Commit graph

354 commits

Author SHA1 Message Date
Mikael Kanstrup
8b423edbd3 Declare all read only data structures as const
By analysing objdump output some read only structures were found in
.data section. To help compiler further optimize code declare these
as const.

Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sonymobile.com>
2015-04-25 17:33:06 +03:00
Mike Gerow
fd4fb28179 OpenSSL: Try to ensure we don't throw away the PIN unnecessarily
Now on an engine error we decode the error value and determine if the
issue is due to a true PIN error or not. If it is due to incorrrect PIN,
delete the PIN as usual, but if it isn't let the PIN be.

Signed-off-by: Mike Gerow <gerow@google.com>
2015-04-25 16:05:50 +03:00
Jouni Malinen
cb71a8342d OpenSSL: Clean up TLS PRF implementation
Commit fa0e715100 ('Use
tls_connection_prf() for all EAP TLS-based key derivation') copied some
pointer checks from the generic implementation to tls_openssl.c.
However, these are arrays and cannot be NULL in OpenSSL data. Remove the
unnecessary checks and add master_key_length check for completeness.
(CID 109619).

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-04-22 11:17:26 +03:00
Nick Kralevich
d447cd596f Updates for stricter automatic memcpy bounds checking
Both Android's libc and glibc support _FORTIFY_SOURCE, a compiler
and libc feature which inserts automatic bounds checking into
common C functions such as memcpy() and strcpy(). If a buffer
overflow occurs when calling a hardened libc function, the
automatic bounds checking will safely shutdown the program and
prevent memory corruption.

Android is experimenting with _FORTIFY_SOURCE=3, a new fortify
level which enhances memcpy() to prevent overflowing an element
of a struct. Under the enhancements, code such as

  struct foo {
    char empty[0];
    char one[1];
    char a[10];
    char b[10];
  };

  int main() {
    foo myfoo;
    int n = atoi("11");
    memcpy(myfoo.a, "01234567890123456789", n);
    return 0;
  }

will cleanly crash when the memcpy() call is made.

Fixup hostap code to support the new level. Specifically:

* Fixup sha1_transform so it works with the enhanced bounds checking.
The old memcpy() code was attempting to write to context.h0, but that
structure element is too small and the write was extending (by design)
into h1, h2, h3, and h4. Use explicit assignments instead of
overflowing the struct element.

* Modify most of the structures in ieee802_11_defs.h to use ISO C99
flexible array members (https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html)
instead of a zero length array. Zero length arrays have zero length,
and any attempt to call memcpy() on such elements will always overflow.
Flexible array members have no such limitation. The only element not
adjusted is probe_req, since doing so will generate a compile time error,
and it's not obvious to me how to fix it.

Signed-off-by: Nick Kralevich <nnk@google.com>
2015-04-13 14:01:40 +03:00
Jouni Malinen
c4b45c60ad TLS: Fix memory leaks on tls_connection_set_params() error paths
The internal TLS implementation started rejecting number of unsupported
configuration parameters recently, but those new error paths did not
free the allocated tlsv1_credentials buffer.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-04-01 12:57:11 +03:00
Jouni Malinen
af851914f8 Make tls_connection_get_keyblock_size() internal to tls_*.c
This function exposes internal state of the TLS negotiated parameters
for the sole purpose of being able to implement PRF for EAP-FAST. Since
tls_connection_prf() is now taking care of all TLS-based key derivation
cases, it is cleaner to keep this detail internal to each tls_*.c
wrapper implementation.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-04-01 12:56:54 +03:00
Jouni Malinen
94f1fe6f63 Remove master key extraction from tls_connection_get_keys()
This is not needed anymore with the tls_connection_prf() being used to
handle all key derivation needs. tls_connection_get_keys() is a bit
misnamed for now, but it is only used to fetch the client and server
random for Session-Id derivation.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-03-31 15:52:40 +03:00
Jouni Malinen
fa0e715100 Use tls_connection_prf() for all EAP TLS-based key derivation
tls_openssl.c is the only remaining TLS/crypto wrapper that needs the
internal PRF implementation for EAP-FAST (since
SSL_export_keying_material() is not available in older versions and does
not support server-random-before-client case). As such, it is cleaner to
assume that TLS libraries support tls_connection_prf() and move the
additional support code for the otherwise unsupported cases into
tls_openssl.c.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-03-31 15:47:32 +03:00
Jouni Malinen
5955cfaacd ms_funcs: Make challenge_hash() non-static
This function can be of use outside ms_funcs.c.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-03-29 22:27:00 +03:00
Jouni Malinen
65a7b21f5e OpenSSL: Implement AES-128 CBC using EVP API
This replaces the internal CBC mode implementation in
aes_128_cbc_encrypt() and aes_128_cbc_decrypt() with the OpenSSL
implementation for CONFIG_TLS=openssl builds.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-03-29 20:30:58 +03:00
Jouni Malinen
22ba05c09e Explicitly clear temporary stack buffers in tls_prf_sha1_md5()
The local buffers may contain information used to generate parts of the
derived key, so clear these explicitly to minimize amount of unnecessary
private key-related material in memory.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-03-29 16:43:03 +03:00
Jouni Malinen
940a4dbf66 Explicitly clear temporary stack buffer in sha1_t_prf()
The local hash[] buffer may contain parts of the derived key, so clear
it explicitly to minimize number of unnecessary copies of key material
in memory.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-03-29 16:40:55 +03:00
Jouni Malinen
eccca102bf Explicitly clear temporary stack buffer in hmac_sha256_kdf()
The local T[] buffer may contain parts of the derived key, so clear it
explicitly to minimize number of unnecessary copies of key material in
memory.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-03-29 16:38:37 +03:00
Jouni Malinen
6784168d07 Remove SChannel support
SChannel/CryptoAPI as a TLS/crypto library alternative was never
completed. Critical functionality is missing and there are bugs in this
implementation. Since there are no known plans of completing this
support, it is better to remove this code.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-03-18 22:31:36 +02:00
Rohit Agrawal
00033a0903 OpenSSL: Always accept pinned certificates
If OpenSSL reports that a presented leaf certificate is invalid,
but it has been explicitly pinned, accept it anyway.

