3party/mongoose
0
0
Fork 0
mirror of https://github.com/cesanta/mongoose.git synced 2024-12-28 15:40:23 +08:00
Code Issues Projects Releases Wiki Activity

Add ssl_cipher_suites to mg_{bind,connect}_opts

Browse Source 
Optional specification of SSL/TLS cipher suites.

PUBLISHED_FROM=e8968c6c7a92f10514d3ee575c2fb9be862e6cf8
This commit is contained in:
Deomid Ryabkov 2017-01-10 00:44:44 +01:00 committed by Cesanta Bot
parent cd9e179fcb
commit 67626d49c9
4 changed files with 119 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
docs/c-api/net.h/struct_mg_bind_opts.md
View File

@ -9,15 +9,30 @@ signature: |
const char **error_string; /* Placeholder for the error string */ const char **error_string; /* Placeholder for the error string */
struct mg_iface *iface; /* Interface instance */ struct mg_iface *iface; /* Interface instance */
#if MG_ENABLE_SSL #if MG_ENABLE_SSL
/* SSL settings. */ /*
const char *ssl_cert; /* Server certificate to present to clients * SSL settings.
* Or client certificate to present to tunnel *
* dispatcher. */ * Server certificate to present to clients or client certificate to
const char *ssl_key; /* Private key corresponding to the certificate. * present to tunnel dispatcher (for tunneled connections).
If ssl_cert is set but ssl_key is not, ssl_cert */
is used. */ const char *ssl_cert;
const char *ssl_ca_cert; /* CA bundle used to verify client certificates or /* Private key corresponding to the certificate. If ssl_cert is set but
* tunnel dispatchers. */ * ssl_key is not, ssl_cert is used. */
const char *ssl_key;
/* CA bundle used to verify client certificates or tunnel dispatchers. */
const char *ssl_ca_cert;
/* Colon-delimited list of acceptable cipher suites.
* Names depend on the library used, for example:
*
* ECDH-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256 (OpenSSL)
* TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
* (mbedTLS)
*
* For OpenSSL the list can be obtained by running "openssl ciphers".
* For mbedTLS, names can be found in library/ssl_ciphersuites.c
* If NULL, a reasonable default is used.
*/
const char *ssl_cipher_suites;
#endif #endif
}; };
--- ---

36
docs/c-api/net.h/struct_mg_connect_opts.md
View File

@ -9,15 +9,33 @@ signature: |
const char **error_string; /* Placeholder for the error string */ const char **error_string; /* Placeholder for the error string */
struct mg_iface *iface; /* Interface instance */ struct mg_iface *iface; /* Interface instance */
#if MG_ENABLE_SSL #if MG_ENABLE_SSL
/* SSL settings. */ /*
const char *ssl_cert; /* Client certificate to present to the server */ * SSL settings.
const char *ssl_key; /* Private key corresponding to the certificate. * Client certificate to present to the server.
If ssl_cert is set but ssl_key is not, ssl_cert */
is used. */ const char *ssl_cert;
const char *ssl_ca_cert; /* Verify server certificate using this CA bundle. /*
If set to "*", then SSL is enabled but no cert * Private key corresponding to the certificate.
verification is performed. */ * If ssl_cert is set but ssl_key is not, ssl_cert is used.
*/
const char *ssl_key;
/*
* Verify server certificate using this CA bundle. If set to "*", then SSL
* is enabled but no cert verification is performed.
*/
const char *ssl_ca_cert;
/* Colon-delimited list of acceptable cipher suites.
* Names depend on the library used, for example:
*
* ECDH-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256 (OpenSSL)
* TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
* (mbedTLS)
*
* For OpenSSL the list can be obtained by running "openssl ciphers".
* For mbedTLS, names can be found in library/ssl_ciphersuites.c
* If NULL, a reasonable default is used.
*/
const char *ssl_cipher_suites;
/* /*
* Server name verification. If ssl_ca_cert is set and the certificate has * Server name verification. If ssl_ca_cert is set and the certificate has
* passed verification, its subject will be verified against this string. * passed verification, its subject will be verified against this string.

