Methods to change cipher suite list

author Subodh Iyengar <subodh@fb.com>

Wed, 1 Jun 2016 08:45:00 +0000 (01:45 -0700)

committer Facebook Github Bot 4 <facebook-github-bot-4-bot@fb.com>

Wed, 1 Jun 2016 08:53:24 +0000 (01:53 -0700)
author Subodh Iyengar <subodh@fb.com>
Wed, 1 Jun 2016 08:45:00 +0000 (01:45 -0700)
committer Facebook Github Bot 4 <facebook-github-bot-4-bot@fb.com>
Wed, 1 Jun 2016 08:53:24 +0000 (01:53 -0700)
diff --git a/folly/io/async/SSLContext.cpp b/folly/io/async/SSLContext.cpp

index c4f052b8112d57f0a3a66945188d44be8940fffc..f0862263b842176dfe48541878b7e6576fa56204 100644 (file)
--- a/folly/io/async/SSLContext.cpp
+++ b/folly/io/async/SSLContext.cpp
@@ -82,6 +82,8 @@ SSLContext::SSLContext(SSLVersion version) {
  
    checkPeerName_ = false;
  
  
    checkPeerName_ = false;
  
+  SSL_CTX_set_options(ctx_, SSL_OP_NO_COMPRESSION);
+
  #if OPENSSL_VERSION_NUMBER >= 0x1000105fL && !defined(OPENSSL_NO_TLSEXT)
    SSL_CTX_set_tlsext_servername_callback(ctx_, baseServerNameOpenSSLCallback);
    SSL_CTX_set_tlsext_servername_arg(ctx_, this);
  #if OPENSSL_VERSION_NUMBER >= 0x1000105fL && !defined(OPENSSL_NO_TLSEXT)
    SSL_CTX_set_tlsext_servername_callback(ctx_, baseServerNameOpenSSLCallback);
    SSL_CTX_set_tlsext_servername_arg(ctx_, this);
@@ -104,13 +106,59 @@ void SSLContext::ciphers(const std::string& ciphers) {
    setCiphersOrThrow(ciphers);
  }
  
    setCiphersOrThrow(ciphers);
  }
  
+void SSLContext::setCipherList(const std::vector<std::string>& ciphers) {
+  if (ciphers.size() == 0) {
+    return;
+  }
+  std::string opensslCipherList;
+  join(":", ciphers, opensslCipherList);
+  setCiphersOrThrow(opensslCipherList);
+}
+
+void SSLContext::setSignatureAlgorithms(
+    const std::vector<std::string>& sigalgs) {
+  if (sigalgs.size() == 0) {
+    return;
+  }
+#if OPENSSL_VERSION_NUMBER >= 0x1000200fL
+  std::string opensslSigAlgsList;
+  join(":", sigalgs, opensslSigAlgsList);
+  int rc = SSL_CTX_set1_sigalgs_list(ctx_, opensslSigAlgsList.c_str());
+  if (rc == 0) {
+    throw std::runtime_error("SSL_CTX_set1_sigalgs_list " + getErrors());
+  }
+#endif
+}
+
+void SSLContext::setClientECCurvesList(
+    const std::vector<std::string>& ecCurves) {
+  if (ecCurves.size() == 0) {
+    return;
+  }
+#if OPENSSL_VERSION_NUMBER >= 0x1000200fL
+  std::string ecCurvesList;
+  join(":", ecCurves, ecCurvesList);
+  int rc = SSL_CTX_set1_curves_list(ctx_, ecCurvesList.c_str());
+  if (rc == 0) {
+    throw std::runtime_error("SSL_CTX_set1_curves_list " + getErrors());
+  }
+#endif
+}
+
+void SSLContext::setX509VerifyParam(
+    const ssl::X509VerifyParam& x509VerifyParam) {
+  if (!x509VerifyParam) {
+    return;
+  }
+  if (SSL_CTX_set1_param(ctx_, x509VerifyParam.get()) != 1) {
+    throw std::runtime_error("SSL_CTX_set1_param " + getErrors());
+  }
+}
+
  void SSLContext::setCiphersOrThrow(const std::string& ciphers) {
    int rc = SSL_CTX_set_cipher_list(ctx_, ciphers.c_str());
  void SSLContext::setCiphersOrThrow(const std::string& ciphers) {
    int rc = SSL_CTX_set_cipher_list(ctx_, ciphers.c_str());
-  if (ERR_peek_error() != 0) {
-    throw std::runtime_error("SSL_CTX_set_cipher_list: " + getErrors());
-  }
    if (rc == 0) {
    if (rc == 0) {
-    throw std::runtime_error("None of specified ciphers are supported");
+    throw std::runtime_error("SSL_CTX_set_cipher_list: " + getErrors());
    }
  }
  
    }
  }
  
diff --git a/folly/io/async/SSLContext.h b/folly/io/async/SSLContext.h

index 81c8a210de52bf2d65530a97745820ad2d2a2356..83f0ad22442ae21300c894b563f8730b1639a53d 100644 (file)
--- a/folly/io/async/SSLContext.h
+++ b/folly/io/async/SSLContext.h
@@ -133,12 +133,39 @@ class SSLContext {
     */
    virtual void ciphers(const std::string& ciphers);
  
     */
    virtual void ciphers(const std::string& ciphers);
  
+  /**
+   * Set default ciphers to be used in SSL handshake process.
+   *
+   * @param ciphers A list of ciphers to use for TLS.
+   */
+  virtual void setCipherList(const std::vector<std::string>& ciphers);
+
    /**
     * Low-level method that attempts to set the provided ciphers on the
     * SSL_CTX object, and throws if something goes wrong.
     */
    virtual void setCiphersOrThrow(const std::string& ciphers);
  
    /**
     * Low-level method that attempts to set the provided ciphers on the
     * SSL_CTX object, and throws if something goes wrong.
     */
    virtual void setCiphersOrThrow(const std::string& ciphers);
  
+  /**
+   * Sets the signature algorithms to be used during SSL negotiation
+   * for TLS1.2+
+   *
+   * @param sigalgs A list of signature algorithms, eg. RSA+SHA512
+   */
+  void setSignatureAlgorithms(const std::vector<std::string>& sigalgs);
+
+  /**
+   * Sets the list of EC curves supported by the client.
+   *
+   * @param ecCurves A list of ec curves, eg: P-256
+   */
+  void setClientECCurvesList(const std::vector<std::string>& ecCurves);
+
+  /**
+   * Sets an x509 verification param on the context.
+   */
+  void setX509VerifyParam(const ssl::X509VerifyParam& x509VerifyParam);
+
    /**
     * Method to set verification option in the context object.
     *
    /**
     * Method to set verification option in the context object.
     *
author	Subodh Iyengar <subodh@fb.com>
	Wed, 1 Jun 2016 08:45:00 +0000 (01:45 -0700)
committer	Facebook Github Bot 4 <facebook-github-bot-4-bot@fb.com>
	Wed, 1 Jun 2016 08:53:24 +0000 (01:53 -0700)
folly/io/async/SSLContext.cpp		patch \| blob \| history
folly/io/async/SSLContext.h		patch \| blob \| history