From 566101d166f3fb1e031c8d44ce1a303600e13628 Mon Sep 17 00:00:00 2001
From: Hai Shalom
Date: Mon, 25 Mar 2019 14:40:59 -0700
Subject: [PATCH] [WPA3] Initialize Suite-B ciphers correctly based on the CA cert type

Initialize Suite-B ciphers correctly based on the CA cert type. Read the cert type from key store, parse it and get the signature algorithm. Enforce SHA384, and initialize AllowedSuiteBCiphers based on the certificate type: RSA or ECSDA. Wi-Fi alliance requires the use of both ECDSA secp384r1 and RSA 3072 certificates in WPA3-Enterprise 192-bit security networks, which are also known as Suite-B-192 netowkrs, even though NSA Suite-B-192 mandates ECDSA only. The use of the term Suite-B was already coined in the IEEE 802.11-2016 specification for AKM 00-0F-AC but the test plan for WPA3-Enterprise 192-bit for APs mandates support for both RSA and ECDSA, and for STAs it mandates ECDSA and optionally RSA. In order to be compatible with all WPA3-Enterprise 192-bit deployments,
Bug: 128861164
Test: Verify Suite-B initialized correctly with RSA and ECDSA certs.
Test: Associate to SUITE_B_192 AP with RSA certificate
Test: Associate to SUITE_B_192 AP with ECDSA certificate
Change-Id: I5e8b6794e68ed3af5f8c8beac622fff8076a46a1
---
 src/com/android/settings/wifi/WifiConfigController.java | 2 +-
 src/com/android/settings/wifi/WifiUtils.java | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/com/android/settings/wifi/WifiConfigController.java b/src/com/android/settings/wifi/WifiConfigController.java
index 0adbd8d4fa..0887fc5532 100644
--- a/src/com/android/settings/wifi/WifiConfigController.java
+++ b/src/com/android/settings/wifi/WifiConfigController.java
@@ -637,7 +637,7 @@ public class WifiConfigController implements TextWatcher,
 config.allowedGroupCiphers.set(WifiConfiguration.GroupCipher.GCMP_256);
 config.allowedGroupManagementCiphers.set(WifiConfiguration.GroupMgmtCipher
 .BIP_GMAC_256);
- config.allowedSuiteBCiphers.set(WifiConfiguration.SuiteBCipher.ECDHE_RSA);
+ // allowedSuiteBCiphers will be set according to certificate type
 }
 config.enterpriseConfig = new WifiEnterpriseConfig();
 int eapMethod = mEapMethodSpinner.getSelectedItemPosition();
diff --git a/src/com/android/settings/wifi/WifiUtils.java b/src/com/android/settings/wifi/WifiUtils.java
index a22bdba868..9b3c1b368c 100644
--- a/src/com/android/settings/wifi/WifiUtils.java
+++ b/src/com/android/settings/wifi/WifiUtils.java
@@ -198,7 +198,7 @@ public class WifiUtils {
 config.allowedGroupCiphers.set(WifiConfiguration.GroupCipher.GCMP_256);
 config.allowedGroupManagementCiphers.set(WifiConfiguration.GroupMgmtCipher
 .BIP_GMAC_256);
- config.allowedSuiteBCiphers.set(WifiConfiguration.SuiteBCipher.ECDHE_RSA);
+ // allowedSuiteBCiphers will be set according to certificate type
 }
 if (!TextUtils.isEmpty(password)) {
--
2.11.0
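Review bot: The comment that replaces the hard-coded `ECDHE_RSA` in WifiConfigController.java (and the identical one in the WifiUtils.java hunk) does not say which component sets `allowedSuiteBCiphers` or what happens when it cannot, so a Suite-B-192 config now leaves both methods with an empty Suite-B cipher set and a reader cannot tell whether that is safe. The code that derives the cipher from the CA certificate is not part of this patch, so it is worth confirming there that a missing or unparseable CA certificate, or a signature that is not SHA384, causes the network to be rejected instead of proceeding with no Suite-B cipher selected. I would spell the hand-off out in both places, for example `// allowedSuiteBCiphers is deliberately left unset here; it is derived from the CA certificate type (RSA or ECDSA) outside this class`. Both enclosing methods start and end outside the hunks, and the WifiUtils path visible here goes on to handle a password, so it may have no certificate to derive the cipher from at all.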