From 6418400db9c2707b5b37789cde67ef96507c08cb Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni@qca.qualcomm.com>
Date: Sun, 17 Sep 2017 00:11:37 +0300
Subject: [PATCH] Add hostapd tls_flags parameter

This can be used to set the TLS flags for authentication server.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
---
 hostapd/config_file.c                  | 26 ++++++++++++++++++++++++++
 src/ap/ap_config.h                     |  1 +
 src/ap/authsrv.c                       |  2 ++
 src/ap/ieee802_1x.c                    |  1 +
 src/crypto/tls.h                       |  1 +
 src/eap_server/eap.h                   |  1 +
 src/eap_server/eap_i.h                 |  1 +
 src/eap_server/eap_server.c            |  1 +
 src/eap_server/eap_server_tls_common.c |  2 +-
 src/eapol_auth/eapol_auth_sm.c         |  2 ++
 src/eapol_auth/eapol_auth_sm.h         |  1 +
 src/radius/radius_server.c             |  4 ++++
 src/radius/radius_server.h             |  2 ++
 13 files changed, 44 insertions(+), 1 deletion(-)

diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index 958fdbf13..41612cb9a 100644
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -15,6 +15,7 @@
 #include "utils/uuid.h"
 #include "common/ieee802_11_defs.h"
 #include "crypto/sha256.h"
+#include "crypto/tls.h"
 #include "drivers/driver.h"
 #include "eap_server/eap.h"
 #include "radius/radius_client.h"
@@ -2059,6 +2060,29 @@ static int parse_fils_realm(struct hostapd_bss_config *bss, const char *val)
 #endif /* CONFIG_FILS */
 
 
+#ifdef EAP_SERVER
+static unsigned int parse_tls_flags(const char *val)
+{
+	unsigned int flags = 0;
+
+	if (os_strstr(val, "[ALLOW-SIGN-RSA-MD5]"))
+		flags |= TLS_CONN_ALLOW_SIGN_RSA_MD5;
+	if (os_strstr(val, "[DISABLE-TIME-CHECKS]"))
+		flags |= TLS_CONN_DISABLE_TIME_CHECKS;
+	if (os_strstr(val, "[DISABLE-TLSv1.0]"))
+		flags |= TLS_CONN_DISABLE_TLSv1_0;
+	if (os_strstr(val, "[DISABLE-TLSv1.1]"))
+		flags |= TLS_CONN_DISABLE_TLSv1_1;
+	if (os_strstr(val, "[DISABLE-TLSv1.2]"))
+		flags |= TLS_CONN_DISABLE_TLSv1_2;
+	if (os_strstr(val, "[SUITEB]"))
+		flags |= TLS_CONN_SUITEB;
+
+	return flags;
+}
+#endif /* EAP_SERVER */
+
+
 static int hostapd_config_fill(struct hostapd_config *conf,
 			       struct hostapd_bss_config *bss,
 			       const char *buf, char *pos, int line)
@@ -2212,6 +2236,8 @@ static int hostapd_config_fill(struct hostapd_config *conf,
 		bss->check_crl = atoi(pos);
 	} else if (os_strcmp(buf, "tls_session_lifetime") == 0) {
 		bss->tls_session_lifetime = atoi(pos);
+	} else if (os_strcmp(buf, "tls_flags") == 0) {
+		bss->tls_flags = parse_tls_flags(pos);
 	} else if (os_strcmp(buf, "ocsp_stapling_response") == 0) {
 		os_free(bss->ocsp_stapling_response);
 		bss->ocsp_stapling_response = os_strdup(pos);
diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
index 28569ede3..48d4280ed 100644
--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
@@ -367,6 +367,7 @@ struct hostapd_bss_config {
 	char *private_key_passwd;
 	int check_crl;
 	unsigned int tls_session_lifetime;
+	unsigned int tls_flags;
 	char *ocsp_stapling_response;
 	char *ocsp_stapling_response_multi;
 	char *dh_file;
diff --git a/src/ap/authsrv.c b/src/ap/authsrv.c
index 8a658244a..a20f49f28 100644
--- a/src/ap/authsrv.c
+++ b/src/ap/authsrv.c
@@ -132,6 +132,7 @@ static int hostapd_setup_radius_srv(struct hostapd_data *hapd)
 	srv.erp = conf->eap_server_erp;
 	srv.erp_domain = conf->erp_domain;
 	srv.tls_session_lifetime = conf->tls_session_lifetime;
+	srv.tls_flags = conf->tls_flags;
 
