From d785ed924e33f3f129cd9c62aac44edcf4b53cf1 Mon Sep 17 00:00:00 2001 From: shixuantong Date: Wed, 26 Jan 2022 17:24:07 +0800 Subject: [PATCH] fix CVE-2022-23303 CVE-2022-23304 --- ...t-0001-CVE-2022-23303-CVE-2022-23304.patch | 318 ++ ...t-0002-CVE-2022-23303-CVE-2022-23304.patch | 72 + ...t-0003-CVE-2022-23303-CVE-2022-23304.patch | 100 + ...t-0004-CVE-2022-23303-CVE-2022-23304.patch | 109 + ...rt-for-wolfSSL-cryptographic-library.patch | 4084 +++++++++++++++++ ...-and-EAP-pwd-functionality-suitable-.patch | 219 + wpa_supplicant.spec | 14 +- 7 files changed, 4915 insertions(+), 1 deletion(-) create mode 100644 backport-0001-CVE-2022-23303-CVE-2022-23304.patch create mode 100644 backport-0002-CVE-2022-23303-CVE-2022-23304.patch create mode 100644 backport-0003-CVE-2022-23303-CVE-2022-23304.patch create mode 100644 backport-0004-CVE-2022-23303-CVE-2022-23304.patch create mode 100644 backport-Add-support-for-wolfSSL-cryptographic-library.patch create mode 100644 backport-Share-common-SAE-and-EAP-pwd-functionality-suitable-.patch diff --git a/backport-0001-CVE-2022-23303-CVE-2022-23304.patch b/backport-0001-CVE-2022-23303-CVE-2022-23304.patch new file mode 100644 index 0000000..4dd3b0d --- /dev/null +++ b/backport-0001-CVE-2022-23303-CVE-2022-23304.patch @@ -0,0 +1,318 @@ +From 208e5687ff2e48622e28d8888ce5444a54353bbd Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Tue, 27 Aug 2019 16:33:15 +0300 +Subject: [PATCH 1/4] crypto: Add more bignum/EC helper functions + +These are needed for implementing SAE hash-to-element. + +Signed-off-by: Jouni Malinen +--- + src/crypto/crypto.h | 45 ++++++++++++++++++++++ + src/crypto/crypto_openssl.c | 94 +++++++++++++++++++++++++++++++++++++++++++++ + src/crypto/crypto_wolfssl.c | 66 +++++++++++++++++++++++++++++++ + 3 files changed, 205 insertions(+) + +diff --git a/src/crypto/crypto.h b/src/crypto/crypto.h +index bdc3ba6..0bc9df4 100644 +--- a/src/crypto/crypto.h ++++ b/src/crypto/crypto.h +@@ -508,6 +508,13 @@ struct crypto_bignum * crypto_bignum_init(void); + struct crypto_bignum * crypto_bignum_init_set(const u8 *buf, size_t len); + + /** ++ * crypto_bignum_init_set - Allocate memory for bignum and set the value (uint) ++ * @val: Value to set ++ * Returns: Pointer to allocated bignum or %NULL on failure ++ */ ++struct crypto_bignum * crypto_bignum_init_uint(unsigned int val); ++ ++/** + * crypto_bignum_deinit - Free bignum + * @n: Bignum from crypto_bignum_init() or crypto_bignum_init_set() + * @clear: Whether to clear the value from memory +@@ -594,6 +601,19 @@ int crypto_bignum_div(const struct crypto_bignum *a, + struct crypto_bignum *c); + + /** ++ * crypto_bignum_addmod - d = a + b (mod c) ++ * @a: Bignum ++ * @b: Bignum ++ * @c: Bignum ++ * @d: Bignum; used to store the result of (a + b) % c ++ * Returns: 0 on success, -1 on failure ++ */ ++int crypto_bignum_addmod(const struct crypto_bignum *a, ++ const struct crypto_bignum *b, ++ const struct crypto_bignum *c, ++ struct crypto_bignum *d); ++ ++/** + * crypto_bignum_mulmod - d = a * b (mod c) + * @a: Bignum + * @b: Bignum +@@ -607,6 +627,28 @@ int crypto_bignum_mulmod(const struct crypto_bignum *a, + struct crypto_bignum *d); + + /** ++ * crypto_bignum_sqrmod - c = a^2 (mod b) ++ * @a: Bignum ++ * @b: Bignum ++ * @c: Bignum; used to store the result of a^2 % b ++ * Returns: 0 on success, -1 on failure ++ */ ++int crypto_bignum_sqrmod(const struct crypto_bignum *a, ++ const struct crypto_bignum *b, ++ struct crypto_bignum *c); ++ ++/** ++ * crypto_bignum_sqrtmod - returns sqrt(a) (mod b) ++ * @a: Bignum ++ * @b: Bignum ++ * @c: Bignum; used to store the result ++ * Returns: 0 on success, -1 on failure ++ */ ++int crypto_bignum_sqrtmod(const struct crypto_bignum *a, ++ const struct crypto_bignum *b, ++ struct crypto_bignum *c); ++ ++/** + * crypto_bignum_cmp - Compare two bignums + * @a: Bignum + * @b: Bignum +@@ -695,6 +737,9 @@ const struct crypto_bignum * crypto_ec_get_prime(struct crypto_ec *e); + */ + const struct crypto_bignum * crypto_ec_get_order(struct crypto_ec *e); + ++const struct crypto_bignum * crypto_ec_get_a(struct crypto_ec *e); ++const struct crypto_bignum * crypto_ec_get_b(struct crypto_ec *e); ++ + /** + * struct crypto_ec_point - Elliptic curve point + * +diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c +index 00b61b9..80867b6 100644 +--- a/src/crypto/crypto_openssl.c ++++ b/src/crypto/crypto_openssl.c +@@ -1117,6 +1117,24 @@ struct crypto_bignum * crypto_bignum_init_set(const u8 *buf, size_t len) + } + + ++struct crypto_bignum * crypto_bignum_init_uint(unsigned int val) ++{ ++ BIGNUM *bn; ++ ++ if (TEST_FAIL()) ++ return NULL; ++ ++ bn = BN_new(); ++ if (!bn) ++ return NULL; ++ if (BN_set_word(bn, val) != 1) { ++ BN_free(bn); ++ return NULL; ++ } ++ return (struct crypto_bignum *) bn; ++} ++ ++ + void crypto_bignum_deinit(struct crypto_bignum *n, int clear) + { + if (clear) +@@ -1278,6 +1296,28 @@ int crypto_bignum_div(const struct crypto_bignum *a, + } + + ++int crypto_bignum_addmod(const struct crypto_bignum *a, ++ const struct crypto_bignum *b, ++ const struct crypto_bignum *c, ++ struct crypto_bignum *d) ++{ ++ int res; ++ BN_CTX *bnctx; ++ ++ if (TEST_FAIL()) ++ return -1; ++ ++ bnctx = BN_CTX_new(); ++ if (!bnctx) ++ return -1; ++ res = BN_mod_add((BIGNUM *) d, (const BIGNUM *) a, (const BIGNUM *) b, ++ (const BIGNUM *) c, bnctx); ++ BN_CTX_free(bnctx); ++ ++ return res ? 0 : -1; ++} ++ ++ + int crypto_bignum_mulmod(const struct crypto_bignum *a, + const struct crypto_bignum *b, + const struct crypto_bignum *c, +@@ -1301,6 +1341,48 @@ int crypto_bignum_mulmod(const struct crypto_bignum *a, + } + + ++int crypto_bignum_sqrmod(const struct crypto_bignum *a, ++ const struct crypto_bignum *b, ++ struct crypto_bignum *c) ++{ ++ int res; ++ BN_CTX *bnctx; ++ ++ if (TEST_FAIL()) ++ return -1; ++ ++ bnctx = BN_CTX_new(); ++ if (!bnctx) ++ return -1; ++ res = BN_mod_sqr((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b, ++ bnctx); ++ BN_CTX_free(bnctx); ++ ++ return res ? 0 : -1; ++} ++ ++ ++int crypto_bignum_sqrtmod(const struct crypto_bignum *a, ++ const struct crypto_bignum *b, ++ struct crypto_bignum *c) ++{ ++ BN_CTX *bnctx; ++ BIGNUM *res; ++ ++ if (TEST_FAIL()) ++ return -1; ++ ++ bnctx = BN_CTX_new(); ++ if (!bnctx) ++ return -1; ++ res = BN_mod_sqrt((BIGNUM *) c, (const BIGNUM *) a, (const BIGNUM *) b, ++ bnctx); ++ BN_CTX_free(bnctx); ++ ++ return res ? 0 : -1; ++} ++ ++ + int crypto_bignum_cmp(const struct crypto_bignum *a, + const struct crypto_bignum *b) + { +@@ -1494,6 +1576,18 @@ const struct crypto_bignum * crypto_ec_get_order(struct crypto_ec *e) + } + + ++const struct crypto_bignum * crypto_ec_get_a(struct crypto_ec *e) ++{ ++ return (const struct crypto_bignum *) e->a; ++} ++ ++ ++const struct crypto_bignum * crypto_ec_get_b(struct crypto_ec *e) ++{ ++ return (const struct crypto_bignum *) e->b; ++} ++ ++ + void crypto_ec_point_deinit(struct crypto_ec_point *p, int clear) + { + if (clear) +diff --git a/src/crypto/crypto_wolfssl.c b/src/crypto/crypto_wolfssl.c +index 90163c4..683c553 100644 +--- a/src/crypto/crypto_wolfssl.c ++++ b/src/crypto/crypto_wolfssl.c +@@ -1043,6 +1043,26 @@ struct crypto_bignum * crypto_bignum_init_set(const u8 *buf, size_t len) + } + + ++struct crypto_bignum * crypto_bignum_init_uint(unsigned int val) ++{ ++ mp_int *a; ++ ++ if (TEST_FAIL()) ++ return NULL; ++ ++ a = (mp_int *) crypto_bignum_init(); ++ if (!a) ++ return NULL; ++ ++ if (mp_set_int(a, val) != MP_OKAY) { ++ os_free(a); ++ a = NULL; ++ } ++ ++ return (struct crypto_bignum *) a; ++} ++ ++ + void crypto_bignum_deinit(struct crypto_bignum *n, int clear) + { + if (!n) +@@ -1167,6 +1187,19 @@ int crypto_bignum_div(const struct crypto_bignum *a, + } + + ++int crypto_bignum_addmod(const struct crypto_bignum *a, ++ const struct crypto_bignum *b, ++ const struct crypto_bignum *c, ++ struct crypto_bignum *d) ++{ ++ if (TEST_FAIL()) ++ return -1; ++ ++ return mp_addmod((mp_int *) a, (mp_int *) b, (mp_int *) c, ++ (mp_int *) d) == MP_OKAY ? 0 : -1; ++} ++ ++ + int crypto_bignum_mulmod(const struct crypto_bignum *a, + const struct crypto_bignum *b, + const struct crypto_bignum *m, +@@ -1180,6 +1213,27 @@ int crypto_bignum_mulmod(const struct crypto_bignum *a, + } + + ++int crypto_bignum_sqrmod(const struct crypto_bignum *a, ++ const struct crypto_bignum *b, ++ struct crypto_bignum *c) ++{ ++ if (TEST_FAIL()) ++ return -1; ++ ++ return mp_sqrmod((mp_int *) a, (mp_int *) b, ++ (mp_int *) c) == MP_OKAY ? 0 : -1; ++} ++ ++ ++int crypto_bignum_sqrtmod(const struct crypto_bignum *a, ++ const struct crypto_bignum *b, ++ struct crypto_bignum *c) ++{ ++ /* TODO */ ++ return -1; ++} ++ ++ + int crypto_bignum_rshift(const struct crypto_bignum *a, int n, + struct crypto_bignum *r) + { +@@ -1401,6 +1455,18 @@ const struct crypto_bignum * crypto_ec_get_order(struct crypto_ec *e) + } + + ++const struct crypto_bignum * crypto_ec_get_a(struct crypto_ec *e) ++{ ++ return (const struct crypto_bignum *) &e->a; ++} ++ ++ ++const struct crypto_bignum * crypto_ec_get_b(struct crypto_ec *e) ++{ ++ return (const struct crypto_bignum *) &e->b; ++} ++ ++ + void crypto_ec_point_deinit(struct crypto_ec_point *p, int clear) + { + ecc_point *point = (ecc_point *) p; +-- +1.8.3.1 + diff --git a/backport-0002-CVE-2022-23303-CVE-2022-23304.patch b/backport-0002-CVE-2022-23303-CVE-2022-23304.patch new file mode 100644 index 0000000..c3a1e3d --- /dev/null +++ b/backport-0002-CVE-2022-23303-CVE-2022-23304.patch @@ -0,0 +1,72 @@ +From 2232d3d5f188b65dbb6c823ac62175412739eb16 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Fri, 7 Jan 2022 13:47:16 +0200 +Subject: [PATCH 2/4] dragonfly: Add sqrt() helper function + +This is a backport of "SAE: Move sqrt() implementation into a helper +function" to introduce the helper function needed for the following +patches. + +Signed-off-by: Jouni Malinen +--- + src/common/dragonfly.c | 34 ++++++++++++++++++++++++++++++++++ + src/common/dragonfly.h | 3 +++ + 2 files changed, 37 insertions(+) + +diff --git a/src/common/dragonfly.c b/src/common/dragonfly.c +index 1e80404..7dcc6de 100644 +--- a/src/common/dragonfly.c ++++ b/src/common/dragonfly.c +@@ -25,3 +25,37 @@ int dragonfly_suitable_group(int group, int ecc_only) + (!ecc_only && + (group == 15 || group == 16 || group == 17 || group == 18)); + } ++ ++ ++/* res = sqrt(val) */ ++int dragonfly_sqrt(struct crypto_ec *ec, const struct crypto_bignum *val, ++ struct crypto_bignum *res) ++{ ++ const struct crypto_bignum *prime; ++ struct crypto_bignum *tmp, *one; ++ int ret = 0; ++ u8 prime_bin[DRAGONFLY_MAX_ECC_PRIME_LEN]; ++ size_t prime_len; ++ ++ /* For prime p such that p = 3 mod 4, sqrt(w) = w^((p+1)/4) mod p */ ++ ++ prime = crypto_ec_get_prime(ec); ++ prime_len = crypto_ec_prime_len(ec); ++ tmp = crypto_bignum_init(); ++ one = crypto_bignum_init_uint(1); ++ ++ if (crypto_bignum_to_bin(prime, prime_bin, sizeof(prime_bin), ++ prime_len) < 0 || ++ (prime_bin[prime_len - 1] & 0x03) != 3 || ++ !tmp || !one || ++ /* tmp = (p+1)/4 */ ++ crypto_bignum_add(prime, one, tmp) < 0 || ++ crypto_bignum_rshift(tmp, 2, tmp) < 0 || ++ /* res = sqrt(val) */ ++ crypto_bignum_exptmod(val, tmp, prime, res) < 0) ++ ret = -1; ++ ++ crypto_bignum_deinit(tmp, 0); ++ crypto_bignum_deinit(one, 0); ++ return ret; ++} +diff --git a/src/common/dragonfly.h b/src/common/dragonfly.h +index 9f3c428..f0f49d0 100644 +--- a/src/common/dragonfly.h ++++ b/src/common/dragonfly.h +@@ -12,4 +12,7 @@ + + int dragonfly_suitable_group(int group, int ecc_only); + ++int dragonfly_sqrt(struct crypto_ec *ec, const struct crypto_bignum *val, ++ struct crypto_bignum *res); ++ + #endif /* DRAGONFLY_H */ +-- +1.8.3.1 + diff --git a/backport-0003-CVE-2022-23303-CVE-2022-23304.patch b/backport-0003-CVE-2022-23303-CVE-2022-23304.patch new file mode 100644 index 0000000..4f703cc --- /dev/null +++ b/backport-0003-CVE-2022-23303-CVE-2022-23304.patch @@ -0,0 +1,100 @@ +From fe534b0baaa8c0e6ddeb24cf529d6e50e33dc501 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Fri, 7 Jan 2022 13:47:16 +0200 +Subject: [PATCH 3/4] SAE: Derive the y coordinate for PWE with own + implementation + +The crypto_ec_point_solve_y_coord() wrapper function might not use +constant time operations in the crypto library and as such, could leak +side channel information about the password that is used to generate the +PWE in the hunting and pecking loop. As such, calculate the two possible +y coordinate values and pick the correct one to use with constant time +selection. + +Signed-off-by: Jouni Malinen +--- + src/common/sae.c | 47 +++++++++++++++++++++++++++++++++-------------- + 1 file changed, 33 insertions(+), 14 deletions(-) + +diff --git a/src/common/sae.c b/src/common/sae.c +index b35821d..c168bf1 100644 +--- a/src/common/sae.c ++++ b/src/common/sae.c +@@ -459,15 +459,17 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1, + int pwd_seed_odd = 0; + u8 prime[SAE_MAX_ECC_PRIME_LEN]; + size_t prime_len; +- struct crypto_bignum *x = NULL, *qr = NULL, *qnr = NULL; ++ struct crypto_bignum *x = NULL, *y = NULL, *qr = NULL, *qnr = NULL; + u8 x_bin[SAE_MAX_ECC_PRIME_LEN]; + u8 x_cand_bin[SAE_MAX_ECC_PRIME_LEN]; + u8 qr_bin[SAE_MAX_ECC_PRIME_LEN]; + u8 qnr_bin[SAE_MAX_ECC_PRIME_LEN]; ++ u8 x_y[2 * SAE_MAX_ECC_PRIME_LEN]; + size_t bits; + int res = -1; + u8 found = 0; /* 0 (false) or 0xff (true) to be used as const_time_* + * mask */ ++ unsigned int is_eq; + + os_memset(x_bin, 0, sizeof(x_bin)); + +@@ -567,25 +569,42 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1, + goto fail; + } + +- if (!sae->tmp->pwe_ecc) +- sae->tmp->pwe_ecc = crypto_ec_point_init(sae->tmp->ec); +- if (!sae->tmp->pwe_ecc) +- res = -1; +- else +- res = crypto_ec_point_solve_y_coord(sae->tmp->ec, +- sae->tmp->pwe_ecc, x, +- pwd_seed_odd); +- if (res < 0) { +- /* +- * This should not happen since we already checked that there +- * is a result. +- */ ++ /* y = sqrt(x^3 + ax + b) mod p ++ * if LSB(save) == LSB(y): PWE = (x, y) ++ * else: PWE = (x, p - y) ++ * ++ * Calculate y and the two possible values for PWE and after that, ++ * use constant time selection to copy the correct alternative. ++ */ ++ y = crypto_ec_point_compute_y_sqr(sae->tmp->ec, x); ++ if (!y || ++ dragonfly_sqrt(sae->tmp->ec, y, y) < 0 || ++ crypto_bignum_to_bin(y, x_y, SAE_MAX_ECC_PRIME_LEN, ++ prime_len) < 0 || ++ crypto_bignum_sub(sae->tmp->prime, y, y) < 0 || ++ crypto_bignum_to_bin(y, x_y + SAE_MAX_ECC_PRIME_LEN, ++ SAE_MAX_ECC_PRIME_LEN, prime_len) < 0) { + wpa_printf(MSG_DEBUG, "SAE: Could not solve y"); ++ goto fail; ++ } ++ ++ is_eq = const_time_eq(pwd_seed_odd, x_y[prime_len - 1] & 0x01); ++ const_time_select_bin(is_eq, x_y, x_y + SAE_MAX_ECC_PRIME_LEN, ++ prime_len, x_y + prime_len); ++ os_memcpy(x_y, x_bin, prime_len); ++ wpa_hexdump_key(MSG_DEBUG, "SAE: PWE", x_y, 2 * prime_len); ++ crypto_ec_point_deinit(sae->tmp->pwe_ecc, 1); ++ sae->tmp->pwe_ecc = crypto_ec_point_from_bin(sae->tmp->ec, x_y); ++ if (!sae->tmp->pwe_ecc) { ++ wpa_printf(MSG_DEBUG, "SAE: Could not generate PWE"); ++ res = -1; + } + + fail: ++ forced_memzero(x_y, sizeof(x_y)); + crypto_bignum_deinit(qr, 0); + crypto_bignum_deinit(qnr, 0); ++ crypto_bignum_deinit(y, 1); + os_free(dummy_password); + bin_clear_free(tmp_password, password_len); + crypto_bignum_deinit(x, 1); +-- +1.8.3.1 + diff --git a/backport-0004-CVE-2022-23303-CVE-2022-23304.patch