wpa_supplicant/0001-EAP-peer-Workaround-for-servers-that-do-not-support-.patch

104 lines
4.5 KiB
Diff
Raw Normal View History

From 566ce69a8d0e64093309cbde80235aa522fbf84e Mon Sep 17 00:00:00 2001
Message-Id: <566ce69a8d0e64093309cbde80235aa522fbf84e.1652450572.git.davide.caratti@gmail.com>
From: Jouni Malinen <quic_jouni@quicinc.com>
Date: Thu, 5 May 2022 00:07:44 +0300
Subject: [PATCH] EAP peer: Workaround for servers that do not support safe TLS
renegotiation
The TLS protocol design for renegotiation was identified to have a
significant security flaw in 2009 and an extension to secure this design
was published in 2010 (RFC 5746). However, some old RADIUS
authentication servers without support for this are still used commonly.
This is obviously not good from the security view point, but since there
are cases where the user of a network service has no realistic means for
getting the authentication server upgraded, TLS handshake may still need
to be allowed to be able to use the network.
OpenSSL 3.0 disabled the client side workaround by default and this
resulted in issues connection to some networks with insecure
authentication servers. With OpenSSL 3.0, the client is now enforcing
security by refusing to authenticate with such servers. The pre-3.0
behavior of ignoring this issue and leaving security to the server can
now be enabled with a new phase1 parameter allow_unsafe_renegotiation=1.
This should be used only when having to connect to a network that has an
insecure authentication server that cannot be upgraded.
The old (pre-2010) TLS renegotiation mechanism might open security
vulnerabilities if the authentication server were to allow TLS
renegotiation to be initiated. While this is unlikely to cause real
issues with EAP-TLS, there might be cases where use of PEAP or TTLS with
an authentication server that does not support RFC 5746 might result in
a security vulnerability.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
---
src/crypto/tls.h | 1 +
src/crypto/tls_openssl.c | 5 +++++
src/eap_peer/eap_tls_common.c | 4 ++++
wpa_supplicant/wpa_supplicant.conf | 5 +++++
4 files changed, 15 insertions(+)
diff --git a/src/crypto/tls.h b/src/crypto/tls.h
index ccaac94c9..7ea32ee4a 100644
--- a/src/crypto/tls.h
+++ b/src/crypto/tls.h
@@ -112,6 +112,7 @@ struct tls_config {
#define TLS_CONN_ENABLE_TLSv1_1 BIT(15)
#define TLS_CONN_ENABLE_TLSv1_2 BIT(16)
#define TLS_CONN_TEAP_ANON_DH BIT(17)
+#define TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION BIT(18)
/**
* struct tls_connection_params - Parameters for TLS connection
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 388c6b0f4..0d23f44ad 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -3081,6 +3081,11 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags,
SSL_clear_options(ssl, SSL_OP_NO_TICKET);
#endif /* SSL_OP_NO_TICKET */
+#ifdef SSL_OP_LEGACY_SERVER_CONNECT
+ if (flags & TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION)
+ SSL_set_options(ssl, SSL_OP_LEGACY_SERVER_CONNECT);
+#endif /* SSL_OP_LEGACY_SERVER_CONNECT */
+
#ifdef SSL_OP_NO_TLSv1
if (flags & TLS_CONN_DISABLE_TLSv1_0)
SSL_set_options(ssl, SSL_OP_NO_TLSv1);
diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c
index 06c9b211e..6193b4bdb 100644
--- a/src/eap_peer/eap_tls_common.c
+++ b/src/eap_peer/eap_tls_common.c
@@ -102,6 +102,10 @@ static void eap_tls_params_flags(struct tls_connection_params *params,
params->flags |= TLS_CONN_SUITEB_NO_ECDH;
if (os_strstr(txt, "tls_suiteb_no_ecdh=0"))
params->flags &= ~TLS_CONN_SUITEB_NO_ECDH;
+ if (os_strstr(txt, "allow_unsafe_renegotiation=1"))
+ params->flags |= TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION;
+ if (os_strstr(txt, "allow_unsafe_renegotiation=0"))
+ params->flags &= ~TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION;
}
diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index a1dc769c9..b5304a77e 100644
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -1370,6 +1370,11 @@ fast_reauth=1
# tls_suiteb=0 - do not apply Suite B 192-bit constraints on TLS (default)
# tls_suiteb=1 - apply Suite B 192-bit constraints on TLS; this is used in
# particular when using Suite B with RSA keys of >= 3K (3072) bits
+# allow_unsafe_renegotiation=1 - allow connection with a TLS server that does
+# not support safe renegotiation (RFC 5746); please note that this
+# workaround should be only when having to authenticate with an old
+# authentication server that cannot be updated to use secure TLS
+# implementation.
#
# Following certificate/private key fields are used in inner Phase2
# authentication when using EAP-TTLS or EAP-PEAP.
--
2.35.1