The result (y2) was cleared and freed in error cases, but the pointer
itself was not cleared to NULL, so the error path would have returned a
pointer to freed memory. Fix this by properly clearing the return value
in error cases. In addition, simplify the function to avoid tracking
success case separately.
Signed-off-by: Jouni Malinen <j@w1.fi>
wc_HmacSetKey() seems to initialize everything that is needed for the
actual operation, but at least valgrind is reporting use of
uninitialized values when this was done on a data structure that was not
explicitly cleared.
Call wc_HmacInit() before wc_HmacSetKey() to avoid any unexpected
behavior from potentially uninitialized values.
Signed-off-by: Jouni Malinen <j@w1.fi>
priv_sz and pub_sz needs to be initialized to the buffer size before the
wc_DhGenerateKeyPair() call. The previous version happened to work in
some cases where a separate handled prime length was used, but not for
the generic case.
Signed-off-by: Jouni Malinen <j@w1.fi>
It looks like crypto_ecdh_set_peerkey() had started failing at some
point with a wolfSSL update due to ECC_TIMING_RESISTANT from
--enable-harden requiring RNG to be set.
Signed-off-by: Jouni Malinen <j@w1.fi>
The previous mechanism of unloaded the providers from tls_deinit() did
not work correctly for some cases. In particular, it was possible for
hostapd to end up unloading both providers and not being able to recover
from this if TLS server was not enabled.
Address this more cleanly by introducing a new crypto_unload() function
that will be called when the process is exiting.
Fixes: 097ca6bf0b ("OpenSSL: Unload providers on deinit")
Signed-off-by: Jouni Malinen <j@w1.fi>
/usr/bin/ld: /home/honma/git/hostap/build/wpa_supplicant/src/wps/wps.o: in function `wps_deinit':
/home/honma/git/hostap/wpa_supplicant/../src/wps/wps.c:184: undefined reference to `dh5_free'
/usr/bin/ld: /home/honma/git/hostap/build/wpa_supplicant/src/wps/wps_common.o: in function `wps_derive_keys':
/home/honma/git/hostap/wpa_supplicant/../src/wps/wps_common.c:83: undefined reference to `dh5_derive_shared'
/usr/bin/ld: /home/honma/git/hostap/wpa_supplicant/../src/wps/wps_common.c:84: undefined reference to `dh5_free'
/usr/bin/ld: /home/honma/git/hostap/build/wpa_supplicant/src/wps/wps_attr_build.o: in function `wps_build_public_key':
/home/honma/git/hostap/wpa_supplicant/../src/wps/wps_attr_build.c:68: undefined reference to `dh5_free'
/usr/bin/ld: /home/honma/git/hostap/wpa_supplicant/../src/wps/wps_attr_build.c:69: undefined reference to `dh5_init'
collect2: error: ld returned 1 exit status
make: *** [Makefile:1892: wpa_supplicant] Error 1
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
The previous implementation used mp_rand_prime() to generate a random
value in range 0..m. That is insanely slow way of generating a random
value since mp_rand_prime() is for generating a random _prime_ which is
not what is needed here. Replace that implementation with generationg of
a random value in the requested range without doing any kind of prime
number checks or loops to reject values that are not primes.
This speeds up SAE and EAP-pwd routines by couple of orders of
magnitude..
Signed-off-by: Jouni Malinen <j@w1.fi>
This wrapper function is not used anymore, so drop it instead of trying
to figure out good way of implementing it in constant time with various
crypto libraries.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The initial crypto wrapper implementation for wolfSSL seems to have
included a copy-paste error in crypto_bignum_sub() implementation that
was identical to crypto_bignum_add() while mp_sub() should have been
used instead of mp_add().
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Pass the group order (if known/specified) to crypto_dh_derive_secret()
(and also to OpenSSL DH_generate_key() in case of Group 5) and verify
that the public key received from the peer meets 1 < pubkey < p and
pubkey^q == 1 mod p conditions.
While all these use cases were using only ephemeral DH keys, it is
better to use more explicit checks while deriving the shared secret to
avoid unexpected behavior.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The n argument to this function is number of bits, not bytes, to shift.
As such, need to use mp_rshb() instead of mp_rshd(). This fixes EAP-pwd
with P-521 curve.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Depend on proper wolfSSL configuration instead of trying to define these
build configuration values externally.
Signed-off-by: Sean Parkinson <sean@wolfssl.com>
Use the correct intermediate result from mp_sqrmod() in the following
mp_mulmod() call (t is not initialized here; it is used only after this
step).
Signed-off-by: Sean Parkinson <sean@wolfssl.com>
Provide full uncompressed DER data length to wc_ecc_import_point_der()
even though a compressed form is used here. In addition, use
ECC_POINT_COMP_* defined values to make this more readable.
Signed-off-by: Sean Parkinson <sean@wolfssl.com>
