Line 0
Link Here
|
|
|
1 |
/* |
2 |
* eap-tls.c - EAP-TLS implementation for PPP |
3 |
* |
4 |
* Copyright (c) Beniamino Galvani 2005 All rights reserved. |
5 |
* |
6 |
* Redistribution and use in source and binary forms, with or without |
7 |
* modification, are permitted provided that the following conditions |
8 |
* are met: |
9 |
* |
10 |
* 1. Redistributions of source code must retain the above copyright |
11 |
* notice, this list of conditions and the following disclaimer. |
12 |
* |
13 |
* 2. Redistributions in binary form must reproduce the above copyright |
14 |
* notice, this list of conditions and the following disclaimer in |
15 |
* the documentation and/or other materials provided with the |
16 |
* distribution. |
17 |
* |
18 |
* 3. The name(s) of the authors of this software must not be used to |
19 |
* endorse or promote products derived from this software without |
20 |
* prior written permission. |
21 |
* |
22 |
* THE AUTHORS OF THIS SOFTWARE DISCLAIM ALL WARRANTIES WITH REGARD TO |
23 |
* THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY |
24 |
* AND FITNESS, IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY |
25 |
* SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
26 |
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN |
27 |
* AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING |
28 |
* OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
29 |
* |
30 |
*/ |
31 |
|
32 |
#include <string.h> |
33 |
#include <unistd.h> |
34 |
#include <sys/types.h> |
35 |
#include <sys/stat.h> |
36 |
#include <fcntl.h> |
37 |
|
38 |
#include <openssl/conf.h> |
39 |
#include <openssl/engine.h> |
40 |
#include <openssl/hmac.h> |
41 |
#include <openssl/err.h> |
42 |
#include <openssl/x509v3.h> |
43 |
|
44 |
#include "pppd.h" |
45 |
#include "eap.h" |
46 |
#include "eap-tls.h" |
47 |
#include "fsm.h" |
48 |
#include "lcp.h" |
49 |
#include "pathnames.h" |
50 |
|
51 |
/* The openssl configuration file and engines can be loaded only once */ |
52 |
static CONF *ssl_config = NULL; |
53 |
static ENGINE *cert_engine = NULL; |
54 |
static ENGINE *pkey_engine = NULL; |
55 |
|
56 |
#ifdef MPPE |
57 |
|
58 |
/* |
59 |
* TLS PRF from RFC 2246 |
60 |
*/ |
61 |
static void P_hash(const EVP_MD *evp_md, |
62 |
const unsigned char *secret, unsigned int secret_len, |
63 |
const unsigned char *seed, unsigned int seed_len, |
64 |
unsigned char *out, unsigned int out_len) |
65 |
{ |
66 |
HMAC_CTX ctx_a, ctx_out; |
67 |
unsigned char a[HMAC_MAX_MD_CBLOCK]; |
68 |
unsigned int size; |
69 |
|
70 |
HMAC_CTX_init(&ctx_a); |
71 |
HMAC_CTX_init(&ctx_out); |
72 |
HMAC_Init_ex(&ctx_a, secret, secret_len, evp_md, NULL); |
73 |
HMAC_Init_ex(&ctx_out, secret, secret_len, evp_md, NULL); |
74 |
|
75 |
size = HMAC_size(&ctx_out); |
76 |
|
77 |
/* Calculate A(1) */ |
78 |
HMAC_Update(&ctx_a, seed, seed_len); |
79 |
HMAC_Final(&ctx_a, a, NULL); |
80 |
|
81 |
while (1) { |
82 |
/* Calculate next part of output */ |
83 |
HMAC_Update(&ctx_out, a, size); |
84 |
HMAC_Update(&ctx_out, seed, seed_len); |
85 |
|
86 |
/* Check if last part */ |
87 |
if (out_len < size) { |
88 |
HMAC_Final(&ctx_out, a, NULL); |
89 |
memcpy(out, a, out_len); |
90 |
break; |
91 |
} |
92 |
|
93 |
/* Place digest in output buffer */ |
94 |
HMAC_Final(&ctx_out, out, NULL); |
95 |
HMAC_Init_ex(&ctx_out, NULL, 0, NULL, NULL); |
96 |
out += size; |
97 |
out_len -= size; |
98 |
|
99 |
/* Calculate next A(i) */ |
100 |
HMAC_Init_ex(&ctx_a, NULL, 0, NULL, NULL); |
101 |
HMAC_Update(&ctx_a, a, size); |
102 |
HMAC_Final(&ctx_a, a, NULL); |
103 |
} |
104 |
|
105 |
HMAC_CTX_cleanup(&ctx_a); |
106 |
HMAC_CTX_cleanup(&ctx_out); |
107 |
memset(a, 0, sizeof(a)); |
108 |
} |
109 |
|
110 |
static void PRF(const unsigned char *secret, unsigned int secret_len, |
111 |
const unsigned char *seed, unsigned int seed_len, |
112 |
unsigned char *out, unsigned char *buf, unsigned int out_len) |
113 |
{ |
114 |
unsigned int i; |
115 |
unsigned int len = (secret_len + 1) / 2; |
116 |
const unsigned char *s1 = secret; |
117 |
const unsigned char *s2 = secret + (secret_len - len); |
118 |
|
119 |
P_hash(EVP_md5(), s1, len, seed, seed_len, out, out_len); |
120 |
P_hash(EVP_sha1(), s2, len, seed, seed_len, buf, out_len); |
121 |
|
122 |
for (i=0; i < out_len; i++) { |
123 |
