jeltz/hostap
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

OpenSSL: Add build option to select default ciphers

Browse source 
Add a build option to select different default ciphers for OpenSSL
instead of the hardcoded default "DEFAULT:!EXP:!LOW".

This new option is useful on distributions where the security level
should be consistent for all applications, as in Fedora [1]. In such
cases the new configuration option would be set to "" or
"PROFILE=SYSTEM" to select the global crypto policy by default.

[1] https://fedoraproject.org/wiki/Changes/CryptoPolicy

Signed-off-by: Beniamino Galvani <bgalvani@redhat.com>
This commit is contained in:
Beniamino Galvani 2017-07-09 11:06:50 +02:00 committed by Jouni Malinen
parent 65833d71a5
commit 2b9891bd6e
10 changed files with 33 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
hostapd/Android.mk
View file

@ -630,6 +630,10 @@ NEED_SHA256=y
NEED_TLS_PRF_SHA256=y NEED_TLS_PRF_SHA256=y
LIBS += -lcrypto LIBS += -lcrypto
LIBS_h += -lcrypto LIBS_h += -lcrypto
ifndef CONFIG_TLS_DEFAULT_CIPHERS
CONFIG_TLS_DEFAULT_CIPHERS = "DEFAULT:!EXP:!LOW"
endif
L_CFLAGS += -DTLS_DEFAULT_CIPHERS=\"$(CONFIG_TLS_DEFAULT_CIPHERS)\"
endif endif
ifeq ($(CONFIG_TLS), gnutls) ifeq ($(CONFIG_TLS), gnutls)

4
hostapd/Makefile
View file

@ -668,6 +668,10 @@ ifdef CONFIG_TLS_ADD_DL
LIBS += -ldl LIBS += -ldl
LIBS_h += -ldl LIBS_h += -ldl
endif endif
ifndef CONFIG_TLS_DEFAULT_CIPHERS
CONFIG_TLS_DEFAULT_CIPHERS = "DEFAULT:!EXP:!LOW"
endif
CFLAGS += -DTLS_DEFAULT_CIPHERS=\"$(CONFIG_TLS_DEFAULT_CIPHERS)\"
endif endif
ifeq ($(CONFIG_TLS), gnutls) ifeq ($(CONFIG_TLS), gnutls)

4
hostapd/defconfig
View file

@ -278,6 +278,10 @@ CONFIG_IPV6=y
# can be enabled to enable use of stronger crypto algorithms. # can be enabled to enable use of stronger crypto algorithms.
#CONFIG_TLSV12=y #CONFIG_TLSV12=y
# Select which ciphers to use by default with OpenSSL if the user does not
# specify them.
#CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
# If CONFIG_TLS=internal is used, additional library and include paths are # If CONFIG_TLS=internal is used, additional library and include paths are
# needed for LibTomMath. Alternatively, an integrated, minimal version of # needed for LibTomMath. Alternatively, an integrated, minimal version of
# LibTomMath can be used. See beginning of libtommath.c for details on benefits # LibTomMath can be used. See beginning of libtommath.c for details on benefits

3
hostapd/hostapd.conf
View file

@ -931,7 +931,8 @@ eap_server=0
# OpenSSL cipher string # OpenSSL cipher string
# #
# This is an OpenSSL specific configuration option for configuring the default # This is an OpenSSL specific configuration option for configuring the default
# ciphers. If not set, "DEFAULT:!EXP:!LOW" is used as the default. # ciphers. If not set, the value configured at build time ("DEFAULT:!EXP:!LOW"
# by default) is used.
# See https://www.openssl.org/docs/apps/ciphers.html for OpenSSL documentation # See https://www.openssl.org/docs/apps/ciphers.html for OpenSSL documentation
# on cipher suite configuration. This is applicable only if hostapd is built to # on cipher suite configuration. This is applicable only if hostapd is built to
# use OpenSSL. # use OpenSSL.

