Commit graph

634 commits

Author SHA1 Message Date
Jouni Malinen
622d4d49e2 GnuTLS: Add TEST_FAIL() to crypto routines for testing purposes
This allows number of hwsim test cases for local error conditions to be
executed with GnuTLS-based builds.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-12-28 22:33:12 +02:00
Jouni Malinen
f8697e8109 GnuTLS: Implement tls_get_version()
Signed-off-by: Jouni Malinen <j@w1.fi>
2017-12-28 22:33:06 +02:00
Jouni Malinen
133f8d09fc GnuTLS: Implement HMAC functions using libgcrypt
Replace the internal HMAC MD5, SHA-1, and SHA256 implementations with
the ones from libgcrypt and also add the SHA384 and SHA512 versions.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-12-27 23:35:26 +02:00
Jouni Malinen
85c12a62ee GnuTLS: Implement sha{256,384,512}_vector() using libgcrypt
Replace the internal SHA256 implementation with the one from libgcrypt
and also add the SHA384 and SHA512 versions.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-12-27 23:21:37 +02:00
Jouni Malinen
cc3e7bfc3c GnuTLS: Use a helper function for hash functions
Use a shared helper function instead of implementing practically same
sequence separately for each hash function.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-12-27 23:13:51 +02:00
Sean Parkinson
c335507c8d Enhance crypto abstract API for DH
The patch offers alternate implementations of some functions using the
abstract cryptographic API.

This work was done in preparation for the changes to allow hostap to be
compiled with the wolfSSL cryptography and TLS library.

Signed-off-by: Sean Parkinson <sean@wolfssl.com>
2017-12-24 17:38:10 +02:00
Jouni Malinen
0e02f2a9fa crypto: Implement new crypto API functions for DH
This implements crypto_dh_init() and crypto_dh_derive_secret() using
os_get_random() and crypto_mod_exp() for all crypto_*.c wrappers that
include crypto_mod_exp() implementation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-12-24 17:36:04 +02:00
Jouni Malinen
eac084cb38 OpenSSL: Implement new crypto API functions
Signed-off-by: Jouni Malinen <j@w1.fi>
2017-12-24 17:35:41 +02:00
Sean Parkinson
23ff5d73df Enhance crypto abstract API
Add more crypto_*() wrappers to enable use of other crypto libraries
than OpenSSL.

Signed-off-by: Sean Parkinson <sean@wolfssl.com>
2017-12-24 17:35:38 +02:00
Sean Parkinson
441e8bfbb4 Fix copy-paste errors in function comments
Use correct function names for the documentation.

Signed-off-by: Sean Parkinson <sean@wolfssl.com>
2017-12-24 17:03:07 +02:00
Jouni Malinen
47e966abac DH: Remove trailing whitespace
Signed-off-by: Jouni Malinen <j@w1.fi>
2017-12-24 17:02:53 +02:00
Jouni Malinen
c23e87d0d1 OpenSSL: Replace EVP_PKEY_paramgen() with EC_KEY_new_by_curve_name()
The BoringSSL version of crypto_ecdh_init() and dpp_gen_keypair() works
fine with OpenSSL as well, so use that same implementation for both to
avoid unnecessary maintanence of multiple versions.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-12-10 23:49:39 +02:00
Jouni Malinen
7641d485db BoringSSL: Use EC_KEY_new_by_curve_name() to simplify implementation
There is no need to go through EC_GROUP_new_by_curve_name(),
EC_KEY_new(), and EC_KEY_set_group() when a single call to
EC_KEY_new_by_curve_name() takes care of all that.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-12-10 23:41:29 +02:00
Jouni Malinen
0f30844722 Revert "BoringSSL: Define RSA_bits() helper"
This reverts commit 3cfbd3b0f6 since
BoringSSL added RSA_bits() in commit
8dc226ca8f1ef60737e1c1bf8cfcabf51d4068c7 ('Add some missing OpenSSL
1.1.0 accessors.').

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-12-10 23:22:05 +02:00
Jouni Malinen
a2c442be25 OpenSSL: Allow cipher list to be overridden for tls_suiteb=1 case
This allows wpa_supplicant configuration with phase1="tls_suiteb=1" to
use openssl_ciphers="ECDHE-RSA-AES256-GCM-SHA384" to further limit the
possible TLS cipher suites when using Suite B with RSA >3K keys. This
combination disables use of DHE and as such, mandates ECDHE to be used.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-12-10 21:16:26 +02:00
David Benjamin
63942cf0f3 OpenSSL: Avoid SSL*_use_default_passwd_cb()
These functions are a bit awkward to use for one-off file loads, as
suggested by the tls_clear_default_passwd_cb() logic. There was also
some historical mess with OpenSSL versions and either not having per-SSL
settings, having per-SSL settings but ignoring them, and requiring the
per-SSL settings.

Instead, loading the key with the lower-level functions seems a bit
tidier and also allows abstracting away trying both formats, one after
another.

Signed-off-by: David Benjamin <davidben@google.com>
2017-12-09 18:29:08 +02:00
David Benjamin
149143e31d OpenSSL: Remove unnecessary os_strdup() from password callback
There's no need to make an extra copy of private_key_passwd for
SSL_{CTX_,}set_default_passwd_cb().

Signed-off-by: David Benjamin <davidben@google.com>
2017-12-09 18:09:10 +02:00
Jouni Malinen
c1564149a6 BoringSSL: Add AES support with 192-bit keys
BoringSSL restored the previously removed AES-192 ECB support in ("Add
AES-192 ECB.") commit. Since this is needed for DPP with the P-384
curve, restore support for this through EVP_aes_192_ecb().

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-17 21:03:04 +02:00
Jouni Malinen
edd72f55f8 OpenSSL: Debug message if requested AES key length is not supported
This makes it clearer why some AES operations fail especially with
BoringSSL where the 192-bit case is not supported.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-17 20:59:25 +02:00
Jouni Malinen
f29761297b BoringSSL: Implement crypto_ecdh_init()
BoringSSL does not provide some of the OpenSSL API that was used here,
so update this to use similar design to what was already done with DPP
key derivation.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-17 20:41:25 +02:00
Jouni Malinen
7721fe082b BoringSSL: Comment out SSL_set_default_passwd_cb*() calls
It looks like BoringSSL claims to have OPENSSL_VERSION_NUMBER for a
1.1.0 version, but it does not provide SSL_set_default_passwd_cb*(). For
now, comment out this regardless of the version BoringSSL claims to be.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-17 20:34:17 +02:00
Jouni Malinen
b9dc63c261 BoringSSL: Comment out SSL_set1_sigalgs_list() call
It looks like BoringSSL claims to have OPENSSL_VERSION_NUMBER for a
1.1.0 version, but it does not provide SSL_set1_sigalgs_list(). For now,
comment out this regardless of the version BoringSSL claims to be.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-17 20:30:37 +02:00
Jouni Malinen
3cfbd3b0f6 BoringSSL: Define RSA_bits() helper
It looks like BoringSSL claims to have OPENSSL_VERSION_NUMBER for a
1.1.0 version, but it does not provide RSA_bits(). For now, add this
backwards compatibility wrapper for BoringSSL regardless of the version
it claims to be.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-17 20:24:46 +02:00
Jouni Malinen
1c9663cf6b OpenSSL: Force RSA 3072-bit DH prime size limit for Suite B
Reject a DHE handshake if the server uses a DH prime that does not have
sufficient length to meet the Suite B 192-bit level requirement (<= 3k
(3072) bits).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-09-18 12:12:48 +03:00
Jouni Malinen
2ed70c7586 OpenSSL: Add option to disable ECDHE with Suite B RSA
The hostapd.conf tls_flags=[SUITEB-NO-ECDH] and wpa_supplicant network
profile phase1="tls_suiteb_no_ecdh=1" can now be used to configure Suite
B RSA constraints with ECDHE disabled. This is mainly to allow
the DHE TLS cipher suite to be tested.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-09-18 12:12:48 +03:00
Jouni Malinen
4eb8cfe06b OpenSSL: Force RSA 3072-bit key size limit for Suite B
Reject a peer certificate chain if it includes an RSA public key that
does not use sufficient key length to meet the Suite B 192-bit level
requirement (<= 3k (3072) bits).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-09-18 12:12:48 +03:00
Jouni Malinen
6418400db9 Add hostapd tls_flags parameter
This can be used to set the TLS flags for authentication server.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-09-18 12:12:48 +03:00
Jouni Malinen
60ed2f24eb Suite B: Add tls_suiteb=1 parameter for RSA 3k key case
This adds phase1 parameter tls_suiteb=1 into wpa_supplicant
configuration to allow TLS library (only OpenSSL supported for now) to
use Suite B 192-bit level rules with RSA when using >= 3k (3072) keys.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-09-17 00:09:47 +03:00
Michael Braun
333517ac1c crypto: Fix undefined behavior in random number generator
ubsan reported:

../src/crypto/random.c:69:30: runtime error: shift exponent 32 is too large for 32-bit type 'unsigned int'

Explicitly check for the ROL32(x, 0) case which is supposed to be a
no-op.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2017-09-10 21:50:21 +03:00
Jouni Malinen
3db2a82df8 Add SHA-384 routines to libcrypto.a
wlantest needs this for being able to decrypt FILS (Re)Association
Request/Response frames.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-09-05 18:58:59 +03:00
Jouni Malinen
89971d8b1e OpenSSL: Clear default_passwd_cb more thoroughly
Previously, the pointer to strdup passwd was left in OpenSSL library
default_passwd_cb_userdata and even the default_passwd_cb was left set
on an error path. To avoid unexpected behavior if something were to
manage to use there pointers, clear them explicitly once done with
loading of the private key.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-07-17 12:06:17 +03:00
Beniamino Galvani
f665c93e1d OpenSSL: Fix private key password handling with OpenSSL >= 1.1.0f
Since OpenSSL version 1.1.0f, SSL_use_PrivateKey_file() uses the
callback from the SSL object instead of the one from the CTX, so let's
set the callback on both SSL and CTX. Note that
SSL_set_default_passwd_cb*() is available only in 1.1.0.

