diff options
| author | PÁLI Gábor János <pali.gabor@gmail.com> | 2023-03-26 03:42:59 +0200 |
|---|---|---|
| committer | PÁLI Gábor János <pali.gabor@gmail.com> | 2023-03-26 03:48:17 +0200 |
| commit | e9bd74b9455b8bebf1b3ccb2640a48beb6b53d22 (patch) | |
| tree | 9753592e090ccbbc6997d4fa9ab1860a983f7349 | |
| parent | 7f012cfae9ba7aa2affda2de4129f064ae7bb9f9 (diff) | |
| download | freebsd-wifibox-alpine-e9bd74b9455b8bebf1b3ccb2640a48beb6b53d22.zip | |
wpa_supplicant: fix TLS negotiation issues with OpenSSL 3.0
References:
- http://w1.fi/cgit/hostap/patch/src/crypto/tls_openssl.c?id=bc99366f9b960150aa2e369048bbc2218c1d414e
Hinted by: ish-org@fromgithub
| -rw-r--r-- | aports/wpa_supplicant/APKBUILD | 4 | ||||
| -rw-r--r-- | aports/wpa_supplicant/lower-security-level-for-tls-1.patch | 57 |
2 files changed, 60 insertions, 1 deletions
diff --git a/aports/wpa_supplicant/APKBUILD b/aports/wpa_supplicant/APKBUILD index dde5f77..7313749 100644 --- a/aports/wpa_supplicant/APKBUILD +++ b/aports/wpa_supplicant/APKBUILD @@ -2,7 +2,7 @@ pkgname=wpa_supplicant pkgver=2.10 -pkgrel=2 # base: 5 +pkgrel=3 # base: 5 pkgdesc="utility providing key negotiation for WPA wireless networks" url="https://w1.fi/wpa_supplicant/" arch="all" @@ -16,6 +16,7 @@ source="https://w1.fi/releases/wpa_supplicant-$pkgver.tar.gz eloop.patch unsafe-renegotiation-1.patch unsafe-renegotiation-2.patch + lower-security-level-for-tls-1.patch no-tools.patch config" @@ -80,6 +81,7 @@ c7e4041fe41743c5e63a07edc9234d0c44c4c0f193a180b27342b43f3be45fb87b42ee0f9e4a2061 2be055dd1f7da5a3d8e79c2f2c0220ddd31df309452da18f290144d2112d6dbde0fc633bb2ad02c386a39d7785323acaf5f70e5969995a1e8303a094eb5fe232 eloop.patch 9528735924faf876a7094de46760605e5e66e265187421a668be06dbf03d7b4db6b84cbad793fcd6bd614e3ba540f82f1f80660d75e8a6070eeb7e9abb54ed28 unsafe-renegotiation-1.patch a92ba3ed3f41022a8af9396d2b703ee47f78aa05c1fddb42919a7fe6a6fad71e3515c63457e97e252ae0a32c6c34d67ea6efe0278df1e141cf36e650237e5295 unsafe-renegotiation-2.patch +b1217eff6fbdba5a4c7302ea33bec64290d26745967b24e825c100de9b0e9b6400f0769c3cfac3c761596bb01079c31b632f14bd3374735200385f38557d8cad lower-security-level-for-tls-1.patch 3278eff7118f9dc9e177adc3ed91cad562a8edde396af8619321ac8552a86e9c7de25212d5578ea17cbe4b6dc928d83cd6e9a7f0d41e07576656e6e9274107d6 no-tools.patch 310ee960c3d8beab80169bedf43ff9dfbf49f808c5a32accac2f41e54fff6d047a6136488de72cbcfa66c5205a3b68019dff6e7f2ebb87e00bbcdc509fca95ee config " diff --git a/aports/wpa_supplicant/lower-security-level-for-tls-1.patch b/aports/wpa_supplicant/lower-security-level-for-tls-1.patch new file mode 100644 index 0000000..13cb4b7 --- /dev/null +++ b/aports/wpa_supplicant/lower-security-level-for-tls-1.patch @@ -0,0 +1,57 @@ +From bc99366f9b960150aa2e369048bbc2218c1d414e Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <j@w1.fi> +Date: Sun, 22 May 2022 17:01:35 +0300 +Subject: OpenSSL: Drop security level to 0 with OpenSSL 3.0 when using TLS + 1.0/1.1 + +Commit 9afb68b03976 ("OpenSSL: Allow systemwide secpolicy overrides for +TLS version") with commit 58bbcfa31b18 ("OpenSSL: Update security level +drop for TLS 1.0/1.1 with OpenSSL 3.0") allow this workaround to be +enabled with an explicit network configuration parameter. However, the +default settings are still allowing TLS 1.0 and 1.1 to be negotiated +just to see them fail immediately when using OpenSSL 3.0. This is not +exactly helpful especially when the OpenSSL error message for this +particular case is "internal error" which does not really say anything +about the reason for the error. + +It is is a bit inconvenient to update the security policy for this +particular issue based on the negotiated TLS version since that happens +in the middle of processing for the first message from the server. +However, this can be done by using the debug callback for printing out +the received TLS messages during processing. + +Drop the OpenSSL security level to 0 if that is the only option to +continue the TLS negotiation, i.e., when TLS 1.0/1.1 are still allowed +in wpa_supplicant default configuration and OpenSSL 3.0 with the +constraint on MD5-SHA1 use. + +Signed-off-by: Jouni Malinen <j@w1.fi> +--- + src/crypto/tls_openssl.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +(limited to 'src/crypto/tls_openssl.c') + +diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c +index 6602ac64f..78621d926 100644 +--- a/src/crypto/tls_openssl.c ++++ b/src/crypto/tls_openssl.c +@@ -1557,6 +1557,15 @@ static void tls_msg_cb(int write_p, int version, int content_type, + struct tls_connection *conn = arg; + const u8 *pos = buf; + ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L ++ if ((SSL_version(ssl) == TLS1_VERSION || ++ SSL_version(ssl) == TLS1_1_VERSION) && ++ SSL_get_security_level(ssl) > 0) { ++ wpa_printf(MSG_DEBUG, ++ "OpenSSL: Drop security level to 0 to allow TLS 1.0/1.1 use of MD5-SHA1 signature algorithm"); ++ SSL_set_security_level(ssl, 0); ++ } ++#endif /* OpenSSL version >= 3.0 */ + if (write_p == 2) { + wpa_printf(MSG_DEBUG, + "OpenSSL: session ver=0x%x content_type=%d", +-- +cgit v1.2.3-18-g5258 + |