aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--src/eap_peer/eap.c1
-rw-r--r--src/eap_peer/eap.h8
-rw-r--r--src/eap_peer/eap_config.h9
-rw-r--r--src/eap_peer/eap_tls_common.c2
-rw-r--r--src/eapol_supp/eapol_supp_sm.c1
-rw-r--r--src/eapol_supp/eapol_supp_sm.h9
-rw-r--r--wpa_supplicant/config.c4
-rw-r--r--wpa_supplicant/config.h9
-rw-r--r--wpa_supplicant/config_file.c2
-rw-r--r--wpa_supplicant/eapol_test.c1
-rw-r--r--wpa_supplicant/wpa_cli.c3
-rw-r--r--wpa_supplicant/wpa_supplicant.c2
-rw-r--r--wpa_supplicant/wpa_supplicant.conf14
-rw-r--r--wpa_supplicant/wpas_glue.c1
14 files changed, 64 insertions, 2 deletions
diff --git a/src/eap_peer/eap.c b/src/eap_peer/eap.c
index 9880d3b..148d515 100644
--- a/src/eap_peer/eap.c
+++ b/src/eap_peer/eap.c
@@ -1418,6 +1418,7 @@ struct eap_sm * eap_peer_sm_init(void *eapol_ctx,
tlsconf.opensc_engine_path = conf->opensc_engine_path;
tlsconf.pkcs11_engine_path = conf->pkcs11_engine_path;
tlsconf.pkcs11_module_path = conf->pkcs11_module_path;
+ tlsconf.openssl_ciphers = conf->openssl_ciphers;
#ifdef CONFIG_FIPS
tlsconf.fips_mode = 1;
#endif /* CONFIG_FIPS */
diff --git a/src/eap_peer/eap.h b/src/eap_peer/eap.h
index 712e929..28b6f8d 100644
--- a/src/eap_peer/eap.h
+++ b/src/eap_peer/eap.h
@@ -268,6 +268,14 @@ struct eap_config {
*/
const char *pkcs11_module_path;
/**
+ * openssl_ciphers - OpenSSL cipher string
+ *
+ * This is an OpenSSL specific configuration option for configuring the
+ * default ciphers. If not set, "DEFAULT:!EXP:!LOW" is used as the
+ * default.
+ */
+ const char *openssl_ciphers;
+ /**
* wps - WPS context data
*
* This is only used by EAP-WSC and can be left %NULL if not available.
diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h
index 2591e11..106435f 100644
--- a/src/eap_peer/eap_config.h
+++ b/src/eap_peer/eap_config.h
@@ -686,6 +686,15 @@ struct eap_peer_config {
* has more than one.
*/
int sim_num;
+
+ /**
+ * openssl_ciphers - OpenSSL cipher string
+ *
+ * This is an OpenSSL specific configuration option for configuring the
+ * ciphers for this connection. If not set, the default cipher suite
+ * list is used.
+ */
+ char *openssl_ciphers;
};
diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c
index fe9bfe0..06fb10e 100644
--- a/src/eap_peer/eap_tls_common.c
+++ b/src/eap_peer/eap_tls_common.c
@@ -167,6 +167,8 @@ static int eap_tls_params_from_conf(struct eap_sm *sm,
return -1;
}
+ params->openssl_ciphers = config->openssl_ciphers;
+
return 0;
}
diff --git a/src/eapol_supp/eapol_supp_sm.c b/src/eapol_supp/eapol_supp_sm.c
index 70258be..ef8d6ee 100644
--- a/src/eapol_supp/eapol_supp_sm.c
+++ b/src/eapol_supp/eapol_supp_sm.c
@@ -2026,6 +2026,7 @@ struct eapol_sm *eapol_sm_init(struct eapol_ctx *ctx)
conf.opensc_engine_path = ctx->opensc_engine_path;
conf.pkcs11_engine_path = ctx->pkcs11_engine_path;
conf.pkcs11_module_path = ctx->pkcs11_module_path;
+ conf.openssl_ciphers = ctx->openssl_ciphers;
conf.wps = ctx->wps;
conf.cert_in_cb = ctx->cert_in_cb;
diff --git a/src/eapol_supp/eapol_supp_sm.h b/src/eapol_supp/eapol_supp_sm.h
index 5b37314..2a79052 100644
--- a/src/eapol_supp/eapol_supp_sm.h
+++ b/src/eapol_supp/eapol_supp_sm.h
@@ -210,6 +210,15 @@ struct eapol_ctx {
const char *pkcs11_module_path;
/**
+ * openssl_ciphers - OpenSSL cipher string
+ *
+ * This is an OpenSSL specific configuration option for configuring the
+ * default ciphers. If not set, "DEFAULT:!EXP:!LOW" is used as the
+ * default.
