From bd341c8ccb6a25e20436d5b9218de577a9bb5e55 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=AD=A6=E4=B8=B9?=
Date: Tue, 18 Apr 2023 09:48:53 +0800
Subject: [PATCH] 2023-04-18-add-supports-openssl3.0
---
 debian/changelog | 8 ++++++++
 src/crypto/tls_openssl.c | 19 +++++++++++++++++++
 2 files changed, 27 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 19595e6..6d2d884 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+wpa (2:2.10-ok1.5) yangtze; urgency=medium
+
+ * merge patch to fix OpenSSL 3.0
+ -- allow-legacy-renegotiation.patch
+ -- Drop security level to 0 with OpenSSL 3.0 when using TLS 1.0/1.1
+
+ -- wudan Tue, 18 Apr 2023 09:47:45 +0800
+
 wpa (2:2.10-ok1.4) yangtze; urgency=medium
 
 * fix wifi6/wifi6+
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 1316da8..2dd2a04 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -1056,6 +1056,16 @@ void * tls_init(const struct tls_config *conf)
 SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv2);
 SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv3);
 
+ /* Many enterprise PEAP server implementations (e.g. used in large corporations and universities) do not support RFC5746 secure renegotiation, and starting with OpenSSL 3.0, SSL_OP_LEGACY_SERVER_CONNECT is no longer set as part of SSL_OP_ALL. So until we implement a way to request SSL_OP_LEGACY_SERVER_CONNECT only in EAP peer mode, just set SSL_OP_LEGACY_SERVER_CONNECT globally. */
+
+ SSL_CTX_set_options(ssl, SSL_OP_LEGACY_SERVER_CONNECT);
+
 SSL_CTX_set_mode(ssl, SSL_MODE_AUTO_RETRY);
 
 #ifdef SSL_MODE_NO_AUTO_CHAIN
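Review bot: SSL_OP_LEGACY_SERVER_CONNECT is set on the shared SSL_CTX unconditionally, so every client connection built from this context — not only EAP peer connections to the PEAP servers the comment describes — will complete handshakes with servers that lack RFC 5746 secure renegotiation, re-accepting the renegotiation weakness RFC 5746 was written to close. The comment itself says the intent is peer-mode only; until that is implemented, the downgrade should at least be opt-out through a build-time or runtime knob so deployments that do not need it keep the OpenSSL 3.0 default. The comment should also name the cost rather than only the motivation, e.g. `Security: re-enables connections to servers without RFC 5746; such servers remain exposed to renegotiation-based data injection by an on-path attacker.`. tls_init's body starts and ends outside the hunk.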
@@ -1506,6 +1516,15 @@ static void tls_msg_cb(int write_p, int version, int content_type,
 struct tls_connection *conn = arg;
 const u8 *pos = buf;
 
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ if ((SSL_version(ssl) == TLS1_VERSION || SSL_version(ssl) == TLS1_1_VERSION) && SSL_get_security_level(ssl) > 0) { wpa_printf(MSG_DEBUG, "OpenSSL: Drop security level to 0 to allow TLS 1.0/1.1 use of MD5-SHA1 signature algorithm"); SSL_set_security_level(ssl, 0); }
+#endif /* OpenSSL version >= 3.0 */
 
 if (write_p == 2) {
 wpa_printf(MSG_DEBUG, "OpenSSL: session ver=0x%x content_type=%d",
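Review bot: `SSL_set_security_level(ssl, 0)` switches off every minimum-strength check OpenSSL applies to this connection — certificate key sizes and certificate digests included — not only the MD5-SHA1 signature algorithm the debug message names, and it happens silently as soon as the server negotiates TLS 1.0 or 1.1. A comment above the `#if` should state that scope, e.g. `/* Level 0 drops all security-level checks for this connection, not just the sigalg; where the server supports TLS 1.2, prefer tls_disable_tlsv1_0/tls_disable_tlsv1_1 in phase1 over this downgrade. */`, and the debug message would be more accurate saying the whole security level is lowered rather than implying a single algorithm is affected. As a point of style, `SSL_version(ssl)` is evaluated twice in the condition; `int ver = SSL_version(ssl);` before the `if` reads better. tls_msg_cb's body continues outside the hunk.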