rpms / wpa_supplicant

Clone
Source Code
GIT

Blame SOURCES/0001-EAP-peer-status-notification-for-server-not-supporti.patch

c4 c5 c5-plus c6 c6-plus c7 c7-aarch64 c7-alt c7-beta c7-ppc64le c8 c8-beta c8s c9 c9-beta
  1.   c9
  2.   SOURCES
  3.   0001-EAP-peer-status-notification-for-server-not-supporti.patch
Blob History Raw
00ee6d 
From a561d12d24c2c8bb0f825d4a3a55a5e47e845853 Mon Sep 17 00:00:00 2001
00ee6d 
Message-Id: <a561d12d24c2c8bb0f825d4a3a55a5e47e845853.1652450863.git.davide.caratti@gmail.com>
00ee6d 
From: Jouni Malinen <quic_jouni@quicinc.com>
00ee6d 
Date: Wed, 4 May 2022 23:55:38 +0300
00ee6d 
Subject: [PATCH] EAP peer status notification for server not supporting RFC
00ee6d 
 5746
00ee6d
00ee6d 
Add a notification message to indicate reason for TLS handshake failure
00ee6d 
due to the server not supporting safe renegotiation (RFC 5746).
00ee6d
00ee6d 
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
00ee6d 
---
00ee6d 
 src/ap/authsrv.c         |  3 +++
00ee6d 
 src/crypto/tls.h         |  3 ++-
00ee6d 
 src/crypto/tls_openssl.c | 15 +++++++++++++--
00ee6d 
 src/eap_peer/eap.c       |  5 +++++
00ee6d 
 4 files changed, 23 insertions(+), 3 deletions(-)
00ee6d
00ee6d 
diff --git a/src/ap/authsrv.c b/src/ap/authsrv.c
00ee6d 
index 516c1da74..fd9c96fad 100644
00ee6d 
--- a/src/ap/authsrv.c
00ee6d 
+++ b/src/ap/authsrv.c
00ee6d 
@@ -169,6 +169,9 @@ static void authsrv_tls_event(void *ctx, enum tls_event ev,
00ee6d 
 			wpa_printf(MSG_DEBUG, "authsrv: remote TLS alert: %s",
00ee6d 
 				   data->alert.description);
00ee6d 
 		break;
00ee6d 
+	case TLS_UNSAFE_RENEGOTIATION_DISABLED:
00ee6d 
+		/* Not applicable to TLS server */
00ee6d 
+		break;
00ee6d 
 	}
00ee6d 
 }
00ee6d 
 #endif /* EAP_TLS_FUNCS */
00ee6d 
diff --git a/src/crypto/tls.h b/src/crypto/tls.h
00ee6d 
index 7ea32ee4a..7a2ee32df 100644
00ee6d 
--- a/src/crypto/tls.h
00ee6d 
+++ b/src/crypto/tls.h
00ee6d 
@@ -22,7 +22,8 @@ enum tls_event {
00ee6d 
 	TLS_CERT_CHAIN_SUCCESS,
00ee6d 
 	TLS_CERT_CHAIN_FAILURE,
00ee6d 
 	TLS_PEER_CERTIFICATE,
00ee6d 
-	TLS_ALERT
00ee6d 
+	TLS_ALERT,
00ee6d 
+	TLS_UNSAFE_RENEGOTIATION_DISABLED,
00ee6d 
 };
00ee6d
00ee6d 
 /*
00ee6d 
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
00ee6d 
index 0d23f44ad..912471ba2 100644
00ee6d 
--- a/src/crypto/tls_openssl.c
00ee6d 
+++ b/src/crypto/tls_openssl.c
00ee6d 
@@ -4443,6 +4443,7 @@ int tls_connection_get_eap_fast_key(void *tls_ctx, struct tls_connection *conn,
00ee6d 
 static struct wpabuf *
00ee6d 
 openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data)
00ee6d 
 {
00ee6d 
+	struct tls_context *context = conn->context;
00ee6d 
 	int res;
00ee6d 
 	struct wpabuf *out_data;
00ee6d
00ee6d 
@@ -4472,7 +4473,19 @@ openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data)
00ee6d 
 			wpa_printf(MSG_DEBUG, "SSL: SSL_connect - want to "
00ee6d 
 				   "write");
00ee6d 
 		else {
00ee6d 
+			unsigned long error = ERR_peek_last_error();
00ee6d 
+
00ee6d 
 			tls_show_errors(MSG_INFO, __func__, "SSL_connect");
00ee6d 
+
00ee6d 
+			if (context->event_cb &&
00ee6d 
+			    ERR_GET_LIB(error) == ERR_LIB_SSL &&
00ee6d 
+			    ERR_GET_REASON(error) ==
00ee6d 
+			    SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED) {
00ee6d 
+				context->event_cb(
00ee6d 
+					context->cb_ctx,
00ee6d 
+					TLS_UNSAFE_RENEGOTIATION_DISABLED,
00ee6d 
+					NULL);
00ee6d 
+			}
00ee6d 
 			conn->failed++;
00ee6d 
 			if (!conn->server && !conn->client_hello_generated) {
00ee6d 
 				/* The server would not understand TLS Alert
00ee6d 
@@ -4495,8 +4508,6 @@ openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data)
00ee6d 
 	if ((conn->flags & TLS_CONN_SUITEB) && !conn->server &&
00ee6d 
 	    os_strncmp(SSL_get_cipher(conn->ssl), "DHE-", 4) == 0 &&
00ee6d 
 	    conn->server_dh_prime_len < 3072) {
00ee6d 
-		struct tls_context *context = conn->context;
00ee6d 
-
00ee6d 
 		/*
00ee6d 
 		 * This should not be reached since earlier cert_cb should have
00ee6d 
 		 * terminated the handshake. Keep this check here for extra
00ee6d 
diff --git a/src/eap_peer/eap.c b/src/eap_peer/eap.c
00ee6d 
index 429b20d3a..729388f4f 100644
00ee6d 
--- a/src/eap_peer/eap.c
00ee6d 
+++ b/src/eap_peer/eap.c
00ee6d 
@@ -2172,6 +2172,11 @@ static void eap_peer_sm_tls_event(void *ctx, enum tls_event ev,
00ee6d 
 			eap_notify_status(sm, "remote TLS alert",
00ee6d 
 					  data->alert.description);
00ee6d 
 		break;
00ee6d 
+	case TLS_UNSAFE_RENEGOTIATION_DISABLED:
00ee6d 
+		wpa_printf(MSG_INFO,
00ee6d 
+			   "TLS handshake failed due to the server not supporting safe renegotiation (RFC 5746); phase1 parameter allow_unsafe_renegotiation=1 can be used to work around this");
00ee6d 
+		eap_notify_status(sm, "unsafe server renegotiation", "failure");
00ee6d 
+		break;
00ee6d 
 	}
00ee6d
00ee6d 
 	os_free(hash_hex);
00ee6d 
--
00ee6d 
2.35.1
00ee6d

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation