path: root/src/tls
Log entries: commit message, author, date, files changed, lines (-removed/+added)
* TLS: Make tls_cert_chain_failure_event() more robust
    Jouni Malinen, 2015-12-28, 1 file, -1/+1
    Explicitly check for the failure event to include a certificate before trying to build the event.
    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

* TLS: Remove storing of never-read value
    Jouni Malinen, 2015-12-28, 1 file, -1/+0
    While this could in theory be claimed to be ready for something to be added to read a field following the server_write_IV, it does not look likely that such a use case would show up. As such, just remove the unused incrementing of pos at the end of the function to get rid of a useless static analyzer complaint.
    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

* TLS client: Multi-OCSP check to cover intermediate CAs
    Jouni Malinen, 2015-12-23, 4 files, -16/+81
    This extends multi-OCSP support to verify status for intermediate CAs in the server certificate chain.
    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

* TLS: Move variable declaration to the beginning of the block
    Jouni Malinen, 2015-12-23, 1 file, -1/+1
    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

* TLS client: OCSP stapling with ocsp_multi option (RFC 6961)
    Jouni Malinen, 2015-12-22, 2 files, -39/+136
    This adds minimal support for using the status_request_v2 extension and ocsp_multi format (OCSPResponseList instead of OCSPResponse) for CertificateStatus. This commit does not yet extend use of OCSP stapling to validate the intermediate CA certificates.
    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

* TLS server: OCSP stapling with ocsp_multi option (RFC 6961)
    Jouni Malinen, 2015-12-22, 6 files, -30/+145
    This allows hostapd with the internal TLS server implementation to support the extended OCSP stapling mechanism with multiple responses (ocsp_stapling_response_multi).
    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

* TLS server: OCSP stapling
    Jouni Malinen, 2015-12-22, 5 files, -1/+116
    This adds support for hostapd-as-authentication-server to be built with the internal TLS implementation and OCSP stapling server side support. This is more or less identical to the design used with OpenSSL, i.e., the cached response is read from the ocsp_stapling_response=<file> and sent as a response if the client requests it during the TLS handshake.
    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

* TLS: Report OCSP rejection cases when no valid response is found
    Jouni Malinen, 2015-12-17, 1 file, -0/+10
    This adds CTRL-EVENT-EAP-TLS-CERT-ERROR and CTRL-EVENT-EAP-STATUS messages with 'bad certificate status response' for cases where no valid OCSP response was received, but the network profile requires OCSP to be used.
    Signed-off-by: Jouni Malinen <j@w1.fi>

* TLS: Process OCSP SingleResponse(s)
    Jouni Malinen, 2015-12-17, 1 file, -1/+287
    This completes OCSP stapling support on the TLS client side. Each SingleResponse value is iterated until a response matching the server certificate is found. The validity time of the SingleResponse is verified and certStatus good/revoked is reported if all validation steps succeed.
    Signed-off-by: Jouni Malinen <j@w1.fi>
* TLS: Store DER encoded version of Subject DN for X.509 certificates
    Jouni Malinen, 2015-12-17, 2 files, -0/+10
    This is needed for OCSP issuerNameHash matching.
    Signed-off-by: Jouni Malinen <j@w1.fi>

* TLS: Share digest OID checkers from X.509
    Jouni Malinen, 2015-12-17, 2 files, -4/+9
    These will be used by the OCSP implementation.
    Signed-off-by: Jouni Malinen <j@w1.fi>

* TLS: Support longer X.509 serialNumber values
    Jouni Malinen, 2015-12-16, 2 files, -12/+17
    This extends the old support from a 32 or 64 bit value to the full 20 octet maximum (RFC 5280, 4.1.2.2).
    Signed-off-by: Jouni Malinen <j@w1.fi>

