Commit graph

584 commits

Author SHA1 Message Date
Jouni Malinen
622d4d49e2 GnuTLS: Add TEST_FAIL() to crypto routines for testing purposes
This allows number of hwsim test cases for local error conditions to be
executed with GnuTLS-based builds.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-12-28 22:33:12 +02:00
Jouni Malinen
f8697e8109 GnuTLS: Implement tls_get_version()
Signed-off-by: Jouni Malinen <j@w1.fi>
2017-12-28 22:33:06 +02:00
Jouni Malinen
133f8d09fc GnuTLS: Implement HMAC functions using libgcrypt
Replace the internal HMAC MD5, SHA-1, and SHA256 implementations with
the ones from libgcrypt and also add the SHA384 and SHA512 versions.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-12-27 23:35:26 +02:00
Jouni Malinen
85c12a62ee GnuTLS: Implement sha{256,384,512}_vector() using libgcrypt
Replace the internal SHA256 implementation with the one from libgcrypt
and also add the SHA384 and SHA512 versions.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-12-27 23:21:37 +02:00
Jouni Malinen
cc3e7bfc3c GnuTLS: Use a helper function for hash functions
Use a shared helper function instead of implementing practically same
sequence separately for each hash function.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-12-27 23:13:51 +02:00
Sean Parkinson
c335507c8d Enhance crypto abstract API for DH
The patch offers alternate implementations of some functions using the
abstract cryptographic API.

This work was done in preparation for the changes to allow hostap to be
compiled with the wolfSSL cryptography and TLS library.

Signed-off-by: Sean Parkinson <sean@wolfssl.com>
2017-12-24 17:38:10 +02:00
Jouni Malinen
0e02f2a9fa crypto: Implement new crypto API functions for DH
This implements crypto_dh_init() and crypto_dh_derive_secret() using
os_get_random() and crypto_mod_exp() for all crypto_*.c wrappers that
include crypto_mod_exp() implementation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-12-24 17:36:04 +02:00
Jouni Malinen
eac084cb38 OpenSSL: Implement new crypto API functions
Signed-off-by: Jouni Malinen <j@w1.fi>
2017-12-24 17:35:41 +02:00
Sean Parkinson
23ff5d73df Enhance crypto abstract API
Add more crypto_*() wrappers to enable use of other crypto libraries
than OpenSSL.

Signed-off-by: Sean Parkinson <sean@wolfssl.com>
2017-12-24 17:35:38 +02:00
Sean Parkinson
441e8bfbb4 Fix copy-paste errors in function comments
Use correct function names for the documentation.

Signed-off-by: Sean Parkinson <sean@wolfssl.com>
2017-12-24 17:03:07 +02:00
Jouni Malinen
47e966abac DH: Remove trailing whitespace
Signed-off-by: Jouni Malinen <j@w1.fi>
2017-12-24 17:02:53 +02:00
Jouni Malinen
c23e87d0d1 OpenSSL: Replace EVP_PKEY_paramgen() with EC_KEY_new_by_curve_name()
The BoringSSL version of crypto_ecdh_init() and dpp_gen_keypair() works
fine with OpenSSL as well, so use that same implementation for both to
avoid unnecessary maintanence of multiple versions.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-12-10 23:49:39 +02:00
Jouni Malinen
7641d485db BoringSSL: Use EC_KEY_new_by_curve_name() to simplify implementation
There is no need to go through EC_GROUP_new_by_curve_name(),
EC_KEY_new(), and EC_KEY_set_group() when a single call to
EC_KEY_new_by_curve_name() takes care of all that.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-12-10 23:41:29 +02:00
Jouni Malinen
0f30844722 Revert "BoringSSL: Define RSA_bits() helper"
This reverts commit 3cfbd3b0f6 since
BoringSSL added RSA_bits() in commit
8dc226ca8f1ef60737e1c1bf8cfcabf51d4068c7 ('Add some missing OpenSSL
1.1.0 accessors.').

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-12-10 23:22:05 +02:00
Jouni Malinen
a2c442be25 OpenSSL: Allow cipher list to be overridden for tls_suiteb=1 case
This allows wpa_supplicant configuration with phase1="tls_suiteb=1" to
use openssl_ciphers="ECDHE-RSA-AES256-GCM-SHA384" to further limit the
possible TLS cipher suites when using Suite B with RSA >3K keys. This
combination disables use of DHE and as such, mandates ECDHE to be used.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-12-10 21:16:26 +02:00
David Benjamin
63942cf0f3 OpenSSL: Avoid SSL*_use_default_passwd_cb()
These functions are a bit awkward to use for one-off file loads, as
suggested by the tls_clear_default_passwd_cb() logic. There was also
some historical mess with OpenSSL versions and either not having per-SSL
settings, having per-SSL settings but ignoring them, and requiring the
per-SSL settings.

Instead, loading the key with the lower-level functions seems a bit
tidier and also allows abstracting away trying both formats, one after
another.

Signed-off-by: David Benjamin <davidben@google.com>
2017-12-09 18:29:08 +02:00
David Benjamin
149143e31d OpenSSL: Remove unnecessary os_strdup() from password callback
There's no need to make an extra copy of private_key_passwd for
SSL_{CTX_,}set_default_passwd_cb().

Signed-off-by: David Benjamin <davidben@google.com>
2017-12-09 18:09:10 +02:00
Jouni Malinen
c1564149a6 BoringSSL: Add AES support with 192-bit keys
BoringSSL restored the previously removed AES-192 ECB support in ("Add
AES-192 ECB.") commit. Since this is needed for DPP with the P-384
curve, restore support for this through EVP_aes_192_ecb().

