pfx blobs");
3669 return -1;
3670 #endif /* PKCS12_FUNCS */
3671 }
3672
3673
3674 #ifndef OPENSSL_NO_ENGINE
tls_engine_get_cert(struct tls_connection *conn, const char *cert_id, X509 **cert)3675 static int tls_engine_get_cert(struct tls_connection *conn,
3676 const char *cert_id,
3677 X509 **cert)
3678 {
3679 /* this runs after the private key is loaded so no PIN is required */
3680 struct {
3681 const char *cert_id;
3682 X509 *cert;
3683 } params;
3684 params.cert_id = cert_id;
3685 params.cert = NULL;
3686
3687 if (!ENGINE_ctrl_cmd(conn->engine, "LOAD_CERT_CTRL",
3688 0, ¶ms, NULL, 1)) {
3689 unsigned long err = ERR_get_error();
3690
3691 wpa_printf(MSG_ERROR, "ENGINE: cannot load client cert with id"
3692 " '%s' [%s]", cert_id,
3693 ERR_error_string(err, NULL));
3694 if (tls_is_pin_error(err))
3695 return TLS_SET_PARAMS_ENGINE_PRV_BAD_PIN;
3696 return TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED;
3697 }
3698 if (!params.cert) {
3699 wpa_printf(MSG_ERROR, "ENGINE: did not properly cert with id"
3700 " '%s'", cert_id);
3701 return TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED;
3702 }
3703 *cert = params.cert;
3704 return 0;
3705 }
3706 #endif /* OPENSSL_NO_ENGINE */
3707
3708
tls_connection_engine_client_cert(struct tls_connection *conn, const char *cert_id)3709 static int tls_connection_engine_client_cert(struct tls_connection *conn,
3710 const char *cert_id)
3711 {
3712 #ifndef OPENSSL_NO_ENGINE
3713 X509 *cert;
3714
3715 if (tls_engine_get_cert(conn, cert_id, &cert))
3716 return -1;
3717
3718 if (!SSL_use_certificate(conn->ssl, cert)) {
3719 tls_show_errors(MSG_ERROR, __func__,
3720 "SSL_use_certificate failed");
3721 X509_free(cert);
3722 return -1;
3723 }
3724 X509_free(cert);
3725 wpa_printf(MSG_DEBUG, "ENGINE: SSL_use_certificate --> "
3726 "OK");
3727 return 0;
3728
3729 #else /* OPENSSL_NO_ENGINE */
3730 return -1;
3731 #endif /* OPENSSL_NO_ENGINE */
3732 }
3733
3734
tls_connection_engine_ca_cert(struct tls_data *data, struct tls_connection *conn, const char *ca_cert_id)3735 static int tls_connection_engine_ca_cert(struct tls_data *data,
3736 struct tls_connection *conn,
3737 const char *ca_cert_id)
3738 {
3739 #ifndef OPENSSL_NO_ENGINE
3740 X509 *cert;
3741 SSL_CTX *ssl_ctx = data->ssl;
3742 X509_STORE *store;
3743
3744 if (tls_engine_get_cert(conn, ca_cert_id, &cert))
3745 return -1;
3746
3747 /* start off the same as tls_connection_ca_cert */
3748 store = X509_STORE_new();
3749 if (store == NULL) {
3750 wpa_printf(MSG_DEBUG, "OpenSSL: %s - failed to allocate new "
3751 "certificate store", __func__);
3752 X509_free(cert);
3753 return -1;
3754 }
3755 SSL_CTX_set_cert_store(ssl_ctx, store);
3756 if (!X509_STORE_add_cert(store, cert)) {
3757 unsigned long err = ERR_peek_error();
3758 tls_show_errors(MSG_WARNING, __func__,
3759 "Failed to add CA certificate from engine "
3760 "to certificate store");
3761 if (ERR_GET_LIB(err) == ERR_LIB_X509 &&
3762 ERR_GET_REASON(err) == X509_R_CERT_ALREADY_IN_HASH_TABLE) {
3763 wpa_printf(MSG_DEBUG, "OpenSSL: %s - ignoring cert"
3764 " already in hash table error",
3765 __func__);
3766 } else {
3767 X509_free(cert);
3768 return -1;
3769 }
3770 }
3771 X509_free(cert);
3772 wpa_printf(MSG_DEBUG, "OpenSSL: %s - added CA certificate from engine "
3773 "to certificate store", __func__);
3774 SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb);
3775 conn->ca_cert_verify = 1;
3776
3777 return 0;
3778
3779 #else /* OPENSSL_NO_ENGINE */
3780 return -1;
3781 #endif /* OPENSSL_NO_ENGINE */
3782 }
3783
3784
tls_connection_engine_private_key(struct tls_connection *conn)3785 static int tls_connection_engine_private_key(struct tls_connection *conn)
3786 {
3787 #if defined(ANDROID) || !defined(OPENSSL_NO_ENGINE)
3788 if (SSL_use_PrivateKey(conn->ssl, conn->private_key) != 1) {
3789 tls_show_errors(MSG_ERROR, __func__,
3790 "ENGINE: cannot use private key for TLS");
3791 return -1;
3792 }
3793 if (!SSL_check_private_key(conn->ssl)) {
3794 tls_show_errors(MSG_INFO, __func__,
3795 "Private key failed verification");
3796 return -1;
3797 }
3798 return 0;
3799 #else /* OPENSSL_NO_ENGINE */
3800 wpa_printf(MSG_ERROR, "SSL: Configuration uses engine, but "
3801 "engine support was not compiled in");
3802 return -1;
3803 #endif /* OPENSSL_NO_ENGINE */
3804 }
3805
3806
3807 #ifndef OPENSSL_NO_STDIO
tls_passwd_cb(char *buf, int size, int rwflag, void *password)3808 static int tls_passwd_cb(char *buf, int size, int rwflag, void *password)
3809 {
3810 if (!password)
3811 return 0;
3812 os_strlcpy(buf, (const char *) password, size);
3813 return os_strlen(buf);
3814 }
3815 #endif /* OPENSSL_NO_STDIO */
3816
3817
tls_use_private_key_file(struct tls_data *data, SSL *ssl, const char *private_key, const char *private_key_passwd)3818 static int tls_use_private_key_file(struct tls_data *data, SSL *ssl,
3819 const char *private_key,
3820 const char *private_key_passwd)
3821 {
3822 #ifndef OPENSSL_NO_STDIO
3823 BIO *bio;
3824 EVP_PKEY *pkey;
3825 int ret;
3826
3827 /* First try ASN.1 (DER). */
3828 bio = BIO_new_file(private_key, "r");
3829 if (!bio)
3830 return -1;
3831 pkey = d2i_PrivateKey_bio(bio, NULL);
3832 BIO_free(bio);
3833
3834 if (pkey) {
3835 wpa_printf(MSG_DEBUG, "OpenSSL: %s (DER) --> loaded", __func__);
3836 } else {
3837 /* Try PEM with the provided password. */
3838 bio = BIO_new_file(private_key, "r");
3839 if (!bio)
3840 return -1;
3841 pkey = PEM_read_bio_PrivateKey(bio, NULL, tls_passwd_cb,
3842 (void *) private_key_passwd);
3843 BIO_free(bio);
3844 if (!pkey)
3845 return -1;
3846 wpa_printf(MSG_DEBUG, "OpenSSL: %s (PEM) --> loaded", __func__);
3847 /* Clear errors from the previous failed load. */
3848 ERR_clear_error();
3849 }
3850
3851 if (ssl)
3852 ret = SSL_use_PrivateKey(ssl, pkey);
3853 else
3854 ret = SSL_CTX_use_PrivateKey(data->ssl, pkey);
3855
3856 EVP_PKEY_free(pkey);
3857 return ret == 1 ? 0 : -1;
3858 #else /* OPENSSL_NO_STDIO */
3859 wpa_printf(MSG_DEBUG, "OpenSSL: %s - OPENSSL_NO_STDIO", __func__);
3860 return -1;
3861 #endif /* OPENSSL_NO_STDIO */
3862 }
3863
3864 #ifdef CONFIG_OHOS_CERTMGR
tls_use_cm_key(struct tls_data *data, SSL *ssl, const char *private_key)3865 static int tls_use_cm_key(struct tls_data *data, SSL *ssl, const char *private_key)
3866 {
3867 int ret;
3868 EVP_PKEY *pkey = GET_EVP_PKEY(private_key);
3869 if (pkey == NULL) {
3870 wpa_printf(MSG_DEBUG, "can not get evp pkey");
3871 return -1;
3872 }
3873 if (ssl)
3874 ret = SSL_use_PrivateKey(ssl, pkey);
3875 else
3876 ret = SSL_CTX_use_PrivateKey(data->ssl, pkey);
3877
3878 EVP_PKEY_free(pkey);
3879 return ret == 1 ? 0 : -1;
3880 }
3881 #endif
3882
tls_connection_private_key(struct tls_data *data, struct tls_connection *conn, const char *private_key, const char *private_key_passwd, const u8 *private_key_blob, size_t private_key_blob_len)3883 static int tls_connection_private_key(struct tls_data *data,
3884 struct tls_connection *conn,
3885 const char *private_key,
3886 const char *private_key_passwd,
3887 const u8 *private_key_blob,
3888 size_t private_key_blob_len)
3889 {
3890 BIO *bio;
3891 int ok;
3892
3893 if (private_key == NULL && private_key_blob == NULL)
3894 return 0;
3895
3896 ok = 0;
3897 while (private_key_blob) {
3898 if (SSL_use_PrivateKey_ASN1(EVP_PKEY_RSA, conn->ssl,
3899 (u8 *) private_key_blob,
3900 private_key_blob_len) == 1) {
3901 wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_PrivateKey_"
3902 "ASN1(EVP_PKEY_RSA) --> OK");
3903 ok = 1;
3904 break;
3905 }
3906
3907 if (SSL_use_PrivateKey_ASN1(EVP_PKEY_DSA, conn->ssl,
3908 (u8 *) private_key_blob,
3909 private_key_blob_len) == 1) {
3910 wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_PrivateKey_"
3911 "ASN1(EVP_PKEY_DSA) --> OK");
3912 ok = 1;
3913 break;
3914 }
3915
3916 #ifndef OPENSSL_NO_EC
3917 if (SSL_use_PrivateKey_ASN1(EVP_PKEY_EC, conn->ssl,
3918 (u8 *) private_key_blob,
3919 private_key_blob_len) == 1) {
3920 wpa_printf(MSG_DEBUG,
3921 "OpenSSL: SSL_use_PrivateKey_ASN1(EVP_PKEY_EC) --> OK");
3922 ok = 1;
3923 break;
3924 }