Signed-off-by: Beniamino Galvani <bgalvani@redhat.com>
2017-07-17 11:57:16 +03:00
Beniamino Galvani
2b9891bd6e OpenSSL: Add build option to select default ciphers
Add a build option to select different default ciphers for OpenSSL
instead of the hardcoded default "DEFAULT:!EXP:!LOW".

This new option is useful on distributions where the security level
should be consistent for all applications, as in Fedora [1]. In such
cases the new configuration option would be set to "" or
"PROFILE=SYSTEM" to select the global crypto policy by default.

[1] https://fedoraproject.org/wiki/Changes/CryptoPolicy

Signed-off-by: Beniamino Galvani <bgalvani@redhat.com>
2017-07-17 11:55:22 +03:00
Jouni Malinen
77f273c82c Extend SHA-384 and SHA-512 support to match SHA-256
The additional SHA-384 and SHA-512 functionality is needed to support
DPP with various ECC curves.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-17 18:04:12 +03:00
Jouni Malinen
85cff4b0d8 OpenSSL: Try SHA256 hash for OCSP certificate matching
Previously, only SHA1 hash -based server certificate matching was used,
but the OCSP response may use SHA256 instead of SHA1, so check the match
with both hash functions, if needed.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-05-09 23:36:36 +03:00
Jouni Malinen
ef23838590 Return success/failure result from sha384_prf()
This makes the function more consistent with sha256_prf().

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 20:43:06 +02:00
Jouni Malinen
e73244c240 tests: Extract-and-Expand HKDF (RFC 5869)
Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-11 22:40:31 +02:00
Jouni Malinen
4ec833daf8 Extend hmac_sha256_kdf() to support HKDF-Expand() as defined in RFC 5869
The KDF define in RFC 5295 is very similar to HKDF-Expand() defined in
RFC 5869. Allow a NULL label to be used to select the RFC 5869 version
with arbitrary seed (info in RFC 5869) material without forcing the
label and NULL termination to be included. HKDF-Expand() will be needed
for OWE.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-11 22:40:10 +02:00
Jouni Malinen
ae1ec1aaf2 OpenSSL: Add wrapper functions for ECDH
These allow ECDH to be used with compressed public key encoding (only
x-coordinate). This is needed for FILS PFS and OWE.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-11 22:08:48 +02:00
Johannes Berg
a1f11e34c4 Use os_memdup()
This leads to cleaner code overall, and also reduces the size
of the hostapd and wpa_supplicant binaries (in hwsim test build
on x86_64) by about 2.5 and 3.5KiB respectively.

The mechanical conversions all over the code were done with
the following spatch:

    @@
    expression SIZE, SRC;
    expression a;
    @@
    -a = os_malloc(SIZE);
    +a = os_memdup(SRC, SIZE);
    <...
    if (!a) {...}
    ...>
    -os_memcpy(a, SRC, SIZE);

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2017-03-07 13:19:10 +02:00
Jouni Malinen
206516e8c2 af_alg: Crypto wrappers for Linux kernel crypto (AF_ALG)
CONFIG_TLS=linux can now be used to select the crypto implementation
that uses the user space socket interface (AF_ALG) for the Linux kernel
crypto implementation. This commit includes some of the cipher, hash,
and HMAC functions. The functions that are not available through AF_ALG
(e.g., the actual TLS implementation) use the internal implementation
(CONFIG_TLS=internal).

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-28 11:24:15 +02:00
Jouni Malinen
b41d3e0a75 crypto: Process des_encrypt() error returns in callers
This updates all the des_encrypt() callers to handle error cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-28 11:24:05 +02:00
Jouni Malinen
5f0e165e80 crypto: Add return value to DES and AES encrypt/decrypt
These operations may fail with some crypto wrappers, so allow the
functions to report their results to the caller.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-28 11:23:54 +02:00
Jouni Malinen
2e555f9cb0 tests: Add HMAC-SHA256 and HMAC-SHA384 test vectors from RFC 4231
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-16 22:15:29 +02:00
Jouni Malinen
62944f7d2c Add HMAC-SHA384 with internal crypto
This is a copy of the internal HMAC-SHA256 implementation with the hash
block size and output length updated to match SHA384 parameters.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-16 22:15:29 +02:00
Jouni Malinen
aeecd4eaec OpenSSL: Fix hmac_sha384_vector() implementation
The output length was incorrect (32 from the copy-pasted SHA256
version). Fix this to return the correct number of octets (48) for
SHA384. This fixes incorrect key derivation in FILS when using the
SHA384-based AKM.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-16 20:59:06 +02:00
Jouni Malinen
f229f2c67d tests: Add TEST_FAIL() to OpenSSL aes_wrap() and aes_unwrap()
This makes it easier to add more testing coverage for error paths.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-14 10:53:10 +02:00
Paul Stewart
6d08f23f0a OpenSSL/BoringSSL: Read certificate chain from client_cert on Android
If the keychain holds additional certificates other than the end
certificate, read them into the certificate chain.

Signed-off-by: Paul Stewart <pstew@google.com>
2017-01-30 01:54:30 +02:00
Jouni Malinen
ef495c78dd OpenSSL: Implement sha384_vector()
This was forgotten from the addition of SHA384 support and is now needed
for FILS.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-13 21:05:19 +02:00
Jouni Malinen
95de34a10a Remove trailing whitespace
Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-28 14:31:42 +02:00
Jouni Malinen
d7f12e4eb9 OpenSSL: Make sure local certificate auto chaining is enabled
Number of deployed use cases assume the default OpenSSL behavior of auto
chaining the local certificate is in use. BoringSSL removed this
functionality by default, so we need to restore it here to avoid
breaking existing use cases.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-21 12:23:15 +02:00
Jouni Malinen
4be02b71bb OpenSSL: Remove SSL_{CTX_,}_clear_options ifdefs
This simplifies the implementation since the SSL_clear_options() and
SSL_CTX_clear_options() are available in all supported versions of
OpenSSL. These were previously needed with older (now obsolete) versions
of OpenSSL, but the ifdefs were missed when removing the more explicit
version macro based backwards compatibility sections.

In practice, this reverts commit
d53d2596e4.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-21 12:06:21 +02:00
Jouni Malinen
325a85be36 Extend AES-SIV implementation to support different key lengths
The previous implementation was hardcoded to use 128-bit AES key
(AEAD_AES_SIV_CMAC_256). Extend this by allowing AEAD_AES_SIV_CMAC_384
and AEAD_AES_SIV_CMAC_512 with 192-bit and 256-bit AES keys.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-10 19:40:59 +03:00
Julian Ospald
b70d508c50 LibreSSL: Fix compatibility for EAP-FAST
This basically just follows commit
587b0457e0 ('LibreSSL: Fix build with
LibreSSL') with the same pattern, which was missed here.

Signed-off-by: Julian Ospald <hasufell@hasufell.de>
2016-10-08 00:36:18 +03:00
Christian Neukirchen
df426738fb LibreSSL: Fix TLS initialization/deinitialization
Due to a missing guard for old OpenSSL code, SSL_library_init() was not
called, which is required for LibreSSL. Likewise for cleanup.

Signed-off-by: Christian Neukirchen <chneukirchen@gmail.com>
2016-10-08 00:27:56 +03:00
Christian Neukirchen
0d42179e12 LibreSSL: Fix dh5 code
Add LibreSSL check to old OpenSSL #ifdef guard as DH_{get0,set0}_key()
is not implemented in LibreSSL.

Signed-off-by: Christian Neukirchen <chneukirchen@gmail.com>
2016-10-08 00:26:18 +03:00
Nishant Chaprana
746e5c2565 Fix spelling mistakes in number of comments
Signed-off-by: Nishant Chaprana <n.chaprana@samsung.com>
2016-09-30 22:45:03 +03:00
David Benjamin
478441bf81 OpenSSL: Fix OpenSSL 1.1.0 compatibility functions
To be consistent with OpenSSL 1.1.0, the free functions should
internally check for NULL. EVP_MD_CTX_free also was missing an
EVP_MD_CTX_cleanup, so this leaked a little.

