wifi: set TLS signature algorithm list param to the connection context
The signature algorithm list of the SSL context is populated into
the SSL connection context in SSL_new(). wpa_supplicant sets the
signature algorithm list on the SSL context after SSL_new().
As a result, the desired signature algorithm list is not used in
the current handshake, but in the next handshake.
Instead of SSL_CTX_set_verify_algorithm_prefs, SSL_set_verify_algorithm_prefs
configures the signature algorithm list to the current connection context
directly.
Bug: 213288930
Test: connect to a SUITE-B network, connect to an EAP network,
check signature algorithm lists in both client hello packets
are correct.
Change-Id: Icb7ad1c79c5b129bc3350153775931708b98a146
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 086dfb3..4bc5075 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -3066,7 +3066,7 @@
#ifdef CONFIG_SUITEB
#ifdef OPENSSL_IS_BORINGSSL
/* Start with defaults from BoringSSL */
- SSL_CTX_set_verify_algorithm_prefs(conn->ssl_ctx, NULL, 0);
+ SSL_set_verify_algorithm_prefs(conn->ssl, NULL, 0);
#endif /* OPENSSL_IS_BORINGSSL */
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
if (flags & TLS_CONN_SUITEB_NO_ECDH) {
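Review bot: the return value of `SSL_set_verify_algorithm_prefs(conn->ssl, NULL, 0);` is discarded in this hunk, while the two other call sites in this change test `!= 1` and log a failure; for consistency, and so that a failed reset of the defaults is visible, check it here as well (or drop the check at the other sites if a NULL/0 reset cannot fail). Also, since this call now targets `conn->ssl` rather than `conn->ssl_ctx`, the preceding comment "Start with defaults from BoringSSL" could say that the defaults are applied to the connection because a later `SSL_CTX_*` call would only affect connections created by a subsequent SSL_new().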
@@ -3120,7 +3120,7 @@
#ifdef OPENSSL_IS_BORINGSSL
uint16_t sigalgs[1] = { SSL_SIGN_RSA_PKCS1_SHA384 };
- if (SSL_CTX_set_verify_algorithm_prefs(conn->ssl_ctx, sigalgs,
+ if (SSL_set_verify_algorithm_prefs(conn->ssl, sigalgs,
1) != 1) {
wpa_printf(MSG_INFO,
"OpenSSL: Failed to set Suite B sigalgs");
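Review bot: `sigalgs` is a stack-local `uint16_t sigalgs[1]` passed to `SSL_set_verify_algorithm_prefs(conn->ssl, sigalgs,`; confirm in the BoringSSL headers that the per-connection setter copies the preference list rather than retaining the pointer, since the array goes out of scope when this block ends. The continuation line `1) != 1) {` is unchanged context that was presumably aligned to the longer `SSL_CTX_set_verify_algorithm_prefs(` call; re-indent it to the new opening parenthesis so the wrapped argument list stays aligned in hostap style.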
@@ -3158,7 +3158,7 @@
return -1;
}
- if (SSL_CTX_set_verify_algorithm_prefs(conn->ssl_ctx, sigalgs,
+ if (SSL_set_verify_algorithm_prefs(conn->ssl, sigalgs,
1) != 1) {
wpa_printf(MSG_INFO,
"OpenSSL: Failed to set Suite B sigalgs");
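Review bot: this hunk repeats the exact call-and-check sequence of the hunk at line 3120 (`if (SSL_set_verify_algorithm_prefs(conn->ssl, sigalgs,` / `1) != 1) {` / the same "Failed to set Suite B sigalgs" message); consider a small static helper that takes `conn` and the sigalg array so both Suite B branches cannot drift apart again, as they would have if only one site had been migrated from `conn->ssl_ctx` to `conn->ssl`. The same alignment note applies to the unchanged continuation line `1) != 1) {` here.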