path: root/src/crypto
Commit message | Author | Age | Files | Lines
* EAP-FAST: Enable AES256-based TLS cipher suites with OpenSSL | Jouni Malinen | 2015-12-31 | 2 | -2/+10
    This extends the list of TLS cipher suites enabled for EAP-FAST to include AES256-based suites.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* OpenSSL: Share a single openssl_tls_prf() implementation | Jouni Malinen | 2015-12-31 | 1 | -69/+13
    Add SSL_SESSION_get_master_key() compatibility wrapper for older OpenSSL versions to be able to use the new openssl_tls_prf() implementation for OpenSSL 1.1.0 with all supported versions.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* OpenSSL: Clean up function to fetch client/server random | Jouni Malinen | 2015-12-31 | 1 | -13/+27
    SSL_get_client_random() and SSL_get_server_random() will be added in OpenSSL 1.1.0. Provide compatibility wrappers for older versions to simplify the tls_connection_get_random() implementation.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* OpenSSL: Drop support for OpenSSL 1.0.0 | Jouni Malinen | 2015-12-31 | 1 | -11/+1
    The OpenSSL project will not support version 1.0.0 anymore. As there won't be even security fixes for this branch, it is not really safe to continue using 1.0.0 and we might as well drop support for it to allow cleaning up the conditional source code blocks.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* OpenSSL: Drop support for OpenSSL 0.9.8 | Jouni Malinen | 2015-12-31 | 2 | -31/+0
    The OpenSSL project will not support version 0.9.8 anymore. As there won't be even security fixes for this branch, it is not really safe to continue using 0.9.8 and we might as well drop support for it to allow cleaning up the conditional source code blocks.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Remove unnecessary cleanup assignment in SHA1Final() | Jouni Malinen | 2015-12-28 | 1 | -1/+0
    This makes some static analyzers complain about stored value never being read. While it is good to clear some other temporary variables, this local variable i has no security private information (it has a fixed value of 20 here) and trying to clear it to 0 does not add any value. Remove that part of the "wipe variables" to avoid one useless static analyzer complaint.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* TLS client: Multi-OCSP check to cover intermediate CAs | Jouni Malinen | 2015-12-23 | 1 | -6/+0
    This extends multi-OCSP support to verify status for intermediate CAs in the server certificate chain.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Add ocsp=3 configuration parameter for multi-OCSP | Jouni Malinen | 2015-12-23 | 4 | -0/+19
    ocsp=3 extends ocsp=2 by requiring all not-trusted certificates in the server certificate chain to receive a good OCSP status. This requires support for ocsp_multi (RFC 6961). This commit is only adding the configuration value, but all the currently included TLS library wrappers are rejecting this as unsupported for now.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* TLS server: OCSP stapling with ocsp_multi option (RFC 6961) | Jouni Malinen | 2015-12-22 | 1 | -0/+3
    This allows hostapd with the internal TLS server implementation to support the extended OCSP stapling mechanism with multiple responses (ocsp_stapling_response_multi).

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Server configuration for OCSP stapling with ocsp_multi (RFC 6961) | Jouni Malinen | 2015-12-22 | 1 | -0/+4
    This adds a new hostapd configuration parameter ocsp_stapling_response_multi that can be used similarly to the existing ocsp_stapling_response, but for the purpose of providing multiple cached OCSP responses. This commit adds only the configuration parameter, but does not yet add support for this mechanism with any of the supported TLS implementations.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* TLS server: OCSP stapling | Jouni Malinen | 2015-12-22 | 1 | -0/+4
    This adds support for hostapd-as-authentication-server to be built with the internal TLS implementation and OCSP stapling server side support. This is more or less identical to the design used with OpenSSL, i.e., the cached response is read from the ocsp_stapling_response=<file> and sent as a response if the client requests it during the TLS handshake.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* GnuTLS: OCSP stapling on the server side | Jouni Malinen | 2015-12-22 | 1 | -0/+52
    This adds support for hostapd-as-authentication-server to be built against GnuTLS with OCSP stapling server side support. This is more or less identical to the design used with OpenSSL, i.e., the cached response is read from the ocsp_stapling_response=<file> and sent as a response if the client requests it during the TLS handshake.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* EAP peer: External server certificate chain validation | Jouni Malinen | 2015-12-12 | 4 | -2/+16
    This adds support for optional functionality to validate server certificate chain in TLS-based EAP methods in an external program. wpa_supplicant control interface is used to indicate when such validation is needed and what the result of the external validation is.

    This external validation can extend or replace the internal validation. When ca_cert or ca_path parameter is set, the internal validation is used. If these parameters are omitted, only the external validation is used. It needs to be understood that leaving those parameters out will disable most of the validation steps done with the TLS library and that configuration is not really recommended.

    By default, the external validation is not used. It can be enabled by adding tls_ext_cert_check=1 into the network profile phase1 parameter. When enabled, external validation is required through the CTRL-REQ/RSP mechanism similarly to other EAP authentication parameters through the control interface. The request to perform external validation is indicated by the following event:

    CTRL-REQ-EXT_CERT_CHECK-<id>:External server certificate validation needed for SSID <ssid>

    Before that event, the server certificate chain is provided with the CTRL-EVENT-EAP-PEER-CERT events that include the cert=<hexdump> parameter. depth=# indicates which certificate is in question (0 for the server certificate, 1 for its issuer, and so on).

    The result of the external validation is provided with the following command:

    CTRL-RSP-EXT_CERT_CHECK-<id>:<good|bad>

    It should be noted that this is currently enabled only for OpenSSL (and BoringSSL/LibreSSL). Due to the constraints in the library API, the validation result from external processing cannot be reported cleanly with TLS alert. In other words, if the external validation rejects the server certificate chain, the pending TLS handshake is terminated without sending more messages to the server.

    Signed-off-by: Jouni Malinen <j@w1.fi>
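The commit above describes the control-interface protocol but not what an external validator does with the events. The following is an added example (not code from hostap or its author) of the minimal sane policy for such a validator: pin the SHA-256 fingerprint of the depth-0 server certificate and answer good or bad. The exact event layout used here (a "<3>" priority prefix, a subject='...' field between depth= and cert=) is an assumption; the commit only guarantees depth=# and cert=<hexdump>. The DER blobs and the pin store are constructed and are not real certificates.

```python
import hashlib
import re

# Constructed sample of control-interface output as this example assumes it
# looks: the "<3>" prefix is wpa_supplicant's event priority, the cert= value
# is a hex dump of the DER certificate. These hex blobs are NOT real
# certificates, they are stand-ins so the example runs offline.
SAMPLE_EVENTS = [
    "<3>CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/CN=Example Issuer' cert=3082010a0201010500",
    "<3>CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=radius.example.org' cert=308201300201020500aabbcc",
    "<3>CTRL-REQ-EXT_CERT_CHECK-7:External server certificate validation needed for SSID example-eap",
]

# Hypothetical pin store: SHA-256 over the DER encoding of the depth-0 server
# certificate, configured out of band. Here it is derived from the sample blob.
PINNED_SERVER_FPRS = {
    hashlib.sha256(bytes.fromhex("308201300201020500aabbcc")).hexdigest(),
}

CERT_RE = re.compile(
    r"CTRL-EVENT-EAP-PEER-CERT\s+depth=(\d+).*?\bcert=([0-9a-fA-F]+)")
REQ_RE = re.compile(r"CTRL-REQ-EXT_CERT_CHECK-(\d+):")


def parse_chain(lines):
    """Map depth -> DER bytes from the CTRL-EVENT-EAP-PEER-CERT events."""
    chain = {}
    for line in lines:
        m = CERT_RE.search(line)
        if m:
            chain[int(m.group(1))] = bytes.fromhex(m.group(2))
    return chain


def find_request_id(lines):
    """Return the <id> of the pending CTRL-REQ-EXT_CERT_CHECK, or None."""
    for line in lines:
        m = REQ_RE.search(line)
        if m:
            return m.group(1)
    return None


def fingerprint(der):
    return hashlib.sha256(der).hexdigest()


def validate_chain(chain, pinned):
    """Fail closed: True only if a depth-0 certificate was seen and its
    SHA-256 fingerprint is in the pin set. Intermediates are ignored here
    because the pin is on the leaf; a policy that checks issuers would walk
    depth 1.. as well."""
    server = chain.get(0)
    if server is None:
        return False
    return fingerprint(server) in pinned


def build_response(lines, pinned):
    """Produce the CTRL-RSP-EXT_CERT_CHECK-<id>:<good|bad> reply text that a
    control-interface client would send back to wpa_supplicant."""
    req_id = find_request_id(lines)
    if req_id is None:
        return None
    verdict = "good" if validate_chain(parse_chain(lines), pinned) else "bad"
    return "CTRL-RSP-EXT_CERT_CHECK-%s:%s" % (req_id, verdict)
```

In a real deployment the events come from the control socket (wpa_cli or a small socket client) rather than a list, and, as the commit itself warns, a pin check like this should sit on top of ca_cert validation, not replace it: with ca_cert omitted the TLS library no longer checks validity dates, signatures or key usage.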
* OpenSSL: Support new API for HMAC/EVP_MD_CTX in OpenSSL 1.1.x-pre1 | Jouni Malinen | 2015-12-10 | 1 | -0/+92
    The EVP_MD_CTX and HMAC_CTX definitions are now hidden from applications using OpenSSL. Fix compilation issues with OpenSSL 1.1.x-pre1 by using the new API for allocating these structures.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* BoringSSL: Move OCSP implementation into a separate file | Jouni Malinen | 2015-12-04 | 3 | -820/+868
    This makes it easier to share the OCSP implementation needed for BoringSSL outside tls_openssl.c. For now, this is mainly for http_curl.c.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* BoringSSL: Support new SHA_CTX definition for EAP-SIM PRF | Jouni Malinen | 2015-12-04 | 1 | -0/+14
    BoringSSL modified the struct sha_state_st (SHA_CTX) definition by converting h0..h4 to an h[5] array. This broke wpa_supplicant/hostapd build with EAP-SIM enabled. BoringSSL restored the old version for ANDROID builds, but only the new version is currently defined for non-Android cases. For now, fix this by having matching selection in fips_prf_openssl.c based on OPENSSL_IS_BORINGSSL and ANDROID defines.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* OpenSSL: Fix build with current OpenSSL master branch snapshot | Jouni Malinen | 2015-12-03 | 1 | -0/+6
    OpenSSL 1.1.x will apparently go out with "SSLeay" renamed in the API to "OpenSSL", which broke the build here for fetching the version of the running OpenSSL library when wpa_supplicant/hostapd is built against the current OpenSSL snapshot.

    Signed-off-by: Jouni Malinen <j@w1.fi>
* Fix tls_connection_prf() regression with CONFIG_TLS=internal | Jouni Malinen | 2015-11-29 | 1 | -2/+2
    Commit af851914f810978909dd8598ab88030fe43d0051 ('Make tls_connection_get_keyblock_size() internal to tls_*.c') broke tls_connection_prf() with the internal TLS implementation when using skip_keyblock=1. In practice, this broke EAP-FAST. Fix this by deriving the correct number of PRF bytes before skipping the keyblock.

    Signed-off-by: Jouni Malinen <j@w1.fi>
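To make the skip_keyblock point concrete, here is an added example (not the project's code) of the TLS 1.2 PRF from RFC 5246 and of deriving key material that sits after the key_block: the PRF has to be run for key_block_len + out_len bytes and only the tail returned. The 40-byte EAP-FAST session_key_seed and the "key expansion" label follow RFC 4851 and RFC 5246; the cipher-suite key sizes (20-byte HMAC-SHA1 key, 16-byte AES-128 key, 16-byte IV, so a 104-byte key_block) are an assumed suite, and the master secret and randoms are constructed. The too_short_derivation() function illustrates the failure mode, not the exact shape of the regression.

```python
import hashlib
import hmac


def p_hash(secret, seed, length, hashfunc=hashlib.sha256):
    """RFC 5246 P_hash: A(0)=seed, A(i)=HMAC(secret, A(i-1));
    output = HMAC(secret, A(1)+seed) || HMAC(secret, A(2)+seed) || ..."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashfunc).digest()
        out += hmac.new(secret, a + seed, hashfunc).digest()
    return out[:length]


def tls12_prf(master_secret, label, seed, length):
    """TLS 1.2 PRF with SHA-256 (RFC 5246 section 5)."""
    return p_hash(master_secret, label + seed, length, hashlib.sha256)


def keyblock_len(mac_key_len, enc_key_len, fixed_iv_len):
    """TLS 1.2 key_block size: client+server MAC key, cipher key and fixed IV."""
    return 2 * (mac_key_len + enc_key_len + fixed_iv_len)


def tls_prf_skip_keyblock(master_secret, server_random, client_random,
                          label, out_len, kb_len):
    """The skip_keyblock=1 semantics: run the PRF for kb_len + out_len bytes
    over server_random || client_random (the key_block seed order) and return
    only the bytes after the key_block."""
    seed = server_random + client_random
    stream = tls12_prf(master_secret, label, seed, kb_len + out_len)
    return stream[kb_len:]


# Constructed inputs (not real session values).
MASTER_SECRET = bytes(range(48))
SERVER_RANDOM = bytes([0xA5] * 32)
CLIENT_RANDOM = bytes([0x5A] * 32)
# Assumed suite: 20-byte HMAC-SHA1 key, 16-byte AES-128 key, 16-byte IV.
KB_LEN = keyblock_len(20, 16, 16)  # 104 bytes
SESSION_KEY_SEED_LEN = 40  # EAP-FAST session_key_seed (RFC 4851)


def eap_fast_session_key_seed():
    """Correct derivation: 40 bytes immediately following the key_block."""
    return tls_prf_skip_keyblock(MASTER_SECRET, SERVER_RANDOM, CLIENT_RANDOM,
                                 b"key expansion", SESSION_KEY_SEED_LEN, KB_LEN)


def too_short_derivation():
    """Illustration of the failure mode (not the project's exact regression):
    derive only out_len bytes and then skip the key_block, so nothing usable
    is left."""
    stream = tls12_prf(MASTER_SECRET, b"key expansion",
                       SERVER_RANDOM + CLIENT_RANDOM, SESSION_KEY_SEED_LEN)
    return stream[KB_LEN:]
```

The key_block size is a property of the negotiated cipher suite, which is why the project's earlier refactoring that hid tls_connection_get_keyblock_size() could silently change how many PRF bytes were produced.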
* Add TEST_FAIL() support for internal hash functions | Jouni Malinen | 2015-11-29 | 4 | -0/+12
    md4_vector(), md5_vector(), sha1_vector(), and sha256_vector() already supported TEST_FAIL() with the OpenSSL crypto implementation, but the same test functionality is needed for the internal crypto implementation as well.

    Signed-off-by: Jouni Malinen <j@w1.fi>
* Fix memory leak on NFC DH generation error path | Jouni Malinen | 2015-11-29 | 2 | -1/+7
    It was possible for some NFC DH generation error paths to leak memory since the old private/public key was not freed if an allocation failed.

    Signed-off-by: Jouni Malinen <j@w1.fi>
* TLS client: Use TLS_CONN_* flags | Jouni Malinen | 2015-11-29 | 1 | -2/+1
    This makes it simpler to add support for new TLS_CONN_* flags without having to add a new configuration function for each flag.

    Signed-off-by: Jouni Malinen <j@w1.fi>
* TLS: Add support for tls_get_version() | Jouni Malinen | 2015-11-29 | 1 | -1/+6
    This allows wpa_supplicant to return eap_tls_version STATUS information when using the internal TLS client implementation.

    Signed-off-by: Jouni Malinen <j@w1.fi>
* TLS client: Add support for server certificate probing | Jouni Malinen | 2015-11-29 | 1 | -0/+12
    The internal TLS client implementation can now be used with ca_cert="probe://" to probe the server certificate chain. This is also adding the related CTRL-EVENT-EAP-TLS-CERT-ERROR and CTRL-EVENT-EAP-PEER-CERT events.

    Signed-off-by: Jouni Malinen <j@w1.fi>
* crypto: Add CRYPTO_HASH_ALG_SHA384 and CRYPTO_HASH_ALG_SHA512 | Jouni Malinen | 2015-11-29 | 2 | -1/+52
    This extends the crypto_hash_*() API to support SHA384 and SHA512 when built with CONFIG_TLS=internal.

    Signed-off-by: Jouni Malinen <j@w1.fi>
* Add SHA384 and SHA512 implementations from LibTomCrypt library | Pali Rohár | 2015-11-29 | 6 | -1/+429
    These will be used with the internal TLS implementation to extend hash algorithm support for new certificates and TLS v1.2.

    Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
* Add TEST_FAIL() condition to aes_128_cbc_encrypt/decrypt() | Jouni Malinen | 2015-11-28 | 2 | -0/+12
    This enables more error path testing.

    Signed-off-by: Jouni Malinen <j@w1.fi>
* tests: Move EAP-SIM PRF module test into the hwsim framework | Jouni Malinen | 2015-11-23 | 1 | -0/+30
    The old wpa_supplicant/Makefile target test-eap_sim_common did not work anymore and anyway, this test is better placed in the newer hwsim framework to make sure the test case gets executed automatically.

    Signed-off-by: Jouni Malinen <j@w1.fi>
* Check for LIBRESSL_VERSION_NUMBER in tls_openssl.c | Marek Behún | 2015-11-22 | 1 | -6/+6
    LibreSSL does not yet support the new API, so do not use it when LIBRESSL_VERSION_NUMBER macro is defined.

    Signed-off-by: Marek Behun <kabel@blackhole.sk>
* TLS: Fix memory leak with multiple TLS server instances | Jouni Malinen | 2015-10-31 | 1 | -1/+3
    When using CONFIG_TLS=internal and starting hostapd with multiple configuration files that each initialize TLS server, the server certificate and related data were not freed for all the interfaces on exit path. Fix this by freeing the credential data that is stored separately for each call to tls_init().

    Signed-off-by: Jouni Malinen <j@w1.fi>
* tests: Fix build without CONFIG_ERP=y | Jouni Malinen | 2015-10-25 | 1 | -0/+2
    hmac_sha256_kdf() got pulled in only if CONFIG_ERP=y is set. Fix test_sha256() by making the test case conditional on the function being present.

    Signed-off-by: Jouni Malinen <j@w1.fi>
* tests: Add TEST_FAIL() condition to omac1_aes_vector() | Jouni Malinen | 2015-10-17 | 2 | -0/+6
    This enables more error path testing.

    Signed-off-by: Jouni Malinen <j@w1.fi>
* OpenSSL: Add TEST_FAIL() checks to allow error path testing | Jouni Malinen | 2015-10-11 | 1 | -0/+6
    This makes it easier to test various error paths related to key derivation and authentication steps.

    Signed-off-by: Jouni Malinen <j@w1.fi>
* OpenSSL: Make msg_callback debug prints easier to read | Jouni Malinen | 2015-10-11 | 1 | -2/+63
    Write a text version of the content type and handshake type in debug log to make it easier to follow TLS exchange.

    Signed-off-by: Jouni Malinen <j@w1.fi>
* OpenSSL: Recognize special write_p == 2 in msg_callback | Jouni Malinen | 2015-10-11 | 1 | -0/+8
    OpenSSL could use this to identify crypto tracing values if built with OPENSSL_SSL_TRACE_CRYPTO.

    Signed-off-by: Jouni Malinen <j@w1.fi>
* tests: Module test for hmac_sha256_kdf() maximum output length | Jouni Malinen | 2015-10-10 | 1 | -0/+24
    Signed-off-by: Jouni Malinen <j@w1.fi>
* Fix MSCHAP UTF-8 to UCS-2 conversion check for three-byte encoding | Jouni Malinen | 2015-10-10 | 1 | -1/+1
    The utf8_string_len comparison was off by one and ended up accepting a truncated three-byte encoded UTF-8 character at the end of the string if the octet was missing. Since the password string gets null terminated in the configuration, this did not result in reading beyond the buffer, but anyway, it is better to explicitly reject the string rather than try to use an incorrectly encoded UTF-8 string as the password.

    Signed-off-by: Jouni Malinen <j@w1.fi>
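The bound the commit corrects is the one every UTF-8 to UCS-2 converter needs: all bytes of a multi-byte sequence must be present before they are consumed. The following is an added example (not the project's code) of such a converter for the NT password encoding (UCS-2 little-endian), written so that a truncated two- or three-byte sequence at the end of the input, a four-byte sequence (outside UCS-2), a bad continuation byte, an overlong encoding or a surrogate code point all make it return None rather than a partially converted password.

```python
def utf8_to_ucs2_le(data: bytes):
    """Convert UTF-8 to UCS-2 little-endian (the encoding hashed into the NT
    password hash). Returns None for truncated or otherwise malformed input
    instead of silently accepting a cut-off multi-byte sequence."""
    out = bytearray()
    i = 0
    n = len(data)
    while i < n:
        c = data[i]
        if c < 0x80:
            cp = c
            width = 1
        elif 0xC2 <= c <= 0xDF:
            cp = c & 0x1F
            width = 2
        elif 0xE0 <= c <= 0xEF:
            cp = c & 0x0F
            width = 3
        else:
            # 0x80..0xC1 are stray continuation bytes or overlong leads;
            # 0xF0.. start 4-byte sequences whose code points exceed UCS-2.
            return None
        # The bounds check the commit above fixes: every one of the 'width'
        # bytes must exist, i.e. i + width <= n, before any is consumed.
        if i + width > n:
            return None
        for j in range(1, width):
            cb = data[i + j]
            if cb & 0xC0 != 0x80:
                return None
            cp = (cp << 6) | (cb & 0x3F)
        if width == 3 and (cp < 0x800 or 0xD800 <= cp <= 0xDFFF):
            return None  # overlong 3-byte encoding or UTF-16 surrogate
        out += cp.to_bytes(2, "little")
        i += width
    return bytes(out)
```

For well-formed BMP text the result is identical to Python's own `.encode("utf-16-le")`; the value of the hand-written version is that its failure behaviour is explicit, which is what matters when the output feeds a password hash.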
* BoringSSL: Implement support for OCSP stapling | Jouni Malinen | 2015-10-09 | 1 | -0/+847
    BoringSSL has removed the OpenSSL OCSP implementation (OCSP_*() functions) and instead, provides only a minimal mechanism for including the status request extension and fetching the response from the server. As such, the previous OpenSSL-based implementation for OCSP stapling is not usable with BoringSSL. Add a new implementation that uses BoringSSL to request and fetch the OCSP stapling response and then parse and validate this with the new implementation within wpa_supplicant. While this may not have identical behavior with the OpenSSL-based implementation, this should be a good starting point for being able to use OCSP stapling with BoringSSL.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Android: Fix keystore-backed keys with BoringSSL | Adam Langley | 2015-10-06 | 1 | -4/+28
    The switch to BoringSSL broke keystore-backed keys because wpa_supplicant was using the dynamic ENGINE loading to load the keystore module. The ENGINE-like functionality in BoringSSL is much simpler and this change should enable it.

    Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
* Fix key derivation for Suite B 192-bit AKM to use SHA384 | Jouni Malinen | 2015-08-27 | 2 | -0/+105
    While the EAPOL-Key MIC derivation was already changed from SHA256 to SHA384 for the Suite B 192-bit AKM, KDF had not been updated similarly. Fix this by using HMAC-SHA384 instead of HMAC-SHA256 when deriving PTK from PMK when using the Suite B 192-bit AKM.

    Signed-off-by: Jouni Malinen <j@w1.fi>
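As an added example (not code from hostap), this shows the derivation the commit above is about: the IEEE 802.11 KDF (HMAC over a little-endian 16-bit counter, the label, the context and the output length in bits) used to expand a PMK into KCK, KEK and TK, with the hash selected by AKM so that the Suite B 192-bit case uses HMAC-SHA384. The KDF layout, the "Pairwise key expansion" label and the min/max ordering of addresses and nonces follow IEEE 802.11; the key lengths (24/32/32 bytes for Suite B 192 with GCMP-256, 16/16/16 for a SHA-256 AKM with CCMP-128) are stated here as assumptions, and the PMK, addresses and nonces are constructed.

```python
import hashlib
import hmac


def ieee80211_kdf(key, label, context, out_bits, hashfunc):
    """IEEE 802.11 KDF-Hash-Length: concatenate HMAC(key,
    counter || label || context || length) for counter = 1, 2, ... where the
    counter and the output length in bits are both 16-bit little-endian."""
    out_len = (out_bits + 7) // 8
    out = b""
    counter = 1
    while len(out) < out_len:
        msg = (counter.to_bytes(2, "little") + label + context
               + out_bits.to_bytes(2, "little"))
        out += hmac.new(key, msg, hashfunc).digest()
        counter += 1
    return out[:out_len]


def ptk_context(aa, spa, anonce, snonce):
    """Min/Max ordering so authenticator and supplicant derive the same PTK."""
    return (min(aa, spa) + max(aa, spa)
            + min(anonce, snonce) + max(anonce, snonce))


def derive_ptk(pmk, aa, spa, anonce, snonce, suite_b_192):
    """PTK = KCK || KEK || TK. The Suite B 192-bit AKM uses HMAC-SHA384 for
    the KDF (the change the commit above makes); SHA-256-based AKMs use
    HMAC-SHA256. Key lengths are assumptions (GCMP-256 vs CCMP-128)."""
    label = b"Pairwise key expansion"
    ctx = ptk_context(aa, spa, anonce, snonce)
    if suite_b_192:
        kck_len, kek_len, tk_len = 24, 32, 32
        hashfunc = hashlib.sha384
    else:
        kck_len, kek_len, tk_len = 16, 16, 16
        hashfunc = hashlib.sha256
    total = kck_len + kek_len + tk_len
    ptk = ieee80211_kdf(pmk, label, ctx, total * 8, hashfunc)
    return {
        "KCK": ptk[:kck_len],
        "KEK": ptk[kck_len:kck_len + kek_len],
        "TK": ptk[kck_len + kek_len:total],
    }


# Constructed inputs (not a real PMK or handshake).
PMK_384 = bytes(range(48))           # 48-byte PMK for the Suite B 192-bit AKM
AA = bytes.fromhex("020000000001")   # authenticator address
SPA = bytes.fromhex("020000000002")  # supplicant address
ANONCE = bytes([0x11] * 32)
SNONCE = bytes([0x22] * 32)


def suite_b_192_ptk():
    return derive_ptk(PMK_384, AA, SPA, ANONCE, SNONCE, True)
```

The practical consequence of the bug the commit fixes is visible here: if one side runs the KDF with SHA-256 and the other with SHA-384 over the same PMK and nonces, the KCKs differ and the EAPOL-Key MIC check on message 2 fails, so the handshake never completes.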
* OpenSSL: Write PKCS#12 extra cert errors into debug log | Jouni Malinen | 2015-08-24 | 1 | -0/+5
    Commit de2a7b796d82d92120aa9532450863f503e1885a ('OpenSSL: Use connection certificate chain with PKCS#12 extra certs') added a new mechanism for doing this with OpenSSL 1.0.2 and newer. However, it did not point out anything in debug log if SSL_add1_chain_cert() failed. Add such a debug print and also silence static analyzer warning on res being stored without being read (since the error case is ignored at least for now).

    Signed-off-by: Jouni Malinen <j@w1.fi>
* OpenSSL: Enable support for server side TLS session resumption | Jouni Malinen | 2015-08-24 | 1 | -13/+115
    This allows TLS-based EAP server methods to use session resumption.

    Signed-off-by: Jouni Malinen <j@w1.fi>
* TLS: Add functions for managing cached session state | Jouni Malinen | 2015-08-23 | 5 | -0/+102
    The new tls_connection_set_success_data(), tls_connection_set_success_data_resumed(), tls_connection_get_success_data(), and tls_connection_remove_session() functions can be used to mark cached sessions valid and to remove invalid cached sessions. This commit is only adding empty functions. The actual functionality will be implemented in followup commits.

    Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP server: Add tls_session_lifetime configuration | Jouni Malinen | 2015-08-23 | 1 | -0/+1
    This new hostapd configuration parameter can be used to enable TLS session resumption. This commit adds the configuration parameter through the configuration system and RADIUS/EAPOL/EAP server components. The actual changes to enable session caching will be addressed in followup commits.

    Signed-off-by: Jouni Malinen <j@w1.fi>
* OpenSSL: Allow server connection parameters to be configured | Jouni Malinen | 2015-08-23 | 1 | -27/+36
    This extends OpenSSL version of tls_connection_set_verify() to support the new flags argument.

    Signed-off-by: Jouni Malinen <j@w1.fi>
* TLS: Add new arguments to tls_connection_set_verify() | Jouni Malinen | 2015-08-23 | 5 | -5/+15
    The new flags and session_ctx arguments will be used in followup commits.

    Signed-off-by: Jouni Malinen <j@w1.fi>
* OpenSSL: Add wrapper struct for tls_init() result | Jouni Malinen | 2015-08-23 | 1 | -50/+76
    This new struct tls_data is needed to store per-tls_init() information in the followup commits.

    Signed-off-by: Jouni Malinen <j@w1.fi>
* tests: Allow AES-WRAP-192 test cases to be commented out with BoringSSL | Jouni Malinen | 2015-08-18 | 1 | -0/+8
    BoringSSL does not support 192-bit AES, so these parts of the wpa_supplicant module tests would fail.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* OpenSSL: Reject OCSP-required configuration if no OCSP support | Jouni Malinen | 2015-08-17 | 1 | -0/+10
    This is needed at least with BoringSSL to avoid accepting OCSP-required configuration with a TLS library that does not support OCSP stapling.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* BoringSSL: Fix PKCS12_parse() segfault when used without password | Jouni Malinen | 2015-08-17 | 1 | -0/+2
    Unlike OpenSSL PKCS12_parse(), the BoringSSL version seems to require the password pointer to be non-NULL even if no password is present. Map passwd == NULL to passwd = "" to avoid a NULL pointer dereference within BoringSSL.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* OpenSSL: Handshake completion and resumption state into debug log | Jouni Malinen | 2015-08-17 | 1 | -2/+8
    This new debug log entry makes it more convenient to check how TLS handshake was completed.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>