The FreeRADIUS server  $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
ctx.c
Go to the documentation of this file.
1 /*
2  * This program is free software; you can redistribute it and/or modify
3  * it under the terms of the GNU General Public License as published by
4  * the Free Software Foundation; either version 2 of the License, or
5  * (at your option) any later version.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15  */
16 
17 /**
18  * $Id: a18c2f3112e793ee25bb4b21556b3090bee87d28 $
19  *
20  * @file tls/ctx.c
21  * @brief Initialise and configure SSL_CTX structures.
22  *
23  * @copyright 2001 hereUare Communications, Inc. (raghud@hereuare.com)
24  * @copyright 2003 Alan DeKok (aland@freeradius.org)
25  * @copyright 2006-2016 The FreeRADIUS server project
26  */
27 RCSID("$Id: a18c2f3112e793ee25bb4b21556b3090bee87d28 $")
28 USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */
29 
30 #ifdef WITH_TLS
31 #define LOG_PREFIX "tls"
32 
33 #include <freeradius-devel/tls/log.h>
34 #include <freeradius-devel/tls/strerror.h>
35 #include <freeradius-devel/util/base16.h>
36 #include <freeradius-devel/util/debug.h>
37 #include <freeradius-devel/util/misc.h>
38 #include <freeradius-devel/util/strerror.h>
39 #include <freeradius-devel/util/syserror.h>
40 
41 #include "base.h"
42 #include "utils.h"
43 #include "log.h"
44 #include "cert.h"
45 
46 #include <openssl/rand.h>
47 #include <openssl/dh.h>
48 #include <openssl/x509v3.h>
49 #include <openssl/provider.h>
50 
51 #ifndef OPENSSL_NO_ECDH
52 static int ctx_ecdh_curve_set(SSL_CTX *ctx, char const *ecdh_curve, bool disable_single_dh_use)
53 {
54  char *list;
55 
56  if (!disable_single_dh_use) {
57  SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE);
58  }
59 
60  if (!ecdh_curve || !*ecdh_curve) return 0;
61 
62  list = strdup(ecdh_curve);
63  if (SSL_CTX_set1_curves_list(ctx, list) == 0) {
64  free(list);
65  ERROR("Unknown ecdh_curve \"%s\"", ecdh_curve);
66  return -1;
67  }
68  free(list);
69  return 0;
70 }
71 #endif
72 
73 /*
74  * TODO: Check for the type of key exchange * like conf->dh_key
75  */
76 static int ctx_dh_params_load(SSL_CTX *ctx, char *file)
77 {
78  BIO *bio;
79  int ret;
80 
81  EVP_PKEY *dh = NULL;
82 
83  if (!file) return 0;
84 
85  /*
86  * Prior to trying to load the file, check what OpenSSL will do with it.
87  *
88  * Certain downstreams (such as RHEL) will ignore user-provided dhparams
89  * in FIPS mode, unless the specified parameters are FIPS-approved.
90  * However, since OpenSSL >= 1.1.1 will automatically select parameters
91  * anyways, there's no point in attempting to load them.
92  *
93  * Change suggested by @t8m
94  */
95  if (EVP_default_properties_is_fips_enabled(NULL)) {
96  WARN(LOG_PREFIX ": Ignoring user-selected DH parameters in FIPS mode. Using defaults.");
97  return 0;
98  }
99 
100  if ((bio = BIO_new_file(file, "r")) == NULL) {
101  ERROR("Unable to open DH file - %s", file);
102  return -1;
103  }
104 
105  dh = PEM_read_bio_Parameters(bio, &dh);
106  BIO_free(bio);
107  if (!dh) {
108  WARN("Unable to set DH parameters. DH cipher suites may not work!");
109  WARN("Fix this by generating the DH parameter file");
110  return 0;
111  }
112 
113  ret = SSL_CTX_set0_tmp_dh_pkey(ctx, dh);
114  if (ret < 0) {
115  ERROR("Unable to set DH parameters");
116  return -1;
117  }
118 
119  return 0;
120 }
121 
122 static int tls_ctx_verify_chain_member(fr_unix_time_t *expires_first, X509 **self_signed,
123  SSL_CTX *ctx, X509 *to_verify,
124  fr_tls_chain_verify_mode_t verify_mode)
125 {
126  fr_unix_time_t not_after;
127 
128  STACK_OF(X509) *chain;
129  X509 *leaf;
130 
131  leaf = SSL_CTX_get0_certificate(ctx);
132  if (!leaf) {
133  ERROR("Chain does not contain a valid leaf certificate");
134  return -1;
135  }
136 
137  if (!SSL_CTX_get0_chain_certs(ctx, &chain)) {
138  fr_tls_log(NULL, "Failed retrieving chain certificates");
139  return -1;
140  }
141 
142  switch (fr_tls_cert_is_valid(NULL, &not_after, to_verify)) {
143  case -1:
144  fr_tls_chain_marker_log(NULL, L_ERR, chain, leaf, to_verify);
145  PERROR("Malformed certificate");
146  return -1;
147 
148  case -2:
149  case -3:
150  switch (verify_mode) {
151  case FR_TLS_CHAIN_VERIFY_SOFT:
152  fr_tls_chain_marker_log(NULL, L_WARN, chain, leaf, to_verify);
153  PWARN("Certificate validation failed");
154  break;
155 
156  case FR_TLS_CHAIN_VERIFY_HARD:
157  fr_tls_chain_marker_log(NULL, L_ERR, chain, leaf, to_verify);
158  PERROR("Certificate validation failed");
159  return -1;
160 
161  default:
162  break;
163  }
164 
165  }
166 
167  /*
168  * Check for self-signed certs
169  */
170  switch (verify_mode) {
171  case FR_TLS_CHAIN_VERIFY_SOFT:
172  case FR_TLS_CHAIN_VERIFY_HARD:
173  /*
174  * There can be only one... self signed
175  * cert in a chain.
