Revert "[wpa_supplicant] Cumulative patch from c4e90da6d"
This reverts commit 39bc25d3a79c1375de430a7918d949c1a86f70c6.
Test: Compilation
Change-Id: Iae7670429466958911b5296cb1359bceecc0b03e
Exempt-From-Owner-Approval: Revert since it's breaking the build
diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
index f89053a..f4cff43 100644
--- a/src/crypto/crypto_openssl.c
+++ b/src/crypto/crypto_openssl.c
@@ -29,7 +29,6 @@
#include "sha1.h"
#include "sha256.h"
#include "sha384.h"
-#include "sha512.h"
#include "md5.h"
#include "aes_wrap.h"
#include "crypto.h"
diff --git a/src/crypto/md4-internal.c b/src/crypto/md4-internal.c
index cf408e8..d9c737a 100644
--- a/src/crypto/md4-internal.c
+++ b/src/crypto/md4-internal.c
@@ -85,7 +85,7 @@
(cp)[1] = (value) >> 8; \
(cp)[0] = (value); } while (0)
-static const u8 PADDING[MD4_BLOCK_LENGTH] = {
+static u8 PADDING[MD4_BLOCK_LENGTH] = {
0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
diff --git a/src/crypto/random.c b/src/crypto/random.c
index ca9c0c8..6f4cf81 100644
--- a/src/crypto/random.c
+++ b/src/crypto/random.c
@@ -25,9 +25,6 @@
#include "utils/includes.h"
#ifdef __linux__
#include <fcntl.h>
-#ifdef CONFIG_GETRANDOM
-#include <sys/random.h>
-#endif /* CONFIG_GETRANDOM */
#endif /* __linux__ */
#include "utils/common.h"
@@ -238,52 +235,30 @@
return 1; /* Already initialized - good to continue */
/*
- * Try to fetch some more data from the kernel high quality RNG.
- * There may not be enough data available at this point,
+ * Try to fetch some more data from the kernel high quality
+ * /dev/random. There may not be enough data available at this point,
* so use non-blocking read to avoid blocking the application
* completely.
*/
-
-#ifdef CONFIG_GETRANDOM
- res = getrandom(dummy_key + dummy_key_avail,
- sizeof(dummy_key) - dummy_key_avail, GRND_NONBLOCK);
- if (res < 0) {
- if (errno == ENOSYS) {
- wpa_printf(MSG_DEBUG,
- "random: getrandom() not supported, falling back to /dev/random");
- } else {
- wpa_printf(MSG_INFO,
- "random: no data from getrandom(): %s",
- strerror(errno));
- res = 0;
- }
- }
-#else /* CONFIG_GETRANDOM */
- res = -1;
-#endif /* CONFIG_GETRANDOM */
- if (res < 0) {
- fd = open("/dev/random", O_RDONLY | O_NONBLOCK);
- if (fd < 0) {
- wpa_printf(MSG_ERROR,
- "random: Cannot open /dev/random: %s",
- strerror(errno));
- return -1;
- }
-
- res = read(fd, dummy_key + dummy_key_avail,
- sizeof(dummy_key) - dummy_key_avail);
- if (res < 0) {
- wpa_printf(MSG_ERROR,
- "random: Cannot read from /dev/random: %s",
- strerror(errno));
- res = 0;
- }
- close(fd);
+ fd = open("/dev/random", O_RDONLY | O_NONBLOCK);
+ if (fd < 0) {
+ wpa_printf(MSG_ERROR, "random: Cannot open /dev/random: %s",
+ strerror(errno));
+ return -1;
}
- wpa_printf(MSG_DEBUG, "random: Got %u/%u random bytes", (unsigned) res,
+ res = read(fd, dummy_key + dummy_key_avail,
+ sizeof(dummy_key) - dummy_key_avail);