b/backport-0004-CVE-2022-23303-CVE-2022-23304.patch new file mode 100644 index 0000000..f5fdd29 --- /dev/null +++ b/backport-0004-CVE-2022-23303-CVE-2022-23304.patch @@ -0,0 +1,109 @@ +From 603cd880e7f90595482658a7136fa6a7be5cb485 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Fri, 7 Jan 2022 18:52:27 +0200 +Subject: [PATCH 4/4] EAP-pwd: Derive the y coordinate for PWE with own + implementation + +The crypto_ec_point_solve_y_coord() wrapper function might not use +constant time operations in the crypto library and as such, could leak +side channel information about the password that is used to generate the +PWE in the hunting and pecking loop. As such, calculate the two possible +y coordinate values and pick the correct one to use with constant time +selection. + +Signed-off-by: Jouni Malinen +--- + src/eap_common/eap_pwd_common.c | 42 +++++++++++++++++++++++++++++++++++------ + 1 file changed, 36 insertions(+), 6 deletions(-) + +diff --git a/src/eap_common/eap_pwd_common.c b/src/eap_common/eap_pwd_common.c +index 755aafb..ab8eb92 100644 +--- a/src/eap_common/eap_pwd_common.c ++++ b/src/eap_common/eap_pwd_common.c +@@ -137,7 +137,8 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, + u8 qr_or_qnr_bin[MAX_ECC_PRIME_LEN]; + u8 x_bin[MAX_ECC_PRIME_LEN]; + u8 prime_bin[MAX_ECC_PRIME_LEN]; +- struct crypto_bignum *tmp1 = NULL, *tmp2 = NULL, *pm1 = NULL; ++ u8 x_y[2 * MAX_ECC_PRIME_LEN]; ++ struct crypto_bignum *tmp1 = NULL, *tmp2 = NULL, *pm1 = NULL, *y = NULL; + struct crypto_hash *hash; + unsigned char pwe_digest[SHA256_MAC_LEN], *prfbuf = NULL, ctr; + int ret = 0, check, res; +@@ -149,6 +150,7 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, + u8 mask, found_ctr = 0, is_odd = 0; + int cmp_prime; + unsigned int in_range; ++ unsigned int is_eq; + + if (grp->pwe) + return -1; +@@ -161,7 +163,6 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, + if (crypto_bignum_to_bin(prime, prime_bin, sizeof(prime_bin), + primebytelen) < 0) + return -1; +- grp->pwe = crypto_ec_point_init(grp->group); + tmp1 = crypto_bignum_init(); + pm1 = crypto_bignum_init(); + one = crypto_bignum_init_set((const u8 *) "\x01", 1); +@@ -323,10 +324,37 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, + */ + crypto_bignum_deinit(x_candidate, 1); + x_candidate = crypto_bignum_init_set(x_bin, primebytelen); +- if (!x_candidate || +- crypto_ec_point_solve_y_coord(grp->group, grp->pwe, x_candidate, +- is_odd) != 0) { +- wpa_printf(MSG_INFO, "EAP-pwd: Could not solve for y"); ++ if (!x_candidate) ++ goto fail; ++ ++ /* y = sqrt(x^3 + ax + b) mod p ++ * if LSB(y) == LSB(pwd-seed): PWE = (x, y) ++ * else: PWE = (x, p - y) ++ * ++ * Calculate y and the two possible values for PWE and after that, ++ * use constant time selection to copy the correct alternative. ++ */ ++ y = crypto_ec_point_compute_y_sqr(grp->group, x_candidate); ++ if (!y || ++ dragonfly_sqrt(grp->group, y, y) < 0 || ++ crypto_bignum_to_bin(y, x_y, MAX_ECC_PRIME_LEN, primebytelen) < 0 || ++ crypto_bignum_sub(prime, y, y) < 0 || ++ crypto_bignum_to_bin(y, x_y + MAX_ECC_PRIME_LEN, ++ MAX_ECC_PRIME_LEN, primebytelen) < 0) { ++ wpa_printf(MSG_DEBUG, "SAE: Could not solve y"); ++ goto fail; ++ } ++ ++ /* Constant time selection of the y coordinate from the two ++ * options */ ++ is_eq = const_time_eq(is_odd, x_y[primebytelen - 1] & 0x01); ++ const_time_select_bin(is_eq, x_y, x_y + MAX_ECC_PRIME_LEN, ++ primebytelen, x_y + primebytelen); ++ os_memcpy(x_y, x_bin, primebytelen); ++ wpa_hexdump_key(MSG_DEBUG, "EAP-pwd: PWE", x_y, 2 * primebytelen); ++ grp->pwe = crypto_ec_point_from_bin(grp->group, x_y); ++ if (!grp->pwe) { ++ wpa_printf(MSG_DEBUG, "EAP-pwd: Could not generate PWE"); + goto fail; + } + +@@ -353,6 +381,7 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, + crypto_bignum_deinit(pm1, 0); + crypto_bignum_deinit(tmp1, 1); + crypto_bignum_deinit(tmp2, 1); ++ crypto_bignum_deinit(y, 1); + crypto_bignum_deinit(qr, 1); + crypto_bignum_deinit(qnr, 1); + crypto_bignum_deinit(qr_or_qnr, 1); +@@ -362,6 +391,7 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, + os_memset(qnr_bin, 0, sizeof(qnr_bin)); + os_memset(qr_or_qnr_bin, 0, sizeof(qr_or_qnr_bin)); + os_memset(pwe_digest, 0, sizeof(pwe_digest)); ++ forced_memzero(x_y, sizeof(x_y)); + + return ret; + } +-- +1.8.3.1 + diff --git a/backport-Add-support-for-wolfSSL-cryptographic-library.patch b/backport-Add-support-for-wolfSSL-cryptographic-library.patch new file mode 100644 index 0000000..f1a5b34 --- /dev/null +++ b/backport-Add-support-for-wolfSSL-cryptographic-library.patch @@ -0,0 +1,4084 @@ +From fec03f98383ede92646fca4da63ed416f8dab4de Mon Sep 17 00:00:00 2001 +From: Sean Parkinson +Date: Thu, 18 Jan 2018 12:26:39 +1000 +Subject: Add support for wolfSSL cryptographic library + +Allow hostapd/wpa_supplicant to be compiled with the wolfSSL +cryptography and TLS library. + +Signed-off-by: Sean Parkinson +--- + src/crypto/crypto_wolfssl.c | 1670 ++++++++++++++++++++++++++++++++ + src/crypto/fips_prf_wolfssl.c | 86 ++ + src/crypto/tls_wolfssl.c | 2150 +++++++++++++++++++++++++++++++++++++++++ + wpa_supplicant/Makefile | 36 + + 4 files changed, 3942 insertions(+) + create mode 100644 src/crypto/crypto_wolfssl.c + create mode 100644 src/crypto/fips_prf_wolfssl.c + create mode 100644 src/crypto/tls_wolfssl.c + +diff --git a/src/crypto/crypto_wolfssl.c b/src/crypto/crypto_wolfssl.c +new file mode 100644 +index 0000000..90163c4 +--- /dev/null ++++ b/src/crypto/crypto_wolfssl.c +@@ -0,0 +1,1670 @@ ++/* ++ * Wrapper functions for libwolfssl ++ * Copyright (c) 2004-2017, Jouni Malinen ++ * ++ * This software may be distributed under the terms of the BSD license. ++ * See README for more details. ++ */ ++ ++#include "includes.h" ++ ++#include "common.h" ++#include "crypto.h" ++ ++#define WOLFSSL_AES_DIRECT ++#define HAVE_AESGCM ++#define HAVE_AES_KEYWRAP ++#define WOLFSSL_SHA384 ++#define WOLFSSL_SHA512 ++#define WOLFSSL_CMAC ++#define HAVE_ECC ++#define USE_FAST_MATH ++#define WOLFSSL_KEY_GEN ++ ++#include ++/* wolfSSL headers */ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++ ++#ifndef CONFIG_FIPS ++ ++int md4_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac) ++{ ++ Md4 md4; ++ size_t i; ++ ++ if (TEST_FAIL()) ++ return -1; ++ ++ wc_InitMd4(&md4); ++ ++ for (i = 0; i < num_elem; i++) ++ wc_Md4Update(&md4, addr[i], len[i]); ++ ++ wc_Md4Final(&md4, mac); ++ ++ return 0; ++} ++ ++ ++int md5_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac) ++{ ++ Md5 md5; ++ size_t i; ++ ++ if (TEST_FAIL()) ++ return -1; ++ ++ wc_InitMd5(&md5); ++ ++ for (i = 0; i < num_elem; i++) ++ wc_Md5Update(&md5, addr[i], len[i]); ++ ++ wc_Md5Final(&md5, mac); ++ ++ return 0; ++} ++ ++#endif /* CONFIG_FIPS */ ++ ++ ++int sha1_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac) ++{ ++ Sha sha; ++ size_t i; ++ ++ if (TEST_FAIL()) ++ return -1; ++ ++ wc_InitSha(&sha); ++ ++ for (i = 0; i < num_elem; i++) ++ wc_ShaUpdate(&sha, addr[i], len[i]); ++ ++ wc_ShaFinal(&sha, mac); ++ ++ return 0; ++} ++ ++ ++#ifndef NO_SHA256_WRAPPER ++int sha256_vector(size_t num_elem, const u8 *addr[], const size_t *len, ++ u8 *mac) ++{ ++ Sha256 sha256; ++ size_t i; ++ ++ if (TEST_FAIL()) ++ return -1; ++ ++ wc_InitSha256(&sha256); ++ ++ for (i = 0; i < num_elem; i++) ++ wc_Sha256Update(&sha256, addr[i], len[i]); ++ ++ wc_Sha256Final(&sha256, mac); ++ ++ return 0; ++} ++#endif /* NO_SHA256_WRAPPER */ ++ ++ ++#ifdef CONFIG_SHA384 ++int sha384_vector(size_t num_elem, const u8 *addr[], const size_t *len, ++ u8 *mac) ++{ ++ Sha384 sha384; ++ size_t i; ++ ++ if (TEST_FAIL()) ++ return -1; ++ ++ wc_InitSha384(&sha384); ++ ++ for (i = 0; i < num_elem; i++) ++ wc_Sha384Update(&sha384, addr[i], len[i]); ++ ++ wc_Sha384Final(&sha384, mac); ++ ++ return 0; ++} ++#endif /* CONFIG_SHA384 */ ++ ++ ++#ifdef CONFIG_SHA512 ++int sha512_vector(size_t num_elem, const u8 *addr[], const size_t *len, ++ u8 *mac) ++{ ++ Sha512 sha512; ++ size_t i; ++ ++ if (TEST_FAIL()) ++ return -1; ++ ++ wc_InitSha512(&sha512); ++ ++ for (i = 0; i < num_elem; i++) ++ wc_Sha512Update(&sha512, addr[i], len[i]); ++ ++ wc_Sha512Final(&sha512, mac); ++ ++ return 0; ++} ++#endif /* CONFIG_SHA512 */ ++ ++ ++static int wolfssl_hmac_vector(int type, const u8 *key, ++ size_t key_len, size_t num_elem, ++ const u8 *addr[], const size_t *len, u8 *mac, ++ unsigned int mdlen) ++{ ++ Hmac hmac; ++ size_t i; ++ ++ (void) mdlen; ++ ++ if (TEST_FAIL()) ++ return -1; ++ ++ if (wc_HmacSetKey(&hmac, type, key, (word32) key_len) != 0) ++ return -1; ++ for (i = 0; i < num_elem; i++) ++ if (wc_HmacUpdate(&hmac, addr[i], len[i]) != 0) ++ return -1; ++ if (wc_HmacFinal(&hmac, mac) != 0) ++ return -1; ++ return 0; ++} ++ ++ ++#ifndef CONFIG_FIPS ++ ++int hmac_md5_vector(const u8 *key, size_t key_len, size_t num_elem, ++ const u8 *addr[], const size_t *len, u8 *mac) ++{ ++ return wolfssl_hmac_vector(MD5, key, key_len, num_elem, addr, len, mac, ++ 16); ++} ++ ++ ++int hmac_md5(const u8 *key, size_t key_len, const u8 *data, size_t data_len, ++ u8 *mac) ++{ ++ return hmac_md5_vector(key, key_len, 1, &data, &data_len, mac); ++} ++ ++#endif /* CONFIG_FIPS */ ++ ++ ++int hmac_sha1_vector(const u8 *key, size_t key_len, size_t num_elem, ++ const u8 *addr[], const size_t *len, u8 *mac) ++{ ++ return wolfssl_hmac_vector(SHA, key, key_len, num_elem, addr, len, mac, ++ 20); ++} ++ ++ ++int hmac_sha1(const u8 *key, size_t key_len, const u8 *data, size_t data_len, ++ u8 *mac) ++{ ++ return hmac_sha1_vector(key, key_len, 1, &data, &data_len, mac); ++} ++ ++ ++#ifdef CONFIG_SHA256 ++ ++int hmac_sha256_vector(const u8 *key, size_t key_len, size_t num_elem, ++ const u8 *addr[], const size_t *len, u8 *mac) ++{ ++ return wolfssl_hmac_vector(SHA256, key, key_len, num_elem, addr, len, ++ mac, 32); ++} ++ ++ ++int hmac_sha256(const u8 *key, size_t key_len, const u8 *data, ++ size_t data_len, u8 *mac) ++{ ++ return hmac_sha256_vector(key, key_len, 1, &data, &data_len, mac); ++} ++ ++#endif /* CONFIG_SHA256 */ ++ ++ ++#ifdef CONFIG_SHA384 ++ ++int hmac_sha384_vector(const u8 *key, size_t key_len, size_t num_elem, ++ const u8 *addr[], const size_t *len, u8 *mac) ++{ ++ return wolfssl_hmac_vector(SHA384, key, key_len, num_elem, addr, len, ++ mac, 48); ++} ++ ++ ++int hmac_sha384(const u8 *key, size_t key_len, const u8 *data, ++ size_t data_len, u8 *mac) ++{ ++ return hmac_sha384_vector(key, key_len, 1, &data, &data_len, mac); ++} ++ ++#endif /* CONFIG_SHA384 */ ++ ++ ++#ifdef CONFIG_SHA512 ++ ++int hmac_sha512_vector(const u8 *key, size_t key_len, size_t num_elem, ++ const u8 *addr[], const size_t *len, u8 *mac) ++{ ++ return wolfssl_hmac_vector(SHA512, key, key_len, num_elem, addr, len, ++ mac, 64); ++} ++ ++ ++int hmac_sha512(const u8 *key, size_t key_len, const u8 *data, ++ size_t data_len, u8 *mac) ++{ ++ return hmac_sha512_vector(key, key_len, 1, &data, &data_len, mac); ++} ++ ++#endif /* CONFIG_SHA512 */ ++ ++ ++int pbkdf2_sha1(const char *passphrase, const u8 *ssid, size_t ssid_len, ++ int iterations, u8 *buf, size_t buflen) ++{ ++ if (wc_PBKDF2(buf, (const byte*)passphrase, os_strlen(passphrase), ssid, ++ ssid_len, iterations, buflen, SHA) != 0) ++ return -1; ++ return 0; ++} ++ ++ ++#ifdef CONFIG_DES ++int des_encrypt(const u8 *clear, const u8 *key, u8 *cypher) ++{ ++ Des des; ++ u8 pkey[8], next, tmp; ++ int i; ++ ++ /* Add parity bits to the key */ ++ next = 0; ++ for (i = 0; i < 7; i++) { ++ tmp = key[i]; ++ pkey[i] = (tmp >> i) | next | 1; ++ next = tmp << (7 - i); ++ } ++ pkey[i] = next | 1; ++ ++ wc_Des_SetKey(&des, pkey, NULL, DES_ENCRYPTION); ++ wc_Des_EcbEncrypt(&des, cypher, clear, DES_BLOCK_SIZE); ++ ++ return 0; ++} ++#endif /* CONFIG_DES */ ++ ++ ++void * aes_encrypt_init(const u8 *key, size_t len) ++{ ++ Aes *aes; ++ ++ if (TEST_FAIL()) ++ return NULL; ++ ++ aes = os_malloc(sizeof(Aes)); ++ if (!aes) ++ return NULL; ++ ++ if (wc_AesSetKey(aes, key, len, NULL, AES_ENCRYPTION) < 0) { ++ os_free(aes); ++ return NULL; ++ } ++ ++ return aes; ++} ++ ++ ++int aes_encrypt(void *ctx, const u8 *plain, u8 *crypt) ++{ ++ wc_AesEncryptDirect(ctx, crypt, plain); ++ return 0; ++} ++ ++ ++void aes_encrypt_deinit(void *ctx) ++{ ++ os_free(ctx); ++} ++ ++ ++void * aes_decrypt_init(const u8 *key, size_t len) ++{ ++ Aes *aes; ++ ++ if (TEST_FAIL()) ++ return NULL; ++ ++ aes = os_malloc(sizeof(Aes)); ++ if (!aes) ++ return NULL; ++ ++ if (wc_AesSetKey(aes, key, len, NULL, AES_DECRYPTION) < 0) { ++ os_free(aes); ++ return NULL; ++ } ++ ++ return aes; ++} ++ ++ ++int aes_decrypt(void *ctx, const u8 *crypt, u8 *plain) ++{ ++ wc_AesDecryptDirect(ctx, plain, crypt); ++ return 0; ++} ++ ++ ++void aes_decrypt_deinit(void *ctx) ++{ ++ os_free(ctx); ++} ++ ++ ++int aes_128_cbc_encrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len) ++{ ++ Aes aes; ++ int ret; ++ ++ if (TEST_FAIL()) ++ return -1; ++ ++ ret = wc_AesSetKey(&aes, key, 16, iv, AES_ENCRYPTION); ++ if (ret != 0) ++ return -1; ++ ++ ret = wc_AesCbcEncrypt(&aes, data, data, data_len); ++ if (ret != 0) ++ return -1; ++ return 0; ++} ++ ++ ++int aes_128_cbc_decrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len) ++{ ++ Aes aes; ++ int ret; ++ ++ if (TEST_FAIL()) ++ return -1; ++ ++ ret = wc_AesSetKey(&aes, key, 16, iv, AES_DECRYPTION); ++ if (ret != 0) ++ return -1; ++ ++ ret = wc_AesCbcDecrypt(&aes, data, data, data_len); ++ if (ret != 0) ++ return -1; ++ return 0; ++} ++ ++ ++int aes_wrap(const u8 *kek, size_t kek_len, int n, const u8 *plain, u8 *cipher) ++{ ++ int ret; ++ ++ ret = wc_AesKeyWrap(kek, kek_len, plain, n * 8, cipher, (n + 1) * 8, ++ NULL); ++ return ret != (n + 1) * 8 ? -1 : 0; ++} ++ ++ ++int aes_unwrap(const u8 *kek, size_t kek_len, int n, const u8 *cipher, ++ u8 *plain) ++{ ++ int ret; ++ ++ ret = wc_AesKeyUnWrap(kek, kek_len, cipher, (n + 1) * 8, plain, n * 8, ++ NULL); ++ return ret != n * 8 ? -1 : 0; ++} ++ ++ ++#ifndef CONFIG_NO_RC4 ++int rc4_skip(const u8 *key, size_t keylen, size_t skip, u8 *data, ++ size_t data_len) ++{ ++#ifndef NO_RC4 ++ Arc4 arc4; ++ unsigned char skip_buf[16]; ++ ++ wc_Arc4SetKey(&arc4, key, keylen); ++ ++ while (skip >= sizeof(skip_buf)) { ++ size_t len = skip; ++ ++ if (len > sizeof(skip_buf)) ++ len = sizeof(skip_buf); ++ wc_Arc4Process(&arc4, skip_buf, skip_buf, len); ++ skip -= len; ++ } ++ ++ wc_Arc4Process(&arc4, data, data, data_len); ++ ++ return 0; ++#else /* NO_RC4 */ ++ return -1; ++#endif /* NO_RC4 */ ++} ++#endif /* CONFIG_NO_RC4 */ ++ ++ ++#if defined(EAP_IKEV2) || defined(EAP_IKEV2_DYNAMIC) \ ++ || defined(EAP_SERVER_IKEV2) ++union wolfssl_cipher { ++ Aes aes; ++ Des3 des3; ++ Arc4 arc4; ++}; ++ ++struct crypto_cipher { ++ enum crypto_cipher_alg alg; ++ union wolfssl_cipher enc; ++ union wolfssl_cipher dec; ++}; ++ ++struct crypto_cipher * crypto_cipher_init(enum crypto_cipher_alg alg, ++ const u8 *iv, const u8 *key, ++ size_t key_len) ++{ ++ struct crypto_cipher *ctx; ++ ++ ctx = os_zalloc(sizeof(*ctx)); ++ if (!ctx) ++ return NULL; ++ ++ switch (alg) { ++#ifndef CONFIG_NO_RC4 ++#ifndef NO_RC4 ++ case CRYPTO_CIPHER_ALG_RC4: ++ wc_Arc4SetKey(&ctx->enc.arc4, key, key_len); ++ wc_Arc4SetKey(&ctx->dec.arc4, key, key_len); ++ break; ++#endif /* NO_RC4 */ ++#endif /* CONFIG_NO_RC4 */ ++#ifndef NO_AES ++ case CRYPTO_CIPHER_ALG_AES: ++ switch (key_len) { ++ case 16: ++ case 24: ++ case 32: ++ break; ++ default: ++ os_free(ctx); ++ return NULL; ++ } ++ if (wc_AesSetKey(&ctx->enc.aes, key, key_len, iv, ++ AES_ENCRYPTION) || ++ wc_AesSetKey(&ctx->dec.aes, key, key_len, iv, ++ AES_DECRYPTION)) { ++ os_free(ctx); ++ return NULL; ++ } ++ break; ++#endif /* NO_AES */ ++#ifndef NO_DES3 ++ case CRYPTO_CIPHER_ALG_3DES: ++ if (key_len != DES3_KEYLEN || ++ wc_Des3_SetKey(&ctx->enc.des3, key, iv, DES_ENCRYPTION) || ++ wc_Des3_SetKey(&ctx->dec.des3, key, iv, DES_DECRYPTION)) { ++ os_free(ctx); ++ return NULL; ++ } ++ break; ++#endif /* NO_DES3 */ ++ case CRYPTO_CIPHER_ALG_RC2: ++ case CRYPTO_CIPHER_ALG_DES: ++ default: ++ os_free(ctx); ++ return NULL; ++ } ++ ++ ctx->alg = alg; ++ ++ return ctx; ++} ++ ++ ++int crypto_cipher_encrypt(struct crypto_cipher *ctx, const u8 *plain, ++ u8 *crypt, size_t len) ++{ ++ switch (ctx->alg) { ++#ifndef CONFIG_NO_RC4 ++#ifndef NO_RC4 ++ case CRYPTO_CIPHER_ALG_RC4: ++ wc_Arc4Process(&ctx->enc.arc4, crypt, plain, len); ++ return 0; ++#endif /* NO_RC4 */ ++#endif /* CONFIG_NO_RC4 */ ++#ifndef NO_AES ++ case CRYPTO_CIPHER_ALG_AES: ++ if (wc_AesCbcEncrypt(&ctx->enc.aes, crypt, plain, len) != 0) ++ return -1; ++ return 0; ++#endif /* NO_AES */ ++#ifndef NO_DES3 ++ case CRYPTO_CIPHER_ALG_3DES: ++ if (wc_Des3_CbcEncrypt(&ctx->enc.des3, crypt, plain, len) != 0) ++ return -1; ++ return 0; ++#endif /* NO_DES3 */ ++ default: ++ return -1; ++ } ++ return -1; ++} ++ ++ ++int crypto_cipher_decrypt(struct crypto_cipher *ctx, const u8 *crypt, ++ u8 *plain, size_t len) ++{ ++ switch (ctx->alg) { ++#ifndef CONFIG_NO_RC4 ++#ifndef NO_RC4 ++ case CRYPTO_CIPHER_ALG_RC4: ++ wc_Arc4Process(&ctx->dec.arc4, plain, crypt, len); ++ return 0; ++#endif /* NO_RC4 */ ++#endif /* CONFIG_NO_RC4 */ ++#ifndef NO_AES ++ case CRYPTO_CIPHER_ALG_AES: ++ if (wc_AesCbcDecrypt(&ctx->dec.aes, plain, crypt, len) != 0) ++ return -1; ++ return 0; ++#endif /* NO_AES */ ++#ifndef NO_DES3 ++ case CRYPTO_CIPHER_ALG_3DES: ++ if (wc_Des3_CbcDecrypt(&ctx->dec.des3, plain, crypt, len) != 0) ++ return -1; ++ return 0; ++#endif /* NO_DES3 */ ++ default: ++ return -1; ++ } ++ return -1; ++} ++ ++ ++void crypto_cipher_deinit(struct crypto_cipher *ctx) ++{ ++ os_free(ctx); ++} ++ ++#endif ++ ++ ++#ifdef CONFIG_WPS_NFC ++ ++static const unsigned char RFC3526_PRIME_1536[] = { ++ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2, ++ 0x21, 0x68, 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, ++ 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, 0xA6, ++ 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, ++ 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D, ++ 0xF2, 0x5F, 0x14, 0x37, 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, ++ 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, 0xF4, 0x4C, 0x42, 0xE9, ++ 0xA6, 0x37, 0xED, 0x6B, 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, ++ 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, 0xAE, 0x9F, 0x24, 0x11, ++ 0x7C, 0x4B, 0x1F, 0xE6, 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, ++ 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, 0x98, 0xDA, 0x48, 0x36, ++ 0x1C, 0x55, 0xD3, 0x9A, 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, ++ 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, 0x1C, 0x62, 0xF3, 0x56, ++ 0x20, 0x85, 0x52, 0xBB, 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, ++ 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, 0xF1, 0x74, 0x6C, 0x08, ++ 0xCA, 0x23, 0x73, 0x27, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ++}; ++ ++static const unsigned char RFC3526_GENERATOR_1536[] = { ++ 0x02 ++}; ++ ++#define RFC3526_LEN sizeof(RFC3526_PRIME_1536) ++ ++ ++void * dh5_init(struct wpabuf **priv, struct wpabuf **publ) ++{ ++ WC_RNG rng; ++ DhKey *ret = NULL; ++ DhKey *dh = NULL; ++ struct wpabuf *privkey = NULL; ++ struct wpabuf *pubkey = NULL; ++ word32 priv_sz, pub_sz; ++ ++ *priv = NULL; ++ wpabuf_free(*publ); ++ *publ = NULL; ++ ++ dh = os_malloc(sizeof(DhKey)); ++ if (!dh) ++ return NULL; ++ wc_InitDhKey(dh); ++ ++ if (wc_InitRng(&rng) != 0) { ++ os_free(dh); ++ return NULL; ++ } ++ ++ privkey = wpabuf_alloc(RFC3526_LEN); ++ pubkey = wpabuf_alloc(RFC3526_LEN); ++ if (!privkey || !pubkey) ++ goto done; ++ ++ if (wc_DhSetKey(dh, RFC3526_PRIME_1536, sizeof(RFC3526_PRIME_1536), ++ RFC3526_GENERATOR_1536, sizeof(RFC3526_GENERATOR_1536)) ++ != 0) ++ goto done; ++ ++ if (wc_DhGenerateKeyPair(dh, &rng, wpabuf_mhead(privkey), &priv_sz, ++ wpabuf_mhead(pubkey), &pub_sz) != 0) ++ goto done; ++ ++ wpabuf_put(privkey, priv_sz); ++ wpabuf_put(pubkey, pub_sz); ++ ++ ret = dh; ++ *priv = privkey; ++ *publ = pubkey; ++ dh = NULL; ++ privkey = NULL; ++ pubkey = NULL; ++done: ++ wpabuf_clear_free(pubkey); ++ wpabuf_clear_free(privkey); ++ if (dh) { ++ wc_FreeDhKey(dh); ++ os_free(dh); ++ } ++ wc_FreeRng(&rng); ++ return ret; ++} ++ ++ ++void * dh5_init_fixed(const struct wpabuf *priv, const struct wpabuf *publ) ++{ ++ DhKey *ret = NULL; ++ DhKey *dh; ++ byte *secret; ++ word32 secret_sz; ++ ++ dh = os_malloc(sizeof(DhKey)); ++ if (!dh) ++ return NULL; ++ wc_InitDhKey(dh); ++ ++ secret = os_malloc(RFC3526_LEN); ++ if (!secret) ++ goto done; ++ ++ if (wc_DhSetKey(dh, RFC3526_PRIME_1536, sizeof(RFC3526_PRIME_1536), ++ RFC3526_GENERATOR_1536, sizeof(RFC3526_GENERATOR_1536)) ++ != 0) ++ goto done; ++ ++ if (wc_DhAgree(dh, secret, &secret_sz, wpabuf_head(priv), ++ wpabuf_len(priv), RFC3526_GENERATOR_1536, ++ sizeof(RFC3526_GENERATOR_1536)) != 0) ++ goto done; ++ ++ if (secret_sz != wpabuf_len(publ) || ++ os_memcmp(secret, wpabuf_head(publ), secret_sz) != 0) ++ goto done; ++ ++ ret = dh; ++ dh = NULL; ++done: ++ if (dh) { ++ wc_FreeDhKey(dh); ++ os_free(dh); ++ } ++ os_free(secret); ++ return ret; ++} ++ ++ ++struct wpabuf * dh5_derive_shared(void *ctx, const struct wpabuf *peer_public, ++ const struct wpabuf *own_private) ++{ ++ struct wpabuf *ret = NULL; ++ struct wpabuf *secret; ++ word32 secret_sz; ++ ++ secret = wpabuf_alloc(RFC3526_LEN); ++ if (!secret) ++ goto done; ++ ++ if (wc_DhAgree(ctx, wpabuf_mhead(secret), &secret_sz, ++ wpabuf_head(own_private), wpabuf_len(own_private), ++ wpabuf_head(peer_public), wpabuf_len(peer_public)) != 0) ++ goto done; ++ ++ wpabuf_put(secret, secret_sz); ++ ++ ret = secret; ++ secret = NULL; ++done: ++ wpabuf_clear_free(secret); ++ return ret; ++} ++ ++ ++void dh5_free(void *ctx) ++{ ++ if (!ctx) ++ return; ++ ++ wc_FreeDhKey(ctx); ++ os_free(ctx); ++} ++ ++#endif /* CONFIG_WPS_NFC */ ++ ++ ++int crypto_dh_init(u8 generator, const u8 *prime, size_t prime_len, u8 *privkey, ++ u8 *pubkey) ++{ ++ int ret = -1; ++ WC_RNG rng; ++ DhKey *dh = NULL; ++ word32 priv_sz, pub_sz; ++ ++ if (TEST_FAIL()) ++ return -1; ++ ++ dh = os_malloc(sizeof(DhKey)); ++ if (!dh) ++ return -1; ++ wc_InitDhKey(dh); ++ ++ if (wc_InitRng(&rng) != 0) { ++ os_free(dh); ++ return -1; ++ } ++ ++ if (wc_DhSetKey(dh, prime, prime_len, &generator, 1) != 0) ++ goto done; ++ ++ if (wc_DhGenerateKeyPair(dh, &rng, privkey, &priv_sz, pubkey, &pub_sz) ++ != 0) ++ goto done; ++ ++ if (priv_sz < prime_len) { ++ size_t pad_sz = prime_len - priv_sz; ++ ++ os_memmove(privkey + pad_sz, privkey, priv_sz); ++ os_memset(privkey, 0, pad_sz); ++ } ++ ++ if (pub_sz < prime_len) { ++ size_t pad_sz = prime_len - pub_sz; ++ ++ os_memmove(pubkey + pad_sz, pubkey, pub_sz); ++ os_memset(pubkey, 0, pad_sz); ++ } ++ ret = 0; ++done: ++ wc_FreeDhKey(dh); ++ os_free(dh); ++ wc_FreeRng(&rng); ++ return ret; ++} ++ ++ ++int crypto_dh_derive_secret(u8 generator, const u8 *prime, size_t prime_len, ++ const u8 *privkey, size_t privkey_len, ++ const u8 *pubkey, size_t pubkey_len, ++ u8 *secret, size_t *len) ++{ ++ int ret = -1; ++ DhKey *dh; ++ word32 secret_sz; ++ ++ dh = os_malloc(sizeof(DhKey)); ++ if (!dh) ++ return -1; ++ wc_InitDhKey(dh); ++ ++ if (wc_DhSetKey(dh, prime, prime_len, &generator, 1) != 0) ++ goto done; ++ ++ if (wc_DhAgree(dh, secret, &secret_sz, privkey, privkey_len, pubkey, ++ pubkey_len) != 0) ++ goto done; ++ ++ *len = secret_sz; ++ ret = 0; ++done: ++ wc_FreeDhKey(dh); ++ os_free(dh); ++ return ret; ++} ++ ++ ++#ifdef CONFIG_FIPS ++int crypto_get_random(void *buf, size_t len) ++{ ++ int ret = 0; ++ WC_RNG rng; ++ ++ if (wc_InitRng(&rng) != 0) ++ return -1; ++ if (wc_RNG_GenerateBlock(&rng, buf, len) != 0) ++ ret = -1; ++ wc_FreeRng(&rng); ++ return ret; ++} ++#endif /* CONFIG_FIPS */ ++ ++ ++#if defined(EAP_PWD) || defined(EAP_SERVER_PWD) ++struct crypto_hash { ++ Hmac hmac; ++ int size; ++}; ++ ++ ++struct crypto_hash * crypto_hash_init(enum crypto_hash_alg alg, const u8 *key, ++ size_t key_len) ++{ ++ struct crypto_hash *ret = NULL; ++ struct crypto_hash *hash; ++ int type; ++ ++ hash = os_malloc(sizeof(*hash)); ++ if (!hash) ++ goto done; ++ ++ switch (alg) { ++#ifndef NO_MD5 ++ case CRYPTO_HASH_ALG_HMAC_MD5: ++ hash->size = 16; ++ type = MD5; ++ break; ++#endif /* NO_MD5 */ ++#ifndef NO_SHA ++ case CRYPTO_HASH_ALG_HMAC_SHA1: ++ type = SHA; ++ hash->size = 20; ++ break; ++#endif /* NO_SHA */ ++#ifdef CONFIG_SHA256 ++#ifndef NO_SHA256 ++ case CRYPTO_HASH_ALG_HMAC_SHA256: ++ type = SHA256; ++ hash->size = 32; ++ break; ++#endif /* NO_SHA256 */ ++#endif /* CONFIG_SHA256 */ ++ default: ++ goto done; ++ } ++ ++ if (wc_HmacSetKey(&hash->hmac, type, key, key_len) != 0) ++ goto done; ++ ++ ret = hash; ++ hash = NULL; ++done: ++ os_free(hash); ++ return ret; ++} ++ ++ ++void crypto_hash_update(struct crypto_hash *ctx, const u8 *data, size_t len) ++{ ++ if (!ctx) ++ return; ++ wc_HmacUpdate(&ctx->hmac, data, len); ++} ++ ++ ++int crypto_hash_finish(struct crypto_hash *ctx, u8 *mac, size_t *len) ++{ ++ int ret = 0; ++ ++ if (!ctx) ++ return -2; ++ ++ if (!mac || !len) ++ goto done; ++ ++ if (wc_HmacFinal(&ctx->hmac, mac) != 0) { ++ ret = -1; ++ goto done; ++ } ++ ++ *len = ctx->size; ++ ret = 0; ++done: ++ bin_clear_free(ctx, sizeof(*ctx)); ++ return ret; ++} ++ ++#endif ++ ++ ++int omac1_aes_vector(const u8 *key, size_t key_len, size_t num_elem, ++ const u8 *addr[], const size_t *len, u8 *mac) ++{ ++ Cmac cmac; ++ size_t i; ++ word32 sz; ++ ++ if (TEST_FAIL()) ++ return -1; ++ ++ if (wc_InitCmac(&cmac, key, key_len, WC_CMAC_AES, NULL) != 0) ++ return -1; ++ ++ for (i = 0; i < num_elem; i++) ++ if (wc_CmacUpdate(&cmac, addr[i], len[i]) != 0) ++ return -1; ++ ++ sz = AES_BLOCK_SIZE; ++ if (wc_CmacFinal(&cmac, mac, &sz) != 0 || sz != AES_BLOCK_SIZE) ++ return -1; ++ ++ return 0; ++} ++ ++ ++int omac1_aes_128_vector(const u8 *key, size_t num_elem, ++ const u8 *addr[], const size_t *len, u8 *mac) ++{ ++ return omac1_aes_vector(key, 16, num_elem, addr, len, mac); ++} ++ ++ ++int omac1_aes_128(const u8 *key, const u8 *data, size_t data_len, u8 *mac) ++{ ++ return omac1_aes_128_vector(key, 1, &data, &data_len, mac); ++} ++ ++ ++int omac1_aes_256(const u8 *key, const u8 *data, size_t data_len, u8 *mac) ++{ ++ return omac1_aes_vector(key, 32, 1, &data, &data_len, mac); ++} ++ ++ ++struct crypto_bignum * crypto_bignum_init(void) ++{ ++ mp_int *a; ++ ++ if (TEST_FAIL()) ++ return NULL; ++ ++ a = os_malloc(sizeof(*a)); ++ if (!a || mp_init(a) != MP_OKAY) { ++ os_free(a); ++ a = NULL; ++ } ++ ++ return (struct crypto_bignum *) a; ++} ++ ++ ++struct crypto_bignum * crypto_bignum_init_set(const u8 *buf, size_t len) ++{ ++ mp_int *a; ++ ++ if (TEST_FAIL()) ++ return NULL; ++ ++ a = (mp_int *) crypto_bignum_init(); ++ if (!a) ++ return NULL; ++ ++ if (mp_read_unsigned_bin(a, buf, len) != MP_OKAY) { ++ os_free(a); ++ a = NULL; ++ } ++ ++ return (struct crypto_bignum *) a; ++} ++ ++ ++void crypto_bignum_deinit(struct crypto_bignum *n, int clear) ++{ ++ if (!n) ++ return; ++ ++ if (clear) ++ mp_forcezero((mp_int *) n); ++ mp_clear((mp_int *) n); ++ os_free((mp_int *) n); ++} ++ ++ ++int crypto_bignum_to_bin(const struct crypto_bignum *a, ++ u8 *buf, size_t buflen, size_t padlen) ++{ ++ int num_bytes, offset; ++ ++ if (TEST_FAIL()) ++ return -1; ++ ++ if (padlen > buflen) ++ return -1; ++ ++ num_bytes = (mp_count_bits((mp_int *) a) + 7) / 8; ++ if ((size_t) num_bytes > buflen) ++ return -1; ++ if (padlen > (size_t) num_bytes) ++ offset = padlen - num_bytes; ++ else ++ offset = 0; ++ ++ os_memset(buf, 0, offset); ++ mp_to_unsigned_bin((mp_int *) a, buf + offset); ++ ++ return num_bytes + offset; ++} ++ ++ ++int crypto_bignum_rand(struct crypto_bignum *r, const struct crypto_bignum *m) ++{ ++ int ret = 0; ++ WC_RNG rng; ++ ++ if (wc_InitRng(&rng) != 0) ++ return -1; ++ if (mp_rand_prime((mp_int *) r, ++ (mp_count_bits((mp_int *) m) + 7) / 8 * 2, ++ &rng, NULL) != 0) ++ ret = -1; ++ if (ret == 0 && ++ mp_mod((mp_int *) r, (mp_int *) m, (mp_int *) r) != 0) ++ ret = -1; ++ wc_FreeRng(&rng); ++ return ret; ++} ++ ++ ++int crypto_bignum_add(const struct crypto_bignum *a, ++ const struct crypto_bignum *b, ++ struct crypto_bignum *r) ++{ ++ return mp_add((mp_int *) a, (mp_int *) b, ++ (mp_int *) r) == MP_OKAY ? 0 : -1; ++} ++ ++ ++int crypto_bignum_mod(const struct crypto_bignum *a, ++ const struct crypto_bignum *m, ++ struct crypto_bignum *r) ++{ ++ return mp_mod((mp_int *) a, (mp_int *) m, ++ (mp_int *) r) == MP_OKAY ? 0 : -1; ++} ++ ++ ++int crypto_bignum_exptmod(const struct crypto_bignum *b, ++ const struct crypto_bignum *e, ++ const struct crypto_bignum *m, ++ struct crypto_bignum *r) ++{ ++ if (TEST_FAIL()) ++ return -1; ++ ++ return mp_exptmod((mp_int *) b, (mp_int *) e, (mp_int *) m, ++ (mp_int *) r) == MP_OKAY ? 0 : -1; ++} ++ ++ ++int crypto_bignum_inverse(const struct crypto_bignum *a, ++ const struct crypto_bignum *m, ++ struct crypto_bignum *r) ++{ ++ if (TEST_FAIL()) ++ return -1; ++ ++ return mp_invmod((mp_int *) a, (mp_int *) m, ++ (mp_int *) r) == MP_OKAY ? 0 : -1; ++} ++ ++ ++int crypto_bignum_sub(const struct crypto_bignum *a, ++ const struct crypto_bignum *b, ++ struct crypto_bignum *r) ++{ ++ if (TEST_FAIL()) ++ return -1; ++ ++ return mp_add((mp_int *) a, (mp_int *) b, ++ (mp_int *) r) == MP_OKAY ? 0 : -1; ++} ++ ++ ++int crypto_bignum_div(const struct crypto_bignum *a, ++ const struct crypto_bignum *b, ++ struct crypto_bignum *d) ++{ ++ if (TEST_FAIL()) ++ return -1; ++ ++ return mp_div((mp_int *) a, (mp_int *) b, (mp_int *) d, ++ NULL) == MP_OKAY ? 0 : -1; ++} ++ ++ ++int crypto_bignum_mulmod(const struct crypto_bignum *a, ++ const struct crypto_bignum *b, ++ const struct crypto_bignum *m, ++ struct crypto_bignum *d) ++{ ++ if (TEST_FAIL()) ++ return -1; ++ ++ return mp_mulmod((mp_int *) a, (mp_int *) b, (mp_int *) m, ++ (mp_int *) d) == MP_OKAY ? 