[PATCH] TLS: Add tls_options field per network to set additional TLS options
Dmitry Shmidt
dimitrysh
Wed Jan 29 13:49:43 PST 2014
Change-Id: I037dc8d7bdf54ef281e139bd778d8a3fc572d72c
Signed-off-by: Dmitry Shmidt <dimitrysh at google.com>
---
src/crypto/tls.h | 1 +
src/crypto/tls_openssl.c | 19 +++++++++++++++++++
src/eap_peer/eap_config.h | 7 +++++++
src/eap_peer/eap_tls_common.c | 1 +
wpa_supplicant/config.c | 1 +
5 files changed, 29 insertions(+)
diff --git a/src/crypto/tls.h b/src/crypto/tls.h
index 287fd33..b85dfb1 100644
--- a/src/crypto/tls.h
+++ b/src/crypto/tls.h
@@ -163,6 +163,7 @@ struct tls_connection_params {
unsigned int flags;
const char *ocsp_stapling_response;
+ const char *tls_options;
};
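Review bot: The new `tls_options` member is the only field in this hunk without a comment, and nothing in the header says what strings it accepts or who owns the memory. Since the value is copied from the per-network EAP configuration by pointer (the eap_tls_common.c part of this patch) and only compared with os_strstr(), a short comment would save the next reader a trip through tls_openssl.c: `/* tls_options - Optional space-separated TLS option tokens (e.g. "tls_no_tlsv1_1"); not owned by the TLS layer */`. The surrounding struct tls_connection_params starts outside this hunk.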
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 4cfa5f4..5127e09 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -3117,11 +3117,26 @@ static int ocsp_status_cb(SSL *s, void *arg)
#endif /* HAVE_OCSP */
+static long tls_connection_get_opt(const struct tls_connection_params *params)
+{
+ long options = 0;
+
+ if (params->tls_options == NULL)
+ return options;
+ if (os_strstr(params->tls_options, "tls_no_tlsv1_1"))
+ options |= SSL_OP_NO_TLSv1_1;
+ if (os_strstr(params->tls_options, "tls_no_tlsv1_2"))
+ options |= SSL_OP_NO_TLSv1_2;
+ return options;
+}
+
+
int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
const struct tls_connection_params *params)
{
int ret;
unsigned long err;
+ long options;
if (conn == NULL)
return -1;
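Review bot: SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2 are used unconditionally in tls_connection_get_opt(), but this file otherwise guards version-dependent OpenSSL option macros with #ifdef (see the SSL_OP_NO_TICKET / SSL_clear_options guards visible in the next hunk), and these two macros only exist in OpenSSL releases that implement TLS 1.1/1.2, so older builds will fail to compile. The token matching is also plain os_strstr(), so a misspelled or unknown token is silently ignored and the connection proceeds with the default options; since these knobs only ever lower the maximum TLS version, an unrecognized token deserves at least a wpa_printf(MSG_INFO) so an operator can see the downgrade did not apply as written. Note that only TLS 1.1 and 1.2 can be disabled here; there is no counterpart for TLS 1.0 or SSLv3, which is worth stating in the commit message if intentional. tls_connection_set_params() continues past the end of this hunk.

```c
static long tls_connection_get_opt(const struct tls_connection_params *params)
{
	long options = 0;

	if (params->tls_options == NULL)
		return options;
#ifdef SSL_OP_NO_TLSv1_1
	if (os_strstr(params->tls_options, "tls_no_tlsv1_1"))
		options |= SSL_OP_NO_TLSv1_1;
#endif /* SSL_OP_NO_TLSv1_1 */
#ifdef SSL_OP_NO_TLSv1_2
	if (os_strstr(params->tls_options, "tls_no_tlsv1_2"))
		options |= SSL_OP_NO_TLSv1_2;
#endif /* SSL_OP_NO_TLSv1_2 */
	return options;
}
```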
@@ -3192,6 +3207,10 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
#endif /* SSL_clear_options */
#endif /* SSL_OP_NO_TICKET */
+ options = tls_connection_get_opt(params);
+ if (options)
+ SSL_set_options(conn->ssl, options);
+
#ifdef HAVE_OCSP
if (params->flags & TLS_CONN_REQUEST_OCSP) {
SSL_CTX *ssl_ctx = tls_ctx;
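Review bot: The SSL_set_options() call disables TLS protocol versions for this connection without leaving any trace in the debug log, which makes a downgraded negotiation hard to diagnose from a wpa_supplicant trace. A one-line debug message before the call, `wpa_printf(MSG_DEBUG, "OpenSSL: Set additional TLS options 0x%lx", options);`, matches how the rest of this file reports option changes, as far as I can tell from the surrounding code. SSL_set_options() is additive and cannot be undone by passing 0, so if conn->ssl is ever re-parameterised with a different tls_options value the earlier restriction would persist; if the SSL object is always created fresh per connection that is fine, but it should be confirmed. The enclosing tls_connection_set_params() starts and ends outside this hunk.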
diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h
index 98ec1f7..34470b5 100644
--- a/src/eap_peer/eap_config.h
+++ b/src/eap_peer/eap_config.h
@@ -678,6 +678,13 @@ struct eap_peer_config {
* SIM/USIM processing.
*/
char *external_sim_resp;
+
+ /**
+ * tls_options - Additional options for TLS connection
+ *
+ * This filed allows to set additional TLS options per network.
+ */
+ char *tls_options;
};
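Review bot: The new doc comment for `tls_options` has two typos ("This filed allows to set") and does not tell the reader which tokens are recognised, even though the OpenSSL backend in this same patch only understands "tls_no_tlsv1_1" and "tls_no_tlsv1_2" and ignores anything else. I would reword the body as `This field allows additional TLS options to be set per network. Currently recognized tokens are "tls_no_tlsv1_1" and "tls_no_tlsv1_2" (disable the corresponding TLS versions); unrecognized tokens are ignored.` The enclosing struct eap_peer_config starts outside this hunk.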
diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c
index 008af37..54e8098 100644
--- a/src/eap_peer/eap_tls_common.c
+++ b/src/eap_peer/eap_tls_common.c
@@ -85,6 +85,7 @@ static void eap_tls_params_from_conf1(struct tls_connection_params *params,
params->key_id = config->key_id;
params->cert_id = config->cert_id;
params->ca_cert_id = config->ca_cert_id;
+ params->tls_options = config->tls_options;
eap_tls_params_flags(params, config->phase1);
}
diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index b43a72a..c604b07 100644
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -1652,6 +1652,7 @@ static const struct parse_data ssid_fields[] = {
{ INTe(engine) },
{ INTe(engine2) },
{ INT(eapol_flags) },
+ { STRe(tls_options) },
#endif /* IEEE8021X_EAPOL */
{ FUNC_KEY(wep_key0) },
{ FUNC_KEY(wep_key1) },
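Review bot: Registering `STRe(tls_options)` makes the parser allocate a copy of the string into ssid->eap, but the diffstat shows config.c receiving only this one line, so there is no matching release of that copy in the network-free path (eap_peer_config_free() / wpa_config_free_ssid(), assuming those are where the other STRe fields are freed) and no writer entry, so the value is leaked on every network removal and dropped on config save. Add the corresponding `os_free(eap->tls_options);` alongside the other EAP string fields, and the matching `write_str(f, "tls_options", ssid);` (or this file's equivalent) so the option survives a SAVE_CONFIG. The ssid_fields[] table starts outside this hunk.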
--
1.8.5.3