authorJouni Malinen <jouni@qca.qualcomm.com>2017-09-16 21:11:37 (GMT)
committerJouni Malinen <j@w1.fi>2017-09-18 09:12:48 (GMT)
commit6418400db9c2707b5b37789cde67ef96507c08cb (patch)
tree8d11b7dca88ff672dde4321168ec09d23b160d83
parent60ed2f24ebd2515854eed9fc59be75d137cccfb0 (diff)
Add hostapd tls_flags parameter
This can be used to set the TLS flags for the authentication server. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
-rw-r--r--hostapd/config_file.c26
-rw-r--r--src/ap/ap_config.h1
-rw-r--r--src/ap/authsrv.c2
-rw-r--r--src/ap/ieee802_1x.c1
-rw-r--r--src/crypto/tls.h1
-rw-r--r--src/eap_server/eap.h1
-rw-r--r--src/eap_server/eap_i.h1
-rw-r--r--src/eap_server/eap_server.c1
-rw-r--r--src/eap_server/eap_server_tls_common.c2
-rw-r--r--src/eapol_auth/eapol_auth_sm.c2
-rw-r--r--src/eapol_auth/eapol_auth_sm.h1
-rw-r--r--src/radius/radius_server.c4
-rw-r--r--src/radius/radius_server.h2
13 files changed, 44 insertions, 1 deletions
diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index 958fdbf..41612cb 100644
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -15,6 +15,7 @@
#include "utils/uuid.h"
#include "common/ieee802_11_defs.h"
#include "crypto/sha256.h"
+#include "crypto/tls.h"
#include "drivers/driver.h"
#include "eap_server/eap.h"
#include "radius/radius_client.h"
@@ -2059,6 +2060,29 @@ static int parse_fils_realm(struct hostapd_bss_config *bss, const char *val)
#endif /* CONFIG_FILS */
+#ifdef EAP_SERVER
+static unsigned int parse_tls_flags(const char *val)
+{
+ unsigned int flags = 0;
+
+ if (os_strstr(val, "[ALLOW-SIGN-RSA-MD5]"))
+ flags |= TLS_CONN_ALLOW_SIGN_RSA_MD5;
+ if (os_strstr(val, "[DISABLE-TIME-CHECKS]"))
+ flags |= TLS_CONN_DISABLE_TIME_CHECKS;
+ if (os_strstr(val, "[DISABLE-TLSv1.0]"))
+ flags |= TLS_CONN_DISABLE_TLSv1_0;
+ if (os_strstr(val, "[DISABLE-TLSv1.1]"))
+ flags |= TLS_CONN_DISABLE_TLSv1_1;
+ if (os_strstr(val, "[DISABLE-TLSv1.2]"))
+ flags |= TLS_CONN_DISABLE_TLSv1_2;
+ if (os_strstr(val, "[SUITEB]"))
+ flags |= TLS_CONN_SUITEB;
+
+ return flags;
+}
+#endif /* EAP_SERVER */
+
+
static int hostapd_config_fill(struct hostapd_config *conf,
struct hostapd_bss_config *bss,
const char *buf, char *pos, int line)
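Review bot: parse_tls_flags silently ignores any text it does not recognise, so a typo such as `[DISABLE-TLSv1]` or an unsupported token leaves the authentication server with weaker TLS settings than the operator configured, with no error logged. These flags are a security control (protocol-version and RSA-MD5 signature restrictions), so the parser should fail closed on unknown input and the `tls_flags` branch in the next hunk should reject the line the way other options in hostapd_config_fill do with a `Line %d:` error; the sketch below assumes that function's existing `return 1` error convention, which is outside the hunk. The commit also adds no description of `tls_flags` to hostapd.conf; a short entry listing the accepted tokens (`[ALLOW-SIGN-RSA-MD5]`, `[DISABLE-TIME-CHECKS]`, `[DISABLE-TLSv1.0]`, `[DISABLE-TLSv1.1]`, `[DISABLE-TLSv1.2]`, `[SUITEB]`) would help operators.
```c
static int parse_tls_flags(const char *val, unsigned int *flags)
{
	static const struct {
		const char *tok;
		unsigned int flag;
	} tbl[] = {
		{ "[ALLOW-SIGN-RSA-MD5]", TLS_CONN_ALLOW_SIGN_RSA_MD5 },
		{ "[DISABLE-TIME-CHECKS]", TLS_CONN_DISABLE_TIME_CHECKS },
		{ "[DISABLE-TLSv1.0]", TLS_CONN_DISABLE_TLSv1_0 },
		{ "[DISABLE-TLSv1.1]", TLS_CONN_DISABLE_TLSv1_1 },
		{ "[DISABLE-TLSv1.2]", TLS_CONN_DISABLE_TLSv1_2 },
		{ "[SUITEB]", TLS_CONN_SUITEB },
	};
	const char *pos = val;

	*flags = 0;
	while (*pos) {
		size_t i;

		if (*pos != '[')
			return -1; /* stray text: fail closed */
		for (i = 0; i < ARRAY_SIZE(tbl); i++) {
			size_t len = os_strlen(tbl[i].tok);

			if (os_strncmp(pos, tbl[i].tok, len) == 0) {
				*flags |= tbl[i].flag;
				pos += len;
				break;
			}
		}
		if (i == ARRAY_SIZE(tbl))
			return -1; /* unknown token: fail closed */
	}
	return 0;
}

/* … unchanged: hostapd_config_fill up to the tls_session_lifetime branch … */
	} else if (os_strcmp(buf, "tls_flags") == 0) {
		if (parse_tls_flags(pos, &bss->tls_flags) < 0) {
			wpa_printf(MSG_ERROR, "Line %d: invalid tls_flags '%s'",
				   line, pos);
			return 1;
		}
```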
@@ -2212,6 +2236,8 @@ static int hostapd_config_fill(struct hostapd_config *conf,
bss->check_crl = atoi(pos);
} else if (os_strcmp(buf, "tls_session_lifetime") == 0) {
bss->tls_session_lifetime = atoi(pos);
+ } else if (os_strcmp(buf, "tls_flags") == 0) {
+ bss->tls_flags = parse_tls_flags(pos);
} else if (os_strcmp(buf, "ocsp_stapling_response") == 0) {
os_free(bss->ocsp_stapling_response);
bss->ocsp_stapling_response = os_strdup(pos);
diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
index 28569ed..48d4280 100644
--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
@@ -367,6 +367,7 @@ struct hostapd_bss_config {
char *private_key_passwd;
int check_crl;
unsigned int tls_session_lifetime;
+ unsigned int tls_flags;
char *ocsp_stapling_response;
char *ocsp_stapling_response_multi;
char *dh_file;
diff --git a/src/ap/authsrv.c b/src/ap/authsrv.c
index 8a65824..a20f49f 100644
--- a/src/ap/authsrv.c
+++ b/src/ap/authsrv.c
@@ -132,6 +132,7 @@ static int hostapd_setup_radius_srv(struct hostapd_data *hapd)
srv.erp = conf->eap_server_erp;
srv.erp_domain = conf->erp_domain;
srv.tls_session_lifetime = conf->tls_session_lifetime;
+ srv.tls_flags = conf->tls_flags;
hapd->radius_srv = radius_server_init(&srv);
if (hapd->radius_srv == NULL) {
@@ -156,6 +157,7 @@ int authsrv_init(struct hostapd_data *hapd)
os_memset(&conf, 0, sizeof(conf));
conf.tls_session_lifetime = hapd->conf->tls_session_lifetime;
+ conf.tls_flags = hapd->conf->tls_flags;
hapd->ssl_ctx = tls_init(&conf);
if (hapd->ssl_ctx == NULL) {
wpa_printf(MSG_ERROR, "Failed to initialize TLS");
diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c
index 6ea1ebe..793d381 100644
--- a/src/ap/ieee802_1x.c
+++ b/src/ap/ieee802_1x.c
@@ -2230,6 +2230,7 @@ int ieee802_1x_init(struct hostapd_data *hapd)
conf.erp_domain = hapd->conf->erp_domain;
conf.erp = hapd->conf->eap_server_erp;
conf.tls_session_lifetime = hapd->conf->tls_session_lifetime;
+ conf.tls_flags = hapd->conf->tls_flags;
conf.pac_opaque_encr_key = hapd->conf->pac_opaque_encr_key;
conf.eap_fast_a_id = hapd->conf->eap_fast_a_id;
conf.eap_fast_a_id_len = hapd->conf->eap_fast_a_id_len;
diff --git a/src/crypto/tls.h b/src/crypto/tls.h
index 9b3a7a2..4c8061c 100644
--- a/src/crypto/tls.h
+++ b/src/crypto/tls.h
@@ -80,6 +80,7 @@ struct tls_config {
int cert_in_cb;
const char *openssl_ciphers;
unsigned int tls_session_lifetime;
+ unsigned int tls_flags;
void (*event_cb)(void *ctx, enum tls_event ev,
union tls_event_data *data);
diff --git a/src/eap_server/eap.h b/src/eap_server/eap.h
index 93eab62..c67fa82 100644
--- a/src/eap_server/eap.h
+++ b/src/eap_server/eap.h
@@ -132,6 +132,7 @@ struct eap_config {
size_t server_id_len;
int erp;
unsigned int tls_session_lifetime;
+ unsigned int tls_flags;
#ifdef CONFIG_TESTING_OPTIONS
u32 tls_test_flags;
diff --git a/src/eap_server/eap_i.h b/src/eap_server/eap_i.h
index c90443d..3d6f8d5 100644
--- a/src/eap_server/eap_i.h
+++ b/src/eap_server/eap_i.h
@@ -211,6 +211,7 @@ struct eap_sm {
Boolean try_initiate_reauth;
int erp;
unsigned int tls_session_lifetime;
+ unsigned int tls_flags;
#ifdef CONFIG_TESTING_OPTIONS
u32 tls_test_flags;
diff --git a/src/eap_server/eap_server.c b/src/eap_server/eap_server.c
index 1b571cf..9706e25 100644
--- a/src/eap_server/eap_server.c
+++ b/src/eap_server/eap_server.c
@@ -1868,6 +1868,7 @@ struct eap_sm * eap_server_sm_init(void *eapol_ctx,
sm->server_id_len = conf->server_id_len;
sm->erp = conf->erp;
sm->tls_session_lifetime = conf->tls_session_lifetime;
+ sm->tls_flags = conf->tls_flags;
#ifdef CONFIG_TESTING_OPTIONS
sm->tls_test_flags = conf->tls_test_flags;
diff --git a/src/eap_server/eap_server_tls_common.c b/src/eap_server/eap_server_tls_common.c
index 6909695..3c9027b 100644
--- a/src/eap_server/eap_server_tls_common.c
+++ b/src/eap_server/eap_server_tls_common.c
@@ -47,7 +47,7 @@ int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
int verify_peer, int eap_type)
{
u8 session_ctx[8];
- unsigned int flags = 0;
+ unsigned int flags = sm->tls_flags;
if (sm->ssl_ctx == NULL) {
wpa_printf(MSG_ERROR, "TLS context not initialized - cannot use TLS-based EAP method");
diff --git a/src/eapol_auth/eapol_auth_sm.c b/src/eapol_auth/eapol_auth_sm.c
index bb50da5..36074d3 100644
--- a/src/eapol_auth/eapol_auth_sm.c
+++ b/src/eapol_auth/eapol_auth_sm.c
@@ -848,6 +848,7 @@ eapol_auth_alloc(struct eapol_authenticator *eapol, const u8 *addr,
eap_conf.server_id_len = eapol->conf.server_id_len;
eap_conf.erp = eapol->conf.erp;
eap_conf.tls_session_lifetime = eapol->conf.tls_session_lifetime;
+ eap_conf.tls_flags = eapol->conf.tls_flags;
sm->eap = eap_server_sm_init(sm, &eapol_cb, &eap_conf);
if (sm->eap == NULL) {
eapol_auth_free(sm);
@@ -1246,6 +1247,7 @@ static int eapol_auth_conf_clone(struct eapol_auth_config *dst,
dst->erp_send_reauth_start = src->erp_send_reauth_start;
dst->erp = src->erp;
dst->tls_session_lifetime = src->tls_session_lifetime;
+ dst->tls_flags = src->tls_flags;
return 0;
diff --git a/src/eapol_auth/eapol_auth_sm.h b/src/eapol_auth/eapol_auth_sm.h
index e1974e4..44f3f31 100644
--- a/src/eapol_auth/eapol_auth_sm.h
+++ b/src/eapol_auth/eapol_auth_sm.h
@@ -28,6 +28,7 @@ struct eapol_auth_config {
char *erp_domain; /* a copy of this will be allocated */
int erp; /* Whether ERP is enabled on authentication server */
unsigned int tls_session_lifetime;
+ unsigned int tls_flags;
u8 *pac_opaque_encr_key;
u8 *eap_fast_a_id;
size_t eap_fast_a_id_len;
diff --git a/src/radius/radius_server.c b/src/radius/radius_server.c
index 6cce2ff..c76bb22 100644
--- a/src/radius/radius_server.c
+++ b/src/radius/radius_server.c
@@ -272,6 +272,8 @@ struct radius_server_data {
unsigned int tls_session_lifetime;
+ unsigned int tls_flags;
+
/**
* wps - Wi-Fi Protected Setup context
*
@@ -696,6 +698,7 @@ radius_server_get_new_session(struct radius_server_data *data,
eap_conf.server_id_len = os_strlen(data->server_id);
eap_conf.erp = data->erp;
eap_conf.tls_session_lifetime = data->tls_session_lifetime;
+ eap_conf.tls_flags = data->tls_flags;
radius_server_testing_options(sess, &eap_conf);
sess->eap = eap_server_sm_init(sess, &radius_server_eapol_cb,
&eap_conf);
@@ -1754,6 +1757,7 @@ radius_server_init(struct radius_server_conf *conf)
data->erp = conf->erp;
data->erp_domain = conf->erp_domain;
data->tls_session_lifetime = conf->tls_session_lifetime;
+ data->tls_flags = conf->tls_flags;
if (conf->subscr_remediation_url) {
data->subscr_remediation_url =
diff --git a/src/radius/radius_server.h b/src/radius/radius_server.h
index 7a25802..996f00e 100644
--- a/src/radius/radius_server.h
+++ b/src/radius/radius_server.h
@@ -172,6 +172,8 @@ struct radius_server_conf {
unsigned int tls_session_lifetime;
+ unsigned int tls_flags;
+
/**
* wps - Wi-Fi Protected Setup context
*