From: Jouni Malinen
Date: Tue, 1 May 2018 18:52:45 +0000 (+0300)
Subject: EAP-TLS: Extend TLS version config to allow TLS v1.3 to be disabled
X-Git-Tag: hostap_2_7~376
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bbbc7e8016dd559b65187cf1e9a8c04aa3aa9e07;p=thirdparty%2Fhostap.git

EAP-TLS: Extend TLS version config to allow TLS v1.3 to be disabled

This may be needed to avoid interoperability issues with the new protocol version and significant changes for EAP use cases in both key derivation and handshake termination.

Signed-off-by: Jouni Malinen
---
diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index bd52f4ae7..c2d2d6244 100644
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -2150,6 +2150,8 @@ static unsigned int parse_tls_flags(const char *val)
flags |= TLS_CONN_DISABLE_TLSv1_1;
if (os_strstr(val, "[DISABLE-TLSv1.2]"))
flags |= TLS_CONN_DISABLE_TLSv1_2;
+ if (os_strstr(val, "[DISABLE-TLSv1.3]"))
+ flags |= TLS_CONN_DISABLE_TLSv1_3;
if (os_strstr(val, "[SUITEB]"))
flags |= TLS_CONN_SUITEB;
if (os_strstr(val, "[SUITEB-NO-ECDH]"))
diff --git a/src/crypto/tls.h b/src/crypto/tls.h
index dc4117c38..585db8bbe 100644
--- a/src/crypto/tls.h
+++ b/src/crypto/tls.h
@@ -101,6 +101,7 @@ struct tls_config {
#define TLS_CONN_REQUIRE_OCSP_ALL BIT(10)
#define TLS_CONN_SUITEB BIT(11)
#define TLS_CONN_SUITEB_NO_ECDH BIT(12)
+#define TLS_CONN_DISABLE_TLSv1_3 BIT(13)
/**
* struct tls_connection_params - Parameters for TLS connection
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index c1da6d08b..b4bfc9b73 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
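Review bot: The new `[DISABLE-TLSv1.3]` keyword is parsed here, but the commit only documents the peer-side `tls_disable_tlsv1_3` option in wpa_supplicant.conf; if hostapd.conf lists the existing `[DISABLE-TLSv1.0]`/`[DISABLE-TLSv1.1]`/`[DISABLE-TLSv1.2]` values of tls_flags, the new keyword should be added there with the same interoperability-workaround wording so operators can discover it. The plain os_strstr substring match follows the style of the neighbouring checks, so no code change is needed in this hunk. parse_tls_flags begins and ends outside the hunk.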
@@ -2470,6 +2470,12 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags,
else
SSL_clear_options(ssl, SSL_OP_NO_TLSv1_2);
#endif /* SSL_OP_NO_TLSv1_2 */
+#ifdef SSL_OP_NO_TLSv1_3
+ if (flags & TLS_CONN_DISABLE_TLSv1_3)
+ SSL_set_options(ssl, SSL_OP_NO_TLSv1_3);
+ else
+ SSL_clear_options(ssl, SSL_OP_NO_TLSv1_3);
+#endif /* SSL_OP_NO_TLSv1_3 */
#ifdef CONFIG_SUITEB
#ifdef OPENSSL_IS_BORINGSSL
/* Start with defaults from BoringSSL */
diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c
index a72cc08bd..e0d8d43c8 100644
--- a/src/eap_peer/eap_tls_common.c
+++ b/src/eap_peer/eap_tls_common.c
@@ -80,6 +80,10 @@ static void eap_tls_params_flags(struct tls_connection_params *params,
params->flags |= TLS_CONN_DISABLE_TLSv1_2;
if (os_strstr(txt, "tls_disable_tlsv1_2=0"))
params->flags &= ~TLS_CONN_DISABLE_TLSv1_2;
+ if (os_strstr(txt, "tls_disable_tlsv1_3=1"))
+ params->flags |= TLS_CONN_DISABLE_TLSv1_3;
+ if (os_strstr(txt, "tls_disable_tlsv1_3=0"))
+ params->flags &= ~TLS_CONN_DISABLE_TLSv1_3;
if (os_strstr(txt, "tls_ext_cert_check=1"))
params->flags |= TLS_CONN_EXT_CERT_CHECK;
if (os_strstr(txt, "tls_ext_cert_check=0"))
diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index 5c478b696..892e73501 100644
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -1210,6 +1210,8 @@ fast_reauth=1
# that have issues interoperating with updated TLS version)
# tls_disable_tlsv1_2=1 - disable use of TLSv1.2 (a workaround for AAA servers
# that have issues interoperating with updated TLS version)
+# tls_disable_tlsv1_3=1 - disable use of TLSv1.3 (a workaround for AAA servers
+# that have issues interoperating with updated TLS version)
# tls_ext_cert_check=0 - No external server certificate validation (default)
# tls_ext_cert_check=1 - External server certificate validation enabled; this
# requires an external program doing validation of server certificate
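Review bot: When `SSL_OP_NO_TLSv1_3` is not defined by the OpenSSL headers in use, the whole new `#ifdef` block in tls_set_conn_flags compiles away and a configured `TLS_CONN_DISABLE_TLSv1_3` is ignored without any trace, which makes a deployment that set the workaround hard to debug against a build that cannot honour it. An `#else` branch that logs the situation would make that visible: `#else /* SSL_OP_NO_TLSv1_3 */` / `if (flags & TLS_CONN_DISABLE_TLSv1_3)` / `wpa_printf(MSG_DEBUG, "OpenSSL: TLSv1.3 not available in this build - ignoring TLS_CONN_DISABLE_TLSv1_3");`. The new bit defined in tls.h is only handled in the OpenSSL backend in this commit; if other TLS backends in the tree implement the existing TLS_CONN_DISABLE_TLSv1_2 handling, they presumably need the equivalent addition or will silently ignore the flag as well. tls_set_conn_flags begins and ends outside the hunk.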
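Review bot: With a fourth `tls_disable_tlsv1_X` option, the phase1 string can now disable every TLS version that eap_tls_params_flags knows about, and nothing in this function reports that nothing is left to negotiate; the failure only surfaces later as a handshake error that looks like a server problem. After the new `tls_disable_tlsv1_3` checks, a diagnostic along the lines of `if all of TLS_CONN_DISABLE_TLSv1_0..TLS_CONN_DISABLE_TLSv1_3 are set in params->flags: wpa_printf(MSG_INFO, "EAP-TLS: All TLS versions disabled by phase1 configuration");` would point operators at the configuration directly. The `=0` check is evaluated after the `=1` check, so `=0` wins when both appear in one phase1 string, which mirrors the existing options and is presumably intended. eap_tls_params_flags begins and ends outside the hunk.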