2
src/crypto/tls_openssl.c
View file

@ -1025,7 +1025,7 @@ void * tls_init(const struct tls_config *conf)
if (conf && conf->openssl_ciphers) if (conf && conf->openssl_ciphers)
ciphers = conf->openssl_ciphers; ciphers = conf->openssl_ciphers;
else else
ciphers = "DEFAULT:!EXP:!LOW"; ciphers = TLS_DEFAULT_CIPHERS;
if (SSL_CTX_set_cipher_list(ssl, ciphers) != 1) { if (SSL_CTX_set_cipher_list(ssl, ciphers) != 1) {
wpa_printf(MSG_ERROR, wpa_printf(MSG_ERROR,
"OpenSSL: Failed to set cipher string '%s'", "OpenSSL: Failed to set cipher string '%s'",

4
wpa_supplicant/Android.mk
View file

@ -1032,6 +1032,10 @@ ifdef CONFIG_TLS_ADD_DL
LIBS += -ldl LIBS += -ldl
LIBS_p += -ldl LIBS_p += -ldl
endif endif
ifndef CONFIG_TLS_DEFAULT_CIPHERS
CONFIG_TLS_DEFAULT_CIPHERS = "DEFAULT:!EXP:!LOW"
endif
L_CFLAGS += -DTLS_DEFAULT_CIPHERS=\"$(CONFIG_TLS_DEFAULT_CIPHERS)\"
endif endif
ifeq ($(CONFIG_TLS), gnutls) ifeq ($(CONFIG_TLS), gnutls)

4
wpa_supplicant/Makefile
View file

@ -1075,6 +1075,10 @@ ifdef CONFIG_TLS_ADD_DL
LIBS += -ldl LIBS += -ldl
LIBS_p += -ldl LIBS_p += -ldl
endif endif
ifndef CONFIG_TLS_DEFAULT_CIPHERS
CONFIG_TLS_DEFAULT_CIPHERS = "DEFAULT:!EXP:!LOW"
endif
CFLAGS += -DTLS_DEFAULT_CIPHERS=\"$(CONFIG_TLS_DEFAULT_CIPHERS)\"
endif endif
ifeq ($(CONFIG_TLS), gnutls) ifeq ($(CONFIG_TLS), gnutls)

4
wpa_supplicant/android.config
View file

@ -304,6 +304,10 @@ CONFIG_IEEE80211W=y
# will be used) # will be used)
#CONFIG_TLSV12=y #CONFIG_TLSV12=y
# Select which ciphers to use by default with OpenSSL if the user does not
# specify them.
#CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
# If CONFIG_TLS=internal is used, additional library and include paths are # If CONFIG_TLS=internal is used, additional library and include paths are
# needed for LibTomMath. Alternatively, an integrated, minimal version of # needed for LibTomMath. Alternatively, an integrated, minimal version of
# LibTomMath can be used. See beginning of libtommath.c for details on benefits # LibTomMath can be used. See beginning of libtommath.c for details on benefits

4
wpa_supplicant/defconfig
View file

@ -317,6 +317,10 @@ CONFIG_PEERKEY=y
# will be used) # will be used)
#CONFIG_TLSV12=y #CONFIG_TLSV12=y
# Select which ciphers to use by default with OpenSSL if the user does not
# specify them.
#CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
# If CONFIG_TLS=internal is used, additional library and include paths are # If CONFIG_TLS=internal is used, additional library and include paths are
# needed for LibTomMath. Alternatively, an integrated, minimal version of # needed for LibTomMath. Alternatively, an integrated, minimal version of
# LibTomMath can be used. See beginning of libtommath.c for details on benefits # LibTomMath can be used. See beginning of libtommath.c for details on benefits

4
wpa_supplicant/wpa_supplicant.conf
View file

@ -183,13 +183,13 @@ fast_reauth=1
# OpenSSL cipher string # OpenSSL cipher string
# #
# This is an OpenSSL specific configuration option for configuring the default # This is an OpenSSL specific configuration option for configuring the default
# ciphers. If not set, "DEFAULT:!EXP:!LOW" is used as the default. # ciphers. If not set, the value configured at build time ("DEFAULT:!EXP:!LOW"
# by default) is used.
# See https://www.openssl.org/docs/apps/ciphers.html for OpenSSL documentation # See https://www.openssl.org/docs/apps/ciphers.html for OpenSSL documentation
# on cipher suite configuration. This is applicable only if wpa_supplicant is # on cipher suite configuration. This is applicable only if wpa_supplicant is
# built to use OpenSSL. # built to use OpenSSL.
#openssl_ciphers=DEFAULT:!EXP:!LOW #openssl_ciphers=DEFAULT:!EXP:!LOW
# Dynamic EAP methods # Dynamic EAP methods
# If EAP methods were built dynamically as shared object files, they need to be # If EAP methods were built dynamically as shared object files, they need to be
# loaded here before being used in the network blocks. By default, EAP methods # loaded here before being used in the network blocks. By default, EAP methods