mirror of
https://github.com/vanhoefm/fragattacks.git
synced 2024-11-28 10:18:21 -05:00
Internal X.509/TLSv1: Support SHA-256 in X.509 certificate digest
This commit is contained in:
parent
a9141cffb0
commit
1d8ce433c9
@ -1,5 +1,9 @@
|
||||
ChangeLog for hostapd
|
||||
|
||||
????-??-?? - v0.6.5
|
||||
* added support for SHA-256 as X.509 certificate digest when using the
|
||||
internal X.509/TLSv1 implementation
|
||||
|
||||
2008-08-10 - v0.6.4
|
||||
* added peer identity into EAP-FAST PAC-Opaque and skip Phase 2
|
||||
Identity Request if identity is already known
|
||||
|
@ -1185,6 +1185,21 @@ static int x509_sha1_oid(struct asn1_oid *oid)
|
||||
}
|
||||
|
||||
|
||||
static int x509_sha256_oid(struct asn1_oid *oid)
|
||||
{
|
||||
return oid->len == 9 &&
|
||||
oid->oid[0] == 2 /* joint-iso-itu-t */ &&
|
||||
oid->oid[1] == 16 /* country */ &&
|
||||
oid->oid[2] == 840 /* us */ &&
|
||||
oid->oid[3] == 1 /* organization */ &&
|
||||
oid->oid[4] == 101 /* gov */ &&
|
||||
oid->oid[5] == 3 /* csor */ &&
|
||||
oid->oid[6] == 4 /* nistAlgorithm */ &&
|
||||
oid->oid[7] == 2 /* hashAlgs */ &&
|
||||
oid->oid[8] == 1 /* sha256 */;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* x509_certificate_parse - Parse a X.509 certificate in DER format
|
||||
* @buf: Pointer to the X.509 certificate in DER format
|
||||
@ -1309,7 +1324,7 @@ int x509_certificate_check_signature(struct x509_certificate *issuer,
|
||||
size_t data_len;
|
||||
struct asn1_hdr hdr;
|
||||
struct asn1_oid oid;
|
||||
u8 hash[20];
|
||||
u8 hash[32];
|
||||
size_t hash_len;
|
||||
|
||||
if (!x509_pkcs_oid(&cert->signature.oid) ||
|
||||
@ -1408,6 +1423,19 @@ int x509_certificate_check_signature(struct x509_certificate *issuer,
|
||||
goto skip_digest_oid;
|
||||
}
|
||||
|
||||
if (x509_sha256_oid(&oid)) {
|
||||
if (cert->signature.oid.oid[6] !=
|
||||
11 /* sha2561WithRSAEncryption */) {
|
||||
wpa_printf(MSG_DEBUG, "X509: digestAlgorithm SHA256 "
|
||||
"does not match with certificate "
|
||||
"signatureAlgorithm (%lu)",
|
||||
cert->signature.oid.oid[6]);
|
||||
os_free(data);
|
||||
return -1;
|
||||
}
|
||||
goto skip_digest_oid;
|
||||
}
|
||||
|
||||
if (!x509_digest_oid(&oid)) {
|
||||
wpa_printf(MSG_DEBUG, "X509: Unrecognized digestAlgorithm");
|
||||
os_free(data);
|
||||
@ -1466,8 +1494,20 @@ skip_digest_oid:
|
||||
wpa_hexdump(MSG_MSGDUMP, "X509: Certificate hash (SHA1)",
|
||||
hash, hash_len);
|
||||
break;
|
||||
case 2: /* md2WithRSAEncryption */
|
||||
case 11: /* sha256WithRSAEncryption */
|
||||
#ifdef NEED_SHA256
|
||||
sha256_vector(1, &cert->tbs_cert_start, &cert->tbs_cert_len,
|
||||
hash);
|
||||
hash_len = 32;
|
||||
wpa_hexdump(MSG_MSGDUMP, "X509: Certificate hash (SHA256)",
|
||||
hash, hash_len);
|
||||
break;
|
||||
#else /* NEED_SHA256 */
|
||||
wpa_printf(MSG_INFO, "X509: SHA256 support disabled");
|
||||
os_free(data);
|
||||
return -1;
|
||||
#endif /* NEED_SHA256 */
|
||||
case 2: /* md2WithRSAEncryption */
|
||||
case 12: /* sha384WithRSAEncryption */
|
||||
case 13: /* sha512WithRSAEncryption */
|
||||
default:
|
||||
|
@ -1,5 +1,9 @@
|
||||
ChangeLog for wpa_supplicant
|
||||
|
||||
????-??-?? - v0.6.5
|
||||
* added support for SHA-256 as X.509 certificate digest when using the
|
||||
internal X.509/TLSv1 implementation
|
||||
|
||||
2008-08-10 - v0.6.4
|
||||
* added support for EAP Sequences in EAP-FAST Phase 2
|
||||
* added support for using TNC with EAP-FAST
|
||||
|
@ -776,8 +776,14 @@ ifdef CONFIG_IEEE80211R
|
||||
NEED_SHA256=y
|
||||
endif
|
||||
|
||||
ifdef CONFIG_IEEE80211W
|
||||
CFLAGS += -DCONFIG_IEEE80211W
|
||||
NEED_SHA256=y
|
||||
endif
|
||||
|
||||
ifdef NEED_SHA256
|
||||
OBJS += ../src/crypto/sha256.o
|
||||
CFLAGS += -DNEED_SHA256
|
||||
endif
|
||||
|
||||
ifdef CONFIG_WIRELESS_EXTENSION
|
||||
@ -861,11 +867,6 @@ ifdef CONFIG_PEERKEY
|
||||
CFLAGS += -DCONFIG_PEERKEY
|
||||
endif
|
||||
|
||||
ifdef CONFIG_IEEE80211W
|
||||
CFLAGS += -DCONFIG_IEEE80211W
|
||||
NEED_SHA256=y
|
||||
endif
|
||||
|
||||
ifdef CONFIG_IEEE80211R
|
||||
CFLAGS += -DCONFIG_IEEE80211R
|
||||
OBJS += ../src/rsn_supp/wpa_ft.o
|
||||
@ -1036,6 +1037,7 @@ OBJSx=tests/test_x509v3.o ../src/tls/asn1.o ../src/tls/x509v3.o \
|
||||
../src/crypto/crypto_$(CONFIG_CRYPTO).o \
|
||||
../src/crypto/md5.o ../src/crypto/sha1.o ../src/crypto/aes.o \
|
||||
../src/crypto/rc4.o ../src/crypto/des.o ../src/crypto/aes_wrap.o \
|
||||
../src/crypto/sha256.o \
|
||||
../src/tls/bignum.o ../src/tls/rsa.o
|
||||
test_x509v3: $(OBJSx)
|
||||
$(LDO) $(LDFLAGS) -o test_x509v3 $(OBJSx)
|
||||
|
Loading…
Reference in New Issue
Block a user