2 * SSL/TLS interface functions for OpenSSL
3 * Copyright (c) 2004-2015, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
11 #ifndef CONFIG_SMARTCARD
12 #ifndef OPENSSL_NO_ENGINE
14 #define OPENSSL_NO_ENGINE
19 #include <openssl/ssl.h>
20 #include <openssl/err.h>
21 #include <openssl/opensslv.h>
22 #include <openssl/pkcs12.h>
23 #include <openssl/x509v3.h>
24 #ifndef OPENSSL_NO_ENGINE
25 #include <openssl/engine.h>
26 #endif /* OPENSSL_NO_ENGINE */
27 #ifndef OPENSSL_NO_DSA
28 #include <openssl/dsa.h>
31 #include <openssl/dh.h>
39 #include "tls_openssl.h"
41 #if !defined(CONFIG_FIPS) && \
42 (defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || \
43 defined(EAP_SERVER_FAST))
44 #define OPENSSL_NEED_EAP_FAST_PRF
47 #if defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || \
48 defined(EAP_SERVER_FAST) || defined(EAP_TEAP) || \
49 defined(EAP_SERVER_TEAP)
50 #define EAP_FAST_OR_TEAP
54 #if defined(OPENSSL_IS_BORINGSSL)
55 /* stack_index_t is the return type of OpenSSL's sk_XXX_num() functions. */
56 typedef size_t stack_index_t
;
58 typedef int stack_index_t
;
61 #ifdef SSL_set_tlsext_status_type
62 #ifndef OPENSSL_NO_TLSEXT
64 #include <openssl/ocsp.h>
65 #endif /* OPENSSL_NO_TLSEXT */
66 #endif /* SSL_set_tlsext_status_type */
68 #if (OPENSSL_VERSION_NUMBER < 0x10100000L || \
69 (defined(LIBRESSL_VERSION_NUMBER) && \
70 LIBRESSL_VERSION_NUMBER < 0x20700000L)) && \
71 !defined(BORINGSSL_API_VERSION)
73 * SSL_get_client_random() and SSL_get_server_random() were added in OpenSSL
74 * 1.1.0 and newer BoringSSL revisions. Provide compatibility wrappers for
78 static size_t SSL_get_client_random(const SSL
*ssl
, unsigned char *out
,
81 if (!ssl
->s3
|| outlen
< SSL3_RANDOM_SIZE
)
83 os_memcpy(out
, ssl
->s3
->client_random
, SSL3_RANDOM_SIZE
);
84 return SSL3_RANDOM_SIZE
;
88 static size_t SSL_get_server_random(const SSL
*ssl
, unsigned char *out
,
91 if (!ssl
->s3
|| outlen
< SSL3_RANDOM_SIZE
)
93 os_memcpy(out
, ssl
->s3
->server_random
, SSL3_RANDOM_SIZE
);
94 return SSL3_RANDOM_SIZE
;
98 #ifdef OPENSSL_NEED_EAP_FAST_PRF
99 static size_t SSL_SESSION_get_master_key(const SSL_SESSION
*session
,
100 unsigned char *out
, size_t outlen
)
102 if (!session
|| session
->master_key_length
< 0 ||
103 (size_t) session
->master_key_length
> outlen
)
105 if ((size_t) session
->master_key_length
< outlen
)
106 outlen
= session
->master_key_length
;
107 os_memcpy(out
, session
->master_key
, outlen
);
110 #endif /* OPENSSL_NEED_EAP_FAST_PRF */
114 #if OPENSSL_VERSION_NUMBER < 0x10100000L || \
115 (defined(LIBRESSL_VERSION_NUMBER) && \
116 LIBRESSL_VERSION_NUMBER < 0x20700000L)
118 static int RSA_bits(const RSA
*r
)
120 return BN_num_bits(r
->n
);
122 #endif /* CONFIG_SUITEB */
125 static const unsigned char * ASN1_STRING_get0_data(const ASN1_STRING
*x
)
127 return ASN1_STRING_data((ASN1_STRING
*) x
);
132 #include <openssl/pem.h>
133 #include <keystore/keystore_get.h>
135 static BIO
* BIO_from_keystore(const char *key
)
138 uint8_t *value
= NULL
;
139 int length
= keystore_get(key
, strlen(key
), &value
);
140 if (length
!= -1 && (bio
= BIO_new(BIO_s_mem())) != NULL
)
141 BIO_write(bio
, value
, length
);
147 static int tls_add_ca_from_keystore(X509_STORE
*ctx
, const char *key_alias
)
149 BIO
*bio
= BIO_from_keystore(key_alias
);
150 STACK_OF(X509_INFO
) *stack
= NULL
;
154 stack
= PEM_X509_INFO_read_bio(bio
, NULL
, NULL
, NULL
);
159 wpa_printf(MSG_WARNING
, "TLS: Failed to parse certificate: %s",
164 for (i
= 0; i
< sk_X509_INFO_num(stack
); ++i
) {
165 X509_INFO
*info
= sk_X509_INFO_value(stack
, i
);
168 X509_STORE_add_cert(ctx
, info
->x509
);
170 X509_STORE_add_crl(ctx
, info
->crl
);
173 sk_X509_INFO_pop_free(stack
, X509_INFO_free
);
179 static int tls_add_ca_from_keystore_encoded(X509_STORE
*ctx
,
180 const char *encoded_key_alias
)
183 int len
= os_strlen(encoded_key_alias
);
184 unsigned char *decoded_alias
;
187 wpa_printf(MSG_WARNING
, "Invalid hex-encoded alias: %s",
192 decoded_alias
= os_malloc(len
/ 2 + 1);
194 if (!hexstr2bin(encoded_key_alias
, decoded_alias
, len
/ 2)) {
195 decoded_alias
[len
/ 2] = '\0';
196 rc
= tls_add_ca_from_keystore(
197 ctx
, (const char *) decoded_alias
);
199 os_free(decoded_alias
);
207 static int tls_openssl_ref_count
= 0;
208 static int tls_ex_idx_session
= -1;
211 void (*event_cb
)(void *ctx
, enum tls_event ev
,
212 union tls_event_data
*data
);
215 char *ocsp_stapling_response
;
218 static struct tls_context
*tls_global
= NULL
;
223 unsigned int tls_session_lifetime
;
225 int check_crl_strict
;
227 unsigned int crl_reload_interval
;
228 struct os_reltime crl_last_reload
;
229 char *check_cert_subject
;
232 struct tls_connection
{
233 struct tls_context
*context
;
234 struct tls_data
*data
;
237 BIO
*ssl_in
, *ssl_out
;
238 #if defined(ANDROID) || !defined(OPENSSL_NO_ENGINE)
239 ENGINE
*engine
; /* functional reference to the engine */
240 EVP_PKEY
*private_key
; /* the private key if using engine */
241 #endif /* OPENSSL_NO_ENGINE */
242 char *subject_match
, *altsubject_match
, *suffix_match
, *domain_match
;
243 char *check_cert_subject
;
244 int read_alerts
, write_alerts
, failed
;
246 tls_session_ticket_cb session_ticket_cb
;
247 void *session_ticket_cb_ctx
;
249 /* SessionTicket received from OpenSSL hello_extension_cb (server) */
251 size_t session_ticket_len
;
253 unsigned int ca_cert_verify
:1;
254 unsigned int cert_probe
:1;
255 unsigned int server_cert_only
:1;
256 unsigned int invalid_hb_used
:1;
257 unsigned int success_data
:1;
258 unsigned int client_hello_generated
:1;
259 unsigned int server
:1;
261 u8 srv_cert_hash
[32];
267 X509
*peer_issuer_issuer
;
269 unsigned char client_random
[SSL3_RANDOM_SIZE
];
270 unsigned char server_random
[SSL3_RANDOM_SIZE
];
273 int server_dh_prime_len
;
277 static struct tls_context
* tls_context_new(const struct tls_config
*conf
)
279 struct tls_context
*context
= os_zalloc(sizeof(*context
));
283 context
->event_cb
= conf
->event_cb
;
284 context
->cb_ctx
= conf
->cb_ctx
;
285 context
->cert_in_cb
= conf
->cert_in_cb
;
291 #ifdef CONFIG_NO_STDOUT_DEBUG
293 static void _tls_show_errors(void)
297 while ((err
= ERR_get_error())) {
298 /* Just ignore the errors, since stdout is disabled */
301 #define tls_show_errors(l, f, t) _tls_show_errors()
303 #else /* CONFIG_NO_STDOUT_DEBUG */
305 static void tls_show_errors(int level
, const char *func
, const char *txt
)
309 wpa_printf(level
, "OpenSSL: %s - %s %s",
310 func
, txt
, ERR_error_string(ERR_get_error(), NULL
));
312 while ((err
= ERR_get_error())) {
313 wpa_printf(MSG_INFO
, "OpenSSL: pending error: %s",
314 ERR_error_string(err
, NULL
));
318 #endif /* CONFIG_NO_STDOUT_DEBUG */
321 static X509_STORE
* tls_crl_cert_reload(const char *ca_cert
, int check_crl
)
326 store
= X509_STORE_new();
328 wpa_printf(MSG_DEBUG
,
329 "OpenSSL: %s - failed to allocate new certificate store",
334 if (ca_cert
&& X509_STORE_load_locations(store
, ca_cert
, NULL
) != 1) {
335 tls_show_errors(MSG_WARNING
, __func__
,
336 "Failed to load root certificates");
337 X509_STORE_free(store
);
341 flags
= check_crl
? X509_V_FLAG_CRL_CHECK
: 0;
343 flags
|= X509_V_FLAG_CRL_CHECK_ALL
;
345 X509_STORE_set_flags(store
, flags
);
351 #ifdef CONFIG_NATIVE_WINDOWS
353 /* Windows CryptoAPI and access to certificate stores */
354 #include <wincrypt.h>
356 #ifdef __MINGW32_VERSION
358 * MinGW does not yet include all the needed definitions for CryptoAPI, so
359 * define here whatever extra is needed.
361 #define CERT_SYSTEM_STORE_CURRENT_USER (1 << 16)
362 #define CERT_STORE_READONLY_FLAG 0x00008000
363 #define CERT_STORE_OPEN_EXISTING_FLAG 0x00004000
365 #endif /* __MINGW32_VERSION */
368 struct cryptoapi_rsa_data
{
369 const CERT_CONTEXT
*cert
;
370 HCRYPTPROV crypt_prov
;
372 BOOL free_crypt_prov
;
376 static void cryptoapi_error(const char *msg
)
378 wpa_printf(MSG_INFO
, "CryptoAPI: %s; err=%u",
379 msg
, (unsigned int) GetLastError());
383 static int cryptoapi_rsa_pub_enc(int flen
, const unsigned char *from
,
384 unsigned char *to
, RSA
*rsa
, int padding
)
386 wpa_printf(MSG_DEBUG
, "%s - not implemented", __func__
);
391 static int cryptoapi_rsa_pub_dec(int flen
, const unsigned char *from
,
392 unsigned char *to
, RSA
*rsa
, int padding
)
394 wpa_printf(MSG_DEBUG
, "%s - not implemented", __func__
);
399 static int cryptoapi_rsa_priv_enc(int flen
, const unsigned char *from
,
400 unsigned char *to
, RSA
*rsa
, int padding
)
402 struct cryptoapi_rsa_data
*priv
=
403 (struct cryptoapi_rsa_data
*) rsa
->meth
->app_data
;
405 DWORD hash_size
, len
, i
;
406 unsigned char *buf
= NULL
;
410 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT
,
411 ERR_R_PASSED_NULL_PARAMETER
);
415 if (padding
!= RSA_PKCS1_PADDING
) {
416 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT
,
417 RSA_R_UNKNOWN_PADDING_TYPE
);
421 if (flen
!= 16 /* MD5 */ + 20 /* SHA-1 */) {
422 wpa_printf(MSG_INFO
, "%s - only MD5-SHA1 hash supported",
424 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT
,
425 RSA_R_INVALID_MESSAGE_LENGTH
);
429 if (!CryptCreateHash(priv
->crypt_prov
, CALG_SSL3_SHAMD5
, 0, 0, &hash
))
431 cryptoapi_error("CryptCreateHash failed");
435 len
= sizeof(hash_size
);
436 if (!CryptGetHashParam(hash
, HP_HASHSIZE
, (BYTE
*) &hash_size
, &len
,
438 cryptoapi_error("CryptGetHashParam failed");
442 if ((int) hash_size
!= flen
) {
443 wpa_printf(MSG_INFO
, "CryptoAPI: Invalid hash size (%u != %d)",
444 (unsigned) hash_size
, flen
);
445 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT
,
446 RSA_R_INVALID_MESSAGE_LENGTH
);
449 if (!CryptSetHashParam(hash
, HP_HASHVAL
, (BYTE
* ) from
, 0)) {
450 cryptoapi_error("CryptSetHashParam failed");
455 buf
= os_malloc(len
);
457 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT
, ERR_R_MALLOC_FAILURE
);
461 if (!CryptSignHash(hash
, priv
->key_spec
, NULL
, 0, buf
, &len
)) {
462 cryptoapi_error("CryptSignHash failed");
466 for (i
= 0; i
< len
; i
++)
467 to
[i
] = buf
[len
- i
- 1];
472 CryptDestroyHash(hash
);
478 static int cryptoapi_rsa_priv_dec(int flen
, const unsigned char *from
,
479 unsigned char *to
, RSA
*rsa
, int padding
)
481 wpa_printf(MSG_DEBUG
, "%s - not implemented", __func__
);
486 static void cryptoapi_free_data(struct cryptoapi_rsa_data
*priv
)
490 if (priv
->crypt_prov
&& priv
->free_crypt_prov
)
491 CryptReleaseContext(priv
->crypt_prov
, 0);
493 CertFreeCertificateContext(priv
->cert
);
498 static int cryptoapi_finish(RSA
*rsa
)
500 cryptoapi_free_data((struct cryptoapi_rsa_data
*) rsa
->meth
->app_data
);
501 os_free((void *) rsa
->meth
);
507 static const CERT_CONTEXT
* cryptoapi_find_cert(const char *name
, DWORD store
)
510 const CERT_CONTEXT
*ret
= NULL
;
512 cs
= CertOpenStore((LPCSTR
) CERT_STORE_PROV_SYSTEM
, 0, 0,
513 store
| CERT_STORE_OPEN_EXISTING_FLAG
|
514 CERT_STORE_READONLY_FLAG
, L
"MY");
516 cryptoapi_error("Failed to open 'My system store'");
520 if (strncmp(name
, "cert://", 7) == 0) {
521 unsigned short wbuf
[255];
522 MultiByteToWideChar(CP_ACP
, 0, name
+ 7, -1, wbuf
, 255);
523 ret
= CertFindCertificateInStore(cs
, X509_ASN_ENCODING
|
525 0, CERT_FIND_SUBJECT_STR
,
527 } else if (strncmp(name
, "hash://", 7) == 0) {
528 CRYPT_HASH_BLOB blob
;
530 const char *hash
= name
+ 7;
533 len
= os_strlen(hash
) / 2;
534 buf
= os_malloc(len
);
535 if (buf
&& hexstr2bin(hash
, buf
, len
) == 0) {
538 ret
= CertFindCertificateInStore(cs
,
547 CertCloseStore(cs
, 0);
553 static int tls_cryptoapi_cert(SSL
*ssl
, const char *name
)
556 RSA
*rsa
= NULL
, *pub_rsa
;
557 struct cryptoapi_rsa_data
*priv
;
558 RSA_METHOD
*rsa_meth
;
561 (strncmp(name
, "cert://", 7) != 0 &&
562 strncmp(name
, "hash://", 7) != 0))
565 priv
= os_zalloc(sizeof(*priv
));
566 rsa_meth
= os_zalloc(sizeof(*rsa_meth
));
567 if (priv
== NULL
|| rsa_meth
== NULL
) {
568 wpa_printf(MSG_WARNING
, "CryptoAPI: Failed to allocate memory "
569 "for CryptoAPI RSA method");
575 priv
->cert
= cryptoapi_find_cert(name
, CERT_SYSTEM_STORE_CURRENT_USER
);
576 if (priv
->cert
== NULL
) {
577 priv
->cert
= cryptoapi_find_cert(
578 name
, CERT_SYSTEM_STORE_LOCAL_MACHINE
);
580 if (priv
->cert
== NULL
) {
581 wpa_printf(MSG_INFO
, "CryptoAPI: Could not find certificate "
586 cert
= d2i_X509(NULL
,
587 (const unsigned char **) &priv
->cert
->pbCertEncoded
,
588 priv
->cert
->cbCertEncoded
);
590 wpa_printf(MSG_INFO
, "CryptoAPI: Could not process X509 DER "
595 if (!CryptAcquireCertificatePrivateKey(priv
->cert
,
596 CRYPT_ACQUIRE_COMPARE_KEY_FLAG
,
597 NULL
, &priv
->crypt_prov
,
599 &priv
->free_crypt_prov
)) {
600 cryptoapi_error("Failed to acquire a private key for the "
605 rsa_meth
->name
= "Microsoft CryptoAPI RSA Method";
606 rsa_meth
->rsa_pub_enc
= cryptoapi_rsa_pub_enc
;
607 rsa_meth
->rsa_pub_dec
= cryptoapi_rsa_pub_dec
;
608 rsa_meth
->rsa_priv_enc
= cryptoapi_rsa_priv_enc
;
609 rsa_meth
->rsa_priv_dec
= cryptoapi_rsa_priv_dec
;
610 rsa_meth
->finish
= cryptoapi_finish
;
611 rsa_meth
->flags
= RSA_METHOD_FLAG_NO_CHECK
;
612 rsa_meth
->app_data
= (char *) priv
;
616 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE
,
617 ERR_R_MALLOC_FAILURE
);
621 if (!SSL_use_certificate(ssl
, cert
)) {
626 pub_rsa
= cert
->cert_info
->key
->pkey
->pkey
.rsa
;
630 rsa
->n
= BN_dup(pub_rsa
->n
);
631 rsa
->e
= BN_dup(pub_rsa
->e
);
632 if (!RSA_set_method(rsa
, rsa_meth
))
635 if (!SSL_use_RSAPrivateKey(ssl
, rsa
))
648 cryptoapi_free_data(priv
);
654 static int tls_cryptoapi_ca_cert(SSL_CTX
*ssl_ctx
, SSL
*ssl
, const char *name
)
657 PCCERT_CONTEXT ctx
= NULL
;
665 if (name
== NULL
|| strncmp(name
, "cert_store://", 13) != 0)
670 wstore
= os_malloc((os_strlen(store
) + 1) * sizeof(WCHAR
));
673 wsprintf(wstore
, L
"%S", store
);
674 cs
= CertOpenSystemStore(0, wstore
);
677 cs
= CertOpenSystemStore(0, store
);
680 wpa_printf(MSG_DEBUG
, "%s: failed to open system cert store "
681 "'%s': error=%d", __func__
, store
,
682 (int) GetLastError());
686 while ((ctx
= CertEnumCertificatesInStore(cs
, ctx
))) {
687 cert
= d2i_X509(NULL
,
688 (const unsigned char **) &ctx
->pbCertEncoded
,
691 wpa_printf(MSG_INFO
, "CryptoAPI: Could not process "
692 "X509 DER encoding for CA cert");
696 X509_NAME_oneline(X509_get_subject_name(cert
), buf
,
698 wpa_printf(MSG_DEBUG
, "OpenSSL: Loaded CA certificate for "
699 "system certificate store: subject='%s'", buf
);
701 if (!X509_STORE_add_cert(SSL_CTX_get_cert_store(ssl_ctx
),
703 tls_show_errors(MSG_WARNING
, __func__
,
704 "Failed to add ca_cert to OpenSSL "
705 "certificate store");
711 if (!CertCloseStore(cs
, 0)) {
712 wpa_printf(MSG_DEBUG
, "%s: failed to close system cert store "
713 "'%s': error=%d", __func__
, name
+ 13,
714 (int) GetLastError());
721 #else /* CONFIG_NATIVE_WINDOWS */
723 static int tls_cryptoapi_cert(SSL
*ssl
, const char *name
)
728 #endif /* CONFIG_NATIVE_WINDOWS */
731 static void ssl_info_cb(const SSL
*ssl
, int where
, int ret
)
736 wpa_printf(MSG_DEBUG
, "SSL: (where=0x%x ret=0x%x)", where
, ret
);
737 w
= where
& ~SSL_ST_MASK
;
738 if (w
& SSL_ST_CONNECT
)
740 else if (w
& SSL_ST_ACCEPT
)
745 if (where
& SSL_CB_LOOP
) {
746 wpa_printf(MSG_DEBUG
, "SSL: %s:%s",
747 str
, SSL_state_string_long(ssl
));
748 } else if (where
& SSL_CB_ALERT
) {
749 struct tls_connection
*conn
= SSL_get_app_data((SSL
*) ssl
);
750 wpa_printf(MSG_INFO
, "SSL: SSL3 alert: %s:%s:%s",
751 where
& SSL_CB_READ
?
752 "read (remote end reported an error)" :
753 "write (local SSL3 detected an error)",
754 SSL_alert_type_string_long(ret
),
755 SSL_alert_desc_string_long(ret
));
756 if ((ret
>> 8) == SSL3_AL_FATAL
) {
757 if (where
& SSL_CB_READ
)
760 conn
->write_alerts
++;
762 if (conn
->context
->event_cb
!= NULL
) {
763 union tls_event_data ev
;
764 struct tls_context
*context
= conn
->context
;
765 os_memset(&ev
, 0, sizeof(ev
));
766 ev
.alert
.is_local
= !(where
& SSL_CB_READ
);
767 ev
.alert
.type
= SSL_alert_type_string_long(ret
);
768 ev
.alert
.description
= SSL_alert_desc_string_long(ret
);
769 context
->event_cb(context
->cb_ctx
, TLS_ALERT
, &ev
);
771 } else if (where
& SSL_CB_EXIT
&& ret
<= 0) {
772 wpa_printf(MSG_DEBUG
, "SSL: %s:%s in %s",
773 str
, ret
== 0 ? "failed" : "error",
774 SSL_state_string_long(ssl
));
779 #ifndef OPENSSL_NO_ENGINE
781 * tls_engine_load_dynamic_generic - load any openssl engine
782 * @pre: an array of commands and values that load an engine initialized
783 * in the engine specific function
784 * @post: an array of commands and values that initialize an already loaded
785 * engine (or %NULL if not required)
786 * @id: the engine id of the engine to load (only required if post is not %NULL
788 * This function is a generic function that loads any openssl engine.
