hostapd: Allow OpenSSL cipherlist string to be configured
authorJouni Malinen <j@w1.fi>
Sun, 12 Oct 2014 08:52:05 +0000 (11:52 +0300)
committerJouni Malinen <j@w1.fi>
Sun, 12 Oct 2014 08:52:05 +0000 (11:52 +0300)
The new openssl_ciphers configuration parameter can be used to select
which TLS cipher suites are enabled when hostapd is used as an EAP
server with OpenSSL as the TLS library.

Signed-off-by: Jouni Malinen <j@w1.fi>
hostapd/config_file.c
hostapd/hostapd.conf
src/ap/ap_config.c
src/ap/ap_config.h
src/ap/authsrv.c

index 32e3c49dd3c159f59d5bd8865a2a9e8a01ca5943..d4ba7cc0cf882c73df8e03b441c7e2f03d0ab49f 100644 (file)
@@ -1984,6 +1984,9 @@ static int hostapd_config_fill(struct hostapd_config *conf,
        } else if (os_strcmp(buf, "dh_file") == 0) {
                os_free(bss->dh_file);
                bss->dh_file = os_strdup(pos);
+       } else if (os_strcmp(buf, "openssl_ciphers") == 0) {
+               os_free(bss->openssl_ciphers);
+               bss->openssl_ciphers = os_strdup(pos);
        } else if (os_strcmp(buf, "fragment_size") == 0) {
                bss->fragment_size = atoi(pos);
 #ifdef EAP_SERVER_FAST
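Review bot: The value is stored verbatim, so a bare `openssl_ciphers=` line leaves the field pointing at an empty string rather than NULL, and the "if not set" fallback documented in this commit's hostapd.conf hunk presumably does not apply to an empty string at TLS init. Treating an empty value as unset keeps the documented default reachable from the config file: `bss->openssl_ciphers = *pos ? os_strdup(pos) : NULL;`. The os_strdup result is also unchecked, which matches the neighbouring dh_file branch, so that would be a separate, file-wide change. hostapd_config_fill starts and ends outside the hunk.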
index a7ab0f6bc60e5a1f7c89c862f1c4078c5fbb5d13..d4e5bf0af26a8fab44861af7f56dada7ff4324d7 100644 (file)
@@ -763,6 +763,15 @@ eap_server=0
 # "openssl dhparam -out /etc/hostapd.dh.pem 1024"
 #dh_file=/etc/hostapd.dh.pem
 
+# OpenSSL cipher string
+#
+# This is an OpenSSL specific configuration option for configuring the default
+# ciphers. If not set, "DEFAULT:!EXP:!LOW" is used as the default.
+# See https://www.openssl.org/docs/apps/ciphers.html for OpenSSL documentation
+# on cipher suite configuration. This is applicable only if hostapd is built to
+# use OpenSSL.
+#openssl_ciphers=DEFAULT:!EXP:!LOW
+
 # Fragment size for EAP methods
 #fragment_size=1400
 
index d7d5c3b089255f2db7fe502d42ff3e5928a8d9be..90f1630da2b9307760f78da34cfe84444597b792 100644 (file)
@@ -444,6 +444,7 @@ void hostapd_config_free_bss(struct hostapd_bss_config *conf)
        os_free(conf->private_key_passwd);
        os_free(conf->ocsp_stapling_response);
        os_free(conf->dh_file);
+       os_free(conf->openssl_ciphers);
        os_free(conf->pac_opaque_encr_key);
        os_free(conf->eap_fast_a_id);
        os_free(conf->eap_fast_a_id_info);
index 905aec32c7572d9ca27709fa913a901cab18dc79..e37a796596ce1234655b1ea4684e63661f40d5d6 100644 (file)
@@ -302,6 +302,7 @@ struct hostapd_bss_config {
        int check_crl;
        char *ocsp_stapling_response;
        char *dh_file;
+       char *openssl_ciphers;
        u8 *pac_opaque_encr_key;
        u8 *eap_fast_a_id;
        size_t eap_fast_a_id_len;
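Review bot: The new member is added without a comment stating its contract, and its lifetime is only discoverable from the os_free added in hostapd_config_free_bss in this same commit. I would annotate it as `char *openssl_ciphers; /* OpenSSL cipher list string, owned and freed with this struct; NULL selects the documented default */`, where "documented default" refers to the hostapd.conf text in this commit. The struct definition continues outside the hunk.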
index 86f1cbe1fdd809e649d298d72f8997f796428cb1..690f1dc419ad81bb457b0b2341d711e0c76d4df0 100644 (file)
@@ -158,6 +158,7 @@ int authsrv_init(struct hostapd_data *hapd)
                params.private_key = hapd->conf->private_key;
                params.private_key_passwd = hapd->conf->private_key_passwd;
                params.dh_file = hapd->conf->dh_file;
+               params.openssl_ciphers = hapd->conf->openssl_ciphers;
                params.ocsp_stapling_response =
                        hapd->conf->ocsp_stapling_response;