The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
Loading...
Searching...
No Matches
ctx.c
Go to the documentation of this file.
1/*
2 * This program is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License as published by
4 * the Free Software Foundation; either version 2 of the License, or
5 * (at your option) any later version.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15 */
16
17/**
18 * $Id: cb2d81539e96ed8278df37b0bff52bea53d1ab82 $
19 *
20 * @file tls/ctx.c
21 * @brief Initialise and configure SSL_CTX structures.
22 *
23 * @copyright 2001 hereUare Communications, Inc. (raghud@hereuare.com)
24 * @copyright 2003 Alan DeKok (aland@freeradius.org)
25 * @copyright 2006-2016 The FreeRADIUS server project
26 */
27RCSID("$Id: cb2d81539e96ed8278df37b0bff52bea53d1ab82 $")
28USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */
29
30#ifdef WITH_TLS
31#define LOG_PREFIX "tls"
32
33#include <freeradius-devel/tls/log.h>
34#include <freeradius-devel/tls/strerror.h>
35#include <freeradius-devel/util/base16.h>
36#include <freeradius-devel/util/debug.h>
37#include <freeradius-devel/util/misc.h>
38#include <freeradius-devel/util/syserror.h>
39
40#include "base.h"
41#include "utils.h"
42#include "log.h"
43#include "cert.h"
44
45#include <openssl/rand.h>
46#include <openssl/dh.h>
47#include <openssl/x509v3.h>
48#include <openssl/provider.h>
49
50#ifndef OPENSSL_NO_ECDH
51static int ctx_ecdh_curve_set(SSL_CTX *ctx, char const *ecdh_curve, bool disable_single_dh_use)
52{
53 char *list;
54
55 if (!disable_single_dh_use) {
56 SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE);
57 }
58
59 if (!ecdh_curve || !*ecdh_curve) return 0;
60
61 list = strdup(ecdh_curve);
62 if (SSL_CTX_set1_curves_list(ctx, list) == 0) {
63 free(list);
64 ERROR("Unknown ecdh_curve \"%s\"", ecdh_curve);
65 return -1;
66 }
67 free(list);
68 return 0;
69}
70#endif
71
72/*
73 * TODO: Check for the type of key exchange * like conf->dh_key
74 */
75static int ctx_dh_params_load(SSL_CTX *ctx, char *file)
76{
77 BIO *bio;
78 int ret;
79
80 EVP_PKEY *dh = NULL;
81
82 if (!file) return 0;
83
84 /*
85 * Prior to trying to load the file, check what OpenSSL will do with it.
86 *
87 * Certain downstreams (such as RHEL) will ignore user-provided dhparams
88 * in FIPS mode, unless the specified parameters are FIPS-approved.
89 * However, since OpenSSL >= 1.1.1 will automatically select parameters
90 * anyways, there's no point in attempting to load them.
91 *
92 * Change suggested by @t8m
93 */
94 if (EVP_default_properties_is_fips_enabled(NULL)) {
95 WARN(LOG_PREFIX ": Ignoring user-selected DH parameters in FIPS mode. Using defaults.");
96 return 0;
97 }
98
99 if ((bio = BIO_new_file(file, "r")) == NULL) {
100 ERROR("Unable to open DH file - %s", file);
101 return -1;
102 }
103
104 dh = PEM_read_bio_Parameters(bio, &dh);
105 BIO_free(bio);
106 if (!dh) {
107 WARN("Unable to set DH parameters. DH cipher suites may not work!");
108 WARN("Fix this by generating the DH parameter file");
109 return 0;
110 }
111
112 ret = SSL_CTX_set0_tmp_dh_pkey(ctx, dh);
113 if (ret == 0) {
114 EVP_PKEY_free(dh);
115 ERROR("Unable to set DH parameters");
116 return -1;
117 }
118
119 return 0;
120}
121
122static int tls_ctx_verify_chain_member(fr_unix_time_t *expires_first, X509 **self_signed,
123 SSL_CTX *ctx, X509 *to_verify,
124 fr_tls_chain_verify_mode_t verify_mode)
125{
126 fr_unix_time_t not_after;
127
128 STACK_OF(X509) *chain;
129 X509 *leaf;
130
131 leaf = SSL_CTX_get0_certificate(ctx);
132 if (!leaf) {
133 ERROR("Chain does not contain a valid leaf certificate");
134 return -1;
135 }
136
137 if (!SSL_CTX_get0_chain_certs(ctx, &chain)) {
138 fr_tls_log(NULL, "Failed retrieving chain certificates");
139 return -1;
140 }
141
142 switch (fr_tls_cert_is_valid(NULL, &not_after, to_verify)) {
143 case -1:
144 fr_tls_chain_marker_log(NULL, L_ERR, chain, leaf, to_verify);
145 PERROR("Malformed certificate");
146 return -1;
147
148 case -2:
149 case -3:
150 switch (verify_mode) {
151 case FR_TLS_CHAIN_VERIFY_SOFT:
152 fr_tls_chain_marker_log(NULL, L_WARN, chain, leaf, to_verify);
153 PWARN("Certificate validation failed");
154 break;
155
156 case FR_TLS_CHAIN_VERIFY_HARD:
157 fr_tls_chain_marker_log(NULL, L_ERR, chain, leaf, to_verify);
158 PERROR("Certificate validation failed");
159 return -1;
160
161 default:
162 break;
163 }
164
165 }
166
167 /*
168 * Check for self-signed certs
169 */
170 switch (verify_mode) {
171 case FR_TLS_CHAIN_VERIFY_SOFT:
172 case FR_TLS_CHAIN_VERIFY_HARD:
173 /*
174 * There can be only one... self signed
175 * cert in a chain.
