authorPing Yu <ping.yu@intel.com>2018-08-27 09:07:13 -0400
committerFlorin Coras <florin.coras@gmail.com>2018-09-04 02:25:34 +0000
commit7eedb5fb44d5a38cb3ba059d6983e95128b97d36 (patch)
tree2f27eb7da6f50c103a3fd8da5462bfbb7a972856 /src/plugins
parent8e71529ea86018ab05c8cb77081512cbd2e413a7 (diff)
add option to allow user to set ciphers
Original code hard-codes the TLS ciphers; this patch allows the user to set ciphers via the CLI, so that the user can perform TLS testing without rebuilding the code. Change-Id: I0d497f6d906af25bc7a33cee5747f9a1d63e0683 Signed-off-by: Ping Yu <ping.yu@intel.com>
Diffstat (limited to 'src/plugins')
-rw-r--r--src/plugins/tlsopenssl/tls_openssl.c38
-rw-r--r--src/plugins/tlsopenssl/tls_openssl.h1
2 files changed, 33 insertions, 6 deletions
diff --git a/src/plugins/tlsopenssl/tls_openssl.c b/src/plugins/tlsopenssl/tls_openssl.c
index b38b9618b9f..e42bb453bfd 100644
--- a/src/plugins/tlsopenssl/tls_openssl.c
+++ b/src/plugins/tlsopenssl/tls_openssl.c
@@ -459,7 +459,6 @@ check_app_fifo:
static int
openssl_ctx_init_client (tls_ctx_t * ctx)
{
- char *ciphers = "ALL:!ADH:!LOW:!EXP:!MD5:!RC4-SHA:!DES-CBC3-SHA:@STRENGTH";
long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION;
openssl_ctx_t *oc = (openssl_ctx_t *) ctx;
openssl_main_t *om = &openssl_main;
@@ -490,7 +489,7 @@ openssl_ctx_init_client (tls_ctx_t * ctx)
if (om->async)
SSL_CTX_set_mode (oc->ssl_ctx, SSL_MODE_ASYNC);
#endif
- rv = SSL_CTX_set_cipher_list (oc->ssl_ctx, (const char *) ciphers);
+ rv = SSL_CTX_set_cipher_list (oc->ssl_ctx, (const char *) om->ciphers);
if (rv != 1)
{
TLS_DBG (1, "Couldn't set cipher");
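Review bot: OpenSSL parses the list into `oc->ssl_ctx` at this call, so a later `ciphers` setting from the CLI changes `om->ciphers` but not any SSL_CTX that was already created here or in openssl_start_listen, and neither the code nor the commit message says so. A short comment would keep the next operator from expecting a live change, e.g. `/* om->ciphers is captured per SSL_CTX; a later CLI change only affects contexts created afterwards */`. The same remark applies to the matching call in the openssl_start_listen hunk. openssl_ctx_init_client continues outside this hunk.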
@@ -565,11 +564,8 @@ openssl_start_listen (tls_ctx_t * lctx)
u32 olc_index;
openssl_listen_ctx_t *olc;
- char *ciphers = "ALL:!ADH:!LOW:!EXP:!MD5:!RC4-SHA:!DES-CBC3-SHA:@STRENGTH";
long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION;
-#ifdef HAVE_OPENSSL_ASYNC
openssl_main_t *om = &openssl_main;
-#endif
app = application_get (lctx->parent_app_index);
if (!app->tls_cert || !app->tls_key)
@@ -595,7 +591,7 @@ openssl_start_listen (tls_ctx_t * lctx)
SSL_CTX_set_options (ssl_ctx, flags);
SSL_CTX_set_ecdh_auto (ssl_ctx, 1);
- rv = SSL_CTX_set_cipher_list (ssl_ctx, (const char *) ciphers);
+ rv = SSL_CTX_set_cipher_list (ssl_ctx, (const char *) om->ciphers);
if (rv != 1)
{
TLS_DBG (1, "Couldn't set cipher");
@@ -781,6 +777,27 @@ tls_init_ca_chain (void)
return (rv < 0 ? -1 : 0);
}
+static int
+tls_openssl_set_ciphers (char *ciphers)
+{
+ openssl_main_t *om = &openssl_main;
+ int i;
+
+ if (!ciphers)
+ {
+ return -1;
+ }
+
+ vec_validate (om->ciphers, strlen (ciphers) - 1);
+ for (i = 0; i < vec_len (om->ciphers); i++)
+ {
+ om->ciphers[i] = toupper (ciphers[i]);
+ }
+
+ return 0;
+
+}
+
static clib_error_t *
tls_openssl_init (vlib_main_t * vm)
{
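Review bot: tls_openssl_set_ciphers never shrinks `om->ciphers`: vec_validate only grows the vector, so when the CLI later sets a list shorter than the default installed by tls_openssl_init, `vec_len (om->ciphers)` keeps the old length and the loop at `om->ciphers[i] = toupper (ciphers[i])` reads past the terminator of the new string and copies those bytes into the tail of the list. The vector also never receives a trailing NUL, although both SSL_CTX_set_cipher_list callers in this file cast it to `const char *`, so OpenSSL depends on whatever byte happens to follow the allocation. An empty string would additionally pass `strlen (ciphers) - 1`, i.e. `(size_t) -1`, to vec_validate. Reset the length, size the vector for the terminator and write it explicitly; `toupper` should also be given an `unsigned char`, since `char` may be signed.
```c
tls_openssl_set_ciphers (char *ciphers)
{
  openssl_main_t *om = &openssl_main;
  size_t len, i;
  /* … unchanged: NULL check returning -1 … */
  len = strlen (ciphers);
  vec_reset_length (om->ciphers);
  /* len + 1 slots so the list is NUL-terminated for SSL_CTX_set_cipher_list */
  vec_validate (om->ciphers, len);
  for (i = 0; i < len; i++)
    {
      om->ciphers[i] = toupper ((unsigned char) ciphers[i]);
    }
  om->ciphers[len] = 0;
  /* … unchanged: return 0 … */
```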
@@ -809,6 +826,10 @@ tls_openssl_init (vlib_main_t * vm)
om->engine_init = 0;
+ /* default ciphers */
+ tls_openssl_set_ciphers
+ ("ALL:!ADH:!LOW:!EXP:!MD5:!RC4-SHA:!DES-CBC3-SHA:@STRENGTH");
+
return 0;
}
@@ -820,6 +841,7 @@ tls_openssl_set_command_fn (vlib_main_t * vm, unformat_input_t * input,
openssl_main_t *om = &openssl_main;
char *engine_name = NULL;
char *engine_alg = NULL;
+ char *ciphers = NULL;
u8 engine_name_set = 0;
int i;
@@ -847,6 +869,10 @@ tls_openssl_set_command_fn (vlib_main_t * vm, unformat_input_t * input,
for (i = 0; i < strnlen (engine_alg, MAX_CRYPTO_LEN); i++)
engine_alg[i] = toupper (engine_alg[i]);
}
+ else if (unformat (input, "ciphers %s", &ciphers))
+ {
+ tls_openssl_set_ciphers (ciphers);
+ }
else
return clib_error_return (0, "failed: unknown input `%U'",
format_unformat_error, input);
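Review bot: The buffer that `unformat (input, "ciphers %s", &ciphers)` fills is, as I read the VPP unformat contract for `%s`, a freshly allocated vector, and tls_openssl_set_ciphers copies it into `om->ciphers` without this caller ever releasing it, so each CLI invocation leaks the string unless it is freed after the parse loop outside this hunk; `vec_free (ciphers);` directly after the `tls_openssl_set_ciphers (ciphers);` call would close that. The new list is also not validated here: a mistyped list is only detected when the next SSL_CTX is created, where SSL_CTX_set_cipher_list fails and new TLS sessions fail with nothing more than a `TLS_DBG (1, "Couldn't set cipher")` trace, so the CLI reports success for a setting that breaks subsequent connections. tls_openssl_set_command_fn begins and ends outside this hunk.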
diff --git a/src/plugins/tlsopenssl/tls_openssl.h b/src/plugins/tlsopenssl/tls_openssl.h
index a524da74cee..e802f4523ea 100644
--- a/src/plugins/tlsopenssl/tls_openssl.h
+++ b/src/plugins/tlsopenssl/tls_openssl.h
@@ -46,6 +46,7 @@ typedef struct openssl_main_
openssl_listen_ctx_t *lctx_pool;
X509_STORE *cert_store;
+ u8 *ciphers;
int engine_init;
int async;
} openssl_main_t;
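Review bot: The new `ciphers` field is undocumented, and its `u8 *` type gives no hint that it is a vector whose contents are handed to SSL_CTX_set_cipher_list as a C string, nor that, as far as this patch shows, tls_openssl_set_ciphers is its only writer. A trailing comment would fix that, e.g. `u8 *ciphers; /* cipher list vector for SSL_CTX_set_cipher_list; written by tls_openssl_set_ciphers */`. The enclosing `openssl_main_` struct starts outside this hunk.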