From: Adriaan de Jong Date: Wed, 29 Jun 2011 16:32:44 +0000 (+0200) Subject: Refactored cipher restriction code X-Git-Tag: v2.3-alpha1~144 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2e74a9d02da9ac071438e24de8561ccf9192e94a;p=thirdparty%2Fopenvpn.git Refactored cipher restriction code Signed-off-by: Adriaan de Jong Acked-by: David Sommerseth Signed-off-by: David Sommerseth
---
diff --git a/ssl.c b/ssl.c
index 99eca844c..8ef75abc6 100644
--- a/ssl.c
+++ b/ssl.c
@@ -1609,8 +1609,6 @@ tls_deauthenticate (struct tls_multi *multi)
 void
 init_ssl (const struct options *options, struct tls_root_ctx *new_ctx)
 {
- SSL_CTX *ctx = NULL;
-
 ASSERT(NULL != new_ctx);
 tls_clear_error();
@@ -1673,8 +1671,6 @@ init_ssl (const struct options *options, struct tls_root_ctx *new_ctx)
 }
 }
- ctx = new_ctx->ctx;
-
 if (options->ca_file || options->ca_path)
 {
 tls_ctx_load_ca(new_ctx, options->ca_file, options->ca_file_inline,
@@ -1702,8 +1698,7 @@ init_ssl (const struct options *options, struct tls_root_ctx *new_ctx)
 /* Allowable ciphers */
 if (options->cipher_list)
 {
- if (!SSL_CTX_set_cipher_list (ctx, options->cipher_list))
- msg (M_SSLERR, "Problem with cipher list: %s", options->cipher_list);
+ tls_ctx_restrict_ciphers(new_ctx, options->cipher_list);
 }
 tls_clear_error ();
diff --git a/ssl_backend.h b/ssl_backend.h
index c36f92ee9..64d93360c 100644
--- a/ssl_backend.h
+++ b/ssl_backend.h
@@ -116,6 +116,14 @@ bool tls_ctx_initialised(struct tls_root_ctx *ctx);
 */
 void tls_ctx_set_options (struct tls_root_ctx *ctx, unsigned int ssl_flags);
+/**
+ * Restrict the list of ciphers that can be used within the TLS context.
+ *
+ * @param ctx TLS context to restrict
+ * @param ciphers String containing : delimited cipher names.
+ */
+void tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers);
+
 /**
 * Load Diffie Hellman Parameters, and load them into the library-specific
 * TLS context.
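Review bot: The Doxygen block added for tls_ctx_restrict_ciphers in ssl_backend.h does not say what happens when the list cannot be applied, and the OpenSSL implementation in this commit reports failure through msg(M_SSLERR) rather than a return value, so a backend author or caller cannot tell from the header that a rejected list is not meant to be recoverable. That fail-closed behaviour is the security property of the function: a misspelt or unsupported cipher name must never silently leave OpenSSL's default list active. Suggest adding `* @note Fails via msg(M_SSLERR) (presumably fatal) if the library rejects the list; the context must never continue with its default ciphers.` to the comment. It would also help to state that the cipher-name syntax is the backend's own (OpenSSL cipher-list format here), since the header is meant to be backend-neutral.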
diff --git a/ssl_openssl.c b/ssl_openssl.c
index e71c9ef1f..6897c2994 100644
--- a/ssl_openssl.c
+++ b/ssl_openssl.c
@@ -181,6 +181,16 @@ tls_ctx_set_options (struct tls_root_ctx *ctx, unsigned int ssl_flags)
 SSL_CTX_set_info_callback (ctx->ctx, info_callback);
 }
+void
+tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
+{
+ ASSERT(NULL != ctx);
+
+ /* Fox-IT hardening: restrict allowed TLS ciphers. */
+ if(!SSL_CTX_set_cipher_list(ctx->ctx, ciphers))
+ msg(M_SSLERR, "Failed to set restricted TLS cipher list: %s", ciphers);
+}
+
 void
 tls_ctx_load_dh_params (struct tls_root_ctx *ctx, const char *dh_file
 #if ENABLE_INLINE_FILES
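Review bot: `ASSERT(NULL != ctx)` in the new tls_ctx_restrict_ciphers guards the wrapper struct but not the SSL_CTX it hands to OpenSSL two lines later, so a tls_root_ctx that was never initialised reaches SSL_CTX_set_cipher_list with `ctx->ctx == NULL`; since ssl_backend.h already declares tls_ctx_initialised(), the guard could be `ASSERT(NULL != ctx && NULL != ctx->ctx);` or `ASSERT(tls_ctx_initialised(ctx));`. The failure path also passes `ciphers` straight to msg() as a `%s` argument, and while the only visible caller in ssl.c guards on options->cipher_list first, the function itself accepts NULL, so either assert it non-NULL or document the precondition. Two style points: `if(!SSL_CTX_set_cipher_list(...))` drops the space before the parenthesis that the surrounding code (`SSL_CTX_set_info_callback (`, `if (` in ssl.c) uses, and the comment `/* Fox-IT hardening: restrict allowed TLS ciphers. */` names the contributor rather than the reason the error is fatal — something like `/* Fail closed: a list OpenSSL cannot apply must not leave the default ciphers active. */` tells the next maintainer why this is not a warning. The tls_ctx_load_dh_params definition that follows begins inside the hunk but continues outside it.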