GnuTLS: Add support for disabling TLS versions
authorJouni Malinen <j@w1.fi>
Thu, 28 Dec 2017 16:03:29 +0000 (18:03 +0200)
committerJouni Malinen <j@w1.fi>
Thu, 28 Dec 2017 20:33:12 +0000 (22:33 +0200)
This extends GnuTLS support for tls_disable_v1_{0,1,2}=1 flags in the
phase1 network profile parameter in wpa_supplicant.

Signed-off-by: Jouni Malinen <j@w1.fi>
src/crypto/tls_gnutls.c

index ffc9813c0f721f7ef2b727688fb2a87508138a23..c223eafa336ebb3e711e71733a2c70b8c01da599 100644 (file)
@@ -397,6 +397,29 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
 
        conn->flags = params->flags;
 
+       if (params->flags & (TLS_CONN_DISABLE_TLSv1_0 |
+                            TLS_CONN_DISABLE_TLSv1_1 |
+                            TLS_CONN_DISABLE_TLSv1_2)) {
+               const char *err;
+               char prio[100];
+
+               os_snprintf(prio, sizeof(prio), "NORMAL:-VERS-SSL3.0%s%s%s",
+                           params->flags & TLS_CONN_DISABLE_TLSv1_0 ?
+                           ":-VERS-TLS1.0" : "",
+                           params->flags & TLS_CONN_DISABLE_TLSv1_1 ?
+                           ":-VERS-TLS1.1" : "",
+                           params->flags & TLS_CONN_DISABLE_TLSv1_2 ?
+                           ":-VERS-TLS1.2" : "");
+               wpa_printf(MSG_DEBUG, "GnuTLS: Set priority string: %s", prio);
+               ret = gnutls_priority_set_direct(conn->session, prio, &err);
+               if (ret < 0) {
+                       wpa_printf(MSG_ERROR,
+                                  "GnuTLS: Priority string failure at '%s'",
+                                  err);
+                       return -1;
+               }
+       }
+
        if (params->openssl_ciphers) {
                wpa_printf(MSG_INFO, "GnuTLS: openssl_ciphers not supported");
                return -1;
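Review bot: The new priority string at the `os_snprintf` is built from a fixed `NORMAL:-VERS-SSL3.0` base, so whenever any disable flag is set it replaces whatever priority the session already had rather than restricting it; if session setup elsewhere in this file applies its own priority string (e.g. extra hardening or cipher restrictions), those settings are silently lost here, and a comment such as `/* Overrides any priority set at session init; keep in sync with it */` would make that dependency explicit, or the base string could be shared as a single constant. The error path logs only the offending position `err` and drops the GnuTLS error code, so a failure reads as a bare position; `wpa_printf(MSG_ERROR, "GnuTLS: Priority string failure at '%s': %s", err, gnutls_strerror(ret));` would preserve the reason. The 100-byte `prio` buffer comfortably holds the longest possible string (all three suffixes), so the unchecked `os_snprintf` return is safe as written, but a future suffix addition should recheck that bound. The enclosing `tls_connection_set_params` starts before and continues past this hunk, and the declaration of `ret` is outside the visible lines.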