[PATCH v2] OpenSSL: add build option to select default ciphers
Beniamino Galvani
bgalvani at redhat.com
Sun Jul 9 02:06:50 PDT 2017
Add a build option to select different default ciphers for OpenSSL
instead of the hardcoded default "DEFAULT:!EXP:!LOW".
This new option is useful on distributions where the security level
should be consistent for all applications, as in Fedora [1]. In such
cases the new configuration option would be set to "" or
"PROFILE=SYSTEM" to select the global crypto policy by default.
[1] https://fedoraproject.org/wiki/Changes/CryptoPolicy
Signed-off-by: Beniamino Galvani <bgalvani at redhat.com>
---
hostapd/Makefile | 4 ++++
hostapd/defconfig | 4 ++++
hostapd/hostapd.conf | 3 ++-
src/crypto/tls_openssl.c | 2 +-
wpa_supplicant/Makefile | 4 ++++
wpa_supplicant/defconfig | 4 ++++
wpa_supplicant/wpa_supplicant.conf | 4 ++--
7 files changed, 21 insertions(+), 4 deletions(-)
diff --git a/hostapd/Makefile b/hostapd/Makefile
index 91e1fda..fb926fb 100644
--- a/hostapd/Makefile
+++ b/hostapd/Makefile
@@ -668,6 +668,10 @@ ifdef CONFIG_TLS_ADD_DL
LIBS += -ldl
LIBS_h += -ldl
endif
+ifndef CONFIG_TLS_DEFAULT_CIPHERS
+CONFIG_TLS_DEFAULT_CIPHERS = "DEFAULT:!EXP:!LOW"
+endif
+CFLAGS += -DTLS_DEFAULT_CIPHERS=\"$(CONFIG_TLS_DEFAULT_CIPHERS)\"
endif
ifeq ($(CONFIG_TLS), gnutls)
diff --git a/hostapd/defconfig b/hostapd/defconfig
index 521d877..26be9f8 100644
--- a/hostapd/defconfig
+++ b/hostapd/defconfig
@@ -278,6 +278,10 @@ CONFIG_IPV6=y
# can be enabled to enable use of stronger crypto algorithms.
#CONFIG_TLSV12=y
+# Select which ciphers to use by default with OpenSSL if the user does not
+# specify them.
+#CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
+
# If CONFIG_TLS=internal is used, additional library and include paths are
# needed for LibTomMath. Alternatively, an integrated, minimal version of
# LibTomMath can be used. See beginning of libtommath.c for details on benefits
diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index 980c138..998dad7 100644
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@@ -931,7 +931,8 @@ eap_server=0
# OpenSSL cipher string
#
# This is an OpenSSL specific configuration option for configuring the default
-# ciphers. If not set, "DEFAULT:!EXP:!LOW" is used as the default.
+# ciphers. If not set, the value configured at build time ("DEFAULT:!EXP:!LOW"
+# by default) is used.
# See https://www.openssl.org/docs/apps/ciphers.html for OpenSSL documentation
# on cipher suite configuration. This is applicable only if hostapd is built to
# use OpenSSL.
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 07c6119..fd94eaf 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -1025,7 +1025,7 @@ void * tls_init(const struct tls_config *conf)
if (conf && conf->openssl_ciphers)
ciphers = conf->openssl_ciphers;
else
- ciphers = "DEFAULT:!EXP:!LOW";
+ ciphers = TLS_DEFAULT_CIPHERS;
if (SSL_CTX_set_cipher_list(ssl, ciphers) != 1) {
wpa_printf(MSG_ERROR,
"OpenSSL: Failed to set cipher string '%s'",
diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
index 6787a8d..948385b 100644
--- a/wpa_supplicant/Makefile
+++ b/wpa_supplicant/Makefile
@@ -1075,6 +1075,10 @@ ifdef CONFIG_TLS_ADD_DL
LIBS += -ldl
LIBS_p += -ldl
endif
+ifndef CONFIG_TLS_DEFAULT_CIPHERS
+CONFIG_TLS_DEFAULT_CIPHERS = "DEFAULT:!EXP:!LOW"
+endif
+CFLAGS += -DTLS_DEFAULT_CIPHERS=\"$(CONFIG_TLS_DEFAULT_CIPHERS)\"
endif
ifeq ($(CONFIG_TLS), gnutls)
diff --git a/wpa_supplicant/defconfig b/wpa_supplicant/defconfig
index 307f82d..1797ad3 100644
--- a/wpa_supplicant/defconfig
+++ b/wpa_supplicant/defconfig
@@ -317,6 +317,10 @@ CONFIG_PEERKEY=y
# will be used)
#CONFIG_TLSV12=y
+# Select which ciphers to use by default with OpenSSL if the user does not
+# specify them.
+#CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
+
# If CONFIG_TLS=internal is used, additional library and include paths are
# needed for LibTomMath. Alternatively, an integrated, minimal version of
# LibTomMath can be used. See beginning of libtommath.c for details on benefits
diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index c07badb..1d5704c 100644
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -183,13 +183,13 @@ fast_reauth=1
# OpenSSL cipher string
#
# This is an OpenSSL specific configuration option for configuring the default
-# ciphers. If not set, "DEFAULT:!EXP:!LOW" is used as the default.
+# ciphers. If not set, the value configured at build time ("DEFAULT:!EXP:!LOW"
+# by default) is used.
# See https://www.openssl.org/docs/apps/ciphers.html for OpenSSL documentation
# on cipher suite configuration. This is applicable only if wpa_supplicant is
# built to use OpenSSL.
#openssl_ciphers=DEFAULT:!EXP:!LOW
-
# Dynamic EAP methods
# If EAP methods were built dynamically as shared object files, they need to be
# loaded here before being used in the network blocks. By default, EAP methods
--
2.9.3
More information about the Hostap
mailing list