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-17 21:03:04 +02:00
Jouni Malinen
edd72f55f8 OpenSSL: Debug message if requested AES key length is not supported
This makes it clearer why some AES operations fail especially with
BoringSSL where the 192-bit case is not supported.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-17 20:59:25 +02:00
Jouni Malinen
f29761297b BoringSSL: Implement crypto_ecdh_init()
BoringSSL does not provide some of the OpenSSL API that was used here,
so update this to use similar design to what was already done with DPP
key derivation.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-17 20:41:25 +02:00
Jouni Malinen
7721fe082b BoringSSL: Comment out SSL_set_default_passwd_cb*() calls
It looks like BoringSSL claims to have OPENSSL_VERSION_NUMBER for a
1.1.0 version, but it does not provide SSL_set_default_passwd_cb*(). For
now, comment out this regardless of the version BoringSSL claims to be.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-17 20:34:17 +02:00
Jouni Malinen
b9dc63c261 BoringSSL: Comment out SSL_set1_sigalgs_list() call
It looks like BoringSSL claims to have OPENSSL_VERSION_NUMBER for a
1.1.0 version, but it does not provide SSL_set1_sigalgs_list(). For now,
comment out this regardless of the version BoringSSL claims to be.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-17 20:30:37 +02:00
Jouni Malinen
3cfbd3b0f6 BoringSSL: Define RSA_bits() helper
It looks like BoringSSL claims to have OPENSSL_VERSION_NUMBER for a
1.1.0 version, but it does not provide RSA_bits(). For now, add this
backwards compatibility wrapper for BoringSSL regardless of the version
it claims to be.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-17 20:24:46 +02:00
Jouni Malinen
1c9663cf6b OpenSSL: Force RSA 3072-bit DH prime size limit for Suite B
Reject a DHE handshake if the server uses a DH prime that does not have
sufficient length to meet the Suite B 192-bit level requirement (<= 3k
(3072) bits).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-09-18 12:12:48 +03:00
Jouni Malinen
2ed70c7586 OpenSSL: Add option to disable ECDHE with Suite B RSA
The hostapd.conf tls_flags=[SUITEB-NO-ECDH] and wpa_supplicant network
profile phase1="tls_suiteb_no_ecdh=1" can now be used to configure Suite
B RSA constraints with ECDHE disabled. This is mainly to allow
the DHE TLS cipher suite to be tested.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-09-18 12:12:48 +03:00
Jouni Malinen
4eb8cfe06b OpenSSL: Force RSA 3072-bit key size limit for Suite B
Reject a peer certificate chain if it includes an RSA public key that
does not use sufficient key length to meet the Suite B 192-bit level
requirement (<= 3k (3072) bits).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-09-18 12:12:48 +03:00
Jouni Malinen
6418400db9 Add hostapd tls_flags parameter
This can be used to set the TLS flags for authentication server.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-09-18 12:12:48 +03:00
Jouni Malinen
60ed2f24eb Suite B: Add tls_suiteb=1 parameter for RSA 3k key case
This adds phase1 parameter tls_suiteb=1 into wpa_supplicant
configuration to allow TLS library (only OpenSSL supported for now) to
use Suite B 192-bit level rules with RSA when using >= 3k (3072) keys.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-09-17 00:09:47 +03:00
Michael Braun
333517ac1c crypto: Fix undefined behavior in random number generator
ubsan reported:

../src/crypto/random.c:69:30: runtime error: shift exponent 32 is too large for 32-bit type 'unsigned int'

Explicitly check for the ROL32(x, 0) case which is supposed to be a
no-op.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2017-09-10 21:50:21 +03:00
Jouni Malinen
3db2a82df8 Add SHA-384 routines to libcrypto.a
wlantest needs this for being able to decrypt FILS (Re)Association
Request/Response frames.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-09-05 18:58:59 +03:00
Jouni Malinen
89971d8b1e OpenSSL: Clear default_passwd_cb more thoroughly
Previously, the pointer to strdup passwd was left in OpenSSL library
default_passwd_cb_userdata and even the default_passwd_cb was left set
on an error path. To avoid unexpected behavior if something were to
manage to use there pointers, clear them explicitly once done with
loading of the private key.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-07-17 12:06:17 +03:00
Beniamino Galvani
f665c93e1d OpenSSL: Fix private key password handling with OpenSSL >= 1.1.0f
Since OpenSSL version 1.1.0f, SSL_use_PrivateKey_file() uses the
callback from the SSL object instead of the one from the CTX, so let's
set the callback on both SSL and CTX. Note that
SSL_set_default_passwd_cb*() is available only in 1.1.0.

Signed-off-by: Beniamino Galvani <bgalvani@redhat.com>
2017-07-17 11:57:16 +03:00
Beniamino Galvani
2b9891bd6e OpenSSL: Add build option to select default ciphers
Add a build option to select different default ciphers for OpenSSL
instead of the hardcoded default "DEFAULT:!EXP:!LOW".

This new option is useful on distributions where the security level
should be consistent for all applications, as in Fedora [1]. In such
cases the new configuration option would be set to "" or
"PROFILE=SYSTEM" to select the global crypto policy by default.

[1] https://fedoraproject.org/wiki/Changes/CryptoPolicy

Signed-off-by: Beniamino Galvani <bgalvani@redhat.com>
2017-07-17 11:55:22 +03:00
Jouni Malinen
77f273c82c Extend SHA-384 and SHA-512 support to match SHA-256
The additional SHA-384 and SHA-512 functionality is needed to support
DPP with various ECC curves.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-17 18:04:12 +03:00
Jouni Malinen
85cff4b0d8 OpenSSL: Try SHA256 hash for OCSP certificate matching
Previously, only SHA1 hash -based server certificate matching was used,
but the OCSP response may use SHA256 instead of SHA1, so check the match
with both hash functions, if needed.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-05-09 23:36:36 +03:00
Jouni Malinen
ef23838590 Return success/failure result from sha384_prf()
This makes the function more consistent with sha256_prf().

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 20:43:06 +02:00
Jouni Malinen
e73244c240 tests: Extract-and-Expand HKDF (RFC 5869)
Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-11 22:40:31 +02:00
Jouni Malinen
4ec833daf8 Extend hmac_sha256_kdf() to support HKDF-Expand() as defined in RFC 5869
The KDF define in RFC 5295 is very similar to HKDF-Expand() defined in
RFC 5869. Allow a NULL label to be used to select the RFC 5869 version
with arbitrary seed (info in RFC 5869) material without forcing the
label and NULL termination to be included. HKDF-Expand() will be needed
for OWE.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-11 22:40:10 +02:00
Jouni Malinen
ae1ec1aaf2 OpenSSL: Add wrapper functions for ECDH
These allow ECDH to be used with compressed public key encoding (only
x-coordinate). This is needed for FILS PFS and OWE.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-11 22:08:48 +02:00
Johannes Berg
a1f11e34c4 Use os_memdup()
This leads to cleaner code overall, and also reduces the size
of the hostapd and wpa_supplicant binaries (in hwsim test build
on x86_64) by about 2.5 and 3.5KiB respectively.

The mechanical conversions all over the code were done with
the following spatch:

    @@
    expression SIZE, SRC;
    expression a;
    @@
    -a = os_malloc(SIZE);
    +a = os_memdup(SRC, SIZE);
    <...
    if (!a) {...}
    ...>
    -os_memcpy(a, SRC, SIZE);

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2017-03-07 13:19:10 +02:00
Jouni Malinen
206516e8c2 af_alg: Crypto wrappers for Linux kernel crypto (AF_ALG)
CONFIG_TLS=linux can now be used to select the crypto implementation
that uses the user space socket interface (AF_ALG) for the Linux kernel
crypto implementation. This commit includes some of the cipher, hash,
and HMAC functions. The functions that are not available through AF_ALG
(e.g., the actual TLS implementation) use the internal implementation
(CONFIG_TLS=internal).

