DGNum/hostapd
6
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions
hostapd/src/crypto
History
Jouni Malinen cc9c4feccc OpenSSL: Allow systemwide policies to be overridden 
Some distributions (e.g., Debian) have started introducting systemwide
OpenSSL policies to disable older protocol versions and ciphers
throughout all programs using OpenSSL. This can result in significant
number of interoperability issues with deployed EAP implementations.

Allow explicit wpa_supplicant (EAP peer) and hostapd (EAP server)
parameters to be used to request systemwide policies to be overridden if
older versions are needed to be able to interoperate with devices that
cannot be updated to support the newer protocol versions or keys. The
default behavior is not changed here, i.e., the systemwide policies will
be followed if no explicit override configuration is used. The overrides
should be used only if really needed since they can result in reduced
security.

In wpa_supplicant, tls_disable_tlsv1_?=0 value in the phase1 network
profile parameter can be used to explicitly enable TLS versions that are
disabled in the systemwide configuration. For example,
phase1="tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0" would request TLS
v1.0 and TLS v1.1 to be enabled even if the systemwide policy enforces
TLS v1.2 as the minimum version. Similarly, openssl_ciphers parameter
can be used to override systemwide policy, e.g., with
openssl_ciphers="DEFAULT@SECLEVEL=1" to drop from security level 2 to 1
in Debian to allow shorter keys to be used.

In hostapd, tls_flags parameter can be used to configure similar
options. E.g., tls_flags=[ENABLE-TLSv1.0][ENABLE-TLSv1.1]

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-01-05 17:14:26 +02:00
..
.gitignore Add rules for building src/crypto as a library 2009-12-05 22:03:46 +02:00
aes-cbc.c Add TEST_FAIL() condition to aes_128_cbc_encrypt/decrypt() 2015-11-28 20:46:36 +02:00
aes-ccm.c AES-CCM: Use os_memcmp_const() for hash/password comparisons 2014-07-02 12:38:47 +03:00
aes-ctr.c Extend AES-SIV implementation to support different key lengths 2016-10-10 19:40:59 +03:00
aes-eax.c crypto: Clear temporary heap allocations before freeing 2015-01-06 02:49:13 +02:00
aes-encblock.c Remove the GPL notification from files contributed by Jouni Malinen 2012-02-11 19:39:36 +02:00
aes-gcm.c AES-GCM: Use os_memcmp_const() for hash/password comparisons 2014-07-02 12:38:47 +03:00
aes-internal-dec.c crypto: Add return value to DES and AES encrypt/decrypt 2017-02-28 11:23:54 +02:00
aes-internal-enc.c crypto: Add return value to DES and AES encrypt/decrypt 2017-02-28 11:23:54 +02:00
aes-internal.c Add support for using 192-bit and 256-bit keys with AES-GCM 2012-09-09 13:30:51 +03:00
aes-omac1.c tests: Add TEST_FAIL() condition to omac1_aes_vector() 2015-10-17 20:40:36 +03:00
aes-siv.c Use os_memdup() 2017-03-07 13:19:10 +02:00
aes-unwrap.c AES: Extend key wrap implementation to support longer data 2014-10-07 14:57:10 +03:00
aes-wrap.c AES: Extend key wrap implementation to support longer data 2014-10-07 14:57:10 +03:00
aes.h crypto: Add return value to DES and AES encrypt/decrypt 2017-02-28 11:23:54 +02:00
aes_i.h Add support for using 192-bit and 256-bit keys with AES-GCM 2012-09-09 13:30:51 +03:00
aes_siv.h Extend AES-SIV implementation to support different key lengths 2016-10-10 19:40:59 +03:00
