The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
Loading...
Searching...
No Matches
ctx.c
Go to the documentation of this file.
1/*
2 * This program is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License as published by
4 * the Free Software Foundation; either version 2 of the License, or
5 * (at your option) any later version.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15 */
16
17/**
18 * $Id: 5cf0fa44efabbe69bcd4f1cca7ede0e44859287d $
19 *
20 * @file tls/ctx.c
21 * @brief Initialise and configure SSL_CTX structures.
22 *
23 * @copyright 2001 hereUare Communications, Inc. (raghud@hereuare.com)
24 * @copyright 2003 Alan DeKok (aland@freeradius.org)
25 * @copyright 2006-2016 The FreeRADIUS server project
26 */
27RCSID("$Id: 5cf0fa44efabbe69bcd4f1cca7ede0e44859287d $")
28USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */
29
30#ifdef WITH_TLS
31#define LOG_PREFIX "tls"
32
33#include <freeradius-devel/tls/log.h>
34#include <freeradius-devel/tls/strerror.h>
35#include <freeradius-devel/util/base16.h>
36#include <freeradius-devel/util/debug.h>
37#include <freeradius-devel/util/misc.h>
38#include <freeradius-devel/util/strerror.h>
39#include <freeradius-devel/util/syserror.h>
40
41#include "base.h"
42#include "utils.h"
43#include "log.h"
44#include "cert.h"
45
46#include <openssl/rand.h>
47#include <openssl/dh.h>
48#include <openssl/x509v3.h>
49#include <openssl/provider.h>
50
51#ifndef OPENSSL_NO_ECDH
52static int ctx_ecdh_curve_set(SSL_CTX *ctx, char const *ecdh_curve, bool disable_single_dh_use)
53{
54 char *list;
55
56 if (!disable_single_dh_use) {
57 SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE);
58 }
59
60 if (!ecdh_curve || !*ecdh_curve) return 0;
61
62 list = strdup(ecdh_curve);
63 if (SSL_CTX_set1_curves_list(ctx, list) == 0) {
64 free(list);
65 ERROR("Unknown ecdh_curve \"%s\"", ecdh_curve);
66 return -1;
67 }
68 free(list);
69 return 0;
70}
71#endif
72
73/*
74 * TODO: Check for the type of key exchange * like conf->dh_key
75 */
76static int ctx_dh_params_load(SSL_CTX *ctx, char *file)
77{
78 BIO *bio;
79 int ret;
80
81 EVP_PKEY *dh = NULL;
82
83 if (!file) return 0;
84
85 /*
86 * Prior to trying to load the file, check what OpenSSL will do with it.
87 *
88 * Certain downstreams (such as RHEL) will ignore user-provided dhparams
89 * in FIPS mode, unless the specified parameters are FIPS-approved.
90 * However, since OpenSSL >= 1.1.1 will automatically select parameters
91 * anyways, there's no point in attempting to load them.
92 *
93 * Change suggested by @t8m
94 */
95 if (EVP_default_properties_is_fips_enabled(NULL)) {
96 WARN(LOG_PREFIX ": Ignoring user-selected DH parameters in FIPS mode. Using defaults.");
97 return 0;
98 }
99
100 if ((bio = BIO_new_file(file, "r")) == NULL) {
101 ERROR("Unable to open DH file - %s", file);
102 return -1;
103 }
104
105 dh = PEM_read_bio_Parameters(bio, &dh);
106 BIO_free(bio);
107 if (!dh) {
108 WARN("Unable to set DH parameters. DH cipher suites may not work!");
109 WARN("Fix this by generating the DH parameter file");
110 return 0;
111 }
112
113 ret = SSL_CTX_set0_tmp_dh_pkey(ctx, dh);
114 if (ret == 0) {
115 EVP_PKEY_free(dh);
116 ERROR("Unable to set DH parameters");
117 return -1;
118 }
119
120 return 0;
121}
122
123static int tls_ctx_verify_chain_member(fr_unix_time_t *expires_first, X509 **self_signed,
124 SSL_CTX *ctx, X509 *to_verify,
125 fr_tls_chain_verify_mode_t verify_mode)
126{
127 fr_unix_time_t not_after;
128
129 STACK_OF(X509) *chain;
130 X509 *leaf;
131
132 leaf = SSL_CTX_get0_certificate(ctx);
133 if (!leaf) {
134 ERROR("Chain does not contain a valid leaf certificate");
135 return -1;
136 }
137
138 if (!SSL_CTX_get0_chain_certs(ctx, &chain)) {
139 fr_tls_log(NULL, "Failed retrieving chain certificates");
140 return -1;
141 }
142
143 switch (fr_tls_cert_is_valid(NULL, &not_after, to_verify)) {
144 case -1:
145 fr_tls_chain_marker_log(NULL, L_ERR, chain, leaf, to_verify);
146 PERROR("Malformed certificate");
147 return -1;
148
149 case -2:
150 case -3:
151 switch (verify_mode) {
152 case FR_TLS_CHAIN_VERIFY_SOFT:
153 fr_tls_chain_marker_log(NULL, L_WARN, chain, leaf, to_verify);
154 PWARN("Certificate validation failed");
155 break;
156
157 case FR_TLS_CHAIN_VERIFY_HARD:
158 fr_tls_chain_marker_log(NULL, L_ERR, chain, leaf, to_verify);
159 PERROR("Certificate validation failed");
160 return -1;
161
162 default:
163 break;
164 }
165
166 }
167
168 /*
169 * Check for self-signed certs
170 */
171 switch (verify_mode) {
172 case FR_TLS_CHAIN_VERIFY_SOFT:
173 case FR_TLS_CHAIN_VERIFY_HARD:
174 /*
175 * There can be only one... self signed
176 * cert in a chain.
