TLS: Add build configuration for TLS v1.2 support
This allows the internal TLS implementation to be built with TLS v1.2 support. In addition to the build option, this selects the TLS PRF based on the negotiated version number. However, this commit does not yet complete support for TLS v1.2. Signed-hostap: Jouni Malinen <j@w1.fi>
This commit is contained in:
parent
bcf03f5209
commit
ca84eed7ad
6 changed files with 47 additions and 0 deletions
|
@ -440,6 +440,11 @@ ifdef CONFIG_TLSV11
|
||||||
CFLAGS += -DCONFIG_TLSV11
|
CFLAGS += -DCONFIG_TLSV11
|
||||||
endif
|
endif
|
||||||
|
|
||||||
|
ifdef CONFIG_TLSV12
|
||||||
|
CFLAGS += -DCONFIG_TLSV12
|
||||||
|
NEED_SHA256=y
|
||||||
|
endif
|
||||||
|
|
||||||
ifeq ($(CONFIG_TLS), openssl)
|
ifeq ($(CONFIG_TLS), openssl)
|
||||||
ifdef TLS_FUNCS
|
ifdef TLS_FUNCS
|
||||||
OBJS += ../src/crypto/tls_openssl.o
|
OBJS += ../src/crypto/tls_openssl.o
|
||||||
|
@ -519,6 +524,9 @@ OBJS += ../src/tls/pkcs8.o
|
||||||
NEED_SHA256=y
|
NEED_SHA256=y
|
||||||
NEED_BASE64=y
|
NEED_BASE64=y
|
||||||
NEED_TLS_PRF=y
|
NEED_TLS_PRF=y
|
||||||
|
ifdef CONFIG_TLSV12
|
||||||
|
NEED_TLS_PRF_SHA256=y
|
||||||
|
endif
|
||||||
NEED_MODEXP=y
|
NEED_MODEXP=y
|
||||||
NEED_CIPHER=y
|
NEED_CIPHER=y
|
||||||
CFLAGS += -DCONFIG_TLS_INTERNAL
|
CFLAGS += -DCONFIG_TLS_INTERNAL
|
||||||
|
|
|
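Review bot: `NEED_TLS_PRF_SHA256=y` in the second hunk is a new build variable, and nothing in this diff shows a rule that turns it into an object file for the SHA256-based PRF that tlsv1_common.c now calls as tls_prf_sha256() under CONFIG_TLSV12; if no such rule exists yet, a CONFIG_TLS=internal build with CONFIG_TLSV12=y fails at link time. I cannot see the rest of the Makefile, so this may already be handled further down. A one-line comment on the new block, `# TLS v1.2 PRF (RFC 5246) is HMAC-SHA256 based; needs the sha256 TLS PRF object`, would make the dependency explicit for the next reader.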
@ -221,6 +221,10 @@ CONFIG_IPV6=y
|
||||||
# are used.
|
# are used.
|
||||||
#CONFIG_TLSV11=y
|
#CONFIG_TLSV11=y
|
||||||
|
|
||||||
|
# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
|
||||||
|
# can be enabled to enable use of stronger crypto algorithms.
|
||||||
|
#CONFIG_TLSV12=y
|
||||||
|
|
||||||
# If CONFIG_TLS=internal is used, additional library and include paths are
|
# If CONFIG_TLS=internal is used, additional library and include paths are
|
||||||
# needed for LibTomMath. Alternatively, an integrated, minimal version of
|
# needed for LibTomMath. Alternatively, an integrated, minimal version of
|
||||||
# LibTomMath can be used. See beginning of libtommath.c for details on benefits
|
# LibTomMath can be used. See beginning of libtommath.c for details on benefits
|
||||||
|
|
|
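Review bot: The new comment presents CONFIG_TLSV12 as a straightforward way to get stronger crypto algorithms, but the commit message itself says v1.2 support is not complete yet, and a reader of defconfig never sees that caveat. Until the handshake side is finished, the option text should say so, e.g. `# NOTE: TLS v1.2 support in the internal TLS implementation is still incomplete; do not enable for production use.` The phrase "Newer version of TLS (v1.2) can be enabled to enable use of stronger crypto algorithms" also reads awkwardly; `# Newer versions of TLS (v1.2) can be enabled to allow use of stronger crypto algorithms.` is clearer.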
@ -16,6 +16,7 @@
|
||||||
|
|
||||||
#include "common.h"
|
#include "common.h"
|
||||||
#include "crypto/sha1.h"
|
#include "crypto/sha1.h"
|
||||||
|
#include "crypto/sha256.h"
|
||||||
#include "x509v3.h"
|
#include "x509v3.h"
|
||||||
#include "tlsv1_common.h"
|
#include "tlsv1_common.h"
|
||||||
|
|
||||||
|
@ -250,6 +251,10 @@ int tls_version_ok(u16 ver)
|
||||||
if (ver == TLS_VERSION_1_1)
|
if (ver == TLS_VERSION_1_1)
|
||||||
return 1;
|
return 1;
|
||||||
#endif /* CONFIG_TLSV11 */
|
#endif /* CONFIG_TLSV11 */
|
||||||
|
#ifdef CONFIG_TLSV12
|
||||||
|
if (ver == TLS_VERSION_1_2)
|
||||||
|
return 1;
|
||||||
|
#endif /* CONFIG_TLSV12 */
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
@ -262,6 +267,8 @@ const char * tls_version_str(u16 ver)
|
||||||
return "1.0";
|
return "1.0";
|
||||||
case TLS_VERSION_1_1:
|
case TLS_VERSION_1_1:
|
||||||
return "1.1";
|
return "1.1";
|
||||||
|
case TLS_VERSION_1_2:
|
||||||
|
return "1.2";
|
||||||
}
|
}
|
||||||
|
|
||||||
return "?";
|
return "?";
|
||||||
|
@ -271,6 +278,14 @@ const char * tls_version_str(u16 ver)
|
||||||
int tls_prf(u16 ver, const u8 *secret, size_t secret_len, const char *label,
|
int tls_prf(u16 ver, const u8 *secret, size_t secret_len, const char *label,
|
||||||
const u8 *seed, size_t seed_len, u8 *out, size_t outlen)
|
const u8 *seed, size_t seed_len, u8 *out, size_t outlen)
|
||||||
{
|
{
|
||||||
|
#ifdef CONFIG_TLSV12
|
||||||
|
if (ver >= TLS_VERSION_1_2) {
|
||||||
|
tls_prf_sha256(secret, secret_len, label, seed, seed_len,
|
||||||
|
out, outlen);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
#endif /* CONFIG_TLSV12 */
|
||||||
|
|
||||||
return tls_prf_sha1_md5(secret, secret_len, label, seed, seed_len, out,
|
return tls_prf_sha1_md5(secret, secret_len, label, seed, seed_len, out,
|
||||||
outlen);
|
outlen);
|
||||||
}
|
}
|
||||||
|
|
|
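Review bot: In tls_prf() the new TLS v1.2 branch discards whatever tls_prf_sha256() reports and returns 0 unconditionally, whereas the v1.0/v1.1 path returns the status of tls_prf_sha1_md5(); if tls_prf_sha256() can fail (its declaration is not visible here), a failed key derivation would be reported to the caller as success. Either propagate its result, `return tls_prf_sha256(secret, secret_len, label, seed, seed_len, out, outlen);` if it returns a status, or add a comment stating that it cannot fail. Separately, RFC 5246 makes the PRF hash a property of the negotiated cipher suite (SHA-256 is the default; RFC 5289 suites use SHA-384), while this function selects the PRF by version alone; a comment such as `/* TLS v1.2: PRF hash is cipher-suite specific; all suites supported here use the SHA-256 default */` would record that assumption, or the suite should become a parameter once SHA-384 suites are considered.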
@ -19,11 +19,16 @@
|
||||||
|
|
||||||
#define TLS_VERSION_1 0x0301 /* TLSv1 */
|
#define TLS_VERSION_1 0x0301 /* TLSv1 */
|
||||||
#define TLS_VERSION_1_1 0x0302 /* TLSv1.1 */
|
#define TLS_VERSION_1_1 0x0302 /* TLSv1.1 */
|
||||||
|
#define TLS_VERSION_1_2 0x0303 /* TLSv1.2 */
|
||||||
|
#ifdef CONFIG_TLSV12
|
||||||
|
#define TLS_VERSION TLS_VERSION_1_2
|
||||||
|
#else /* CONFIG_TLSV12 */
|
||||||
#ifdef CONFIG_TLSV11
|
#ifdef CONFIG_TLSV11
|
||||||
#define TLS_VERSION TLS_VERSION_1_1
|
#define TLS_VERSION TLS_VERSION_1_1
|
||||||
#else /* CONFIG_TLSV11 */
|
#else /* CONFIG_TLSV11 */
|
||||||
#define TLS_VERSION TLS_VERSION_1
|
#define TLS_VERSION TLS_VERSION_1
|
||||||
#endif /* CONFIG_TLSV11 */
|
#endif /* CONFIG_TLSV11 */
|
||||||
|
#endif /* CONFIG_TLSV12 */
|
||||||
#define TLS_RANDOM_LEN 32
|
#define TLS_RANDOM_LEN 32
|
||||||
#define TLS_PRE_MASTER_SECRET_LEN 48
|
#define TLS_PRE_MASTER_SECRET_LEN 48
|
||||||
#define TLS_MASTER_SECRET_LEN 48
|
#define TLS_MASTER_SECRET_LEN 48
|
||||||
|
|
|
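Review bot: The header now makes TLS_VERSION resolve to TLS_VERSION_1_2 whenever CONFIG_TLSV12 is defined, but nothing documents what TLS_VERSION means; presumably it is the highest protocol version this build offers, and with the commit message stating v1.2 support is not complete, a build with CONFIG_TLSV12=y would advertise a version it cannot yet finish negotiating. A comment above the #ifdef ladder, `/* TLS_VERSION: highest protocol version offered by this build; TLS_VERSION_1_2 is only usable once the v1.2 handshake changes are complete */`, would make the current state explicit. Defining TLS_VERSION_1_2 unconditionally while its acceptance in tls_version_ok() stays behind CONFIG_TLSV12 matches how TLS_VERSION_1_1 is handled, so that part is consistent.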
@ -827,6 +827,11 @@ ifdef CONFIG_TLSV11
|
||||||
CFLAGS += -DCONFIG_TLSV11
|
CFLAGS += -DCONFIG_TLSV11
|
||||||
endif
|
endif
|
||||||
|
|
||||||
|
ifdef CONFIG_TLSV12
|
||||||
|
CFLAGS += -DCONFIG_TLSV12
|
||||||
|
NEED_SHA256=y
|
||||||
|
endif
|
||||||
|
|
||||||
ifeq ($(CONFIG_TLS), openssl)
|
ifeq ($(CONFIG_TLS), openssl)
|
||||||
ifdef TLS_FUNCS
|
ifdef TLS_FUNCS
|
||||||
CFLAGS += -DEAP_TLS_OPENSSL
|
CFLAGS += -DEAP_TLS_OPENSSL
|
||||||
|
@ -911,6 +916,9 @@ OBJS += ../src/tls/pkcs8.o
|
||||||
NEED_SHA256=y
|
NEED_SHA256=y
|
||||||
NEED_BASE64=y
|
NEED_BASE64=y
|
||||||
NEED_TLS_PRF=y
|
NEED_TLS_PRF=y
|
||||||
|
ifdef CONFIG_TLSV12
|
||||||
|
NEED_TLS_PRF_SHA256=y
|
||||||
|
endif
|
||||||
NEED_MODEXP=y
|
NEED_MODEXP=y
|
||||||
NEED_CIPHER=y
|
NEED_CIPHER=y
|
||||||
CFLAGS += -DCONFIG_TLS_INTERNAL_CLIENT
|
CFLAGS += -DCONFIG_TLS_INTERNAL_CLIENT
|
||||||
|
|
|
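Review bot: The `ifdef CONFIG_TLSV12` block in the first hunk sits outside the `ifeq ($(CONFIG_TLS), ...)` selection, so `-DCONFIG_TLSV12` and `NEED_SHA256=y` are applied for every TLS backend even though this commit only teaches the internal implementation about v1.2; for the internal build, `NEED_SHA256=y` is already set in the block shown in the second hunk, so the first one is redundant there. This mirrors how CONFIG_TLSV11 is handled, so it may be deliberate, but a comment would help: `# CONFIG_TLSV12 currently only affects CONFIG_TLS=internal`. The internal-only `NEED_TLS_PRF_SHA256=y` also needs a matching object rule elsewhere in the Makefile that this diff does not show; if it is missing, the link fails when CONFIG_TLSV12=y.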
@ -332,6 +332,13 @@ CONFIG_PEERKEY=y
|
||||||
# sent prior to negotiating which version will be used)
|
# sent prior to negotiating which version will be used)
|
||||||
#CONFIG_TLSV11=y
|
#CONFIG_TLSV11=y
|
||||||
|
|
||||||
|
# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
|
||||||
|
# can be enabled to enable use of stronger crypto algorithms. It should be
|
||||||
|
# noted that some existing TLS v1.0 -based implementation may not be compatible
|
||||||
|
# with TLS v1.2 message (ClientHello is sent prior to negotiating which version
|
||||||
|
# will be used)
|
||||||
|
#CONFIG_TLSV12=y
|
||||||
|
|
||||||
# If CONFIG_TLS=internal is used, additional library and include paths are
|
# If CONFIG_TLS=internal is used, additional library and include paths are
|
||||||
# needed for LibTomMath. Alternatively, an integrated, minimal version of
|
# needed for LibTomMath. Alternatively, an integrated, minimal version of
|
||||||
# LibTomMath can be used. See beginning of libtommath.c for details on benefits
|
# LibTomMath can be used. See beginning of libtommath.c for details on benefits
|
||||||
|
|
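Review bot: The new comment says enabling CONFIG_TLSV12 gives stronger crypto algorithms, but this commit's own message says v1.2 support is not yet complete, and the tlsv1_common.h change (TLS_VERSION becoming TLS_VERSION_1_2) presumably makes the internal client offer v1.2 in its ClientHello; a user who enables it now likely gets a handshake the implementation cannot finish rather than stronger crypto. The text should carry that caveat until support lands, e.g. `# NOTE: TLS v1.2 support in the internal TLS implementation is incomplete; leave this disabled for now.` The wording "some existing TLS v1.0 -based implementation may not be compatible with TLS v1.2 message" also needs fixing: `# some existing TLS v1.0-based implementations may not be compatible with TLS v1.2 messages`.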