authorPÁLI Gábor János <pali.gabor@gmail.com>2023-03-26 03:42:59 +0200
committerPÁLI Gábor János <pali.gabor@gmail.com>2023-03-26 03:48:17 +0200
commite9bd74b9455b8bebf1b3ccb2640a48beb6b53d22 (patch)
tree9753592e090ccbbc6997d4fa9ab1860a983f7349
parent7f012cfae9ba7aa2affda2de4129f064ae7bb9f9 (diff)
wpa_supplicant: fix TLS negotiation issues with OpenSSL 3.0
References: - http://w1.fi/cgit/hostap/patch/src/crypto/tls_openssl.c?id=bc99366f9b960150aa2e369048bbc2218c1d414e Hinted by: ish-org@fromgithub
-rw-r--r--aports/wpa_supplicant/APKBUILD4
-rw-r--r--aports/wpa_supplicant/lower-security-level-for-tls-1.patch57
2 files changed, 60 insertions, 1 deletions
diff --git a/aports/wpa_supplicant/APKBUILD b/aports/wpa_supplicant/APKBUILD
index dde5f77..7313749 100644
--- a/aports/wpa_supplicant/APKBUILD
+++ b/aports/wpa_supplicant/APKBUILD
@@ -2,7 +2,7 @@
pkgname=wpa_supplicant
pkgver=2.10
-pkgrel=2 # base: 5
+pkgrel=3 # base: 5
pkgdesc="utility providing key negotiation for WPA wireless networks"
url="https://w1.fi/wpa_supplicant/"
arch="all"
@@ -16,6 +16,7 @@ source="https://w1.fi/releases/wpa_supplicant-$pkgver.tar.gz
eloop.patch
unsafe-renegotiation-1.patch
unsafe-renegotiation-2.patch
+ lower-security-level-for-tls-1.patch
no-tools.patch
config"
@@ -80,6 +81,7 @@ c7e4041fe41743c5e63a07edc9234d0c44c4c0f193a180b27342b43f3be45fb87b42ee0f9e4a2061
2be055dd1f7da5a3d8e79c2f2c0220ddd31df309452da18f290144d2112d6dbde0fc633bb2ad02c386a39d7785323acaf5f70e5969995a1e8303a094eb5fe232 eloop.patch
9528735924faf876a7094de46760605e5e66e265187421a668be06dbf03d7b4db6b84cbad793fcd6bd614e3ba540f82f1f80660d75e8a6070eeb7e9abb54ed28 unsafe-renegotiation-1.patch
a92ba3ed3f41022a8af9396d2b703ee47f78aa05c1fddb42919a7fe6a6fad71e3515c63457e97e252ae0a32c6c34d67ea6efe0278df1e141cf36e650237e5295 unsafe-renegotiation-2.patch
+b1217eff6fbdba5a4c7302ea33bec64290d26745967b24e825c100de9b0e9b6400f0769c3cfac3c761596bb01079c31b632f14bd3374735200385f38557d8cad lower-security-level-for-tls-1.patch
3278eff7118f9dc9e177adc3ed91cad562a8edde396af8619321ac8552a86e9c7de25212d5578ea17cbe4b6dc928d83cd6e9a7f0d41e07576656e6e9274107d6 no-tools.patch
310ee960c3d8beab80169bedf43ff9dfbf49f808c5a32accac2f41e54fff6d047a6136488de72cbcfa66c5205a3b68019dff6e7f2ebb87e00bbcdc509fca95ee config
"
diff --git a/aports/wpa_supplicant/lower-security-level-for-tls-1.patch b/aports/wpa_supplicant/lower-security-level-for-tls-1.patch
new file mode 100644
index 0000000..13cb4b7
--- /dev/null
+++ b/aports/wpa_supplicant/lower-security-level-for-tls-1.patch
@@ -0,0 +1,57 @@
+From bc99366f9b960150aa2e369048bbc2218c1d414e Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sun, 22 May 2022 17:01:35 +0300
+Subject: OpenSSL: Drop security level to 0 with OpenSSL 3.0 when using TLS
+ 1.0/1.1
+
+Commit 9afb68b03976 ("OpenSSL: Allow systemwide secpolicy overrides for
+TLS version") with commit 58bbcfa31b18 ("OpenSSL: Update security level
+drop for TLS 1.0/1.1 with OpenSSL 3.0") allow this workaround to be
+enabled with an explicit network configuration parameter. However, the
+default settings are still allowing TLS 1.0 and 1.1 to be negotiated
+just to see them fail immediately when using OpenSSL 3.0. This is not
+exactly helpful especially when the OpenSSL error message for this
+particular case is "internal error" which does not really say anything
+about the reason for the error.
+
+It is is a bit inconvenient to update the security policy for this
+particular issue based on the negotiated TLS version since that happens
+in the middle of processing for the first message from the server.
+However, this can be done by using the debug callback for printing out
+the received TLS messages during processing.
+
+Drop the OpenSSL security level to 0 if that is the only option to
+continue the TLS negotiation, i.e., when TLS 1.0/1.1 are still allowed
+in wpa_supplicant default configuration and OpenSSL 3.0 with the
+constraint on MD5-SHA1 use.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/crypto/tls_openssl.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+(limited to 'src/crypto/tls_openssl.c')
+
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index 6602ac64f..78621d926 100644
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -1557,6 +1557,15 @@ static void tls_msg_cb(int write_p, int version, int content_type,
+ struct tls_connection *conn = arg;
+ const u8 *pos = buf;
+
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++ if ((SSL_version(ssl) == TLS1_VERSION ||
++ SSL_version(ssl) == TLS1_1_VERSION) &&
++ SSL_get_security_level(ssl) > 0) {
++ wpa_printf(MSG_DEBUG,
++ "OpenSSL: Drop security level to 0 to allow TLS 1.0/1.1 use of MD5-SHA1 signature algorithm");
++ SSL_set_security_level(ssl, 0);
++ }
++#endif /* OpenSSL version >= 3.0 */
+ if (write_p == 2) {
+ wpa_printf(MSG_DEBUG,
+ "OpenSSL: session ver=0x%x content_type=%d",
+--
+cgit v1.2.3-18-g5258
+
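Review bot: The vendored patch makes the package's default behaviour lower OpenSSL's security level to 0 for every TLS 1.0/1.1 handshake (the `SSL_set_security_level(ssl, 0);` line in the tls_msg_cb hunk), and OpenSSL level 0 relaxes all of its cipher, key-size and signature-algorithm policy for that connection, not only the MD5-SHA1 case the debug message names; neither the APKBUILD hunk that adds the patch to `source=` nor the commit description records that this loosens the default TLS posture of the build. I would state the trade-off next to the patch line in the APKBUILD, e.g. `# lower-security-level-for-tls-1.patch: drops OpenSSL security level to 0 for TLS 1.0/1.1 peers (legacy EAP/RADIUS servers), upstream bc99366f`, and note in the description that deployments which do not need legacy servers can keep the workaround unreachable by disabling TLS 1.0/1.1 per network (wpa_supplicant's `phase1` `tls_disable_tlsv1_0=1` / `tls_disable_tlsv1_1=1`, if I recall the option names correctly). The only trace of the downgrade at runtime is the `wpa_printf(MSG_DEBUG, ...)` call, so operators running at the normal log level will not see that a session was negotiated under level 0; that is worth mentioning as well, since the patch is taken verbatim from upstream and should not be altered locally. The enclosing tls_msg_cb function begins and ends outside the quoted hunk.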