Introduce a new `-P` option which allows specifying a colon separated list
of accepted TLS ciphers.

Depending on the underlying ustream-ssl provider, the list either follows
OpenSSL's cipher string format or, in case of mbedTLS, is a simple colon
separated cipher whitelist.

Signed-off-by: Jo-Philipp Wich <j...@mein.io>
---
 main.c | 12 +++++++++---
 tls.c  |  7 ++++++-
 tls.h  |  4 ++--
 3 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/main.c b/main.c
index 6c29afe..26e74ec 100644
--- a/main.c
+++ b/main.c
@@ -139,6 +139,7 @@ static int usage(const char *name)
                "       -s [addr:]port  Like -p but provide HTTPS on this 
port\n"
                "       -C file         ASN.1 server certificate file\n"
                "       -K file         ASN.1 server private key file\n"
+               "       -P ciphers      Colon separated list of allowed TLS 
ciphers\n"
                "       -q              Redirect all HTTP requests to HTTPS\n"
 #endif
                "       -h directory    Specify the document root, default is 
'.'\n"
@@ -249,7 +250,7 @@ int main(int argc, char **argv)
        int bound = 0;
 #ifdef HAVE_TLS
        int n_tls = 0;
-       const char *tls_key = NULL, *tls_crt = NULL;
+       const char *tls_key = NULL, *tls_crt = NULL, *tls_ciphers = NULL;
 #endif
 #ifdef HAVE_LUA
        const char *lua_prefix = NULL, *lua_handler = NULL;
@@ -261,7 +262,7 @@ int main(int argc, char **argv)
        init_defaults_pre();
        signal(SIGPIPE, SIG_IGN);
 
-       while ((ch = getopt(argc, argv, 
"A:aC:c:Dd:E:fh:H:I:i:K:k:L:l:m:N:n:p:qRr:Ss:T:t:U:u:Xx:y:")) != -1) {
+       while ((ch = getopt(argc, argv, 
"A:aC:c:Dd:E:fh:H:I:i:K:k:L:l:m:N:n:P:p:qRr:Ss:T:t:U:u:Xx:y:")) != -1) {
                switch(ch) {
 #ifdef HAVE_TLS
                case 'C':
@@ -272,6 +273,10 @@ int main(int argc, char **argv)
                        tls_key = optarg;
                        break;
 
+               case 'P':
+                       tls_ciphers = optarg;
+                       break;
+
                case 'q':
                        conf.tls_redirect = 1;
                        break;
@@ -282,6 +287,7 @@ int main(int argc, char **argv)
 #else
                case 'C':
                case 'K':
+               case 'P':
                case 'q':
                case 's':
                        fprintf(stderr, "uhttpd: TLS support not compiled, "
@@ -523,7 +529,7 @@ int main(int argc, char **argv)
                        return 1;
                }
 
-               if (uh_tls_init(tls_key, tls_crt))
+               if (uh_tls_init(tls_key, tls_crt, tls_ciphers))
                    return 1;
        }
 #endif
diff --git a/tls.c b/tls.c
index d969b82..1da0881 100644
--- a/tls.c
+++ b/tls.c
@@ -31,7 +31,7 @@ static struct ustream_ssl_ops *ops;
 static void *dlh;
 static void *ctx;
 
-int uh_tls_init(const char *key, const char *crt)
+int uh_tls_init(const char *key, const char *crt, const char *ciphers)
 {
        static bool _init = false;
 
@@ -63,6 +63,11 @@ int uh_tls_init(const char *key, const char *crt)
                return -EINVAL;
        }
 
+       if (ciphers && ops->context_set_ciphers(ctx, ciphers)) {
+               fprintf(stderr, "No recognized ciphers in cipher list\n");
+               return -EINVAL;
+       }
+
        return 0;
 }
 
diff --git a/tls.h b/tls.h
index 9be74ba..f457cb7 100644
--- a/tls.h
+++ b/tls.h
@@ -22,13 +22,13 @@
 
 #ifdef HAVE_TLS
 
-int uh_tls_init(const char *key, const char *crt);
+int uh_tls_init(const char *key, const char *crt, const char *ciphers);
 void uh_tls_client_attach(struct client *cl);
 void uh_tls_client_detach(struct client *cl);
 
 #else
 
-static inline int uh_tls_init(const char *key, const char *crt)
+static inline int uh_tls_init(const char *key, const char *crt, const char 
*ciphers)
 {
        return -1;
 }
-- 
2.25.0


_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel

Reply via email to