Home Explore Help
Register Sign In
wareck
/
krackattacks
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

TLS client: Add support for disabling TLS versions

The internal TLS client implementation in wpa_supplicant can now be used
with the phase2 parameters tls_disable_tlsv1_0=1, tls_disable_tlsv1_1=1,
and tls_disable_tlsv1_2=1 to disable the specified TLS version(s).

Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen 9 years ago
parent
0cbc22b2eb
commit
896a97d712
2 changed files with 34 additions and 3 deletions
Unified View Show Diff Stats
  1. 13 1
      src/tls/tlsv1_client_read.c
  2. 21 2
      src/tls/tlsv1_client_write.c

+ 13 - 1
src/tls/tlsv1_client_read.c
View File 

@@ -27,6 +27,17 @@ static int tls_process_server_hello_done(struct tlsv1_client *conn, u8 ct,
 
 					 const u8 *in_data, size_t *in_len);
 
 					 const u8 *in_data, size_t *in_len);
 
 
 
 
 
+static int tls_version_disabled(struct tlsv1_client *conn, u16 ver)
 
+{
 
+	return (((conn->flags & TLS_CONN_DISABLE_TLSv1_0) &&
 
+		 ver == TLS_VERSION_1) ||
 
+		((conn->flags & TLS_CONN_DISABLE_TLSv1_1) &&
 
+		 ver == TLS_VERSION_1_1) ||
 
+		((conn->flags & TLS_CONN_DISABLE_TLSv1_2) &&
 
+		 ver == TLS_VERSION_1_2));
 
+}
 
+
 
+
 
 static int tls_process_server_hello(struct tlsv1_client *conn, u8 ct,
 
 static int tls_process_server_hello(struct tlsv1_client *conn, u8 ct,
 
 				    const u8 *in_data, size_t *in_len)
 
 				    const u8 *in_data, size_t *in_len)
 
 {
 
 {
 
@@ -76,7 +87,8 @@ static int tls_process_server_hello(struct tlsv1_client *conn, u8 ct,
 
 	if (end - pos < 2)
 
 	if (end - pos < 2)
 
 		goto decode_error;
 
 		goto decode_error;
 
 	tls_version = WPA_GET_BE16(pos);
 
 	tls_version = WPA_GET_BE16(pos);
 
-	if (!tls_version_ok(tls_version)) {
 
+	if (!tls_version_ok(tls_version) ||
 
+	    tls_version_disabled(conn, tls_version)) {
 
 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in "
 
 		wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version in "
 
 			   "ServerHello %u.%u", pos[0], pos[1]);
 
 			   "ServerHello %u.%u", pos[0], pos[1]);
 
 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 
 		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,

+ 21 - 2
src/tls/tlsv1_client_write.c
View File 

@@ -48,8 +48,27 @@ u8 * tls_send_client_hello(struct tlsv1_client *conn, size_t *out_len)
 
 	struct os_time now;
 
 	struct os_time now;
 
 	size_t len, i;
 
 	size_t len, i;
 
 	u8 *ext_start;
 
 	u8 *ext_start;
 
+	u16 tls_version = TLS_VERSION;
 
 
 
-	wpa_printf(MSG_DEBUG, "TLSv1: Send ClientHello");
 
+	/* Pick the highest locally enabled TLS version */
 
+#ifdef CONFIG_TLSV12
 
+	if ((conn->flags & TLS_CONN_DISABLE_TLSv1_2) &&
 
+	    tls_version == TLS_VERSION_1_2)
 
+		tls_version = TLS_VERSION_1_1;
 
+#endif /* CONFIG_TLSV12 */
 
+#ifdef CONFIG_TLSV11
 
+	if ((conn->flags & TLS_CONN_DISABLE_TLSv1_1) &&
 
+	    tls_version == TLS_VERSION_1_1)
 
+		tls_version = TLS_VERSION_1;
 
+#endif /* CONFIG_TLSV11 */
 
+	if ((conn->flags & TLS_CONN_DISABLE_TLSv1_0) &&
 
+	    tls_version == TLS_VERSION_1) {
 
+		wpa_printf(MSG_INFO, "TLSv1: No TLS version allowed");
 
+		return NULL;
 
+	}
 
+
 
+	wpa_printf(MSG_DEBUG, "TLSv1: Send ClientHello (ver %s)",
 
+		   tls_version_str(tls_version));
 
 	*out_len = 0;
 
 	*out_len = 0;
 
 
 
 	os_get_time(&now);
 
 	os_get_time(&now);
 
@@ -82,7 +101,7 @@ u8 * tls_send_client_hello(struct tlsv1_client *conn, size_t *out_len)
 
 	pos += 3;
 
 	pos += 3;
 
 	/* body - ClientHello */
 
 	/* body - ClientHello */
 
 	/* ProtocolVersion client_version */
 
 	/* ProtocolVersion client_version */
 
-	WPA_PUT_BE16(pos, TLS_VERSION);
 
+	WPA_PUT_BE16(pos, tls_version);
 
 	pos += 2;
 
 	pos += 2;
 
 	/* Random random: uint32 gmt_unix_time, opaque random_bytes */
 
 	/* Random random: uint32 gmt_unix_time, opaque random_bytes */
 
 	os_memcpy(pos, conn->client_random, TLS_RANDOM_LEN);
 
 	os_memcpy(pos, conn->client_random, TLS_RANDOM_LEN);