177 *
178 * We have to do this check manually
179 * because the OpenSSL functions will
180 * only check to see if it can build
181 * a chain, not that all certificates
182 * in the chain are used.
183 *
184 * Having multiple self-signed certificates
185 * usually indicates someone has copied
186 * the wrong certificates into the
187 * server.pem file.
188 */
189 if (X509_name_cmp(X509_get_subject_name(to_verify),
190 X509_get_issuer_name(to_verify)) == 0) {
191 if (*self_signed) {
192 switch (verify_mode) {
193 case FR_TLS_CHAIN_VERIFY_SOFT:
194 WARN("Found multiple self-signed certificates in chain");
195 WARN("First certificate was:");
196 fr_tls_chain_marker_log(NULL, L_WARN,
197 chain, leaf, *self_signed);
198
199 WARN("Second certificate was:");
200 fr_tls_chain_marker_log(NULL, L_WARN,
201 chain, leaf, to_verify);
202 break;
203
204 case FR_TLS_CHAIN_VERIFY_HARD:
205 ERROR("Found multiple self-signed certificates in chain");
206 ERROR("First certificate was:");
207 fr_tls_chain_marker_log(NULL, L_ERR,
208 chain, leaf, *self_signed);
209
210 ERROR("Second certificate was:");
211 fr_tls_chain_marker_log(NULL, L_ERR,
212 chain, leaf, to_verify);
213 return -1;
214
215 default:
216 break;
217 }
218 }
219 *self_signed = to_verify;
220 }
221 break;
222
223 default:
224 break;
225 }
226
227 /*
228 * Record the time the first certificate in
229 * the chain expires so we can use it for
230 * runtime checks.
231 */
232 if (!fr_unix_time_ispos(*expires_first) ||
233 (fr_unix_time_gt(*expires_first, not_after))) *expires_first = not_after;
234
235 return 0;
236}
237
238static int tls_ctx_load_cert_chain(SSL_CTX *ctx, fr_tls_chain_conf_t *chain, bool allow_multi_self_signed)
239{
240 char *password;
241
242 /*
243 * Conf parser should ensure they're both populated
244 */
245 fr_assert(chain->certificate_file && chain->private_key_file);
246
247 /*
248 * Set the password (this should have been retrieved earlier)
249 */
250 memcpy(&password, &chain->password, sizeof(password));
251 SSL_CTX_set_default_passwd_cb_userdata(ctx, password);
252
253 /*
254 * Always set the callback as it provides useful debug
255 * output if the certificate isn't set.
256 */
257 SSL_CTX_set_default_passwd_cb(ctx, fr_tls_session_password_cb);
258
259 switch (chain->file_format) {
260 case SSL_FILETYPE_PEM:
261 if (!(SSL_CTX_use_certificate_chain_file(ctx, chain->certificate_file))) {
262 fr_tls_log(NULL, "Failed reading certificate file \"%s\"",
263 chain->certificate_file);
264 return -1;
265 }
266 break;
267
268 case SSL_FILETYPE_ASN1:
269 if (!(SSL_CTX_use_certificate_file(ctx, chain->certificate_file, chain->file_format))) {
270 fr_tls_log(NULL, "Failed reading certificate file \"%s\"",
271 chain->certificate_file);
272 return -1;
273 }
274 break;
275
276 default:
277 fr_assert(0);
278 break;
279 }
280
281 if (!(SSL_CTX_use_PrivateKey_file(ctx, chain->private_key_file, chain->file_format))) {
282 fr_tls_log(NULL, "Failed reading private key file \"%s\"",
283 chain->private_key_file);
284 return -1;
285 }
286
287 {
288 size_t extra_cnt, i;
289 /*
290 * Load additional chain certificates from other files
291 * This allows us to specify chains in DER format as
292 * well as PEM, and means we can keep the intermediaries
293 * CAs and client/server certs in separate files.
