OpenSSL: unsafe legacy renegotiation can be allowed/disallowed by configuration

Resolves: #2077973
Signed-off-by: Davide Caratti <dcaratti@redhat.com>

0001-EAP-peer-Workaround-for-servers-that-do-not-support-.patch

@@ -0,0 +1,103 @@
+From 566ce69a8d0e64093309cbde80235aa522fbf84e Mon Sep 17 00:00:00 2001
+Message-Id: <566ce69a8d0e64093309cbde80235aa522fbf84e.1652450572.git.davide.caratti@gmail.com>
+From: Jouni Malinen <quic_jouni@quicinc.com>
+Date: Thu, 5 May 2022 00:07:44 +0300
+Subject: [PATCH] EAP peer: Workaround for servers that do not support safe TLS
+ renegotiation
+
+The TLS protocol design for renegotiation was identified to have a
+significant security flaw in 2009 and an extension to secure this design
+was published in 2010 (RFC 5746). However, some old RADIUS
+authentication servers without support for this are still used commonly.
+
+This is obviously not good from the security view point, but since there
+are cases where the user of a network service has no realistic means for
+getting the authentication server upgraded, TLS handshake may still need
+to be allowed to be able to use the network.
+
+OpenSSL 3.0 disabled the client side workaround by default and this
+resulted in issues connection to some networks with insecure
+authentication servers. With OpenSSL 3.0, the client is now enforcing
+security by refusing to authenticate with such servers. The pre-3.0
+behavior of ignoring this issue and leaving security to the server can
+now be enabled with a new phase1 parameter allow_unsafe_renegotiation=1.
+This should be used only when having to connect to a network that has an
+insecure authentication server that cannot be upgraded.
+
+The old (pre-2010) TLS renegotiation mechanism might open security
+vulnerabilities if the authentication server were to allow TLS
+renegotiation to be initiated. While this is unlikely to cause real
+issues with EAP-TLS, there might be cases where use of PEAP or TTLS with
+an authentication server that does not support RFC 5746 might result in
+a security vulnerability.
+
+Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
+---
+ src/crypto/tls.h                   | 1 +
+ src/crypto/tls_openssl.c           | 5 +++++
+ src/eap_peer/eap_tls_common.c      | 4 ++++
+ wpa_supplicant/wpa_supplicant.conf | 5 +++++
+ 4 files changed, 15 insertions(+)
+
+diff --git a/src/crypto/tls.h b/src/crypto/tls.h
+index ccaac94c9..7ea32ee4a 100644
+--- a/src/crypto/tls.h
++++ b/src/crypto/tls.h
+@@ -112,6 +112,7 @@ struct tls_config {
+ #define TLS_CONN_ENABLE_TLSv1_1 BIT(15)
+ #define TLS_CONN_ENABLE_TLSv1_2 BIT(16)
+ #define TLS_CONN_TEAP_ANON_DH BIT(17)
++#define TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION BIT(18)
+ 
+ /**
+  * struct tls_connection_params - Parameters for TLS connection
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index 388c6b0f4..0d23f44ad 100644
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -3081,6 +3081,11 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags,
+ 		SSL_clear_options(ssl, SSL_OP_NO_TICKET);
+ #endif /* SSL_OP_NO_TICKET */
+ 
++#ifdef SSL_OP_LEGACY_SERVER_CONNECT
++	if (flags & TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION)
++		SSL_set_options(ssl, SSL_OP_LEGACY_SERVER_CONNECT);
++#endif /* SSL_OP_LEGACY_SERVER_CONNECT */
++
+ #ifdef SSL_OP_NO_TLSv1
+ 	if (flags & TLS_CONN_DISABLE_TLSv1_0)
+ 		SSL_set_options(ssl, SSL_OP_NO_TLSv1);
+diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c
+index 06c9b211e..6193b4bdb 100644
+--- a/src/eap_peer/eap_tls_common.c
++++ b/src/eap_peer/eap_tls_common.c
+@@ -102,6 +102,10 @@ static void eap_tls_params_flags(struct tls_connection_params *params,
+ 		params->flags |= TLS_CONN_SUITEB_NO_ECDH;
+ 	if (os_strstr(txt, "tls_suiteb_no_ecdh=0"))
+ 		params->flags &= ~TLS_CONN_SUITEB_NO_ECDH;
++	if (os_strstr(txt, "allow_unsafe_renegotiation=1"))
++		params->flags |= TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION;
++	if (os_strstr(txt, "allow_unsafe_renegotiation=0"))
++		params->flags &= ~TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION;
+ }
+ 
+ 
+diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
+index a1dc769c9..b5304a77e 100644
+--- a/wpa_supplicant/wpa_supplicant.conf
++++ b/wpa_supplicant/wpa_supplicant.conf
+@@ -1370,6 +1370,11 @@ fast_reauth=1
+ # tls_suiteb=0 - do not apply Suite B 192-bit constraints on TLS (default)
+ # tls_suiteb=1 - apply Suite B 192-bit constraints on TLS; this is used in
+ #	particular when using Suite B with RSA keys of >= 3K (3072) bits
++# allow_unsafe_renegotiation=1 - allow connection with a TLS server that does
++#	not support safe renegotiation (RFC 5746); please note that this
++#	workaround should be only when having to authenticate with an old
++#	authentication server that cannot be updated to use secure TLS
++#	implementation.
+ #
+ # Following certificate/private key fields are used in inner Phase2
+ # authentication when using EAP-TTLS or EAP-PEAP.
+-- 
+2.35.1
+