* TLS: Parse and validate BasicOCSPResponse
    Jouni Malinen, 2015-12-16, 3 files, -42/+387
    This adds the next step in completing TLS client support for OCSP stapling. The BasicOCSPResponse is parsed, a signing certificate is found, and the signature is verified. The actual sequence of OCSP responses (SingleResponse) is not yet processed in this commit.
    Signed-off-by: Jouni Malinen <j@w1.fi>

* TLS: Parse OCSPResponse to extract BasicOCSPResponse
    Jouni Malinen, 2015-12-14, 1 file, -2/+145
    This adds the next step for OCSP stapling. The received OCSPResponse is parsed to get the BasicOCSPResponse. This commit does not yet process the BasicOCSPResponse.
    Signed-off-by: Jouni Malinen <j@w1.fi>

* TLS: Parse CertificateStatus message
    Jouni Malinen, 2015-12-14, 5 files, -3/+190
    This allows the internal TLS client implementation to accept a CertificateStatus message from the server when trying to use OCSP stapling. The actual OCSPResponse is not yet processed in this commit, but the CertificateStatus message is accepted to allow the TLS handshake to continue.
    Signed-off-by: Jouni Malinen <j@w1.fi>

* TLS: Add status_request ClientHello extension if OCSP is requested
    Jouni Malinen, 2015-12-14, 1 file, -1/+39
    This allows the internal TLS implementation to request server certificate status using OCSP stapling. This commit is only adding code to add the request. The response is not yet used.
    Signed-off-by: Jouni Malinen <j@w1.fi>

* TLS: Parse ServerHello extensions
    Jouni Malinen, 2015-12-14, 1 file, -2/+55
    This prints the received ServerHello extensions into the debug log and allows the handshake to continue even if such extensions are included.
    Signed-off-by: Jouni Malinen <j@w1.fi>

* TLS: Add minimal support for PKCS #12
    Jouni Malinen, 2015-12-14, 1 file, -1/+737
    This allows the internal TLS implementation to parse a private key and a certificate from a PKCS #12 file protected with pbeWithSHAAnd3-KeyTripleDES-CBC.
    Signed-off-by: Jouni Malinen <j@w1.fi>
* TLS: Extend PKCS #5 to support PKCS #12 style key decryption
    Jouni Malinen, 2015-12-14, 1 file, -4/+170
    This adds support for decrypting private keys protected with the old PKCS #12 mechanism using OID pbeWithSHAAnd3-KeyTripleDES-CBC.
    Signed-off-by: Jouni Malinen <j@w1.fi>

* TLS: Fix and complete ASN.1 tag list
    Jouni Malinen, 2015-12-13, 1 file, -1/+3
    One of the unused defines had an incorrect value and a couple of tags were missing.
    Signed-off-by: Jouni Malinen <j@w1.fi>

* TLS: Add support for PKCS #5 v2.0 PBES2
    Jouni Malinen, 2015-12-05, 1 file, -11/+263
    This extends the internal TLS support for the PKCS #5 v2.0 PBES2 private key format with des-ede3-cbc encryption and PBKDF2 SHA-1.
    Signed-off-by: Jouni Malinen <j@w1.fi>

* TLS client: Fix session_resumed status after TLS session ticket use
    Jouni Malinen, 2015-11-29, 1 file, -0/+2
    conn->session_resumed was not set to 1 after successful use of a TLS session ticket with EAP-FAST. This resulted in the wpa_supplicant STATUS tls_session_reused showing an incorrect value (0 instead of 1) when EAP-FAST PAC was used. Fix this by setting conn->session_resumed = 1 when the TLS handshake using the session ticket succeeds.
    Signed-off-by: Jouni Malinen <j@w1.fi>

* TLS: Add support for extKeyUsage X.509v3 extension
    Jouni Malinen, 2015-11-29, 4 files, -1/+134
    If the server/client certificate includes the extKeyUsage extension, verify that the listed key purposes include either the anyExtendedKeyUsage wildcard or id-kp-serverAuth/id-kp-clientAuth, respectively.
    Signed-off-by: Jouni Malinen <j@w1.fi>