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-28 11:24:15 +02:00
Jouni Malinen
b41d3e0a75 crypto: Process des_encrypt() error returns in callers
This updates all the des_encrypt() callers to handle error cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-28 11:24:05 +02:00
Jouni Malinen
5f0e165e80 crypto: Add return value to DES and AES encrypt/decrypt
These operations may fail with some crypto wrappers, so allow the
functions to report their results to the caller.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-28 11:23:54 +02:00
Jouni Malinen
2e555f9cb0 tests: Add HMAC-SHA256 and HMAC-SHA384 test vectors from RFC 4231
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-16 22:15:29 +02:00
Jouni Malinen
62944f7d2c Add HMAC-SHA384 with internal crypto
This is a copy of the internal HMAC-SHA256 implementation with the hash
block size and output length updated to match SHA384 parameters.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-16 22:15:29 +02:00
Jouni Malinen
aeecd4eaec OpenSSL: Fix hmac_sha384_vector() implementation
The output length was incorrect (32 from the copy-pasted SHA256
version). Fix this to return the correct number of octets (48) for
SHA384. This fixes incorrect key derivation in FILS when using the
SHA384-based AKM.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-16 20:59:06 +02:00
Jouni Malinen
f229f2c67d tests: Add TEST_FAIL() to OpenSSL aes_wrap() and aes_unwrap()
This makes it easier to add more testing coverage for error paths.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-14 10:53:10 +02:00
Paul Stewart
6d08f23f0a OpenSSL/BoringSSL: Read certificate chain from client_cert on Android
If the keychain holds additional certificates other than the end
certificate, read them into the certificate chain.

Signed-off-by: Paul Stewart <pstew@google.com>
2017-01-30 01:54:30 +02:00
Jouni Malinen
ef495c78dd OpenSSL: Implement sha384_vector()
This was forgotten from the addition of SHA384 support and is now needed
for FILS.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-13 21:05:19 +02:00
Jouni Malinen
95de34a10a Remove trailing whitespace
Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-28 14:31:42 +02:00
Jouni Malinen
d7f12e4eb9 OpenSSL: Make sure local certificate auto chaining is enabled
Number of deployed use cases assume the default OpenSSL behavior of auto
chaining the local certificate is in use. BoringSSL removed this
functionality by default, so we need to restore it here to avoid
breaking existing use cases.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-21 12:23:15 +02:00
Jouni Malinen
4be02b71bb OpenSSL: Remove SSL_{CTX_,}_clear_options ifdefs
This simplifies the implementation since the SSL_clear_options() and
SSL_CTX_clear_options() are available in all supported versions of
OpenSSL. These were previously needed with older (now obsolete) versions
of OpenSSL, but the ifdefs were missed when removing the more explicit
version macro based backwards compatibility sections.

In practice, this reverts commit
d53d2596e4.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-21 12:06:21 +02:00
Jouni Malinen
325a85be36 Extend AES-SIV implementation to support different key lengths
The previous implementation was hardcoded to use 128-bit AES key
(AEAD_AES_SIV_CMAC_256). Extend this by allowing AEAD_AES_SIV_CMAC_384
and AEAD_AES_SIV_CMAC_512 with 192-bit and 256-bit AES keys.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-10 19:40:59 +03:00
Julian Ospald
b70d508c50 LibreSSL: Fix compatibility for EAP-FAST
This basically just follows commit
587b0457e0 ('LibreSSL: Fix build with
LibreSSL') with the same pattern, which was missed here.

Signed-off-by: Julian Ospald <hasufell@hasufell.de>
2016-10-08 00:36:18 +03:00
Christian Neukirchen
df426738fb LibreSSL: Fix TLS initialization/deinitialization
Due to a missing guard for old OpenSSL code, SSL_library_init() was not
called, which is required for LibreSSL. Likewise for cleanup.

Signed-off-by: Christian Neukirchen <chneukirchen@gmail.com>
2016-10-08 00:27:56 +03:00
Christian Neukirchen
0d42179e12 LibreSSL: Fix dh5 code
Add LibreSSL check to old OpenSSL #ifdef guard as DH_{get0,set0}_key()
is not implemented in LibreSSL.

Signed-off-by: Christian Neukirchen <chneukirchen@gmail.com>
2016-10-08 00:26:18 +03:00
Nishant Chaprana
746e5c2565 Fix spelling mistakes in number of comments
Signed-off-by: Nishant Chaprana <n.chaprana@samsung.com>
2016-09-30 22:45:03 +03:00
David Benjamin
478441bf81 OpenSSL: Fix OpenSSL 1.1.0 compatibility functions
To be consistent with OpenSSL 1.1.0, the free functions should
internally check for NULL. EVP_MD_CTX_free also was missing an
EVP_MD_CTX_cleanup, so this leaked a little.

OpenSSL 1.1.0 also has given get_rfc3526_prime_1536 a better namespace
with get_rfc3526_prime_1536 as a compatibility-only name. Use that
instead in 1.1.0.

Signed-off-by: David Benjamin <davidben@google.com>
2016-08-13 21:07:05 +03:00
Jouni Malinen
460e5cdf43 OpenSSL: Fix OpenSSL 1.1.0 DH operation
Commit 49fe2ada20 ('OpenSSL: Support
OpenSSL 1.1.0 DH opacity') started using the new accessor functions, but
used incorrect success check for the DH_set0_key() call. This resulted
in dh5_init_fixed() failures and double-free on error path if the build
was linked against OpenSSL 1.1.0. Fix this by checking DH_set0_key()
return value to be 1 for the success case.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-07-15 13:30:57 +03:00
Jouni Malinen
e6804fef93 OpenSSL: Update to match the modified DH_get0_key() API
OpenSSL 1.1.0 (master branch) apparently ended up modifying the API
after the beta 2 release that was supposed to complete the work. Mark
the variables const to fix the compilation with the modified OpenSSL
API.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-06-25 00:35:17 +03:00
Jouni Malinen
582121b038 OpenSSL: Silence sparse warnings in fips186_2_prf()
Use WPA_PUT_BE32() instead of inplace conversion with host_to_be32() to
avoid sparse warnings.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-06-24 19:02:58 +03:00
Jouni Malinen
50a17a76e1 tests: Declare module test functions in a header file
This gets rid of number of warnings from sparse.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-06-23 18:26:09 +03:00
Jouni Malinen
3e624369cb tests: Mark some module test arrays static
These are not used outside the source code file.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-06-23 18:11:35 +03:00
Jouni Malinen
3787c91da0 OpenSSL: Pull in header files to check function prototypes
Since crypto_openssl.c is now implementing couple of functions
internally, pull in the relevant header files md5.h and aes_wrap.h to
make sure the function declaration are consistent.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-06-23 13:35:26 +03:00
David Woodhouse
c3d7fb7e27 OpenSSL: Initialise PKCS#11 engine even if found with ENGINE_by_id()
Recent versions of engine_pkcs11 are set up to be autoloaded on demand
with ENGINE_by_id() because they don't need explicit configuration.