+ */
+ const char *openssl_ciphers;
+
+ /**
* wps - WPS context data
*
* This is only used by EAP-WSC and can be left %NULL if not available.
diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index b7f259b..d56e203 100644
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -1682,6 +1682,7 @@ static const struct parse_data ssid_fields[] = {
{ INTe(engine2) },
{ INT(eapol_flags) },
{ INTe(sim_num) },
+ { STRe(openssl_ciphers) },
#endif /* IEEE8021X_EAPOL */
{ FUNC_KEY(wep_key0) },
{ FUNC_KEY(wep_key1) },
@@ -1903,6 +1904,7 @@ static void eap_peer_config_free(struct eap_peer_config *eap)
os_free(eap->pac_file);
bin_clear_free(eap->new_password, eap->new_password_len);
str_clear_free(eap->external_sim_resp);
+ os_free(eap->openssl_ciphers);
}
#endif /* IEEE8021X_EAPOL */
@@ -2023,6 +2025,7 @@ void wpa_config_free(struct wpa_config *config)
os_free(config->opensc_engine_path);
os_free(config->pkcs11_engine_path);
os_free(config->pkcs11_module_path);
+ os_free(config->openssl_ciphers);
os_free(config->pcsc_reader);
str_clear_free(config->pcsc_pin);
os_free(config->driver_param);
@@ -3823,6 +3826,7 @@ static const struct global_parse_data global_fields[] = {
{ STR(opensc_engine_path), 0 },
{ STR(pkcs11_engine_path), 0 },
{ STR(pkcs11_module_path), 0 },
+ { STR(openssl_ciphers), 0 },
{ STR(pcsc_reader), 0 },
{ STR(pcsc_pin), 0 },
{ INT(external_sim), 0 },
diff --git a/wpa_supplicant/config.h b/wpa_supplicant/config.h
index 3fd4192..f4c2f88 100644
--- a/wpa_supplicant/config.h
+++ b/wpa_supplicant/config.h
@@ -517,6 +517,15 @@ struct wpa_config {
char *pkcs11_module_path;
/**
+ * openssl_ciphers - OpenSSL cipher string
+ *
+ * This is an OpenSSL specific configuration option for configuring the
+ * default ciphers. If not set, "DEFAULT:!EXP:!LOW" is used as the
+ * default.
+ */
+ char *openssl_ciphers;
+
+ /**
* pcsc_reader - PC/SC reader name prefix
*
* If not %NULL, PC/SC reader with a name that matches this prefix is
diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c
index 5c8f045..17dbab6 100644
--- a/wpa_supplicant/config_file.c
+++ b/wpa_supplicant/config_file.c
@@ -938,6 +938,8 @@ static void wpa_config_write_global(FILE *f, struct wpa_config *config)
if (config->pkcs11_module_path)
fprintf(f, "pkcs11_module_path=%s\n",
config->pkcs11_module_path);
+ if (config->openssl_ciphers)
+ fprintf(f, "openssl_ciphers=%s\n", config->openssl_ciphers);
if (config->pcsc_reader)
fprintf(f, "pcsc_reader=%s\n", config->pcsc_reader);
if (config->pcsc_pin)
diff --git a/wpa_supplicant/eapol_test.c b/wpa_supplicant/eapol_test.c
index e576c1a..f2058b8 100644
--- a/wpa_supplicant/eapol_test.c
+++ b/wpa_supplicant/eapol_test.c
@@ -568,6 +568,7 @@ static int test_eapol(struct eapol_test_data *e, struct wpa_supplicant *wpa_s,
ctx->opensc_engine_path = wpa_s->conf->opensc_engine_path;
ctx->pkcs11_engine_path = wpa_s->conf->pkcs11_engine_path;
ctx->pkcs11_module_path = wpa_s->conf->pkcs11_module_path;
+ ctx->openssl_ciphers = wpa_s->conf->openssl_ciphers;
ctx->eap_param_needed = eapol_test_eap_param_needed;
