OpenSSL: Drop security level to 0 if needed for EAP-FAST
authorJouni Malinen <j@w1.fi>
Tue, 28 Jul 2015 08:51:55 +0000 (11:51 +0300)
committerJouni Malinen <j@w1.fi>
Tue, 28 Jul 2015 18:00:17 +0000 (21:00 +0300)
OpenSSL 1.1.0 disables the anonymous ciphers by default, so these need to be
enabled for the special case of anonymous EAP-FAST provisioning.

Signed-off-by: Jouni Malinen <j@w1.fi>
src/crypto/tls_openssl.c

index 0088d6e88ce199d3bc5adf0eda926bc6255b60a4..ea963c6120011abec5173e6b17d49e2d1538691e 100644 (file)
@@ -3227,6 +3227,21 @@ int tls_connection_set_cipher_list(void *tls_ctx, struct tls_connection *conn,
 
        wpa_printf(MSG_DEBUG, "OpenSSL: cipher suites: %s", buf + 1);
 
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+#if defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || defined(EAP_SERVER_FAST)
+       if (os_strstr(buf, ":ADH-")) {
+               /*
+                * Need to drop to security level 0 to allow anonymous
+                * cipher suites for EAP-FAST.
+                */
+               SSL_set_security_level(conn->ssl, 0);
+       } else if (SSL_get_security_level(conn->ssl) == 0) {
+               /* Force at least security level 1 */
+               SSL_set_security_level(conn->ssl, 1);
+       }
+#endif /* EAP_FAST || EAP_FAST_DYNAMIC || EAP_SERVER_FAST */
+#endif
+
        if (SSL_set_cipher_list(conn->ssl, buf + 1) != 1) {
                tls_show_errors(MSG_INFO, __func__,
                                "Cipher suite configuration failed");
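Review bot: Dropping to security level 0 on the `os_strstr(buf, ":ADH-")` branch removes every security-level restriction OpenSSL enforces for this connection, not only the one on anonymous suites, so from that point the configured cipher list is the only constraint left on what the connection may negotiate; the comment should say so, e.g. `/* Level 0 lifts all OpenSSL security-level checks for this connection, not only the anonymous-cipher one; the caller's cipher list is then the sole restriction, so it must contain exactly the intended ADH suites. */`. The `else if` branch only forces a floor of 1 when the current level is 0, which presumably restores the previous drop on a reused connection, but it would also override a level 0 that was set deliberately on the SSL_CTX and would not restore a context default higher than 1 — a short comment on which case is intended would help. tls_connection_set_cipher_list begins and ends outside this hunk.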