+ if (res < 0) {
+ wpa_printf(MSG_ERROR, "random: Cannot read from /dev/random: "
+ "%s", strerror(errno));
+ res = 0;
+ }
+ wpa_printf(MSG_DEBUG, "random: Got %u/%u bytes from "
+ "/dev/random", (unsigned) res,
(unsigned) (sizeof(dummy_key) - dummy_key_avail));
dummy_key_avail += res;
+ close(fd);
if (dummy_key_avail == sizeof(dummy_key)) {
if (own_pool_ready < MIN_READY_MARK)
@@ -293,7 +268,7 @@
}
wpa_printf(MSG_INFO, "random: Only %u/%u bytes of strong "
- "random data available",
+ "random data available from /dev/random",
(unsigned) dummy_key_avail, (unsigned) sizeof(dummy_key));
if (own_pool_ready >= MIN_READY_MARK ||
@@ -445,19 +420,6 @@
if (random_fd >= 0)
return;
-#ifdef CONFIG_GETRANDOM
- {
- u8 dummy;
-
- if (getrandom(&dummy, 0, GRND_NONBLOCK) == 0 ||
- errno != ENOSYS) {
- wpa_printf(MSG_DEBUG,
- "random: getrandom() support available");
- return;
- }
- }
-#endif /* CONFIG_GETRANDOM */
-
random_fd = open("/dev/random", O_RDONLY | O_NONBLOCK);
if (random_fd < 0) {
wpa_printf(MSG_ERROR, "random: Cannot open /dev/random: %s",
diff --git a/src/crypto/sha512-internal.c b/src/crypto/sha512-internal.c
index c026394..76c4fe7 100644
--- a/src/crypto/sha512-internal.c
+++ b/src/crypto/sha512-internal.c
@@ -109,14 +109,9 @@
/* compress 1024-bits */
static int sha512_compress(struct sha512_state *md, unsigned char *buf)
{
- u64 S[8], t0, t1;
- u64 *W;
+ u64 S[8], W[80], t0, t1;
int i;
- W = os_malloc(80 * sizeof(u64));
- if (!W)
- return -1;
-
/* copy state into S */
for (i = 0; i < 8; i++) {
S[i] = md->state[i];
@@ -151,7 +146,6 @@
md->state[i] = md->state[i] + S[i];
}
- os_free(W);
return 0;
}
diff --git a/src/crypto/sha512.c b/src/crypto/sha512.c
deleted file mode 100644
index 66311c3..0000000
--- a/src/crypto/sha512.c
+++ /dev/null
@@ -1,104 +0,0 @@
-/*
- * SHA-512 hash implementation and interface functions
- * Copyright (c) 2003-2018, Jouni Malinen <j@w1.fi>
- *
- * This software may be distributed under the terms of the BSD license.
- * See README for more details.
- */
-
-#include "includes.h"
-
-#include "common.h"
-#include "sha512.h"
-#include "crypto.h"
-
-
-/**
- * hmac_sha512_vector - HMAC-SHA512 over data vector (RFC 2104)
- * @key: Key for HMAC operations
- * @key_len: Length of the key in bytes
- * @num_elem: Number of elements in the data vector
- * @addr: Pointers to the data areas
- * @len: Lengths of the data blocks
- * @mac: Buffer for the hash (64 bytes)
- * Returns: 0 on success, -1 on failure
- */
-int hmac_sha512_vector(const u8 *key, size_t key_len, size_t num_elem,
- const u8 *addr[], const size_t *len, u8 *mac)
-{
- unsigned char k_pad[128]; /* padding - key XORd with ipad/opad */
- unsigned char tk[64];
- const u8 *_addr[6];
- size_t _len[6], i;
-
- if (num_elem > 5) {
- /*
- * Fixed limit on the number of fragments to avoid having to
- * allocate memory (which could fail).