176 *
177 * We have to do this check manually
178 * because the OpenSSL functions will
179 * only check to see if it can build
180 * a chain, not that all certificates
181 * in the chain are used.
182 *
183 * Having multiple self-signed certificates
184 * usually indicates someone has copied
185 * the wrong certificates into the
186 * server.pem file.
187 */
188 if (X509_name_cmp(X509_get_subject_name(to_verify),
189 X509_get_issuer_name(to_verify)) == 0) {
190 if (*self_signed) {
191 switch (verify_mode) {
192 case FR_TLS_CHAIN_VERIFY_SOFT:
193 WARN("Found multiple self-signed certificates in chain");
194 WARN("First certificate was:");
195 fr_tls_chain_marker_log(NULL, L_WARN,
196 chain, leaf, *self_signed);
197
198 WARN("Second certificate was:");
199 fr_tls_chain_marker_log(NULL, L_WARN,
200 chain, leaf, to_verify);
201 break;
202
203 case FR_TLS_CHAIN_VERIFY_HARD:
204 ERROR("Found multiple self-signed certificates in chain");
205 ERROR("First certificate was:");
206 fr_tls_chain_marker_log(NULL, L_ERR,
207 chain, leaf, *self_signed);
208
209 ERROR("Second certificate was:");
210 fr_tls_chain_marker_log(NULL, L_ERR,
211 chain, leaf, to_verify);
212 return -1;
213
214 default:
215 break;
216 }
217 }
218 *self_signed = to_verify;
219 }
220 break;
221
222 default:
223 break;
224 }
225
226 /*
227 * Record the time the first certificate in
228 * the chain expires so we can use it for
229 * runtime checks.
230 */
231 if (!fr_unix_time_ispos(*expires_first) ||
232 (fr_unix_time_gt(*expires_first, not_after))) *expires_first = not_after;
233
234 return 0;
235}
236
237static int tls_ctx_load_cert_chain(SSL_CTX *ctx, fr_tls_chain_conf_t *chain, bool allow_multi_self_signed)
238{
239 char *password;
240
241 /*
242 * Conf parser should ensure they're both populated
243 */
244 fr_assert(chain->certificate_file && chain->private_key_file);
245
246 /*
247 * Set the password (this should have been retrieved earlier)
248 */
249 memcpy(&password, &chain->password, sizeof(password));
250 SSL_CTX_set_default_passwd_cb_userdata(ctx, password);
251
252 /*
253 * Always set the callback as it provides useful debug
254 * output if the certificate isn't set.
255 */
256 SSL_CTX_set_default_passwd_cb(ctx, fr_tls_session_password_cb);
257
258 switch (chain->file_format) {
259 case SSL_FILETYPE_PEM:
260 if (!(SSL_CTX_use_certificate_chain_file(ctx, chain->certificate_file))) {
261 fr_tls_log(NULL, "Failed reading certificate file \"%s\"",
262 chain->certificate_file);
263 return -1;
264 }
265 break;
266
267 case SSL_FILETYPE_ASN1:
268 if (!(SSL_CTX_use_certificate_file(ctx, chain->certificate_file, chain->file_format))) {
269 fr_tls_log(NULL, "Failed reading certificate file \"%s\"",
270 chain->certificate_file);
271 return -1;
272 }
273 break;
274
275 default:
276 fr_assert(0);
277 break;
278 }
279
280 if (!(SSL_CTX_use_PrivateKey_file(ctx, chain->private_key_file, chain->file_format))) {
281 fr_tls_log(NULL, "Failed reading private key file \"%s\"",
282 chain->private_key_file);
283 return -1;
284 }
285
286 {
287 size_t extra_cnt, i;
288 /*
289 * Load additional chain certificates from other files
290 * This allows us to specify chains in DER format as
291 * well as PEM, and means we can keep the intermediaries
292 * CAs and client/server certs in separate files.
293 */
294 extra_cnt = talloc_array_length(chain->ca_files);
295 for (i = 0; i < extra_cnt; i++) {
296 FILE *fp;
297 X509 *cert;
298 char const *filename = chain->ca_files[i];
299
300 fp = fopen(filename, "r");
301 if (!fp) {
302 ERROR("Failed opening ca_file \"%s\": %s", filename, fr_syserror(errno));
303 return -1;
304 }
305
306 /*
307 * Load the PEM encoded X509 certificate
308 */
309 switch (chain->file_format) {
310 case SSL_FILETYPE_PEM:
311 cert = PEM_read_X509(fp, NULL, NULL, NULL);
312 break;
313
314 case SSL_FILETYPE_ASN1:
315 cert = d2i_X509_fp(fp, NULL);
316 break;
317
318 default:
319 fr_assert(0);
320 fclose(fp);
321 return -1;
322 }
323 fclose(fp);
324
325 if (!cert) {
326 fr_tls_log(NULL, "Failed reading certificate file \"%s\"", filename);
327 return -1;
328 }
329
330 if (SSL_CTX_add0_chain_cert(ctx, cert) != 1) {
331 fr_tls_log(NULL, "Failed adding certificate to chain for \"%s\"", filename);
332 X509_free(cert);
333 return -1;
334 }
335 }
336 }
337
338 /*
339 * Check if the last loaded private key matches the last
340 * loaded certificate.
341 *
342 * Note: The call to SSL_CTX_use_certificate_chain_file
343 * can load in a private key too.
344 */
345 if (!SSL_CTX_check_private_key(ctx)) {
346 ERROR("Private key does not match the certificate public key");
347 return -1;
348 }
349
350 /*
351 * Loop over the certificates checking validity periods.
352 * SSL_CTX_build_cert_chain does this too, but we can
353 * produce significantly better errors here.
354 *
355 * After looping over all the certs we figure out when
356 * the chain will next need refreshing.
357 */
358 {
359 fr_unix_time_t expires_first = fr_unix_time_wrap(0);
360 X509 *self_signed = NULL;
361 STACK_OF(X509) *our_chain;
362 int i;
363
364 if (tls_ctx_verify_chain_member(&expires_first, &self_signed,
365 ctx, SSL_CTX_get0_certificate(ctx),
366 chain->verify_mode) < 0) return -1;
367
368 if (!SSL_CTX_get0_chain_certs(ctx, &our_chain)) {
369 fr_tls_log(NULL, "Failed retrieving chain certificates");
370 return -1;
371 }
372
373 if (allow_multi_self_signed) self_signed = NULL;
374
375DIAG_OFF(DIAG_UNKNOWN_PRAGMAS)
376DIAG_OFF(used-but-marked-unused) /* fix spurious warnings for sk macros */
377 for (i = sk_X509_num(our_chain); i > 0 ; i--) {
378 /*
379 * SSL_CTX_use_certificate_chain_file set the
380 * current cert to be the one loaded from
381 * that pem file.
382 */
383 if (tls_ctx_verify_chain_member(&expires_first, &self_signed,
384 ctx, sk_X509_value(our_chain, i - 1),
385 chain->verify_mode) < 0) return -1;
386
387 if (allow_multi_self_signed) self_signed = NULL;
388 }
389DIAG_ON(used-but-marked-unused) /* fix spurious warnings for sk macros */
390DIAG_ON(DIAG_UNKNOWN_PRAGMAS)
391 /*
392 * Record this as a unix timestamp as
393 * internal time might not progress at
394 * the same rate as wallclock time.
395 */
396 chain->valid_until = expires_first;
397 }
398
399 {
400 int mode = SSL_BUILD_CHAIN_FLAG_CHECK;
401
402 if (!chain->include_root_ca) mode |= SSL_BUILD_CHAIN_FLAG_NO_ROOT;
403
404 /*
405 * Explicitly check that the certificate chain
406 * we just loaded is sane.
407 *
408 * This operates on the last loaded certificate.
409 */
410 switch (chain->verify_mode) {
411 case FR_TLS_CHAIN_VERIFY_NONE:
412 mode |= SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR | SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR;
413 (void)SSL_CTX_build_cert_chain(ctx, mode);
414 break;
415
416 /*
417 * Seems to be a bug where
418 * SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR trashes the error,
419 * so have the function fail as normal.
420 */
421 case FR_TLS_CHAIN_VERIFY_SOFT:
422 if (!SSL_CTX_build_cert_chain(ctx, mode)) {
423 fr_tls_strerror_printf(NULL);
424 PWARN("Failed verifying chain");
425 }
426 break;
427
428 case FR_TLS_CHAIN_VERIFY_HARD:
429 if (!SSL_CTX_build_cert_chain(ctx, mode)) {
430 fr_tls_strerror_printf(NULL);
431 PERROR("Failed verifying chain");
432 return -1;
433 }
434 break;
435
436 default:
437 break;
438 }
439 }
440
441 return 0;
442}
443
444static inline CC_HINT(always_inline)
445int tls_ctx_version_set(
446 UNUSED
447 int *ctx_options, SSL_CTX *ctx, fr_tls_conf_t const *conf)
448{
449 /*
450 * SSL_CTX_set_(min|max)_proto_version was included in OpenSSL 1.1.0
451 *
452 * This version already defines macros for TLS1_2_VERSION and
453 * below, so we don't need to check for them explicitly.
454 *
455 * TLS1_3_VERSION is available in OpenSSL 1.1.1.
456 *
457 * TLS1_4_VERSION does not exist yet. But we allow it
458 * only if it is explicitly permitted by the
459 * administrator.
460 */
461 if (conf->tls_max_version > (float) 0.0) {
462 int max_version = 0;
463
464 if (conf->tls_min_version > conf->tls_max_version) {
465 /*
466 * %f is actually %lg now (double). Compile complains about
467 * implicit promotion unless we cast args to double.
468 */
469 ERROR("tls_min_version (%f) must be <= tls_max_version (%f)",
470 (double)conf->tls_min_version, (double)conf->tls_max_version);
471 error:
472 return -1;
473 }
474
475 if (conf->tls_max_version < (float) 1.0) {
476 ERROR("tls_max_version must be >= 1.0 as SSLv2 and SSLv3 are permanently disabled");
477 goto error;
478 }
479
480# ifdef TLS1_4_VERSION
481 else if (conf->tls_max_version >= (float) 1.4) max_version = TLS1_4_VERSION;
482# endif
483# ifdef TLS1_3_VERSION
484 else if (conf->tls_max_version >= (float) 1.3) max_version = TLS1_3_VERSION;
485# endif
486 else if (conf->tls_max_version >= (float) 1.2) max_version = TLS1_2_VERSION;
487 else if (conf->tls_max_version >= (float) 1.1) max_version = TLS1_1_VERSION;
488 else max_version = TLS1_VERSION;
489
490 /*
491 * Complain about insecure TLS versions.
492 */
493 if (max_version < TLS1_2_VERSION) {
494 WARN("TLS 1.0 and 1.1 are insecure and SHOULD NOT be used");
495 WARN("tls_max_version SHOULD be 1.2 or greater");
496 }
497
498 if (!SSL_CTX_set_max_proto_version(ctx, max_version)) {
499 fr_tls_log(NULL, "Failed setting TLS maximum version");
500 goto error;
501 }
502 }
503
504 {
505 int min_version;
506
507 if (conf->tls_min_version < (float) 1.0) {
508 ERROR("tls_min_version must be >= 1.0 as SSLv2 and SSLv3 are permanently disabled");
509 goto error;
510 }
511# ifdef TLS1_4_VERSION
512 else if (conf->tls_min_version >= (float) 1.4) min_version = TLS1_4_VERSION;
513# endif
514# ifdef TLS1_3_VERSION
515 else if (conf->tls_min_version >= (float) 1.3) min_version = TLS1_3_VERSION;
516# endif
517 else if (conf->tls_min_version >= (float) 1.2) min_version = TLS1_2_VERSION;
518 else if (conf->tls_min_version >= (float) 1.1) min_version = TLS1_1_VERSION;
519 else min_version = TLS1_VERSION;
520
521 /*
522 * Complain about insecure TLS versions.
523 */
524 if (min_version < TLS1_2_VERSION) {
525 WARN("TLS 1.0 and 1.1 are insecure and SHOULD NOT be used");
526 WARN("tls_min_version SHOULD be 1.2 or greater");
527 }
528
529 if (!SSL_CTX_set_min_proto_version(ctx, min_version)) {
530 fr_tls_log(NULL, "Failed setting TLS minimum version");
531 goto error;
532 }
533 }
534
535 return 0;
536}
537
538/** Create SSL context
539 *
540 * - Load the trusted CAs
541 * - Load the Private key & the certificate
542 * - Set the Context options & Verify options
543 *
544 * @param conf to read settings from.
545 * @param client If true SSL_CTX will be configured as a client context.
546 * @return
547 * - A new SSL_CTX on success.
548 * - NULL on failure.
549 */
550SSL_CTX *fr_tls_ctx_alloc(fr_tls_conf_t const *conf, bool client)
551{
552 SSL_CTX *ctx;
553 X509_STORE *verify_store = NULL;
554 int ctx_options = 0;
555 int mode= SSL_MODE_ASYNC;
556
557 ctx = SSL_CTX_new(TLS_method());
558 if (!ctx) {
559 fr_tls_log(NULL, "Failed creating TLS context");
560 return NULL;
561 }
562
563 /*
564 * Save the config on the context so that callbacks which
565 * only get SSL_CTX* e.g. session persistence, can get at it.
566 */
567 SSL_CTX_set_ex_data(ctx, FR_TLS_EX_INDEX_CONF, UNCONST(void *, conf));
568
569 /*
570 * Identify the type of certificates that needs to be loaded
571 */
572#ifdef PSK_MAX_IDENTITY_LEN
573 /*
574 * A dynamic query exists. There MUST NOT be a
575 * statically configured identity and password.
576 */
577 if (conf->psk_query) {
578 if (!*conf->psk_query) {
579 ERROR("Invalid PSK Configuration: psk_query cannot be empty");
580 error:
581 SSL_CTX_free(ctx);
582 return NULL;
583 }
584
585 if (conf->psk_identity && *conf->psk_identity) {
586 ERROR("Invalid PSK Configuration: psk_identity and psk_query cannot be used at the same time.");
587 goto error;
588 }
589
590 if (conf->psk_password && *conf->psk_password) {
591 ERROR("Invalid PSK Configuration: psk_hexphrase and psk_query cannot be used at the same time.");
592 goto error;
593 }
594
595 if (client) {
596 ERROR("Invalid PSK Configuration: psk_query cannot be used for outgoing connections");
597 goto error;
598 }
599
600 /*
601 * Now check that if PSK is being used, that the config is valid.
602 */
603 } else if (conf->psk_identity) {
604 if (!*conf->psk_identity) {
605 ERROR("Invalid PSK Configuration: psk_identity is empty");
606 goto error;
607 }
608
609
610 if (!conf->psk_password || !*conf->psk_password) {
611 ERROR("Invalid PSK Configuration: psk_identity is set, but there is no psk_hexphrase");
612 goto error;
613 }
614
615 } else if (conf->psk_password) {
616 ERROR("Invalid PSK Configuration: psk_hexphrase is set, but there is no psk_identity");
617 goto error;
618 }
619
620 /*
621 * Set the server PSK callback if necessary.
622 */
623 if (!client && (conf->psk_identity || conf->psk_query)) {
624 SSL_CTX_set_psk_server_callback(ctx, fr_tls_session_psk_server_cb);
625 }
626
627 /*
628 * Do more sanity checking if we have a PSK identity. We
629 * check the password, and convert it to it's final form.
630 */
631 if (conf->psk_identity && *conf->psk_identity) {
632 size_t psk_len, hex_len;
633 uint8_t buffer[PSK_MAX_PSK_LEN];
634
635 if (client) {
636 SSL_CTX_set_psk_client_callback(ctx, fr_tls_session_psk_client_cb);
637 }
638
639 if (!conf->psk_password) goto error; /* clang is too dumb to catch the above checks */
640
641 psk_len = strlen(conf->psk_password);
642 if (strlen(conf->psk_password) > (2 * PSK_MAX_PSK_LEN)) {
643 ERROR("psk_hexphrase is too long (max %d)", PSK_MAX_PSK_LEN);
644 goto error;
645 }
646
647 /*
648 * Check the password now, so that we don't have
649 * errors at run-time.
650 */
651 hex_len = fr_base16_decode(NULL,
652 &FR_DBUFF_TMP(buffer, sizeof(buffer)),
653 &FR_SBUFF_IN(conf->psk_password, psk_len), false);
654 if (psk_len != (2 * hex_len)) {
655 ERROR("psk_hexphrase is not all hex");
656 goto error;
657 }
658
659 SSL_CTX_set_mode(ctx, mode);
660 goto post_ca;
661 }
662#else
663 (void) client; /* -Wunused */
664#endif
665
666 /*
667 * OpenSSL will automatically create certificate chains,
668 * unless we tell it to not do that. The problem is that
669 * it sometimes gets the chains right from a certificate
670 * signature view, but wrong from the clients view.
671 *
672 * It's better just to have users specify the complete
673 * chains.
674 */
675 mode |= SSL_MODE_NO_AUTO_CHAIN;
676
677 if (client) {
678 mode |= SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER;
679 mode |= SSL_MODE_AUTO_RETRY;
680 }
681
682 SSL_CTX_set_mode(ctx, mode);
683
684 /*
685 * Initialise a separate store for verifying user
686 * certificates.
687 *
688 * This makes the configuration cleaner as there's
689 * no mixing of chain certs and user certs.
690 */
691 MEM(verify_store = X509_STORE_new());
692
693 /* Sets OpenSSL's (CERT *)->verify_store, overring (SSL_CTX *)->cert_store */
694 SSL_CTX_set0_verify_cert_store(ctx, verify_store);
695
696 /* This isn't accessible to use later, i.e. there's no SSL_CTX_get0_verify_cert_store */
697 SSL_CTX_set_ex_data(ctx, FR_TLS_EX_CTX_INDEX_VERIFY_STORE, verify_store);
698
699 /*
700 * Load the CAs we trust
701 */
702 if (conf->ca_file || conf->ca_path) {
703 /*
704 * This adds all the certificates to the store for conf->ca_file
705 * and adds a dynamic lookup for conf->ca_path.
706 *
707 * It's also possible to add extra virtual server lookups
708 */
709 if (!X509_STORE_load_locations(verify_store, conf->ca_file, conf->ca_path)) {
710 fr_tls_log(NULL, "Failed reading Trusted root CA list \"%s\"",
711 conf->ca_file ? conf->ca_file : conf->ca_path);
712 goto error;
713 }
714
715 /*
716 * These set the default parameters of the store when the
717 * store is involved in building chains.
718 *
719 * - X509_PURPOSE_SSL_CLIENT ensure the purpose of the
720 * client certificate is for peer authentication as
721 * a client.
722 */
723 X509_STORE_set_purpose(verify_store, X509_PURPOSE_SSL_CLIENT);
724
725 /*
726 * Sets the list of CAs we send to the peer if we're
727 * requesting a certificate.
728 *
729 * This does not change the trusted certificate authorities,
730 * those are set above with SSL_CTX_load_verify_locations.
731 */
732 if (conf->ca_file) SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(conf->ca_file));
733 } else {
734 X509_STORE_set_default_paths(verify_store);
735 }
736
737 /*
738 * Load our certificate chains and keys
739 */
740 if (conf->chains) {
741 size_t chains_conf = talloc_array_length(conf->chains);
742
743 /*
744 * Load our keys and certificates
745 *
746 * If certificates are of type PEM then we can make use
747 * of cert chain authentication using openssl api call
748 * SSL_CTX_use_certificate_chain_file. Please see how
749 * the cert chain needs to be given in PEM from
750 * openSSL.org
751 */
752 {
753 size_t i;
754
755 for (i = 0; i < chains_conf; i++) {
756 if (tls_ctx_load_cert_chain(ctx, conf->chains[i], false) < 0) goto error;
757 }
758 }
759
760 /*
761 * Print out our certificate chains.
762 *
763 * There may be up to three, one for RSA, DH, DSA and EC.
764 * OpenSSL internally and transparently stores completely
765 * separate and distinct RSA/DSA/DH/ECC key pairs and chains.
766 */
767 if (DEBUG_ENABLED2) {
768 size_t chains_set = 0;
769 int ret;
770
771 /*
772 * Iterate over the different chain types we have
773 * RSA, DSA, DH, EC etc...
774 */
775 for (ret = SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_FIRST);
776 ret == 1;
777 ret = SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_NEXT)) chains_set++;
778
779 /*
780 * Check for discrepancies
781 */
782
783 DEBUG3("Found %zu server certificate chain(s)", chains_set);
784
785 if (chains_set != chains_conf) {
786 WARN("Number of chains configured (%zu) does not match chains set (%zu)",
787 chains_conf, chains_set);
788 if (chains_conf > chains_set) WARN("Only one chain per key type is allowed, "
789 "check config for duplicates");
790 }
791
792 for (ret = SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_FIRST);
793 ret == 1;
794 ret = SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_NEXT)) {
795 STACK_OF(X509) *our_chain;
796 X509 *our_cert;
797
798 our_cert = SSL_CTX_get0_certificate(ctx);
799
800 /*
801 * The pkey type of the server certificate
802 * determines which pkey slot OpenSSL
803 * uses to store the chain.
804 */
805 DEBUG3("%s chain", fr_tls_utils_x509_pkey_type(our_cert));
806 if (!SSL_CTX_get0_chain_certs(ctx, &our_chain)) {
807 fr_tls_log(NULL, "Failed retrieving chain certificates");
808 goto error;
809 }
810
811 if (DEBUG_ENABLED3) fr_tls_chain_log(NULL, L_DBG, our_chain, our_cert);
812 }
813 (void)SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_FIRST); /* Reset */
814 }
815 }
816
817#ifdef PSK_MAX_IDENTITY_LEN
818post_ca:
819#endif
820 if (tls_ctx_version_set(&ctx_options, ctx, conf) < 0) goto error;
821
822 /*
823 * SSL_OP_SINGLE_DH_USE must be used in order to prevent
824 * small subgroup attacks and forward secrecy. Always
825 * using SSL_OP_SINGLE_DH_USE has an impact on the
826 * computer time needed during negotiation, but it is not
827 * very large.
