The n argument to this function is number of bits, not bytes, to shift.
As such, need to use mp_rshb() instead of mp_rshd(). This fixes EAP-pwd
with P-521 curve.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Implement tls_connection_get_eap_fast_key() using cryptographic
primitives as wolfSSL implements different spec.
Signed-off-by: Sean Parkinson <sean@wolfssl.com>
Depend on proper wolfSSL configuration instead of trying to define these
build configuration values externally.
Signed-off-by: Sean Parkinson <sean@wolfssl.com>
Use the correct intermediate result from mp_sqrmod() in the following
mp_mulmod() call (t is not initialized here; it is used only after this
step).
Signed-off-by: Sean Parkinson <sean@wolfssl.com>
Provide full uncompressed DER data length to wc_ecc_import_point_der()
even though a compressed form is used here. In addition, use
ECC_POINT_COMP_* defined values to make this more readable.
Signed-off-by: Sean Parkinson <sean@wolfssl.com>
This may be needed to avoid interoperability issues with the new
protocol version and significant changes for EAP use cases in both key
derivation and handshake termination.
Signed-off-by: Jouni Malinen <j@w1.fi>
This makes this more easily available throughout the handshake
processing, if needed, compared to having to pass through the function
argument through the full path from
tls_connection{,_server}_handshake().
Signed-off-by: Jouni Malinen <j@w1.fi>
OpenSSL 1.1.1 added cases where ClientHello generation may fail due to
"no ciphers available". There is no point in sending out the resulting
TLS Alert message to the server since the server does not know what to
do with it before ClientHello. Instead, simply terminate the TLS
handshake locally and report EAP failure to avoid getting stuck waiting
for a timeout.
Signed-off-by: Jouni Malinen <j@w1.fi>
LibreSSL v2.7 claims an OPENSSL_VERSION_NUMBER value that would indicate
that SSL_OP_NO_TLSv1_3 is available, but that does not seem to be the
case with LibreSSL. As such, skip this step based on whether
SSL_OP_NO_TLSv1_3 is defined to avoid build issues.
Signed-off-by: Jouni Malinen <j@w1.fi>
This commit takes care of the sigalg configuration using the relatively
recent SSL_CTX_set_verify_algorithm_prefs() addition from April 2017 to
address the functionality that was already there with OpenSSL using
SSL_set1_sigalgs_list().
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
BoringSSL removed the special OpenSSL cipher suite value "SUITEB192", so
need to map that to the explicit ciphersuite
(ECDHE-ECDSA-AES256-GCM-SHA384), curve (P-384), and sigalg
(SSL_SIGN_ECDSA_SECP384R1_SHA384) to allow 192-bit level Suite B with
ECDSA to be used.
This commit takes care of the sigalg configuration using the relatively
recent SSL_CTX_set_verify_algorithm_prefs() addition from April 2017.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
BoringSSL removed the special OpenSSL cipher suite value "SUITEB192", so
need to map that to the explicit ciphersuite
(ECDHE-ECDSA-AES256-GCM-SHA384), curve (P-384), and sigalg
(SSL_SIGN_ECDSA_SECP384R1_SHA384) to allow 192-bit level Suite B with
ECDSA to be used.
This commit takes care of the ciphersuite and curve configuration.
sigalg change is in a separate commit since it requires a newer
BoringSSL API function that may not be available in all builds.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
In practice, this does the same thing (i.e., allows only the P-384 curve
to be used), but using an older API function that happens to be
available in some BoringSSL builds while the newer one is not.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
TLS v1.3 needs to be explicitly disabled to allow cipher suite selection
for EAP-FAST to work with OpenSSL builds that include TLS v1.3 support.
Without this, OpenSSL refuses to generate ClientHello due to the cipher
suite list including only ciphers allowed with older versions than TLS
v1.3.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
GnuTLS-based builds can now be done using either libnettle or libgcrypt
for crypto functionality:
CONFIG_TLS=gnutls
CONFIG_CRYPTO=nettle
CONFIG_TLS=gnutls
CONFIG_CRYPTO=gnutls
Signed-off-by: Jouni Malinen <j@w1.fi>
This allows OpenSSL-style configuration of Suite B parameters to be used
in the wpa_supplicant network profile. 128-bit and 192-bit level
requirements for ECDHE-ECDSA cases are supported. RSA >=3K case is
enforced using GnuTLS %PROFILE_HIGH special priority string keyword.
Signed-off-by: Jouni Malinen <j@w1.fi>
This extends GnuTLS support for tls_disable_v1_{0,1,2}=1 flags in the
phase1 network profile parameter in wpa_supplicant.
Signed-off-by: Jouni Malinen <j@w1.fi>
Indicate more clearly when the parsing succeeds to avoid ending the
debug prints with various internal GnuTLS internal error messages even
when the parsing actually succeeded in the end.
Signed-off-by: Jouni Malinen <j@w1.fi>
Replace the internal HMAC MD5, SHA-1, and SHA256 implementations with
the ones from libgcrypt and also add the SHA384 and SHA512 versions.
Signed-off-by: Jouni Malinen <j@w1.fi>
Replace the internal SHA256 implementation with the one from libgcrypt
and also add the SHA384 and SHA512 versions.
Signed-off-by: Jouni Malinen <j@w1.fi>
Use a shared helper function instead of implementing practically same
sequence separately for each hash function.
Signed-off-by: Jouni Malinen <j@w1.fi>
The patch offers alternate implementations of some functions using the
abstract cryptographic API.
This work was done in preparation for the changes to allow hostap to be
compiled with the wolfSSL cryptography and TLS library.
Signed-off-by: Sean Parkinson <sean@wolfssl.com>
This implements crypto_dh_init() and crypto_dh_derive_secret() using
os_get_random() and crypto_mod_exp() for all crypto_*.c wrappers that
include crypto_mod_exp() implementation.
Signed-off-by: Jouni Malinen <j@w1.fi>
The BoringSSL version of crypto_ecdh_init() and dpp_gen_keypair() works
fine with OpenSSL as well, so use that same implementation for both to
avoid unnecessary maintanence of multiple versions.
Signed-off-by: Jouni Malinen <j@w1.fi>
There is no need to go through EC_GROUP_new_by_curve_name(),
EC_KEY_new(), and EC_KEY_set_group() when a single call to
EC_KEY_new_by_curve_name() takes care of all that.
Signed-off-by: Jouni Malinen <j@w1.fi>
This allows wpa_supplicant configuration with phase1="tls_suiteb=1" to
use openssl_ciphers="ECDHE-RSA-AES256-GCM-SHA384" to further limit the
possible TLS cipher suites when using Suite B with RSA >3K keys. This
combination disables use of DHE and as such, mandates ECDHE to be used.
Signed-off-by: Jouni Malinen <j@w1.fi>
These functions are a bit awkward to use for one-off file loads, as
suggested by the tls_clear_default_passwd_cb() logic. There was also
some historical mess with OpenSSL versions and either not having per-SSL
settings, having per-SSL settings but ignoring them, and requiring the
per-SSL settings.
Instead, loading the key with the lower-level functions seems a bit
tidier and also allows abstracting away trying both formats, one after
another.
Signed-off-by: David Benjamin <davidben@google.com>
There's no need to make an extra copy of private_key_passwd for
SSL_{CTX_,}set_default_passwd_cb().
Signed-off-by: David Benjamin <davidben@google.com>
