27 RCSID(
"$Id: 66d2d6b0dfab6d50005c83c585e958d72f9cbbe1 $")
31 #define LOG_PREFIX "tls"
33 #include <freeradius-devel/tls/log.h>
34 #include <freeradius-devel/tls/strerror.h>
35 #include <freeradius-devel/util/base16.h>
36 #include <freeradius-devel/util/debug.h>
37 #include <freeradius-devel/util/misc.h>
38 #include <freeradius-devel/util/strerror.h>
39 #include <freeradius-devel/util/syserror.h>
46 #include <openssl/rand.h>
47 #include <openssl/dh.h>
48 #include <openssl/x509v3.h>
49 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
50 # include <openssl/provider.h>
53 #ifndef OPENSSL_NO_ECDH
54 static int ctx_ecdh_curve_set(SSL_CTX *ctx,
char const *ecdh_curve,
bool disable_single_dh_use)
58 if (!disable_single_dh_use) {
59 SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE);
62 if (!ecdh_curve || !*ecdh_curve)
return 0;
64 list = strdup(ecdh_curve);
65 if (SSL_CTX_set1_curves_list(ctx, list) == 0) {
67 ERROR(
"Unknown ecdh_curve \"%s\"", ecdh_curve);
78 static int ctx_dh_params_load(SSL_CTX *ctx,
char *
file)
83 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
101 #if OPENSSL_VERSION_NUMBER >= 0x10101000L
102 # if OPENSSL_VERSION_NUMBER >= 0x30000000L
103 if (EVP_default_properties_is_fips_enabled(NULL)) {
105 if (FIPS_mode() > 0) {
107 WARN(
LOG_PREFIX ": Ignoring user-selected DH parameters in FIPS mode. Using defaults.");
112 if ((
bio = BIO_new_file(
file,
"r")) == NULL) {
113 ERROR(
"Unable to open DH file - %s",
file);
117 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
118 dh = PEM_read_bio_Parameters(
bio, &dh);
120 dh = PEM_read_bio_DHparams(
bio, NULL, NULL, NULL);
124 WARN(
"Unable to set DH parameters. DH cipher suites may not work!");
125 WARN(
"Fix this by generating the DH parameter file");
129 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
130 ret = SSL_CTX_set0_tmp_dh_pkey(ctx, dh);
132 ret = SSL_CTX_set_tmp_dh(ctx, dh);
137 ERROR(
"Unable to set DH parameters");
144 static int tls_ctx_verify_chain_member(
fr_unix_time_t *expires_first, X509 **self_signed,
145 SSL_CTX *ctx, X509 *to_verify,
146 fr_tls_chain_verify_mode_t verify_mode)
150 STACK_OF(X509) *chain;
153 leaf = SSL_CTX_get0_certificate(ctx);
155 ERROR(
"Chain does not contain a valid leaf certificate");
159 if (!SSL_CTX_get0_chain_certs(ctx, &chain)) {
160 fr_tls_log(NULL,
"Failed retrieving chain certificates");
164 switch (fr_tls_cert_is_valid(NULL, ¬_after, to_verify)) {
166 fr_tls_chain_marker_log(NULL,
L_ERR, chain, leaf, to_verify);
167 PERROR(
"Malformed certificate");
172 switch (verify_mode) {
173 case FR_TLS_CHAIN_VERIFY_SOFT:
174 fr_tls_chain_marker_log(NULL,
L_WARN, chain, leaf, to_verify);
175 PWARN(
"Certificate validation failed");
178 case FR_TLS_CHAIN_VERIFY_HARD:
179 fr_tls_chain_marker_log(NULL,
L_ERR, chain, leaf, to_verify);
180 PERROR(
"Certificate validation failed");
192 switch (verify_mode) {
193 case FR_TLS_CHAIN_VERIFY_SOFT:
194 case FR_TLS_CHAIN_VERIFY_HARD:
210 if (X509_name_cmp(X509_get_subject_name(to_verify),
211 X509_get_issuer_name(to_verify)) == 0) {
213 switch (verify_mode) {
214 case FR_TLS_CHAIN_VERIFY_SOFT:
215 WARN(
"Found multiple self-signed certificates in chain");
216 WARN(
"First certificate was:");
217 fr_tls_chain_marker_log(NULL,
L_WARN,
218 chain, leaf, *self_signed);
220 WARN(
"Second certificate was:");
221 fr_tls_chain_marker_log(NULL,
L_WARN,
222 chain, leaf, to_verify);
225 case FR_TLS_CHAIN_VERIFY_HARD:
