OpenSSL: Allow openssl_ciphers override with Suite B config on server
authorJouni Malinen <quic_jouni@quicinc.com>
Wed, 22 Nov 2023 17:39:45 +0000 (19:39 +0200)
committerJouni Malinen <j@w1.fi>
Wed, 22 Nov 2023 17:39:45 +0000 (19:39 +0200)
The openssl_ciphers parameter is a global data entry on the server,
unlike the per-connection design used on the client. As such, hostapd needs
to make a local copy of the global value and use that whenever setting
per-connection parameters. This is needed particularly when testing
Suite B functionality where the Suite B specific parameters might end up
overriding the cipher list.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
src/crypto/tls_openssl.c

index 6197852247ae276d74ae2056c9cfa8082c5fbf69..5aff0d16187108e8404885f1ceae50eaf37a8530 100644 (file)
@@ -231,6 +231,7 @@ struct tls_data {
        unsigned int crl_reload_interval;
        struct os_reltime crl_last_reload;
        char *check_cert_subject;
+       char *openssl_ciphers;
 };
 
 struct tls_connection {
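Review bot: The new `openssl_ciphers` member is undocumented, and its role is not evident from the name alone: per the commit message it is a private copy of the server-wide cipher list, and the tls_deinit() hunk shows this struct owns and frees it. A short field comment would make both points explicit, e.g. `/* Copy of the global openssl_ciphers parameter (server side); owned here, used as the per-connection default */`. The neighbouring fields carry no comments either, so this may be the file's convention, but the ownership of a heap string is worth stating.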
@@ -1224,6 +1225,7 @@ void tls_deinit(void *ssl_ctx)
        }
 
        os_free(data->check_cert_subject);
+       os_free(data->openssl_ciphers);
        os_free(data);
 }
 
@@ -3191,6 +3193,9 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags,
        }
 #endif
 
+       if (!openssl_ciphers)
+               openssl_ciphers = conn->data->openssl_ciphers;
+
 #ifdef CONFIG_SUITEB
 #ifdef OPENSSL_IS_BORINGSSL
        /* Start with defaults from BoringSSL */
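Review bot: The fallback at the top of this hunk makes `openssl_ciphers` alias a buffer owned by `conn->data`, which is released in tls_deinit(), and nothing in the hunk says so; a one-line comment would keep a later change from caching that pointer in the connection object. Suggested: `/* No per-connection list given: fall back to the server-wide copy (owned by conn->data, freed in tls_deinit()) */`. Reassigning the parameter in place is fine as long as the function does not later need the caller's original value; tls_set_conn_flags starts before this hunk, so that cannot be confirmed here.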
@@ -5689,6 +5694,14 @@ int tls_global_set_params(void *tls_ctx,
                return -1;
        }
 
+       os_free(data->openssl_ciphers);
+       if (params->openssl_ciphers) {
+               data->openssl_ciphers = os_strdup(params->openssl_ciphers);
+               if (!data->openssl_ciphers)
+                       return -1;
+       } else {
+               data->openssl_ciphers = NULL;
+       }
        if (params->openssl_ciphers &&
            SSL_CTX_set_cipher_list(ssl_ctx, params->openssl_ciphers) != 1) {
                wpa_printf(MSG_INFO,
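Review bot: The copy into `data->openssl_ciphers` is stored before `SSL_CTX_set_cipher_list()` has validated the string, so if OpenSSL rejects the list the context keeps its previous cipher list while `data` now records the rejected one, and every later connection would retry it through the per-connection fallback. Either make the copy only after the set_cipher_list call succeeds, or clear it on that error path with `os_free(data->openssl_ciphers); data->openssl_ciphers = NULL;` next to the existing wpa_printf. Whether that branch returns -1 is not visible here, since the error branch continues past the end of the hunk. A smaller style point: the `else { data->openssl_ciphers = NULL; }` branch can go if the NULL assignment is done directly after the os_free().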