3925 #endif /* OPENSSL_NO_EC */
3926
3927 if (SSL_use_RSAPrivateKey_ASN1(conn->ssl,
3928 (u8 *) private_key_blob,
3929 private_key_blob_len) == 1) {
3930 wpa_printf(MSG_DEBUG, "OpenSSL: "
3931 "SSL_use_RSAPrivateKey_ASN1 --> OK");
3932 ok = 1;
3933 break;
3934 }
3935
3936 bio = BIO_new_mem_buf((u8 *) private_key_blob,
3937 private_key_blob_len);
3938 if (bio) {
3939 EVP_PKEY *pkey;
3940
3941 pkey = PEM_read_bio_PrivateKey(
3942 bio, NULL, tls_passwd_cb,
3943 (void *) private_key_passwd);
3944 if (pkey) {
3945 if (SSL_use_PrivateKey(conn->ssl, pkey) == 1) {
3946 wpa_printf(MSG_DEBUG,
3947 "OpenSSL: SSL_use_PrivateKey --> OK");
3948 ok = 1;
3949 EVP_PKEY_free(pkey);
3950 BIO_free(bio);
3951 break;
3952 }
3953 EVP_PKEY_free(pkey);
3954 }
3955 BIO_free(bio);
3956 }
3957
3958 if (tls_read_pkcs12_blob(data, conn->ssl, private_key_blob,
3959 private_key_blob_len,
3960 private_key_passwd) == 0) {
3961 wpa_printf(MSG_DEBUG, "OpenSSL: PKCS#12 as blob --> "
3962 "OK");
3963 ok = 1;
3964 break;
3965 }
3966
3967 break;
3968 }
3969
3970 while (!ok && private_key) {
3971 #ifdef CONFIG_OHOS_CERTMGR
3972 if (tls_use_cm_key(data, conn->ssl, private_key) == 0) {
3973 ok = 1;
3974 break;
3975 }
3976 #endif
3977
3978 if (tls_use_private_key_file(data, conn->ssl, private_key,
3979 private_key_passwd) == 0) {
3980 ok = 1;
3981 break;
3982 }
3983
3984 if (tls_read_pkcs12(data, conn->ssl, private_key,
3985 private_key_passwd) == 0) {
3986 wpa_printf(MSG_DEBUG, "OpenSSL: Reading PKCS#12 file "
3987 "--> OK");
3988 ok = 1;
3989 break;
3990 }
3991
3992 if (tls_cryptoapi_cert(conn->ssl, private_key) == 0) {
3993 wpa_printf(MSG_DEBUG, "OpenSSL: Using CryptoAPI to "
3994 "access certificate store --> OK");
3995 ok = 1;
3996 break;
3997 }
3998
3999 break;
4000 }
4001
4002 if (!ok) {
4003 tls_show_errors(MSG_INFO, __func__,
4004 "Failed to load private key");
4005 return -1;
4006 }
4007 ERR_clear_error();
4008
4009 if (!SSL_check_private_key(conn->ssl)) {
4010 tls_show_errors(MSG_INFO, __func__, "Private key failed "
4011 "verification");
4012 return -1;
4013 }
4014
4015 wpa_printf(MSG_DEBUG, "SSL: Private key loaded successfully");
4016 return 0;
4017 }
4018
4019
tls_global_private_key(struct tls_data *data, const char *private_key, const char *private_key_passwd)4020 static int tls_global_private_key(struct tls_data *data,
4021 const char *private_key,
4022 const char *private_key_passwd)
4023 {
4024 SSL_CTX *ssl_ctx = data->ssl;
4025
4026 if (private_key == NULL)
4027 return 0;
4028
4029 if (tls_use_private_key_file(data, NULL, private_key,
4030 private_key_passwd) &&
4031 tls_read_pkcs12(data, NULL, private_key, private_key_passwd)) {
4032 tls_show_errors(MSG_INFO, __func__,
4033 "Failed to load private key");
4034 ERR_clear_error();
4035 return -1;
4036 }
4037 ERR_clear_error();
4038
4039 if (!SSL_CTX_check_private_key(ssl_ctx)) {
4040 tls_show_errors(MSG_INFO, __func__,
4041 "Private key failed verification");
4042 return -1;
4043 }
4044
4045 return 0;
4046 }
4047
4048
tls_connection_dh(struct tls_connection *conn, const char *dh_file)4049 static int tls_connection_dh(struct tls_connection *conn, const char *dh_file)
4050 {
4051 #ifdef OPENSSL_NO_DH
4052 if (dh_file == NULL)
4053 return 0;
4054 wpa_printf(MSG_ERROR, "TLS: openssl does not include DH support, but "
4055 "dh_file specified");
4056 return -1;
4057 #else /* OPENSSL_NO_DH */
4058 DH *dh;
4059 BIO *bio;
4060
4061 /* TODO: add support for dh_blob */
4062 if (dh_file == NULL)
4063 return 0;
4064 if (conn == NULL)
4065 return -1;
4066
4067 bio = BIO_new_file(dh_file, "r");
4068 if (bio == NULL) {
4069 wpa_printf(MSG_INFO, "TLS: Failed to open DH file '%s': %s",
4070 dh_file, ERR_error_string(ERR_get_error(), NULL));
4071 return -1;
4072 }
4073 dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
4074 BIO_free(bio);
4075 #ifndef OPENSSL_NO_DSA
4076 while (dh == NULL) {
4077 DSA *dsa;
4078 wpa_printf(MSG_DEBUG, "TLS: Failed to parse DH file '%s': %s -"
4079 " trying to parse as DSA params", dh_file,
4080 ERR_error_string(ERR_get_error(), NULL));
4081 bio = BIO_new_file(dh_file, "r");
4082 if (bio == NULL)
4083 break;
4084 dsa = PEM_read_bio_DSAparams(bio, NULL, NULL, NULL);
4085 BIO_free(bio);
4086 if (!dsa) {
4087 wpa_printf(MSG_DEBUG, "TLS: Failed to parse DSA file "
4088 "'%s': %s", dh_file,
4089 ERR_error_string(ERR_get_error(), NULL));
4090 break;
4091 }
4092
4093 wpa_printf(MSG_DEBUG, "TLS: DH file in DSA param format");
4094 dh = DSA_dup_DH(dsa);
4095 DSA_free(dsa);
4096 if (dh == NULL) {
4097 wpa_printf(MSG_INFO, "TLS: Failed to convert DSA "
4098 "params into DH params");
4099 break;
4100 }
4101 break;
4102 }
4103 #endif /* !OPENSSL_NO_DSA */
4104 if (dh == NULL) {
4105 wpa_printf(MSG_INFO, "TLS: Failed to read/parse DH/DSA file "
4106 "'%s'", dh_file);
4107 return -1;
4108 }
4109
4110 if (SSL_set_tmp_dh(conn->ssl, dh) != 1) {
4111 wpa_printf(MSG_INFO, "TLS: Failed to set DH params from '%s': "
4112 "%s", dh_file,
4113 ERR_error_string(ERR_get_error(), NULL));
4114 DH_free(dh);
4115 return -1;
4116 }
4117 DH_free(dh);
4118 return 0;
4119 #endif /* OPENSSL_NO_DH */
4120 }
4121
4122
tls_global_dh(struct tls_data *data, const char *dh_file)4123 static int tls_global_dh(struct tls_data *data, const char *dh_file)
4124 {
4125 #ifdef OPENSSL_NO_DH
4126 if (dh_file == NULL)
4127 return 0;
4128 wpa_printf(MSG_ERROR, "TLS: openssl does not include DH support, but "
4129 "dh_file specified");
4130 return -1;
4131 #else /* OPENSSL_NO_DH */
4132 SSL_CTX *ssl_ctx = data->ssl;
4133 DH *dh;
4134 BIO *bio;
4135
4136 /* TODO: add support for dh_blob */
4137 if (dh_file == NULL)
4138 return 0;
4139 if (ssl_ctx == NULL)
4140 return -1;
4141
4142 bio = BIO_new_file(dh_file, "r");
4143 if (bio == NULL) {
4144 wpa_printf(MSG_INFO, "TLS: Failed to open DH file '%s': %s",
4145 dh_file, ERR_error_string(ERR_get_error(), NULL));
4146 return -1;
4147 }
4148 dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
4149 BIO_free(bio);
4150 #ifndef OPENSSL_NO_DSA
4151 while (dh == NULL) {
4152 DSA *dsa;
4153 wpa_printf(MSG_DEBUG, "TLS: Failed to parse DH file '%s': %s -"
4154 " trying to parse as DSA params", dh_file,
4155 ERR_error_string(ERR_get_error(), NULL));
4156 bio = BIO_new_file(dh_file, "r");
4157 if (bio == NULL)
4158 break;
4159 dsa = PEM_read_bio_DSAparams(bio, NULL, NULL, NULL);
4160 BIO_free(bio);
4161 if (!dsa) {
4162 wpa_printf(MSG_DEBUG, "TLS: Failed to parse DSA file "
4163 "'%s': %s", dh_file,
4164 ERR_error_string(ERR_get_error(), NULL));
4165 break;
4166 }
4167
4168 wpa_printf(MSG_DEBUG, "TLS: DH file in DSA param format");
4169 dh = DSA_dup_DH(dsa);
4170 DSA_free(dsa);
4171 if (dh == NULL) {
4172 wpa_printf(MSG_INFO, "TLS: Failed to convert DSA "
4173 "params into DH params");
4174 break;
4175 }
4176 break;
4177 }
4178 #endif /* !OPENSSL_NO_DSA */
4179 if (dh == NULL) {
4180 wpa_printf(MSG_INFO, "TLS: Failed to read/parse DH/DSA file "
4181 "'%s'", dh_file);
4182 return -1;
4183 }
4184
4185 if (SSL_CTX_set_tmp_dh(ssl_ctx, dh) != 1) {
4186 wpa_printf(MSG_INFO, "TLS: Failed to set DH params from '%s': "
4187 "%s", dh_file,
4188 ERR_error_string(ERR_get_error(), NULL));
4189 DH_free(dh);
4190 return -1;
4191 }
4192 DH_free(dh);
4193 return 0;
4194 #endif /* OPENSSL_NO_DH */
4195 }
4196
4197
tls_connection_get_random(void *ssl_ctx, struct tls_connection *conn, struct tls_random *keys)4198 int tls_connection_get_random(void *ssl_ctx, struct tls_connection *conn,
4199 struct tls_random *keys)
4200 {
4201 SSL *ssl;
4202
4203 if (conn == NULL || keys == NULL)
4204 return -1;
4205 ssl = conn->ssl;
4206 if (ssl == NULL)
4207 return -1;
4208
4209 os_memset(keys, 0, sizeof(*keys));
4210 keys->client_random = conn->client_random;
4211 keys->client_random_len = SSL_get_client_random(
4212 ssl, conn->client_random, sizeof(conn->client_random));
4213 keys->server_random = conn->server_random;
4214 keys->server_random_len = SSL_get_server_random(
4215 ssl, conn->server_random, sizeof(conn->server_random));
4216
4217 return 0;
4218 }
4219
4220
