wolfSSL: Fix EAP-FAST key derivation
Implement tls_connection_get_eap_fast_key() using cryptographic primitives, because wolfSSL implements a different spec. Signed-off-by: Sean Parkinson <sean@wolfssl.com>
parent
71faf06cb6
commit
ab35793ec1
2 changed files with 47 additions and 4 deletions
|
@ -10,6 +10,8 @@
|
||||||
|
|
||||||
#include "common.h"
|
#include "common.h"
|
||||||
#include "crypto.h"
|
#include "crypto.h"
|
||||||
|
#include "crypto/sha1.h"
|
||||||
|
#include "crypto/sha256.h"
|
||||||
#include "tls.h"
|
#include "tls.h"
|
||||||
|
|
||||||
/* wolfSSL includes */
|
/* wolfSSL includes */
|
||||||
|
@ -1962,18 +1964,58 @@ int tls_connection_export_key(void *tls_ctx, struct tls_connection *conn,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
#define SEED_LEN (RAN_LEN + RAN_LEN)
|
||||||
|
|
||||||
int tls_connection_get_eap_fast_key(void *tls_ctx, struct tls_connection *conn,
|
int tls_connection_get_eap_fast_key(void *tls_ctx, struct tls_connection *conn,
|
||||||
u8 *out, size_t out_len)
|
u8 *out, size_t out_len)
|
||||||
{
|
{
|
||||||
int ret;
|
byte seed[SEED_LEN];
|
||||||
|
int ret = -1;
|
||||||
|
WOLFSSL *ssl;
|
||||||
|
byte *tmp_out;
|
||||||
|
byte *_out;
|
||||||
|
int skip = 0;
|
||||||
|
byte *master_key;
|
||||||
|
unsigned int master_key_len;
|
||||||
|
byte *server_random;
|
||||||
|
unsigned int server_len;
|
||||||
|
byte *client_random;
|
||||||
|
unsigned int client_len;
|
||||||
|
|
||||||
if (!conn || !conn->ssl)
|
if (!conn || !conn->ssl)
|
||||||
return -1;
|
return -1;
|
||||||
|
ssl = conn->ssl;
|
||||||
|
|
||||||
ret = wolfSSL_make_eap_keys(conn->ssl, out, out_len, "key expansion");
|
skip = 2 * (wolfSSL_GetKeySize(ssl) + wolfSSL_GetHmacSize(ssl) +
|
||||||
if (ret != 0)
|
wolfSSL_GetIVSize(ssl));
|
||||||
|
|
||||||
|
tmp_out = os_malloc(skip + out_len);
|
||||||
|
if (!tmp_out)
|
||||||
return -1;
|
return -1;
|
||||||
return 0;
|
_out = tmp_out;
|
||||||
|
|
||||||
|
wolfSSL_get_keys(ssl, &master_key, &master_key_len, &server_random,
|
||||||
|
&server_len, &client_random, &client_len);
|
||||||
|
os_memcpy(seed, server_random, RAN_LEN);
|
||||||
|
os_memcpy(seed + RAN_LEN, client_random, RAN_LEN);
|
||||||
|
|
||||||
|
if (wolfSSL_GetVersion(ssl) == WOLFSSL_TLSV1_2) {
|
||||||
|
tls_prf_sha256(master_key, master_key_len,
|
||||||
|
"key expansion", seed, sizeof(seed),
|
||||||
|
_out, skip + out_len);
|
||||||
|
ret = 0;
|
||||||
|
} else {
|
||||||
|
ret = tls_prf_sha1_md5(master_key, master_key_len,
|
||||||
|
"key expansion", seed, sizeof(seed),
|
||||||
|
_out, skip + out_len);
|
||||||
|
}
|
||||||
|
|
||||||
|
os_memset(master_key, 0, master_key_len);
|
||||||
|
if (ret == 0)
|
||||||
|
os_memcpy(out, _out + skip, out_len);
|
||||||
|
bin_clear_free(tmp_out, skip + out_len);
|
||||||
|
|
||||||
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
|
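Review bot: The outputs of `wolfSSL_get_keys()` are used unchecked in tls_connection_get_eap_fast_key(): `master_key`, `server_random` and `client_random` are uninitialized locals, and the two `os_memcpy(..., RAN_LEN)` calls copy RAN_LEN bytes without comparing `server_len` or `client_len` to RAN_LEN, so a call made before the handshake has produced keys could read through a NULL or indeterminate pointer. Checking the result and the lengths, and releasing `tmp_out` on failure, closes that gap, as in the excerpt below (this assumes the function reports failure through its return value). `skip` is likewise built from three getters whose results are not checked for negative values before `os_malloc(skip + out_len)`. Separately, `os_memset(master_key, 0, master_key_len)` zeroes the buffer the library handed back; if that pointer refers to the session's own storage rather than a copy, the connection's master secret is wiped, so a comment stating the ownership would help.

```c
	/* … unchanged: skip computation and tmp_out allocation … */
	if (wolfSSL_get_keys(ssl, &master_key, &master_key_len, &server_random,
			     &server_len, &client_random, &client_len) !=
	    WOLFSSL_SUCCESS ||
	    !master_key || !server_random || !client_random ||
	    server_len < RAN_LEN || client_len < RAN_LEN) {
		bin_clear_free(tmp_out, skip + out_len);
		return -1;
	}
	os_memcpy(seed, server_random, RAN_LEN);
	/* … unchanged: second memcpy, PRF selection, cleanup … */
```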
@ -1059,6 +1059,7 @@ OBJS_p += ../src/crypto/crypto_wolfssl.o
|
||||||
ifdef NEED_FIPS186_2_PRF
|
ifdef NEED_FIPS186_2_PRF
|
||||||
OBJS += ../src/crypto/fips_prf_wolfssl.o
|
OBJS += ../src/crypto/fips_prf_wolfssl.o
|
||||||
endif
|
endif
|
||||||
|
NEED_TLS_PRF_SHA256=y
|
||||||
LIBS += -lwolfssl -lm
|
LIBS += -lwolfssl -lm
|
||||||
LIBS_p += -lwolfssl -lm
|
LIBS_p += -lwolfssl -lm
|
||||||
endif
|
endif
|
||||||
|
|