294 */
295 extra_cnt = talloc_array_length(chain->ca_files);
296 for (i = 0; i < extra_cnt; i++) {
297 FILE *fp;
298 X509 *cert;
299 char const *filename = chain->ca_files[i];
300
301 fp = fopen(filename, "r");
302 if (!fp) {
303 ERROR("Failed opening ca_file \"%s\": %s", filename, fr_syserror(errno));
304 return -1;
305 }
306
307 /*
308 * Load the PEM encoded X509 certificate
309 */
310 switch (chain->file_format) {
311 case SSL_FILETYPE_PEM:
312 cert = PEM_read_X509(fp, NULL, NULL, NULL);
313 break;
314
315 case SSL_FILETYPE_ASN1:
316 cert = d2i_X509_fp(fp, NULL);
317 break;
318
319 default:
320 fr_assert(0);
321 fclose(fp);
322 return -1;
323 }
324 fclose(fp);
325
326 if (!cert) {
327 fr_tls_log(NULL, "Failed reading certificate file \"%s\"", filename);
328 return -1;
329 }
330
331 if (SSL_CTX_add0_chain_cert(ctx, cert) != 1) {
332 fr_tls_log(NULL, "Failed adding certificate to chain for \"%s\"", filename);
333 X509_free(cert);
334 return -1;
335 }
336 }
337 }
338
339 /*
340 * Check if the last loaded private key matches the last
341 * loaded certificate.
342 *
343 * Note: The call to SSL_CTX_use_certificate_chain_file
344 * can load in a private key too.
345 */
346 if (!SSL_CTX_check_private_key(ctx)) {
347 ERROR("Private key does not match the certificate public key");
348 return -1;
349 }
350
351 /*
352 * Loop over the certificates checking validity periods.
353 * SSL_CTX_build_cert_chain does this too, but we can
354 * produce significantly better errors here.
355 *
356 * After looping over all the certs we figure out when
357 * the chain will next need refreshing.
358 */
359 {
360 fr_unix_time_t expires_first = fr_unix_time_wrap(0);
361 X509 *self_signed = NULL;
362 STACK_OF(X509) *our_chain;
363 int i;
364
365 if (tls_ctx_verify_chain_member(&expires_first, &self_signed,
366 ctx, SSL_CTX_get0_certificate(ctx),
367 chain->verify_mode) < 0) return -1;
368
369 if (!SSL_CTX_get0_chain_certs(ctx, &our_chain)) {
370 fr_tls_log(NULL, "Failed retrieving chain certificates");
371 return -1;
372 }
373
374 if (allow_multi_self_signed) self_signed = NULL;
375
376DIAG_OFF(DIAG_UNKNOWN_PRAGMAS)
377DIAG_OFF(used-but-marked-unused) /* fix spurious warnings for sk macros */
378 for (i = sk_X509_num(our_chain); i > 0 ; i--) {
379 /*
380 * SSL_CTX_use_certificate_chain_file set the
381 * current cert to be the one loaded from
382 * that pem file.
383 */
384 if (tls_ctx_verify_chain_member(&expires_first, &self_signed,
385 ctx, sk_X509_value(our_chain, i - 1),
386 chain->verify_mode) < 0) return -1;
387
388 if (allow_multi_self_signed) self_signed = NULL;
389 }
390DIAG_ON(used-but-marked-unused) /* fix spurious warnings for sk macros */
391DIAG_ON(DIAG_UNKNOWN_PRAGMAS)
392 /*
393 * Record this as a unix timestamp as
394 * internal time might not progress at
395 * the same rate as wallclock time.
396 */
397 chain->valid_until = expires_first;
398 }
399
400 {
401 int mode = SSL_BUILD_CHAIN_FLAG_CHECK;
402
403 if (!chain->include_root_ca) mode |= SSL_BUILD_CHAIN_FLAG_NO_ROOT;
404
405 /*
406 * Explicitly check that the certificate chain
407 * we just loaded is sane.
408 *
409 * This operates on the last loaded certificate.
410 */
411 switch (chain->verify_mode) {
412 case FR_TLS_CHAIN_VERIFY_NONE:
413 mode |= SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR | SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR;
414 (void)SSL_CTX_build_cert_chain(ctx, mode);
415 break;
416
417 /*
418 * Seems to be a bug where
419 * SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR trashes the error,
420 * so have the function fail as normal.
