authorJouni Malinen <j@w1.fi>2019-07-09 13:37:19 (GMT)
committerJouni Malinen <j@w1.fi>2019-07-09 13:38:32 (GMT)
commit3ec65a8e38a0ad37bafe7dc9459a400db97cbaa4 (patch)
treef6ed3aac19fe3ceaefe5053e422a1f0e869f24ae /src/crypto
parent94714ec341cc278db386fd998b8dd7a2aa4180bb (diff)
OpenSSL: Allow anon-DH cipher suites to be added for TEAP
Add a new TLS_CONN_* flag to provide a higher-level mechanism for adding to (instead of fully replacing) the list of allowed TLS cipher suites for TEAP provisioning purposes. Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'src/crypto')
-rw-r--r--src/crypto/tls.h1
-rw-r--r--src/crypto/tls_openssl.c31
2 files changed, 32 insertions, 0 deletions
diff --git a/src/crypto/tls.h b/src/crypto/tls.h
index 3e7e9c7..a9ba7d1 100644
--- a/src/crypto/tls.h
+++ b/src/crypto/tls.h
@@ -111,6 +111,7 @@ struct tls_config {
#define TLS_CONN_ENABLE_TLSv1_0 BIT(14)
#define TLS_CONN_ENABLE_TLSv1_1 BIT(15)
#define TLS_CONN_ENABLE_TLSv1_2 BIT(16)
+#define TLS_CONN_TEAP_ANON_DH BIT(17)
/**
* struct tls_connection_params - Parameters for TLS connection
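Review bot: The new `TLS_CONN_TEAP_ANON_DH` bit carries no comment, although in the tls_openssl.c hunk of this same commit it drops the connection to OpenSSL security level 0 and enables ADH cipher suites, i.e. a handshake with no server authentication. The neighbouring TLS_CONN_* bits are self-explanatory, this one is not; I would add above it `/* Allow anonymous (ADH) cipher suites and lower the OpenSSL security level for the unauthenticated EAP-TEAP provisioning handshake only */`. The enclosing `struct tls_config` definition starts before this hunk.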
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 19271d3..ff6f72b 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -3079,6 +3079,37 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags,
}
#endif /* CONFIG_SUITEB */
+ if (flags & TLS_CONN_TEAP_ANON_DH) {
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+#ifndef TEAP_DH_ANON_CS
+#define TEAP_DH_ANON_CS \
+ "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:" \
+ "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:" \
+ "ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:" \
+ "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:" \
+ "DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:" \
+ "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:" \
+ "ADH-AES256-GCM-SHA384:ADH-AES128-GCM-SHA256:" \
+ "ADH-AES256-SHA256:ADH-AES128-SHA256:ADH-AES256-SHA:ADH-AES128-SHA"
+#endif
+ static const char *cs = TEAP_DH_ANON_CS;
+ /*
+ * Need to drop to security level 0 to allow anonymous
+ * cipher suites for EAP-TEAP.
+ */
+ SSL_set_security_level(conn->ssl, 0);
+#endif
+
+ wpa_printf(MSG_DEBUG,
+ "OpenSSL: Enable cipher suites for anonymous EAP-TEAP provisioning: %s",
+ cs);
+ if (SSL_set_cipher_list(conn->ssl, cs) != 1) {
+ tls_show_errors(MSG_INFO, __func__,
+ "Cipher suite configuration failed");
+ return -1;
+ }
+ }
+
return 0;
}
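Review bot: `cs` is declared inside the `#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)` block but is used by the `wpa_printf()` and `SSL_set_cipher_list()` calls after the `#endif`, so a build against OpenSSL 1.0.x or LibreSSL fails on an undeclared identifier as soon as this code is compiled; the `TEAP_DH_ANON_CS` definition and the `static const char *cs` declaration belong outside the version guard, with only the `SSL_set_security_level()` call kept inside it. Separately, `SSL_set_security_level(conn->ssl, 0)` applies to the whole connection and is never raised again, and the fixed string handed to `SSL_set_cipher_list()` replaces whatever cipher list was previously configured on `conn->ssl` (presumably including any user-supplied openssl_ciphers string, if that is applied earlier — not visible in this hunk), which does not match the "adding instead of fully replacing" wording of the commit message. A comment such as `/* Intentionally permits unauthenticated (ADH) suites: server is not authenticated in this handshake; use only for TEAP provisioning */` would make the intent explicit for the next reader. tls_set_conn_flags() begins before this hunk.
```c
	if (flags & TLS_CONN_TEAP_ANON_DH) {
		/* … unchanged: #ifndef TEAP_DH_ANON_CS … #define TEAP_DH_ANON_CS … #endif … */
		static const char *cs = TEAP_DH_ANON_CS;

#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
		/*
		 * Need to drop to security level 0 to allow anonymous
		 * cipher suites for EAP-TEAP.
		 */
		SSL_set_security_level(conn->ssl, 0);
#endif
		/* … unchanged: wpa_printf() and SSL_set_cipher_list() … */
```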