790 * Returns: 0 on success, -1 on failure
792 static int tls_engine_load_dynamic_generic(const char *pre
[],
793 const char *post
[], const char *id
)
796 const char *dynamic_id
= "dynamic";
798 engine
= ENGINE_by_id(id
);
800 wpa_printf(MSG_DEBUG
, "ENGINE: engine '%s' is already "
803 * If it was auto-loaded by ENGINE_by_id() we might still
804 * need to tell it which PKCS#11 module to use in legacy
805 * (non-p11-kit) environments. Do so now; even if it was
806 * properly initialised before, setting it again will be
813 engine
= ENGINE_by_id(dynamic_id
);
814 if (engine
== NULL
) {
815 wpa_printf(MSG_INFO
, "ENGINE: Can't find engine %s [%s]",
817 ERR_error_string(ERR_get_error(), NULL
));
821 /* Perform the pre commands. This will load the engine. */
822 while (pre
&& pre
[0]) {
823 wpa_printf(MSG_DEBUG
, "ENGINE: '%s' '%s'", pre
[0], pre
[1]);
824 if (ENGINE_ctrl_cmd_string(engine
, pre
[0], pre
[1], 0) == 0) {
825 wpa_printf(MSG_INFO
, "ENGINE: ctrl cmd_string failed: "
826 "%s %s [%s]", pre
[0], pre
[1],
827 ERR_error_string(ERR_get_error(), NULL
));
835 * Free the reference to the "dynamic" engine. The loaded engine can
836 * now be looked up using ENGINE_by_id().
840 engine
= ENGINE_by_id(id
);
841 if (engine
== NULL
) {
842 wpa_printf(MSG_INFO
, "ENGINE: Can't find engine %s [%s]",
843 id
, ERR_error_string(ERR_get_error(), NULL
));
847 while (post
&& post
[0]) {
848 wpa_printf(MSG_DEBUG
, "ENGINE: '%s' '%s'", post
[0], post
[1]);
849 if (ENGINE_ctrl_cmd_string(engine
, post
[0], post
[1], 0) == 0) {
850 wpa_printf(MSG_DEBUG
, "ENGINE: ctrl cmd_string failed:"
851 " %s %s [%s]", post
[0], post
[1],
852 ERR_error_string(ERR_get_error(), NULL
));
853 ENGINE_remove(engine
);
866 * tls_engine_load_dynamic_pkcs11 - load the pkcs11 engine provided by opensc
867 * @pkcs11_so_path: pksc11_so_path from the configuration
868 * @pcks11_module_path: pkcs11_module_path from the configuration
870 static int tls_engine_load_dynamic_pkcs11(const char *pkcs11_so_path
,
871 const char *pkcs11_module_path
)
873 char *engine_id
= "pkcs11";
874 const char *pre_cmd
[] = {
875 "SO_PATH", NULL
/* pkcs11_so_path */,
876 "ID", NULL
/* engine_id */,
878 /* "NO_VCHECK", "1", */
882 const char *post_cmd
[] = {
883 "MODULE_PATH", NULL
/* pkcs11_module_path */,
890 pre_cmd
[1] = pkcs11_so_path
;
891 pre_cmd
[3] = engine_id
;
892 if (pkcs11_module_path
)
893 post_cmd
[1] = pkcs11_module_path
;
897 wpa_printf(MSG_DEBUG
, "ENGINE: Loading pkcs11 Engine from %s",
900 return tls_engine_load_dynamic_generic(pre_cmd
, post_cmd
, engine_id
);
905 * tls_engine_load_dynamic_opensc - load the opensc engine provided by opensc
906 * @opensc_so_path: opensc_so_path from the configuration
908 static int tls_engine_load_dynamic_opensc(const char *opensc_so_path
)
910 char *engine_id
= "opensc";
911 const char *pre_cmd
[] = {
912 "SO_PATH", NULL
/* opensc_so_path */,
913 "ID", NULL
/* engine_id */,
922 pre_cmd
[1] = opensc_so_path
;
923 pre_cmd
[3] = engine_id
;
925 wpa_printf(MSG_DEBUG
, "ENGINE: Loading OpenSC Engine from %s",
928 return tls_engine_load_dynamic_generic(pre_cmd
, NULL
, engine_id
);
930 #endif /* OPENSSL_NO_ENGINE */
933 static void remove_session_cb(SSL_CTX
*ctx
, SSL_SESSION
*sess
)
937 if (tls_ex_idx_session
< 0)
939 buf
= SSL_SESSION_get_ex_data(sess
, tls_ex_idx_session
);
942 wpa_printf(MSG_DEBUG
,
943 "OpenSSL: Free application session data %p (sess %p)",
947 SSL_SESSION_set_ex_data(sess
, tls_ex_idx_session
, NULL
);
951 void * tls_init(const struct tls_config
*conf
)
953 struct tls_data
*data
;
955 struct tls_context
*context
;
958 if (tls_openssl_ref_count
== 0) {
959 tls_global
= context
= tls_context_new(conf
);
964 if (conf
&& conf
->fips_mode
) {
965 static int fips_enabled
= 0;
967 if (!fips_enabled
&& !FIPS_mode_set(1)) {
968 wpa_printf(MSG_ERROR
, "Failed to enable FIPS "
970 ERR_load_crypto_strings();
971 ERR_print_errors_fp(stderr
);
976 wpa_printf(MSG_INFO
, "Running in FIPS mode");
980 #else /* OPENSSL_FIPS */
981 if (conf
&& conf
->fips_mode
) {
982 wpa_printf(MSG_ERROR
, "FIPS mode requested, but not "
988 #endif /* OPENSSL_FIPS */
989 #endif /* CONFIG_FIPS */
990 #if OPENSSL_VERSION_NUMBER < 0x10100000L || \
991 (defined(LIBRESSL_VERSION_NUMBER) && \
992 LIBRESSL_VERSION_NUMBER < 0x20700000L)
993 SSL_load_error_strings();
995 #ifndef OPENSSL_NO_SHA256
996 EVP_add_digest(EVP_sha256());
997 #endif /* OPENSSL_NO_SHA256 */
998 /* TODO: if /dev/urandom is available, PRNG is seeded
999 * automatically. If this is not the case, random data should
1003 #ifndef OPENSSL_NO_RC2
1005 * 40-bit RC2 is commonly used in PKCS#12 files, so enable it.
1006 * This is enabled by PKCS12_PBE_add() in OpenSSL 0.9.8
1007 * versions, but it looks like OpenSSL 1.0.0 does not do that
1010 EVP_add_cipher(EVP_rc2_40_cbc());
1011 #endif /* OPENSSL_NO_RC2 */
1013 #endif /* PKCS12_FUNCS */
1014 #endif /* < 1.1.0 */
1016 context
= tls_context_new(conf
);
1017 if (context
== NULL
)
1020 tls_openssl_ref_count
++;
1022 data
= os_zalloc(sizeof(*data
));
1024 ssl
= SSL_CTX_new(SSLv23_method());
1028 tls_openssl_ref_count
--;
1029 if (context
!= tls_global
)
1031 if (tls_openssl_ref_count
== 0) {
1032 os_free(tls_global
);
1040 data
->tls_session_lifetime
= conf
->tls_session_lifetime
;
1041 data
->crl_reload_interval
= conf
->crl_reload_interval
;
1044 SSL_CTX_set_options(ssl
, SSL_OP_NO_SSLv2
);
1045 SSL_CTX_set_options(ssl
, SSL_OP_NO_SSLv3
);
1047 #ifdef SSL_MODE_NO_AUTO_CHAIN
1048 /* Number of deployed use cases assume the default OpenSSL behavior of
1049 * auto chaining the local certificate is in use. BoringSSL removed this
1050 * functionality by default, so we need to restore it here to avoid
1051 * breaking existing use cases. */
1052 SSL_CTX_clear_mode(ssl
, SSL_MODE_NO_AUTO_CHAIN
);
1053 #endif /* SSL_MODE_NO_AUTO_CHAIN */
1055 SSL_CTX_set_info_callback(ssl
, ssl_info_cb
);
1056 SSL_CTX_set_app_data(ssl
, context
);
1057 if (data
->tls_session_lifetime
> 0) {
1058 SSL_CTX_set_quiet_shutdown(ssl
, 1);
1060 * Set default context here. In practice, this will be replaced
1061 * by the per-EAP method context in tls_connection_set_verify().
1063 SSL_CTX_set_session_id_context(ssl
, (u8
*) "hostapd", 7);
1064 SSL_CTX_set_session_cache_mode(ssl
, SSL_SESS_CACHE_SERVER
);
1065 SSL_CTX_set_timeout(ssl
, data
->tls_session_lifetime
);
1066 SSL_CTX_sess_set_remove_cb(ssl
, remove_session_cb
);
1068 SSL_CTX_set_session_cache_mode(ssl
, SSL_SESS_CACHE_OFF
);
1071 if (tls_ex_idx_session
< 0) {
1072 tls_ex_idx_session
= SSL_SESSION_get_ex_new_index(
1073 0, NULL
, NULL
, NULL
, NULL
);
1074 if (tls_ex_idx_session
< 0) {
1080 #ifndef OPENSSL_NO_ENGINE
1081 wpa_printf(MSG_DEBUG
, "ENGINE: Loading builtin engines");
1082 ENGINE_load_builtin_engines();
1085 (conf
->opensc_engine_path
|| conf
->pkcs11_engine_path
||
1086 conf
->pkcs11_module_path
)) {
1087 if (tls_engine_load_dynamic_opensc(conf
->opensc_engine_path
) ||
1088 tls_engine_load_dynamic_pkcs11(conf
->pkcs11_engine_path
,
1089 conf
->pkcs11_module_path
)) {
1094 #endif /* OPENSSL_NO_ENGINE */
1096 if (conf
&& conf
->openssl_ciphers
)
1097 ciphers
= conf
->openssl_ciphers
;
1099 ciphers
= TLS_DEFAULT_CIPHERS
;
1100 if (SSL_CTX_set_cipher_list(ssl
, ciphers
) != 1) {
1101 wpa_printf(MSG_ERROR
,
1102 "OpenSSL: Failed to set cipher string '%s'",
1112 void tls_deinit(void *ssl_ctx
)
1114 struct tls_data
*data
= ssl_ctx
;
1115 SSL_CTX
*ssl
= data
->ssl
;
1116 struct tls_context
*context
= SSL_CTX_get_app_data(ssl
);
1117 if (context
!= tls_global
)
1119 if (data
->tls_session_lifetime
> 0)
1120 SSL_CTX_flush_sessions(ssl
, 0);
1121 os_free(data
->ca_cert
);
1124 tls_openssl_ref_count
--;
1125 if (tls_openssl_ref_count
== 0) {
1126 #if OPENSSL_VERSION_NUMBER < 0x10100000L || \
1127 (defined(LIBRESSL_VERSION_NUMBER) && \
1128 LIBRESSL_VERSION_NUMBER < 0x20700000L)
1129 #ifndef OPENSSL_NO_ENGINE
1131 #endif /* OPENSSL_NO_ENGINE */
1132 CRYPTO_cleanup_all_ex_data();
1133 ERR_remove_thread_state(NULL
);
1136 #endif /* < 1.1.0 */
1137 os_free(tls_global
->ocsp_stapling_response
);
1138 tls_global
->ocsp_stapling_response
= NULL
;
1139 os_free(tls_global
);
1143 os_free(data
->check_cert_subject
);
1148 #ifndef OPENSSL_NO_ENGINE
1150 /* Cryptoki return values */
1151 #define CKR_PIN_INCORRECT 0x000000a0
1152 #define CKR_PIN_INVALID 0x000000a1
1153 #define CKR_PIN_LEN_RANGE 0x000000a2
1156 #define ERR_LIB_PKCS11 ERR_LIB_USER
1158 static int tls_is_pin_error(unsigned int err
)
1160 return ERR_GET_LIB(err
) == ERR_LIB_PKCS11
&&
1161 (ERR_GET_REASON(err
) == CKR_PIN_INCORRECT
||
1162 ERR_GET_REASON(err
) == CKR_PIN_INVALID
||
1163 ERR_GET_REASON(err
) == CKR_PIN_LEN_RANGE
);
1166 #endif /* OPENSSL_NO_ENGINE */
1170 /* EVP_PKEY_from_keystore comes from system/security/keystore-engine. */
1171 EVP_PKEY
* EVP_PKEY_from_keystore(const char *key_id
);
1172 #endif /* ANDROID */
1174 static int tls_engine_init(struct tls_connection
*conn
, const char *engine_id
,
1175 const char *pin
, const char *key_id
,
1176 const char *cert_id
, const char *ca_cert_id
)
1178 #if defined(ANDROID) && defined(OPENSSL_IS_BORINGSSL)
1179 #if !defined(OPENSSL_NO_ENGINE)
1180 #error "This code depends on OPENSSL_NO_ENGINE being defined by BoringSSL."
1183 return TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED
;
1184 conn
->engine
= NULL
;
1185 conn
->private_key
= EVP_PKEY_from_keystore(key_id
);
1186 if (!conn
->private_key
) {
1187 wpa_printf(MSG_ERROR
,
1188 "ENGINE: cannot load private key with id '%s' [%s]",
1190 ERR_error_string(ERR_get_error(), NULL
));
1191 return TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED
;
1193 #endif /* ANDROID && OPENSSL_IS_BORINGSSL */
1195 #ifndef OPENSSL_NO_ENGINE
1197 if (engine_id
== NULL
) {
1198 wpa_printf(MSG_ERROR
, "ENGINE: Engine ID not set");
1204 ENGINE_load_dynamic();
1206 conn
->engine
= ENGINE_by_id(engine_id
);
1207 if (!conn
->engine
) {
1208 wpa_printf(MSG_ERROR
, "ENGINE: engine %s not available [%s]",
1209 engine_id
, ERR_error_string(ERR_get_error(), NULL
));
1212 if (ENGINE_init(conn
->engine
) != 1) {
1213 wpa_printf(MSG_ERROR
, "ENGINE: engine init failed "
1214 "(engine: %s) [%s]", engine_id
,
1215 ERR_error_string(ERR_get_error(), NULL
));
1218 wpa_printf(MSG_DEBUG
, "ENGINE: engine initialized");
1221 if (pin
&& ENGINE_ctrl_cmd_string(conn
->engine
, "PIN", pin
, 0) == 0) {
1222 wpa_printf(MSG_ERROR
, "ENGINE: cannot set pin [%s]",
1223 ERR_error_string(ERR_get_error(), NULL
));
1229 * Ensure that the ENGINE does not attempt to use the OpenSSL
1230 * UI system to obtain a PIN, if we didn't provide one.
1233 const void *password
;
1234 const char *prompt_info
;
1235 } key_cb
= { "", NULL
};
1237 /* load private key first in-case PIN is required for cert */
1238 conn
->private_key
= ENGINE_load_private_key(conn
->engine
,
1241 if (!conn
->private_key
) {
1242 unsigned long err
= ERR_get_error();
1244 wpa_printf(MSG_ERROR
,
1245 "ENGINE: cannot load private key with id '%s' [%s]",
1247 ERR_error_string(err
, NULL
));
1248 if (tls_is_pin_error(err
))
1249 ret
= TLS_SET_PARAMS_ENGINE_PRV_BAD_PIN
;
1251 ret
= TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED
;
1256 /* handle a certificate and/or CA certificate */
1257 if (cert_id
|| ca_cert_id
) {
1258 const char *cmd_name
= "LOAD_CERT_CTRL";
1260 /* test if the engine supports a LOAD_CERT_CTRL */
1261 if (!ENGINE_ctrl(conn
->engine
, ENGINE_CTRL_GET_CMD_FROM_NAME
,
1262 0, (void *)cmd_name
, NULL
)) {
1263 wpa_printf(MSG_ERROR
, "ENGINE: engine does not support"
1264 " loading certificates");
1265 ret
= TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED
;
1274 ENGINE_free(conn
->engine
);
1275 conn
->engine
= NULL
;
1278 if (conn
->private_key
) {
1279 EVP_PKEY_free(conn
->private_key
);
1280 conn
->private_key
= NULL
;
1284 #else /* OPENSSL_NO_ENGINE */
1286 #endif /* OPENSSL_NO_ENGINE */
1290 static void tls_engine_deinit(struct tls_connection
*conn
)
1292 #if defined(ANDROID) || !defined(OPENSSL_NO_ENGINE)
1293 wpa_printf(MSG_DEBUG
, "ENGINE: engine deinit");
1294 if (conn
->private_key
) {
1295 EVP_PKEY_free(conn
->private_key
);
1296 conn
->private_key
= NULL
;
1299 #if !defined(OPENSSL_IS_BORINGSSL)
1300 ENGINE_finish(conn
->engine
);
1301 #endif /* !OPENSSL_IS_BORINGSSL */
1302 conn
->engine
= NULL
;
1304 #endif /* ANDROID || !OPENSSL_NO_ENGINE */
1308 int tls_get_errors(void *ssl_ctx
)
1313 while ((err
= ERR_get_error())) {
1314 wpa_printf(MSG_INFO
, "TLS - SSL error: %s",
1315 ERR_error_string(err
, NULL
));
1323 static const char * openssl_content_type(int content_type
)
1325 switch (content_type
) {
1327 return "change cipher spec";
1333 return "application data";
1337 return "TLS header info"; /* pseudo content type */
1344 static const char * openssl_handshake_type(int content_type
, const u8
*buf
,
1347 if (content_type
!= 22 || !buf
|| len
== 0)
1351 return "hello request";
1353 return "client hello";
1355 return "server hello";
1357 return "hello verify request";
1359 return "new session ticket";
1361 return "end of early data";
1363 return "hello retry request";
1365 return "encrypted extensions";
1367 return "certificate";
1369 return "server key exchange";
1371 return "certificate request";
1373 return "server hello done";
1375 return "certificate verify";
1377 return "client key exchange";
1381 return "certificate url";
1383 return "certificate status";
1385 return "supplemental data";
1387 return "key update";
1389 return "message hash";
1396 #ifdef CONFIG_SUITEB
1398 static void check_server_hello(struct tls_connection
*conn
,
1399 const u8
*pos
, const u8
*end
)
1401 size_t payload_len
, id_len
;
1404 * Parse ServerHello to get the selected cipher suite since OpenSSL does
1405 * not make it cleanly available during handshake and we need to know
1406 * whether DHE was selected.
1411 payload_len
= WPA_GET_BE24(pos
);
1414 if ((size_t) (end
- pos
) < payload_len
)
1416 end
= pos
+ payload_len
;
1418 /* Skip Version and Random */
1419 if (end
- pos
< 2 + SSL3_RANDOM_SIZE
)
1421 pos
+= 2 + SSL3_RANDOM_SIZE
;
1423 /* Skip Session ID */
1427 if ((size_t) (end
- pos
) < id_len
)
1433 conn
->cipher_suite
= WPA_GET_BE16(pos
);
1434 wpa_printf(MSG_DEBUG
, "OpenSSL: Server selected cipher suite 0x%x",
1435 conn
->cipher_suite
);
1439 static void check_server_key_exchange(SSL
*ssl
, struct tls_connection
*conn
,
1440 const u8
*pos
, const u8
*end
)
1447 if (!(conn
->flags
& TLS_CONN_SUITEB
))
1450 /* DHE is enabled only with DHE-RSA-AES256-GCM-SHA384 */
1451 if (conn
->cipher_suite
!= 0x9f)
1456 payload_len
= WPA_GET_BE24(pos
);
1459 if ((size_t) (end
- pos
) < payload_len
)
1461 end
= pos
+ payload_len
;
1465 dh_len
= WPA_GET_BE16(pos
);
1468 if ((size_t) (end
- pos
) < dh_len
)
1470 p
= BN_bin2bn(pos
, dh_len
, NULL
);
1474 bits
= BN_num_bits(p
);
1477 conn
->server_dh_prime_len
= bits
;
1478 wpa_printf(MSG_DEBUG
, "OpenSSL: Server DH prime length: %d bits",
1479 conn
->server_dh_prime_len
);
1482 #endif /* CONFIG_SUITEB */
1485 static void tls_msg_cb(int write_p
, int version
, int content_type
,
1486 const void *buf
, size_t len
, SSL
*ssl
, void *arg
)
1488 struct tls_connection
*conn
= arg
;
1489 const u8
*pos
= buf
;
1492 wpa_printf(MSG_DEBUG
,
1493 "OpenSSL: session ver=0x%x content_type=%d",
1494 version
, content_type
);
1495 wpa_hexdump_key(MSG_MSGDUMP
, "OpenSSL: Data", buf
, len
);
1499 wpa_printf(MSG_DEBUG
, "OpenSSL: %s ver=0x%x content_type=%d (%s/%s)",
1500 write_p
? "TX" : "RX", version
, content_type
,
1501 openssl_content_type(content_type
),
1502 openssl_handshake_type(content_type
, buf
, len
));
1503 wpa_hexdump_key(MSG_MSGDUMP
, "OpenSSL: Message", buf
, len
);
1504 if (content_type
== 24 && len
>= 3 && pos
[0] == 1) {
1505 size_t payload_len
= WPA_GET_BE16(pos
+ 1);
1506 if (payload_len
+ 3 > len
) {
1507 wpa_printf(MSG_ERROR
, "OpenSSL: Heartbeat attack detected");
1508 conn
->invalid_hb_used
= 1;
1512 #ifdef CONFIG_SUITEB
1514 * Need to parse these handshake messages to be able to check DH prime
1515 * length since OpenSSL does not expose the new cipher suite and DH
1516 * parameters during handshake (e.g., for cert_cb() callback).