421 */
422 case FR_TLS_CHAIN_VERIFY_SOFT:
423 if (!SSL_CTX_build_cert_chain(ctx, mode)) {
424 fr_tls_strerror_printf(NULL);
425 PWARN("Failed verifying chain");
426 }
427 break;
428
429 case FR_TLS_CHAIN_VERIFY_HARD:
430 if (!SSL_CTX_build_cert_chain(ctx, mode)) {
431 fr_tls_strerror_printf(NULL);
432 PERROR("Failed verifying chain");
433 return -1;
434 }
435 break;
436
437 default:
438 break;
439 }
440 }
441
442 return 0;
443}
444
445static inline CC_HINT(always_inline)
446int tls_ctx_version_set(
447 UNUSED
448 int *ctx_options, SSL_CTX *ctx, fr_tls_conf_t const *conf)
449{
450 /*
451 * SSL_CTX_set_(min|max)_proto_version was included in OpenSSL 1.1.0
452 *
453 * This version already defines macros for TLS1_2_VERSION and
454 * below, so we don't need to check for them explicitly.
455 *
456 * TLS1_3_VERSION is available in OpenSSL 1.1.1.
457 *
458 * TLS1_4_VERSION does not exist yet. But we allow it
459 * only if it is explicitly permitted by the
460 * administrator.
461 */
462 if (conf->tls_max_version > (float) 0.0) {
463 int max_version = 0;
464
465 if (conf->tls_min_version > conf->tls_max_version) {
466 /*
467 * %f is actually %lg now (double). Compile complains about
468 * implicit promotion unless we cast args to double.
469 */
470 ERROR("tls_min_version (%f) must be <= tls_max_version (%f)",
471 (double)conf->tls_min_version, (double)conf->tls_max_version);
472 error:
473 return -1;
474 }
475
476 if (conf->tls_max_version < (float) 1.0) {
477 ERROR("tls_max_version must be >= 1.0 as SSLv2 and SSLv3 are permanently disabled");
478 goto error;
479 }
480
481# ifdef TLS1_4_VERSION
482 else if (conf->tls_max_version >= (float) 1.4) max_version = TLS1_4_VERSION;
483# endif
484# ifdef TLS1_3_VERSION
485 else if (conf->tls_max_version >= (float) 1.3) max_version = TLS1_3_VERSION;
486# endif
487 else if (conf->tls_max_version >= (float) 1.2) max_version = TLS1_2_VERSION;
488 else if (conf->tls_max_version >= (float) 1.1) max_version = TLS1_1_VERSION;
489 else max_version = TLS1_VERSION;
490
491 /*
492 * Complain about insecure TLS versions.
493 */
494 if (max_version < TLS1_2_VERSION) {
495 WARN("TLS 1.0 and 1.1 are insecure and SHOULD NOT be used");
496 WARN("tls_max_version SHOULD be 1.2 or greater");
497 }
498
499 if (!SSL_CTX_set_max_proto_version(ctx, max_version)) {
500 fr_tls_log(NULL, "Failed setting TLS maximum version");
501 goto error;
502 }
503 }
504
505 {
506 int min_version;
507
508 if (conf->tls_min_version < (float) 1.0) {
509 ERROR("tls_min_version must be >= 1.0 as SSLv2 and SSLv3 are permanently disabled");
510 goto error;
511 }
512# ifdef TLS1_4_VERSION
513 else if (conf->tls_min_version >= (float) 1.4) min_version = TLS1_4_VERSION;
514# endif
515# ifdef TLS1_3_VERSION
516 else if (conf->tls_min_version >= (float) 1.3) min_version = TLS1_3_VERSION;
517# endif
518 else if (conf->tls_min_version >= (float) 1.2) min_version = TLS1_2_VERSION;
519 else if (conf->tls_min_version >= (float) 1.1) min_version = TLS1_1_VERSION;
520 else min_version = TLS1_VERSION;
521
522 /*
523 * Complain about insecure TLS versions.
524 */
525 if (min_version < TLS1_2_VERSION) {
526 WARN("TLS 1.0 and 1.1 are insecure and SHOULD NOT be used");
527 WARN("tls_min_version SHOULD be 1.2 or greater");
528 }
529
530 if (!SSL_CTX_set_min_proto_version(ctx, min_version)) {
531 fr_tls_log(NULL, "Failed setting TLS minimum version");
532 goto error;
533 }
534 }
535
536 return 0;
537}
538
539/** Create SSL context
540 *
541 * - Load the trusted CAs
542 * - Load the Private key & the certificate
543 * - Set the Context options & Verify options
544 *
545 * @param conf to read settings from.
546 * @param client If true SSL_CTX will be configured as a client context.
547 * @return
548 * - A new SSL_CTX on success.
549 * - NULL on failure.
