67 lines
2.5 KiB
Diff
67 lines
2.5 KiB
Diff
From 9afb68b03976d019bb450e5e33b0d8e48867691c Mon Sep 17 00:00:00 2001
|
|
Message-Id: <9afb68b03976d019bb450e5e33b0d8e48867691c.1626202922.git.davide.caratti@gmail.com>
|
|
From: Jouni Malinen <jouni@codeaurora.org>
|
|
Date: Tue, 8 Sep 2020 17:55:36 +0300
|
|
Subject: [PATCH] OpenSSL: Allow systemwide secpolicy overrides for TLS version
|
|
|
|
Explicit configuration to enable TLS v1.0 and/or v1.1 did not work with
|
|
systemwide OpenSSL secpolicy=2 cases (e.g., Ubuntu 20.04). Allow such
|
|
systemwide configuration to be overridden if the older TLS versions have
|
|
been explicitly enabled in the network profile. The default behavior
|
|
follows the systemwide policy, but this allows compatibility with old
|
|
authentication servers without having to touch the systemwide policy.
|
|
|
|
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
|
|
---
|
|
src/crypto/tls_openssl.c | 26 +++++++++++++++++---------
|
|
1 file changed, 17 insertions(+), 9 deletions(-)
|
|
|
|
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
|
|
index e73dd7f5b..f7dfecbbf 100644
|
|
--- a/src/crypto/tls_openssl.c
|
|
+++ b/src/crypto/tls_openssl.c
|
|
@@ -2995,16 +2995,12 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags,
|
|
|
|
/* Explicit request to enable TLS versions even if needing to
|
|
* override systemwide policies. */
|
|
- if (flags & TLS_CONN_ENABLE_TLSv1_0) {
|
|
+ if (flags & TLS_CONN_ENABLE_TLSv1_0)
|
|
version = TLS1_VERSION;
|
|
- } else if (flags & TLS_CONN_ENABLE_TLSv1_1) {
|
|
- if (!(flags & TLS_CONN_DISABLE_TLSv1_0))
|
|
- version = TLS1_1_VERSION;
|
|
- } else if (flags & TLS_CONN_ENABLE_TLSv1_2) {
|
|
- if (!(flags & (TLS_CONN_DISABLE_TLSv1_0 |
|
|
- TLS_CONN_DISABLE_TLSv1_1)))
|
|
- version = TLS1_2_VERSION;
|
|
- }
|
|
+ else if (flags & TLS_CONN_ENABLE_TLSv1_1)
|
|
+ version = TLS1_1_VERSION;
|
|
+ else if (flags & TLS_CONN_ENABLE_TLSv1_2)
|
|
+ version = TLS1_2_VERSION;
|
|
if (!version) {
|
|
wpa_printf(MSG_DEBUG,
|
|
"OpenSSL: Invalid TLS version configuration");
|
|
@@ -3018,6 +3014,18 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags,
|
|
}
|
|
}
|
|
#endif /* >= 1.1.0 */
|
|
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
|
|
+ !defined(LIBRESSL_VERSION_NUMBER) && \
|
|
+ !defined(OPENSSL_IS_BORINGSSL)
|
|
+ if ((flags & (TLS_CONN_ENABLE_TLSv1_0 | TLS_CONN_ENABLE_TLSv1_1)) &&
|
|
+ SSL_get_security_level(ssl) >= 2) {
|
|
+ /*
|
|
+ * Need to drop to security level 1 to allow TLS versions older
|
|
+ * than 1.2 to be used when explicitly enabled in configuration.
|
|
+ */
|
|
+ SSL_set_security_level(conn->ssl, 1);
|
|
+ }
|
|
+#endif
|
|
|
|
#ifdef CONFIG_SUITEB
|
|
#ifdef OPENSSL_IS_BORINGSSL
|
|
--
|
|
2.31.1
|
|
|