diff --git a/hostapd/Makefile b/hostapd/Makefile
index 2dfb7d611..22c09c1a2 100644
--- a/hostapd/Makefile
+++ b/hostapd/Makefile
@@ -440,6 +440,11 @@ ifdef CONFIG_TLSV11
 CFLAGS += -DCONFIG_TLSV11
 endif
 
+ifdef CONFIG_TLSV12
+CFLAGS += -DCONFIG_TLSV12
+NEED_SHA256=y
+endif
+
 ifeq ($(CONFIG_TLS), openssl)
 ifdef TLS_FUNCS
 OBJS += ../src/crypto/tls_openssl.o
@@ -519,6 +524,9 @@ OBJS += ../src/tls/pkcs8.o
 NEED_SHA256=y
 NEED_BASE64=y
 NEED_TLS_PRF=y
+ifdef CONFIG_TLSV12
+NEED_TLS_PRF_SHA256=y
+endif
 NEED_MODEXP=y
 NEED_CIPHER=y
 CFLAGS += -DCONFIG_TLS_INTERNAL
diff --git a/hostapd/defconfig b/hostapd/defconfig
index 36f286f0c..bae5ba2f8 100644
--- a/hostapd/defconfig
+++ b/hostapd/defconfig
@@ -221,6 +221,10 @@ CONFIG_IPV6=y
 # are used.
 #CONFIG_TLSV11=y
 
+# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
+# can be enabled to enable use of stronger crypto algorithms.
+#CONFIG_TLSV12=y
+
 # If CONFIG_TLS=internal is used, additional library and include paths are
 # needed for LibTomMath. Alternatively, an integrated, minimal version of
 # LibTomMath can be used. See beginning of libtommath.c for details on benefits
diff --git a/src/tls/tlsv1_common.c b/src/tls/tlsv1_common.c
index a9ffc1031..19c50c2f0 100644
--- a/src/tls/tlsv1_common.c
+++ b/src/tls/tlsv1_common.c
@@ -16,6 +16,7 @@
 
 #include "common.h"
 #include "crypto/sha1.h"
+#include "crypto/sha256.h"
 #include "x509v3.h"
 #include "tlsv1_common.h"
 
@@ -250,6 +251,10 @@ int tls_version_ok(u16 ver)
 if (ver == TLS_VERSION_1_1)
 return 1;
 #endif /* CONFIG_TLSV11 */
+#ifdef CONFIG_TLSV12
+ if (ver == TLS_VERSION_1_2)
+ return 1;
+#endif /* CONFIG_TLSV12 */
 return 0;
 }
 
@@ -262,6 +267,8 @@ const char * tls_version_str(u16 ver)
 return "1.0";
 case TLS_VERSION_1_1:
 return "1.1";
+ case TLS_VERSION_1_2:
+ return "1.2";
 }
 
 return "?";
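Review bot: `NEED_TLS_PRF_SHA256=y` is set inside the CONFIG_TLS=internal block of the second hostapd/Makefile hunk, but no rule that consumes it (an `ifdef NEED_TLS_PRF_SHA256` adding the SHA-256 PRF object to OBJS) is visible anywhere in this diff; if that rule does not already exist elsewhere in the Makefile, `tls_prf_sha256()` will be referenced from tlsv1_common.c without its object being built. The same applies to the wpa_supplicant/Makefile hunk at `@@ -911,6 +916,9 @@`. A short comment next to the flag, e.g. `# TLS v1.2 PRF (RFC 5246, Section 5) is SHA-256 based`, would explain why the internal TLS build needs it.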
@@ -271,6 +278,14 @@ const char * tls_version_str(u16 ver)
 int tls_prf(u16 ver, const u8 *secret, size_t secret_len, const char *label,
 const u8 *seed, size_t seed_len, u8 *out, size_t outlen)
 {
+#ifdef CONFIG_TLSV12
+ if (ver >= TLS_VERSION_1_2) {
+ tls_prf_sha256(secret, secret_len, label, seed, seed_len,
+ out, outlen);
+ return 0;
+ }
+#endif /* CONFIG_TLSV12 */
+
 return tls_prf_sha1_md5(secret, secret_len, label, seed, seed_len,
 out, outlen);
 }
diff --git a/src/tls/tlsv1_common.h b/src/tls/tlsv1_common.h
index 855a40788..91a03806b 100644
--- a/src/tls/tlsv1_common.h
+++ b/src/tls/tlsv1_common.h
@@ -19,11 +19,16 @@
 
 #define TLS_VERSION_1 0x0301 /* TLSv1 */
 #define TLS_VERSION_1_1 0x0302 /* TLSv1.1 */
+#define TLS_VERSION_1_2 0x0303 /* TLSv1.2 */
+#ifdef CONFIG_TLSV12
+#define TLS_VERSION TLS_VERSION_1_2
+#else /* CONFIG_TLSV12 */
 #ifdef CONFIG_TLSV11
 #define TLS_VERSION TLS_VERSION_1_1
 #else /* CONFIG_TLSV11 */
 #define TLS_VERSION TLS_VERSION_1
 #endif /* CONFIG_TLSV11 */
+#endif /* CONFIG_TLSV12 */
 #define TLS_RANDOM_LEN 32
 #define TLS_PRE_MASTER_SECRET_LEN 48
 #define TLS_MASTER_SECRET_LEN 48
diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
index dad156cae..0bc96c7a3 100644
--- a/wpa_supplicant/Makefile
+++ b/wpa_supplicant/Makefile
@@ -827,6 +827,11 @@ ifdef CONFIG_TLSV11
 CFLAGS += -DCONFIG_TLSV11
 endif
 
+ifdef CONFIG_TLSV12
+CFLAGS += -DCONFIG_TLSV12
+NEED_SHA256=y
+endif
+
 ifeq ($(CONFIG_TLS), openssl)
 ifdef TLS_FUNCS
 CFLAGS += -DEAP_TLS_OPENSSL
@@ -911,6 +916,9 @@ OBJS += ../src/tls/pkcs8.o
 NEED_SHA256=y
 NEED_BASE64=y
 NEED_TLS_PRF=y
+ifdef CONFIG_TLSV12
+NEED_TLS_PRF_SHA256=y
+endif
 NEED_MODEXP=y
 NEED_CIPHER=y
 CFLAGS += -DCONFIG_TLS_INTERNAL_CLIENT
diff --git a/wpa_supplicant/defconfig b/wpa_supplicant/defconfig
index 03a422371..cff25d6c8 100644
--- a/wpa_supplicant/defconfig
+++ b/wpa_supplicant/defconfig
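Review bot: The TLS v1.2 branch added at the top of tls_prf() picks SHA-256 purely from `ver`, whereas RFC 5246 makes the PRF hash a property of the negotiated cipher suite (SHA-256 for every suite defined in RFC 5246 itself, but SHA-384 for, e.g., the AES-256-GCM suites of RFC 5288/5289). The dispatch is therefore correct only as long as the internal TLS code never negotiates a TLS v1.2 suite with a different PRF hash, and nothing in the hunk records that assumption for whoever adds suites later; a comment on the branch such as `/* RFC 5246, Section 5: P_SHA256 is the PRF for all suites defined there; a suite with another PRF hash (e.g., SHA-384) must not be enabled without extending this dispatch */` would keep the coupling visible. `tls_prf_sha256()` is called without examining a result and the branch returns 0 unconditionally, so it is presumably a void helper (its declaration is not in this diff); if it can fail, that status is lost to callers deriving key material from `out`.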
@@ -332,6 +332,13 @@ CONFIG_PEERKEY=y
 # sent prior to negotiating which version will be used)
 #CONFIG_TLSV11=y
 
+# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
+# can be enabled to enable use of stronger crypto algorithms. It should be
+# noted that some existing TLS v1.0 -based implementation may not be compatible
+# with TLS v1.2 message (ClientHello is sent prior to negotiating which version
+# will be used)
+#CONFIG_TLSV12=y
+
 # If CONFIG_TLS=internal is used, additional library and include paths are
 # needed for LibTomMath. Alternatively, an integrated, minimal version of
 # LibTomMath can be used. See beginning of libtommath.c for details on benefits