176  *
177  * We have to do this check manually
178  * because the OpenSSL functions will
179  * only check to see if it can build
180  * a chain, not that all certificates
181  * in the chain are used.
182  *
183  * Having multiple self-signed certificates
184  * usually indicates someone has copied
185  * the wrong certificates into the
186  * server.pem file.
187  */
188  if (X509_name_cmp(X509_get_subject_name(to_verify),
189  X509_get_issuer_name(to_verify)) == 0) {
190  if (*self_signed) {
191  switch (verify_mode) {
192  case FR_TLS_CHAIN_VERIFY_SOFT:
193  WARN("Found multiple self-signed certificates in chain");
194  WARN("First certificate was:");
195  fr_tls_chain_marker_log(NULL, L_WARN,
196  chain, leaf, *self_signed);
197 
198  WARN("Second certificate was:");
199  fr_tls_chain_marker_log(NULL, L_WARN,
200  chain, leaf, to_verify);
201  break;
202 
203  case FR_TLS_CHAIN_VERIFY_HARD:
204  ERROR("Found multiple self-signed certificates in chain");
205  ERROR("First certificate was:");
206  fr_tls_chain_marker_log(NULL, L_ERR,
207  chain, leaf, *self_signed);
208 
209  ERROR("Second certificate was:");
210  fr_tls_chain_marker_log(NULL, L_ERR,
211  chain, leaf, to_verify);
212  return -1;
213 
214  default:
215  break;
216  }
217  }
218  *self_signed = to_verify;
219  }
220  break;
221 
222  default:
223  break;
224  }
225 
226  /*
227  * Record the time the first certificate in
228  * the chain expires so we can use it for
229  * runtime checks.
230  */
231  if (!fr_unix_time_ispos(*expires_first) ||
232  (fr_unix_time_gt(*expires_first, not_after))) *expires_first = not_after;
233 
234  return 0;
235 }
236 
237 static int tls_ctx_load_cert_chain(SSL_CTX *ctx, fr_tls_chain_conf_t *chain, bool allow_multi_self_signed)
238 {
239  char *password;
240 
241  /*
242  * Conf parser should ensure they're both populated
243  */
244  fr_assert(chain->certificate_file && chain->private_key_file);
245 
246  /*
247  * Set the password (this should have been retrieved earlier)
248  */
249  memcpy(&password, &chain->password, sizeof(password));
250  SSL_CTX_set_default_passwd_cb_userdata(ctx, password);
251 
252  /*
253  * Always set the callback as it provides useful debug
254  * output if the certificate isn't set.
255  */
256  SSL_CTX_set_default_passwd_cb(ctx, fr_tls_session_password_cb);
257 
258  switch (chain->file_format) {
259  case SSL_FILETYPE_PEM:
260  if (!(SSL_CTX_use_certificate_chain_file(ctx, chain->certificate_file))) {
261  fr_tls_log(NULL, "Failed reading certificate file \"%s\"",
262  chain->certificate_file);
263  return -1;
264  }
265  break;
266 
267  case SSL_FILETYPE_ASN1:
268  if (!(SSL_CTX_use_certificate_file(ctx, chain->certificate_file, chain->file_format))) {
269  fr_tls_log(NULL, "Failed reading certificate file \"%s\"",
270  chain->certificate_file);
271  return -1;
272  }
273  break;
274 
275  default:
276  fr_assert(0);
277  break;
278  }
279 
280  if (!(SSL_CTX_use_PrivateKey_file(ctx, chain->private_key_file, chain->file_format))) {
281  fr_tls_log(NULL, "Failed reading private key file \"%s\"",
282  chain->private_key_file);
283  return -1;
284  }
285 
286  {
287  size_t extra_cnt, i;
288  /*
289  * Load additional chain certificates from other files
290  * This allows us to specify chains in DER format as
291  * well as PEM, and means we can keep the intermediaries
292  * CAs and client/server certs in separate files.