0 : -1; ++} ++ ++ ++int crypto_bignum_rshift(const struct crypto_bignum *a, int n, ++ struct crypto_bignum *r) ++{ ++ if (mp_copy((mp_int *) a, (mp_int *) r) != MP_OKAY) ++ return -1; ++ mp_rshd((mp_int *) r, n); ++ return 0; ++} ++ ++ ++int crypto_bignum_cmp(const struct crypto_bignum *a, ++ const struct crypto_bignum *b) ++{ ++ return mp_cmp((mp_int *) a, (mp_int *) b); ++} ++ ++ ++int crypto_bignum_bits(const struct crypto_bignum *a) ++{ ++ return mp_count_bits((mp_int *) a); ++} ++ ++ ++int crypto_bignum_is_zero(const struct crypto_bignum *a) ++{ ++ return mp_iszero((mp_int *) a); ++} ++ ++ ++int crypto_bignum_is_one(const struct crypto_bignum *a) ++{ ++ return mp_isone((const mp_int *) a); ++} ++ ++int crypto_bignum_is_odd(const struct crypto_bignum *a) ++{ ++ return mp_isodd((mp_int *) a); ++} ++ ++ ++int crypto_bignum_legendre(const struct crypto_bignum *a, ++ const struct crypto_bignum *p) ++{ ++ mp_int t; ++ int ret; ++ int res = -2; ++ ++ if (TEST_FAIL()) ++ return -2; ++ ++ if (mp_init(&t) != MP_OKAY) ++ return -2; ++ ++ /* t = (p-1) / 2 */ ++ ret = mp_sub_d((mp_int *) p, 1, &t); ++ if (ret == MP_OKAY) ++ mp_rshb(&t, 1); ++ if (ret == MP_OKAY) ++ ret = mp_exptmod((mp_int *) a, &t, (mp_int *) p, &t); ++ if (ret == MP_OKAY) { ++ if (mp_isone(&t)) ++ res = 1; ++ else if (mp_iszero(&t)) ++ res = 0; ++ else ++ res = -1; ++ } ++ ++ mp_clear(&t); ++ return res; ++} ++ ++ ++#ifdef CONFIG_ECC ++ ++int ecc_map(ecc_point *, mp_int *, mp_digit); ++int ecc_projective_add_point(ecc_point *P, ecc_point *Q, ecc_point *R, ++ mp_int *a, mp_int *modulus, mp_digit mp); ++ ++struct crypto_ec { ++ ecc_key key; ++ mp_int a; ++ mp_int prime; ++ mp_int order; ++ mp_digit mont_b; ++ mp_int b; ++}; ++ ++ ++struct crypto_ec * crypto_ec_init(int group) ++{ ++ int built = 0; ++ struct crypto_ec *e; ++ int curve_id; ++ ++ /* Map from IANA registry for IKE D-H groups to OpenSSL NID */ ++ switch (group) { ++ case 19: ++ curve_id = ECC_SECP256R1; ++ break; ++ case 20: ++ curve_id = ECC_SECP384R1; ++ break; ++ case 21: ++ curve_id = ECC_SECP521R1; ++ break; ++ case 25: ++ curve_id = ECC_SECP192R1; ++ break; ++ case 26: ++ curve_id = ECC_SECP224R1; ++ break; ++#ifdef HAVE_ECC_BRAINPOOL ++ case 27: ++ curve_id = ECC_BRAINPOOLP224R1; ++ break; ++ case 28: ++ curve_id = ECC_BRAINPOOLP256R1; ++ break; ++ case 29: ++ curve_id = ECC_BRAINPOOLP384R1; ++ break; ++ case 30: ++ curve_id = ECC_BRAINPOOLP512R1; ++ break; ++#endif /* HAVE_ECC_BRAINPOOL */ ++ default: ++ return NULL; ++ } ++ ++ e = os_zalloc(sizeof(*e)); ++ if (!e) ++ return NULL; ++ ++ if (wc_ecc_init(&e->key) != 0 || ++ wc_ecc_set_curve(&e->key, 0, curve_id) != 0 || ++ mp_init(&e->a) != MP_OKAY || ++ mp_init(&e->prime) != MP_OKAY || ++ mp_init(&e->order) != MP_OKAY || ++ mp_init(&e->b) != MP_OKAY || ++ mp_read_radix(&e->a, e->key.dp->Af, 16) != MP_OKAY || ++ mp_read_radix(&e->b, e->key.dp->Bf, 16) != MP_OKAY || ++ mp_read_radix(&e->prime, e->key.dp->prime, 16) != MP_OKAY || ++ mp_read_radix(&e->order, e->key.dp->order, 16) != MP_OKAY || ++ mp_montgomery_setup(&e->prime, &e->mont_b) != MP_OKAY) ++ goto done; ++ ++ built = 1; ++done: ++ if (!built) { ++ crypto_ec_deinit(e); ++ e = NULL; ++ } ++ return e; ++} ++ ++ ++void crypto_ec_deinit(struct crypto_ec* e) ++{ ++ if (!e) ++ return; ++ ++ mp_clear(&e->b); ++ mp_clear(&e->order); ++ mp_clear(&e->prime); ++ mp_clear(&e->a); ++ wc_ecc_free(&e->key); ++ os_free(e); ++} ++ ++ ++int crypto_ec_cofactor(struct crypto_ec *e, struct crypto_bignum *cofactor) ++{ ++ if (!e || !cofactor) ++ return -1; ++ ++ mp_set((mp_int *) cofactor, e->key.dp->cofactor); ++ return 0; ++} ++ ++ ++struct crypto_ec_point * crypto_ec_point_init(struct crypto_ec *e) ++{ ++ if (TEST_FAIL()) ++ return NULL; ++ if (!e) ++ return NULL; ++ return (struct crypto_ec_point *) wc_ecc_new_point(); ++} ++ ++ ++size_t crypto_ec_prime_len(struct crypto_ec *e) ++{ ++ return (mp_count_bits(&e->prime) + 7) / 8; ++} ++ ++ ++size_t crypto_ec_prime_len_bits(struct crypto_ec *e) ++{ ++ return mp_count_bits(&e->prime); ++} ++ ++ ++size_t crypto_ec_order_len(struct crypto_ec *e) ++{ ++ return (mp_count_bits(&e->order) + 7) / 8; ++} ++ ++ ++const struct crypto_bignum * crypto_ec_get_prime(struct crypto_ec *e) ++{ ++ return (const struct crypto_bignum *) &e->prime; ++} ++ ++ ++const struct crypto_bignum * crypto_ec_get_order(struct crypto_ec *e) ++{ ++ return (const struct crypto_bignum *) &e->order; ++} ++ ++ ++void crypto_ec_point_deinit(struct crypto_ec_point *p, int clear) ++{ ++ ecc_point *point = (ecc_point *) p; ++ ++ if (!p) ++ return; ++ ++ if (clear) { ++ mp_forcezero(point->x); ++ mp_forcezero(point->y); ++ mp_forcezero(point->z); ++ } ++ wc_ecc_del_point(point); ++} ++ ++ ++int crypto_ec_point_x(struct crypto_ec *e, const struct crypto_ec_point *p, ++ struct crypto_bignum *x) ++{ ++ return mp_copy(((ecc_point *) p)->x, (mp_int *) x) == MP_OKAY ? 0 : -1; ++} ++ ++ ++int crypto_ec_point_to_bin(struct crypto_ec *e, ++ const struct crypto_ec_point *point, u8 *x, u8 *y) ++{ ++ ecc_point *p = (ecc_point *) point; ++ ++ if (TEST_FAIL()) ++ return -1; ++ ++ if (!mp_isone(p->z)) { ++ if (ecc_map(p, &e->prime, e->mont_b) != MP_OKAY) ++ return -1; ++ } ++ ++ if (x) { ++ if (crypto_bignum_to_bin((struct crypto_bignum *)p->x, x, ++ e->key.dp->size, ++ e->key.dp->size) <= 0) ++ return -1; ++ } ++ ++ if (y) { ++ if (crypto_bignum_to_bin((struct crypto_bignum *) p->y, y, ++ e->key.dp->size, ++ e->key.dp->size) <= 0) ++ return -1; ++ } ++ ++ return 0; ++} ++ ++ ++struct crypto_ec_point * crypto_ec_point_from_bin(struct crypto_ec *e, ++ const u8 *val) ++{ ++ ecc_point *point = NULL; ++ int loaded = 0; ++ ++ if (TEST_FAIL()) ++ return NULL; ++ ++ point = wc_ecc_new_point(); ++ if (!point) ++ goto done; ++ ++ if (mp_read_unsigned_bin(point->x, val, e->key.dp->size) != MP_OKAY) ++ goto done; ++ val += e->key.dp->size; ++ if (mp_read_unsigned_bin(point->y, val, e->key.dp->size) != MP_OKAY) ++ goto done; ++ mp_set(point->z, 1); ++ ++ loaded = 1; ++done: ++ if (!loaded) { ++ wc_ecc_del_point(point); ++ point = NULL; ++ } ++ return (struct crypto_ec_point *) point; ++} ++ ++ ++int crypto_ec_point_add(struct crypto_ec *e, const struct crypto_ec_point *a, ++ const struct crypto_ec_point *b, ++ struct crypto_ec_point *c) ++{ ++ mp_int mu; ++ ecc_point *ta = NULL, *tb = NULL; ++ ecc_point *pa = (ecc_point *) a, *pb = (ecc_point *) b; ++ mp_int *modulus = &e->prime; ++ int ret; ++ ++ if (TEST_FAIL()) ++ return -1; ++ ++ ret = mp_init(&mu); ++ if (ret != MP_OKAY) ++ return -1; ++ ++ ret = mp_montgomery_calc_normalization(&mu, modulus); ++ if (ret != MP_OKAY) { ++ mp_clear(&mu); ++ return -1; ++ } ++ ++ if (!mp_isone(&mu)) { ++ ta = wc_ecc_new_point(); ++ if (!ta) { ++ mp_clear(&mu); ++ return -1; ++ } ++ tb = wc_ecc_new_point(); ++ if (!tb) { ++ wc_ecc_del_point(ta); ++ mp_clear(&mu); ++ return -1; ++ } ++ ++ if (mp_mulmod(pa->x, &mu, modulus, ta->x) != MP_OKAY || ++ mp_mulmod(pa->y, &mu, modulus, ta->y) != MP_OKAY || ++ mp_mulmod(pa->z, &mu, modulus, ta->z) != MP_OKAY || ++ mp_mulmod(pb->x, &mu, modulus, tb->x) != MP_OKAY || ++ mp_mulmod(pb->y, &mu, modulus, tb->y) != MP_OKAY || ++ mp_mulmod(pb->z, &mu, modulus, tb->z) != MP_OKAY) { ++ ret = -1; ++ goto end; ++ } ++ pa = ta; ++ pb = tb; ++ } ++ ++ ret = ecc_projective_add_point(pa, pb, (ecc_point *) c, &e->a, ++ &e->prime, e->mont_b); ++ if (ret != 0) { ++ ret = -1; ++ goto end; ++ } ++ ++ if (ecc_map((ecc_point *) c, &e->prime, e->mont_b) != MP_OKAY) ++ ret = -1; ++ else ++ ret = 0; ++end: ++ wc_ecc_del_point(tb); ++ wc_ecc_del_point(ta); ++ mp_clear(&mu); ++ return ret; ++} ++ ++ ++int crypto_ec_point_mul(struct crypto_ec *e, const struct crypto_ec_point *p, ++ const struct crypto_bignum *b, ++ struct crypto_ec_point *res) ++{ ++ int ret; ++ ++ if (TEST_FAIL()) ++ return -1; ++ ++ ret = wc_ecc_mulmod((mp_int *) b, (ecc_point *) p, (ecc_point *) res, ++ &e->a, &e->prime, 1); ++ return ret == 0 ? 0 : -1; ++} ++ ++ ++int crypto_ec_point_invert(struct crypto_ec *e, struct crypto_ec_point *p) ++{ ++ ecc_point *point = (ecc_point *) p; ++ ++ if (TEST_FAIL()) ++ return -1; ++ ++ if (mp_sub(&e->prime, point->y, point->y) != MP_OKAY) ++ return -1; ++ ++ return 0; ++} ++ ++ ++int crypto_ec_point_solve_y_coord(struct crypto_ec *e, ++ struct crypto_ec_point *p, ++ const struct crypto_bignum *x, int y_bit) ++{ ++ byte buf[MAX_ECC_BYTES + 1]; ++ int ret; ++ int prime_len = crypto_ec_prime_len(e); ++ ++ if (TEST_FAIL()) ++ return -1; ++ ++ buf[0] = 0x2 + (byte) y_bit; ++ ret = crypto_bignum_to_bin(x, buf + 1, prime_len, prime_len); ++ if (ret <= 0) ++ return -1; ++ ret = wc_ecc_import_point_der(buf, ret + 1, e->key.idx, ++ (ecc_point *) p); ++ if (ret != 0) ++ return -1; ++ ++ return 0; ++} ++ ++ ++struct crypto_bignum * ++crypto_ec_point_compute_y_sqr(struct crypto_ec *e, ++ const struct crypto_bignum *x) ++{ ++ mp_int *y2 = NULL; ++ mp_int t; ++ int calced = 0; ++ ++ if (TEST_FAIL()) ++ return NULL; ++ ++ if (mp_init(&t) != MP_OKAY) ++ return NULL; ++ ++ y2 = (mp_int *) crypto_bignum_init(); ++ if (!y2) ++ goto done; ++ ++ if (mp_sqrmod((mp_int *) x, &e->prime, y2) != 0 || ++ mp_mulmod((mp_int *) x, &t, &e->prime, y2) != 0 || ++ mp_mulmod((mp_int *) x, &e->a, &e->prime, &t) != 0 || ++ mp_addmod(y2, &t, &e->prime, y2) != 0 || ++ mp_addmod(y2, &e->b, &e->prime, y2) != 0) ++ goto done; ++ ++ calced = 1; ++done: ++ if (!calced) { ++ if (y2) { ++ mp_clear(y2); ++ os_free(y2); ++ } ++ mp_clear(&t); ++ } ++ ++ return (struct crypto_bignum *) y2; ++} ++ ++ ++int crypto_ec_point_is_at_infinity(struct crypto_ec *e, ++ const struct crypto_ec_point *p) ++{ ++ return wc_ecc_point_is_at_infinity((ecc_point *) p); ++} ++ ++ ++int crypto_ec_point_is_on_curve(struct crypto_ec *e, ++ const struct crypto_ec_point *p) ++{ ++ return wc_ecc_is_point((ecc_point *) p, &e->a, &e->b, &e->prime) == ++ MP_OKAY; ++} ++ ++ ++int crypto_ec_point_cmp(const struct crypto_ec *e, ++ const struct crypto_ec_point *a, ++ const struct crypto_ec_point *b) ++{ ++ return wc_ecc_cmp_point((ecc_point *) a, (ecc_point *) b); ++} ++ ++#endif /* CONFIG_ECC */ +diff --git a/src/crypto/fips_prf_wolfssl.c b/src/crypto/fips_prf_wolfssl.c +new file mode 100644 +index 0000000..1709932 +--- /dev/null ++++ b/src/crypto/fips_prf_wolfssl.c +@@ -0,0 +1,86 @@ ++/* ++ * FIPS 186-2 PRF for libcrypto ++ * Copyright (c) 2004-2017, Jouni Malinen ++ * ++ * This software may be distributed under the terms of the BSD license. ++ * See README for more details. ++ */ ++ ++#include "includes.h" ++#include ++ ++#include "common.h" ++#include "crypto.h" ++ ++ ++static void sha1_transform(u32 *state, const u8 data[64]) ++{ ++ Sha sha; ++ ++ os_memset(&sha, 0, sizeof(sha)); ++ sha.digest[0] = state[0]; ++ sha.digest[1] = state[1]; ++ sha.digest[2] = state[2]; ++ sha.digest[3] = state[3]; ++ sha.digest[4] = state[4]; ++ wc_ShaUpdate(&sha, data, 64); ++ state[0] = sha.digest[0]; ++ state[1] = sha.digest[1]; ++ state[2] = sha.digest[2]; ++ state[3] = sha.digest[3]; ++ state[4] = sha.digest[4]; ++} ++ ++ ++int fips186_2_prf(const u8 *seed, size_t seed_len, u8 *x, size_t xlen) ++{ ++ u8 xkey[64]; ++ u32 t[5], _t[5]; ++ int i, j, m, k; ++ u8 *xpos = x; ++ u32 carry; ++ ++ if (seed_len < sizeof(xkey)) ++ os_memset(xkey + seed_len, 0, sizeof(xkey) - seed_len); ++ else ++ seed_len = sizeof(xkey); ++ ++ /* FIPS 186-2 + change notice 1 */ ++ ++ os_memcpy(xkey, seed, seed_len); ++ t[0] = 0x67452301; ++ t[1] = 0xEFCDAB89; ++ t[2] = 0x98BADCFE; ++ t[3] = 0x10325476; ++ t[4] = 0xC3D2E1F0; ++ ++ m = xlen / 40; ++ for (j = 0; j < m; j++) { ++ /* XSEED_j = 0 */ ++ for (i = 0; i < 2; i++) { ++ /* XVAL = (XKEY + XSEED_j) mod 2^b */ ++ ++ /* w_i = G(t, XVAL) */ ++ os_memcpy(_t, t, 20); ++ sha1_transform(_t, xkey); ++ WPA_PUT_BE32(xpos, _t[0]); ++ WPA_PUT_BE32(xpos + 4, _t[1]); ++ WPA_PUT_BE32(xpos + 8, _t[2]); ++ WPA_PUT_BE32(xpos + 12, _t[3]); ++ WPA_PUT_BE32(xpos + 16, _t[4]); ++ ++ /* XKEY = (1 + XKEY + w_i) mod 2^b */ ++ carry = 1; ++ for (k = 19; k >= 0; k--) { ++ carry += xkey[k] + xpos[k]; ++ xkey[k] = carry & 0xff; ++ carry >>= 8; ++ } ++ ++ xpos += 20; ++ } ++ /* x_j = w_0|w_1 */ ++ } ++ ++ return 0; ++} +diff --git a/src/crypto/tls_wolfssl.c b/src/crypto/tls_wolfssl.c +new file mode 100644 +index 0000000..b7c452e +--- /dev/null ++++ b/src/crypto/tls_wolfssl.c +@@ -0,0 +1,2150 @@ ++/* ++ * SSL/TLS interface functions for wolfSSL TLS case ++ * Copyright (c) 2004-2017, Jouni Malinen ++ * ++ * This software may be distributed under the terms of the BSD license. ++ * See README for more details. ++ */ ++ ++#include "includes.h" ++ ++#include "common.h" ++#include "crypto.h" ++#include "tls.h" ++ ++#define OPENSSL_EXTRA ++#define HAVE_STUNNEL ++#define HAVE_SECRET_CALLBACK ++#define HAVE_SESSION_TICKET ++#define HAVE_OCSP ++#define HAVE_CERTIFICATE_STATUS_REQUEST ++#define HAVE_CERTIFICATE_STATUS_REQUEST_V2 ++#ifndef WOLFSSL_DER_LOAD ++#define WOLFSSL_DER_LOAD ++#endif ++#if 0 ++/* Enable if a debug build of wolfSSL is installed. */ ++#define DEBUG_WOLFSSL ++#endif ++ ++/* wolfSSL includes */ ++#include ++#include ++#include ++ ++#if defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || defined(EAP_SERVER_FAST) ++#define HAVE_AESGCM ++#include ++#endif ++ ++#if !defined(CONFIG_FIPS) && \ ++ (defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || \ ++ defined(EAP_SERVER_FAST)) ++#define WOLFSSL_NEED_EAP_FAST_PRF ++#endif ++ ++#define SECRET_LEN 48 ++#define RAN_LEN 32 ++#define SESSION_TICKET_LEN 256 ++ ++static int tls_ref_count = 0; ++ ++static int tls_ex_idx_session = 0; ++ ++ ++/* tls input data for wolfSSL Read Callback */ ++struct tls_in_data { ++ const struct wpabuf *in_data; ++ size_t consumed; /* how many bytes have we used already */ ++}; ++ ++/* tls output data for wolfSSL Write Callback */ ++struct tls_out_data { ++ struct wpabuf *out_data; ++}; ++ ++struct tls_context { ++ void (*event_cb)(void *ctx, enum tls_event ev, ++ union tls_event_data *data); ++ void *cb_ctx; ++ int cert_in_cb; ++ char *ocsp_stapling_response; ++}; ++ ++static struct tls_context *tls_global = NULL; ++ ++/* wolfssl tls_connection */ ++struct tls_connection { ++ struct tls_context *context; ++ WOLFSSL *ssl; ++ int read_alerts; ++ int write_alerts; ++ int failed; ++ struct tls_in_data input; ++ struct tls_out_data output; ++ char *subject_match; ++ char *alt_subject_match; ++ char *suffix_match; ++ char *domain_match; ++ ++ u8 srv_cert_hash[32]; ++ ++ unsigned char client_random[RAN_LEN]; ++ unsigned char server_random[RAN_LEN]; ++ unsigned int flags; ++#if defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || defined(EAP_SERVER_FAST) ++ tls_session_ticket_cb session_ticket_cb; ++ void *session_ticket_cb_ctx; ++ byte session_ticket[SESSION_TICKET_LEN]; ++#endif ++ unsigned int ca_cert_verify:1; ++ unsigned int cert_probe:1; ++ unsigned int server_cert_only:1; ++ unsigned int success_data:1; ++ ++ WOLFSSL_X509 *peer_cert; ++ WOLFSSL_X509 *peer_issuer; ++ WOLFSSL_X509 *peer_issuer_issuer; ++}; ++ ++ ++static struct tls_context * tls_context_new(const struct tls_config *conf) ++{ ++ struct tls_context *context = os_zalloc(sizeof(*context)); ++ ++ if (!context) ++ return NULL; ++ ++ if (conf) { ++ context->event_cb = conf->event_cb; ++ context->cb_ctx = conf->cb_ctx; ++ context->cert_in_cb = conf->cert_in_cb; ++ } ++ ++ return context; ++} ++ ++ ++static void wolfssl_reset_in_data(struct tls_in_data *in, ++ const struct wpabuf *buf) ++{ ++ /* old one not owned by us so don't free */ ++ in->in_data = buf; ++ in->consumed = 0; ++} ++ ++ ++static void wolfssl_reset_out_data(struct tls_out_data *out) ++{ ++ /* old one not owned by us so don't free */ ++ out->out_data = wpabuf_alloc_copy("", 0); ++} ++ ++ ++/* wolfSSL I/O Receive CallBack */ ++static int wolfssl_receive_cb(WOLFSSL *ssl, char *buf, int sz, void *ctx) ++{ ++ size_t get = sz; ++ struct tls_in_data *data = ctx; ++ ++ if (!data) ++ return -1; ++ ++ if (get > (wpabuf_len(data->in_data) - data->consumed)) ++ get = wpabuf_len(data->in_data) - data->consumed; ++ ++ os_memcpy(buf, wpabuf_head(data->in_data) + data->consumed, get); ++ data->consumed += get; ++ ++ if (get == 0) ++ return -2; /* WANT_READ */ ++ ++ return (int) get; ++} ++ ++ ++/* wolfSSL I/O Send CallBack */ ++static int wolfssl_send_cb(WOLFSSL *ssl, char *buf, int sz, void *ctx) ++{ ++ struct wpabuf *tmp; ++ struct tls_out_data *data = ctx; ++ ++ if (!data) ++ return -1; ++ ++ wpa_printf(MSG_DEBUG, "SSL: adding %d bytes", sz); ++ ++ tmp = wpabuf_alloc_copy(buf, sz); ++ if (!tmp) ++ return -1; ++ data->out_data = wpabuf_concat(data->out_data, tmp); ++ if (!data->out_data) ++ return -1; ++ ++ return sz; ++} ++ ++ ++static void remove_session_cb(WOLFSSL_CTX *ctx, WOLFSSL_SESSION *sess) ++{ ++ struct wpabuf *buf; ++ ++ buf = wolfSSL_SESSION_get_ex_data(sess, tls_ex_idx_session); ++ if (!buf) ++ return; ++ wpa_printf(MSG_DEBUG, ++ "wolfSSL: Free application session data %p (sess %p)", ++ buf, sess); ++ wpabuf_free(buf); ++ ++ wolfSSL_SESSION_set_ex_data(sess, tls_ex_idx_session, NULL); ++} ++ ++ ++void * tls_init(const struct tls_config *conf) ++{ ++ WOLFSSL_CTX *ssl_ctx; ++ struct tls_context *context; ++ const char *ciphers; ++ ++#ifdef DEBUG_WOLFSSL ++ wolfSSL_Debugging_ON(); ++#endif /* DEBUG_WOLFSSL */ ++ ++ context = tls_context_new(conf); ++ if (!context) ++ return NULL; ++ ++ if (tls_ref_count == 0) { ++ tls_global = context; ++ ++ if (wolfSSL_Init() < 0) ++ return NULL; ++ /* wolfSSL_Debugging_ON(); */ ++ } ++ ++ tls_ref_count++; ++ ++ /* start as client */ ++ ssl_ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()); ++ if (!ssl_ctx) { ++ tls_ref_count--; ++ if (context != tls_global) ++ os_free(context); ++ if (tls_ref_count == 0) { ++ os_free(tls_global); ++ tls_global = NULL; ++ } ++ } ++ wolfSSL_SetIORecv(ssl_ctx, wolfssl_receive_cb); ++ wolfSSL_SetIOSend(ssl_ctx, wolfssl_send_cb); ++ wolfSSL_CTX_set_ex_data(ssl_ctx, 0, context); ++ ++ if (conf->tls_session_lifetime > 0) { ++ wolfSSL_CTX_set_quiet_shutdown(ssl_ctx, 1); ++ wolfSSL_CTX_set_session_cache_mode(ssl_ctx, ++ SSL_SESS_CACHE_SERVER); ++ wolfSSL_CTX_set_timeout(ssl_ctx, conf->tls_session_lifetime); ++ wolfSSL_CTX_sess_set_remove_cb(ssl_ctx, remove_session_cb); ++ } else { ++ wolfSSL_CTX_set_session_cache_mode(ssl_ctx, ++ SSL_SESS_CACHE_CLIENT); ++ } ++ ++ if (conf && conf->openssl_ciphers) ++ ciphers = conf->openssl_ciphers; ++ else ++ ciphers = "ALL"; ++ if (wolfSSL_CTX_set_cipher_list(ssl_ctx, ciphers) != 1) { ++ wpa_printf(MSG_ERROR, ++ "wolfSSL: Failed to set cipher string '%s'", ++ ciphers); ++ tls_deinit(ssl_ctx); ++ return NULL; ++ } ++ ++ return ssl_ctx; ++} ++ ++ ++void tls_deinit(void *ssl_ctx) ++{ ++ struct tls_context *context = wolfSSL_CTX_get_ex_data(ssl_ctx, 0); ++ ++ if (context != tls_global) ++ os_free(context); ++ ++ wolfSSL_CTX_free((WOLFSSL_CTX *) ssl_ctx); ++ ++ tls_ref_count--; ++ if (tls_ref_count == 0) { ++ wolfSSL_Cleanup(); ++ os_free(tls_global); ++ tls_global = NULL; ++ } ++} ++ ++ ++int tls_get_errors(void *tls_ctx) ++{ ++#ifdef DEBUG_WOLFSSL ++#if 0 ++ unsigned long err; ++ ++ err = wolfSSL_ERR_peek_last_error_line(NULL, NULL); ++ if (err != 0) { ++ wpa_printf(MSG_INFO, "TLS - SSL error: %s", ++ wolfSSL_ERR_error_string(err, NULL)); ++ return 1; ++ } ++#endif ++#endif /* DEBUG_WOLFSSL */ ++ return 0; ++} ++ ++ ++struct tls_connection * tls_connection_init(void *tls_ctx) ++{ ++ WOLFSSL_CTX *ssl_ctx = tls_ctx; ++ struct tls_connection *conn; ++ ++ wpa_printf(MSG_DEBUG, "SSL: connection init"); ++ ++ conn = os_zalloc(sizeof(*conn)); ++ if (!conn) ++ return NULL; ++ conn->ssl = wolfSSL_new(ssl_ctx); ++ if (!conn->ssl) { ++ os_free(conn); ++ return NULL; ++ } ++ ++ wolfSSL_SetIOReadCtx(conn->ssl, &conn->input); ++ wolfSSL_SetIOWriteCtx(conn->ssl, &conn->output); ++ wolfSSL_set_ex_data(conn->ssl, 0, conn); ++ conn->context = wolfSSL_CTX_get_ex_data(ssl_ctx, 0); ++ ++ /* Need randoms post-hanshake for EAP-FAST, export key and deriving ++ * session ID in EAP methods. */ ++ wolfSSL_KeepArrays(conn->ssl); ++ wolfSSL_KeepHandshakeResources(conn->ssl); ++ wolfSSL_UseClientSuites(conn->ssl); ++ ++ return conn; ++} ++ ++ ++void tls_connection_deinit(void *tls_ctx, struct tls_connection *conn) ++{ ++ if (!conn) ++ return; ++ ++ wpa_printf(MSG_DEBUG, "SSL: connection deinit"); ++ ++ /* parts */ ++ wolfSSL_free(conn->ssl); ++ os_free(conn->subject_match); ++ os_free(conn->alt_subject_match); ++ os_free(conn->suffix_match); ++ os_free(conn->domain_match); ++ ++ /* self */ ++ os_free(conn); ++} ++ ++ ++int tls_connection_established(void *tls_ctx, struct tls_connection *conn) ++{ ++ return conn ? wolfSSL_is_init_finished(conn->ssl) : 0; ++} ++ ++ ++int tls_connection_shutdown(void *tls_ctx, struct tls_connection *conn) ++{ ++ WOLFSSL_SESSION *session; ++ ++ if (!conn) ++ return -1; ++ ++ wpa_printf(MSG_DEBUG, "SSL: connection shutdown"); ++ ++ /* Set quiet as OpenSSL does */ ++ wolfSSL_set_quiet_shutdown(conn->ssl, 1); ++ wolfSSL_shutdown(conn->ssl); ++ ++ session = wolfSSL_get_session(conn->ssl); ++ if (wolfSSL_clear(conn->ssl) != 1) ++ return -1; ++ wolfSSL_set_session(conn->ssl, session); ++ ++ return 0; ++} ++ ++ ++static int tls_connection_set_subject_match(struct tls_connection *conn, ++ const char *subject_match, ++ const char *alt_subject_match, ++ const char *suffix_match, ++ const char *domain_match) ++{ ++ os_free(conn->subject_match); ++ conn->subject_match = NULL; ++ if (subject_match) { ++ conn->subject_match = os_strdup(subject_match); ++ if (!conn->subject_match) ++ return -1; ++ } ++ ++ os_free(conn->alt_subject_match); ++ conn->alt_subject_match = NULL; ++ if (alt_subject_match) { ++ conn->alt_subject_match = os_strdup(alt_subject_match); ++ if (!conn->alt_subject_match) ++ return -1; ++ } ++ ++ os_free(conn->suffix_match); ++ conn->suffix_match = NULL; ++ if (suffix_match) { ++ conn->suffix_match = os_strdup(suffix_match); ++ if (!conn->suffix_match) ++ return -1; ++ } ++ ++ os_free(conn->domain_match); ++ conn->domain_match = NULL; ++ if (domain_match) { ++ conn->domain_match = os_strdup(domain_match); ++ if (!conn->domain_match) ++ return -1; ++ } ++ ++ return 0; ++} ++ ++ ++static int tls_connection_dh(struct tls_connection *conn, const char *dh_file, ++ const u8 *dh_blob, size_t blob_len) ++{ ++ if (!dh_file && !dh_blob) ++ return 0; ++ ++ wolfSSL_set_accept_state(conn->ssl); ++ ++ if (dh_blob) { ++ if (wolfSSL_SetTmpDH_buffer(conn->ssl, dh_blob, blob_len, ++ SSL_FILETYPE_ASN1) < 0) { ++ wpa_printf(MSG_INFO, "SSL: use DH DER blob failed"); ++ return -1; ++ } ++ wpa_printf(MSG_DEBUG, "SSL: use DH blob OK"); ++ return 0; ++ } ++ ++ if (dh_file) { ++ wpa_printf(MSG_INFO, "SSL: use DH PEM file: %s", dh_file); ++ if (wolfSSL_SetTmpDH_file(conn->ssl, dh_file, ++ SSL_FILETYPE_PEM) < 0) { ++ wpa_printf(MSG_INFO, "SSL: use DH PEM file failed"); ++ if (wolfSSL_SetTmpDH_file(conn->ssl, dh_file, ++ SSL_FILETYPE_ASN1) < 0) { ++ wpa_printf(MSG_INFO, ++ "SSL: use DH DER file failed"); ++ return -1; ++ } ++ } ++ wpa_printf(MSG_DEBUG, "SSL: use DH file OK"); ++ return 0; ++ } ++ ++ return 0; ++} ++ ++ ++static int tls_connection_client_cert(struct tls_connection *conn, ++ const char *client_cert, ++ const u8 *client_cert_blob, ++ size_t blob_len) ++{ ++ if (!client_cert && !client_cert_blob) ++ return 0; ++ ++ if (client_cert_blob) { ++ if (wolfSSL_use_certificate_buffer(conn->ssl, client_cert_blob, ++ blob_len, ++ SSL_FILETYPE_ASN1) < 0) { ++ wpa_printf(MSG_INFO, ++ "SSL: use client cert DER blob failed"); ++ return -1; ++ } ++ wpa_printf(MSG_DEBUG, "SSL: use client cert blob OK"); ++ return 0; ++ } ++ ++ if (client_cert) { ++ if (wolfSSL_use_certificate_file(conn->ssl, client_cert, ++ SSL_FILETYPE_PEM) < 0) { ++ wpa_printf(MSG_INFO, ++ "SSL: use client cert PEM file failed"); ++ if (wolfSSL_use_certificate_file( ++ conn->ssl, client_cert, ++ SSL_FILETYPE_ASN1) < 0) { ++ wpa_printf(MSG_INFO, ++ "SSL: use client cert DER file failed"); ++ return -1; ++ } ++ } ++ wpa_printf(MSG_DEBUG, "SSL: use client cert file OK"); ++ return 0; ++ } ++ ++ return 0; ++} ++ ++ ++static int tls_passwd_cb(char *buf, int size, int rwflag, void *password) ++{ ++ if (!password) ++ return 0; ++ os_strlcpy(buf, (char *) password, size); ++ return os_strlen(buf); ++} ++ ++ ++static int tls_connection_private_key(void *tls_ctx, ++ struct tls_connection *conn, ++ const char *private_key, ++ const char *private_key_passwd, ++ const u8 *private_key_blob, ++ size_t blob_len) ++{ ++ WOLFSSL_CTX *ctx = tls_ctx; ++ char *passwd = NULL; ++ int ok = 0; ++ ++ if (!private_key && !private_key_blob) ++ return 0; ++ ++ if (private_key_passwd) { ++ passwd = os_strdup(private_key_passwd); ++ if (!passwd) ++ return -1; ++ } ++ ++ wolfSSL_CTX_set_default_passwd_cb(ctx, tls_passwd_cb); ++ wolfSSL_CTX_set_default_passwd_cb_userdata(ctx, passwd); ++ ++ if (private_key_blob) { ++ if (wolfSSL_use_PrivateKey_buffer(conn->ssl, ++ private_key_blob, blob_len, ++ SSL_FILETYPE_ASN1) < 0) { ++ wpa_printf(MSG_INFO, ++ "SSL: use private DER blob failed"); ++ } else { ++ wpa_printf(MSG_DEBUG, "SSL: use private key blob OK"); ++ ok = 1; ++ } ++ } ++ ++ if (!ok && private_key) { ++ if (wolfSSL_use_PrivateKey_file(conn->ssl, private_key, ++ SSL_FILETYPE_PEM) < 0) { ++ wpa_printf(MSG_INFO, ++ "SSL: use private key PEM file failed"); ++ if (wolfSSL_use_PrivateKey_file(conn->ssl, private_key, ++ SSL_FILETYPE_ASN1) < 0) ++ { ++ wpa_printf(MSG_INFO, ++ "SSL: use private key DER file failed"); ++ } else { ++ ok = 1; ++ } ++ } else { ++ ok = 1; ++ } ++ ++ if (ok) ++ wpa_printf(MSG_DEBUG, "SSL: use private key file OK"); ++ } ++ ++ wolfSSL_CTX_set_default_passwd_cb(ctx, NULL); ++ os_free(passwd); ++ ++ if (!ok) ++ return -1; ++ ++ return 0; ++} ++ ++ ++#define GEN_EMAIL 1 ++#define GEN_DNS ALT_NAMES_OID ++#define GEN_URI 6 ++ ++static int tls_match_alt_subject_component(WOLFSSL_X509 *cert, int type, ++ const char *value, size_t len) ++{ ++ WOLFSSL_ASN1_OBJECT *gen; ++ void *ext; ++ int found = 0; ++ int i; ++ ++ ext = wolfSSL_X509_get_ext_d2i(cert, ALT_NAMES_OID, NULL, NULL); ++ ++ for (i = 0; ext && i < wolfSSL_sk_num(ext); i++) { ++ gen = wolfSSL_sk_value(ext, i); ++ if (gen->type != type) ++ continue; ++ if (os_strlen((char *) gen->obj) == len && ++ os_memcmp(value, gen->obj, len) == 0) ++ found++; ++ } ++ ++ wolfSSL_sk_ASN1_OBJECT_free(ext); ++ ++ return found; ++} ++ ++ ++static int tls_match_alt_subject(WOLFSSL_X509 *cert, const char *match) ++{ ++ int type; ++ const char *pos, *end; ++ size_t len; ++ ++ pos = match; ++ do { ++ if (os_strncmp(pos, "EMAIL:", 6) == 0) { ++ type = GEN_EMAIL; ++ pos += 6; ++ } else if (os_strncmp(pos, "DNS:", 4) == 0) { ++ type = GEN_DNS; ++ pos += 4; ++ } else if (os_strncmp(pos, "URI:", 4) == 0) { ++ type = GEN_URI; ++ pos += 4; ++ } else { ++ wpa_printf(MSG_INFO, ++ "TLS: Invalid altSubjectName match '%s'", ++ pos); ++ return 0; ++ } ++ end = os_strchr(pos, ';'); ++ while (end) { ++ if (os_strncmp(end + 1, "EMAIL:", 6) == 0 || ++ os_strncmp(end + 1, "DNS:", 4) == 0 || ++ os_strncmp(end + 1, "URI:", 4) == 0) ++ break; ++ end = os_strchr(end + 1, ';'); ++ } ++ if (end) ++ len = end - pos; ++ else ++ len = os_strlen(pos); ++ if (tls_match_alt_subject_component(cert, type, pos, len) > 0) ++ return 1; ++ pos = end + 1; ++ } while (end); ++ ++ return 0; ++} ++ ++ ++static int domain_suffix_match(const char *val, size_t len, const char *match, ++ int full) ++{ ++ size_t i, match_len; ++ ++ /* Check for embedded nuls that could mess up suffix matching */ ++ for (i = 0; i < len; i++) { ++ if (val[i] == '\0') { ++ wpa_printf(MSG_DEBUG, ++ "TLS: Embedded null in a string - reject"); ++ return 0; ++ } ++ } ++ ++ match_len = os_strlen(match); ++ if (match_len > len || (full && match_len != len)) ++ return 0; ++ ++ if (os_strncasecmp(val + len - match_len, match, match_len) != 0) ++ return 0; /* no match */ ++ ++ if (match_len == len) ++ return 1; /* exact match */ ++ ++ if (val[len - match_len - 1] == '.') ++ return 1; /* full label match completes suffix match */ ++ ++ wpa_printf(MSG_DEBUG, "TLS: Reject due to incomplete label match"); ++ return 0; ++} ++ ++ ++static int tls_match_suffix(WOLFSSL_X509 *cert, const char *match, int full) ++{ ++ WOLFSSL_ASN1_OBJECT *gen; ++ void *ext; ++ int i; ++ int j; ++ int dns_name = 0; ++ WOLFSSL_X509_NAME *name; ++ ++ wpa_printf(MSG_DEBUG, "TLS: Match domain against %s%s", ++ full ? "" : "suffix ", match); ++ ++ ext = wolfSSL_X509_get_ext_d2i(cert, ALT_NAMES_OID, NULL, NULL); ++ ++ for (j = 0; ext && j < wolfSSL_sk_num(ext); j++) { ++ gen = wolfSSL_sk_value(ext, j); ++ if (gen->type != ALT_NAMES_OID) ++ continue; ++ dns_name++; ++ wpa_hexdump_ascii(MSG_DEBUG, "TLS: Certificate dNSName", ++ gen->obj, os_strlen((char *)gen->obj)); ++ if (domain_suffix_match((const char *) gen->obj, ++ os_strlen((char *) gen->obj), match, ++ full) == 1) { ++ wpa_printf(MSG_DEBUG, "TLS: %s in dNSName found", ++ full ? "Match" : "Suffix match"); ++ wolfSSL_sk_ASN1_OBJECT_free(ext); ++ return 1; ++ } ++ } ++ wolfSSL_sk_ASN1_OBJECT_free(ext); ++ ++ if (dns_name) { ++ wpa_printf(MSG_DEBUG, "TLS: None of the dNSName(s) matched"); ++ return 0; ++ } ++ ++ name = wolfSSL_X509_get_subject_name(cert); ++ i = -1; ++ for (;;) { ++ WOLFSSL_X509_NAME_ENTRY *e; ++ WOLFSSL_ASN1_STRING *cn; ++ ++ i = wolfSSL_X509_NAME_get_index_by_NID(name, ASN_COMMON_NAME, ++ i); ++ if (i == -1) ++ break; ++ e = wolfSSL_X509_NAME_get_entry(name, i); ++ if (!e) ++ continue; ++ cn = wolfSSL_X509_NAME_ENTRY_get_data(e); ++ if (!cn) ++ continue; ++ wpa_hexdump_ascii(MSG_DEBUG, "TLS: Certificate commonName", ++ cn->data, cn->length); ++ if (domain_suffix_match(cn->data, cn->length, match, full) == 1) ++ { ++ wpa_printf(MSG_DEBUG, "TLS: %s in commonName found", ++ full ? "Match" : "Suffix match"); ++ return 1; ++ } ++ } ++ ++ wpa_printf(MSG_DEBUG, "TLS: No CommonName %smatch found", ++ full ? "" : "suffix "); ++ return 0; ++} ++ ++ ++static enum tls_fail_reason wolfssl_tls_fail_reason(int err) ++{ ++ switch (err) { ++ case X509_V_ERR_CERT_REVOKED: ++ return TLS_FAIL_REVOKED; ++ case ASN_BEFORE_DATE_E: ++ case X509_V_ERR_CERT_NOT_YET_VALID: ++ case X509_V_ERR_CRL_NOT_YET_VALID: ++ return TLS_FAIL_NOT_YET_VALID; ++ case ASN_AFTER_DATE_E: ++ case X509_V_ERR_CERT_HAS_EXPIRED: ++ case X509_V_ERR_CRL_HAS_EXPIRED: ++ return TLS_FAIL_EXPIRED; ++ case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: ++ case X509_V_ERR_UNABLE_TO_GET_CRL: ++ case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER: ++ case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: ++ case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: ++ case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: ++ case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: ++ case X509_V_ERR_CERT_CHAIN_TOO_LONG: ++ case X509_V_ERR_PATH_LENGTH_EXCEEDED: ++ case X509_V_ERR_INVALID_CA: ++ return TLS_FAIL_UNTRUSTED; ++ case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: ++ case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: ++ case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: ++ case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: ++ case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: ++ case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: ++ case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: ++ case X509_V_ERR_CERT_UNTRUSTED: ++ case X509_V_ERR_CERT_REJECTED: ++ return TLS_FAIL_BAD_CERTIFICATE; ++ default: ++ return TLS_FAIL_UNSPECIFIED; ++ } ++} ++ ++ ++static const char * wolfssl_tls_err_string(int err, const char *err_str) ++{ ++ switch (err) { ++ case ASN_BEFORE_DATE_E: ++ return "certificate is not yet valid"; ++ case ASN_AFTER_DATE_E: ++ return "certificate has expired"; ++ default: ++ return err_str; ++ } ++} ++ ++ ++static struct wpabuf * get_x509_cert(WOLFSSL_X509 *cert) ++{ ++ struct wpabuf *buf = NULL; ++ const u8 *data; ++ int cert_len; ++ ++ data = wolfSSL_X509_get_der(cert, &cert_len); ++ if (!data) ++ buf = wpabuf_alloc_copy(data, cert_len); ++ ++ return buf; ++} ++ ++ ++static void wolfssl_tls_fail_event(struct tls_connection *conn, ++ WOLFSSL_X509 *err_cert, int err, int depth, ++ const char *subject, const char *err_str, ++ enum tls_fail_reason reason) ++{ ++ union tls_event_data ev; ++ struct wpabuf *cert = NULL; ++ struct tls_context *context = conn->context; ++ ++ if (!context->event_cb) ++ return; ++ ++ cert = get_x509_cert(err_cert); ++ os_memset(&ev, 0, sizeof(ev)); ++ ev.cert_fail.reason = reason != TLS_FAIL_UNSPECIFIED ? ++ reason : wolfssl_tls_fail_reason(err); ++ ev.cert_fail.depth = depth; ++ ev.cert_fail.subject = subject; ++ ev.cert_fail.reason_txt = wolfssl_tls_err_string(err, err_str); ++ ev.cert_fail.cert = cert; ++ context->event_cb(context->cb_ctx, TLS_CERT_CHAIN_FAILURE, &ev); ++ wpabuf_free(cert); ++} ++ ++ ++static void wolfssl_tls_cert_event(struct tls_connection *conn, ++ WOLFSSL_X509 *err_cert, int depth, ++ const char *subject) ++{ ++ struct wpabuf *cert = NULL; ++ union tls_event_data ev; ++ struct tls_context *context = conn->context; ++ char *alt_subject[TLS_MAX_ALT_SUBJECT]; ++ int alt, num_alt_subject = 0; ++ WOLFSSL_ASN1_OBJECT *gen; ++ void *ext; ++ int i; ++#ifdef CONFIG_SHA256 ++ u8 hash[32]; ++#endif /* CONFIG_SHA256 */ ++ ++ if (!context->event_cb) ++ return; ++ ++ os_memset(&ev, 0, sizeof(ev)); ++ if (conn->cert_probe || (conn->flags & TLS_CONN_EXT_CERT_CHECK) || ++ context->cert_in_cb) { ++ cert = get_x509_cert(err_cert); ++ ev.peer_cert.cert = cert; ++ } ++ ++#ifdef CONFIG_SHA256 ++ if (cert) { ++ const u8 *addr[1]; ++ size_t len[1]; ++ ++ addr[0] = wpabuf_head(cert); ++ len[0] = wpabuf_len(cert); ++ if (sha256_vector(1, addr, len, hash) == 0) { ++ ev.peer_cert.hash = hash; ++ ev.peer_cert.hash_len = sizeof(hash); ++ } ++ } ++#endif /* CONFIG_SHA256 */ ++ ++ ev.peer_cert.depth = depth; ++ ev.peer_cert.subject = subject; ++ ++ ext = wolfSSL_X509_get_ext_d2i(err_cert, ALT_NAMES_OID, NULL, NULL); ++ for (i = 0; ext && i < wolfSSL_sk_num(ext); i++) { ++ char *pos; ++ ++ if (num_alt_subject == TLS_MAX_ALT_SUBJECT) ++ break; ++ gen = wolfSSL_sk_value((void *) ext, i); ++#if 0 ++ if (gen->type != GEN_EMAIL && ++ gen->type != GEN_DNS && ++ gen->type != GEN_URI) ++ continue; ++#endif ++ ++ pos = os_malloc(10 + os_strlen((char *) gen->obj) + 1); ++ if (!pos) ++ break; ++ alt_subject[num_alt_subject++] = pos; ++ ++#if 0 ++ switch (gen->type) { ++ case GEN_EMAIL: ++ os_memcpy(pos, "EMAIL:", 6); ++ pos += 6; ++ break; ++ case GEN_DNS: ++ os_memcpy(pos, "DNS:", 4); ++ pos += 4; ++ break; ++ case GEN_URI: ++ os_memcpy(pos, "URI:", 4); ++ pos += 4; ++ break; ++ } ++#else ++ os_memcpy(pos, "DNS:", 4); ++ pos += 4; ++#endif ++ ++ os_memcpy(pos, gen->obj, os_strlen((char *)gen->obj)); ++ pos += os_strlen((char *)gen->obj); ++ *pos = '\0'; ++ } ++ wolfSSL_sk_ASN1_OBJECT_free(ext); ++ ++ for (alt = 0; alt < num_alt_subject; alt++) ++ ev.peer_cert.altsubject[alt] = alt_subject[alt]; ++ ev.peer_cert.num_altsubject = num_alt_subject; ++ ++ context->event_cb(context->cb_ctx, TLS_PEER_CERTIFICATE, &ev); ++ wpabuf_free(cert); ++ for (alt = 0; alt < num_alt_subject; alt++) ++ os_free(alt_subject[alt]); ++} ++ ++ ++static int tls_verify_cb(int preverify_ok, WOLFSSL_X509_STORE_CTX *x509_ctx) ++{ ++ char buf[256]; ++ WOLFSSL_X509 *err_cert; ++ int err, depth; ++ WOLFSSL *ssl; ++ struct tls_connection *conn; ++ struct tls_context *context; ++ char *match, *altmatch, *suffix_match, *domain_match; ++ const char *err_str; ++ ++ err_cert = wolfSSL_X509_STORE_CTX_get_current_cert(x509_ctx); ++ if (!err_cert) { ++ wpa_printf(MSG_DEBUG, "wolfSSL: No Cert"); ++ return 0; ++ } ++ ++ err = wolfSSL_X509_STORE_CTX_get_error(x509_ctx); ++ depth = wolfSSL_X509_STORE_CTX_get_error_depth(x509_ctx); ++ ssl = wolfSSL_X509_STORE_CTX_get_ex_data( ++ x509_ctx, wolfSSL_get_ex_data_X509_STORE_CTX_idx()); ++ wolfSSL_X509_NAME_oneline(wolfSSL_X509_get_subject_name(err_cert), buf, ++ sizeof(buf)); ++ ++ conn = wolfSSL_get_ex_data(ssl, 0); ++ if (!conn) { ++ wpa_printf(MSG_DEBUG, "wolfSSL: No ex_data"); ++ return 0; ++ } ++ ++ if (depth == 0) ++ conn->peer_cert = err_cert; ++ else if (depth == 1) ++ conn->peer_issuer = err_cert; ++ else if (depth == 2) ++ conn->peer_issuer_issuer = err_cert; ++ ++ context = conn->context; ++ match = conn->subject_match; ++ altmatch = conn->alt_subject_match; ++ suffix_match = conn->suffix_match; ++ domain_match = conn->domain_match; ++ ++ if (!preverify_ok && !conn->ca_cert_verify) ++ preverify_ok = 1; ++ if (!preverify_ok && depth > 0 && conn->server_cert_only) ++ preverify_ok = 1; ++ if (!preverify_ok && (conn->flags & TLS_CONN_DISABLE_TIME_CHECKS) && ++ (err == X509_V_ERR_CERT_HAS_EXPIRED || ++ err == ASN_AFTER_DATE_E || err == ASN_BEFORE_DATE_E || ++ err == X509_V_ERR_CERT_NOT_YET_VALID)) { ++ wpa_printf(MSG_DEBUG, ++ "wolfSSL: Ignore certificate validity time mismatch"); ++ preverify_ok = 1; ++ } ++ ++ err_str = wolfSSL_X509_verify_cert_error_string(err); ++ ++#ifdef CONFIG_SHA256 ++ /* ++ * Do not require preverify_ok so we can explicity allow otherwise ++ * invalid pinned server certificates. ++ */ ++ if (depth == 0 && conn->server_cert_only) { ++ struct wpabuf *cert; ++ ++ cert = get_x509_cert(err_cert); ++ if (!cert) { ++ wpa_printf(MSG_DEBUG, ++ "wolfSSL: Could not fetch server certificate data"); ++ preverify_ok = 0; ++ } else { ++ u8 hash[32]; ++ const u8 *addr[1]; ++ size_t len[1]; ++ ++ addr[0] = wpabuf_head(cert); ++ len[0] = wpabuf_len(cert); ++ if (sha256_vector(1, addr, len, hash) < 0 || ++ os_memcmp(conn->srv_cert_hash, hash, 32) != 0) { ++ err_str = "Server certificate mismatch"; ++ err = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN; ++ preverify_ok = 0; ++ } else if (!preverify_ok) { ++ /* ++ * Certificate matches pinned certificate, allow ++ * regardless of other problems. ++ */ ++ wpa_printf(MSG_DEBUG, ++ "wolfSSL: Ignore validation issues for a pinned server certificate"); ++ preverify_ok = 1; ++ } ++ wpabuf_free(cert); ++ } ++ } ++#endif /* CONFIG_SHA256 */ ++ ++ if (!preverify_ok) { ++ wpa_printf(MSG_WARNING, ++ "TLS: Certificate verification failed, error %d (%s) depth %d for '%s'", ++ err, err_str, depth, buf); ++ wolfssl_tls_fail_event(conn, err_cert, err, depth, buf, ++ err_str, TLS_FAIL_UNSPECIFIED); ++ return preverify_ok; ++ } ++ ++ wpa_printf(MSG_DEBUG, ++ "TLS: %s - preverify_ok=%d err=%d (%s) ca_cert_verify=%d depth=%d buf='%s'", ++ __func__, preverify_ok, err, err_str, ++ conn->ca_cert_verify, depth, buf); ++ if (depth == 0 && match && os_strstr(buf, match) == NULL) { ++ wpa_printf(MSG_WARNING, ++ "TLS: Subject '%s' did not match with '%s'", ++ buf, match); ++ preverify_ok = 0; ++ wolfssl_tls_fail_event(conn, err_cert, err, depth, buf, ++ "Subject mismatch", ++ TLS_FAIL_SUBJECT_MISMATCH); ++ } else if (depth == 0 && altmatch && ++ !tls_match_alt_subject(err_cert, altmatch)) { ++ wpa_printf(MSG_WARNING, ++ "TLS: altSubjectName match '%s' not found", ++ altmatch); ++ preverify_ok = 0; ++ wolfssl_tls_fail_event(conn, err_cert, err, depth, buf, ++ "AltSubject mismatch", ++ TLS_FAIL_ALTSUBJECT_MISMATCH); ++ } else if (depth == 0 && suffix_match && ++ !tls_match_suffix(err_cert, suffix_match, 0)) { ++ wpa_printf(MSG_WARNING, ++ "TLS: Domain suffix match '%s' not found", ++ suffix_match); ++ preverify_ok = 0; ++ wolfssl_tls_fail_event(conn, err_cert, err, depth, buf, ++ "Domain suffix mismatch", ++ TLS_FAIL_DOMAIN_SUFFIX_MISMATCH); ++ } else if (depth == 0 && domain_match && ++ !tls_match_suffix(err_cert, domain_match, 1)) { ++ wpa_printf(MSG_WARNING, "TLS: Domain match '%s' not found", ++ domain_match); ++ preverify_ok = 0; ++ wolfssl_tls_fail_event(conn, err_cert, err, depth, buf, ++ "Domain mismatch", ++ TLS_FAIL_DOMAIN_MISMATCH); ++ } else { ++ wolfssl_tls_cert_event(conn, err_cert, depth, buf); ++ } ++ ++ if (conn->cert_probe && preverify_ok && depth == 0) { ++ wpa_printf(MSG_DEBUG, ++ "wolfSSL: Reject server certificate on probe-only run"); ++ preverify_ok = 0; ++ wolfssl_tls_fail_event(conn, err_cert, err, depth, buf, ++ "Server certificate chain probe", ++ TLS_FAIL_SERVER_CHAIN_PROBE); ++ } ++ ++#ifdef HAVE_OCSP_OPENSSL ++ if (depth == 0 && (conn->flags & TLS_CONN_REQUEST_OCSP) && ++ preverify_ok) { ++ enum ocsp_result res; ++ ++ res = check_ocsp_resp(conn->ssl_ctx, conn->ssl, err_cert, ++ conn->peer_issuer, ++ conn->peer_issuer_issuer); ++ if (res == OCSP_REVOKED) { ++ preverify_ok = 0; ++ wolfssl_tls_fail_event(conn, err_cert, err, depth, buf, ++ "certificate revoked", ++ TLS_FAIL_REVOKED); ++ if (err == X509_V_OK) ++ X509_STORE_CTX_set_error( ++ x509_ctx, X509_V_ERR_CERT_REVOKED); ++ } else if (res != OCSP_GOOD && ++ (conn->flags & TLS_CONN_REQUIRE_OCSP)) { ++ preverify_ok = 0; ++ wolfssl_tls_fail_event(conn, err_cert, err, depth, buf, ++ "bad certificate status response", ++ TLS_FAIL_UNSPECIFIED); ++ } ++ } ++#endif /* HAVE_OCSP */ ++ if (depth == 0 && preverify_ok && context->event_cb != NULL) ++ context->event_cb(context->cb_ctx, ++ TLS_CERT_CHAIN_SUCCESS, NULL); ++ ++ return preverify_ok; ++} ++ ++ ++static int tls_connection_ca_cert(void *tls_ctx, struct tls_connection *conn, ++ const char *ca_cert, ++ const u8 *ca_cert_blob, size_t blob_len, ++ const char *ca_path) ++{ ++ WOLFSSL_CTX *ctx = tls_ctx; ++ ++ wolfSSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb); ++ conn->ca_cert_verify = 1; ++ ++ if (ca_cert && os_strncmp(ca_cert, "probe://", 8) == 0) { ++ wpa_printf(MSG_DEBUG, ++ "wolfSSL: Probe for server certificate chain"); ++ conn->cert_probe = 1; ++ conn->ca_cert_verify = 0; ++ return 0; ++ } ++ ++ if (ca_cert && os_strncmp(ca_cert, "hash://", 7) == 0) { ++#ifdef CONFIG_SHA256 ++ const char *pos = ca_cert + 7; ++ ++ if (os_strncmp(pos, "server/sha256/", 14) != 0) { ++ wpa_printf(MSG_DEBUG, ++ "wolfSSL: Unsupported ca_cert hash value '%s'", ++ ca_cert); ++ return -1; ++ } ++ pos += 14; ++ if (os_strlen(pos) != 32 * 2) { ++ wpa_printf(MSG_DEBUG, ++ "wolfSSL: Unexpected SHA256 hash length in ca_cert '%s'", ++ ca_cert); ++ return -1; ++ } ++ if (hexstr2bin(pos, conn->srv_cert_hash, 32) < 0) { ++ wpa_printf(MSG_DEBUG, ++ "wolfSSL: Invalid SHA256 hash value in ca_cert '%s'", ++ ca_cert); ++ return -1; ++ } ++ conn->server_cert_only = 1; ++ wpa_printf(MSG_DEBUG, ++ "wolfSSL: Checking only server certificate match"); ++ return 0; ++#else /* CONFIG_SHA256 */ ++ wpa_printf(MSG_INFO, ++ "No SHA256 included in the build - cannot validate server certificate hash"); ++ return -1; ++#endif /* CONFIG_SHA256 */ ++ } ++ ++ if (ca_cert_blob) { ++ if (wolfSSL_CTX_load_verify_buffer(ctx, ca_cert_blob, blob_len, ++ SSL_FILETYPE_ASN1) != ++ SSL_SUCCESS) { ++ wpa_printf(MSG_INFO, "SSL: failed to load CA blob"); ++ return -1; ++ } ++ wpa_printf(MSG_DEBUG, "SSL: use CA cert blob OK"); ++ return 0; ++ } ++ ++ if (ca_cert || ca_path) { ++ WOLFSSL_X509_STORE *cm = wolfSSL_X509_STORE_new(); ++ ++ if (!cm) { ++ wpa_printf(MSG_INFO, ++ "SSL: failed to create certificate store"); ++ return -1; ++ } ++ wolfSSL_CTX_set_cert_store(ctx, cm); ++ XFREE(cm, NULL, DYNAMIC_TYPE_X509_STORE); ++ ++ if (wolfSSL_CTX_load_verify_locations(ctx, ca_cert, ca_path) != ++ SSL_SUCCESS) { ++ wpa_printf(MSG_INFO, ++ "SSL: failed to load ca_cert as PEM"); ++ ++ if (!ca_cert) ++ return -1; ++ ++ if (wolfSSL_CTX_der_load_verify_locations( ++ ctx, ca_cert, SSL_FILETYPE_ASN1) != ++ SSL_SUCCESS) { ++ wpa_printf(MSG_INFO, ++ "SSL: failed to load ca_cert as DER"); ++ return -1; ++ } ++ } ++ return 0; ++ } ++ ++ conn->ca_cert_verify = 0; ++ return 0; ++} ++ ++ ++static void tls_set_conn_flags(WOLFSSL *ssl, unsigned int flags) ++{ ++#ifdef HAVE_SESSION_TICKET ++#if 0 ++ if (!(flags & TLS_CONN_DISABLE_SESSION_TICKET)) ++ wolfSSL_UseSessionTicket(ssl); ++#endif ++#endif /* HAVE_SESSION_TICKET */ ++ ++ if (flags & TLS_CONN_DISABLE_TLSv1_0) ++ wolfSSL_set_options(ssl, SSL_OP_NO_TLSv1); ++ if (flags & TLS_CONN_DISABLE_TLSv1_1) ++ wolfSSL_set_options(ssl, SSL_OP_NO_TLSv1_1); ++ if (flags & TLS_CONN_DISABLE_TLSv1_2) ++ wolfSSL_set_options(ssl, SSL_OP_NO_TLSv1_2); ++} ++ ++ ++int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn, ++ const struct tls_connection_params *params) ++{ ++ wpa_printf(MSG_DEBUG, "SSL: set params"); ++ ++ if (tls_connection_set_subject_match(conn, params->subject_match, ++ params->altsubject_match, ++ params->suffix_match, ++ params->domain_match) < 0) { ++ wpa_printf(MSG_INFO, "Error setting subject match"); ++ return -1; ++ } ++ ++ if (tls_connection_ca_cert(tls_ctx, conn, params->ca_cert, ++ params->ca_cert_blob, ++ params->ca_cert_blob_len, ++ params->ca_path) < 0) { ++ wpa_printf(MSG_INFO, "Error setting CA cert"); ++ return -1; ++ } ++ ++ if (tls_connection_client_cert(conn, params->client_cert, ++ params->client_cert_blob, ++ params->client_cert_blob_len) < 0) { ++ wpa_printf(MSG_INFO, "Error setting client cert"); ++ return -1; ++ } ++ ++ if (tls_connection_private_key(tls_ctx, conn, params->private_key, ++ params->private_key_passwd, ++ params->private_key_blob, ++ params->private_key_blob_len) < 0) { ++ wpa_printf(MSG_INFO, "Error setting private key"); ++ return -1; ++ } ++ ++ if (tls_connection_dh(conn, params->dh_file, params->dh_blob, ++ params->dh_blob_len) < 0) { ++ wpa_printf(MSG_INFO, "Error setting DH"); ++ return -1; ++ } ++ ++ if (params->openssl_ciphers && ++ wolfSSL_set_cipher_list(conn->ssl, params->openssl_ciphers) != 1) { ++ wpa_printf(MSG_INFO, ++ "wolfSSL: Failed to set cipher string '%s'", ++ params->openssl_ciphers); ++ return -1; ++ } ++ ++ tls_set_conn_flags(conn->ssl, params->flags); ++ ++#ifdef HAVE_CERTIFICATE_STATUS_REQUEST ++ if (params->flags & TLS_CONN_REQUEST_OCSP) { ++ if (wolfSSL_UseOCSPStapling(conn->ssl, WOLFSSL_CSR_OCSP, ++ WOLFSSL_CSR_OCSP_USE_NONCE) != ++ SSL_SUCCESS) ++ return -1; ++ wolfSSL_CTX_EnableOCSP(tls_ctx, 0); ++ } ++#endif /* HAVE_CERTIFICATE_STATUS_REQUEST */ ++#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 ++ if (params->flags & TLS_CONN_REQUEST_OCSP) { ++ if (wolfSSL_UseOCSPStaplingV2(conn->ssl, ++ WOLFSSL_CSR2_OCSP_MULTI, 0) != ++ SSL_SUCCESS) ++ return -1; ++ wolfSSL_CTX_EnableOCSP(tls_ctx, 0); ++ } ++#endif /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */ ++#if !defined(HAVE_CERTIFICATE_STATUS_REQUEST) && \ ++ !defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) ++#ifdef HAVE_OCSP ++ if (params->flags & TLS_CONN_REQUEST_OCSP) ++ wolfSSL_CTX_EnableOCSP(ctx, 0); ++#else /* HAVE_OCSP */ ++ if (params->flags & TLS_CONN_REQUIRE_OCSP) { ++ wpa_printf(MSG_INFO, ++ "wolfSSL: No OCSP support included - reject configuration"); ++ return -1; ++ } ++ if (params->flags & TLS_CONN_REQUEST_OCSP) { ++ wpa_printf(MSG_DEBUG, ++ "wolfSSL: No OCSP support included - allow optional OCSP case to continue"); ++ } ++#endif /* HAVE_OCSP */ ++#endif /* !HAVE_CERTIFICATE_STATUS_REQUEST && ++ * !HAVE_CERTIFICATE_STATUS_REQUEST_V2 */ ++ ++ conn->flags = params->flags; ++ ++ return 0; ++} ++ ++ ++static int tls_global_ca_cert(void *ssl_ctx, const char *ca_cert) ++{ ++ WOLFSSL_CTX *ctx = ssl_ctx; ++ ++ if (ca_cert) { ++ if (wolfSSL_CTX_load_verify_locations(ctx, ca_cert, NULL) != 1) ++ { ++ wpa_printf(MSG_WARNING, ++ "Failed to load root certificates"); ++ return -1; ++ } ++ ++ wpa_printf(MSG_DEBUG, ++ "TLS: Trusted root certificate(s) loaded"); ++ } ++ ++ return 0; ++} ++ ++ ++static int tls_global_client_cert(void *ssl_ctx, const char *client_cert) ++{ ++ WOLFSSL_CTX *ctx = ssl_ctx; ++ ++ if (!client_cert) ++ return 0; ++ ++ if (wolfSSL_CTX_use_certificate_file(ctx, client_cert, ++ SSL_FILETYPE_ASN1) != ++ SSL_SUCCESS && ++ wolfSSL_CTX_use_certificate_file(ctx, client_cert, ++ SSL_FILETYPE_PEM) != SSL_SUCCESS) { ++ wpa_printf(MSG_INFO, "Failed to load client certificate"); ++ return -1; ++ } ++ ++ wpa_printf(MSG_DEBUG, "SSL: Loaded global client certificate: %s", ++ client_cert); ++ ++ return 0; ++} ++ ++ ++static int tls_global_private_key(void *ssl_ctx, const char *private_key, ++ const char *private_key_passwd) ++{ ++ WOLFSSL_CTX *ctx = ssl_ctx; ++ char *passwd = NULL; ++ int ret = 0; ++ ++ if (!private_key) ++ return 0; ++ ++ if (private_key_passwd) { ++ passwd = os_strdup(private_key_passwd); ++ if (!passwd) ++ return -1; ++ } ++ ++ wolfSSL_CTX_set_default_passwd_cb(ctx, tls_passwd_cb); ++ wolfSSL_CTX_set_default_passwd_cb_userdata(ctx, passwd); ++ ++ if (wolfSSL_CTX_use_PrivateKey_file(ctx, private_key, ++ SSL_FILETYPE_ASN1) != 1 && ++ wolfSSL_CTX_use_PrivateKey_file(ctx, private_key, ++ SSL_FILETYPE_PEM) != 1) { ++ wpa_printf(MSG_INFO, "Failed to load private key"); ++ ret = -1; ++ } ++ ++ wpa_printf(MSG_DEBUG, "SSL: Loaded global private key"); ++ ++ os_free(passwd); ++ wolfSSL_CTX_set_default_passwd_cb(ctx, NULL); ++ ++ return ret; ++} ++ ++ ++static int tls_global_dh(void *ssl_ctx, const char *dh_file, ++ const u8 *dh_blob, size_t blob_len) ++{ ++ WOLFSSL_CTX *ctx = ssl_ctx; ++ ++ if (!dh_file && !dh_blob) ++ return 0; ++ ++ if (dh_blob) { ++ if (wolfSSL_CTX_SetTmpDH_buffer(ctx, dh_blob, blob_len, ++ SSL_FILETYPE_ASN1) < 0) { ++ wpa_printf(MSG_INFO, ++ "SSL: global use DH DER blob failed"); ++ return -1; ++ } ++ wpa_printf(MSG_DEBUG, "SSL: global use DH blob OK"); ++ return 0; ++ } ++ ++ if (dh_file) { ++ if (wolfSSL_CTX_SetTmpDH_file(ctx, dh_file, SSL_FILETYPE_PEM) < ++ 0) { ++ wpa_printf(MSG_INFO, ++ "SSL: global use DH PEM file failed"); ++ if (wolfSSL_CTX_SetTmpDH_file(ctx, dh_file, ++ SSL_FILETYPE_ASN1) < 0) { ++ wpa_printf(MSG_INFO, ++ "SSL: global use DH DER file failed"); ++ return -1; ++ } ++ } ++ wpa_printf(MSG_DEBUG, "SSL: global use DH file OK"); ++ return 0; ++ } ++ ++ return 0; ++} ++ ++ ++#ifdef HAVE_OCSP ++ ++int ocsp_status_cb(void *unused, const char *url, int url_sz, ++ unsigned char *request, int request_sz, ++ unsigned char **response) ++{ ++ size_t len; ++ ++ (void) unused; ++ ++ if (!url) { ++ wpa_printf(MSG_DEBUG, ++ "wolfSSL: OCSP status callback - no response configured"); ++ *response = NULL; ++ return 0; ++ } ++ ++ *response = (unsigned char *) os_readfile(url, &len); ++ if (!*response) { ++ wpa_printf(MSG_DEBUG, ++ "wolfSSL: OCSP status callback - could not read response file"); ++ return -1; ++ } ++ wpa_printf(MSG_DEBUG, ++ "wolfSSL: OCSP status callback - send cached response"); ++ return len; ++} ++ ++ ++void ocsp_resp_free_cb(void *ocsp_stapling_response, unsigned char *response) ++{ ++ os_free(response); ++} ++ ++#endif /* HAVE_OCSP */ ++ ++ ++int tls_global_set_params(void *tls_ctx, ++ const struct tls_connection_params *params) ++{ ++ wpa_printf(MSG_DEBUG, "SSL: global set params"); ++ ++ if (tls_global_ca_cert(tls_ctx, params->ca_cert) < 0) { ++ wpa_printf(MSG_INFO, "SSL: Failed to load ca cert file '%s'", ++ params->ca_cert); ++ return -1; ++ } ++ ++ if (tls_global_client_cert(tls_ctx, params->client_cert) < 0) { ++ wpa_printf(MSG_INFO, ++ "SSL: Failed to load client cert file '%s'", ++ params->client_cert); ++ return -1; ++ } ++ ++ if (tls_global_private_key(tls_ctx, params->private_key, ++ params->private_key_passwd) < 0) { ++ wpa_printf(MSG_INFO, ++ "SSL: Failed to load private key file '%s'", ++ params->private_key); ++ return -1; ++ } ++ ++ if (tls_global_dh(tls_ctx, params->dh_file, params->dh_blob, ++ params->dh_blob_len) < 0) { ++ wpa_printf(MSG_INFO, "SSL: Failed to load DH file '%s'", ++ params->dh_file); ++ return -1; ++ } ++ ++ if (params->openssl_ciphers && ++ wolfSSL_CTX_set_cipher_list(tls_ctx, ++ params->openssl_ciphers) != 1) { ++ wpa_printf(MSG_INFO, ++ "wolfSSL: Failed to set cipher string '%s'", ++ params->openssl_ciphers); ++ return -1; ++ } ++ ++#ifdef HAVE_SESSION_TICKET ++ /* Session ticket is off by default - can't disable once on. */ ++ if (!(params->flags & TLS_CONN_DISABLE_SESSION_TICKET)) ++ wolfSSL_CTX_UseSessionTicket(tls_ctx); ++#endif /* HAVE_SESSION_TICKET */ ++ ++#ifdef HAVE_OCSP ++ if (params->ocsp_stapling_response) { ++ wolfSSL_CTX_SetOCSP_OverrideURL(tls_ctx, ++ params->ocsp_stapling_response); ++ wolfSSL_CTX_SetOCSP_Cb(tls_ctx, ocsp_status_cb, ++ ocsp_resp_free_cb, NULL); ++ } ++#endif /* HAVE_OCSP */ ++ ++ return 0; ++} ++ ++ ++int tls_global_set_verify(void *tls_ctx, int check_crl) ++{ ++ wpa_printf(MSG_DEBUG, "SSL: global set verify: %d", check_crl); ++ ++ if (check_crl) { ++ /* Hack to Enable CRLs. */ ++ wolfSSL_CTX_LoadCRLBuffer(tls_ctx, NULL, 0, SSL_FILETYPE_PEM); ++ } ++ ++ return 0; ++} ++ ++ ++int tls_connection_set_verify(void *ssl_ctx, struct tls_connection *conn, ++ int verify_peer, unsigned int flags, ++ const u8 *session_ctx, size_t session_ctx_len) ++{ ++ if (!conn) ++ return -1; ++ ++ wpa_printf(MSG_DEBUG, "SSL: set verify: %d", verify_peer); ++ ++ if (verify_peer) { ++ conn->ca_cert_verify = 1; ++ wolfSSL_set_verify(conn->ssl, SSL_VERIFY_PEER | ++ SSL_VERIFY_FAIL_IF_NO_PEER_CERT, ++ tls_verify_cb); ++ } else { ++ conn->ca_cert_verify = 0; ++ wolfSSL_set_verify(conn->ssl, SSL_VERIFY_NONE, NULL); ++ } ++ ++ wolfSSL_set_accept_state(conn->ssl); ++ ++ /* TODO: do we need to fake a session like OpenSSL does here? */ ++ ++ return 0; ++} ++ ++ ++static struct wpabuf * wolfssl_handshake(struct tls_connection *conn, ++ const struct wpabuf *in_data, ++ int server) ++{ ++ int res; ++ ++ wolfssl_reset_out_data(&conn->output); ++ ++ /* Initiate TLS handshake or continue the existing handshake */ ++ if (server) { ++ wolfSSL_set_accept_state(conn->ssl); ++ res = wolfSSL_accept(conn->ssl); ++ wpa_printf(MSG_DEBUG, "SSL: wolfSSL_accept: %d", res); ++ } else { ++ wolfSSL_set_connect_state(conn->ssl); ++ res = wolfSSL_connect(conn->ssl); ++ wpa_printf(MSG_DEBUG, "SSL: wolfSSL_connect: %d", res); ++ } ++ ++ if (res != 1) { ++ int err = wolfSSL_get_error(conn->ssl, res); ++ ++ if (err == SSL_ERROR_WANT_READ) { ++ wpa_printf(MSG_DEBUG, ++ "SSL: wolfSSL_connect - want more data"); ++ } else if (err == SSL_ERROR_WANT_WRITE) { ++ wpa_printf(MSG_DEBUG, ++ "SSL: wolfSSL_connect - want to write"); ++ } else { ++ char msg[80]; ++ ++ wpa_printf(MSG_DEBUG, ++ "SSL: wolfSSL_connect - failed %s", ++ wolfSSL_ERR_error_string(err, msg)); ++ conn->failed++; ++ } ++ } ++ ++ return conn->output.out_data; ++} ++ ++ ++static struct wpabuf * wolfssl_get_appl_data(struct tls_connection *conn, ++ size_t max_len) ++{ ++ int res; ++ struct wpabuf *appl_data = wpabuf_alloc(max_len + 100); ++ ++ if (!appl_data) ++ return NULL; ++ ++ res = wolfSSL_read(conn->ssl, wpabuf_mhead(appl_data), ++ wpabuf_size(appl_data)); ++ if (res < 0) { ++ int err = wolfSSL_get_error(conn->ssl, res); ++ ++ if (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE) { ++ wpa_printf(MSG_DEBUG, ++ "SSL: No Application Data included"); ++ } else { ++ char msg[80]; ++ ++ wpa_printf(MSG_DEBUG, ++ "Failed to read possible Application Data %s", ++ wolfSSL_ERR_error_string(err, msg)); ++ } ++ ++ wpabuf_free(appl_data); ++ return NULL; ++ } ++ ++ wpabuf_put(appl_data, res); ++ wpa_hexdump_buf_key(MSG_MSGDUMP, ++ "SSL: Application Data in Finished message", ++ appl_data); ++ return appl_data; ++} ++ ++ ++static struct wpabuf * ++wolfssl_connection_handshake(struct tls_connection *conn, ++ const struct wpabuf *in_data, ++ struct wpabuf **appl_data, int server) ++{ ++ struct wpabuf *out_data; ++ ++ wolfssl_reset_in_data(&conn->input, in_data); ++ ++ if (appl_data) ++ *appl_data = NULL; ++ ++ out_data = wolfssl_handshake(conn, in_data, server); ++ if (!out_data) ++ return NULL; ++ ++ if (wolfSSL_is_init_finished(conn->ssl)) { ++ wpa_printf(MSG_DEBUG, ++ "wolfSSL: Handshake finished - resumed=%d", ++ tls_connection_resumed(NULL, conn)); ++ if (appl_data && in_data) ++ *appl_data = wolfssl_get_appl_data(conn, ++ wpabuf_len(in_data)); ++ } ++ ++ return out_data; ++} ++ ++ ++struct wpabuf * tls_connection_handshake(void *tls_ctx, ++ struct tls_connection *conn, ++ const struct wpabuf *in_data, ++ struct wpabuf **appl_data) ++{ ++ return wolfssl_connection_handshake(conn, in_data, appl_data, 0); ++} ++ ++ ++struct wpabuf * tls_connection_server_handshake(void *tls_ctx, ++ struct tls_connection *conn, ++ const struct wpabuf *in_data, ++ struct wpabuf **appl_data) ++{ ++ return wolfssl_connection_handshake(conn, in_data, appl_data, 1); ++} ++ ++ ++struct wpabuf * tls_connection_encrypt(void *tls_ctx, ++ struct tls_connection *conn, ++ const struct wpabuf *in_data) ++{ ++ int res; ++ ++ if (!conn) ++ return NULL; ++ ++ wpa_printf(MSG_DEBUG, "SSL: encrypt: %ld bytes", wpabuf_len(in_data)); ++ ++ wolfssl_reset_out_data(&conn->output); ++ ++ res = wolfSSL_write(conn->ssl, wpabuf_head(in_data), ++ wpabuf_len(in_data)); ++ if (res < 0) { ++ int err = wolfSSL_get_error(conn->ssl, res); ++ char msg[80]; ++ ++ wpa_printf(MSG_INFO, "Encryption failed - SSL_write: %s", ++ wolfSSL_ERR_error_string(err, msg)); ++ return NULL; ++ } ++ ++ return conn->output.out_data; ++} ++ ++ ++struct wpabuf * tls_connection_decrypt(void *tls_ctx, ++ struct tls_connection *conn, ++ const struct wpabuf *in_data) ++{ ++ int res; ++ struct wpabuf *buf; ++ ++ if (!conn) ++ return NULL; ++ ++ wpa_printf(MSG_DEBUG, "SSL: decrypt"); ++ ++ wolfssl_reset_in_data(&conn->input, in_data); ++ ++ /* Read decrypted data for further processing */ ++ /* ++ * Even though we try to disable TLS compression, it is possible that ++ * this cannot be done with all TLS libraries. Add extra buffer space ++ * to handle the possibility of the decrypted data being longer than ++ * input data. ++ */ ++ buf = wpabuf_alloc((wpabuf_len(in_data) + 500) * 3); ++ if (!buf) ++ return NULL; ++ res = wolfSSL_read(conn->ssl, wpabuf_mhead(buf), wpabuf_size(buf)); ++ if (res < 0) { ++ wpa_printf(MSG_INFO, "Decryption failed - SSL_read"); ++ wpabuf_free(buf); ++ return NULL; ++ } ++ wpabuf_put(buf, res); ++ ++ wpa_printf(MSG_DEBUG, "SSL: decrypt: %ld bytes", wpabuf_len(buf)); ++ ++ return buf; ++} ++ ++ ++int tls_connection_resumed(void *tls_ctx, struct tls_connection *conn) ++{ ++ return conn ? wolfSSL_session_reused(conn->ssl) : 0; ++} ++ ++ ++int tls_connection_set_cipher_list(void *tls_ctx, struct tls_connection *conn, ++ u8 *ciphers) ++{ ++ char buf[128], *pos, *end; ++ u8 *c; ++ int ret; ++ ++ if (!conn || !conn->ssl || !ciphers) ++ return -1; ++ ++ buf[0] = '\0'; ++ pos = buf; ++ end = pos + sizeof(buf); ++ ++ c = ciphers; ++ while (*c != TLS_CIPHER_NONE) { ++ const char *suite; ++ ++ switch (*c) { ++ case TLS_CIPHER_RC4_SHA: ++ suite = "RC4-SHA"; ++ break; ++ case TLS_CIPHER_AES128_SHA: ++ suite = "AES128-SHA"; ++ break; ++ case TLS_CIPHER_RSA_DHE_AES128_SHA: ++ suite = "DHE-RSA-AES128-SHA"; ++ break; ++ case TLS_CIPHER_ANON_DH_AES128_SHA: ++ suite = "ADH-AES128-SHA"; ++ break; ++ case TLS_CIPHER_RSA_DHE_AES256_SHA: ++ suite = "DHE-RSA-AES256-SHA"; ++ break; ++ case TLS_CIPHER_AES256_SHA: ++ suite = "AES256-SHA"; ++ break; ++ default: ++ wpa_printf(MSG_DEBUG, ++ "TLS: Unsupported cipher selection: %d", *c); ++ return -1; ++ } ++ ret = os_snprintf(pos, end - pos, ":%s", suite); ++ if (os_snprintf_error(end - pos, ret)) ++ break; ++ pos += ret; ++ ++ c++; ++ } ++ ++ wpa_printf(MSG_DEBUG, "wolfSSL: cipher suites: %s", buf + 1); ++ ++ if (wolfSSL_set_cipher_list(conn->ssl, buf + 1) != 1) { ++ wpa_printf(MSG_DEBUG, "Cipher suite configuration failed"); ++ return -1; ++ } ++ ++ return 0; ++} ++ ++ ++int tls_get_cipher(void *tls_ctx, struct tls_connection *conn, ++ char *buf, size_t buflen) ++{ ++ WOLFSSL_CIPHER *cipher; ++ const char *name; ++ ++ if (!conn || !conn->ssl) ++ return -1; ++ ++ cipher = wolfSSL_get_current_cipher(conn->ssl); ++ if (!cipher) ++ return -1; ++ ++ name = wolfSSL_CIPHER_get_name(cipher); ++ if (!name) ++ return -1; ++ ++ if (os_strcmp(name, "SSL_RSA_WITH_RC4_128_SHA") == 0) ++ os_strlcpy(buf, "RC4-SHA", buflen); ++ else if (os_strcmp(name, "TLS_RSA_WITH_AES_128_CBC_SHA") == 0) ++ os_strlcpy(buf, "AES128-SHA", buflen); ++ else if (os_strcmp(name, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA") == 0) ++ os_strlcpy(buf, "DHE-RSA-AES128-SHA", buflen); ++ else if (os_strcmp(name, "TLS_DH_anon_WITH_AES_128_CBC_SHA") == 0) ++ os_strlcpy(buf, "ADH-AES128-SHA", buflen); ++ else if (os_strcmp(name, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA") == 0) ++ os_strlcpy(buf, "DHE-RSA-AES256-SHA", buflen); ++ else if (os_strcmp(name, "TLS_RSA_WITH_AES_256_CBC_SHA") == 0) ++ os_strlcpy(buf, "AES256-SHA", buflen); ++ else ++ os_strlcpy(buf, name, buflen); ++ ++ return 0; ++} ++ ++ ++int tls_connection_enable_workaround(void *tls_ctx, ++ struct tls_connection *conn) ++{ ++ /* no empty fragments in wolfSSL for now */ ++ return 0; ++} ++ ++ ++int tls_connection_get_failed(void *tls_ctx, struct tls_connection *conn) ++{ ++ if (!conn) ++ return -1; ++ ++ return conn->failed; ++} ++ ++ ++int tls_connection_get_read_alerts(void *tls_ctx, struct tls_connection *conn) ++{ ++ if (!conn) ++ return -1; ++ ++ /* TODO: this is not incremented anywhere */ ++ return conn->read_alerts; ++} ++ ++ ++int tls_connection_get_write_alerts(void *tls_ctx, ++ struct tls_connection *conn) ++{ ++ if (!conn) ++ return -1; ++ ++ /* TODO: this is not incremented anywhere */ ++ return conn->write_alerts; ++} ++ ++ ++ ++int tls_get_library_version(char *buf, size_t buf_len) ++{ ++ return os_snprintf(buf, buf_len, "wolfSSL build=%s run=%s", ++ WOLFSSL_VERSION, wolfSSL_lib_version()); ++} ++ ++int tls_get_version(void *ssl_ctx, struct tls_connection *conn, ++ char *buf, size_t buflen) ++{ ++ const char *name; ++ ++ if (!conn || !conn->ssl) ++ return -1; ++ ++ name = wolfSSL_get_version(conn->ssl); ++ if (!name) ++ return -1; ++ ++ os_strlcpy(buf, name, buflen); ++ return 0; ++} ++ ++ ++int tls_connection_get_random(void *ssl_ctx, struct tls_connection *conn, ++ struct tls_random *keys) ++{ ++ WOLFSSL *ssl; ++ ++ if (!conn || !keys) ++ return -1; ++ ssl = conn->ssl; ++ if (!ssl) ++ return -1; ++ ++ os_memset(keys, 0, sizeof(*keys)); ++ keys->client_random = conn->client_random; ++ keys->client_random_len = wolfSSL_get_client_random( ++ ssl, conn->client_random, sizeof(conn->client_random)); ++ keys->server_random = conn->server_random; ++ keys->server_random_len = wolfSSL_get_server_random( ++ ssl, conn->server_random, sizeof(conn->server_random)); ++ ++ return 0; ++} ++ ++ ++int tls_connection_export_key(void *tls_ctx, struct tls_connection *conn, ++ const char *label, u8 *out, size_t out_len) ++{ ++ if (!conn || wolfSSL_make_eap_keys(conn->ssl, out, out_len, label) != 0) ++ return -1; ++ return 0; ++} ++ ++ ++int tls_connection_get_eap_fast_key(void *tls_ctx, struct tls_connection *conn, ++ u8 *out, size_t out_len) ++{ ++ int ret; ++ ++ if (!conn || !conn->ssl) ++ return -1; ++ ++ ret = wolfSSL_make_eap_keys(conn->ssl, out, out_len, "key expansion"); ++ if (ret != 0) ++ return -1; ++ return 0; ++} ++ ++ ++#if defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || defined(EAP_SERVER_FAST) ++ ++int tls_connection_client_hello_ext(void *ssl_ctx, struct tls_connection *conn, ++ int ext_type, const u8 *data, ++ size_t data_len) ++{ ++ (void) ssl_ctx; ++ ++ if (!conn || !conn->ssl || ext_type != 35) ++ return -1; ++ ++ if (wolfSSL_set_SessionTicket(conn->ssl, data, ++ (unsigned int) data_len) != 1) ++ return -1; ++ ++ return 0; ++} ++ ++ ++static int tls_sess_sec_cb(WOLFSSL *s, void *secret, int *secret_len, void *arg) ++{ ++ struct tls_connection *conn = arg; ++ int ret; ++ unsigned char client_random[RAN_LEN]; ++ unsigned char server_random[RAN_LEN]; ++ word32 ticket_len = sizeof(conn->session_ticket); ++ ++ if (!conn || !conn->session_ticket_cb) ++ return 1; ++ ++ if (wolfSSL_get_client_random(s, client_random, ++ sizeof(client_random)) == 0 || ++ wolfSSL_get_server_random(s, server_random, ++ sizeof(server_random)) == 0 || ++ wolfSSL_get_SessionTicket(s, conn->session_ticket, &ticketLen) != 1) ++ return 1; ++ ++ if (ticket_len == 0) ++ return 0; ++ ++ ret = conn->session_ticket_cb(conn->session_ticket_cb_ctx, ++ conn->session_ticket, ticketLen, ++ client_random, server_random, secret); ++ if (ret <= 0) ++ return 1; ++ ++ *secret_len = SECRET_LEN; ++ return 0; ++} ++ ++#endif /* EAP_FAST || EAP_FAST_DYNAMIC || EAP_SERVER_FAST */ ++ ++ ++int tls_connection_set_session_ticket_cb(void *tls_ctx, ++ struct tls_connection *conn, ++ tls_session_ticket_cb cb, ++ void *ctx) ++{ ++#if defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || defined(EAP_SERVER_FAST) ++ conn->session_ticket_cb = cb; ++ conn->session_ticket_cb_ctx = ctx; ++ ++ if (cb) { ++ if (wolfSSL_set_session_secret_cb(conn->ssl, tls_sess_sec_cb, ++ conn) != 1) ++ return -1; ++ } else { ++ if (wolfSSL_set_session_secret_cb(conn->ssl, NULL, NULL) != 1) ++ return -1; ++ } ++ ++ return 0; ++#else /* EAP_FAST || EAP_FAST_DYNAMIC || EAP_SERVER_FAST */ ++ return -1; ++#endif /* EAP_FAST || EAP_FAST_DYNAMIC || EAP_SERVER_FAST */ ++} ++ ++ ++void tls_connection_set_success_data_resumed(struct tls_connection *conn) ++{ ++ wpa_printf(MSG_DEBUG, ++ "wolfSSL: Success data accepted for resumed session"); ++} ++ ++ ++void tls_connection_remove_session(struct tls_connection *conn) ++{ ++ WOLFSSL_SESSION *sess; ++ ++ sess = wolfSSL_get_session(conn->ssl); ++ if (!sess) ++ return; ++ ++ wolfSSL_SSL_SESSION_set_timeout(sess, 0); ++ wpa_printf(MSG_DEBUG, ++ "wolfSSL: Removed cached session to disable session resumption"); ++} ++ ++ ++void tls_connection_set_success_data(struct tls_connection *conn, ++ struct wpabuf *data) ++{ ++ WOLFSSL_SESSION *sess; ++ struct wpabuf *old; ++ ++ wpa_printf(MSG_DEBUG, "wolfSSL: Set success data"); ++ ++ sess = wolfSSL_get_session(conn->ssl); ++ if (!sess) { ++ wpa_printf(MSG_DEBUG, ++ "wolfSSL: No session found for success data"); ++ goto fail; ++ } ++ ++ old = wolfSSL_SESSION_get_ex_data(sess, tls_ex_idx_session); ++ if (old) { ++ wpa_printf(MSG_DEBUG, "wolfSSL: Replacing old success data %p", ++ old); ++ wpabuf_free(old); ++ } ++ if (wolfSSL_SESSION_set_ex_data(sess, tls_ex_idx_session, data) != 1) ++ goto fail; ++ ++ wpa_printf(MSG_DEBUG, "wolfSSL: Stored success data %p", data); ++ conn->success_data = 1; ++ return; ++ ++fail: ++ wpa_printf(MSG_INFO, "wolfSSL: Failed to store success data"); ++ wpabuf_free(data); ++} ++ ++ ++const struct wpabuf * ++tls_connection_get_success_data(struct tls_connection *conn) ++{ ++ WOLFSSL_SESSION *sess; ++ ++ wpa_printf(MSG_DEBUG, "wolfSSL: Get success data"); ++ ++ sess = wolfSSL_get_session(conn->ssl); ++ if (!sess) ++ return NULL; ++ return wolfSSL_SESSION_get_ex_data(sess, tls_ex_idx_session); ++} +diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile +index 4b531fe..d70189b 100644 +--- a/wpa_supplicant/Makefile ++++ b/wpa_supplicant/Makefile +@@ -666,6 +666,9 @@ endif + + ifdef CONFIG_EAP_PWD + CFLAGS += -DEAP_PWD ++ifeq ($(CONFIG_TLS), wolfssl) ++CFLAGS += -DCONFIG_ECC ++endif + OBJS += ../src/eap_peer/eap_pwd.o ../src/eap_common/eap_pwd_common.o + CONFIG_IEEE8021X_EAPOL=y + NEED_SHA256=y +@@ -998,6 +1001,20 @@ CFLAGS += -DCONFIG_TLSV12 + NEED_SHA256=y + endif + ++ifeq ($(CONFIG_TLS), wolfssl) ++ifdef TLS_FUNCS ++CFLAGS += -DWOLFSSL_DER_LOAD -I/usr/local/include/wolfssl ++OBJS += ../src/crypto/tls_wolfssl.o ++endif ++OBJS += ../src/crypto/crypto_wolfssl.o ++OBJS_p += ../src/crypto/crypto_wolfssl.o ++ifdef NEED_FIPS186_2_PRF ++OBJS += ../src/crypto/fips_prf_wolfssl.o ++endif ++LIBS += -lwolfssl -lm ++LIBS_p += -lwolfssl -lm ++endif ++ + ifeq ($(CONFIG_TLS), openssl) + ifdef TLS_FUNCS + CFLAGS += -DEAP_TLS_OPENSSL +@@ -1165,8 +1182,10 @@ AESOBJS += ../src/crypto/aes-internal.o ../src/crypto/aes-internal-dec.o + endif + + ifneq ($(CONFIG_TLS), openssl) ++ifneq ($(CONFIG_TLS), wolfssl) + NEED_INTERNAL_AES_WRAP=y + endif ++endif + ifdef CONFIG_OPENSSL_INTERNAL_AES_WRAP + # Seems to be needed at least with BoringSSL + NEED_INTERNAL_AES_WRAP=y +@@ -1196,9 +1215,11 @@ NEED_AES_ENC=y + ifdef CONFIG_OPENSSL_CMAC + CFLAGS += -DCONFIG_OPENSSL_CMAC + else ++ifneq ($(CONFIG_TLS), wolfssl) + AESOBJS += ../src/crypto/aes-omac1.o + endif + endif ++endif + ifdef NEED_AES_SIV + AESOBJS += ../src/crypto/aes-siv.o + endif +@@ -1211,9 +1232,11 @@ endif + ifdef NEED_AES_CBC + NEED_AES_ENC=y + ifneq ($(CONFIG_TLS), openssl) ++ifneq ($(CONFIG_TLS), wolfssl) + AESOBJS += ../src/crypto/aes-cbc.o + endif + endif ++endif + ifdef NEED_AES_ENC + ifdef CONFIG_INTERNAL_AES + AESOBJS += ../src/crypto/aes-internal-enc.o +@@ -1225,8 +1248,10 @@ endif + + ifdef NEED_SHA1 + ifneq ($(CONFIG_TLS), openssl) ++ifneq ($(CONFIG_TLS), wolfssl) + SHA1OBJS += ../src/crypto/sha1.o + endif ++endif + SHA1OBJS += ../src/crypto/sha1-prf.o + ifdef CONFIG_INTERNAL_SHA1 + SHA1OBJS += ../src/crypto/sha1-internal.o +@@ -1238,9 +1263,11 @@ ifdef CONFIG_NO_WPA_PASSPHRASE + CFLAGS += -DCONFIG_NO_PBKDF2 + else + ifneq ($(CONFIG_TLS), openssl) ++ifneq ($(CONFIG_TLS), wolfssl) + SHA1OBJS += ../src/crypto/sha1-pbkdf2.o + endif + endif ++endif + ifdef NEED_T_PRF + SHA1OBJS += ../src/crypto/sha1-tprf.o + endif +@@ -1251,9 +1278,11 @@ endif + + ifndef CONFIG_FIPS + ifneq ($(CONFIG_TLS), openssl) ++ifneq ($(CONFIG_TLS), wolfssl) + MD5OBJS += ../src/crypto/md5.o + endif + endif ++endif + ifdef NEED_MD5 + ifdef CONFIG_INTERNAL_MD5 + MD5OBJS += ../src/crypto/md5-internal.o +@@ -1271,6 +1300,9 @@ endif + + DESOBJS = # none needed when not internal + ifdef NEED_DES ++ifndef CONFIG_FIPS ++CFLAGS += -DCONFIG_DES ++endif + ifdef CONFIG_INTERNAL_DES + DESOBJS += ../src/crypto/des-internal.o + endif +@@ -1292,8 +1324,10 @@ SHA256OBJS = # none by default + ifdef NEED_SHA256 + CFLAGS += -DCONFIG_SHA256 + ifneq ($(CONFIG_TLS), openssl) ++ifneq ($(CONFIG_TLS), wolfssl) + SHA256OBJS += ../src/crypto/sha256.o + endif ++endif + SHA256OBJS += ../src/crypto/sha256-prf.o + ifdef CONFIG_INTERNAL_SHA256 + SHA256OBJS += ../src/crypto/sha256-internal.o +@@ -1512,9 +1546,11 @@ endif + ifdef CONFIG_FIPS + CFLAGS += -DCONFIG_FIPS + ifneq ($(CONFIG_TLS), openssl) ++ifneq ($(CONFIG_TLS), wolfssl) + $(error CONFIG_FIPS=y requires CONFIG_TLS=openssl) + endif + endif ++endif + + OBJS += $(SHA1OBJS) $(DESOBJS) + +-- +1.8.3.1 + diff --git a/backport-Share-common-SAE-and-EAP-pwd-functionality-suitable-.patch b/backport-Share-common-SAE-and-EAP-pwd-functionality-suitable-.patch new file mode 100644 index 0000000..c79c444 --- /dev/null +++ b/backport-Share-common-SAE-and-EAP-pwd-functionality-suitable-.patch @@ -0,0 +1,219 @@ +From 2b84ca4dd96459b661b0ebaf40ec43074fc9f42c Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Thu, 25 Apr 2019 19:45:27 +0300 +Subject: Share common SAE and EAP-pwd functionality: suitable groups + +Start sharing common SAE and EAP-pwd functionality by adding a new +source code file that can be included into both. This first step is +bringing in a shared function to check whether a group is suitable. + +Signed-off-by: Jouni Malinen +--- + src/common/dragonfly.c | 27 +++++++++++++++++++++++++++ + src/common/dragonfly.h | 15 +++++++++++++++ + src/common/sae.c | 27 ++++++--------------------- + src/eap_common/eap_pwd_common.c | 9 ++------- + wpa_supplicant/Android.mk | 6 ++++++ + wpa_supplicant/Makefile | 6 ++++++ + 6 files changed, 62 insertions(+), 28 deletions(-) + create mode 100644 src/common/dragonfly.c + create mode 100644 src/common/dragonfly.h + +diff --git a/src/common/dragonfly.c b/src/common/dragonfly.c +new file mode 100644 +index 0000000..1e80404 +--- /dev/null ++++ b/src/common/dragonfly.c +@@ -0,0 +1,27 @@ ++/* ++ * Shared Dragonfly functionality ++ * Copyright (c) 2012-2016, Jouni Malinen ++ * Copyright (c) 2019, The Linux Foundation ++ * ++ * This software may be distributed under the terms of the BSD license. ++ * See README for more details. ++ */ ++ ++#include "utils/includes.h" ++ ++#include "utils/common.h" ++#include "dragonfly.h" ++ ++ ++int dragonfly_suitable_group(int group, int ecc_only) ++{ ++ /* Enforce REVmd rules on which SAE groups are suitable for production ++ * purposes: FFC groups whose prime is >= 3072 bits and ECC groups ++ * defined over a prime field whose prime is >= 256 bits. Furthermore, ++ * ECC groups defined over a characteristic 2 finite field and ECC ++ * groups with a co-factor greater than 1 are not suitable. */ ++ return group == 19 || group == 20 || group == 21 || ++ group == 28 || group == 29 || group == 30 || ++ (!ecc_only && ++ (group == 15 || group == 16 || group == 17 || group == 18)); ++} +diff --git a/src/common/dragonfly.h b/src/common/dragonfly.h +new file mode 100644 +index 0000000..9f3c428 +--- /dev/null ++++ b/src/common/dragonfly.h +@@ -0,0 +1,15 @@ ++/* ++ * Shared Dragonfly functionality ++ * Copyright (c) 2012-2016, Jouni Malinen ++ * Copyright (c) 2019, The Linux Foundation ++ * ++ * This software may be distributed under the terms of the BSD license. ++ * See README for more details. ++ */ ++ ++#ifndef DRAGONFLY_H ++#define DRAGONFLY_H ++ ++int dragonfly_suitable_group(int group, int ecc_only); ++ ++#endif /* DRAGONFLY_H */ +diff --git a/src/common/sae.c b/src/common/sae.c +index 5ef6c4c..b35821d 100644 +--- a/src/common/sae.c ++++ b/src/common/sae.c +@@ -15,36 +15,21 @@ + #include "crypto/random.h" + #include "crypto/dh_groups.h" + #include "ieee802_11_defs.h" ++#include "dragonfly.h" + #include "sae.h" + +-static int sae_suitable_group(int group) +-{ +-#ifdef CONFIG_TESTING_OPTIONS +- /* Allow all groups for testing purposes in non-production builds. */ +- return 1; +-#else /* CONFIG_TESTING_OPTIONS */ +- /* Enforce REVmd rules on which SAE groups are suitable for production +- * purposes: FFC groups whose prime is >= 3072 bits and ECC groups +- * defined over a prime field whose prime is >= 256 bits. Furthermore, +- * ECC groups defined over a characteristic 2 finite field and ECC +- * groups with a co-factor greater than 1 are not suitable. Disable +- * groups that use Brainpool curves as well for now since they leak more +- * timing information due to the prime not being close to a power of +- * two. */ +- +- return group == 19 || group == 20 || group == 21 || +- group == 15 || group == 16 || group == 17 || group == 18; +-#endif /* CONFIG_TESTING_OPTIONS */ +-} +- + int sae_set_group(struct sae_data *sae, int group) + { + struct sae_temporary_data *tmp; + +- if (!sae_suitable_group(group)) { ++#ifdef CONFIG_TESTING_OPTIONS ++ /* Allow all groups for testing purposes in non-production builds. */ ++#else /* CONFIG_TESTING_OPTIONS */ ++ if (!dragonfly_suitable_group(group, 0)) { + wpa_printf(MSG_DEBUG, "SAE: Reject unsuitable group %d", group); + return -1; + } ++#endif /* CONFIG_TESTING_OPTIONS */ + + sae_clear_data(sae); + tmp = sae->tmp = os_zalloc(sizeof(*tmp)); +diff --git a/src/eap_common/eap_pwd_common.c b/src/eap_common/eap_pwd_common.c +index bac2796..755aafb 100644 +--- a/src/eap_common/eap_pwd_common.c ++++ b/src/eap_common/eap_pwd_common.c +@@ -9,6 +9,7 @@ + #include "includes.h" + #include "common.h" + #include "utils/const_time.h" ++#include "common/dragonfly.h" + #include "crypto/sha256.h" + #include "crypto/crypto.h" + #include "eap_defs.h" +@@ -84,18 +85,12 @@ static int eap_pwd_kdf(const u8 *key, size_t keylen, const u8 *label, + return 0; + } + +-static int eap_pwd_suitable_group(u16 num) +-{ +- /* Do not allow ECC groups with prime under 256 bits based on guidance +- * for the similar design in SAE. */ +- return num == 19 || num == 20 || num == 21; +-} + EAP_PWD_group * get_eap_pwd_group(u16 num) + { + EAP_PWD_group *grp; + + grp = os_zalloc(sizeof(EAP_PWD_group)); +- if (!eap_pwd_suitable_group(num)) { ++ if (!dragonfly_suitable_group(num, 1)) { + wpa_printf(MSG_INFO, "EAP-pwd: unsuitable group %u", num); + return NULL; + } +diff --git a/wpa_supplicant/Android.mk b/wpa_supplicant/Android.mk +index 924ac07..aa5ac8c 100644 +--- a/wpa_supplicant/Android.mk ++++ b/wpa_supplicant/Android.mk +@@ -236,6 +236,7 @@ L_CFLAGS += -DCONFIG_SAE + OBJS += src/common/sae.c + NEED_ECC=y + NEED_DH_GROUPS=y ++NEED_DRAGONFLY=y + endif + + ifdef CONFIG_WNM +@@ -641,6 +642,7 @@ OBJS += src/eap_peer/eap_pwd.c src/eap_common/eap_pwd_common.c + CONFIG_IEEE8021X_EAPOL=y + NEED_SHA256=y + NEED_ECC=y ++NEED_DRAGONFLY=y + endif + + ifdef CONFIG_EAP_EKE +@@ -918,6 +920,10 @@ ifdef CONFIG_SMARTCARD + L_CFLAGS += -DCONFIG_SMARTCARD + endif + ++ifdef NEED_DRAGONFLY ++OBJS += src/common/dragonfly.c ++endif ++ + ifdef MS_FUNCS + OBJS += src/crypto/ms_funcs.c + NEED_DES=y +diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile +index d70189b..8fce344 100644 +--- a/wpa_supplicant/Makefile ++++ b/wpa_supplicant/Makefile +@@ -270,6 +270,7 @@ CFLAGS += -DCONFIG_SAE + OBJS += ../src/common/sae.o + NEED_ECC=y + NEED_DH_GROUPS=y ++NEED_DRAGONFLY=y + endif + + ifdef CONFIG_WNM +@@ -673,6 +674,7 @@ OBJS += ../src/eap_peer/eap_pwd.o ../src/eap_common/eap_pwd_common.o + CONFIG_IEEE8021X_EAPOL=y + NEED_SHA256=y + NEED_ECC=y ++NEED_DRAGONFLY=y + endif + + ifdef CONFIG_EAP_EKE +@@ -967,6 +969,10 @@ ifdef CONFIG_SMARTCARD + CFLAGS += -DCONFIG_SMARTCARD + endif + ++ifdef NEED_DRAGONFLY ++OBJS += ../src/common/dragonfly.o ++endif ++ + ifdef MS_FUNCS + OBJS += ../src/crypto/ms_funcs.o + NEED_DES=y +-- +1.8.3.1 + diff --git a/wpa_supplicant.spec b/wpa_supplicant.spec index 06ee1c9..32b9394 100644 --- a/wpa_supplicant.spec +++ b/wpa_supplicant.spec @@ -1,7 +1,7 @@ Name: wpa_supplicant Epoch: 1 Version: 2.6 -Release: 29 +Release: 30 Summary: A WPA Supplicant with support for WPA and WPA2 (IEEE 802.11i / RSN) License: BSD or GPLv2 Url: https://w1.fi/wpa_supplicant/ @@ -100,6 +100,12 @@ Patch83: add-options-of-wpa_supplicant-service.patch Patch84: allow-to-override-names-of-qt4-tools.patch Patch85: CVE-2021-27803.patch Patch86: CVE-2021-0326.patch +Patch87: backport-Add-support-for-wolfSSL-cryptographic-library.patch +Patch88: backport-Share-common-SAE-and-EAP-pwd-functionality-suitable-.patch +Patch89: backport-0001-CVE-2022-23303-CVE-2022-23304.patch +Patch90: backport-0002-CVE-2022-23303-CVE-2022-23304.patch +Patch91: backport-0003-CVE-2022-23303-CVE-2022-23304.patch +Patch92: backport-0004-CVE-2022-23303-CVE-2022-23304.patch BuildRequires: qt-devel >= 4.0 openssl-devel readline-devel dbus-devel libnl3-devel systemd-units docbook-utils Requires(post): systemd-sysv @@ -193,6 +199,12 @@ install -m644 %{name}/doc/docbook/*.5 %{buildroot}%{_mandir}/man5 %{_mandir}/man5/* %changelog +* Wed Jan 26 2022 shixuantong - 1:2.6-30 +- Type:cves +- ID:CVE-2022-23303 CVE-2022-23304 +- SUG:NA +- DESC:fix CVE-2022-23303 CVE-2022-23304 + * Wed Sep 22 2021 gaoyusong - 1:2.6-29 - Type:cves - ID: CVE-2021-0326 -- Gitee