From 09eef142eabb14d3f4242af7aafb909dd9cda9b8 Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Tue, 11 Mar 2014 16:33:05 +0200 Subject: [PATCH] Use internal FIPS 186-2 PRF if needed Previously, EAP-SIM/AKA/AKA' did not work with number of crypto libraries (GnuTLS, CryptoAPI, NSS) since the required FIPS 186-2 PRF function was not implemented. This resulted in somewhat confusing error messages since the placeholder functions were silently returning an error. Fix this by using the internal implementation of FIP 186-2 PRF (including internal SHA-1 implementation) with crypto libraries that do not implement this in case EAP-SIM/AKA/AKA' is included in the build. Signed-off-by: Jouni Malinen --- hostapd/Android.mk | 6 ++++-- hostapd/Makefile | 6 ++++-- src/crypto/Makefile | 1 + src/crypto/fips_prf_cryptoapi.c | 19 ------------------- src/crypto/fips_prf_gnutls.c | 20 -------------------- src/crypto/fips_prf_nss.c | 19 ------------------- src/crypto/sha1-internal.c | 2 ++ wpa_supplicant/Android.mk | 9 ++++++--- wpa_supplicant/Makefile | 9 ++++++--- 9 files changed, 23 insertions(+), 68 deletions(-) delete mode 100644 src/crypto/fips_prf_cryptoapi.c delete mode 100644 src/crypto/fips_prf_gnutls.c delete mode 100644 src/crypto/fips_prf_nss.c diff --git a/hostapd/Android.mk b/hostapd/Android.mk index 888ee2bb7..b96345f58 100644 --- a/hostapd/Android.mk +++ b/hostapd/Android.mk @@ -539,7 +539,8 @@ endif OBJS += src/crypto/crypto_gnutls.c HOBJS += src/crypto/crypto_gnutls.c ifdef NEED_FIPS186_2_PRF -OBJS += src/crypto/fips_prf_gnutls.c +OBJS += src/crypto/fips_prf_internal.c +OBJS += src/crypto/sha1-internal.c endif LIBS += -lgcrypt LIBS_h += -lgcrypt @@ -566,7 +567,8 @@ LIBS += -lssl3 endif OBJS += src/crypto/crypto_nss.c ifdef NEED_FIPS186_2_PRF -OBJS += src/crypto/fips_prf_nss.c +OBJS += src/crypto/fips_prf_internal.c +OBJS += src/crypto/sha1-internal.c endif LIBS += -lnss3 LIBS_h += -lnss3 diff --git a/hostapd/Makefile b/hostapd/Makefile index c541d434a..149688897 100644 --- a/hostapd/Makefile +++ b/hostapd/Makefile @@ -522,7 +522,8 @@ endif OBJS += ../src/crypto/crypto_gnutls.o HOBJS += ../src/crypto/crypto_gnutls.o ifdef NEED_FIPS186_2_PRF -OBJS += ../src/crypto/fips_prf_gnutls.o +OBJS += ../src/crypto/fips_prf_internal.o +SHA1OBJS += ../src/crypto/sha1-internal.o endif LIBS += -lgcrypt LIBS_h += -lgcrypt @@ -549,7 +550,8 @@ LIBS += -lssl3 endif OBJS += ../src/crypto/crypto_nss.o ifdef NEED_FIPS186_2_PRF -OBJS += ../src/crypto/fips_prf_nss.o +OBJS += ../src/crypto/fips_prf_internal.o +SHA1OBJS += ../src/crypto/sha1-internal.o endif LIBS += -lnss3 LIBS_h += -lnss3 diff --git a/src/crypto/Makefile b/src/crypto/Makefile index fcf958629..2a921098c 100644 --- a/src/crypto/Makefile +++ b/src/crypto/Makefile @@ -9,6 +9,7 @@ install: include ../lib.rules +CFLAGS += -DCONFIG_CRYPTO_INTERNAL CFLAGS += -DCONFIG_TLS_INTERNAL_CLIENT CFLAGS += -DCONFIG_TLS_INTERNAL_SERVER #CFLAGS += -DALL_DH_GROUPS diff --git a/src/crypto/fips_prf_cryptoapi.c b/src/crypto/fips_prf_cryptoapi.c deleted file mode 100644 index dca93a3d3..000000000 --- a/src/crypto/fips_prf_cryptoapi.c +++ /dev/null @@ -1,19 +0,0 @@ -/* - * FIPS 186-2 PRF for Microsoft CryptoAPI - * Copyright (c) 2009, Jouni Malinen - * - * This software may be distributed under the terms of the BSD license. - * See README for more details. - */ - -#include "includes.h" - -#include "common.h" -#include "crypto.h" - - -int fips186_2_prf(const u8 *seed, size_t seed_len, u8 *x, size_t xlen) -{ - /* FIX: how to do this with CryptoAPI? */ - return -1; -} diff --git a/src/crypto/fips_prf_gnutls.c b/src/crypto/fips_prf_gnutls.c deleted file mode 100644 index 947e6f641..000000000 --- a/src/crypto/fips_prf_gnutls.c +++ /dev/null @@ -1,20 +0,0 @@ -/* - * FIPS 186-2 PRF for libgcrypt - * Copyright (c) 2004-2009, Jouni Malinen - * - * This software may be distributed under the terms of the BSD license. - * See README for more details. - */ - -#include "includes.h" -#include - -#include "common.h" -#include "crypto.h" - - -int fips186_2_prf(const u8 *seed, size_t seed_len, u8 *x, size_t xlen) -{ - /* FIX: how to do this with libgcrypt? */ - return -1; -} diff --git a/src/crypto/fips_prf_nss.c b/src/crypto/fips_prf_nss.c deleted file mode 100644 index 2c962f4f1..000000000 --- a/src/crypto/fips_prf_nss.c +++ /dev/null @@ -1,19 +0,0 @@ -/* - * FIPS 186-2 PRF for NSS - * Copyright (c) 2009, Jouni Malinen - * - * This software may be distributed under the terms of the BSD license. - * See README for more details. - */ - -#include "includes.h" -#include - -#include "common.h" -#include "crypto.h" - - -int fips186_2_prf(const u8 *seed, size_t seed_len, u8 *x, size_t xlen) -{ - return -1; -} diff --git a/src/crypto/sha1-internal.c b/src/crypto/sha1-internal.c index 10bf153ca..24bc3ffe1 100644 --- a/src/crypto/sha1-internal.c +++ b/src/crypto/sha1-internal.c @@ -19,6 +19,7 @@ typedef struct SHA1Context SHA1_CTX; void SHA1Transform(u32 state[5], const unsigned char buffer[64]); +#ifdef CONFIG_CRYPTO_INTERNAL /** * sha1_vector - SHA-1 hash for data vector * @num_elem: Number of elements in the data vector @@ -38,6 +39,7 @@ int sha1_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac) SHA1Final(mac, &ctx); return 0; } +#endif /* CONFIG_CRYPTO_INTERNAL */ /* ===== start - public domain SHA1 implementation ===== */ diff --git a/wpa_supplicant/Android.mk b/wpa_supplicant/Android.mk index c745cb209..b8690f505 100644 --- a/wpa_supplicant/Android.mk +++ b/wpa_supplicant/Android.mk @@ -962,7 +962,8 @@ endif OBJS += src/crypto/crypto_gnutls.c OBJS_p += src/crypto/crypto_gnutls.c ifdef NEED_FIPS186_2_PRF -OBJS += src/crypto/fips_prf_gnutls.c +OBJS += src/crypto/fips_prf_internal.c +OBJS += src/crypto/sha1-internal.c endif LIBS += -lgcrypt LIBS_p += -lgcrypt @@ -978,7 +979,8 @@ endif OBJS += src/crypto/crypto_cryptoapi.c OBJS_p += src/crypto/crypto_cryptoapi.c ifdef NEED_FIPS186_2_PRF -OBJS += src/crypto/fips_prf_cryptoapi.c +OBJS += src/crypto/fips_prf_internal.c +OBJS += src/crypto/sha1-internal.c endif CONFIG_INTERNAL_SHA256=y CONFIG_INTERNAL_RC4=y @@ -993,7 +995,8 @@ endif OBJS += src/crypto/crypto_nss.c OBJS_p += src/crypto/crypto_nss.c ifdef NEED_FIPS186_2_PRF -OBJS += src/crypto/fips_prf_nss.c +OBJS += src/crypto/fips_prf_internal.c +OBJS += src/crypto/sha1-internal.c endif LIBS += -lnss3 LIBS_p += -lnss3 diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile index 2b8cb93e4..ce9806880 100644 --- a/wpa_supplicant/Makefile +++ b/wpa_supplicant/Makefile @@ -967,7 +967,8 @@ endif OBJS += ../src/crypto/crypto_gnutls.o OBJS_p += ../src/crypto/crypto_gnutls.o ifdef NEED_FIPS186_2_PRF -OBJS += ../src/crypto/fips_prf_gnutls.o +OBJS += ../src/crypto/fips_prf_internal.o +SHA1OBJS += ../src/crypto/sha1-internal.o endif LIBS += -lgcrypt LIBS_p += -lgcrypt @@ -983,7 +984,8 @@ endif OBJS += ../src/crypto/crypto_cryptoapi.o OBJS_p += ../src/crypto/crypto_cryptoapi.o ifdef NEED_FIPS186_2_PRF -OBJS += ../src/crypto/fips_prf_cryptoapi.o +OBJS += ../src/crypto/fips_prf_internal.o +SHA1OBJS += ../src/crypto/sha1-internal.o endif CONFIG_INTERNAL_SHA256=y CONFIG_INTERNAL_RC4=y @@ -998,7 +1000,8 @@ endif OBJS += ../src/crypto/crypto_nss.o OBJS_p += ../src/crypto/crypto_nss.o ifdef NEED_FIPS186_2_PRF -OBJS += ../src/crypto/fips_prf_nss.o +OBJS += ../src/crypto/fips_prf_internal.o +SHA1OBJS += ../src/crypto/sha1-internal.o endif LIBS += -lnss3 LIBS_p += -lnss3