OpenSSL: Allow openssl_ciphers override with Suite B config on server

The openssl_ciphers parameter is a global data entry on the server instead of the per-connection design on client. As such, hostapd needs to make a local copy of the global value and use that whenever setting per-connection parameters. This is needed particularly when testing Suite B functionality where the Suite B specific parameters might end up overriding the cipher list. Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-11-22 19:39:45 +02:00 · 2023-11-22 19:39:45 +02:00 · 415839406a
commit 415839406a
parent e9b13938a9
1 changed files with 13 additions and 0 deletions
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@ -231,6 +231,7 @@ struct tls_data {
 	unsigned int crl_reload_interval;
 	struct os_reltime crl_last_reload;
 	char *check_cert_subject;
+	char *openssl_ciphers;
 };

 struct tls_connection {
@ -1224,6 +1225,7 @@ void tls_deinit(void *ssl_ctx)
 	}

 	os_free(data->check_cert_subject);
+	os_free(data->openssl_ciphers);
 	os_free(data);
 }

@ -3191,6 +3193,9 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags,
 	}
 #endif

+	if (!openssl_ciphers)
+		openssl_ciphers = conn->data->openssl_ciphers;
+
 #ifdef CONFIG_SUITEB
 #ifdef OPENSSL_IS_BORINGSSL
 	/* Start with defaults from BoringSSL */
@ -5689,6 +5694,14 @@ int tls_global_set_params(void *tls_ctx,
 		return -1;
 	}

+	os_free(data->openssl_ciphers);
+	if (params->openssl_ciphers) {
+		data->openssl_ciphers = os_strdup(params->openssl_ciphers);
+		if (!data->openssl_ciphers)
+			return -1;
+	} else {
+		data->openssl_ciphers = NULL;
+	}
 	if (params->openssl_ciphers &&
 	    SSL_CTX_set_cipher_list(ssl_ctx, params->openssl_ciphers) != 1) {
 		wpa_printf(MSG_INFO,