- */
- return -1;
- }
-
- /* if key is longer than 128 bytes reset it to key = SHA512(key) */
- if (key_len > 128) {
- if (sha512_vector(1, &key, &key_len, tk) < 0)
- return -1;
- key = tk;
- key_len = 64;
- }
-
- /* the HMAC_SHA512 transform looks like:
- *
- * SHA512(K XOR opad, SHA512(K XOR ipad, text))
- *
- * where K is an n byte key
- * ipad is the byte 0x36 repeated 128 times
- * opad is the byte 0x5c repeated 128 times
- * and text is the data being protected */
-
- /* start out by storing key in ipad */
- os_memset(k_pad, 0, sizeof(k_pad));
- os_memcpy(k_pad, key, key_len);
- /* XOR key with ipad values */
- for (i = 0; i < 128; i++)
- k_pad[i] ^= 0x36;
-
- /* perform inner SHA512 */
- _addr[0] = k_pad;
- _len[0] = 128;
- for (i = 0; i < num_elem; i++) {
- _addr[i + 1] = addr[i];
- _len[i + 1] = len[i];
- }
- if (sha512_vector(1 + num_elem, _addr, _len, mac) < 0)
- return -1;
-
- os_memset(k_pad, 0, sizeof(k_pad));
- os_memcpy(k_pad, key, key_len);
- /* XOR key with opad values */
- for (i = 0; i < 128; i++)
- k_pad[i] ^= 0x5c;
-
- /* perform outer SHA512 */
- _addr[0] = k_pad;
- _len[0] = 128;
- _addr[1] = mac;
- _len[1] = SHA512_MAC_LEN;
- return sha512_vector(2, _addr, _len, mac);
-}
-
-
-/**
- * hmac_sha512 - HMAC-SHA512 over data buffer (RFC 2104)
- * @key: Key for HMAC operations
- * @key_len: Length of the key in bytes
- * @data: Pointers to the data area
- * @data_len: Length of the data area
- * @mac: Buffer for the hash (64 bytes)
- * Returns: 0 on success, -1 on failure
- */
-int hmac_sha512(const u8 *key, size_t key_len, const u8 *data,
- size_t data_len, u8 *mac)
-{
- return hmac_sha512_vector(key, key_len, 1, &data, &data_len, mac);
-}
diff --git a/src/crypto/tls.h b/src/crypto/tls.h
index 413cccd..481b346 100644
--- a/src/crypto/tls.h
+++ b/src/crypto/tls.h
@@ -82,7 +82,6 @@
int cert_in_cb;
const char *openssl_ciphers;
unsigned int tls_session_lifetime;
- unsigned int crl_reload_interval;
unsigned int tls_flags;
void (*event_cb)(void *ctx, enum tls_event ev,
@@ -104,9 +103,6 @@
#define TLS_CONN_SUITEB BIT(11)
#define TLS_CONN_SUITEB_NO_ECDH BIT(12)
#define TLS_CONN_DISABLE_TLSv1_3 BIT(13)
-#define TLS_CONN_ENABLE_TLSv1_0 BIT(14)
-#define TLS_CONN_ENABLE_TLSv1_1 BIT(15)
-#define TLS_CONN_ENABLE_TLSv1_2 BIT(16)
/**
* struct tls_connection_params - Parameters for TLS connection
@@ -148,8 +144,6 @@
* @cert_id: the certificate's id when using engine
* @ca_cert_id: the CA certificate's id when using engine
* @openssl_ciphers: OpenSSL cipher configuration
- * @openssl_ecdh_curves: OpenSSL ECDH curve configuration. %NULL for auto if
- * supported, empty string to disable, or a colon-separated curve list.
