
Refactored cipher restriction code

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
This commit is contained in:
Adriaan de Jong 2011-06-29 18:32:44 +02:00 committed by David Sommerseth
parent 244da317ee
commit 2e74a9d02d
3 changed files with 19 additions and 6 deletions

ssl.c

@ -1609,8 +1609,6 @@ tls_deauthenticate (struct tls_multi *multi)
void
init_ssl (const struct options *options, struct tls_root_ctx *new_ctx)
{
SSL_CTX *ctx = NULL;
ASSERT(NULL != new_ctx);
tls_clear_error();
@ -1673,8 +1671,6 @@ init_ssl (const struct options *options, struct tls_root_ctx *new_ctx)
}
}
ctx = new_ctx->ctx;
if (options->ca_file || options->ca_path)
{
tls_ctx_load_ca(new_ctx, options->ca_file, options->ca_file_inline,
@ -1702,8 +1698,7 @@ init_ssl (const struct options *options, struct tls_root_ctx *new_ctx)
/* Allowable ciphers */
if (options->cipher_list)
{
if (!SSL_CTX_set_cipher_list (ctx, options->cipher_list))
msg (M_SSLERR, "Problem with cipher list: %s", options->cipher_list);
tls_ctx_restrict_ciphers(new_ctx, options->cipher_list);
}
tls_clear_error ();


@ -116,6 +116,14 @@ bool tls_ctx_initialised(struct tls_root_ctx *ctx);
*/
void tls_ctx_set_options (struct tls_root_ctx *ctx, unsigned int ssl_flags);
/**
* Restrict the list of ciphers that can be used within the TLS context.
*
* @param ctx TLS context to restrict
* @param ciphers String containing : delimited cipher names.
*/
void tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers);
/**
* Load Diffie Hellman Parameters, and load them into the library-specific
* TLS context.
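Review bot: The new declaration's comment does not say what happens when the backend rejects the cipher string, and because the function returns void a caller such as init_ssl cannot detect or recover from that case. The OpenSSL implementation added in this commit reports the failure with `msg(M_SSLERR, ...)`, so the contract appears to be fail-fast rather than best-effort, and the header should state that so other backends keep the same semantics; for example add `* A cipher string the backend rejects is reported through msg(M_SSLERR, ...); there is no return value for callers to fall back on.` to the block above the prototype.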


@ -181,6 +181,16 @@ tls_ctx_set_options (struct tls_root_ctx *ctx, unsigned int ssl_flags)
SSL_CTX_set_info_callback (ctx->ctx, info_callback);
}
void
tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
{
ASSERT(NULL != ctx);
/* Fox-IT hardening: restrict allowed TLS ciphers. */
if(!SSL_CTX_set_cipher_list(ctx->ctx, ciphers))
msg(M_SSLERR, "Failed to set restricted TLS cipher list: %s", ciphers);
}
void
tls_ctx_load_dh_params (struct tls_root_ctx *ctx, const char *dh_file
#if ENABLE_INLINE_FILES
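Review bot: tls_ctx_restrict_ciphers validates only ctx; ciphers is handed unchecked to SSL_CTX_set_cipher_list and, on failure, to the `%s` conversion in the msg() call, where a NULL argument would be undefined behaviour. The single caller in ssl.c guards with `if (options->cipher_list)`, but this is a public backend entry point, so mirror the existing check with `ASSERT(NULL != ciphers);` next to `ASSERT(NULL != ctx);`. As a point of style, `if(!SSL_CTX_set_cipher_list(...)` drops the space before the parenthesis that tls_ctx_set_options directly above uses (`SSL_CTX_set_info_callback (...)`), and the `/* Fox-IT hardening ... */` comment names a vendor rather than describing the behaviour; `/* Apply the caller's cipher restriction to the library context. */` would read better in upstream.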