aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJouni Malinen <j@w1.fi>2017-12-28 16:03:29 (GMT)
committerJouni Malinen <j@w1.fi>2017-12-28 20:33:12 (GMT)
commitdd227e67abb0ab049fc0605d0282bea537d10c3f (patch)
tree81b877e43309284705cbb9bf603d1a77e2554399
parent5d292fcfbd10004500ca4a132dedaa2d972dcebe (diff)
downloadhostap-dd227e67abb0ab049fc0605d0282bea537d10c3f.zip
hostap-dd227e67abb0ab049fc0605d0282bea537d10c3f.tar.gz
hostap-dd227e67abb0ab049fc0605d0282bea537d10c3f.tar.bz2
GnuTLS: Add support for disabling TLS versions
This extends GnuTLS support for tls_disable_v1_{0,1,2}=1 flags in the phase1 network profile parameter in wpa_supplicant. Signed-off-by: Jouni Malinen <j@w1.fi>
-rw-r--r--src/crypto/tls_gnutls.c23
1 files changed, 23 insertions, 0 deletions
diff --git a/src/crypto/tls_gnutls.c b/src/crypto/tls_gnutls.c
index ffc9813..c223eaf 100644
--- a/src/crypto/tls_gnutls.c
+++ b/src/crypto/tls_gnutls.c
@@ -397,6 +397,29 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
conn->flags = params->flags;
+ if (params->flags & (TLS_CONN_DISABLE_TLSv1_0 |
+ TLS_CONN_DISABLE_TLSv1_1 |
+ TLS_CONN_DISABLE_TLSv1_2)) {
+ const char *err;
+ char prio[100];
+
+ os_snprintf(prio, sizeof(prio), "NORMAL:-VERS-SSL3.0%s%s%s",
+ params->flags & TLS_CONN_DISABLE_TLSv1_0 ?
+ ":-VERS-TLS1.0" : "",
+ params->flags & TLS_CONN_DISABLE_TLSv1_1 ?
+ ":-VERS-TLS1.1" : "",
+ params->flags & TLS_CONN_DISABLE_TLSv1_2 ?
+ ":-VERS-TLS1.2" : "");
+ wpa_printf(MSG_DEBUG, "GnuTLS: Set priority string: %s", prio);
+ ret = gnutls_priority_set_direct(conn->session, prio, &err);
+ if (ret < 0) {
+ wpa_printf(MSG_ERROR,
+ "GnuTLS: Priority string failure at '%s'",
+ err);
+ return -1;
+ }
+ }
+
if (params->openssl_ciphers) {
wpa_printf(MSG_INFO, "GnuTLS: openssl_ciphers not supported");
return -1;