From: Subodh Iyengar
Date: Wed, 1 Jun 2016 08:45:00 +0000 (-0700)
Subject: Methods to change cipher suite list
X-Git-Tag: 2016.07.26~174
X-Git-Url: http://plrg.eecs.uci.edu/git/?a=commitdiff_plain;h=7030ff9c5a8fae4bc51cf4ea239f477aa977157c;p=folly.git

Methods to change cipher suite list
Summary: Add methods to change cipher suite list and sigalg list
Reviewed By: anirudhvr
Differential Revision: D3295935
fbshipit-source-id: eb46311986465e399eafa69e3070b53b36bce820
---
diff --git a/folly/io/async/SSLContext.cpp b/folly/io/async/SSLContext.cpp
index c4f052b8..f0862263 100644
--- a/folly/io/async/SSLContext.cpp
+++ b/folly/io/async/SSLContext.cpp
@@ -82,6 +82,8 @@ SSLContext::SSLContext(SSLVersion version) {
   checkPeerName_ = false;
+  SSL_CTX_set_options(ctx_, SSL_OP_NO_COMPRESSION);
+
 #if OPENSSL_VERSION_NUMBER >= 0x1000105fL && !defined(OPENSSL_NO_TLSEXT)
   SSL_CTX_set_tlsext_servername_callback(ctx_, baseServerNameOpenSSLCallback);
   SSL_CTX_set_tlsext_servername_arg(ctx_, this);
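Review bot: The new `SSL_CTX_set_options(ctx_, SSL_OP_NO_COMPRESSION);` line carries no comment, and a future reader may take it for an arbitrary default and drop it. It is a deliberate hardening: TLS-level compression lets a party that controls part of the plaintext infer secrets from compressed record lengths (the CRIME class of weaknesses), so disabling it for every context is the right default. I'd put `// Disable TLS compression: compressed record lengths leak plaintext (CRIME).` directly above the call, and the commit message could mention it too, since the title only speaks of cipher-suite methods. The return value of SSL_CTX_set_options is the resulting option mask rather than a status, so not checking it here is fine. The constructor continues outside the hunk.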
@@ -104,13 +106,59 @@ void SSLContext::ciphers(const std::string& ciphers) {
   setCiphersOrThrow(ciphers);
 }
 
+void SSLContext::setCipherList(const std::vector& ciphers) {
+  if (ciphers.size() == 0) {
+    return;
+  }
+  std::string opensslCipherList;
+  join(":", ciphers, opensslCipherList);
+  setCiphersOrThrow(opensslCipherList);
+}
+
+void SSLContext::setSignatureAlgorithms(
+    const std::vector& sigalgs) {
+  if (sigalgs.size() == 0) {
+    return;
+  }
+#if OPENSSL_VERSION_NUMBER >= 0x1000200fL
+  std::string opensslSigAlgsList;
+  join(":", sigalgs, opensslSigAlgsList);
+  int rc = SSL_CTX_set1_sigalgs_list(ctx_, opensslSigAlgsList.c_str());
+  if (rc == 0) {
+    throw std::runtime_error("SSL_CTX_set1_sigalgs_list " + getErrors());
+  }
+#endif
+}
+
+void SSLContext::setClientECCurvesList(
+    const std::vector& ecCurves) {
+  if (ecCurves.size() == 0) {
+    return;
+  }
+#if OPENSSL_VERSION_NUMBER >= 0x1000200fL
+  std::string ecCurvesList;
+  join(":", ecCurves, ecCurvesList);
+  int rc = SSL_CTX_set1_curves_list(ctx_, ecCurvesList.c_str());
+  if (rc == 0) {
+    throw std::runtime_error("SSL_CTX_set1_curves_list " + getErrors());
+  }
+#endif
+}
+
+void SSLContext::setX509VerifyParam(
+    const ssl::X509VerifyParam& x509VerifyParam) {
+  if (!x509VerifyParam) {
+    return;
+  }
+  if (SSL_CTX_set1_param(ctx_, x509VerifyParam.get()) != 1) {
+    throw std::runtime_error("SSL_CTX_set1_param " + getErrors());
+  }
+}
+
 void SSLContext::setCiphersOrThrow(const std::string& ciphers) {
   int rc = SSL_CTX_set_cipher_list(ctx_, ciphers.c_str());
-  if (ERR_peek_error() != 0) {
-    throw std::runtime_error("SSL_CTX_set_cipher_list: " + getErrors());
-  }
   if (rc == 0) {
-    throw std::runtime_error("None of specified ciphers are supported");
+    throw std::runtime_error("SSL_CTX_set_cipher_list: " + getErrors());
   }
 }
 
diff --git a/folly/io/async/SSLContext.h b/folly/io/async/SSLContext.h
index 81c8a210..83f0ad22 100644
--- a/folly/io/async/SSLContext.h
+++ b/folly/io/async/SSLContext.h
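Review bot: `setSignatureAlgorithms` and `setClientECCurvesList` silently become no-ops when OPENSSL_VERSION_NUMBER is below 0x1000200fL, because everything after the empty-list guard sits inside the `#if` and nothing runs otherwise, so a caller that restricts sigalgs or curves for security gets the OpenSSL defaults with no indication. For a hardening setter the loud failure is preferable: add `#else` / `throw std::runtime_error("SSL_CTX_set1_sigalgs_list requires OpenSSL 1.0.2+");` (and the equivalent for curves) so the caller finds out instead of assuming the restriction took effect. A smaller point on `setCiphersOrThrow`: with the ERR_peek_error check gone the function relies on rc alone, and SSL_CTX_set_cipher_list returns 1 as long as at least one name matched, so a misspelled entry in an otherwise valid list is accepted silently; worth a comment on the `if (rc == 0)` line saying so. The `ciphers.size() == 0` / `sigalgs.size() == 0` / `ecCurves.size() == 0` guards read better as `.empty()`. The vector element type is not visible in this rendering (presumably std::string, given the join into a std::string).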
@@ -133,12 +133,39 @@ class SSLContext {
    */
   virtual void ciphers(const std::string& ciphers);
 
+  /**
+   * Set default ciphers to be used in SSL handshake process.
+   *
+   * @param ciphers A list of ciphers to use for TLS.
+   */
+  virtual void setCipherList(const std::vector& ciphers);
+
   /**
    * Low-level method that attempts to set the provided ciphers on the
    * SSL_CTX object, and throws if something goes wrong.
    */
   virtual void setCiphersOrThrow(const std::string& ciphers);
 
+  /**
+   * Sets the signature algorithms to be used during SSL negotiation
+   * for TLS1.2+
+   *
+   * @param sigalgs A list of signature algorithms, eg. RSA+SHA512
+   */
+  void setSignatureAlgorithms(const std::vector& sigalgs);
+
+  /**
+   * Sets the list of EC curves supported by the client.
+   *
+   * @param ecCurves A list of ec curves, eg: P-256
+   */
+  void setClientECCurvesList(const std::vector& ecCurves);
+
+  /**
+   * Sets an x509 verification param on the context.
+   */
+  void setX509VerifyParam(const ssl::X509VerifyParam& x509VerifyParam);
+
   /**
    * Method to set verification option in the context object.
    *
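Review bot: The new doc comments leave out the behaviour a caller most needs to know: each list setter returns without doing anything when given an empty vector, and `setSignatureAlgorithms`, `setClientECCurvesList` and `setX509VerifyParam` throw std::runtime_error when the underlying SSL_CTX call fails — neither is stated here, and the first two are additionally compiled out on OpenSSL older than 1.0.2 as written in the .cpp, which the header should say so that nobody relies on a restriction that was never applied. I'd add `@throws std::runtime_error if OpenSSL rejects the list` and `An empty list is ignored.` to each of those blocks, and note that `setX509VerifyParam` ignores a null param. Also, `setCipherList` is declared `virtual` like `ciphers` and `setCiphersOrThrow`, while the three other new setters are not; either all of the new setters should be overridable or none, and the choice should be deliberate. The enclosing `class SSLContext` starts and ends outside the hunk.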