Suite B: Add tls_suiteb=1 parameter for RSA 3k key case
authorJouni Malinen <jouni@qca.qualcomm.com>
Sat, 16 Sep 2017 21:09:47 +0000 (00:09 +0300)
committerJouni Malinen <j@w1.fi>
Sat, 16 Sep 2017 21:09:47 +0000 (00:09 +0300)
This adds phase1 parameter tls_suiteb=1 into wpa_supplicant
configuration to allow TLS library (only OpenSSL supported for now) to
use Suite B 192-bit level rules with RSA when using >= 3k (3072) keys.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
src/crypto/tls.h
src/crypto/tls_openssl.c
src/eap_peer/eap_tls_common.c
wpa_supplicant/wpa_supplicant.conf

index 11d504a97fc05465f37e0850f1832ef9f5468bf0..9b3a7a259e1a43f60f119be8f0e8c6dba5b0595f 100644 (file)
@@ -97,6 +97,7 @@ struct tls_config {
 #define TLS_CONN_DISABLE_TLSv1_0 BIT(8)
 #define TLS_CONN_EXT_CERT_CHECK BIT(9)
 #define TLS_CONN_REQUIRE_OCSP_ALL BIT(10)
+#define TLS_CONN_SUITEB BIT(11)
 
 /**
  * struct tls_connection_params - Parameters for TLS connection
index 903c38cff33418371ecde05cb8e3e2f1236170c2..be91e3e00f86211dd01b86fc45b8200d4b63b032 100644 (file)
@@ -2257,7 +2257,7 @@ static int tls_connection_set_subject_match(struct tls_connection *conn,
 }
 
 
-static void tls_set_conn_flags(SSL *ssl, unsigned int flags)
+static int tls_set_conn_flags(SSL *ssl, unsigned int flags)
 {
 #ifdef SSL_OP_NO_TICKET
        if (flags & TLS_CONN_DISABLE_SESSION_TICKET)
@@ -2284,6 +2284,45 @@ static void tls_set_conn_flags(SSL *ssl, unsigned int flags)
        else
                SSL_clear_options(ssl, SSL_OP_NO_TLSv1_2);
 #endif /* SSL_OP_NO_TLSv1_2 */
+#ifdef CONFIG_SUITEB
+       if (flags & TLS_CONN_SUITEB) {
+               EC_KEY *ecdh;
+               const char *ciphers =
+                       "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384";
+
+               if (SSL_set_cipher_list(ssl, ciphers) != 1) {
+                       wpa_printf(MSG_INFO,
+                                  "OpenSSL: Failed to set Suite B ciphers");
+                       return -1;
+               }
+
+               if (SSL_set1_curves_list(ssl, "P-384") != 1) {
+                       wpa_printf(MSG_INFO,
+                                  "OpenSSL: Failed to set Suite B curves");
+                       return -1;
+               }
+               /* ECDSA+SHA384 if need to add EC support here */
+               if (SSL_set1_sigalgs_list(ssl, "RSA+SHA384") != 1) {
+                       wpa_printf(MSG_INFO,
+                                  "OpenSSL: Failed to set Suite B sigalgs");
+                       return -1;
+               }
+
+               ecdh = EC_KEY_new_by_curve_name(NID_secp384r1);
+               if (!ecdh || SSL_set_tmp_ecdh(ssl, ecdh) != 1) {
+                       EC_KEY_free(ecdh);
+                       wpa_printf(MSG_INFO,
+                                  "OpenSSL: Failed to set ECDH parameter");
+                       return -1;
+               }
+               EC_KEY_free(ecdh);
+
+               SSL_set_options(ssl, SSL_OP_NO_TLSv1);
+               SSL_set_options(ssl, SSL_OP_NO_TLSv1_1);
+       }
+#endif /* CONFIG_SUITEB */
+
+       return 0;
 }
 
 
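Review bot: The Suite B block is compiled only under `#ifdef CONFIG_SUITEB`, so a build without it falls through to `return 0` with `TLS_CONN_SUITEB` set and none of the cipher, curve, sigalg or version constraints applied. The phase1 parser in src/eap_peer/eap_tls_common.c sets the flag on `tls_suiteb=1` regardless of build options, so a profile that asks for the 192-bit level would connect with library defaults and no log line. An `#else` branch that rejects the flag, as sketched below, makes this fail closed. Separately, nothing in this hunk checks that the peer's RSA key or the DH group used with `DHE-RSA-AES256-GCM-SHA384` is at least 3072 bits; if that is not enforced elsewhere (not visible here), it deserves a follow-up. The start of `tls_set_conn_flags` lies outside this hunk.

```c
	/* … unchanged: Suite B cipher list, curve, sigalg, ECDH and TLS version setup … */
#else /* CONFIG_SUITEB */
	if (flags & TLS_CONN_SUITEB) {
		wpa_printf(MSG_INFO,
			   "OpenSSL: tls_suiteb=1 requested, but Suite B support is not included in the build");
		return -1;
	}
#endif /* CONFIG_SUITEB */

	return 0;
```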
@@ -2307,7 +2346,8 @@ int tls_connection_set_verify(void *ssl_ctx, struct tls_connection *conn,
                SSL_set_verify(conn->ssl, SSL_VERIFY_NONE, NULL);
        }
 
-       tls_set_conn_flags(conn->ssl, flags);
+       if (tls_set_conn_flags(conn->ssl, flags) < 0)
+               return -1;
        conn->flags = flags;
 
        SSL_set_accept_state(conn->ssl);
@@ -4111,7 +4151,8 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
                return -1;
        }
 
-       tls_set_conn_flags(conn->ssl, params->flags);
+       if (tls_set_conn_flags(conn->ssl, params->flags) < 0)
+               return -1;
 
 #ifdef OPENSSL_IS_BORINGSSL
        if (params->flags & TLS_CONN_REQUEST_OCSP) {
index 0dcb9c138f81de21522f317a2622659f60c9717d..b387dea50815cf81feec86cc625625e311fe334a 100644 (file)
@@ -84,6 +84,10 @@ static void eap_tls_params_flags(struct tls_connection_params *params,
                params->flags |= TLS_CONN_EXT_CERT_CHECK;
        if (os_strstr(txt, "tls_ext_cert_check=0"))
                params->flags &= ~TLS_CONN_EXT_CERT_CHECK;
+       if (os_strstr(txt, "tls_suiteb=1"))
+               params->flags |= TLS_CONN_SUITEB;
+       if (os_strstr(txt, "tls_suiteb=0"))
+               params->flags &= ~TLS_CONN_SUITEB;
 }
 
 
index 68d0827c5e8a481c1a1cdbabccc004b6fa95e6ca..3430be0cf61a6e24503a91c39cc378b738c8f4c8 100644 (file)
@@ -1164,6 +1164,9 @@ fast_reauth=1
 #      chain when receiving CTRL-RSP-EXT_CERT_CHECK event from the control
 #      interface and report the result of the validation with
 #      CTRL-RSP_EXT_CERT_CHECK.
+# tls_suiteb=0 - do not apply Suite B 192-bit constraints on TLS (default)
+# tls_suiteb=1 - apply Suite B 192-bit constraints on TLS; this is used in
+#      particular when using Suite B with RSA keys of >= 3K (3072) bits
 #
 # Following certificate/private key fields are used in inner Phase2
 # authentication when using EAP-TTLS or EAP-PEAP.