22
mongoose.c
View File

@ -2746,6 +2746,7 @@ struct mg_connection *mg_connect_opt(struct mg_mgr *mgr, const char *address,
params.cert = opts.ssl_cert; params.cert = opts.ssl_cert;
params.key = opts.ssl_key; params.key = opts.ssl_key;
params.ca_cert = opts.ssl_ca_cert; params.ca_cert = opts.ssl_ca_cert;
params.cipher_suites = opts.ssl_cipher_suites;
if (opts.ssl_ca_cert != NULL) { if (opts.ssl_ca_cert != NULL) {
if (opts.ssl_server_name != NULL) { if (opts.ssl_server_name != NULL) {
if (strcmp(opts.ssl_server_name, "*") != 0) { if (strcmp(opts.ssl_server_name, "*") != 0) {
@ -2850,6 +2851,7 @@ struct mg_connection *mg_bind_opt(struct mg_mgr *mgr, const char *address,
params.cert = opts.ssl_cert; params.cert = opts.ssl_cert;
params.key = opts.ssl_key; params.key = opts.ssl_key;
params.ca_cert = opts.ssl_ca_cert; params.ca_cert = opts.ssl_ca_cert;
params.cipher_suites = opts.ssl_cipher_suites;
if (mg_ssl_if_conn_init(nc, &params, &err_msg) != MG_SSL_OK) { if (mg_ssl_if_conn_init(nc, &params, &err_msg) != MG_SSL_OK) {
MG_SET_PTRPTR(opts.error_string, err_msg); MG_SET_PTRPTR(opts.error_string, err_msg);
mg_destroy_conn(nc, 1 /* destroy_if */); mg_destroy_conn(nc, 1 /* destroy_if */);
@ -4060,7 +4062,7 @@ enum mg_ssl_if_result mg_ssl_if_conn_accept(struct mg_connection *nc,
static enum mg_ssl_if_result mg_use_cert(SSL_CTX *ctx, const char *cert, static enum mg_ssl_if_result mg_use_cert(SSL_CTX *ctx, const char *cert,
const char *key, const char **err_msg); const char *key, const char **err_msg);
static enum mg_ssl_if_result mg_use_ca_cert(SSL_CTX *ctx, const char *cert); static enum mg_ssl_if_result mg_use_ca_cert(SSL_CTX *ctx, const char *cert);
static enum mg_ssl_if_result mg_set_cipher_list(SSL_CTX *ctx); static enum mg_ssl_if_result mg_set_cipher_list(SSL_CTX *ctx, const char *cl);
enum mg_ssl_if_result mg_ssl_if_conn_init( enum mg_ssl_if_result mg_ssl_if_conn_init(
struct mg_connection *nc, const struct mg_ssl_if_conn_params *params, struct mg_connection *nc, const struct mg_ssl_if_conn_params *params,
@ -4105,7 +4107,10 @@ enum mg_ssl_if_result mg_ssl_if_conn_init(
#endif #endif
} }
mg_set_cipher_list(ctx->ssl_ctx); if (mg_set_cipher_list(ctx->ssl_ctx, params->cipher_suites) != MG_SSL_OK) {
MG_SET_PTRPTR(err_msg, "Invalid cipher suite list");
return MG_SSL_ERROR;
}
if (!(nc->flags & MG_F_LISTENING) && if (!(nc->flags & MG_F_LISTENING) &&
(ctx->ssl = SSL_new(ctx->ssl_ctx)) == NULL) { (ctx->ssl = SSL_new(ctx->ssl_ctx)) == NULL) {
@ -4287,9 +4292,10 @@ static enum mg_ssl_if_result mg_use_cert(SSL_CTX *ctx, const char *cert,
return MG_SSL_OK; return MG_SSL_OK;
} }
static enum mg_ssl_if_result mg_set_cipher_list(SSL_CTX *ctx) { static enum mg_ssl_if_result mg_set_cipher_list(SSL_CTX *ctx, const char *cl) {
return (SSL_CTX_set_cipher_list(ctx, mg_s_cipher_list) == 1 ? MG_SSL_OK return (SSL_CTX_set_cipher_list(ctx, cl ? cl : mg_s_cipher_list) == 1
: MG_SSL_ERROR); ? MG_SSL_OK
: MG_SSL_ERROR);
} }
const char *mg_set_ssl(struct mg_connection *nc, const char *cert, const char *mg_set_ssl(struct mg_connection *nc, const char *cert,
@ -4418,7 +4424,10 @@ enum mg_ssl_if_result mg_ssl_if_conn_init(
return MG_SSL_ERROR; return MG_SSL_ERROR;
} }
mg_set_cipher_list(ctx, NULL); if (mg_set_cipher_list(ctx, params->cipher_suites) != MG_SSL_OK) {
MG_SET_PTRPTR(err_msg, "Invalid cipher suite list");
return MG_SSL_ERROR;
}
if (!(nc->flags & MG_F_LISTENING)) { if (!(nc->flags & MG_F_LISTENING)) {
ctx->ssl = MG_CALLOC(1, sizeof(*ctx->ssl)); ctx->ssl = MG_CALLOC(1, sizeof(*ctx->ssl));
@ -13493,6 +13502,7 @@ enum mg_ssl_if_result mg_ssl_if_conn_init(
if (params->ca_cert != NULL && strcmp(params->ca_cert, "*") != 0) { if (params->ca_cert != NULL && strcmp(params->ca_cert, "*") != 0) {
ctx->ssl_ca_cert = strdup(params->ca_cert); ctx->ssl_ca_cert = strdup(params->ca_cert);
} }
/* TODO(rojer): cipher_suites. */
if (params->server_name != NULL) { if (params->server_name != NULL) {
ctx->ssl_server_name = strdup(params->server_name); ctx->ssl_server_name = strdup(params->server_name);
} }