226 ERROR(
"Found multiple self-signed certificates in chain");
227 ERROR(
"First certificate was:");
228 fr_tls_chain_marker_log(NULL,
L_ERR,
229 chain, leaf, *self_signed);
231 ERROR(
"Second certificate was:");
232 fr_tls_chain_marker_log(NULL,
L_ERR,
233 chain, leaf, to_verify);
240 *self_signed = to_verify;
254 (
fr_unix_time_gt(*expires_first, not_after))) *expires_first = not_after;
259 static int tls_ctx_load_cert_chain(SSL_CTX *ctx, fr_tls_chain_conf_t *chain,
bool allow_multi_self_signed)
266 fr_assert(chain->certificate_file && chain->private_key_file);
271 memcpy(&password, &chain->password,
sizeof(password));
272 SSL_CTX_set_default_passwd_cb_userdata(ctx, password);
278 SSL_CTX_set_default_passwd_cb(ctx, fr_tls_session_password_cb);
280 switch (chain->file_format) {
281 case SSL_FILETYPE_PEM:
282 if (!(SSL_CTX_use_certificate_chain_file(ctx, chain->certificate_file))) {
283 fr_tls_log(NULL,
"Failed reading certificate file \"%s\"",
284 chain->certificate_file);
289 case SSL_FILETYPE_ASN1:
290 if (!(SSL_CTX_use_certificate_file(ctx, chain->certificate_file, chain->file_format))) {
291 fr_tls_log(NULL,
"Failed reading certificate file \"%s\"",
292 chain->certificate_file);
302 if (!(SSL_CTX_use_PrivateKey_file(ctx, chain->private_key_file, chain->file_format))) {
303 fr_tls_log(NULL,
"Failed reading private key file \"%s\"",
304 chain->private_key_file);
316 extra_cnt = talloc_array_length(chain->ca_files);
317 for (i = 0; i < extra_cnt; i++) {
320 char const *filename = chain->ca_files[i];
322 fp = fopen(filename,
"r");
331 switch (chain->file_format) {
332 case SSL_FILETYPE_PEM:
333 cert = PEM_read_X509(fp, NULL, NULL, NULL);
336 case SSL_FILETYPE_ASN1:
337 cert = d2i_X509_fp(fp, NULL);
348 fr_tls_log(NULL,
"Failed reading certificate file \"%s\"", filename);
351 SSL_CTX_add0_chain_cert(ctx, cert);
362 if (!SSL_CTX_check_private_key(ctx)) {
363 ERROR(
"Private key does not match the certificate public key");
377 X509 *self_signed = NULL;
378 STACK_OF(X509) *our_chain;
381 if (tls_ctx_verify_chain_member(&expires_first, &self_signed,
382 ctx, SSL_CTX_get0_certificate(ctx),
383 chain->verify_mode) < 0)
return -1;
385 if (!SSL_CTX_get0_chain_certs(ctx, &our_chain)) {
386 fr_tls_log(NULL,
"Failed retrieving chain certificates");
390 if (allow_multi_self_signed) self_signed = NULL;
394 for (i = sk_X509_num(our_chain); i > 0 ; i--) {
400 if (tls_ctx_verify_chain_member(&expires_first, &self_signed,
401 ctx, sk_X509_value(our_chain, i - 1),
402 chain->verify_mode) < 0)
return -1;
404 if (allow_multi_self_signed) self_signed = NULL;
413 chain->valid_until = expires_first;
417 int mode = SSL_BUILD_CHAIN_FLAG_CHECK;
419 if (!chain->include_root_ca) mode |= SSL_BUILD_CHAIN_FLAG_NO_ROOT;
427 switch (chain->verify_mode) {
428 case FR_TLS_CHAIN_VERIFY_NONE:
429 mode |= SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR | SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR;
430 (void)SSL_CTX_build_cert_chain(ctx, mode);
438 case FR_TLS_CHAIN_VERIFY_SOFT:
439 if (!SSL_CTX_build_cert_chain(ctx, mode)) {
440 fr_tls_strerror_printf(NULL);
441 PWARN(
"Failed verifying chain");
445 case FR_TLS_CHAIN_VERIFY_HARD:
446 if (!SSL_CTX_build_cert_chain(ctx, mode)) {
447 fr_tls_strerror_printf(NULL);
448 PERROR(
"Failed verifying chain");
461 static inline CC_HINT(always_inline)
462 int tls_ctx_version_set(
463 #
if OPENSSL_VERSION_NUMBER >= 0x10100000L
466 int *ctx_options, SSL_CTX *ctx, fr_tls_conf_t