aes_wrap.h Extend AES-SIV implementation to support different key lengths 2016-10-10 19:40:59 +03:00
crypto.h Enhance crypto abstract API 2017-12-24 17:35:38 +02:00
crypto_gnutls.c GnuTLS: Add TEST_FAIL() to crypto routines for testing purposes 2017-12-28 22:33:12 +02:00
crypto_internal-cipher.c Fix AES block size handling for internal cipher 2012-09-09 14:12:59 +03:00
crypto_internal-modexp.c crypto: Implement new crypto API functions for DH 2017-12-24 17:36:04 +02:00
crypto_internal-rsa.c Add function for building RSA public key from n and e parameters 2014-05-19 23:27:30 +03:00
crypto_internal.c crypto: Add CRYPTO_HASH_ALG_SHA384 and CRYPTO_HASH_ALG_SHA512 2015-11-29 18:21:08 +02:00
crypto_libtomcrypt.c crypto: Implement new crypto API functions for DH 2017-12-24 17:36:04 +02:00
crypto_linux.c af_alg: Crypto wrappers for Linux kernel crypto (AF_ALG) 2017-02-28 11:24:15 +02:00
crypto_module_tests.c tests: Extract-and-Expand HKDF (RFC 5869) 2017-03-11 22:40:31 +02:00
crypto_nettle.c GnuTLS: Add option to build with libnettle instead of libgcrypt 2017-12-29 17:13:57 +02:00
crypto_none.c crypto: Add return value to DES and AES encrypt/decrypt 2017-02-28 11:23:54 +02:00
crypto_openssl.c OpenSSL: Include sha512.h to match function prototypes 2018-11-30 21:28:06 +02:00
crypto_wolfssl.c wolfSSL: Fix crypto_bignum_rshift() wrapper 2018-05-17 22:02:02 +03:00
des-internal.c crypto: Add return value to DES and AES encrypt/decrypt 2017-02-28 11:23:54 +02:00
des_i.h Remove the GPL notification from files contributed by Jouni Malinen 2012-02-11 19:39:36 +02:00
dh_group5.c Fix memory leak on NFC DH generation error path 2015-11-29 20:53:20 +02:00
dh_group5.h Add dh5_init_fixed() to allow fixed DH parameters to be used 2012-06-27 21:22:12 +03:00
dh_groups.c Enhance crypto abstract API for DH 2017-12-24 17:38:10 +02:00
dh_groups.h Add Diffie-Hellman group definitions for MODP groups in RFC 5114 2013-01-12 17:51:54 +02:00
fips_prf_internal.c Remove the GPL notification from files contributed by Jouni Malinen 2012-02-11 19:39:36 +02:00
fips_prf_openssl.c OpenSSL: Silence sparse warnings in fips186_2_prf() 2016-06-24 19:02:58 +03:00
fips_prf_wolfssl.c wolfSSL: Use new digest namespace 2018-05-02 12:04:46 +03:00
Makefile Add SHA-384 routines to libcrypto.a 2017-09-05 18:58:59 +03:00
md4-internal.c crypto internal: Make MD4 PADDING array const 2019-01-02 17:26:57 +02:00
md5-internal.c Add TEST_FAIL() support for internal hash functions 2015-11-29 21:01:33 +02:00
md5.c crypto: Clear temporary stack buffers after use 2015-01-06 02:49:13 +02:00
md5.h FIPS: Remove md5-non-fips.c 2012-08-19 16:53:15 +03:00
md5_i.h Remove the GPL notification from files contributed by Jouni Malinen 2012-02-11 19:39:36 +02:00
milenage.c Milenage: Use os_memcmp_const() for hash/password comparisons 2014-07-02 12:38:47 +03:00
milenage.h Remove the GPL notification from files contributed by Jouni Malinen 2012-02-11 19:39:36 +02:00
ms_funcs.c crypto: Process des_encrypt() error returns in callers 2017-02-28 11:24:05 +02:00
ms_funcs.h crypto: Process des_encrypt() error returns in callers 2017-02-28 11:24:05 +02:00
random.c crypto: Add option to use getrandom() 2019-01-02 01:24:18 +02:00
random.h Remove the GPL notification from files contributed by Jouni Malinen 2012-02-11 19:39:36 +02:00
