OpenSSL: Allow anon-DH cipher suites to be added for TEAP

Add a new TLS_CONN_* flag to provide a higher level mechanism for adding (instead of fully replacing) allowed list of TLS ciphersuites for TEAP provisioning purposes. Signed-off-by: Jouni Malinen <j@w1.fi>
2019-07-09 16:37:19 +03:00 · 2019-07-09 16:37:19 +03:00 · 3ec65a8e38
commit 3ec65a8e38
parent 94714ec341
2 changed files with 32 additions and 0 deletions
--- a/src/crypto/tls.h
+++ b/src/crypto/tls.h
@ -111,6 +111,7 @@ struct tls_config {
 #define TLS_CONN_ENABLE_TLSv1_0 BIT(14)
 #define TLS_CONN_ENABLE_TLSv1_1 BIT(15)
 #define TLS_CONN_ENABLE_TLSv1_2 BIT(16)
 #define TLS_CONN_TEAP_ANON_DH BIT(17)
 /**
 * struct tls_connection_params - Parameters for TLS connection
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@ -3079,6 +3079,37 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags,
 	}
 #endif /* CONFIG_SUITEB */
 	if (flags & TLS_CONN_TEAP_ANON_DH) {
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
 #ifndef TEAP_DH_ANON_CS
 #define TEAP_DH_ANON_CS \
 	"ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:" \
 	"ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:" \
 	"ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:" \
 	"DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:" \
 	"DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:" \
 	"DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:" \
 	"ADH-AES256-GCM-SHA384:ADH-AES128-GCM-SHA256:" \
 	"ADH-AES256-SHA256:ADH-AES128-SHA256:ADH-AES256-SHA:ADH-AES128-SHA"
 #endif
 		static const char *cs = TEAP_DH_ANON_CS;
 		/*
 		 * Need to drop to security level 0 to allow anonymous
 		 * cipher suites for EAP-TEAP.
 		 */
 		SSL_set_security_level(conn->ssl, 0);
 #endif
 		wpa_printf(MSG_DEBUG,
 			   "OpenSSL: Enable cipher suites for anonymous EAP-TEAP provisioning: %s",
 			   cs);
 		if (SSL_set_cipher_list(conn->ssl, cs) != 1) {
 			tls_show_errors(MSG_INFO, __func__,
 					"Cipher suite configuration failed");
 			return -1;
 		}
 	}
 	return 0;
 }