const *
conf)
469 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
482 if (
conf->tls_max_version > (
float) 0.0) {
485 if (
conf->tls_min_version >
conf->tls_max_version) {
490 ERROR(
"tls_min_version (%f) must be <= tls_max_version (%f)",
491 (
double)
conf->tls_min_version, (
double)
conf->tls_max_version);
496 if (
conf->tls_max_version < (
float) 1.0) {
497 ERROR(
"tls_max_version must be >= 1.0 as SSLv2 and SSLv3 are permanently disabled");
501 # ifdef TLS1_4_VERSION
502 else if (
conf->tls_max_version >= (
float) 1.4) max_version = TLS1_4_VERSION;
504 # ifdef TLS1_3_VERSION
505 else if (
conf->tls_max_version >= (
float) 1.3) max_version = TLS1_3_VERSION;
507 else if (
conf->tls_max_version >= (
float) 1.2) max_version = TLS1_2_VERSION;
508 else if (
conf->tls_max_version >= (
float) 1.1) max_version = TLS1_1_VERSION;
509 else max_version = TLS1_VERSION;
514 if (max_version < TLS1_2_VERSION) {
515 WARN(
"TLS 1.0 and 1.1 are insecure and SHOULD NOT be used");
516 WARN(
"tls_max_version SHOULD be 1.2 or greater");
519 if (!SSL_CTX_set_max_proto_version(ctx, max_version)) {
520 fr_tls_log(NULL,
"Failed setting TLS maximum version");
528 if (
conf->tls_min_version < (
float) 1.0) {
529 ERROR(
"tls_min_version must be >= 1.0 as SSLv2 and SSLv3 are permanently disabled");
532 # ifdef TLS1_4_VERSION
533 else if (
conf->tls_min_version >= (
float) 1.4) min_version = TLS1_4_VERSION;
535 # ifdef TLS1_3_VERSION
536 else if (
conf->tls_min_version >= (
float) 1.3) min_version = TLS1_3_VERSION;
538 else if (
conf->tls_min_version >= (
float) 1.2) min_version = TLS1_2_VERSION;
539 else if (
conf->tls_min_version >= (
float) 1.1) min_version = TLS1_1_VERSION;
540 else min_version = TLS1_VERSION;
545 if (min_version < TLS1_2_VERSION) {
546 WARN(
"TLS 1.0 and 1.1 are insecure and SHOULD NOT be used");
547 WARN(
"tls_min_version SHOULD be 1.2 or greater");
550 if (!SSL_CTX_set_min_proto_version(ctx, min_version)) {
551 fr_tls_log(NULL,
"Failed setting TLS minimum version");
561 int ctx_tls_versions = 0;
566 *ctx_options |= SSL_OP_NO_SSLv2;
567 *ctx_options |= SSL_OP_NO_SSLv3;
569 # ifdef SSL_OP_NO_TLSv1
570 if (
conf->tls_min_version > (
float) 1.0) *ctx_options |= SSL_OP_NO_TLSv1;
571 ctx_tls_versions |= SSL_OP_NO_TLSv1;
573 # ifdef SSL_OP_NO_TLSv1_1
574 if (
conf->tls_min_version > (
float) 1.1) *ctx_options |= SSL_OP_NO_TLSv1_1;
575 if ((
conf->tls_max_version > (
float) 0.0) && (
conf->tls_max_version < (
float) 1.1)) {
576 *ctx_options |= SSL_OP_NO_TLSv1_1;
578 ctx_tls_versions |= SSL_OP_NO_TLSv1_1;
580 # ifdef SSL_OP_NO_TLSv1_2
581 if (
conf->tls_min_version > (
float) 1.2) *ctx_options |= SSL_OP_NO_TLSv1_2;
582 if ((
conf->tls_max_version > (
float) 0.0) && (
conf->tls_max_version < (
float) 1.2)) {
583 *ctx_options |= SSL_OP_NO_TLSv1_2;
585 ctx_tls_versions |= SSL_OP_NO_TLSv1_2;
588 if ((*ctx_options & ctx_tls_versions) == ctx_tls_versions) {
589 ERROR(
"You have disabled all available TLS versions");
610 SSL_CTX *fr_tls_ctx_alloc(fr_tls_conf_t
const *
conf,
bool client)
613 X509_STORE *cert_vpstore;
614 X509_STORE *verify_store;
617 ctx = SSL_CTX_new(TLS_method());
619 fr_tls_log(NULL,
"Failed creating TLS context");
627 SSL_CTX_set_ex_data(ctx, FR_TLS_EX_INDEX_CONF,
UNCONST(
void *,
conf));
632 #ifdef PSK_MAX_IDENTITY_LEN
637 if (
conf->psk_query) {
638 if (!*
conf->psk_query) {
639 ERROR(
"Invalid PSK Configuration: psk_query cannot be empty");