OpenSSL 1.1.0 also has given get_rfc3526_prime_1536 a better namespace
with get_rfc3526_prime_1536 as a compatibility-only name. Use that
instead in 1.1.0.

Signed-off-by: David Benjamin <davidben@google.com>
2016-08-13 21:07:05 +03:00
Jouni Malinen
460e5cdf43 OpenSSL: Fix OpenSSL 1.1.0 DH operation
Commit 49fe2ada20 ('OpenSSL: Support
OpenSSL 1.1.0 DH opacity') started using the new accessor functions, but
used incorrect success check for the DH_set0_key() call. This resulted
in dh5_init_fixed() failures and double-free on error path if the build
was linked against OpenSSL 1.1.0. Fix this by checking DH_set0_key()
return value to be 1 for the success case.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-07-15 13:30:57 +03:00
Jouni Malinen
e6804fef93 OpenSSL: Update to match the modified DH_get0_key() API
OpenSSL 1.1.0 (master branch) apparently ended up modifying the API
after the beta 2 release that was supposed to complete the work. Mark
the variables const to fix the compilation with the modified OpenSSL
API.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-06-25 00:35:17 +03:00
Jouni Malinen
582121b038 OpenSSL: Silence sparse warnings in fips186_2_prf()
Use WPA_PUT_BE32() instead of inplace conversion with host_to_be32() to
avoid sparse warnings.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-06-24 19:02:58 +03:00
Jouni Malinen
50a17a76e1 tests: Declare module test functions in a header file
This gets rid of number of warnings from sparse.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-06-23 18:26:09 +03:00
Jouni Malinen
3e624369cb tests: Mark some module test arrays static
These are not used outside the source code file.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-06-23 18:11:35 +03:00
Jouni Malinen
3787c91da0 OpenSSL: Pull in header files to check function prototypes
Since crypto_openssl.c is now implementing couple of functions
internally, pull in the relevant header files md5.h and aes_wrap.h to
make sure the function declaration are consistent.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-06-23 13:35:26 +03:00
David Woodhouse
c3d7fb7e27 OpenSSL: Initialise PKCS#11 engine even if found with ENGINE_by_id()
Recent versions of engine_pkcs11 are set up to be autoloaded on demand
with ENGINE_by_id() because they don't need explicit configuration.

But if we *do* want to explicitly configure them with a PKCS#11 module
path, we should still do so.

We can't tell whether it was already initialised, but it's harmless to
repeat the MODULE_PATH command if it was.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Tested-by: Michael Schaller <misch@google.com>
2016-06-11 12:21:08 +03:00
David Benjamin
1cece2fafb OpenSSL: Comment out tls_connection_get_eap_fast_key without EAP-FAST
This avoids internal access of structs and also removes the dependency
on the reimplemented TLS PRF functions when EAP-FAST support is not
enabled. Notably, BoringSSL doesn't support EAP-FAST, so there is no
need to access its internals with openssl_get_keyblock_size().

Signed-Off-By: David Benjamin <davidben@google.com>
2016-05-23 21:22:33 +03:00
David Benjamin
7358170787 TLS: Split tls_connection_prf() into two functions
Most protocols extracting keys from TLS use RFC 5705 exporters which is
commonly implemented in TLS libraries. This is the mechanism used by
EAP-TLS. (EAP-TLS actually predates RFC 5705, but RFC 5705 was defined
to be compatible with it.)

EAP-FAST, however, uses a legacy mechanism. It reuses the TLS internal
key block derivation and derives key material after the key block. This
is uncommon and a misuse of TLS internals, so not all TLS libraries
support this. Instead, we reimplement the PRF for the OpenSSL backend
and don't support it at all in the GnuTLS one.

Since these two are very different operations, split
tls_connection_prf() in two. tls_connection_export_key() implements the
standard RFC 5705 mechanism that we expect most TLS libraries to
support. tls_connection_get_eap_fast_key() implements the
EAP-FAST-specific legacy mechanism which may not be implemented on all
backends but is only used by EAP-FAST.

Signed-Off-By: David Benjamin <davidben@google.com>
2016-05-23 20:40:12 +03:00
David Benjamin
f150db6c83 OpenSSL: Remove two more accesses of ssl_ctx->cert_store
Commit 68ae4773a4 ('OpenSSL: Use library
wrapper functions to access cert store') fixed most of these, but missed
a few.

Signed-Off-By: David Benjamin <davidben@google.com>
2016-05-23 19:08:40 +03:00
Jouni Malinen
6a9681e90c OpenSSL: Make dh5_init() match the generic implementation
Commit 4104267e81 ('Fix memory leak on NFC
DH generation error path') modified the generic (non-OpenSSL)
implementation of dh5_init() to free the previously assigned public key,
if any. However, that commit did not modify the OpenSSL specific version
of this function. Add the same change there to maintain consistent
behavior between these two implementations of the same function.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-05-13 18:25:57 +03:00
David Benjamin
e4471338c6 OpenSSL: BoringSSL has SSL_get_client_random(), etc.
BoringSSL added OpenSSL 1.1.0's SSL_get_client_random() and friends in
working towards opaquifying the SSL struct. But it, for the moment,
still looks more like 1.0.2 than 1.1.0 and advertises
OPENSSL_VERSION_NUMBER as such. This means that there is no need to
define those in BoringSSL and defining them causes conflicts. (C does
not like having static and non-static functions with the same name.)

As requested, this is conditioned on defined(BORINGSSL_API_VERSION) so
wpa_supplicant may continue to support older BoringSSLs for a time.
(BoringSSL revisions without the accessors predate BoringSSL maintaining
a BORINGSSL_API_VERSION.)

Also add a missing opensslv.h include. tls_openssl.c is sensitive to
OPENSSL_VERSION_NUMBER, so it should include the header directly rather
than rely on another header to do so.

Signed-off-by: David Benjamin <davidben@google.com>
2016-05-10 19:36:46 +03:00
Jouni Malinen
49fe2ada20 OpenSSL: Support OpenSSL 1.1.0 DH opacity
The OpenSSL 1.1.0 Beta 2 release made DH opaque and that broke
compilation of crypto_openssl.c. Fix this by using the new accessor
functions when building against OpenSSL 1.1.0 or newer.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-04-20 01:20:00 +03:00
Jouni Malinen
f73b167c69 tests: Add TEST_FAIL() calls into OpenSSL bignum operations
This makes it easier to test error paths in bignum operations in SAE.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-03-28 01:10:31 +03:00
Jouni Malinen
0741c481ee SAE: Check SHA256-PRF operation result
While this is mostly theoretical, check explicitly that SHA256
operations in sha256_prf*() succeed.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-03-27 21:44:49 +03:00
Jouni Malinen
8b827c342f BoringSSL: Keep static analyzers happier with X509_get0_pubkey_bitstr()
While this function could return NULL if the parameter issued to it were
NULL, that does not really happen here. Anyway, since this can result in
a warning from a static analyzer that does can see the return NULL
without fully understanding what it means here, check the return value
explicitly against NULL to avoid false warnings.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-03-16 21:34:01 +02:00
Jouni Malinen
3a583e0023 OpenSSL: Fix PKCS#12 parsing of extra certificates with OpenSSL 1.0.1
Commit 8bcf8de827 ('OpenSSL: Fix memory
leak in PKCS12 additional certificate parsing') tried to fix a memory
leak in both the 1.0.2(and newer) and 1.0.1 branches of PKCS12 parsing.
However, the 1.0.1 case was not properly tested and freeing of the
certificate after a successful SSL_CTX_add_extra_chain_cert() call
resulted in use of freed memory when going through the TLS handshake.
Fix this by not freeing the certificate in that specific case.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-16 18:30:55 +02:00
Jouni Malinen
8bcf8de827 OpenSSL: Fix memory leak in PKCS12 additional certificate parsing
The additional PKCS12 certificates were not freed properly in the loop
added in commit de2a7b796d ('OpenSSL: Use
connection certificate chain with PKCS#12 extra certs').

