diff options
Diffstat (limited to 'main/wpa_supplicant/unsafe-renegotiation-2.patch')
| -rw-r--r-- | main/wpa_supplicant/unsafe-renegotiation-2.patch | 105 |
1 files changed, 105 insertions, 0 deletions
diff --git a/main/wpa_supplicant/unsafe-renegotiation-2.patch b/main/wpa_supplicant/unsafe-renegotiation-2.patch new file mode 100644 index 00000000000..20466378d6f --- /dev/null +++ b/main/wpa_supplicant/unsafe-renegotiation-2.patch @@ -0,0 +1,105 @@ +Patch-Source: https://w1.fi/cgit/hostap/commit/?id=a561d12d24c2c8bb0f825d4a3a55a5e47e845853 +From a561d12d24c2c8bb0f825d4a3a55a5e47e845853 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <quic_jouni@quicinc.com> +Date: Wed, 4 May 2022 23:55:38 +0300 +Subject: EAP peer status notification for server not supporting RFC 5746 + +Add a notification message to indicate reason for TLS handshake failure +due to the server not supporting safe renegotiation (RFC 5746). + +Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com> +--- + src/ap/authsrv.c | 3 +++ + src/crypto/tls.h | 3 ++- + src/crypto/tls_openssl.c | 15 +++++++++++++-- + src/eap_peer/eap.c | 5 +++++ + 4 files changed, 23 insertions(+), 3 deletions(-) + +diff --git a/src/ap/authsrv.c b/src/ap/authsrv.c +index 516c1da74..fd9c96fad 100644 +--- a/src/ap/authsrv.c ++++ b/src/ap/authsrv.c +@@ -169,6 +169,9 @@ static void authsrv_tls_event(void *ctx, enum tls_event ev, + wpa_printf(MSG_DEBUG, "authsrv: remote TLS alert: %s", + data->alert.description); + break; ++ case TLS_UNSAFE_RENEGOTIATION_DISABLED: ++ /* Not applicable to TLS server */ ++ break; + } + } + #endif /* EAP_TLS_FUNCS */ +diff --git a/src/crypto/tls.h b/src/crypto/tls.h +index 7ea32ee4a..7a2ee32df 100644 +--- a/src/crypto/tls.h ++++ b/src/crypto/tls.h +@@ -22,7 +22,8 @@ enum tls_event { + TLS_CERT_CHAIN_SUCCESS, + TLS_CERT_CHAIN_FAILURE, + TLS_PEER_CERTIFICATE, +- TLS_ALERT ++ TLS_ALERT, ++ TLS_UNSAFE_RENEGOTIATION_DISABLED, + }; + + /* +diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c +index 0d23f44ad..912471ba2 100644 +--- a/src/crypto/tls_openssl.c ++++ b/src/crypto/tls_openssl.c +@@ -4443,6 +4443,7 @@ int tls_connection_get_eap_fast_key(void *tls_ctx, struct tls_connection *conn, + static struct wpabuf * + openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data) + { ++ struct tls_context *context = conn->context; + int res; + struct wpabuf *out_data; + +@@ -4472,7 +4473,19 @@ openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data) + wpa_printf(MSG_DEBUG, "SSL: SSL_connect - want to " + "write"); + else { ++ unsigned long error = ERR_peek_last_error(); ++ + tls_show_errors(MSG_INFO, __func__, "SSL_connect"); ++ ++ if (context->event_cb && ++ ERR_GET_LIB(error) == ERR_LIB_SSL && ++ ERR_GET_REASON(error) == ++ SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED) { ++ context->event_cb( ++ context->cb_ctx, ++ TLS_UNSAFE_RENEGOTIATION_DISABLED, ++ NULL); ++ } + conn->failed++; + if (!conn->server && !conn->client_hello_generated) { + /* The server would not understand TLS Alert +@@ -4495,8 +4508,6 @@ openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data) + if ((conn->flags & TLS_CONN_SUITEB) && !conn->server && + os_strncmp(SSL_get_cipher(conn->ssl), "DHE-", 4) == 0 && + conn->server_dh_prime_len < 3072) { +- struct tls_context *context = conn->context; +- + /* + * This should not be reached since earlier cert_cb should have + * terminated the handshake. Keep this check here for extra +diff --git a/src/eap_peer/eap.c b/src/eap_peer/eap.c +index 429b20d3a..729388f4f 100644 +--- a/src/eap_peer/eap.c ++++ b/src/eap_peer/eap.c +@@ -2172,6 +2172,11 @@ static void eap_peer_sm_tls_event(void *ctx, enum tls_event ev, + eap_notify_status(sm, "remote TLS alert", + data->alert.description); + break; ++ case TLS_UNSAFE_RENEGOTIATION_DISABLED: ++ wpa_printf(MSG_INFO, ++ "TLS handshake failed due to the server not supporting safe renegotiation (RFC 5746); phase1 parameter allow_unsafe_renegotiation=1 can be used to work around this"); ++ eap_notify_status(sm, "unsafe server renegotiation", "failure"); ++ break; + } + + os_free(hash_hex); +-- +cgit v1.2.3-18-g5258 + |