0001-EAP-peer-status-notification-for-server-not-supporti.patch

@@ -0,0 +1,106 @@
+From a561d12d24c2c8bb0f825d4a3a55a5e47e845853 Mon Sep 17 00:00:00 2001
+Message-Id: <a561d12d24c2c8bb0f825d4a3a55a5e47e845853.1652450863.git.davide.caratti@gmail.com>
+From: Jouni Malinen <quic_jouni@quicinc.com>
+Date: Wed, 4 May 2022 23:55:38 +0300
+Subject: [PATCH] EAP peer status notification for server not supporting RFC
+ 5746
+
+Add a notification message to indicate reason for TLS handshake failure
+due to the server not supporting safe renegotiation (RFC 5746).
+
+Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
+---
+ src/ap/authsrv.c         |  3 +++
+ src/crypto/tls.h         |  3 ++-
+ src/crypto/tls_openssl.c | 15 +++++++++++++--
+ src/eap_peer/eap.c       |  5 +++++
+ 4 files changed, 23 insertions(+), 3 deletions(-)
+
+diff --git a/src/ap/authsrv.c b/src/ap/authsrv.c
+index 516c1da74..fd9c96fad 100644
+--- a/src/ap/authsrv.c
++++ b/src/ap/authsrv.c
+@@ -169,6 +169,9 @@ static void authsrv_tls_event(void *ctx, enum tls_event ev,
+ 			wpa_printf(MSG_DEBUG, "authsrv: remote TLS alert: %s",
+ 				   data->alert.description);
+ 		break;
++	case TLS_UNSAFE_RENEGOTIATION_DISABLED:
++		/* Not applicable to TLS server */
++		break;
+ 	}
+ }
+ #endif /* EAP_TLS_FUNCS */
+diff --git a/src/crypto/tls.h b/src/crypto/tls.h
+index 7ea32ee4a..7a2ee32df 100644
+--- a/src/crypto/tls.h
++++ b/src/crypto/tls.h
+@@ -22,7 +22,8 @@ enum tls_event {
+ 	TLS_CERT_CHAIN_SUCCESS,
+ 	TLS_CERT_CHAIN_FAILURE,
+ 	TLS_PEER_CERTIFICATE,
+-	TLS_ALERT
++	TLS_ALERT,
++	TLS_UNSAFE_RENEGOTIATION_DISABLED,
+ };
+ 
+ /*
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index 0d23f44ad..912471ba2 100644
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -4443,6 +4443,7 @@ int tls_connection_get_eap_fast_key(void *tls_ctx, struct tls_connection *conn,
+ static struct wpabuf *
+ openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data)
+ {
++	struct tls_context *context = conn->context;
+ 	int res;
+ 	struct wpabuf *out_data;
+ 
+@@ -4472,7 +4473,19 @@ openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data)
+ 			wpa_printf(MSG_DEBUG, "SSL: SSL_connect - want to "
+ 				   "write");
+ 		else {
++			unsigned long error = ERR_peek_last_error();
++
+ 			tls_show_errors(MSG_INFO, __func__, "SSL_connect");
++
++			if (context->event_cb &&
++			    ERR_GET_LIB(error) == ERR_LIB_SSL &&
++			    ERR_GET_REASON(error) ==
++			    SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED) {