 	hapd->radius_srv = radius_server_init(&srv);
 	if (hapd->radius_srv == NULL) {
@@ -156,6 +157,7 @@ int authsrv_init(struct hostapd_data *hapd)
 
 		os_memset(&conf, 0, sizeof(conf));
 		conf.tls_session_lifetime = hapd->conf->tls_session_lifetime;
+		conf.tls_flags = hapd->conf->tls_flags;
 		hapd->ssl_ctx = tls_init(&conf);
 		if (hapd->ssl_ctx == NULL) {
 			wpa_printf(MSG_ERROR, "Failed to initialize TLS");
diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c
index 6ea1ebe54..793d381ed 100644
--- a/src/ap/ieee802_1x.c
+++ b/src/ap/ieee802_1x.c
@@ -2230,6 +2230,7 @@ int ieee802_1x_init(struct hostapd_data *hapd)
 	conf.erp_domain = hapd->conf->erp_domain;
 	conf.erp = hapd->conf->eap_server_erp;
 	conf.tls_session_lifetime = hapd->conf->tls_session_lifetime;
+	conf.tls_flags = hapd->conf->tls_flags;
 	conf.pac_opaque_encr_key = hapd->conf->pac_opaque_encr_key;
 	conf.eap_fast_a_id = hapd->conf->eap_fast_a_id;
 	conf.eap_fast_a_id_len = hapd->conf->eap_fast_a_id_len;
diff --git a/src/crypto/tls.h b/src/crypto/tls.h
index 9b3a7a259..4c8061c2b 100644
--- a/src/crypto/tls.h
+++ b/src/crypto/tls.h
@@ -80,6 +80,7 @@ struct tls_config {
 	int cert_in_cb;
 	const char *openssl_ciphers;
 	unsigned int tls_session_lifetime;
+	unsigned int tls_flags;
 
 	void (*event_cb)(void *ctx, enum tls_event ev,
 			 union tls_event_data *data);
diff --git a/src/eap_server/eap.h b/src/eap_server/eap.h
index 93eab6210..c67fa82f6 100644
--- a/src/eap_server/eap.h
+++ b/src/eap_server/eap.h
@@ -132,6 +132,7 @@ struct eap_config {
 	size_t server_id_len;
 	int erp;
 	unsigned int tls_session_lifetime;
+	unsigned int tls_flags;
 
 #ifdef CONFIG_TESTING_OPTIONS
 	u32 tls_test_flags;
diff --git a/src/eap_server/eap_i.h b/src/eap_server/eap_i.h
index c90443d19..3d6f8d53a 100644
--- a/src/eap_server/eap_i.h
+++ b/src/eap_server/eap_i.h
@@ -211,6 +211,7 @@ struct eap_sm {
 	Boolean try_initiate_reauth;
 	int erp;
 	unsigned int tls_session_lifetime;
+	unsigned int tls_flags;
 
 #ifdef CONFIG_TESTING_OPTIONS
 	u32 tls_test_flags;
diff --git a/src/eap_server/eap_server.c b/src/eap_server/eap_server.c
index 1b571cf59..9706e2576 100644
--- a/src/eap_server/eap_server.c
+++ b/src/eap_server/eap_server.c
@@ -1868,6 +1868,7 @@ struct eap_sm * eap_server_sm_init(void *eapol_ctx,
 	sm->server_id_len = conf->server_id_len;
 	sm->erp = conf->erp;
 	sm->tls_session_lifetime = conf->tls_session_lifetime;
+	sm->tls_flags = conf->tls_flags;
 