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-16 13:29:40 +02:00
Jouni Malinen
03e3ddf84e OpenSSL: Fix memory leak in HMAC_CTX compatibility wrapper function
Commit 5c9a33702f ('OpenSSL: Clean up
crypto_hash_*() to use a single implementation') added a wrapper
function to allow the new OpenSSL API to be used with older OpenSSL
versions. However, the HMAC_CTX_free() wrapper was incorrectly skipping
the call to HMAC_CTX_cleanup() which is still needed to free the
resources OpenSSL allocated internally.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-16 13:13:36 +02:00
Jouni Malinen
d9a0f69747 OpenSSL: Fix memory leak in OCSP parsing
The result from OCSP_cert_to_id() needs to be freed.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-16 00:40:41 +02:00
Jouni Malinen
29bc76e3d3 OpenSSL: Do not use library init/deinit functions with 1.1.0
SSL_library_init() does not work properly after EVP_cleanup() starting
from OpenSSL 1.1.0 pre release 3. The automated library init/deinit
functions in that pre release are supposed to handle all initialization
and deinitialiation, so comment out the explicit calls to these function
with OpenSSL 1.1.0 and newer.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-16 00:35:34 +02:00
Jouni Malinen
0f09637001 OpenSSL: Fix memory leak in subjectAltName parsing
The parsed data from X509_get_ext_d2i() needs to be freed.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-16 00:35:20 +02:00
Jouni Malinen
6014890bfb OpenSSL: Fix memory leak with EVP_CIPHER_CTX_new()
Commit 1eb87ae48d ('OpenSSL: Use
EVP_CIPHER_CTX_new() to work with OpenSSL 1.1.0') started using
EVP_CIPHER_CTX_new() to allocate EVP_CIPHER_CTX from heap instead of
using stack memory. This commit used incorrect EVP_CIPHER_CTX_reset()
function in number of cases when the allocated memory was supposed to be
freed instead of just reset for reuse. Fix this by using
EVP_CIPHER_CTX_free() properly.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-16 00:30:43 +02:00
Jouni Malinen
1f1e599b3b OpenSSL: Fix memory leak on error path
If SSL_CTX_new(SSLv23_method()) fails, tls_init() error path did not
free the allocated struct tls_data instance.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-15 21:53:33 +02:00
Ayala Beker
dda091cf51 OpenSSL: Fix server side PKCS#12 processing with extra certificates
Fix a possible null pointer dereference in tls_parse_pkcs12() when
loading a PKCS#12 file for the server keys and the file includes extra
certificates.

Signed-off-by: Ayala Beker <ayala.beker@intel.com>
2016-02-06 01:14:43 +02:00
Ayala Beker
443c8e18de OpenSSL: Fix possible null pointer dereference on an OCSP error path
Fix possible null pointer dereference in check_ocsp_resp() if an memory
allocation fails.

Signed-off-by: Ayala Beker <ayala.beker@intel.com>
2016-02-06 00:58:32 +02:00
Rubin Xu
a8ef133f1d Android: Support multiple CA certs when connecting to EAP network
In the Android-specific case, make ca_cert directive parse a
space-separated list of hex-encoded CA certificate aliases following the
"keystores://" prefix. Server certificate validation should succeed as
long as the chain ends with one of them.

Signed-off-by: Rubin Xu <rubinxu@google.com>
2016-02-05 17:31:46 +02:00
Jouni Malinen
ac2053b103 OpenSSL: Clean up openssl_digest_vector() to use a single implementation
Use compatibility wrapper functions to allow a single implementation
based on the latest OpenSSL API to be used to implement these functions
instead of having to maintain two conditional implementation based on
the library version.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-15 14:17:16 +02:00
Jouni Malinen
5c9a33702f OpenSSL: Clean up crypto_hash_*() to use a single implementation
Use compatibility wrapper functions to allow a single implementation
based on the latest OpenSSL API to be used to implement these functions
instead of having to maintain two conditional implementation based on
the library version.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-15 14:14:07 +02:00
Jouni Malinen
587b0457e0 LibreSSL: Fix build with LibreSSL
The changes needed for OpenSSL 1.1.0 had broken this since LibreSSL is
defining OPENSSL_VERSION_NUMBER in a manner that claims it to be newer
than the current OpenSSL version even though it does not support the
current OpenSSL API.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-15 14:06:46 +02:00
Jouni Malinen
465196ebd2 tests: aes_encrypt_init() and aes_decrypt_init() to use TEST_FAIL
Now the these functions cannot be made to fail by forcing the memory
allocation fail since the OpenSSL-internal version is used, add
TEST_FAIL check to allow OOM test cases to be converted to use the
TEST_FAIL mechanism without reducing coverage.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-14 19:44:47 +02:00
Jouni Malinen
1eb87ae48d OpenSSL: Use EVP_CIPHER_CTX_new() to work with OpenSSL 1.1.0
The EVP_CIPHER_CTX structure will be made opaque in OpenSSL 1.1.0, so
need to use EVP_CIPHER_CTX_new() with it instead of stack memory. The
design here moves the older OpenSSL versions to use that dynamic
allocation design as well to minimize maintenance effort.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-14 19:30:24 +02:00
Jouni Malinen
3fb3bea8e9 OpenSSL: Update session_secret callback to match OpenSSL 1.1.0 API
The SSL_CIPHER **cipher argument was marked const in OpenSSL 1.1.0
pre-release 2 similarly to how this is in BoringSSL. Fix build with that
in preparation for supporting OpenSSL 1.1.0.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-14 19:28:33 +02:00
Jouni Malinen
21cb63fffd OpenSSL: Fix client certificate chain building after PKCS#12 use
If wpa_supplicant was first configured with PKCS #12 -based client
certificate chain and then used with another network profile that used a
different certificate chain from a X.509 certificate PEM file instead of
PKCS#12, the extra certificate chain was not reconstructed properly with
older versions of OpenSSL that 1.0.2. This could result in the
authentication failing due to the client certificate chain not being
complete or including incorrect certificates.

Fix this by clearing the extra certificate chain when setting up a new
TLS connection with OpenSSL 1.0.1. This allows OpenSSL to build the
chain using the default mechanism in case the new TLS exchange does not
use PKCS#12.

The following hwsim test case sequence was able to find the issue:
ap_wpa2_eap_tls_pkcs12 ap_wpa2_eap_tls_intermediate_ca_ocsp

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-07 17:54:23 +02:00
Jouni Malinen
750f5d9964 EAP-FAST: Enable AES256-based TLS cipher suites with OpenSSL
This extends the list of TLS cipher suites enabled for EAP-FAST to
include AES256-based suites.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-31 20:52:58 +02:00
Jouni Malinen
1ebb24bbfb OpenSSL: Share a single openssl_tls_prf() implementation
Add SSL_SESSION_get_master_key() compatibility wrapper for older OpenSSL
versions to be able to use the new openssl_tls_prf() implementation for
OpenSSL 1.1.0 with all supported versions.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-31 20:10:30 +02:00
Jouni Malinen
dea20519aa OpenSSL: Clean up function to fetch client/server random
SSL_get_client_random() and SSL_get_server_random() will be added in
OpenSSL 1.1.0. Provide compatibility wrappers for older versions to
simplify the tls_connection_get_random() implementation.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-31 18:15:09 +02:00
Jouni Malinen
9a42d859a2 OpenSSL: Drop support for OpenSSL 1.0.0
The OpenSSL project will not support version 1.0.0 anymore. As there
won't be even security fixes for this branch, it is not really safe to
continue using 1.0.0 and we might as well drop support for it to allow
cleaning up the conditional source code blocks.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-31 18:05:28 +02:00
Jouni Malinen
de213e84e0 OpenSSL: Drop support for OpenSSL 0.9.8
The OpenSSL project will not support version 0.9.8 anymore. As there
won't be even security fixes for this branch, it is not really safe to
continue using 0.9.8 and we might as well drop support for it to allow
cleaning up the conditional source code blocks.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-31 18:01:59 +02:00
Jouni Malinen
15a68138c1 Remove unnecessary cleanup assignment in SHA1Final()
This makes some static analyzers complain about stored value never being
read. While it is good to clear some other temporary variables, this
local variable i has no security private information (it has a fixed
value of 20 here) and trying to clear it to 0 does not add any value.
Remove that part of the "wipe variables" to avoid one useless static
analyzer complaint.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-28 18:12:03 +02:00
Jouni Malinen
0764dd6849 TLS client: Multi-OCSP check to cover intermediate CAs
This extends multi-OCSP support to verify status for intermediate CAs in
the server certificate chain.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-24 00:54:30 +02:00
Jouni Malinen
d6b536f7e5 Add ocsp=3 configuration parameter for multi-OCSP
ocsp=3 extends ocsp=2 by require all not-trusted certificates in the
server certificate chain to receive a good OCSP status. This requires
support for ocsp_multi (RFC 6961). This commit is only adding the
configuration value, but all the currently included TLS library wrappers
are rejecting this as unsupported for now.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-24 00:54:30 +02:00
Jouni Malinen
8ea6a27003 TLS server: OCSP stapling with ocsp_multi option (RFC 6961)
This allows hostapd with the internal TLS server implementation to
support the extended OCSP stapling mechanism with multiple responses
(ocsp_stapling_response_multi).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-22 20:44:52 +02:00
Jouni Malinen
5addb0df59 Server configuration for OCSP stapling with ocsp_multi (RFC 6961)
This adds a new hostapd configuration parameter
ocsp_stapling_response_multi that can be used similarly to the existing
ocsp_stapling_response, but for the purpose of providing multiple cached
OCSP responses. This commit adds only the configuration parameter, but
does not yet add support for this mechanism with any of the supported
TLS implementations.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-22 19:42:07 +02:00
Jouni Malinen
bca0872dd5 TLS server: OCSP stapling
This adds support for hostapd-as-authentication-server to be build with
the internal TLS implementation and OCSP stapling server side support.
This is more or less identical to the design used with OpenSSL, i.e.,
the cached response is read from the ocsp_stapling_response=<file> and
sent as a response if the client requests it during the TLS handshake.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-22 17:53:45 +02:00
Jouni Malinen
9532bd2b44 GnuTLS: OCSP stapling on the server side
This adds support for hostapd-as-authentication-server to be build
against GnuTLS with OCSP stapling server side support. This is more or
less identical to the design used with OpenSSL, i.e., the cached
response is read from the ocsp_stapling_response=<file> and sent as a
response if the client requests it during the TLS handshake.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-22 16:47:29 +02:00
Jouni Malinen
3c108b7573 EAP peer: External server certificate chain validation
This adds support for optional functionality to validate server
certificate chain in TLS-based EAP methods in an external program.
wpa_supplicant control interface is used to indicate when such
validation is needed and what the result of the external validation is.