++				context->event_cb(
++					context->cb_ctx,
++					TLS_UNSAFE_RENEGOTIATION_DISABLED,
++					NULL);
++			}
+ 			conn->failed++;
+ 			if (!conn->server && !conn->client_hello_generated) {
+ 				/* The server would not understand TLS Alert
+@@ -4495,8 +4508,6 @@ openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data)
+ 	if ((conn->flags & TLS_CONN_SUITEB) && !conn->server &&
+ 	    os_strncmp(SSL_get_cipher(conn->ssl), "DHE-", 4) == 0 &&
+ 	    conn->server_dh_prime_len < 3072) {
+-		struct tls_context *context = conn->context;
+-
+ 		/*
+ 		 * This should not be reached since earlier cert_cb should have
+ 		 * terminated the handshake. Keep this check here for extra
+diff --git a/src/eap_peer/eap.c b/src/eap_peer/eap.c
+index 429b20d3a..729388f4f 100644
+--- a/src/eap_peer/eap.c
++++ b/src/eap_peer/eap.c
+@@ -2172,6 +2172,11 @@ static void eap_peer_sm_tls_event(void *ctx, enum tls_event ev,
+ 			eap_notify_status(sm, "remote TLS alert",
+ 					  data->alert.description);
+ 		break;
++	case TLS_UNSAFE_RENEGOTIATION_DISABLED:
++		wpa_printf(MSG_INFO,
++			   "TLS handshake failed due to the server not supporting safe renegotiation (RFC 5746); phase1 parameter allow_unsafe_renegotiation=1 can be used to work around this");
++		eap_notify_status(sm, "unsafe server renegotiation", "failure");
++		break;
+ 	}
+ 
+ 	os_free(hash_hex);
+-- 
+2.35.1
+

wpa_supplicant.spec

@@ -9,7 +9,7 @@ Summary: WPA/WPA2/IEEE 802.1X Supplicant
 Name: wpa_supplicant
 Epoch: 1
 Version: 2.10
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: BSD
 Source0: http://w1.fi/releases/%{name}-%{version}.tar.gz
 Source1: wpa_supplicant.conf
@@ -31,6 +31,9 @@ Patch3: wpa_supplicant-quiet-scan-results-message.patch
 Patch4: wpa_supplicant-gui-qt4.patch
 # backport fix for bz2063730
 Patch5: 0001-D-Bus-Add-wep_disabled-capability.patch
+# backport fix for bz2077973
+Patch6: 0001-EAP-peer-Workaround-for-servers-that-do-not-support-.patch
+Patch7: 0001-EAP-peer-status-notification-for-server-not-supporti.patch
 
 URL: http://w1.fi/wpa_supplicant/
 
@@ -191,6 +194,10 @@ chmod -R 0644 wpa_supplicant/examples/*.py
 
 
 %changelog
+* Fri May 13 2022 Davide Caratti <dcaratti@redhat.com> - 1:2.10-4
+- Explicitly allow/disallow unsafe legacy renegotiation on configuration base.
+  Resolves: rhbz#2077973
+
 * Fri Apr 22 2022 Davide Caratti <dcaratti@redhat.com> - 1:2.10-3
 - Expose 'wep_disabled' capability via D-Bus. Resolves: rhbz#2063730