path: root/src/tls/tlsv1_client.c
Commit message (Collapse)AuthorAgeFilesLines
* TLS: Remove storing of never-read valueJouni Malinen2015-12-281-1/+0
| | | | | | | | | | While this could in theory be claimed to be ready for something to be added to read a field following the server_write_IV, it does not look likely that such a use case would show up. As such, just remove the unused incrementing of pos at the end of the function to get rid of a useless static analyzer complaint. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* TLS: Parse CertificateStatus messageJouni Malinen2015-12-141-1/+3
| | | | | | | | | | This allows the internal TLS client implementation to accept CertificateStatus message from the server when trying to use OCSP stapling. The actual OCSPResponse is not yet processed in this commit, but the CertificateStatus message is accepted to allow the TLS handshake to continue. Signed-off-by: Jouni Malinen <j@w1.fi>
* TLS client: Use TLS_CONN_* flagsJouni Malinen2015-11-291-2/+7
| | | | | | | This makes it simpler to add support for new TLS_CONN_* flags without having to add a new configuration function for each flag. Signed-off-by: Jouni Malinen <j@w1.fi>
* TLS: Add support for tls_get_version()Jouni Malinen2015-11-291-0/+23
| | | | | | | This allows wpa_supplicant to return eap_tls_version STATUS information when using the internal TLS client implementation. Signed-off-by: Jouni Malinen <j@w1.fi>
* TLS client: Add support for server certificate probingJouni Malinen2015-11-291-0/+12
| | | | | | | | | The internal TLS client implementation can now be used with ca_cert="probe://" to probe the server certificate chain. This is also adding the related CTRL-EVENT-EAP-TLS-CERT-ERROR and CTRL-EVENT-EAP-PEER-CERT events. Signed-off-by: Jouni Malinen <j@w1.fi>
* TLS client: Add signature_algorithms extension into ClientHelloJouni Malinen2015-11-291-4/+2
| | | | | | | | | | Since we support only SHA256 (and not the default SHA1) with TLS v1.2, the signature_algorithms extensions needs to be added into ClientHello. This fixes interop issues with the current version of OpenSSL that uses the default SHA1 hash if ClientHello does not specify allowed signature algorithms. Signed-off-by: Jouni Malinen <j@w1.fi>
* Rename tls_connection_get_keys() to tls_connection_get_random()Jouni Malinen2015-08-021-3/+3
| | | | | | | | | | Commit 94f1fe6f6384a2ef379ef5b8cdc32a2fa01f8d13 ('Remove master key extraction from tls_connection_get_keys()') left only fetching of server/client random, but did not rename the function and structure to minimize code changes. The only name is quite confusing, so rename this through the repository to match the new purpose. Signed-off-by: Jouni Malinen <j@w1.fi>
* Remove master key extraction from tls_connection_get_keys()Jouni Malinen2015-03-311-2/+0
| | | | | | | | | This is not needed anymore with the tls_connection_prf() being used to handle all key derivation needs. tls_connection_get_keys() is a bit misnamed for now, but it is only used to fetch the client and server random for Session-Id derivation. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* TLS: Add new cipher suites to tls_get_cipher()Jouni Malinen2014-12-091-6/+39
| | | | | | | This fixes EAP-FAST server side issues for anonymous provisioning when using the internal TLS implementation. Signed-off-by: Jouni Malinen <j@w1.fi>
* TLS: Add support for DHE-RSA cipher suitesJouni Malinen2014-03-091-1/+6
| | | | | | | This extends the internal TLS implementation to support DHE-RSA cipher suites in both server and client roles. Signed-off-by: Jouni Malinen <j@w1.fi>
* Enable 256-bit key AES in internal TLS implementationJouni Malinen2012-09-091-4/+0
| | | | | | | | Now that the internal AES implementation supports 256-bit keys, enable use of the TLS cipher suites that use AES-256 regardless of which crypto implementation is used. Signed-hostap: Jouni Malinen <j@w1.fi>
* Remove the GPL notification from files contributed by Jouni MalinenJouni Malinen2012-02-111-8/+2
