OpenSSL: Allow cipher list to be overridden for tls_suiteb=1 case
This allows wpa_supplicant configuration with phase1="tls_suiteb=1" to use openssl_ciphers="ECDHE-RSA-AES256-GCM-SHA384" to further limit the possible TLS cipher suites when using Suite B with RSA >3K keys. This combination disables use of DHE and as such, mandates ECDHE to be used. Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen
parent
c358bc4b5b
commit
a2c442be25
1 changed files with 17 additions and 3 deletions
|
|
@ -2433,7 +2433,8 @@ static int suiteb_cert_cb(SSL *ssl, void *arg)
|
||||||
#endif /* CONFIG_SUITEB */
|
#endif /* CONFIG_SUITEB */
|
||||||
|
|
||||||
|
|
||||||
static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags)
|
static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags,
|
||||||
|
const char *openssl_ciphers)
|
||||||
{
|
{
|
||||||
SSL *ssl = conn->ssl;
|
SSL *ssl = conn->ssl;
|
||||||
|
|
||||||
|
|
@ -2467,6 +2468,12 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags)
|
||||||
if (flags & TLS_CONN_SUITEB_NO_ECDH) {
|
if (flags & TLS_CONN_SUITEB_NO_ECDH) {
|
||||||
const char *ciphers = "DHE-RSA-AES256-GCM-SHA384";
|
const char *ciphers = "DHE-RSA-AES256-GCM-SHA384";
|
||||||
|
|
||||||
|
if (openssl_ciphers) {
|
||||||
|
wpa_printf(MSG_DEBUG,
|
||||||
|
"OpenSSL: Override ciphers for Suite B (no ECDH): %s",
|
||||||
|
openssl_ciphers);
|
||||||
|
ciphers = openssl_ciphers;
|
||||||
|
}
|
||||||
if (SSL_set_cipher_list(ssl, ciphers) != 1) {
|
if (SSL_set_cipher_list(ssl, ciphers) != 1) {
|
||||||
wpa_printf(MSG_INFO,
|
wpa_printf(MSG_INFO,
|
||||||
"OpenSSL: Failed to set Suite B ciphers");
|
"OpenSSL: Failed to set Suite B ciphers");
|
||||||
|
|
@ -2477,6 +2484,12 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags)
|
||||||
const char *ciphers =
|
const char *ciphers =
|
||||||
"ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384";
|
"ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384";
|
||||||
|
|
||||||
|
if (openssl_ciphers) {
|
||||||
|
wpa_printf(MSG_DEBUG,
|
||||||
|
"OpenSSL: Override ciphers for Suite B: %s",
|
||||||
|
openssl_ciphers);
|
||||||
|
ciphers = openssl_ciphers;
|
||||||
|
}
|
||||||
if (SSL_set_cipher_list(ssl, ciphers) != 1) {
|
if (SSL_set_cipher_list(ssl, ciphers) != 1) {
|
||||||
wpa_printf(MSG_INFO,
|
wpa_printf(MSG_INFO,
|
||||||
"OpenSSL: Failed to set Suite B ciphers");
|
"OpenSSL: Failed to set Suite B ciphers");
|
||||||
|
|
@ -2545,7 +2558,7 @@ int tls_connection_set_verify(void *ssl_ctx, struct tls_connection *conn,
|
||||||
SSL_set_verify(conn->ssl, SSL_VERIFY_NONE, NULL);
|
SSL_set_verify(conn->ssl, SSL_VERIFY_NONE, NULL);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (tls_set_conn_flags(conn, flags) < 0)
|
if (tls_set_conn_flags(conn, flags, NULL) < 0)
|
||||||
return -1;
|
return -1;
|
||||||
conn->flags = flags;
|
conn->flags = flags;
|
||||||
|
|
||||||
|
|
@ -4362,7 +4375,8 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (tls_set_conn_flags(conn, params->flags) < 0)
|
if (tls_set_conn_flags(conn, params->flags,
|
||||||
|
params->openssl_ciphers) < 0)
|
||||||
return -1;
|
return -1;
|
||||||
|
|
||||||
#ifdef OPENSSL_IS_BORINGSSL
|
#ifdef OPENSSL_IS_BORINGSSL
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue