EAP-FAST: Enable AES256-based TLS cipher suites with OpenSSL
authorJouni Malinen <jouni@qca.qualcomm.com>
Thu, 31 Dec 2015 18:52:58 +0000 (20:52 +0200)
committerJouni Malinen <j@w1.fi>
Thu, 31 Dec 2015 18:52:58 +0000 (20:52 +0200)
This extends the list of TLS cipher suites enabled for EAP-FAST to
include AES256-based suites.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
src/crypto/tls.h
src/crypto/tls_openssl.c
src/eap_peer/eap_fast.c
src/eap_server/eap_server_fast.c

index 453b4deb5e35c09097db1426d21d74278810def9..15a3bcfb248342860bb19a2c68f901f9f9493e04 100644 (file)
@@ -461,7 +461,9 @@ enum {
        TLS_CIPHER_RC4_SHA /* 0x0005 */,
        TLS_CIPHER_AES128_SHA /* 0x002f */,
        TLS_CIPHER_RSA_DHE_AES128_SHA /* 0x0031 */,
-       TLS_CIPHER_ANON_DH_AES128_SHA /* 0x0034 */
+       TLS_CIPHER_ANON_DH_AES128_SHA /* 0x0034 */,
+       TLS_CIPHER_RSA_DHE_AES256_SHA /* 0x0039 */,
+       TLS_CIPHER_AES256_SHA /* 0x0035 */,
 };
 
 /**
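Review bot: The two new enumerators are appended with the 0x0039 suite ahead of the 0x0035 one, which breaks the ascending-by-suite-code order the visible entries otherwise follow (0x0005, 0x002f, 0x0031, 0x0034); swapping the two lines keeps the list sorted, `TLS_CIPHER_AES256_SHA /* 0x0035 */, TLS_CIPHER_RSA_DHE_AES256_SHA /* 0x0039 */,`. Appending rather than inserting is the right choice, since the values are implicit and are stored into u8 cipher arrays in the other files of this commit, so a note such as `/* Append new suites at the end; values are positional */` above the closing brace would keep a later reorder from silently renumbering them. The enum's opening line and its earlier entries lie outside the hunk.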
index d1c001f18ce3d13e2ebc27e6155541ce4fc67e7b..f4a8ff99f140cae0abd7b52dbb50b5f0da3136eb 100644 (file)
@@ -3407,7 +3407,7 @@ int tls_connection_resumed(void *ssl_ctx, struct tls_connection *conn)
 int tls_connection_set_cipher_list(void *tls_ctx, struct tls_connection *conn,
                                   u8 *ciphers)
 {
-       char buf[100], *pos, *end;
+       char buf[500], *pos, *end;
        u8 *c;
        int ret;
 
@@ -3435,6 +3435,12 @@ int tls_connection_set_cipher_list(void *tls_ctx, struct tls_connection *conn,
                case TLS_CIPHER_ANON_DH_AES128_SHA:
                        suite = "ADH-AES128-SHA";
                        break;
+               case TLS_CIPHER_RSA_DHE_AES256_SHA:
+                       suite = "DHE-RSA-AES256-SHA";
+                       break;
+               case TLS_CIPHER_AES256_SHA:
+                       suite = "AES256-SHA";
+                       break;
                default:
                        wpa_printf(MSG_DEBUG, "TLS: Unsupported "
                                   "cipher selection: %d", *c);
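Review bot: `char buf[500]` on the second line of the first hunk is a bare magic number, and nothing records how it relates to the OpenSSL cipher names that the switch below assembles into it. The six names visible across this page add up to well under 100 bytes with ':' separators, so the reason 500 is needed is presumably elsewhere in the function and should be stated; a comment such as `/* Must hold every TLS_CIPHER_* OpenSSL name plus separators; revisit when suites are added */` or a named constant would do. Whether the pos/end bookkeeping rejects a list that does not fit is outside the hunk, so I cannot confirm here that the writes are bounded. tls_connection_set_cipher_list continues past both hunks.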
index a7f6befa0f656781c49e920b0dae7f00b1c9d3a3..57390aed880cba9ff8e41eac4787e6b5c5a0a694 100644 (file)
@@ -1446,7 +1446,7 @@ static int eap_fast_clear_pac_opaque_ext(struct eap_sm *sm,
 static int eap_fast_set_provisioning_ciphers(struct eap_sm *sm,
                                             struct eap_fast_data *data)
 {
-       u8 ciphers[5];
+       u8 ciphers[7];
        int count = 0;
 
        if (data->provisioning_allowed & EAP_FAST_PROV_UNAUTH) {
@@ -1458,7 +1458,9 @@ static int eap_fast_set_provisioning_ciphers(struct eap_sm *sm,
        if (data->provisioning_allowed & EAP_FAST_PROV_AUTH) {
                wpa_printf(MSG_DEBUG, "EAP-FAST: Enabling authenticated "
                           "provisioning TLS cipher suites");
+               ciphers[count++] = TLS_CIPHER_RSA_DHE_AES256_SHA;
                ciphers[count++] = TLS_CIPHER_RSA_DHE_AES128_SHA;
+               ciphers[count++] = TLS_CIPHER_AES256_SHA;
                ciphers[count++] = TLS_CIPHER_AES128_SHA;
                ciphers[count++] = TLS_CIPHER_RC4_SHA;
        }
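Review bot: `u8 ciphers[7]` in the first hunk is sized by hand to match the number of `ciphers[count++] = …` stores plus the terminator, and nothing in the function ties the two together, so the next suite added to the EAP_FAST_PROV_AUTH branch without also touching the declaration writes past the end of the stack array. A comment next to the declaration such as `/* 1 unauthenticated + 5 authenticated suites + TLS_CIPHER_NONE terminator */` records the arithmetic; the unauthenticated branch and the terminator store are outside the hunk, so that count is inferred from the old size of 5 and the two additions. The same hand-sized array appears in eap_fast_init in src/eap_server/eap_server_fast.c, where the initializer at least makes the count visible. eap_fast_set_provisioning_ciphers ends outside the hunk.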
index e348eb3e2559962e62fdf9e68bf397971e272fbd..2e03f8840a0075fad978187ac29add6c8c9e54cc 100644 (file)
@@ -412,11 +412,13 @@ static int eap_fast_update_icmk(struct eap_sm *sm, struct eap_fast_data *data)
 static void * eap_fast_init(struct eap_sm *sm)
 {
        struct eap_fast_data *data;
-       u8 ciphers[5] = {
+       u8 ciphers[7] = {
                TLS_CIPHER_ANON_DH_AES128_SHA,
                TLS_CIPHER_AES128_SHA,
                TLS_CIPHER_RSA_DHE_AES128_SHA,
                TLS_CIPHER_RC4_SHA,
+               TLS_CIPHER_RSA_DHE_AES256_SHA,
+               TLS_CIPHER_AES256_SHA,
                TLS_CIPHER_NONE
        };