Signed-off-by: Rohit Agrawal <rohit.agrawal.mn@gmail.com>
2015-03-07 21:26:26 +02:00
Jouni Malinen
58d405fcdb Fix OCSP debug messages
These were not supposed to include a newline at the end of the message
text since such formatting gets handled by tls_show_errors(). In
addition, change the message about the issuer's issuer to be more
accurate.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-02-19 13:33:33 +02:00
Jouni Malinen
710dfb4e32 OpenSSL: Fix OCSP error path
If addition of a peer issuer certificate fails, the certs pointer would
be NULL when being passed to sk_X509_push() for peer issuer's issuer.
Fix this by skipping addition of issuer's issue if issuer addition
fails.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-02-19 13:32:05 +02:00
Jouni Malinen
db3168d414 OpenSSL: Use SSL_cache_hit() when available
This is going to be required for OpenSSL 1.1.0 which makes the SSL
structure opaque. Older versions starting from OpenSSL 1.0.1 include
this function, so start using it now based on OPENSSL_VERSION_NUMBER.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-02-04 02:04:35 +02:00
Jouni Malinen
68ae4773a4 OpenSSL: Use library wrapper functions to access cert store
OpenSSL 0.9.8 and newer includes SSL_CTX_get_cert_store() and
SSL_CTX_set_cert_store() helper functions, so there is no need to
dereference the SSL_CTX pointer to cert ssl_ctx->cert_store. This helps
in working with the future OpenSSL 1.1.0 release that makes the SSL_CTX
structure opaque.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-02-04 01:58:37 +02:00
Jouni Malinen
f19c907822 OpenSSL: Implement aes_wrap() and aes_unwrap()
This replaces the implementation in aes-wrap.c and aes-unwrap.c with
OpenSSL AES_wrap_key() and AES_unwrap_key() functions when building
hostapd or wpa_supplicant with OpenSSL.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-28 13:09:31 +02:00
Jouni Malinen
fee31f76cd OpenSSL: Remove support for versions older than 0.9.8
These have reached out-of-life status in the OpenSSL project and there
is no need to maintain support for them in hostapd/wpa_supplicant
either.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-28 13:09:31 +02:00
Jouni Malinen
8bf3030af6 OpenSSL: Use a common helper function for HMAC
There is no need to duplicate this construction for each hash algorithm.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-28 13:09:31 +02:00
Jouni Malinen
983c6a606b OpenSSL: Replace internal HMAC-MD5 implementation
Use OpenSSL HMAC_* functions to implement HMAC-MD5 instead of depending
on the src/crypto/md5.c implementation.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-28 13:09:31 +02:00
Jouni Malinen
97ae35a848 Add HMAC-SHA384
For now, this is only implemented with OpenSSL.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-27 01:26:51 +02:00
Jouni Malinen
30bff1d0f4 Extend AES-CMAC routines to support 256-bit keys
omac1_aes_256() and omac1_aes_vector() can now be used to perform
256-bit CMAC operations similarly to the previously supported 128-bit
cases.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-24 19:37:42 +02:00
Jouni Malinen
cebee30f31 Add domain_match network profile parameter
This is similar with domain_suffix_match, but required a full match of
the domain name rather than allowing suffix match (subdomains) or
wildcard certificates.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-14 15:45:18 +02:00
Jouni Malinen
d07d3fbda2 Add peer certificate alt subject name information to EAP events
A new "CTRL-EVENT-EAP-PEER-ALT depth=<i> <alt name>" event is now used
to provide information about server certificate chain alternative
subject names for upper layers, e.g., to make it easier to configure
constraints on the server certificate. For example:
CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:server.example.com

