
[v2] OpenSSL: add build option to select default ciphers

Message ID 20170709090650.4705-1-bgalvani@redhat.com
State Accepted

Commit Message

Beniamino Galvani July 9, 2017, 9:06 a.m. UTC
Add a build option to select different default ciphers for OpenSSL
instead of the hardcoded default "DEFAULT:!EXP:!LOW".

This new option is useful on distributions where the security level
should be consistent for all applications, as in Fedora [1]. In such
cases the new configuration option would be set to "" or
"PROFILE=SYSTEM" to select the global crypto policy by default.

[1] https://fedoraproject.org/wiki/Changes/CryptoPolicy

Signed-off-by: Beniamino Galvani <bgalvani@redhat.com>
---
 hostapd/Makefile                   | 4 ++++
 hostapd/defconfig                  | 4 ++++
 hostapd/hostapd.conf               | 3 ++-
 src/crypto/tls_openssl.c           | 2 +-
 wpa_supplicant/Makefile            | 4 ++++
 wpa_supplicant/defconfig           | 4 ++++
 wpa_supplicant/wpa_supplicant.conf | 4 ++--
 7 files changed, 21 insertions(+), 4 deletions(-)

Comments

Jouni Malinen July 17, 2017, 3:38 p.m. UTC | #1
On Sun, Jul 09, 2017 at 11:06:50AM +0200, Beniamino Galvani wrote:
> Add a build option to select different default ciphers for OpenSSL
> instead of the hardcoded default "DEFAULT:!EXP:!LOW".
> 
> This new option is useful on distributions where the security level
> should be consistent for all applications, as in Fedora [1]. In such
> cases the new configuration option would be set to "" or
> "PROFILE=SYSTEM" to select the global crypto policy by default.
> 
> [1] https://fedoraproject.org/wiki/Changes/CryptoPolicy

Thanks, applied.

Patch

diff --git a/hostapd/Makefile b/hostapd/Makefile
index 91e1fda..fb926fb 100644
--- a/hostapd/Makefile
+++ b/hostapd/Makefile
@@ -668,6 +668,10 @@  ifdef CONFIG_TLS_ADD_DL
 LIBS += -ldl
 LIBS_h += -ldl
 endif
+ifndef CONFIG_TLS_DEFAULT_CIPHERS
+CONFIG_TLS_DEFAULT_CIPHERS = "DEFAULT:!EXP:!LOW"
+endif
+CFLAGS += -DTLS_DEFAULT_CIPHERS=\"$(CONFIG_TLS_DEFAULT_CIPHERS)\"
 endif
 
 ifeq ($(CONFIG_TLS), gnutls)
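Review bot: The new `ifndef CONFIG_TLS_DEFAULT_CIPHERS` also fires when the variable is defined but empty (GNU make treats an empty value as undefined for ifndef), so a `.config` line `CONFIG_TLS_DEFAULT_CIPHERS=` silently falls back to `"DEFAULT:!EXP:!LOW"` instead of passing an empty string through; the `""` spelling from the commit message only works because the two quote characters make the value non-empty. If the empty-string use case is intended, test for definedness rather than emptiness, `ifeq ($(origin CONFIG_TLS_DEFAULT_CIPHERS),undefined)`, or state in defconfig that the quotes are part of the syntax. The `-DTLS_DEFAULT_CIPHERS=\"...\"` line also appears to rely on the shell stripping the inner quotes of the value before the compiler sees it, so values containing shell-special characters would need extra escaping. The same applies to the wpa_supplicant/Makefile hunk.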
diff --git a/hostapd/defconfig b/hostapd/defconfig
index 521d877..26be9f8 100644
--- a/hostapd/defconfig
+++ b/hostapd/defconfig
@@ -278,6 +278,10 @@  CONFIG_IPV6=y
 # can be enabled to enable use of stronger crypto algorithms.
 #CONFIG_TLSV12=y
 
+# Select which ciphers to use by default with OpenSSL if the user does not
+# specify them.
+#CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
+
 # If CONFIG_TLS=internal is used, additional library and include paths are
 # needed for LibTomMath. Alternatively, an integrated, minimal version of
 # LibTomMath can be used. See beginning of libtommath.c for details on benefits
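Review bot: The added comment says only that the option selects the default ciphers; the commit message's main use case (setting it to `""` or `"PROFILE=SYSTEM"` to defer to a distribution-wide crypto policy) is not mentioned, and the example does not say that an empty value must be written with the quotes given how the Makefile tests the variable. Suggest extending the comment with `# Set to "" or "PROFILE=SYSTEM" to defer to the system-wide crypto policy on` / `# distributions that provide one (the quotes are required for the empty value).` The same applies to the wpa_supplicant/defconfig hunk.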
diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index 980c138..998dad7 100644
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@@ -931,7 +931,8 @@  eap_server=0
 # OpenSSL cipher string
 #
 # This is an OpenSSL specific configuration option for configuring the default
-# ciphers. If not set, "DEFAULT:!EXP:!LOW" is used as the default.
+# ciphers. If not set, the value configured at build time ("DEFAULT:!EXP:!LOW"
+# by default) is used.
 # See https://www.openssl.org/docs/apps/ciphers.html for OpenSSL documentation
 # on cipher suite configuration. This is applicable only if hostapd is built to
 # use OpenSSL.
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 07c6119..fd94eaf 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -1025,7 +1025,7 @@  void * tls_init(const struct tls_config *conf)
 	if (conf && conf->openssl_ciphers)
 		ciphers = conf->openssl_ciphers;
 	else
-		ciphers = "DEFAULT:!EXP:!LOW";
+		ciphers = TLS_DEFAULT_CIPHERS;
 	if (SSL_CTX_set_cipher_list(ssl, ciphers) != 1) {
 		wpa_printf(MSG_ERROR,
 			   "OpenSSL: Failed to set cipher string '%s'",
diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
index 6787a8d..948385b 100644
--- a/wpa_supplicant/Makefile
+++ b/wpa_supplicant/Makefile
@@ -1075,6 +1075,10 @@  ifdef CONFIG_TLS_ADD_DL
 LIBS += -ldl
 LIBS_p += -ldl
 endif
+ifndef CONFIG_TLS_DEFAULT_CIPHERS
+CONFIG_TLS_DEFAULT_CIPHERS = "DEFAULT:!EXP:!LOW"
+endif
+CFLAGS += -DTLS_DEFAULT_CIPHERS=\"$(CONFIG_TLS_DEFAULT_CIPHERS)\"
 endif
 
 ifeq ($(CONFIG_TLS), gnutls)
diff --git a/wpa_supplicant/defconfig b/wpa_supplicant/defconfig
index 307f82d..1797ad3 100644
--- a/wpa_supplicant/defconfig
+++ b/wpa_supplicant/defconfig
@@ -317,6 +317,10 @@  CONFIG_PEERKEY=y
 # will be used)
 #CONFIG_TLSV12=y
 
+# Select which ciphers to use by default with OpenSSL if the user does not
+# specify them.
+#CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
+
 # If CONFIG_TLS=internal is used, additional library and include paths are
 # needed for LibTomMath. Alternatively, an integrated, minimal version of
 # LibTomMath can be used. See beginning of libtommath.c for details on benefits
diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index c07badb..1d5704c 100644
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -183,13 +183,13 @@  fast_reauth=1
 # OpenSSL cipher string
 #
 # This is an OpenSSL specific configuration option for configuring the default
-# ciphers. If not set, "DEFAULT:!EXP:!LOW" is used as the default.
+# ciphers. If not set, the value configured at build time ("DEFAULT:!EXP:!LOW"
+# by default) is used.
 # See https://www.openssl.org/docs/apps/ciphers.html for OpenSSL documentation
 # on cipher suite configuration. This is applicable only if wpa_supplicant is
 # built to use OpenSSL.
 #openssl_ciphers=DEFAULT:!EXP:!LOW
 
-
 # Dynamic EAP methods
 # If EAP methods were built dynamically as shared object files, they need to be
 # loaded here before being used in the network blocks. By default, EAP methods