From 60ed2f24ebd2515854eed9fc59be75d137cccfb0 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sun, 17 Sep 2017 00:09:47 +0300
Subject: [PATCH] Suite B: Add tls_suiteb=1 parameter for RSA 3k key case
This adds phase1 parameter tls_suiteb=1 into wpa_supplicant configuration to allow TLS library (only OpenSSL supported for now) to use Suite B 192-bit level rules with RSA when using >= 3k (3072) keys.
Signed-off-by: Jouni Malinen
---
 src/crypto/tls.h | 1 +
 src/crypto/tls_openssl.c | 47 ++++++++++++++++++++++++++++--
 src/eap_peer/eap_tls_common.c | 4 +++
 wpa_supplicant/wpa_supplicant.conf | 3 ++
 4 files changed, 52 insertions(+), 3 deletions(-)
diff --git a/src/crypto/tls.h b/src/crypto/tls.h
index 11d504a97..9b3a7a259 100644
--- a/src/crypto/tls.h
+++ b/src/crypto/tls.h
@@ -97,6 +97,7 @@ struct tls_config {
 #define TLS_CONN_DISABLE_TLSv1_0 BIT(8)
 #define TLS_CONN_EXT_CERT_CHECK BIT(9)
 #define TLS_CONN_REQUIRE_OCSP_ALL BIT(10)
+#define TLS_CONN_SUITEB BIT(11)
 /**
 * struct tls_connection_params - Parameters for TLS connection
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 903c38cff..be91e3e00 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -2257,7 +2257,7 @@ static int tls_connection_set_subject_match(struct tls_connection *conn,
 }
-static void tls_set_conn_flags(SSL *ssl, unsigned int flags)
+static int tls_set_conn_flags(SSL *ssl, unsigned int flags)
 {
 #ifdef SSL_OP_NO_TICKET
 if (flags & TLS_CONN_DISABLE_SESSION_TICKET)
@@ -2284,6 +2284,45 @@ static void tls_set_conn_flags(SSL *ssl, unsigned int flags)
 else
 SSL_clear_options(ssl, SSL_OP_NO_TLSv1_2);
 #endif /* SSL_OP_NO_TLSv1_2 */
+#ifdef CONFIG_SUITEB
+ if (flags & TLS_CONN_SUITEB) {
+ EC_KEY *ecdh;
+ const char *ciphers =
+ "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384";
+
+ if (SSL_set_cipher_list(ssl, ciphers) != 1) {
+ wpa_printf(MSG_INFO,
+ "OpenSSL: Failed to set Suite B ciphers");
+ return -1;
+ }
+
+ if (SSL_set1_curves_list(ssl, "P-384") != 1) {
+ wpa_printf(MSG_INFO,
+ "OpenSSL: Failed to set Suite B curves");
+ return -1;
+ }
+ /* ECDSA+SHA384 if need to add EC support here */
+ if (SSL_set1_sigalgs_list(ssl, "RSA+SHA384") != 1) {
+ wpa_printf(MSG_INFO,
+ "OpenSSL: Failed to set Suite B sigalgs");
+ return -1;
+ }
+
+ ecdh = EC_KEY_new_by_curve_name(NID_secp384r1);
+ if (!ecdh || SSL_set_tmp_ecdh(ssl, ecdh) != 1) {
+ EC_KEY_free(ecdh);
+ wpa_printf(MSG_INFO,
+ "OpenSSL: Failed to set ECDH parameter");
+ return -1;
+ }
+ EC_KEY_free(ecdh);
+
+ SSL_set_options(ssl, SSL_OP_NO_TLSv1);
+ SSL_set_options(ssl, SSL_OP_NO_TLSv1_1);
+ }
+#endif /* CONFIG_SUITEB */
+
+ return 0;
 }
@@ -2307,7 +2346,8 @@ int tls_connection_set_verify(void *ssl_ctx, struct tls_connection *conn,
 SSL_set_verify(conn->ssl, SSL_VERIFY_NONE, NULL);
 }
- tls_set_conn_flags(conn->ssl, flags);
+ if (tls_set_conn_flags(conn->ssl, flags) < 0)
+ return -1;
 conn->flags = flags;
 SSL_set_accept_state(conn->ssl);
@@ -4111,7 +4151,8 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
 return -1;
 }
- tls_set_conn_flags(conn->ssl, params->flags);
+ if (tls_set_conn_flags(conn->ssl, params->flags) < 0)
+ return -1;
 #ifdef OPENSSL_IS_BORINGSSL
 if (params->flags & TLS_CONN_REQUEST_OCSP) {
diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c
index 0dcb9c138..b387dea50 100644
--- a/src/eap_peer/eap_tls_common.c
+++ b/src/eap_peer/eap_tls_common.c
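Review bot: With `CONFIG_SUITEB` undefined, the new block in tls_set_conn_flags() compiles away and the function returns 0, so a network configured with `tls_suiteb=1` connects with none of the Suite B restrictions and no error; the eap_tls_common.c hunk sets TLS_CONN_SUITEB regardless of build options. For an option whose purpose is to narrow the accepted TLS parameters this should fail closed, with an `#else` branch that logs and returns -1 when the flag is set. Separately, nothing in this hunk checks the server certificate's RSA key length or the DHE prime size used with `DHE-RSA-AES256-GCM-SHA384`, so the >= 3072-bit rule named in the commit message is either enforced elsewhere or not enforced yet, which is worth confirming. The function body starts outside this hunk.

```c
	/* ... unchanged: Suite B cipher list, curve, sigalg and ECDH setup ... */
#else /* CONFIG_SUITEB */
	if (flags & TLS_CONN_SUITEB) {
		wpa_printf(MSG_INFO,
			   "OpenSSL: Suite B requested but not supported in this build");
		return -1;
	}
#endif /* CONFIG_SUITEB */

	return 0;
```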
@@ -84,6 +84,10 @@ static void eap_tls_params_flags(struct tls_connection_params *params,
 params->flags |= TLS_CONN_EXT_CERT_CHECK;
 if (os_strstr(txt, "tls_ext_cert_check=0"))
 params->flags &= ~TLS_CONN_EXT_CERT_CHECK;
+ if (os_strstr(txt, "tls_suiteb=1"))
+ params->flags |= TLS_CONN_SUITEB;
+ if (os_strstr(txt, "tls_suiteb=0"))
+ params->flags &= ~TLS_CONN_SUITEB;
 }
diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index 68d0827c5..3430be0cf 100644
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -1164,6 +1164,9 @@ fast_reauth=1
 # chain when receiving CTRL-RSP-EXT_CERT_CHECK event from the control
 # interface and report the result of the validation with
 # CTRL-RSP_EXT_CERT_CHECK.
+# tls_suiteb=0 - do not apply Suite B 192-bit constraints on TLS (default)
+# tls_suiteb=1 - apply Suite B 192-bit constraints on TLS; this is used in
+# particular when using Suite B with RSA keys of >= 3K (3072) bits
 #
 # Following certificate/private key fields are used in inner Phase2
 # authentication when using EAP-TTLS or EAP-PEAP.
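Review bot: In eap_tls_params_flags() the new `tls_suiteb=` checks appear to be plain substring matches, so a value such as `tls_suiteb=10` turns the flag on, while a misspelled value such as `tls_suiteb=yes` leaves the Suite B constraints off without any diagnostic. This follows the existing `tls_ext_cert_check` pattern, but because the option restricts the accepted TLS parameters, a silent miss means the connection runs with weaker settings than the operator intended. I would add a comment such as `/* substring match: only tls_suiteb=1 and tls_suiteb=0 are recognized; =0 wins if both appear */` and consider a debug log when TLS_CONN_SUITEB ends up set. The function body begins outside this hunk.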