Currently, this includes DNS, EMAIL, and URI components from the
certificates. Similar information is priovided to D-Bus Certification
signal in the new altsubject argument which is a string array of these
items.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-14 15:45:18 +02:00
Jouni Malinen
3e7f1c7980 GnuTLS: Add TLS event callbacks for chain success/failure and peer cert
This makes GnuTLS events match the ones provided when OpenSSL is used.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00
Jouni Malinen
0eb2ed067f GnuTLS: Add support for OCSP stapling as a client
This allows ocsp=2 to be used with wpa_supplicant when built with GnuTLS
to request TLS status extension (OCSP stapling) to be used to validate
server certificate validity.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00
Jouni Malinen
0e1bb94b91 GnuTLS: Verify that server certificate EKU is valid for a server
The server certificate will be rejected if it includes any EKU and none
of the listed EKUs is either TLS Web Server Authentication or ANY.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00
Jouni Malinen
d4d1f5cb33 GnuTLS: Fix tls_disable_time_checks=1 processing
Certificate expiration is checked both within GnuTLS and in the
tls_gnutls.c implementation. The former was configured to use the
request to ignore time checks while the latter was not. Complete support
for this parameter by ignoring the internal expiration checks if
requested.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00
Jouni Malinen
594d1fc084 GnuTLS: Add support for private_key and client_cert as blobs
This allows private key and client certificate to be configured using
wpa_supplicant blobs instead of external files.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00
Jouni Malinen
79b1dd9aad GnuTLS: Fix DER encoding certificate parsing
It looks like GnuTLS may return success on
gnutls_certificate_set_x509_*() functions with GNUTLS_X509_FMT_PEM even
when trying to read DER encoded information. Reverse the order of
parsing attempts so that we start with DER and then move to PEM if
GnuTLS reports failure on DER parsing. This seems to be more reliable
way of getting errors reported and both cases can now be handled.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00
Jouni Malinen
1068bdb90c tests: Fix crypto module test build without EAP-FAST
Skip the EAP-FAST specific test cases if wpa_supplicant build is
configured not to include EAP-FAST support.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00
Jouni Malinen
a16514516b Add "GET tls_library" to provide information on TLS library and version
This new wpa_supplicant and hostapd control interface command can be
used to determine which TLS library is used in the build and what is the
version of that library.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00
Jouni Malinen
c3bb84b415 GnuTLS: Add event callbacks
This allows wpa_supplicant to provide more information about peer
certificate validation results to upper layers similarly to the
mechanism used with OpenSSL.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00
Jouni Malinen
8ddcd6b9d4 GnuTLS: Add support for domain_suffix_match
This implementation uses GnuTLS function
gnutls_x509_crt_check_hostname(). It has a bit different rules regarding
matching (allows wildcards in some cases, but does not use suffix
matching) compared to the internal implementation used with OpenSSL.
However, these rules are sufficiently close to each other to be of
reasonable use for most cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00
Jouni Malinen
4bc13bf709 GnuTLS: Check for any unknown verification failure
After having checked all known GNUTLS_CERT_* error cases that we care
about, check that no other errors have been indicated by
gnutls_certificate_verify_peers2() as a reason to reject negotiation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00
Jouni Malinen
e0d431a515 GnuTLS: Add more debug prints for version and session status
Make the debug output more useful for determining whuch version of
GnuTLS was used and what was negotiated for the session.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00
Jouni Malinen
65ec7f4c12 GnuTLS: Move peer certificate validation into callback function
GnuTLS 2.10.0 added gnutls_certificate_set_verify_function() that can be
used to move peer certificate validation to an earlier point in the
handshake. Use that to get similar validation behavior to what was done
with OpenSSL, i.e., reject the handshake immediately after receiving the
peer certificate rather than at the completion of handshake.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:20 +02:00
Jouni Malinen
7c8245798f GnuTLS: Remove support for versions older than 2.12.x
GnuTLS project has marked 2.12.x obsolete since January 2014. There is
not much need for maintaining support for obsolete versions of the
library, so drop all #if/#endif blocks targeting 2.x.y versions. In
practice, none of these were requiring 2.12.x version with x greater
than 0, so 2.12.x remains supported for now.

