aboutsummaryrefslogtreecommitdiffstats
path: root/src/crypto
Commit message (Collapse)AuthorAgeFilesLines
* OpenSSL: Fix compilation for version < 1.1.0 without CONFIG_ECCHEADpendingmasterWolfgang Steinwender16 hours1-0/+2
| | | | | | | | When CONFIG_ECC is not defined, openssl/ec.h is not included and EC_KEY not known. Fix be not defining EVP_PKEY_get0_EC_KEY() when CONFIG_ECC is not defined. Signed-off-by: Wolfgang Steinwender <wsteinwender@pcs.com>
* EAP-TTLS/PEAP peer: Fix failure when using session tickets under TLS 1.3Alexander Clouter2021-02-201-4/+14
| | | | | | | | | | | | | | | | | | | | | | | EAP peer does not expect data present when beginning the Phase 2 in EAP-{TTLS,PEAP} but in TLS 1.3 session tickets are sent after the handshake completes. There are several strategies that can be used to handle this, but this patch picks up from the discussion[1] and implements the proposed use of SSL_MODE_AUTO_RETRY. SSL_MODE_AUTO_RETRY has already been enabled by default in OpenSSL 1.1.1, but it needs to be enabled for older versions. The main OpenSSL wrapper change in tls_connection_decrypt() takes care of the new possible case with SSL_MODE_AUTO_RETRY for SSL_ERROR_WANT_READ to indicate that a non-application_data was processed. That is not really an error case with TLS 1.3, so allow it to complete and return an empty decrypted application data buffer. EAP-PEAP/TTLS processing can then use this to move ahead with starting Phase 2. [1] https://www.spinics.net/lists/hostap/msg05376.html Signed-off-by: Alexander Clouter <alex@digriz.org.uk>
* wolfSSL: wolfSSL_use_PrivateKey_* correct return codesJuliusz Sosinowicz2021-02-091-3/+3
| | | | | | | The wolfSSL_use_PrivateKey_* APIs return 1 on success. 0 is also an error. Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
* wolfSSL: Client cert loading API fixJuliusz Sosinowicz2020-12-041-4/+4
| | | | | | | Client cert loading API should check equality to SSL_SUCCESS for success. Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
* OpenSSL: Make openssl_debug_dump_certificate() more robustPooventhiran G2020-10-191-0/+3
| | | | | | | | | | | SSL_CTX_get0_certificate() returns NULL if no certificate is installed. While this should not be the case here due to the loop in openssl_debug_dump_certificate_chains() proceeding only if the SSL_CTX_set_current_cert() returns success, it is safer to make openssl_debug_dump_certificate() explicitly check against NULL before trying to dump details about the certificate. Signed-off-by: Pooventhiran G <pooventh@codeaurora.org>
* build: Make more library things commonJohannes Berg2020-10-121-9/+1
| | | | | | | | We don't really need to duplicate more of this, so just move the lib.rules include to the end and do more of the stuff that's common anyway there. Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* build: Make a common library buildJohannes Berg2020-10-121-4/+0
| | | | | | | | | | Derive the library name from the directory name, and let each library Makefile only declare the objects that are needed. This reduces duplicate code for the ar call. While at it, also pretty-print that call. Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* gitignore: Clean up a bitJohannes Berg2020-10-111-1/+0
| | | | | | | | Now that we no longer leave build artifacts outside the build folder, we can clean up the gitignore a bit. Also move more things to per-folder files that we mostly had already anyway. Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* build: Put archive files into build/ folder tooJohannes Berg2020-10-111-2/+2
| | | | | | | | | | | | | | | | This is something I hadn't previously done, but there are cases where it's needed, e.g., building 'wlantest' and then one of the tests/fuzzing/*/ projects, they use a different configuration (fuzzing vs. not fuzzing). Perhaps more importantly, this gets rid of the last thing that was dumped into the source directories, apart from the binaries themselves. Note that due to the use of thin archives, this required building with absolute paths. Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* wolfSSL: Fix wrong types in tls_wolfssl.cJuliusz Sosinowicz2020-10-111-20/+27
| | | | | | | | | | wolfSSL_X509_get_ext_d2i() returns STACK_OF(GENERAL_NAME)* for ALT_NAMES_OID therefore wolfSSL_sk_value needs to expect a WOLFSSL_GENERAL_NAME*. In addition, explicitly check for NULL return from wolfSSL_sk_value(). Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
* build: Put object files into build/ folderJohannes Berg2020-10-101-2/+2
