path: root/src/tls
Commit log (each entry: commit message, then author, date, files changed, lines -deleted/+added)
* libtommath: Make sure fast_s_mp_mul_digs initializes the W[] array (Jouni Malinen, 2019-06-22, 1 file, -0/+1)
  Some compilers have started to warn about this and the use of two loops with ix 0..pa-1 and 0..pa looks a bit suspicious, so better make sure the array is initialized with zeros before extracting the terms from it.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* TLS: Move ASN.1 DER BOOLEAN validation into generic ASN.1 parsing (Jouni Malinen, 2019-06-22, 2 files, -24/+32)
  This does not need to be specific to X.509, so move the BOOLEAN DER encoding validation into asn1_get_next() to make it apply for all cases instead of having to have the caller handle this separately.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* TLS: Only allow 0xff value as TRUE for ASN.1 DER encoded BOOLEAN (Jouni Malinen, 2019-06-22, 1 file, -0/+12)
  While BER encoding allows any nonzero value to be used for TRUE, DER is explicitly allowing only the value 0xff. Enforce this constraint in X.509 parsing to be more strict with what is acceptable.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* TLS: Fix X.509v3 BasicConstraints parsing (Jouni Malinen, 2019-06-22, 1 file, -4/+6)
  Handling of the optional pathLenConstraint after cA was not done properly. The position after cA needs to be compared to the end of the SEQUENCE, not the end of the available buffer, to determine whether the optional pathLenConstraint is present. In addition, when parsing pathLenConstraint, the length of the remaining buffer was calculated incorrectly by not subtracting the length of the header fields needed for cA. This could result in reading a couple of octets beyond the end of the buffer before rejecting the ASN.1 data as invalid.
  Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15408
  Signed-off-by: Jouni Malinen <j@w1.fi>
* TLS: Be more careful in X.509 Time parsing (Jouni Malinen, 2019-06-11, 1 file, -8/+50)
  sscanf() can apparently read beyond the end of the buffer even if the maximum length of the integer is specified in the format string. Replace this parsing mechanism with helper functions that use sscanf() with NUL terminated string to avoid this.
  Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15158
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* TLS: Add support for RFC 5705 TLS exporter context with internal TLS (Jouni Malinen, 2019-03-16, 4 files, -12/+62)
  Use the provided context, if any, to generate the seed for TLS PRF.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* bignum: Fix documentation for bignum_cmp_d() (Jouni Malinen, 2019-03-05, 1 file, -2/+2)
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* TLS: Fix X.509 certificate name conversion into empty string (Jouni Malinen, 2019-02-11, 1 file, -0/+2)
  If none of the supported name attributes are present, the name string was nul terminated only at the end. Add an explicit nul termination at the end of the last written (or beginning of the buffer, if nothing is written) to avoid writing uninitialized data to debug log.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* TLS: Fix ASN.1 parsing with no room for the header (Jouni Malinen, 2019-02-11, 1 file, -0/+8)
  Explicitly check the remaining buffer length before trying to read the ASN.1 header values. An attempt to parse an ASN.1 header when there was not enough buffer room for it would have started by reading one or two octets beyond the end of the buffer before reporting invalid data at the following explicit check for buffer room.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* TLS: Fix AlertDescription for missing partial processing case (Jouni Malinen, 2019-02-11, 1 file, -1/+2)
  tlsv1_record_receive() did not return error here and as such, &alert was not set and must not be used. Report internal error instead to avoid use of uninitialized memory.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* tests: TLS fuzzing tool (Jouni Malinen, 2019-02-11, 2 files, -0/+6)
  Add test-tls program that can be used for fuzzing the internal TLS client and server implementations. This tool can write client or server messages into a file as an initialization step and for the fuzzing step, that file (with potential modifications) can be used to replace the internally generated message contents. The TEST_FUZZ=y build parameter is used to make a special build where a hardcoded random number generator and hardcoded timestamp are used to force deterministic behavior for the TLS operations.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* TLS server: Check credentials have been configured before using them (Jouni Malinen, 2019-02-09, 1 file, -1/+1)
  Allow ServerHello to be built without local credential configuration.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* TLS server: Local failure information on verify_data mismatch (Jouni Malinen, 2019-02-09, 1 file, -0/+1)
  Mark connection state FAILED in this case even though TLS Alert is not sent.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* TLS server: Add internal callbacks get_failed, get_*_alerts (Jouni Malinen, 2019-02-09, 3 files, -0/+26)
  These can be used to implement cleaner termination of the handshake in case of failures.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* TLS server: More complete logging of ClientHello decode errors (Jouni Malinen, 2019-02-09, 1 file, -11/+39)
  Signed-off-by: Jouni Malinen <j@w1.fi>
* TLS client: Fix peer certificate event checking for probing (Jouni Malinen, 2019-02-09, 1 file, -1/+1)
  conn->cred might be NULL here, so check for that explicitly before checking whether conn->cred->cert_probe is set. This fixes a potential NULL pointer dereference when going through peer certificates with event_cb functionality enabled.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Use os_memdup() (Johannes Berg, 2017-03-07, 3 files, -16/+8)
  This leads to cleaner code overall, and also reduces the size of the hostapd and wpa_supplicant binaries (in hwsim test build on x86_64) by about 2.5 and 3.5KiB respectively. The mechanical conversions all over the code were done with the following spatch:

  @@
  expression SIZE, SRC;
  expression a;
  @@
  -a = os_malloc(SIZE);
  +a = os_memdup(SRC, SIZE);
  <...