In addition, add newer version (GnuTLS 3.0.18 and newer) to fetch client
and server random from the session since the old method is not supported
by new GnuTLS versions and as such, gets removed with rest of the old
ifdef blocks.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:18:57 +02:00
Jouni Malinen
e1d63f6aea GnuTLS: Remove old version number checks for 1.3.2
No one should be using GnuTLS versions older than 1.3.2 from 2006
anymore, so remove these unnecessary #if/#endif checks.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-11 11:13:20 +02:00
Jouni Malinen
ae0a23a0ca GnuTLS: Remove GNUTLS_INTERNAL_STRUCTURE_HACK
This was needed with very old GnuTLS versions, but has not been needed,
or used, since GnuTLS 1.3.2 which was released in 2006. As such, there
is no need to maintain this code anymore and it is better to just clean
the source code by removing all the related code.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-11 11:11:03 +02:00
Jouni Malinen
db4cf40b92 GnuTLS: Add support for ca_cert as a blob
This allows GnuTLS to be used with trusted CA certificate from
wpa_supplicant blob rather than an external certificate file.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-11 01:49:09 +02:00
Jouni Malinen
224104ddf6 TLS: Reject openssl_ciphers parameter in non-OpenSSL cases
This TLS configuration parameter is explicitly for OpenSSL. Instead of
ignoring it silently, reject any configuration trying to use it in
builds that use other options for TLS implementation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-11 01:35:54 +02:00
Jouni Malinen
0b402479bf Remove Network Security Service (NSS) support
NSS as a TLS/crypto library alternative was never completed and this
barely functional code does not even build with the current NSS version.
Taken into account that there has not been much interest in working on
this crypto wrapper over the years, it is better to just remove this
code rather than try to get it into somewhat more functional state.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-11 00:58:10 +02:00
Jouni Malinen
d16694761a schannel: Reject subject_match, altsubject_match, suffix_match
Validation of these parameters has not been implemented with schannel.
Instead of ignoring them silently, reject the configuration to avoid
giving incorrect impression of the parameters being used if
wpa_supplicant is built with schannel instead of the default OpenSSL.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-11 00:58:10 +02:00
Jouni Malinen
59051f8ecf TLS: Reject subject_match, altsubject_match, suffix_match
Validation of these parameters has not been implemented in the internal
TLS implementation. Instead of ignoring them silently, reject the
configuration to avoid giving incorrect impression of the parameters
being used if wpa_supplicant is built with the internal TLS
implementation instead of the default OpenSSL.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-11 00:37:21 +02:00
Jouni Malinen
f8717ac8b3 GnuTLS: Reject subject_match, altsubject_match, suffix_match
Validation of these parameters has not been implemented with GnuTLS.
Instead of ignoring them silently, reject the configuration to avoid
giving incorrect impression of the parameters being used if
wpa_supplicant is built with GnuTLS instead of the default OpenSSL.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-11 00:33:48 +02:00
Jouni Malinen
51f3427019 crypto: Clear temporary stack buffers after use
This reduces possibility of exposure of private keys should something
get access to stack memory.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-06 02:49:13 +02:00
Jouni Malinen
77a2c3941e crypto: Clear temporary heap allocations before freeing
This reduces the time private keys may remain in heap memory after use.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-06 02:49:13 +02:00
Jouni Malinen
a15a7fcf69 DH: Clear memory explicitly on private key deinit
Remove any DH private key from heap memory after use.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-05 18:03:40 +02:00
Jouni Malinen
59be78ef93 tests: Move SHA256 test cases into hwsim framework
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-05 17:34:20 +02:00
Jouni Malinen
4b462a0226 tests: Move SHA1 test cases into hwsim framework
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-05 17:29:00 +02:00
Jouni Malinen
a90c7d91a0 OpenSSL: Fix pbkdf2_sha1() wrapper
This was supposed to use the iterations parameter from the caller
instead of the hardcoded 4096. In practice, this did not have problems
for normal uses since that 4096 value was used in all cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-05 17:27:08 +02:00
Jouni Malinen
896e1b836f tests: Move MD5 test cases into hwsim framework
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-05 17:12:27 +02:00
Jouni Malinen
88fc0dca98 tests: Move ms_funcs test cases into hwsim framework
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-05 17:05:42 +02:00
Jouni Malinen
5c0ff9f9a3 tests: Add some of the AES ECB mode test cases from CAVS 11.1
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-05 16:57:57 +02:00
Jouni Malinen
1244408401 tests: Move AES key wrap/unwrap test cases into hwsim framework
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-05 16:35:59 +02:00
Jouni Malinen
477f83131f tests: Move AES-CBC test cases into hwsim framework
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-05 16:28:46 +02:00
Jouni Malinen
e438fb0d3a tests: Move AES-128 EAX mode test cases into hwsim framework
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-05 16:24:42 +02:00
Jouni Malinen
6c33962dd1 tests: Additional OMAC1-AES module test coverage
This verifies couple of corner cases with short vector entries in the
OMAC1-AES implementation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-05 16:15:23 +02:00
Jouni Malinen
304d40e904 tests: Move OMAC1-AES test cases into hwsim module tests
This makes sure the test cases are executed automatically with rest of
the hwsim tests.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-05 16:02:08 +02:00
Jouni Malinen
942b75468d tests: Add module tests for AES-SIV
This moves the AES-SIV test case from tests/test-aes.c to be part of
wpa_supplicant module testing framework with a new
src/crypto/crypto_module_tests.c component. In addition, the second test
vector from RFC 5297 is also included for additional coverage.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-05 15:50:53 +02:00
Jouni Malinen
f6ebbcf62a AES-SIV: Make aes_s2v() static
This function is not used outside aes-siv.c. In addition, include the
aes_siv.h header to make sure that functions get declared consistently.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-05 15:22:36 +02:00
David Woodhouse
a642a52b17 OpenSSL: Do not require a PIN for PKCS#11
It isn't mandatory. If we need one and it's not present, the ENGINE will
try asking for it. Make sure it doesn't actually let an OpenSSL UI loose,
since we don't currently capture those.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
2014-12-29 15:49:05 +02:00
David Woodhouse
96955192b3 OpenSSL: Automatically enable PKCS#11 engine where it's needed
It needs to be available to ENGINE_by_id(), which in my case means it
needs to be /usr/lib64/openssl/engines/libpkcs11.so. But that's a system
packaging issue. If it isn't there, it will fail gracefully enough with:

ENGINE: engine pkcs11 not available [error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library]
TLS: Failed to set TLS connection parameters
EAP-TLS: Failed to initialize SSL.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
2014-12-29 15:49:05 +02:00
David Woodhouse
ddda627618 OpenSSL: Load dynamic ENGINE unconditionally
This means that if the PKCS#11 engine is installed in the right place
in the system, it'll automatically be invoked by ENGINE_by_id("pkcs11")
later, and things work without explictly configuring pkcs11_engine_path.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
2014-12-29 15:49:05 +02:00
David Woodhouse
01b0d1d5c1 OpenSSL: Automatically handle PKCS#11 URIs in private_key, ca/client_cert
If these start with "pkcs11:" then they are PKCS#11 URIs. These Just Work
in the normal private_key/ca_cert/client_cert configuration fields when
built with GnuTLS; make it work that way with OpenSSL too.

(Yes, you still need to explicitly set engine=1 and point to the engine,
but I'll work on that next...)

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
2014-12-29 15:49:05 +02:00
David Woodhouse
3d268b8d19 OpenSSL: Do not require private key to come from PKCS#11
There's no reason I shouldn't be able to use PKCS#11 for just the CA cert,
or even the client cert, while the private key is still from a file.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
2014-12-29 15:49:05 +02:00
David Woodhouse
5c8ab0d49c OpenSSL: Allow pkcs11_module_path to be NULL
New versions of engine_pkcs11 will automatically use the system's
p11-kit-proxy.so to make the globally-configured PKCS#11 tokens available
by default. So invoking the engine without an explicit module path is
not an error.

Older engines will fail but gracefully enough, so although it's still an
error in that case there's no need for us to catch it for ourselves.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
2014-12-29 15:49:05 +02:00
Jouni Malinen
49e3eea8d9 Avoid -Wshadow warnings from older gcc versions
It looks like gcc 4.8.2 would warn about these with -Wshadow, but 4.6.3
did.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-26 13:21:00 +02:00
Jouni Malinen
a193231dfb Clean up debug prints to use wpa_printf()
This converts most of the remaining perror() and printf() calls from
hostapd and wpa_supplicant to use wpa_printf().