* @flags: Parameter options (TLS_CONN_*)
* @ocsp_stapling_response: DER encoded file with cached OCSP stapling response
* or %NULL if OCSP is not enabled
@@ -193,7 +187,6 @@
const char *cert_id;
const char *ca_cert_id;
const char *openssl_ciphers;
- const char *openssl_ecdh_curves;
unsigned int flags;
const char *ocsp_stapling_response;
@@ -328,11 +321,9 @@
* @tls_ctx: TLS context data from tls_init()
* @check_crl: 0 = do not verify CRLs, 1 = verify CRL for the user certificate,
* 2 = verify CRL for all certificates
- * @strict: 0 = allow CRL time errors, 1 = do not allow CRL time errors
* Returns: 0 on success, -1 on failure
*/
-int __must_check tls_global_set_verify(void *tls_ctx, int check_crl,
- int strict);
+int __must_check tls_global_set_verify(void *tls_ctx, int check_crl);
/**
* tls_connection_set_verify - Set certificate verification options
diff --git a/src/crypto/tls_gnutls.c b/src/crypto/tls_gnutls.c
index 527d01e..36dafd2 100644
--- a/src/crypto/tls_gnutls.c
+++ b/src/crypto/tls_gnutls.c
@@ -461,12 +461,6 @@
}
}
- if (params->openssl_ecdh_curves) {
- wpa_printf(MSG_INFO,
- "GnuTLS: openssl_ecdh_curves not supported");
- return -1;
- }
-
/* TODO: gnutls_certificate_set_verify_flags(xcred, flags);
* to force peer validation(?) */
@@ -848,7 +842,7 @@
}
-int tls_global_set_verify(void *ssl_ctx, int check_crl, int strict)
+int tls_global_set_verify(void *ssl_ctx, int check_crl)
{
/* TODO */
return 0;
diff --git a/src/crypto/tls_internal.c b/src/crypto/tls_internal.c
index 9c57ab2..d289c94 100644
--- a/src/crypto/tls_internal.c
+++ b/src/crypto/tls_internal.c
@@ -248,12 +248,6 @@
return -1;
}
- if (params->openssl_ecdh_curves) {
- wpa_printf(MSG_INFO, "TLS: openssl_ecdh_curves not supported");
- tlsv1_cred_free(cred);
- return -1;
- }
-
if (tlsv1_set_ca_cert(cred, params->ca_cert,
params->ca_cert_blob, params->ca_cert_blob_len,
params->ca_path)) {
@@ -359,7 +353,7 @@
}
-int tls_global_set_verify(void *tls_ctx, int check_crl, int strict)
+int tls_global_set_verify(void *tls_ctx, int check_crl)
{
struct tls_global *global = tls_ctx;
global->check_crl = check_crl;
diff --git a/src/crypto/tls_none.c b/src/crypto/tls_none.c
index 108e9aa..5d0c6bd 100644
--- a/src/crypto/tls_none.c
+++ b/src/crypto/tls_none.c
@@ -72,7 +72,7 @@
}
-int tls_global_set_verify(void *tls_ctx, int check_crl, int strict)
+int tls_global_set_verify(void *tls_ctx, int check_crl)
{
return -1;
}
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 181e64d..5bb14e2 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -104,9 +104,7 @@
#endif
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || \
- (defined(LIBRESSL_VERSION_NUMBER) && \
- LIBRESSL_VERSION_NUMBER < 0x20700000L)
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
#ifdef CONFIG_SUITEB
static int RSA_bits(const RSA *r)
{
@@ -228,16 +226,10 @@
struct tls_data {
SSL_CTX *ssl;
unsigned int tls_session_lifetime;
- int check_crl;