  if (!a) {...}
  ...>
  -os_memcpy(a, SRC, SIZE);

  Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* Remove trailing whitespace (Jouni Malinen, 2016-12-28, 6 files, -118/+118)
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Fix typo in DigestAlgorithn (Sergei Sinyak, 2016-10-29, 1 file, -3/+3)
  Replace n with m in DigestAlgorithn, i.e., DigestAlgorithm.
  Signed-off-by: Sergei Sinyak <serega.belarus@gmail.com>
* TLS: Make tls_cert_chain_failure_event() more robust (Jouni Malinen, 2015-12-28, 1 file, -1/+1)
  Explicitly check for the failure event to include a certificate before trying to build the event.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* TLS: Remove storing of never-read value (Jouni Malinen, 2015-12-28, 1 file, -1/+0)
  While this could in theory be claimed to be ready for something to be added to read a field following the server_write_IV, it does not look likely that such a use case would show up. As such, just remove the unused incrementing of pos at the end of the function to get rid of a useless static analyzer complaint.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* TLS client: Multi-OCSP check to cover intermediate CAs (Jouni Malinen, 2015-12-23, 4 files, -16/+81)
  This extends multi-OCSP support to verify status for intermediate CAs in the server certificate chain.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* TLS: Move variable declaration to the beginning of the block (Jouni Malinen, 2015-12-23, 1 file, -1/+1)
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* TLS client: OCSP stapling with ocsp_multi option (RFC 6961) (Jouni Malinen, 2015-12-22, 2 files, -39/+136)
  This adds minimal support for using status_request_v2 extension and ocsp_multi format (OCSPResponseList instead of OCSPResponse) for CertificateStatus. This commit does not yet extend use of OCSP stapling to validate the intermediate CA certificates.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* TLS server: OCSP stapling with ocsp_multi option (RFC 6961) (Jouni Malinen, 2015-12-22, 6 files, -30/+145)
  This allows hostapd with the internal TLS server implementation to support the extended OCSP stapling mechanism with multiple responses (ocsp_stapling_response_multi).
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* TLS server: OCSP stapling (Jouni Malinen, 2015-12-22, 5 files, -1/+116)
  This adds support for hostapd-as-authentication-server to be built with the internal TLS implementation and OCSP stapling server side support. This is more or less identical to the design used with OpenSSL, i.e., the cached response is read from the ocsp_stapling_response=<file> and sent as a response if the client requests it during the TLS handshake.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* TLS: Report OCSP rejection cases when no valid response is found (Jouni Malinen, 2015-12-17, 1 file, -0/+10)
  This adds CTRL-EVENT-EAP-TLS-CERT-ERROR and CTRL-EVENT-EAP-STATUS messages with 'bad certificate status response' for cases where no valid OCSP response was received, but the network profile requires OCSP to be used.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* TLS: Process OCSP SingleResponse(s) (Jouni Malinen, 2015-12-17, 1 file, -1/+287)
  This completes OCSP stapling support on the TLS client side. Each SingleResponse value is iterated until a response matching the server certificate is found. The validity time of the SingleResponse is verified and certStatus good/revoked is reported if all validation steps succeed.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* TLS: Store DER encoded version of Subject DN for X.509 certificates (Jouni Malinen, 2015-12-17, 2 files, -0/+10)
  This is needed for OCSP issuerNameHash matching.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* TLS: Share digest OID checkers from X.509 (Jouni Malinen, 2015-12-17, 2 files, -4/+9)
  These will be used by the OCSP implementation.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* TLS: Support longer X.509 serialNumber values (Jouni Malinen, 2015-12-16, 2 files, -12/+17)
  This extends the old support from a 32 or 64 bit value to the full 20 octets maximum (RFC 5280, 4.1.2.2).
