From 566ce69a8d0e64093309cbde80235aa522fbf84e Mon Sep 17 00:00:00 2001
Message-Id: <566ce69a8d0e64093309cbde80235aa522fbf84e.1652450572.git.davide.caratti@gmail.com>
From: Jouni Malinen <quic_jouni@quicinc.com>
Date: Thu, 5 May 2022 00:07:44 +0300
Subject: [PATCH] EAP peer: Workaround for servers that do not support safe TLS
renegotiation
The TLS protocol design for renegotiation was identified to have a
significant security flaw in 2009 and an extension to secure this design
was published in 2010 (RFC 5746). However, some old RADIUS
authentication servers without support for this are still used commonly.
This is obviously not good from the security view point, but since there
are cases where the user of a network service has no realistic means for
getting the authentication server upgraded, TLS handshake may still need
to be allowed to be able to use the network.
OpenSSL 3.0 disabled the client side workaround by default and this
resulted in issues connecting to some networks with insecure
authentication servers. With OpenSSL 3.0, the client is now enforcing
security by refusing to authenticate with such servers. The pre-3.0
behavior of ignoring this issue and leaving security to the server can
now be enabled with a new phase1 parameter allow_unsafe_renegotiation=1.
This should be used only when having to connect to a network that has an
insecure authentication server that cannot be upgraded.
The old (pre-2010) TLS renegotiation mechanism might open security
vulnerabilities if the authentication server were to allow TLS
renegotiation to be initiated. While this is unlikely to cause real
issues with EAP-TLS, there might be cases where use of PEAP or TTLS with
an authentication server that does not support RFC 5746 might result in
a security vulnerability.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
---
src/crypto/tls.h | 1 +
src/crypto/tls_openssl.c | 5 +++++
src/eap_peer/eap_tls_common.c | 4 ++++
wpa_supplicant/wpa_supplicant.conf | 5 +++++
4 files changed, 15 insertions(+)
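--- a/src/crypto/tls.h
+++ b/src/crypto/tls.h
@@ -112,6 +112,7 @@ struct tls_config {
 #define TLS_CONN_ENABLE_TLSv1_1 BIT(15)
 #define TLS_CONN_ENABLE_TLSv1_2 BIT(16)
 #define TLS_CONN_TEAP_ANON_DH BIT(17)
+#define TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION BIT(18)
 
 /**
  * struct tls_connection_params - Parameters for TLS connection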
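--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -3081,6 +3081,11 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags,
 SSL_clear_options(ssl, SSL_OP_NO_TICKET);
 #endif /* SSL_OP_NO_TICKET */
 
+#ifdef SSL_OP_LEGACY_SERVER_CONNECT
+ if (flags & TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION)
+ SSL_set_options(ssl, SSL_OP_LEGACY_SERVER_CONNECT);
+#endif /* SSL_OP_LEGACY_SERVER_CONNECT */
+
 #ifdef SSL_OP_NO_TLSv1
 if (flags & TLS_CONN_DISABLE_TLSv1_0)
 SSL_set_options(ssl, SSL_OP_NO_TLSv1);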
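Review bot: The new `#ifdef SSL_OP_LEGACY_SERVER_CONNECT` block only ever sets the option and never clears it, so `allow_unsafe_renegotiation=0` (or leaving the parameter out) does not tighten anything here, whereas the `SSL_OP_NO_TICKET` handling just above appears to end in an `SSL_clear_options()` call. The commit message states that OpenSSL before 3.0 enabled this workaround by default, so on such builds the connection presumably still accepts servers without RFC 5746 regardless of the phase1 value. If enforcement is meant to follow the parameter, add `else SSL_clear_options(ssl, SSL_OP_LEGACY_SERVER_CONNECT);`; if the old default is kept on purpose, say so in a comment such as `/* Only restores the pre-3.0 default; does not enforce RFC 5746 on older OpenSSL */`. tls_set_conn_flags() starts and ends outside the hunk, so an earlier clear elsewhere in the function cannot be ruled out from here.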
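--- a/src/eap_peer/eap_tls_common.c
+++ b/src/eap_peer/eap_tls_common.c
@@ -102,6 +102,10 @@ static void eap_tls_params_flags(struct tls_connection_params *params,
 params->flags |= TLS_CONN_SUITEB_NO_ECDH;
 if (os_strstr(txt, "tls_suiteb_no_ecdh=0"))
 params->flags &= ~TLS_CONN_SUITEB_NO_ECDH;
+ if (os_strstr(txt, "allow_unsafe_renegotiation=1"))
+ params->flags |= TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION;
+ if (os_strstr(txt, "allow_unsafe_renegotiation=0"))
+ params->flags &= ~TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION;
 }
 
 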
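Review bot: Nothing in the added lines records that a security-lowering flag was turned on, and `os_strstr(txt, "allow_unsafe_renegotiation=1")` is a substring match, so a phase1 string that merely contains that text (a value such as `=10`, or a longer name ending in it) also enables it. The matching style is the same as the neighbouring `tls_suiteb_no_ecdh` lines, so it is consistent with the file, but for this option a debug line would make the weakening visible when auditing logs, e.g. `wpa_printf(MSG_DEBUG, "TLS: unsafe renegotiation allowed by phase1 parameter");`. When both `=1` and `=0` occur in the string the later `=0` test wins; a one-line comment stating that precedence would help. eap_tls_params_flags() begins outside the hunk.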
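--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -1370,6 +1370,11 @@ fast_reauth=1
 # tls_suiteb=0 - do not apply Suite B 192-bit constraints on TLS (default)
 # tls_suiteb=1 - apply Suite B 192-bit constraints on TLS; this is used in
 # particular when using Suite B with RSA keys of >= 3K (3072) bits
+# allow_unsafe_renegotiation=1 - allow connection with a TLS server that does
+# not support safe renegotiation (RFC 5746); please note that this
+# workaround should be only when having to authenticate with an old
+# authentication server that cannot be updated to use secure TLS
+# implementation.
 #
 # Following certificate/private key fields are used in inner Phase2
 # authentication when using EAP-TTLS or EAP-PEAP.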
--
2.35.1