293  */
294  extra_cnt = talloc_array_length(chain->ca_files);
295  for (i = 0; i < extra_cnt; i++) {
296  FILE *fp;
297  X509 *cert;
298  char const *filename = chain->ca_files[i];
299 
300  fp = fopen(filename, "r");
301  if (!fp) {
302  ERROR("Failed opening ca_file \"%s\": %s", filename, fr_syserror(errno));
303  return -1;
304  }
305 
306  /*
307  * Load the PEM encoded X509 certificate
308  */
309  switch (chain->file_format) {
310  case SSL_FILETYPE_PEM:
311  cert = PEM_read_X509(fp, NULL, NULL, NULL);
312  break;
313 
314  case SSL_FILETYPE_ASN1:
315  cert = d2i_X509_fp(fp, NULL);
316  break;
317 
318  default:
319  fr_assert(0);
320  fclose(fp);
321  return -1;
322  }
323  fclose(fp);
324 
325  if (!cert) {
326  fr_tls_log(NULL, "Failed reading certificate file \"%s\"", filename);
327  return -1;
328  }
329  SSL_CTX_add0_chain_cert(ctx, cert);
330  }
331  }
332 
333  /*
334  * Check if the last loaded private key matches the last
335  * loaded certificate.
336  *
337  * Note: The call to SSL_CTX_use_certificate_chain_file
338  * can load in a private key too.
339  */
340  if (!SSL_CTX_check_private_key(ctx)) {
341  ERROR("Private key does not match the certificate public key");
342  return -1;
343  }
344 
345  /*
346  * Loop over the certificates checking validity periods.
347  * SSL_CTX_build_cert_chain does this too, but we can
348  * produce significantly better errors here.
349  *
350  * After looping over all the certs we figure out when
351  * the chain will next need refreshing.
352  */
353  {
354  fr_unix_time_t expires_first = fr_unix_time_wrap(0);
355  X509 *self_signed = NULL;
356  STACK_OF(X509) *our_chain;
357  int i;
358 
359  if (tls_ctx_verify_chain_member(&expires_first, &self_signed,
360  ctx, SSL_CTX_get0_certificate(ctx),
361  chain->verify_mode) < 0) return -1;
362 
363  if (!SSL_CTX_get0_chain_certs(ctx, &our_chain)) {
364  fr_tls_log(NULL, "Failed retrieving chain certificates");
365  return -1;
366  }
367 
368  if (allow_multi_self_signed) self_signed = NULL;
369 
370 DIAG_OFF(DIAG_UNKNOWN_PRAGMAS)
371 DIAG_OFF(used-but-marked-unused) /* fix spurious warnings for sk macros */
372  for (i = sk_X509_num(our_chain); i > 0 ; i--) {
373  /*
374  * SSL_CTX_use_certificate_chain_file set the
375  * current cert to be the one loaded from
376  * that pem file.
377  */
378  if (tls_ctx_verify_chain_member(&expires_first, &self_signed,
379  ctx, sk_X509_value(our_chain, i - 1),
380  chain->verify_mode) < 0) return -1;
381 
382  if (allow_multi_self_signed) self_signed = NULL;
383  }
384 DIAG_ON(used-but-marked-unused) /* fix spurious warnings for sk macros */
385 DIAG_ON(DIAG_UNKNOWN_PRAGMAS)
386  /*
387  * Record this as a unix timestamp as
388  * internal time might not progress at
389  * the same rate as wallclock time.
390  */
391  chain->valid_until = expires_first;
392  }
393 
394  {
395  int mode = SSL_BUILD_CHAIN_FLAG_CHECK;
396 
397  if (!chain->include_root_ca) mode |= SSL_BUILD_CHAIN_FLAG_NO_ROOT;
398 
399  /*
400  * Explicitly check that the certificate chain
401  * we just loaded is sane.
402  *
403  * This operates on the last loaded certificate.
404  */
405  switch (chain->verify_mode) {
406  case FR_TLS_CHAIN_VERIFY_NONE:
407  mode |= SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR | SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR;
408  (void)SSL_CTX_build_cert_chain(ctx, mode);
409  break;
410 
411  /*
412  * Seems to be a bug where
413  * SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR trashes the error,
414  * so have the function fail as normal.
