|
 |
919688 |
From 9afb68b03976d019bb450e5e33b0d8e48867691c Mon Sep 17 00:00:00 2001
|
|
|
919688 |
Message-Id: <9afb68b03976d019bb450e5e33b0d8e48867691c.1626202922.git.davide.caratti@gmail.com>
|
|
|
919688 |
From: Jouni Malinen <jouni@codeaurora.org>
|
|
|
919688 |
Date: Tue, 8 Sep 2020 17:55:36 +0300
|
|
|
919688 |
Subject: [PATCH] OpenSSL: Allow systemwide secpolicy overrides for TLS version
|
|
|
919688 |
|
|
|
919688 |
Explicit configuration to enable TLS v1.0 and/or v1.1 did not work with
|
|
|
919688 |
systemwide OpenSSL secpolicy=2 cases (e.g., Ubuntu 20.04). Allow such
|
|
|
919688 |
systemwide configuration to be overridden if the older TLS versions have
|
|
|
919688 |
been explicitly enabled in the network profile. The default behavior
|
|
|
919688 |
follows the systemwide policy, but this allows compatibility with old
|
|
|
919688 |
authentication servers without having to touch the systemwide policy.
|
|
|
919688 |
|
|
|
919688 |
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
|
|
|
919688 |
---
|
|
|
919688 |
src/crypto/tls_openssl.c | 26 +++++++++++++++++---------
|
|
|
919688 |
1 file changed, 17 insertions(+), 9 deletions(-)
|
|
|
919688 |
|
|
|
919688 |
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
|
|
|
919688 |
index e73dd7f5b..f7dfecbbf 100644
|
|
|
919688 |
--- a/src/crypto/tls_openssl.c
|
|
|
919688 |
+++ b/src/crypto/tls_openssl.c
|
|
|
919688 |
@@ -2995,16 +2995,12 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags,
|
|
|
919688 |
|
|
|
919688 |
/* Explicit request to enable TLS versions even if needing to
|
|
|
919688 |
* override systemwide policies. */
|
|
|
919688 |
- if (flags & TLS_CONN_ENABLE_TLSv1_0) {
|
|
|
919688 |
+ if (flags & TLS_CONN_ENABLE_TLSv1_0)
|
|
|
919688 |
version = TLS1_VERSION;
|
|
|
919688 |
- } else if (flags & TLS_CONN_ENABLE_TLSv1_1) {
|
|
|
919688 |
- if (!(flags & TLS_CONN_DISABLE_TLSv1_0))
|
|
|
919688 |
- version = TLS1_1_VERSION;
|
|
|
919688 |
- } else if (flags & TLS_CONN_ENABLE_TLSv1_2) {
|
|
|
919688 |
- if (!(flags & (TLS_CONN_DISABLE_TLSv1_0 |
|
|
|
919688 |
- TLS_CONN_DISABLE_TLSv1_1)))
|
|
|
919688 |
- version = TLS1_2_VERSION;
|
|
|
919688 |
- }
|
|
|
919688 |
+ else if (flags & TLS_CONN_ENABLE_TLSv1_1)
|
|
|
919688 |
+ version = TLS1_1_VERSION;
|
|
|
919688 |
+ else if (flags & TLS_CONN_ENABLE_TLSv1_2)
|
|
|
919688 |
+ version = TLS1_2_VERSION;
|
|
|
919688 |
if (!version) {
|
|
|
919688 |
wpa_printf(MSG_DEBUG,
|
|
|
919688 |
"OpenSSL: Invalid TLS version configuration");
|
|
|
919688 |
@@ -3018,6 +3014,18 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags,
|
|
|
919688 |
}
|
|
|
919688 |
}
|
|
|
919688 |
#endif /* >= 1.1.0 */
|
|
|
919688 |
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
|
|
|
919688 |
+ !defined(LIBRESSL_VERSION_NUMBER) && \
|
|
|
919688 |
+ !defined(OPENSSL_IS_BORINGSSL)
|
|
|
919688 |
+ if ((flags & (TLS_CONN_ENABLE_TLSv1_0 | TLS_CONN_ENABLE_TLSv1_1)) &&
|
|
|
919688 |
+ SSL_get_security_level(ssl) >= 2) {
|
|
|
919688 |
+ /*
|
|
|
919688 |
+ * Need to drop to security level 1 to allow TLS versions older
|
|
|
919688 |
+ * than 1.2 to be used when explicitly enabled in configuration.
|
|
|
919688 |
+ */
|
|
|
919688 |
+ SSL_set_security_level(conn->ssl, 1);
|
|
|
919688 |
+ }
|
|
|
919688 |
+#endif
|
|
|
919688 |
|
|
|
919688 |
#ifdef CONFIG_SUITEB
|
|
|
919688 |
#ifdef OPENSSL_IS_BORINGSSL
|
|
|
919688 |
--
|
|
|
919688 |
2.31.1
|
|
|
919688 |
|