[PATCH 3/3] hostapd: set openssl_ecdh_curves

[Hristo Venev]

This makes it possible to use ECDSA certificates with EAP-TLS/TTLS/etc.

Signed-off-by: Hristo Venev <hristo at venev.name>
---
 hostapd/config_file.c    |  3 +++
 src/ap/ap_config.h       |  1 +
 src/ap/authsrv.c         |  1 +
 src/crypto/tls_openssl.c | 22 ++++++++++++++++++++++
 4 files changed, 27 insertions(+)

diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index 7b4380605..2d4eb6e76 100644
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -2195,6 +2195,9 @@ static int hostapd_config_fill(struct hostapd_config *conf,
 	} else if (os_strcmp(buf, "openssl_ciphers") == 0) {
 		os_free(bss->openssl_ciphers);
 		bss->openssl_ciphers = os_strdup(pos);
+	} else if (os_strcmp(buf, "openssl_ecdh_curves") == 0) {
+		os_free(bss->openssl_ecdh_curves);
+		bss->openssl_ecdh_curves = os_strdup(pos);
 	} else if (os_strcmp(buf, "fragment_size") == 0) {
 		bss->fragment_size = atoi(pos);
 #ifdef EAP_SERVER_FAST
diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
index 989b07107..343732043 100644
--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
@@ -366,6 +366,7 @@ struct hostapd_bss_config {
 	char *ocsp_stapling_response_multi;
 	char *dh_file;
 	char *openssl_ciphers;
+	char *openssl_ecdh_curves;
 	u8 *pac_opaque_encr_key;
 	u8 *eap_fast_a_id;
 	size_t eap_fast_a_id_len;
diff --git a/src/ap/authsrv.c b/src/ap/authsrv.c
index 8a658244a..a94f08236 100644
--- a/src/ap/authsrv.c
+++ b/src/ap/authsrv.c
@@ -170,6 +170,7 @@ int authsrv_init(struct hostapd_data *hapd)
 		params.private_key_passwd = hapd->conf->private_key_passwd;
 		params.dh_file = hapd->conf->dh_file;
 		params.openssl_ciphers = hapd->conf->openssl_ciphers;
+		params.openssl_ecdh_curves = hapd->conf->openssl_ecdh_curves;
 		params.ocsp_stapling_response =
 			hapd->conf->ocsp_stapling_response;
 		params.ocsp_stapling_response_multi =
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 2924787f3..d45376043 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -4143,6 +4143,28 @@ int tls_global_set_params(void *tls_ctx,
 		return -1;
 	}
 
+	if (params->openssl_ecdh_curves == NULL) {
+		#ifndef OPENSSL_NO_EC
+		if (SSL_CTX_set_ecdh_auto(ssl_ctx, 1) != 1) {
+			wpa_printf(MSG_INFO,
+				   "OpenSSL: Failed to set ECDH curves to auto");
+			return -1;
+		}
+		#endif
+	} else if (params->openssl_ecdh_curves[0] != 0) {
+		#ifndef OPENSSL_NO_EC
+		if (SSL_CTX_set1_curves_list(ssl_ctx, params->openssl_ecdh_curves) != 1) {
+			wpa_printf(MSG_INFO,
+				   "OpenSSL: Failed to set ECDH curves to auto");
+			return -1;
+		}
+		#else
+		wpa_printf(MSG_INFO,
+			   "OpenSSL: ECDH not supporrted");
+		return -1;
+		#endif
+	}
+
 #ifdef SSL_OP_NO_TICKET
 	if (params->flags & TLS_CONN_DISABLE_SESSION_TICKET)
 		SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TICKET);
-- 
2.12.2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part
URL: <http://lists.infradead.org/pipermail/hostap/attachments/20170420/984f6de4/attachment-0001.sig>