1518 if (content_type
== 22 && pos
&& len
> 0 && pos
[0] == 2)
1519 check_server_hello(conn
, pos
+ 1, pos
+ len
);
1520 if (content_type
== 22 && pos
&& len
> 0 && pos
[0] == 12)
1521 check_server_key_exchange(ssl
, conn
, pos
+ 1, pos
+ len
);
1522 #endif /* CONFIG_SUITEB */
1526 struct tls_connection
* tls_connection_init(void *ssl_ctx
)
1528 struct tls_data
*data
= ssl_ctx
;
1529 SSL_CTX
*ssl
= data
->ssl
;
1530 struct tls_connection
*conn
;
1532 X509_STORE
*new_cert_store
;
1533 struct os_reltime now
;
1534 struct tls_context
*context
= SSL_CTX_get_app_data(ssl
);
1536 /* Replace X509 store if it is time to update CRL. */
1537 if (data
->crl_reload_interval
> 0 && os_get_reltime(&now
) == 0 &&
1538 os_reltime_expired(&now
, &data
->crl_last_reload
,
1539 data
->crl_reload_interval
)) {
1540 wpa_printf(MSG_INFO
,
1541 "OpenSSL: Flushing X509 store with ca_cert file");
1542 new_cert_store
= tls_crl_cert_reload(data
->ca_cert
,
1544 if (!new_cert_store
) {
1545 wpa_printf(MSG_ERROR
,
1546 "OpenSSL: Error replacing X509 store with ca_cert file");
1548 /* Replace old store */
1549 SSL_CTX_set_cert_store(ssl
, new_cert_store
);
1550 data
->crl_last_reload
= now
;
1554 conn
= os_zalloc(sizeof(*conn
));
1558 conn
->ssl_ctx
= ssl
;
1559 conn
->ssl
= SSL_new(ssl
);
1560 if (conn
->ssl
== NULL
) {
1561 tls_show_errors(MSG_INFO
, __func__
,
1562 "Failed to initialize new SSL connection");
1567 conn
->context
= context
;
1568 SSL_set_app_data(conn
->ssl
, conn
);
1569 SSL_set_msg_callback(conn
->ssl
, tls_msg_cb
);
1570 SSL_set_msg_callback_arg(conn
->ssl
, conn
);
1571 options
= SSL_OP_NO_SSLv2
| SSL_OP_NO_SSLv3
|
1572 SSL_OP_SINGLE_DH_USE
;
1573 #ifdef SSL_OP_NO_COMPRESSION
1574 options
|= SSL_OP_NO_COMPRESSION
;
1575 #endif /* SSL_OP_NO_COMPRESSION */
1576 SSL_set_options(conn
->ssl
, options
);
1578 conn
->ssl_in
= BIO_new(BIO_s_mem());
1579 if (!conn
->ssl_in
) {
1580 tls_show_errors(MSG_INFO
, __func__
,
1581 "Failed to create a new BIO for ssl_in");
1582 SSL_free(conn
->ssl
);
1587 conn
->ssl_out
= BIO_new(BIO_s_mem());
1588 if (!conn
->ssl_out
) {
1589 tls_show_errors(MSG_INFO
, __func__
,
1590 "Failed to create a new BIO for ssl_out");
1591 SSL_free(conn
->ssl
);
1592 BIO_free(conn
->ssl_in
);
1597 SSL_set_bio(conn
->ssl
, conn
->ssl_in
, conn
->ssl_out
);
1603 void tls_connection_deinit(void *ssl_ctx
, struct tls_connection
*conn
)
1607 if (conn
->success_data
) {
1609 * Make sure ssl_clear_bad_session() does not remove this
1612 SSL_set_quiet_shutdown(conn
->ssl
, 1);
1613 SSL_shutdown(conn
->ssl
);
1615 SSL_free(conn
->ssl
);
1616 tls_engine_deinit(conn
);
1617 os_free(conn
->subject_match
);
1618 os_free(conn
->altsubject_match
);
1619 os_free(conn
->suffix_match
);
1620 os_free(conn
->domain_match
);
1621 os_free(conn
->check_cert_subject
);
1622 os_free(conn
->session_ticket
);
1627 int tls_connection_established(void *ssl_ctx
, struct tls_connection
*conn
)
1629 return conn
? SSL_is_init_finished(conn
->ssl
) : 0;
1633 char * tls_connection_peer_serial_num(void *tls_ctx
,
1634 struct tls_connection
*conn
)
1640 if (!conn
->peer_cert
)
1643 ser
= X509_get_serialNumber(conn
->peer_cert
);
1647 len
= ASN1_STRING_length(ser
) * 2 + 1;
1648 serial_num
= os_malloc(len
);
1651 wpa_snprintf_hex_uppercase(serial_num
, len
,
1652 ASN1_STRING_get0_data(ser
),
1653 ASN1_STRING_length(ser
));
1658 int tls_connection_shutdown(void *ssl_ctx
, struct tls_connection
*conn
)
1663 /* Shutdown previous TLS connection without notifying the peer
1664 * because the connection was already terminated in practice
1665 * and "close notify" shutdown alert would confuse AS. */
1666 SSL_set_quiet_shutdown(conn
->ssl
, 1);
1667 SSL_shutdown(conn
->ssl
);
1668 return SSL_clear(conn
->ssl
) == 1 ? 0 : -1;
1672 static int tls_match_altsubject_component(X509
*cert
, int type
,
1673 const char *value
, size_t len
)
1680 ext
= X509_get_ext_d2i(cert
, NID_subject_alt_name
, NULL
, NULL
);
1682 for (i
= 0; ext
&& i
< sk_GENERAL_NAME_num(ext
); i
++) {
1683 gen
= sk_GENERAL_NAME_value(ext
, i
);
1684 if (gen
->type
!= type
)
1686 if (os_strlen((char *) gen
->d
.ia5
->data
) == len
&&
1687 os_memcmp(value
, gen
->d
.ia5
->data
, len
) == 0)
1691 sk_GENERAL_NAME_pop_free(ext
, GENERAL_NAME_free
);
1697 static int tls_match_altsubject(X509
*cert
, const char *match
)
1700 const char *pos
, *end
;
1705 if (os_strncmp(pos
, "EMAIL:", 6) == 0) {
1708 } else if (os_strncmp(pos
, "DNS:", 4) == 0) {
1711 } else if (os_strncmp(pos
, "URI:", 4) == 0) {
1715 wpa_printf(MSG_INFO
, "TLS: Invalid altSubjectName "
1719 end
= os_strchr(pos
, ';');
1721 if (os_strncmp(end
+ 1, "EMAIL:", 6) == 0 ||
1722 os_strncmp(end
+ 1, "DNS:", 4) == 0 ||
1723 os_strncmp(end
+ 1, "URI:", 4) == 0)
1725 end
= os_strchr(end
+ 1, ';');
1730 len
= os_strlen(pos
);
1731 if (tls_match_altsubject_component(cert
, type
, pos
, len
) > 0)
1740 #ifndef CONFIG_NATIVE_WINDOWS
1741 static int domain_suffix_match(const u8
*val
, size_t len
, const char *match
,
1742 size_t match_len
, int full
)
1746 /* Check for embedded nuls that could mess up suffix matching */
1747 for (i
= 0; i
< len
; i
++) {
1748 if (val
[i
] == '\0') {
1749 wpa_printf(MSG_DEBUG
, "TLS: Embedded null in a string - reject");
1754 if (match_len
> len
|| (full
&& match_len
!= len
))
1757 if (os_strncasecmp((const char *) val
+ len
- match_len
, match
,
1759 return 0; /* no match */
1761 if (match_len
== len
)
1762 return 1; /* exact match */
1764 if (val
[len
- match_len
- 1] == '.')
1765 return 1; /* full label match completes suffix match */
1767 wpa_printf(MSG_DEBUG
, "TLS: Reject due to incomplete label match");
1770 #endif /* CONFIG_NATIVE_WINDOWS */
1773 struct tls_dn_field_order_cnt
{
1784 static int get_dn_field_index(const struct tls_dn_field_order_cnt
*dn_cnt
,
1788 case NID_commonName
:
1790 case NID_countryName
:
1792 case NID_localityName
:
1794 case NID_stateOrProvinceName
:
1796 case NID_organizationName
:
1798 case NID_organizationalUnitName
:
1800 case NID_pkcs9_emailAddress
:
1801 return dn_cnt
->email
;
1803 wpa_printf(MSG_ERROR
,
1804 "TLS: Unknown NID '%d' in check_cert_subject",
1812 * match_dn_field - Match configuration DN field against Certificate DN field
1813 * @cert: Certificate
1814 * @nid: NID of DN field
1815 * @field: Field name
1816 * @value DN field value which is passed from configuration
1817 * e.g., if configuration have C=US and this argument will point to US.
1818 * @dn_cnt: DN matching context
1819 * Returns: 1 on success and 0 on failure
1821 static int match_dn_field(const X509
*cert
, int nid
, const char *field
,
1823 const struct tls_dn_field_order_cnt
*dn_cnt
)
1825 int i
, ret
= 0, len
, config_dn_field_index
, match_index
= 0;
1828 len
= os_strlen(value
);
1829 name
= X509_get_subject_name((X509
*) cert
);
1831 /* Assign incremented cnt for every field of DN to check DN field in
1833 config_dn_field_index
= get_dn_field_index(dn_cnt
, nid
);
1834 if (config_dn_field_index
< 0)
1837 /* Fetch value based on NID */
1838 for (i
= -1; (i
= X509_NAME_get_index_by_NID(name
, nid
, i
)) > -1;) {
1842 e
= X509_NAME_get_entry(name
, i
);
1846 cn
= X509_NAME_ENTRY_get_data(e
);
1852 /* check for more than one DN field with same name */
1853 if (match_index
!= config_dn_field_index
)
1856 /* Check wildcard at the right end side */
1857 /* E.g., if OU=develop* mentioned in configuration, allow 'OU'
1858 * of the subject in the client certificate to start with
1860 if (len
> 0 && value
[len
- 1] == '*') {
1861 /* Compare actual certificate DN field value with
1862 * configuration DN field value up to the specified
1864 ret
= ASN1_STRING_length(cn
) >= len
- 1 &&
1865 os_memcmp(ASN1_STRING_get0_data(cn
), value
,
1868 /* Compare actual certificate DN field value with
1869 * configuration DN field value */
1870 ret
= ASN1_STRING_length(cn
) == len
&&
1871 os_memcmp(ASN1_STRING_get0_data(cn
), value
,
1875 wpa_printf(MSG_ERROR
,
1876 "OpenSSL: Failed to match %s '%s' with certificate DN field value '%s'",
1877 field
, value
, ASN1_STRING_get0_data(cn
));
1887 * get_value_from_field - Get value from DN field
1888 * @cert: Certificate
1889 * @field_str: DN field string which is passed from configuration file (e.g.,
1891 * @dn_cnt: DN matching context
1892 * Returns: 1 on success and 0 on failure
1894 static int get_value_from_field(const X509
*cert
, char *field_str
,
1895 struct tls_dn_field_order_cnt
*dn_cnt
)
1898 char *context
= NULL
, *name
, *value
;
1900 if (os_strcmp(field_str
, "*") == 0)
1901 return 1; /* wildcard matches everything */
1903 name
= str_token(field_str
, "=", &context
);
1907 /* Compare all configured DN fields and assign nid based on that to
1908 * fetch correct value from certificate subject */
1909 if (os_strcmp(name
, "CN") == 0) {
1910 nid
= NID_commonName
;
1912 } else if(os_strcmp(name
, "C") == 0) {
1913 nid
= NID_countryName
;
1915 } else if (os_strcmp(name
, "L") == 0) {
1916 nid
= NID_localityName
;
1918 } else if (os_strcmp(name
, "ST") == 0) {
1919 nid
= NID_stateOrProvinceName
;
1921 } else if (os_strcmp(name
, "O") == 0) {
1922 nid
= NID_organizationName
;
1924 } else if (os_strcmp(name
, "OU") == 0) {
1925 nid
= NID_organizationalUnitName
;
1927 } else if (os_strcmp(name
, "emailAddress") == 0) {
1928 nid
= NID_pkcs9_emailAddress
;
1931 wpa_printf(MSG_ERROR
,
1932 "TLS: Unknown field '%s' in check_cert_subject", name
);
1936 value
= str_token(field_str
, "=", &context
);
1938 wpa_printf(MSG_ERROR
,
1939 "TLS: Distinguished Name field '%s' value is not defined in check_cert_subject",
1944 return match_dn_field(cert
, nid
, name
, value
, dn_cnt
);
1949 * tls_match_dn_field - Match subject DN field with check_cert_subject
1950 * @cert: Certificate
1951 * @match: check_cert_subject string
1952 * Returns: Return 1 on success and 0 on failure
1954 static int tls_match_dn_field(X509
*cert
, const char *match
)
1956 const char *token
, *last
= NULL
;
1958 struct tls_dn_field_order_cnt dn_cnt
;
1960 os_memset(&dn_cnt
, 0, sizeof(dn_cnt
));
1962 /* Maximum length of each DN field is 255 characters */
1964 /* Process each '/' delimited field */
1965 while ((token
= cstr_token(match
, "/", &last
))) {
1966 if (last
- token
>= (int) sizeof(field
)) {
1967 wpa_printf(MSG_ERROR
,
1968 "OpenSSL: Too long DN matching field value in '%s'",
1972 os_memcpy(field
, token
, last
- token
);
1973 field
[last
- token
] = '\0';
1975 if (!get_value_from_field(cert
, field
, &dn_cnt
)) {
1976 wpa_printf(MSG_DEBUG
, "OpenSSL: No match for DN '%s'",
1986 #ifndef CONFIG_NATIVE_WINDOWS
1987 static int tls_match_suffix_helper(X509
*cert
, const char *match
,
1988 size_t match_len
, int full
)
1997 wpa_printf(MSG_DEBUG
, "TLS: Match domain against %s%s",
1998 full
? "": "suffix ", match
);
2000 ext
= X509_get_ext_d2i(cert
, NID_subject_alt_name
, NULL
, NULL
);
2002 for (j
= 0; ext
&& j
< sk_GENERAL_NAME_num(ext
); j
++) {
2003 gen
= sk_GENERAL_NAME_value(ext
, j
);
2004 if (gen
->type
!= GEN_DNS
)
2007 wpa_hexdump_ascii(MSG_DEBUG
, "TLS: Certificate dNSName",
2008 gen
->d
.dNSName
->data
,
2009 gen
->d
.dNSName
->length
);
2010 if (domain_suffix_match(gen
->d
.dNSName
->data
,
2011 gen
->d
.dNSName
->length
,
2012 match
, match_len
, full
) == 1) {
2013 wpa_printf(MSG_DEBUG
, "TLS: %s in dNSName found",
2014 full
? "Match" : "Suffix match");
2015 sk_GENERAL_NAME_pop_free(ext
, GENERAL_NAME_free
);
2019 sk_GENERAL_NAME_pop_free(ext
, GENERAL_NAME_free
);
2022 wpa_printf(MSG_DEBUG
, "TLS: None of the dNSName(s) matched");
2026 name
= X509_get_subject_name(cert
);
2032 i
= X509_NAME_get_index_by_NID(name
, NID_commonName
, i
);
2035 e
= X509_NAME_get_entry(name
, i
);
2038 cn
= X509_NAME_ENTRY_get_data(e
);
2041 wpa_hexdump_ascii(MSG_DEBUG
, "TLS: Certificate commonName",
2042 cn
->data
, cn
->length
);
2043 if (domain_suffix_match(cn
->data
, cn
->length
,
2044 match
, match_len
, full
) == 1) {
2045 wpa_printf(MSG_DEBUG
, "TLS: %s in commonName found",
2046 full
? "Match" : "Suffix match");
2051 wpa_printf(MSG_DEBUG
, "TLS: No CommonName %smatch found",
2052 full
? "": "suffix ");
2055 #endif /* CONFIG_NATIVE_WINDOWS */
2058 static int tls_match_suffix(X509
*cert
, const char *match
, int full
)
2060 #ifdef CONFIG_NATIVE_WINDOWS
2061 /* wincrypt.h has conflicting X509_NAME definition */
2063 #else /* CONFIG_NATIVE_WINDOWS */
2064 const char *token
, *last
= NULL
;
2066 /* Process each match alternative separately until a match is found */
2067 while ((token
= cstr_token(match
, ";", &last
))) {
2068 if (tls_match_suffix_helper(cert
, token
, last
- token
, full
))
2073 #endif /* CONFIG_NATIVE_WINDOWS */
2077 static enum tls_fail_reason
openssl_tls_fail_reason(int err
)
2080 case X509_V_ERR_CERT_REVOKED
:
2081 return TLS_FAIL_REVOKED
;
2082 case X509_V_ERR_CERT_NOT_YET_VALID
:
2083 case X509_V_ERR_CRL_NOT_YET_VALID
:
2084 return TLS_FAIL_NOT_YET_VALID
;
2085 case X509_V_ERR_CERT_HAS_EXPIRED
:
2086 case X509_V_ERR_CRL_HAS_EXPIRED
:
2087 return TLS_FAIL_EXPIRED
;
2088 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
:
2089 case X509_V_ERR_UNABLE_TO_GET_CRL
:
2090 case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
:
2091 case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
:
2092 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
:
2093 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
:
2094 case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
:
2095 case X509_V_ERR_CERT_CHAIN_TOO_LONG
:
2096 case X509_V_ERR_PATH_LENGTH_EXCEEDED
:
2097 case X509_V_ERR_INVALID_CA
:
2098 return TLS_FAIL_UNTRUSTED
;
2099 case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE
:
2100 case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE
:
2101 case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
:
2102 case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
:
2103 case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
:
2104 case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD
:
2105 case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD
:
2106 case X509_V_ERR_CERT_UNTRUSTED
:
2107 case X509_V_ERR_CERT_REJECTED
:
2108 return TLS_FAIL_BAD_CERTIFICATE
;
2110 return TLS_FAIL_UNSPECIFIED
;
2115 static struct wpabuf
* get_x509_cert(X509
*cert
)
2120 int cert_len
= i2d_X509(cert
, NULL
);
2124 buf
= wpabuf_alloc(cert_len
);
2128 tmp
= wpabuf_put(buf
, cert_len
);
2129 i2d_X509(cert
, &tmp
);
2134 static void openssl_tls_fail_event(struct tls_connection
*conn
,
2135 X509
*err_cert
, int err
, int depth
,
2136 const char *subject
, const char *err_str
,
2137 enum tls_fail_reason reason
)
2139 union tls_event_data ev
;
2140 struct wpabuf
*cert
= NULL
;
2141 struct tls_context
*context
= conn
->context
;
2143 if (context
->event_cb
== NULL
)
2146 cert
= get_x509_cert(err_cert
);
2147 os_memset(&ev
, 0, sizeof(ev
));
2148 ev
.cert_fail
.reason
= reason
!= TLS_FAIL_UNSPECIFIED
?
2149 reason
: openssl_tls_fail_reason(err
);
2150 ev
.cert_fail
.depth
= depth
;
2151 ev
.cert_fail
.subject
= subject
;
2152 ev
.cert_fail
.reason_txt
= err_str
;
2153 ev
.cert_fail
.cert
= cert
;
2154 context
->event_cb(context
->cb_ctx
, TLS_CERT_CHAIN_FAILURE
, &ev
);
2159 static int openssl_cert_tod(X509
*cert
)
2161 CERTIFICATEPOLICIES
*ext
;
2167 ext
= X509_get_ext_d2i(cert
, NID_certificate_policies
, NULL
, NULL
);
2171 for (i
= 0; i
< sk_POLICYINFO_num(ext
); i
++) {
2174 policy
= sk_POLICYINFO_value(ext
, i
);
2175 res
= OBJ_obj2txt(buf
, sizeof(buf
), policy
->policyid
, 0);
2176 if (res
< 0 || (size_t) res
>= sizeof(buf
))
2178 wpa_printf(MSG_DEBUG
, "OpenSSL: Certificate Policy %s", buf
);
2179 if (os_strcmp(buf
, "1.3.6.1.4.1.40808.1.3.1") == 0)
2187 static void openssl_tls_cert_event(struct tls_connection
*conn
,
2188 X509
*err_cert
, int depth
,
2189 const char *subject
)
2191 struct wpabuf
*cert
= NULL
;
2192 union tls_event_data ev
;
2193 struct tls_context
*context
= conn
->context
;
2194 char *altsubject
[TLS_MAX_ALT_SUBJECT
];
2195 int alt
, num_altsubject
= 0;
2200 char serial_num
[128];
2201 #ifdef CONFIG_SHA256
2203 #endif /* CONFIG_SHA256 */
2205 if (context
->event_cb
== NULL
)
2208 os_memset(&ev
, 0, sizeof(ev
));
2209 if (conn
->cert_probe
|| (conn
->flags
& TLS_CONN_EXT_CERT_CHECK
) ||
2210 context
->cert_in_cb
) {
2211 cert
= get_x509_cert(err_cert
);
2212 ev
.peer_cert
.cert
= cert
;
2214 #ifdef CONFIG_SHA256
2218 addr
[0] = wpabuf_head(cert
);
2219 len
[0] = wpabuf_len(cert
);
2220 if (sha256_vector(1, addr
, len
, hash
) == 0) {
2221 ev
.peer_cert
.hash
= hash
;
2222 ev
.peer_cert
.hash_len
= sizeof(hash
);
2225 #endif /* CONFIG_SHA256 */
2226 ev
.peer_cert
.depth
= depth
;
2227 ev
.peer_cert
.subject
= subject
;
2229 ser
= X509_get_serialNumber(err_cert
);
2231 wpa_snprintf_hex_uppercase(serial_num
, sizeof(serial_num
),
2232 ASN1_STRING_get0_data(ser
),
2233 ASN1_STRING_length(ser
));
2234 ev
.peer_cert
.serial_num
= serial_num
;
2237 ext
= X509_get_ext_d2i(err_cert
, NID_subject_alt_name
, NULL
, NULL
);
2238 for (i
= 0; ext
&& i
< sk_GENERAL_NAME_num(ext
); i
++) {
2241 if (num_altsubject
== TLS_MAX_ALT_SUBJECT
)
2243 gen
= sk_GENERAL_NAME_value(ext
, i
);
2244 if (gen
->type
!= GEN_EMAIL
&&
2245 gen
->type
!= GEN_DNS
&&
2246 gen
->type
!= GEN_URI
)
2249 pos
= os_malloc(10 + gen
->d
.ia5
->length
+ 1);
2252 altsubject
[num_altsubject
++] = pos
;
2254 switch (gen
->type
) {
2256 os_memcpy(pos
, "EMAIL:", 6);
2260 os_memcpy(pos
, "DNS:", 4);
2264 os_memcpy(pos
, "URI:", 4);
2269 os_memcpy(pos
, gen
->d
.ia5
->data
, gen
->d
.ia5
->length
);
2270 pos
+= gen
->d
.ia5
->length
;
2273 sk_GENERAL_NAME_pop_free(ext
, GENERAL_NAME_free
);
2275 for (alt
= 0; alt
< num_altsubject
; alt
++)
2276 ev
.peer_cert
.altsubject
[alt
] = altsubject
[alt
];
2277 ev
.peer_cert
.num_altsubject
= num_altsubject
;
2279 ev
.peer_cert
.tod
= openssl_cert_tod(err_cert
);
2281 context
->event_cb(context
->cb_ctx
, TLS_PEER_CERTIFICATE
, &ev
);
2283 for (alt
= 0; alt
< num_altsubject
; alt
++)
2284 os_free(altsubject
[alt
]);
2288 static int tls_verify_cb(int preverify_ok
, X509_STORE_CTX
*x509_ctx
)
2294 struct tls_connection
*conn
;
2295 struct tls_context
*context
;
2296 char *match
, *altmatch
, *suffix_match
, *domain_match
;
2297 const char *check_cert_subject
;
2298 const char *err_str
;
2300 err_cert
= X509_STORE_CTX_get_current_cert(x509_ctx
);
2304 err
= X509_STORE_CTX_get_error(x509_ctx
);
2305 depth
= X509_STORE_CTX_get_error_depth(x509_ctx
);
2306 ssl
= X509_STORE_CTX_get_ex_data(x509_ctx
,
2307 SSL_get_ex_data_X509_STORE_CTX_idx());
2308 X509_NAME_oneline(X509_get_subject_name(err_cert
), buf
, sizeof(buf
));
2310 conn
= SSL_get_app_data(ssl
);
2315 conn
->peer_cert
= err_cert
;
2316 else if (depth
== 1)
2317 conn
->peer_issuer
= err_cert
;
2318 else if (depth
== 2)
2319 conn
->peer_issuer_issuer
= err_cert
;
2321 context
= conn
->context
;
2322 match
= conn
->subject_match
;
2323 altmatch
= conn
->altsubject_match
;
2324 suffix_match
= conn
->suffix_match
;
2325 domain_match
= conn
->domain_match
;
2327 if (!preverify_ok
&& !conn
->ca_cert_verify
)
2329 if (!preverify_ok
&& depth
> 0 && conn
->server_cert_only
)
2331 if (!preverify_ok
&& (conn
->flags
& TLS_CONN_DISABLE_TIME_CHECKS
) &&
2332 (err
== X509_V_ERR_CERT_HAS_EXPIRED
||
2333 err
== X509_V_ERR_CERT_NOT_YET_VALID
)) {
2334 wpa_printf(MSG_DEBUG
, "OpenSSL: Ignore certificate validity "
2338 if (!preverify_ok
&& !conn
->data
->check_crl_strict
&&
2339 (err
== X509_V_ERR_CRL_HAS_EXPIRED
||
2340 err
== X509_V_ERR_CRL_NOT_YET_VALID
)) {
2341 wpa_printf(MSG_DEBUG
,
2342 "OpenSSL: Ignore certificate validity CRL time mismatch");
2346 err_str
= X509_verify_cert_error_string(err
);
2348 #ifdef CONFIG_SHA256
2350 * Do not require preverify_ok so we can explicity allow otherwise
2351 * invalid pinned server certificates.
2353 if (depth
== 0 && conn
->server_cert_only
) {
2354 struct wpabuf
*cert
;
2355 cert
= get_x509_cert(err_cert
);
2357 wpa_printf(MSG_DEBUG
, "OpenSSL: Could not fetch "
2358 "server certificate data");
2364 addr
[0] = wpabuf_head(cert
);
2365 len
[0] = wpabuf_len(cert
);
2366 if (sha256_vector(1, addr
, len
, hash
) < 0 ||
2367 os_memcmp(conn
->srv_cert_hash
, hash
, 32) != 0) {
2368 err_str
= "Server certificate mismatch";
2369 err
= X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
;
2371 } else if (!preverify_ok
) {
2373 * Certificate matches pinned certificate, allow
2374 * regardless of other problems.
2376 wpa_printf(MSG_DEBUG
,
2377 "OpenSSL: Ignore validation issues for a pinned server certificate");
2383 #endif /* CONFIG_SHA256 */
2385 openssl_tls_cert_event(conn
, err_cert
, depth
, buf
);
2387 if (!preverify_ok
) {
2389 /* Send cert event for the peer certificate so that
2390 * the upper layers get information about it even if
2391 * validation of a CA certificate fails. */
2392 STACK_OF(X509
) *chain
;
2394 chain
= X509_STORE_CTX_get1_chain(x509_ctx
);
2395 if (chain
&& sk_X509_num(chain
) > 0) {
2399 cert
= sk_X509_value(chain
, 0);
2400 X509_NAME_oneline(X509_get_subject_name(cert
),
2401 buf2
, sizeof(buf2
));
2403 openssl_tls_cert_event(conn
, cert
, 0, buf2
);
2406 sk_X509_pop_free(chain
, X509_free
);
2409 wpa_printf(MSG_WARNING
, "TLS: Certificate verification failed,"
2410 " error %d (%s) depth %d for '%s'", err
, err_str
,
2412 openssl_tls_fail_event(conn
, err_cert
, err
, depth
, buf
,
2413 err_str
, TLS_FAIL_UNSPECIFIED
);
2414 return preverify_ok
;
2417 wpa_printf(MSG_DEBUG
, "TLS: tls_verify_cb - preverify_ok=%d "
2418 "err=%d (%s) ca_cert_verify=%d depth=%d buf='%s'",
2419 preverify_ok
, err
, err_str
,
2420 conn
->ca_cert_verify
, depth
, buf
);
2421 check_cert_subject
= conn
->check_cert_subject
;
2422 if (!check_cert_subject
)
2423 check_cert_subject
= conn
->data
->check_cert_subject
;
2424 if (check_cert_subject
) {
2426 !tls_match_dn_field(err_cert
, check_cert_subject
)) {
2428 openssl_tls_fail_event(conn
, err_cert
, err
, depth
, buf
,
2429 "Distinguished Name",
2430 TLS_FAIL_DN_MISMATCH
);
2433 if (depth
== 0 && match
&& os_strstr(buf
, match
) == NULL
) {
2434 wpa_printf(MSG_WARNING
, "TLS: Subject '%s' did not "
2435 "match with '%s'", buf
, match
);
2437 openssl_tls_fail_event(conn
, err_cert
, err
, depth
, buf
,
2439 TLS_FAIL_SUBJECT_MISMATCH
);
2440 } else if (depth
== 0 && altmatch
&&
2441 !tls_match_altsubject(err_cert
, altmatch
)) {
2442 wpa_printf(MSG_WARNING
, "TLS: altSubjectName match "
2443 "'%s' not found", altmatch
);
2445 openssl_tls_fail_event(conn
, err_cert
, err
, depth
, buf
,
2446 "AltSubject mismatch",
2447 TLS_FAIL_ALTSUBJECT_MISMATCH
);
2448 } else if (depth
== 0 && suffix_match
&&
2449 !tls_match_suffix(err_cert
, suffix_match
, 0)) {
2450 wpa_printf(MSG_WARNING
, "TLS: Domain suffix match '%s' not found",
2453 openssl_tls_fail_event(conn
, err_cert
, err
, depth
, buf
,
2454 "Domain suffix mismatch",
2455 TLS_FAIL_DOMAIN_SUFFIX_MISMATCH
);
2456 } else if (depth
== 0 && domain_match
&&
2457 !tls_match_suffix(err_cert
, domain_match
, 1)) {
2458 wpa_printf(MSG_WARNING
, "TLS: Domain match '%s' not found",
2461 openssl_tls_fail_event(conn
, err_cert
, err
, depth
, buf
,
2463 TLS_FAIL_DOMAIN_MISMATCH
);
2466 if (conn
->cert_probe
&& preverify_ok
&& depth
== 0) {
2467 wpa_printf(MSG_DEBUG
, "OpenSSL: Reject server certificate "
2468 "on probe-only run");
2470 openssl_tls_fail_event(conn
, err_cert
, err
, depth
, buf
,
2471 "Server certificate chain probe",
2472 TLS_FAIL_SERVER_CHAIN_PROBE
);
2475 #ifdef CONFIG_SUITEB
2476 if (conn
->flags
& TLS_CONN_SUITEB
) {
2481 pk
= X509_get_pubkey(err_cert
);
2483 rsa
= EVP_PKEY_get1_RSA(pk
);
2485 len
= RSA_bits(rsa
);
2492 wpa_printf(MSG_DEBUG
,
2493 "OpenSSL: RSA modulus size: %d bits", len
);
2496 openssl_tls_fail_event(
2497 conn
, err_cert
, err
,
2499 "Insufficient RSA modulus size",
2500 TLS_FAIL_INSUFFICIENT_KEY_LEN
);
2504 #endif /* CONFIG_SUITEB */
2506 #ifdef OPENSSL_IS_BORINGSSL
2507 if (depth
== 0 && (conn
->flags
& TLS_CONN_REQUEST_OCSP
) &&
2509 enum ocsp_result res
;
2511 res
= check_ocsp_resp(conn
->ssl_ctx
, conn
->ssl
, err_cert
,
2513 conn
->peer_issuer_issuer
);
2514 if (res
== OCSP_REVOKED
) {
2516 openssl_tls_fail_event(conn
, err_cert
, err
, depth
, buf
,
2517 "certificate revoked",
2519 if (err
== X509_V_OK
)
2520 X509_STORE_CTX_set_error(
2521 x509_ctx
, X509_V_ERR_CERT_REVOKED
);
2522 } else if (res
!= OCSP_GOOD
&&
2523 (conn
->flags
& TLS_CONN_REQUIRE_OCSP
)) {
2525 openssl_tls_fail_event(conn
, err_cert
, err
, depth
, buf
,
2526 "bad certificate status response",
2527 TLS_FAIL_UNSPECIFIED
);
2530 #endif /* OPENSSL_IS_BORINGSSL */
2532 if (depth
== 0 && preverify_ok
&& context
->event_cb
!= NULL
)
2533 context
->event_cb(context
->cb_ctx
,
2534 TLS_CERT_CHAIN_SUCCESS
, NULL
);
2536 return preverify_ok
;
2540 #ifndef OPENSSL_NO_STDIO
2541 static int tls_load_ca_der(struct tls_data
*data
, const char *ca_cert
)
2543 SSL_CTX
*ssl_ctx
= data
->ssl
;
2544 X509_LOOKUP
*lookup
;
2547 lookup
= X509_STORE_add_lookup(SSL_CTX_get_cert_store(ssl_ctx
),
2548 X509_LOOKUP_file());
2549 if (lookup
== NULL
) {
2550 tls_show_errors(MSG_WARNING
, __func__
,
2551 "Failed add lookup for X509 store");
2555 if (!X509_LOOKUP_load_file(lookup
, ca_cert
, X509_FILETYPE_ASN1
)) {
2556 unsigned long err
= ERR_peek_error();
2557 tls_show_errors(MSG_WARNING
, __func__
,
2558 "Failed load CA in DER format");
2559 if (ERR_GET_LIB(err
) == ERR_LIB_X509
&&
2560 ERR_GET_REASON(err
) == X509_R_CERT_ALREADY_IN_HASH_TABLE
) {
2561 wpa_printf(MSG_DEBUG
, "OpenSSL: %s - ignoring "
2562 "cert already in hash table error",
2570 #endif /* OPENSSL_NO_STDIO */
2573 static int tls_connection_ca_cert(struct tls_data
*data
,
2574 struct tls_connection
*conn
,
2575 const char *ca_cert
, const u8
*ca_cert_blob
,
2576 size_t ca_cert_blob_len
, const char *ca_path
)
2578 SSL_CTX
*ssl_ctx
= data
->ssl
;
2582 * Remove previously configured trusted CA certificates before adding
2585 store
= X509_STORE_new();
2586 if (store
== NULL
) {
2587 wpa_printf(MSG_DEBUG
, "OpenSSL: %s - failed to allocate new "
2588 "certificate store", __func__
);
2591 SSL_CTX_set_cert_store(ssl_ctx
, store
);
2593 SSL_set_verify(conn
->ssl
, SSL_VERIFY_PEER
, tls_verify_cb
);
2594 conn
->ca_cert_verify
= 1;
2596 if (ca_cert
&& os_strncmp(ca_cert
, "probe://", 8) == 0) {
2597 wpa_printf(MSG_DEBUG
, "OpenSSL: Probe for server certificate "
2599 conn
->cert_probe
= 1;
2600 conn
->ca_cert_verify
= 0;
2604 if (ca_cert
&& os_strncmp(ca_cert
, "hash://", 7) == 0) {
2605 #ifdef CONFIG_SHA256
2606 const char *pos
= ca_cert
+ 7;
2607 if (os_strncmp(pos
, "server/sha256/", 14) != 0) {
2608 wpa_printf(MSG_DEBUG
, "OpenSSL: Unsupported ca_cert "
2609 "hash value '%s'", ca_cert
);
2613 if (os_strlen(pos
) != 32 * 2) {
2614 wpa_printf(MSG_DEBUG
, "OpenSSL: Unexpected SHA256 "
2615 "hash length in ca_cert '%s'", ca_cert
);
2618 if (hexstr2bin(pos
, conn
->srv_cert_hash
, 32) < 0) {
2619 wpa_printf(MSG_DEBUG
, "OpenSSL: Invalid SHA256 hash "
2620 "value in ca_cert '%s'", ca_cert
);
2623 conn
->server_cert_only
= 1;
2624 wpa_printf(MSG_DEBUG
, "OpenSSL: Checking only server "
2625 "certificate match");
2627 #else /* CONFIG_SHA256 */
2628 wpa_printf(MSG_INFO
, "No SHA256 included in the build - "
2629 "cannot validate server certificate hash");
2631 #endif /* CONFIG_SHA256 */
2635 X509
*cert
= d2i_X509(NULL
,
2636 (const unsigned char **) &ca_cert_blob
,
2639 BIO
*bio
= BIO_new_mem_buf(ca_cert_blob
,
2643 cert
= PEM_read_bio_X509(bio
, NULL
, NULL
, NULL
);
2648 tls_show_errors(MSG_WARNING
, __func__
,
2649 "Failed to parse ca_cert_blob");
2653 while (ERR_get_error()) {
2654 /* Ignore errors from DER conversion. */
2658 if (!X509_STORE_add_cert(SSL_CTX_get_cert_store(ssl_ctx
),
2660 unsigned long err
= ERR_peek_error();
2661 tls_show_errors(MSG_WARNING
, __func__
,
2662 "Failed to add ca_cert_blob to "
2663 "certificate store");
2664 if (ERR_GET_LIB(err
) == ERR_LIB_X509
&&
2665 ERR_GET_REASON(err
) ==
2666 X509_R_CERT_ALREADY_IN_HASH_TABLE
) {
2667 wpa_printf(MSG_DEBUG
, "OpenSSL: %s - ignoring "
2668 "cert already in hash table error",
2676 wpa_printf(MSG_DEBUG
, "OpenSSL: %s - added ca_cert_blob "
2677 "to certificate store", __func__
);
2683 if (ca_cert
&& os_strncmp("keystore://", ca_cert
, 11) == 0) {
2684 if (tls_add_ca_from_keystore(SSL_CTX_get_cert_store(ssl_ctx
),
2687 SSL_set_verify(conn
->ssl
, SSL_VERIFY_PEER
, tls_verify_cb
);
2691 /* Multiple aliases separated by space */
2692 if (ca_cert
&& os_strncmp("keystores://", ca_cert
, 12) == 0) {
2693 char *aliases
= os_strdup(&ca_cert
[12]);
2694 const char *delim
= " ";
2701 alias
= strtok_r(aliases
, delim
, &savedptr
);
2702 for (; alias
; alias
= strtok_r(NULL
, delim
, &savedptr
)) {
2703 if (tls_add_ca_from_keystore_encoded(
2704 SSL_CTX_get_cert_store(ssl_ctx
), alias
)) {
2705 wpa_printf(MSG_WARNING
,
2706 "OpenSSL: %s - Failed to add ca_cert %s from keystore",
2716 SSL_set_verify(conn
->ssl
, SSL_VERIFY_PEER
, tls_verify_cb
);
2719 #endif /* ANDROID */
2721 #ifdef CONFIG_NATIVE_WINDOWS
2722 if (ca_cert
&& tls_cryptoapi_ca_cert(ssl_ctx
, conn
->ssl
, ca_cert
) ==
2724 wpa_printf(MSG_DEBUG
, "OpenSSL: Added CA certificates from "
2725 "system certificate store");
2728 #endif /* CONFIG_NATIVE_WINDOWS */
2730 if (ca_cert
|| ca_path
) {
2731 #ifndef OPENSSL_NO_STDIO
2732 if (SSL_CTX_load_verify_locations(ssl_ctx
, ca_cert
, ca_path
) !=
2734 tls_show_errors(MSG_WARNING
, __func__
,
2735 "Failed to load root certificates");
2737 tls_load_ca_der(data
, ca_cert
) == 0) {
2738 wpa_printf(MSG_DEBUG
, "OpenSSL: %s - loaded "
2739 "DER format CA certificate",
2744 wpa_printf(MSG_DEBUG
, "TLS: Trusted root "
2745 "certificate(s) loaded");
2746 tls_get_errors(data
);
2748 #else /* OPENSSL_NO_STDIO */
2749 wpa_printf(MSG_DEBUG
, "OpenSSL: %s - OPENSSL_NO_STDIO",
2752 #endif /* OPENSSL_NO_STDIO */
2754 /* No ca_cert configured - do not try to verify server
2756 conn
->ca_cert_verify
= 0;
2763 static int tls_global_ca_cert(struct tls_data
*data
, const char *ca_cert
)
2765 SSL_CTX
*ssl_ctx
= data
->ssl
;
2768 if (SSL_CTX_load_verify_locations(ssl_ctx
, ca_cert
, NULL
) != 1)
2770 tls_show_errors(MSG_WARNING
, __func__
,
2771 "Failed to load root certificates");
2775 wpa_printf(MSG_DEBUG
, "TLS: Trusted root "
2776 "certificate(s) loaded");
2778 #ifndef OPENSSL_NO_STDIO
2779 /* Add the same CAs to the client certificate requests */
2780 SSL_CTX_set_client_CA_list(ssl_ctx
,
2781 SSL_load_client_CA_file(ca_cert
));
2782 #endif /* OPENSSL_NO_STDIO */
2784 os_free(data
->ca_cert
);
2785 data
->ca_cert
= os_strdup(ca_cert
);
2792 int tls_global_set_verify(void *ssl_ctx
, int check_crl
, int strict
)
2797 struct tls_data
*data
= ssl_ctx
;
2798 X509_STORE
*cs
= SSL_CTX_get_cert_store(data
->ssl
);
2800 tls_show_errors(MSG_INFO
, __func__
, "Failed to get "
2801 "certificate store when enabling "
2805 flags
= X509_V_FLAG_CRL_CHECK
;
2807 flags
|= X509_V_FLAG_CRL_CHECK_ALL
;
2808 X509_STORE_set_flags(cs
, flags
);
2810 data
->check_crl
= check_crl
;
2811 data
->check_crl_strict
= strict
;
2812 os_get_reltime(&data
->crl_last_reload
);
2818 static int tls_connection_set_subject_match(struct tls_connection
*conn
,
2819 const char *subject_match
,
2820 const char *altsubject_match
,
2821 const char *suffix_match
,
2822 const char *domain_match
,
2823 const char *check_cert_subject
)
2825 os_free(conn
->subject_match
);
2826 conn
->subject_match
= NULL
;
2827 if (subject_match
) {
2828 conn
->subject_match
= os_strdup(subject_match
);
2829 if (conn
->subject_match
== NULL
)
2833 os_free(conn
->altsubject_match
);
2834 conn
->altsubject_match
= NULL
;
2835 if (altsubject_match
) {
2836 conn
->altsubject_match
= os_strdup(altsubject_match
);
2837 if (conn
->altsubject_match
== NULL
)
2841 os_free(conn
->suffix_match
);
2842 conn
->suffix_match
= NULL
;
2844 conn
->suffix_match
= os_strdup(suffix_match
);
2845 if (conn
->suffix_match
== NULL
)
2849 os_free(conn
->domain_match
);
2850 conn
->domain_match
= NULL
;
2852 conn
->domain_match
= os_strdup(domain_match
);
2853 if (conn
->domain_match
== NULL
)
2857 os_free(conn
->check_cert_subject
);
2858 conn
->check_cert_subject
= NULL
;
2859 if (check_cert_subject
) {
2860 conn
->check_cert_subject
= os_strdup(check_cert_subject
);
2861 if (!conn
->check_cert_subject
)
2869 #ifdef CONFIG_SUITEB
2870 #if OPENSSL_VERSION_NUMBER >= 0x10002000L
2871 static int suiteb_cert_cb(SSL
*ssl
, void *arg
)
2873 struct tls_connection
*conn
= arg
;
2876 * This cert_cb() is not really the best location for doing a
2877 * constraint check for the ServerKeyExchange message, but this seems to
2878 * be the only place where the current OpenSSL sequence can be
2879 * terminated cleanly with an TLS alert going out to the server.
