wpa_supplicant/0001-OpenSSL-Allow-systemwide-secpolicy-overrides-for-TLS.patch

From 9afb68b03976d019bb450e5e33b0d8e48867691c Mon Sep 17 00:00:00 2001
Message-Id: <9afb68b03976d019bb450e5e33b0d8e48867691c.1626202922.git.davide.caratti@gmail.com>
From: Jouni Malinen <jouni@codeaurora.org>
Date: Tue, 8 Sep 2020 17:55:36 +0300
Subject: [PATCH] OpenSSL: Allow systemwide secpolicy overrides for TLS version

Explicit configuration to enable TLS v1.0 and/or v1.1 did not work with
systemwide OpenSSL secpolicy=2 cases (e.g., Ubuntu 20.04). Allow such
systemwide configuration to be overridden if the older TLS versions have
been explicitly enabled in the network profile. The default behavior
follows the systemwide policy, but this allows compatibility with old
authentication servers without having to touch the systemwide policy.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
---
 src/crypto/tls_openssl.c | 26 +++++++++++++++++---------
 1 file changed, 17 insertions(+), 9 deletions(-)

diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index e73dd7f5b..f7dfecbbf 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -2995,16 +2995,12 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags,
 
 		/* Explicit request to enable TLS versions even if needing to
 		 * override systemwide policies. */
-		if (flags & TLS_CONN_ENABLE_TLSv1_0) {
+		if (flags & TLS_CONN_ENABLE_TLSv1_0)
 			version = TLS1_VERSION;
-		} else if (flags & TLS_CONN_ENABLE_TLSv1_1) {
-			if (!(flags & TLS_CONN_DISABLE_TLSv1_0))
-				version = TLS1_1_VERSION;
-		} else if (flags & TLS_CONN_ENABLE_TLSv1_2) {
-			if (!(flags & (TLS_CONN_DISABLE_TLSv1_0 |
-				       TLS_CONN_DISABLE_TLSv1_1)))
-				version = TLS1_2_VERSION;
-		}
+		else if (flags & TLS_CONN_ENABLE_TLSv1_1)
+			version = TLS1_1_VERSION;
+		else if (flags & TLS_CONN_ENABLE_TLSv1_2)
+			version = TLS1_2_VERSION;
 		if (!version) {
 			wpa_printf(MSG_DEBUG,
 				   "OpenSSL: Invalid TLS version configuration");
@@ -3018,6 +3014,18 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags,
 		}
 	}
 #endif /* >= 1.1.0 */
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
+	!defined(LIBRESSL_VERSION_NUMBER) && \
+	!defined(OPENSSL_IS_BORINGSSL)
+	if ((flags & (TLS_CONN_ENABLE_TLSv1_0 | TLS_CONN_ENABLE_TLSv1_1)) &&
+	    SSL_get_security_level(ssl) >= 2) {
+		/*
+		 * Need to drop to security level 1 to allow TLS versions older
+		 * than 1.2 to be used when explicitly enabled in configuration.
+		 */
+		SSL_set_security_level(conn->ssl, 1);
+	}
+#endif
 
 #ifdef CONFIG_SUITEB
 #ifdef OPENSSL_IS_BORINGSSL
-- 
2.31.1
fix NetworkManager-CI failures with OpenSSL-3.0 Resolves: rhbz#1975718 Signed-off-by: Davide Caratti <dcaratti@redhat.com> 2021-08-19 12:19:21 +00:00			`From 9afb68b03976d019bb450e5e33b0d8e48867691c Mon Sep 17 00:00:00 2001`
			`Message-Id: <9afb68b03976d019bb450e5e33b0d8e48867691c.1626202922.git.davide.caratti@gmail.com>`
			`From: Jouni Malinen <jouni@codeaurora.org>`
			`Date: Tue, 8 Sep 2020 17:55:36 +0300`
			`Subject: [PATCH] OpenSSL: Allow systemwide secpolicy overrides for TLS version`

			`Explicit configuration to enable TLS v1.0 and/or v1.1 did not work with`
			`systemwide OpenSSL secpolicy=2 cases (e.g., Ubuntu 20.04). Allow such`
			`systemwide configuration to be overridden if the older TLS versions have`
			`been explicitly enabled in the network profile. The default behavior`
			`follows the systemwide policy, but this allows compatibility with old`
			`authentication servers without having to touch the systemwide policy.`

			`Signed-off-by: Jouni Malinen <jouni@codeaurora.org>`
			`---`
			`src/crypto/tls_openssl.c \| 26 +++++++++++++++++---------`
			`1 file changed, 17 insertions(+), 9 deletions(-)`

			`diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c`
			`index e73dd7f5b..f7dfecbbf 100644`
			`--- a/src/crypto/tls_openssl.c`
			`+++ b/src/crypto/tls_openssl.c`
			`@@ -2995,16 +2995,12 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags,`

			`/* Explicit request to enable TLS versions even if needing to`
			`* override systemwide policies. */`
			`- if (flags & TLS_CONN_ENABLE_TLSv1_0) {`
			`+ if (flags & TLS_CONN_ENABLE_TLSv1_0)`
			`version = TLS1_VERSION;`
			`- } else if (flags & TLS_CONN_ENABLE_TLSv1_1) {`
			`- if (!(flags & TLS_CONN_DISABLE_TLSv1_0))`
			`- version = TLS1_1_VERSION;`
			`- } else if (flags & TLS_CONN_ENABLE_TLSv1_2) {`
			`- if (!(flags & (TLS_CONN_DISABLE_TLSv1_0 \|`
			`- TLS_CONN_DISABLE_TLSv1_1)))`
			`- version = TLS1_2_VERSION;`
			`- }`
			`+ else if (flags & TLS_CONN_ENABLE_TLSv1_1)`
			`+ version = TLS1_1_VERSION;`
			`+ else if (flags & TLS_CONN_ENABLE_TLSv1_2)`
			`+ version = TLS1_2_VERSION;`
			`if (!version) {`
			`wpa_printf(MSG_DEBUG,`
			`"OpenSSL: Invalid TLS version configuration");`
			`@@ -3018,6 +3014,18 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags,`
			`}`
			`}`
			`#endif /* >= 1.1.0 */`
			`+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && \`
			`+ !defined(LIBRESSL_VERSION_NUMBER) && \`
			`+ !defined(OPENSSL_IS_BORINGSSL)`
			`+ if ((flags & (TLS_CONN_ENABLE_TLSv1_0 \| TLS_CONN_ENABLE_TLSv1_1)) &&`
			`+ SSL_get_security_level(ssl) >= 2) {`
			`+ /*`
			`+ * Need to drop to security level 1 to allow TLS versions older`
			`+ * than 1.2 to be used when explicitly enabled in configuration.`
			`+ */`
			`+ SSL_set_security_level(conn->ssl, 1);`
			`+ }`
			`+#endif`

			`#ifdef CONFIG_SUITEB`
			`#ifdef OPENSSL_IS_BORINGSSL`
			`--`
			`2.31.1`