But if we *do* want to explicitly configure them with a PKCS#11 module
path, we should still do so.

We can't tell whether it was already initialised, but it's harmless to
repeat the MODULE_PATH command if it was.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Tested-by: Michael Schaller <misch@google.com>
2016-06-11 12:21:08 +03:00
David Benjamin
1cece2fafb OpenSSL: Comment out tls_connection_get_eap_fast_key without EAP-FAST
This avoids internal access of structs and also removes the dependency
on the reimplemented TLS PRF functions when EAP-FAST support is not
enabled. Notably, BoringSSL doesn't support EAP-FAST, so there is no
need to access its internals with openssl_get_keyblock_size().

Signed-Off-By: David Benjamin <davidben@google.com>
2016-05-23 21:22:33 +03:00
David Benjamin
7358170787 TLS: Split tls_connection_prf() into two functions
Most protocols extracting keys from TLS use RFC 5705 exporters which is
commonly implemented in TLS libraries. This is the mechanism used by
EAP-TLS. (EAP-TLS actually predates RFC 5705, but RFC 5705 was defined
to be compatible with it.)

EAP-FAST, however, uses a legacy mechanism. It reuses the TLS internal
key block derivation and derives key material after the key block. This
is uncommon and a misuse of TLS internals, so not all TLS libraries
support this. Instead, we reimplement the PRF for the OpenSSL backend
and don't support it at all in the GnuTLS one.

Since these two are very different operations, split
tls_connection_prf() in two. tls_connection_export_key() implements the
standard RFC 5705 mechanism that we expect most TLS libraries to
support. tls_connection_get_eap_fast_key() implements the
EAP-FAST-specific legacy mechanism which may not be implemented on all
backends but is only used by EAP-FAST.

Signed-Off-By: David Benjamin <davidben@google.com>
2016-05-23 20:40:12 +03:00
David Benjamin
f150db6c83 OpenSSL: Remove two more accesses of ssl_ctx->cert_store
Commit 68ae4773a4 ('OpenSSL: Use library
wrapper functions to access cert store') fixed most of these, but missed
a few.

Signed-Off-By: David Benjamin <davidben@google.com>
2016-05-23 19:08:40 +03:00
Jouni Malinen
6a9681e90c OpenSSL: Make dh5_init() match the generic implementation
Commit 4104267e81 ('Fix memory leak on NFC
DH generation error path') modified the generic (non-OpenSSL)
implementation of dh5_init() to free the previously assigned public key,
if any. However, that commit did not modify the OpenSSL specific version
of this function. Add the same change there to maintain consistent
behavior between these two implementations of the same function.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-05-13 18:25:57 +03:00
David Benjamin
e4471338c6 OpenSSL: BoringSSL has SSL_get_client_random(), etc.
BoringSSL added OpenSSL 1.1.0's SSL_get_client_random() and friends in
working towards opaquifying the SSL struct. But it, for the moment,
still looks more like 1.0.2 than 1.1.0 and advertises
OPENSSL_VERSION_NUMBER as such. This means that there is no need to
define those in BoringSSL and defining them causes conflicts. (C does
not like having static and non-static functions with the same name.)

As requested, this is conditioned on defined(BORINGSSL_API_VERSION) so
wpa_supplicant may continue to support older BoringSSLs for a time.
(BoringSSL revisions without the accessors predate BoringSSL maintaining
a BORINGSSL_API_VERSION.)

Also add a missing opensslv.h include. tls_openssl.c is sensitive to
OPENSSL_VERSION_NUMBER, so it should include the header directly rather
than rely on another header to do so.

Signed-off-by: David Benjamin <davidben@google.com>
2016-05-10 19:36:46 +03:00
Jouni Malinen
49fe2ada20 OpenSSL: Support OpenSSL 1.1.0 DH opacity
The OpenSSL 1.1.0 Beta 2 release made DH opaque and that broke
compilation of crypto_openssl.c. Fix this by using the new accessor
functions when building against OpenSSL 1.1.0 or newer.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-04-20 01:20:00 +03:00
Jouni Malinen
f73b167c69 tests: Add TEST_FAIL() calls into OpenSSL bignum operations
This makes it easier to test error paths in bignum operations in SAE.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-03-28 01:10:31 +03:00
Jouni Malinen
0741c481ee SAE: Check SHA256-PRF operation result
While this is mostly theoretical, check explicitly that SHA256
operations in sha256_prf*() succeed.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-03-27 21:44:49 +03:00
Jouni Malinen
8b827c342f BoringSSL: Keep static analyzers happier with X509_get0_pubkey_bitstr()
While this function could return NULL if the parameter issued to it were
NULL, that does not really happen here. Anyway, since this can result in
a warning from a static analyzer that does can see the return NULL
without fully understanding what it means here, check the return value
explicitly against NULL to avoid false warnings.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-03-16 21:34:01 +02:00
Jouni Malinen
3a583e0023 OpenSSL: Fix PKCS#12 parsing of extra certificates with OpenSSL 1.0.1
Commit 8bcf8de827 ('OpenSSL: Fix memory
leak in PKCS12 additional certificate parsing') tried to fix a memory
leak in both the 1.0.2(and newer) and 1.0.1 branches of PKCS12 parsing.
However, the 1.0.1 case was not properly tested and freeing of the
certificate after a successful SSL_CTX_add_extra_chain_cert() call
resulted in use of freed memory when going through the TLS handshake.
Fix this by not freeing the certificate in that specific case.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-16 18:30:55 +02:00
Jouni Malinen
8bcf8de827 OpenSSL: Fix memory leak in PKCS12 additional certificate parsing
The additional PKCS12 certificates were not freed properly in the loop
added in commit de2a7b796d ('OpenSSL: Use
connection certificate chain with PKCS#12 extra certs').