* TLS client: Add certificate chain validation failure callbacks
    Jouni Malinen, 2015-11-29, 1 file, -0/+38
    This adds more support for event_cb() calls for various server certificate chain validation failures.
    Signed-off-by: Jouni Malinen <j@w1.fi>

* TLS client: Add support for disabling TLS versions
    Jouni Malinen, 2015-11-29, 2 files, -3/+34
    The internal TLS client implementation in wpa_supplicant can now be used with the phase2 parameters tls_disable_tlsv1_0=1, tls_disable_tlsv1_1=1, and tls_disable_tlsv1_2=1 to disable the specified TLS version(s).
    Signed-off-by: Jouni Malinen <j@w1.fi>

* TLS client: Use TLS_CONN_* flags
    Jouni Malinen, 2015-11-29, 4 files, -7/+13
    This makes it simpler to add support for new TLS_CONN_* flags without having to add a new configuration function for each flag.
    Signed-off-by: Jouni Malinen <j@w1.fi>

* TLS: Add support for tls_get_version()
    Jouni Malinen, 2015-11-29, 2 files, -0/+25
    This allows wpa_supplicant to return eap_tls_version STATUS information when using the internal TLS client implementation.
    Signed-off-by: Jouni Malinen <j@w1.fi>
* TLS client: Add support for server certificate probing
    Jouni Malinen, 2015-11-29, 6 files, -0/+108
    The internal TLS client implementation can now be used with ca_cert="probe://" to probe the server certificate chain. This is also adding the related CTRL-EVENT-EAP-TLS-CERT-ERROR and CTRL-EVENT-EAP-PEER-CERT events.
    Signed-off-by: Jouni Malinen <j@w1.fi>

* TLS: Add TLS v1.2 signature algorithm support for SHA384 and SHA512
    Jouni Malinen, 2015-11-29, 5 files, -12/+52
    This extends the internal TLS client implementation to support signature algorithms SHA384 and SHA512 in addition to the previously supported SHA256.
    Signed-off-by: Jouni Malinen <j@w1.fi>

* TLS client: Add signature_algorithms extension into ClientHello
    Jouni Malinen, 2015-11-29, 3 files, -5/+35
    Since we support only SHA256 (and not the default SHA1) with TLS v1.2, the signature_algorithms extension needs to be added into ClientHello. This fixes interop issues with the current version of OpenSSL that uses the default SHA1 hash if ClientHello does not specify allowed signature algorithms.
    Signed-off-by: Jouni Malinen <j@w1.fi>

* TLS client: Validate certificates with SHA384 and SHA512 hashes
    Pali Rohár, 2015-11-29, 1 file, -4/+62
    This commit adds support for validating certificates with SHA384 and SHA512 hashes. Those certificates are now very common, so wpa_supplicant needs support for them. SHA384 and SHA512 hash functions are included in the previous commit.
    Signed-off-by: Pali Rohár <pali.rohar@gmail.com>

* TLS client: Add support for validating server certificate hash
    Pali Rohár, 2015-11-29, 3 files, -4/+56
    This commit adds support for the "hash://server/sha256/cert_hash_in_hex" scheme in the ca_cert property for the internal TLS implementation.
    Signed-off-by: Pali Rohár <pali.rohar@gmail.com>

* TLS client: Do not verify CA certificates when ca_cert is not specified
    Pali Rohár, 2015-11-29, 3 files, -1/+5
    In the documentation it is written: "If ca_cert and ca_path are not included, server certificate will not be verified". This is the case when wpa_supplicant is compiled with the OpenSSL library, but when using the internal TLS implementation and some certificates in the CA chain are in an unsupported format (e.g., use SHA384 or SHA512 hash functions), then verification fails even if the ca_cert property is not specified. This commit changes the behavior so that certificate verification in the internal TLS implementation is really skipped when ca_cert is not specified.
    Signed-off-by: Pali Rohár <pali.rohar@gmail.com>

