aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJouni Malinen <j@w1.fi>2018-05-01 18:52:45 (GMT)
committerJouni Malinen <j@w1.fi>2018-05-01 19:13:38 (GMT)
commitbbbc7e8016dd559b65187cf1e9a8c04aa3aa9e07 (patch)
treec8cce4398db247d6883ecc270731904928e9d776
parent0d34c13a72adaf43c2fd1ea7082b6e99ecda51f3 (diff)
downloadhostap-bbbc7e8016dd559b65187cf1e9a8c04aa3aa9e07.zip
hostap-bbbc7e8016dd559b65187cf1e9a8c04aa3aa9e07.tar.gz
hostap-bbbc7e8016dd559b65187cf1e9a8c04aa3aa9e07.tar.bz2
EAP-TLS: Extend TLS version config to allow TLS v1.3 to be disabled
This may be needed to avoid interoperability issues with the new protocol version and significant changes for EAP use cases in both key derivation and handshake termination. Signed-off-by: Jouni Malinen <j@w1.fi>
-rw-r--r--hostapd/config_file.c2
-rw-r--r--src/crypto/tls.h1
-rw-r--r--src/crypto/tls_openssl.c6
-rw-r--r--src/eap_peer/eap_tls_common.c4
-rw-r--r--wpa_supplicant/wpa_supplicant.conf2
5 files changed, 15 insertions, 0 deletions
diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index bd52f4a..c2d2d62 100644
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -2150,6 +2150,8 @@ static unsigned int parse_tls_flags(const char *val)
flags |= TLS_CONN_DISABLE_TLSv1_1;
if (os_strstr(val, "[DISABLE-TLSv1.2]"))
flags |= TLS_CONN_DISABLE_TLSv1_2;
+ if (os_strstr(val, "[DISABLE-TLSv1.3]"))
+ flags |= TLS_CONN_DISABLE_TLSv1_3;
if (os_strstr(val, "[SUITEB]"))
flags |= TLS_CONN_SUITEB;
if (os_strstr(val, "[SUITEB-NO-ECDH]"))
diff --git a/src/crypto/tls.h b/src/crypto/tls.h
index dc4117c..585db8b 100644
--- a/src/crypto/tls.h
+++ b/src/crypto/tls.h
@@ -101,6 +101,7 @@ struct tls_config {
#define TLS_CONN_REQUIRE_OCSP_ALL BIT(10)
#define TLS_CONN_SUITEB BIT(11)
#define TLS_CONN_SUITEB_NO_ECDH BIT(12)
+#define TLS_CONN_DISABLE_TLSv1_3 BIT(13)
/**
* struct tls_connection_params - Parameters for TLS connection
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index c1da6d0..b4bfc9b 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -2470,6 +2470,12 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags,
else
SSL_clear_options(ssl, SSL_OP_NO_TLSv1_2);
#endif /* SSL_OP_NO_TLSv1_2 */
+#ifdef SSL_OP_NO_TLSv1_3
+ if (flags & TLS_CONN_DISABLE_TLSv1_3)
+ SSL_set_options(ssl, SSL_OP_NO_TLSv1_3);
+ else
+ SSL_clear_options(ssl, SSL_OP_NO_TLSv1_3);
+#endif /* SSL_OP_NO_TLSv1_3 */
#ifdef CONFIG_SUITEB
#ifdef OPENSSL_IS_BORINGSSL
/* Start with defaults from BoringSSL */
diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c
index a72cc08..e0d8d43 100644
--- a/src/eap_peer/eap_tls_common.c
+++ b/src/eap_peer/eap_tls_common.c
@@ -80,6 +80,10 @@ static void eap_tls_params_flags(struct tls_connection_params *params,
params->flags |= TLS_CONN_DISABLE_TLSv1_2;
if (os_strstr(txt, "tls_disable_tlsv1_2=0"))
params->flags &= ~TLS_CONN_DISABLE_TLSv1_2;
+ if (os_strstr(txt, "tls_disable_tlsv1_3=1"))
+ params->flags |= TLS_CONN_DISABLE_TLSv1_3;
+ if (os_strstr(txt, "tls_disable_tlsv1_3=0"))
+ params->flags &= ~TLS_CONN_DISABLE_TLSv1_3;
if (os_strstr(txt, "tls_ext_cert_check=1"))
params->flags |= TLS_CONN_EXT_CERT_CHECK;
if (os_strstr(txt, "tls_ext_cert_check=0"))
diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index 5c478b6..892e735 100644
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -1210,6 +1210,8 @@ fast_reauth=1
# that have issues interoperating with updated TLS version)
# tls_disable_tlsv1_2=1 - disable use of TLSv1.2 (a workaround for AAA servers
# that have issues interoperating with updated TLS version)
+# tls_disable_tlsv1_3=1 - disable use of TLSv1.3 (a workaround for AAA servers
+# that have issues interoperating with updated TLS version)
# tls_ext_cert_check=0 - No external server certificate validation (default)
# tls_ext_cert_check=1 - External server certificate validation enabled; this
# requires an external program doing validation of server certificate