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-16 13:29:40 +02:00
Jouni Malinen
03e3ddf84e OpenSSL: Fix memory leak in HMAC_CTX compatibility wrapper function
Commit 5c9a33702f ('OpenSSL: Clean up
crypto_hash_*() to use a single implementation') added a wrapper
function to allow the new OpenSSL API to be used with older OpenSSL
versions. However, the HMAC_CTX_free() wrapper was incorrectly skipping
the call to HMAC_CTX_cleanup() which is still needed to free the
resources OpenSSL allocated internally.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-16 13:13:36 +02:00
Jouni Malinen
d9a0f69747 OpenSSL: Fix memory leak in OCSP parsing
The result from OCSP_cert_to_id() needs to be freed.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-16 00:40:41 +02:00
Jouni Malinen
29bc76e3d3 OpenSSL: Do not use library init/deinit functions with 1.1.0
SSL_library_init() does not work properly after EVP_cleanup() starting
from OpenSSL 1.1.0 pre release 3. The automated library init/deinit
functions in that pre release are supposed to handle all initialization
and deinitialiation, so comment out the explicit calls to these function
with OpenSSL 1.1.0 and newer.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-16 00:35:34 +02:00
Jouni Malinen
0f09637001 OpenSSL: Fix memory leak in subjectAltName parsing
The parsed data from X509_get_ext_d2i() needs to be freed.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-16 00:35:20 +02:00
Jouni Malinen
6014890bfb OpenSSL: Fix memory leak with EVP_CIPHER_CTX_new()
Commit 1eb87ae48d ('OpenSSL: Use
EVP_CIPHER_CTX_new() to work with OpenSSL 1.1.0') started using
EVP_CIPHER_CTX_new() to allocate EVP_CIPHER_CTX from heap instead of
using stack memory. This commit used incorrect EVP_CIPHER_CTX_reset()
function in number of cases when the allocated memory was supposed to be
freed instead of just reset for reuse. Fix this by using
EVP_CIPHER_CTX_free() properly.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-16 00:30:43 +02:00
Jouni Malinen
1f1e599b3b OpenSSL: Fix memory leak on error path
If SSL_CTX_new(SSLv23_method()) fails, tls_init() error path did not
free the allocated struct tls_data instance.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-15 21:53:33 +02:00
Ayala Beker
dda091cf51 OpenSSL: Fix server side PKCS#12 processing with extra certificates
Fix a possible null pointer dereference in tls_parse_pkcs12() when
loading a PKCS#12 file for the server keys and the file includes extra
certificates.

Signed-off-by: Ayala Beker <ayala.beker@intel.com>
2016-02-06 01:14:43 +02:00
Ayala Beker
443c8e18de OpenSSL: Fix possible null pointer dereference on an OCSP error path
Fix possible null pointer dereference in check_ocsp_resp() if an memory
allocation fails.

Signed-off-by: Ayala Beker <ayala.beker@intel.com>
2016-02-06 00:58:32 +02:00
Rubin Xu
a8ef133f1d Android: Support multiple CA certs when connecting to EAP network
In the Android-specific case, make ca_cert directive parse a
space-separated list of hex-encoded CA certificate aliases following the
"keystores://" prefix. Server certificate validation should succeed as
long as the chain ends with one of them.

Signed-off-by: Rubin Xu <rubinxu@google.com>
2016-02-05 17:31:46 +02:00
Jouni Malinen
ac2053b103 OpenSSL: Clean up openssl_digest_vector() to use a single implementation
Use compatibility wrapper functions to allow a single implementation
based on the latest OpenSSL API to be used to implement these functions
instead of having to maintain two conditional implementation based on
the library version.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-15 14:17:16 +02:00
Jouni Malinen
5c9a33702f OpenSSL: Clean up crypto_hash_*() to use a single implementation
Use compatibility wrapper functions to allow a single implementation
based on the latest OpenSSL API to be used to implement these functions
instead of having to maintain two conditional implementation based on
the library version.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-15 14:14:07 +02:00
Jouni Malinen
587b0457e0 LibreSSL: Fix build with LibreSSL
The changes needed for OpenSSL 1.1.0 had broken this since LibreSSL is
defining OPENSSL_VERSION_NUMBER in a manner that claims it to be newer
than the current OpenSSL version even though it does not support the
current OpenSSL API.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-15 14:06:46 +02:00
Jouni Malinen
465196ebd2 tests: aes_encrypt_init() and aes_decrypt_init() to use TEST_FAIL
Now the these functions cannot be made to fail by forcing the memory
allocation fail since the OpenSSL-internal version is used, add
TEST_FAIL check to allow OOM test cases to be converted to use the
TEST_FAIL mechanism without reducing coverage.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-14 19:44:47 +02:00
Jouni Malinen
1eb87ae48d OpenSSL: Use EVP_CIPHER_CTX_new() to work with OpenSSL 1.1.0
The EVP_CIPHER_CTX structure will be made opaque in OpenSSL 1.1.0, so
need to use EVP_CIPHER_CTX_new() with it instead of stack memory. The
design here moves the older OpenSSL versions to use that dynamic
allocation design as well to minimize maintenance effort.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-14 19:30:24 +02:00
Jouni Malinen
3fb3bea8e9 OpenSSL: Update session_secret callback to match OpenSSL 1.1.0 API
The SSL_CIPHER **cipher argument was marked const in OpenSSL 1.1.0
pre-release 2 similarly to how this is in BoringSSL. Fix build with that
in preparation for supporting OpenSSL 1.1.0.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-14 19:28:33 +02:00
Jouni Malinen
21cb63fffd OpenSSL: Fix client certificate chain building after PKCS#12 use
If wpa_supplicant was first configured with PKCS #12 -based client
certificate chain and then used with another network profile that used a
different certificate chain from a X.509 certificate PEM file instead of
PKCS#12, the extra certificate chain was not reconstructed properly with
older versions of OpenSSL that 1.0.2. This could result in the
authentication failing due to the client certificate chain not being
complete or including incorrect certificates.

Fix this by clearing the extra certificate chain when setting up a new
TLS connection with OpenSSL 1.0.1. This allows OpenSSL to build the
chain using the default mechanism in case the new TLS exchange does not
use PKCS#12.

The following hwsim test case sequence was able to find the issue:
ap_wpa2_eap_tls_pkcs12 ap_wpa2_eap_tls_intermediate_ca_ocsp

