TLS: Add support for SHA256-based cipher suites from RFC 5246
Signed-hostap: Jouni Malinen <j@w1.fi>
parent
48f24f93a5
commit
cdc6e5d084
4 changed files with 41 additions and 2 deletions
|
@ -466,8 +466,10 @@ struct tlsv1_client * tlsv1_client_init(void)
|
||||||
count = 0;
|
count = 0;
|
||||||
suites = conn->cipher_suites;
|
suites = conn->cipher_suites;
|
||||||
#ifndef CONFIG_CRYPTO_INTERNAL
|
#ifndef CONFIG_CRYPTO_INTERNAL
|
||||||
|
suites[count++] = TLS_RSA_WITH_AES_256_CBC_SHA256;
|
||||||
suites[count++] = TLS_RSA_WITH_AES_256_CBC_SHA;
|
suites[count++] = TLS_RSA_WITH_AES_256_CBC_SHA;
|
||||||
#endif /* CONFIG_CRYPTO_INTERNAL */
|
#endif /* CONFIG_CRYPTO_INTERNAL */
|
||||||
|
suites[count++] = TLS_RSA_WITH_AES_128_CBC_SHA256;
|
||||||
suites[count++] = TLS_RSA_WITH_AES_128_CBC_SHA;
|
suites[count++] = TLS_RSA_WITH_AES_128_CBC_SHA;
|
||||||
suites[count++] = TLS_RSA_WITH_3DES_EDE_CBC_SHA;
|
suites[count++] = TLS_RSA_WITH_3DES_EDE_CBC_SHA;
|
||||||
suites[count++] = TLS_RSA_WITH_RC4_128_SHA;
|
suites[count++] = TLS_RSA_WITH_RC4_128_SHA;
|
||||||
|
@ -571,15 +573,24 @@ int tlsv1_client_get_cipher(struct tlsv1_client *conn, char *buf,
|
||||||
case TLS_RSA_WITH_3DES_EDE_CBC_SHA:
|
case TLS_RSA_WITH_3DES_EDE_CBC_SHA:
|
||||||
cipher = "DES-CBC3-SHA";
|
cipher = "DES-CBC3-SHA";
|
||||||
break;
|
break;
|
||||||
|
case TLS_DH_anon_WITH_AES_128_CBC_SHA256:
|
||||||
|
cipher = "ADH-AES-128-SHA256";
|
||||||
|
break;
|
||||||
case TLS_DH_anon_WITH_AES_128_CBC_SHA:
|
case TLS_DH_anon_WITH_AES_128_CBC_SHA:
|
||||||
cipher = "ADH-AES-128-SHA";
|
cipher = "ADH-AES-128-SHA";
|
||||||
break;
|
break;
|
||||||
case TLS_RSA_WITH_AES_256_CBC_SHA:
|
case TLS_RSA_WITH_AES_256_CBC_SHA:
|
||||||
cipher = "AES-256-SHA";
|
cipher = "AES-256-SHA";
|
||||||
break;
|
break;
|
||||||
|
case TLS_RSA_WITH_AES_256_CBC_SHA256:
|
||||||
|
cipher = "AES-256-SHA256";
|
||||||
|
break;
|
||||||
case TLS_RSA_WITH_AES_128_CBC_SHA:
|
case TLS_RSA_WITH_AES_128_CBC_SHA:
|
||||||
cipher = "AES-128-SHA";
|
cipher = "AES-128-SHA";
|
||||||
break;
|
break;
|
||||||
|
case TLS_RSA_WITH_AES_128_CBC_SHA256:
|
||||||
|
cipher = "AES-128-SHA256";
|
||||||
|
break;
|
||||||
default:
|
default:
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
@ -731,8 +742,10 @@ int tlsv1_client_set_cipher_list(struct tlsv1_client *conn, u8 *ciphers)
|
||||||
count = 0;
|
count = 0;
|
||||||
suites = conn->cipher_suites;
|
suites = conn->cipher_suites;
|
||||||
#ifndef CONFIG_CRYPTO_INTERNAL
|
#ifndef CONFIG_CRYPTO_INTERNAL
|
||||||
|
suites[count++] = TLS_DH_anon_WITH_AES_256_CBC_SHA256;
|
||||||
suites[count++] = TLS_DH_anon_WITH_AES_256_CBC_SHA;
|
suites[count++] = TLS_DH_anon_WITH_AES_256_CBC_SHA;
|
||||||
#endif /* CONFIG_CRYPTO_INTERNAL */
|
#endif /* CONFIG_CRYPTO_INTERNAL */
|
||||||
|
suites[count++] = TLS_DH_anon_WITH_AES_128_CBC_SHA256;
|
||||||
suites[count++] = TLS_DH_anon_WITH_AES_128_CBC_SHA;
|
suites[count++] = TLS_DH_anon_WITH_AES_128_CBC_SHA;
|
||||||
suites[count++] = TLS_DH_anon_WITH_3DES_EDE_CBC_SHA;
|
suites[count++] = TLS_DH_anon_WITH_3DES_EDE_CBC_SHA;
|
||||||
suites[count++] = TLS_DH_anon_WITH_RC4_128_MD5;
|
suites[count++] = TLS_DH_anon_WITH_RC4_128_MD5;
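Review bot: tlsv1_client_get_cipher has no case for TLS_DH_anon_WITH_AES_256_CBC_SHA256 in the visible part of its switch, although the tlsv1_client_set_cipher_list hunk starts offering that suite when CONFIG_CRYPTO_INTERNAL is not defined. If that suite is negotiated, the visible `default:` branch returns -1, so a caller that logs or reports the active cipher gets an error instead of a name. Adding `case TLS_DH_anon_WITH_AES_256_CBC_SHA256: cipher = "ADH-AES-256-SHA256"; break;` would close the gap; the string is constructed here by analogy with the neighbouring names. The switch starts above the hunk, so confirm that no earlier case already covers it.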
|
||||||
|
|
|
@ -52,7 +52,15 @@ static const struct tls_cipher_suite tls_cipher_suites[] = {
|
||||||
{ TLS_RSA_WITH_AES_256_CBC_SHA, TLS_KEY_X_RSA, TLS_CIPHER_AES_256_CBC,
|
{ TLS_RSA_WITH_AES_256_CBC_SHA, TLS_KEY_X_RSA, TLS_CIPHER_AES_256_CBC,
|
||||||
TLS_HASH_SHA },
|
TLS_HASH_SHA },
|
||||||
{ TLS_DH_anon_WITH_AES_256_CBC_SHA, TLS_KEY_X_DH_anon,
|
{ TLS_DH_anon_WITH_AES_256_CBC_SHA, TLS_KEY_X_DH_anon,
|
||||||
TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA }
|
TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA },
|
||||||
|
{ TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_KEY_X_RSA,
|
||||||
|
TLS_CIPHER_AES_128_CBC, TLS_HASH_SHA256 },
|
||||||
|
{ TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_KEY_X_RSA,
|
||||||
|
TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA256 },
|
||||||
|
{ TLS_DH_anon_WITH_AES_128_CBC_SHA256, TLS_KEY_X_DH_anon,
|
||||||
|
TLS_CIPHER_AES_128_CBC, TLS_HASH_SHA256 },
|
||||||
|
{ TLS_DH_anon_WITH_AES_256_CBC_SHA256, TLS_KEY_X_DH_anon,
|
||||||
|
TLS_CIPHER_AES_256_CBC, TLS_HASH_SHA256 }
|
||||||
};
|
};
|
||||||
|
|
||||||
#define NUM_ELEMS(a) (sizeof(a) / sizeof((a)[0]))
|
#define NUM_ELEMS(a) (sizeof(a) / sizeof((a)[0]))
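Review bot: The four new tls_cipher_suites entries record only key exchange, cipher and hash, so nothing in the table marks the SHA256 suites as belonging to TLS 1.2, the version RFC 5246 defines them for. The client hunks on this page add the same suites to the offered lists unconditionally. The handshake code is not shown here, so it is worth checking that the ServerHello path rejects a SHA256 suite unless the negotiated version is 1.2. Otherwise a peer could select one at an earlier version, and the MAC and PRF assumptions on the two sides may not match. A comment on the new entries such as `/* TLS v1.2 only (RFC 5246) */` would at least document the constraint.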
|
||||||
|
|
|
@ -93,6 +93,19 @@ enum {
|
||||||
#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA 0x0038 /* RFC 3268 */
|
#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA 0x0038 /* RFC 3268 */
|
||||||
#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA 0x0039 /* RFC 3268 */
|
#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA 0x0039 /* RFC 3268 */
|
||||||
#define TLS_DH_anon_WITH_AES_256_CBC_SHA 0x003A /* RFC 3268 */
|
#define TLS_DH_anon_WITH_AES_256_CBC_SHA 0x003A /* RFC 3268 */
|
||||||
|
#define TLS_RSA_WITH_NULL_SHA256 0x003B /* RFC 5246 */
|
||||||
|
#define TLS_RSA_WITH_AES_128_CBC_SHA256 0x003C /* RFC 5246 */
|
||||||
|
#define TLS_RSA_WITH_AES_256_CBC_SHA256 0x003D /* RFC 5246 */
|
||||||
|
#define TLS_DH_DSS_WITH_AES_128_CBC_SHA256 0x003E /* RFC 5246 */
|
||||||
|
#define TLS_DH_RSA_WITH_AES_128_CBC_SHA256 0x003F /* RFC 5246 */
|
||||||
|
#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 0x0040 /* RFC 5246 */
|
||||||
|
#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 0x0067 /* RFC 5246 */
|
||||||
|
#define TLS_DH_DSS_WITH_AES_256_CBC_SHA256 0x0068 /* RFC 5246 */
|
||||||
|
#define TLS_DH_RSA_WITH_AES_256_CBC_SHA256 0x0069 /* RFC 5246 */
|
||||||
|
#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 0x006A /* RFC 5246 */
|
||||||
|
#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 0x006B /* RFC 5246 */
|
||||||
|
#define TLS_DH_anon_WITH_AES_128_CBC_SHA256 0x006C /* RFC 5246 */
|
||||||
|
#define TLS_DH_anon_WITH_AES_256_CBC_SHA256 0x006D /* RFC 5246 */
|
||||||
|
|
||||||
/* CompressionMethod */
|
/* CompressionMethod */
|
||||||
#define TLS_COMPRESSION_NULL 0
|
#define TLS_COMPRESSION_NULL 0
|
||||||
|
@ -199,7 +212,8 @@ typedef enum {
|
||||||
typedef enum {
|
typedef enum {
|
||||||
TLS_HASH_NULL,
|
TLS_HASH_NULL,
|
||||||
TLS_HASH_MD5,
|
TLS_HASH_MD5,
|
||||||
TLS_HASH_SHA
|
TLS_HASH_SHA,
|
||||||
|
TLS_HASH_SHA256
|
||||||
} tls_hash;
|
} tls_hash;
|
||||||
|
|
||||||
struct tls_cipher_suite {
|
struct tls_cipher_suite {
|
||||||
|
|
|
@ -17,6 +17,7 @@
|
||||||
#include "common.h"
|
#include "common.h"
|
||||||
#include "crypto/md5.h"
|
#include "crypto/md5.h"
|
||||||
#include "crypto/sha1.h"
|
#include "crypto/sha1.h"
|
||||||
|
#include "crypto/sha256.h"
|
||||||
#include "tlsv1_common.h"
|
#include "tlsv1_common.h"
|
||||||
#include "tlsv1_record.h"
|
#include "tlsv1_record.h"
|
||||||
|
|
||||||
|
@ -52,6 +53,9 @@ int tlsv1_record_set_cipher_suite(struct tlsv1_record_layer *rl,
|
||||||
} else if (suite->hash == TLS_HASH_SHA) {
|
} else if (suite->hash == TLS_HASH_SHA) {
|
||||||
rl->hash_alg = CRYPTO_HASH_ALG_HMAC_SHA1;
|
rl->hash_alg = CRYPTO_HASH_ALG_HMAC_SHA1;
|
||||||
rl->hash_size = SHA1_MAC_LEN;
|
rl->hash_size = SHA1_MAC_LEN;
|
||||||
|
} else if (suite->hash == TLS_HASH_SHA256) {
|
||||||
|
rl->hash_alg = CRYPTO_HASH_ALG_HMAC_SHA256;
|
||||||
|
rl->hash_size = SHA256_MAC_LEN;
|
||||||
}
|
}
|
||||||
|
|
||||||
data = tls_get_cipher_data(suite->cipher);
|
data = tls_get_cipher_data(suite->cipher);
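Review bot: The hash selection chain in tlsv1_record_set_cipher_suite still ends without a final `else` after the new TLS_HASH_SHA256 branch. A suite whose hash matches none of the handled values therefore leaves rl->hash_alg and rl->hash_size at whatever they held before the call. Now that tls_hash is growing, a closing `} else { return -1; }` would make an unhandled value fail closed instead of silently keeping the previous MAC parameters. The chain begins above the hunk, so TLS_HASH_NULL may be meant to fall through; if so it needs an explicit branch of its own before the fallback is added.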
|
||||||
|
|