ctx->cert_cb = eapol_test_cert_cb;
ctx->cert_in_cb = 1;
diff --git a/wpa_supplicant/wpa_cli.c b/wpa_supplicant/wpa_cli.c
index fe30b41..2bb3b65 100644
--- a/wpa_supplicant/wpa_cli.c
+++ b/wpa_supplicant/wpa_cli.c
@@ -610,7 +610,8 @@ static char ** wpa_cli_complete_set(const char *str, int pos)
/* global configuration parameters */
"eapol_version", "ap_scan", "disable_scan_offload",
"fast_reauth", "opensc_engine_path", "pkcs11_engine_path",
- "pkcs11_module_path", "pcsc_reader", "pcsc_pin",
+ "pkcs11_module_path", "openssl_ciphers",
+ "pcsc_reader", "pcsc_pin",
"driver_param", "dot11RSNAConfigPMKLifetime",
"dot11RSNAConfigPMKReauthThreshold",
"dot11RSNAConfigSATimeout",
diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c
index 18ae245..14fd325 100644
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
@@ -842,7 +842,7 @@ int wpa_supplicant_reload_configuration(struct wpa_supplicant *wpa_s)
/*
* TODO: should notify EAPOL SM about changes in opensc_engine_path,
- * pkcs11_engine_path, pkcs11_module_path.
+ * pkcs11_engine_path, pkcs11_module_path, openssl_ciphers.
*/
if (wpa_key_mgmt_wpa_psk(wpa_s->key_mgmt)) {
/*
diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index 89da0da..9f5ad53 100644
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -132,6 +132,16 @@ fast_reauth=1
# configure the path to the pkcs11 module required by the pkcs11 engine
#pkcs11_module_path=/usr/lib/pkcs11/opensc-pkcs11.so
+# OpenSSL cipher string
+#
+# This is an OpenSSL specific configuration option for configuring the default
+# ciphers. If not set, "DEFAULT:!EXP:!LOW" is used as the default.
+# See https://www.openssl.org/docs/apps/ciphers.html for OpenSSL documentation
+# on cipher suite configuration. This is applicable only if wpa_supplicant is
+# built to use OpenSSL.
+#openssl_ciphers=DEFAULT:!EXP:!LOW
+
+
# Dynamic EAP methods
# If EAP methods were built dynamically as shared object files, they need to be
# loaded here before being used in the network blocks. By default, EAP methods
@@ -932,6 +942,10 @@ fast_reauth=1
# 1 = try to use OCSP stapling, but not require response
# 2 = require valid OCSP stapling response
#
+# openssl_ciphers: OpenSSL specific cipher configuration
+# This can be used to override the global openssl_ciphers configuration
+# parameter (see above).
+#
# EAP-FAST variables:
# pac_file: File path for the PAC entries. wpa_supplicant will need to be able
# to create this file and write updates to it when PAC is being
diff --git a/wpa_supplicant/wpas_glue.c b/wpa_supplicant/wpas_glue.c
index fcfa9fb..ea95a4c 100644
--- a/wpa_supplicant/wpas_glue.c
+++ b/wpa_supplicant/wpas_glue.c
@@ -881,6 +881,7 @@ int wpa_supplicant_init_eapol(struct wpa_supplicant *wpa_s)
ctx->opensc_engine_path = wpa_s->conf->opensc_engine_path;
ctx->pkcs11_engine_path = wpa_s->conf->pkcs11_engine_path;
ctx->pkcs11_module_path = wpa_s->conf->pkcs11_module_path;
+ ctx->openssl_ciphers = wpa_s->conf->openssl_ciphers;
ctx->wps = wpa_s->wps;
ctx->eap_param_needed = wpa_supplicant_eap_param_needed;
ctx->port_cb = wpa_supplicant_port_cb;