828 */
829 if (!conf->disable_single_dh_use) {
830 ctx_options |= SSL_OP_SINGLE_DH_USE;
831 }
832
833#ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
834 /*
835 * Note: This flag isn't honoured by all OpenSSL forks.
836 */
837 if (conf->allow_renegotiation) {
838 ctx_options |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
839 }
840#endif
841
842 /*
843 * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS to work around issues
844 * in Windows Vista client.
845 * http://www.openssl.org/~bodo/tls-cbc.txt
846 * http://www.nabble.com/(RADIATOR)-Radiator-Version-3.16-released-t2600070.html
847 */
848 ctx_options |= SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
849
850 /*
851 * SSL_OP_CIPHER_SERVER_PREFERENCE to follow best practice
852 * of nowday's TLS: do not allow poorly-selected ciphers from
853 * client to take preference
854 */
855 if (conf->cipher_server_preference) ctx_options |= SSL_OP_CIPHER_SERVER_PREFERENCE;
856
857 SSL_CTX_set_options(ctx, ctx_options);
858
859 /*
860 * TODO: Set the RSA & DH
861 * SSL_CTX_set_tmp_rsa_callback(ctx, cbtls_rsa);
862 * SSL_CTX_set_tmp_dh_callback(ctx, cbtls_dh);
863 */
864
865 /*
866 * Set the block size for record padding. This is only
867 * used in TLS 1.3.
868 */
869 if (conf->padding_block_size) SSL_CTX_set_block_padding(ctx, conf->padding_block_size);
870
871 /*
872 * Set elliptical curve crypto configuration.
873 */
874#ifndef OPENSSL_NO_ECDH
875 if (ctx_ecdh_curve_set(ctx, conf->ecdh_curve, conf->disable_single_dh_use) < 0) goto error;
876#endif
877
878
879 /* Set Info callback */
880 SSL_CTX_set_info_callback(ctx, fr_tls_session_info_cb);
881
882 /*
883 * Check the certificates for revocation, but not if we're doing PSK.
884 */
885 if (conf->verify.check_crl && verify_store) {
886#ifdef X509_V_FLAG_CRL_CHECK_ALL
887 X509_STORE_set_flags(verify_store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
888#ifdef X509_V_FLAG_USE_DELTAS
889 /*
890 * If set, delta CRLs (if present) are used to
891 * determine certificate status. If not set
892 * deltas are ignored.
893 *
894 * So it's safe to always set this flag.
895 */
896 X509_STORE_set_flags(verify_store, X509_V_FLAG_USE_DELTAS);
897#endif
898#else
899 WARN(LOG_PREFIX ": Ignoring 'check_crl = yes' as the OpenSSL libraries do not support the relevant flags");
900#endif
901 }
902
903 /*
904 * SSL_ctx_set_verify is now called in the session
905 * alloc functions so they can set custom behaviour
906 * depending on the code area the SSL * will be used
907 * and whether we're acting as a client or server.
908 */
909 if (conf->verify_depth) {
910 SSL_CTX_set_verify_depth(ctx, conf->verify_depth);
911 }
912
913#ifdef HAVE_OPENSSL_OCSP_H
914 /*
915 * Configure OCSP stapling for the server cert
916 */
917 if (conf->staple.enable) {
918 SSL_CTX_set_tlsext_status_cb(ctx, fr_tls_ocsp_staple_cb);
919 SSL_CTX_set_tlsext_status_arg(ctx, UNCONST(fr_tls_ocsp_conf_t *, &(conf->staple)));
920 }
921#endif
922
923 /*
924 * Set the cipher list if we were told to
925 */
926 if (conf->cipher_list) {
927 if (!SSL_CTX_set_cipher_list(ctx, conf->cipher_list)) {
928 fr_tls_log(NULL, "Failed setting cipher list");
929 goto error;
930 }
931 }
932
933 /*
934 * Print the actual cipher list
935 */
936 if (DEBUG_ENABLED3) {
937 SSL *ssl;
938 unsigned int i = 0;
939 char const *cipher;
940
941 ssl = SSL_new(ctx);
942 if (!ssl) {
943 fr_tls_log(NULL, "Failed creating temporary SSL session");
944 goto error;
945 }
946
947 DEBUG3("Configured ciphers (by priority)");
948
949 while ((cipher = SSL_get_cipher_list(ssl, i))) {
950 DEBUG3("[%u] %s", i, cipher);
951 i++; /* Print index starting at zero */
952 }
953
954 SSL_free(ssl);
955 }
956
957 /*
958 * Load dh params
959 */
960 if (conf->dh_file) {
961 if (ctx_dh_params_load(ctx, UNCONST(char *, conf->dh_file)) < 0) goto error;
962 } else {
963 /*
964 * Tell OpenSSL to automatically set the DH
965 * parameters based on the the size of the key
966 * associated with the certificate, or for PSK,
967 * with the negotiated symmetric cipher key.
