parlay

yet another gentoo overlay
git clone https://git.parazyd.org/parlay

wpa_supplicant-2.10-Drop-security-level-to-0-with-OpenSSL-3.0-wh.patch (2386B)


      1 From: Jouni Malinen <j@w1.fi>
      2 Date: Sun, 22 May 2022 17:01:35 +0300
      3 Subject: OpenSSL: Drop security level to 0 with OpenSSL 3.0 when using TLS 1.0/1.1
      4 
      5 Commit 9afb68b03976 ("OpenSSL: Allow systemwide secpolicy overrides for
      6 TLS version") with commit 58bbcfa31b18 ("OpenSSL: Update security level
      7 drop for TLS 1.0/1.1 with OpenSSL 3.0") allow this workaround to be
      8 enabled with an explicit network configuration parameter. However, the
      9 default settings are still allowing TLS 1.0 and 1.1 to be negotiated
     10 just to see them fail immediately when using OpenSSL 3.0. This is not
     11 exactly helpful especially when the OpenSSL error message for this
     12 particular case is "internal error" which does not really say anything
     13 about the reason for the error.
     14 
     15 It is a bit inconvenient to update the security policy for this
     16 particular issue based on the negotiated TLS version since that happens
     17 in the middle of processing for the first message from the server.
     18 However, this can be done by using the debug callback for printing out
     19 the received TLS messages during processing.
     20 
     21 Drop the OpenSSL security level to 0 if that is the only option to
     22 continue the TLS negotiation, i.e., when TLS 1.0/1.1 are still allowed
     23 in wpa_supplicant default configuration and OpenSSL 3.0 with the
     24 constraint on MD5-SHA1 use.
     25 
     26 Signed-off-by: Jouni Malinen <j@w1.fi>
     27 
     28 Bug-Debian: https://bugs.debian.org/1011121
     29 Bug-Ubuntu: https://bugs.launchpad.net/bugs/1958267
     30 Origin: upstream, commit:bc99366f9b960150aa2e369048bbc2218c1d414e
     31 ---
     32  src/crypto/tls_openssl.c | 9 +++++++++
     33  1 file changed, 9 insertions(+)
     34 
     35 diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
     36 index 6602ac64f591..78621d926dab 100644
     37 --- a/src/crypto/tls_openssl.c
     38 +++ b/src/crypto/tls_openssl.c
     39 @@ -1557,6 +1557,15 @@ static void tls_msg_cb(int write_p, int version, int content_type,
     40  	struct tls_connection *conn = arg;
     41  	const u8 *pos = buf;
     42  
     43 +#if OPENSSL_VERSION_NUMBER >= 0x30000000L
     44 +	if ((SSL_version(ssl) == TLS1_VERSION ||
     45 +	     SSL_version(ssl) == TLS1_1_VERSION) &&
     46 +	    SSL_get_security_level(ssl) > 0) {
     47 +		wpa_printf(MSG_DEBUG,
     48 +			   "OpenSSL: Drop security level to 0 to allow TLS 1.0/1.1 use of MD5-SHA1 signature algorithm");
     49 +		SSL_set_security_level(ssl, 0);
     50 +	}
     51 +#endif /* OpenSSL version >= 3.0 */
     52  	if (write_p == 2) {
     53  		wpa_printf(MSG_DEBUG,
     54  			   "OpenSSL: session ver=0x%x content_type=%d",
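Review bot: The added condition at the top of tls_msg_cb() checks only the negotiated version and the current security level, so every connection that lands on TLS 1.0/1.1 has its level forced to 0 without any configuration value being consulted, including where a system-wide policy deliberately set a higher level. OpenSSL security level 0 permits everything, not just the MD5-SHA1 signature algorithm named in the log string, so the drop also removes the key-size and cipher-strength minimums for that connection. Consider logging this above MSG_DEBUG so the downgrade shows up in normal logs, and consider whether an opt-out tied to the explicit network configuration parameter mentioned in the commit message is warranted. The check also runs on every callback invocation and calls SSL_version(ssl) twice; a local variable would be tidier. A short code comment explaining why a policy change lives in the message debug callback would help too, since that reasoning currently exists only in the commit message.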
     55 -- 
     56 2.39.0
     57