Patchwork TLS: Add tls_options field per network to set addition TLS options

Submitter Dmitry Shmidt
Date Jan. 29, 2014, 9:49 p.m.
Message ID <20140130205619.06C5513FE69@ushik.mtv.corp.google.com>
Permalink /patch/315458/
State Superseded

Comments

Dmitry Shmidt - Jan. 29, 2014, 9:49 p.m.
Change-Id: I037dc8d7bdf54ef281e139bd778d8a3fc572d72c
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
---
 src/crypto/tls.h              |  1 +
 src/crypto/tls_openssl.c      | 19 +++++++++++++++++++
 src/eap_peer/eap_config.h     |  7 +++++++
 src/eap_peer/eap_tls_common.c |  1 +
 wpa_supplicant/config.c       |  1 +
 5 files changed, 29 insertions(+)
Jouni Malinen - Feb. 19, 2014, 12:16 p.m.
On Wed, Jan 29, 2014 at 01:49:43PM -0800, Dmitry Shmidt wrote:
> diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
> +static long tls_connection_get_opt(const struct tls_connection_params *params)
> +{
> +	long options = 0;
> +
> +	if (params->tls_options == NULL)
> +		return options;
> +	if (os_strstr(params->tls_options, "tls_no_tlsv1_1"))
> +		options |= SSL_OP_NO_TLSv1_1;
> +	if (os_strstr(params->tls_options, "tls_no_tlsv1_2"))
> +		options |= SSL_OP_NO_TLSv1_2;
> +	return options;
> +}

There is already a mechanism for passing TLS parameters that are similar
to disabling TLS v1.1/v1.2. struct tls_connection_params::flags is a
bitfield of TLS_CONN* flags (see src/crypto/tls.h).
TLS_CONN_DISABLE_TLSv1_1 and _2 would fit in there nicely.


> diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h
> @@ -678,6 +678,13 @@ struct eap_peer_config {
> +	/**
> +	 * tls_options - Additional options for TLS connection
> +	 *
> +	 * This filed allows to set additional TLS options per network.
> +	 */
> +	char *tls_options;

And this new parameter would not be needed with TLS_CONN_* flags, i.e.,
these flags are set based on the existing phase1 parameter (e.g.,
phase1="tls_disable_session_ticket=1").


(This patch was missing saving of this new parameter in config write
options, but anyway, I'd rather handle this through the existing
configuration parameter.)
Dmitry Shmidt - Feb. 19, 2014, 9:24 p.m.
On Wed, Feb 19, 2014 at 4:16 AM, Jouni Malinen <j@w1.fi> wrote:
> On Wed, Jan 29, 2014 at 01:49:43PM -0800, Dmitry Shmidt wrote:
>> diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
>> +static long tls_connection_get_opt(const struct tls_connection_params *params)
>> +{
>> +     long options = 0;
>> +
>> +     if (params->tls_options == NULL)
>> +             return options;
>> +     if (os_strstr(params->tls_options, "tls_no_tlsv1_1"))
>> +             options |= SSL_OP_NO_TLSv1_1;
>> +     if (os_strstr(params->tls_options, "tls_no_tlsv1_2"))
>> +             options |= SSL_OP_NO_TLSv1_2;
>> +     return options;
>> +}
>
> There is already a mechanism for passing TLS parameters that are similar
> to disabling TLS v1.1/v1.2. struct tls_connection_params::flags is a
> bitfield of TLS_CONN* flags (see src/crypto/tls.h).
> TLS_CONN_DISABLE_TLSv1_1 and _2 would fit in there nicely.
>
>
>> diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h
>> @@ -678,6 +678,13 @@ struct eap_peer_config {
>> +     /**
>> +      * tls_options - Additional options for TLS connection
>> +      *
>> +      * This filed allows to set additional TLS options per network.
>> +      */
>> +     char *tls_options;
>
> And this new parameter would not be needed with TLS_CONN_* flags, i.e.,
> these flags are set based on the existing phase1 parameter (e.g.,
> phase1="tls_disable_session_ticket=1").

You mean something like this:
http://patchwork.ozlabs.org/patch/322016/

>
>
> (This patch was missing saving of this new parameter in config write
> options, but anyway, I'd rather handle this through the existing
> configuration parameter.)
>
> --
> Jouni Malinen                                            PGP id EFC895FA

Patch

diff --git a/src/crypto/tls.h b/src/crypto/tls.h
index 287fd33..b85dfb1 100644
--- a/src/crypto/tls.h
+++ b/src/crypto/tls.h
@@ -163,6 +163,7 @@  struct tls_connection_params {
 
 	unsigned int flags;
 	const char *ocsp_stapling_response;
+	const char *tls_options;
 };
 
 
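Review bot: The new tls_options member added on line 123 says nothing about its format or ownership, and the two are easy to get wrong here. In this patch the pointer is assigned straight from config->tls_options in eap_tls_common.c without a copy and is only read inside tls_connection_set_params(), so it is a borrowed string whose lifetime is the caller's responsibility. A short comment next to the member would pin that down, e.g. `/* tls_options: optional string of TLS option tokens (e.g. tls_no_tlsv1_1); not owned by the TLS layer, only read during tls_connection_set_params() */`.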
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 4cfa5f4..5127e09 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -3117,11 +3117,26 @@  static int ocsp_status_cb(SSL *s, void *arg)
 #endif /* HAVE_OCSP */
 
 
+static long tls_connection_get_opt(const struct tls_connection_params *params)
+{
+	long options = 0;
+
+	if (params->tls_options == NULL)
+		return options;
+	if (os_strstr(params->tls_options, "tls_no_tlsv1_1"))
+		options |= SSL_OP_NO_TLSv1_1;
+	if (os_strstr(params->tls_options, "tls_no_tlsv1_2"))
+		options |= SSL_OP_NO_TLSv1_2;
+	return options;
+}
+
+
 int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
 			      const struct tls_connection_params *params)
 {
 	int ret;
 	unsigned long err;
+	long options;
 
 	if (conn == NULL)
 		return -1;
@@ -3192,6 +3207,10 @@  int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
 #endif /* SSL_clear_options */
 #endif /*  SSL_OP_NO_TICKET */
 
+	options = tls_connection_get_opt(params);
+	if (options)
+		SSL_set_options(conn->ssl, options);
+
 #ifdef HAVE_OCSP
 	if (params->flags & TLS_CONN_REQUEST_OCSP) {
 		SSL_CTX *ssl_ctx = tls_ctx;
diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h
index 98ec1f7..34470b5 100644
--- a/src/eap_peer/eap_config.h
+++ b/src/eap_peer/eap_config.h
@@ -678,6 +678,13 @@  struct eap_peer_config {
 	 * SIM/USIM processing.
 	 */
 	char *external_sim_resp;
+
+	/**
+	 * tls_options - Additional options for TLS connection
+	 *
+	 * This filed allows to set additional TLS options per network.
+	 */
+	char *tls_options;
 };
 
 
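Review bot: The doc comment on the new tls_options field (lines 178-182) has a typo ("This filed allows to set") and does not say what the string may contain, so a reader of eap_config.h cannot tell which tokens are honored or what happens to unknown ones. Suggested wording: `This field allows additional TLS options to be set per network. Recognized tokens (OpenSSL backend only): tls_no_tlsv1_1, tls_no_tlsv1_2; unrecognized tokens are ignored.` Since config.c parses the value with STRe, i.e. into an allocated copy, the code path that frees the other string members of struct eap_peer_config presumably needs a matching os_free() for tls_options as well; that path is not in this patch, so worth confirming.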
diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c
index 008af37..54e8098 100644
--- a/src/eap_peer/eap_tls_common.c
+++ b/src/eap_peer/eap_tls_common.c
@@ -85,6 +85,7 @@  static void eap_tls_params_from_conf1(struct tls_connection_params *params,
 	params->key_id = config->key_id;
 	params->cert_id = config->cert_id;
 	params->ca_cert_id = config->ca_cert_id;
+	params->tls_options = config->tls_options;
 	eap_tls_params_flags(params, config->phase1);
 }
 
diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index b43a72a..c604b07 100644
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -1652,6 +1652,7 @@  static const struct parse_data ssid_fields[] = {
 	{ INTe(engine) },
 	{ INTe(engine2) },
 	{ INT(eapol_flags) },
+	{ STRe(tls_options) },
 #endif /* IEEE8021X_EAPOL */
 	{ FUNC_KEY(wep_key0) },
 	{ FUNC_KEY(wep_key1) },