From: Jouni Malinen
Date: Tue, 11 Jan 2022 15:37:32 +0000 (+0200)
Subject: OpenSSL: Update security level drop for TLS 1.0/1.1 with OpenSSL 3.0
X-Git-Tag: hostap_2_10~13
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=58bbcfa31b18;p=thirdparty%2Fhostap.git
OpenSSL: Update security level drop for TLS 1.0/1.1 with OpenSSL 3.0
OpenSSL 3.0 dropped these older TLS versions from the security level 2 to 1, so need to drop the security level all the way to 0 if TLS v1.0 or v1.1 is explicitly enabled.
Signed-off-by: Jouni Malinen
---
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index ad651bdc8..c9e00b3af 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -3023,13 +3023,23 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags,
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
 !defined(LIBRESSL_VERSION_NUMBER) && \
 !defined(OPENSSL_IS_BORINGSSL)
- if ((flags & (TLS_CONN_ENABLE_TLSv1_0 | TLS_CONN_ENABLE_TLSv1_1)) &&
- SSL_get_security_level(ssl) >= 2) {
- /*
- * Need to drop to security level 1 to allow TLS versions older
- * than 1.2 to be used when explicitly enabled in configuration.
- */
- SSL_set_security_level(conn->ssl, 1);
+ {
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ int need_level = 0;
+#else
+ int need_level = 1;
+#endif
+
+ if ((flags
+ (TLS_CONN_ENABLE_TLSv1_0 | TLS_CONN_ENABLE_TLSv1_1)) &&
+ SSL_get_security_level(ssl) > need_level) {
+ /*
+ * Need to drop to security level 1 (or 0 with OpenSSL
+ * 3.0) to allow TLS versions older than 1.2 to be used
+ * when explicitly enabled in configuration.
+ */
+ SSL_set_security_level(conn->ssl, need_level);
+ }
 }
 #endif
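Review bot: The comment before `SSL_set_security_level(conn->ssl, need_level)` understates what `need_level = 0` does on OpenSSL 3.0: security level 0 removes every security-level check on the connection, not just the TLS-version floor, so RSA/DSA/DH keys shorter than 1024 bits, export cipher suites and MD5-signed certificates become acceptable, and this holds even when the peer ends up negotiating TLS 1.2 on that connection. Suggest saying so in the comment, e.g. `/* Level 0 (OpenSSL 3.0) disables all key-size and signature-digest checks for this connection, not only the TLS < 1.2 restriction. */`, so the cost of explicitly enabling TLS 1.0/1.1 is visible to whoever reads or configures this. Separately, the new code reads the level from `ssl` but sets it on `conn->ssl`; these presumably name the same object, since tls_set_conn_flags() begins outside the hunk, but using one spelling for both calls would make that obvious.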