mbedTLS support #106
Should not be a big problem to use libmbedtls instead of libopenssl. Unfortunately I can't test it here. Can you make a PR?
OpenSSL is switching to v3.0.0, soon. Due to some API changes, many functions have to be recoded. Is there any good documentation on how to replace the following OpenSSL functions by mbedTLS functions?

static inline int mschapv2_challenge_hash(uint8_t *peer_challenge, uint8_t *auth_challenge, uint8_t *username, size_t usernamelen, uint8_t *challenge)
int omac1_aes_128_vector(const uint8_t *key, size_t num_elem, const uint8_t *addr[], const size_t *len, uint8_t *mac)
HMAC(EVP_sha1(), testpmk, 32, pkedata, 100, ptk + p *20, NULL);
PKCS5_PBKDF2_HMAC_SHA1(zeroedpsk, 8, essid, essidlen, 4096, 32, calculatedpmk)

Any information is appreciated.
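The PBKDF2 and HMAC calls listed above are the standard WPA key derivation (PMK from passphrase and ESSID, PTK via the 802.11i PRF-512 over a 100-byte buffer, then the EAPOL MIC). The following added example is not hcxtools code; it is a stdlib-only Python reference, using the IEEE 802.11i Annex test vector ("password"/"IEEE"), that a port to mbedTLS or any other library can be checked against. The EAPOL frame below is a constructed placeholder, and the `keyver` values (1 = HMAC-MD5, 2 = HMAC-SHA1) follow the EAPOL-Key descriptor version field.

```python
import hashlib
import hmac

def wpa_pmk(passphrase: bytes, essid: bytes) -> bytes:
    # Same computation as PKCS5_PBKDF2_HMAC_SHA1(psk, len, essid, essidlen, 4096, 32, pmk)
    return hashlib.pbkdf2_hmac("sha1", passphrase, essid, 4096, 32)

def wpa_ptk(pmk: bytes, mac_ap: bytes, mac_sta: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512: five HMAC-SHA1 blocks over the 100-byte pkedata buffer (label, MACs, nonces, counter)."""
    pke = (b"Pairwise key expansion\x00"
           + min(mac_ap, mac_sta) + max(mac_ap, mac_sta)
           + min(anonce, snonce) + max(anonce, snonce))
    assert len(pke) == 99                      # plus the 1-byte counter = 100 bytes
    ptk = b"".join(hmac.new(pmk, pke + bytes([p]), hashlib.sha1).digest() for p in range(5))
    return ptk[:64]                            # KCK (16) | KEK (16) | TK (32)

def eapol_mic(ptk: bytes, eapol: bytes, keyver: int) -> bytes:
    """MIC over the EAPOL-Key frame with its 16-byte MIC field (offset 81) zeroed."""
    kck = ptk[:16]
    zeroed = eapol[:81] + b"\x00" * 16 + eapol[97:]
    if keyver == 1:                            # WPA1: HMAC-MD5, 16 bytes
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]  # WPA2: HMAC-SHA1 truncated to 16

def reference_check() -> dict:
    """Known-answer test vector from IEEE 802.11i Annex plus a constructed handshake (assumed values)."""
    pmk = wpa_pmk(b"password", b"IEEE")
    mac_ap, mac_sta = bytes.fromhex("a0a1a2a3a4a5"), bytes.fromhex("202122232425")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    ptk = wpa_ptk(pmk, mac_ap, mac_sta, anonce, snonce)
    # Constructed 121-byte EAPOL-Key message 2 skeleton: 802.1X header + key descriptor + key data length
    eapol = b"\x01\x03\x00\x75\x02\x01\x0a\x00\x10" + b"\x00" * 8 + snonce + b"\x00" * 16 \
            + b"\x00" * 8 + b"\x00" * 8 + b"\xff" * 16 + b"\x00\x00"
    return {
        "pmk": pmk.hex(),
        "ptk": ptk.hex(),
        "ptk_symmetric": ptk == wpa_ptk(pmk, mac_sta, mac_ap, snonce, anonce),
        "mic_wpa1": eapol_mic(ptk, eapol, 1).hex(),
        "mic_wpa2": eapol_mic(ptk, eapol, 2).hex(),
    }

if __name__ == "__main__":
    for k, v in reference_check().items():
        print(k, v)
```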
curl has some similar code: https://github.com/curl/curl/tree/master/lib
…On Mon, Feb 8, 2021 at 2:04 AM ZerBea ***@***.***> wrote:
OpenSSL is switching to v3.0.0, soon. Due to some API changes, many
functions have to be recoded.
Now it's time to think about switching to mbedTLS support.
Is there any good documentation how to replace the following OpenSSL
functions by mbedTLS functions:
static inline int mschapv2_challenge_hash(uint8_t *peer_challenge, uint8_t
*auth_challenge, uint8_t *username, size_t usernamelen, uint8_t *challenge)
https://github.com/ZerBea/hcxtools/blob/master/hcxpcapngtool.c#L1218
int omac1_aes_128_vector(const uint8_t *key, size_t num_elem, const
uint8_t *addr[], const size_t *len, uint8_t *mac)
https://github.com/ZerBea/hcxtools/blob/master/hcxpcapngtool.c#L1667
HMAC(EVP_sha1(), testpmk, 32, pkedata, 100, ptk + p *20, NULL);
HMAC(EVP_md5(), &ptk, 16, eapoldata, eapollen, miczero, NULL);
HMAC(EVP_sha256(), testpmk, 32, pkedata_prf, 2 + 98 + 2, ptk, NULL);
https://github.com/ZerBea/hcxtools/blob/master/hcxpcapngtool.c#L1739
PKCS5_PBKDF2_HMAC_SHA1(zeroedpsk, 8, essid, essidlen, 4096, 32,
calculatedpmk)
https://github.com/ZerBea/hcxtools/blob/master/hcxpcapngtool.c#L1790
Any information is appreciated.
Got them from curl lib directory. Thanks
According to this:
Speed should be in that order. LibreSSL shouldn't really be used. It's mostly a BSD thing. Alpine Linux removed it because of all the patching that was needed. mbedTLS is nice for embedded devices. Note that hcxtools are available for OpenWrt where OpenSSL is huge.
I agree. Hcxdumptool and hcxtools are designed to run on small machines (e.g. Raspberry Pi Zero and some small BE systems - you may have noticed the massive code changes during the past weeks, regarding endianness). That was the reason why I dropped libpcap and WiringPi completely. All the oversized functions are simply not required. BTW: Also, I agree about the installed size: Packages (1) openssl-1.1.1.i-2
On OpenWrt it's 971.2 KB OpenSSL vs 175.1 KB mbedtls for mips architecture. If you don't need TLS, why use a TLS library? Taking the functions from hashcat sounds like a good idea.
We need the TLS functions of the library on EAP-TLS. Luckily, I think I figured out how the library works:
vs. mbedTLS:
After some speed tests, I noticed that the single thread calculation time is much more than expected.
Unfortunate. There's also WolfSSL, which is smaller than OpenSSL and around 2x mbedTLS. It should be comparable to OpenSSL.
Indeed, unfortunate. Everything looked fine, until I started the speed comparison. WolfSSL is no alternative, because it isn't part of Arch Linux package system. Looks like there will be no quick and easy solution.
Closed this feature request due to massive speed impact.
Looks like this patch is working and we have a tiny alternative, now:
In OpenWrt, mbedTLS is used for libcurl as the default provider for TLS for size reasons. However with hcxtools, libopenssl must be present as well. This presents a challenge for flash size limited routers. Here are some sizes: https://downloads.openwrt.org/snapshots/packages/arc_arc700/base/
As far as I can tell, the only missing piece for mbedTLS is that CMAC is disabled by default. It can be compile time enabled.
libopenssl is faster, yes, but I don't think speed is important here.