550 */
551SSL_CTX *fr_tls_ctx_alloc(fr_tls_conf_t const *conf, bool client)
552{
553 SSL_CTX *ctx;
554 X509_STORE *cert_vpstore;
555 X509_STORE *verify_store;
556 int ctx_options = 0;
557
558 ctx = SSL_CTX_new(TLS_method());
559 if (!ctx) {
560 fr_tls_log(NULL, "Failed creating TLS context");
561 return NULL;
562 }
563
564 /*
565 * Save the config on the context so that callbacks which
566 * only get SSL_CTX* e.g. session persistence, can get at it.
567 */
568 SSL_CTX_set_ex_data(ctx, FR_TLS_EX_INDEX_CONF, UNCONST(void *, conf));
569
570 /*
571 * Identify the type of certificates that needs to be loaded
572 */
573#ifdef PSK_MAX_IDENTITY_LEN
574 /*
575 * A dynamic query exists. There MUST NOT be a
576 * statically configured identity and password.
577 */
578 if (conf->psk_query) {
579 if (!*conf->psk_query) {
580 ERROR("Invalid PSK Configuration: psk_query cannot be empty");
581 error:
582 SSL_CTX_free(ctx);
583 return NULL;
584 }
585
586 if (conf->psk_identity && *conf->psk_identity) {
587 ERROR("Invalid PSK Configuration: psk_identity and psk_query cannot be used at the same time.");
588 goto error;
589 }
590
591 if (conf->psk_password && *conf->psk_password) {
592 ERROR("Invalid PSK Configuration: psk_hexphrase and psk_query cannot be used at the same time.");
593 goto error;
594 }
595
596 if (client) {
597 ERROR("Invalid PSK Configuration: psk_query cannot be used for outgoing connections");
598 goto error;
599 }
600
601 /*
602 * Now check that if PSK is being used, that the config is valid.
603 */
604 } else if (conf->psk_identity) {
605 if (!*conf->psk_identity) {
606 ERROR("Invalid PSK Configuration: psk_identity is empty");
607 goto error;
608 }
609
610
611 if (!conf->psk_password || !*conf->psk_password) {
612 ERROR("Invalid PSK Configuration: psk_identity is set, but there is no psk_hexphrase");
613 goto error;
614 }
615
616 } else if (conf->psk_password) {
617 ERROR("Invalid PSK Configuration: psk_hexphrase is set, but there is no psk_identity");
618 goto error;
619 }
620
621 /*
622 * Set the server PSK callback if necessary.
623 */
624 if (!client && (conf->psk_identity || conf->psk_query)) {
625 SSL_CTX_set_psk_server_callback(ctx, fr_tls_session_psk_server_cb);
626 }
627
628 /*
629 * Do more sanity checking if we have a PSK identity. We
630 * check the password, and convert it to it's final form.
631 */
632 if (conf->psk_identity && *conf->psk_identity) {
633 size_t psk_len, hex_len;
634 uint8_t buffer[PSK_MAX_PSK_LEN];
635
636 if (client) {
637 SSL_CTX_set_psk_client_callback(ctx, fr_tls_session_psk_client_cb);
638 }
639
640 if (!conf->psk_password) goto error; /* clang is too dumb to catch the above checks */
641
642 psk_len = strlen(conf->psk_password);
643 if (strlen(conf->psk_password) > (2 * PSK_MAX_PSK_LEN)) {
644 ERROR("psk_hexphrase is too long (max %d)", PSK_MAX_PSK_LEN);
645 goto error;
646 }
647
648 /*
649 * Check the password now, so that we don't have
650 * errors at run-time.
651 */
652 hex_len = fr_base16_decode(NULL,
653 &FR_DBUFF_TMP(buffer, sizeof(buffer)),
654 &FR_SBUFF_IN(conf->psk_password, psk_len), false);
655 if (psk_len != (2 * hex_len)) {
656 ERROR("psk_hexphrase is not all hex");
657 goto error;
658 }
659
660 goto post_ca;
661 }
662#else
663 (void) client; /* -Wunused */
664#endif
665
666 /*
667 * Set mode before processing any certifictes
668 */
669 {
670 int mode = SSL_MODE_ASYNC;
671
672 /*
673 * OpenSSL will automatically create certificate chains,
674 * unless we tell it to not do that. The problem is that
675 * it sometimes gets the chains right from a certificate
676 * signature view, but wrong from the clients view.
677 *
678 * It's better just to have users specify the complete
679 * chains.
680 */
681 mode |= SSL_MODE_NO_AUTO_CHAIN;
682
683 if (client) {
684 mode |= SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER;
685 mode |= SSL_MODE_AUTO_RETRY;
686 }
687
688 if (mode) SSL_CTX_set_mode(ctx, mode);
689 }
690
691 /*
692 * Initialise a separate store for verifying user
693 * certificates.