| | | | | | | | | | | | | | | | Instead of building in the source tree, put most object files into the build/ folder at the root, and put each thing that's being built into a separate folder. This then allows us to build hostapd and wpa_supplicant (or other combinations) without "make clean" inbetween. For the tests keep the objects in place for now (and to do that, add the build rule) so that we don't have to rewrite all of that with $(call BUILDOBJS,...) which is just noise there. Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* build: Use build.rules in lib.rulesJohannes Berg2020-10-101-5/+2
| | | | | | | Use the new build.rules in lib.rules and also unify the clean targets to lib.rules. Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* OpenSSL: Allow systemwide secpolicy overrides for TLS versionJouni Malinen2020-09-081-9/+17
| | | | | | | | | | | Explicit configuration to enable TLS v1.0 and/or v1.1 did not work with systemwide OpenSSL secpolicy=2 cases (e.g., Ubuntu 20.04). Allow such systemwide configuration to be overridden if the older TLS versions have been explicitly enabled in the network profile. The default behavior follows the systemwide policy, but this allows compatibility with old authentication servers without having to touch the systemwide policy. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* LibreSSL: Fix build with LibreSSL versions older than 2.9.1Jouni Malinen2020-08-221-0/+5
| | | | | | | | SSL_add0_chain_cert() was not available in LibreSSL before version 2.9.1. Fixes: 4b834df5e08a ("OpenSSL: Support PEM encoded chain from client_cert blob") Signed-off-by: Jouni Malinen <j@w1.fi>
* tests: AES-CTR encrypt test vectorsJouni Malinen2020-07-301-0/+150
| | | | | | | | | Verify AES-CTR encryption implementation against the test vectors in NIST SP 800-38a. This implementations was already tested against AES SIV and EAX mode test vectors, but this adds more explicit testing against published CTR mode test vectors. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* OpenSSL: Provide access to peer subject and own certificate useJouni Malinen2020-06-202-1/+42
| | | | | | | | These are needed for EAP-TEAP server and client side implementation to allow Phase 2 to be skipped based on client certificate use during Phase 1. Signed-off-by: Jouni Malinen <j@w1.fi>
* OpenSSL: Use EVP-based interface for ECDSA sign/verifyJouni Malinen2020-06-161-17/+22
| | | | | | | | The low level ECDSA interface is not available in BoringSSL and has been deprecetated in OpenSSL 3.0, so move to using a higher layer EVP-based interface for performing the ECDSA sign/verify operations. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* OpenSSL: Support EC key from private_key blobJouni Malinen2020-06-161-0/+11
| | | | | | | Try to parse the private_key blob as an ECPrivateKey in addition to the previously supported RSA and DSA. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* OpenSSL: Support PEM encoded chain from client_cert blobJouni Malinen2020-06-161-0/+23
| | | | | | | Allow a chain of certificates to be configured through a client_cert blob. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* OpenSSL: Additional EC functionality for SAE-PKJouni Malinen2020-06-022-0/+176
| | | | | | | These will be needed for implementing SAE-PK ECDSA signing and signature verification operations. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Fix a typo in a commentJouni Malinen2020-05-161-1/+1
| | | | Signed-off-by: Jouni Malinen <j@w1.fi>
* wolfssl: Fix crypto_bignum_rand() implementationJouni Malinen2020-05-161-5/+7
| | | | | | | | | | | | | | The previous implementation used mp_rand_prime() to generate a random value in range 0..m. That is insanely slow way of generating a random value since mp_rand_prime() is for generating a random _prime_ which is not what is needed here. Replace that implementation with generationg of a random value in the requested range without doing any kind of prime number checks or loops to reject values that are not primes. This speeds up SAE and EAP-pwd routines by couple of orders of magnitude.. Signed-off-by: Jouni Malinen <j@w1.fi>
* wolfssl: Fix compiler warnings on size_t printf format useJouni Malinen2020-05-161-2/+2
| | | | Signed-off-by: Jouni Malinen <j@w1.fi>
* crypto: Add a function to get the ECDH prime lengthIlan Peer2020-02-293-0/+13
| | | | | | | crypto_ecdh_prime_len() can now be used to fetch the length (in octets) of the prime used in ECDH. Signed-off-by: Ilan Peer <ilan.peer@intel.com>
* wlantest: Add PTK derivation support with SAE, OWE, DPPJouni Malinen2020-02-101-0/+2
