From b7328434f73d7bd274e7be914d626771f32079c2 Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Sun, 12 Oct 2014 11:45:21 +0300 Subject: [PATCH] OpenSSL: Add a mechanism to configure cipher suites This extends the TLS wrapper code to allow OpenSSL cipherlist string to be configured. In addition, the default value is now set to DEFAULT:!EXP:!LOW to ensure cipher suites with low and export encryption algoriths (40-64 bit keys) do not get enabled in default configuration regardless of how OpenSSL build was configured. Signed-off-by: Jouni Malinen --- src/crypto/tls.h | 3 +++ src/crypto/tls_openssl.c | 29 +++++++++++++++++++++++++++++ 2 files changed, 32 insertions(+) diff --git a/src/crypto/tls.h b/src/crypto/tls.h index 65e0f797c..1d3f59287 100644 --- a/src/crypto/tls.h +++ b/src/crypto/tls.h @@ -74,6 +74,7 @@ struct tls_config { const char *pkcs11_module_path; int fips_mode; int cert_in_cb; + const char *openssl_ciphers; void (*event_cb)(void *ctx, enum tls_event ev, union tls_event_data *data); @@ -123,6 +124,7 @@ struct tls_config { * specific for now) * @cert_id: the certificate's id when using engine * @ca_cert_id: the CA certificate's id when using engine + * @openssl_ciphers: OpenSSL cipher configuration * @flags: Parameter options (TLS_CONN_*) * @ocsp_stapling_response: DER encoded file with cached OCSP stapling response * or %NULL if OCSP is not enabled @@ -161,6 +163,7 @@ struct tls_connection_params { const char *key_id; const char *cert_id; const char *ca_cert_id; + const char *openssl_ciphers; unsigned int flags; const char *ocsp_stapling_response; diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c index e1534224c..c9e561120 100644 --- a/src/crypto/tls_openssl.c +++ b/src/crypto/tls_openssl.c @@ -747,6 +747,7 @@ void * tls_init(const struct tls_config *conf) { SSL_CTX *ssl; struct tls_context *context; + const char *ciphers; if (tls_openssl_ref_count == 0) { tls_global = context = tls_context_new(conf); @@ -845,6 +846,18 @@ void * tls_init(const struct tls_config *conf) } #endif /* OPENSSL_NO_ENGINE */ + if (conf && conf->openssl_ciphers) + ciphers = conf->openssl_ciphers; + else + ciphers = "DEFAULT:!EXP:!LOW"; + if (SSL_CTX_set_cipher_list(ssl, ciphers) != 1) { + wpa_printf(MSG_ERROR, + "OpenSSL: Failed to set cipher string '%s'", + ciphers); + tls_deinit(ssl); + return NULL; + } + return ssl; } @@ -3262,6 +3275,14 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn, return -1; } + if (params->openssl_ciphers && + SSL_set_cipher_list(conn->ssl, params->openssl_ciphers) != 1) { + wpa_printf(MSG_INFO, + "OpenSSL: Failed to set cipher string '%s'", + params->openssl_ciphers); + return -1; + } + #ifdef SSL_OP_NO_TICKET if (params->flags & TLS_CONN_DISABLE_SESSION_TICKET) SSL_set_options(conn->ssl, SSL_OP_NO_TICKET); @@ -3328,6 +3349,14 @@ int tls_global_set_params(void *tls_ctx, return -1; } + if (params->openssl_ciphers && + SSL_CTX_set_cipher_list(ssl_ctx, params->openssl_ciphers) != 1) { + wpa_printf(MSG_INFO, + "OpenSSL: Failed to set cipher string '%s'", + params->openssl_ciphers); + return -1; + } + #ifdef SSL_OP_NO_TICKET if (params->flags & TLS_CONN_DISABLE_SESSION_TICKET) SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TICKET);