This external validation can extend or replace the internal validation.
When ca_cert or ca_path parameter is set, the internal validation is
used. If these parameters are omitted, only the external validation is
used. It needs to be understood that leaving those parameters out will
disable most of the validation steps done with the TLS library and that
configuration is not really recommend.

By default, the external validation is not used. It can be enabled by
addingtls_ext_cert_check=1 into the network profile phase1 parameter.
When enabled, external validation is required through the CTRL-REQ/RSP
mechanism similarly to other EAP authentication parameters through the
control interface.

The request to perform external validation is indicated by the following
event:
CTRL-REQ-EXT_CERT_CHECK-<id>:External server certificate validation needed for SSID <ssid>

Before that event, the server certificate chain is provided with the
CTRL-EVENT-EAP-PEER-CERT events that include the cert=<hexdump>
parameter. depth=# indicates which certificate is in question (0 for the
server certificate, 1 for its issues, and so on).

The result of the external validation is provided with the following
command:
CTRL-RSP-EXT_CERT_CHECK-<id>:<good|bad>

It should be noted that this is currently enabled only for OpenSSL (and
BoringSSL/LibreSSL). Due to the constraints in the library API, the
validation result from external processing cannot be reported cleanly
with TLS alert. In other words, if the external validation reject the
server certificate chain, the pending TLS handshake is terminated
without sending more messages to the server.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-12 18:24:27 +02:00
Jouni Malinen
36478a16e6 OpenSSL: Support new API for HMAC/EVP_MD_CTX in OpenSSL 1.1.x-pre1
The EVP_MD_CTX and HMAC_CTX definitions are now hidden from applications
using OpenSSL. Fix compilation issues with OpenSSL 1.1.x-pre1 by using
the new API for allocating these structures.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-10 18:11:39 +02:00
Jouni Malinen
213e158ca8 BoringSSL: Move OCSP implementation into a separate file
This makes it easier to share the OCSP implementation needed for
BoringSSL outside tls_openssl.c. For now, this is mainly for
http_curl.c.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-04 20:08:31 +02:00
Jouni Malinen
f846211e3e BoringSSL: Support new SHA_CTX definition for EAP-SIM PRF
BoringSSL modified the struct sha_state_st (SHA_CTX) definition by
converting h0..h4 with h[5] array. This broke wpa_supplicant/hostapd
build with EAP-SIM enabled. BoringSSL restored the old version for
ANDROID builds, but only the new version is currently defined for
non-Android cases. For now, fix this by having matching selection in
fips_prf_openssl.c based on OPENSSL_IS_BORINGSSL and ANDROID defines.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-04 11:30:36 +02:00
Jouni Malinen
b34c623c07 OpenSSL: Fix build with current OpenSSL master branch snapshot
OpenSSL 1.1.x will apparently go out with "SSLeay" renamed in the API to
"OpenSSL", which broke the build here for fetching the version of the
running OpenSSL library when wpa_supplicant/hostapd is built against the
current OpenSSL snapshot.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-03 23:53:35 +02:00
Jouni Malinen
7fff91ae51 Fix tls_connection_prf() regression with CONFIG_TLS=internal
Commit af851914f8 ('Make
tls_connection_get_keyblock_size() internal to tls_*.c') broke
tls_connection_prf() with the internal TLS implementation when using
skip_keyblock=1. In practice, this broke EAP-FAST. Fix this by deriving
the correct number of PRF bytes before skipping the keyblock.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-29 23:40:54 +02:00
Jouni Malinen
07555778a7 Add TEST_FAIL() support for internal hash functions
md4_vector(), md5_vector(), sha1_vector(), and sha256_vector() already
supported TEST_FAIL() with the OpenSSL crypto implementation, but the
same test functionality is needed for the internal crypto implementation
as well.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-29 21:01:33 +02:00
Jouni Malinen
4104267e81 Fix memory leak on NFC DH generation error path
It was possible for some NFC DH generation error paths to leak memory
since the old private/public key was not freed if an allocation failed.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-29 20:53:20 +02:00
Jouni Malinen
0cbc22b2eb TLS client: Use TLS_CONN_* flags
This makes it simpler to add support for new TLS_CONN_* flags without
having to add a new configuration function for each flag.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-29 19:48:17 +02:00
Jouni Malinen
20804fe844 TLS: Add support for tls_get_version()
This allows wpa_supplicant to return eap_tls_version STATUS information
when using the internal TLS client implementation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-29 19:41:37 +02:00
Jouni Malinen
f2a6ad01a9 TLS client: Add support for server certificate probing
The internal TLS client implementation can now be used with
ca_cert="probe://" to probe the server certificate chain. This is also
adding the related CTRL-EVENT-EAP-TLS-CERT-ERROR and
CTRL-EVENT-EAP-PEER-CERT events.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-29 18:59:27 +02:00
Jouni Malinen
c0acec3934 crypto: Add CRYPTO_HASH_ALG_SHA384 and CRYPTO_HASH_ALG_SHA512
This extends the crypto_hash_*() API to support SHA384 and SHA512 when
built with CONFIG_TLS=internal.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-29 18:21:08 +02:00
Pali Rohár
6bb6a9ce29 Add SHA384 and SHA512 implementations from LibTomCrypt library
These will be used with the internal TLS implementation to extend hash
algorithm support for new certificates and TLS v1.2.

Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
2015-11-29 18:19:32 +02:00
Jouni Malinen
11c9ddb766 Add TEST_FAIL() condition to aes_128_cbc_encrypt/decrypt()
This enables more error path testing.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-28 20:46:36 +02:00
Jouni Malinen
1fff13a9cb tests: Move EAP-SIM PRF module test into the hwsim framework
The old wpa_supplicant/Makefile target test-eap_sim_common did not work
anymore and anyway, this test is better placed in the newer hwsim
framework to make sure the test case gets executed automatically.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-24 00:00:21 +02:00
Marek Behún
36e820605f Check for LIBRESSL_VERSION_NUMBER in tls_openssl.c
LibreSSL does not yet support the new API, so do not use it
when LIBRESSL_VERSION_NUMBER macro is defined.

Signed-off-by: Marek Behun <kabel@blackhole.sk>
2015-11-22 12:00:53 +02:00
Jouni Malinen
2e38079531 TLS: Fix memory leak with multiple TLS server instances
When using CONFIG_TLS=internal and starting hostapd with multiple
configuration files that each initialize TLS server, the server
certificate and related data was not freed for all the interfaces on
exit path. Fix this by freeing the credential data that is stored
separately for each call to tls_init().

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-31 18:15:22 +02:00
Jouni Malinen
8f3ea3175f tests: Fix build without CONFIG_ERP=y
hmac_sha256_kdf() got pulled in only if CONFIG_ERP=y is set. Fix
test_sha256() by making the test case conditional on the function being
present.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-26 00:42:14 +02:00
Jouni Malinen
cc4f3d6ea7 tests: Add TEST_FAIL() condition to omac1_aes_vector()
This enables more error path testing.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-17 20:40:36 +03:00
Jouni Malinen
8fd1d6236d OpenSSL: Add TEST_FAIL() checks to allow error path testing
This makes it easier to test various error paths related to key
derivation and authentication steps.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-12 01:04:22 +03:00
Jouni Malinen
cbb154973d OpenSSL: Make msg_callback debug prints easier to read
Write a text version of the content type and handshake type in debug log
to make it easier to follow TLS exchange.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-11 11:35:35 +03:00
Jouni Malinen
faf8f29379 OpenSSL: Recognize special write_p == 2 in msg_callback
OpenSSL could use this to identify crypto tracing values if built with
OPENSSL_SSL_TRACE_CRYPTO.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-11 11:14:00 +03:00
Jouni Malinen
6f5b284b32 tests: Module test for hmac_sha256_kdf() maximum output length
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-10 18:57:14 +03:00
Jouni Malinen
5a55c9b411 Fix MSCHAP UTF-8 to UCS-2 conversion check for three-byte encoding
The utf8_string_len comparison was off by one and ended up accepting a
truncated three-byte encoded UTF-8 character at the end of the string if
the octet was missing. Since the password string gets null terminated in
the configuration, this did not result in reading beyond the buffer, but
anyway, it is better to explicitly reject the string rather than try to
use an incorrectly encoded UTF-8 string as the password.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-10 18:38:37 +03:00
Jouni Malinen
bdee6ca0e0 BoringSSL: Implement support for OCSP stapling
BoringSSL has removed the OpenSSL OCSP implementation (OCSP_*()
functions) and instead, provides only a minimal mechanism for include
the status request extension and fetching the response from the server.
As such, the previous OpenSSL-based implementation for OCSP stapling is
not usable with BoringSSL.

