mirror of
https://github.com/vanhoefm/fragattacks.git
synced 2025-02-16 09:03:05 -05:00
Add hostapd tls_flags parameter
This can be used to set the TLS flags for authentication server. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This commit is contained in:
Jouni Malinen
Jouni Malinen
parent
60ed2f24eb
commit
6418400db9
@ -15,6 +15,7 @@
|
||||
#include "utils/uuid.h"
|
||||
#include "common/ieee802_11_defs.h"
|
||||
#include "crypto/sha256.h"
|
||||
#include "crypto/tls.h"
|
||||
#include "drivers/driver.h"
|
||||
#include "eap_server/eap.h"
|
||||
#include "radius/radius_client.h"
|
||||
@ -2059,6 +2060,29 @@ static int parse_fils_realm(struct hostapd_bss_config *bss, const char *val)
|
||||
#endif /* CONFIG_FILS */
|
||||
|
||||
|
||||
#ifdef EAP_SERVER
|
||||
static unsigned int parse_tls_flags(const char *val)
|
||||
{
|
||||
unsigned int flags = 0;
|
||||
|
||||
if (os_strstr(val, "[ALLOW-SIGN-RSA-MD5]"))
|
||||
flags |= TLS_CONN_ALLOW_SIGN_RSA_MD5;
|
||||
if (os_strstr(val, "[DISABLE-TIME-CHECKS]"))
|
||||
flags |= TLS_CONN_DISABLE_TIME_CHECKS;
|
||||
if (os_strstr(val, "[DISABLE-TLSv1.0]"))
|
||||
flags |= TLS_CONN_DISABLE_TLSv1_0;
|
||||
if (os_strstr(val, "[DISABLE-TLSv1.1]"))
|
||||
flags |= TLS_CONN_DISABLE_TLSv1_1;
|
||||
if (os_strstr(val, "[DISABLE-TLSv1.2]"))
|
||||
flags |= TLS_CONN_DISABLE_TLSv1_2;
|
||||
if (os_strstr(val, "[SUITEB]"))
|
||||
flags |= TLS_CONN_SUITEB;
|
||||
|
||||
return flags;
|
||||
}
|
||||
#endif /* EAP_SERVER */
|
||||
|
||||
|
||||
static int hostapd_config_fill(struct hostapd_config *conf,
|
||||
struct hostapd_bss_config *bss,
|
||||
const char *buf, char *pos, int line)
|
||||
@ -2212,6 +2236,8 @@ static int hostapd_config_fill(struct hostapd_config *conf,
|
||||
bss->check_crl = atoi(pos);
|
||||
} else if (os_strcmp(buf, "tls_session_lifetime") == 0) {
|
||||
bss->tls_session_lifetime = atoi(pos);
|
||||
} else if (os_strcmp(buf, "tls_flags") == 0) {
|
||||
bss->tls_flags = parse_tls_flags(pos);
|
||||
} else if (os_strcmp(buf, "ocsp_stapling_response") == 0) {
|
||||
os_free(bss->ocsp_stapling_response);
|
||||
bss->ocsp_stapling_response = os_strdup(pos);
|
||||
|
||||
@ -367,6 +367,7 @@ struct hostapd_bss_config {
|
||||
char *private_key_passwd;
|
||||
int check_crl;
|
||||
unsigned int tls_session_lifetime;
|
||||
unsigned int tls_flags;
|
||||
char *ocsp_stapling_response;
|
||||
char *ocsp_stapling_response_multi;
|
||||
char *dh_file;
|
||||
|
||||
@ -132,6 +132,7 @@ static int hostapd_setup_radius_srv(struct hostapd_data *hapd)
|
||||
srv.erp = conf->eap_server_erp;
|
||||
srv.erp_domain = conf->erp_domain;
|
||||
srv.tls_session_lifetime = conf->tls_session_lifetime;
|
||||
srv.tls_flags = conf->tls_flags;
|
||||
|
||||
hapd->radius_srv = radius_server_init(&srv);
|
||||
if (hapd->radius_srv == NULL) {
|
||||
@ -156,6 +157,7 @@ int authsrv_init(struct hostapd_data *hapd)
|
||||
|
||||
os_memset(&conf, 0, sizeof(conf));
|
||||
conf.tls_session_lifetime = hapd->conf->tls_session_lifetime;
|
||||
conf.tls_flags = hapd->conf->tls_flags;
|
||||
hapd->ssl_ctx = tls_init(&conf);
|
||||
if (hapd->ssl_ctx == NULL) {
|
||||
wpa_printf(MSG_ERROR, "Failed to initialize TLS");
|
||||
|
||||
@ -2230,6 +2230,7 @@ int ieee802_1x_init(struct hostapd_data *hapd)
|
||||
conf.erp_domain = hapd->conf->erp_domain;
|
||||
conf.erp = hapd->conf->eap_server_erp;
|
||||
conf.tls_session_lifetime = hapd->conf->tls_session_lifetime;
|
||||
conf.tls_flags = hapd->conf->tls_flags;
|
||||
conf.pac_opaque_encr_key = hapd->conf->pac_opaque_encr_key;
|
||||
conf.eap_fast_a_id = hapd->conf->eap_fast_a_id;
|
||||
conf.eap_fast_a_id_len = hapd->conf->eap_fast_a_id_len;
|
||||
|
||||
@ -80,6 +80,7 @@ struct tls_config {
|
||||
int cert_in_cb;
|
||||
const char *openssl_ciphers;
|
||||