2882 if (!(conn
->flags
& TLS_CONN_SUITEB
))
2885 /* DHE is enabled only with DHE-RSA-AES256-GCM-SHA384 */
2886 if (conn
->cipher_suite
!= 0x9f)
2889 if (conn
->server_dh_prime_len
>= 3072)
2892 wpa_printf(MSG_DEBUG
,
2893 "OpenSSL: Server DH prime length (%d bits) not sufficient for Suite B RSA - reject handshake",
2894 conn
->server_dh_prime_len
);
2897 #endif /* OPENSSL_VERSION_NUMBER */
2898 #endif /* CONFIG_SUITEB */
2901 static int tls_set_conn_flags(struct tls_connection
*conn
, unsigned int flags
,
2902 const char *openssl_ciphers
)
2904 SSL
*ssl
= conn
->ssl
;
2906 #ifdef SSL_OP_NO_TICKET
2907 if (flags
& TLS_CONN_DISABLE_SESSION_TICKET
)
2908 SSL_set_options(ssl
, SSL_OP_NO_TICKET
);
2910 SSL_clear_options(ssl
, SSL_OP_NO_TICKET
);
2911 #endif /* SSL_OP_NO_TICKET */
2913 #ifdef SSL_OP_NO_TLSv1
2914 if (flags
& TLS_CONN_DISABLE_TLSv1_0
)
2915 SSL_set_options(ssl
, SSL_OP_NO_TLSv1
);
2917 SSL_clear_options(ssl
, SSL_OP_NO_TLSv1
);
2918 #endif /* SSL_OP_NO_TLSv1 */
2919 #ifdef SSL_OP_NO_TLSv1_1
2920 if (flags
& TLS_CONN_DISABLE_TLSv1_1
)
2921 SSL_set_options(ssl
, SSL_OP_NO_TLSv1_1
);
2923 SSL_clear_options(ssl
, SSL_OP_NO_TLSv1_1
);
2924 #endif /* SSL_OP_NO_TLSv1_1 */
2925 #ifdef SSL_OP_NO_TLSv1_2
2926 if (flags
& TLS_CONN_DISABLE_TLSv1_2
)
2927 SSL_set_options(ssl
, SSL_OP_NO_TLSv1_2
);
2929 SSL_clear_options(ssl
, SSL_OP_NO_TLSv1_2
);
2930 #endif /* SSL_OP_NO_TLSv1_2 */
2931 #ifdef SSL_OP_NO_TLSv1_3
2932 if (flags
& TLS_CONN_DISABLE_TLSv1_3
)
2933 SSL_set_options(ssl
, SSL_OP_NO_TLSv1_3
);
2935 SSL_clear_options(ssl
, SSL_OP_NO_TLSv1_3
);
2936 #endif /* SSL_OP_NO_TLSv1_3 */
2937 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
2938 if (flags
& (TLS_CONN_ENABLE_TLSv1_0
|
2939 TLS_CONN_ENABLE_TLSv1_1
|
2940 TLS_CONN_ENABLE_TLSv1_2
)) {
2943 /* Explicit request to enable TLS versions even if needing to
2944 * override systemwide policies. */
2945 if (flags
& TLS_CONN_ENABLE_TLSv1_0
) {
2946 version
= TLS1_VERSION
;
2947 } else if (flags
& TLS_CONN_ENABLE_TLSv1_1
) {
2948 if (!(flags
& TLS_CONN_DISABLE_TLSv1_0
))
2949 version
= TLS1_1_VERSION
;
2950 } else if (flags
& TLS_CONN_ENABLE_TLSv1_2
) {
2951 if (!(flags
& (TLS_CONN_DISABLE_TLSv1_0
|
2952 TLS_CONN_DISABLE_TLSv1_1
)))
2953 version
= TLS1_2_VERSION
;
2956 wpa_printf(MSG_DEBUG
,
2957 "OpenSSL: Invalid TLS version configuration");
2961 if (SSL_set_min_proto_version(ssl
, version
) != 1) {
2962 wpa_printf(MSG_DEBUG
,
2963 "OpenSSL: Failed to set minimum TLS version");
2967 #endif /* >= 1.1.0 */
2969 #ifdef CONFIG_SUITEB
2970 #ifdef OPENSSL_IS_BORINGSSL
2971 /* Start with defaults from BoringSSL */
2972 SSL_CTX_set_verify_algorithm_prefs(conn
->ssl_ctx
, NULL
, 0);
2973 #endif /* OPENSSL_IS_BORINGSSL */
2974 #if OPENSSL_VERSION_NUMBER >= 0x10002000L
2975 if (flags
& TLS_CONN_SUITEB_NO_ECDH
) {
2976 const char *ciphers
= "DHE-RSA-AES256-GCM-SHA384";
2978 if (openssl_ciphers
) {
2979 wpa_printf(MSG_DEBUG
,
2980 "OpenSSL: Override ciphers for Suite B (no ECDH): %s",
2982 ciphers
= openssl_ciphers
;
2984 if (SSL_set_cipher_list(ssl
, ciphers
) != 1) {
2985 wpa_printf(MSG_INFO
,
2986 "OpenSSL: Failed to set Suite B ciphers");
2989 } else if (flags
& TLS_CONN_SUITEB
) {
2991 const char *ciphers
=
2992 "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384";
2993 int nid
[1] = { NID_secp384r1
};
2995 if (openssl_ciphers
) {
2996 wpa_printf(MSG_DEBUG
,
2997 "OpenSSL: Override ciphers for Suite B: %s",
2999 ciphers
= openssl_ciphers
;
3001 if (SSL_set_cipher_list(ssl
, ciphers
) != 1) {
3002 wpa_printf(MSG_INFO
,
3003 "OpenSSL: Failed to set Suite B ciphers");
3007 if (SSL_set1_curves(ssl
, nid
, 1) != 1) {
3008 wpa_printf(MSG_INFO
,
3009 "OpenSSL: Failed to set Suite B curves");
3013 ecdh
= EC_KEY_new_by_curve_name(NID_secp384r1
);
3014 if (!ecdh
|| SSL_set_tmp_ecdh(ssl
, ecdh
) != 1) {
3016 wpa_printf(MSG_INFO
,
3017 "OpenSSL: Failed to set ECDH parameter");
3022 if (flags
& (TLS_CONN_SUITEB
| TLS_CONN_SUITEB_NO_ECDH
)) {
3023 #ifdef OPENSSL_IS_BORINGSSL
3024 uint16_t sigalgs
[1] = { SSL_SIGN_RSA_PKCS1_SHA384
};
3026 if (SSL_CTX_set_verify_algorithm_prefs(conn
->ssl_ctx
, sigalgs
,
3028 wpa_printf(MSG_INFO
,
3029 "OpenSSL: Failed to set Suite B sigalgs");
3032 #else /* OPENSSL_IS_BORINGSSL */
3033 /* ECDSA+SHA384 if need to add EC support here */
3034 if (SSL_set1_sigalgs_list(ssl
, "RSA+SHA384") != 1) {
3035 wpa_printf(MSG_INFO
,
3036 "OpenSSL: Failed to set Suite B sigalgs");
3039 #endif /* OPENSSL_IS_BORINGSSL */
3041 SSL_set_options(ssl
, SSL_OP_NO_TLSv1
);
3042 SSL_set_options(ssl
, SSL_OP_NO_TLSv1_1
);
3043 SSL_set_cert_cb(ssl
, suiteb_cert_cb
, conn
);
3045 #else /* OPENSSL_VERSION_NUMBER < 0x10002000L */
3046 if (flags
& (TLS_CONN_SUITEB
| TLS_CONN_SUITEB_NO_ECDH
)) {
3047 wpa_printf(MSG_ERROR
,
3048 "OpenSSL: Suite B RSA case not supported with this OpenSSL version");
3051 #endif /* OPENSSL_VERSION_NUMBER */
3053 #ifdef OPENSSL_IS_BORINGSSL
3054 if (openssl_ciphers
&& os_strcmp(openssl_ciphers
, "SUITEB192") == 0) {
3055 uint16_t sigalgs
[1] = { SSL_SIGN_ECDSA_SECP384R1_SHA384
};
3056 int nid
[1] = { NID_secp384r1
};
3058 if (SSL_set1_curves(ssl
, nid
, 1) != 1) {
3059 wpa_printf(MSG_INFO
,
3060 "OpenSSL: Failed to set Suite B curves");
3064 if (SSL_CTX_set_verify_algorithm_prefs(conn
->ssl_ctx
, sigalgs
,
3066 wpa_printf(MSG_INFO
,
3067 "OpenSSL: Failed to set Suite B sigalgs");
3071 #else /* OPENSSL_IS_BORINGSSL */
3072 if (!(flags
& (TLS_CONN_SUITEB
| TLS_CONN_SUITEB_NO_ECDH
)) &&
3073 openssl_ciphers
&& SSL_set_cipher_list(ssl
, openssl_ciphers
) != 1) {
3074 wpa_printf(MSG_INFO
,
3075 "OpenSSL: Failed to set openssl_ciphers '%s'",
3079 #endif /* OPENSSL_IS_BORINGSSL */
3080 #else /* CONFIG_SUITEB */
3081 if (openssl_ciphers
&& SSL_set_cipher_list(ssl
, openssl_ciphers
) != 1) {
3082 wpa_printf(MSG_INFO
,
3083 "OpenSSL: Failed to set openssl_ciphers '%s'",
3087 #endif /* CONFIG_SUITEB */
3089 if (flags
& TLS_CONN_TEAP_ANON_DH
) {
3090 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
3091 #ifndef TEAP_DH_ANON_CS
3092 #define TEAP_DH_ANON_CS \
3093 "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:" \
3094 "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:" \
3095 "ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:" \
3096 "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:" \
3097 "DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:" \
3098 "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:" \
3099 "ADH-AES256-GCM-SHA384:ADH-AES128-GCM-SHA256:" \
3100 "ADH-AES256-SHA256:ADH-AES128-SHA256:ADH-AES256-SHA:ADH-AES128-SHA"
3102 static const char *cs
= TEAP_DH_ANON_CS
;
3104 * Need to drop to security level 0 to allow anonymous
3105 * cipher suites for EAP-TEAP.
3107 SSL_set_security_level(conn
->ssl
, 0);
3110 wpa_printf(MSG_DEBUG
,
3111 "OpenSSL: Enable cipher suites for anonymous EAP-TEAP provisioning: %s",
3113 if (SSL_set_cipher_list(conn
->ssl
, cs
) != 1) {
3114 tls_show_errors(MSG_INFO
, __func__
,
3115 "Cipher suite configuration failed");
3124 int tls_connection_set_verify(void *ssl_ctx
, struct tls_connection
*conn
,
3125 int verify_peer
, unsigned int flags
,
3126 const u8
*session_ctx
, size_t session_ctx_len
)
3128 static int counter
= 0;
3129 struct tls_data
*data
= ssl_ctx
;
3135 conn
->ca_cert_verify
= 1;
3136 SSL_set_verify(conn
->ssl
, SSL_VERIFY_PEER
|
3137 SSL_VERIFY_FAIL_IF_NO_PEER_CERT
|
3138 SSL_VERIFY_CLIENT_ONCE
, tls_verify_cb
);
3140 conn
->ca_cert_verify
= 0;
3141 SSL_set_verify(conn
->ssl
, SSL_VERIFY_NONE
, NULL
);
3144 if (tls_set_conn_flags(conn
, flags
, NULL
) < 0)
3146 conn
->flags
= flags
;
3148 SSL_set_accept_state(conn
->ssl
);
3150 if (data
->tls_session_lifetime
== 0) {
3152 * Set session id context to a unique value to make sure
3153 * session resumption cannot be used either through session
3154 * caching or TLS ticket extension.
3157 SSL_set_session_id_context(conn
->ssl
,
3158 (const unsigned char *) &counter
,
3160 } else if (session_ctx
) {
3161 SSL_set_session_id_context(conn
->ssl
, session_ctx
,
3169 static int tls_connection_client_cert(struct tls_connection
*conn
,
3170 const char *client_cert
,
3171 const u8
*client_cert_blob
,
3172 size_t client_cert_blob_len
)
3174 if (client_cert
== NULL
&& client_cert_blob
== NULL
)
3178 #if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER)
3180 * Clear previously set extra chain certificates, if any, from PKCS#12
3181 * processing in tls_parse_pkcs12() to allow OpenSSL to build a new
3184 SSL_CTX_clear_extra_chain_certs(conn
->ssl_ctx
);
3185 #endif /* OPENSSL_VERSION_NUMBER < 0x10002000L */
3186 #endif /* PKCS12_FUNCS */
3188 if (client_cert_blob
&&
3189 SSL_use_certificate_ASN1(conn
->ssl
, (u8
*) client_cert_blob
,
3190 client_cert_blob_len
) == 1) {
3191 wpa_printf(MSG_DEBUG
, "OpenSSL: SSL_use_certificate_ASN1 --> "
3194 } else if (client_cert_blob
) {
3195 tls_show_errors(MSG_DEBUG
, __func__
,
3196 "SSL_use_certificate_ASN1 failed");
3199 if (client_cert
== NULL
)
3203 if (os_strncmp("keystore://", client_cert
, 11) == 0) {
3204 BIO
*bio
= BIO_from_keystore(&client_cert
[11]);
3208 x509
= PEM_read_bio_X509(bio
, NULL
, NULL
, NULL
);
3211 if (SSL_use_certificate(conn
->ssl
, x509
) == 1)
3216 /* Read additional certificates into the chain. */
3218 x509
= PEM_read_bio_X509(bio
, NULL
, NULL
, NULL
);
3220 /* Takes ownership of x509 */
3221 SSL_add0_chain_cert(conn
->ssl
, x509
);
3229 #endif /* ANDROID */
3231 #ifndef OPENSSL_NO_STDIO
3232 if (SSL_use_certificate_file(conn
->ssl
, client_cert
,
3233 SSL_FILETYPE_ASN1
) == 1) {
3234 wpa_printf(MSG_DEBUG
, "OpenSSL: SSL_use_certificate_file (DER)"
3239 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
3240 !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL)
3241 if (SSL_use_certificate_chain_file(conn
->ssl
, client_cert
) == 1) {
3243 wpa_printf(MSG_DEBUG
, "OpenSSL: SSL_use_certificate_chain_file"
3248 if (SSL_use_certificate_file(conn
->ssl
, client_cert
,
3249 SSL_FILETYPE_PEM
) == 1) {
3251 wpa_printf(MSG_DEBUG
, "OpenSSL: SSL_use_certificate_file (PEM)"
3257 tls_show_errors(MSG_DEBUG
, __func__
,
3258 "SSL_use_certificate_file failed");
3259 #else /* OPENSSL_NO_STDIO */
3260 wpa_printf(MSG_DEBUG
, "OpenSSL: %s - OPENSSL_NO_STDIO", __func__
);
3261 #endif /* OPENSSL_NO_STDIO */
3267 static int tls_global_client_cert(struct tls_data
*data
,
3268 const char *client_cert
)
3270 #ifndef OPENSSL_NO_STDIO
3271 SSL_CTX
*ssl_ctx
= data
->ssl
;
3273 if (client_cert
== NULL
)
3276 if (SSL_CTX_use_certificate_file(ssl_ctx
, client_cert
,
3277 SSL_FILETYPE_ASN1
) != 1 &&
3278 SSL_CTX_use_certificate_chain_file(ssl_ctx
, client_cert
) != 1 &&
3279 SSL_CTX_use_certificate_file(ssl_ctx
, client_cert
,
3280 SSL_FILETYPE_PEM
) != 1) {
3281 tls_show_errors(MSG_INFO
, __func__
,
3282 "Failed to load client certificate");
3286 #else /* OPENSSL_NO_STDIO */
3287 if (client_cert
== NULL
)
3289 wpa_printf(MSG_DEBUG
, "OpenSSL: %s - OPENSSL_NO_STDIO", __func__
);
3291 #endif /* OPENSSL_NO_STDIO */
3296 static int tls_parse_pkcs12(struct tls_data
*data
, SSL
*ssl
, PKCS12
*p12
,
3301 STACK_OF(X509
) *certs
;
3310 if (!PKCS12_parse(p12
, passwd
, &pkey
, &cert
, &certs
)) {
3311 tls_show_errors(MSG_DEBUG
, __func__
,
3312 "Failed to parse PKCS12 file");
3316 wpa_printf(MSG_DEBUG
, "TLS: Successfully parsed PKCS12 data");
3319 X509_NAME_oneline(X509_get_subject_name(cert
), buf
,
3321 wpa_printf(MSG_DEBUG
, "TLS: Got certificate from PKCS12: "
3322 "subject='%s'", buf
);
3324 if (SSL_use_certificate(ssl
, cert
) != 1)
3327 if (SSL_CTX_use_certificate(data
->ssl
, cert
) != 1)
3334 wpa_printf(MSG_DEBUG
, "TLS: Got private key from PKCS12");
3336 if (SSL_use_PrivateKey(ssl
, pkey
) != 1)
3339 if (SSL_CTX_use_PrivateKey(data
->ssl
, pkey
) != 1)
3342 EVP_PKEY_free(pkey
);
3346 #if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
3348 SSL_clear_chain_certs(ssl
);
3350 SSL_CTX_clear_chain_certs(data
->ssl
);
3351 while ((cert
= sk_X509_pop(certs
)) != NULL
) {
3352 X509_NAME_oneline(X509_get_subject_name(cert
), buf
,
3354 wpa_printf(MSG_DEBUG
, "TLS: additional certificate"
3355 " from PKCS12: subject='%s'", buf
);
3356 if ((ssl
&& SSL_add1_chain_cert(ssl
, cert
) != 1) ||
3357 (!ssl
&& SSL_CTX_add1_chain_cert(data
->ssl
,
3359 tls_show_errors(MSG_DEBUG
, __func__
,
3360 "Failed to add additional certificate");
3368 /* Try to continue anyway */
3370 sk_X509_pop_free(certs
, X509_free
);
3371 #ifndef OPENSSL_IS_BORINGSSL
3373 res
= SSL_build_cert_chain(
3375 SSL_BUILD_CHAIN_FLAG_CHECK
|
3376 SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR
);
3378 res
= SSL_CTX_build_cert_chain(
3380 SSL_BUILD_CHAIN_FLAG_CHECK
|
3381 SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR
);
3383 tls_show_errors(MSG_DEBUG
, __func__
,
3384 "Failed to build certificate chain");
3385 } else if (res
== 2) {
3386 wpa_printf(MSG_DEBUG
,
3387 "TLS: Ignore certificate chain verification error when building chain with PKCS#12 extra certificates");
3389 #endif /* OPENSSL_IS_BORINGSSL */
3391 * Try to continue regardless of result since it is possible for
3392 * the extra certificates not to be required.
3395 #else /* OPENSSL_VERSION_NUMBER >= 0x10002000L */
3396 SSL_CTX_clear_extra_chain_certs(data
->ssl
);
3397 while ((cert
= sk_X509_pop(certs
)) != NULL
) {
3398 X509_NAME_oneline(X509_get_subject_name(cert
), buf
,
3400 wpa_printf(MSG_DEBUG
, "TLS: additional certificate"
3401 " from PKCS12: subject='%s'", buf
);
3403 * There is no SSL equivalent for the chain cert - so
3404 * always add it to the context...
