Home Explore Help
Register Sign In
wareck
/
krackattacks
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

EAP-FAST: Enable AES256-based TLS cipher suites with OpenSSL

This extends the list of TLS cipher suites enabled for EAP-FAST to
include AES256-based suites.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen 9 years ago
parent
1ebb24bbfb
commit
750f5d9964
4 changed files with 16 additions and 4 deletions
Split View Show Diff Stats
  1. 3 1
      src/crypto/tls.h
  2. 7 1
      src/crypto/tls_openssl.c
  3. 3 1
      src/eap_peer/eap_fast.c
  4. 3 1
      src/eap_server/eap_server_fast.c

+ 3 - 1
src/crypto/tls.h
View File 

@@ -461,7 +461,9 @@ enum {
 
 	TLS_CIPHER_RC4_SHA /* 0x0005 */,
 
 	TLS_CIPHER_AES128_SHA /* 0x002f */,
 
 	TLS_CIPHER_RSA_DHE_AES128_SHA /* 0x0031 */,
 
-	TLS_CIPHER_ANON_DH_AES128_SHA /* 0x0034 */
 
+	TLS_CIPHER_ANON_DH_AES128_SHA /* 0x0034 */,
 
+	TLS_CIPHER_RSA_DHE_AES256_SHA /* 0x0039 */,
 
+	TLS_CIPHER_AES256_SHA /* 0x0035 */,
 
 };
 
 
 /**

+ 7 - 1
src/crypto/tls_openssl.c
View File 

@@ -3407,7 +3407,7 @@ int tls_connection_resumed(void *ssl_ctx, struct tls_connection *conn)
 
 int tls_connection_set_cipher_list(void *tls_ctx, struct tls_connection *conn,
 
 				   u8 *ciphers)
 
 {
 
-	char buf[100], *pos, *end;
 
+	char buf[500], *pos, *end;
 
 	u8 *c;
 
 	int ret;
 
 
@@ -3435,6 +3435,12 @@ int tls_connection_set_cipher_list(void *tls_ctx, struct tls_connection *conn,
 
 		case TLS_CIPHER_ANON_DH_AES128_SHA:
 
 			suite = "ADH-AES128-SHA";
 
 			break;
 
+		case TLS_CIPHER_RSA_DHE_AES256_SHA:
 
+			suite = "DHE-RSA-AES256-SHA";
 
+			break;
 
+		case TLS_CIPHER_AES256_SHA:
 
+			suite = "AES256-SHA";
 
+			break;
 
 		default:
 
 			wpa_printf(MSG_DEBUG, "TLS: Unsupported "
 
 				   "cipher selection: %d", *c);

+ 3 - 1
src/eap_peer/eap_fast.c
View File 

@@ -1446,7 +1446,7 @@ static int eap_fast_clear_pac_opaque_ext(struct eap_sm *sm,
 
 static int eap_fast_set_provisioning_ciphers(struct eap_sm *sm,
 
 					     struct eap_fast_data *data)
 
 {
 
-	u8 ciphers[5];
 
+	u8 ciphers[7];
 
 	int count = 0;
 
 
 	if (data->provisioning_allowed & EAP_FAST_PROV_UNAUTH) {
 
@@ -1458,7 +1458,9 @@ static int eap_fast_set_provisioning_ciphers(struct eap_sm *sm,
 
 	if (data->provisioning_allowed & EAP_FAST_PROV_AUTH) {
 
 		wpa_printf(MSG_DEBUG, "EAP-FAST: Enabling authenticated "
 
 			   "provisioning TLS cipher suites");
 
+		ciphers[count++] = TLS_CIPHER_RSA_DHE_AES256_SHA;
 
 		ciphers[count++] = TLS_CIPHER_RSA_DHE_AES128_SHA;
 
+		ciphers[count++] = TLS_CIPHER_AES256_SHA;
 
 		ciphers[count++] = TLS_CIPHER_AES128_SHA;
 
 		ciphers[count++] = TLS_CIPHER_RC4_SHA;
 
 	}

+ 3 - 1
src/eap_server/eap_server_fast.c
View File 

@@ -412,11 +412,13 @@ static int eap_fast_update_icmk(struct eap_sm *sm, struct eap_fast_data *data)
 
 static void * eap_fast_init(struct eap_sm *sm)
 
 {
 
 	struct eap_fast_data *data;
 
-	u8 ciphers[5] = {
 
+	u8 ciphers[7] = {
 
 		TLS_CIPHER_ANON_DH_AES128_SHA,
 
 		TLS_CIPHER_AES128_SHA,
 
 		TLS_CIPHER_RSA_DHE_AES128_SHA,
 
 		TLS_CIPHER_RC4_SHA,
 
+		TLS_CIPHER_RSA_DHE_AES256_SHA,
 
+		TLS_CIPHER_AES256_SHA,
 
 		TLS_CIPHER_NONE
 
 	};