OpenSSL: Allow openssl_ciphers override with Suite B config on server

The openssl_ciphers parameter is a global data entry on the server
instead of the per-connection design on client. As such, hostapd needs
to make a local copy of the global value and use that whenever setting
per-connection parameters. This is needed particularly when testing
Suite B functionality where the Suite B specific parameters might end up
overriding the cipher list.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This commit is contained in:
Jouni Malinen 2023-11-22 19:39:45 +02:00 committed by Jouni Malinen
parent e9b13938a9
commit 415839406a

View file

@ -231,6 +231,7 @@ struct tls_data {
unsigned int crl_reload_interval;
struct os_reltime crl_last_reload;
char *check_cert_subject;
char *openssl_ciphers;
};
struct tls_connection {
@ -1224,6 +1225,7 @@ void tls_deinit(void *ssl_ctx)
}
os_free(data->check_cert_subject);
os_free(data->openssl_ciphers);
os_free(data);
}
@ -3191,6 +3193,9 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags,
}
#endif
if (!openssl_ciphers)
openssl_ciphers = conn->data->openssl_ciphers;
#ifdef CONFIG_SUITEB
#ifdef OPENSSL_IS_BORINGSSL
/* Start with defaults from BoringSSL */
@ -5689,6 +5694,14 @@ int tls_global_set_params(void *tls_ctx,
return -1;
}
os_free(data->openssl_ciphers);
if (params->openssl_ciphers) {
data->openssl_ciphers = os_strdup(params->openssl_ciphers);
if (!data->openssl_ciphers)
return -1;
} else {
data->openssl_ciphers = NULL;
}
if (params->openssl_ciphers &&
SSL_CTX_set_cipher_list(ssl_ctx, params->openssl_ciphers) != 1) {
wpa_printf(MSG_INFO,