4221 #ifdef OPENSSL_NEED_EAP_FAST_PRF
openssl_get_keyblock_size(SSL *ssl)4222 static int openssl_get_keyblock_size(SSL *ssl)
4223 {
4224 #if OPENSSL_VERSION_NUMBER < 0x10100000L || \
4225 (defined(LIBRESSL_VERSION_NUMBER) && \
4226 LIBRESSL_VERSION_NUMBER < 0x20700000L)
4227 const EVP_CIPHER *c;
4228 const EVP_MD *h;
4229 int md_size;
4230
4231 if (ssl->enc_read_ctx == NULL || ssl->enc_read_ctx->cipher == NULL ||
4232 ssl->read_hash == NULL)
4233 return -1;
4234
4235 c = ssl->enc_read_ctx->cipher;
4236 h = EVP_MD_CTX_md(ssl->read_hash);
4237 if (h)
4238 md_size = EVP_MD_size(h);
4239 else if (ssl->s3)
4240 md_size = ssl->s3->tmp.new_mac_secret_size;
4241 else
4242 return -1;
4243
4244 wpa_printf(MSG_DEBUG, "OpenSSL: keyblock size: key_len=%d MD_size=%d "
4245 "IV_len=%d", EVP_CIPHER_key_length(c), md_size,
4246 EVP_CIPHER_iv_length(c));
4247 return 2 * (EVP_CIPHER_key_length(c) +
4248 md_size +
4249 EVP_CIPHER_iv_length(c));
4250 #else
4251 const SSL_CIPHER *ssl_cipher;
4252 int cipher, digest;
4253 const EVP_CIPHER *c;
4254 const EVP_MD *h;
4255 int mac_key_len, enc_key_len, fixed_iv_len;
4256
4257 ssl_cipher = SSL_get_current_cipher(ssl);
4258 if (!ssl_cipher)
4259 return -1;
4260 cipher = SSL_CIPHER_get_cipher_nid(ssl_cipher);
4261 digest = SSL_CIPHER_get_digest_nid(ssl_cipher);
4262 wpa_printf(MSG_DEBUG, "OpenSSL: cipher nid %d digest nid %d",
4263 cipher, digest);
4264 if (cipher < 0 || digest < 0)
4265 return -1;
4266 if (cipher == NID_undef) {
4267 wpa_printf(MSG_DEBUG, "OpenSSL: no cipher in use?!");
4268 return -1;
4269 }
4270 c = EVP_get_cipherbynid(cipher);
4271 if (!c)
4272 return -1;
4273 enc_key_len = EVP_CIPHER_key_length(c);
4274 if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE ||
4275 EVP_CIPHER_mode(c) == EVP_CIPH_CCM_MODE)
4276 fixed_iv_len = 4; /* only part of IV from PRF */
4277 else
4278 fixed_iv_len = EVP_CIPHER_iv_length(c);
4279 if (digest == NID_undef) {
4280 wpa_printf(MSG_DEBUG, "OpenSSL: no digest in use (e.g., AEAD)");
4281 mac_key_len = 0;
4282 } else {
4283 h = EVP_get_digestbynid(digest);
4284 if (!h)
4285 return -1;
4286 mac_key_len = EVP_MD_size(h);
4287 }
4288
4289 wpa_printf(MSG_DEBUG,
4290 "OpenSSL: keyblock size: mac_key_len=%d enc_key_len=%d fixed_iv_len=%d",
4291 mac_key_len, enc_key_len, fixed_iv_len);
4292 return 2 * (mac_key_len + enc_key_len + fixed_iv_len);
4293 #endif
4294 }
4295 #endif /* OPENSSL_NEED_EAP_FAST_PRF */
4296
4297
tls_connection_export_key(void *tls_ctx, struct tls_connection *conn, const char *label, const u8 *context, size_t context_len, u8 *out, size_t out_len)4298 int tls_connection_export_key(void *tls_ctx, struct tls_connection *conn,
4299 const char *label, const u8 *context,
4300 size_t context_len, u8 *out, size_t out_len)
4301 {
4302 if (!conn ||
4303 SSL_export_keying_material(conn->ssl, out, out_len, label,
4304 os_strlen(label), context, context_len,
4305 context != NULL) != 1)
4306 return -1;
4307 return 0;
4308 }
4309
4310
tls_connection_get_eap_fast_key(void *tls_ctx, struct tls_connection *conn, u8 *out, size_t out_len)4311 int tls_connection_get_eap_fast_key(void *tls_ctx, struct tls_connection *conn,
4312 u8 *out, size_t out_len)
4313 {
4314 #ifdef OPENSSL_NEED_EAP_FAST_PRF
4315 SSL *ssl;
4316 SSL_SESSION *sess;
4317 u8 *rnd;
4318 int ret = -1;
4319 int skip = 0;
4320 u8 *tmp_out = NULL;
4321 u8 *_out = out;
4322 unsigned char client_random[SSL3_RANDOM_SIZE];
4323 unsigned char server_random[SSL3_RANDOM_SIZE];
4324 unsigned char master_key[64];
4325 size_t master_key_len;
4326 const char *ver;
4327
4328 /*
4329 * TLS library did not support EAP-FAST key generation, so get the
4330 * needed TLS session parameters and use an internal implementation of
4331 * TLS PRF to derive the key.
4332 */
4333
4334 if (conn == NULL)
4335 return -1;
4336 ssl = conn->ssl;
4337 if (ssl == NULL)
4338 return -1;
4339 ver = SSL_get_version(ssl);
4340 sess = SSL_get_session(ssl);
4341 if (!ver || !sess)
4342 return -1;
4343
4344 skip = openssl_get_keyblock_size(ssl);
4345 if (skip < 0)
4346 return -1;
4347 tmp_out = os_malloc(skip + out_len);
4348 if (!tmp_out)
4349 return -1;
4350 _out = tmp_out;
4351
4352 rnd = os_malloc(2 * SSL3_RANDOM_SIZE);
4353 if (!rnd) {
4354 os_free(tmp_out);
4355 return -1;
4356 }
4357
4358 SSL_get_client_random(ssl, client_random, sizeof(client_random));
4359 SSL_get_server_random(ssl, server_random, sizeof(server_random));
4360 master_key_len = SSL_SESSION_get_master_key(sess, master_key,
4361 sizeof(master_key));
4362
4363 os_memcpy(rnd, server_random, SSL3_RANDOM_SIZE);
4364 os_memcpy(rnd + SSL3_RANDOM_SIZE, client_random, SSL3_RANDOM_SIZE);
4365
4366 if (os_strcmp(ver, "TLSv1.2") == 0) {
4367 tls_prf_sha256(master_key, master_key_len,
4368 "key expansion", rnd, 2 * SSL3_RANDOM_SIZE,
4369 _out, skip + out_len);
4370 ret = 0;
4371 } else if (tls_prf_sha1_md5(master_key, master_key_len,
4372 "key expansion", rnd, 2 * SSL3_RANDOM_SIZE,
4373 _out, skip + out_len) == 0) {
4374 ret = 0;
4375 }
4376 forced_memzero(master_key, sizeof(master_key));
4377 os_free(rnd);
4378 if (ret == 0)
4379 os_memcpy(out, _out + skip, out_len);
4380 bin_clear_free(tmp_out, skip);
4381
4382 return ret;
4383 #else /* OPENSSL_NEED_EAP_FAST_PRF */
4384 wpa_printf(MSG_ERROR,
4385 "OpenSSL: EAP-FAST keys cannot be exported in FIPS mode");
4386 return -1;
4387 #endif /* OPENSSL_NEED_EAP_FAST_PRF */
4388 }
4389
4390
4391 static struct wpabuf *
openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data)4392 openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data)
4393 {
4394 int res;
4395 struct wpabuf *out_data;
4396
4397 /*
4398 * Give TLS handshake data from the server (if available) to OpenSSL
4399 * for processing.
4400 */
4401 if (in_data && wpabuf_len(in_data) > 0 &&
4402 BIO_write(conn->ssl_in, wpabuf_head(in_data), wpabuf_len(in_data))
4403 < 0) {
4404 tls_show_errors(MSG_INFO, __func__,
4405 "Handshake failed - BIO_write");
4406 return NULL;
4407 }
4408
4409 /* Initiate TLS handshake or continue the existing handshake */
4410 if (conn->server)
4411 res = SSL_accept(conn->ssl);
4412 else
4413 res = SSL_connect(conn->ssl);
4414 if (res != 1) {
4415 int err = SSL_get_error(conn->ssl, res);
4416 if (err == SSL_ERROR_WANT_READ)
4417 wpa_printf(MSG_DEBUG, "SSL: SSL_connect - want "
4418 "more data");
4419 else if (err == SSL_ERROR_WANT_WRITE)
4420 wpa_printf(MSG_DEBUG, "SSL: SSL_connect - want to "
4421 "write");
4422 else {
4423 tls_show_errors(MSG_INFO, __func__, "SSL_connect");
4424 conn->failed++;
4425 if (!conn->server && !conn->client_hello_generated) {
4426 /* The server would not understand TLS Alert
4427 * before ClientHello, so simply terminate
4428 * handshake on this type of error case caused
4429 * by a likely internal error like no ciphers
4430 * available. */
4431 wpa_printf(MSG_DEBUG,
4432 "OpenSSL: Could not generate ClientHello");
4433 conn->write_alerts++;
4434 return NULL;
4435 }
4436 }
4437 }
4438
4439 if (!conn->server && !conn->failed)
4440 conn->client_hello_generated = 1;
4441
4442 #ifdef CONFIG_SUITEB
4443 if ((conn->flags & TLS_CONN_SUITEB) && !conn->server &&
4444 os_strncmp(SSL_get_cipher(conn->ssl), "DHE-", 4) == 0 &&
4445 conn->server_dh_prime_len < 3072) {
4446 struct tls_context *context = conn->context;
4447
4448 /*
4449 * This should not be reached since earlier cert_cb should have
4450 * terminated the handshake. Keep this check here for extra
4451 * protection if anything goes wrong with the more low-level
4452 * checks based on having to parse the TLS handshake messages.
4453 */
4454 wpa_printf(MSG_DEBUG,
4455 "OpenSSL: Server DH prime length: %d bits",
4456 conn->server_dh_prime_len);
4457
4458 if (context->event_cb) {
4459 union tls_event_data ev;
4460
4461 os_memset(&ev, 0, sizeof(ev));
4462 ev.alert.is_local = 1;
4463 ev.alert.type = "fatal";
4464 ev.alert.description = "insufficient security";
4465 context->event_cb(context->cb_ctx, TLS_ALERT, &ev);
4466 }
4467 /*
4468 * Could send a TLS Alert to the server, but for now, simply
4469 * terminate handshake.