out[i] ^= buf[i]; |
124 |
} |
125 |
} |
126 |
|
127 |
#define EAPTLS_MPPE_KEY_LEN 32 |
128 |
|
129 |
/* |
130 |
* Generate keys according to RFC 2716 and add to reply |
131 |
*/ |
132 |
void eaptls_gen_mppe_keys(struct eaptls_session *ets, const char *prf_label, |
133 |
int client) |
134 |
{ |
135 |
unsigned char out[4*EAPTLS_MPPE_KEY_LEN], buf[4*EAPTLS_MPPE_KEY_LEN]; |
136 |
unsigned char seed[64 + 2*SSL3_RANDOM_SIZE]; |
137 |
unsigned char *p = seed; |
138 |
SSL *s = ets->ssl; |
139 |
size_t prf_size; |
140 |
|
141 |
prf_size = strlen(prf_label); |
142 |
|
143 |
memcpy(p, prf_label, prf_size); |
144 |
p += prf_size; |
145 |
|
146 |
memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE); |
147 |
p += SSL3_RANDOM_SIZE; |
148 |
prf_size += SSL3_RANDOM_SIZE; |
149 |
|
150 |
memcpy(p, s->s3->server_random, SSL3_RANDOM_SIZE); |
151 |
prf_size += SSL3_RANDOM_SIZE; |
152 |
|
153 |
PRF(s->session->master_key, s->session->master_key_length, |
154 |
seed, prf_size, out, buf, sizeof(out)); |
155 |
|
156 |
/* |
157 |
* We now have the master send and receive keys. |
158 |
* From these, generate the session send and receive keys. |
159 |
* (see RFC3079 / draft-ietf-pppext-mppe-keys-03.txt for details) |
160 |
*/ |
161 |
if (client) |
162 |
{ |
163 |
p = out; |
164 |
BCOPY( p, mppe_send_key, sizeof(mppe_send_key) ); |
165 |
p += EAPTLS_MPPE_KEY_LEN; |
166 |
BCOPY( p, mppe_recv_key, sizeof(mppe_recv_key) ); |
167 |
} |
168 |
else |
169 |
{ |
170 |
p = out; |
171 |
BCOPY( p, mppe_recv_key, sizeof(mppe_recv_key) ); |
172 |
p += EAPTLS_MPPE_KEY_LEN; |
173 |
BCOPY( p, mppe_send_key, sizeof(mppe_send_key) ); |
174 |
} |
175 |
|
176 |
mppe_keys_set = 1; |
177 |
} |
178 |
|
179 |
#endif |
180 |
|
181 |
void log_ssl_errors( void ) |
182 |
{ |
183 |
unsigned long ssl_err = ERR_get_error(); |
184 |
|
185 |
if (ssl_err != 0) |
186 |
dbglog("EAP-TLS SSL error stack:"); |
187 |
while (ssl_err != 0) { |
188 |
dbglog( ERR_error_string( ssl_err, NULL ) ); |
189 |
ssl_err = ERR_get_error(); |
190 |
} |
191 |
} |
192 |
|
193 |
|
194 |
int password_callback (char *buf, int size, int rwflag, void *u) |
195 |
{ |
196 |
if (buf) |
197 |
{ |
198 |
strncpy (buf, passwd, size); |
199 |
return strlen (buf); |
200 |
} |
201 |
return 0; |
202 |
} |
203 |
|
204 |
|
205 |
CONF *eaptls_ssl_load_config( void ) |
206 |
{ |
207 |
CONF *config; |
208 |
int ret_code; |
209 |
long error_line = 33; |
210 |
|
211 |
config = NCONF_new( NULL ); |
212 |
dbglog( "Loading OpenSSL config file" ); |
213 |
ret_code = NCONF_load( config, _PATH_OPENSSLCONFFILE, &error_line ); |
214 |
if (ret_code == 0) |
215 |
{ |
216 |
warn( "EAP-TLS: Error in OpenSSL config file %s at line %d", _PATH_OPENSSLCONFFILE, error_line ); |
217 |
NCONF_free( config ); |
218 |
config = NULL; |
219 |
ERR_clear_error(); |
220 |
} |
221 |
|
222 |
dbglog( "Loading OpenSSL built-ins" ); |
223 |
ENGINE_load_builtin_engines(); |
224 |
OPENSSL_load_builtin_modules(); |
225 |
|
226 |
dbglog( "Loading OpenSSL configured modules" ); |
227 |
if (CONF_modules_load( config, NULL, 0 ) <= 0 ) |
228 |
{ |
229 |
warn( "EAP-TLS: Error loading OpenSSL modules" ); |
230 |
log_ssl_errors(); |
231 |
config = NULL; |
232 |
} |
233 |
|
234 |
return config; |
235 |
} |
236 |
|
237 |
ENGINE *eaptls_ssl_load_engine( char *engine_name ) |
238 |
{ |
239 |
ENGINE *e = NULL; |
240 |
|
241 |
dbglog( "Enabling OpenSSL auto engines" ); |
242 |
ENGINE_register_all_complete(); |
243 |
|
244 |
dbglog( "Loading OpenSSL '%s' engine support", engine_name ); |
245 |
e = ENGINE_by_id( engine_name ); |
246 |
if (!e) |
247 |
{ |
248 |
dbglog( "EAP-TLS: Cannot load '%s' engine support, trying 'dynamic'", engine_name ); |
249 |
e = ENGINE_by_id( "dynamic" ); |
250 |
if (e) |
251 |
{ |
252 |
if (!ENGINE_ctrl_cmd_string(e, "SO_PATH", engine_name, 0) |
253 |
|| !ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0)) |
254 |
{ |
255 |
warn( "EAP-TLS: Error loading dynamic engine '%s'", engine_name ); |
256 |
log_ssl_errors(); |
257 |
ENGINE_free(e); |
258 |
e = NULL; |
259 |
} |
260 |
} |
261 |
else |
262 |
{ |
263 |
warn( "EAP-TLS: Cannot load dynamic engine support" ); |
264 |
} |
265 |
} |
266 |
|
267 |
if (e) |
268 |
{ |
269 |
dbglog( "Initialising engine" ); |
270 |
if(!ENGINE_set_default(e, ENGINE_METHOD_ALL)) |
271 |