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-07 17:54:23 +02:00
Jouni Malinen
750f5d9964 EAP-FAST: Enable AES256-based TLS cipher suites with OpenSSL
This extends the list of TLS cipher suites enabled for EAP-FAST to
include AES256-based suites.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-31 20:52:58 +02:00
Jouni Malinen
1ebb24bbfb OpenSSL: Share a single openssl_tls_prf() implementation
Add SSL_SESSION_get_master_key() compatibility wrapper for older OpenSSL
versions to be able to use the new openssl_tls_prf() implementation for
OpenSSL 1.1.0 with all supported versions.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-31 20:10:30 +02:00
Jouni Malinen
dea20519aa OpenSSL: Clean up function to fetch client/server random
SSL_get_client_random() and SSL_get_server_random() will be added in
OpenSSL 1.1.0. Provide compatibility wrappers for older versions to
simplify the tls_connection_get_random() implementation.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-31 18:15:09 +02:00
Jouni Malinen
9a42d859a2 OpenSSL: Drop support for OpenSSL 1.0.0
The OpenSSL project will not support version 1.0.0 anymore. As there
won't be even security fixes for this branch, it is not really safe to
continue using 1.0.0 and we might as well drop support for it to allow
cleaning up the conditional source code blocks.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-31 18:05:28 +02:00
Jouni Malinen
de213e84e0 OpenSSL: Drop support for OpenSSL 0.9.8
The OpenSSL project will not support version 0.9.8 anymore. As there
won't be even security fixes for this branch, it is not really safe to
continue using 0.9.8 and we might as well drop support for it to allow
cleaning up the conditional source code blocks.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-31 18:01:59 +02:00
Jouni Malinen
15a68138c1 Remove unnecessary cleanup assignment in SHA1Final()
This makes some static analyzers complain about stored value never being
read. While it is good to clear some other temporary variables, this
local variable i has no security private information (it has a fixed
value of 20 here) and trying to clear it to 0 does not add any value.
Remove that part of the "wipe variables" to avoid one useless static
analyzer complaint.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-28 18:12:03 +02:00
Jouni Malinen
0764dd6849 TLS client: Multi-OCSP check to cover intermediate CAs
This extends multi-OCSP support to verify status for intermediate CAs in
the server certificate chain.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-24 00:54:30 +02:00
Jouni Malinen
d6b536f7e5 Add ocsp=3 configuration parameter for multi-OCSP
ocsp=3 extends ocsp=2 by require all not-trusted certificates in the
server certificate chain to receive a good OCSP status. This requires
support for ocsp_multi (RFC 6961). This commit is only adding the
configuration value, but all the currently included TLS library wrappers
are rejecting this as unsupported for now.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-24 00:54:30 +02:00
Jouni Malinen
8ea6a27003 TLS server: OCSP stapling with ocsp_multi option (RFC 6961)
This allows hostapd with the internal TLS server implementation to
support the extended OCSP stapling mechanism with multiple responses
(ocsp_stapling_response_multi).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-22 20:44:52 +02:00
Jouni Malinen
5addb0df59 Server configuration for OCSP stapling with ocsp_multi (RFC 6961)
This adds a new hostapd configuration parameter
ocsp_stapling_response_multi that can be used similarly to the existing
ocsp_stapling_response, but for the purpose of providing multiple cached
OCSP responses. This commit adds only the configuration parameter, but
does not yet add support for this mechanism with any of the supported
TLS implementations.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-22 19:42:07 +02:00
Jouni Malinen
bca0872dd5 TLS server: OCSP stapling
This adds support for hostapd-as-authentication-server to be build with
the internal TLS implementation and OCSP stapling server side support.
This is more or less identical to the design used with OpenSSL, i.e.,
the cached response is read from the ocsp_stapling_response=<file> and
sent as a response if the client requests it during the TLS handshake.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-22 17:53:45 +02:00
Jouni Malinen
9532bd2b44 GnuTLS: OCSP stapling on the server side
This adds support for hostapd-as-authentication-server to be build
against GnuTLS with OCSP stapling server side support. This is more or
less identical to the design used with OpenSSL, i.e., the cached
response is read from the ocsp_stapling_response=<file> and sent as a
response if the client requests it during the TLS handshake.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-22 16:47:29 +02:00
Jouni Malinen
3c108b7573 EAP peer: External server certificate chain validation
This adds support for optional functionality to validate server
certificate chain in TLS-based EAP methods in an external program.
wpa_supplicant control interface is used to indicate when such
validation is needed and what the result of the external validation is.

This external validation can extend or replace the internal validation.
When ca_cert or ca_path parameter is set, the internal validation is
used. If these parameters are omitted, only the external validation is
used. It needs to be understood that leaving those parameters out will
disable most of the validation steps done with the TLS library and that
configuration is not really recommend.

By default, the external validation is not used. It can be enabled by
addingtls_ext_cert_check=1 into the network profile phase1 parameter.
When enabled, external validation is required through the CTRL-REQ/RSP
mechanism similarly to other EAP authentication parameters through the
control interface.

The request to perform external validation is indicated by the following
event:
CTRL-REQ-EXT_CERT_CHECK-<id>:External server certificate validation needed for SSID <ssid>

Before that event, the server certificate chain is provided with the
CTRL-EVENT-EAP-PEER-CERT events that include the cert=<hexdump>
parameter. depth=# indicates which certificate is in question (0 for the
server certificate, 1 for its issues, and so on).

The result of the external validation is provided with the following
command:
CTRL-RSP-EXT_CERT_CHECK-<id>:<good|bad>

It should be noted that this is currently enabled only for OpenSSL (and
BoringSSL/LibreSSL). Due to the constraints in the library API, the
validation result from external processing cannot be reported cleanly
with TLS alert. In other words, if the external validation reject the
server certificate chain, the pending TLS handshake is terminated
without sending more messages to the server.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-12 18:24:27 +02:00
Jouni Malinen
36478a16e6 OpenSSL: Support new API for HMAC/EVP_MD_CTX in OpenSSL 1.1.x-pre1
The EVP_MD_CTX and HMAC_CTX definitions are now hidden from applications
using OpenSSL. Fix compilation issues with OpenSSL 1.1.x-pre1 by using
the new API for allocating these structures.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-10 18:11:39 +02:00
Jouni Malinen
213e158ca8 BoringSSL: Move OCSP implementation into a separate file
This makes it easier to share the OCSP implementation needed for
BoringSSL outside tls_openssl.c. For now, this is mainly for
http_curl.c.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-04 20:08:31 +02:00
Jouni Malinen
f846211e3e BoringSSL: Support new SHA_CTX definition for EAP-SIM PRF
BoringSSL modified the struct sha_state_st (SHA_CTX) definition by
converting h0..h4 with h[5] array. This broke wpa_supplicant/hostapd
build with EAP-SIM enabled. BoringSSL restored the old version for
ANDROID builds, but only the new version is currently defined for
non-Android cases. For now, fix this by having matching selection in
fips_prf_openssl.c based on OPENSSL_IS_BORINGSSL and ANDROID defines.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-04 11:30:36 +02:00
Jouni Malinen
b34c623c07 OpenSSL: Fix build with current OpenSSL master branch snapshot
OpenSSL 1.1.x will apparently go out with "SSLeay" renamed in the API to
"OpenSSL", which broke the build here for fetching the version of the
running OpenSSL library when wpa_supplicant/hostapd is built against the
current OpenSSL snapshot.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-03 23:53:35 +02:00
Jouni Malinen
7fff91ae51 Fix tls_connection_prf() regression with CONFIG_TLS=internal
Commit af851914f8 ('Make
tls_connection_get_keyblock_size() internal to tls_*.c') broke
tls_connection_prf() with the internal TLS implementation when using
skip_keyblock=1. In practice, this broke EAP-FAST. Fix this by deriving
the correct number of PRF bytes before skipping the keyblock.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-29 23:40:54 +02:00
Jouni Malinen
07555778a7 Add TEST_FAIL() support for internal hash functions
md4_vector(), md5_vector(), sha1_vector(), and sha256_vector() already
supported TEST_FAIL() with the OpenSSL crypto implementation, but the
same test functionality is needed for the internal crypto implementation
as well.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-29 21:01:33 +02:00
Jouni Malinen
4104267e81 Fix memory leak on NFC DH generation error path
It was possible for some NFC DH generation error paths to leak memory
since the old private/public key was not freed if an allocation failed.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-29 20:53:20 +02:00
Jouni Malinen
0cbc22b2eb TLS client: Use TLS_CONN_* flags
This makes it simpler to add support for new TLS_CONN_* flags without
having to add a new configuration function for each flag.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-29 19:48:17 +02:00
Jouni Malinen
20804fe844 TLS: Add support for tls_get_version()
This allows wpa_supplicant to return eap_tls_version STATUS information
when using the internal TLS client implementation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-29 19:41:37 +02:00
Jouni Malinen
f2a6ad01a9 TLS client: Add support for server certificate probing
The internal TLS client implementation can now be used with
ca_cert="probe://" to probe the server certificate chain. This is also
adding the related CTRL-EVENT-EAP-TLS-CERT-ERROR and
CTRL-EVENT-EAP-PEER-CERT events.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-29 18:59:27 +02:00
Jouni Malinen
c0acec3934 crypto: Add CRYPTO_HASH_ALG_SHA384 and CRYPTO_HASH_ALG_SHA512
This extends the crypto_hash_*() API to support SHA384 and SHA512 when
built with CONFIG_TLS=internal.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-29 18:21:08 +02:00
Pali Rohár
6bb6a9ce29 Add SHA384 and SHA512 implementations from LibTomCrypt library
These will be used with the internal TLS implementation to extend hash
algorithm support for new certificates and TLS v1.2.

Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
2015-11-29 18:19:32 +02:00
Jouni Malinen
11c9ddb766 Add TEST_FAIL() condition to aes_128_cbc_encrypt/decrypt()
This enables more error path testing.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-28 20:46:36 +02:00
Jouni Malinen
1fff13a9cb tests: Move EAP-SIM PRF module test into the hwsim framework
The old wpa_supplicant/Makefile target test-eap_sim_common did not work
anymore and anyway, this test is better placed in the newer hwsim
framework to make sure the test case gets executed automatically.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-24 00:00:21 +02:00
Marek Behún
36e820605f Check for LIBRESSL_VERSION_NUMBER in tls_openssl.c
LibreSSL does not yet support the new API, so do not use it
when LIBRESSL_VERSION_NUMBER macro is defined.

Signed-off-by: Marek Behun <kabel@blackhole.sk>
2015-11-22 12:00:53 +02:00
Jouni Malinen
2e38079531 TLS: Fix memory leak with multiple TLS server instances
When using CONFIG_TLS=internal and starting hostapd with multiple
configuration files that each initialize TLS server, the server
certificate and related data was not freed for all the interfaces on
exit path. Fix this by freeing the credential data that is stored
separately for each call to tls_init().

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-31 18:15:22 +02:00
Jouni Malinen
8f3ea3175f tests: Fix build without CONFIG_ERP=y
hmac_sha256_kdf() got pulled in only if CONFIG_ERP=y is set. Fix
test_sha256() by making the test case conditional on the function being
present.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-26 00:42:14 +02:00
Jouni Malinen
cc4f3d6ea7 tests: Add TEST_FAIL() condition to omac1_aes_vector()
This enables more error path testing.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-17 20:40:36 +03:00
Jouni Malinen
8fd1d6236d OpenSSL: Add TEST_FAIL() checks to allow error path testing
This makes it easier to test various error paths related to key
derivation and authentication steps.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-12 01:04:22 +03:00
Jouni Malinen
cbb154973d OpenSSL: Make msg_callback debug prints easier to read
Write a text version of the content type and handshake type in debug log
to make it easier to follow TLS exchange.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-11 11:35:35 +03:00
Jouni Malinen
faf8f29379 OpenSSL: Recognize special write_p == 2 in msg_callback
OpenSSL could use this to identify crypto tracing values if built with
OPENSSL_SSL_TRACE_CRYPTO.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-11 11:14:00 +03:00
Jouni Malinen
6f5b284b32 tests: Module test for hmac_sha256_kdf() maximum output length
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-10 18:57:14 +03:00
Jouni Malinen
5a55c9b411 Fix MSCHAP UTF-8 to UCS-2 conversion check for three-byte encoding
The utf8_string_len comparison was off by one and ended up accepting a
truncated three-byte encoded UTF-8 character at the end of the string if
the octet was missing. Since the password string gets null terminated in
the configuration, this did not result in reading beyond the buffer, but
anyway, it is better to explicitly reject the string rather than try to
use an incorrectly encoded UTF-8 string as the password.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-10 18:38:37 +03:00
Jouni Malinen
bdee6ca0e0 BoringSSL: Implement support for OCSP stapling
BoringSSL has removed the OpenSSL OCSP implementation (OCSP_*()
functions) and instead, provides only a minimal mechanism for include
the status request extension and fetching the response from the server.
As such, the previous OpenSSL-based implementation for OCSP stapling is
not usable with BoringSSL.

Add a new implementation that uses BoringSSL to request and fetch the
OCSP stapling response and then parse and validate this with the new
implementation within wpa_supplicant. While this may not have identical
behavior with the OpenSSL-based implementation, this should be a good
starting point for being able to use OCSP stapling with BoringSSL.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-10-09 23:48:30 +03:00
Adam Langley
aeeb0bca71 Android: Fix keystore-backed keys with BoringSSL
The switch to BoringSSL broke keystore-backed keys because
wpa_supplicant was using the dynamic ENGINE loading to load
the keystore module.
The ENGINE-like functionality in BoringSSL is much simpler
and this change should enable it.

Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
2015-10-06 23:10:17 +03:00
Jouni Malinen
d9c807cab1 Fix key derivation for Suite B 192-bit AKM to use SHA384
While the EAPOL-Key MIC derivation was already changed from SHA256 to
SHA384 for the Suite B 192-bit AKM, KDF had not been updated similarly.
Fix this by using HMAC-SHA384 instead of HMAC-SHA256 when deriving PTK
from PMK when using the Suite B 192-bit AKM.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-27 20:42:14 +03:00
Jouni Malinen
20f331b707 OpenSSL: Write PKCS#12 extra cert errors into debug log
Commit de2a7b796d ('OpenSSL: Use
connection certificate chain with PKCS#12 extra certs') added a new
mechanism for doing this with OpenSSL 1.0.2 and newer. However, it did
not poinr out anything in debug log if SSL_add1_chain_cert() failed. Add
such a debug print and also silence static analyzer warning on res being
stored without being read (since the error case is ignored at least for
now).