4470 */
4471 conn->failed++;
4472 conn->write_alerts++;
4473 return NULL;
4474 }
4475 #endif /* CONFIG_SUITEB */
4476
4477 /* Get the TLS handshake data to be sent to the server */
4478 res = BIO_ctrl_pending(conn->ssl_out);
4479 wpa_printf(MSG_DEBUG, "SSL: %d bytes pending from ssl_out", res);
4480 out_data = wpabuf_alloc(res);
4481 if (out_data == NULL) {
4482 wpa_printf(MSG_DEBUG, "SSL: Failed to allocate memory for "
4483 "handshake output (%d bytes)", res);
4484 if (BIO_reset(conn->ssl_out) < 0) {
4485 tls_show_errors(MSG_INFO, __func__,
4486 "BIO_reset failed");
4487 }
4488 return NULL;
4489 }
4490 res = res == 0 ? 0 : BIO_read(conn->ssl_out, wpabuf_mhead(out_data),
4491 res);
4492 if (res < 0) {
4493 tls_show_errors(MSG_INFO, __func__,
4494 "Handshake failed - BIO_read");
4495 if (BIO_reset(conn->ssl_out) < 0) {
4496 tls_show_errors(MSG_INFO, __func__,
4497 "BIO_reset failed");
4498 }
4499 wpabuf_free(out_data);
4500 return NULL;
4501 }
4502 wpabuf_put(out_data, res);
4503
4504 return out_data;
4505 }
4506
4507
4508 static struct wpabuf *
openssl_get_appl_data(struct tls_connection *conn, size_t max_len)4509 openssl_get_appl_data(struct tls_connection *conn, size_t max_len)
4510 {
4511 struct wpabuf *appl_data;
4512 int res;
4513
4514 appl_data = wpabuf_alloc(max_len + 100);
4515 if (appl_data == NULL)
4516 return NULL;
4517
4518 res = SSL_read(conn->ssl, wpabuf_mhead(appl_data),
4519 wpabuf_size(appl_data));
4520 if (res < 0) {
4521 int err = SSL_get_error(conn->ssl, res);
4522 if (err == SSL_ERROR_WANT_READ ||
4523 err == SSL_ERROR_WANT_WRITE) {
4524 wpa_printf(MSG_DEBUG, "SSL: No Application Data "
4525 "included");
4526 } else {
4527 tls_show_errors(MSG_INFO, __func__,
4528 "Failed to read possible "
4529 "Application Data");
4530 }
4531 wpabuf_free(appl_data);
4532 return NULL;
4533 }
4534
4535 wpabuf_put(appl_data, res);
4536 wpa_hexdump_buf_key(MSG_MSGDUMP, "SSL: Application Data in Finished "
4537 "message", appl_data);
4538
4539 return appl_data;
4540 }
4541
4542
4543 static struct wpabuf *
openssl_connection_handshake(struct tls_connection *conn, const struct wpabuf *in_data, struct wpabuf **appl_data)4544 openssl_connection_handshake(struct tls_connection *conn,
4545 const struct wpabuf *in_data,
4546 struct wpabuf **appl_data)
4547 {
4548 struct wpabuf *out_data;
4549
4550 if (appl_data)
4551 *appl_data = NULL;
4552
4553 out_data = openssl_handshake(conn, in_data);
4554 if (out_data == NULL)
4555 return NULL;
4556 if (conn->invalid_hb_used) {
4557 wpa_printf(MSG_INFO, "TLS: Heartbeat attack detected - do not send response");
4558 wpabuf_free(out_data);
4559 return NULL;
4560 }
4561
4562 if (SSL_is_init_finished(conn->ssl)) {
4563 wpa_printf(MSG_DEBUG,
4564 "OpenSSL: Handshake finished - resumed=%d",
4565 tls_connection_resumed(conn->ssl_ctx, conn));
4566 if (conn->server) {
4567 char *buf;
4568 size_t buflen = 2000;
4569
4570 buf = os_malloc(buflen);
4571 if (buf) {
4572 if (SSL_get_shared_ciphers(conn->ssl, buf,
4573 buflen)) {
4574 buf[buflen - 1] = '\0';
4575 wpa_printf(MSG_DEBUG,
4576 "OpenSSL: Shared ciphers: %s",
4577 buf);
4578 }
4579 os_free(buf);
4580 }
4581 }
4582 if (appl_data && in_data)
4583 *appl_data = openssl_get_appl_data(conn,
4584 wpabuf_len(in_data));
4585 }
4586
4587 if (conn->invalid_hb_used) {
4588 wpa_printf(MSG_INFO, "TLS: Heartbeat attack detected - do not send response");
4589 if (appl_data) {
4590 wpabuf_free(*appl_data);
4591 *appl_data = NULL;
4592 }
4593 wpabuf_free(out_data);
4594 return NULL;
4595 }
4596
4597 return out_data;
4598 }
4599
4600
4601 struct wpabuf *
tls_connection_handshake(void *ssl_ctx, struct tls_connection *conn, const struct wpabuf *in_data, struct wpabuf **appl_data)4602 tls_connection_handshake(void *ssl_ctx, struct tls_connection *conn,
4603 const struct wpabuf *in_data,
4604 struct wpabuf **appl_data)
4605 {
4606 return openssl_connection_handshake(conn, in_data, appl_data);
4607 }
4608
4609
tls_connection_server_handshake(void *tls_ctx, struct tls_connection *conn, const struct wpabuf *in_data, struct wpabuf **appl_data)4610 struct wpabuf * tls_connection_server_handshake(void *tls_ctx,
4611 struct tls_connection *conn,
4612 const struct wpabuf *in_data,
4613 struct wpabuf **appl_data)
4614 {
4615 conn->server = 1;
4616 return openssl_connection_handshake(conn, in_data, appl_data);
4617 }
4618
4619
tls_connection_encrypt(void *tls_ctx, struct tls_connection *conn, const struct wpabuf *in_data)4620 struct wpabuf * tls_connection_encrypt(void *tls_ctx,
4621 struct tls_connection *conn,
4622 const struct wpabuf *in_data)
4623 {
4624 int res;
4625 struct wpabuf *buf;
4626
4627 if (conn == NULL)
4628 return NULL;
4629
4630 /* Give plaintext data for OpenSSL to encrypt into the TLS tunnel. */
4631 if ((res = BIO_reset(conn->ssl_in)) < 0 ||
4632 (res = BIO_reset(conn->ssl_out)) < 0) {
4633 tls_show_errors(MSG_INFO, __func__, "BIO_reset failed");
4634 return NULL;
4635 }
4636 res = SSL_write(conn->ssl, wpabuf_head(in_data), wpabuf_len(in_data));
4637 if (res < 0) {
4638 tls_show_errors(MSG_INFO, __func__,
4639 "Encryption failed - SSL_write");
4640 return NULL;
4641 }
4642
4643 /* Read encrypted data to be sent to the server */
4644 buf = wpabuf_alloc(wpabuf_len(in_data) + 300);
4645 if (buf == NULL)
4646 return NULL;
4647 res = BIO_read(conn->ssl_out, wpabuf_mhead(buf), wpabuf_size(buf));
4648 if (res < 0) {
4649 tls_show_errors(MSG_INFO, __func__,
4650 "Encryption failed - BIO_read");
4651 wpabuf_free(buf);
4652 return NULL;
4653 }
4654 wpabuf_put(buf, res);
4655
4656 return buf;
4657 }
4658
4659
tls_connection_decrypt(void *tls_ctx, struct tls_connection *conn, const struct wpabuf *in_data)4660 struct wpabuf * tls_connection_decrypt(void *tls_ctx,
4661 struct tls_connection *conn,
4662 const struct wpabuf *in_data)
4663 {
4664 int res;
4665 struct wpabuf *buf;
4666
4667 /* Give encrypted data from TLS tunnel for OpenSSL to decrypt. */
4668 res = BIO_write(conn->ssl_in, wpabuf_head(in_data),
4669 wpabuf_len(in_data));
4670 if (res < 0) {
4671 tls_show_errors(MSG_INFO, __func__,
4672 "Decryption failed - BIO_write");
4673 return NULL;
4674 }
4675 if (BIO_reset(conn->ssl_out) < 0) {
4676 tls_show_errors(MSG_INFO, __func__, "BIO_reset failed");
4677 return NULL;
4678 }
4679
4680 /* Read decrypted data for further processing */
4681 /*
4682 * Even though we try to disable TLS compression, it is possible that
4683 * this cannot be done with all TLS libraries. Add extra buffer space
4684 * to handle the possibility of the decrypted data being longer than
4685 * input data.
4686 */
4687 buf = wpabuf_alloc((wpabuf_len(in_data) + 500) * 3);
4688 if (buf == NULL)
4689 return NULL;
4690 res = SSL_read(conn->ssl, wpabuf_mhead(buf), wpabuf_size(buf));
4691 if (res < 0) {
4692 int err = SSL_get_error(conn->ssl, res);
4693
4694 if (err == SSL_ERROR_WANT_READ) {
4695 wpa_printf(MSG_DEBUG,
4696 "SSL: SSL_connect - want more data");
4697 res = 0;
4698 } else {
4699 tls_show_errors(MSG_INFO, __func__,
4700 "Decryption failed - SSL_read");
4701 wpabuf_free(buf);
4702 return NULL;
4703 }
4704 }
4705 wpabuf_put(buf, res);
4706
4707 if (conn->invalid_hb_used) {
4708 wpa_printf(MSG_INFO, "TLS: Heartbeat attack detected - do not send response");
4709 wpabuf_free(buf);
4710 return NULL;
4711 }
4712
4713 return buf;
4714 }
4715
4716
tls_connection_resumed(void *ssl_ctx, struct tls_connection *conn)4717 int tls_connection_resumed(void *ssl_ctx, struct tls_connection *conn)
4718 {
4719 return conn ? SSL_session_reused(conn->ssl) : 0;
4720 }
4721
4722
tls_connection_set_cipher_list(void *tls_ctx, struct tls_connection *conn, u8 *ciphers)4723 int tls_connection_set_cipher_list(void *tls_ctx, struct tls_connection *conn,
4724 u8 *ciphers)
4725 {
4726 char buf[500], *pos, *end;
4727 u8 *c;
4728 int ret;
4729
4730 if (conn == NULL || conn->ssl == NULL || ciphers == NULL)
4731 return -1;
4732
4733 buf[0] = '\0';
4734 pos = buf;
4735 end = pos + sizeof(buf);
4736
4737 c = ciphers;
4738 while (*c != TLS_CIPHER_NONE) {
4739 const char *suite;
4740
4741 switch (*c) {
4742 case TLS_CIPHER_RC4_SHA:
4743 suite = "RC4-SHA";
4744 break;
4745 case TLS_CIPHER_AES128_SHA:
4746 suite = "AES128-SHA";
4747 break;
4748 case TLS_CIPHER_RSA_DHE_AES128_SHA:
4749 suite = "DHE-RSA-AES128-SHA";
4750 break;
4751 case TLS_CIPHER_ANON_DH_AES128_SHA:
4752 suite = "ADH-AES128-SHA";
4753 break;
4754 case TLS_CIPHER_RSA_DHE_AES256_SHA:
4755 suite = "DHE-RSA-AES256-SHA";
4756 break;
4757 case TLS_CIPHER_AES256_SHA:
4758 suite = "AES256-SHA";
4759 break;
4760 default:
4761 wpa_printf(MSG_DEBUG, "TLS: Unsupported "
4762 "cipher selection: %d", *c);
4763 return -1;
4764 }
4765 ret = os_snprintf(pos, end - pos, ":%s", suite);
4766 if (os_snprintf_error(end - pos, ret))
4767 break;
4768 pos += ret;
4769
4770 c++;
4771 }
4772 if (!buf[0]) {
4773 wpa_printf(MSG_DEBUG, "OpenSSL: No ciphers listed");
4774 return -1;
4775 }
4776
4777 wpa_printf(MSG_DEBUG, "OpenSSL: cipher suites: %s", buf + 1);
4778
4779 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
4780 #ifdef EAP_FAST_OR_TEAP
4781 if (os_strstr(buf, ":ADH-")) {
4782 /*
4783 * Need to drop to security level 0 to allow anonymous
4784 * cipher suites for EAP-FAST.
4785 */
4786 SSL_set_security_level(conn->ssl, 0);
4787 } else if (SSL_get_security_level(conn->ssl) == 0) {
4788 /* Force at least security level 1 */
4789 SSL_set_security_level(conn->ssl, 1);
4790 }
4791 #endif /* EAP_FAST_OR_TEAP */
4792 #endif
4793
4794 if (SSL_set_cipher_list(conn->ssl, buf + 1) != 1) {
4795 tls_show_errors(MSG_INFO, __func__,
4796 "Cipher suite configuration failed");
4797 return -1;
4798 }
4799
4800 return 0;
4801 }
4802
4803
tls_get_version(void *ssl_ctx, struct tls_connection *conn, char *buf, size_t buflen)4804 int tls_get_version(void *ssl_ctx, struct tls_connection *conn,
4805 char *buf, size_t buflen)
4806 {
4807 const char *name;
4808 if (conn == NULL || conn->ssl == NULL)
4809 return -1;
4810
4811 name = SSL_get_version(conn->ssl);
4812 if (name == NULL)
4813 return -1;
4814
4815 os_strlcpy(buf, name, buflen);
4816 return 0;
4817 }
4818
4819
tls_get_cipher(void *ssl_ctx, struct tls_connection *conn, char *buf, size_t buflen)4820 int tls_get_cipher(void *ssl_ctx, struct tls_connection *conn,
4821 char *buf, size_t buflen)
4822 {
4823 const char *name;
4824 if (conn == NULL || conn->ssl == NULL)
4825 return -1;
4826
4827 name = SSL_get_cipher(conn->ssl);
4828 if (name == NULL)
4829 return -1;
4830
4831 os_strlcpy(buf, name, buflen);
4832 return 0;
4833 }
4834
4835
tls_connection_enable_workaround(void *ssl_ctx, struct tls_connection *conn)4836 int tls_connection_enable_workaround(void *ssl_ctx,
4837 struct tls_connection *conn)
4838 {
4839 SSL_set_options(conn->ssl, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
4840
4841 return 0;
4842 }
4843
4844
4845 #ifdef EAP_FAST_OR_TEAP
4846 /* ClientHello TLS extensions require a patch to openssl, so this function is
4847 * commented out unless explicitly needed for EAP-FAST in order to be able to
4848 * build this file with unmodified openssl. */
tls_connection_client_hello_ext(void *ssl_ctx, struct tls_connection *conn, int ext_type, const u8 *data, size_t data_len)4849 int tls_connection_client_hello_ext(void *ssl_ctx, struct tls_connection *conn,
4850 int ext_type, const u8 *data,
4851 size_t data_len)
4852 {
4853 if (conn == NULL || conn->ssl == NULL || ext_type != 35)
4854 return -1;
4855
4856 if (SSL_set_session_ticket_ext(conn->ssl, (void *) data,
4857 data_len) != 1)
4858 return -1;
4859
4860 return 0;
4861 }
4862 #endif /* EAP_FAST_OR_TEAP */
4863
4864
tls_connection_get_failed(void *ssl_ctx, struct tls_connection *conn)4865 int tls_connection_get_failed(void *ssl_ctx, struct tls_connection *conn)
4866 {
4867 if (conn == NULL)
4868 return -1;
4869 return conn->failed;
4870 }
4871
4872
tls_connection_get_read_alerts(void *ssl_ctx, struct tls_connection *conn)4873 int tls_connection_get_read_alerts(void *ssl_ctx, struct tls_connection *conn)
4874 {
4875 if (conn == NULL)
4876 return -1;
4877 return conn->read_alerts;
4878 }
4879
4880
tls_connection_get_write_alerts(void *ssl_ctx, struct tls_connection *conn)4881 int tls_connection_get_write_alerts(void *ssl_ctx, struct tls_connection *conn)
4882 {
4883 if (conn == NULL)
4884 return -1;
4885 return conn->write_alerts;
4886 }
4887
4888
4889 #ifdef HAVE_OCSP
4890
ocsp_debug_print_resp(OCSP_RESPONSE *rsp)4891 static void ocsp_debug_print_resp(OCSP_RESPONSE *rsp)
4892 {
4893 #ifndef CONFIG_NO_STDOUT_DEBUG
4894 BIO *out;
4895 size_t rlen;
4896 char *txt;
4897 int res;
4898
4899 if (wpa_debug_level > MSG_DEBUG)
4900 return;
4901
4902 out = BIO_new(BIO_s_mem());
4903 if (!out)
4904 return;
4905
4906 OCSP_RESPONSE_print(out, rsp, 0);
4907 rlen = BIO_ctrl_pending(out);
4908 txt = os_malloc(rlen + 1);
4909 if (!txt) {
4910 BIO_free(out);
4911 return;
4912 }
4913
4914 res = BIO_read(out, txt, rlen);
4915 if (res > 0) {
4916 txt[res] = '\0';
4917 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP Response\n%s", txt);
4918 }
4919 os_free(txt);
4920 BIO_free(out);
4921 #endif /* CONFIG_NO_STDOUT_DEBUG */
4922 }
4923
4924
ocsp_resp_cb(SSL *s, void *arg)4925 static int ocsp_resp_cb(SSL *s, void *arg)
4926 {
4927 struct tls_connection *conn = arg;
4928 const unsigned char *p;
4929 int len, status, reason, res;
4930 OCSP_RESPONSE *rsp;
4931 OCSP_BASICRESP *basic;
4932 OCSP_CERTID *id;
4933 ASN1_GENERALIZEDTIME *produced_at, *this_update, *next_update;
4934 X509_STORE *store;
4935 STACK_OF(X509) *certs = NULL;
4936
4937 len = SSL_get_tlsext_status_ocsp_resp(s, &p);
4938 if (!p) {
4939 wpa_printf(MSG_DEBUG, "OpenSSL: No OCSP response received");
4940 return (conn->flags & TLS_CONN_REQUIRE_OCSP) ? 0 : 1;
4941 }
4942
4943 wpa_hexdump(MSG_DEBUG, "OpenSSL: OCSP response", p, len);
4944
4945 rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
4946 if (!rsp) {
4947 wpa_printf(MSG_INFO, "OpenSSL: Failed to parse OCSP response");
4948 return 0;
4949 }
4950
4951 ocsp_debug_print_resp(rsp);
4952
4953 status = OCSP_response_status(rsp);
4954 if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
4955 wpa_printf(MSG_INFO, "OpenSSL: OCSP responder error %d (%s)",
4956 status, OCSP_response_status_str(status));
4957 return 0;
4958 }
4959
4960 basic = OCSP_response_get1_basic(rsp);
4961 if (!basic) {
4962 wpa_printf(MSG_INFO, "OpenSSL: Could not find BasicOCSPResponse");
4963 return 0;
4964 }
4965
4966 store = SSL_CTX_get_cert_store(conn->ssl_ctx);
4967 if (conn->peer_issuer) {
4968 debug_print_cert(conn->peer_issuer, "Add OCSP issuer");
4969
4970 if (X509_STORE_add_cert(store, conn->peer_issuer) != 1) {
4971 tls_show_errors(MSG_INFO, __func__,
4972 "OpenSSL: Could not add issuer to certificate store");
4973 }
4974 certs = sk_X509_new_null();
4975 if (certs) {
4976 X509 *cert;
4977 cert = X509_dup(conn->peer_issuer);
4978 if (cert && !sk_X509_push(certs, cert)) {
4979 tls_show_errors(
4980 MSG_INFO, __func__,
4981 "OpenSSL: Could not add issuer to OCSP responder trust store");
4982 X509_free(cert);
4983 sk_X509_free(certs);
4984 certs = NULL;
4985 }
4986 if (certs && conn->peer_issuer_issuer) {
4987 cert = X509_dup(conn->peer_issuer_issuer);
4988 if (cert && !sk_X509_push(certs, cert)) {
4989 tls_show_errors(
4990 MSG_INFO, __func__,
4991 "OpenSSL: Could not add issuer's issuer to OCSP responder trust store");
4992 X509_free(cert);
4993 }
4994 }
4995 }
4996 }
4997
4998 status = OCSP_basic_verify(basic, certs, store, OCSP_TRUSTOTHER);
4999 sk_X509_pop_free(certs, X509_free);
5000 if (status <= 0) {
5001 tls_show_errors(MSG_INFO, __func__,
5002 "OpenSSL: OCSP response failed verification");
5003 OCSP_BASICRESP_free(basic);
5004 OCSP_RESPONSE_free(rsp);
5005 return 0;
5006 }
5007
5008 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP response verification succeeded");
5009
5010 if (!conn->peer_cert) {
5011 wpa_printf(MSG_DEBUG, "OpenSSL: Peer certificate not available for OCSP status check");
5012 OCSP_BASICRESP_free(basic);
5013 OCSP_RESPONSE_free(rsp);
5014 return 0;
5015 }
5016
5017 if (!conn->peer_issuer) {
5018 wpa_printf(MSG_DEBUG, "OpenSSL: Peer issuer certificate not available for OCSP status check");
5019 OCSP_BASICRESP_free(basic);
5020 OCSP_RESPONSE_free(rsp);
5021 return 0;
5022 }
5023
5024 id = OCSP_cert_to_id(EVP_sha256(), conn->peer_cert, conn->peer_issuer);
5025 if (!id) {
5026 wpa_printf(MSG_DEBUG,
5027 "OpenSSL: Could not create OCSP certificate identifier (SHA256)");
5028 OCSP_BASICRESP_free(basic);
5029 OCSP_RESPONSE_free(rsp);
5030 return 0;
5031 }
5032
5033 res = OCSP_resp_find_status(basic, id, &status, &reason, &produced_at,
5034 &this_update, &next_update);
5035 if (!res) {
5036 OCSP_CERTID_free(id);
5037 id = OCSP_cert_to_id(NULL, conn->peer_cert, conn->peer_issuer);
5038 if (!id) {
5039 wpa_printf(MSG_DEBUG,
5040 "OpenSSL: Could not create OCSP certificate identifier (SHA1)");
5041 OCSP_BASICRESP_free(basic);
5042 OCSP_RESPONSE_free(rsp);
5043 return 0;
5044 }
5045
5046 res = OCSP_resp_find_status(basic, id, &status, &reason,
5047 &produced_at, &this_update,
5048 &next_update);
5049 }
5050
5051 if (!res) {
5052 wpa_printf(MSG_INFO, "OpenSSL: Could not find current server certificate from OCSP response%s",
5053 (conn->flags & TLS_CONN_REQUIRE_OCSP) ? "" :
5054 " (OCSP not required)");
5055 OCSP_CERTID_free(id);
5056 OCSP_BASICRESP_free(basic);
5057 OCSP_RESPONSE_free(rsp);
5058 return (conn->flags & TLS_CONN_REQUIRE_OCSP) ? 0 : 1;
5059 }
5060 OCSP_CERTID_free(id);
5061
5062 if (!OCSP_check_validity(this_update, next_update, 5 * 60, -1)) {
5063 tls_show_errors(MSG_INFO, __func__,
5064 "OpenSSL: OCSP status times invalid");
5065 OCSP_BASICRESP_free(basic);
5066 OCSP_RESPONSE_free(rsp);
5067 return 0;
5068 }
