From 415839406a45a643672534f3dc97f8fab8a257c8 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Wed, 22 Nov 2023 19:39:45 +0200
Subject: [PATCH] OpenSSL: Allow openssl_ciphers override with Suite B config on server

The openssl_ciphers parameter is a global data entry on the server instead of the per-connection design on client. As such, hostapd needs to make a local copy of the global value and use that whenever setting per-connection parameters. This is needed particularly when testing Suite B functionality where the Suite B specific parameters might end up overriding the cipher list.

Signed-off-by: Jouni Malinen
---
 src/crypto/tls_openssl.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 619785224..5aff0d161 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -231,6 +231,7 @@ struct tls_data {
 	unsigned int crl_reload_interval;
 	struct os_reltime crl_last_reload;
 	char *check_cert_subject;
+	char *openssl_ciphers;
 };
 
 struct tls_connection {
@@ -1224,6 +1225,7 @@ void tls_deinit(void *ssl_ctx)
 	}
 
 	os_free(data->check_cert_subject);
+	os_free(data->openssl_ciphers);
 	os_free(data);
 }
 
@@ -3191,6 +3193,9 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags,
 	}
 #endif
 
+	if (!openssl_ciphers)
+		openssl_ciphers = conn->data->openssl_ciphers;
+
 #ifdef CONFIG_SUITEB
 #ifdef OPENSSL_IS_BORINGSSL
 	/* Start with defaults from BoringSSL */
@@ -5689,6 +5694,14 @@ int tls_global_set_params(void *tls_ctx,
 		return -1;
 	}
 
+	os_free(data->openssl_ciphers);
+	if (params->openssl_ciphers) {
+		data->openssl_ciphers = os_strdup(params->openssl_ciphers);
+		if (!data->openssl_ciphers)
+			return -1;
+	} else {
+		data->openssl_ciphers = NULL;
+	}
 	if (params->openssl_ciphers &&
 	    SSL_CTX_set_cipher_list(ssl_ctx, params->openssl_ciphers) != 1) {
 		wpa_printf(MSG_INFO,
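Review bot: The new `openssl_ciphers` member of `struct tls_data` carries no ownership note, although the later hunks show it is an owned heap copy (`os_strdup` in tls_global_set_params, `os_free` in tls_deinit) rather than a borrowed pointer into the caller's params. A one-line comment would stop a future maintainer from storing the caller's pointer directly or freeing it twice: `/* Owned copy of the global openssl_ciphers setting (server side); freed in tls_deinit() */`. The surrounding struct members are outside this hunk, so match whatever comment style they use.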
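Review bot: In the tls_set_conn_flags hunk the fallback `openssl_ciphers = conn->data->openssl_ciphers;` silently changes what a NULL argument means: it no longer means "no per-connection cipher override" but "use the server-wide list", and the `#ifdef CONFIG_SUITEB` block that follows presumably consults that value to decide whether its Suite B cipher defaults apply, so a configured global list now takes precedence over the Suite B restriction on the server. That is the stated intent of the commit, but it deserves a comment at the fallback so the precedence is visible where it is decided, e.g. `/* Server side: the cipher list is a global setting; fall back to the copy kept in tls_data so it overrides the Suite B defaults below just as the per-connection value does on the client. */`. The line also assumes `conn->data` is always non-NULL when this function runs; if that holds for every caller (the function body and its callers are outside the hunk) the comment could state it as well.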
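Review bot: In the tls_global_set_params hunk the copy is stored in `data->openssl_ciphers` before `SSL_CTX_set_cipher_list()` on the next lines has validated the string, so if OpenSSL rejects the cipher list the unvalidated copy stays in `data` and is retried for every connection through the new fallback in tls_set_conn_flags. If the function returns -1 on that failure (the body continues outside the hunk), the two representations of the setting are left inconsistent: the context has no cipher list applied while `data->openssl_ciphers` still holds the rejected string. Either move the `os_strdup()` below the successful `SSL_CTX_set_cipher_list()` call, or clear the copy in the failure branch with `os_free(data->openssl_ciphers); data->openssl_ciphers = NULL;` before returning. As a style point, the eight added lines reduce to `data->openssl_ciphers = params->openssl_ciphers ? os_strdup(params->openssl_ciphers) : NULL;` followed by `if (params->openssl_ciphers && !data->openssl_ciphers) return -1;`, which keeps the NULL-on-failure invariant without the explicit else branch.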