| | | | | | | Remove the GPL notification text from the files that were initially contributed by myself. Signed-hostap: Jouni Malinen <j@w1.fi>
* TLS: Add support for SHA256-based cipher suites from RFC 5246Jouni Malinen2011-11-271-0/+13
| | | | Signed-hostap: Jouni Malinen <j@w1.fi>
* TLS: Update file headers to include TLS v1.2 supportJouni Malinen2011-11-271-1/+1
| | | | Signed-hostap: Jouni Malinen <j@w1.fi>
* TLS: Pass version to tls_prf() in preparation for new PRFsJouni Malinen2011-11-271-3/+6
| | | | Signed-hostap: Jouni Malinen <j@w1.fi>
* Use NULL instead of 0 for pointersJouni Malinen2011-11-181-1/+1
| | | | Signed-hostap: Jouni Malinen <j@w1.fi>
* TLS: Fix double-free on error pathJouni Malinen2011-11-131-1/+1
| | | | Signed-hostap: Jouni Malinen <j@w1.fi>
* TLS: Add preliminary support for partial message processingJouni Malinen2011-11-131-41/+107
| | | | | | | Reassemble partial TLS records to make the internal TLS client implementation more convenient for stream sockets. Signed-hostap: Jouni Malinen <j@w1.fi>
* TLS: Clean up TLS record layer processingJouni Malinen2011-11-051-17/+56
| | | | | | | | | | Return number of user input bytes from tlsv1_record_receive() to move this detail into the proper record layer processing. In addition, ignore unknown content types at record layer and allow processing to continue after warning level TLS alerts to provide minimal workaround for closure alerts. Signed-hostap: Jouni Malinen <j@w1.fi>
* TLS: Add support for TLS v1.1 (RFC 4346) with internal TLSJouni Malinen2011-09-251-9/+21
| | | | | This is disabled by defautl and can be enabled with CONFIG_TLSV11=y build configuration parameter.
* TLS: Do not enforce in-place processing in tlsv1_record_send()Jouni Malinen2011-09-251-3/+1
| | | | | | In preparation for record layer format changes, modify tlsv1_record_send() to use separate buffers for payload and the output message.
* TLS: Add support for tls_disable_time_checks=1 in client modeJouni Malinen2011-07-051-1/+7
| | | | | | This phase1 parameter for TLS-based EAP methods was already supported with GnuTLS and this commit extends that support for OpenSSL and the internal TLS implementation.
* Include functionality to support EAP-FAST unconditionallyJouni Malinen2009-12-061-4/+0
| | | | | | | | | | Clean up the internal TLS implementation by removing conditional build blocks for (mostly) EAP-FAST specific functionality. This will increase the size a big for non-EAP-FAST builds, but is quite helpful in making src/tls/libtls.a with single build options. If the potential size reduction is considered significant in the future, this can be reconsider with a more library compatible way (e.g., external file with registration function, etc.).
* Remove src/crypto from default include pathJouni Malinen2009-11-291-2/+2
| | | | | | In addition, start ordering header file includes to be in more consistent order: system header files, src/utils, src/*, same directory as the *.c file.
* Fix a typo in a commentJouni Malinen2009-11-211-1/+1
* Add a workaround for EAP-FAST with Cisco AP local RADIUS serverJouni Malinen2009-03-081-0/+11
| | | | | | | | | | | | | | | | When using the internal TLS implementation, EAP-FAST unauthenticated provisioning ends up proposing multiple cipher suites. It looks like Cisco AP (at least 350 and 1200 series) local authentication server does not know how to search cipher suites from the list and seem to require that the last entry in the list is the one that it wants to use. However, TLS specification requires the list to be in the client preference order. As a workaround, ass anon-DH AES-128-SHA1 again at the end of the list to allow the Cisco code to find it. This fixed EAP-FAST provisioning with the following IOS version: Cisco IOS Software, C350 Software (C350-K9W7-M), Version 12.3(8)JEA3, RELEASE SOFTWARE (fc2) Compiled Wed 21-Nov-07 14:08 by ccai
* Fixed number of doxygen warningsJouni Malinen2009-01-021-0/+2
* Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 releaseJouni Malinen2008-02-281-0/+658