5069
5070 OCSP_BASICRESP_free(basic);
5071 OCSP_RESPONSE_free(rsp);
5072
5073 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status for server certificate: %s",
5074 OCSP_cert_status_str(status));
5075
5076 if (status == V_OCSP_CERTSTATUS_GOOD)
5077 return 1;
5078 if (status == V_OCSP_CERTSTATUS_REVOKED)
5079 return 0;
5080 if (conn->flags & TLS_CONN_REQUIRE_OCSP) {
5081 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status unknown, but OCSP required");
5082 return 0;
5083 }
5084 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status unknown, but OCSP was not required, so allow connection to continue");
5085 return 1;
5086 }
5087
5088
ocsp_status_cb(SSL *s, void *arg)5089 static int ocsp_status_cb(SSL *s, void *arg)
5090 {
5091 char *tmp;
5092 char *resp;
5093 size_t len;
5094
5095 if (tls_global->ocsp_stapling_response == NULL) {
5096 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status callback - no response configured");
5097 return SSL_TLSEXT_ERR_OK;
5098 }
5099
5100 resp = os_readfile(tls_global->ocsp_stapling_response, &len);
5101 if (resp == NULL) {
5102 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status callback - could not read response file");
5103 /* TODO: Build OCSPResponse with responseStatus = internalError
5104 */
5105 return SSL_TLSEXT_ERR_OK;
5106 }
5107 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP status callback - send cached response");
5108 tmp = OPENSSL_malloc(len);
5109 if (tmp == NULL) {
5110 os_free(resp);
5111 return SSL_TLSEXT_ERR_ALERT_FATAL;
5112 }
5113
5114 os_memcpy(tmp, resp, len);
5115 os_free(resp);
5116 SSL_set_tlsext_status_ocsp_resp(s, tmp, len);
5117
5118 return SSL_TLSEXT_ERR_OK;
5119 }
5120
5121 #endif /* HAVE_OCSP */
5122
5123
max_str_len(const char **lines)5124 static size_t max_str_len(const char **lines)
5125 {
5126 const char **p;
5127 size_t max_len = 0;
5128
5129 for (p = lines; *p; p++) {
5130 size_t len = os_strlen(*p);
5131
5132 if (len > max_len)
5133 max_len = len;
5134 }
5135
5136 return max_len;
5137 }
5138
5139
match_lines_in_file(const char *path, const char **lines)5140 static int match_lines_in_file(const char *path, const char **lines)
5141 {
5142 FILE *f;
5143 char *buf;
5144 size_t bufsize;
5145 int found = 0, is_linestart = 1;
5146
5147 bufsize = max_str_len(lines) + sizeof("\r\n");
5148 buf = os_malloc(bufsize);
5149 if (!buf)
5150 return 0;
5151
5152 f = fopen(path, "r");
5153 if (!f) {
5154 os_free(buf);
5155 return 0;
5156 }
5157
5158 while (!found && fgets(buf, bufsize, f)) {
5159 int is_lineend;
5160 size_t len;
5161 const char **p;
5162
5163 len = strcspn(buf, "\r\n");
5164 is_lineend = buf[len] != '\0';
5165 buf[len] = '\0';
5166
5167 if (is_linestart && is_lineend) {
5168 for (p = lines; !found && *p; p++)
5169 found = os_strcmp(buf, *p) == 0;
5170 }
5171 is_linestart = is_lineend;
5172 }
5173
5174 fclose(f);
5175 bin_clear_free(buf, bufsize);
5176
5177 return found;
5178 }
5179
5180
is_tpm2_key(const char *path)5181 static int is_tpm2_key(const char *path)
5182 {
5183 /* Check both new and old format of TPM2 PEM guard tag */
5184 static const char *tpm2_tags[] = {
5185 "-----BEGIN TSS2 PRIVATE KEY-----",
5186 "-----BEGIN TSS2 KEY BLOB-----",
5187 NULL
5188 };
5189
5190 return match_lines_in_file(path, tpm2_tags);
5191 }
5192
5193
tls_connection_set_params(void *tls_ctx, struct tls_connection *conn, const struct tls_connection_params *params)5194 int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
5195 const struct tls_connection_params *params)
5196 {
5197 struct tls_data *data = tls_ctx;
5198 int ret;
5199 unsigned long err;
5200 int can_pkcs11 = 0;
5201 const char *key_id = params->key_id;
5202 const char *cert_id = params->cert_id;
5203 const char *ca_cert_id = params->ca_cert_id;
5204 const char *engine_id = params->engine ? params->engine_id : NULL;
5205 const char *ciphers;
5206
5207 if (conn == NULL)
5208 return -1;
5209
5210 if (params->flags & TLS_CONN_REQUIRE_OCSP_ALL) {
5211 wpa_printf(MSG_INFO,
5212 "OpenSSL: ocsp=3 not supported");
5213 return -1;
5214 }
5215
5216 /*
5217 * If the engine isn't explicitly configured, and any of the
5218 * cert/key fields are actually PKCS#11 URIs, then automatically
5219 * use the PKCS#11 ENGINE.
5220 */
5221 if (!engine_id || os_strcmp(engine_id, "pkcs11") == 0)
5222 can_pkcs11 = 1;
5223
5224 if (!key_id && params->private_key && can_pkcs11 &&
5225 os_strncmp(params->private_key, "pkcs11:", 7) == 0) {
5226 can_pkcs11 = 2;
5227 key_id = params->private_key;
5228 }
5229
5230 if (!cert_id && params->client_cert && can_pkcs11 &&
5231 os_strncmp(params->client_cert, "pkcs11:", 7) == 0) {
5232 can_pkcs11 = 2;
5233 cert_id = params->client_cert;
5234 }
5235
5236 if (!ca_cert_id && params->ca_cert && can_pkcs11 &&
5237 os_strncmp(params->ca_cert, "pkcs11:", 7) == 0) {
5238 can_pkcs11 = 2;
5239 ca_cert_id = params->ca_cert;
5240 }
5241
5242 /* If we need to automatically enable the PKCS#11 ENGINE, do so. */
5243 if (can_pkcs11 == 2 && !engine_id)
5244 engine_id = "pkcs11";
5245
5246 /* If private_key points to a TPM2-wrapped key, automatically enable
5247 * tpm2 engine and use it to unwrap the key. */
5248 if (params->private_key &&
5249 (!engine_id || os_strcmp(engine_id, "tpm2") == 0) &&
5250 is_tpm2_key(params->private_key)) {
5251 wpa_printf(MSG_DEBUG, "OpenSSL: Found TPM2 wrapped key %s",
5252 params->private_key);
5253 key_id = key_id ? key_id : params->private_key;
5254 engine_id = engine_id ? engine_id : "tpm2";
5255 }
5256
5257 #if defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || defined(EAP_SERVER_FAST)
5258 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
5259 if (params->flags & TLS_CONN_EAP_FAST) {
5260 wpa_printf(MSG_DEBUG,
5261 "OpenSSL: Use TLSv1_method() for EAP-FAST");
5262 if (SSL_set_ssl_method(conn->ssl, TLSv1_method()) != 1) {
5263 tls_show_errors(MSG_INFO, __func__,
5264 "Failed to set TLSv1_method() for EAP-FAST");
5265 return -1;
5266 }
5267 }
5268 #endif
5269 #if OPENSSL_VERSION_NUMBER >= 0x10101000L
5270 #ifdef SSL_OP_NO_TLSv1_3
5271 if (params->flags & TLS_CONN_EAP_FAST) {
5272 /* Need to disable TLS v1.3 at least for now since OpenSSL 1.1.1
5273 * refuses to start the handshake with the modified ciphersuite
5274 * list (no TLS v1.3 ciphersuites included) for EAP-FAST. */
5275 wpa_printf(MSG_DEBUG, "OpenSSL: Disable TLSv1.3 for EAP-FAST");
5276 SSL_set_options(conn->ssl, SSL_OP_NO_TLSv1_3);
5277 }
5278 #endif /* SSL_OP_NO_TLSv1_3 */
5279 #endif
5280 #endif /* EAP_FAST || EAP_FAST_DYNAMIC || EAP_SERVER_FAST */
5281
5282 while ((err = ERR_get_error())) {
5283 wpa_printf(MSG_INFO, "%s: Clearing pending SSL error: %s",
5284 __func__, ERR_error_string(err, NULL));
5285 }
5286
5287 if (engine_id) {
5288 wpa_printf(MSG_DEBUG, "SSL: Initializing TLS engine %s",
5289 engine_id);
5290 ret = tls_engine_init(conn, engine_id, params->pin,
5291 key_id, cert_id, ca_cert_id);
5292 if (ret)
5293 return ret;
5294 }
5295 if (tls_connection_set_subject_match(conn,
5296 params->subject_match,
5297 params->altsubject_match,
5298 params->suffix_match,
5299 params->domain_match,
5300 params->check_cert_subject))
5301 return -1;
5302
5303 if (engine_id && ca_cert_id) {
5304 if (tls_connection_engine_ca_cert(data, conn, ca_cert_id))
5305 return TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED;
5306 } else if (tls_connection_ca_cert(data, conn, params->ca_cert,
5307 params->ca_cert_blob,
5308 params->ca_cert_blob_len,
5309 params->ca_path))
5310 return -1;
5311
5312 if (engine_id && cert_id) {
5313 if (tls_connection_engine_client_cert(conn, cert_id))
5314 return TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED;
5315 } else if (tls_connection_client_cert(conn, params->client_cert,
5316 params->client_cert_blob,
5317 params->client_cert_blob_len))
5318 return -1;
5319
5320 if (engine_id && key_id) {
5321 wpa_printf(MSG_DEBUG, "TLS: Using private key from engine");
5322 if (tls_connection_engine_private_key(conn))
5323 return TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED;
5324 } else if (tls_connection_private_key(data, conn,
5325 params->private_key,
5326 params->private_key_passwd,
5327 params->private_key_blob,
5328 params->private_key_blob_len)) {
5329 wpa_printf(MSG_INFO, "TLS: Failed to load private key '%s'",
5330 params->private_key);
5331 return -1;
5332 }
5333
5334 if (tls_connection_dh(conn, params->dh_file)) {
5335 wpa_printf(MSG_INFO, "TLS: Failed to load DH file '%s'",
5336 params->dh_file);
5337 return -1;
5338 }
5339
