Don't accept cipherlist with no usable ciphers

trondn · daverigby · commit 3ad8757a1838 · 2019-08-23T11:44:34.000Z
Fail if we cannot use any of the ciphers provided in the list of ciphers (to avoid ending up in a situation where memcached only listens on an SSL socket, but that cannot be used as there is no cipher to use) Change-Id: I48a671f66b87887f4d2e244b27990eac0ed83b98 Reviewed-on: http://review.couchbase.org/113701 Tested-by: Trond Norbye <trond.norbye@couchbase.com> Reviewed-by: Dave Rigby <daver@couchbase.com>
diff --git a/daemon/settings.cc b/daemon/settings.cc
@@ -33,6 +33,7 @@
 #include "ssl_utils.h"
 
 #include <mcbp/mcbp.h>
+#include <memcached/openssl.h>
 #include <utilities/json_utilities.h>
 #include <utilities/logtags.h>
 
@@ -389,6 +390,21 @@ static void handle_root(Settings& s, const nlohmann::json& obj) {
  * @param obj the object in the configuration
  */
 static void handle_ssl_cipher_list(Settings& s, const nlohmann::json& obj) {
+    const auto value = obj.get<std::string>();
+    cb::openssl::unique_ssl_ctx_ptr ctx;
+    ctx.reset(SSL_CTX_new(SSLv23_server_method()));
+    if (!ctx) {
+        throw std::bad_alloc{};
+    }
+
+    if (!value.empty() &&
+        SSL_CTX_set_cipher_list(ctx.get(), value.c_str()) == 0) {
+        std::string msg = "Failed to select any of the requested ciphers (";
+        msg.append(value);
+        msg.append(")");
+        throw std::runtime_error(msg);
+    }
+
     s.setSslCipherList(obj.get<std::string>());
 }
 
diff --git a/include/memcached/openssl.h b/include/memcached/openssl.h
@@ -37,5 +37,13 @@ struct X509deletor {
 };
 
 using unique_x509_ptr = std::unique_ptr<X509, X509deletor>;
+
+struct SSL_CTX_Deletor {
+    void operator()(SSL_CTX* ctx) {
+        SSL_CTX_free(ctx);
+    }
+};
+
+using unique_ssl_ctx_ptr = std::unique_ptr<SSL_CTX, SSL_CTX_Deletor>;
 }
 }
diff --git a/tests/config_parse_test/config_parse_test.cc b/tests/config_parse_test/config_parse_test.cc
@@ -731,7 +731,7 @@ TEST_F(SettingsTest, SslCipherList) {
         FAIL() << exception.what();
     }
 
-    // An empty string is also allowed
+    // An empty string is also allowed (giving default ciphers)
     obj["ssl_cipher_list"] = "";
     try {
         Settings settings(obj);
@@ -740,6 +740,14 @@ TEST_F(SettingsTest, SslCipherList) {
     } catch (std::exception& exception) {
         FAIL() << exception.what();
     }
+
+    // Detect that we need at least 1 cipher defined
+    obj["ssl_cipher_list"] = "foobar";
+    try {
+        Settings settings(obj);
+        FAIL() << "We should not be allowed to disable all ciphers";
+    } catch (std::exception&) {
+    }
 }
 
 TEST_F(SettingsTest, SslCipherOrder) {

Original file line number	Diff line number	Diff line change
`@@ -37,5 +37,13 @@ struct X509deletor {`
`37`	`37`	`};`
`38`	`38`
`39`	`39`	`using unique_x509_ptr = std::unique_ptr<X509, X509deletor>;`
	`40`	`+`
	`41`	`+struct SSL_CTX_Deletor {`
	`42`	`+ void operator()(SSL_CTX* ctx) {`
	`43`	`+ SSL_CTX_free(ctx);`
	`44`	`+ }`
	`45`	`+};`
	`46`	`+`
	`47`	`+using unique_ssl_ctx_ptr = std::unique_ptr<SSL_CTX, SSL_CTX_Deletor>;`
`40`	`48`	`}`
`41`	`49`	`}`