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-26 13:20:57 +02:00
David Woodhouse
7d9286d3e7 Support private_key_passwd for GnuTLS (3.1.11+)
It's possible to jump through hoops to support it in older versions too,
but that seems a little unnecessary at this point.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
2014-12-25 16:37:12 +02:00
Jouni Malinen
cbe23ffd6d GnuTLS: Get rid of warnings about deprecated typedef names
'_t' suffix for gnutls_session and gnutls_transport_ptr was added in
GnuTLS 1.1.11 over ten years ago and the more recent versions of GnuTLS
have started forcing compiler warnings from the old names. Move to the
new names and don't bother about backwards compatibility with older
versions taken into account how long ago this change happened in GnuTLS.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-25 16:37:12 +02:00
Jouni Malinen
6a31a31da1 OpenSSL: Simplify EAP-FAST peer workaround
Commit d4913c585e ('OpenSSL: Fix EAP-FAST
peer regression') introduced a workaround to use a new SSL_CTX instance
set for TLSv1_method() when using EAP-FAST. While that works, it is
unnecessarily complex since there is not really a need to use a separate
SSL_CTX to be able to do that. Instead, simply use SSL_set_ssl_method()
to update the ssl_method for the SSL instance. In practice, this commit
reverts most of the tls_openssl.c changes from that earlier commit and
adds that single call into tls_connection_set_params() based on EAP-FAST
flag.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-09 23:55:41 +02:00
Jouni Malinen
d4913c585e OpenSSL: Fix EAP-FAST peer regression
Commit 35efa2479f ('OpenSSL: Allow TLS
v1.1 and v1.2 to be negotiated by default') changed from using
TLSv1_method() to SSLv23_method() to allow negotiation of TLS v1.0,
v1.1, and v1.2.

Unfortunately, it looks like EAP-FAST does not work with this due to
OpenSSL not allowing ClientHello extensions to be configured with
SSL_set_session_ticket_ext() when SSLv23_method() is used. Work around
this regression by initiating a separate SSL_CTX instance for EAP-FAST
phase 1 needs with TLSv1_method() while leaving all other EAP cases
using TLS to work with the new default that allows v1.1 and v1.2 to be
negotiated. This is not ideal and will hopefully get fixed in the future
with a new OpenSSL method, but until that time, this can be used allow
other methods use newer TLS versions while still allowing EAP-FAST to be
used even if it remains to be constraint to TLS v1.0 only.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-09 16:57:05 +02:00
Jouni Malinen
c25addb156 OpenSSL: Remove support for the old EAP-FAST interface
Commit f5fa824e9a ('Update OpenSSL 0.9.8
patch for EAP-FAST support') changed the OpenSSL 0.9.8 patch to support
the new API that was introduced in OpenSSL 1.0.0 for EAP-FAST. As such,
there should be no valid users of the old API anymore and tls_openssl.c
can be cleaned up to use only the new API.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-09 16:57:05 +02:00
Jouni Malinen
d85e1fc8a5 Check os_snprintf() result more consistently - automatic 1
This converts os_snprintf() result validation cases to use
os_snprintf_error() where the exact rule used in os_snprintf_error() was
used. These changes were done automatically with spatch using the
following semantic patch:

@@
identifier E1;
expression E2,E3,E4,E5,E6;
statement S1;
@@

(
  E1 = os_snprintf(E2, E3, ...);
|
  int E1 = os_snprintf(E2, E3, ...);
|
  if (E5)
	E1 = os_snprintf(E2, E3, ...);
  else
	E1 = os_snprintf(E2, E3, ...);
|
  if (E5)
	E1 = os_snprintf(E2, E3, ...);
  else if (E6)
	E1 = os_snprintf(E2, E3, ...);
  else
	E1 = 0;
|
  if (E5) {
	...
	E1 = os_snprintf(E2, E3, ...);
  } else {
	...
	return -1;
  }
|
  if (E5) {
	...
	E1 = os_snprintf(E2, E3, ...);
  } else if (E6) {
	...
	E1 = os_snprintf(E2, E3, ...);
  } else {
	...
	return -1;
  }
|
  if (E5) {
	...
	E1 = os_snprintf(E2, E3, ...);
  } else {
	...
	E1 = os_snprintf(E2, E3, ...);
  }
)
? os_free(E4);
- if (E1 < 0 || \( E1 >= E3 \| (size_t) E1 >= E3 \| (unsigned int) E1 >= E3 \| E1 >= (int) E3 \))
+ if (os_snprintf_error(E3, E1))
(
  S1
|
{ ... }
)