694 *
695 * This makes the configuration cleaner as there's
696 * no mixing of chain certs and user certs.
697 */
698 MEM(verify_store = X509_STORE_new());
699
700 /* Sets OpenSSL's (CERT *)->verify_store, overring (SSL_CTX *)->cert_store */
701 SSL_CTX_set0_verify_cert_store(ctx, verify_store);
702
703 /* This isn't accessible to use later, i.e. there's no SSL_CTX_get0_verify_cert_store */
704 SSL_CTX_set_ex_data(ctx, FR_TLS_EX_CTX_INDEX_VERIFY_STORE, verify_store);
705
706 /*
707 * Load the CAs we trust
708 */
709 if (conf->ca_file || conf->ca_path) {
710 /*
711 * This adds all the certificates to the store for conf->ca_file
712 * and adds a dynamic lookup for conf->ca_path.
713 *
714 * It's also possible to add extra virtual server lookups
715 */
716 if (!X509_STORE_load_locations(verify_store, conf->ca_file, conf->ca_path)) {
717 fr_tls_log(NULL, "Failed reading Trusted root CA list \"%s\"",
718 conf->ca_file ? conf->ca_file : conf->ca_path);
719 goto error;
720 }
721
722 /*
723 * These set the default parameters of the store when the
724 * store is involved in building chains.
725 *
726 * - X509_PURPOSE_SSL_CLIENT ensure the purpose of the
727 * client certificate is for peer authentication as
728 * a client.
729 */
730 X509_STORE_set_purpose(verify_store, X509_PURPOSE_SSL_CLIENT);
731
732 /*
733 * Sets the list of CAs we send to the peer if we're
734 * requesting a certificate.
735 *
736 * This does not change the trusted certificate authorities,
737 * those are set above with SSL_CTX_load_verify_locations.
738 */
739 if (conf->ca_file) SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(conf->ca_file));
740 } else {
741 X509_STORE_set_default_paths(verify_store);
742 }
743
744 /*
745 * Load our certificate chains and keys
746 */
747 if (conf->chains) {
748 size_t chains_conf = talloc_array_length(conf->chains);
749
750 /*
751 * Load our keys and certificates
752 *
753 * If certificates are of type PEM then we can make use
754 * of cert chain authentication using openssl api call
755 * SSL_CTX_use_certificate_chain_file. Please see how
756 * the cert chain needs to be given in PEM from
757 * openSSL.org
758 */
759 {
760 size_t i;
761
762 for (i = 0; i < chains_conf; i++) {
763 if (tls_ctx_load_cert_chain(ctx, conf->chains[i], false) < 0) goto error;
764 }
765 }
766
767 /*
768 * Print out our certificate chains.
769 *
770 * There may be up to three, one for RSA, DH, DSA and EC.
771 * OpenSSL internally and transparently stores completely
772 * separate and distinct RSA/DSA/DH/ECC key pairs and chains.
773 */
774 if (DEBUG_ENABLED2) {
775 size_t chains_set = 0;
776 int ret;
777
778 /*
779 * Iterate over the different chain types we have
780 * RSA, DSA, DH, EC etc...
781 */
782 for (ret = SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_FIRST);
783 ret == 1;
784 ret = SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_NEXT)) chains_set++;
785
786 /*
787 * Check for discrepancies
788 */
789
790 DEBUG3("Found %zu server certificate chain(s)", chains_set);
791
792 if (chains_set != chains_conf) {
793 WARN("Number of chains configured (%zu) does not match chains set (%zu)",
794 chains_conf, chains_set);
795 if (chains_conf > chains_set) WARN("Only one chain per key type is allowed, "
796 "check config for duplicates");
797 }
798
799 for (ret = SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_FIRST);
800 ret == 1;
801 ret = SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_NEXT)) {
802 STACK_OF(X509) *our_chain;
803 X509 *our_cert;
804
805 our_cert = SSL_CTX_get0_certificate(ctx);
806
807 /*
808 * The pkey type of the server certificate
809 * determines which pkey slot OpenSSL
810 * uses to store the chain.
811 */
812 DEBUG3("%s chain", fr_tls_utils_x509_pkey_type(our_cert));
813 if (!SSL_CTX_get0_chain_certs(ctx, &our_chain)) {
814 fr_tls_log(NULL, "Failed retrieving chain certificates");
815 goto error;
816 }
817
818 if (DEBUG_ENABLED3) fr_tls_chain_log(NULL, L_DBG, our_chain, our_cert);
819 }
820 (void)SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_FIRST); /* Reset */
821 }
822 }
823
824#ifdef PSK_MAX_IDENTITY_LEN
825post_ca:
826#endif
827 if (tls_ctx_version_set(&ctx_options, ctx, conf) < 0) goto error;
828
829 /*
830 * SSL_OP_SINGLE_DH_USE must be used in order to prevent
831 * small subgroup attacks and forward secrecy. Always
832 * using SSL_OP_SINGLE_DH_USE has an impact on the
833 * computer time needed during negotiation, but it is not
834 * very large.