415  */
416  case FR_TLS_CHAIN_VERIFY_SOFT:
417  if (!SSL_CTX_build_cert_chain(ctx, mode)) {
418  fr_tls_strerror_printf(NULL);
419  PWARN("Failed verifying chain");
420  }
421  break;
422 
423  case FR_TLS_CHAIN_VERIFY_HARD:
424  if (!SSL_CTX_build_cert_chain(ctx, mode)) {
425  fr_tls_strerror_printf(NULL);
426  PERROR("Failed verifying chain");
427  return -1;
428  }
429  break;
430 
431  default:
432  break;
433  }
434  }
435 
436  return 0;
437 }
438 
439 static inline CC_HINT(always_inline)
440 int tls_ctx_version_set(
441  UNUSED
442  int *ctx_options, SSL_CTX *ctx, fr_tls_conf_t const *conf)
443 {
444  /*
445  * SSL_CTX_set_(min|max)_proto_version was included in OpenSSL 1.1.0
446  *
447  * This version already defines macros for TLS1_2_VERSION and
448  * below, so we don't need to check for them explicitly.
449  *
450  * TLS1_3_VERSION is available in OpenSSL 1.1.1.
451  *
452  * TLS1_4_VERSION does not exist yet. But we allow it
453  * only if it is explicitly permitted by the
454  * administrator.
455  */
456  if (conf->tls_max_version > (float) 0.0) {
457  int max_version = 0;
458 
459  if (conf->tls_min_version > conf->tls_max_version) {
460  /*
461  * %f is actually %lg now (double). Compile complains about
462  * implicit promotion unless we cast args to double.
463  */
464  ERROR("tls_min_version (%f) must be <= tls_max_version (%f)",
465  (double)conf->tls_min_version, (double)conf->tls_max_version);
466  error:
467  return -1;
468  }
469 
470  if (conf->tls_max_version < (float) 1.0) {
471  ERROR("tls_max_version must be >= 1.0 as SSLv2 and SSLv3 are permanently disabled");
472  goto error;
473  }
474 
475 # ifdef TLS1_4_VERSION
476  else if (conf->tls_max_version >= (float) 1.4) max_version = TLS1_4_VERSION;
477 # endif
478 # ifdef TLS1_3_VERSION
479  else if (conf->tls_max_version >= (float) 1.3) max_version = TLS1_3_VERSION;
480 # endif
481  else if (conf->tls_max_version >= (float) 1.2) max_version = TLS1_2_VERSION;
482  else if (conf->tls_max_version >= (float) 1.1) max_version = TLS1_1_VERSION;
483  else max_version = TLS1_VERSION;
484 
485  /*
486  * Complain about insecure TLS versions.
487  */
488  if (max_version < TLS1_2_VERSION) {
489  WARN("TLS 1.0 and 1.1 are insecure and SHOULD NOT be used");
490  WARN("tls_max_version SHOULD be 1.2 or greater");
491  }
492 
493  if (!SSL_CTX_set_max_proto_version(ctx, max_version)) {
494  fr_tls_log(NULL, "Failed setting TLS maximum version");
495  goto error;
496  }
497  }
498 
499  {
500  int min_version;
501 
502  if (conf->tls_min_version < (float) 1.0) {
503  ERROR("tls_min_version must be >= 1.0 as SSLv2 and SSLv3 are permanently disabled");
504  goto error;
505  }
506 # ifdef TLS1_4_VERSION
507  else if (conf->tls_min_version >= (float) 1.4) min_version = TLS1_4_VERSION;
508 # endif
509 # ifdef TLS1_3_VERSION
510  else if (conf->tls_min_version >= (float) 1.3) min_version = TLS1_3_VERSION;
511 # endif
512  else if (conf->tls_min_version >= (float) 1.2) min_version = TLS1_2_VERSION;
513  else if (conf->tls_min_version >= (float) 1.1) min_version = TLS1_1_VERSION;
514  else min_version = TLS1_VERSION;
515 
516  /*
517  * Complain about insecure TLS versions.
518  */
519  if (min_version < TLS1_2_VERSION) {
520  WARN("TLS 1.0 and 1.1 are insecure and SHOULD NOT be used");
521  WARN("tls_min_version SHOULD be 1.2 or greater");
522  }
523 
524  if (!SSL_CTX_set_min_proto_version(ctx, min_version)) {
525  fr_tls_log(NULL, "Failed setting TLS minimum version");
526  goto error;
527  }
528  }
529 
530  return 0;
531 }
532 
533 /** Create SSL context
534  *
535  * - Load the trusted CAs
536  * - Load the Private key & the certificate
537  * - Set the Context options & Verify options
538  *
539  * @param conf to read settings from.
540  * @param client If true SSL_CTX will be configured as a client context.