645 if (
conf->psk_identity && *
conf->psk_identity) {
646 ERROR(
"Invalid PSK Configuration: psk_identity and psk_query cannot be used at the same time.");
650 if (
conf->psk_password && *
conf->psk_password) {
651 ERROR(
"Invalid PSK Configuration: psk_password and psk_query cannot be used at the same time.");
656 ERROR(
"Invalid PSK Configuration: psk_query cannot be used for outgoing connections");
663 }
else if (
conf->psk_identity) {
664 if (!*
conf->psk_identity) {
665 ERROR(
"Invalid PSK Configuration: psk_identity is empty");
670 if (!
conf->psk_password || !*
conf->psk_password) {
671 ERROR(
"Invalid PSK Configuration: psk_identity is set, but there is no psk_password");
675 }
else if (
conf->psk_password) {
676 ERROR(
"Invalid PSK Configuration: psk_password is set, but there is no psk_identity");
683 if (!client && (
conf->psk_identity ||
conf->psk_query)) {
684 SSL_CTX_set_psk_server_callback(ctx, fr_tls_session_psk_server_cb);
691 if (
conf->psk_identity && *
conf->psk_identity) {
692 size_t psk_len, hex_len;
696 SSL_CTX_set_psk_client_callback(ctx, fr_tls_session_psk_client_cb);
699 if (!
conf->psk_password)
goto error;
701 psk_len = strlen(
conf->psk_password);
702 if (strlen(
conf->psk_password) > (2 * PSK_MAX_PSK_LEN)) {
703 ERROR(
"psk_hexphrase is too long (max %d)", PSK_MAX_PSK_LEN);
714 if (psk_len != (2 * hex_len)) {
715 ERROR(
"psk_hexphrase is not all hex");
729 int mode = SSL_MODE_ASYNC;
740 mode |= SSL_MODE_NO_AUTO_CHAIN;
743 mode |= SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER;
744 mode |= SSL_MODE_AUTO_RETRY;
747 if (mode) SSL_CTX_set_mode(ctx, mode);
757 MEM(verify_store = X509_STORE_new());
760 SSL_CTX_set0_verify_cert_store(ctx, verify_store);
763 SSL_CTX_set_ex_data(ctx, FR_TLS_EX_CTX_INDEX_VERIFY_STORE, verify_store);
768 if (
conf->ca_file ||
conf->ca_path) {
775 if (!X509_STORE_load_locations(verify_store,
conf->ca_file,
conf->ca_path)) {
776 fr_tls_log(NULL,
"Failed reading Trusted root CA list \"%s\"",
789 X509_STORE_set_purpose(verify_store, X509_PURPOSE_SSL_CLIENT);
798 if (
conf->ca_file) SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(
conf->ca_file));
800 X509_STORE_set_default_paths(verify_store);
807 size_t chains_conf = talloc_array_length(
conf->chains);
821 for (i = 0; i < chains_conf; i++) {
822 if (tls_ctx_load_cert_chain(ctx,
conf->chains[i],
false) < 0)
goto error;
834 size_t chains_set = 0;
841 for (ret = SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_FIRST);
843 ret = SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_NEXT)) chains_set++;
849 DEBUG3(
"Found %zu server certificate chain(s)", chains_set);
851 if (chains_set != chains_conf) {
852 WARN(
"Number of chains configured (%zu) does not match chains set (%zu)",
853 chains_conf, chains_set);
854 if (chains_conf > chains_set)
WARN(
"Only one chain per key type is allowed, "
855 "check config for duplicates");
858 for (ret = SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_FIRST);
860 ret = SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_NEXT)) {
861 STACK_OF(X509) *our_chain;
864 our_cert = SSL_CTX_get0_certificate(ctx);
872 if (!SSL_CTX_get0_chain_certs(ctx, &our_chain)) {
873 fr_tls_log(NULL,
"Failed retrieving chain certificates");
879 (void)SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_FIRST);
883 #ifdef PSK_MAX_IDENTITY_LEN
886 if (tls_ctx_version_set(&ctx_options, ctx,
conf) < 0)
goto error;
895 if (!