835 */
836 if (!conf->disable_single_dh_use) {
837 ctx_options |= SSL_OP_SINGLE_DH_USE;
838 }
839
840#ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
841 /*
842 * Note: This flag isn't honoured by all OpenSSL forks.
843 */
844 if (conf->allow_renegotiation) {
845 ctx_options |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
846 }
847#endif
848
849 /*
850 * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS to work around issues
851 * in Windows Vista client.
852 * http://www.openssl.org/~bodo/tls-cbc.txt
853 * http://www.nabble.com/(RADIATOR)-Radiator-Version-3.16-released-t2600070.html
854 */
855 ctx_options |= SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
856
857 /*
858 * SSL_OP_CIPHER_SERVER_PREFERENCE to follow best practice
859 * of nowday's TLS: do not allow poorly-selected ciphers from
860 * client to take preference
861 */
862 if (conf->cipher_server_preference) ctx_options |= SSL_OP_CIPHER_SERVER_PREFERENCE;
863
864 SSL_CTX_set_options(ctx, ctx_options);
865
866 /*
867 * TODO: Set the RSA & DH
868 * SSL_CTX_set_tmp_rsa_callback(ctx, cbtls_rsa);
869 * SSL_CTX_set_tmp_dh_callback(ctx, cbtls_dh);
870 */
871
872 /*
873 * Set the block size for record padding. This is only
874 * used in TLS 1.3.
875 */
876 if (conf->padding_block_size) SSL_CTX_set_block_padding(ctx, conf->padding_block_size);
877
878 /*
879 * Set elliptical curve crypto configuration.
880 */
881#ifndef OPENSSL_NO_ECDH
882 if (ctx_ecdh_curve_set(ctx, conf->ecdh_curve, conf->disable_single_dh_use) < 0) goto error;
883#endif
884
885
886 /* Set Info callback */
887 SSL_CTX_set_info_callback(ctx, fr_tls_session_info_cb);
888
889 /*
890 * Check the certificates for revocation.
891 */
892#ifdef X509_V_FLAG_CRL_CHECK_ALL
893 if (conf->verify.check_crl) {
894 cert_vpstore = SSL_CTX_get_cert_store(ctx);
895 if (cert_vpstore == NULL) {
896 fr_tls_log(NULL, "Error reading Certificate Store");
897 goto error;
898 }
899 X509_STORE_set_flags(cert_vpstore, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
900#ifdef X509_V_FLAG_USE_DELTAS
901 /*
902 * If set, delta CRLs (if present) are used to
903 * determine certificate status. If not set
904 * deltas are ignored.
905 *
906 * So it's safe to always set this flag.
907 */
908 X509_STORE_set_flags(cert_vpstore, X509_V_FLAG_USE_DELTAS);
909#endif
910 }
911#endif
912
913 /*
914 * SSL_ctx_set_verify is now called in the session
915 * alloc functions so they can set custom behaviour
916 * depending on the code area the SSL * will be used
917 * and whether we're acting as a client or server.
918 */
919 if (conf->verify_depth) {
920 SSL_CTX_set_verify_depth(ctx, conf->verify_depth);
921 }
922
923#ifdef HAVE_OPENSSL_OCSP_H
924 /*
925 * Configure OCSP stapling for the server cert
926 */
927 if (conf->staple.enable) {
928 SSL_CTX_set_tlsext_status_cb(ctx, fr_tls_ocsp_staple_cb);
929 SSL_CTX_set_tlsext_status_arg(ctx, UNCONST(fr_tls_ocsp_conf_t *, &(conf->staple)));
930 }
931#endif
932
933 /*
934 * Set the cipher list if we were told to
935 */
936 if (conf->cipher_list) {
937 if (!SSL_CTX_set_cipher_list(ctx, conf->cipher_list)) {
938 fr_tls_log(NULL, "Failed setting cipher list");
939 goto error;
940 }
941 }
942
943 /*
944 * Print the actual cipher list
945 */
946 if (DEBUG_ENABLED3) {
947 SSL *ssl;
948 unsigned int i = 0;
949 char const *cipher;
950
951 ssl = SSL_new(ctx);
952 if (!ssl) {
953 fr_tls_log(NULL, "Failed creating temporary SSL session");
954 goto error;
955 }
956
957 DEBUG3("Configured ciphers (by priority)");
958
959 while ((cipher = SSL_get_cipher_list(ssl, i))) {
960 DEBUG3("[%u] %s", i, cipher);
961 i++; /* Print index starting at zero */
962 }
963
964 SSL_free(ssl);
965 }
966
967 /*
968 * Load dh params
969 */
970 if (conf->dh_file) {
971 if (ctx_dh_params_load(ctx, UNCONST(char *, conf->dh_file)) < 0) goto error;
972 } else {
973 /*
974 * Tell OpenSSL to automatically set the DH
975 * parameters based on the the size of the key
976 * associated with the certificate, or for PSK,
977 * with the negotiated symmetric cipher key.