70
mongoose.h
View File

@ -3152,6 +3152,7 @@ struct mg_ssl_if_conn_params {
const char *key; const char *key;
const char *ca_cert; const char *ca_cert;
const char *server_name; const char *server_name;
const char *cipher_suites;
}; };
enum mg_ssl_if_result mg_ssl_if_conn_init( enum mg_ssl_if_result mg_ssl_if_conn_init(
@ -3471,15 +3472,30 @@ struct mg_bind_opts {
const char **error_string; /* Placeholder for the error string */ const char **error_string; /* Placeholder for the error string */
struct mg_iface *iface; /* Interface instance */ struct mg_iface *iface; /* Interface instance */
#if MG_ENABLE_SSL #if MG_ENABLE_SSL
/* SSL settings. */ /*
const char *ssl_cert; /* Server certificate to present to clients * SSL settings.
* Or client certificate to present to tunnel *
* dispatcher. */ * Server certificate to present to clients or client certificate to
const char *ssl_key; /* Private key corresponding to the certificate. * present to tunnel dispatcher (for tunneled connections).
If ssl_cert is set but ssl_key is not, ssl_cert */
is used. */ const char *ssl_cert;
const char *ssl_ca_cert; /* CA bundle used to verify client certificates or /* Private key corresponding to the certificate. If ssl_cert is set but
* tunnel dispatchers. */ * ssl_key is not, ssl_cert is used. */
const char *ssl_key;
/* CA bundle used to verify client certificates or tunnel dispatchers. */
const char *ssl_ca_cert;
/* Colon-delimited list of acceptable cipher suites.
* Names depend on the library used, for example:
*
* ECDH-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256 (OpenSSL)
* TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
* (mbedTLS)
*
* For OpenSSL the list can be obtained by running "openssl ciphers".
* For mbedTLS, names can be found in library/ssl_ciphersuites.c
* If NULL, a reasonable default is used.
*/
const char *ssl_cipher_suites;
#endif #endif
}; };
@ -3519,15 +3535,33 @@ struct mg_connect_opts {
const char **error_string; /* Placeholder for the error string */ const char **error_string; /* Placeholder for the error string */
struct mg_iface *iface; /* Interface instance */ struct mg_iface *iface; /* Interface instance */
#if MG_ENABLE_SSL #if MG_ENABLE_SSL
/* SSL settings. */ /*
const char *ssl_cert; /* Client certificate to present to the server */ * SSL settings.
const char *ssl_key; /* Private key corresponding to the certificate. * Client certificate to present to the server.
If ssl_cert is set but ssl_key is not, ssl_cert */
is used. */ const char *ssl_cert;
const char *ssl_ca_cert; /* Verify server certificate using this CA bundle. /*
If set to "*", then SSL is enabled but no cert * Private key corresponding to the certificate.
verification is performed. */ * If ssl_cert is set but ssl_key is not, ssl_cert is used.
*/
const char *ssl_key;
/*
* Verify server certificate using this CA bundle. If set to "*", then SSL
* is enabled but no cert verification is performed.
*/
const char *ssl_ca_cert;
/* Colon-delimited list of acceptable cipher suites.
* Names depend on the library used, for example:
*
* ECDH-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256 (OpenSSL)
* TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
* (mbedTLS)
*
* For OpenSSL the list can be obtained by running "openssl ciphers".
* For mbedTLS, names can be found in library/ssl_ciphersuites.c
* If NULL, a reasonable default is used.
*/
const char *ssl_cipher_suites;
/* /*
* Server name verification. If ssl_ca_cert is set and the certificate has * Server name verification. If ssl_ca_cert is set and the certificate has
* passed verification, its subject will be verified against this string. * passed verification, its subject will be verified against this string.