62ab4bd374
Resolves: #2077973 Signed-off-by: Davide Caratti <dcaratti@redhat.com>
104 lines
4.5 KiB
Diff
104 lines
4.5 KiB
Diff
From 566ce69a8d0e64093309cbde80235aa522fbf84e Mon Sep 17 00:00:00 2001
|
|
Message-Id: <566ce69a8d0e64093309cbde80235aa522fbf84e.1652450572.git.davide.caratti@gmail.com>
|
|
From: Jouni Malinen <quic_jouni@quicinc.com>
|
|
Date: Thu, 5 May 2022 00:07:44 +0300
|
|
Subject: [PATCH] EAP peer: Workaround for servers that do not support safe TLS
|
|
renegotiation
|
|
|
|
The TLS protocol design for renegotiation was identified to have a
|
|
significant security flaw in 2009 and an extension to secure this design
|
|
was published in 2010 (RFC 5746). However, some old RADIUS
|
|
authentication servers without support for this are still used commonly.
|
|
|
|
This is obviously not good from the security view point, but since there
|
|
are cases where the user of a network service has no realistic means for
|
|
getting the authentication server upgraded, TLS handshake may still need
|
|
to be allowed to be able to use the network.
|
|
|
|
OpenSSL 3.0 disabled the client side workaround by default and this
|
|
resulted in issues connection to some networks with insecure
|
|
authentication servers. With OpenSSL 3.0, the client is now enforcing
|
|
security by refusing to authenticate with such servers. The pre-3.0
|
|
behavior of ignoring this issue and leaving security to the server can
|
|
now be enabled with a new phase1 parameter allow_unsafe_renegotiation=1.
|
|
This should be used only when having to connect to a network that has an
|
|
insecure authentication server that cannot be upgraded.
|
|
|
|
The old (pre-2010) TLS renegotiation mechanism might open security
|
|
vulnerabilities if the authentication server were to allow TLS
|
|
renegotiation to be initiated. While this is unlikely to cause real
|
|
issues with EAP-TLS, there might be cases where use of PEAP or TTLS with
|
|
an authentication server that does not support RFC 5746 might result in
|
|
a security vulnerability.
|
|
|
|
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
|
|
---
|
|
src/crypto/tls.h | 1 +
|
|
src/crypto/tls_openssl.c | 5 +++++
|
|
src/eap_peer/eap_tls_common.c | 4 ++++
|
|
wpa_supplicant/wpa_supplicant.conf | 5 +++++
|
|
4 files changed, 15 insertions(+)
|
|
|
|
diff --git a/src/crypto/tls.h b/src/crypto/tls.h
|
|
index ccaac94c9..7ea32ee4a 100644
|
|
--- a/src/crypto/tls.h
|
|
+++ b/src/crypto/tls.h
|
|
@@ -112,6 +112,7 @@ struct tls_config {
|
|
#define TLS_CONN_ENABLE_TLSv1_1 BIT(15)
|
|
#define TLS_CONN_ENABLE_TLSv1_2 BIT(16)
|
|
#define TLS_CONN_TEAP_ANON_DH BIT(17)
|
|
+#define TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION BIT(18)
|
|
|
|
/**
|
|
* struct tls_connection_params - Parameters for TLS connection
|
|
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
|
|
index 388c6b0f4..0d23f44ad 100644
|
|
--- a/src/crypto/tls_openssl.c
|
|
+++ b/src/crypto/tls_openssl.c
|
|
@@ -3081,6 +3081,11 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags,
|
|
SSL_clear_options(ssl, SSL_OP_NO_TICKET);
|
|
#endif /* SSL_OP_NO_TICKET */
|
|
|
|
+#ifdef SSL_OP_LEGACY_SERVER_CONNECT
|
|
+ if (flags & TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION)
|
|
+ SSL_set_options(ssl, SSL_OP_LEGACY_SERVER_CONNECT);
|
|
+#endif /* SSL_OP_LEGACY_SERVER_CONNECT */
|
|
+
|
|
#ifdef SSL_OP_NO_TLSv1
|
|
if (flags & TLS_CONN_DISABLE_TLSv1_0)
|
|
SSL_set_options(ssl, SSL_OP_NO_TLSv1);
|
|
diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c
|
|
index 06c9b211e..6193b4bdb 100644
|
|
--- a/src/eap_peer/eap_tls_common.c
|
|
+++ b/src/eap_peer/eap_tls_common.c
|
|
@@ -102,6 +102,10 @@ static void eap_tls_params_flags(struct tls_connection_params *params,
|
|
params->flags |= TLS_CONN_SUITEB_NO_ECDH;
|
|
if (os_strstr(txt, "tls_suiteb_no_ecdh=0"))
|
|
params->flags &= ~TLS_CONN_SUITEB_NO_ECDH;
|
|
+ if (os_strstr(txt, "allow_unsafe_renegotiation=1"))
|
|
+ params->flags |= TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION;
|
|
+ if (os_strstr(txt, "allow_unsafe_renegotiation=0"))
|
|
+ params->flags &= ~TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION;
|
|
}
|
|
|
|
|
|
diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
|
|
index a1dc769c9..b5304a77e 100644
|
|
--- a/wpa_supplicant/wpa_supplicant.conf
|
|
+++ b/wpa_supplicant/wpa_supplicant.conf
|
|
@@ -1370,6 +1370,11 @@ fast_reauth=1
|
|
# tls_suiteb=0 - do not apply Suite B 192-bit constraints on TLS (default)
|
|
# tls_suiteb=1 - apply Suite B 192-bit constraints on TLS; this is used in
|
|
# particular when using Suite B with RSA keys of >= 3K (3072) bits
|
|
+# allow_unsafe_renegotiation=1 - allow connection with a TLS server that does
|
|
+# not support safe renegotiation (RFC 5746); please note that this
|
|
+# workaround should be only when having to authenticate with an old
|
|
+# authentication server that cannot be updated to use secure TLS
|
|
+# implementation.
|
|
#
|
|
# Following certificate/private key fields are used in inner Phase2
|
|
# authentication when using EAP-TTLS or EAP-PEAP.
|
|
--
|
|
2.35.1
|
|
|