5340 ciphers = params->openssl_ciphers;
5341 #ifdef CONFIG_SUITEB
5342 #ifdef OPENSSL_IS_BORINGSSL
5343 if (ciphers && os_strcmp(ciphers, "SUITEB192") == 0) {
5344 /* BoringSSL removed support for SUITEB192, so need to handle
5345 * this with hardcoded ciphersuite and additional checks for
5346 * other parameters. */
5347 ciphers = "ECDHE-ECDSA-AES256-GCM-SHA384";
5348 }
5349 #endif /* OPENSSL_IS_BORINGSSL */
5350 #endif /* CONFIG_SUITEB */
5351 if (ciphers && SSL_set_cipher_list(conn->ssl, ciphers) != 1) {
5352 wpa_printf(MSG_INFO,
5353 "OpenSSL: Failed to set cipher string '%s'",
5354 ciphers);
5355 return -1;
5356 }
5357
5358 if (!params->openssl_ecdh_curves) {
5359 #ifndef OPENSSL_IS_BORINGSSL
5360 #ifndef OPENSSL_NO_EC
5361 #if (OPENSSL_VERSION_NUMBER >= 0x10002000L) && \
5362 (OPENSSL_VERSION_NUMBER < 0x10100000L)
5363 if (SSL_set_ecdh_auto(conn->ssl, 1) != 1) {
5364 wpa_printf(MSG_INFO,
5365 "OpenSSL: Failed to set ECDH curves to auto");
5366 return -1;
5367 }
5368 #endif /* >= 1.0.2 && < 1.1.0 */
5369 #endif /* OPENSSL_NO_EC */
5370 #endif /* OPENSSL_IS_BORINGSSL */
5371 } else if (params->openssl_ecdh_curves[0]) {
5372 #if defined(OPENSSL_IS_BORINGSSL) || (OPENSSL_VERSION_NUMBER < 0x10002000L)
5373 wpa_printf(MSG_INFO,
5374 "OpenSSL: ECDH configuration nnot supported");
5375 return -1;
5376 #else /* OPENSSL_IS_BORINGSSL || < 1.0.2 */
5377 #ifndef OPENSSL_NO_EC
5378 if (SSL_set1_curves_list(conn->ssl,
5379 params->openssl_ecdh_curves) != 1) {
5380 wpa_printf(MSG_INFO,
5381 "OpenSSL: Failed to set ECDH curves '%s'",
5382 params->openssl_ecdh_curves);
5383 return -1;
5384 }
5385 #else /* OPENSSL_NO_EC */
5386 wpa_printf(MSG_INFO, "OpenSSL: ECDH not supported");
5387 return -1;
5388 #endif /* OPENSSL_NO_EC */
5389 #endif /* OPENSSL_IS_BORINGSSL */
5390 }
5391
5392 if (tls_set_conn_flags(conn, params->flags,
5393 params->openssl_ciphers) < 0)
5394 return -1;
5395
5396 #ifdef OPENSSL_IS_BORINGSSL
5397 if (params->flags & TLS_CONN_REQUEST_OCSP) {
5398 SSL_enable_ocsp_stapling(conn->ssl);
5399 }
5400 #else /* OPENSSL_IS_BORINGSSL */
5401 #ifdef HAVE_OCSP
5402 if (params->flags & TLS_CONN_REQUEST_OCSP) {
5403 SSL_CTX *ssl_ctx = data->ssl;
5404 SSL_set_tlsext_status_type(conn->ssl, TLSEXT_STATUSTYPE_ocsp);
5405 SSL_CTX_set_tlsext_status_cb(ssl_ctx, ocsp_resp_cb);
5406 SSL_CTX_set_tlsext_status_arg(ssl_ctx, conn);
5407 }
5408 #else /* HAVE_OCSP */
5409 if (params->flags & TLS_CONN_REQUIRE_OCSP) {
5410 wpa_printf(MSG_INFO,
5411 "OpenSSL: No OCSP support included - reject configuration");
5412 return -1;
5413 }
5414 if (params->flags & TLS_CONN_REQUEST_OCSP) {
5415 wpa_printf(MSG_DEBUG,
5416 "OpenSSL: No OCSP support included - allow optional OCSP case to continue");
5417 }
5418 #endif /* HAVE_OCSP */
5419 #endif /* OPENSSL_IS_BORINGSSL */
5420
5421 conn->flags = params->flags;
5422
5423 tls_get_errors(data);
5424
5425 return 0;
5426 }
5427
5428
openssl_debug_dump_cipher_list(SSL_CTX *ssl_ctx)5429 static void openssl_debug_dump_cipher_list(SSL_CTX *ssl_ctx)
5430 {
5431 SSL *ssl;
5432 int i;
5433
5434 ssl = SSL_new(ssl_ctx);
5435 if (!ssl)
5436 return;
5437
5438 wpa_printf(MSG_DEBUG,
5439 "OpenSSL: Enabled cipher suites in priority order");
5440 for (i = 0; ; i++) {
5441 const char *cipher;
5442
5443 cipher = SSL_get_cipher_list(ssl, i);
5444 if (!cipher)
5445 break;
5446 wpa_printf(MSG_DEBUG, "Cipher %d: %s", i, cipher);
5447 }
5448
5449 SSL_free(ssl);
5450 }
5451
5452
5453 #if !defined(LIBRESSL_VERSION_NUMBER) && !defined(BORINGSSL_API_VERSION)
5454
openssl_pkey_type_str(const EVP_PKEY *pkey)5455 static const char * openssl_pkey_type_str(const EVP_PKEY *pkey)
5456 {
5457 if (!pkey)
5458 return "NULL";
5459 switch (EVP_PKEY_type(EVP_PKEY_id(pkey))) {
5460 case EVP_PKEY_RSA:
5461 return "RSA";
5462 case EVP_PKEY_DSA:
5463 return "DSA";
5464 case EVP_PKEY_DH:
5465 return "DH";
5466 case EVP_PKEY_EC:
5467 return "EC";
5468 }
5469 return "?";
5470 }
5471
5472
openssl_debug_dump_certificate(int i, X509 *cert)5473 static void openssl_debug_dump_certificate(int i, X509 *cert)
5474 {
5475 char buf[256];
5476 EVP_PKEY *pkey;
5477 ASN1_INTEGER *ser;
5478 char serial_num[128];
5479
5480 if (!cert)
5481 return;
5482
5483 X509_NAME_oneline(X509_get_subject_name(cert), buf, sizeof(buf));
5484
5485 ser = X509_get_serialNumber(cert);
5486 if (ser)
5487 wpa_snprintf_hex_uppercase(serial_num, sizeof(serial_num),
5488 ASN1_STRING_get0_data(ser),
5489 ASN1_STRING_length(ser));
5490 else
5491 serial_num[0] = '\0';
5492
5493 pkey = X509_get_pubkey(cert);
5494 wpa_printf(MSG_DEBUG, "%d: %s (%s) %s", i, buf,
5495 openssl_pkey_type_str(pkey), serial_num);
5496 EVP_PKEY_free(pkey);
5497 }
5498
5499
openssl_debug_dump_certificates(SSL_CTX *ssl_ctx)5500 static void openssl_debug_dump_certificates(SSL_CTX *ssl_ctx)
5501 {
5502 STACK_OF(X509) *certs;
5503
5504 wpa_printf(MSG_DEBUG, "OpenSSL: Configured certificate chain");
5505 if (SSL_CTX_get0_chain_certs(ssl_ctx, &certs) == 1) {
5506 int i;
5507
5508 for (i = sk_X509_num(certs); i > 0; i--)
5509 openssl_debug_dump_certificate(i, sk_X509_value(certs,
5510 i - 1));
5511 }
5512 openssl_debug_dump_certificate(0, SSL_CTX_get0_certificate(ssl_ctx));
5513 }
5514
5515 #endif
5516
5517
openssl_debug_dump_certificate_chains(SSL_CTX *ssl_ctx)5518 static void openssl_debug_dump_certificate_chains(SSL_CTX *ssl_ctx)
5519 {
5520 #if !defined(LIBRESSL_VERSION_NUMBER) && !defined(BORINGSSL_API_VERSION)
5521 int res;
5522
5523 for (res = SSL_CTX_set_current_cert(ssl_ctx, SSL_CERT_SET_FIRST);
5524 res == 1;
5525 res = SSL_CTX_set_current_cert(ssl_ctx, SSL_CERT_SET_NEXT))
5526 openssl_debug_dump_certificates(ssl_ctx);
5527
5528 SSL_CTX_set_current_cert(ssl_ctx, SSL_CERT_SET_FIRST);
5529 #endif
5530 }
5531
5532
openssl_debug_dump_ctx(SSL_CTX *ssl_ctx)5533 static void openssl_debug_dump_ctx(SSL_CTX *ssl_ctx)
5534 {
5535 openssl_debug_dump_cipher_list(ssl_ctx);
5536 openssl_debug_dump_certificate_chains(ssl_ctx);
5537 }
5538
5539
tls_global_set_params(void *tls_ctx, const struct tls_connection_params *params)5540 int tls_global_set_params(void *tls_ctx,
5541 const struct tls_connection_params *params)
5542 {
5543 struct tls_data *data = tls_ctx;
5544 SSL_CTX *ssl_ctx = data->ssl;
5545 unsigned long err;
5546
5547 while ((err = ERR_get_error())) {
5548 wpa_printf(MSG_INFO, "%s: Clearing pending SSL error: %s",
5549 __func__, ERR_error_string(err, NULL));
5550 }
5551
5552 os_free(data->check_cert_subject);
5553 data->check_cert_subject = NULL;
5554 if (params->check_cert_subject) {
5555 data->check_cert_subject =
5556 os_strdup(params->check_cert_subject);
5557 if (!data->check_cert_subject)
5558 return -1;
5559 }
5560
5561 if (tls_global_ca_cert(data, params->ca_cert) ||
5562 tls_global_client_cert(data, params->client_cert) ||
5563 tls_global_private_key(data, params->private_key,
5564 params->private_key_passwd) ||
5565 tls_global_client_cert(data, params->client_cert2) ||
5566 tls_global_private_key(data, params->private_key2,
5567 params->private_key_passwd2) ||
5568 tls_global_dh(data, params->dh_file)) {
5569 wpa_printf(MSG_INFO, "TLS: Failed to set global parameters");
5570 return -1;
5571 }
5572
5573 if (params->openssl_ciphers &&
5574 SSL_CTX_set_cipher_list(ssl_ctx, params->openssl_ciphers) != 1) {
5575 wpa_printf(MSG_INFO,
5576 "OpenSSL: Failed to set cipher string '%s'",
5577 params->openssl_ciphers);
5578 return -1;
5579 }
5580
5581 if (!params->openssl_ecdh_curves) {
5582 #ifndef OPENSSL_IS_BORINGSSL
5583 #ifndef OPENSSL_NO_EC
5584 #if (OPENSSL_VERSION_NUMBER >= 0x10002000L) && \
5585 (OPENSSL_VERSION_NUMBER < 0x10100000L)
5586 if (SSL_CTX_set_ecdh_auto(ssl_ctx, 1) != 1) {
5587 wpa_printf(MSG_INFO,
5588 "OpenSSL: Failed to set ECDH curves to auto");
5589 return -1;
5590 }
5591 #endif /* >= 1.0.2 && < 1.1.0 */
5592 #endif /* OPENSSL_NO_EC */
5593 #endif /* OPENSSL_IS_BORINGSSL */
5594 } else if (params->openssl_ecdh_curves[0]) {
5595 #if defined(OPENSSL_IS_BORINGSSL) || (OPENSSL_VERSION_NUMBER < 0x10002000L)
5596 wpa_printf(MSG_INFO,
5597 "OpenSSL: ECDH configuration nnot supported");
5598 return -1;
5599 #else /* OPENSSL_IS_BORINGSSL || < 1.0.2 */
5600 #ifndef OPENSSL_NO_EC
5601 #if OPENSSL_VERSION_NUMBER < 0x10100000L
5602 SSL_CTX_set_ecdh_auto(ssl_ctx, 1);
5603 #endif
5604 if (SSL_CTX_set1_curves_list(ssl_ctx,
5605 params->openssl_ecdh_curves) !=
5606 1) {
5607 wpa_printf(MSG_INFO,
5608 "OpenSSL: Failed to set ECDH curves '%s'",
5609 params->openssl_ecdh_curves);
5610 return -1;
5611 }
5612 #else /* OPENSSL_NO_EC */
