author | Ping Yu <ping.yu@intel.com> | 2018-08-27 09:07:13 -0400 |
---|---|---|
committer | Florin Coras <florin.coras@gmail.com> | 2018-09-04 02:25:34 +0000 |
commit | 7eedb5fb44d5a38cb3ba059d6983e95128b97d36 (patch) | |
tree | 2f27eb7da6f50c103a3fd8da5462bfbb7a972856 /src/plugins | |
parent | 8e71529ea86018ab05c8cb77081512cbd2e413a7 (diff) |
add option to allow user to set ciphers
The original code hard-codes the TLS ciphers; this patch lets the user
set the ciphers via the CLI, so that TLS testing can be performed
without rebuilding the code.
Change-Id: I0d497f6d906af25bc7a33cee5747f9a1d63e0683
Signed-off-by: Ping Yu <ping.yu@intel.com>
Diffstat (limited to 'src/plugins')
-rw-r--r-- | src/plugins/tlsopenssl/tls_openssl.c | 38 | ||||
-rw-r--r-- | src/plugins/tlsopenssl/tls_openssl.h | 1 |
2 files changed, 33 insertions, 6 deletions
diff --git a/src/plugins/tlsopenssl/tls_openssl.c b/src/plugins/tlsopenssl/tls_openssl.c
index b38b9618b9f..e42bb453bfd 100644
--- a/src/plugins/tlsopenssl/tls_openssl.c
+++ b/src/plugins/tlsopenssl/tls_openssl.c
@@ -459,7 +459,6 @@ check_app_fifo:
 static int
 openssl_ctx_init_client (tls_ctx_t * ctx)
 {
- char *ciphers = "ALL:!ADH:!LOW:!EXP:!MD5:!RC4-SHA:!DES-CBC3-SHA:@STRENGTH";
 long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION;
 openssl_ctx_t *oc = (openssl_ctx_t *) ctx;
 openssl_main_t *om = &openssl_main;
@@ -490,7 +489,7 @@ openssl_ctx_init_client (tls_ctx_t * ctx)
 if (om->async)
 SSL_CTX_set_mode (oc->ssl_ctx, SSL_MODE_ASYNC);
 #endif
- rv = SSL_CTX_set_cipher_list (oc->ssl_ctx, (const char *) ciphers);
+ rv = SSL_CTX_set_cipher_list (oc->ssl_ctx, (const char *) om->ciphers);
 if (rv != 1)
 {
 TLS_DBG (1, "Couldn't set cipher");
@@ -565,11 +564,8 @@ openssl_start_listen (tls_ctx_t * lctx)
 u32 olc_index;
 openssl_listen_ctx_t *olc;
- char *ciphers = "ALL:!ADH:!LOW:!EXP:!MD5:!RC4-SHA:!DES-CBC3-SHA:@STRENGTH";
 long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION;
-#ifdef HAVE_OPENSSL_ASYNC
 openssl_main_t *om = &openssl_main;
-#endif
 app = application_get (lctx->parent_app_index);
 if (!app->tls_cert || !app->tls_key)
@@ -595,7 +591,7 @@ openssl_start_listen (tls_ctx_t * lctx)
 SSL_CTX_set_options (ssl_ctx, flags);
 SSL_CTX_set_ecdh_auto (ssl_ctx, 1);
- rv = SSL_CTX_set_cipher_list (ssl_ctx, (const char *) ciphers);
+ rv = SSL_CTX_set_cipher_list (ssl_ctx, (const char *) om->ciphers);
 if (rv != 1)
 {
 TLS_DBG (1, "Couldn't set cipher");
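Review bot: At the two rewritten SSL_CTX_set_cipher_list calls (hunks at -490 and -595) om->ciphers is handed to OpenSSL as a C string, but it is a vppinfra u8 vector that the new tls_openssl_set_ciphers later in this diff sizes to exactly strlen(ciphers), so nothing in the change guarantees a terminating NUL and OpenSSL may read past the vector. The setter should append one after the copy, `vec_add1 (om->ciphers, 0);`. A second consequence of the list now being operator-supplied is that a malformed cipher string is only discovered here, per context, as a level-1 `TLS_DBG (1, "Couldn't set cipher")`, so every subsequent client connect and listen fails with no visible error; validating the string once at set time (for example against a throwaway SSL_CTX) would report the problem to the CLI user instead. Both openssl_ctx_init_client and openssl_start_listen start and end outside these hunks.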
@@ -781,6 +777,27 @@ tls_init_ca_chain (void)
 return (rv < 0 ? -1 : 0);
 }
+static int
+tls_openssl_set_ciphers (char *ciphers)
+{
+ openssl_main_t *om = &openssl_main;
+ int i;
+
+ if (!ciphers)
+ {
+ return -1;
+ }
+
+ vec_validate (om->ciphers, strlen (ciphers) - 1);
+ for (i = 0; i < vec_len (om->ciphers); i++)
+ {
+ om->ciphers[i] = toupper (ciphers[i]);
+ }
+
+ return 0;
+
+}
+
 static clib_error_t *
 tls_openssl_init (vlib_main_t * vm)
 {
@@ -809,6 +826,10 @@ tls_openssl_init (vlib_main_t * vm)
 om->engine_init = 0;
+ /* default ciphers */
+ tls_openssl_set_ciphers
+ ("ALL:!ADH:!LOW:!EXP:!MD5:!RC4-SHA:!DES-CBC3-SHA:@STRENGTH");
+
 return 0;
 }
@@ -820,6 +841,7 @@ tls_openssl_set_command_fn (vlib_main_t * vm, unformat_input_t * input,
 openssl_main_t *om = &openssl_main;
 char *engine_name = NULL;
 char *engine_alg = NULL;
+ char *ciphers = NULL;
 u8 engine_name_set = 0;
 int i;
@@ -847,6 +869,10 @@ tls_openssl_set_command_fn (vlib_main_t * vm, unformat_input_t * input,
 for (i = 0; i < strnlen (engine_alg, MAX_CRYPTO_LEN); i++)
 engine_alg[i] = toupper (engine_alg[i]);
 }
+ else if (unformat (input, "ciphers %s", &ciphers))
+ {
+ tls_openssl_set_ciphers (ciphers);
+ }
 else
 return clib_error_return (0, "failed: unknown input `%U'",
 format_unformat_error, input);
diff --git a/src/plugins/tlsopenssl/tls_openssl.h b/src/plugins/tlsopenssl/tls_openssl.h
index a524da74cee..e802f4523ea 100644
--- a/src/plugins/tlsopenssl/tls_openssl.h
+++ b/src/plugins/tlsopenssl/tls_openssl.h
@@ -46,6 +46,7 @@ typedef struct openssl_main_
 openssl_listen_ctx_t *lctx_pool;
 X509_STORE *cert_store;
+ u8 *ciphers;
 int engine_init;
 int async;
 } openssl_main_t;
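Review bot: tls_openssl_set_ciphers (hunk at -781) overlays the new string on whatever om->ciphers already holds: vec_validate never shrinks a vector, so once tls_openssl_init has installed the default list a shorter string given on the CLI leaves vec_len at the old size, and the copy loop then reads `ciphers[i]` past the end of the caller's string while keeping the stale tail of the previous list. An empty string also underflows `strlen (ciphers) - 1` and should be rejected up front. I would also drop the toupper and copy the bytes verbatim, because as far as I can tell OpenSSL matches cipher-list tokens case-sensitively and documents mixed-case aliases such as aNULL, eNULL and kRSA, so uppercasing an exclusion like `!aNULL` turns it into an unknown token that is silently ignored and weakens the policy the operator asked for. In the CLI hunk at -847 the result should be checked, `if (tls_openssl_set_ciphers (ciphers)) return clib_error_return (0, "invalid ciphers");`, and the unformat-allocated `ciphers` freed once it has been copied; tls_openssl_set_command_fn continues outside that hunk.
```c
static int
tls_openssl_set_ciphers (char *ciphers)
{
  openssl_main_t *om = &openssl_main;
  uword len;

  if (!ciphers || ciphers[0] == '\0')
    {
      return -1;
    }

  len = strlen (ciphers);
  /* Replace, rather than overlay, any previously installed list, and keep
   * the operator's spelling: OpenSSL cipher-list aliases are case-sensitive. */
  vec_reset_length (om->ciphers);
  vec_add (om->ciphers, ciphers, len);
  vec_add1 (om->ciphers, 0);	/* SSL_CTX_set_cipher_list expects a C string */

  return 0;
}
```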