Add a new implementation that uses BoringSSL to request and fetch the
OCSP stapling response and then parse and validate this with the new
implementation within wpa_supplicant. While this may not have identical
behavior with the OpenSSL-based implementation, this should be a good
starting point for being able to use OCSP stapling with BoringSSL.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-10-09 23:48:30 +03:00
Adam Langley
aeeb0bca71 Android: Fix keystore-backed keys with BoringSSL
The switch to BoringSSL broke keystore-backed keys because
wpa_supplicant was using the dynamic ENGINE loading to load
the keystore module.
The ENGINE-like functionality in BoringSSL is much simpler
and this change should enable it.

Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
2015-10-06 23:10:17 +03:00
Jouni Malinen
d9c807cab1 Fix key derivation for Suite B 192-bit AKM to use SHA384
While the EAPOL-Key MIC derivation was already changed from SHA256 to
SHA384 for the Suite B 192-bit AKM, KDF had not been updated similarly.
Fix this by using HMAC-SHA384 instead of HMAC-SHA256 when deriving PTK
from PMK when using the Suite B 192-bit AKM.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-27 20:42:14 +03:00
Jouni Malinen
20f331b707 OpenSSL: Write PKCS#12 extra cert errors into debug log
Commit de2a7b796d ('OpenSSL: Use
connection certificate chain with PKCS#12 extra certs') added a new
mechanism for doing this with OpenSSL 1.0.2 and newer. However, it did
not poinr out anything in debug log if SSL_add1_chain_cert() failed. Add
such a debug print and also silence static analyzer warning on res being
stored without being read (since the error case is ignored at least for
now).

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-24 19:36:34 +03:00
Jouni Malinen
acf36f319f OpenSSL: Enable support for server side TLS session resumption
This allows TLS-based EAP server methods to use session resumption.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-24 18:01:40 +03:00
Jouni Malinen
b3b8085ae8 TLS: Add functions for managing cached session state
The new tls_connection_set_success_data(),
tls_connection_set_success_data_resumed(),
tls_connection_get_success_data(), and tls_connection_remove_session()
functions can be used to mark cached sessions valid and to remove
invalid cached sessions. This commit is only adding empty functions. The
actual functionality will be implemented in followup commits.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-24 02:29:30 +03:00
Jouni Malinen
681e199dfb EAP server: Add tls_session_lifetime configuration
This new hostapd configuration parameter can be used to enable TLS
session resumption. This commit adds the configuration parameter through
the configuration system and RADIUS/EAPOL/EAP server components. The
actual changes to enable session caching will be addressed in followup
commits.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-24 02:29:30 +03:00
Jouni Malinen
93bc654996 OpenSSL: Allow server connection parameters to be configured
This extends OpenSSL version of tls_connection_set_verify() to support
the new flags argument.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-24 02:29:29 +03:00
Jouni Malinen
bfbebd2665 TLS: Add new arguments to tls_connection_set_verify()
The new flags and session_ctx arguments will be used in followup
commits.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-24 02:29:29 +03:00
Jouni Malinen
bd9b8b2b68 OpenSSL: Add wrapper struct for tls_init() result
This new struct tls_data is needed to store per-tls_init() information
in the followup commits.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-24 02:29:25 +03:00
Jouni Malinen
87c59a1e5a tests: Allow AES-WRAP-192 test cases to be commented out with BoringSSL
BoringSSL does not support 192-bit AES, so these parts of the
wpa_supplicant module tests would fail.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-08-18 20:21:44 +03:00
Jouni Malinen
355a5c8ec5 OpenSSL: Reject OCSP-required configuration if no OCSP support
This is needed at least with BoringSSL to avoid accepting OCSP-required
configuration with a TLS library that does not support OCSP stapling.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-08-18 02:24:06 +03:00
Jouni Malinen
c07e7b43e9 BoringSSL: Fix PKCS12_parse() segfault when used without password
Unlike OpenSSL PKCS12_parse(), the BoringSSL version seems to require
the password pointer to be non-NULL even if no password is present. Map
passwrd == NULL to passwd = "" to avoid a NULL pointer dereference
within BoringSSL.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-08-18 02:06:02 +03:00
Jouni Malinen
a89beee589 OpenSSL: Handshake completion and resumption state into debug log
This new debug log entry makes it more convenient to check how TLS
handshake was completed.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-08-18 01:56:05 +03:00
Jouni Malinen
a7803b0caf BoringSSL: Fix session resumption
BoringSSL commit 533ef7304d9b48aad38805f1997031a0a034d7fe ('Remove
SSL_clear calls in handshake functions.') triggered a regression for
EAP-TLS/TTLS/PEAP session resumption in wpa_supplicant due to the
removed SSL_clear() call in ssl3_connect() going away and wpa_supplicant
not calling SSL_clear() after SSL_shutdown(). Fix this by adding the
SSL_clear() call into wpa_supplicant after SSL_shutdown() when preparing
the ssl instance for another connection.

While OpenSSL is still call SSL_clear() in ssl3_connect(), it looks to
be safe to add this call to wpa_supplicant unconditionally.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-08-18 01:56:05 +03:00
Jouni Malinen
0f56057c64 BoringSSL: Make SSL_set_ssl_method() conditional on EAP-FAST
This function does not seem to be available in BoringSSL. Since it is
needed for EAP-FAST (which is not currently working with BoringSSL),
address this by commenting out the EAP-FAST specific step from builds
that do not include EAP-FAST support.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-08-18 01:56:05 +03:00
Jouni Malinen
226cdea6ca BoringSSL: Comment out SSL_build_cert_chain() call
It looks like BoringSSL does include that function even though it claims
support for OPENSSL_VERSION_NUMBER where this is available (1.0.2). For
now, comment out that call to fix build.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-08-18 01:56:04 +03:00
Jouni Malinen
812f28b79c BoringSSL: Allow internal AES key wrap to be used with "OpenSSL" build
It looks like BoringSSL has removed the AES_wrap_key(), AES_unwrap_key()
API. This broke wpa_supplicant/hostapd build since those functions from
OpenSSL were used to replace the internal AES key wrap implementation.
Add a new build configuration option
(CONFIG_OPENSSL_INTERNAL_AES_WRAP=y) to allow the internal
implementation to be used with CONFIG_OPENSSL=y build to allow build
against the latest BoringSSL version.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-08-18 01:56:02 +03:00
Jouni Malinen
de2a7b796d OpenSSL: Use connection certificate chain with PKCS#12 extra certs
When using OpenSSL 1.0.2 or newer, this replaces the older
SSL_CTX_add_extra_chain_cert() design with SSL_add1_chain_cert() to keep
the extra chain certificates out from SSL_CTX and specific to each
connection. In addition, build and rearrange extra certificates with
SSL_build_cert_chain() to avoid incorrect certificates and incorrect
order of certificates in the TLS handshake.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-11 01:27:03 +03:00
Jouni Malinen
0d2c0e6776 OpenSSL: Fix PKCS#12 extra certificate handling
Previously, the possible extra certificate(s) from a PKCS#12 file was
added once for each authentication attempt. This resulted in OpenSSL
concatenating the certificates multiple time (add one copy for each try
during the wpa_supplicant process lifetime). Fix this by clearing the
extra chain certificates before adding new ones when using OpenSSL 1.0.1
or newer that include the needed function.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-11 01:27:00 +03:00
Jouni Malinen
7cb53ded11 Add build option to remove all internal RC4 uses
The new CONFIG_NO_RC4=y build option can be used to remove all internal
hostapd and wpa_supplicant uses of RC4. It should be noted that external
uses (e.g., within a TLS library) do not get disabled when doing this.