3406 if (SSL_CTX_add_extra_chain_cert(data
->ssl
, cert
) != 1)
3413 sk_X509_pop_free(certs
, X509_free
);
3414 #endif /* OPENSSL_VERSION_NUMBER >= 0x10002000L */
3420 tls_get_errors(data
);
3424 #endif /* PKCS12_FUNCS */
3427 static int tls_read_pkcs12(struct tls_data
*data
, SSL
*ssl
,
3428 const char *private_key
, const char *passwd
)
3434 f
= fopen(private_key
, "rb");
3438 p12
= d2i_PKCS12_fp(f
, NULL
);
3442 tls_show_errors(MSG_INFO
, __func__
,
3443 "Failed to use PKCS#12 file");
3447 return tls_parse_pkcs12(data
, ssl
, p12
, passwd
);
3449 #else /* PKCS12_FUNCS */
3450 wpa_printf(MSG_INFO
, "TLS: PKCS12 support disabled - cannot read "
3453 #endif /* PKCS12_FUNCS */
3457 static int tls_read_pkcs12_blob(struct tls_data
*data
, SSL
*ssl
,
3458 const u8
*blob
, size_t len
, const char *passwd
)
3463 p12
= d2i_PKCS12(NULL
, (const unsigned char **) &blob
, len
);
3465 tls_show_errors(MSG_INFO
, __func__
,
3466 "Failed to use PKCS#12 blob");
3470 return tls_parse_pkcs12(data
, ssl
, p12
, passwd
);
3472 #else /* PKCS12_FUNCS */
3473 wpa_printf(MSG_INFO
, "TLS: PKCS12 support disabled - cannot parse "
3476 #endif /* PKCS12_FUNCS */
3480 #ifndef OPENSSL_NO_ENGINE
3481 static int tls_engine_get_cert(struct tls_connection
*conn
,
3482 const char *cert_id
,
3485 /* this runs after the private key is loaded so no PIN is required */
3487 const char *cert_id
;
3490 params
.cert_id
= cert_id
;
3493 if (!ENGINE_ctrl_cmd(conn
->engine
, "LOAD_CERT_CTRL",
3494 0, ¶ms
, NULL
, 1)) {
3495 unsigned long err
= ERR_get_error();
3497 wpa_printf(MSG_ERROR
, "ENGINE: cannot load client cert with id"
3498 " '%s' [%s]", cert_id
,
3499 ERR_error_string(err
, NULL
));
3500 if (tls_is_pin_error(err
))
3501 return TLS_SET_PARAMS_ENGINE_PRV_BAD_PIN
;
3502 return TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED
;
3505 wpa_printf(MSG_ERROR
, "ENGINE: did not properly cert with id"
3507 return TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED
;
3509 *cert
= params
.cert
;
3512 #endif /* OPENSSL_NO_ENGINE */
3515 static int tls_connection_engine_client_cert(struct tls_connection
*conn
,
3516 const char *cert_id
)
3518 #ifndef OPENSSL_NO_ENGINE
3521 if (tls_engine_get_cert(conn
, cert_id
, &cert
))
3524 if (!SSL_use_certificate(conn
->ssl
, cert
)) {
3525 tls_show_errors(MSG_ERROR
, __func__
,
3526 "SSL_use_certificate failed");
3531 wpa_printf(MSG_DEBUG
, "ENGINE: SSL_use_certificate --> "
3535 #else /* OPENSSL_NO_ENGINE */
3537 #endif /* OPENSSL_NO_ENGINE */
3541 static int tls_connection_engine_ca_cert(struct tls_data
*data
,
3542 struct tls_connection
*conn
,
3543 const char *ca_cert_id
)
3545 #ifndef OPENSSL_NO_ENGINE
3547 SSL_CTX
*ssl_ctx
= data
->ssl
;
3550 if (tls_engine_get_cert(conn
, ca_cert_id
, &cert
))
3553 /* start off the same as tls_connection_ca_cert */
3554 store
= X509_STORE_new();
3555 if (store
== NULL
) {
3556 wpa_printf(MSG_DEBUG
, "OpenSSL: %s - failed to allocate new "
3557 "certificate store", __func__
);
3561 SSL_CTX_set_cert_store(ssl_ctx
, store
);
3562 if (!X509_STORE_add_cert(store
, cert
)) {
3563 unsigned long err
= ERR_peek_error();
3564 tls_show_errors(MSG_WARNING
, __func__
,
3565 "Failed to add CA certificate from engine "
3566 "to certificate store");
3567 if (ERR_GET_LIB(err
) == ERR_LIB_X509
&&
3568 ERR_GET_REASON(err
) == X509_R_CERT_ALREADY_IN_HASH_TABLE
) {
3569 wpa_printf(MSG_DEBUG
, "OpenSSL: %s - ignoring cert"
3570 " already in hash table error",
3578 wpa_printf(MSG_DEBUG
, "OpenSSL: %s - added CA certificate from engine "
3579 "to certificate store", __func__
);
3580 SSL_set_verify(conn
->ssl
, SSL_VERIFY_PEER
, tls_verify_cb
);
3581 conn
->ca_cert_verify
= 1;
3585 #else /* OPENSSL_NO_ENGINE */
3587 #endif /* OPENSSL_NO_ENGINE */
3591 static int tls_connection_engine_private_key(struct tls_connection
*conn
)
3593 #if defined(ANDROID) || !defined(OPENSSL_NO_ENGINE)
3594 if (SSL_use_PrivateKey(conn
->ssl
, conn
->private_key
) != 1) {
3595 tls_show_errors(MSG_ERROR
, __func__
,
3596 "ENGINE: cannot use private key for TLS");
3599 if (!SSL_check_private_key(conn
->ssl
)) {
3600 tls_show_errors(MSG_INFO
, __func__
,
3601 "Private key failed verification");
3605 #else /* OPENSSL_NO_ENGINE */
3606 wpa_printf(MSG_ERROR
, "SSL: Configuration uses engine, but "
3607 "engine support was not compiled in");
3609 #endif /* OPENSSL_NO_ENGINE */
3613 #ifndef OPENSSL_NO_STDIO
3614 static int tls_passwd_cb(char *buf
, int size
, int rwflag
, void *password
)
3618 os_strlcpy(buf
, (const char *) password
, size
);
3619 return os_strlen(buf
);
3621 #endif /* OPENSSL_NO_STDIO */
3624 static int tls_use_private_key_file(struct tls_data
*data
, SSL
*ssl
,
3625 const char *private_key
,
3626 const char *private_key_passwd
)
3628 #ifndef OPENSSL_NO_STDIO
3633 /* First try ASN.1 (DER). */
3634 bio
= BIO_new_file(private_key
, "r");
3637 pkey
= d2i_PrivateKey_bio(bio
, NULL
);
3641 wpa_printf(MSG_DEBUG
, "OpenSSL: %s (DER) --> loaded", __func__
);
3643 /* Try PEM with the provided password. */
3644 bio
= BIO_new_file(private_key
, "r");
3647 pkey
= PEM_read_bio_PrivateKey(bio
, NULL
, tls_passwd_cb
,
3648 (void *) private_key_passwd
);
3652 wpa_printf(MSG_DEBUG
, "OpenSSL: %s (PEM) --> loaded", __func__
);
3653 /* Clear errors from the previous failed load. */
3658 ret
= SSL_use_PrivateKey(ssl
, pkey
);
3660 ret
= SSL_CTX_use_PrivateKey(data
->ssl
, pkey
);
3662 EVP_PKEY_free(pkey
);
3663 return ret
== 1 ? 0 : -1;
3664 #else /* OPENSSL_NO_STDIO */
3665 wpa_printf(MSG_DEBUG
, "OpenSSL: %s - OPENSSL_NO_STDIO", __func__
);
3667 #endif /* OPENSSL_NO_STDIO */
3671 static int tls_connection_private_key(struct tls_data
*data
,
3672 struct tls_connection
*conn
,
3673 const char *private_key
,
3674 const char *private_key_passwd
,
3675 const u8
*private_key_blob
,
3676 size_t private_key_blob_len
)
3680 if (private_key
== NULL
&& private_key_blob
== NULL
)
3684 while (private_key_blob
) {
3685 if (SSL_use_PrivateKey_ASN1(EVP_PKEY_RSA
, conn
->ssl
,
3686 (u8
*) private_key_blob
,
3687 private_key_blob_len
) == 1) {
3688 wpa_printf(MSG_DEBUG
, "OpenSSL: SSL_use_PrivateKey_"
3689 "ASN1(EVP_PKEY_RSA) --> OK");
3694 if (SSL_use_PrivateKey_ASN1(EVP_PKEY_DSA
, conn
->ssl
,
3695 (u8
*) private_key_blob
,
3696 private_key_blob_len
) == 1) {
3697 wpa_printf(MSG_DEBUG
, "OpenSSL: SSL_use_PrivateKey_"
3698 "ASN1(EVP_PKEY_DSA) --> OK");
3703 if (SSL_use_RSAPrivateKey_ASN1(conn
->ssl
,
3704 (u8
*) private_key_blob
,
3705 private_key_blob_len
) == 1) {
3706 wpa_printf(MSG_DEBUG
, "OpenSSL: "
3707 "SSL_use_RSAPrivateKey_ASN1 --> OK");
3712 if (tls_read_pkcs12_blob(data
, conn
->ssl
, private_key_blob
,
3713 private_key_blob_len
,
3714 private_key_passwd
) == 0) {
3715 wpa_printf(MSG_DEBUG
, "OpenSSL: PKCS#12 as blob --> "
3724 while (!ok
&& private_key
) {
3725 if (tls_use_private_key_file(data
, conn
->ssl
, private_key
,
3726 private_key_passwd
) == 0) {
3731 if (tls_read_pkcs12(data
, conn
->ssl
, private_key
,
3732 private_key_passwd
) == 0) {
3733 wpa_printf(MSG_DEBUG
, "OpenSSL: Reading PKCS#12 file "
3739 if (tls_cryptoapi_cert(conn
->ssl
, private_key
) == 0) {
3740 wpa_printf(MSG_DEBUG
, "OpenSSL: Using CryptoAPI to "
3741 "access certificate store --> OK");
3750 tls_show_errors(MSG_INFO
, __func__
,
3751 "Failed to load private key");
3756 if (!SSL_check_private_key(conn
->ssl
)) {
3757 tls_show_errors(MSG_INFO
, __func__
, "Private key failed "
3762 wpa_printf(MSG_DEBUG
, "SSL: Private key loaded successfully");
3767 static int tls_global_private_key(struct tls_data
*data
,
3768 const char *private_key
,
3769 const char *private_key_passwd
)
3771 SSL_CTX
*ssl_ctx
= data
->ssl
;
3773 if (private_key
== NULL
)
3776 if (tls_use_private_key_file(data
, NULL
, private_key
,
3777 private_key_passwd
) &&
3778 tls_read_pkcs12(data
, NULL
, private_key
, private_key_passwd
)) {
3779 tls_show_errors(MSG_INFO
, __func__
,
3780 "Failed to load private key");
3786 if (!SSL_CTX_check_private_key(ssl_ctx
)) {
3787 tls_show_errors(MSG_INFO
, __func__
,
3788 "Private key failed verification");
3796 static int tls_connection_dh(struct tls_connection
*conn
, const char *dh_file
)
3798 #ifdef OPENSSL_NO_DH
3799 if (dh_file
== NULL
)
3801 wpa_printf(MSG_ERROR
, "TLS: openssl does not include DH support, but "
3802 "dh_file specified");
3804 #else /* OPENSSL_NO_DH */
3808 /* TODO: add support for dh_blob */
3809 if (dh_file
== NULL
)
3814 bio
= BIO_new_file(dh_file
, "r");
3816 wpa_printf(MSG_INFO
, "TLS: Failed to open DH file '%s': %s",
3817 dh_file
, ERR_error_string(ERR_get_error(), NULL
));
3820 dh
= PEM_read_bio_DHparams(bio
, NULL
, NULL
, NULL
);
3822 #ifndef OPENSSL_NO_DSA
3823 while (dh
== NULL
) {
3825 wpa_printf(MSG_DEBUG
, "TLS: Failed to parse DH file '%s': %s -"
3826 " trying to parse as DSA params", dh_file
,
3827 ERR_error_string(ERR_get_error(), NULL
));
3828 bio
= BIO_new_file(dh_file
, "r");
3831 dsa
= PEM_read_bio_DSAparams(bio
, NULL
, NULL
, NULL
);
3834 wpa_printf(MSG_DEBUG
, "TLS: Failed to parse DSA file "
3835 "'%s': %s", dh_file
,
3836 ERR_error_string(ERR_get_error(), NULL
));
3840 wpa_printf(MSG_DEBUG
, "TLS: DH file in DSA param format");
3841 dh
= DSA_dup_DH(dsa
);
3844 wpa_printf(MSG_INFO
, "TLS: Failed to convert DSA "
3845 "params into DH params");
3850 #endif /* !OPENSSL_NO_DSA */
3852 wpa_printf(MSG_INFO
, "TLS: Failed to read/parse DH/DSA file "
3857 if (SSL_set_tmp_dh(conn
->ssl
, dh
) != 1) {
3858 wpa_printf(MSG_INFO
, "TLS: Failed to set DH params from '%s': "
3860 ERR_error_string(ERR_get_error(), NULL
));
3866 #endif /* OPENSSL_NO_DH */
3870 static int tls_global_dh(struct tls_data
*data
, const char *dh_file
)
3872 #ifdef OPENSSL_NO_DH
3873 if (dh_file
== NULL
)
3875 wpa_printf(MSG_ERROR
, "TLS: openssl does not include DH support, but "
3876 "dh_file specified");
3878 #else /* OPENSSL_NO_DH */
3879 SSL_CTX
*ssl_ctx
= data
->ssl
;
3883 /* TODO: add support for dh_blob */
3884 if (dh_file
== NULL
)
3886 if (ssl_ctx
== NULL
)
3889 bio
= BIO_new_file(dh_file
, "r");
3891 wpa_printf(MSG_INFO
, "TLS: Failed to open DH file '%s': %s",
3892 dh_file
, ERR_error_string(ERR_get_error(), NULL
));
3895 dh
= PEM_read_bio_DHparams(bio
, NULL
, NULL
, NULL
);
3897 #ifndef OPENSSL_NO_DSA
3898 while (dh
== NULL
) {
3900 wpa_printf(MSG_DEBUG
, "TLS: Failed to parse DH file '%s': %s -"
3901 " trying to parse as DSA params", dh_file
,
3902 ERR_error_string(ERR_get_error(), NULL
));
3903 bio
= BIO_new_file(dh_file
, "r");
3906 dsa
= PEM_read_bio_DSAparams(bio
, NULL
, NULL
, NULL
);
3909 wpa_printf(MSG_DEBUG
, "TLS: Failed to parse DSA file "
3910 "'%s': %s", dh_file
,
3911 ERR_error_string(ERR_get_error(), NULL
));
3915 wpa_printf(MSG_DEBUG
, "TLS: DH file in DSA param format");
3916 dh
= DSA_dup_DH(dsa
);
3919 wpa_printf(MSG_INFO
, "TLS: Failed to convert DSA "
3920 "params into DH params");
3925 #endif /* !OPENSSL_NO_DSA */
3927 wpa_printf(MSG_INFO
, "TLS: Failed to read/parse DH/DSA file "
3932 if (SSL_CTX_set_tmp_dh(ssl_ctx
, dh
) != 1) {
3933 wpa_printf(MSG_INFO
, "TLS: Failed to set DH params from '%s': "
3935 ERR_error_string(ERR_get_error(), NULL
));
3941 #endif /* OPENSSL_NO_DH */
3945 int tls_connection_get_random(void *ssl_ctx
, struct tls_connection
*conn
,
3946 struct tls_random
*keys
)
3950 if (conn
== NULL
|| keys
== NULL
)
3956 os_memset(keys
, 0, sizeof(*keys
));
3957 keys
->client_random
= conn
->client_random
;
3958 keys
->client_random_len
= SSL_get_client_random(
3959 ssl
, conn
->client_random
, sizeof(conn
->client_random
));
3960 keys
->server_random
= conn
->server_random
;
3961 keys
->server_random_len
= SSL_get_server_random(
3962 ssl
, conn
->server_random
, sizeof(conn
->server_random
));
3968 #ifdef OPENSSL_NEED_EAP_FAST_PRF
3969 static int openssl_get_keyblock_size(SSL
*ssl
)
3971 #if OPENSSL_VERSION_NUMBER < 0x10100000L || \
3972 (defined(LIBRESSL_VERSION_NUMBER) && \
3973 LIBRESSL_VERSION_NUMBER < 0x20700000L)
3974 const EVP_CIPHER
*c
;
3978 if (ssl
->enc_read_ctx
== NULL
|| ssl
->enc_read_ctx
->cipher
== NULL
||
3979 ssl
->read_hash
== NULL
)
3982 c
= ssl
->enc_read_ctx
->cipher
;
3983 h
= EVP_MD_CTX_md(ssl
->read_hash
);
3985 md_size
= EVP_MD_size(h
);
3987 md_size
= ssl
->s3
->tmp
.new_mac_secret_size
;
3991 wpa_printf(MSG_DEBUG
, "OpenSSL: keyblock size: key_len=%d MD_size=%d "
3992 "IV_len=%d", EVP_CIPHER_key_length(c
), md_size
,
3993 EVP_CIPHER_iv_length(c
));
3994 return 2 * (EVP_CIPHER_key_length(c
) +
3996 EVP_CIPHER_iv_length(c
));
3998 const SSL_CIPHER
*ssl_cipher
;
4000 const EVP_CIPHER
*c
;
4003 ssl_cipher
= SSL_get_current_cipher(ssl
);
4006 cipher
= SSL_CIPHER_get_cipher_nid(ssl_cipher
);
4007 digest
= SSL_CIPHER_get_digest_nid(ssl_cipher
);
4008 wpa_printf(MSG_DEBUG
, "OpenSSL: cipher nid %d digest nid %d",
4010 if (cipher
< 0 || digest
< 0)
4012 c
= EVP_get_cipherbynid(cipher
);
4013 h
= EVP_get_digestbynid(digest
);
4017 wpa_printf(MSG_DEBUG
,
4018 "OpenSSL: keyblock size: key_len=%d MD_size=%d IV_len=%d",
4019 EVP_CIPHER_key_length(c
), EVP_MD_size(h
),
4020 EVP_CIPHER_iv_length(c
));
4021 return 2 * (EVP_CIPHER_key_length(c
) + EVP_MD_size(h
) +
4022 EVP_CIPHER_iv_length(c
));
4025 #endif /* OPENSSL_NEED_EAP_FAST_PRF */
4028 int tls_connection_export_key(void *tls_ctx
, struct tls_connection
*conn
,
4029 const char *label
, const u8
*context
,
4030 size_t context_len
, u8
*out
, size_t out_len
)
4033 SSL_export_keying_material(conn
->ssl
, out
, out_len
, label
,
4034 os_strlen(label
), context
, context_len
,
4035 context
!= NULL
) != 1)
4041 int tls_connection_get_eap_fast_key(void *tls_ctx
, struct tls_connection
*conn
,
4042 u8
*out
, size_t out_len
)
4044 #ifdef OPENSSL_NEED_EAP_FAST_PRF
4052 unsigned char client_random
[SSL3_RANDOM_SIZE
];
4053 unsigned char server_random
[SSL3_RANDOM_SIZE
];
4054 unsigned char master_key
[64];
4055 size_t master_key_len
;
4059 * TLS library did not support EAP-FAST key generation, so get the
4060 * needed TLS session parameters and use an internal implementation of
4061 * TLS PRF to derive the key.
4069 ver
= SSL_get_version(ssl
);
4070 sess
= SSL_get_session(ssl
);
4074 skip
= openssl_get_keyblock_size(ssl
);
4077 tmp_out
= os_malloc(skip
+ out_len
);
4082 rnd
= os_malloc(2 * SSL3_RANDOM_SIZE
);
4088 SSL_get_client_random(ssl
, client_random
, sizeof(client_random
));
4089 SSL_get_server_random(ssl
, server_random
, sizeof(server_random
));
4090 master_key_len
= SSL_SESSION_get_master_key(sess
, master_key
,
4091 sizeof(master_key
));
4093 os_memcpy(rnd
, server_random
, SSL3_RANDOM_SIZE
);
4094 os_memcpy(rnd
+ SSL3_RANDOM_SIZE
, client_random
, SSL3_RANDOM_SIZE
);
4096 if (os_strcmp(ver
, "TLSv1.2") == 0) {
4097 tls_prf_sha256(master_key
, master_key_len
,
4098 "key expansion", rnd
, 2 * SSL3_RANDOM_SIZE
,
4099 _out
, skip
+ out_len
);
4101 } else if (tls_prf_sha1_md5(master_key
, master_key_len
,
4102 "key expansion", rnd
, 2 * SSL3_RANDOM_SIZE
,
4103 _out
, skip
+ out_len
) == 0) {
4106 forced_memzero(master_key
, sizeof(master_key
));
4109 os_memcpy(out
, _out
+ skip
, out_len
);
4110 bin_clear_free(tmp_out
, skip
);
4113 #else /* OPENSSL_NEED_EAP_FAST_PRF */
4114 wpa_printf(MSG_ERROR
,
4115 "OpenSSL: EAP-FAST keys cannot be exported in FIPS mode");
4117 #endif /* OPENSSL_NEED_EAP_FAST_PRF */
4121 static struct wpabuf
*
4122 openssl_handshake(struct tls_connection
*conn
, const struct wpabuf
*in_data
)
4125 struct wpabuf
*out_data
;
4128 * Give TLS handshake data from the server (if available) to OpenSSL
4131 if (in_data
&& wpabuf_len(in_data
) > 0 &&
4132 BIO_write(conn
->ssl_in
, wpabuf_head(in_data
), wpabuf_len(in_data
))
4134 tls_show_errors(MSG_INFO
, __func__
,
4135 "Handshake failed - BIO_write");
4139 /* Initiate TLS handshake or continue the existing handshake */
4141 res
= SSL_accept(conn
->ssl
);
4143 res
= SSL_connect(conn
->ssl
);
4145 int err
= SSL_get_error(conn
->ssl
, res
);
4146 if (err
== SSL_ERROR_WANT_READ
)
4147 wpa_printf(MSG_DEBUG
, "SSL: SSL_connect - want "
4149 else if (err
== SSL_ERROR_WANT_WRITE
)
4150 wpa_printf(MSG_DEBUG
, "SSL: SSL_connect - want to "
4153 tls_show_errors(MSG_INFO
, __func__
, "SSL_connect");
4155 if (!conn
->server
&& !conn
->client_hello_generated
) {
4156 /* The server would not understand TLS Alert
4157 * before ClientHello, so simply terminate
4158 * handshake on this type of error case caused
4159 * by a likely internal error like no ciphers
4161 wpa_printf(MSG_DEBUG
,
4162 "OpenSSL: Could not generate ClientHello");
4163 conn
->write_alerts
++;
4169 if (!conn
->server
&& !conn
->failed
)
4170 conn
->client_hello_generated
= 1;
4172 #ifdef CONFIG_SUITEB
4173 if ((conn
->flags
& TLS_CONN_SUITEB
) && !conn
->server
&&
4174 os_strncmp(SSL_get_cipher(conn
->ssl
), "DHE-", 4) == 0 &&
4175 conn
->server_dh_prime_len
< 3072) {
4176 struct tls_context
*context
= conn
->context
;
4179 * This should not be reached since earlier cert_cb should have
4180 * terminated the handshake. Keep this check here for extra
4181 * protection if anything goes wrong with the more low-level
4182 * checks based on having to parse the TLS handshake messages.
