DGNum/hostapd
6
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

OpenSSL: Allow cipher list to be overridden for tls_suiteb=1 case

Browse source 
This allows wpa_supplicant configuration with phase1="tls_suiteb=1" to
use openssl_ciphers="ECDHE-RSA-AES256-GCM-SHA384" to further limit the
possible TLS cipher suites when using Suite B with RSA >3K keys. This
combination disables use of DHE and as such, mandates ECDHE to be used.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2017-12-10 21:16:26 +02:00
parent c358bc4b5b
commit a2c442be25
1 changed files with 17 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
src/crypto/tls_openssl.c
View file

@ -2433,7 +2433,8 @@ static int suiteb_cert_cb(SSL *ssl, void *arg)
#endif /* CONFIG_SUITEB */
static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags)
static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags,
const char *openssl_ciphers)
{
SSL *ssl = conn->ssl;
@ -2467,6 +2468,12 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags)
if (flags & TLS_CONN_SUITEB_NO_ECDH) {
const char *ciphers = "DHE-RSA-AES256-GCM-SHA384";
if (openssl_ciphers) {
wpa_printf(MSG_DEBUG,
"OpenSSL: Override ciphers for Suite B (no ECDH): %s",
openssl_ciphers);
ciphers = openssl_ciphers;
}
if (SSL_set_cipher_list(ssl, ciphers) != 1) {
wpa_printf(MSG_INFO,
"OpenSSL: Failed to set Suite B ciphers");
@ -2477,6 +2484,12 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags)
const char *ciphers =
"ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384";
if (openssl_ciphers) {
wpa_printf(MSG_DEBUG,
"OpenSSL: Override ciphers for Suite B: %s",
openssl_ciphers);
ciphers = openssl_ciphers;
}
if (SSL_set_cipher_list(ssl, ciphers) != 1) {
wpa_printf(MSG_INFO,
"OpenSSL: Failed to set Suite B ciphers");
@ -2545,7 +2558,7 @@ int tls_connection_set_verify(void *ssl_ctx, struct tls_connection *conn,
SSL_set_verify(conn->ssl, SSL_VERIFY_NONE, NULL);
}
if (tls_set_conn_flags(conn, flags) < 0)
if (tls_set_conn_flags(conn, flags, NULL) < 0)
return -1;
conn->flags = flags;
@ -4362,7 +4375,8 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
return -1;
}
if (tls_set_conn_flags(conn, params->flags) < 0)
if (tls_set_conn_flags(conn, params->flags,
params->openssl_ciphers) < 0)
return -1;
#ifdef OPENSSL_IS_BORINGSSL