wolfSSL: Fix EAP-FAST key derivation

Implement tls_connection_get_eap_fast_key() using cryptographic
primitives as wolfSSL implements different spec.

Signed-off-by: Sean Parkinson <sean@wolfssl.com>
This commit is contained in:
Sean Parkinson 2018-03-29 14:55:55 +10:00 committed by Jouni Malinen
parent 71faf06cb6
commit ab35793ec1
2 changed files with 47 additions and 4 deletions

View file

@ -10,6 +10,8 @@
#include "common.h"
#include "crypto.h"
#include "crypto/sha1.h"
#include "crypto/sha256.h"
#include "tls.h"
/* wolfSSL includes */
@ -1962,18 +1964,58 @@ int tls_connection_export_key(void *tls_ctx, struct tls_connection *conn,
}
#define SEED_LEN (RAN_LEN + RAN_LEN)
int tls_connection_get_eap_fast_key(void *tls_ctx, struct tls_connection *conn,
u8 *out, size_t out_len)
{
int ret;
byte seed[SEED_LEN];
int ret = -1;
WOLFSSL *ssl;
byte *tmp_out;
byte *_out;
int skip = 0;
byte *master_key;
unsigned int master_key_len;
byte *server_random;
unsigned int server_len;
byte *client_random;
unsigned int client_len;
if (!conn || !conn->ssl)
return -1;
ssl = conn->ssl;
ret = wolfSSL_make_eap_keys(conn->ssl, out, out_len, "key expansion");
if (ret != 0)
skip = 2 * (wolfSSL_GetKeySize(ssl) + wolfSSL_GetHmacSize(ssl) +
wolfSSL_GetIVSize(ssl));
tmp_out = os_malloc(skip + out_len);
if (!tmp_out)
return -1;
return 0;
_out = tmp_out;
wolfSSL_get_keys(ssl, &master_key, &master_key_len, &server_random,
&server_len, &client_random, &client_len);
os_memcpy(seed, server_random, RAN_LEN);
os_memcpy(seed + RAN_LEN, client_random, RAN_LEN);
if (wolfSSL_GetVersion(ssl) == WOLFSSL_TLSV1_2) {
tls_prf_sha256(master_key, master_key_len,
"key expansion", seed, sizeof(seed),
_out, skip + out_len);
ret = 0;
} else {
ret = tls_prf_sha1_md5(master_key, master_key_len,
"key expansion", seed, sizeof(seed),
_out, skip + out_len);
}
os_memset(master_key, 0, master_key_len);
if (ret == 0)
os_memcpy(out, _out + skip, out_len);
bin_clear_free(tmp_out, skip + out_len);
return ret;
}

View file

@ -1059,6 +1059,7 @@ OBJS_p += ../src/crypto/crypto_wolfssl.o
ifdef NEED_FIPS186_2_PRF
OBJS += ../src/crypto/fips_prf_wolfssl.o
endif
NEED_TLS_PRF_SHA256=y
LIBS += -lwolfssl -lm
LIBS_p += -lwolfssl -lm
endif