Merge pull request #120 from acv/ssl-refactor

mhaas · mhaas · commit 40deb49bd380 · 2015-03-22T08:24:50.000+01:00
Split out SSL init from https_get
diff --git a/src/conf.c b/src/conf.c
@@ -100,6 +100,7 @@ typedef enum {
 	oProxyPort,
 	oSSLPeerVerification,
 	oSSLCertPath,
+    oSSLAllowedCipherList,
 } OpCodes;
 
 /** @internal
@@ -142,6 +143,7 @@ static const struct {
 	{ "proxyport",			oProxyPort },
 	{ "sslpeerverification",		oSSLPeerVerification },
 	{ "sslcertpath",			oSSLCertPath },
+    { "sslallowedcipherlist",   oSSLAllowedCipherList },
 	{ NULL,				oBadOption },
 };
 
@@ -193,6 +195,7 @@ config_init(void)
 	config.proxy_port = 0;
 	config.ssl_certs = safe_strdup(DEFAULT_AUTHSERVSSLCERTPATH);
 	config.ssl_verify = DEFAULT_AUTHSERVSSLPEERVER;
+    config.ssl_cipher_list = NULL;
 }
 
 /**
@@ -738,13 +741,6 @@ config_read(const char *filename)
 				case oHTTPDPassword:
 					config.httpdpassword = safe_strdup(p1);
 					break;
-				case oBadOption:
-					debug(LOG_ERR, "Bad option on line %d "
-							"in %s.", linenum,
-							filename);
-					debug(LOG_ERR, "Exiting...");
-					exit(-1);
-					break;
 				case oCheckInterval:
 					sscanf(p1, "%d", &config.checkinterval);
 					break;
@@ -778,6 +774,21 @@ config_read(const char *filename)
 					debug(LOG_WARNING, "SSLPeerVerification is set but no SSL compiled in. Ignoring!");
 					#endif
                     break;
+                case oSSLAllowedCipherList:
+                    config.ssl_cipher_list = safe_strdup(p1);
+                    #ifndef USE_CYASSL
+                    debug(LOG_WARNING, "SSLAllowedCipherList is set but no SSL compiled in. Ignoring!");
+                    #endif
+                    break;
+				case oBadOption:
+                    /* FALL THROUGH */
+                default:
+					debug(LOG_ERR, "Bad option on line %d "
+							"in %s.", linenum,
+							filename);
+					debug(LOG_ERR, "Exiting...");
+					exit(-1);
+					break;
 				}
 			}
 		}
diff --git a/src/conf.h b/src/conf.h
@@ -171,6 +171,7 @@ typedef struct {
 		verification */
 	int ssl_verify;		/**< @brief boolean, whether to enable
 		auth server certificate verification */
+    char *ssl_cipher_list;  /**< @brief List of SSL ciphers allowed. Optional. */
     t_firewall_ruleset	*rulesets;	/**< @brief firewall rules */
     t_trusted_mac *trustedmaclist; /**< @brief list of trusted macs */
 } s_config;
diff --git a/src/simple_http.c b/src/simple_http.c
@@ -44,7 +44,13 @@
 #include <cyassl/ctaocrypt/error-crypt.h>
 #endif
 
-int http_get(const int sockfd, char *buf) {
+#ifdef USE_CYASSL
+static CYASSL_CTX *get_cyassl_ctx(void);
+#endif
+
+
+int
+http_get(const int sockfd, char *buf) {
 
 	ssize_t	numbytes;
 	size_t totalbytes;
@@ -119,8 +125,78 @@ int http_get(const int sockfd, char *buf) {
 
 #ifdef USE_CYASSL
 
+static CYASSL_CTX *cyassl_ctx = NULL;
+static pthread_mutex_t cyassl_ctx_mutex = PTHREAD_MUTEX_INITIALIZER;
+
+#define LOCK_CYASSL_CTX() do { \
+	debug(LOG_DEBUG, "Locking CyaSSL Context"); \
+	pthread_mutex_lock(&cyassl_ctx_mutex); \
+	debug(LOG_DEBUG, "CyaSSL Context locked"); \
+} while (0)
+
+#define UNLOCK_CYASSL_CTX() do { \
+	debug(LOG_DEBUG, "Unlocking CyaSSL Context"); \
+	pthread_mutex_unlock(&cyassl_ctx_mutex); \
+	debug(LOG_DEBUG, "CyaSSL Context unlocked"); \
+} while (0)
+
+
+static CYASSL_CTX *
+get_cyassl_ctx(void)
+{
+    int err;
+    CYASSL_CTX *ret;
+	s_config *config = config_get_config();
+
+    LOCK_CYASSL_CTX();
+    
+    if (NULL == cyassl_ctx) {
+        CyaSSL_Init();
+        /* Create the CYASSL_CTX */
+        /* Allow TLSv1.0 up to TLSv1.2 */
+        if ( (cyassl_ctx = CyaSSL_CTX_new(CyaTLSv1_client_method())) == NULL){
+            debug(LOG_ERR, "Could not create CYASSL context.");
+            return NULL;
+        }
+
+        if (config->ssl_cipher_list) {
+            debug(LOG_INFO, "Setting SSL cipher list to [%s]", config->ssl_cipher_list);
+            err = CyaSSL_CTX_set_cipher_list(cyassl_ctx, config->ssl_cipher_list);
+            if (SSL_SUCCESS != err) {
+                debug(LOG_ERR, "Could not load SSL cipher list (error %d)", err);
+                return NULL;
+            }
+        }
+
+        if (config->ssl_verify) {
+            /* Use trusted certs */
+            /* Note: CyaSSL requires that the certificates are named by their hash values */
+            debug(LOG_INFO, "Loading SSL certificates from %s", config->ssl_certs);
+            err = CyaSSL_CTX_load_verify_locations(cyassl_ctx, NULL, config->ssl_certs);
+            if (err != SSL_SUCCESS) {
+                debug(LOG_ERR, "Could not load SSL certificates (error %d)", err);
+                if (err == ASN_UNKNOWN_OID_E) {
+                    debug(LOG_ERR, "Error is ASN_UNKNOWN_OID_E - try compiling cyassl/wolfssl with --enable-ecc");
+                } else {
+                    debug(LOG_ERR, "Make sure that SSLCertPath points to the correct path in the config file");
+                    debug(LOG_ERR, "Or disable certificate loading with 'SSLPeerVerification No'.");
+                }
+                return NULL;
+            }
+        } else {
+            CyaSSL_CTX_set_verify(cyassl_ctx, SSL_VERIFY_NONE, 0);
+            debug(LOG_INFO, "Disabling SSL certificate verification!");
+        }
+    }
+    
+    ret = cyassl_ctx;
+    UNLOCK_CYASSL_CTX();
+    return ret;
+}
 
