aboutsummaryrefslogtreecommitdiffstats
path: root/wpa_supplicant
diff options
context:
space:
mode:
authorBeniamino Galvani <bgalvani@redhat.com>2017-07-09 09:06:50 (GMT)
committerJouni Malinen <j@w1.fi>2017-07-17 08:55:22 (GMT)
commit2b9891bd6e125d3e28f26afde32e153db658b7cc (patch)
tree11b63f7e7d7b3ec19828a56c753e94c538231728 /wpa_supplicant
parent65833d71a5f3b8240db397efa7200e894a3eab1f (diff)
downloadhostap-2b9891bd6e125d3e28f26afde32e153db658b7cc.zip
hostap-2b9891bd6e125d3e28f26afde32e153db658b7cc.tar.gz
hostap-2b9891bd6e125d3e28f26afde32e153db658b7cc.tar.bz2
OpenSSL: Add build option to select default ciphers
Add a build option to select different default ciphers for OpenSSL instead of the hardcoded default "DEFAULT:!EXP:!LOW". This new option is useful on distributions where the security level should be consistent for all applications, as in Fedora [1]. In such cases the new configuration option would be set to "" or "PROFILE=SYSTEM" to select the global crypto policy by default. [1] https://fedoraproject.org/wiki/Changes/CryptoPolicy Signed-off-by: Beniamino Galvani <bgalvani@redhat.com>
Diffstat (limited to 'wpa_supplicant')
-rw-r--r--wpa_supplicant/Android.mk4
-rw-r--r--wpa_supplicant/Makefile4
-rw-r--r--wpa_supplicant/android.config4
-rw-r--r--wpa_supplicant/defconfig4
-rw-r--r--wpa_supplicant/wpa_supplicant.conf4
5 files changed, 18 insertions, 2 deletions
diff --git a/wpa_supplicant/Android.mk b/wpa_supplicant/Android.mk
index a52bb66..e77d096 100644
--- a/wpa_supplicant/Android.mk
+++ b/wpa_supplicant/Android.mk
@@ -1032,6 +1032,10 @@ ifdef CONFIG_TLS_ADD_DL
LIBS += -ldl
LIBS_p += -ldl
endif
+ifndef CONFIG_TLS_DEFAULT_CIPHERS
+CONFIG_TLS_DEFAULT_CIPHERS = "DEFAULT:!EXP:!LOW"
+endif
+L_CFLAGS += -DTLS_DEFAULT_CIPHERS=\"$(CONFIG_TLS_DEFAULT_CIPHERS)\"
endif
ifeq ($(CONFIG_TLS), gnutls)
diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
index 6787a8d..948385b 100644
--- a/wpa_supplicant/Makefile
+++ b/wpa_supplicant/Makefile
@@ -1075,6 +1075,10 @@ ifdef CONFIG_TLS_ADD_DL
LIBS += -ldl
LIBS_p += -ldl
endif
+ifndef CONFIG_TLS_DEFAULT_CIPHERS
+CONFIG_TLS_DEFAULT_CIPHERS = "DEFAULT:!EXP:!LOW"
+endif
+CFLAGS += -DTLS_DEFAULT_CIPHERS=\"$(CONFIG_TLS_DEFAULT_CIPHERS)\"
endif
ifeq ($(CONFIG_TLS), gnutls)
diff --git a/wpa_supplicant/android.config b/wpa_supplicant/android.config
index 08134ad..06a0b85 100644
--- a/wpa_supplicant/android.config
+++ b/wpa_supplicant/android.config
@@ -304,6 +304,10 @@ CONFIG_IEEE80211W=y
# will be used)
#CONFIG_TLSV12=y
+# Select which ciphers to use by default with OpenSSL if the user does not
+# specify them.
+#CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
+
# If CONFIG_TLS=internal is used, additional library and include paths are
# needed for LibTomMath. Alternatively, an integrated, minimal version of
# LibTomMath can be used. See beginning of libtommath.c for details on benefits
diff --git a/wpa_supplicant/defconfig b/wpa_supplicant/defconfig
index 307f82d..1797ad3 100644
--- a/wpa_supplicant/defconfig
+++ b/wpa_supplicant/defconfig
@@ -317,6 +317,10 @@ CONFIG_PEERKEY=y
# will be used)
#CONFIG_TLSV12=y
+# Select which ciphers to use by default with OpenSSL if the user does not
+# specify them.
+#CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
+
# If CONFIG_TLS=internal is used, additional library and include paths are
# needed for LibTomMath. Alternatively, an integrated, minimal version of
# LibTomMath can be used. See beginning of libtommath.c for details on benefits
diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index f69c74e..68d0827 100644
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -183,13 +183,13 @@ fast_reauth=1
# OpenSSL cipher string
#
# This is an OpenSSL specific configuration option for configuring the default
-# ciphers. If not set, "DEFAULT:!EXP:!LOW" is used as the default.
+# ciphers. If not set, the value configured at build time ("DEFAULT:!EXP:!LOW"
+# by default) is used.
# See https://www.openssl.org/docs/apps/ciphers.html for OpenSSL documentation
# on cipher suite configuration. This is applicable only if wpa_supplicant is
# built to use OpenSSL.
#openssl_ciphers=DEFAULT:!EXP:!LOW
-
# Dynamic EAP methods
# If EAP methods were built dynamically as shared object files, they need to be
# loaded here before being used in the network blocks. By default, EAP methods