4184 wpa_printf(MSG_DEBUG
,
4185 "OpenSSL: Server DH prime length: %d bits",
4186 conn
->server_dh_prime_len
);
4188 if (context
->event_cb
) {
4189 union tls_event_data ev
;
4191 os_memset(&ev
, 0, sizeof(ev
));
4192 ev
.alert
.is_local
= 1;
4193 ev
.alert
.type
= "fatal";
4194 ev
.alert
.description
= "insufficient security";
4195 context
->event_cb(context
->cb_ctx
, TLS_ALERT
, &ev
);
4198 * Could send a TLS Alert to the server, but for now, simply
4199 * terminate handshake.
4202 conn
->write_alerts
++;
4205 #endif /* CONFIG_SUITEB */
4207 /* Get the TLS handshake data to be sent to the server */
4208 res
= BIO_ctrl_pending(conn
->ssl_out
);
4209 wpa_printf(MSG_DEBUG
, "SSL: %d bytes pending from ssl_out", res
);
4210 out_data
= wpabuf_alloc(res
);
4211 if (out_data
== NULL
) {
4212 wpa_printf(MSG_DEBUG
, "SSL: Failed to allocate memory for "
4213 "handshake output (%d bytes)", res
);
4214 if (BIO_reset(conn
->ssl_out
) < 0) {
4215 tls_show_errors(MSG_INFO
, __func__
,
4216 "BIO_reset failed");
4220 res
= res
== 0 ? 0 : BIO_read(conn
->ssl_out
, wpabuf_mhead(out_data
),
4223 tls_show_errors(MSG_INFO
, __func__
,
4224 "Handshake failed - BIO_read");
4225 if (BIO_reset(conn
->ssl_out
) < 0) {
4226 tls_show_errors(MSG_INFO
, __func__
,
4227 "BIO_reset failed");
4229 wpabuf_free(out_data
);
4232 wpabuf_put(out_data
, res
);
4238 static struct wpabuf
*
4239 openssl_get_appl_data(struct tls_connection
*conn
, size_t max_len
)
4241 struct wpabuf
*appl_data
;
4244 appl_data
= wpabuf_alloc(max_len
+ 100);
4245 if (appl_data
== NULL
)
4248 res
= SSL_read(conn
->ssl
, wpabuf_mhead(appl_data
),
4249 wpabuf_size(appl_data
));
4251 int err
= SSL_get_error(conn
->ssl
, res
);
4252 if (err
== SSL_ERROR_WANT_READ
||
4253 err
== SSL_ERROR_WANT_WRITE
) {
4254 wpa_printf(MSG_DEBUG
, "SSL: No Application Data "
4257 tls_show_errors(MSG_INFO
, __func__
,
4258 "Failed to read possible "
4259 "Application Data");
4261 wpabuf_free(appl_data
);
4265 wpabuf_put(appl_data
, res
);
4266 wpa_hexdump_buf_key(MSG_MSGDUMP
, "SSL: Application Data in Finished "
4267 "message", appl_data
);
4273 static struct wpabuf
*
4274 openssl_connection_handshake(struct tls_connection
*conn
,
4275 const struct wpabuf
*in_data
,
4276 struct wpabuf
**appl_data
)
4278 struct wpabuf
*out_data
;
4283 out_data
= openssl_handshake(conn
, in_data
);
4284 if (out_data
== NULL
)
4286 if (conn
->invalid_hb_used
) {
4287 wpa_printf(MSG_INFO
, "TLS: Heartbeat attack detected - do not send response");
4288 wpabuf_free(out_data
);
4292 if (SSL_is_init_finished(conn
->ssl
)) {
4293 wpa_printf(MSG_DEBUG
,
4294 "OpenSSL: Handshake finished - resumed=%d",
4295 tls_connection_resumed(conn
->ssl_ctx
, conn
));
4298 size_t buflen
= 2000;
4300 buf
= os_malloc(buflen
);
4302 if (SSL_get_shared_ciphers(conn
->ssl
, buf
,
4304 buf
[buflen
- 1] = '\0';
4305 wpa_printf(MSG_DEBUG
,
4306 "OpenSSL: Shared ciphers: %s",
4312 if (appl_data
&& in_data
)
4313 *appl_data
= openssl_get_appl_data(conn
,
4314 wpabuf_len(in_data
));
4317 if (conn
->invalid_hb_used
) {
4318 wpa_printf(MSG_INFO
, "TLS: Heartbeat attack detected - do not send response");
4320 wpabuf_free(*appl_data
);
4323 wpabuf_free(out_data
);
4332 tls_connection_handshake(void *ssl_ctx
, struct tls_connection
*conn
,
4333 const struct wpabuf
*in_data
,
4334 struct wpabuf
**appl_data
)
4336 return openssl_connection_handshake(conn
, in_data
, appl_data
);
4340 struct wpabuf
* tls_connection_server_handshake(void *tls_ctx
,
4341 struct tls_connection
*conn
,
4342 const struct wpabuf
*in_data
,
4343 struct wpabuf
**appl_data
)
4346 return openssl_connection_handshake(conn
, in_data
, appl_data
);
4350 struct wpabuf
* tls_connection_encrypt(void *tls_ctx
,
4351 struct tls_connection
*conn
,
4352 const struct wpabuf
*in_data
)
4360 /* Give plaintext data for OpenSSL to encrypt into the TLS tunnel. */
4361 if ((res
= BIO_reset(conn
->ssl_in
)) < 0 ||
4362 (res
= BIO_reset(conn
->ssl_out
)) < 0) {
4363 tls_show_errors(MSG_INFO
, __func__
, "BIO_reset failed");
4366 res
= SSL_write(conn
->ssl
, wpabuf_head(in_data
), wpabuf_len(in_data
));
4368 tls_show_errors(MSG_INFO
, __func__
,
4369 "Encryption failed - SSL_write");
4373 /* Read encrypted data to be sent to the server */
4374 buf
= wpabuf_alloc(wpabuf_len(in_data
) + 300);
4377 res
= BIO_read(conn
->ssl_out
, wpabuf_mhead(buf
), wpabuf_size(buf
));
4379 tls_show_errors(MSG_INFO
, __func__
,
4380 "Encryption failed - BIO_read");
4384 wpabuf_put(buf
, res
);
4390 struct wpabuf
* tls_connection_decrypt(void *tls_ctx
,
4391 struct tls_connection
*conn
,
4392 const struct wpabuf
*in_data
)
4397 /* Give encrypted data from TLS tunnel for OpenSSL to decrypt. */
4398 res
= BIO_write(conn
->ssl_in
, wpabuf_head(in_data
),
4399 wpabuf_len(in_data
));
4401 tls_show_errors(MSG_INFO
, __func__
,
4402 "Decryption failed - BIO_write");
4405 if (BIO_reset(conn
->ssl_out
) < 0) {
4406 tls_show_errors(MSG_INFO
, __func__
, "BIO_reset failed");
4410 /* Read decrypted data for further processing */
4412 * Even though we try to disable TLS compression, it is possible that
4413 * this cannot be done with all TLS libraries. Add extra buffer space
4414 * to handle the possibility of the decrypted data being longer than
4417 buf
= wpabuf_alloc((wpabuf_len(in_data
) + 500) * 3);
4420 res
= SSL_read(conn
->ssl
, wpabuf_mhead(buf
), wpabuf_size(buf
));
4422 tls_show_errors(MSG_INFO
, __func__
,
4423 "Decryption failed - SSL_read");
4427 wpabuf_put(buf
, res
);
4429 if (conn
->invalid_hb_used
) {
4430 wpa_printf(MSG_INFO
, "TLS: Heartbeat attack detected - do not send response");
4439 int tls_connection_resumed(void *ssl_ctx
, struct tls_connection
*conn
)
4441 return conn
? SSL_session_reused(conn
->ssl
) : 0;
4445 int tls_connection_set_cipher_list(void *tls_ctx
, struct tls_connection
*conn
,
4448 char buf
[500], *pos
, *end
;
4452 if (conn
== NULL
|| conn
->ssl
== NULL
|| ciphers
== NULL
)
4457 end
= pos
+ sizeof(buf
);
4460 while (*c
!= TLS_CIPHER_NONE
) {
4464 case TLS_CIPHER_RC4_SHA
:
4467 case TLS_CIPHER_AES128_SHA
:
4468 suite
= "AES128-SHA";
4470 case TLS_CIPHER_RSA_DHE_AES128_SHA
:
4471 suite
= "DHE-RSA-AES128-SHA";
4473 case TLS_CIPHER_ANON_DH_AES128_SHA
:
4474 suite
= "ADH-AES128-SHA";
4476 case TLS_CIPHER_RSA_DHE_AES256_SHA
:
4477 suite
= "DHE-RSA-AES256-SHA";
4479 case TLS_CIPHER_AES256_SHA
:
4480 suite
= "AES256-SHA";
4483 wpa_printf(MSG_DEBUG
, "TLS: Unsupported "
4484 "cipher selection: %d", *c
);
4487 ret
= os_snprintf(pos
, end
- pos
, ":%s", suite
);
4488 if (os_snprintf_error(end
- pos
, ret
))
4495 wpa_printf(MSG_DEBUG
, "OpenSSL: No ciphers listed");
4499 wpa_printf(MSG_DEBUG
, "OpenSSL: cipher suites: %s", buf
+ 1);
4501 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
4502 #ifdef EAP_FAST_OR_TEAP
4503 if (os_strstr(buf
, ":ADH-")) {
4505 * Need to drop to security level 0 to allow anonymous
4506 * cipher suites for EAP-FAST.
4508 SSL_set_security_level(conn
->ssl
, 0);
4509 } else if (SSL_get_security_level(conn
->ssl
) == 0) {
4510 /* Force at least security level 1 */
4511 SSL_set_security_level(conn
->ssl
, 1);
4513 #endif /* EAP_FAST_OR_TEAP */
4516 if (SSL_set_cipher_list(conn
->ssl
, buf
+ 1) != 1) {
4517 tls_show_errors(MSG_INFO
, __func__
,
4518 "Cipher suite configuration failed");
4526 int tls_get_version(void *ssl_ctx
, struct tls_connection
*conn
,
4527 char *buf
, size_t buflen
)
4530 if (conn
== NULL
|| conn
->ssl
== NULL
)
4533 name
= SSL_get_version(conn
->ssl
);
4537 os_strlcpy(buf
, name
, buflen
);
4542 int tls_get_cipher(void *ssl_ctx
, struct tls_connection
*conn
,
4543 char *buf
, size_t buflen
)
4546 if (conn
== NULL
|| conn
->ssl
== NULL
)
4549 name
= SSL_get_cipher(conn
->ssl
);
4553 os_strlcpy(buf
, name
, buflen
);
4558 int tls_connection_enable_workaround(void *ssl_ctx
,
4559 struct tls_connection
*conn
)
4561 SSL_set_options(conn
->ssl
, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
);
4567 #ifdef EAP_FAST_OR_TEAP
4568 /* ClientHello TLS extensions require a patch to openssl, so this function is
4569 * commented out unless explicitly needed for EAP-FAST in order to be able to
4570 * build this file with unmodified openssl. */
4571 int tls_connection_client_hello_ext(void *ssl_ctx
, struct tls_connection
*conn
,
4572 int ext_type
, const u8
*data
,
4575 if (conn
== NULL
|| conn
->ssl
== NULL
|| ext_type
!= 35)
4578 if (SSL_set_session_ticket_ext(conn
->ssl
, (void *) data
,
4584 #endif /* EAP_FAST_OR_TEAP */
4587 int tls_connection_get_failed(void *ssl_ctx
, struct tls_connection
*conn
)
4591 return conn
->failed
;
4595 int tls_connection_get_read_alerts(void *ssl_ctx
, struct tls_connection
*conn
)
4599 return conn
->read_alerts
;
4603 int tls_connection_get_write_alerts(void *ssl_ctx
, struct tls_connection
*conn
)
4607 return conn
->write_alerts
;
4613 static void ocsp_debug_print_resp(OCSP_RESPONSE
*rsp
)
4615 #ifndef CONFIG_NO_STDOUT_DEBUG
4621 if (wpa_debug_level
> MSG_DEBUG
)
4624 out
= BIO_new(BIO_s_mem());
4628 OCSP_RESPONSE_print(out
, rsp
, 0);
4629 rlen
= BIO_ctrl_pending(out
);
4630 txt
= os_malloc(rlen
+ 1);
4636 res
= BIO_read(out
, txt
, rlen
);
4639 wpa_printf(MSG_DEBUG
, "OpenSSL: OCSP Response\n%s", txt
);
4643 #endif /* CONFIG_NO_STDOUT_DEBUG */
4647 static void debug_print_cert(X509
*cert
, const char *title
)
4649 #ifndef CONFIG_NO_STDOUT_DEBUG
4655 if (wpa_debug_level
> MSG_DEBUG
)
4658 out
= BIO_new(BIO_s_mem());
4662 X509_print(out
, cert
);
4663 rlen
= BIO_ctrl_pending(out
);
4664 txt
= os_malloc(rlen
+ 1);
4670 res
= BIO_read(out
, txt
, rlen
);
4673 wpa_printf(MSG_DEBUG
, "OpenSSL: %s\n%s", title
, txt
);
4678 #endif /* CONFIG_NO_STDOUT_DEBUG */
4682 static int ocsp_resp_cb(SSL
*s
, void *arg
)
4684 struct tls_connection
*conn
= arg
;
4685 const unsigned char *p
;
4686 int len
, status
, reason
, res
;
4688 OCSP_BASICRESP
*basic
;
4690 ASN1_GENERALIZEDTIME
*produced_at
, *this_update
, *next_update
;
4692 STACK_OF(X509
) *certs
= NULL
;
4694 len
= SSL_get_tlsext_status_ocsp_resp(s
, &p
);
4696 wpa_printf(MSG_DEBUG
, "OpenSSL: No OCSP response received");
4697 return (conn
->flags
& TLS_CONN_REQUIRE_OCSP
) ? 0 : 1;
4700 wpa_hexdump(MSG_DEBUG
, "OpenSSL: OCSP response", p
, len
);
4702 rsp
= d2i_OCSP_RESPONSE(NULL
, &p
, len
);
4704 wpa_printf(MSG_INFO
, "OpenSSL: Failed to parse OCSP response");
4708 ocsp_debug_print_resp(rsp
);
4710 status
= OCSP_response_status(rsp
);
4711 if (status
!= OCSP_RESPONSE_STATUS_SUCCESSFUL
) {
4712 wpa_printf(MSG_INFO
, "OpenSSL: OCSP responder error %d (%s)",
4713 status
, OCSP_response_status_str(status
));
4717 basic
= OCSP_response_get1_basic(rsp
);
4719 wpa_printf(MSG_INFO
, "OpenSSL: Could not find BasicOCSPResponse");
4723 store
= SSL_CTX_get_cert_store(conn
->ssl_ctx
);
4724 if (conn
->peer_issuer
) {
4725 debug_print_cert(conn
->peer_issuer
, "Add OCSP issuer");
4727 if (X509_STORE_add_cert(store
, conn
->peer_issuer
) != 1) {
4728 tls_show_errors(MSG_INFO
, __func__
,
4729 "OpenSSL: Could not add issuer to certificate store");
4731 certs
= sk_X509_new_null();
4734 cert
= X509_dup(conn
->peer_issuer
);
4735 if (cert
&& !sk_X509_push(certs
, cert
)) {
4738 "OpenSSL: Could not add issuer to OCSP responder trust store");
4740 sk_X509_free(certs
);
4743 if (certs
&& conn
->peer_issuer_issuer
) {
4744 cert
= X509_dup(conn
->peer_issuer_issuer
);
4745 if (cert
&& !sk_X509_push(certs
, cert
)) {
4748 "OpenSSL: Could not add issuer's issuer to OCSP responder trust store");
4755 status
= OCSP_basic_verify(basic
, certs
, store
, OCSP_TRUSTOTHER
);
4756 sk_X509_pop_free(certs
, X509_free
);
4758 tls_show_errors(MSG_INFO
, __func__
,
4759 "OpenSSL: OCSP response failed verification");
4760 OCSP_BASICRESP_free(basic
);
4761 OCSP_RESPONSE_free(rsp
);
4765 wpa_printf(MSG_DEBUG
, "OpenSSL: OCSP response verification succeeded");
4767 if (!conn
->peer_cert
) {
4768 wpa_printf(MSG_DEBUG
, "OpenSSL: Peer certificate not available for OCSP status check");
4769 OCSP_BASICRESP_free(basic
);
4770 OCSP_RESPONSE_free(rsp
);
4774 if (!conn
->peer_issuer
) {
4775 wpa_printf(MSG_DEBUG
, "OpenSSL: Peer issuer certificate not available for OCSP status check");
4776 OCSP_BASICRESP_free(basic
);
4777 OCSP_RESPONSE_free(rsp
);
4781 id
= OCSP_cert_to_id(EVP_sha256(), conn
->peer_cert
, conn
->peer_issuer
);
4783 wpa_printf(MSG_DEBUG
,
4784 "OpenSSL: Could not create OCSP certificate identifier (SHA256)");
4785 OCSP_BASICRESP_free(basic
);
4786 OCSP_RESPONSE_free(rsp
);
4790 res
= OCSP_resp_find_status(basic
, id
, &status
, &reason
, &produced_at
,
4791 &this_update
, &next_update
);
4793 OCSP_CERTID_free(id
);
4794 id
= OCSP_cert_to_id(NULL
, conn
->peer_cert
, conn
->peer_issuer
);
4796 wpa_printf(MSG_DEBUG
,
4797 "OpenSSL: Could not create OCSP certificate identifier (SHA1)");
4798 OCSP_BASICRESP_free(basic
);
4799 OCSP_RESPONSE_free(rsp
);
4803 res
= OCSP_resp_find_status(basic
, id
, &status
, &reason
,
4804 &produced_at
, &this_update
,
4809 wpa_printf(MSG_INFO
, "OpenSSL: Could not find current server certificate from OCSP response%s",
4810 (conn
->flags
& TLS_CONN_REQUIRE_OCSP
) ? "" :
4811 " (OCSP not required)");
4812 OCSP_CERTID_free(id
);
4813 OCSP_BASICRESP_free(basic
);
4814 OCSP_RESPONSE_free(rsp
);
4815 return (conn
->flags
& TLS_CONN_REQUIRE_OCSP
) ? 0 : 1;
4817 OCSP_CERTID_free(id
);
4819 if (!OCSP_check_validity(this_update
, next_update
, 5 * 60, -1)) {
4820 tls_show_errors(MSG_INFO
, __func__
,
4821 "OpenSSL: OCSP status times invalid");
4822 OCSP_BASICRESP_free(basic
);
4823 OCSP_RESPONSE_free(rsp
);
4827 OCSP_BASICRESP_free(basic
);
4828 OCSP_RESPONSE_free(rsp
);
4830 wpa_printf(MSG_DEBUG
, "OpenSSL: OCSP status for server certificate: %s",
4831 OCSP_cert_status_str(status
));
4833 if (status
== V_OCSP_CERTSTATUS_GOOD
)
4835 if (status
== V_OCSP_CERTSTATUS_REVOKED
)
4837 if (conn
->flags
& TLS_CONN_REQUIRE_OCSP
) {
4838 wpa_printf(MSG_DEBUG
, "OpenSSL: OCSP status unknown, but OCSP required");
4841 wpa_printf(MSG_DEBUG
, "OpenSSL: OCSP status unknown, but OCSP was not required, so allow connection to continue");
4846 static int ocsp_status_cb(SSL
*s
, void *arg
)
4852 if (tls_global
->ocsp_stapling_response
== NULL
) {
4853 wpa_printf(MSG_DEBUG
, "OpenSSL: OCSP status callback - no response configured");
4854 return SSL_TLSEXT_ERR_OK
;
4857 resp
= os_readfile(tls_global
->ocsp_stapling_response
, &len
);
4859 wpa_printf(MSG_DEBUG
, "OpenSSL: OCSP status callback - could not read response file");
4860 /* TODO: Build OCSPResponse with responseStatus = internalError
4862 return SSL_TLSEXT_ERR_OK
;
4864 wpa_printf(MSG_DEBUG
, "OpenSSL: OCSP status callback - send cached response");
4865 tmp
= OPENSSL_malloc(len
);
4868 return SSL_TLSEXT_ERR_ALERT_FATAL
;
4871 os_memcpy(tmp
, resp
, len
);
4873 SSL_set_tlsext_status_ocsp_resp(s
, tmp
, len
);
4875 return SSL_TLSEXT_ERR_OK
;
4878 #endif /* HAVE_OCSP */
4881 int tls_connection_set_params(void *tls_ctx
, struct tls_connection
*conn
,
4882 const struct tls_connection_params
*params
)
4884 struct tls_data
*data
= tls_ctx
;
4888 const char *key_id
= params
->key_id
;
4889 const char *cert_id
= params
->cert_id
;
4890 const char *ca_cert_id
= params
->ca_cert_id
;
4891 const char *engine_id
= params
->engine
? params
->engine_id
: NULL
;
4892 const char *ciphers
;
4897 if (params
->flags
& TLS_CONN_REQUIRE_OCSP_ALL
) {
4898 wpa_printf(MSG_INFO
,
4899 "OpenSSL: ocsp=3 not supported");
4904 * If the engine isn't explicitly configured, and any of the
4905 * cert/key fields are actually PKCS#11 URIs, then automatically
4906 * use the PKCS#11 ENGINE.