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-24 19:36:34 +03:00
Jouni Malinen
acf36f319f OpenSSL: Enable support for server side TLS session resumption
This allows TLS-based EAP server methods to use session resumption.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-24 18:01:40 +03:00
Jouni Malinen
b3b8085ae8 TLS: Add functions for managing cached session state
The new tls_connection_set_success_data(),
tls_connection_set_success_data_resumed(),
tls_connection_get_success_data(), and tls_connection_remove_session()
functions can be used to mark cached sessions valid and to remove
invalid cached sessions. This commit is only adding empty functions. The
actual functionality will be implemented in followup commits.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-24 02:29:30 +03:00
Jouni Malinen
681e199dfb EAP server: Add tls_session_lifetime configuration
This new hostapd configuration parameter can be used to enable TLS
session resumption. This commit adds the configuration parameter through
the configuration system and RADIUS/EAPOL/EAP server components. The
actual changes to enable session caching will be addressed in followup
commits.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-24 02:29:30 +03:00
Jouni Malinen
93bc654996 OpenSSL: Allow server connection parameters to be configured
This extends OpenSSL version of tls_connection_set_verify() to support
the new flags argument.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-24 02:29:29 +03:00
Jouni Malinen
bfbebd2665 TLS: Add new arguments to tls_connection_set_verify()
The new flags and session_ctx arguments will be used in followup
commits.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-24 02:29:29 +03:00
Jouni Malinen
bd9b8b2b68 OpenSSL: Add wrapper struct for tls_init() result
This new struct tls_data is needed to store per-tls_init() information
in the followup commits.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-24 02:29:25 +03:00
Jouni Malinen
87c59a1e5a tests: Allow AES-WRAP-192 test cases to be commented out with BoringSSL
BoringSSL does not support 192-bit AES, so these parts of the
wpa_supplicant module tests would fail.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-08-18 20:21:44 +03:00
Jouni Malinen
355a5c8ec5 OpenSSL: Reject OCSP-required configuration if no OCSP support
This is needed at least with BoringSSL to avoid accepting OCSP-required
configuration with a TLS library that does not support OCSP stapling.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-08-18 02:24:06 +03:00
Jouni Malinen
c07e7b43e9 BoringSSL: Fix PKCS12_parse() segfault when used without password
Unlike OpenSSL PKCS12_parse(), the BoringSSL version seems to require
the password pointer to be non-NULL even if no password is present. Map
passwrd == NULL to passwd = "" to avoid a NULL pointer dereference
within BoringSSL.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-08-18 02:06:02 +03:00
Jouni Malinen
a89beee589 OpenSSL: Handshake completion and resumption state into debug log
This new debug log entry makes it more convenient to check how TLS
handshake was completed.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-08-18 01:56:05 +03:00
Jouni Malinen
a7803b0caf BoringSSL: Fix session resumption
BoringSSL commit 533ef7304d9b48aad38805f1997031a0a034d7fe ('Remove
SSL_clear calls in handshake functions.') triggered a regression for
EAP-TLS/TTLS/PEAP session resumption in wpa_supplicant due to the
removed SSL_clear() call in ssl3_connect() going away and wpa_supplicant
not calling SSL_clear() after SSL_shutdown(). Fix this by adding the
SSL_clear() call into wpa_supplicant after SSL_shutdown() when preparing
the ssl instance for another connection.

While OpenSSL is still call SSL_clear() in ssl3_connect(), it looks to
be safe to add this call to wpa_supplicant unconditionally.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-08-18 01:56:05 +03:00
Jouni Malinen
0f56057c64 BoringSSL: Make SSL_set_ssl_method() conditional on EAP-FAST
This function does not seem to be available in BoringSSL. Since it is
needed for EAP-FAST (which is not currently working with BoringSSL),
address this by commenting out the EAP-FAST specific step from builds
that do not include EAP-FAST support.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-08-18 01:56:05 +03:00
Jouni Malinen
226cdea6ca BoringSSL: Comment out SSL_build_cert_chain() call
It looks like BoringSSL does include that function even though it claims
support for OPENSSL_VERSION_NUMBER where this is available (1.0.2). For
now, comment out that call to fix build.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-08-18 01:56:04 +03:00
Jouni Malinen
812f28b79c BoringSSL: Allow internal AES key wrap to be used with "OpenSSL" build
It looks like BoringSSL has removed the AES_wrap_key(), AES_unwrap_key()
API. This broke wpa_supplicant/hostapd build since those functions from
OpenSSL were used to replace the internal AES key wrap implementation.
Add a new build configuration option
(CONFIG_OPENSSL_INTERNAL_AES_WRAP=y) to allow the internal
implementation to be used with CONFIG_OPENSSL=y build to allow build
against the latest BoringSSL version.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-08-18 01:56:02 +03:00
Jouni Malinen
de2a7b796d OpenSSL: Use connection certificate chain with PKCS#12 extra certs
When using OpenSSL 1.0.2 or newer, this replaces the older
SSL_CTX_add_extra_chain_cert() design with SSL_add1_chain_cert() to keep
the extra chain certificates out from SSL_CTX and specific to each
connection. In addition, build and rearrange extra certificates with
SSL_build_cert_chain() to avoid incorrect certificates and incorrect
order of certificates in the TLS handshake.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-11 01:27:03 +03:00
Jouni Malinen
0d2c0e6776 OpenSSL: Fix PKCS#12 extra certificate handling
Previously, the possible extra certificate(s) from a PKCS#12 file was
added once for each authentication attempt. This resulted in OpenSSL
concatenating the certificates multiple time (add one copy for each try
during the wpa_supplicant process lifetime). Fix this by clearing the
extra chain certificates before adding new ones when using OpenSSL 1.0.1
or newer that include the needed function.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-11 01:27:00 +03:00
Jouni Malinen
7cb53ded11 Add build option to remove all internal RC4 uses
The new CONFIG_NO_RC4=y build option can be used to remove all internal
hostapd and wpa_supplicant uses of RC4. It should be noted that external
uses (e.g., within a TLS library) do not get disabled when doing this.

This removes capability of supporting WPA/TKIP, dynamic WEP keys with
IEEE 802.1X, WEP shared key authentication, and MSCHAPv2 password
changes.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-02 16:52:56 +03:00
Jouni Malinen
4fc53159b9 OpenSSL: Fix FIPS mode enabling in dynamic interface case
FIPS_mode_set(1) cannot be called multiple times which could happen in
some dynamic interface cases. Avoid this by enabling FIPS mode only
once. There is no code in wpa_supplicant to disable FIPS mode, so once
it is enabled, it will remain enabled.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-02 16:52:56 +03:00