From f6fd15e0418aea97c7ee77672468561cdac302e5 Mon Sep 17 00:00:00 2001
From: V3n3RiX <venerix@koprulu.sector>
Date: Sat, 26 Aug 2023 15:57:31 +0100
Subject: gentoo auto-resync : 26:08:2023 - 15:57:31

---
 ...p-security-level-to-0-with-OpenSSL-3.0-wh.patch | 57 ++++++++++++++++++++++
 ...upplicant-2.10-allow-legacy-renegotiation.patch | 30 ++++++++++++
 2 files changed, 87 insertions(+)
 create mode 100644 net-wireless/wpa_supplicant/files/wpa_supplicant-2.10-Drop-security-level-to-0-with-OpenSSL-3.0-wh.patch
 create mode 100644 net-wireless/wpa_supplicant/files/wpa_supplicant-2.10-allow-legacy-renegotiation.patch

(limited to 'net-wireless/wpa_supplicant/files')

diff --git a/net-wireless/wpa_supplicant/files/wpa_supplicant-2.10-Drop-security-level-to-0-with-OpenSSL-3.0-wh.patch b/net-wireless/wpa_supplicant/files/wpa_supplicant-2.10-Drop-security-level-to-0-with-OpenSSL-3.0-wh.patch
new file mode 100644
index 000000000000..18f879c9f39f
--- /dev/null
+++ b/net-wireless/wpa_supplicant/files/wpa_supplicant-2.10-Drop-security-level-to-0-with-OpenSSL-3.0-wh.patch
@@ -0,0 +1,57 @@
+From: Jouni Malinen <j@w1.fi>
+Date: Sun, 22 May 2022 17:01:35 +0300
+Subject: OpenSSL: Drop security level to 0 with OpenSSL 3.0 when using TLS 1.0/1.1
+
+Commit 9afb68b03976 ("OpenSSL: Allow systemwide secpolicy overrides for
+TLS version") with commit 58bbcfa31b18 ("OpenSSL: Update security level
+drop for TLS 1.0/1.1 with OpenSSL 3.0") allow this workaround to be
+enabled with an explicit network configuration parameter. However, the
+default settings are still allowing TLS 1.0 and 1.1 to be negotiated
+just to see them fail immediately when using OpenSSL 3.0. This is not
+exactly helpful especially when the OpenSSL error message for this
+particular case is "internal error" which does not really say anything
+about the reason for the error.
+
+It is is a bit inconvenient to update the security policy for this
+particular issue based on the negotiated TLS version since that happens
+in the middle of processing for the first message from the server.
+However, this can be done by using the debug callback for printing out
+the received TLS messages during processing.
+
+Drop the OpenSSL security level to 0 if that is the only option to
+continue the TLS negotiation, i.e., when TLS 1.0/1.1 are still allowed
+in wpa_supplicant default configuration and OpenSSL 3.0 with the
+constraint on MD5-SHA1 use.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+
+Bug-Debian: https://bugs.debian.org/1011121
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1958267
+Origin: upstream, commit:bc99366f9b960150aa2e369048bbc2218c1d414e
+---
+ src/crypto/tls_openssl.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index 6602ac64f591..78621d926dab 100644
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -1557,6 +1557,15 @@ static void tls_msg_cb(int write_p, int version, int content_type,
+ 	struct tls_connection *conn = arg;
+ 	const u8 *pos = buf;
+ 
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++	if ((SSL_version(ssl) == TLS1_VERSION ||
++	     SSL_version(ssl) == TLS1_1_VERSION) &&
++	    SSL_get_security_level(ssl) > 0) {
++		wpa_printf(MSG_DEBUG,
++			   "OpenSSL: Drop security level to 0 to allow TLS 1.0/1.1 use of MD5-SHA1 signature algorithm");
++		SSL_set_security_level(ssl, 0);
++	}
++#endif /* OpenSSL version >= 3.0 */
+ 	if (write_p == 2) {
+ 		wpa_printf(MSG_DEBUG,
+ 			   "OpenSSL: session ver=0x%x content_type=%d",
+-- 
+2.39.0
+
diff --git a/net-wireless/wpa_supplicant/files/wpa_supplicant-2.10-allow-legacy-renegotiation.patch b/net-wireless/wpa_supplicant/files/wpa_supplicant-2.10-allow-legacy-renegotiation.patch
new file mode 100644
index 000000000000..574973fe6fe5
--- /dev/null
+++ b/net-wireless/wpa_supplicant/files/wpa_supplicant-2.10-allow-legacy-renegotiation.patch
@@ -0,0 +1,30 @@
+From: James Ralston <ralston@pobox.com>
+Date: Sun, 1 May 2022 16:15:23 -0700
+Subject: Allow legacy renegotiation to fix PEAP issues with some servers
+
+Upstream: http://lists.infradead.org/pipermail/hostap/2022-May/040511.html
+---
+ src/crypto/tls_openssl.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index 273e5cb..ad3aa1a 100644
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -1056,6 +1056,16 @@ void * tls_init(const struct tls_config *conf)
+ 	SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv2);
+ 	SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv3);
+ 
++	/* Many enterprise PEAP server implementations (e.g. used in large
++	 corporations and universities) do not support RFC5746 secure
++	 renegotiation, and starting with OpenSSL 3.0,
++	 SSL_OP_LEGACY_SERVER_CONNECT is no longer set as part of SSL_OP_ALL.
++	 So until we implement a way to request SSL_OP_LEGACY_SERVER_CONNECT
++	 only in EAP peer mode, just set SSL_OP_LEGACY_SERVER_CONNECT
++	 globally. */
++
++	SSL_CTX_set_options(ssl, SSL_OP_LEGACY_SERVER_CONNECT);
++
+ 	SSL_CTX_set_mode(ssl, SSL_MODE_AUTO_RETRY);
+ 
+ #ifdef SSL_MODE_NO_AUTO_CHAIN
-- 
cgit v1.2.3