unsigned int tls_session_lifetime;
|
||||
unsigned int tls_flags;
|
||||
|
||||
void (*event_cb)(void *ctx, enum tls_event ev,
|
||||
union tls_event_data *data);
|
||||
|
||||
@ -132,6 +132,7 @@ struct eap_config {
|
||||
size_t server_id_len;
|
||||
int erp;
|
||||
unsigned int tls_session_lifetime;
|
||||
unsigned int tls_flags;
|
||||
|
||||
#ifdef CONFIG_TESTING_OPTIONS
|
||||
u32 tls_test_flags;
|
||||
|
||||
@ -211,6 +211,7 @@ struct eap_sm {
|
||||
Boolean try_initiate_reauth;
|
||||
int erp;
|
||||
unsigned int tls_session_lifetime;
|
||||
unsigned int tls_flags;
|
||||
|
||||
#ifdef CONFIG_TESTING_OPTIONS
|
||||
u32 tls_test_flags;
|
||||
|
||||
@ -1868,6 +1868,7 @@ struct eap_sm * eap_server_sm_init(void *eapol_ctx,
|
||||
sm->server_id_len = conf->server_id_len;
|
||||
sm->erp = conf->erp;
|
||||
sm->tls_session_lifetime = conf->tls_session_lifetime;
|
||||
sm->tls_flags = conf->tls_flags;
|
||||
|
||||
#ifdef CONFIG_TESTING_OPTIONS
|
||||
sm->tls_test_flags = conf->tls_test_flags;
|
||||
|
||||
@ -47,7 +47,7 @@ int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
|
||||
int verify_peer, int eap_type)
|
||||
{
|
||||
u8 session_ctx[8];
|
||||
unsigned int flags = 0;
|
||||
unsigned int flags = sm->tls_flags;
|
||||
|
||||
if (sm->ssl_ctx == NULL) {
|
||||
wpa_printf(MSG_ERROR, "TLS context not initialized - cannot use TLS-based EAP method");
|
||||
|
||||
@ -848,6 +848,7 @@ eapol_auth_alloc(struct eapol_authenticator *eapol, const u8 *addr,
|
||||
eap_conf.server_id_len = eapol->conf.server_id_len;
|
||||
eap_conf.erp = eapol->conf.erp;
|
||||
eap_conf.tls_session_lifetime = eapol->conf.tls_session_lifetime;
|
||||
eap_conf.tls_flags = eapol->conf.tls_flags;
|
||||
sm->eap = eap_server_sm_init(sm, &eapol_cb, &eap_conf);
|
||||
if (sm->eap == NULL) {
|
||||
eapol_auth_free(sm);
|
||||
@ -1246,6 +1247,7 @@ static int eapol_auth_conf_clone(struct eapol_auth_config *dst,
|
||||
dst->erp_send_reauth_start = src->erp_send_reauth_start;
|
||||
dst->erp = src->erp;
|
||||
dst->tls_session_lifetime = src->tls_session_lifetime;
|
||||
dst->tls_flags = src->tls_flags;
|
||||
|
||||
return 0;
|
||||
|
||||
|
||||
@ -28,6 +28,7 @@ struct eapol_auth_config {
|
||||
char *erp_domain; /* a copy of this will be allocated */
|
||||
int erp; /* Whether ERP is enabled on authentication server */
|
||||
unsigned int tls_session_lifetime;
|
||||
unsigned int tls_flags;
|
||||
u8 *pac_opaque_encr_key;
|
||||
u8 *eap_fast_a_id;
|
||||
size_t eap_fast_a_id_len;
|
||||
|
||||
@ -272,6 +272,8 @@ struct radius_server_data {
|
||||
|
||||
unsigned int tls_session_lifetime;
|
||||
|
||||
unsigned int tls_flags;
|
||||
|
||||
/**
|
||||
* wps - Wi-Fi Protected Setup context
|
||||
*
|
||||
@ -696,6 +698,7 @@ radius_server_get_new_session(struct radius_server_data *data,
|
||||
eap_conf.server_id_len = os_strlen(data->server_id);
|
||||
eap_conf.erp = data->erp;
|
||||
eap_conf.tls_session_lifetime = data->tls_session_lifetime;
|
||||
eap_conf.tls_flags = data->tls_flags;
|
||||
radius_server_testing_options(sess, &eap_conf);
|
||||
sess->eap = eap_server_sm_init(sess, &radius_server_eapol_cb,
|
||||
&eap_conf);
|
||||
@ -1754,6 +1757,7 @@ radius_server_init(struct radius_server_conf *conf)
|
||||
data->erp = conf->erp;
|
||||
data->erp_domain = conf->erp_domain;
|
||||
data->tls_session_lifetime = conf->tls_session_lifetime;
|
||||
data->tls_flags = conf->tls_flags;
|
||||
|
||||
if (conf->subscr_remediation_url) {
|
||||
data->subscr_remediation_url =
|
||||
|
||||
@ -172,6 +172,8 @@ struct radius_server_conf {
|
||||
|
||||
unsigned int tls_session_lifetime;
|
||||
|
||||
unsigned int tls_flags;
|
||||
|
||||
/**
|
||||
* wps - Wi-Fi Protected Setup context
|
||||
*
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user