{ |
272 |
warn( "EAP-TLS: Cannot use that engine" ); |
273 |
log_ssl_errors(); |
274 |
ENGINE_free(e); |
275 |
e = NULL; |
276 |
} |
277 |
} |
278 |
|
279 |
return e; |
280 |
} |
281 |
|
282 |
/* |
283 |
* Initialize the SSL stacks and tests if certificates, key and crl |
284 |
* for client or server use can be loaded. |
285 |
*/ |
286 |
SSL_CTX *eaptls_init_ssl(int init_server, char *cacertfile, |
287 |
char *certfile, char *peer_certfile, char *privkeyfile) |
288 |
{ |
289 |
char *cert_engine_name = NULL; |
290 |
char *cert_identifier = NULL; |
291 |
char *pkey_engine_name = NULL; |
292 |
char *pkey_identifier = NULL; |
293 |
SSL_CTX *ctx; |
294 |
X509_STORE *certstore; |
295 |
X509_LOOKUP *lookup; |
296 |
X509 *tmp; |
297 |
|
298 |
/* |
299 |
* Without these can't continue |
300 |
*/ |
301 |
if (!cacertfile[0]) |
302 |
{ |
303 |
error("EAP-TLS: CA certificate missing"); |
304 |
return NULL; |
305 |
} |
306 |
|
307 |
if (!certfile[0]) |
308 |
{ |
309 |
error("EAP-TLS: User certificate missing"); |
310 |
return NULL; |
311 |
} |
312 |
|
313 |
if (!privkeyfile[0]) |
314 |
{ |
315 |
error("EAP-TLS: User private key missing"); |
316 |
return NULL; |
317 |
} |
318 |
|
319 |
SSL_library_init(); |
320 |
SSL_load_error_strings(); |
321 |
|
322 |
ctx = SSL_CTX_new(TLSv1_method()); |
323 |
|
324 |
if (!ctx) { |
325 |
error("EAP-TLS: Cannot initialize SSL CTX context"); |
326 |
goto fail; |
327 |
} |
328 |
|
329 |
/* if the certificate filename is of the form engine:id. e.g. |
330 |
pkcs11:12345 |
331 |
then we try to load and use this engine. |
332 |
If the certificate filename starts with a / or . then we |
333 |
ALWAYS assume it is a file and not an engine/pkcs11 identifier |
334 |
*/ |
335 |
if ( index( certfile, '/' ) == NULL && index( certfile, '.') == NULL ) |
336 |
{ |
337 |
cert_identifier = index( certfile, ':' ); |
338 |
|
339 |
if (cert_identifier) |
340 |
{ |
341 |
cert_engine_name = certfile; |
342 |
*cert_identifier = '\0'; |
343 |
cert_identifier++; |
344 |
|
345 |
dbglog( "Found certificate engine '%s'", cert_engine_name ); |
346 |
dbglog( "Found certificate identifier '%s'", cert_identifier ); |
347 |
} |
348 |
} |
349 |
|
350 |
/* if the privatekey filename is of the form engine:id. e.g. |
351 |
pkcs11:12345 |
352 |
then we try to load and use this engine. |
353 |
If the privatekey filename starts with a / or . then we |
354 |
ALWAYS assume it is a file and not an engine/pkcs11 identifier |
355 |
*/ |
356 |
if ( index( privkeyfile, '/' ) == NULL && index( privkeyfile, '.') == NULL ) |
357 |
{ |
358 |
pkey_identifier = index( privkeyfile, ':' ); |
359 |
|
360 |
if (pkey_identifier) |
361 |
{ |
362 |
pkey_engine_name = privkeyfile; |
363 |
*pkey_identifier = '\0'; |
364 |
pkey_identifier++; |
365 |
|
366 |
dbglog( "Found privatekey engine '%s'", pkey_engine_name ); |
367 |
dbglog( "Found privatekey identifier '%s'", pkey_identifier ); |
368 |
} |
369 |
} |
370 |
|
371 |
if (cert_identifier && pkey_identifier) |
372 |
{ |
373 |
if (strlen( cert_identifier ) == 0) |
374 |
{ |
375 |
if (strlen( pkey_identifier ) == 0) |
376 |
error( "EAP-TLS: both the certificate and privatekey identifiers are missing!" ); |
377 |
else |
378 |
{ |
379 |
dbglog( "Substituting privatekey identifier for certificate identifier" ); |
380 |
cert_identifier = pkey_identifier; |
381 |
} |
382 |
} |
383 |
else |
384 |
{ |
385 |
if (strlen( pkey_identifier ) == 0) |
386 |
{ |
387 |
dbglog( "Substituting certificate identifier for privatekey identifier" ); |
388 |
pkey_identifier = cert_identifier; |
389 |
} |
390 |
} |
391 |
|
392 |
} |
393 |
|
394 |
/* load the openssl config file only once */ |
395 |
if (!ssl_config) |
396 |
{ |
397 |
if (cert_engine_name || pkey_engine_name) |
398 |
ssl_config = eaptls_ssl_load_config(); |
399 |
|
400 |
if (ssl_config && cert_engine_name) |
401 |
cert_engine = eaptls_ssl_load_engine( cert_engine_name ); |
402 |
|
403 |
if (ssl_config && pkey_engine_name) |
404 |
{ |
405 |
/* don't load the same engine twice */ |
406 |
if ( strcmp( cert_engine_name, pkey_engine_name) == 0 ) |
407 |
pkey_engine = cert_engine; |
408 |
else |
409 |
pkey_engine = eaptls_ssl_load_engine( pkey_engine_name ); |
410 |
} |
411 |
} |
412 |
|
413 |
SSL_CTX_set_default_passwd_cb (ctx, password_callback); |
414 |
|
