path: root/src/crypto
Commit message | Author | Age | Files | Lines
* Use keystore ENGINE for private key operations | Kenny Root | 2012-08-02 | 1 | -0/+9
  The new keystore ENGINE is usable to perform private key operations when we can't get the actual private key data. This is the case when hardware crypto is enabled: the private key never leaves the hardware. Subsequently, we need to be able to talk to OpenSSL ENGINEs that aren't PKCS#11 or OpenSC. This just changes a few #define variables to allow us to talk to our keystore engine without having one of those enabled and without using a PIN.
* OpenSSL: Add support for HMAC functions with 0.9.8 and older | Jouni Malinen | 2012-07-07 | 1 | -0/+9
  Commit d9cc4646eb0255be31f11d8a8edad857431fdf49 added crypto_hash_{init,update,finish}() wrappers for OpenSSL, but it assumed the current HMAC API in OpenSSL. This was changed in 0.9.9 to return error codes from the functions while older versions used void functions. Add support for the older versions, too.

  Signed-hostap: Jouni Malinen <j@w1.fi>
* OpenSSL: Add support for crypto_hash_{init,update,finish}() | Jouni Malinen | 2012-07-02 | 1 | -0/+82
  This adds initial support for HMAC operations using the crypto_hash_{init,update,finish}() wrappers.

  Signed-hostap: Jouni Malinen <j@w1.fi>
* Add dh5_init_fixed() to allow fixed DH parameters to be used | Jouni Malinen | 2012-06-27 | 3 | -3/+45
  This allows pre-configured private and public key to be used when initializing DH for group 5.

  Signed-hostap: Jouni Malinen <j@w1.fi>
* wpa_supplicant: Report EAP connection progress to DBus | Paul Stewart | 2012-06-04 | 2 | -1/+22
  Send an "EAP" signal via the new DBus interface under various conditions during EAP authentication:
  - During method selection (ACK and NAK)
  - During certificate verification
  - While sending and receiving TLS alert messages
  - EAP success and failure messages

  This provides DBus callers a number of new tools:
  - The ability to probe an AP for available EAP methods (given an identity).
  - The ability to identify why the remote certificate was not verified.
  - The ability to identify why the remote peer refused a TLS connection.

  Signed-hostap: Paul Stewart <pstew@chromium.org>
* Make random_add_randomness() debug print less verbose | Jouni Malinen | 2012-04-08 | 1 | -2/+2
  Mark the debug print excessive and print it only in case the entropy collection is used since this function can get called pretty frequently.

  Signed-hostap: Jouni Malinen <j@w1.fi>
* Remove the GPL notification from files contributed by Jouni Malinen | Jouni Malinen | 2012-02-11 | 67 | -536/+134
  Remove the GPL notification text from the files that were initially contributed by myself.

  Signed-hostap: Jouni Malinen <j@w1.fi>
* Rename tls_prf() to tls_prf_sha1_md5() | Jouni Malinen | 2011-11-27 | 3 | -7/+7
  Prepare for multiple TLS PRF functions by renaming the SHA1+MD5 based TLS PRF function to more specific name and add tls_prf() within the internal TLS implementation as a wrapper for this for now.

  Signed-hostap: Jouni Malinen <j@w1.fi>
* Add implementation of TLS v1.2 PRF (P_SHA256) | Jouni Malinen | 2011-11-27 | 3 | -1/+77
  Signed-hostap: Jouni Malinen <j@w1.fi>
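Both PRFs named in the two commits above (the SHA1+MD5 PRF of TLS 1.0/1.1 that was renamed tls_prf_sha1_md5(), and the TLS 1.2 P_SHA256 PRF), as an added example in Python using only the standard library. This is not hostap's code: the function names echo the commits, but the implementation follows the RFC 2246 / RFC 5246 definitions directly, and the inputs in demo() are constructed for illustration rather than taken from a published test vector.

```python
import hmac


def p_hash(hash_name: str, secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash (RFC 2246 section 5 / RFC 5246 section 5):
    A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ...
    """
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def tls_prf_sha1_md5(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0/1.1 PRF: the secret is split into two halves (overlapping by one
    byte when the length is odd), P_MD5 runs over the first half, P_SHA1 over
    the second, and the two streams are XORed."""
    half = (len(secret) + 1) // 2
    s1 = secret[:half]
    s2 = secret[len(secret) - half:]
    md5_stream = p_hash("md5", s1, label + seed, length)
    sha1_stream = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_stream, sha1_stream))


def tls12_prf_sha256(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: a single P_SHA256 over the whole secret. Cipher suites may
    name a different hash, but SHA-256 is the default and what the commit adds."""
    return p_hash("sha256", secret, label + seed, length)


def demo() -> tuple:
    """Constructed inputs (not a published test vector): derive a 48-byte
    master secret with both PRFs and return the hex strings."""
    pre_master = bytes(range(16))
    randoms = bytes(range(16, 32))      # stands in for client_random + server_random
    label = b"master secret"
    return (tls_prf_sha1_md5(pre_master, label, randoms, 48).hex(),
            tls12_prf_sha256(pre_master, label, randoms, 48).hex())
```

Because the label is part of the seed, the same pre-master secret yields unrelated "master secret" and "key expansion" outputs; and because P_hash is a prefix-stable stream, asking for 32 bytes returns the first 32 bytes of the 100-byte output, which is what lets a single routine serve both master-secret and key-block derivation.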
* Add SHA256-hash functions to generic crypto_hash_* functions | Jouni Malinen | 2011-11-27 | 5 | -20/+115
  Signed-hostap: Jouni Malinen <j@w1.fi>
* OpenSSL: Read certificate chain from server_cert file | Maciej Szmigiero | 2011-11-19 | 1 | -0/+1
  Currently OpenSSL implementation of TLS in hostapd loads only top certificate in server certificate file. Change this to try to load the whole chain first and only if that fails, revert to old behavior.

  Signed-off-by: Maciej Szmigiero <mhej@o2.pl>
* Use NULL instead of 0 for pointers | Jouni Malinen | 2011-11-18 | 1 | -1/+1
  Signed-hostap: Jouni Malinen <j@w1.fi>
* Mark local functions static | Jouni Malinen | 2011-11-18 | 2 | -2/+2
  These functions are not used outside the file in which they are defined.

  Signed-hostap: Jouni Malinen <j@w1.fi>
* Make crypto_hash_init() easier for static analyzers | Jouni Malinen | 2011-11-13 | 1 | -1/+2
  Avoid zero-length memset at the end of the buffer. This is not really needed, but it makes the code a bit easier for static analyzers.

  Signed-hostap: Jouni Malinen <j@w1.fi>
* Make crypto_hash_init() easier for static analyzers | Jouni Malinen | 2011-11-13 | 1 | -1/+2
  Avoid zero-length memset at the end of the buffer. This is not really needed, but it makes the code a bit easier for static analyzers.

  Signed-hostap: Jouni Malinen <j@w1.fi>
* Make fips186_2_prf() easier for static analyzers | Jouni Malinen | 2011-11-13 | 1 | -2/+3
  Explicitly validate seed_len to skip memset call with zero length of copied data at the end of the buffer. This is not really needed, but it makes the code a bit easier for static analyzers.

  Signed-hostap: Jouni Malinen <j@w1.fi>
* Remove unnecessary include file inclusion | Jouni Malinen | 2011-11-13 | 3 | -4/+0
  Signed-hostap: Jouni Malinen <j@w1.fi>
* Use shared SHA-256 define for the block size | Jouni Malinen | 2011-11-13 | 1 | -11/+12
  Signed-hostap: Jouni Malinen <j@w1.fi>
* Make sha256_process() easier for static analyzers | Jouni Malinen | 2011-11-13 | 1 | -1/+1
  md->curlen cannot indicate full buffer size here since the buffered data is processed whenever the full block size of data is available. Avoid invalid warnings from static analyzers on memcpy() outside the buffer length by verifying that curlen is smaller than block size.

  Signed-hostap: Jouni Malinen <j@w1.fi>
* TLS: Add preliminary support for partial message processing | Jouni Malinen | 2011-11-13 | 2 | -16/+38
  Reassemble partial TLS records to make the internal TLS client implementation more convenient for stream sockets.

  Signed-hostap: Jouni Malinen <j@w1.fi>
* Add random.c into libcrypto.a | Jouni Malinen | 2011-11-05 | 1 | -0/+1
  Signed-hostap: Jouni Malinen <j@w1.fi>
* random: Improve error messages about writing to entropy file | Pavel Roskin | 2011-10-30 | 1 | -4/+4
* For MS-CHAP, convert the password from UTF-8 to UCS-2 | Evan Broder | 2011-10-29 | 1 | -26/+80
  The MS-CHAPv1 and MS-CHAPv2 RFCs specify that the password is a string of "Unicode characters", which for Windows means UCS-2; thus the password could be any even-length string of up to 512 bytes.

  Instead of making the incompatible change of requiring the incoming password to be UCS-2 encoded, assume the password is UTF-8 encoded and convert it before using it in NtPasswordHash and EncryptPwBlockWithPasswordHash.

  Signed-off-by: Evan Broder <ebroder@mokafive.com>
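The conversion the commit above describes, as an added Python example that is not hostap code: a UTF-8 password is converted to UCS-2 (little-endian, the form Windows hashes) with the 512-octet limit enforced, and NtPasswordHash is then MD4 over that buffer. MD4 is implemented inline because hashlib lacks it on many OpenSSL 3 builds; the function names and the refusal of characters outside the BMP (which UCS-2 cannot represent, while UTF-16 would silently emit surrogate pairs) are this example's own choices.

```python
import struct

_MASK = 0xFFFFFFFF
MAX_UCS2_OCTETS = 512  # RFC 2759: 0 to 256 Unicode (UCS-2) characters


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(message: bytes) -> bytes:
    """MD4 per RFC 1320. MD4 is cryptographically broken; it is implemented here
    only because NtPasswordHash requires it and hashlib often cannot supply it."""
    f1 = lambda x, y, z: (x & y) | (~x & z)
    f2 = lambda x, y, z: (x & y) | (x & z) | (y & z)
    f3 = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f1, tuple(range(16)), (3, 7, 11, 19), 0x00000000),
        (f2, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (f3, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    bit_len = len(message) * 8
    # Pad: 0x80, zeros to 56 mod 64, then the 64-bit little-endian bit length.
    message += b"\x80" + b"\x00" * ((56 - (len(message) + 1) % 64) % 64) + struct.pack("<Q", bit_len)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(message), 64):
        x = struct.unpack("<16I", message[off:off + 64])
        a, b, c, d = h
        for func, order, shifts, const in rounds:
            for i, k in enumerate(order):
                a = _lrot((a + func(b, c, d) + x[k] + const) & _MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c   # rotate registers: next step updates the old d
        h = [(v + w) & _MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def utf8_password_to_ucs2(password_utf8: bytes) -> bytes:
    """UTF-8 -> UCS-2LE as the commit describes. Invalid UTF-8 raises instead of
    hashing garbage; non-BMP characters are refused (this example's choice)."""
    text = password_utf8.decode("utf-8")
    if any(ord(ch) > 0xFFFF for ch in text):
        raise ValueError("password contains characters outside the BMP; not representable in UCS-2")
    ucs2 = text.encode("utf-16-le")
    if len(ucs2) > MAX_UCS2_OCTETS:
        raise ValueError("MS-CHAP password is limited to 256 UCS-2 characters (512 octets)")
    return ucs2


def nt_password_hash(password_utf8: bytes) -> bytes:
    """NtPasswordHash (RFC 2759): MD4 over the UCS-2LE encoded password."""
    return md4(utf8_password_to_ucs2(password_utf8))
```

The RFC 2759 worked example uses the password "clientPass"; nt_password_hash(b"clientPass") reproduces its PasswordHash value, which is a convenient check that both the encoding and the MD4 core are right. The md4() function can be checked against the RFC 1320 appendix vectors in the same way.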
* Remove EAP-TTLSv1 and TLS/IA | Jouni Malinen | 2011-09-25 | 7 | -482/+2
  These protocols seem to be abandoned: latest IETF drafts have expired years ago and it does not seem likely that EAP-TTLSv1 would be deployed. The implementation in hostapd/wpa_supplicant was not complete and not fully tested. In addition, the TLS/IA functionality was only available when GnuTLS was used. Since GnuTLS removed this functionality in 3.0.0, there is no available TLS/IA implementation in the latest version of any supported TLS library.

  Remove the EAP-TTLSv1 and TLS/IA implementation to clean up unwanted complexity from hostapd and wpa_supplicant. In addition, this removes any potential use of the GnuTLS extra library.
* GnuTLS: Fix build with various GnuTLS versions | Jouni Malinen | 2011-09-25 | 1 | -15/+36
  This fixes some build issues in GnuTLS wrapper to be compatible with at least following GnuTLS versions: 2.2.5, 2.4.3, 2.6.6, 2.8.6, 2.10.5, 2.12.11, 3.0.3.
* Fix typos found by codespell | Pavel Roskin | 2011-09-22 | 1 | -1/+1
  Signed-off-by: Pavel Roskin <proski@gnu.org>
* eapol_test: Add option for writing server certificate chain to a file | Jouni Malinen | 2011-09-17 | 2 | -1/+4
  eapol_test command line argument -o<file> can now be used to request the received server certificate chain to be written to the specified file. The certificates will be written in PEM format. [Bug 391]
* random: Check fwrite return value to avoid warnings | Jouni Malinen | 2011-08-06 | 1 | -2/+9
  Some compilers complain about fwrite calls if the return value is not checked, so check the value even if it does not really make much of a difference in this particular case.
* Check random_get_bytes() result before writing entropy file | Jouni Malinen | 2011-07-15 | 1 | -1/+2
* MD5: Fix clearing of temporary stack memory to use correct length | Jouni Malinen | 2011-07-15 | 1 | -1/+1
  sizeof of the structure instead of the pointer was supposed to be used here. Fix this to clear the full structure at the end of MD5Final().
* TLS: Add support for tls_disable_time_checks=1 in client mode | Jouni Malinen | 2011-07-05 | 2 | -2/+16
  This phase1 parameter for TLS-based EAP methods was already supported with GnuTLS and this commit extends that support for OpenSSL and the internal TLS implementation.
* random: Add support for maintaining internal entropy store over restarts | Jouni Malinen | 2011-05-31 | 2 | -5/+90
  This can be used to avoid rejection of first two 4-way handshakes every time hostapd (or wpa_supplicant in AP/IBSS mode) is restarted. A new command line parameter, -e, can now be used to specify an entropy file that will be used to maintain the needed state.
* OpenSSL: Use consistent SSL_get_app_data validation in tls_verify_cb | Jouni Malinen | 2011-04-14 | 1 | -2/+4
  The returned value cannot really be NULL, but better keep this function consistent on whether the returned value is checked or not.
* Fix #ifdef check for older openssl versions | Adam Kent | 2011-04-11 | 1 | -1/+1
  Small compile fix for older versions of openssl that do not have SHA256 support and hence do not define OPENSSL_NO_SHA256.
* random: Read /dev/random in the background with eloop read socket | Jouni Malinen | 2011-03-22 | 2 | -2/+81
  This makes it more likely to be able to fetch the 20 octet seed from /dev/random in cases where other programs may also be competing for this.
* OpenSSL: Add access to Android certificates | Dmitry Shmidt | 2011-02-26 | 1 | -0/+86
  This allows keystore:// prefix to be used with client_cert and private_key configuration parameters.

  Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
* Remove unneeded OpenSSL error messages from key/cert parsing | Jouni Malinen | 2011-02-22 | 1 | -27/+6
  If parsing of the certificate or private key succeeds using any of the tried encoding types, clear the OpenSSL error queue without showing the pending errors in debug log since they do not really provide any useful output and can be confusing.
* Removed unused variable from non-Linux builds | Jouni Malinen | 2010-12-14 | 1 | -0/+2
* random: Fix a compiler warning about unused variable | Jouni Malinen | 2010-11-25 | 1 | -0/+2
  In CONFIG_NO_STDOUT_DEBUG=y case, the error variable was not used.
* hostapd: Verify availability of random data when using WPA/WPA2 | Jouni Malinen | 2010-11-24 | 2 | -1/+87
  On Linux, verify that the kernel entropy pool is capable of providing strong random data before allowing WPA/WPA2 connection to be established. If 20 bytes of data cannot be read from /dev/random, force first two 4-way handshakes to fail while collecting entropy into the internal pool in hostapd. After that, give up on /dev/random and allow the AP to function based on the combination of /dev/urandom and whatever data has been collected into the internal entropy pool.
* Maintain internal entropy pool for augmenting random number generation | Jouni Malinen | 2010-11-24 | 2 | -0/+182
  By default, make hostapd and wpa_supplicant maintain an internal entropy pool that is fed with following information:

  hostapd:
  - Probe Request frames (timing, RSSI)
  - Association events (timing)
  - SNonce from Supplicants

  wpa_supplicant:
  - Scan results (timing, signal/noise)
  - Association events (timing)

  The internal pool is used to augment the random numbers generated with the OS mechanism (os_get_random()). While the internal implementation is not expected to be very strong due to limited amount of generic (non-platform specific) information to feed the pool, this may strengthen key derivation on some devices that are not configured to provide strong random numbers through os_get_random() (e.g., /dev/urandom on Linux/BSD).

  This new mechanism is not supposed to replace proper OS provided random number generation mechanism. The OS mechanism needs to be initialized properly (e.g., hw random number generator, maintaining entropy pool over reboots, etc.) for any of the security assumptions to hold.

  If the os_get_random() is known to provide strong random data (e.g., on Linux/BSD, the board in question is known to have reliable source of random data from /dev/urandom), the internal hostapd random pool can be disabled. This will save some in binary size and CPU use. However, this should only be considered for builds that are known to be used on devices that meet the requirements described above. The internal pool is disabled by adding CONFIG_NO_RANDOM_POOL=y to the .config file.
* Annotate places depending on strong random numbers | Jouni Malinen | 2010-11-24 | 2 | -1/+23
  This commit adds a new wrapper, random_get_bytes(), that is currently defined to use os_get_random() as is. The places using random_get_bytes() depend on the returned value being strong random number, i.e., something that is infeasible for external device to figure out. These values are used either directly as a key or as nonces/challenges that are used as input for key derivation or authentication.

  The remaining direct uses of os_get_random() do not need as strong random numbers to function correctly.
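A simplified model of the design the two random commits above describe (an internal pool fed with events such as frame timings and peer nonces, and a random_get_bytes()-style call that combines OS randomness with pool output), as an added illustration in Python. It is not hostap's random.c: the SHA-256 based mixing and extraction, the class and method names, the constructed event strings and the injectable os_random parameter are this example's own choices. The property worth noticing is that the pool output is only ever XORed with the OS bytes, so a weak or attacker-influenced pool cannot make the result worse than the OS source alone; it can only help when the OS source is weak.

```python
import hashlib
import os
import struct


class EntropyPool:
    """Toy entropy pool: events are hashed into a 32-byte state; extraction derives
    output from the state and then steps the state forward so the same output
    cannot be re-derived later from a captured state."""

    def __init__(self) -> None:
        self._state = bytes(32)
        self._events = 0

    def add_randomness(self, data: bytes) -> None:
        """random_add_randomness()-style call: mix an event into the pool.
        The event counter keeps identical events from collapsing into one."""
        self._state = hashlib.sha256(
            b"mix" + self._state + struct.pack(">Q", self._events) + data
        ).digest()
        self._events += 1

    def _extract(self, n: int) -> bytes:
        out = b""
        counter = 0
        while len(out) < n:
            out += hashlib.sha256(b"out" + self._state + struct.pack(">I", counter)).digest()
            counter += 1
        self._state = hashlib.sha256(b"step" + self._state).digest()   # forward step
        return out[:n]

    def get_bytes(self, n: int, os_random=os.urandom) -> bytes:
        """random_get_bytes()-style call: OS randomness XOR pool output.
        os_random is a parameter only so the mixing can be tested deterministically;
        real code should always use the OS source."""
        os_part = os_random(n)
        pool_part = self._extract(n)
        return bytes(a ^ b for a, b in zip(os_part, pool_part))


def demo_pool() -> bytes:
    """Feed constructed events (not real frame timings) and draw a 32-byte nonce."""
    pool = EntropyPool()
    for event in (b"probe-req rssi=-42 t=1001", b"assoc t=1007", b"snonce " + bytes(32)):
        pool.add_randomness(event)
    return pool.get_bytes(32)
```

Passing os_random=lambda n: bytes(n) exposes the bare pool output, which is how one can check that two pools fed the same events agree and that consecutive extractions differ; with the real os.urandom the output is unpredictable whatever the pool contains.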
* OpenSSL: Fix public key length in DH group 5 operations | Jouni Malinen | 2010-06-26 | 1 | -1/+1
  The length of the prime was used incorrectly and this resulted in WPS DH operation failing whenever the public key ended up having leading zeros (i.e., about every 1/256th time).
* Remove unnecessary SUBDIRS loops from src/*/Makefile | Jouni Malinen | 2010-04-17 | 1 | -1/+0
  There are no subdirectories in any of these directories or plans for adding ones. As such, there is no point in running the loop that does not do anything and can cause problems with some shells.
* Fix internal DH implementation not to pad shared key | Jouni Malinen | 2010-04-12 | 1 | -1/+2
  The returned buffer length was hardcoded to be the prime length which resulted in shorter results being padded in the end. However, the results from DH code are supposed to be unpadded (and when used with WPS, the padding is done in WPS code and it is added to the beginning of the buffer). This fixes WPS key derivation errors in about 1/256 of runs ("WPS: Incorrect Authenticator") when using the internal crypto code.
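The encoding rule behind the two DH fixes above (the OpenSSL public key length fix of 2010-06-26 and the internal shared-key padding fix of 2010-04-12), as an added Python example that is not hostap code. A minimal big-endian encoding (what BN_bn2bin() produces) drops leading zero octets, so about 1 in 256 values come out one octet short of the prime length; a caller that wants a fixed-length buffer must pad in front, which preserves the integer value, whereas padding at the end silently changes it and breaks the WPS key derivation. The toy 127-bit group, the function names and the 1/128 rate quoted for the toy group are this example's own; WPS uses the 1536-bit group 5, where the rate is the 1/256 the commits mention.

```python
import secrets

# Toy group: p = 2**127 - 1 is a Mersenne prime, g = 3. Far too small for real
# use; it only keeps the example fast and offline. The encoding logic is the same
# for RFC 3526 group 5 (1536 bits, 192 octets).
TOY_P = 2 ** 127 - 1
TOY_G = 3
PRIME_LEN = (TOY_P.bit_length() + 7) // 8   # 16 octets here


def int_to_unpadded(value: int) -> bytes:
    """Minimal big-endian encoding, as BN_bn2bin() writes it: no leading zero octets."""
    return value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")


def pad_front(octets: bytes, length: int) -> bytes:
    """Fixed-length encoding with zero octets in FRONT: same integer, prime-length
    buffer. This is what WPS does to the public key it sends and to the shared
    key it hashes."""
    if len(octets) > length:
        raise ValueError("value does not fit in the target length")
    return octets.rjust(length, b"\x00")


def pad_end_buggy(octets: bytes, length: int) -> bytes:
    """The behaviour the 2010-04-12 commit removed: a prime-length buffer padded at
    the END. The integer value changes, so both sides hash different secrets."""
    return octets.ljust(length, b"\x00")


def dh_keypair(p: int = TOY_P, g: int = TOY_G) -> tuple:
    priv = 1 + secrets.randbelow(p - 2)          # 1 <= priv <= p - 2
    return priv, pow(g, priv, p)


def dh_shared_unpadded(priv: int, peer_pub: int, p: int = TOY_P) -> bytes:
    """Shared key as the internal DH code returns it after the fix: unpadded.
    Public values 0, 1 and p-1 are rejected (trivial subgroup)."""
    if not 1 < peer_pub < p - 1:
        raise ValueError("peer public value out of range")
    return int_to_unpadded(pow(peer_pub, priv, p))


def short_output_rate(trials: int = 4000) -> float:
    """Fraction of exchanges whose unpadded shared key is shorter than PRIME_LEN.
    The toy prime has only 7 significant bits in its top octet, so expect ~1/128;
    a full-octet prime such as group 5 gives ~1/256."""
    short = 0
    for _ in range(trials):
        a_priv, a_pub = dh_keypair()
        b_priv, b_pub = dh_keypair()
        if len(dh_shared_unpadded(a_priv, b_pub)) < PRIME_LEN:
            short += 1
    return short / trials
```

The practical rule the two commits converge on: let the DH layer return the unpadded value and let the protocol layer (WPS here) decide the fixed width, always by prepending zeros; a wrapper that assumes every output is exactly the prime length will be wrong roughly once per 256 handshakes.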
* Use unsigned bitfield for 1-bit values | Jouni Malinen | 2010-04-11 | 1 | -3/+3
* Add TLS client events, server probing, and srv cert matching | Jouni Malinen | 2010-02-13 | 2 | -23/+302
  This allows external programs (e.g., UI) to get more information about server certificate chain used during TLS handshake. This can be used both to automatically probe the authentication server to figure out most likely network configuration and to get information about reasons for failed authentications.

  The following new control interface events are used for this:
  CTRL-EVENT-EAP-PEER-CERT
  CTRL-EVENT-EAP-TLS-CERT-ERROR

  In addition, there is now an option for matching the server certificate instead of the full certificate chain for cases where a trusted CA is not configured or even known. This can be used, e.g., by first probing the network and learning the server certificate hash based on the new events and then adding a network configuration with the server certificate hash after the user has accepted it. Future connections will then be allowed as long as the same server certificate is used.

  Authentication server probing can be done, e.g., with following configuration options:
  eap=TTLS PEAP TLS
  identity=""
  ca_cert="probe://"

  Example set of control events for this:
  CTRL-EVENT-EAP-STARTED EAP authentication started
  CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
  CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
  CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=US/ST=California/L=San Francisco/CN=Server/emailAddress=server@kir.nu' hash=5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a
  CTRL-EVENT-EAP-TLS-CERT-ERROR reason=8 depth=0 subject='/C=US/ST=California/L=San Francisco/CN=Server/emailAddress=server@kir.nu' err='Server certificate chain probe'
  CTRL-EVENT-EAP-FAILURE EAP authentication failed

  Server certificate matching is configured with ca_cert, e.g.:
  ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a"

  This functionality is currently available only with OpenSSL. Other TLS libraries (including internal implementation) may be added in the future.
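The probe-then-pin flow the commit above describes, as an added Python example that is not wpa_supplicant code: the certificate seen at depth=0 during a probe is turned into a ca_cert value of the hash://server/sha256/ form, and a later connection is accepted only if the presented depth=0 certificate hashes to the pinned value. The function names and the constructed stand-in bytes used in place of a real DER certificate are this example's own. Two caveats worth keeping in mind: the pin covers only the leaf certificate, so a server certificate renewal means re-probing and updating the pin; and a malformed pin must be rejected outright rather than degrade into "no CA configured".

```python
import hashlib
import hmac

HASH_PREFIX = "hash://server/sha256/"
PROBE_VALUE = "probe://"


def probe_result_to_ca_cert(server_cert_der: bytes) -> str:
    """Build the ca_cert value to store after the user accepts a probed server.
    The hash is SHA-256 over the DER certificate, which is also what the hash=
    field of CTRL-EVENT-EAP-PEER-CERT carries."""
    return HASH_PREFIX + hashlib.sha256(server_cert_der).hexdigest()


def parse_server_hash(ca_cert_value: str) -> bytes:
    """Extract the pinned digest, refusing anything that is not a well-formed pin."""
    if not ca_cert_value.startswith(HASH_PREFIX):
        raise ValueError("ca_cert is not a hash://server/sha256/ pin")
    hexdigest = ca_cert_value[len(HASH_PREFIX):]
    if len(hexdigest) != 64:
        raise ValueError("SHA-256 pin must be exactly 64 hex digits")
    try:
        digest = bytes.fromhex(hexdigest)
    except ValueError as exc:
        raise ValueError("pin contains non-hex characters") from exc
    if len(digest) != 32:          # bytes.fromhex tolerates whitespace; we do not
        raise ValueError("SHA-256 pin must decode to 32 bytes")
    return digest


def server_cert_matches(ca_cert_value: str, chain_der: list) -> bool:
    """Accept iff the depth=0 certificate matches the pin. The rest of the chain
    is deliberately ignored (no trusted CA is assumed). compare_digest is used
    out of habit; the hash itself is not secret."""
    pinned = parse_server_hash(ca_cert_value)
    if not chain_der:
        return False
    actual = hashlib.sha256(chain_der[0]).digest()
    return hmac.compare_digest(actual, pinned)


def is_probe(ca_cert_value: str) -> bool:
    """A probe configuration always ends in CTRL-EVENT-EAP-TLS-CERT-ERROR with
    err='Server certificate chain probe'; it never authenticates."""
    return ca_cert_value == PROBE_VALUE
```

In the flow from the commit, is_probe() corresponds to the first configuration (ca_cert="probe://"), probe_result_to_ca_cert() to what the UI stores once the user accepts the reported hash, and server_cert_matches() to the check later connections must pass.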
* OpenSSL: Fix tls_init(NULL) with FIPS-enabled build | Jouni Malinen | 2010-02-12 | 1 | -2/+2
  The conf argument to tls_init() may be NULL (as it is when using hostapd), so we must check that here before dereferencing the pointer.
* Fix PKCS#12 use with OpenSSL 1.0.0 | Jouni Malinen | 2010-01-09 | 1 | -0/+9
  Add 40-bit RC2 CBC explicitly since OpenSSL 1.0.0 does not seem to do that anymore with PKCS12_PBE_add(). Furthermore, at least 1.0.0-beta4 crashes if the needed cipher is not registered when parsing the PKCS#12 data (this crashing part should be fixed in newer 1.0.0 versions).

  Following bug reports are related to the issue:
  https://bugzilla.redhat.com/show_bug.cgi?id=541924
  https://bugzilla.redhat.com/show_bug.cgi?id=538851
  http://rt.openssl.org/Ticket/Display.html?id=2127
  http://rt.openssl.org/Ticket/Display.html?id=2128
* Include header file to verify prototypes | Jouni Malinen | 2009-12-28 | 1 | -0/+1