Comments (13)
Should be not a big problem to use libmbedtls instead of libopenssl. Unfortunately I can't test it here. Can you make a PR?
from hcxtools.
OpenSSL is switching to v3.0.0, soon. Due to some API changes, many functions have to be recoded.
Now it's time to think about switching to mbedTLS support.
Is there any good documentation how to replace the following OpenSSL functions by mbedTLS functions:
static inline int mschapv2_challenge_hash(uint8_t *peer_challenge, uint8_t *auth_challenge, uint8_t *username, size_t usernamelen, uint8_t *challenge)
https://github.com/ZerBea/hcxtools/blob/master/hcxpcapngtool.c#L1218
int omac1_aes_128_vector(const uint8_t *key, size_t num_elem, const uint8_t *addr[], const size_t *len, uint8_t *mac)
https://github.com/ZerBea/hcxtools/blob/master/hcxpcapngtool.c#L1667
HMAC(EVP_sha1(), testpmk, 32, pkedata, 100, ptk + p *20, NULL);
HMAC(EVP_md5(), &ptk, 16, eapoldata, eapollen, miczero, NULL);
HMAC(EVP_sha256(), testpmk, 32, pkedata_prf, 2 + 98 + 2, ptk, NULL);
https://github.com/ZerBea/hcxtools/blob/master/hcxpcapngtool.c#L1739
PKCS5_PBKDF2_HMAC_SHA1(zeroedpsk, 8, essid, essidlen, 4096, 32, calculatedpmk)
https://github.com/ZerBea/hcxtools/blob/master/hcxpcapngtool.c#L1790
Any information is appreciated.
from hcxtools.
from hcxtools.
Got them from curl lib directory. Thanks
from hcxtools.
According to this:
https://wiki.archlinux.org/index.php/Transport_Layer_Security#Implementations
we have several implementations, running Arch Linux.
I'll do some tests on some of them (OpenSSL, LibreSSL and mbedTLS) and choose the one which is fast and well documented.
from hcxtools.
Speed should be in that order.
LibreSSL shouldn't really be used. It's mostly a BSD thing. Alpine Linux removed it because of all the patching that was needed.
mbedTLS is nice for embedded devices. Note that hcxtools are available for OpenWrt where OpenSSL is huge.
from hcxtools.
I aggree. Hcxdumptool and hcxtools are designed to run on small machines (e.g. Raspberry Pi Zero and some small BE systems - you may have noticed the massive code changes during the last past weeks, regarding endianess). That was the reason why I dropped libpcap and WiringPi completely. All the oversized functions are simply not required.
Also I'm a friend of the "KISS principle" and I don't like an oversized WiFi suite which can do everything but nothing really prefect.
Now I'm going to test the migration of the 6 HMAC functions and the TLS function to mbedTLS. Therefore I have to find a good documention of mbedTLS, without diving into the source code of curl. Unfortunately my first test (pkcs5) using mbedTLS failed.
Another option is to take the 6 HMAC functions from hashcat and to use TLS from mbedTLS, only.
But anyway, the HMAC functions are mandatory to identify initial PMKIDs/PTKs, calculated from a zeroed PMK. That is the only way to filter them out, because they are useless for us.
BTW:
mbedTLS is part of Arch Linux packages:
https://archlinux.org/packages/community/x86_64/mbedtls/
https://archlinuxarm.org/packages/arm/mbedtls
https://archlinuxarm.org/packages/armv6h/mbedtls
https://archlinuxarm.org/packages/armv7h/mbedtls
https://archlinuxarm.org/packages/aarch64/mbedtls
Also, I aggree about the installed size:
Packages (1) mbedtls-2.25.0-1
Total Installed Size: 5.07 MiB
Packages (1) openssl-1.1.1.i-2
Total Installed Size: 7.31 MiB
from hcxtools.
On OpenWrt it's 971.2 KB OpenSSL vs 175.1 KB mbedtls for mips architecture.
If you don't need TLS, why use a TLS library? Taking the functions from hashcat sounds like a good idea.
from hcxtools.
We need the TLS functions of the library on EAP-TLS.
Luckily, I think I figured out how the libray works:
openssl:
$ wlangenpmk -p passwort -e essid
essid (networkname)....: essid
password...............: passwort
plainmasterkey (SHA1)..: 0897f67a8db79ebadf8b1931d853373ef8b1ec7e80d69f4ecafba220f4d21541
Speedtest 1000 PMKs calculated:
$ time ./wlangenpmk -p passwort -e essid
real 0m1,895s
user 0m1,890s
sys 0m0,000s
vs. mbedTLS:
$ ./mbedtls
0897f67a8db79ebadf8b1931d853373ef8b1ec7e80d69f4ecafba220f4d21541
Speedtest 1000 PMKs calculated:
$ time ./mbedtls
real 0m7,826s
user 0m7,822s
sys 0m0,000s
After some speed tests, I noticed that the single thread calculation time is much more than expected.
We are nearly 4 times slower than running openssl. That will slow down the conversion process of pcapngfiles (containig many EAPOL messages and/or PMKIDs) extremely.
from hcxtools.
Unfortunate.
There's also WolfSSL, which is smaller than OpenSSL and around 2x mbedTLS. It should be comparable to OpenSSL.
from hcxtools.
Indeed, unfortunate. Everything looked fine, until a started the speed comparison.
WolfSSL is no alternative, because it isn't part of Arch Linux package system.
Looks like there will be no quick and easy solution.
But anyway, I started to add openssl 3.0 compatibility to hcxtools to avoid tons of warnings when Arch moved to 3.0, until I'll find a better solution (adding hashcat HMAC functions on time sensitive algo's).
from hcxtools.
Closed this feature request due to massive speed impact.
Now only 2 options remaining:
adding openssl 3.0.0 support - quick fix, only few test mandatory
adding hashcat has functions - will take a while, massive tests mandatory
from hcxtools.
Looks like this patch is working and we have a tiny alternative, now:
#184 (comment)
reference:
libressl/portable#651
from hcxtools.
Related Issues (20)
- implicit declaration of function βEVP_MAC_initβ HOT 13
- Hcxpcapngtool --csv option doesent include coordinates HOT 22
- When M1M3 NONCE is different HOT 6
- Please update to new version HOT 2
- hcxpmktool hangs HOT 3
- feature request: add NONCE ERROR CORRECTIONS to hcxpmktool HOT 52
- hcxtools 6.3.1 regression test failure (format WPA*01*: additional PMKID MESSAGEPAIR field) HOT 6
- Error = hcxpcapngtool.c:27:10: fatal error: openssl/core.h: No such file or directory due to missing dependency (openssl >= 3.0) HOT 2
- Nothing find with EWSA when converts hash file hccapx to cap with hcxhash2cap. HOT 4
- fatal error: openssl/core.h: No such file or directory HOT 4
- Short, greppable outputs
- Windows/MSYS Make support HOT 2
- handshake detection HOT 40
- NO
- No
- Warning: out of sequence timestamps! hcxpcapngtool/hcxdumptool HOT 9
- wifite ends in an infinite loop HOT 6
- About using - o some questions HOT 17
- atal error: openssl/core.h: No such file or directory HOT 3
- valid message pairs and nonce-error-corrections HOT 29
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
π Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. πππ
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google β€οΈ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from hcxtools.