415 |
if (!SSL_CTX_load_verify_locations(ctx, cacertfile, NULL)) |
416 |
{ |
417 |
error("EAP-TLS: Cannot load or verify CA file %s", cacertfile); |
418 |
goto fail; |
419 |
} |
420 |
|
421 |
if (init_server) |
422 |
SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(cacertfile)); |
423 |
|
424 |
if (cert_engine) |
425 |
{ |
426 |
struct |
427 |
{ |
428 |
const char *s_slot_cert_id; |
429 |
X509 *cert; |
430 |
} cert_info; |
431 |
|
432 |
cert_info.s_slot_cert_id = cert_identifier; |
433 |
cert_info.cert = NULL; |
434 |
|
435 |
if (!ENGINE_ctrl_cmd( cert_engine, "LOAD_CERT_CTRL", 0, &cert_info, NULL, 0 ) ) |
436 |
{ |
437 |
error( "EAP-TLS: Error loading certificate with id '%s' from engine", cert_identifier ); |
438 |
goto fail; |
439 |
} |
440 |
|
441 |
if (cert_info.cert) |
442 |
{ |
443 |
dbglog( "Got the certificate, adding it to SSL context" ); |
444 |
dbglog( "subject = %s", X509_NAME_oneline( X509_get_subject_name( cert_info.cert ), NULL, 0 ) ); |
445 |
if (SSL_CTX_use_certificate(ctx, cert_info.cert) <= 0) |
446 |
{ |
447 |
error("EAP-TLS: Cannot use PKCS11 certificate %s", cert_identifier); |
448 |
goto fail; |
449 |
} |
450 |
} |
451 |
else |
452 |
{ |
453 |
warn("EAP-TLS: Cannot load PKCS11 key %s", cert_identifier); |
454 |
log_ssl_errors(); |
455 |
} |
456 |
} |
457 |
else |
458 |
{ |
459 |
if (!SSL_CTX_use_certificate_file(ctx, certfile, SSL_FILETYPE_PEM)) |
460 |
{ |
461 |
error( "EAP-TLS: Cannot use public certificate %s", certfile ); |
462 |
goto fail; |
463 |
} |
464 |
} |
465 |
|
466 |
if (pkey_engine) |
467 |
{ |
468 |
EVP_PKEY *pkey = NULL; |
469 |
PW_CB_DATA cb_data; |
470 |
|
471 |
cb_data.password = passwd; |
472 |
cb_data.prompt_info = pkey_identifier; |
473 |
|
474 |
dbglog( "Loading private key '%s' from engine", pkey_identifier ); |
475 |
pkey = ENGINE_load_private_key(pkey_engine, pkey_identifier, NULL, &cb_data); |
476 |
if (pkey) |
477 |
{ |
478 |
dbglog( "Got the private key, adding it to SSL context" ); |
479 |
if (SSL_CTX_use_PrivateKey(ctx, pkey) <= 0) |
480 |
{ |
481 |
error("EAP-TLS: Cannot use PKCS11 key %s", pkey_identifier); |
482 |
goto fail; |
483 |
} |
484 |
} |
485 |
else |
486 |
{ |
487 |
warn("EAP-TLS: Cannot load PKCS11 key %s", pkey_identifier); |
488 |
log_ssl_errors(); |
489 |
} |
490 |
} |
491 |
else |
492 |
{ |
493 |
if (!SSL_CTX_use_PrivateKey_file(ctx, privkeyfile, SSL_FILETYPE_PEM)) |
494 |
{ |
495 |
error("EAP-TLS: Cannot use private key %s", privkeyfile); |
496 |
goto fail; |
497 |
} |
498 |
} |
499 |
|
500 |
if (SSL_CTX_check_private_key(ctx) != 1) { |
501 |
error("EAP-TLS: Private key %s fails security check", privkeyfile); |
502 |
goto fail; |
503 |
} |
504 |
|
505 |
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); |
506 |
SSL_CTX_set_verify_depth(ctx, 5); |
507 |
SSL_CTX_set_verify(ctx, |
508 |
SSL_VERIFY_PEER | |
509 |
SSL_VERIFY_FAIL_IF_NO_PEER_CERT, |
510 |
&ssl_verify_callback); |
511 |
|
512 |
if (crl_dir) { |
513 |
if (!(certstore = SSL_CTX_get_cert_store(ctx))) { |
514 |
error("EAP-TLS: Failed to get certificate store"); |
515 |
goto fail; |
516 |
} |
517 |
|
518 |
if (!(lookup = |
519 |
X509_STORE_add_lookup(certstore, X509_LOOKUP_hash_dir()))) { |
520 |
error("EAP-TLS: Store lookup for CRL failed"); |
521 |
|
522 |
goto fail; |
523 |
} |
524 |
|
525 |
X509_LOOKUP_add_dir(lookup, crl_dir, X509_FILETYPE_PEM); |
526 |
X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK); |
527 |
} |
528 |
|
529 |
/* |
530 |
* If a peer certificate file was specified, it must be valid, else fail |
531 |
*/ |
532 |
if (peer_certfile[0]) { |
533 |
if (!(tmp = get_X509_from_file(peer_certfile))) { |
534 |
error("EAP-TLS: Error loading client certificate from file %s", |
535 |
peer_certfile); |
536 |
goto fail; |
537 |
} |
538 |
X509_free(tmp); |
539 |
} |
540 |
|
541 |
return ctx; |
542 |
|
543 |
fail: |
544 |
log_ssl_errors(); |
545 |
SSL_CTX_free(ctx); |
546 |
return NULL; |
547 |
} |
548 |
|
549 |
/* |
550 |
* Determine the maximum packet size by looking at the LCP handshake |
551 |
*/ |
552 |
|
553 |
int eaptls_get_mtu(int unit) |
554 |
{ |
555 |
int mtu, mru; |
556 |
|
557 |
lcp_options *wo = &lcp_wantoptions[unit]; |
558 |
lcp_options *go = &lcp_gotoptions[unit]; |
559 |
lcp_options *ho = &lcp_hisoptions[unit]; |
560 |
