OpenSSL: Add option to disable ECDHE with Suite B RSA
The hostapd.conf tls_flags=[SUITEB-NO-ECDH] and wpa_supplicant network profile phase1="tls_suiteb_no_ecdh=1" can now be used to configure Suite B RSA constraints with ECDHE disabled. This is mainly to allow the DHE TLS cipher suite to be tested. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This commit is contained in:
Jouni Malinen
Jouni Malinen
parent
4eb8cfe06b
commit
2ed70c7586
4 changed files with 24 additions and 7 deletions
|
|
@ -2077,6 +2077,8 @@ static unsigned int parse_tls_flags(const char *val)
|
||||||
flags |= TLS_CONN_DISABLE_TLSv1_2;
|
flags |= TLS_CONN_DISABLE_TLSv1_2;
|
||||||
if (os_strstr(val, "[SUITEB]"))
|
if (os_strstr(val, "[SUITEB]"))
|
||||||
flags |= TLS_CONN_SUITEB;
|
flags |= TLS_CONN_SUITEB;
|
||||||
|
if (os_strstr(val, "[SUITEB-NO-ECDH]"))
|
||||||
|
flags |= TLS_CONN_SUITEB_NO_ECDH | TLS_CONN_SUITEB;
|
||||||
|
|
||||||
return flags;
|
return flags;
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -100,6 +100,7 @@ struct tls_config {
|
||||||
#define TLS_CONN_EXT_CERT_CHECK BIT(9)
|
#define TLS_CONN_EXT_CERT_CHECK BIT(9)
|
||||||
#define TLS_CONN_REQUIRE_OCSP_ALL BIT(10)
|
#define TLS_CONN_REQUIRE_OCSP_ALL BIT(10)
|
||||||
#define TLS_CONN_SUITEB BIT(11)
|
#define TLS_CONN_SUITEB BIT(11)
|
||||||
|
#define TLS_CONN_SUITEB_NO_ECDH BIT(12)
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* struct tls_connection_params - Parameters for TLS connection
|
* struct tls_connection_params - Parameters for TLS connection
|
||||||
|
|
|
||||||
|
|
@ -2325,7 +2325,15 @@ static int tls_set_conn_flags(SSL *ssl, unsigned int flags)
|
||||||
SSL_clear_options(ssl, SSL_OP_NO_TLSv1_2);
|
SSL_clear_options(ssl, SSL_OP_NO_TLSv1_2);
|
||||||
#endif /* SSL_OP_NO_TLSv1_2 */
|
#endif /* SSL_OP_NO_TLSv1_2 */
|
||||||
#ifdef CONFIG_SUITEB
|
#ifdef CONFIG_SUITEB
|
||||||
if (flags & TLS_CONN_SUITEB) {
|
if (flags & TLS_CONN_SUITEB_NO_ECDH) {
|
||||||
|
const char *ciphers = "DHE-RSA-AES256-GCM-SHA384";
|
||||||
|
|
||||||
|
if (SSL_set_cipher_list(ssl, ciphers) != 1) {
|
||||||
|
wpa_printf(MSG_INFO,
|
||||||
|
"OpenSSL: Failed to set Suite B ciphers");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
} else if (flags & TLS_CONN_SUITEB) {
|
||||||
EC_KEY *ecdh;
|
EC_KEY *ecdh;
|
||||||
const char *ciphers =
|
const char *ciphers =
|
||||||
"ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384";
|
"ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384";
|
||||||
|
|
@ -2341,12 +2349,6 @@ static int tls_set_conn_flags(SSL *ssl, unsigned int flags)
|
||||||
"OpenSSL: Failed to set Suite B curves");
|
"OpenSSL: Failed to set Suite B curves");
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
/* ECDSA+SHA384 if need to add EC support here */
|
|
||||||
if (SSL_set1_sigalgs_list(ssl, "RSA+SHA384") != 1) {
|
|
||||||
wpa_printf(MSG_INFO,
|
|
||||||
"OpenSSL: Failed to set Suite B sigalgs");
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
|
|
||||||
ecdh = EC_KEY_new_by_curve_name(NID_secp384r1);
|
ecdh = EC_KEY_new_by_curve_name(NID_secp384r1);
|
||||||
if (!ecdh || SSL_set_tmp_ecdh(ssl, ecdh) != 1) {
|
if (!ecdh || SSL_set_tmp_ecdh(ssl, ecdh) != 1) {
|
||||||
|
|
@ -2356,6 +2358,14 @@ static int tls_set_conn_flags(SSL *ssl, unsigned int flags)
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
EC_KEY_free(ecdh);
|
EC_KEY_free(ecdh);
|
||||||
|
}
|
||||||
|
if (flags & (TLS_CONN_SUITEB | TLS_CONN_SUITEB_NO_ECDH)) {
|
||||||
|
/* ECDSA+SHA384 if need to add EC support here */
|
||||||
|
if (SSL_set1_sigalgs_list(ssl, "RSA+SHA384") != 1) {
|
||||||
|
wpa_printf(MSG_INFO,
|
||||||
|
"OpenSSL: Failed to set Suite B sigalgs");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
SSL_set_options(ssl, SSL_OP_NO_TLSv1);
|
SSL_set_options(ssl, SSL_OP_NO_TLSv1);
|
||||||
SSL_set_options(ssl, SSL_OP_NO_TLSv1_1);
|
SSL_set_options(ssl, SSL_OP_NO_TLSv1_1);
|
||||||
|
|
|
||||||
|
|
@ -88,6 +88,10 @@ static void eap_tls_params_flags(struct tls_connection_params *params,
|
||||||
params->flags |= TLS_CONN_SUITEB;
|
params->flags |= TLS_CONN_SUITEB;
|
||||||
if (os_strstr(txt, "tls_suiteb=0"))
|
if (os_strstr(txt, "tls_suiteb=0"))
|
||||||
params->flags &= ~TLS_CONN_SUITEB;
|
params->flags &= ~TLS_CONN_SUITEB;
|
||||||
|
if (os_strstr(txt, "tls_suiteb_no_ecdh=1"))
|
||||||
|
params->flags |= TLS_CONN_SUITEB_NO_ECDH;
|
||||||
|
if (os_strstr(txt, "tls_suiteb_no_ecdh=0"))
|
||||||
|
params->flags &= ~TLS_CONN_SUITEB_NO_ECDH;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue