jeltz/hostap
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

BoringSSL: Map OpenSSL SUITEB192 cipher into appropriate sigalgs

Browse source 
BoringSSL removed the special OpenSSL cipher suite value "SUITEB192", so
need to map that to the explicit ciphersuite
(ECDHE-ECDSA-AES256-GCM-SHA384), curve (P-384), and sigalg
(SSL_SIGN_ECDSA_SECP384R1_SHA384) to allow 192-bit level Suite B with
ECDSA to be used.

This commit takes care of the sigalg configuration using the relatively
recent SSL_CTX_set_verify_algorithm_prefs() addition from April 2017.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This commit is contained in:
Jouni Malinen 2018-02-19 16:25:54 +02:00 committed by Jouni Malinen
parent 7a47f34b1a
commit aa6de8e6b6
1 changed files with 11 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
src/crypto/tls_openssl.c
View file

@ -2536,6 +2536,7 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags,
#ifdef OPENSSL_IS_BORINGSSL
if (openssl_ciphers && os_strcmp(openssl_ciphers, "SUITEB192") == 0) {
uint16_t sigalgs[1] = { SSL_SIGN_ECDSA_SECP384R1_SHA384 };
int nid[1] = { NID_secp384r1 };
if (SSL_set1_curves(ssl, nid, 1) != 1) {
@ -2543,6 +2544,16 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags,
"OpenSSL: Failed to set Suite B curves");
return -1;
}
if (SSL_CTX_set_verify_algorithm_prefs(conn->ssl_ctx, sigalgs,
1) != 1) {
wpa_printf(MSG_INFO,
"OpenSSL: Failed to set Suite B sigalgs");
return -1;
}
} else {
/* Use defaults from BoringSSL */
SSL_CTX_set_verify_algorithm_prefs(conn->ssl_ctx, NULL, 0);
}
#endif /* OPENSSL_IS_BORINGSSL */
#endif /* CONFIG_SUITEB */