From: Jouni Malinen <jouni@codeaurora.org>
Date: Mon, 19 Feb 2018 14:00:19 +0000 (+0200)
Subject: OpenSSL: Replace SSL_set1_curves_list() with SSL_set1_curves()
X-Git-Tag: hostap_2_7~550
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3552502344cffb5e2e61034f2a7d390e28f421ba;p=thirdparty%2Fhostap.git

OpenSSL: Replace SSL_set1_curves_list() with SSL_set1_curves()

In practice, this does the same thing (i.e., allows only the P-384 curve
to be used), but using an older API function that happens to be
available in some BoringSSL builds while the newer one is not.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
---

diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 316836784..7c53eb61c 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -2483,6 +2483,7 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags,
 		EC_KEY *ecdh;
 		const char *ciphers =
 			"ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384";
+		int nid[1] = { NID_secp384r1 };
 
 		if (openssl_ciphers) {
 			wpa_printf(MSG_DEBUG,
@@ -2496,7 +2497,7 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags,
 			return -1;
 		}
 
-		if (SSL_set1_curves_list(ssl, "P-384") != 1) {
+		if (SSL_set1_curves(ssl, nid, 1) != 1) {
 			wpa_printf(MSG_INFO,
 				   "OpenSSL: Failed to set Suite B curves");
 			return -1;