add option to allow user to set ciphers

Orignal code hard code TLS ciphers, and this patch allows user to
set ciphers via CLI, so that user can perform the TLS testing
without re-building the code.

Change-Id: I0d497f6d906af25bc7a33cee5747f9a1d63e0683
Signed-off-by: Ping Yu <ping.yu@intel.com>

2 files changed, 33 insertions, 6 deletions

diff --git a/src/plugins/tlsopenssl/tls_openssl.c b/src/plugins/tlsopenssl/tls_openssl.c
index b38b9618b9f..e42bb453bfd 100644
--- a/src/plugins/tlsopenssl/tls_openssl.c
+++ b/src/plugins/tlsopenssl/tls_openssl.c
@@ -459,7 +459,6 @@ check_app_fifo:
 static int
 openssl_ctx_init_client (tls_ctx_t * ctx)
 {
-  char *ciphers = "ALL:!ADH:!LOW:!EXP:!MD5:!RC4-SHA:!DES-CBC3-SHA:@STRENGTH";
   long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION;
   openssl_ctx_t *oc = (openssl_ctx_t *) ctx;
   openssl_main_t *om = &openssl_main;
@@ -490,7 +489,7 @@ openssl_ctx_init_client (tls_ctx_t * ctx)
   if (om->async)
     SSL_CTX_set_mode (oc->ssl_ctx, SSL_MODE_ASYNC);
 #endif
-  rv = SSL_CTX_set_cipher_list (oc->ssl_ctx, (const char *) ciphers);
+  rv = SSL_CTX_set_cipher_list (oc->ssl_ctx, (const char *) om->ciphers);
   if (rv != 1)
     {
       TLS_DBG (1, "Couldn't set cipher");
@@ -565,11 +564,8 @@ openssl_start_listen (tls_ctx_t * lctx)
   u32 olc_index;
   openssl_listen_ctx_t *olc;
 
-  char *ciphers = "ALL:!ADH:!LOW:!EXP:!MD5:!RC4-SHA:!DES-CBC3-SHA:@STRENGTH";
   long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION;
-#ifdef HAVE_OPENSSL_ASYNC
   openssl_main_t *om = &openssl_main;
-#endif
 
   app = application_get (lctx->parent_app_index);
   if (!app->tls_cert || !app->tls_key)
@@ -595,7 +591,7 @@ openssl_start_listen (tls_ctx_t * lctx)
   SSL_CTX_set_options (ssl_ctx, flags);
   SSL_CTX_set_ecdh_auto (ssl_ctx, 1);
 
-  rv = SSL_CTX_set_cipher_list (ssl_ctx, (const char *) ciphers);
+  rv = SSL_CTX_set_cipher_list (ssl_ctx, (const char *) om->ciphers);
   if (rv != 1)
     {
       TLS_DBG (1, "Couldn't set cipher");
@@ -781,6 +777,27 @@ tls_init_ca_chain (void)
   return (rv < 0 ? -1 : 0);
 }
 
+static int
+tls_openssl_set_ciphers (char *ciphers)
+{
+  openssl_main_t *om = &openssl_main;
+  int i;
+
+  if (!ciphers)
+    {
+      return -1;
+    }
+
+  vec_validate (om->ciphers, strlen (ciphers) - 1);
+  for (i = 0; i < vec_len (om->ciphers); i++)
+    {
+      om->ciphers[i] = toupper (ciphers[i]);
+    }
+
+  return 0;
+
+}
+
 static clib_error_t *
 tls_openssl_init (vlib_main_t * vm)
 {
@@ -809,6 +826,10 @@ tls_openssl_init (vlib_main_t * vm)
 
   om->engine_init = 0;
 
+  /* default ciphers */
+  tls_openssl_set_ciphers
+    ("ALL:!ADH:!LOW:!EXP:!MD5:!RC4-SHA:!DES-CBC3-SHA:@STRENGTH");
+
   return 0;
 }
 
@@ -820,6 +841,7 @@ tls_openssl_set_command_fn (vlib_main_t * vm, unformat_input_t * input,
   openssl_main_t *om = &openssl_main;
   char *engine_name = NULL;
   char *engine_alg = NULL;
+  char *ciphers = NULL;
   u8 engine_name_set = 0;
   int i;
 
@@ -847,6 +869,10 @@ tls_openssl_set_command_fn (vlib_main_t * vm, unformat_input_t * input,
 	  for (i = 0; i < strnlen (engine_alg, MAX_CRYPTO_LEN); i++)
 	    engine_alg[i] = toupper (engine_alg[i]);
 	}
+      else if (unformat (input, "ciphers %s", &ciphers))
+	{
+	  tls_openssl_set_ciphers (ciphers);
+	}
       else
 	return clib_error_return (0, "failed: unknown input `%U'",
 				  format_unformat_error, input);
diff --git a/src/plugins/tlsopenssl/tls_openssl.h b/src/plugins/tlsopenssl/tls_openssl.h
index a524da74cee..e802f4523ea 100644
--- a/src/plugins/tlsopenssl/tls_openssl.h
+++ b/src/plugins/tlsopenssl/tls_openssl.h
@@ -46,6 +46,7 @@ typedef struct openssl_main_
   openssl_listen_ctx_t *lctx_pool;
 
   X509_STORE *cert_store;
+  u8 *ciphers;
   int engine_init;
   int async;
 } openssl_main_t;