4908 if (!engine_id
|| os_strcmp(engine_id
, "pkcs11") == 0)
4911 if (!key_id
&& params
->private_key
&& can_pkcs11
&&
4912 os_strncmp(params
->private_key
, "pkcs11:", 7) == 0) {
4914 key_id
= params
->private_key
;
4917 if (!cert_id
&& params
->client_cert
&& can_pkcs11
&&
4918 os_strncmp(params
->client_cert
, "pkcs11:", 7) == 0) {
4920 cert_id
= params
->client_cert
;
4923 if (!ca_cert_id
&& params
->ca_cert
&& can_pkcs11
&&
4924 os_strncmp(params
->ca_cert
, "pkcs11:", 7) == 0) {
4926 ca_cert_id
= params
->ca_cert
;
4929 /* If we need to automatically enable the PKCS#11 ENGINE, do so. */
4930 if (can_pkcs11
== 2 && !engine_id
)
4931 engine_id
= "pkcs11";
4933 #if defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || defined(EAP_SERVER_FAST)
4934 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
4935 if (params
->flags
& TLS_CONN_EAP_FAST
) {
4936 wpa_printf(MSG_DEBUG
,
4937 "OpenSSL: Use TLSv1_method() for EAP-FAST");
4938 if (SSL_set_ssl_method(conn
->ssl
, TLSv1_method()) != 1) {
4939 tls_show_errors(MSG_INFO
, __func__
,
4940 "Failed to set TLSv1_method() for EAP-FAST");
4945 #if OPENSSL_VERSION_NUMBER >= 0x10101000L
4946 #ifdef SSL_OP_NO_TLSv1_3
4947 if (params
->flags
& TLS_CONN_EAP_FAST
) {
4948 /* Need to disable TLS v1.3 at least for now since OpenSSL 1.1.1
4949 * refuses to start the handshake with the modified ciphersuite
4950 * list (no TLS v1.3 ciphersuites included) for EAP-FAST. */
4951 wpa_printf(MSG_DEBUG
, "OpenSSL: Disable TLSv1.3 for EAP-FAST");
4952 SSL_set_options(conn
->ssl
, SSL_OP_NO_TLSv1_3
);
4954 #endif /* SSL_OP_NO_TLSv1_3 */
4956 #endif /* EAP_FAST || EAP_FAST_DYNAMIC || EAP_SERVER_FAST */
4958 while ((err
= ERR_get_error())) {
4959 wpa_printf(MSG_INFO
, "%s: Clearing pending SSL error: %s",
4960 __func__
, ERR_error_string(err
, NULL
));
4964 wpa_printf(MSG_DEBUG
, "SSL: Initializing TLS engine");
4965 ret
= tls_engine_init(conn
, engine_id
, params
->pin
,
4966 key_id
, cert_id
, ca_cert_id
);
4970 if (tls_connection_set_subject_match(conn
,
4971 params
->subject_match
,
4972 params
->altsubject_match
,
4973 params
->suffix_match
,
4974 params
->domain_match
,
4975 params
->check_cert_subject
))
4978 if (engine_id
&& ca_cert_id
) {
4979 if (tls_connection_engine_ca_cert(data
, conn
, ca_cert_id
))
4980 return TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED
;
4981 } else if (tls_connection_ca_cert(data
, conn
, params
->ca_cert
,
4982 params
->ca_cert_blob
,
4983 params
->ca_cert_blob_len
,
4987 if (engine_id
&& cert_id
) {
4988 if (tls_connection_engine_client_cert(conn
, cert_id
))
4989 return TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED
;
4990 } else if (tls_connection_client_cert(conn
, params
->client_cert
,
4991 params
->client_cert_blob
,
4992 params
->client_cert_blob_len
))
4995 if (engine_id
&& key_id
) {
4996 wpa_printf(MSG_DEBUG
, "TLS: Using private key from engine");
4997 if (tls_connection_engine_private_key(conn
))
4998 return TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED
;
4999 } else if (tls_connection_private_key(data
, conn
,
5000 params
->private_key
,
5001 params
->private_key_passwd
,
5002 params
->private_key_blob
,
5003 params
->private_key_blob_len
)) {
5004 wpa_printf(MSG_INFO
, "TLS: Failed to load private key '%s'",
5005 params
->private_key
);
5009 if (tls_connection_dh(conn
, params
->dh_file
)) {
5010 wpa_printf(MSG_INFO
, "TLS: Failed to load DH file '%s'",
5015 ciphers
= params
->openssl_ciphers
;
5016 #ifdef CONFIG_SUITEB
5017 #ifdef OPENSSL_IS_BORINGSSL
5018 if (ciphers
&& os_strcmp(ciphers
, "SUITEB192") == 0) {
5019 /* BoringSSL removed support for SUITEB192, so need to handle
5020 * this with hardcoded ciphersuite and additional checks for
5021 * other parameters. */
5022 ciphers
= "ECDHE-ECDSA-AES256-GCM-SHA384";
5024 #endif /* OPENSSL_IS_BORINGSSL */
5025 #endif /* CONFIG_SUITEB */
5026 if (ciphers
&& SSL_set_cipher_list(conn
->ssl
, ciphers
) != 1) {
5027 wpa_printf(MSG_INFO
,
5028 "OpenSSL: Failed to set cipher string '%s'",
5033 if (!params
->openssl_ecdh_curves
) {
5034 #ifndef OPENSSL_IS_BORINGSSL
5035 #ifndef OPENSSL_NO_EC
5036 #if (OPENSSL_VERSION_NUMBER >= 0x10002000L) && \
5037 (OPENSSL_VERSION_NUMBER < 0x10100000L)
5038 if (SSL_set_ecdh_auto(conn
->ssl
, 1) != 1) {
5039 wpa_printf(MSG_INFO
,
5040 "OpenSSL: Failed to set ECDH curves to auto");
5043 #endif /* >= 1.0.2 && < 1.1.0 */
5044 #endif /* OPENSSL_NO_EC */
5045 #endif /* OPENSSL_IS_BORINGSSL */
5046 } else if (params
->openssl_ecdh_curves
[0]) {
5047 #if defined(OPENSSL_IS_BORINGSSL) || (OPENSSL_VERSION_NUMBER < 0x10002000L)
5048 wpa_printf(MSG_INFO
,
5049 "OpenSSL: ECDH configuration nnot supported");
5051 #else /* OPENSSL_IS_BORINGSSL || < 1.0.2 */
5052 #ifndef OPENSSL_NO_EC
5053 if (SSL_set1_curves_list(conn
->ssl
,
5054 params
->openssl_ecdh_curves
) != 1) {
5055 wpa_printf(MSG_INFO
,
5056 "OpenSSL: Failed to set ECDH curves '%s'",
5057 params
->openssl_ecdh_curves
);
5060 #else /* OPENSSL_NO_EC */
5061 wpa_printf(MSG_INFO
, "OpenSSL: ECDH not supported");
5063 #endif /* OPENSSL_NO_EC */
5064 #endif /* OPENSSL_IS_BORINGSSL */
5067 if (tls_set_conn_flags(conn
, params
->flags
,
5068 params
->openssl_ciphers
) < 0)
5071 #ifdef OPENSSL_IS_BORINGSSL
5072 if (params
->flags
& TLS_CONN_REQUEST_OCSP
) {
5073 SSL_enable_ocsp_stapling(conn
->ssl
);
5075 #else /* OPENSSL_IS_BORINGSSL */
5077 if (params
->flags
& TLS_CONN_REQUEST_OCSP
) {
5078 SSL_CTX
*ssl_ctx
= data
->ssl
;
5079 SSL_set_tlsext_status_type(conn
->ssl
, TLSEXT_STATUSTYPE_ocsp
);
5080 SSL_CTX_set_tlsext_status_cb(ssl_ctx
, ocsp_resp_cb
);
5081 SSL_CTX_set_tlsext_status_arg(ssl_ctx
, conn
);
5083 #else /* HAVE_OCSP */
5084 if (params
->flags
& TLS_CONN_REQUIRE_OCSP
) {
5085 wpa_printf(MSG_INFO
,
5086 "OpenSSL: No OCSP support included - reject configuration");
5089 if (params
->flags
& TLS_CONN_REQUEST_OCSP
) {
5090 wpa_printf(MSG_DEBUG
,
5091 "OpenSSL: No OCSP support included - allow optional OCSP case to continue");
5093 #endif /* HAVE_OCSP */
5094 #endif /* OPENSSL_IS_BORINGSSL */
5096 conn
->flags
= params
->flags
;
5098 tls_get_errors(data
);
5104 static void openssl_debug_dump_cipher_list(SSL_CTX
*ssl_ctx
)
5109 ssl
= SSL_new(ssl_ctx
);
5113 wpa_printf(MSG_DEBUG
,
5114 "OpenSSL: Enabled cipher suites in priority order");
5115 for (i
= 0; ; i
++) {
5118 cipher
= SSL_get_cipher_list(ssl
, i
);
5121 wpa_printf(MSG_DEBUG
, "Cipher %d: %s", i
, cipher
);
5128 static const char * openssl_pkey_type_str(const EVP_PKEY
*pkey
)
5132 switch (EVP_PKEY_type(EVP_PKEY_id(pkey
))) {
5146 static void openssl_debug_dump_certificate(int i
, X509
*cert
)
5151 char serial_num
[128];
5153 X509_NAME_oneline(X509_get_subject_name(cert
), buf
, sizeof(buf
));
5155 ser
= X509_get_serialNumber(cert
);
5157 wpa_snprintf_hex_uppercase(serial_num
, sizeof(serial_num
),
5158 ASN1_STRING_get0_data(ser
),
5159 ASN1_STRING_length(ser
));
5161 serial_num
[0] = '\0';
5163 pkey
= X509_get_pubkey(cert
);
5164 wpa_printf(MSG_DEBUG
, "%d: %s (%s) %s", i
, buf
,
5165 openssl_pkey_type_str(pkey
), serial_num
);
5166 EVP_PKEY_free(pkey
);
5170 static void openssl_debug_dump_certificates(SSL_CTX
*ssl_ctx
)
5172 STACK_OF(X509
) *certs
;
5174 wpa_printf(MSG_DEBUG
, "OpenSSL: Configured certificate chain");
5175 if (SSL_CTX_get0_chain_certs(ssl_ctx
, &certs
) == 1) {
5178 for (i
= sk_X509_num(certs
); i
> 0; i
--)
5179 openssl_debug_dump_certificate(i
, sk_X509_value(certs
,
5182 openssl_debug_dump_certificate(0, SSL_CTX_get0_certificate(ssl_ctx
));
5186 static void openssl_debug_dump_certificate_chains(SSL_CTX
*ssl_ctx
)
5190 for (res
= SSL_CTX_set_current_cert(ssl_ctx
, SSL_CERT_SET_FIRST
);
5192 res
= SSL_CTX_set_current_cert(ssl_ctx
, SSL_CERT_SET_NEXT
))
5193 openssl_debug_dump_certificates(ssl_ctx
);
5195 SSL_CTX_set_current_cert(ssl_ctx
, SSL_CERT_SET_FIRST
);
5199 static void openssl_debug_dump_ctx(SSL_CTX
*ssl_ctx
)
5201 openssl_debug_dump_cipher_list(ssl_ctx
);
5202 openssl_debug_dump_certificate_chains(ssl_ctx
);
5206 int tls_global_set_params(void *tls_ctx
,
5207 const struct tls_connection_params
*params
)
5209 struct tls_data
*data
= tls_ctx
;
5210 SSL_CTX
*ssl_ctx
= data
->ssl
;
5213 while ((err
= ERR_get_error())) {
5214 wpa_printf(MSG_INFO
, "%s: Clearing pending SSL error: %s",
5215 __func__
, ERR_error_string(err
, NULL
));
5218 os_free(data
->check_cert_subject
);
5219 data
->check_cert_subject
= NULL
;
5220 if (params
->check_cert_subject
) {
5221 data
->check_cert_subject
=
5222 os_strdup(params
->check_cert_subject
);
5223 if (!data
->check_cert_subject
)
5227 if (tls_global_ca_cert(data
, params
->ca_cert
) ||
5228 tls_global_client_cert(data
, params
->client_cert
) ||
5229 tls_global_private_key(data
, params
->private_key
,
5230 params
->private_key_passwd
) ||
5231 tls_global_dh(data
, params
->dh_file
)) {
5232 wpa_printf(MSG_INFO
, "TLS: Failed to set global parameters");
5236 if (params
->openssl_ciphers
&&
5237 SSL_CTX_set_cipher_list(ssl_ctx
, params
->openssl_ciphers
) != 1) {
5238 wpa_printf(MSG_INFO
,
5239 "OpenSSL: Failed to set cipher string '%s'",
5240 params
->openssl_ciphers
);
5244 if (!params
->openssl_ecdh_curves
) {
5245 #ifndef OPENSSL_IS_BORINGSSL
5246 #ifndef OPENSSL_NO_EC
5247 #if (OPENSSL_VERSION_NUMBER >= 0x10002000L) && \
5248 (OPENSSL_VERSION_NUMBER < 0x10100000L)
5249 if (SSL_CTX_set_ecdh_auto(ssl_ctx
, 1) != 1) {
5250 wpa_printf(MSG_INFO
,
5251 "OpenSSL: Failed to set ECDH curves to auto");
5254 #endif /* >= 1.0.2 && < 1.1.0 */
5255 #endif /* OPENSSL_NO_EC */
5256 #endif /* OPENSSL_IS_BORINGSSL */
5257 } else if (params
->openssl_ecdh_curves
[0]) {
5258 #if defined(OPENSSL_IS_BORINGSSL) || (OPENSSL_VERSION_NUMBER < 0x10002000L)
5259 wpa_printf(MSG_INFO
,
5260 "OpenSSL: ECDH configuration nnot supported");
5262 #else /* OPENSSL_IS_BORINGSSL || < 1.0.2 */
5263 #ifndef OPENSSL_NO_EC
5264 #if OPENSSL_VERSION_NUMBER < 0x10100000L
5265 SSL_CTX_set_ecdh_auto(ssl_ctx
, 1);
5267 if (SSL_CTX_set1_curves_list(ssl_ctx
,
5268 params
->openssl_ecdh_curves
) !=
5270 wpa_printf(MSG_INFO
,
5271 "OpenSSL: Failed to set ECDH curves '%s'",
5272 params
->openssl_ecdh_curves
);
5275 #else /* OPENSSL_NO_EC */
5276 wpa_printf(MSG_INFO
, "OpenSSL: ECDH not supported");
5278 #endif /* OPENSSL_NO_EC */
5279 #endif /* OPENSSL_IS_BORINGSSL */
5282 #ifdef SSL_OP_NO_TICKET
5283 if (params
->flags
& TLS_CONN_DISABLE_SESSION_TICKET
)
5284 SSL_CTX_set_options(ssl_ctx
, SSL_OP_NO_TICKET
);
5286 SSL_CTX_clear_options(ssl_ctx
, SSL_OP_NO_TICKET
);
5287 #endif /* SSL_OP_NO_TICKET */
5290 SSL_CTX_set_tlsext_status_cb(ssl_ctx
, ocsp_status_cb
);
5291 SSL_CTX_set_tlsext_status_arg(ssl_ctx
, ssl_ctx
);
5292 os_free(tls_global
->ocsp_stapling_response
);
5293 if (params
->ocsp_stapling_response
)
5294 tls_global
->ocsp_stapling_response
=
5295 os_strdup(params
->ocsp_stapling_response
);
5297 tls_global
->ocsp_stapling_response
= NULL
;
5298 #endif /* HAVE_OCSP */
5300 openssl_debug_dump_ctx(ssl_ctx
);
5306 #ifdef EAP_FAST_OR_TEAP
5307 /* Pre-shared secred requires a patch to openssl, so this function is
5308 * commented out unless explicitly needed for EAP-FAST in order to be able to
5309 * build this file with unmodified openssl. */
5311 #if (defined(OPENSSL_IS_BORINGSSL) || OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
5312 static int tls_sess_sec_cb(SSL
*s
, void *secret
, int *secret_len
,
5313 STACK_OF(SSL_CIPHER
) *peer_ciphers
,
5314 const SSL_CIPHER
**cipher
, void *arg
)
5315 #else /* OPENSSL_IS_BORINGSSL */
5316 static int tls_sess_sec_cb(SSL
*s
, void *secret
, int *secret_len
,
5317 STACK_OF(SSL_CIPHER
) *peer_ciphers
,
5318 SSL_CIPHER
**cipher
, void *arg
)
5319 #endif /* OPENSSL_IS_BORINGSSL */
5321 struct tls_connection
*conn
= arg
;
5324 #if OPENSSL_VERSION_NUMBER < 0x10100000L || \
5325 (defined(LIBRESSL_VERSION_NUMBER) && \
5326 LIBRESSL_VERSION_NUMBER < 0x20700000L)
5327 if (conn
== NULL
|| conn
->session_ticket_cb
== NULL
)
5330 ret
= conn
->session_ticket_cb(conn
->session_ticket_cb_ctx
,
5331 conn
->session_ticket
,
5332 conn
->session_ticket_len
,
5333 s
->s3
->client_random
,
5334 s
->s3
->server_random
, secret
);
5336 unsigned char client_random
[SSL3_RANDOM_SIZE
];
5337 unsigned char server_random
[SSL3_RANDOM_SIZE
];
5339 if (conn
== NULL
|| conn
->session_ticket_cb
== NULL
)
5342 SSL_get_client_random(s
, client_random
, sizeof(client_random
));
5343 SSL_get_server_random(s
, server_random
, sizeof(server_random
));
5345 ret
= conn
->session_ticket_cb(conn
->session_ticket_cb_ctx
,
5346 conn
->session_ticket
,
5347 conn
->session_ticket_len
,
5349 server_random
, secret
);
5352 os_free(conn
->session_ticket
);
5353 conn
->session_ticket
= NULL
;
5358 *secret_len
= SSL_MAX_MASTER_KEY_LENGTH
;
5363 static int tls_session_ticket_ext_cb(SSL
*s
, const unsigned char *data
,
5366 struct tls_connection
*conn
= arg
;
5368 if (conn
== NULL
|| conn
->session_ticket_cb
== NULL
)
5371 wpa_printf(MSG_DEBUG
, "OpenSSL: %s: length=%d", __func__
, len
);
5373 os_free(conn
->session_ticket
);
5374 conn
->session_ticket
= NULL
;
5376 wpa_hexdump(MSG_DEBUG
, "OpenSSL: ClientHello SessionTicket "
5377 "extension", data
, len
);
5379 conn
->session_ticket
= os_memdup(data
, len
);
5380 if (conn
->session_ticket
== NULL
)
5383 conn
->session_ticket_len
= len
;
5387 #endif /* EAP_FAST_OR_TEAP */
5390 int tls_connection_set_session_ticket_cb(void *tls_ctx
,
5391 struct tls_connection
*conn
,
5392 tls_session_ticket_cb cb
,
5395 #ifdef EAP_FAST_OR_TEAP
5396 conn
->session_ticket_cb
= cb
;
5397 conn
->session_ticket_cb_ctx
= ctx
;
5400 if (SSL_set_session_secret_cb(conn
->ssl
, tls_sess_sec_cb
,
5403 SSL_set_session_ticket_ext_cb(conn
->ssl
,
5404 tls_session_ticket_ext_cb
, conn
);
5406 if (SSL_set_session_secret_cb(conn
->ssl
, NULL
, NULL
) != 1)
5408 SSL_set_session_ticket_ext_cb(conn
->ssl
, NULL
, NULL
);
5412 #else /* EAP_FAST_OR_TEAP */
5414 #endif /* EAP_FAST_OR_TEAP */
5418 int tls_get_library_version(char *buf
, size_t buf_len
)
5420 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
5421 return os_snprintf(buf
, buf_len
, "OpenSSL build=%s run=%s",
5422 OPENSSL_VERSION_TEXT
,
5423 OpenSSL_version(OPENSSL_VERSION
));
5425 return os_snprintf(buf
, buf_len
, "OpenSSL build=%s run=%s",
5426 OPENSSL_VERSION_TEXT
,
5427 SSLeay_version(SSLEAY_VERSION
));
5432 void tls_connection_set_success_data(struct tls_connection
*conn
,
5433 struct wpabuf
*data
)
5438 if (tls_ex_idx_session
< 0)
5440 sess
= SSL_get_session(conn
->ssl
);
5443 old
= SSL_SESSION_get_ex_data(sess
, tls_ex_idx_session
);
5445 wpa_printf(MSG_DEBUG
, "OpenSSL: Replacing old success data %p",
5449 if (SSL_SESSION_set_ex_data(sess
, tls_ex_idx_session
, data
) != 1)
5452 wpa_printf(MSG_DEBUG
, "OpenSSL: Stored success data %p", data
);
5453 conn
->success_data
= 1;
5457 wpa_printf(MSG_INFO
, "OpenSSL: Failed to store success data");
5462 void tls_connection_set_success_data_resumed(struct tls_connection
*conn
)
5464 wpa_printf(MSG_DEBUG
,
5465 "OpenSSL: Success data accepted for resumed session");
5466 conn
->success_data
= 1;
5470 const struct wpabuf
*
5471 tls_connection_get_success_data(struct tls_connection
*conn
)
5475 if (tls_ex_idx_session
< 0 ||
5476 !(sess
= SSL_get_session(conn
->ssl
)))
5478 return SSL_SESSION_get_ex_data(sess
, tls_ex_idx_session
);
5482 void tls_connection_remove_session(struct tls_connection
*conn
)
5486 sess
= SSL_get_session(conn
->ssl
);
5490 if (SSL_CTX_remove_session(conn
->ssl_ctx
, sess
) != 1)
5491 wpa_printf(MSG_DEBUG
,
5492 "OpenSSL: Session was not cached");
5494 wpa_printf(MSG_DEBUG
,
5495 "OpenSSL: Removed cached session to disable session resumption");
5499 int tls_get_tls_unique(struct tls_connection
*conn
, u8
*buf
, size_t max_len
)
5504 reused
= SSL_session_reused(conn
->ssl
);
5505 if ((conn
->server
&& !reused
) || (!conn
->server
&& reused
))
5506 len
= SSL_get_peer_finished(conn
->ssl
, buf
, max_len
);
5508 len
= SSL_get_finished(conn
->ssl
, buf
, max_len
);
5510 if (len
== 0 || len
> max_len
)
5517 u16
tls_connection_get_cipher_suite(struct tls_connection
*conn
)
5519 const SSL_CIPHER
*cipher
;
5521 cipher
= SSL_get_current_cipher(conn
->ssl
);
5524 return SSL_CIPHER_get_protocol_id(cipher
);