OpenSSL: Add a mechanism to configure cipher suites
authorJouni Malinen <j@w1.fi>
Sun, 12 Oct 2014 08:45:21 +0000 (11:45 +0300)
committerJouni Malinen <j@w1.fi>
Sun, 12 Oct 2014 08:45:21 +0000 (11:45 +0300)
This extends the TLS wrapper code to allow OpenSSL cipherlist string to
be configured. In addition, the default value is now set to
DEFAULT:!EXP:!LOW to ensure cipher suites with low and export encryption
algorithms (40-64 bit keys) do not get enabled in default configuration
regardless of how OpenSSL build was configured.

Signed-off-by: Jouni Malinen <j@w1.fi>
src/crypto/tls.h
src/crypto/tls_openssl.c

index 65e0f797cd61f806df966c22f6e4a420f7f800b2..1d3f592879816ad4f5c05a1f7c7dc90990e3f22e 100644 (file)
@@ -74,6 +74,7 @@ struct tls_config {
        const char *pkcs11_module_path;
        int fips_mode;
        int cert_in_cb;
+       const char *openssl_ciphers;
 
        void (*event_cb)(void *ctx, enum tls_event ev,
                         union tls_event_data *data);
@@ -123,6 +124,7 @@ struct tls_config {
  * specific for now)
  * @cert_id: the certificate's id when using engine
  * @ca_cert_id: the CA certificate's id when using engine
+ * @openssl_ciphers: OpenSSL cipher configuration
  * @flags: Parameter options (TLS_CONN_*)
  * @ocsp_stapling_response: DER encoded file with cached OCSP stapling response
  *     or %NULL if OCSP is not enabled
@@ -161,6 +163,7 @@ struct tls_connection_params {
        const char *key_id;
        const char *cert_id;
        const char *ca_cert_id;
+       const char *openssl_ciphers;
 
        unsigned int flags;
        const char *ocsp_stapling_response;
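Review bot: The `openssl_ciphers` member added to `struct tls_config` in the first hunk has no description, while the identical member added to `struct tls_connection_params` in the third hunk gets an `@openssl_ciphers:` line in the second hunk. If `struct tls_config` has a kernel-doc block above it (outside the hunk), add `@openssl_ciphers: OpenSSL cipherlist string, or %NULL to use the built-in default` there; otherwise a trailing `/* OpenSSL cipherlist string; %NULL selects the built-in default */` on the field itself would do. The existing `@openssl_ciphers: OpenSSL cipher configuration` line is also vaguer than it needs to be, since in tls_openssl.c a %NULL value simply leaves the context's cipher list untouched; `@openssl_ciphers: OpenSSL cipherlist string (see ciphers(1)); %NULL keeps the current cipher list` says what a caller actually needs. Both struct definitions begin and end outside the hunks.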
index e1534224c51959c0ea70c38ad888ae3917045ec5..c9e5611202f668a3bc8138c47a228c694b314d7f 100644 (file)
@@ -747,6 +747,7 @@ void * tls_init(const struct tls_config *conf)
 {
        SSL_CTX *ssl;
        struct tls_context *context;
+       const char *ciphers;
 
        if (tls_openssl_ref_count == 0) {
                tls_global = context = tls_context_new(conf);
@@ -845,6 +846,18 @@ void * tls_init(const struct tls_config *conf)
        }
 #endif /* OPENSSL_NO_ENGINE */
 
+       if (conf && conf->openssl_ciphers)
+               ciphers = conf->openssl_ciphers;
+       else
+               ciphers = "DEFAULT:!EXP:!LOW";
+       if (SSL_CTX_set_cipher_list(ssl, ciphers) != 1) {
+               wpa_printf(MSG_ERROR,
+                          "OpenSSL: Failed to set cipher string '%s'",
+                          ciphers);
+               tls_deinit(ssl);
+               return NULL;
+       }
+
        return ssl;
 }
 
@@ -3262,6 +3275,14 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
                return -1;
        }
 
+       if (params->openssl_ciphers &&
+           SSL_set_cipher_list(conn->ssl, params->openssl_ciphers) != 1) {
+               wpa_printf(MSG_INFO,
+                          "OpenSSL: Failed to set cipher string '%s'",
+                          params->openssl_ciphers);
+               return -1;
+       }
+
 #ifdef SSL_OP_NO_TICKET
        if (params->flags & TLS_CONN_DISABLE_SESSION_TICKET)
                SSL_set_options(conn->ssl, SSL_OP_NO_TICKET);
@@ -3328,6 +3349,14 @@ int tls_global_set_params(void *tls_ctx,
                return -1;
        }
 
+       if (params->openssl_ciphers &&
+           SSL_CTX_set_cipher_list(ssl_ctx, params->openssl_ciphers) != 1) {
+               wpa_printf(MSG_INFO,
+                          "OpenSSL: Failed to set cipher string '%s'",
+                          params->openssl_ciphers);
+               return -1;
+       }
+
 #ifdef SSL_OP_NO_TICKET
        if (params->flags & TLS_CONN_DISABLE_SESSION_TICKET)
                SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TICKET);
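Review bot: The built-in default `"DEFAULT:!EXP:!LOW"` in the tls_init hunk is a bare literal that sets the baseline cipher policy for every context yet carries no name or comment; a named constant such as `#define TLS_DEFAULT_CIPHERS "DEFAULT:!EXP:!LOW" /* exclude export/low-strength (40-64 bit key) suites regardless of the OpenSSL build default */` would make the policy visible and reusable. The failure branches in this hunk and in the tls_connection_set_params and tls_global_set_params hunks log only the offending string, not why OpenSSL rejected it; including the reason from `ERR_get_error()`/`ERR_error_string()` in the message would distinguish a malformed string from one that matches no cipher. The same condition is logged at MSG_ERROR in tls_init but at MSG_INFO in the two later hunks, and since a rejected per-connection or global string makes those calls fail with -1 as well, one severity for all three would be less surprising. tls_init's body continues outside the hunk, so whether `tls_deinit(ssl)` on the new error path also unwinds the `tls_openssl_ref_count`/global-context setup visible at the top of the function cannot be confirmed here and is worth checking.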