-int https_get(const int sockfd, char *buf, const char* hostname) {
+
+int
+https_get(const int sockfd, char *buf, const char* hostname) {
 
 	ssize_t	numbytes;
 	size_t totalbytes;
@@ -134,43 +210,18 @@ int https_get(const int sockfd, char *buf, const char* hostname) {
 	s_config *config;
 	config = config_get_config();
 
-	CyaSSL_Init();
-
-	CYASSL_CTX* ctx;
-	/* Create the CYASSL_CTX */
-	/* Allow SSLv3 up to TLSv1.2 */
-	if ( (ctx = CyaSSL_CTX_new(CyaSSLv23_client_method())) == NULL){
-		debug(LOG_ERR, "Could not create CYASSL context.");
-		return -1;
-	}
-
-	if (config->ssl_verify) {
-		/* Use trusted certs */
-		/* Note: CyaSSL requires that the certificates are named by their hash values */
-		int err = CyaSSL_CTX_load_verify_locations(ctx, NULL, config->ssl_certs);
-		if (err != SSL_SUCCESS) {
-			debug(LOG_ERR, "Could not load SSL certificates (error %d)", err);
-			if (err == ASN_UNKNOWN_OID_E) {
-				debug(LOG_ERR, "Error is ASN_UNKNOWN_OID_E - try compiling cyassl/wolfssl with --enable-ecc");
-			} else {
-				debug(LOG_ERR, "Make sure that SSLCertPath points to the correct path in the config file");
-				debug(LOG_ERR, "Or disable certificate loading with 'SSLPeerVerification No'.");
-			}
-			return -1;
-		}
-		debug(LOG_INFO, "Loading SSL certificates from %s", config->ssl_certs);
-	} else {
-		CyaSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0);
-		debug(LOG_INFO, "Disabling SSL certificate verification!");
-	}
+	CYASSL_CTX* ctx = get_cyassl_ctx();
+    if (NULL == ctx) {
+        debug(LOG_ERR, "Could not get CyaSSL Context!");
+        return -1;
+    }
 
 	if (sockfd == -1) {
 		/* Could not connect to server */
 		debug(LOG_ERR, "Could not open socket to server!");
 		return -1;
 	}
 
-
 	/* Create CYASSL object */
 	CYASSL* ssl;
 	if( (ssl = CyaSSL_new(ctx)) == NULL) {
@@ -204,7 +255,7 @@ int https_get(const int sockfd, char *buf, const char* hostname) {
 	memset(buf, 0, buflen);
 
 	debug(LOG_DEBUG, "Reading response");
-	numbytes = totalbytes = 0;
+	totalbytes = 0;
 	done = 0;
 	do {
 		FD_ZERO(&readfds);
@@ -257,8 +308,6 @@ int https_get(const int sockfd, char *buf, const char* hostname) {
 	debug(LOG_DEBUG, "HTTP Response from Server: [%s]", buf);
 
 	CyaSSL_free(ssl);
-	CyaSSL_CTX_free(ctx);
-	CyaSSL_Cleanup();
 
 	return totalbytes;
 }
diff --git a/wifidog.conf b/wifidog.conf
@@ -185,7 +185,6 @@ ClientTimeout 5
 #
 # SSLPeerVerification Yes
 
-
 # Parameter: SSLCertPath
 # Default: /etc/ssl/certs/
 # Optional
@@ -204,6 +203,20 @@ ClientTimeout 5
 #
 # SSLCertPath /etc/ssl/certs/ 
 
+# Parameter: SSLAllowedCipherList
+# Default: all ciphers supported
+# Optional
+#
+# Which cipher suite to allow. Note that CyaSSL will ignore cipher
+# suites that use algorithms that aren't compiled in or cipher
+# suites *WITH ERRORS IN THEIR NAMES*.
+#
+# Please see CyaSSL documentation for allowed values, format is a
+# string where the ciphers are separated by colons (:) with no
+# spaces. Ciphers are ordered from most desirable to least desirable.
+#
+# SSLAllowedCipherList ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES128-GCM-SHA256:ECDH-RSA-AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:ECDH-ECDSA-AES128-SHA:ECDH-ECDSA-AES256-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-AES256-SHA:AES128-SHA:AES256-SHA
+
 # Parameter: TrustedMACList
 # Default: none
 # Optional