 #ifdef CONFIG_TESTING_OPTIONS
 	sm->tls_test_flags = conf->tls_test_flags;
diff --git a/src/eap_server/eap_server_tls_common.c b/src/eap_server/eap_server_tls_common.c
index 69096954b..3c9027b33 100644
--- a/src/eap_server/eap_server_tls_common.c
+++ b/src/eap_server/eap_server_tls_common.c
@@ -47,7 +47,7 @@ int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
 			    int verify_peer, int eap_type)
 {
 	u8 session_ctx[8];
-	unsigned int flags = 0;
+	unsigned int flags = sm->tls_flags;
 
 	if (sm->ssl_ctx == NULL) {
 		wpa_printf(MSG_ERROR, "TLS context not initialized - cannot use TLS-based EAP method");
diff --git a/src/eapol_auth/eapol_auth_sm.c b/src/eapol_auth/eapol_auth_sm.c
index bb50da554..36074d3e0 100644
--- a/src/eapol_auth/eapol_auth_sm.c
+++ b/src/eapol_auth/eapol_auth_sm.c
@@ -848,6 +848,7 @@ eapol_auth_alloc(struct eapol_authenticator *eapol, const u8 *addr,
 	eap_conf.server_id_len = eapol->conf.server_id_len;
 	eap_conf.erp = eapol->conf.erp;
 	eap_conf.tls_session_lifetime = eapol->conf.tls_session_lifetime;
+	eap_conf.tls_flags = eapol->conf.tls_flags;
 	sm->eap = eap_server_sm_init(sm, &eapol_cb, &eap_conf);
 	if (sm->eap == NULL) {
 		eapol_auth_free(sm);
@@ -1246,6 +1247,7 @@ static int eapol_auth_conf_clone(struct eapol_auth_config *dst,
 	dst->erp_send_reauth_start = src->erp_send_reauth_start;
 	dst->erp = src->erp;
 	dst->tls_session_lifetime = src->tls_session_lifetime;
+	dst->tls_flags = src->tls_flags;
 
 	return 0;
 
diff --git a/src/eapol_auth/eapol_auth_sm.h b/src/eapol_auth/eapol_auth_sm.h
index e1974e435..44f3f31cc 100644
--- a/src/eapol_auth/eapol_auth_sm.h
+++ b/src/eapol_auth/eapol_auth_sm.h
@@ -28,6 +28,7 @@ struct eapol_auth_config {
 	char *erp_domain; /* a copy of this will be allocated */
 	int erp; /* Whether ERP is enabled on authentication server */
 	unsigned int tls_session_lifetime;
+	unsigned int tls_flags;
 	u8 *pac_opaque_encr_key;
 	u8 *eap_fast_a_id;
 	size_t eap_fast_a_id_len;
diff --git a/src/radius/radius_server.c b/src/radius/radius_server.c
index 6cce2ff00..c76bb2226 100644
--- a/src/radius/radius_server.c
+++ b/src/radius/radius_server.c
@@ -272,6 +272,8 @@ struct radius_server_data {
 
 	unsigned int tls_session_lifetime;
 
+	unsigned int tls_flags;
+
 	/**
 	 * wps - Wi-Fi Protected Setup context
 	 *
@@ -696,6 +698,7 @@ radius_server_get_new_session(struct radius_server_data *data,
 	eap_conf.server_id_len = os_strlen(data->server_id);
 	eap_conf.erp = data->erp;
 	eap_conf.tls_session_lifetime = data->tls_session_lifetime;
+	eap_conf.tls_flags = data->tls_flags;
 	radius_server_testing_options(sess, &eap_conf);
 	sess->eap = eap_server_sm_init(sess, &radius_server_eapol_cb,
 				       &eap_conf);
@@ -1754,6 +1757,7 @@ radius_server_init(struct radius_server_conf *conf)
 	data->erp = conf->erp;
 	data->erp_domain = conf->erp_domain;
 	data->tls_session_lifetime = conf->tls_session_lifetime;
+	data->tls_flags = conf->tls_flags;
 
 	if (conf->subscr_remediation_url) {
 		data->subscr_remediation_url =
diff --git a/src/radius/radius_server.h b/src/radius/radius_server.h
index 7a25802c8..996f00eed 100644
--- a/src/radius/radius_server.h
+++ b/src/radius/radius_server.h
@@ -172,6 +172,8 @@ struct radius_server_conf {
 
 	unsigned int tls_session_lifetime;
 
+	unsigned int tls_flags;
+
 	/**
 	 * wps - Wi-Fi Protected Setup context
 	 *