541  * @return
542  * - A new SSL_CTX on success.
543  * - NULL on failure.
544  */
545 SSL_CTX *fr_tls_ctx_alloc(fr_tls_conf_t const *conf, bool client)
546 {
547  SSL_CTX *ctx;
548  X509_STORE *cert_vpstore;
549  X509_STORE *verify_store;
550  int ctx_options = 0;
551 
552  ctx = SSL_CTX_new(TLS_method());
553  if (!ctx) {
554  fr_tls_log(NULL, "Failed creating TLS context");
555  return NULL;
556  }
557 
558  /*
559  * Save the config on the context so that callbacks which
560  * only get SSL_CTX* e.g. session persistence, can get at it.
561  */
562  SSL_CTX_set_ex_data(ctx, FR_TLS_EX_INDEX_CONF, UNCONST(void *, conf));
563 
564  /*
565  * Identify the type of certificates that needs to be loaded
566  */
567 #ifdef PSK_MAX_IDENTITY_LEN
568  /*
569  * A dynamic query exists. There MUST NOT be a
570  * statically configured identity and password.
571  */
572  if (conf->psk_query) {
573  if (!*conf->psk_query) {
574  ERROR("Invalid PSK Configuration: psk_query cannot be empty");
575  error:
576  SSL_CTX_free(ctx);
577  return NULL;
578  }
579 
580  if (conf->psk_identity && *conf->psk_identity) {
581  ERROR("Invalid PSK Configuration: psk_identity and psk_query cannot be used at the same time.");
582  goto error;
583  }
584 
585  if (conf->psk_password && *conf->psk_password) {
586  ERROR("Invalid PSK Configuration: psk_password and psk_query cannot be used at the same time.");
587  goto error;
588  }
589 
590  if (client) {
591  ERROR("Invalid PSK Configuration: psk_query cannot be used for outgoing connections");
592  goto error;
593  }
594 
595  /*
596  * Now check that if PSK is being used, that the config is valid.
597  */
598  } else if (conf->psk_identity) {
599  if (!*conf->psk_identity) {
600  ERROR("Invalid PSK Configuration: psk_identity is empty");
601  goto error;
602  }
603 
604 
605  if (!conf->psk_password || !*conf->psk_password) {
606  ERROR("Invalid PSK Configuration: psk_identity is set, but there is no psk_password");
607  goto error;
608  }
609 
610  } else if (conf->psk_password) {
611  ERROR("Invalid PSK Configuration: psk_password is set, but there is no psk_identity");
612  goto error;
613  }
614 
615  /*
616  * Set the server PSK callback if necessary.
617  */
618  if (!client && (conf->psk_identity || conf->psk_query)) {
619  SSL_CTX_set_psk_server_callback(ctx, fr_tls_session_psk_server_cb);
620  }
621 
622  /*
623  * Do more sanity checking if we have a PSK identity. We
624  * check the password, and convert it to it's final form.
625  */
626  if (conf->psk_identity && *conf->psk_identity) {
627  size_t psk_len, hex_len;
628  uint8_t buffer[PSK_MAX_PSK_LEN];
629 
630  if (client) {
631  SSL_CTX_set_psk_client_callback(ctx, fr_tls_session_psk_client_cb);
632  }
633 
634  if (!conf->psk_password) goto error; /* clang is too dumb to catch the above checks */
635 
636  psk_len = strlen(conf->psk_password);
637  if (strlen(conf->psk_password) > (2 * PSK_MAX_PSK_LEN)) {
638  ERROR("psk_hexphrase is too long (max %d)", PSK_MAX_PSK_LEN);
639  goto error;
640  }
641 
642  /*
643  * Check the password now, so that we don't have
644  * errors at run-time.
645  */
646  hex_len = fr_base16_decode(NULL,
647  &FR_DBUFF_TMP(buffer, sizeof(buffer)),
648  &FR_SBUFF_IN(conf->psk_password, psk_len), false);
649  if (psk_len != (2 * hex_len)) {
650  ERROR("psk_hexphrase is not all hex");
651  goto error;
652  }
653 
654  goto post_ca;
655  }
656 #else
657  (void) client; /* -Wunused */
658 #endif
659 
660  /*
661  * Set mode before processing any certifictes
662  */
663  {
664  int mode = SSL_MODE_ASYNC;
665 
666  /*
667  * OpenSSL will automatically create certificate chains,
668  * unless we tell it to not do that. The problem is that
669  * it sometimes gets the chains right from a certificate
670  * signature view, but wrong from the clients view.
671  *
672  * It's better just to have users specify the complete
673  * chains.
674  */
675  mode |= SSL_MODE_NO_AUTO_CHAIN;
676 
677  if (client) {
678  mode |= SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER;
679  mode |= SSL_MODE_AUTO_RETRY;
680  }
681 
682  if (mode) SSL_CTX_set_mode(ctx, mode);
683  }
684 
685  /*
686  * Initialise a separate store for verifying user
687  * certificates.
688  *
689  * This makes the configuration cleaner as there's
690  * no mixing of chain certs and user certs.
691  */
692  MEM(verify_store = X509_STORE_new());
693 
694  /* Sets OpenSSL's (CERT *)->verify_store, overring (SSL_CTX *)->cert_store */
695  SSL_CTX_set0_verify_cert_store(ctx, verify_store);
696 
697  /* This isn't accessible to use later, i.e. there's no SSL_CTX_get0_verify_cert_store */
698  SSL_CTX_set_ex_data(ctx, FR_TLS_EX_CTX_INDEX_VERIFY_STORE, verify_store);
699 
700  /*
701  * Load the CAs we trust
702  */
703  if (conf->ca_file || conf->ca_path) {
704  /*
705  * This adds all the certificates to the store for conf->ca_file
706  * and adds a dynamic lookup for conf->ca_path.
707  *
708  * It's also possible to add extra virtual server lookups
709  */
710  if (!X509_STORE_load_locations(verify_store, conf->ca_file, conf->ca_path)) {
711  fr_tls_log(NULL, "Failed reading Trusted root CA list \"%s\"",
712  conf->ca_file);
713  goto error;
714  }
715 
716  /*
717  * These set the default parameters of the store when the
718  * store is involved in building chains.
719  *
720  * - X509_PURPOSE_SSL_CLIENT ensure the purpose of the
721  * client certificate is for peer authentication as
722  * a client.
723  */
724  X509_STORE_set_purpose(verify_store, X509_PURPOSE_SSL_CLIENT);
725 
726  /*
727  * Sets the list of CAs we send to the peer if we're
728  * requesting a certificate.
729  *
730  * This does not change the trusted certificate authorities,
731  * those are set above with SSL_CTX_load_verify_locations.
732  */
733  if (conf->ca_file) SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(conf->ca_file));
734  } else {
735  X509_STORE_set_default_paths(verify_store);
736  }
737 
738  /*
739  * Load our certificate chains and keys
740  */
741  if (conf->chains) {
742  size_t chains_conf = talloc_array_length(conf->chains);
743 
744  /*
745  * Load our keys and certificates
746  *
747  * If certificates are of type PEM then we can make use
748  * of cert chain authentication using openssl api call
749  * SSL_CTX_use_certificate_chain_file. Please see how
750  * the cert chain needs to be given in PEM from
751  * openSSL.org
752  */
753  {
754  size_t i;
755 
756  for (i = 0; i < chains_conf; i++) {
757  if (tls_ctx_load_cert_chain(ctx, conf->chains[i], false) < 0) goto error;
758  }
759  }
760 
761  /*
762  * Print out our certificate chains.
763  *
764  * There may be up to three, one for RSA, DH, DSA and EC.
765  * OpenSSL internally and transparently stores completely
766  * separate and distinct RSA/DSA/DH/ECC key pairs and chains.
767  */
768  if (DEBUG_ENABLED2) {
769  size_t chains_set = 0;
770  int ret;
771 
772  /*
773  * Iterate over the different chain types we have
774  * RSA, DSA, DH, EC etc...
775  */
776  for (ret = SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_FIRST);
777  ret == 1;
778  ret = SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_NEXT)) chains_set++;
779 
780  /*
781  * Check for discrepancies
782  */
783 
784  DEBUG3("Found %zu server certificate chain(s)", chains_set);
785 
786  if (chains_set != chains_conf) {
787  WARN("Number of chains configured (%zu) does not match chains set (%zu)",
788  chains_conf, chains_set);
789  if (chains_conf > chains_set) WARN("Only one chain per key type is allowed, "
790  "check config for duplicates");
791  }
792 
793  for (ret = SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_FIRST);
794  ret == 1;
795  ret = SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_NEXT)) {
796  STACK_OF(X509) *our_chain;
797  X509 *our_cert;
798 
799  our_cert = SSL_CTX_get0_certificate(ctx);
800 
801  /*
802  * The pkey type of the server certificate
803  * determines which pkey slot OpenSSL
804  * uses to store the chain.
805  */
806  DEBUG3("%s chain", fr_tls_utils_x509_pkey_type(our_cert));
807  if (!SSL_CTX_get0_chain_certs(ctx, &our_chain)) {
808  fr_tls_log(NULL, "Failed retrieving chain certificates");
809  goto error;
810  }
811 
812  if (DEBUG_ENABLED3) fr_tls_chain_log(NULL, L_DBG, our_chain, our_cert);
813  }
814  (void)SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_FIRST); /* Reset */
815  }
816  }
817 
818 #ifdef PSK_MAX_IDENTITY_LEN
819 post_ca:
820 #endif
821  if (tls_ctx_version_set(&ctx_options, ctx, conf) < 0) goto error;
822 
823  /*
824  * SSL_OP_SINGLE_DH_USE must be used in order to prevent
825  * small subgroup attacks and forward secrecy. Always
826  * using SSL_OP_SINGLE_DH_USE has an impact on the
827  * computer time needed during negotiation, but it is not
828  * very large.
829  */
830  if (!conf->disable_single_dh_use) {
831  ctx_options |= SSL_OP_SINGLE_DH_USE;
832  }
833 
834 #ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
835  /*
836  * Note: This flag isn't honoured by all OpenSSL forks.
837  */
838  if (conf->allow_renegotiation) {
839  ctx_options |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
840  }
841 #endif
842 
843  /*
844  * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS to work around issues
845  * in Windows Vista client.
846  * http://www.openssl.org/~bodo/tls-cbc.txt
847  * http://www.nabble.com/(RADIATOR)-Radiator-Version-3.16-released-t2600070.html
848  */
849  ctx_options |= SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
850 
851  /*
852  * SSL_OP_CIPHER_SERVER_PREFERENCE to follow best practice
853  * of nowday's TLS: do not allow poorly-selected ciphers from
854  * client to take preference
855  */
856  if (conf->cipher_server_preference) ctx_options |= SSL_OP_CIPHER_SERVER_PREFERENCE;
857 
858  SSL_CTX_set_options(ctx, ctx_options);
859 
860  /*
861  * TODO: Set the RSA & DH
862  * SSL_CTX_set_tmp_rsa_callback(ctx, cbtls_rsa);
863  * SSL_CTX_set_tmp_dh_callback(ctx, cbtls_dh);
864  */
865 
866  /*
867  * Set the block size for record padding. This is only
868  * used in TLS 1.3.
869  */
870  if (conf->padding_block_size) SSL_CTX_set_block_padding(ctx, conf->padding_block_size);
871 
872  /*
873  * Set elliptical curve crypto configuration.
874  */
875 #ifndef OPENSSL_NO_ECDH
876  if (ctx_ecdh_curve_set(ctx, conf->ecdh_curve, conf->disable_single_dh_use) < 0) goto error;
877 #endif
878 
879 
880  /* Set Info callback */
881  SSL_CTX_set_info_callback(ctx, fr_tls_session_info_cb);
882 
883  /*
884  * Check the certificates for revocation.
885  */
886 #ifdef X509_V_FLAG_CRL_CHECK_ALL
887  if (conf->verify.check_crl) {
888  cert_vpstore = SSL_CTX_get_cert_store(ctx);
889  if (cert_vpstore == NULL) {
890  fr_tls_log(NULL, "Error reading Certificate Store");
891  goto error;
892  }
893  X509_STORE_set_flags(cert_vpstore, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
894 #ifdef X509_V_FLAG_USE_DELTAS
895  /*
896  * If set, delta CRLs (if present) are used to
897  * determine certificate status. If not set
898  * deltas are ignored.
899  *
900  * So it's safe to always set this flag.
901  */
902  X509_STORE_set_flags(cert_vpstore, X509_V_FLAG_USE_DELTAS);
903 #endif
904  }
905 #endif
906 
907  /*
908  * SSL_ctx_set_verify is now called in the session
909  * alloc functions so they can set custom behaviour
910  * depending on the code area the SSL * will be used
911  * and whether we're acting as a client or server.
912  */
913  if (conf->verify_depth) {
914  SSL_CTX_set_verify_depth(ctx, conf->verify_depth);
915  }
916 
917 #ifdef HAVE_OPENSSL_OCSP_H
918  /*
919  * Configure OCSP stapling for the server cert
920  */
921  if (conf->staple.enable) {
922  SSL_CTX_set_tlsext_status_cb(ctx, fr_tls_ocsp_staple_cb);
923  SSL_CTX_set_tlsext_status_arg(ctx, UNCONST(fr_tls_ocsp_conf_t *, &(conf->staple)));
924  }
925 #endif
926 
927  /*
928  * Set the cipher list if we were told to
929  */
930  if (conf->cipher_list) {
931  if (!SSL_CTX_set_cipher_list(ctx, conf->cipher_list)) {
932  fr_tls_log(NULL, "Failed setting cipher list");
933  goto error;
934  }
935  }
936 
937  /*
938  * Print the actual cipher list
939  */
940  if (DEBUG_ENABLED3) {
941  SSL *ssl;
942  unsigned int i = 0;
943  char const *cipher;
944 
945  ssl = SSL_new(ctx);
946  if (!ssl) {
947  fr_tls_log(NULL, "Failed creating temporary SSL session");
948  goto error;
949  }
950 
951  DEBUG3("Configured ciphers (by priority)");
952 
953  while ((cipher = SSL_get_cipher_list(ssl, i))) {
954  DEBUG3("[%i] %s", i, cipher);
955  i++; /* Print index starting at zero */
956  }
957 
958  SSL_free(ssl);
959  }
960 
961  /*
962  * Load dh params
963  */
964  if (conf->dh_file && (ctx_dh_params_load(ctx, UNCONST(char *, conf->dh_file)) < 0)) goto error;
965 
966  /*
967  * Setup session caching
968  */
969  if (fr_tls_cache_ctx_init(ctx, &conf->cache) < 0) goto error;
970 
971  /*
972  * Set the keylog file if the admin requested it.
