aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJouni Malinen <j@w1.fi>2008-08-16 08:21:22 (GMT)
committerJouni Malinen <j@w1.fi>2008-08-16 08:21:22 (GMT)
commit1d8ce433c9491260005111812976ec0655ef1370 (patch)
tree60e5754c0d9931a90144edefa5d8aa7316a3eb64
parenta9141cffb0d80e52255e69cbb50fb9179d055786 (diff)
downloadhostap-1d8ce433c9491260005111812976ec0655ef1370.zip
hostap-1d8ce433c9491260005111812976ec0655ef1370.tar.gz
hostap-1d8ce433c9491260005111812976ec0655ef1370.tar.bz2
Internal X.509/TLSv1: Support SHA-256 in X.509 certificate digest
-rw-r--r--hostapd/ChangeLog4
-rw-r--r--src/tls/x509v3.c44
-rw-r--r--wpa_supplicant/ChangeLog4
-rw-r--r--wpa_supplicant/Makefile12
4 files changed, 57 insertions, 7 deletions
diff --git a/hostapd/ChangeLog b/hostapd/ChangeLog
index 8b29ba8..382b869 100644
--- a/hostapd/ChangeLog
+++ b/hostapd/ChangeLog
@@ -1,5 +1,9 @@
ChangeLog for hostapd
+????-??-?? - v0.6.5
+ * added support for SHA-256 as X.509 certificate digest when using the
+ internal X.509/TLSv1 implementation
+
2008-08-10 - v0.6.4
* added peer identity into EAP-FAST PAC-Opaque and skip Phase 2
Identity Request if identity is already known
diff --git a/src/tls/x509v3.c b/src/tls/x509v3.c
index 4da4891..59bf4ff 100644
--- a/src/tls/x509v3.c
+++ b/src/tls/x509v3.c
@@ -1185,6 +1185,21 @@ static int x509_sha1_oid(struct asn1_oid *oid)
}
+static int x509_sha256_oid(struct asn1_oid *oid)
+{
+ return oid->len == 9 &&
+ oid->oid[0] == 2 /* joint-iso-itu-t */ &&
+ oid->oid[1] == 16 /* country */ &&
+ oid->oid[2] == 840 /* us */ &&
+ oid->oid[3] == 1 /* organization */ &&
+ oid->oid[4] == 101 /* gov */ &&
+ oid->oid[5] == 3 /* csor */ &&
+ oid->oid[6] == 4 /* nistAlgorithm */ &&
+ oid->oid[7] == 2 /* hashAlgs */ &&
+ oid->oid[8] == 1 /* sha256 */;
+}
+
+
/**
* x509_certificate_parse - Parse a X.509 certificate in DER format
* @buf: Pointer to the X.509 certificate in DER format
@@ -1309,7 +1324,7 @@ int x509_certificate_check_signature(struct x509_certificate *issuer,
size_t data_len;
struct asn1_hdr hdr;
struct asn1_oid oid;
- u8 hash[20];
+ u8 hash[32];
size_t hash_len;
if (!x509_pkcs_oid(&cert->signature.oid) ||
@@ -1408,6 +1423,19 @@ int x509_certificate_check_signature(struct x509_certificate *issuer,
goto skip_digest_oid;
}
+ if (x509_sha256_oid(&oid)) {
+ if (cert->signature.oid.oid[6] !=
+ 11 /* sha2561WithRSAEncryption */) {
+ wpa_printf(MSG_DEBUG, "X509: digestAlgorithm SHA256 "
+ "does not match with certificate "
+ "signatureAlgorithm (%lu)",
+ cert->signature.oid.oid[6]);
+ os_free(data);
+ return -1;
+ }
+ goto skip_digest_oid;
+ }
+
if (!x509_digest_oid(&oid)) {
wpa_printf(MSG_DEBUG, "X509: Unrecognized digestAlgorithm");
os_free(data);
@@ -1466,8 +1494,20 @@ skip_digest_oid:
wpa_hexdump(MSG_MSGDUMP, "X509: Certificate hash (SHA1)",
hash, hash_len);
break;
- case 2: /* md2WithRSAEncryption */
case 11: /* sha256WithRSAEncryption */
+#ifdef NEED_SHA256
+ sha256_vector(1, &cert->tbs_cert_start, &cert->tbs_cert_len,
+ hash);
+ hash_len = 32;
+ wpa_hexdump(MSG_MSGDUMP, "X509: Certificate hash (SHA256)",
+ hash, hash_len);
+ break;
+#else /* NEED_SHA256 */
+ wpa_printf(MSG_INFO, "X509: SHA256 support disabled");
+ os_free(data);
+ return -1;
+#endif /* NEED_SHA256 */
+ case 2: /* md2WithRSAEncryption */
case 12: /* sha384WithRSAEncryption */
case 13: /* sha512WithRSAEncryption */
default:
diff --git a/wpa_supplicant/ChangeLog b/wpa_supplicant/ChangeLog
index 399bcd8..07dc0f0 100644
--- a/wpa_supplicant/ChangeLog
+++ b/wpa_supplicant/ChangeLog
@@ -1,5 +1,9 @@
ChangeLog for wpa_supplicant
+????-??-?? - v0.6.5
+ * added support for SHA-256 as X.509 certificate digest when using the
+ internal X.509/TLSv1 implementation
+
2008-08-10 - v0.6.4
* added support for EAP Sequences in EAP-FAST Phase 2
* added support for using TNC with EAP-FAST
diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
index 7fd3fc5..9920f1b 100644
--- a/wpa_supplicant/Makefile
+++ b/wpa_supplicant/Makefile
@@ -776,8 +776,14 @@ ifdef CONFIG_IEEE80211R
NEED_SHA256=y
endif
+ifdef CONFIG_IEEE80211W
+CFLAGS += -DCONFIG_IEEE80211W
+NEED_SHA256=y
+endif
+
ifdef NEED_SHA256
OBJS += ../src/crypto/sha256.o
+CFLAGS += -DNEED_SHA256
endif
ifdef CONFIG_WIRELESS_EXTENSION
@@ -861,11 +867,6 @@ ifdef CONFIG_PEERKEY
CFLAGS += -DCONFIG_PEERKEY
endif
-ifdef CONFIG_IEEE80211W
-CFLAGS += -DCONFIG_IEEE80211W
-NEED_SHA256=y
-endif
-
ifdef CONFIG_IEEE80211R
CFLAGS += -DCONFIG_IEEE80211R
OBJS += ../src/rsn_supp/wpa_ft.o
@@ -1036,6 +1037,7 @@ OBJSx=tests/test_x509v3.o ../src/tls/asn1.o ../src/tls/x509v3.o \
../src/crypto/crypto_$(CONFIG_CRYPTO).o \
../src/crypto/md5.o ../src/crypto/sha1.o ../src/crypto/aes.o \
../src/crypto/rc4.o ../src/crypto/des.o ../src/crypto/aes_wrap.o \
+ ../src/crypto/sha256.o \
../src/tls/bignum.o ../src/tls/rsa.o
test_x509v3: $(OBJSx)
$(LDO) $(LDFLAGS) -o test_x509v3 $(OBJSx)