  Signed-off-by: Jouni Malinen <j@w1.fi>
* TLS: Parse and validate BasicOCSPResponse (Jouni Malinen, 2015-12-16, 3 files, -42/+387)
  This adds the next step in completing TLS client support for OCSP stapling. The BasicOCSPResponse is parsed, a signing certificate is found, and the signature is verified. The actual sequence of OCSP responses (SingleResponse) is not yet processed in this commit.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* TLS: Parse OCSPResponse to extract BasicOCSPResponse (Jouni Malinen, 2015-12-14, 1 file, -2/+145)
  This adds the next step for OCSP stapling. The received OCSPResponse is parsed to get the BasicOCSPResponse. This commit does not yet process the BasicOCSPResponse.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* TLS: Parse CertificateStatus message (Jouni Malinen, 2015-12-14, 5 files, -3/+190)
  This allows the internal TLS client implementation to accept a CertificateStatus message from the server when trying to use OCSP stapling. The actual OCSPResponse is not yet processed in this commit, but the CertificateStatus message is accepted to allow the TLS handshake to continue.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* TLS: Add status_request ClientHello extension if OCSP is requested (Jouni Malinen, 2015-12-14, 1 file, -1/+39)
  This allows the internal TLS implementation to request server certificate status using OCSP stapling. This commit is only adding code to add the request. The response is not yet used.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* TLS: Parse ServerHello extensions (Jouni Malinen, 2015-12-14, 1 file, -2/+55)
  This prints the received ServerHello extensions into the debug log and allows the handshake to continue even if such extensions are included.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* TLS: Add minimal support for PKCS #12 (Jouni Malinen, 2015-12-14, 1 file, -1/+737)
  This allows the internal TLS implementation to parse a private key and a certificate from a PKCS #12 file protected with pbeWithSHAAnd3-KeyTripleDES-CBC.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* TLS: Extend PKCS #5 to support PKCS #12 style key decryption (Jouni Malinen, 2015-12-14, 1 file, -4/+170)
  This adds support for decrypting private keys protected with the old PKCS #12 mechanism using OID pbeWithSHAAnd3-KeyTripleDES-CBC.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* TLS: Fix and complete ASN.1 tag list (Jouni Malinen, 2015-12-13, 1 file, -1/+3)
  One of the unused defines had an incorrect value and a couple of tags were missing.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* TLS: Add support for PKCS #5 v2.0 PBES2 (Jouni Malinen, 2015-12-05, 1 file, -11/+263)
  This extends the internal TLS support for PKCS #5 v2.0 PBES2 private key format with des-ede3-cbc encryption and PBKDF2 SHA-1.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* TLS client: Fix session_resumed status after TLS session ticket use (Jouni Malinen, 2015-11-29, 1 file, -0/+2)
  conn->session_resumed was not set to 1 after successful use of a TLS session ticket with EAP-FAST. This resulted in the wpa_supplicant STATUS tls_session_reused showing incorrect value (0 instead of 1) when EAP-FAST PAC was used. Fix this by setting conn->session_resumed = 1 when TLS handshake using the session ticket succeeds.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* TLS: Add support for extKeyUsage X.509v3 extension (Jouni Malinen, 2015-11-29, 4 files, -1/+134)
  If the server/client certificate includes the extKeyUsage extension, verify that the listed key purposes include either the anyExtendedKeyUsage wildcard or id-kp-serverAuth/id-kp-clientAuth, respectively.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* TLS client: Add certificate chain validation failure callbacks (Jouni Malinen, 2015-11-29, 1 file, -0/+38)
  This adds more support for event_cb() calls for various server certificate chain validation failures.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* TLS client: Add support for disabling TLS versions (Jouni Malinen, 2015-11-29, 2 files, -3/+34)
  The internal TLS client implementation in wpa_supplicant can now be used with the phase2 parameters tls_disable_tlsv1_0=1, tls_disable_tlsv1_1=1, and tls_disable_tlsv1_2=1 to disable the specified TLS version(s).
  Signed-off-by: Jouni Malinen <j@w1.fi>
* TLS client: Use TLS_CONN_* flags (Jouni Malinen, 2015-11-29, 4 files, -7/+13)
  This makes it simpler to add support for new TLS_CONN_* flags without having to add a new configuration function for each flag.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* TLS: Add support for tls_get_version() (Jouni Malinen, 2015-11-29, 2 files, -0/+25)
  This allows wpa_supplicant to return eap_tls_version STATUS information when using the internal TLS client implementation.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* TLS client: Add support for server certificate probing (Jouni Malinen, 2015-11-29, 6 files, -0/+108)
  The internal TLS client implementation can now be used with ca_cert="probe://" to probe the server certificate chain. This is also adding the related CTRL-EVENT-EAP-TLS-CERT-ERROR and CTRL-EVENT-EAP-PEER-CERT events.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* TLS: Add TLS v1.2 signature algorithm support for SHA384 and SHA512 (Jouni Malinen, 2015-11-29, 5 files, -12/+52)
  This extends the internal TLS client implementation to support signature algorithms SHA384 and SHA512 in addition to the previously supported SHA256.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* TLS client: Add signature_algorithms extension into ClientHello (Jouni Malinen, 2015-11-29, 3 files, -5/+35)
  Since we support only SHA256 (and not the default SHA1) with TLS v1.2, the signature_algorithms extension needs to be added into ClientHello. This fixes interop issues with the current version of OpenSSL that uses the default SHA1 hash if ClientHello does not specify allowed signature algorithms.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* TLS client: Validate certificates with SHA384 and SHA512 hashes (Pali Rohár, 2015-11-29, 1 file, -4/+62)
  This commit adds support for validating certificates with SHA384 and SHA512 hashes. Those certificates are now very common so wpa_supplicant needs support for them. SHA384 and SHA512 hash functions are included in the previous commit.
  Signed-off-by: Pali Rohár <pali.rohar@gmail.com>