Patchwork TLS: Add tls_disable_tlsv1_1 and tls_disable_tlsv1_2 params

Submitter Dmitry Shmidt
Date Feb. 19, 2014, 9:21 p.m.
Message ID <20140219212304.AE9C713FFD8@ushik.mtv.corp.google.com>
Permalink /patch/322016/
State Accepted

Comments

Dmitry Shmidt - Feb. 19, 2014, 9:21 p.m.
Change-Id: I5c23b6f7ea07719829622e6661807ca53da5b068
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
---
 src/crypto/tls.h              | 2 ++
 src/crypto/tls_openssl.c      | 9 +++++++++
 src/eap_peer/eap_tls_common.c | 8 ++++++++
 3 files changed, 19 insertions(+)
Jouni Malinen - Feb. 20, 2014, 2:29 p.m.
On Wed, Feb 19, 2014 at 01:21:58PM -0800, Dmitry Shmidt wrote:
> diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
> @@ -3182,6 +3182,15 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
> +	if (params->flags & TLS_CONN_DISABLE_TLSv1_1)
> +		SSL_set_options(conn->ssl, SSL_OP_NO_TLSv1_1);
> +	else
> +		SSL_clear_options(conn->ssl, SSL_OP_NO_TLSv1_1);
> +	if (params->flags & TLS_CONN_DISABLE_TLSv1_2)
> +		SSL_set_options(conn->ssl, SSL_OP_NO_TLSv1_2);
> +	else
> +		SSL_clear_options(conn->ssl, SSL_OP_NO_TLSv1_2);

Thanks, applied with these protected using #ifdef to avoid breaking
build with older OpenSSL versions and with the new values documented in
wpa_supplicant.conf.

Patch

diff --git a/src/crypto/tls.h b/src/crypto/tls.h
index feba13f..88afae4 100644
--- a/src/crypto/tls.h
+++ b/src/crypto/tls.h
@@ -85,6 +85,8 @@  struct tls_config {
 #define TLS_CONN_DISABLE_SESSION_TICKET BIT(2)
 #define TLS_CONN_REQUEST_OCSP BIT(3)
 #define TLS_CONN_REQUIRE_OCSP BIT(4)
+#define TLS_CONN_DISABLE_TLSv1_1 BIT(5)
+#define TLS_CONN_DISABLE_TLSv1_2 BIT(6)
 
 /**
  * struct tls_connection_params - Parameters for TLS connection
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 2fd7bbb..eeabbd7 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -3182,6 +3182,15 @@  int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
 #endif /* SSL_clear_options */
 #endif /*  SSL_OP_NO_TICKET */
 
+	if (params->flags & TLS_CONN_DISABLE_TLSv1_1)
+		SSL_set_options(conn->ssl, SSL_OP_NO_TLSv1_1);
+	else
+		SSL_clear_options(conn->ssl, SSL_OP_NO_TLSv1_1);
+	if (params->flags & TLS_CONN_DISABLE_TLSv1_2)
+		SSL_set_options(conn->ssl, SSL_OP_NO_TLSv1_2);
+	else
+		SSL_clear_options(conn->ssl, SSL_OP_NO_TLSv1_2);
+
 #ifdef HAVE_OCSP
 	if (params->flags & TLS_CONN_REQUEST_OCSP) {
 		SSL_CTX *ssl_ctx = tls_ctx;
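Review bot: The two new SSL_set_options calls at lines 65 and 69 silently lower the highest protocol version the connection will negotiate, and nothing in the hunk documents that this is a deliberate interoperability downgrade rather than a hardening option. A comment above line 64 such as `/* Interop workaround: clearing TLS 1.1/1.2 forces negotiation down to whatever older versions remain enabled; set only from a trusted network profile */` would make the effect visible to the next reader, and a wpa_printf at MSG_DEBUG when either flag is set would let a misconfigured profile be spotted in the log. Whether SSLv3 or TLS 1.0 remain enabled at this point depends on the ctx setup outside the hunk, so the exact fallback version is inferred. tls_connection_set_params starts and ends outside the hunk.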
diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c
index 008af37..b3a99b6 100644
--- a/src/eap_peer/eap_tls_common.c
+++ b/src/eap_peer/eap_tls_common.c
@@ -64,6 +64,14 @@  static void eap_tls_params_flags(struct tls_connection_params *params,
 		params->flags |= TLS_CONN_DISABLE_SESSION_TICKET;
 	if (os_strstr(txt, "tls_disable_session_ticket=0"))
 		params->flags &= ~TLS_CONN_DISABLE_SESSION_TICKET;
+	if (os_strstr(txt, "tls_disable_tlsv1_1=1"))
+		params->flags |= TLS_CONN_DISABLE_TLSv1_1;
+	if (os_strstr(txt, "tls_disable_tlsv1_1=0"))
+		params->flags &= ~TLS_CONN_DISABLE_TLSv1_1;
+	if (os_strstr(txt, "tls_disable_tlsv1_2=1"))
+		params->flags |= TLS_CONN_DISABLE_TLSv1_2;
+	if (os_strstr(txt, "tls_disable_tlsv1_2=0"))
+		params->flags &= ~TLS_CONN_DISABLE_TLSv1_2;
 }