lcp_options *ao = &lcp_allowoptions[unit]; |
561 |
|
562 |
mtu = ho->neg_mru? ho->mru: PPP_MRU; |
563 |
mru = go->neg_mru? MAX(wo->mru, go->mru): PPP_MRU; |
564 |
mtu = MIN(MIN(mtu, mru), ao->mru)- PPP_HDRLEN - 10; |
565 |
|
566 |
dbglog("MTU = %d", mtu); |
567 |
return mtu; |
568 |
} |
569 |
|
570 |
|
571 |
/* |
572 |
* Init the ssl handshake (server mode) |
573 |
*/ |
574 |
int eaptls_init_ssl_server(eap_state * esp) |
575 |
{ |
576 |
struct eaptls_session *ets; |
577 |
char servcertfile[MAXWORDLEN]; |
578 |
char clicertfile[MAXWORDLEN]; |
579 |
char cacertfile[MAXWORDLEN]; |
580 |
char pkfile[MAXWORDLEN]; |
581 |
/* |
582 |
* Allocate new eaptls session |
583 |
*/ |
584 |
esp->es_server.ea_session = malloc(sizeof(struct eaptls_session)); |
585 |
if (!esp->es_server.ea_session) |
586 |
fatal("Allocation error"); |
587 |
ets = esp->es_server.ea_session; |
588 |
|
589 |
if (!esp->es_server.ea_peer) { |
590 |
error("EAP-TLS: Error: client name not set (BUG)"); |
591 |
return 0; |
592 |
} |
593 |
|
594 |
strncpy(ets->peer, esp->es_server.ea_peer, MAXWORDLEN); |
595 |
|
596 |
dbglog( "getting eaptls secret" ); |
597 |
if (!get_eaptls_secret(esp->es_unit, esp->es_server.ea_peer, |
598 |
esp->es_server.ea_name, clicertfile, |
599 |
servcertfile, cacertfile, pkfile, 1)) { |
600 |
error( "EAP-TLS: Cannot get secret/password for client \"%s\", server \"%s\"", |
601 |
esp->es_server.ea_peer, esp->es_server.ea_name ); |
602 |
return 0; |
603 |
} |
604 |
|
605 |
ets->mtu = eaptls_get_mtu(esp->es_unit); |
606 |
|
607 |
ets->ctx = eaptls_init_ssl(1, cacertfile, servcertfile, clicertfile, pkfile); |
608 |
if (!ets->ctx) |
609 |
goto fail; |
610 |
|
611 |
if (!(ets->ssl = SSL_new(ets->ctx))) |
612 |
goto fail; |
613 |
|
614 |
/* |
615 |
* Set auto-retry to avoid timeouts on BIO_read |
616 |
*/ |
617 |
SSL_set_mode(ets->ssl, SSL_MODE_AUTO_RETRY); |
618 |
|
619 |
/* |
620 |
* Initialize the BIOs we use to read/write to ssl engine |
621 |
*/ |
622 |
ets->into_ssl = BIO_new(BIO_s_mem()); |
623 |
ets->from_ssl = BIO_new(BIO_s_mem()); |
624 |
SSL_set_bio(ets->ssl, ets->into_ssl, ets->from_ssl); |
625 |
|
626 |
SSL_set_msg_callback(ets->ssl, ssl_msg_callback); |
627 |
SSL_set_msg_callback_arg(ets->ssl, ets); |
628 |
|
629 |
/* |
630 |
* Attach the session struct to the connection, so we can later |
631 |
* retrieve it when doing certificate verification |
632 |
*/ |
633 |
SSL_set_ex_data(ets->ssl, 0, ets); |
634 |
|
635 |
SSL_set_accept_state(ets->ssl); |
636 |
|
637 |
ets->data = NULL; |
638 |
ets->datalen = 0; |
639 |
ets->alert_sent = 0; |
640 |
ets->alert_recv = 0; |
641 |
|
642 |
/* |
643 |
* If we specified the client certificate file, store it in ets->peercertfile, |
644 |
* so we can check it later in ssl_verify_callback() |
645 |
*/ |
646 |
if (clicertfile[0]) |
647 |
strncpy(&ets->peercertfile[0], clicertfile, MAXWORDLEN); |
648 |
else |
649 |
ets->peercertfile[0] = 0; |
650 |
|
651 |
return 1; |
652 |
|
653 |
fail: |
654 |
SSL_CTX_free(ets->ctx); |
655 |
return 0; |
656 |
} |
657 |
|
658 |
/* |
659 |
* Init the ssl handshake (client mode) |
660 |
*/ |
661 |
int eaptls_init_ssl_client(eap_state * esp) |
662 |
{ |
663 |
struct eaptls_session *ets; |
664 |
char servcertfile[MAXWORDLEN]; |
665 |
char clicertfile[MAXWORDLEN]; |
666 |
char cacertfile[MAXWORDLEN]; |
667 |
char pkfile[MAXWORDLEN]; |
668 |
|
669 |
/* |
670 |
* Allocate new eaptls session |
671 |
*/ |
672 |
esp->es_client.ea_session = malloc(sizeof(struct eaptls_session)); |
673 |
if (!esp->es_client.ea_session) |
674 |
fatal("Allocation error"); |
675 |
ets = esp->es_client.ea_session; |
676 |
|
677 |
/* |
678 |
* If available, copy server name in ets; it will be used in cert |
679 |
* verify |
680 |
*/ |
681 |
if (esp->es_client.ea_peer) |
682 |
strncpy(ets->peer, esp->es_client.ea_peer, MAXWORDLEN); |
683 |
else |
684 |
ets->peer[0] = 0; |
685 |
|
686 |
ets->mtu = eaptls_get_mtu(esp->es_unit); |
687 |
|
688 |
dbglog( "calling get_eaptls_secret" ); |
689 |
if (!get_eaptls_secret(esp->es_unit, esp->es_client.ea_name, |
690 |
esp->es_client.ea_peer, clicertfile, |
691 |
servcertfile, cacertfile, pkfile, 0)) { |
692 |
error( "EAP-TLS: Cannot get secret/password for client \"%s\", server \"%s\"", |
693 |
esp->es_client.ea_name, esp->es_client.ea_peer ); |
694 |
return 0; |