rc4.c Remove the GPL notification from files contributed by Jouni Malinen 2012-02-11 19:39:36 +02:00
sha1-internal.c Remove trailing whitespace 2016-12-28 14:31:42 +02:00
sha1-pbkdf2.c Convert remaining SSID routines from char* to u8* 2012-08-07 16:07:25 +03:00
sha1-prf.c crypto: Clear temporary stack buffers after use 2015-01-06 02:49:13 +02:00
sha1-tlsprf.c Explicitly clear temporary stack buffers in tls_prf_sha1_md5() 2015-03-29 16:43:03 +03:00
sha1-tprf.c Explicitly clear temporary stack buffer in sha1_t_prf() 2015-03-29 16:40:55 +03:00
sha1.c crypto: Clear temporary stack buffers after use 2015-01-06 02:49:13 +02:00
sha1.h Convert remaining SSID routines from char* to u8* 2012-08-07 16:07:25 +03:00
sha1_i.h Remove the GPL notification from files contributed by Jouni Malinen 2012-02-11 19:39:36 +02:00
sha256-internal.c Remove trailing whitespace 2016-12-28 14:31:42 +02:00
sha256-kdf.c Extend hmac_sha256_kdf() to support HKDF-Expand() as defined in RFC 5869 2017-03-11 22:40:10 +02:00
sha256-prf.c SAE: Check SHA256-PRF operation result 2016-03-27 21:44:49 +03:00
sha256-tlsprf.c Remove the GPL notification from files contributed by Jouni Malinen 2012-02-11 19:39:36 +02:00
sha256.c OpenSSL: Implement SHA256 HMAC functions using HMAC API 2012-08-16 22:34:35 +03:00
sha256.h SAE: Check SHA256-PRF operation result 2016-03-27 21:44:49 +03:00
sha256_i.h Remove the GPL notification from files contributed by Jouni Malinen 2012-02-11 19:39:36 +02:00
sha384-internal.c Add SHA384 and SHA512 implementations from LibTomCrypt library 2015-11-29 18:19:32 +02:00
sha384-kdf.c Extend SHA-384 and SHA-512 support to match SHA-256 2017-06-17 18:04:12 +03:00
sha384-prf.c Return success/failure result from sha384_prf() 2017-03-12 20:43:06 +02:00
sha384.c Add HMAC-SHA384 with internal crypto 2017-02-16 22:15:29 +02:00
sha384.h Extend SHA-384 and SHA-512 support to match SHA-256 2017-06-17 18:04:12 +03:00
sha384_i.h Add SHA384 and SHA512 implementations from LibTomCrypt library 2015-11-29 18:19:32 +02:00
sha512-internal.c crypto: Reduce the size of sha512_compress() stack frame 2019-01-02 16:31:19 +02:00
sha512-kdf.c Extend SHA-384 and SHA-512 support to match SHA-256 2017-06-17 18:04:12 +03:00
sha512-prf.c Extend SHA-384 and SHA-512 support to match SHA-256 2017-06-17 18:04:12 +03:00
sha512.c Add internal HMAC-SHA512 implementation to fix NEED_SHA512 builds 2018-12-31 11:57:37 +02:00
sha512.h Extend SHA-384 and SHA-512 support to match SHA-256 2017-06-17 18:04:12 +03:00
sha512_i.h Add SHA384 and SHA512 implementations from LibTomCrypt library 2015-11-29 18:19:32 +02:00
tls.h OpenSSL: Allow systemwide policies to be overridden 2019-01-05 17:14:26 +02:00
tls_gnutls.c hostapd: Add configuration option check_crl_strict 2018-12-31 12:51:51 +02:00
tls_internal.c hostapd: Add configuration option check_crl_strict 2018-12-31 12:51:51 +02:00
tls_none.c hostapd: Add configuration option check_crl_strict 2018-12-31 12:51:51 +02:00
tls_openssl.c OpenSSL: Allow systemwide policies to be overridden 2019-01-05 17:14:26 +02:00
tls_openssl.h BoringSSL: Move OCSP implementation into a separate file 2015-12-04 20:08:31 +02:00
tls_openssl_ocsp.c BoringSSL: Keep static analyzers happier with X509_get0_pubkey_bitstr() 2016-03-16 21:34:01 +02:00
tls_wolfssl.c hostapd: Add configuration option check_crl_strict 2018-12-31 12:51:51 +02:00