conf->disable_single_dh_use) {
896 ctx_options |= SSL_OP_SINGLE_DH_USE;
899 #ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
903 if (
conf->allow_renegotiation) {
904 ctx_options |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
914 ctx_options |= SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
921 if (
conf->cipher_server_preference) ctx_options |= SSL_OP_CIPHER_SERVER_PREFERENCE;
923 SSL_CTX_set_options(ctx, ctx_options);
931 #if OPENSSL_VERSION_NUMBER >= 0x10101000L
936 if (
conf->padding_block_size) SSL_CTX_set_block_padding(ctx,
conf->padding_block_size);
942 #ifndef OPENSSL_NO_ECDH
943 if (ctx_ecdh_curve_set(ctx,
conf->ecdh_curve,
conf->disable_single_dh_use) < 0)
goto error;
948 SSL_CTX_set_info_callback(ctx, fr_tls_session_info_cb);
953 #ifdef X509_V_FLAG_CRL_CHECK_ALL
954 if (
conf->verify.check_crl) {
955 cert_vpstore = SSL_CTX_get_cert_store(ctx);
956 if (cert_vpstore == NULL) {
957 fr_tls_log(NULL,
"Error reading Certificate Store");
960 X509_STORE_set_flags(cert_vpstore, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
961 #ifdef X509_V_FLAG_USE_DELTAS
969 X509_STORE_set_flags(cert_vpstore, X509_V_FLAG_USE_DELTAS);
980 if (
conf->verify_depth) {
981 SSL_CTX_set_verify_depth(ctx,
conf->verify_depth);
984 #ifdef HAVE_OPENSSL_OCSP_H
988 if (
conf->staple.enable) {
997 if (
conf->cipher_list) {
998 if (!SSL_CTX_set_cipher_list(ctx,
conf->cipher_list)) {
999 fr_tls_log(NULL,
"Failed setting cipher list");
1014 fr_tls_log(NULL,
"Failed creating temporary SSL session");
1018 DEBUG3(
"Configured ciphers (by priority)");
1020 while ((cipher = SSL_get_cipher_list(ssl, i))) {
1021 DEBUG3(
"[%i] %s", i, cipher);
1031 if (
conf->dh_file && (ctx_dh_params_load(ctx,
UNCONST(
char *,
conf->dh_file)) < 0))
goto error;
1036 if (fr_tls_cache_ctx_init(ctx, &
conf->cache) < 0)
goto error;
1038 #if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
1042 if ((getenv(
"SSLKEYLOGFILE") != NULL) || (
conf->keylog_file && *
conf->keylog_file)) {
1043 SSL_CTX_set_keylog_callback(ctx, fr_tls_session_keylog_cb);
static int const char char buffer[256]
#define fr_base16_decode(_err, _out, _in, _no_trailing)
#define UNCONST(_type, _ptr)
Remove const qualification from a pointer.
#define USES_APPLE_DEPRECATED_API
#define DIAG_UNKNOWN_PRAGMAS
#define FR_DBUFF_TMP(_start, _len_or_end)
Creates a compound literal to pass into functions which accept a dbuff.
#define DEBUG_ENABLED2
True if global debug level 1-2 messages are enabled.
#define DEBUG_ENABLED3
True if global debug level 1-3 messages are enabled.
@ L_DBG
Only displayed when debugging is enabled.
int fr_tls_ocsp_staple_cb(SSL *ssl, void *data)
#define FR_SBUFF_IN(_start, _len_or_end)
MEM(pair_append_request(&vp, attr_eap_aka_sim_identity) >=0)
char const * fr_syserror(int num)
Guaranteed to be thread-safe version of strerror.
#define fr_unix_time_ispos(_a)
#define fr_unix_time_gt(_a, _b)
#define fr_unix_time_wrap(_time)
char const * fr_tls_utils_x509_pkey_type(X509 *cert)
Returns a friendly identifier for the public key type of a certificate.