| | | | | | | | | wlantest build did not define build options to determine key management values for SAE, OWE, and DPP. Add those and the needed SHA512 functions to be able to decrypt sniffer captures with PMK available from an external source. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* crypto: Allow up to 10 fragments for hmac_sha*_vector()Jouni Malinen2020-01-263-9/+9
| | | | | | | | This increases the limit of how many data fragments can be supported with the internal HMAC implementation. The previous limit was hit with some FT use cases. Signed-off-by: Jouni Malinen <j@w1.fi>
* OpenSSL: Fix memory leak in TOD policy validationJouni Malinen2020-01-071-0/+1
| | | | | | | Returned policies from X509_get_ext_d2i() need to be freed. Fixes: 21f1a1e66c39 ("Report TOD policy") Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* OpenSSL: Add support for TPM2-wrapped keysDaniel Kobras2019-12-291-1/+83
| | | | | | | | | | | | | | If the header of a PEM-formatted certificate or key in private_key file indicates that it is wrapped with a TPM2 key, try to autoload the appropriate OpenSSL engine that can transparently unwrap the key. This enables systems to use TPM2-wrapped keys as drop-in replacements to ordinary SSL keys. This functionality needs https://git.kernel.org/pub/scm/linux/kernel/git/jejb/openssl_tpm2_engine.git to be installed as an OpenSSL engine. Signed-off-by: Daniel Kobras <kobras@puzzle-itc.de>
* OpenSSL: Extend key_block size determination to support GCM/CCM ciphersJouni Malinen2019-12-231-7/+24
| | | | | | | | | These ciphers do not use a separate MAC algorithm, so digest nid will be NID_undef. In addition, the fixed_iv_length needs to be set to 4 which is the implicit part of the IV from PRF. This is needed to fix EAP-FAST key derivation for cases where GCM/CCM ciphers are used for TLS. Signed-off-by: Jouni Malinen <j@w1.fi>
* crypto: Remove unused crypto_bignum_sqrtmod()Jouni Malinen2019-10-253-41/+0
| | | | | | | | This wrapper function is not used anymore, so drop it instead of trying to figure out good way of implementing it in constant time with various crypto libraries. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* wolfSSL: Fix crypto_bignum_sub()Jouni Malinen2019-10-141-1/+1
| | | | | | | | | The initial crypto wrapper implementation for wolfSSL seems to have included a copy-paste error in crypto_bignum_sub() implementation that was identical to crypto_bignum_add() while mp_sub() should have been used instead of mp_add(). Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* crypto: Add more bignum/EC helper functionsJouni Malinen2019-10-143-0/+205
| | | | | | These are needed for implementing SAE hash-to-element. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* OpenSSL: Write peer certificate chain details in debug logJouni Malinen2019-08-191-35/+34
| | | | | | | This makes it more convenient to debug TLS certificate validation issues. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Add TLS-PRF using HMAC with P_SHA384 for TEAPJouni Malinen2019-08-162-0/+74
| | | | | | | This version of TLS PRF is needed when using TEAP with TLS ciphersuites that are defined to use SHA384 instead of SHA256. Signed-off-by: Jouni Malinen <j@w1.fi>
* Extend server certificate TOD policy reporting to include TOD-TOFUJouni Malinen2019-08-161-1/+3
| | | | | | | | | The previously used single TOD policy was split into two policies: TOD-STRICT and TOD-TOFU. Report these separately in the CTRL-EVENT-EAP-PEER-CERT events (tod=1 for TOD-STRICT and tod=2 for TOD-TOFU). Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* wolfssl: Avoid void pointer arithmeticJouni Malinen2019-08-061-1/+1
| | | | | | | This is a compiler specific extension and not compliant with the C standard. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* OpenSSL: Handle EVP_PKEY_derive() secret_len changes for ECDHJouni Malinen2019-08-041-2/+6
| | | | | | | | | | | It looks like EVP_PKEY_derive() may change the returned length of the buffer from the initial length determination (NULL buffer) to the fetching of the value. Handle this by updating the secret length based on the second call instead of the first one. This fixes some cases where ECDH result has been used with extra data (zeros in the end) with OWE or FILS PFS. Signed-off-by: Jouni Malinen <j@w1.fi>
* OpenSSL: Fix crypto_bignum_to_bin() with padlen == 0Jouni Malinen2019-08-031-13/+9
| | | | | | | | | | | | The earlier change to add support for BN_bn2binpad() and BN_bn2bin_padded() broke this function for cases where no padding is used (padlen == 0). Those would have always failed after the changes and the function would return -1. There are no such cases in the current hostap.git, so this did not have any real issues, but anyway, better fix this function to match its documentation. Fixes: 1e237903f5b5 ("OpenSSL: Use BN_bn2binpad() or BN_bn2bin_padded() if available") Signed-off-by: Jouni Malinen <j@w1.fi>
