Revert "[wpa_supplicant] Cumulative patch from c4e90da6d"
This reverts commit 39bc25d3a79c1375de430a7918d949c1a86f70c6.
Test: Compilation
Change-Id: Iae7670429466958911b5296cb1359bceecc0b03e
Exempt-From-Owner-Approval: Revert since it's breaking the build
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 181e64d..5bb14e2 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -104,9 +104,7 @@
#endif
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || \
- (defined(LIBRESSL_VERSION_NUMBER) && \
- LIBRESSL_VERSION_NUMBER < 0x20700000L)
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
#ifdef CONFIG_SUITEB
static int RSA_bits(const RSA *r)
{
@@ -228,16 +226,10 @@
struct tls_data {
SSL_CTX *ssl;
unsigned int tls_session_lifetime;
- int check_crl;
- int check_crl_strict;
- char *ca_cert;
- unsigned int crl_reload_interval;
- struct os_reltime crl_last_reload;
};
struct tls_connection {
struct tls_context *context;
- struct tls_data *data;
SSL_CTX *ssl_ctx;
SSL *ssl;
BIO *ssl_in, *ssl_out;
@@ -323,37 +315,6 @@
#endif /* CONFIG_NO_STDOUT_DEBUG */
-static X509_STORE * tls_crl_cert_reload(const char *ca_cert, int check_crl)
-{
- int flags;
- X509_STORE *store;
-
- store = X509_STORE_new();
- if (!store) {
- wpa_printf(MSG_DEBUG,
- "OpenSSL: %s - failed to allocate new certificate store",
- __func__);
- return NULL;
- }
-
- if (ca_cert && X509_STORE_load_locations(store, ca_cert, NULL) != 1) {
- tls_show_errors(MSG_WARNING, __func__,
- "Failed to load root certificates");
- X509_STORE_free(store);
- return NULL;
- }
-
- if (check_crl)
- flags = X509_V_FLAG_CRL_CHECK;
- if (check_crl == 2)
- flags |= X509_V_FLAG_CRL_CHECK_ALL;
-
- X509_STORE_set_flags(store, flags);
-
- return store;
-}
-
-
#ifdef CONFIG_NATIVE_WINDOWS
/* Windows CryptoAPI and access to certificate stores */
@@ -1042,10 +1003,8 @@
return NULL;
}
data->ssl = ssl;
- if (conf) {
+ if (conf)
data->tls_session_lifetime = conf->tls_session_lifetime;
- data->crl_reload_interval = conf->crl_reload_interval;
- }
SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv2);
SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv3);
@@ -1127,7 +1086,6 @@
os_free(context);
if (data->tls_session_lifetime > 0)
SSL_CTX_flush_sessions(ssl, 0);
- os_free(data->ca_cert);
SSL_CTX_free(ssl);
tls_openssl_ref_count--;
@@ -1523,32 +1481,11 @@
SSL_CTX *ssl = data->ssl;
struct tls_connection *conn;
long options;
- X509_STORE *new_cert_store;
- struct os_reltime now;
struct tls_context *context = SSL_CTX_get_app_data(ssl);
- /* Replace X509 store if it is time to update CRL. */
- if (data->crl_reload_interval > 0 && os_get_reltime(&now) == 0 &&
- os_reltime_expired(&now, &data->crl_last_reload,
- data->crl_reload_interval)) {
- wpa_printf(MSG_INFO,
- "OpenSSL: Flushing X509 store with ca_cert file");
- new_cert_store = tls_crl_cert_reload(data->ca_cert,
- data->check_crl);
- if (!new_cert_store) {
- wpa_printf(MSG_ERROR,
- "OpenSSL: Error replacing X509 store with ca_cert file");