968 */
969 SSL_CTX_set_dh_auto(ctx, 1);
970 }
971
972 /*
973 * Setup session caching
974 */
975 if (fr_tls_cache_ctx_init(ctx, &conf->cache) < 0) goto error;
976
977 /*
978 * Set the keylog file if the admin requested it.
979 */
980 if ((getenv("SSLKEYLOGFILE") != NULL) || (conf->keylog_file && *conf->keylog_file)) {
981 SSL_CTX_set_keylog_callback(ctx, fr_tls_session_keylog_cb);
982 }
983
984 return ctx;
985}
986#endif
buffer
static int const char char buffer[256]
Definition acutest.h:576
file
int const char * file
Definition acutest.h:702
fr_base16_decode
#define fr_base16_decode(_err, _out, _in, _no_trailing)
Definition base16.h:92
UNCONST
#define UNCONST(_type, _ptr)
Remove const qualification from a pointer.
Definition build.h:186
USES_APPLE_DEPRECATED_API
#define USES_APPLE_DEPRECATED_API
Definition build.h:493
RCSID
#define RCSID(id)
Definition build.h:506
DIAG_UNKNOWN_PRAGMAS
#define DIAG_UNKNOWN_PRAGMAS
Definition build.h:479
DIAG_ON
#define DIAG_ON(_x)
Definition build.h:481
UNUSED
#define UNUSED
Definition build.h:336
DIAG_OFF
#define DIAG_OFF(_x)
Definition build.h:480
FR_DBUFF_TMP
#define FR_DBUFF_TMP(_start, _len_or_end)
Creates a compound literal to pass into functions which accept a dbuff.
Definition dbuff.h:522
MEM
#define MEM(x)
Definition debug.h:46
ERROR
#define ERROR(fmt,...)
Definition dhcpclient.c:40
free
free(array)
LOG_PREFIX
#define LOG_PREFIX
Definition base.c:63
PERROR
#define PERROR(_fmt,...)
Definition log.h:228
DEBUG_ENABLED2
#define DEBUG_ENABLED2
True if global debug level 1-2 messages are enabled.
Definition log.h:258
DEBUG3
#define DEBUG3(_fmt,...)
Definition log.h:266
PWARN
#define PWARN(_fmt,...)
Definition log.h:227
DEBUG_ENABLED3
#define DEBUG_ENABLED3
True if global debug level 1-3 messages are enabled.
Definition log.h:259
L_WARN
@ L_WARN
Warning.
Definition log.h:54
L_ERR
@ L_ERR
Error message.
Definition log.h:53
L_DBG
@ L_DBG
Only displayed when debugging is enabled.
Definition log.h:56
uint8_t
unsigned char uint8_t
Definition merged_model.c:30
used
static size_t used
Definition message_set_test.c:49
fr_tls_ocsp_staple_cb
int fr_tls_ocsp_staple_cb(SSL *ssl, void *data)
fr_tls_ocsp_conf_t
OCSP Configuration.
Definition ocsp.h:4
fr_assert
#define fr_assert(_expr)
Definition rad_assert.h:37
WARN
#define WARN(fmt,...)
Definition radclient-ng.h:47
conf
static rs_t * conf
Definition radsniff.c:52
FR_SBUFF_IN
#define FR_SBUFF_IN(_start, _len_or_end)
fr_syserror
char const * fr_syserror(int num)
Guaranteed to be thread-safe version of strerror.
Definition syserror.c:243
fr_unix_time_ispos
#define fr_unix_time_ispos(_a)
Definition time.h:372
fr_unix_time_gt
#define fr_unix_time_gt(_a, _b)
Definition time.h:365
fr_unix_time_wrap
#define fr_unix_time_wrap(_time)
Definition time.h:160
fr_unix_time_s
"Unix" time.
Definition time.h:95
fr_tls_utils_x509_pkey_type
char const * fr_tls_utils_x509_pkey_type(X509 *cert)
Returns a friendly identifier for the public key type of a certificate.
Definition utils.c:45
Generated by   doxygen 1.9.8