EAP-FAST: Enable AES256-based TLS cipher suites with OpenSSL

This extends the list of TLS cipher suites enabled for EAP-FAST to
include AES256-based suites.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen 2015-12-31 20:52:58 +02:00 committed by Jouni Malinen
parent 1ebb24bbfb
commit 750f5d9964
4 changed files with 16 additions and 4 deletions


@ -461,7 +461,9 @@ enum {
TLS_CIPHER_RC4_SHA /* 0x0005 */, TLS_CIPHER_RC4_SHA /* 0x0005 */,
TLS_CIPHER_AES128_SHA /* 0x002f */, TLS_CIPHER_AES128_SHA /* 0x002f */,
TLS_CIPHER_RSA_DHE_AES128_SHA /* 0x0031 */, TLS_CIPHER_RSA_DHE_AES128_SHA /* 0x0031 */,
TLS_CIPHER_ANON_DH_AES128_SHA /* 0x0034 */ TLS_CIPHER_ANON_DH_AES128_SHA /* 0x0034 */,
TLS_CIPHER_RSA_DHE_AES256_SHA /* 0x0039 */,
TLS_CIPHER_AES256_SHA /* 0x0035 */,
}; };
/** /**
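Review bot: The two new enumerators `TLS_CIPHER_RSA_DHE_AES256_SHA /* 0x0039 */,` and `TLS_CIPHER_AES256_SHA /* 0x0035 */,` are added out of the ascending suite-id order the rest of the enum follows (0x0005, 0x002f, 0x0031, 0x0034); swapping the two lines keeps the list scannable against the registry. If the intent is append-only because the enumerator values are used as selectors elsewhere, a comment on the enum such as `/* keep new entries at the end; values are used as u8 selectors */` would say so. The enum opens before the hunk, so I can't see whether such a comment already exists.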


@ -3407,7 +3407,7 @@ int tls_connection_resumed(void *ssl_ctx, struct tls_connection *conn)
int tls_connection_set_cipher_list(void *tls_ctx, struct tls_connection *conn, int tls_connection_set_cipher_list(void *tls_ctx, struct tls_connection *conn,
u8 *ciphers) u8 *ciphers)
{ {
char buf[100], *pos, *end; char buf[500], *pos, *end;
u8 *c; u8 *c;
int ret; int ret;
@ -3435,6 +3435,12 @@ int tls_connection_set_cipher_list(void *tls_ctx, struct tls_connection *conn,
case TLS_CIPHER_ANON_DH_AES128_SHA: case TLS_CIPHER_ANON_DH_AES128_SHA:
suite = "ADH-AES128-SHA"; suite = "ADH-AES128-SHA";
break; break;
case TLS_CIPHER_RSA_DHE_AES256_SHA:
suite = "DHE-RSA-AES256-SHA";
break;
case TLS_CIPHER_AES256_SHA:
suite = "AES256-SHA";
break;
default: default:
wpa_printf(MSG_DEBUG, "TLS: Unsupported " wpa_printf(MSG_DEBUG, "TLS: Unsupported "
"cipher selection: %d", *c); "cipher selection: %d", *c);
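Review bot: `char buf[500], *pos, *end;` replaces one magic size with another, and nothing in the hunk ties 500 to the number of supported suites; the code that appends each `suite` string into buf lies outside both hunks, so whether it bounds writes by `end - pos` and checks for truncation is not visible here. A comment above the declaration such as `/* must hold every supported suite name joined by ':' plus the terminator */`, or a named constant kept next to the enum, would let whoever adds the next suite re-check the limit. The rest of tls_connection_set_cipher_list, including the loop that fills buf, is outside the hunks.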


@ -1446,7 +1446,7 @@ static int eap_fast_clear_pac_opaque_ext(struct eap_sm *sm,
static int eap_fast_set_provisioning_ciphers(struct eap_sm *sm, static int eap_fast_set_provisioning_ciphers(struct eap_sm *sm,
struct eap_fast_data *data) struct eap_fast_data *data)
{ {
u8 ciphers[5]; u8 ciphers[7];
int count = 0; int count = 0;
if (data->provisioning_allowed & EAP_FAST_PROV_UNAUTH) { if (data->provisioning_allowed & EAP_FAST_PROV_UNAUTH) {
@ -1458,7 +1458,9 @@ static int eap_fast_set_provisioning_ciphers(struct eap_sm *sm,
if (data->provisioning_allowed & EAP_FAST_PROV_AUTH) { if (data->provisioning_allowed & EAP_FAST_PROV_AUTH) {
wpa_printf(MSG_DEBUG, "EAP-FAST: Enabling authenticated " wpa_printf(MSG_DEBUG, "EAP-FAST: Enabling authenticated "
"provisioning TLS cipher suites"); "provisioning TLS cipher suites");
ciphers[count++] = TLS_CIPHER_RSA_DHE_AES256_SHA;
ciphers[count++] = TLS_CIPHER_RSA_DHE_AES128_SHA; ciphers[count++] = TLS_CIPHER_RSA_DHE_AES128_SHA;
ciphers[count++] = TLS_CIPHER_AES256_SHA;
ciphers[count++] = TLS_CIPHER_AES128_SHA; ciphers[count++] = TLS_CIPHER_AES128_SHA;
ciphers[count++] = TLS_CIPHER_RC4_SHA; ciphers[count++] = TLS_CIPHER_RC4_SHA;
} }
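Review bot: The new suites are inserted ahead of their AES128 counterparts here (`ciphers[count++] = TLS_CIPHER_RSA_DHE_AES256_SHA;` precedes the AES128 entry), but in the eap_fast_init hunk the same two suites are appended after TLS_CIPHER_RC4_SHA, so the two lists disagree on ordering; if this order is the preference order handed to the TLS library (I can't confirm that from the hunk), the two should match and a comment `/* order is the preference order passed to tls_connection_set_cipher_list() */` belongs on the array. `u8 ciphers[7]` is sized by hand to the number of `ciphers[count++]` writes across both branches, presumably plus a TLS_CIPHER_NONE terminator as in eap_fast_init, with no check that count stays below the bound; a comment stating that invariant, or a shared size constant used by both functions, would lower the chance of a silent overrun on the next addition. TLS_CIPHER_RC4_SHA stays as the last authenticated-provisioning entry; that is outside this commit's scope, but a comment recording why it is retained would help a later cleanup. The UNAUTH branch and the code after the closing brace sit between and after the hunks.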


@ -412,11 +412,13 @@ static int eap_fast_update_icmk(struct eap_sm *sm, struct eap_fast_data *data)
static void * eap_fast_init(struct eap_sm *sm) static void * eap_fast_init(struct eap_sm *sm)
{ {
struct eap_fast_data *data; struct eap_fast_data *data;
u8 ciphers[5] = { u8 ciphers[7] = {
TLS_CIPHER_ANON_DH_AES128_SHA, TLS_CIPHER_ANON_DH_AES128_SHA,
TLS_CIPHER_AES128_SHA, TLS_CIPHER_AES128_SHA,
TLS_CIPHER_RSA_DHE_AES128_SHA, TLS_CIPHER_RSA_DHE_AES128_SHA,
TLS_CIPHER_RC4_SHA, TLS_CIPHER_RC4_SHA,
TLS_CIPHER_RSA_DHE_AES256_SHA,
TLS_CIPHER_AES256_SHA,
TLS_CIPHER_NONE TLS_CIPHER_NONE
}; };