-rw-r--r--hostapd/Makefile8
-rw-r--r--hostapd/defconfig4
-rw-r--r--src/tls/tlsv1_common.c15
-rw-r--r--src/tls/tlsv1_common.h5
-rw-r--r--wpa_supplicant/Makefile8
-rw-r--r--wpa_supplicant/defconfig7
6 files changed, 47 insertions, 0 deletions
diff --git a/hostapd/Makefile b/hostapd/Makefile
index 2dfb7d6..22c09c1 100644
--- a/hostapd/Makefile
+++ b/hostapd/Makefile
@@ -440,6 +440,11 @@ ifdef CONFIG_TLSV11
CFLAGS += -DCONFIG_TLSV11
endif
+ifdef CONFIG_TLSV12
+CFLAGS += -DCONFIG_TLSV12
+NEED_SHA256=y
+endif
+
ifeq ($(CONFIG_TLS), openssl)
ifdef TLS_FUNCS
OBJS += ../src/crypto/tls_openssl.o
@@ -519,6 +524,9 @@ OBJS += ../src/tls/pkcs8.o
NEED_SHA256=y
NEED_BASE64=y
NEED_TLS_PRF=y
+ifdef CONFIG_TLSV12
+NEED_TLS_PRF_SHA256=y
+endif
NEED_MODEXP=y
NEED_CIPHER=y
CFLAGS += -DCONFIG_TLS_INTERNAL
diff --git a/hostapd/defconfig b/hostapd/defconfig
index 36f286f..bae5ba2 100644
--- a/hostapd/defconfig
+++ b/hostapd/defconfig
@@ -221,6 +221,10 @@ CONFIG_IPV6=y
# are used.
#CONFIG_TLSV11=y
+# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
+# can be enabled to enable use of stronger crypto algorithms.
+#CONFIG_TLSV12=y
+
# If CONFIG_TLS=internal is used, additional library and include paths are
# needed for LibTomMath. Alternatively, an integrated, minimal version of
# LibTomMath can be used. See beginning of libtommath.c for details on benefits
diff --git a/src/tls/tlsv1_common.c b/src/tls/tlsv1_common.c
index a9ffc10..19c50c2 100644
--- a/src/tls/tlsv1_common.c
+++ b/src/tls/tlsv1_common.c
@@ -16,6 +16,7 @@
#include "common.h"
#include "crypto/sha1.h"
+#include "crypto/sha256.h"
#include "x509v3.h"
#include "tlsv1_common.h"
@@ -250,6 +251,10 @@ int tls_version_ok(u16 ver)
if (ver == TLS_VERSION_1_1)
return 1;
#endif /* CONFIG_TLSV11 */
+#ifdef CONFIG_TLSV12
+ if (ver == TLS_VERSION_1_2)
+ return 1;
+#endif /* CONFIG_TLSV12 */
return 0;
}
@@ -262,6 +267,8 @@ const char * tls_version_str(u16 ver)
return "1.0";
case TLS_VERSION_1_1:
return "1.1";
+ case TLS_VERSION_1_2:
+ return "1.2";
}
return "?";
@@ -271,6 +278,14 @@ const char * tls_version_str(u16 ver)
int tls_prf(u16 ver, const u8 *secret, size_t secret_len, const char *label,
const u8 *seed, size_t seed_len, u8 *out, size_t outlen)
{
+#ifdef CONFIG_TLSV12
+ if (ver >= TLS_VERSION_1_2) {
+ tls_prf_sha256(secret, secret_len, label, seed, seed_len,
+ out, outlen);
+ return 0;
+ }
+#endif /* CONFIG_TLSV12 */
+
return tls_prf_sha1_md5(secret, secret_len, label, seed, seed_len, out,
outlen);
}
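Review bot: The new TLS 1.2 branch in tls_prf() hardcodes the SHA-256 PRF, whereas RFC 5246 section 5 makes the PRF hash a property of the negotiated cipher suite; this holds for every suite defined in RFC 5246 itself, but suites whose PRF is SHA-384 (RFC 5289) would silently derive wrong key material through this path. A comment above the branch would record the assumption: `/* TLS 1.2 PRF: all RFC 5246 cipher suites use P_SHA256; suites with another PRF hash (e.g. SHA-384) would need per-suite PRF selection here */`. The branch also returns 0 without any result from tls_prf_sha256(), so if that helper can ever report a failure it is lost here; presumably it is a void helper, so this may be intentional, but the SHA-1/MD5 path does propagate its return value. tls_prf()'s body is complete within the hunk.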
diff --git a/src/tls/tlsv1_common.h b/src/tls/tlsv1_common.h
index 855a407..91a0380 100644
--- a/src/tls/tlsv1_common.h
+++ b/src/tls/tlsv1_common.h
@@ -19,11 +19,16 @@
#define TLS_VERSION_1 0x0301 /* TLSv1 */
#define TLS_VERSION_1_1 0x0302 /* TLSv1.1 */
+#define TLS_VERSION_1_2 0x0303 /* TLSv1.2 */
+#ifdef CONFIG_TLSV12
+#define TLS_VERSION TLS_VERSION_1_2
+#else /* CONFIG_TLSV12 */
#ifdef CONFIG_TLSV11
#define TLS_VERSION TLS_VERSION_1_1
#else /* CONFIG_TLSV11 */
#define TLS_VERSION TLS_VERSION_1
#endif /* CONFIG_TLSV11 */
+#endif /* CONFIG_TLSV12 */
#define TLS_RANDOM_LEN 32
#define TLS_PRE_MASTER_SECRET_LEN 48
#define TLS_MASTER_SECRET_LEN 48
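Review bot: The nested #ifdef chain now selects TLS_VERSION from three build options but nothing says what the macro means, and the reader has to infer from tls_version_ok() in tlsv1_common.c that it is the highest version the build advertises while lower enabled versions are still accepted. A one-line comment above the chain would make that explicit: `/* Highest TLS version this build offers; tls_version_ok() still accepts lower enabled versions */`. If TLS_VERSION is used elsewhere as the only version negotiated, the wording should be adjusted accordingly.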
diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
index dad156c..0bc96c7 100644
--- a/wpa_supplicant/Makefile
+++ b/wpa_supplicant/Makefile
@@ -827,6 +827,11 @@ ifdef CONFIG_TLSV11
CFLAGS += -DCONFIG_TLSV11
endif
+ifdef CONFIG_TLSV12
+CFLAGS += -DCONFIG_TLSV12
+NEED_SHA256=y
+endif
+
ifeq ($(CONFIG_TLS), openssl)
ifdef TLS_FUNCS
CFLAGS += -DEAP_TLS_OPENSSL
@@ -911,6 +916,9 @@ OBJS += ../src/tls/pkcs8.o
NEED_SHA256=y
NEED_BASE64=y
NEED_TLS_PRF=y
+ifdef CONFIG_TLSV12
+NEED_TLS_PRF_SHA256=y
+endif
NEED_MODEXP=y
NEED_CIPHER=y
CFLAGS += -DCONFIG_TLS_INTERNAL_CLIENT
diff --git a/wpa_supplicant/defconfig b/wpa_supplicant/defconfig
index 03a4223..cff25d6 100644
--- a/wpa_supplicant/defconfig
+++ b/wpa_supplicant/defconfig
@@ -332,6 +332,13 @@ CONFIG_PEERKEY=y
# sent prior to negotiating which version will be used)
#CONFIG_TLSV11=y
+# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
+# can be enabled to enable use of stronger crypto algorithms. It should be
+# noted that some existing TLS v1.0 -based implementation may not be compatible
+# with TLS v1.2 message (ClientHello is sent prior to negotiating which version
+# will be used)
+#CONFIG_TLSV12=y
+
# If CONFIG_TLS=internal is used, additional library and include paths are
# needed for LibTomMath. Alternatively, an integrated, minimal version of
# LibTomMath can be used. See beginning of libtommath.c for details on benefits