This removes capability of supporting WPA/TKIP, dynamic WEP keys with
IEEE 802.1X, WEP shared key authentication, and MSCHAPv2 password
changes.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-02 16:52:56 +03:00
Jouni Malinen
4fc53159b9 OpenSSL: Fix FIPS mode enabling in dynamic interface case
FIPS_mode_set(1) cannot be called multiple times which could happen in
some dynamic interface cases. Avoid this by enabling FIPS mode only
once. There is no code in wpa_supplicant to disable FIPS mode, so once
it is enabled, it will remain enabled.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-02 16:52:56 +03:00
Jouni Malinen
e234c7c010 OpenSSL: Remove md4_vector() from CONFIG_FIPS=y builds
MD4 is not allowed in such builds, so comment out md4_vector() from the
build to force compile time failures for cases that cannot be supported
instead of failing the MD¤ operations at runtime. This makes it easier
to detect and fix accidental cases where MD4 could still be used in some
older protocols.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-02 16:52:56 +03:00
Jouni Malinen
cd94f0d159 tests: Skip ms_funcs module tests in CONFIG_FIPS=y builds
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-02 16:52:56 +03:00
Jouni Malinen
1046db8b53 Rename tls_connection_get_keys() to tls_connection_get_random()
Commit 94f1fe6f63 ('Remove master key
extraction from tls_connection_get_keys()') left only fetching of
server/client random, but did not rename the function and structure to
minimize code changes. The only name is quite confusing, so rename this
through the repository to match the new purpose.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-02 16:52:56 +03:00
Jouni Malinen
d0eb8a0b4e OpenSSL: Allow server/client random to be fetched in FIPS mode
tls_connection_get_keys() used to return TLS master secret, but that
part was removed in commit 94f1fe6f63
('Remove master key extraction from tls_connection_get_keys()'). Since
then, there is no real need for preventing this function from being used
in FIPS mode.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-02 16:52:56 +03:00
Jouni Malinen
f413eb03d9 random: Fix random_get_bytes() with CONFIG_FIPS=y
The bytes pointer was not reset back to the beginning of the buffer when
mixing in additional entropy from the crypto module. This resulted in
writing beyond the return buffer and not getting the required mixing of
the extra entropy for the actual return buffer.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-01 21:08:11 +03:00
Jouni Malinen
4a26972dfc OpenSSL: Remove md5_vector() from CONFIG_FIPS=y builds
MD5 is not allowed in such builds, so comment out md5_vector() from the
build to force compile time failures for cases that cannot be supported
instead of failing the MD5 operations at runtime. This makes it easier
to detect and fix accidental cases where MD5 could still be used in some
older protocols.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-01 21:08:06 +03:00
Jouni Malinen
97e986cd74 tests: Skip MD5 module tests in CONFIG_FIPS=y builds
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-01 16:57:04 +03:00
Jouni Malinen
276a3c44dd OpenSSL: Implement aes_wrap/aes_unwrap through EVP for CONFIG_FIPS=y
The OpenSSL internal AES_wrap_key() and AES_unwrap_key() functions are
unfortunately not available in FIPS mode. Trying to use them results in
"aes_misc.c(83): OpenSSL internal error, assertion failed: Low level API
call to cipher AES forbidden in FIPS mode!" and process termination.
Work around this by reverting commit
f19c907822 ('OpenSSL: Implement aes_wrap()
and aes_unwrap()') changes for CONFIG_FIPS=y case. In practice, this
ends up using the internal AES key wrap/unwrap implementation through
the OpenSSL EVP API which is available in FIPS mode. When CONFIG_FIPS=y
is not used, the OpenSSL AES_wrap_key()/AES_unwrap_key() API continues
to be used to minimize code size.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-01 16:56:59 +03:00
Jouni Malinen
266cf4a0bc OpenSSL: Comment out openssl_get_keyblock_size() if CONFIG_FIPS=y
This function is not used in CONFIG_FIPS=y builds.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-01 15:52:35 +03:00
Jouni Malinen
5bbc1c2581 tests: Comment out TLS PRF test from CONFIG_FIPS=y build
This fixes CONFIG_FIPS=y build that may not include tls_prf_sha1_md5().

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-01 15:51:44 +03:00
Jouni Malinen
06836013d3 OpenSSL: Remove EAP-FAST TLSv1.0 only workaround for OpenSSL 1.1.0
The issue with the special form of TLS session tickets has been fixed in
the OpenSSL 1.1.0 branch, so disable workaround for it. OpenSSL 1.0.1
and 1.0.2 workaround is still in place until a release with the fix has
been made.

This allows TLSv1.1 and TLSv1.2 to be negotiated for EAP-FAST with the
OpenSSL versions that support this.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-07-28 21:00:18 +03:00
Jouni Malinen
c34cd66866 OpenSSL: Drop security level to 0 if needed for EAP-FAST
OpenSSL 1.1.0 disables the anonymous ciphers by default, so need to
enable these for the special case of anonymous EAP-FAST provisioning.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-07-28 21:00:17 +03:00
Jouni Malinen
16bc3b8935 OpenSSL: Add SHA256 support in openssl_tls_prf() for TLSv1.2
This is needed when enabling TLSv1.2 support for EAP-FAST since the
SSL_export_keying_material() call does not support the needed parameters
for TLS PRF and the external-to-OpenSSL PRF needs to be used instead.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-07-28 21:00:17 +03:00
Jouni Malinen
3de28506d2 OpenSSL: Implement openssl_tls_prf() for OpenSSL 1.1.0
This needs to use the new accessor functions since the SSL session
details are not directly accessible anymore and there is now sufficient
helper functions to get to the needed information.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-07-28 18:56:45 +03:00
Jouni Malinen
4d2a1b4f8f OpenSSL: Implement SSL_set_session_secret_cb() callback for OpenSSL 1.1.0
This needs to use the new accessor functions for client/server random
since the previously used direct access won't be available anymore.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-07-28 18:56:45 +03:00
Jouni Malinen
005c5dcf43 OpenSSL: Implement tls_connection_get_keys() for OpenSSL 1.1.0
This needs to use the new accessor functions since the SSL session
details are not directly accessible anymore.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-07-28 18:56:45 +03:00
Jouni Malinen
690e543e8a OpenSSL: Include openssl/engine.h and openssl/dsa.h explicitly
This seems to be needed for OpenSSL 1.1.0.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-07-28 18:56:45 +03:00
Jouni Malinen
e9690eb74e OpenSSL: Remove extra BIO_write() call on TLS client
openssl_handshake() was checking only that in_data is not NULL and not
its length when determining whether to call BIO_write(). Extend that to
check the buffer length as well. In practice, this removes an
unnecessary BIO_write() call at the beginning of a TLS handshake on the
client side. This did not cause issues with OpenSSL versions up to
1.0.2, but that call seems to fail with the current OpenSSL 1.1.0
degvelopment snapshot. There is no need for that zero-length BIO_write()
call, so remove it.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-07-28 18:56:45 +03:00
Jouni Malinen
fe1bf32974 Make TLS version number available in STATUS command
This adds a new STATUS command field "eap_tls_version" that shows the
TLS version number that was used during EAP-TLS/TTLS/PEAP/FAST exchange.
For now, this is only supported with OpenSSL.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-07-08 19:51:03 +03:00
Jouni Malinen
5650d379a3 OpenSSL: Add option to disable use of TLSv1.0
The new phase1 config parameter value tls_disable_tlsv1_0=1 can now be
used to disable use of TLSv1.0 for a network configuration. This can be
used to force a newer TLS version to be used. For example,
phase1="tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1" would indicate that
only TLS v1.2 is accepted.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-07-08 19:27:57 +03:00
Jouni Malinen
f24b97972b OpenSSL: Merge error returns
These similar error cases can use a single return statement.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-06-30 21:48:22 +03:00
Jouni Malinen
84d6a17a27 TLS: Remove unused tls_capabilities()
This mechanism to figure out TLS library capabilities has not been used
since commit fd2f2d0489 ('Remove
EAP-TTLSv1 and TLS/IA') (Sep 2011).

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-06-30 21:40:48 +03:00
Jouni Malinen
786722763d ms_funcs: Merge similar return cases
There is no need to have separate return statements for these corner
cases that are unlikely to be hit in practice.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-06-29 23:23:56 +03:00
Jouni Malinen
f826fb1de1 OpenSSL: Handle EC_POINT_is_on_curve() error case
Even though this OpenSSL function is documented as returning "1 if point
if on the curve and 0 otherwise", it can apparently return -1 on some
error cases. Be prepared for that and check explicitly against 1 instead
of non-zero.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-06-26 22:41:51 +03:00
Jouni Malinen
16841ab246 crypto: Add functions for computing the Legendre symbol and EC y^2
These are needed to implement side-channel protection for SAE PWE
derivation for ECC.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-06-26 22:41:51 +03:00
Jouni Malinen
c4a13b424b OpenSSL: Add support for Brainpool Elliptic Curves
This allows the IKE groups 27-30 (RFC 6932) to be used with OpenSSL
1.0.2 and newer. For now, these get enabled for SAE as configurable
groups (sae_groups parameter), but the new groups are not enabled by
default.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-06-26 22:41:51 +03:00
Jouni Malinen
4e7e68890a Add crypto_ec_point_cmp()
This is needed to allow SAE to check whether ECC elements are identical.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-06-23 22:29:23 +03:00
Jouni Malinen
fdc5608c12 OpenSSL: Remove SSL_CTX_{get,set}_app_data() compatibility wrapper
OpenSSL 0.9.8 (and newer) includes SSL_CTX_get_app_data() and
SSL_CTX_set_app_data(), so there is no need to maintain this old
OPENSSL_SUPPORTS_CTX_APP_DATA backwards compatibility design.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-06-23 21:05:02 +03:00
Ben Rosenfeld
144b6a0650 OpenSSL: Fix memory leak on an openssl_tls_prf() error path
Free tmp_out before returning to prevent memory leak in case the second
memory allocation in openssl_tls_prf() fails. This is quite unlikely,
but at least theoretically possible memory leak with EAP-FAST.