* OpenSSL: Fix build with LibreSSL and BoringSSLJouni Malinen2019-07-131-0/+6
| | | | | | | | The new certificate chain debug dumps used functions that are not available with LibreSSL or BoringSSL. Fixes: 857edf4bf43e ("OpenSSL: More debug prints of configured ciphers and certificates") Signed-off-by: Jouni Malinen <j@w1.fi>
* OpenSSL: Fix TLS_CONN_TEAP_ANON_DH build with some library versionsJouni Malinen2019-07-131-1/+4
| | | | | | | | | The OPENSSL_VERSION_NUMBER ifdef block left out the local variable that is needed with all versions. In addition, SSL_set_security_level() is not available with LibreSSL or BoringSSL. Fixes: 3ec65a8e38a0 ("OpenSSL: Allow anon-DH cipher suites to be added for TEAP") Signed-off-by: Jouni Malinen <j@w1.fi>
* OpenSSL: Fix build with OpenSSL 1.0.2 and 1.1.0 and LibreSSLJouni Malinen2019-07-131-0/+4
| | | | | | | | | The tls_connection_get_cipher_suite() implementation used SSL_CIPHER_get_protocol_id which was added in OpenSSL 1.1.1. Need to use compatibility code with older versions. Fixes: 94714ec341cc ("OpenSSL: Add tls_connection_get_cipher_suite()") Signed-off-by: Jouni Malinen <j@w1.fi>
* OpenSSL: Parse msg_callback inner content type into debug messagesJouni Malinen2019-07-121-0/+4
| | | | Signed-off-by: Jouni Malinen <j@w1.fi>
* OpenSSL: disable TLS 1.3 middlebox compatibilityJouni Malinen2019-07-121-0/+5
| | | | | | | | This will hopefully not be needed for EAP-TLS use cases since there should not really be a middlebox that looks at the TLS layer details in case of EAP authentication. Signed-off-by: Jouni Malinen <j@w1.fi>
* OpenSSL: Allow two server certificates/keys to be configured on serverJouni Malinen2019-07-122-0/+6
| | | | | | | | | | | | | hostapd EAP server can now be configured with two separate server certificates/keys to enable parallel operations using both RSA and ECC public keys. The server will pick which one to use based on the client preferences for the cipher suite (in the TLS ClientHello message). It should be noted that number of deployed EAP peer implementations do not filter out the cipher suite list based on their local configuration and as such, configuration of alternative types of certificates on the server may result in interoperability issues. Signed-off-by: Jouni Malinen <j@w1.fi>
* OpenSSL: More debug prints of configured ciphers and certificatesJouni Malinen2019-07-111-0/+120
| | | | | | | This adds TLS server mode debug prints to make it easier to see what exactly has been configured in OpenSSL. Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-TEAP server and peer implementation (RFC 7170)Jouni Malinen2019-07-091-9/+16
| | | | | | | | | | | | | | | | | This adds support for a new EAP method: EAP-TEAP (Tunnel Extensible Authentication Protocol). This should be considered experimental since RFC 7170 has number of conflicting statements and missing details to allow unambiguous interpretation. As such, there may be interoperability issues with other implementations and this version should not be deployed for production purposes until those unclear areas are resolved. This does not yet support use of NewSessionTicket message to deliver a new PAC (either in the server or peer implementation). In other words, only the in-tunnel distribution of PAC-Opaque is supported for now. Use of the NewSessionTicket mechanism would require TLS library support to allow arbitrary data to be specified as the contents of the message. Signed-off-by: Jouni Malinen <j@w1.fi>
* Return success/failure result from tls_prf_sha256()Jouni Malinen2019-07-092-8/+13
| | | | | | | The hash functions used within this function could fail in theory, so provide the result to the caller. Signed-off-by: Jouni Malinen <j@w1.fi>
* OpenSSL: Allow anon-DH cipher suites to be added for TEAPJouni Malinen2019-07-092-0/+32
| | | | | | | | Add a new TLS_CONN_* flag to provide a higher level mechanism for adding (instead of fully replacing) allowed list of TLS ciphersuites for TEAP provisioning purposes. Signed-off-by: Jouni Malinen <j@w1.fi>
* OpenSSL: Add tls_connection_get_cipher_suite()Jouni Malinen2019-07-092-0/+18
| | | | | | This can be used to fetch the 16-bit TLS cipher suite identifier. Signed-off-by: Jouni Malinen <j@w1.fi>
* OpenSSL: Reject empty cipher list in tls_connection_set_cipher_list()Jouni Malinen2019-07-091-0/+4
| | | | | | | Previously, this invalid call would have resulted in printing out a string from uninitialized memory Signed-off-by: Jouni Malinen <j@w1.fi>