From 1d8ce433c9491260005111812976ec0655ef1370 Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Sat, 16 Aug 2008 11:21:22 +0300 Subject: [PATCH] Internal X.509/TLSv1: Support SHA-256 in X.509 certificate digest --- hostapd/ChangeLog | 4 ++++ src/tls/x509v3.c | 44 ++++++++++++++++++++++++++++++++++++++-- wpa_supplicant/ChangeLog | 4 ++++ wpa_supplicant/Makefile | 12 ++++++----- 4 files changed, 57 insertions(+), 7 deletions(-) diff --git a/hostapd/ChangeLog b/hostapd/ChangeLog index 8b29ba8da..382b869f1 100644 --- a/hostapd/ChangeLog +++ b/hostapd/ChangeLog @@ -1,5 +1,9 @@ ChangeLog for hostapd +????-??-?? - v0.6.5 + * added support for SHA-256 as X.509 certificate digest when using the + internal X.509/TLSv1 implementation + 2008-08-10 - v0.6.4 * added peer identity into EAP-FAST PAC-Opaque and skip Phase 2 Identity Request if identity is already known diff --git a/src/tls/x509v3.c b/src/tls/x509v3.c index 4da4891ec..59bf4ff05 100644 --- a/src/tls/x509v3.c +++ b/src/tls/x509v3.c @@ -1185,6 +1185,21 @@ static int x509_sha1_oid(struct asn1_oid *oid) } +static int x509_sha256_oid(struct asn1_oid *oid) +{ + return oid->len == 9 && + oid->oid[0] == 2 /* joint-iso-itu-t */ && + oid->oid[1] == 16 /* country */ && + oid->oid[2] == 840 /* us */ && + oid->oid[3] == 1 /* organization */ && + oid->oid[4] == 101 /* gov */ && + oid->oid[5] == 3 /* csor */ && + oid->oid[6] == 4 /* nistAlgorithm */ && + oid->oid[7] == 2 /* hashAlgs */ && + oid->oid[8] == 1 /* sha256 */; +} + + /** * x509_certificate_parse - Parse a X.509 certificate in DER format * @buf: Pointer to the X.509 certificate in DER format @@ -1309,7 +1324,7 @@ int x509_certificate_check_signature(struct x509_certificate *issuer, size_t data_len; struct asn1_hdr hdr; struct asn1_oid oid; - u8 hash[20]; + u8 hash[32]; size_t hash_len; if (!x509_pkcs_oid(&cert->signature.oid) || @@ -1408,6 +1423,19 @@ int x509_certificate_check_signature(struct x509_certificate *issuer, goto skip_digest_oid; } + if (x509_sha256_oid(&oid)) { + if (cert->signature.oid.oid[6] != + 11 /* sha2561WithRSAEncryption */) { + wpa_printf(MSG_DEBUG, "X509: digestAlgorithm SHA256 " + "does not match with certificate " + "signatureAlgorithm (%lu)", + cert->signature.oid.oid[6]); + os_free(data); + return -1; + } + goto skip_digest_oid; + } + if (!x509_digest_oid(&oid)) { wpa_printf(MSG_DEBUG, "X509: Unrecognized digestAlgorithm"); os_free(data); @@ -1466,8 +1494,20 @@ skip_digest_oid: wpa_hexdump(MSG_MSGDUMP, "X509: Certificate hash (SHA1)", hash, hash_len); break; - case 2: /* md2WithRSAEncryption */ case 11: /* sha256WithRSAEncryption */ +#ifdef NEED_SHA256 + sha256_vector(1, &cert->tbs_cert_start, &cert->tbs_cert_len, + hash); + hash_len = 32; + wpa_hexdump(MSG_MSGDUMP, "X509: Certificate hash (SHA256)", + hash, hash_len); + break; +#else /* NEED_SHA256 */ + wpa_printf(MSG_INFO, "X509: SHA256 support disabled"); + os_free(data); + return -1; +#endif /* NEED_SHA256 */ + case 2: /* md2WithRSAEncryption */ case 12: /* sha384WithRSAEncryption */ case 13: /* sha512WithRSAEncryption */ default: diff --git a/wpa_supplicant/ChangeLog b/wpa_supplicant/ChangeLog index 399bcd873..07dc0f0bc 100644 --- a/wpa_supplicant/ChangeLog +++ b/wpa_supplicant/ChangeLog @@ -1,5 +1,9 @@ ChangeLog for wpa_supplicant +????-??-?? - v0.6.5 + * added support for SHA-256 as X.509 certificate digest when using the + internal X.509/TLSv1 implementation + 2008-08-10 - v0.6.4 * added support for EAP Sequences in EAP-FAST Phase 2 * added support for using TNC with EAP-FAST diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile index 7fd3fc51a..9920f1b94 100644 --- a/wpa_supplicant/Makefile +++ b/wpa_supplicant/Makefile @@ -776,8 +776,14 @@ ifdef CONFIG_IEEE80211R NEED_SHA256=y endif +ifdef CONFIG_IEEE80211W +CFLAGS += -DCONFIG_IEEE80211W +NEED_SHA256=y +endif + ifdef NEED_SHA256 OBJS += ../src/crypto/sha256.o +CFLAGS += -DNEED_SHA256 endif ifdef CONFIG_WIRELESS_EXTENSION @@ -861,11 +867,6 @@ ifdef CONFIG_PEERKEY CFLAGS += -DCONFIG_PEERKEY endif -ifdef CONFIG_IEEE80211W -CFLAGS += -DCONFIG_IEEE80211W -NEED_SHA256=y -endif - ifdef CONFIG_IEEE80211R CFLAGS += -DCONFIG_IEEE80211R OBJS += ../src/rsn_supp/wpa_ft.o @@ -1036,6 +1037,7 @@ OBJSx=tests/test_x509v3.o ../src/tls/asn1.o ../src/tls/x509v3.o \ ../src/crypto/crypto_$(CONFIG_CRYPTO).o \ ../src/crypto/md5.o ../src/crypto/sha1.o ../src/crypto/aes.o \ ../src/crypto/rc4.o ../src/crypto/des.o ../src/crypto/aes_wrap.o \ + ../src/crypto/sha256.o \ ../src/tls/bignum.o ../src/tls/rsa.o test_x509v3: $(OBJSx) $(LDO) $(LDFLAGS) -o test_x509v3 $(OBJSx)