- } else {
- /* Replace old store */
- SSL_CTX_set_cert_store(ssl, new_cert_store);
- data->crl_last_reload = now;
- }
- }
-
conn = os_zalloc(sizeof(*conn));
if (conn == NULL)
return NULL;
- conn->data = data;
conn->ssl_ctx = ssl;
conn->ssl = SSL_new(ssl);
if (conn->ssl == NULL) {
@@ -2072,13 +2009,6 @@
"time mismatch");
preverify_ok = 1;
}
- if (!preverify_ok && !conn->data->check_crl_strict &&
- (err == X509_V_ERR_CRL_HAS_EXPIRED ||
- err == X509_V_ERR_CRL_NOT_YET_VALID)) {
- wpa_printf(MSG_DEBUG,
- "OpenSSL: Ignore certificate validity CRL time mismatch");
- preverify_ok = 1;
- }
err_str = X509_verify_cert_error_string(err);
@@ -2469,16 +2399,13 @@
SSL_CTX_set_client_CA_list(ssl_ctx,
SSL_load_client_CA_file(ca_cert));
#endif /* OPENSSL_NO_STDIO */
-
- os_free(data->ca_cert);
- data->ca_cert = os_strdup(ca_cert);
}
return 0;
}
-int tls_global_set_verify(void *ssl_ctx, int check_crl, int strict)
+int tls_global_set_verify(void *ssl_ctx, int check_crl)
{
int flags;
@@ -2495,10 +2422,6 @@
if (check_crl == 2)
flags |= X509_V_FLAG_CRL_CHECK_ALL;
X509_STORE_set_flags(cs, flags);
-
- data->check_crl = check_crl;
- data->check_crl_strict = strict;
- os_get_reltime(&data->crl_last_reload);
}
return 0;
}
@@ -2614,38 +2537,6 @@
else
SSL_clear_options(ssl, SSL_OP_NO_TLSv1_3);
#endif /* SSL_OP_NO_TLSv1_3 */
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
- if (flags & (TLS_CONN_ENABLE_TLSv1_0 |
- TLS_CONN_ENABLE_TLSv1_1 |
- TLS_CONN_ENABLE_TLSv1_2)) {
- int version = 0;
-
- /* Explicit request to enable TLS versions even if needing to
- * override systemwide policies. */
- if (flags & TLS_CONN_ENABLE_TLSv1_0) {
- version = TLS1_VERSION;
- } else if (flags & TLS_CONN_ENABLE_TLSv1_1) {
- if (!(flags & TLS_CONN_DISABLE_TLSv1_0))
- version = TLS1_1_VERSION;
- } else if (flags & TLS_CONN_ENABLE_TLSv1_2) {
- if (!(flags & (TLS_CONN_DISABLE_TLSv1_0 |
- TLS_CONN_DISABLE_TLSv1_1)))
- version = TLS1_2_VERSION;
- }
- if (!version) {
- wpa_printf(MSG_DEBUG,
- "OpenSSL: Invalid TLS version configuration");
- return -1;
- }
-
- if (SSL_set_min_proto_version(ssl, version) != 1) {
- wpa_printf(MSG_DEBUG,
- "OpenSSL: Failed to set minimum TLS version");
- return -1;
- }
- }
-#endif /* >= 1.1.0 */
-
#ifdef CONFIG_SUITEB
#ifdef OPENSSL_IS_BORINGSSL
/* Start with defaults from BoringSSL */
@@ -2748,22 +2639,7 @@
return -1;
}
}
-#else /* OPENSSL_IS_BORINGSSL */
- if (!(flags & (TLS_CONN_SUITEB | TLS_CONN_SUITEB_NO_ECDH)) &&
- openssl_ciphers && SSL_set_cipher_list(ssl, openssl_ciphers) != 1) {
- wpa_printf(MSG_INFO,
- "OpenSSL: Failed to set openssl_ciphers '%s'",
- openssl_ciphers);
- return -1;
- }
#endif /* OPENSSL_IS_BORINGSSL */
-#else /* CONFIG_SUITEB */
- if (openssl_ciphers && SSL_set_cipher_list(ssl, openssl_ciphers) != 1) {
- wpa_printf(MSG_INFO,
- "OpenSSL: Failed to set openssl_ciphers '%s'",
- openssl_ciphers);
- return -1;
- }
#endif /* CONFIG_SUITEB */
return 0;
@@ -2885,15 +2761,6 @@
return 0;
}
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)\
- && !defined(ANDROID)
- if (SSL_use_certificate_chain_file(conn->ssl, client_cert) == 1) {
- ERR_clear_error();
- wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_certificate_chain_file"
- " --> OK");
- return 0;
- }
-#else
if (SSL_use_certificate_file(conn->ssl, client_cert,
SSL_FILETYPE_PEM) == 1) {
ERR_clear_error();
@@ -2901,7 +2768,6 @@
" --> OK");
return 0;
}
-#endif
tls_show_errors(MSG_DEBUG, __func__,
"SSL_use_certificate_file failed");
@@ -4655,40 +4521,6 @@
return -1;
}
- if (!params->openssl_ecdh_curves) {
-#ifndef OPENSSL_IS_BORINGSSL
-#ifndef OPENSSL_NO_EC
-#if (OPENSSL_VERSION_NUMBER >= 0x10002000L) && \
- (OPENSSL_VERSION_NUMBER < 0x10100000L)
- if (SSL_set_ecdh_auto(conn->ssl, 1) != 1) {
- wpa_printf(MSG_INFO,
- "OpenSSL: Failed to set ECDH curves to auto");
- return -1;
- }
-#endif /* >= 1.0.2 && < 1.1.0 */
-#endif /* OPENSSL_NO_EC */
-#endif /* OPENSSL_IS_BORINGSSL */
- } else if (params->openssl_ecdh_curves[0]) {
-#if defined(OPENSSL_IS_BORINGSSL) || (OPENSSL_VERSION_NUMBER < 0x10002000L)
- wpa_printf(MSG_INFO,
- "OpenSSL: ECDH configuration nnot supported");
- return -1;
-#else /* OPENSSL_IS_BORINGSSL || < 1.0.2 */
-#ifndef OPENSSL_NO_EC
- if (SSL_set1_curves_list(conn->ssl,
- params->openssl_ecdh_curves) != 1) {
- wpa_printf(MSG_INFO,
- "OpenSSL: Failed to set ECDH curves '%s'",
- params->openssl_ecdh_curves);
- return -1;
- }
-#else /* OPENSSL_NO_EC */
- wpa_printf(MSG_INFO, "OpenSSL: ECDH not supported");
- return -1;
-#endif /* OPENSSL_NO_EC */
-#endif /* OPENSSL_IS_BORINGSSL */
- }
-
if (tls_set_conn_flags(conn, params->flags,
params->openssl_ciphers) < 0)
return -1;
@@ -4755,41 +4587,6 @@
return -1;
}
- if (!params->openssl_ecdh_curves) {
-#ifndef OPENSSL_IS_BORINGSSL
-#ifndef OPENSSL_NO_EC
-#if (OPENSSL_VERSION_NUMBER >= 0x10002000L) && \
- (OPENSSL_VERSION_NUMBER < 0x10100000L)
- if (SSL_CTX_set_ecdh_auto(ssl_ctx, 1) != 1) {
- wpa_printf(MSG_INFO,
- "OpenSSL: Failed to set ECDH curves to auto");
- return -1;
- }
-#endif /* >= 1.0.2 && < 1.1.0 */
-#endif /* OPENSSL_NO_EC */
-#endif /* OPENSSL_IS_BORINGSSL */
- } else if (params->openssl_ecdh_curves[0]) {
-#if defined(OPENSSL_IS_BORINGSSL) || (OPENSSL_VERSION_NUMBER < 0x10002000L)
- wpa_printf(MSG_INFO,
- "OpenSSL: ECDH configuration nnot supported");
- return -1;
-#else /* OPENSSL_IS_BORINGSSL || < 1.0.2 */
-#ifndef OPENSSL_NO_EC
- if (SSL_CTX_set1_curves_list(ssl_ctx,
- params->openssl_ecdh_curves) !=
- 1) {
- wpa_printf(MSG_INFO,
- "OpenSSL: Failed to set ECDH curves '%s'",
- params->openssl_ecdh_curves);
- return -1;
- }
-#else /* OPENSSL_NO_EC */
- wpa_printf(MSG_INFO, "OpenSSL: ECDH not supported");
- return -1;
-#endif /* OPENSSL_NO_EC */
-#endif /* OPENSSL_IS_BORINGSSL */
- }
-
#ifdef SSL_OP_NO_TICKET
if (params->flags & TLS_CONN_DISABLE_SESSION_TICKET)
SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TICKET);