Message ID | 20140130205619.06C5513FE69@ushik.mtv.corp.google.com |
---|---|
State | Superseded |
On Wed, Jan 29, 2014 at 01:49:43PM -0800, Dmitry Shmidt wrote: > diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c > +static long tls_connection_get_opt(const struct tls_connection_params *params) > +{ > + long options = 0; > + > + if (params->tls_options == NULL) > + return options; > + if (os_strstr(params->tls_options, "tls_no_tlsv1_1")) > + options |= SSL_OP_NO_TLSv1_1; > + if (os_strstr(params->tls_options, "tls_no_tlsv1_2")) > + options |= SSL_OP_NO_TLSv1_2; > + return options; > +} There is already a mechanism for passing TLS parameters that are similar to disabling TLS v1.1/v1.2. struct tls_connection_params::flags is a bitfield of TLS_CONN* flags (see src/crypto/tls.h). TLS_CONN_DISABLE_TLSv1_1 and _2 would fit in there nicely. > diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h > @@ -678,6 +678,13 @@ struct eap_peer_config { > + /** > + * tls_options - Additional options for TLS connection > + * > + * This filed allows to set additional TLS options per network. > + */ > + char *tls_options; And this new parameter would not be needed with TLS_CONN_* flags, i.e., these flags are set based on the existing phase1 parameter (e.g., phase1="tls_disable_session_ticket=1"). (This patch was missing saving of this new parameter in config write options, but anyway, I'd rather handle this through the existing configuration parameter.)
On Wed, Feb 19, 2014 at 4:16 AM, Jouni Malinen <j@w1.fi> wrote: > On Wed, Jan 29, 2014 at 01:49:43PM -0800, Dmitry Shmidt wrote: >> diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c >> +static long tls_connection_get_opt(const struct tls_connection_params *params) >> +{ >> + long options = 0; >> + >> + if (params->tls_options == NULL) >> + return options; >> + if (os_strstr(params->tls_options, "tls_no_tlsv1_1")) >> + options |= SSL_OP_NO_TLSv1_1; >> + if (os_strstr(params->tls_options, "tls_no_tlsv1_2")) >> + options |= SSL_OP_NO_TLSv1_2; >> + return options; >> +} > > There is already a mechanism for passing TLS parameters that are similar > to disabling TLS v1.1/v1.2. struct tls_connection_params::flags is a > bitfield of TLS_CONN* flags (see src/crypto/tls.h). > TLS_CONN_DISABLE_TLSv1_1 and _2 would fit in there nicely. > > >> diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h >> @@ -678,6 +678,13 @@ struct eap_peer_config { >> + /** >> + * tls_options - Additional options for TLS connection >> + * >> + * This filed allows to set additional TLS options per network. >> + */ >> + char *tls_options; > > And this new parameter would not be needed with TLS_CONN_* flags, i.e., > these flags are set based on the existing phase1 parameter (e.g., > phase1="tls_disable_session_ticket=1"). You mean something like this: http://patchwork.ozlabs.org/patch/322016/ > > > (This patch was missing saving of this new parameter in config write > options, but anyway, I'd rather handle this through the existing > configuration parameter.) > > -- > Jouni Malinen PGP id EFC895FA
diff --git a/src/crypto/tls.h b/src/crypto/tls.h
index 287fd33..b85dfb1 100644
--- a/src/crypto/tls.h
+++ b/src/crypto/tls.h
@@ -163,6 +163,7 @@ struct tls_connection_params {
 unsigned int flags;
 const char *ocsp_stapling_response;
+ const char *tls_options;
 };
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 4cfa5f4..5127e09 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -3117,11 +3117,26 @@ static int ocsp_status_cb(SSL *s, void *arg)
 #endif /* HAVE_OCSP */
+static long tls_connection_get_opt(const struct tls_connection_params *params)
+{
+ long options = 0;
+
+ if (params->tls_options == NULL)
+ return options;
+ if (os_strstr(params->tls_options, "tls_no_tlsv1_1"))
+ options |= SSL_OP_NO_TLSv1_1;
+ if (os_strstr(params->tls_options, "tls_no_tlsv1_2"))
+ options |= SSL_OP_NO_TLSv1_2;
+ return options;
+}
+
+
 int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
 const struct tls_connection_params *params)
 {
 int ret;
 unsigned long err;
+ long options;
 if (conn == NULL)
 return -1;
@@ -3192,6 +3207,10 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
 #endif /* SSL_clear_options */
 #endif /* SSL_OP_NO_TICKET */
+ options = tls_connection_get_opt(params);
+ if (options)
+ SSL_set_options(conn->ssl, options);
+
 #ifdef HAVE_OCSP
 if (params->flags & TLS_CONN_REQUEST_OCSP) {
 SSL_CTX *ssl_ctx = tls_ctx;
diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h
index 98ec1f7..34470b5 100644
--- a/src/eap_peer/eap_config.h
+++ b/src/eap_peer/eap_config.h
@@ -678,6 +678,13 @@ struct eap_peer_config {
 * SIM/USIM processing.
 */
 char *external_sim_resp;
+
+ /**
+ * tls_options - Additional options for TLS connection
+ *
+ * This filed allows to set additional TLS options per network.
+ */
+ char *tls_options;
 };
diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c
index 008af37..54e8098 100644
--- a/src/eap_peer/eap_tls_common.c
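Review bot: SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2 are used unguarded in the new tls_connection_get_opt(), while the same function's second hunk shows this file wrapping SSL_OP_NO_TICKET in a preprocessor guard (`#endif /* SSL_OP_NO_TICKET */`); those two option macros do not exist in OpenSSL releases before 1.0.1, so each lookup should sit under `#ifdef SSL_OP_NO_TLSv1_1` / `#ifdef SSL_OP_NO_TLSv1_2` (or the whole helper under one guard) to keep older builds compiling. Separately, os_strstr() is a substring search, so "tls_no_tlsv1_1" also matches any longer text containing it and unrecognized option text is silently ignored; a token-by-token compare would make the accepted values explicit and let the caller reject typos. Since clearing these bits lowers the protocol version the EAP-TLS tunnel can negotiate, a one-line comment on the helper stating that it is an interoperability knob for misbehaving servers and does nothing unless configured would help the next reader.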
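Review bot: The doc comment on the new tls_options member has a typo and does not say what values the string may carry; `* This filed allows to set additional TLS options per network.` should read `* This field allows setting additional TLS options per network.` and the comment should name the tokens the OpenSSL backend recognizes in this patch ("tls_no_tlsv1_1" and "tls_no_tlsv1_2"), say that they are matched as substrings anywhere in the value, and note that disabling a TLS version is an interoperability setting that weakens the tunnel. The enclosing struct eap_peer_config begins outside the hunk.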
+++ b/src/eap_peer/eap_tls_common.c
@@ -85,6 +85,7 @@ static void eap_tls_params_from_conf1(struct tls_connection_params *params,
 params->key_id = config->key_id;
 params->cert_id = config->cert_id;
 params->ca_cert_id = config->ca_cert_id;
+ params->tls_options = config->tls_options;
 eap_tls_params_flags(params, config->phase1);
 }
diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index b43a72a..c604b07 100644
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -1652,6 +1652,7 @@ static const struct parse_data ssid_fields[] = {
 { INTe(engine) },
 { INTe(engine2) },
 { INT(eapol_flags) },
+ { STRe(tls_options) },
 #endif /* IEEE8021X_EAPOL */
 { FUNC_KEY(wep_key0) },
 { FUNC_KEY(wep_key1) },
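Review bot: `{ STRe(tls_options) },` makes the parser allocate a per-network string, but nothing in this patch releases it; the routine that frees the other STRe members of struct eap_peer_config is outside the diff, so please confirm tls_options is freed there too, otherwise each network removal or reload leaks the string. The eap_tls_common.c hunk copies only the pointer (`params->tls_options = config->tls_options;`), so the TLS parameters alias config-owned memory exactly like ca_cert_id above it, and the lifetime note for that field applies here as well. Both enclosing definitions (eap_tls_params_from_conf1 and the ssid_fields table) start and end outside their hunks.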
Change-Id: I037dc8d7bdf54ef281e139bd778d8a3fc572d72c Signed-off-by: Dmitry Shmidt <dimitrysh@google.com> --- src/crypto/tls.h | 1 + src/crypto/tls_openssl.c | 19 +++++++++++++++++++ src/eap_peer/eap_config.h | 7 +++++++ src/eap_peer/eap_tls_common.c | 1 + wpa_supplicant/config.c | 1 + 5 files changed, 29 insertions(+)