add option to allow user to set ciphers

Orignal code hard code TLS ciphers, and this patch allows user to
set ciphers via CLI, so that user can perform the TLS testing
without re-building the code.

Change-Id: I0d497f6d906af25bc7a33cee5747f9a1d63e0683
Signed-off-by: Ping Yu <ping.yu@intel.com>

diff --git a/src/plugins/tlsopenssl/tls_openssl.c b/src/plugins/tlsopenssl/tls_openssl.c
index b38b961..e42bb45 100644 (file)
--- a/src/plugins/tlsopenssl/tls_openssl.c
+++ b/src/plugins/tlsopenssl/tls_openssl.c
@@ -459,7 +459,6 @@ check_app_fifo:
 static int
 openssl_ctx_init_client (tls_ctx_t * ctx)
 {
-  char *ciphers = "ALL:!ADH:!LOW:!EXP:!MD5:!RC4-SHA:!DES-CBC3-SHA:@STRENGTH";
   long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION;
   openssl_ctx_t *oc = (openssl_ctx_t *) ctx;
   openssl_main_t *om = &openssl_main;
@@ -490,7 +489,7 @@ openssl_ctx_init_client (tls_ctx_t * ctx)
   if (om->async)
     SSL_CTX_set_mode (oc->ssl_ctx, SSL_MODE_ASYNC);
 #endif
-  rv = SSL_CTX_set_cipher_list (oc->ssl_ctx, (const char *) ciphers);
+  rv = SSL_CTX_set_cipher_list (oc->ssl_ctx, (const char *) om->ciphers);
   if (rv != 1)
     {
       TLS_DBG (1, "Couldn't set cipher");
@@ -565,11 +564,8 @@ openssl_start_listen (tls_ctx_t * lctx)
   u32 olc_index;
   openssl_listen_ctx_t *olc;
 
-  char *ciphers = "ALL:!ADH:!LOW:!EXP:!MD5:!RC4-SHA:!DES-CBC3-SHA:@STRENGTH";
   long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION;
-#ifdef HAVE_OPENSSL_ASYNC
   openssl_main_t *om = &openssl_main;
-#endif
 
   app = application_get (lctx->parent_app_index);
   if (!app->tls_cert || !app->tls_key)
@@ -595,7 +591,7 @@ openssl_start_listen (tls_ctx_t * lctx)
   SSL_CTX_set_options (ssl_ctx, flags);
   SSL_CTX_set_ecdh_auto (ssl_ctx, 1);
 
-  rv = SSL_CTX_set_cipher_list (ssl_ctx, (const char *) ciphers);
+  rv = SSL_CTX_set_cipher_list (ssl_ctx, (const char *) om->ciphers);
   if (rv != 1)
     {
       TLS_DBG (1, "Couldn't set cipher");
@@ -781,6 +777,27 @@ tls_init_ca_chain (void)
   return (rv < 0 ? -1 : 0);
 }
 
+static int
+tls_openssl_set_ciphers (char *ciphers)
+{
+  openssl_main_t *om = &openssl_main;
+  int i;
+
+  if (!ciphers)
+    {
+      return -1;
+    }
+
+  vec_validate (om->ciphers, strlen (ciphers) - 1);
+  for (i = 0; i < vec_len (om->ciphers); i++)
+    {
+      om->ciphers[i] = toupper (ciphers[i]);
+    }
+
+  return 0;
+
+}
+
 static clib_error_t *
 tls_openssl_init (vlib_main_t * vm)
 {
@@ -809,6 +826,10 @@ tls_openssl_init (vlib_main_t * vm)
 
   om->engine_init = 0;
 
+  /* default ciphers */
+  tls_openssl_set_ciphers
+    ("ALL:!ADH:!LOW:!EXP:!MD5:!RC4-SHA:!DES-CBC3-SHA:@STRENGTH");
+
   return 0;
 }
 
@@ -820,6 +841,7 @@ tls_openssl_set_command_fn (vlib_main_t * vm, unformat_input_t * input,
   openssl_main_t *om = &openssl_main;
   char *engine_name = NULL;
   char *engine_alg = NULL;
+  char *ciphers = NULL;
   u8 engine_name_set = 0;
   int i;
 
@@ -847,6 +869,10 @@ tls_openssl_set_command_fn (vlib_main_t * vm, unformat_input_t * input,
          for (i = 0; i < strnlen (engine_alg, MAX_CRYPTO_LEN); i++)
            engine_alg[i] = toupper (engine_alg[i]);
        }
+      else if (unformat (input, "ciphers %s", &ciphers))
+       {
+         tls_openssl_set_ciphers (ciphers);
+       }
       else
        return clib_error_return (0, "failed: unknown input `%U'",
                                  format_unformat_error, input);

diff --git a/src/plugins/tlsopenssl/tls_openssl.h b/src/plugins/tlsopenssl/tls_openssl.h
index a524da7..e802f45 100644 (file)
--- a/src/plugins/tlsopenssl/tls_openssl.h
+++ b/src/plugins/tlsopenssl/tls_openssl.h
@@ -46,6 +46,7 @@ typedef struct openssl_main_
   openssl_listen_ctx_t *lctx_pool;
 
   X509_STORE *cert_store;
+  u8 *ciphers;
   int engine_init;
   int async;
 } openssl_main_t;