From patchwork Wed Jan 29 21:49:43 2014
X-Patchwork-Submitter: Dmitry Shmidt
X-Patchwork-Id: 315458
From: Dmitry Shmidt
Date: Wed, 29 Jan 2014 13:49:43 -0800
Subject: [PATCH] TLS: Add tls_options field per network to set additional TLS options
To: hostap@lists.shmoo.com
Message-Id: <20140130205619.06C5513FE69@ushik.mtv.corp.google.com>

Change-Id: I037dc8d7bdf54ef281e139bd778d8a3fc572d72c
Signed-off-by: Dmitry Shmidt
---
 src/crypto/tls.h              | 1 +
 src/crypto/tls_openssl.c      | 19 +++++++++++++++++++
 src/eap_peer/eap_config.h     | 7 +++++++
 src/eap_peer/eap_tls_common.c | 1 +
 wpa_supplicant/config.c       | 1 +
 5 files changed, 29 insertions(+)

diff --git a/src/crypto/tls.h b/src/crypto/tls.h index 287fd33..b85dfb1 100644 --- a/src/crypto/tls.h +++ b/src/crypto/tls.h @@ -163,6 +163,7 @@ struct tls_connection_params { unsigned int flags; const char *ocsp_stapling_response; + const char *tls_options; }; diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c index 4cfa5f4..5127e09 100644 --- a/src/crypto/tls_openssl.c +++ b/src/crypto/tls_openssl.c @@ -3117,11 +3117,26 @@ static int ocsp_status_cb(SSL *s, void *arg) #endif /* HAVE_OCSP */ +static long tls_connection_get_opt(const struct tls_connection_params *params) +{ + long options = 0; + + if (params->tls_options == NULL) + return options; + if (os_strstr(params->tls_options, "tls_no_tlsv1_1")) + options |= SSL_OP_NO_TLSv1_1; + if (os_strstr(params->tls_options, "tls_no_tlsv1_2")) + options |= SSL_OP_NO_TLSv1_2; + return options; +} + + int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn, const struct tls_connection_params *params) { int ret; unsigned long err; + long options; if (conn == NULL) return -1; 
@@ -3192,6 +3207,10 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn, #endif /* SSL_clear_options */ #endif /* SSL_OP_NO_TICKET */ + options = tls_connection_get_opt(params); + if (options) + SSL_set_options(conn->ssl, options); + #ifdef HAVE_OCSP if (params->flags & TLS_CONN_REQUEST_OCSP) { SSL_CTX *ssl_ctx = tls_ctx; diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h index 98ec1f7..34470b5 100644 --- a/src/eap_peer/eap_config.h +++ b/src/eap_peer/eap_config.h @@ -678,6 +678,13 @@ struct eap_peer_config { * SIM/USIM processing. */ char *external_sim_resp; + + /** + * tls_options - Additional options for TLS connection + * + * This filed allows to set additional TLS options per network. + */ + char *tls_options; }; diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c index 008af37..54e8098 100644 --- a/src/eap_peer/eap_tls_common.c +++ b/src/eap_peer/eap_tls_common.c @@ -85,6 +85,7 @@ static void eap_tls_params_from_conf1(struct tls_connection_params *params, params->key_id = config->key_id; params->cert_id = config->cert_id; params->ca_cert_id = config->ca_cert_id; + params->tls_options = config->tls_options; eap_tls_params_flags(params, config->phase1); } diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c index b43a72a..c604b07 100644 --- a/wpa_supplicant/config.c +++ b/wpa_supplicant/config.c @@ -1652,6 +1652,7 @@ static const struct parse_data ssid_fields[] = { { INTe(engine) }, { INTe(engine2) }, { INT(eapol_flags) }, + { STRe(tls_options) }, #endif /* IEEE8021X_EAPOL */ { FUNC_KEY(wep_key0) }, { FUNC_KEY(wep_key1) },
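Review bot: the new `tls_options` field added to struct tls_connection_params in src/crypto/tls.h carries no description of the string it holds; the only way to learn the accepted tokens (tls_no_tlsv1_1, tls_no_tlsv1_2) is to read tls_connection_get_opt() in tls_openssl.c. Add a comment on the field that lists the tokens, states how they are separated, and says that they only take effect with the OpenSSL backend, since this patch touches no other tls_*.c implementation. The patch also has no commit message body beyond Change-Id and Signed-off-by; because the option is a deliberate downgrade knob (it disables TLS 1.1 and 1.2 per network), the motivation for it should be stated there.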
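Review bot: in the first tls_openssl.c hunk, tls_connection_get_opt() matches with os_strstr() on the whole tls_options string, so any text that merely contains `tls_no_tlsv1_1` matches, a misspelled token is silently ignored, and the user gets no indication that the option did not apply. Split the string on whitespace, compare whole tokens with os_strcmp(), and wpa_printf() an error for anything unrecognised. Separately, SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2 only exist from OpenSSL 1.0.1 onward; this file already guards version-specific macros (the `#endif /* SSL_OP_NO_TICKET */` context in the next hunk), so wrap the two references in `#ifdef SSL_OP_NO_TLSv1_1` / `#ifdef SSL_OP_NO_TLSv1_2` or the build breaks against older OpenSSL. With both tokens set the connection can negotiate nothing newer than TLS 1.0, which is worth spelling out next to the token names.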
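Review bot: in the second tls_openssl.c hunk, SSL_set_options() is additive (it ORs into the existing option bits and never clears any), so if tls_connection_set_params() runs again on the same conn with a different or empty tls_options, a previously set SSL_OP_NO_TLSv1_x bit stays in force. The preceding context shows this function already using SSL_clear_options for SSL_OP_NO_TICKET; do the same here: clear `SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2` first, then set whatever tls_connection_get_opt() returned. Also log the bits that were disabled with wpa_printf(MSG_DEBUG, ...) so a failed EAP-TLS handshake can be traced back to this setting in the supplicant log.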
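Review bot: the doc comment added in src/eap_peer/eap_config.h has a typo ("This filed allows to set" should read "This field allows setting") and, more importantly, does not say what the string contains. Document the accepted tokens (tls_no_tlsv1_1, tls_no_tlsv1_2), that unrecognised text is currently ignored, that the setting is backend-specific, and which TLS connection (phase 1) it applies to; this is the comment users and the wpa_supplicant.conf documentation will be written from.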
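Review bot: in src/eap_peer/eap_tls_common.c only eap_tls_params_from_conf1() copies `config->tls_options`; the phase 2 counterpart of this function, which builds the TLS parameters for the tunnelled connection, gets nothing. If that is intended (the option is phase 1 only), state it in the field's doc comment; otherwise the same assignment is needed in the phase 2 path.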
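Review bot: the `{ STRe(tls_options) }` entry in wpa_supplicant/config.c makes the field parseable and writable in a network block, but the diffstat lists no change to wpa_supplicant.conf, so the example configuration never mentions the option or its accepted values; add an entry next to the other EAP/TLS network fields. The value is also accepted unvalidated, and since tls_connection_get_opt() only looks for substrings, a typo in a provisioned profile silently leaves the TLS version policy unchanged; rejecting unknown tokens at config load time would surface that earlier.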