- int check_crl_strict;
- char *ca_cert;
- unsigned int crl_reload_interval;
- struct os_reltime crl_last_reload;
};
struct tls_connection {
struct tls_context *context;
- struct tls_data *data;
SSL_CTX *ssl_ctx;
SSL *ssl;
BIO *ssl_in, *ssl_out;
@@ -323,37 +315,6 @@
#endif /* CONFIG_NO_STDOUT_DEBUG */
-static X509_STORE * tls_crl_cert_reload(const char *ca_cert, int check_crl)
-{
- int flags;
- X509_STORE *store;
-
- store = X509_STORE_new();
- if (!store) {
- wpa_printf(MSG_DEBUG,
- "OpenSSL: %s - failed to allocate new certificate store",
- __func__);
- return NULL;
- }
-
- if (ca_cert && X509_STORE_load_locations(store, ca_cert, NULL) != 1) {
- tls_show_errors(MSG_WARNING, __func__,
- "Failed to load root certificates");
- X509_STORE_free(store);
- return NULL;
- }
-
- if (check_crl)
- flags = X509_V_FLAG_CRL_CHECK;
- if (check_crl == 2)
- flags |= X509_V_FLAG_CRL_CHECK_ALL;
-
- X509_STORE_set_flags(store, flags);
-
- return store;
-}
-
-
#ifdef CONFIG_NATIVE_WINDOWS
/* Windows CryptoAPI and access to certificate stores */
@@ -1042,10 +1003,8 @@
return NULL;
}
data->ssl = ssl;
- if (conf) {
+ if (conf)
data->tls_session_lifetime = conf->tls_session_lifetime;
- data->crl_reload_interval = conf->crl_reload_interval;
- }
SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv2);
SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv3);
@@ -1127,7 +1086,6 @@
os_free(context);
if (data->tls_session_lifetime > 0)
SSL_CTX_flush_sessions(ssl, 0);
- os_free(data->ca_cert);
SSL_CTX_free(ssl);
tls_openssl_ref_count--;
@@ -1523,32 +1481,11 @@
SSL_CTX *ssl = data->ssl;
struct tls_connection *conn;
long options;
- X509_STORE *new_cert_store;
- struct os_reltime now;
struct tls_context *context = SSL_CTX_get_app_data(ssl);
- /* Replace X509 store if it is time to update CRL. */
- if (data->crl_reload_interval > 0 && os_get_reltime(&now) == 0 &&
- os_reltime_expired(&now, &data->crl_last_reload,
- data->crl_reload_interval)) {
- wpa_printf(MSG_INFO,
- "OpenSSL: Flushing X509 store with ca_cert file");
- new_cert_store = tls_crl_cert_reload(data->ca_cert,
- data->check_crl);
- if (!new_cert_store) {
- wpa_printf(MSG_ERROR,
- "OpenSSL: Error replacing X509 store with ca_cert file");
- } else {
- /* Replace old store */
- SSL_CTX_set_cert_store(ssl, new_cert_store);
- data->crl_last_reload = now;
- }
- }
-
conn = os_zalloc(sizeof(*conn));
if (conn == NULL)
return NULL;
- conn->data = data;
conn->ssl_ctx = ssl;
conn->ssl = SSL_new(ssl);
if (conn->ssl == NULL) {
@@ -2072,13 +2009,6 @@
"time mismatch");
preverify_ok = 1;
}
- if (!preverify_ok && !conn->data->check_crl_strict &&
- (err == X509_V_ERR_CRL_HAS_EXPIRED ||
- err == X509_V_ERR_CRL_NOT_YET_VALID)) {
- wpa_printf(MSG_DEBUG,
- "OpenSSL: Ignore certificate validity CRL time mismatch");
- preverify_ok = 1;
- }
err_str = X509_verify_cert_error_string(err);
@@ -2469,16 +2399,13 @@
SSL_CTX_set_client_CA_list(ssl_ctx,
SSL_load_client_CA_file(ca_cert));
#endif /* OPENSSL_NO_STDIO */
-
- os_free(data->ca_cert);
- data->ca_cert = os_strdup(ca_cert);
}
return 0;
}
-int tls_global_set_verify(void *ssl_ctx, int check_crl, int strict)
+int tls_global_set_verify(void *ssl_ctx, int check_crl)
{
int flags;
@@ -2495,10 +2422,6 @@
if (check_crl == 2)
flags |= X509_V_FLAG_CRL_CHECK_ALL;
X509_STORE_set_flags(cs, flags);
-
- data->check_crl = check_crl;
- data->check_crl_strict = strict;
- os_get_reltime(&data->crl_last_reload);
}
return 0;
}
@@ -2614,38 +2537,6 @@
else
SSL_clear_options(ssl, SSL_OP_NO_TLSv1_3);
#endif /* SSL_OP_NO_TLSv1_3 */
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
- if (flags & (TLS_CONN_ENABLE_TLSv1_0 |
- TLS_CONN_ENABLE_TLSv1_1 |
- TLS_CONN_ENABLE_TLSv1_2)) {
- int version = 0;
-
- /* Explicit request to enable TLS versions even if needing to
- * override systemwide policies. */
- if (flags & TLS_CONN_ENABLE_TLSv1_0) {
- version = TLS1_VERSION;
- } else if (flags & TLS_CONN_ENABLE_TLSv1_1) {
- if (!(flags & TLS_CONN_DISABLE_TLSv1_0))
- version = TLS1_1_VERSION;
- } else if (flags & TLS_CONN_ENABLE_TLSv1_2) {
- if (!(flags & (TLS_CONN_DISABLE_TLSv1_0 |
- TLS_CONN_DISABLE_TLSv1_1)))
- version = TLS1_2_VERSION;
- }
- if (!version) {
- wpa_printf(MSG_DEBUG,
- "OpenSSL: Invalid TLS version configuration");
- return -1;
- }
-
- if (SSL_set_min_proto_version(ssl, version) != 1) {
- wpa_printf(MSG_DEBUG,
- "OpenSSL: Failed to set minimum TLS version");
- return -1;
- }
- }
-#endif /* >= 1.1.0 */
-
#ifdef CONFIG_SUITEB
#ifdef OPENSSL_IS_BORINGSSL
/* Start with defaults from BoringSSL */
@@ -2748,22 +2639,7 @@
return -1;
}
}
-#else /* OPENSSL_IS_BORINGSSL */
- if (!(flags & (TLS_CONN_SUITEB | TLS_CONN_SUITEB_NO_ECDH)) &&
- openssl_ciphers && SSL_set_cipher_list(ssl, openssl_ciphers) != 1) {
- wpa_printf(MSG_INFO,
- "OpenSSL: Failed to set openssl_ciphers '%s'",
- openssl_ciphers);
- return -1;
- }
#endif /* OPENSSL_IS_BORINGSSL */
-#else /* CONFIG_SUITEB */
- if (openssl_ciphers && SSL_set_cipher_list(ssl, openssl_ciphers) != 1) {
- wpa_printf(MSG_INFO,
- "OpenSSL: Failed to set openssl_ciphers '%s'",
- openssl_ciphers);
- return -1;
- }
#endif /* CONFIG_SUITEB */
return 0;
@@ -2885,15 +2761,6 @@
return 0;
}
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)\
- && !defined(ANDROID)
- if (SSL_use_certificate_chain_file(conn->ssl, client_cert) == 1) {
- ERR_clear_error();
- wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_certificate_chain_file"
- " --> OK");
- return 0;
- }
-#else
if (SSL_use_certificate_file(conn->ssl, client_cert,
SSL_FILETYPE_PEM) == 1) {
ERR_clear_error();
@@ -2901,7 +2768,6 @@
" --> OK");
return 0;
}
-#endif
tls_show_errors(MSG_DEBUG, __func__,
"SSL_use_certificate_file failed");
@@ -4655,40 +4521,6 @@
return -1;
}
- if (!params->openssl_ecdh_curves) {
-#ifndef OPENSSL_IS_BORINGSSL
-#ifndef OPENSSL_NO_EC
-#if (OPENSSL_VERSION_NUMBER >= 0x10002000L) && \
- (OPENSSL_VERSION_NUMBER < 0x10100000L)
- if (SSL_set_ecdh_auto(conn->ssl, 1) != 1) {
- wpa_printf(MSG_INFO,
- "OpenSSL: Failed to set ECDH curves to auto");
- return -1;
- }
-#endif /* >= 1.0.2 && < 1.1.0 */
-#endif /* OPENSSL_NO_EC */
-#endif /* OPENSSL_IS_BORINGSSL */
- } else if (params->openssl_ecdh_curves[0]) {
-#if defined(OPENSSL_IS_BORINGSSL) || (OPENSSL_VERSION_NUMBER < 0x10002000L)
- wpa_printf(MSG_INFO,
- "OpenSSL: ECDH configuration nnot supported");
- return -1;
-#else /* OPENSSL_IS_BORINGSSL || < 1.0.2 */
-#ifndef OPENSSL_NO_EC
- if (SSL_set1_curves_list(conn->ssl,
- params->openssl_ecdh_curves) != 1) {
- wpa_printf(MSG_INFO,
- "OpenSSL: Failed to set ECDH curves '%s'",
- params->openssl_ecdh_curves);
- return -1;
- }
-#else /* OPENSSL_NO_EC */
- wpa_printf(MSG_INFO, "OpenSSL: ECDH not supported");
- return -1;
-#endif /* OPENSSL_NO_EC */
-#endif /* OPENSSL_IS_BORINGSSL */
- }
-
if (tls_set_conn_flags(conn, params->flags,
params->openssl_ciphers) < 0)
return -1;
@@ -4755,41 +4587,6 @@
return -1;
}
- if (!params->openssl_ecdh_curves) {
-#ifndef OPENSSL_IS_BORINGSSL
-#ifndef OPENSSL_NO_EC
-#if (OPENSSL_VERSION_NUMBER >= 0x10002000L) && \
- (OPENSSL_VERSION_NUMBER < 0x10100000L)
- if (SSL_CTX_set_ecdh_auto(ssl_ctx, 1) != 1) {
- wpa_printf(MSG_INFO,
- "OpenSSL: Failed to set ECDH curves to auto");
- return -1;
- }
-#endif /* >= 1.0.2 && < 1.1.0 */
-#endif /* OPENSSL_NO_EC */
-#endif /* OPENSSL_IS_BORINGSSL */
- } else if (params->openssl_ecdh_curves[0]) {
-#if defined(OPENSSL_IS_BORINGSSL) || (OPENSSL_VERSION_NUMBER < 0x10002000L)
- wpa_printf(MSG_INFO,
- "OpenSSL: ECDH configuration nnot supported");
- return -1;
-#else /* OPENSSL_IS_BORINGSSL || < 1.0.2 */
-#ifndef OPENSSL_NO_EC
- if (SSL_CTX_set1_curves_list(ssl_ctx,
- params->openssl_ecdh_curves) !=
- 1) {
- wpa_printf(MSG_INFO,
- "OpenSSL: Failed to set ECDH curves '%s'",
- params->openssl_ecdh_curves);
- return -1;
- }
-#else /* OPENSSL_NO_EC */
- wpa_printf(MSG_INFO, "OpenSSL: ECDH not supported");
- return -1;
-#endif /* OPENSSL_NO_EC */
-#endif /* OPENSSL_IS_BORINGSSL */
- }
-
#ifdef SSL_OP_NO_TICKET
if (params->flags & TLS_CONN_DISABLE_SESSION_TICKET)
SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TICKET);
diff --git a/src/crypto/tls_wolfssl.c b/src/crypto/tls_wolfssl.c
index b59622e..cc8c704 100644
--- a/src/crypto/tls_wolfssl.c
+++ b/src/crypto/tls_wolfssl.c
@@ -1524,12 +1524,6 @@
return -1;
}
- if (params->openssl_ecdh_curves) {
- wpa_printf(MSG_INFO,
- "wolfSSL: openssl_ecdh_curves not supported");
- return -1;
- }
-
#ifdef HAVE_SESSION_TICKET
/* Session ticket is off by default - can't disable once on. */
if (!(params->flags & TLS_CONN_DISABLE_SESSION_TICKET))
@@ -1549,7 +1543,7 @@
}
-int tls_global_set_verify(void *tls_ctx, int check_crl, int strict)
+int tls_global_set_verify(void *tls_ctx, int check_crl)
{
wpa_printf(MSG_DEBUG, "SSL: global set verify: %d", check_crl);