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-08 11:42:07 +02:00
Jouni Malinen
0087061de7 ERP: Add HMAC-SHA256 KDF (RFC 5295)
This is needed for ERP key derivation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-04 12:08:59 +02:00
Jouni Malinen
0a11409c00 Fix omac1_aes_128_vector() not to read beyond addr/len array
Previously, it was possible for the loop through the data components to
increment addr/len index at the last position beyond the declared size.
This resulted in reading beyond those arrays. The read values were not
used and as such, this was unlikely to cause noticeable issues, but
anyway, memory checkers can detect this and the correct behavior is to
stop increments before going beyond the arrays since no more bytes will
be processed after this anyway.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-30 15:53:11 +02:00
Jouni Malinen
35efa2479f OpenSSL: Allow TLS v1.1 and v1.2 to be negotiated by default
Use SSLv23_method() to enable TLS version negotiation for any version
equal to or newer than 1.0. If the old behavior is needed as a
workaround for some broken authentication servers, it can be configured
with phase1="tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1".

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-15 12:35:10 +02:00
Bob Copeland
f7072600be Implement RFC 5297 AES-SIV
Add an implementation of Synthetic Initialization Vector (SIV)
Authenticated Encryption Using the Advanced Encryption Standard (AES).

This mode of AES is used to protect peering frames when using
the authenticated mesh peering exchange.

Signed-off-by: Javier Lopez <jlopex@gmail.com>
Signed-off-by: Jason Mobarak <x@jason.mobarak.name>
Signed-off-by: Bob Copeland <me@bobcopeland.com>
2014-10-19 12:43:38 +03:00
Jouni Malinen
b7328434f7 OpenSSL: Add a mechanism to configure cipher suites
This extends the TLS wrapper code to allow OpenSSL cipherlist string to
be configured. In addition, the default value is now set to
DEFAULT:!EXP:!LOW to ensure cipher suites with low and export encryption
algoriths (40-64 bit keys) do not get enabled in default configuration
regardless of how OpenSSL build was configured.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-10-12 11:45:21 +03:00
Jouni Malinen
a256506ddc AES: Extend key wrap implementation to support longer data
This extends the "XOR t" operation in aes_wrap() and aes_unwrap() to
handle up to four octets of the n*h+i value instead of just the least
significant octet. This allows the plaintext be longer than 336 octets
which was the previous limit.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-10-07 14:57:10 +03:00
Jouni Malinen
eefec1e40b AES: Extend key wrap design to support longer AES keys
This adds kek_len argument to aes_wrap() and aes_unwrap() functions and
allows AES to be initialized with 192 and 256 bit KEK in addition to
the previously supported 128 bit KEK.

The test vectors in test-aes.c are extended to cover all the test
vectors from RFC 3394.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-10-07 14:57:06 +03:00
Jouni Malinen
98a1571d88 OpenSSL: Clean up one part from the BoringSSL patch
The (int) typecast I used with sk_GENERAL_NAME_num() to complete the
BoringSSL compilation was not really the cleanest way of doing this.
Update that to use stack_index_t variable to avoid this just like the
other sk_*_num() calls.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-10-07 11:49:20 +03:00
Adam Langley
a8572960a9 Support building with BoringSSL
BoringSSL is Google's cleanup of OpenSSL and an attempt to unify
Chromium, Android and internal codebases around a single OpenSSL.

As part of moving Android to BoringSSL, the wpa_supplicant maintainers
in Android requested that I upstream the change. I've worked to reduce
the size of the patch a lot but I'm afraid that it still contains a
number of #ifdefs.

[1] https://www.imperialviolet.org/2014/06/20/boringssl.html

Signed-off-by: Adam Langley <agl@chromium.org>
2014-10-07 01:18:03 +03:00
Masashi Honma
5c61d214ad openssl: Fix memory leak in openssl ec deinit
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2014-09-07 19:14:18 +03:00
Florent Daigniere
26c10f797c OpenSSL: Use EC_POINT_clear_free instead of EC_POINT_free
This changes OpenSSL calls to explicitly clear the EC_POINT memory
allocations when freeing them. This adds an extra layer of security by
avoiding leaving potentially private keys into local memory after they
are not needed anymore. While some of these variables are not really
private (e.g., they are sent in clear anyway), the extra cost of
clearing them is not significant and it is simpler to just clear these
explicitly rather than review each possible code path to confirm where
this does not help.