5613 wpa_printf(MSG_INFO, "OpenSSL: ECDH not supported");
5614 return -1;
5615 #endif /* OPENSSL_NO_EC */
5616 #endif /* OPENSSL_IS_BORINGSSL */
5617 }
5618
5619 #ifdef SSL_OP_NO_TICKET
5620 if (params->flags & TLS_CONN_DISABLE_SESSION_TICKET)
5621 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TICKET);
5622 else
5623 SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TICKET);
5624 #endif /* SSL_OP_NO_TICKET */
5625
5626 #ifdef HAVE_OCSP
5627 SSL_CTX_set_tlsext_status_cb(ssl_ctx, ocsp_status_cb);
5628 SSL_CTX_set_tlsext_status_arg(ssl_ctx, ssl_ctx);
5629 os_free(tls_global->ocsp_stapling_response);
5630 if (params->ocsp_stapling_response)
5631 tls_global->ocsp_stapling_response =
5632 os_strdup(params->ocsp_stapling_response);
5633 else
5634 tls_global->ocsp_stapling_response = NULL;
5635 #endif /* HAVE_OCSP */
5636
5637 openssl_debug_dump_ctx(ssl_ctx);
5638
5639 return 0;
5640 }
5641
5642
5643 #ifdef EAP_FAST_OR_TEAP
5644 /* Pre-shared secred requires a patch to openssl, so this function is
5645 * commented out unless explicitly needed for EAP-FAST in order to be able to
5646 * build this file with unmodified openssl. */
5647
5648 #if (defined(OPENSSL_IS_BORINGSSL) || OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
tls_sess_sec_cb(SSL *s, void *secret, int *secret_len, STACK_OF(SSL_CIPHER) *peer_ciphers, const SSL_CIPHER **cipher, void *arg)5649 static int tls_sess_sec_cb(SSL *s, void *secret, int *secret_len,
5650 STACK_OF(SSL_CIPHER) *peer_ciphers,
5651 const SSL_CIPHER **cipher, void *arg)
5652 #else /* OPENSSL_IS_BORINGSSL */
5653 static int tls_sess_sec_cb(SSL *s, void *secret, int *secret_len,
5654 STACK_OF(SSL_CIPHER) *peer_ciphers,
5655 SSL_CIPHER **cipher, void *arg)
5656 #endif /* OPENSSL_IS_BORINGSSL */
5657 {
5658 struct tls_connection *conn = arg;
5659 int ret;
5660
5661 #if OPENSSL_VERSION_NUMBER < 0x10100000L || \
5662 (defined(LIBRESSL_VERSION_NUMBER) && \
5663 LIBRESSL_VERSION_NUMBER < 0x20700000L)
5664 if (conn == NULL || conn->session_ticket_cb == NULL)
5665 return 0;
5666
5667 ret = conn->session_ticket_cb(conn->session_ticket_cb_ctx,
5668 conn->session_ticket,
5669 conn->session_ticket_len,
5670 s->s3->client_random,
5671 s->s3->server_random, secret);
5672 #else
5673 unsigned char client_random[SSL3_RANDOM_SIZE];
5674 unsigned char server_random[SSL3_RANDOM_SIZE];
5675
5676 if (conn == NULL || conn->session_ticket_cb == NULL)
5677 return 0;
5678
5679 SSL_get_client_random(s, client_random, sizeof(client_random));
5680 SSL_get_server_random(s, server_random, sizeof(server_random));
5681
5682 ret = conn->session_ticket_cb(conn->session_ticket_cb_ctx,
5683 conn->session_ticket,
5684 conn->session_ticket_len,
5685 client_random,
5686 server_random, secret);
5687 #endif
5688
5689 os_free(conn->session_ticket);
5690 conn->session_ticket = NULL;
5691
5692 if (ret <= 0)
5693 return 0;
5694
5695 *secret_len = SSL_MAX_MASTER_KEY_LENGTH;
5696 return 1;
5697 }
5698
5699
tls_session_ticket_ext_cb(SSL *s, const unsigned char *data, int len, void *arg)5700 static int tls_session_ticket_ext_cb(SSL *s, const unsigned char *data,
5701 int len, void *arg)
5702 {
5703 struct tls_connection *conn = arg;
5704
5705 if (conn == NULL || conn->session_ticket_cb == NULL)
5706 return 0;
5707
5708 wpa_printf(MSG_DEBUG, "OpenSSL: %s: length=%d", __func__, len);
5709
5710 os_free(conn->session_ticket);
5711 conn->session_ticket = NULL;
5712
5713 wpa_hexdump(MSG_DEBUG, "OpenSSL: ClientHello SessionTicket "
5714 "extension", data, len);
5715
5716 conn->session_ticket = os_memdup(data, len);
5717 if (conn->session_ticket == NULL)
5718 return 0;
5719
5720 conn->session_ticket_len = len;
5721
5722 return 1;
5723 }
5724 #endif /* EAP_FAST_OR_TEAP */
5725
5726
tls_connection_set_session_ticket_cb(void *tls_ctx, struct tls_connection *conn, tls_session_ticket_cb cb, void *ctx)5727 int tls_connection_set_session_ticket_cb(void *tls_ctx,
5728 struct tls_connection *conn,
5729 tls_session_ticket_cb cb,
5730 void *ctx)
5731 {
5732 #ifdef EAP_FAST_OR_TEAP
5733 conn->session_ticket_cb = cb;
5734 conn->session_ticket_cb_ctx = ctx;
5735
5736 if (cb) {
5737 if (SSL_set_session_secret_cb(conn->ssl, tls_sess_sec_cb,
5738 conn) != 1)
5739 return -1;
5740 SSL_set_session_ticket_ext_cb(conn->ssl,
5741 tls_session_ticket_ext_cb, conn);
5742 } else {
5743 if (SSL_set_session_secret_cb(conn->ssl, NULL, NULL) != 1)
5744 return -1;
5745 SSL_set_session_ticket_ext_cb(conn->ssl, NULL, NULL);
5746 }
5747
5748 return 0;
5749 #else /* EAP_FAST_OR_TEAP */
5750 return -1;
5751 #endif /* EAP_FAST_OR_TEAP */
5752 }
5753
5754
tls_get_library_version(char *buf, size_t buf_len)5755 int tls_get_library_version(char *buf, size_t buf_len)
5756 {
5757 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
5758 return os_snprintf(buf, buf_len, "OpenSSL build=%s run=%s",
5759 OPENSSL_VERSION_TEXT,
5760 OpenSSL_version(OPENSSL_VERSION));
5761 #else
5762 return os_snprintf(buf, buf_len, "OpenSSL build=%s run=%s",
5763 OPENSSL_VERSION_TEXT,
5764 SSLeay_version(SSLEAY_VERSION));
5765 #endif
5766 }
5767
5768
tls_connection_set_success_data(struct tls_connection *conn, struct wpabuf *data)5769 void tls_connection_set_success_data(struct tls_connection *conn,
5770 struct wpabuf *data)
5771 {
5772 SSL_SESSION *sess;
5773 struct wpabuf *old;
5774
5775 if (tls_ex_idx_session < 0)
5776 goto fail;
5777 sess = SSL_get_session(conn->ssl);
5778 if (!sess)
5779 goto fail;
5780 old = SSL_SESSION_get_ex_data(sess, tls_ex_idx_session);
5781 if (old) {
5782 wpa_printf(MSG_DEBUG, "OpenSSL: Replacing old success data %p",
5783 old);
5784 wpabuf_free(old);
5785 }
5786 if (SSL_SESSION_set_ex_data(sess, tls_ex_idx_session, data) != 1)
5787 goto fail;
5788
5789 wpa_printf(MSG_DEBUG, "OpenSSL: Stored success data %p", data);
5790 conn->success_data = 1;
5791 return;
5792
5793 fail:
5794 wpa_printf(MSG_INFO, "OpenSSL: Failed to store success data");
5795 wpabuf_free(data);
5796 }
5797
5798
tls_connection_set_success_data_resumed(struct tls_connection *conn)5799 void tls_connection_set_success_data_resumed(struct tls_connection *conn)
5800 {
5801 wpa_printf(MSG_DEBUG,
5802 "OpenSSL: Success data accepted for resumed session");
5803 conn->success_data = 1;
5804 }
5805
5806
5807 const struct wpabuf *
tls_connection_get_success_data(struct tls_connection *conn)5808 tls_connection_get_success_data(struct tls_connection *conn)
5809 {
5810 SSL_SESSION *sess;
5811
5812 if (tls_ex_idx_session < 0 ||
5813 !(sess = SSL_get_session(conn->ssl)))
5814 return NULL;
5815 return SSL_SESSION_get_ex_data(sess, tls_ex_idx_session);
5816 }
5817
5818
tls_connection_remove_session(struct tls_connection *conn)5819 void tls_connection_remove_session(struct tls_connection *conn)
5820 {
5821 SSL_SESSION *sess;
5822
5823 sess = SSL_get_session(conn->ssl);
5824 if (!sess)
5825 return;
5826
5827 if (SSL_CTX_remove_session(conn->ssl_ctx, sess) != 1)
5828 wpa_printf(MSG_DEBUG,
5829 "OpenSSL: Session was not cached");
5830 else
5831 wpa_printf(MSG_DEBUG,
5832 "OpenSSL: Removed cached session to disable session resumption");
5833 }
5834
5835
tls_get_tls_unique(struct tls_connection *conn, u8 *buf, size_t max_len)5836 int tls_get_tls_unique(struct tls_connection *conn, u8 *buf, size_t max_len)
5837 {
5838 size_t len;
5839 int reused;
5840
5841 reused = SSL_session_reused(conn->ssl);
5842 if ((conn->server && !reused) || (!conn->server && reused))
5843 len = SSL_get_peer_finished(conn->ssl, buf, max_len);
5844 else
5845 len = SSL_get_finished(conn->ssl, buf, max_len);
5846
5847 if (len == 0 || len > max_len)
5848 return -1;
5849
5850 return len;
5851 }
5852
5853
tls_connection_get_cipher_suite(struct tls_connection *conn)5854 u16 tls_connection_get_cipher_suite(struct tls_connection *conn)
5855 {
5856 const SSL_CIPHER *cipher;
5857
5858 cipher = SSL_get_current_cipher(conn->ssl);
5859 if (!cipher)
5860 return 0;
5861 #if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
5862 return SSL_CIPHER_get_protocol_id(cipher);
5863 #else
5864 return SSL_CIPHER_get_id(cipher) & 0xFFFF;
5865 #endif
5866 }
5867
5868
tls_connection_get_peer_subject(struct tls_connection *conn)5869 const char * tls_connection_get_peer_subject(struct tls_connection *conn)
5870 {
5871 if (conn)
5872 return conn->peer_subject;
5873 return NULL;
5874 }
5875
5876
tls_connection_get_own_cert_used(struct tls_connection *conn)5877 bool tls_connection_get_own_cert_used(struct tls_connection *conn)
5878 {
5879 if (conn)
5880 return SSL_get_certificate(conn->ssl) != NULL;
5881 return false;
5882 }
5883