hostapd: Allow OpenSSL cipherlist string to be configured

The new openssl_cipher configuration parameter can be used to select which TLS cipher suites are enabled when hostapd is used as an EAP server with OpenSSL as the TLS library. Signed-off-by: Jouni Malinen <j@w1.fi>
10 years ago · f8995f8f1c
parent b7328434f7
commit f8995f8f1c
5 changed files with 15 additions and 0 deletions
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@ -1984,6 +1984,9 @@ static int hostapd_config_fill(struct hostapd_config *conf,
 	} else if (os_strcmp(buf, "dh_file") == 0) {
 		os_free(bss->dh_file);
 		bss->dh_file = os_strdup(pos);
+	} else if (os_strcmp(buf, "openssl_ciphers") == 0) {
+		os_free(bss->openssl_ciphers);
+		bss->openssl_ciphers = os_strdup(pos);
 	} else if (os_strcmp(buf, "fragment_size") == 0) {
 		bss->fragment_size = atoi(pos);
 #ifdef EAP_SERVER_FAST
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@ -763,6 +763,15 @@ eap_server=0
 # "openssl dhparam -out /etc/hostapd.dh.pem 1024"
 #dh_file=/etc/hostapd.dh.pem

+# OpenSSL cipher string
+#
+# This is an OpenSSL specific configuration option for configuring the default
+# ciphers. If not set, "DEFAULT:!EXP:!LOW" is used as the default.
+# See https://www.openssl.org/docs/apps/ciphers.html for OpenSSL documentation
+# on cipher suite configuration. This is applicable only if hostapd is built to
+# use OpenSSL.
+#openssl_ciphers=DEFAULT:!EXP:!LOW
+
 # Fragment size for EAP methods
 #fragment_size=1400

--- a/src/ap/ap_config.c
+++ b/src/ap/ap_config.c
@ -444,6 +444,7 @@ void hostapd_config_free_bss(struct hostapd_bss_config *conf)
 	os_free(conf->private_key_passwd);
 	os_free(conf->ocsp_stapling_response);
 	os_free(conf->dh_file);
+	os_free(conf->openssl_ciphers);
 	os_free(conf->pac_opaque_encr_key);
 	os_free(conf->eap_fast_a_id);
 	os_free(conf->eap_fast_a_id_info);
--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
@ -302,6 +302,7 @@ struct hostapd_bss_config {
 	int check_crl;
 	char *ocsp_stapling_response;
 	char *dh_file;
+	char *openssl_ciphers;
 	u8 *pac_opaque_encr_key;
 	u8 *eap_fast_a_id;
 	size_t eap_fast_a_id_len;
--- a/src/ap/authsrv.c
+++ b/src/ap/authsrv.c
@ -158,6 +158,7 @@ int authsrv_init(struct hostapd_data *hapd)
 		params.private_key = hapd->conf->private_key;
 		params.private_key_passwd = hapd->conf->private_key_passwd;
 		params.dh_file = hapd->conf->dh_file;
+		params.openssl_ciphers = hapd->conf->openssl_ciphers;
 		params.ocsp_stapling_response =
 			hapd->conf->ocsp_stapling_response;