* TLS: Avoid undefined behavior in pointer arithmetic
    Jouni Malinen, 2015-10-25, 3 files, -16/+32
    Reorder terms in a way that no invalid pointers are generated with pos+len operations. end-pos is always defined (with a valid pos pointer) while pos+len could end up pointing beyond the end pointer, which would be undefined behavior.
    Signed-off-by: Jouni Malinen <j@w1.fi>

* Rename tls_connection_get_keys() to tls_connection_get_random()
    Jouni Malinen, 2015-08-02, 4 files, -8/+8
    Commit 94f1fe6f6384a2ef379ef5b8cdc32a2fa01f8d13 ('Remove master key extraction from tls_connection_get_keys()') left only fetching of server/client random, but did not rename the function and structure to minimize code changes. The old name is quite confusing, so rename this through the repository to match the new purpose.
    Signed-off-by: Jouni Malinen <j@w1.fi>

* libtommath: Fix mp_init_multi() stdarg use on error path
    Jouni Malinen, 2015-06-23, 1 file, -2/+1
    Previously, it would have been possible for va_end(args) to be called twice in case mp_init() fails. While that may not cause issues on a number of platforms, that is not how va_start()/va_end() are supposed to be used. Fix this by returning from the function without using va_end() twice on the same va_list args.
    Signed-off-by: Jouni Malinen <j@w1.fi>
* libtommath: Fix check mp_init_multi() result
    Maks Naumov, 2015-05-03, 1 file, -1/+1
    If the mp_init_multi() call had failed due to memory allocation failure, mp_div() would have returned 1 instead of MP_MEM (-2). It looks like all callers are checking the return value against MP_OKAY instead of <1 (etc.), so this does not seem to result in a difference in behavior. Anyway, it's best to fix the mp_div() return value for the MP_MEM error case to avoid unexpected behavior.
    Signed-off-by: Maks Naumov <maksqwe1@ukr.net>

* TLS: Fix debug dump of X.509 certificate
    Jouni Malinen, 2015-05-03, 1 file, -1/+1
    The length of the extra data following the encoded certificate was printed out in debug hexdump.
    Signed-off-by: Jouni Malinen <j@w1.fi>

* Remove master key extraction from tls_connection_get_keys()
    Jouni Malinen, 2015-03-31, 2 files, -4/+0
    This is not needed anymore with the tls_connection_prf() being used to handle all key derivation needs. tls_connection_get_keys() is a bit misnamed for now, but it is only used to fetch the client and server random for Session-Id derivation.
    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

* TLS: Remove placeholders for SIGN_ALG_DSA support
    Jouni Malinen, 2015-02-28, 3 files, -49/+34
    It does not look likely that the old DSA design would be added into the internal TLS implementation, so remove this otherwise dead code.
    Signed-off-by: Jouni Malinen <j@w1.fi>

* TLS: Add new cipher suites to tls_get_cipher()
    Jouni Malinen, 2014-12-09, 2 files, -8/+83
    This fixes EAP-FAST server side issues for anonymous provisioning when using the internal TLS implementation.
    Signed-off-by: Jouni Malinen <j@w1.fi>

* Check os_snprintf() result more consistently - automatic 1
    Jouni Malinen, 2014-12-08, 2 files, -3/+3
    This converts os_snprintf() result validation cases to use os_snprintf_error() where the exact rule used in os_snprintf_error() was used. These changes were done automatically with spatch using the following semantic patch:

    @@
    identifier E1;
    expression E2,E3,E4,E5,E6;
    statement S1;
    @@

    (
        E1 = os_snprintf(E2, E3, ...);
    |
        int E1 = os_snprintf(E2, E3, ...);
    |
        if (E5)
            E1 = os_snprintf(E2, E3, ...);
        else
            E1 = os_snprintf(E2, E3, ...);
    |
        if (E5)
            E1 = os_snprintf(E2, E3, ...);
        else if (E6)
            E1 = os_snprintf(E2, E3, ...);
        else
            E1 = 0;
    |
        if (E5) {
            ...
            E1 = os_snprintf(E2, E3, ...);
        } else {
            ...
            return -1;
        }
    |
        if (E5) {
            ...
            E1 = os_snprintf(E2, E3, ...);
        } else if (E6) {
            ...
            E1 = os_snprintf(E2, E3, ...);
        } else {
            ...
            return -1;
        }
    |
        if (E5) {
            ...
            E1 = os_snprintf(E2, E3, ...);
        } else {
            ...
            E1 = os_snprintf(E2, E3, ...);
        }
    )
    ?   os_free(E4);
    -   if (E1 < 0 || \( E1 >= E3 \| (size_t) E1 >= E3 \| (unsigned int) E1 >= E3 \| E1 >= (int) E3 \))
    +   if (os_snprintf_error(E3, E1))
    (
        S1
    |
        { ... }
    )

    Signed-off-by: Jouni Malinen <j@w1.fi>
* TLS: Reorder length bounds checking to avoid static analyzer warning
    Jouni Malinen, 2014-12-06, 1 file, -1/+1
    For some reason, "pos + len > end" is not clear enough, but "len > end - pos" is recognized. Use that to get rid of a false positive from a static analyzer (CID 72697).
    Signed-off-by: Jouni Malinen <j@w1.fi>

* TLS client: Check DH parameters using a local variable
    Jouni Malinen, 2014-11-23, 1 file, -8/+11
    Use a temporary, local variable to check the DH parameters received from the server before assigning the length to the struct tlsv1_client variables. This will hopefully make it easier for static analyzers to figure out that there is bounds checking for the value. (CID 72699)
    Signed-off-by: Jouni Malinen <j@w1.fi>

* TLS client: Make DH parameter parsing easier for static analyzers
    Jouni Malinen, 2014-10-11, 1 file, -3/+3
    The dh_p_len, dh_g_len, and dh_ys_len parameters were validated against the received message structure, but that did not seem to be done in a way that some static analyzers would understand (CID 72699).
    Signed-off-by: Jouni Malinen <j@w1.fi>

* TLS: Use os_memcmp_const() for hash/password comparisons
    Jouni Malinen, 2014-07-02, 6 files, -6/+7
    This makes the implementation less likely to provide useful timing information to potential attackers from comparisons of information received from a remote device and private material known only by the authorized devices.
    Signed-off-by: Jouni Malinen <j@w1.fi>

* PKCS 1: Add function for checking v1.5 RSA signature
    Jouni Malinen, 2014-05-20, 2 files, -1/+137
    This could be used as a step towards replacing more specific functions used in X.509 and TLS processing.
    Signed-off-by: Jouni Malinen <j@w1.fi>

* RSA: Add OID definitions and helper function for hash algorithms
    Jouni Malinen, 2014-05-19, 2 files, -3/+34
    Signed-off-by: Jouni Malinen <j@w1.fi>

* Add function for building RSA public key from n and e parameters
    Jouni Malinen, 2014-05-19, 2 files, -1/+27
    This is similar to the existing functionality that parses an ASN.1-encoded RSA public key, but generates a similar public key instance from already parsed n and e parameters.
    Signed-off-by: Jouni Malinen <j@w1.fi>

* PKCS #1: Enforce minimum padding for decryption in internal TLS
    Jouni Malinen, 2014-05-19, 1 file, -0/+5
    Follow the PKCS #1 v1.5, 8.1 constraint of an at least eight octet long PS for the case where the internal TLS implementation decrypts PKCS #1 formatted data. A similar limit was already in place for signature validation, but not for this decryption routine.
    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>