TLS: Add build configuration for TLS v1.2 support

This allows the internal TLS implementation to be built for TLS v1.2
support. In addition to the build option, this changes the TLS PRF
based on the negotiated version number. Though, this commit does not
yet complete support for TLS v1.2.

Signed-hostap: Jouni Malinen <j@w1.fi>

diff --git a/hostapd/Makefile b/hostapd/Makefile
index 2dfb7d611a3fa456d1cea02bbf6dc604c69e1aa8..22c09c1a2565e0abf6cfc68ab65f0b083ee96084 100644 (file)
--- a/hostapd/Makefile
+++ b/hostapd/Makefile
@@ -440,6 +440,11 @@ ifdef CONFIG_TLSV11
 CFLAGS += -DCONFIG_TLSV11
 endif
 
+ifdef CONFIG_TLSV12
+CFLAGS += -DCONFIG_TLSV12
+NEED_SHA256=y
+endif
+
 ifeq ($(CONFIG_TLS), openssl)
 ifdef TLS_FUNCS
 OBJS += ../src/crypto/tls_openssl.o
@@ -519,6 +524,9 @@ OBJS += ../src/tls/pkcs8.o
 NEED_SHA256=y
 NEED_BASE64=y
 NEED_TLS_PRF=y
+ifdef CONFIG_TLSV12
+NEED_TLS_PRF_SHA256=y
+endif
 NEED_MODEXP=y
 NEED_CIPHER=y
 CFLAGS += -DCONFIG_TLS_INTERNAL

diff --git a/hostapd/defconfig b/hostapd/defconfig
index 36f286f0c51719da58449a95968d12cec3fbd059..bae5ba2f80304fb941ff558929f155f0e8b2a976 100644 (file)
--- a/hostapd/defconfig
+++ b/hostapd/defconfig
@@ -221,6 +221,10 @@ CONFIG_IPV6=y
 # are used.
 #CONFIG_TLSV11=y
 
+# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
+# can be enabled to enable use of stronger crypto algorithms.
+#CONFIG_TLSV12=y
+
 # If CONFIG_TLS=internal is used, additional library and include paths are
 # needed for LibTomMath. Alternatively, an integrated, minimal version of
 # LibTomMath can be used. See beginning of libtommath.c for details on benefits

diff --git a/src/tls/tlsv1_common.c b/src/tls/tlsv1_common.c
index a9ffc10312a17a209d4f6504c439e403a0eb899c..19c50c2f0ca3815c201caa994b6efc50c73f8a6f 100644 (file)
--- a/src/tls/tlsv1_common.c
+++ b/src/tls/tlsv1_common.c
@@ -16,6 +16,7 @@
 
 #include "common.h"
 #include "crypto/sha1.h"
+#include "crypto/sha256.h"
 #include "x509v3.h"
 #include "tlsv1_common.h"
 
@@ -250,6 +251,10 @@ int tls_version_ok(u16 ver)
        if (ver == TLS_VERSION_1_1)
                return 1;
 #endif /* CONFIG_TLSV11 */
+#ifdef CONFIG_TLSV12
+       if (ver == TLS_VERSION_1_2)
+               return 1;
+#endif /* CONFIG_TLSV12 */
 
        return 0;
 }
@@ -262,6 +267,8 @@ const char * tls_version_str(u16 ver)
                return "1.0";
        case TLS_VERSION_1_1:
                return "1.1";
+       case TLS_VERSION_1_2:
+               return "1.2";
        }
 
        return "?";
@@ -271,6 +278,14 @@ const char * tls_version_str(u16 ver)
 int tls_prf(u16 ver, const u8 *secret, size_t secret_len, const char *label,
            const u8 *seed, size_t seed_len, u8 *out, size_t outlen)
 {
+#ifdef CONFIG_TLSV12
+       if (ver >= TLS_VERSION_1_2) {
+               tls_prf_sha256(secret, secret_len, label, seed, seed_len,
+                              out, outlen);
+               return 0;
+       }
+#endif /* CONFIG_TLSV12 */
+
        return tls_prf_sha1_md5(secret, secret_len, label, seed, seed_len, out,
                                outlen);
 }

diff --git a/src/tls/tlsv1_common.h b/src/tls/tlsv1_common.h
index 855a407888992dab7824220946625b969b018000..91a03806b4cd915d1b71e89a959339f4bde1f33e 100644 (file)
--- a/src/tls/tlsv1_common.h
+++ b/src/tls/tlsv1_common.h
@@ -19,11 +19,16 @@
 
 #define TLS_VERSION_1 0x0301 /* TLSv1 */
 #define TLS_VERSION_1_1 0x0302 /* TLSv1.1 */
+#define TLS_VERSION_1_2 0x0303 /* TLSv1.2 */
+#ifdef CONFIG_TLSV12
+#define TLS_VERSION TLS_VERSION_1_2
+#else /* CONFIG_TLSV12 */
 #ifdef CONFIG_TLSV11
 #define TLS_VERSION TLS_VERSION_1_1
 #else /* CONFIG_TLSV11 */
 #define TLS_VERSION TLS_VERSION_1
 #endif /* CONFIG_TLSV11 */
+#endif /* CONFIG_TLSV12 */
 #define TLS_RANDOM_LEN 32
 #define TLS_PRE_MASTER_SECRET_LEN 48
 #define TLS_MASTER_SECRET_LEN 48

diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
index dad156cae5f5ad6392dbc2c2e726f45c420ec68d..0bc96c7a3e6ad31f14f25970369e28e0f2c7da1e 100644 (file)
--- a/wpa_supplicant/Makefile
+++ b/wpa_supplicant/Makefile
@@ -827,6 +827,11 @@ ifdef CONFIG_TLSV11
 CFLAGS += -DCONFIG_TLSV11
 endif
 
+ifdef CONFIG_TLSV12
+CFLAGS += -DCONFIG_TLSV12
+NEED_SHA256=y
+endif
+
 ifeq ($(CONFIG_TLS), openssl)
 ifdef TLS_FUNCS
 CFLAGS += -DEAP_TLS_OPENSSL
@@ -911,6 +916,9 @@ OBJS += ../src/tls/pkcs8.o
 NEED_SHA256=y
 NEED_BASE64=y
 NEED_TLS_PRF=y
+ifdef CONFIG_TLSV12
+NEED_TLS_PRF_SHA256=y
+endif
 NEED_MODEXP=y
 NEED_CIPHER=y
 CFLAGS += -DCONFIG_TLS_INTERNAL_CLIENT

diff --git a/wpa_supplicant/defconfig b/wpa_supplicant/defconfig
index 03a422371b94236764f0a9ab3e8c415ba55db65c..cff25d6c83679b3e444cf684e727d67740b95cda 100644 (file)
--- a/wpa_supplicant/defconfig
+++ b/wpa_supplicant/defconfig
@@ -332,6 +332,13 @@ CONFIG_PEERKEY=y
 # sent prior to negotiating which version will be used)
 #CONFIG_TLSV11=y
 
+# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
+# can be enabled to enable use of stronger crypto algorithms. It should be
+# noted that some existing TLS v1.0 -based implementation may not be compatible
+# with TLS v1.2 message (ClientHello is sent prior to negotiating which version
+# will be used)
+#CONFIG_TLSV12=y
+
 # If CONFIG_TLS=internal is used, additional library and include paths are
 # needed for LibTomMath. Alternatively, an integrated, minimal version of
 # LibTomMath can be used. See beginning of libtommath.c for details on benefits