973  */
974  if ((getenv("SSLKEYLOGFILE") != NULL) || (conf->keylog_file && *conf->keylog_file)) {
975  SSL_CTX_set_keylog_callback(ctx, fr_tls_session_keylog_cb);
976  }
977 
978  return ctx;
979 }
980 #endif
buffer
static int const char char buffer[256]
Definition: acutest.h:574
file
int const char * file
Definition: acutest.h:702
fr_base16_decode
#define fr_base16_decode(_err, _out, _in, _no_trailing)
Definition: base16.h:95
UNCONST
#define UNCONST(_type, _ptr)
Remove const qualification from a pointer.
Definition: build.h:165
USES_APPLE_DEPRECATED_API
#define USES_APPLE_DEPRECATED_API
Definition: build.h:468
RCSID
#define RCSID(id)
Definition: build.h:481
DIAG_UNKNOWN_PRAGMAS
#define DIAG_UNKNOWN_PRAGMAS
Definition: build.h:454
DIAG_ON
#define DIAG_ON(_x)
Definition: build.h:456
UNUSED
#define UNUSED
Definition: build.h:313
DIAG_OFF
#define DIAG_OFF(_x)
Definition: build.h:455
FR_DBUFF_TMP
#define FR_DBUFF_TMP(_start, _len_or_end)
Creates a compound literal to pass into functions which accept a dbuff.
Definition: dbuff.h:514
ERROR
#define ERROR(fmt,...)
Definition: dhcpclient.c:41
free
free(array)
LOG_PREFIX
#define LOG_PREFIX
Definition: base.c:63
PERROR
#define PERROR(_fmt,...)
Definition: log.h:228
DEBUG_ENABLED2
#define DEBUG_ENABLED2
True if global debug level 1-2 messages are enabled.
Definition: log.h:258
DEBUG3
#define DEBUG3(_fmt,...)
Definition: log.h:266
PWARN
#define PWARN(_fmt,...)
Definition: log.h:227
DEBUG_ENABLED3
#define DEBUG_ENABLED3
True if global debug level 1-3 messages are enabled.
Definition: log.h:259
L_WARN
@ L_WARN
Warning.
Definition: log.h:57
L_ERR
@ L_ERR
Error message.
Definition: log.h:56
L_DBG
@ L_DBG
Only displayed when debugging is enabled.
Definition: log.h:59
uint8_t
unsigned char uint8_t
Definition: merged_model.c:30
used
static size_t used
Definition: message_set_test.c:51
fr_tls_ocsp_staple_cb
int fr_tls_ocsp_staple_cb(SSL *ssl, void *data)
fr_tls_ocsp_conf_t
OCSP Configuration.
Definition: ocsp.h:4
WARN
#define WARN(fmt,...)
Definition: radclient.h:47
conf
static rs_t * conf
Definition: radsniff.c:53
FR_SBUFF_IN
#define FR_SBUFF_IN(_start, _len_or_end)
fr_assert
fr_assert(0)
MEM
MEM(pair_append_request(&vp, attr_eap_aka_sim_identity) >=0)
fr_syserror
char const * fr_syserror(int num)
Guaranteed to be thread-safe version of strerror.
Definition: syserror.c:243
fr_unix_time_ispos
#define fr_unix_time_ispos(_a)
Definition: time.h:372
fr_unix_time_gt
#define fr_unix_time_gt(_a, _b)
Definition: time.h:365
fr_unix_time_wrap
#define fr_unix_time_wrap(_time)
Definition: time.h:160
fr_unix_time_s
"Unix" time.
Definition: time.h:95
fr_tls_utils_x509_pkey_type
char const * fr_tls_utils_x509_pkey_type(X509 *cert)
Returns a friendly identifier for the public key type of a certificate.
Definition: utils.c:45
Generated by   doxygen 1.9.1