695 |
} |
696 |
|
697 |
dbglog( "calling eaptls_init_ssl" ); |
698 |
ets->ctx = eaptls_init_ssl(0, cacertfile, clicertfile, servcertfile, pkfile); |
699 |
if (!ets->ctx) |
700 |
goto fail; |
701 |
|
702 |
ets->ssl = SSL_new(ets->ctx); |
703 |
|
704 |
if (!ets->ssl) |
705 |
goto fail; |
706 |
|
707 |
/* |
708 |
* Initialize the BIOs we use to read/write to ssl engine |
709 |
*/ |
710 |
dbglog( "Initializing SSL BIOs" ); |
711 |
ets->into_ssl = BIO_new(BIO_s_mem()); |
712 |
ets->from_ssl = BIO_new(BIO_s_mem()); |
713 |
SSL_set_bio(ets->ssl, ets->into_ssl, ets->from_ssl); |
714 |
|
715 |
SSL_set_msg_callback(ets->ssl, ssl_msg_callback); |
716 |
SSL_set_msg_callback_arg(ets->ssl, ets); |
717 |
|
718 |
/* |
719 |
* Attach the session struct to the connection, so we can later |
720 |
* retrieve it when doing certificate verification |
721 |
*/ |
722 |
SSL_set_ex_data(ets->ssl, 0, ets); |
723 |
|
724 |
SSL_set_connect_state(ets->ssl); |
725 |
|
726 |
ets->data = NULL; |
727 |
ets->datalen = 0; |
728 |
ets->alert_sent = 0; |
729 |
ets->alert_recv = 0; |
730 |
|
731 |
/* |
732 |
* If we specified the server certificate file, store it in |
733 |
* ets->peercertfile, so we can check it later in |
734 |
* ssl_verify_callback() |
735 |
*/ |
736 |
if (servcertfile[0]) |
737 |
strncpy(ets->peercertfile, servcertfile, MAXWORDLEN); |
738 |
else |
739 |
ets->peercertfile[0] = 0; |
740 |
|
741 |
return 1; |
742 |
|
743 |
fail: |
744 |
dbglog( "eaptls_init_ssl_client: fail" ); |
745 |
SSL_CTX_free(ets->ctx); |
746 |
return 0; |
747 |
|
748 |
} |
749 |
|
750 |
void eaptls_free_session(struct eaptls_session *ets) |
751 |
{ |
752 |
if (ets->ssl) |
753 |
SSL_free(ets->ssl); |
754 |
|
755 |
if (ets->ctx) |
756 |
SSL_CTX_free(ets->ctx); |
757 |
|
758 |
free(ets); |
759 |
} |
760 |
|
761 |
/* |
762 |
* Handle a received packet, reassembling fragmented messages and |
763 |
* passing them to the ssl engine |
764 |
*/ |
765 |
int eaptls_receive(struct eaptls_session *ets, u_char * inp, int len) |
766 |
{ |
767 |
u_char flags; |
768 |
u_int tlslen; |
769 |
u_char dummy[65536]; |
770 |
|
771 |
GETCHAR(flags, inp); |
772 |
len--; |
773 |
|
774 |
if (flags & EAP_TLS_FLAGS_LI && !ets->data) { |
775 |
|
776 |
/* |
777 |
* This is the first packet of a message |
778 |
*/ |
779 |
|
780 |
GETLONG(tlslen, inp); |
781 |
len -= 4; |
782 |
|
783 |
if (tlslen > EAP_TLS_MAX_LEN) { |
784 |
error("Error: tls message length > %d, truncated", |
785 |
EAP_TLS_MAX_LEN); |
786 |
tlslen = EAP_TLS_MAX_LEN; |
787 |
} |
788 |
|
789 |
/* |
790 |
* Allocate memory for the whole message |
791 |
*/ |
792 |
ets->data = malloc(tlslen); |
793 |
if (!ets->data) |
794 |
fatal("EAP TLS: allocation error\n"); |
795 |
|
796 |
ets->datalen = 0; |
797 |
ets->tlslen = tlslen; |
798 |
|
799 |
} |
800 |
else if (flags & EAP_TLS_FLAGS_LI && ets->data) { |
801 |
/* |
802 |
* Non first with LI (strange...) |
803 |
*/ |
804 |
|
805 |
GETLONG(tlslen, inp); |
806 |
len -= 4; |
807 |
|
808 |
} |
809 |
else if (!ets->data) { |
810 |
/* |
811 |
* A non fragmented message without LI flag |
812 |
*/ |
813 |
|
814 |
ets->data = malloc(len); |
815 |
if (!ets->data) |
816 |
fatal("EAP TLS: allocation error\n"); |
817 |
|
818 |
ets->datalen = 0; |
819 |
ets->tlslen = len; |
820 |
} |
821 |
|
822 |
if (flags & EAP_TLS_FLAGS_MF) |
823 |
ets->frag = 1; |
824 |
else |
825 |
ets->frag = 0; |
826 |
|
827 |
if (len + ets->datalen > ets->tlslen) { |
828 |
warn("EAP TLS: received data > TLS message length"); |
829 |
return 1; |
830 |
} |
831 |
|
832 |
BCOPY(inp, ets->data + ets->datalen, len); |
833 |
ets->datalen += len; |
834 |
|
835 |
if (!ets->frag) { |
836 |
|
837 |
/* |
838 |
* If we have the whole message, pass it to ssl |
839 |
*/ |
840 |
|
841 |
if (ets->datalen != ets->tlslen) { |
842 |
warn("EAP TLS: received data != TLS message length"); |
843 |
return 1; |
844 |
} |
845 |
|
846 |
if (BIO_write(ets->into_ssl, ets->data, ets->datalen) == -1) |
847 |
log_ssl_errors(); |
848 |
|
849 |
SSL_read(ets->ssl, dummy, 65536); |
850 |
|
851 |
free(ets->data); |
852 |
ets->data = NULL; |
853 |
ets->datalen = 0; |
854 |
} |
855 |
|
856 |
return 0; |
857 |
} |
858 |
|
859 |
/* |
860 |
* Return an eap-tls packet in outp. |
861 |
* A TLS message read from the ssl engine is buffered in ets->data. |