Signed-off-by: Florent Daigniere <nextgens@freenetproject.org>
2014-07-24 19:35:07 +03:00
Florent Daigniere
3248071dc3 OpenSSL: Use BN_clear_free instead of BN_free
This changes OpenSSL calls to explicitly clear the bignum memory
allocations when freeing them. This adds an extra layer of security by
avoiding leaving potentially private keys into local memory after they
are not needed anymore. While some of these variables are not really
private (e.g., they are sent in clear anyway), the extra cost of
clearing them is not significant and it is simpler to just clear these
explicitly rather than review each possible code path to confirm where
this does not help.

Signed-off-by: Florent Daigniere <nextgens@freenetproject.org>
2014-07-24 19:28:39 +03:00
Jouni Malinen
a79aea531e Milenage: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:47 +03:00
Jouni Malinen
05f916eeed AES-GCM: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:47 +03:00
Jouni Malinen
87a5c93bec AES-CCM: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:47 +03:00
Jouni Malinen
4eb3b76b0f OpenSSL: Fix OCSP certificate debug print to use wpa_printf
Instead of using X509_print_fp() to print directly to stdout, print the
certificate dump to a memory BIO and use wpa_printf() to get this into
the debug log. This allows redirection of debug log to work better and
avoids undesired stdout prints when debugging is not enabled.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-05-29 15:37:18 +03:00
Jouni Malinen
ab6d047405 Add function for building RSA public key from n and e parameters
This is similar to the existing functionality that parsed ASN.1-encoded
RSA public key by generating a similar public key instance from already
parsed n and e parameters.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-19 23:27:30 +03:00
Jouni Malinen
bb52293e71 OpenSSL: Detect and prevent TLS heartbeat attack
Some OpenSSL versions have vulnerability in TLS heartbeat request
processing. Check the processed message to determine if the attack has
been used and if so, do not send the response to the peer. This does not
prevent the buffer read overflow within OpenSSL, but this prevents the
attacker from receiving the information.

This change is an additional layer of protection if some yet to be
identified paths were to expose this OpenSSL vulnerability. However, the
way OpenSSL is used for EAP-TLS/TTLS/PEAP/FAST in hostapd/wpa_supplicant
was already rejecting the messages before the response goes out and as
such, this additional change is unlikely to be needed to avoid the
issue.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-04-09 14:58:48 +03:00
Jouni Malinen
47bd94a09f TLS testing: Add new test cases for RSA-DHE primes
test-tls-4: Short 511-bit RSA-DHE prime
test-tls-5: Short 767-bit RSA-DHE prime
test-tls-6: Bogus RSA-DHE "prime" 15
test-tls-7: Very short 58-bit RSA-DHE prime in a long container
test-tls-8: Non-prime as RSA-DHE prime

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-16 12:43:49 +02:00
Jouni Malinen
09eef142ea Use internal FIPS 186-2 PRF if needed
Previously, EAP-SIM/AKA/AKA' did not work with number of crypto
libraries (GnuTLS, CryptoAPI, NSS) since the required FIPS 186-2 PRF
function was not implemented. This resulted in somewhat confusing error
messages since the placeholder functions were silently returning an
error. Fix this by using the internal implementation of FIP 186-2 PRF
(including internal SHA-1 implementation) with crypto libraries that do
not implement this in case EAP-SIM/AKA/AKA' is included in the build.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-11 16:44:22 +02:00
Jouni Malinen
390b92913a TLS testing: Allow hostapd to be used as a TLS testing tool
The internal TLS server implementation and RADIUS server implementation
in hostapd can be configured to allow EAP clients to be tested to
perform TLS validation steps correctly. This functionality is not
included in the default build; CONFIG_TESTING_OPTIONS=y in
hostapd/.config can be used to enable this.

When enabled, the RADIUS server will configure special TLS test modes
based on the received User-Name attribute value in this format:
<user>@test-tls-<id>.<rest-of-realm>. For example,
anonymous@test-tls-1.example.com. When this special format is used, TLS
test modes are enabled. For other cases, the RADIUS server works
normally.

The following TLS test cases are enabled in this commit:
1 - break verify_data in the server Finished message
2 - break signed_params hash in ServerKeyExchange
3 - break Signature in ServerKeyExchange

Correctly behaving TLS client must abort connection if any of these
failures is detected and as such, shall not transmit continue the
session.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-09 18:47:09 +02:00