From patchwork Wed Apr 7 07:23:52 2021
X-Patchwork-Submitter: Andreas Tobler
X-Patchwork-Id: 1463247
From: Andreas Tobler
To: andreastt@gmail.com, hostap@lists.infradead.org
Subject: [PATCH 1/1] wolfssl: Add missing functions for EAP-TLS
Date: Wed, 7 Apr 2021 09:23:52 +0200
Message-Id: <20210407072352.4152945-2-andreas.tobler@onway.ch>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20210407072352.4152945-1-andreas.tobler@onway.ch>
References: <20210407072352.4152945-1-andreas.tobler@onway.ch>
Implement the missing functions when using EAP-TLS with wolfSSL.

Signed-off-by: Andreas Tobler
---
 src/crypto/tls_wolfssl.c | 68 +++++++++++++++++++++++++++++++++++-----
 1 file changed, 61 insertions(+), 7 deletions(-)

diff --git a/src/crypto/tls_wolfssl.c b/src/crypto/tls_wolfssl.c index cf482bfc3..4dfe53422 100644 --- a/src/crypto/tls_wolfssl.c +++ b/src/crypto/tls_wolfssl.c @@ -90,10 +90,12 @@ struct tls_connection { unsigned int cert_probe:1; unsigned int server_cert_only:1; unsigned int success_data:1; + unsigned int server:1; WOLFSSL_X509 *peer_cert; WOLFSSL_X509 *peer_issuer; WOLFSSL_X509 *peer_issuer_issuer; + char *peer_subject; /* peer subject info for authenticated peer */ };
@@ -337,6 +339,8 @@ void tls_connection_deinit(void *tls_ctx, struct tls_connection *conn) os_free(conn->suffix_match); os_free(conn->domain_match); + os_free(conn->peer_subject); + /* self */ os_free(conn); } @@ -1134,6 +1138,11 @@ static int tls_verify_cb(int preverify_ok, WOLFSSL_X509_STORE_CTX *x509_ctx) context->event_cb(context->cb_ctx, TLS_CERT_CHAIN_SUCCESS, NULL); + if (depth == 0 && preverify_ok) { + os_free(conn->peer_subject); + conn->peer_subject = os_strdup(buf); + } + return preverify_ok; } @@ -1614,15 +1623,14 @@ int tls_connection_set_verify(void *ssl_ctx, struct tls_connection *conn, static struct wpabuf * wolfssl_handshake(struct tls_connection *conn, - const struct wpabuf *in_data, - int server) + const struct wpabuf *in_data) { int res; wolfssl_reset_out_data(&conn->output); /* Initiate TLS handshake or continue the existing handshake */ - if (server) { + if (conn->server) { wolfSSL_set_accept_state(conn->ssl); res = wolfSSL_accept(conn->ssl); wpa_printf(MSG_DEBUG, "SSL: wolfSSL_accept: %d", res); @@ -1695,7 +1703,7 @@ static struct wpabuf * wolfssl_get_appl_data(struct tls_connection *conn, static struct wpabuf * wolfssl_connection_handshake(struct tls_connection *conn, const struct wpabuf *in_data, - struct wpabuf **appl_data, int server) + struct wpabuf **appl_data) { struct wpabuf *out_data; @@ -1704,7 +1712,7 @@ wolfssl_connection_handshake(struct tls_connection *conn, if (appl_data) *appl_data = NULL; - out_data = wolfssl_handshake(conn, in_data, server); + out_data = wolfssl_handshake(conn, in_data); if (!out_data) return NULL; @@ -1726,7 +1734,7 @@ struct wpabuf * tls_connection_handshake(void *tls_ctx, const struct wpabuf *in_data, struct wpabuf **appl_data) { - return wolfssl_connection_handshake(conn, in_data, appl_data, 0); + return wolfssl_connection_handshake(conn, in_data, appl_data); } 
@@ -1735,7 +1743,8 @@ struct wpabuf * tls_connection_server_handshake(void *tls_ctx, const struct wpabuf *in_data, struct wpabuf **appl_data) { - return wolfssl_connection_handshake(conn, in_data, appl_data, 1); + conn->server = 1; + return wolfssl_connection_handshake(conn, in_data, appl_data); } @@ -2206,3 +2215,48 @@ tls_connection_get_success_data(struct tls_connection *conn) return NULL; return wolfSSL_SESSION_get_ex_data(sess, tls_ex_idx_session); } + + +int tls_get_tls_unique(struct tls_connection *conn, u8 *buf, size_t max_len) +{ + size_t len; + int reused; + + reused = wolfSSL_session_reused(conn->ssl); + if ((conn->server && !reused) || (!conn->server && reused)) + len = wolfSSL_get_peer_finished(conn->ssl, buf, max_len); + else + len = wolfSSL_get_finished(conn->ssl, buf, max_len); + + if (len == 0 || len > max_len) + return -1; + + return len; +} + + +u16 tls_connection_get_cipher_suite(struct tls_connection *conn) +{ + const WOLFSSL_CIPHER *cipher; + + cipher = wolfSSL_get_current_cipher(conn->ssl); + if (!cipher) + return 0; + return wolfSSL_CIPHER_get_id(cipher); +} + + +const char * tls_connection_get_peer_subject(struct tls_connection *conn) +{ + if (conn) + return conn->peer_subject; + return NULL; +} + + +bool tls_connection_get_own_cert_used(struct tls_connection *conn) +{ + if (conn) + return wolfSSL_get_certificate(conn->ssl) != NULL; + return false; +}
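Review bot: In the tls_verify_cb hunk (@@ -1134), `conn->peer_subject = os_strdup(buf);` is assigned without checking the result, so an allocation failure silently leaves peer_subject NULL and tls_connection_get_peer_subject() later reports no subject for a peer that did verify; a `wpa_printf(MSG_DEBUG, ...)` on the NULL return would at least make that case visible in the log. The hunk also does not show what `buf` holds by the time `depth == 0 && preverify_ok` is tested, so it is worth confirming at the call site that it still contains the depth-0 subject string and not a value reused across chain depths.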
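Review bot: In the tls_connection_server_handshake hunk (@@ -1735), `conn->server = 1;` is set on every server-side handshake call but nothing in the patch ever clears it, so the client-side behaviour of wolfssl_handshake() and tls_get_tls_unique() now depends on the new bitfield being zero when the connection is allocated; a short comment at the `unsigned int server:1;` field, or setting the flag once where the server connection is created, would document that assumption.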
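Review bot: In the final hunk (@@ -2206), tls_get_tls_unique() and tls_connection_get_cipher_suite() dereference `conn->ssl` without the `if (conn)` guard that tls_connection_get_peer_subject() and tls_connection_get_own_cert_used() use; the four new functions should agree on NULL handling. The Finished-message selection in tls_get_tls_unique() matches RFC 5929 tls-unique (the first Finished of the most recent handshake: the peer's for a server in a full handshake or a client in a resumed one, own otherwise), but nothing here excludes TLS 1.3 connections, for which tls-unique is not defined (RFC 9266 specifies tls-exporter instead), so returning -1 when the negotiated version is 1.3 would avoid handing callers a binding value with no defined meaning. In tls_connection_get_cipher_suite() the result of wolfSSL_CIPHER_get_id() is narrowed to u16 implicitly; an explicit `& 0xFFFF` would state that only the two-byte suite id is intended. Finally, tls_connection_get_own_cert_used() reports whether a certificate is configured (`wolfSSL_get_certificate(conn->ssl) != NULL`), not whether it was actually sent in this handshake, which a one-line comment should make clear to callers.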