862 |
* At each call we control if there is buffered data and send a |
863 |
* packet of mtu bytes. |
864 |
*/ |
865 |
int eaptls_send(struct eaptls_session *ets, u_char ** outp) |
866 |
{ |
867 |
bool first = 0; |
868 |
int size; |
869 |
u_char fromtls[65536]; |
870 |
int res; |
871 |
u_char *start; |
872 |
|
873 |
start = *outp; |
874 |
|
875 |
if (!ets->data) { |
876 |
|
877 |
if(!ets->alert_sent) |
878 |
SSL_read(ets->ssl, fromtls, 65536); |
879 |
|
880 |
/* |
881 |
* Read from ssl |
882 |
*/ |
883 |
if ((res = BIO_read(ets->from_ssl, fromtls, 65536)) == -1) |
884 |
fatal("No data from BIO_read"); |
885 |
|
886 |
ets->datalen = res; |
887 |
|
888 |
ets->data = malloc(ets->datalen); |
889 |
BCOPY(fromtls, ets->data, ets->datalen); |
890 |
|
891 |
ets->offset = 0; |
892 |
first = 1; |
893 |
|
894 |
} |
895 |
|
896 |
size = ets->datalen - ets->offset; |
897 |
|
898 |
if (size > ets->mtu) { |
899 |
size = ets->mtu; |
900 |
ets->frag = 1; |
901 |
} else |
902 |
ets->frag = 0; |
903 |
|
904 |
PUTCHAR(EAPT_TLS, *outp); |
905 |
|
906 |
/* |
907 |
* Set right flags and length if necessary |
908 |
*/ |
909 |
if (ets->frag && first) { |
910 |
PUTCHAR(EAP_TLS_FLAGS_LI | EAP_TLS_FLAGS_MF, *outp); |
911 |
PUTLONG(ets->datalen, *outp); |
912 |
} else if (ets->frag) { |
913 |
PUTCHAR(EAP_TLS_FLAGS_MF, *outp); |
914 |
} else |
915 |
PUTCHAR(0, *outp); |
916 |
|
917 |
/* |
918 |
* Copy the data in outp |
919 |
*/ |
920 |
BCOPY(ets->data + ets->offset, *outp, size); |
921 |
INCPTR(size, *outp); |
922 |
|
923 |
/* |
924 |
* Copy the packet in retransmission buffer |
925 |
*/ |
926 |
BCOPY(start, &ets->rtx[0], *outp - start); |
927 |
ets->rtx_len = *outp - start; |
928 |
|
929 |
ets->offset += size; |
930 |
|
931 |
if (ets->offset >= ets->datalen) { |
932 |
|
933 |
/* |
934 |
* The whole message has been sent |
935 |
*/ |
936 |
|
937 |
free(ets->data); |
938 |
ets->data = NULL; |
939 |
ets->datalen = 0; |
940 |
ets->offset = 0; |
941 |
} |
942 |
|
943 |
return 0; |
944 |
} |
945 |
|
946 |
/* |
947 |
* Get the sent packet from the retransmission buffer |
948 |
*/ |
949 |
void eaptls_retransmit(struct eaptls_session *ets, u_char ** outp) |
950 |
{ |
951 |
BCOPY(ets->rtx, *outp, ets->rtx_len); |
952 |
INCPTR(ets->rtx_len, *outp); |
953 |
} |
954 |
|
955 |
/* |
956 |
* Verify a certificate. |
957 |
* Most of the work (signatures and issuer attributes checking) |
958 |
* is done by ssl; we check the CN in the peer certificate |
959 |
* against the peer name. |
960 |
*/ |
961 |
int ssl_verify_callback(int preverify_ok, X509_STORE_CTX * ctx) |
962 |
{ |
963 |
char subject[256]; |
964 |
char cn_str[256]; |
965 |
X509 *peer_cert; |
966 |
int err, depth; |
967 |
int ok = preverify_ok; |
968 |
SSL *ssl; |
969 |
struct eaptls_session *ets; |
970 |
|
971 |
peer_cert = X509_STORE_CTX_get_current_cert(ctx); |
972 |
err = X509_STORE_CTX_get_error(ctx); |
973 |
depth = X509_STORE_CTX_get_error_depth(ctx); |
974 |
|
975 |
dbglog("certificate verify depth: %d", depth); |
976 |
|
977 |
if (auth_required && !ok) { |
978 |
X509_NAME_oneline(X509_get_subject_name(peer_cert), |
979 |
subject, 256); |
980 |
|
981 |
X509_NAME_get_text_by_NID(X509_get_subject_name(peer_cert), |
982 |
NID_commonName, cn_str, 256); |
983 |
|
984 |
dbglog("Certificate verification error:\n depth: %d CN: %s" |
985 |
"\n err: %d (%s)\n", depth, cn_str, err, |
986 |
X509_verify_cert_error_string(err)); |
987 |
|
988 |
return 0; |
989 |
} |
990 |
|
991 |
ssl = X509_STORE_CTX_get_ex_data(ctx, |
992 |
SSL_get_ex_data_X509_STORE_CTX_idx()); |
993 |
|
994 |
ets = (struct eaptls_session *)SSL_get_ex_data(ssl, 0); |
995 |
|
996 |
if (ets == NULL) { |
997 |
error("Error: SSL_get_ex_data returned NULL"); |
998 |
return 0; |
999 |
} |
1000 |
|
1001 |
log_ssl_errors(); |
1002 |
|
1003 |
if (!depth) { /* This is the peer certificate */ |
1004 |
|
1005 |
X509_NAME_oneline(X509_get_subject_name(peer_cert), |
1006 |
subject, 256); |
1007 |
|
1008 |
X509_NAME_get_text_by_NID(X509_get_subject_name(peer_cert), |
1009 |
NID_commonName, cn_str, 256); |
1010 |
|
1011 |
/* |
1012 |
* If acting as client and the name of the server wasn't specified |
1013 |
* explicitely, we can't verify the server authenticity |
1014 |
*/ |
1015 |
if (!ets->peer[0]) { |
1016 |
warn("Peer name not specified: no check"); |
1017 |
return 1; |
1018 |
} |
1019 |
|
1020 |
/* |
1021 |
* Check the CN |
1022 |
*/ |
1023 |
if (strcmp(cn_str, ets->peer)) { |
1024 |
error |
1025 |
("Certificate verification error: CN (%s) != peer_name (%s)", |
1026 |
cn_str, ets->peer); |
1027 |
return 0; |
1028 |
} |
1029 |
|
1030 |
warn("Certificate CN: %s , peer name %s", cn_str, ets->peer); |
1031 |
|
1032 |
/* |
1033 |
* If a peer certificate file was specified, here we check it |
1034 |
*/ |
1035 |
if (ets->peercertfile[0]) { |
1036 |
if (ssl_cmp_certs(&ets->peercertfile[0], peer_cert) |
1037 |
!= 0) { |
1038 |
error |
1039 |
("Peer certificate doesn't match stored certificate"); |
1040 |
return 0; |
1041 |
} |
1042 |
} |
1043 |
} |
1044 |
|
1045 |
return 1; |
1046 |
} |
1047 |
|
1048 |
/* |
1049 |
* Compare a certificate with the one stored in a file |
1050 |
*/ |
1051 |
int ssl_cmp_certs(char *filename, X509 * a) |
1052 |
{ |
1053 |
X509 *b; |
1054 |
int ret; |
1055 |
|
1056 |
if (!(b = get_X509_from_file(filename))) |
1057 |
return 1; |
1058 |
|
1059 |
ret = X509_cmp(a, b); |
1060 |
X509_free(b); |
1061 |
|
1062 |
return ret; |
1063 |
|
1064 |
} |
1065 |
|
1066 |
X509 *get_X509_from_file(char *filename) |
1067 |
{ |
1068 |
FILE *fp; |
1069 |
X509 *ret; |
1070 |
|
1071 |
if (!(fp = fopen(filename, "r"))) |
1072 |
return NULL; |
1073 |
|
1074 |
ret = PEM_read_X509(fp, NULL, NULL, NULL); |
1075 |
|
1076 |
fclose(fp); |
1077 |
|
1078 |
return ret; |
1079 |
} |
1080 |
|
1081 |
/* |
1082 |
* Every sent & received message this callback function is invoked, |
1083 |
* so we know when alert messages have arrived or are sent and |
1084 |
* we can print debug information about TLS handshake. |
1085 |
*/ |
1086 |
void |
1087 |
ssl_msg_callback(int write_p, int version, int content_type, |
1088 |
const void *buf, size_t len, SSL * ssl, void *arg) |
1089 |
{ |
1090 |
char string[256]; |
1091 |
struct eaptls_session *ets = (struct eaptls_session *)arg; |
1092 |
unsigned char code; |
1093 |
|
1094 |
if(write_p) |
1095 |
strcpy(string, " -> "); |
1096 |
else |
1097 |
strcpy(string, " <- "); |
1098 |
|
1099 |
|
1100 |
switch(content_type) { |
1101 |
|
1102 |
case SSL3_RT_ALERT: |
1103 |
strcat(string, "Alert: "); |
1104 |
code = ((const unsigned char *)buf)[1]; |
1105 |
|
1106 |
if (write_p) { |
1107 |
ets->alert_sent = 1; |
1108 |
ets->alert_sent_desc = code; |
1109 |
} else { |
1110 |
ets->alert_recv = 1; |
1111 |
ets->alert_recv_desc = code; |
1112 |
} |
1113 |
|
1114 |
strcat(string, SSL_alert_desc_string_long(code)); |
1115 |
break; |
1116 |
|
1117 |
case SSL3_RT_CHANGE_CIPHER_SPEC: |
1118 |
strcat(string, "ChangeCipherSpec"); |
1119 |
break; |
1120 |
|
1121 |
case SSL3_RT_HANDSHAKE: |
1122 |
|
1123 |
strcat(string, "Handshake: "); |
1124 |
code = ((const unsigned char *)buf)[0]; |
1125 |
|
1126 |
switch(code) { |
1127 |
case SSL3_MT_HELLO_REQUEST: |
1128 |
strcat(string,"Hello Request"); |
1129 |
break; |
1130 |
case SSL3_MT_CLIENT_HELLO: |
1131 |
strcat(string,"Client Hello"); |
1132 |
break; |
1133 |
case SSL3_MT_SERVER_HELLO: |
1134 |
strcat(string,"Server Hello"); |
1135 |
break; |
1136 |
case SSL3_MT_CERTIFICATE: |
1137 |
strcat(string,"Certificate"); |
1138 |
break; |
1139 |
case SSL3_MT_SERVER_KEY_EXCHANGE: |
1140 |
strcat(string,"Server Key Exchange"); |
1141 |
break; |
1142 |
case SSL3_MT_CERTIFICATE_REQUEST: |
1143 |
strcat(string,"Certificate Request"); |
1144 |
break; |
1145 |
case SSL3_MT_SERVER_DONE: |
1146 |
strcat(string,"Server Hello Done"); |
1147 |
break; |
1148 |
case SSL3_MT_CERTIFICATE_VERIFY: |
1149 |
strcat(string,"Certificate Verify"); |
1150 |
break; |
1151 |
case SSL3_MT_CLIENT_KEY_EXCHANGE: |
1152 |
strcat(string,"Client Key Exchange"); |
1153 |
break; |
1154 |
case SSL3_MT_FINISHED: |
1155 |
strcat(string,"Finished"); |
1156 |
break; |
1157 |
|
1158 |
default: |
1159 |
sprintf( string, "Handshake: Unknown SSL3 code received: %d", code ); |
1160 |
} |
1161 |
break; |
1162 |
|
1163 |
default: |
1164 |
sprintf( string, "SSL message contains unknown content type: %d", content_type ); |
1165 |
|
1166 |
} |
1167 |
|
1168 |
/* Alert messages must always be displayed */ |
1169 |
if(content_type == SSL3_RT_ALERT) |
1170 |
error("%s", string); |
1171 |
else |
1172 |
dbglog("%s", string); |
1173 |
} |
1174 |
|