From 07e2de3193b0a10d1e0a6d0343698b740b279047 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sun, 12 Oct 2014 11:53:51 +0300
Subject: [PATCH] wpa_supplicant: Allow OpenSSL cipherlist string to be configured

The new openssl_cipher configuration parameter can be used to select which TLS cipher suites are enabled for TLS-based EAP methods when OpenSSL is used as the TLS library. This parameter can be used both as a global parameter to set the default for all network blocks and as a network block parameter to override the default for each network profile.

Signed-off-by: Jouni Malinen
---
 src/eap_peer/eap.c | 1 +
 src/eap_peer/eap.h | 8 ++++++++
 src/eap_peer/eap_config.h | 9 +++++++++
 src/eap_peer/eap_tls_common.c | 2 ++
 src/eapol_supp/eapol_supp_sm.c | 1 +
 src/eapol_supp/eapol_supp_sm.h | 9 +++++++++
 wpa_supplicant/config.c | 4 ++++
 wpa_supplicant/config.h | 9 +++++++++
 wpa_supplicant/config_file.c | 2 ++
 wpa_supplicant/eapol_test.c | 1 +
 wpa_supplicant/wpa_cli.c | 3 ++-
 wpa_supplicant/wpa_supplicant.c | 2 +-
 wpa_supplicant/wpa_supplicant.conf | 14 ++++++++++++++
 wpa_supplicant/wpas_glue.c | 1 +
 14 files changed, 64 insertions(+), 2 deletions(-)

diff --git a/src/eap_peer/eap.c b/src/eap_peer/eap.c
index 9880d3bce..148d5156c 100644
--- a/src/eap_peer/eap.c
+++ b/src/eap_peer/eap.c
@@ -1418,6 +1418,7 @@ struct eap_sm * eap_peer_sm_init(void *eapol_ctx,
 	tlsconf.opensc_engine_path = conf->opensc_engine_path;
 	tlsconf.pkcs11_engine_path = conf->pkcs11_engine_path;
 	tlsconf.pkcs11_module_path = conf->pkcs11_module_path;
+	tlsconf.openssl_ciphers = conf->openssl_ciphers;
 #ifdef CONFIG_FIPS
 	tlsconf.fips_mode = 1;
 #endif /* CONFIG_FIPS */
diff --git a/src/eap_peer/eap.h b/src/eap_peer/eap.h
index 712e929dc..28b6f8d8c 100644
--- a/src/eap_peer/eap.h
+++ b/src/eap_peer/eap.h
@@ -267,6 +267,14 @@ struct eap_config {
 	 * Usually, path to opensc-pkcs11.so.
 	 */
 	const char *pkcs11_module_path;
+	/**
+	 * openssl_ciphers - OpenSSL cipher string
+	 *
+	 * This is an OpenSSL specific configuration option for configuring the
+	 * default ciphers. If not set, "DEFAULT:!EXP:!LOW" is used as the
+	 * default.
+	 */
+	const char *openssl_ciphers;
 	/**
 	 * wps - WPS context data
 	 *
diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h
index 2591e113a..106435fe4 100644
--- a/src/eap_peer/eap_config.h
+++ b/src/eap_peer/eap_config.h
@@ -686,6 +686,15 @@ struct eap_peer_config {
 	 * has more than one.
 	 */
 	int sim_num;
+
+	/**
+	 * openssl_ciphers - OpenSSL cipher string
+	 *
+	 * This is an OpenSSL specific configuration option for configuring the
+	 * ciphers for this connection. If not set, the default cipher suite
+	 * list is used.
+	 */
+	char *openssl_ciphers;
 };
 
 
diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c
index fe9bfe000..06fb10ee6 100644
--- a/src/eap_peer/eap_tls_common.c
+++ b/src/eap_peer/eap_tls_common.c
@@ -167,6 +167,8 @@ static int eap_tls_params_from_conf(struct eap_sm *sm,
 		return -1;
 	}
 
+	params->openssl_ciphers = config->openssl_ciphers;
+
 	return 0;
 }
 
diff --git a/src/eapol_supp/eapol_supp_sm.c b/src/eapol_supp/eapol_supp_sm.c
index 70258be27..ef8d6eebd 100644
--- a/src/eapol_supp/eapol_supp_sm.c
+++ b/src/eapol_supp/eapol_supp_sm.c
@@ -2026,6 +2026,7 @@ struct eapol_sm *eapol_sm_init(struct eapol_ctx *ctx)
 	conf.opensc_engine_path = ctx->opensc_engine_path;
 	conf.pkcs11_engine_path = ctx->pkcs11_engine_path;
 	conf.pkcs11_module_path = ctx->pkcs11_module_path;
+	conf.openssl_ciphers = ctx->openssl_ciphers;
 	conf.wps = ctx->wps;
 	conf.cert_in_cb = ctx->cert_in_cb;
 
diff --git a/src/eapol_supp/eapol_supp_sm.h b/src/eapol_supp/eapol_supp_sm.h
index 5b37314ff..2a790524e 100644
--- a/src/eapol_supp/eapol_supp_sm.h
+++ b/src/eapol_supp/eapol_supp_sm.h
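Review bot: The doc comment added to eap_peer_config says what happens when openssl_ciphers is unset but not what happens when it is set: per the commit message the network value is an override, i.e. it replaces the global openssl_ciphers list rather than narrowing it, which is the case that matters to an administrator who has tightened the global default and expects per-network values to stay within it. Suggest adding to the comment: ` * When set, this string replaces (does not narrow) the global` / ` * openssl_ciphers default for this network's TLS-based EAP methods.` The network-block description added to wpa_supplicant.conf in this commit has the same gap.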
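Review bot: `params->openssl_ciphers = config->openssl_ciphers;` in eap_tls_params_from_conf hands the configured string to the TLS backend with no check of its own, so a string that the library cannot parse or that matches no cipher suite is only detectable where the backend applies it, which is outside this diff. It is worth confirming that that path treats a rejected string as a failure of the method's TLS setup rather than continuing with whatever list the connection inherited, since the purpose of the parameter is to restrict the suites in use. A short comment on the NULL case would also help readers, e.g. `/* NULL: fall back to the global openssl_ciphers default */`. eap_tls_params_from_conf starts outside the hunk.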
@@ -209,6 +209,15 @@ struct eapol_ctx {
 	 */
 	const char *pkcs11_module_path;
 
+	/**
+	 * openssl_ciphers - OpenSSL cipher string
+	 *
+	 * This is an OpenSSL specific configuration option for configuring the
+	 * default ciphers. If not set, "DEFAULT:!EXP:!LOW" is used as the
+	 * default.
+	 */
+	const char *openssl_ciphers;
+
 	/**
 	 * wps - WPS context data
 	 *
diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index b7f259b6c..d56e2031b 100644
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -1682,6 +1682,7 @@ static const struct parse_data ssid_fields[] = {
 	{ INTe(engine2) },
 	{ INT(eapol_flags) },
 	{ INTe(sim_num) },
+	{ STRe(openssl_ciphers) },
 #endif /* IEEE8021X_EAPOL */
 	{ FUNC_KEY(wep_key0) },
 	{ FUNC_KEY(wep_key1) },
@@ -1903,6 +1904,7 @@ static void eap_peer_config_free(struct eap_peer_config *eap)
 	os_free(eap->pac_file);
 	bin_clear_free(eap->new_password, eap->new_password_len);
 	str_clear_free(eap->external_sim_resp);
+	os_free(eap->openssl_ciphers);
 }
 #endif /* IEEE8021X_EAPOL */
 
@@ -2023,6 +2025,7 @@ void wpa_config_free(struct wpa_config *config)
 	os_free(config->opensc_engine_path);
 	os_free(config->pkcs11_engine_path);
 	os_free(config->pkcs11_module_path);
+	os_free(config->openssl_ciphers);
 	os_free(config->pcsc_reader);
 	str_clear_free(config->pcsc_pin);
 	os_free(config->driver_param);
@@ -3823,6 +3826,7 @@ static const struct global_parse_data global_fields[] = {
 	{ STR(opensc_engine_path), 0 },
 	{ STR(pkcs11_engine_path), 0 },
 	{ STR(pkcs11_module_path), 0 },
+	{ STR(openssl_ciphers), 0 },
 	{ STR(pcsc_reader), 0 },
 	{ STR(pcsc_pin), 0 },
 	{ INT(external_sim), 0 },
diff --git a/wpa_supplicant/config.h b/wpa_supplicant/config.h
index 3fd4192c5..f4c2f8883 100644
--- a/wpa_supplicant/config.h
+++ b/wpa_supplicant/config.h
@@ -516,6 +516,15 @@ struct wpa_config {
 	 */
 	char *pkcs11_module_path;
 
+	/**
+	 * openssl_ciphers - OpenSSL cipher string
+	 *
+	 * This is an OpenSSL specific configuration option for configuring the
+	 * default ciphers. If not set, "DEFAULT:!EXP:!LOW" is used as the
+	 * default.
+	 */
+	char *openssl_ciphers;
+
 	/**
 	 * pcsc_reader - PC/SC reader name prefix
 	 *
diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c
index 5c8f04509..17dbab6f3 100644
--- a/wpa_supplicant/config_file.c
+++ b/wpa_supplicant/config_file.c
@@ -938,6 +938,8 @@ static void wpa_config_write_global(FILE *f, struct wpa_config *config)
 	if (config->pkcs11_module_path)
 		fprintf(f, "pkcs11_module_path=%s\n",
 			config->pkcs11_module_path);
+	if (config->openssl_ciphers)
+		fprintf(f, "openssl_ciphers=%s\n", config->openssl_ciphers);
 	if (config->pcsc_reader)
 		fprintf(f, "pcsc_reader=%s\n", config->pcsc_reader);
 	if (config->pcsc_pin)
diff --git a/wpa_supplicant/eapol_test.c b/wpa_supplicant/eapol_test.c
index e576c1a84..f2058b8a7 100644
--- a/wpa_supplicant/eapol_test.c
+++ b/wpa_supplicant/eapol_test.c
@@ -568,6 +568,7 @@ static int test_eapol(struct eapol_test_data *e, struct wpa_supplicant *wpa_s,
 	ctx->opensc_engine_path = wpa_s->conf->opensc_engine_path;
 	ctx->pkcs11_engine_path = wpa_s->conf->pkcs11_engine_path;
 	ctx->pkcs11_module_path = wpa_s->conf->pkcs11_module_path;
+	ctx->openssl_ciphers = wpa_s->conf->openssl_ciphers;
 	ctx->eap_param_needed = eapol_test_eap_param_needed;
 	ctx->cert_cb = eapol_test_cert_cb;
 	ctx->cert_in_cb = 1;
diff --git a/wpa_supplicant/wpa_cli.c b/wpa_supplicant/wpa_cli.c
index fe30b4145..2bb3b6583 100644
--- a/wpa_supplicant/wpa_cli.c
+++ b/wpa_supplicant/wpa_cli.c
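Review bot: The network-block writer in config_file.c gets no counterpart to the `openssl_ciphers=%s` line added here in wpa_config_write_global; the diffstat shows only these two insertions for the file, and the per-network field was added to ssid_fields in config.c by this same commit. If that writer (outside the hunk) does not already cover the field, a network-block openssl_ciphers set at runtime through the control interface is silently dropped when the configuration is saved, and after the next restart that network falls back to the global list without any indication. Assuming the writer uses the same STR() helpers as its neighbouring EAP parameters, the missing line is `STR(openssl_ciphers);`.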
@@ -610,7 +610,8 @@ static char ** wpa_cli_complete_set(const char *str, int pos)
 		/* global configuration parameters */
 		"eapol_version", "ap_scan", "disable_scan_offload",
 		"fast_reauth", "opensc_engine_path", "pkcs11_engine_path",
-		"pkcs11_module_path", "pcsc_reader", "pcsc_pin",
+		"pkcs11_module_path", "openssl_ciphers",
+		"pcsc_reader", "pcsc_pin",
 		"driver_param", "dot11RSNAConfigPMKLifetime",
 		"dot11RSNAConfigPMKReauthThreshold",
 		"dot11RSNAConfigSATimeout",
diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c
index 18ae24508..14fd325ef 100644
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
@@ -842,7 +842,7 @@ int wpa_supplicant_reload_configuration(struct wpa_supplicant *wpa_s)
 
 	/*
 	 * TODO: should notify EAPOL SM about changes in opensc_engine_path,
-	 * pkcs11_engine_path, pkcs11_module_path.
+	 * pkcs11_engine_path, pkcs11_module_path, openssl_ciphers.
 	 */
 	if (wpa_key_mgmt_wpa_psk(wpa_s->key_mgmt)) {
 		/*
diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index 89da0dafd..9f5ad536a 100644
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -132,6 +132,16 @@ fast_reauth=1
 # configure the path to the pkcs11 module required by the pkcs11 engine
 #pkcs11_module_path=/usr/lib/pkcs11/opensc-pkcs11.so
 
+# OpenSSL cipher string
+#
+# This is an OpenSSL specific configuration option for configuring the default
+# ciphers. If not set, "DEFAULT:!EXP:!LOW" is used as the default.
+# See https://www.openssl.org/docs/apps/ciphers.html for OpenSSL documentation
+# on cipher suite configuration. This is applicable only if wpa_supplicant is
+# built to use OpenSSL.
+#openssl_ciphers=DEFAULT:!EXP:!LOW
+
+
 # Dynamic EAP methods
 # If EAP methods were built dynamically as shared object files, they need to be
 # loaded here before being used in the network blocks. By default, EAP methods
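Review bot: The user-facing text added to wpa_supplicant.conf in this commit does not warn that a changed global openssl_ciphers is not propagated on reload, which is exactly what the extended TODO in wpa_supplicant_reload_configuration records. An operator who tightens the global cipher list and reconfigures the running daemon will therefore believe the restriction is active when, per this comment, the EAPOL state machine keeps the list it was initialised with; the global value is copied into the EAPOL context at init time in the wpas_glue.c and eapol_test.c hunks of this same diff. Until the TODO is resolved the conf description should say so, e.g. `# Note: a change to this global value takes effect only after restart.` wpa_supplicant_reload_configuration starts and ends outside the hunk.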
@@ -932,6 +942,10 @@ fast_reauth=1
 # 1 = try to use OCSP stapling, but not require response
 # 2 = require valid OCSP stapling response
 #
+# openssl_ciphers: OpenSSL specific cipher configuration
+# This can be used to override the global openssl_ciphers configuration
+# parameter (see above).
+#
 # EAP-FAST variables:
 # pac_file: File path for the PAC entries. wpa_supplicant will need to be able
 # to create this file and write updates to it when PAC is being
diff --git a/wpa_supplicant/wpas_glue.c b/wpa_supplicant/wpas_glue.c
index fcfa9fba5..ea95a4ce0 100644
--- a/wpa_supplicant/wpas_glue.c
+++ b/wpa_supplicant/wpas_glue.c
@@ -881,6 +881,7 @@ int wpa_supplicant_init_eapol(struct wpa_supplicant *wpa_s)
 	ctx->opensc_engine_path = wpa_s->conf->opensc_engine_path;
 	ctx->pkcs11_engine_path = wpa_s->conf->pkcs11_engine_path;
 	ctx->pkcs11_module_path = wpa_s->conf->pkcs11_module_path;
+	ctx->openssl_ciphers = wpa_s->conf->openssl_ciphers;
 	ctx->wps = wpa_s->wps;
 	ctx->eap_param_needed = wpa_supplicant_eap_param_needed;
 	ctx->port_cb = wpa_supplicant_port_cb;