Signed-off-by: Ben Rosenfeld <ben.rosenfeld@intel.com>
2015-06-19 01:23:24 +03:00
MAYANK HAARIT
92f190a0ac OpenSSL: Fix build iwth OpenSSL 0.9.8
The OPENSSL_VERSION_NUMBER < 0x00909000L case of
openssl_get_keyblock_size() had not been kept in sync with the cleanup
changes.

Signed-off-by: Mayank Haarit <mayank.h@samsung.com>
2015-06-06 17:15:47 +03:00
Mikael Kanstrup
8b423edbd3 Declare all read only data structures as const
By analysing objdump output some read only structures were found in
.data section. To help compiler further optimize code declare these
as const.

Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sonymobile.com>
2015-04-25 17:33:06 +03:00
Mike Gerow
fd4fb28179 OpenSSL: Try to ensure we don't throw away the PIN unnecessarily
Now on an engine error we decode the error value and determine if the
issue is due to a true PIN error or not. If it is due to incorrrect PIN,
delete the PIN as usual, but if it isn't let the PIN be.

Signed-off-by: Mike Gerow <gerow@google.com>
2015-04-25 16:05:50 +03:00
Jouni Malinen
cb71a8342d OpenSSL: Clean up TLS PRF implementation
Commit fa0e715100 ('Use
tls_connection_prf() for all EAP TLS-based key derivation') copied some
pointer checks from the generic implementation to tls_openssl.c.
However, these are arrays and cannot be NULL in OpenSSL data. Remove the
unnecessary checks and add master_key_length check for completeness.
(CID 109619).

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-04-22 11:17:26 +03:00
Nick Kralevich
d447cd596f Updates for stricter automatic memcpy bounds checking
Both Android's libc and glibc support _FORTIFY_SOURCE, a compiler
and libc feature which inserts automatic bounds checking into
common C functions such as memcpy() and strcpy(). If a buffer
overflow occurs when calling a hardened libc function, the
automatic bounds checking will safely shutdown the program and
prevent memory corruption.

Android is experimenting with _FORTIFY_SOURCE=3, a new fortify
level which enhances memcpy() to prevent overflowing an element
of a struct. Under the enhancements, code such as

  struct foo {
    char empty[0];
    char one[1];
    char a[10];
    char b[10];
  };

  int main() {
    foo myfoo;
    int n = atoi("11");
    memcpy(myfoo.a, "01234567890123456789", n);
    return 0;
  }

will cleanly crash when the memcpy() call is made.

Fixup hostap code to support the new level. Specifically:

* Fixup sha1_transform so it works with the enhanced bounds checking.
The old memcpy() code was attempting to write to context.h0, but that
structure element is too small and the write was extending (by design)
into h1, h2, h3, and h4. Use explicit assignments instead of
overflowing the struct element.

* Modify most of the structures in ieee802_11_defs.h to use ISO C99
flexible array members (https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html)
instead of a zero length array. Zero length arrays have zero length,
and any attempt to call memcpy() on such elements will always overflow.
Flexible array members have no such limitation. The only element not
adjusted is probe_req, since doing so will generate a compile time error,
and it's not obvious to me how to fix it.

Signed-off-by: Nick Kralevich <nnk@google.com>
2015-04-13 14:01:40 +03:00
Jouni Malinen
c4b45c60ad TLS: Fix memory leaks on tls_connection_set_params() error paths
The internal TLS implementation started rejecting number of unsupported
configuration parameters recently, but those new error paths did not
free the allocated tlsv1_credentials buffer.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-04-01 12:57:11 +03:00
Jouni Malinen
af851914f8 Make tls_connection_get_keyblock_size() internal to tls_*.c
This function exposes internal state of the TLS negotiated parameters
for the sole purpose of being able to implement PRF for EAP-FAST. Since
tls_connection_prf() is now taking care of all TLS-based key derivation
cases, it is cleaner to keep this detail internal to each tls_*.c
wrapper implementation.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-04-01 12:56:54 +03:00
Jouni Malinen
94f1fe6f63 Remove master key extraction from tls_connection_get_keys()
This is not needed anymore with the tls_connection_prf() being used to
handle all key derivation needs. tls_connection_get_keys() is a bit
misnamed for now, but it is only used to fetch the client and server
random for Session-Id derivation.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-03-31 15:52:40 +03:00
Jouni Malinen
fa0e715100 Use tls_connection_prf() for all EAP TLS-based key derivation
tls_openssl.c is the only remaining TLS/crypto wrapper that needs the
internal PRF implementation for EAP-FAST (since
SSL_export_keying_material() is not available in older versions and does
not support server-random-before-client case). As such, it is cleaner to
assume that TLS libraries support tls_connection_prf() and move the
additional support code for the otherwise unsupported cases into
tls_openssl.c.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-03-31 15:47:32 +03:00
Jouni Malinen
5955cfaacd ms_funcs: Make challenge_hash() non-static
This function can be of use outside ms_funcs.c.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-03-29 22:27:00 +03:00
Jouni Malinen
65a7b21f5e OpenSSL: Implement AES-128 CBC using EVP API
This replaces the internal CBC mode implementation in
aes_128_cbc_encrypt() and aes_128_cbc_decrypt() with the OpenSSL
implementation for CONFIG_TLS=openssl builds.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-03-29 20:30:58 +03:00
Jouni Malinen
22ba05c09e Explicitly clear temporary stack buffers in tls_prf_sha1_md5()
The local buffers may contain information used to generate parts of the
derived key, so clear these explicitly to minimize amount of unnecessary
private key-related material in memory.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-03-29 16:43:03 +03:00
Jouni Malinen
940a4dbf66 Explicitly clear temporary stack buffer in sha1_t_prf()
The local hash[] buffer may contain parts of the derived key, so clear
it explicitly to minimize number of unnecessary copies of key material
in memory.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-03-29 16:40:55 +03:00
Jouni Malinen
eccca102bf Explicitly clear temporary stack buffer in hmac_sha256_kdf()
The local T[] buffer may contain parts of the derived key, so clear it
explicitly to minimize number of unnecessary copies of key material in
memory.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-03-29 16:38:37 +03:00
Jouni Malinen
6784168d07 Remove SChannel support
SChannel/CryptoAPI as a TLS/crypto library alternative was never
completed. Critical functionality is missing and there are bugs in this
implementation. Since there are no known plans of completing this
support, it is better to remove this code.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-03-18 22:31:36 +02:00
Rohit Agrawal
00033a0903 OpenSSL: Always accept pinned certificates
If OpenSSL reports that a presented leaf certificate is invalid,
but it has been explicitly pinned, accept it anyway.

Signed-off-by: Rohit Agrawal <rohit.agrawal.mn@gmail.com>
2015-03-07 21:26:26 +02:00
Jouni Malinen
58d405fcdb Fix OCSP debug messages
These were not supposed to include a newline at the end of the message
text since such formatting gets handled by tls_show_errors(). In
addition, change the message about the issuer's issuer to be more
accurate.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-02-19 13:33:33 +02:00
Jouni Malinen
710dfb4e32 OpenSSL: Fix OCSP error path
If addition of a peer issuer certificate fails, the certs pointer would
be NULL when being passed to sk_X509_push() for peer issuer's issuer.
Fix this by skipping addition of issuer's issue if issuer addition
fails.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-02-19 13:32:05 +02:00
Jouni Malinen
db3168d414 OpenSSL: Use SSL_cache_hit() when available
This is going to be required for OpenSSL 1.1.0 which makes the SSL
structure opaque. Older versions starting from OpenSSL 1.0.1 include
this function, so start using it now based on OPENSSL_VERSION_NUMBER.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-02-04 02:04:35 +02:00
Jouni Malinen
68ae4773a4 OpenSSL: Use library wrapper functions to access cert store
OpenSSL 0.9.8 and newer includes SSL_CTX_get_cert_store() and
SSL_CTX_set_cert_store() helper functions, so there is no need to
dereference the SSL_CTX pointer to cert ssl_ctx->cert_store. This helps
in working with the future OpenSSL 1.1.0 release that makes the SSL_CTX
structure opaque.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-02-04 01:58:37 +02:00
Jouni Malinen
f19c907822 OpenSSL: Implement aes_wrap() and aes_unwrap()
This replaces the implementation in aes-wrap.c and aes-unwrap.c with
OpenSSL AES_wrap_key() and AES_unwrap_key() functions when building
hostapd or wpa_supplicant with OpenSSL.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-28 13:09:31 +02:00