978 */
979 SSL_CTX_set_dh_auto(ctx, 1);
980 }
981
982 /*
983 * Setup session caching
984 */
985 if (fr_tls_cache_ctx_init(ctx, &conf->cache) < 0) goto error;
986
987 /*
988 * Set the keylog file if the admin requested it.
989 */
990 if ((getenv("SSLKEYLOGFILE") != NULL) || (conf->keylog_file && *conf->keylog_file)) {
991 SSL_CTX_set_keylog_callback(ctx, fr_tls_session_keylog_cb);
992 }
993
994 return ctx;
995}
996#endif
buffer
static int const char char buffer[256]
Definition acutest.h:578
file
int const char * file
Definition acutest.h:704
fr_base16_decode
#define fr_base16_decode(_err, _out, _in, _no_trailing)
Definition base16.h:95
UNCONST
#define UNCONST(_type, _ptr)
Remove const qualification from a pointer.
Definition build.h:167
USES_APPLE_DEPRECATED_API
#define USES_APPLE_DEPRECATED_API
Definition build.h:474
RCSID
#define RCSID(id)
Definition build.h:487
DIAG_UNKNOWN_PRAGMAS
#define DIAG_UNKNOWN_PRAGMAS
Definition build.h:460
DIAG_ON
#define DIAG_ON(_x)
Definition build.h:462
UNUSED
#define UNUSED
Definition build.h:317
DIAG_OFF
#define DIAG_OFF(_x)
Definition build.h:461
FR_DBUFF_TMP
#define FR_DBUFF_TMP(_start, _len_or_end)
Creates a compound literal to pass into functions which accept a dbuff.
Definition dbuff.h:524
MEM
#define MEM(x)
Definition debug.h:36
ERROR
#define ERROR(fmt,...)
Definition dhcpclient.c:41
free
free(array)
LOG_PREFIX
#define LOG_PREFIX
Definition base.c:63
PERROR
#define PERROR(_fmt,...)
Definition log.h:228
DEBUG_ENABLED2
#define DEBUG_ENABLED2
True if global debug level 1-2 messages are enabled.
Definition log.h:258
DEBUG3
#define DEBUG3(_fmt,...)
Definition log.h:266
PWARN
#define PWARN(_fmt,...)
Definition log.h:227
DEBUG_ENABLED3
#define DEBUG_ENABLED3
True if global debug level 1-3 messages are enabled.
Definition log.h:259
L_WARN
@ L_WARN
Warning.
Definition log.h:57
L_ERR
@ L_ERR
Error message.
Definition log.h:56
L_DBG
@ L_DBG
Only displayed when debugging is enabled.
Definition log.h:59
uint8_t
unsigned char uint8_t
Definition merged_model.c:30
used
static size_t used
Definition message_set_test.c:51
fr_tls_ocsp_staple_cb
int fr_tls_ocsp_staple_cb(SSL *ssl, void *data)
fr_tls_ocsp_conf_t
OCSP Configuration.
Definition ocsp.h:4
fr_assert
#define fr_assert(_expr)
Definition rad_assert.h:38
WARN
#define WARN(fmt,...)
Definition radclient-ng.h:47
conf
static rs_t * conf
Definition radsniff.c:53
FR_SBUFF_IN
#define FR_SBUFF_IN(_start, _len_or_end)
fr_syserror
char const * fr_syserror(int num)
Guaranteed to be thread-safe version of strerror.
Definition syserror.c:243
fr_unix_time_ispos
#define fr_unix_time_ispos(_a)
Definition time.h:372
fr_unix_time_gt
#define fr_unix_time_gt(_a, _b)
Definition time.h:365
fr_unix_time_wrap
#define fr_unix_time_wrap(_time)
Definition time.h:160
fr_unix_time_s
"Unix" time.
Definition time.h:95
fr_tls_utils_x509_pkey_type
char const * fr_tls_utils_x509_pkey_type(X509 *cert)
Returns a friendly identifier for the public key type of a certificate.
Definition utils.c:45
Generated by   doxygen 1.9.8