[src/trunk]: src/libexec/httpd - restrict the default list of ciphers to some...
details: https://anonhg.NetBSD.org/src/rev/3af22dcc4ea2
branches: trunk
changeset: 342201:3af22dcc4ea2
user: christos <christos%NetBSD.org@localhost>
date: Sat Dec 12 16:57:53 2015 +0000
description:
- restrict the default list of ciphers to something more secure
- restrict ssl options
From Travis Paul
diffstat:
libexec/httpd/bozohttpd.8 | 10 ++++-
libexec/httpd/bozohttpd.h | 24 ++++++++------
libexec/httpd/main.c | 16 ++++++++-
libexec/httpd/ssl-bozo.c | 75 ++++++++++++++++++++++++++++++++++++++--------
4 files changed, 97 insertions(+), 28 deletions(-)
diffs (273 lines):
diff -r 4f814666fb9b -r 3af22dcc4ea2 libexec/httpd/bozohttpd.8
--- a/libexec/httpd/bozohttpd.8 Sat Dec 12 15:27:42 2015 +0000
+++ b/libexec/httpd/bozohttpd.8 Sat Dec 12 16:57:53 2015 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: bozohttpd.8,v 1.56 2015/11/29 15:58:07 kamil Exp $
+.\" $NetBSD: bozohttpd.8,v 1.57 2015/12/12 16:57:53 christos Exp $
.\"
.\" $eterna: bozohttpd.8,v 1.101 2011/11/18 01:25:11 mrg Exp $
.\"
@@ -26,7 +26,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.Dd November 29, 2015
+.Dd December 12, 2015
.Dt BOZOHTTPD 8
.Os
.Sh NAME
@@ -49,6 +49,7 @@
.Op Fl t Ar chrootdir
.Op Fl v Ar virtualroot
.Op Fl x Ar index
+.Op Fl z Ar ciphers
.Ar slashdir
.Op Ar myname
.Sh DESCRIPTION
@@ -303,6 +304,9 @@
.Dq index.html
to
.Ar index .
+.It Fl z Ar ciphers
+Sets the list of SSL ciphers (see
+.Xr SSL_CTX_set_cipher_list 3 ) .
.It Fl Z Ar certificate_path privatekey_path
Sets the path to the server certificate file and the private key file
in pem format.
@@ -425,7 +429,7 @@
.Dq -lcrypt .
.Ss SSL SUPPORT
.Nm
-has support for SSLv2, SSLv3, and TLSv1 protocols that is included by
+has support for TLSv1.1 and TLSv1.2 protocols that are included by
default.
It requires linking with the crypto and ssl library, using
.Dq -lcrypto -lssl .
diff -r 4f814666fb9b -r 3af22dcc4ea2 libexec/httpd/bozohttpd.h
--- a/libexec/httpd/bozohttpd.h Sat Dec 12 15:27:42 2015 +0000
+++ b/libexec/httpd/bozohttpd.h Sat Dec 12 16:57:53 2015 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: bozohttpd.h,v 1.38 2015/10/28 09:20:15 shm Exp $ */
+/* $NetBSD: bozohttpd.h,v 1.39 2015/12/12 16:57:53 christos Exp $ */
/* $eterna: bozohttpd.h,v 1.39 2011/11/18 09:21:15 mrg Exp $ */
@@ -238,14 +238,18 @@
void *bozorealloc(bozohttpd_t *, void *, size_t);
char *bozostrdup(bozohttpd_t *, const char *);
+#define bozo_noop do { /* nothing */ } while (/*CONSTCOND*/0)
+
/* ssl-bozo.c */
#ifdef NO_SSL_SUPPORT
-#define bozo_ssl_set_opts(w, x, y) do { /* nothing */ } while (0)
-#define bozo_ssl_init(x) do { /* nothing */ } while (0)
+#define bozo_ssl_set_opts(w, x, y) bozo_noop
+#define bozo_ssl_set_ciphers(w, x, y) bozo_noop
+#define bozo_ssl_init(x) bozo_noop
#define bozo_ssl_accept(x) (0)
-#define bozo_ssl_destroy(x) do { /* nothing */ } while (0)
+#define bozo_ssl_destroy(x) bozo_noop
#else
void bozo_ssl_set_opts(bozohttpd_t *, const char *, const char *);
+void bozo_ssl_set_ciphers(bozohttpd_t *, const char *);
void bozo_ssl_init(bozohttpd_t *);
int bozo_ssl_accept(bozohttpd_t *);
void bozo_ssl_destroy(bozohttpd_t *);
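Review bot: The NO_SSL_SUPPORT stub `bozo_ssl_set_ciphers(w, x, y)` takes three arguments while the real prototype added below it takes two (`bozohttpd_t *, const char *`), so any two-argument call compiled without SSL would fail to expand rather than compile to a no-op. The main.c side of this commit avoids the stub by calling bozo_err in its own `#ifdef NO_SSL_SUPPORT` branch, so the mismatch is latent today, but the stub should still match the prototype: `#define bozo_ssl_set_ciphers(x, y) bozo_noop`. The same hunk's `bozo_ssl_set_opts(w, x, y)` does match its three-parameter prototype.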
@@ -263,13 +267,13 @@
void bozo_auth_cgi_setenv(bozo_httpreq_t *, char ***);
int bozo_auth_cgi_count(bozo_httpreq_t *);
#else
-#define bozo_auth_init(x) do { /* nothing */ } while (0)
+#define bozo_auth_init(x) bozo_noop
#define bozo_auth_check(x, y) 0
-#define bozo_auth_cleanup(x) do { /* nothing */ } while (0)
+#define bozo_auth_cleanup(x) bozo_noop
#define bozo_auth_check_headers(y, z, a, b) 0
#define bozo_auth_check_special_files(x, y) 0
-#define bozo_auth_check_401(x, y) do { /* nothing */ } while (0)
-#define bozo_auth_cgi_setenv(x, y) do { /* nothing */ } while (0)
+#define bozo_auth_check_401(x, y) bozo_noop
+#define bozo_auth_cgi_setenv(x, y) bozo_noop
#define bozo_auth_cgi_count(x) 0
#endif /* DO_HTPASSWD */
@@ -296,9 +300,9 @@
/* daemon-bozo.c */
#ifdef NO_DAEMON_MODE
-#define bozo_daemon_init(x) do { /* nothing */ } while (0)
+#define bozo_daemon_init(x) bozo_noop
#define bozo_daemon_fork(x) 0
-#define bozo_daemon_closefds(x) do { /* nothing */ } while (0)
+#define bozo_daemon_closefds(x) bozo_noop
#else
void bozo_daemon_init(bozohttpd_t *);
int bozo_daemon_fork(bozohttpd_t *);
diff -r 4f814666fb9b -r 3af22dcc4ea2 libexec/httpd/main.c
--- a/libexec/httpd/main.c Sat Dec 12 15:27:42 2015 +0000
+++ b/libexec/httpd/main.c Sat Dec 12 16:57:53 2015 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: main.c,v 1.10 2015/11/29 15:26:10 kamil Exp $ */
+/* $NetBSD: main.c,v 1.11 2015/12/12 16:57:53 christos Exp $ */
/* $eterna: main.c,v 1.6 2011/11/18 09:21:15 mrg Exp $ */
/* from: eterna: bozohttpd.c,v 1.159 2009/05/23 02:14:30 mrg Exp */
@@ -112,6 +112,8 @@
" -x index\t\tchange default `index.html' file name");
#ifndef NO_SSL_SUPPORT
bozo_warn(httpd,
+ " -z ciphers\t\tspecify SSL ciphers");
+ bozo_warn(httpd,
" -Z cert privkey\tspecify path to server certificate"
" and private key file\n"
"\t\t\tin pem format and enable bozohttpd in SSL mode");
@@ -145,7 +147,7 @@
*/
while ((c = getopt(argc, argv,
- "C:EHI:L:M:P:S:U:VXZ:bc:defhi:np:st:uv:x:")) != -1) {
+ "C:EHI:L:M:P:S:U:VXZ:bc:defhi:np:st:uv:x:z:")) != -1) {
switch (c) {
case 'L':
@@ -198,6 +200,16 @@
bozo_ssl_set_opts(&httpd, optarg, argv[optind++]);
break;
#endif /* NO_SSL_SUPPORT */
+
+ case 'z':
+#ifdef NO_SSL_SUPPORT
+ bozo_err(&httpd, 1, "ssl support is not enabled");
+ /* NOT REACHED */
+#else
+ bozo_ssl_set_ciphers(&httpd, optarg);
+ break;
+#endif /* NO_SSL_SUPPORT */
+
case 'U':
bozo_set_pref(&prefs, "username", optarg);
break;
diff -r 4f814666fb9b -r 3af22dcc4ea2 libexec/httpd/ssl-bozo.c
--- a/libexec/httpd/ssl-bozo.c Sat Dec 12 15:27:42 2015 +0000
+++ b/libexec/httpd/ssl-bozo.c Sat Dec 12 16:57:53 2015 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ssl-bozo.c,v 1.18 2014/07/17 06:27:52 mrg Exp $ */
+/* $NetBSD: ssl-bozo.c,v 1.19 2015/12/12 16:57:53 christos Exp $ */
/* $eterna: ssl-bozo.c,v 1.15 2011/11/18 09:21:15 mrg Exp $ */
@@ -48,6 +48,25 @@
#define USE_ARG(x) /*LINTED*/(void)&(x)
#endif
+#ifndef BOZO_SSL_CIPHERS
+#define BOZO_SSL_CIPHERS \
+ "AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:" \
+ "AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:" \
+ "AES:" \
+ "-SHA:" \
+ "!aNULL:!eNULL:" \
+ "!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:" \
+ "!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:" \
+ "!KRB5-DES-CBC3-SHA"
+#endif
+
+#ifndef BOZO_SSL_OPTIONS
+#define BOZO_SSL_OPTIONS \
+ (SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1)
+#endif
+
+ /* this structure encapsulates the ssl info */
+
/* this structure encapsulates the ssl info */
typedef struct sslinfo_t {
SSL_CTX *ssl_context;
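Review bot: The careful ordering in BOZO_SSL_CIPHERS only governs negotiation if BOZO_SSL_OPTIONS also carries SSL_OP_CIPHER_SERVER_PREFERENCE; as written the client's preference order decides, and the explicitly named suites are all static-RSA key exchange with no forward secrecy, ECDHE/DHE suites entering only through the generic `AES` token later in the string. The `-SHA` token also removes the `AES256-SHA` and `AES128-SHA` entries named three lines earlier, so one of the two is redundant and the intended policy deserves a comment above the define. If server-side ordering is the intent, `(SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_CIPHER_SERVER_PREFERENCE)` expresses it, and SSL_OP_NO_COMPRESSION is worth weighing in the same place. Separately, the comment `/* this structure encapsulates the ssl info */` is added a second time, with a leading space, directly above the existing copy; the added line should be dropped.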
@@ -55,6 +74,7 @@
SSL *bozossl;
char *certificate_file;
char *privatekey_file;
+ char *ciphers;
} sslinfo_t;
/*
@@ -187,6 +207,7 @@
bozo_ssl_init(bozohttpd_t *httpd)
{
sslinfo_t *sslinfo = httpd->sslinfo;
+ long options;
if (sslinfo == NULL || !sslinfo->certificate_file)
return;
@@ -200,6 +221,18 @@
bozo_ssl_err(httpd, EXIT_FAILURE,
"SSL context creation failed");
+ options = SSL_CTX_set_options(sslinfo->ssl_context,
+ BOZO_SSL_OPTIONS);
+ if ((options & BOZO_SSL_OPTIONS) != BOZO_SSL_OPTIONS)
+ bozo_ssl_err(httpd, EXIT_FAILURE,
+ "Error setting ssl options requested %#lx, got %#lx",
+ BOZO_SSL_OPTIONS, options);
+
+ if (!SSL_CTX_set_cipher_list(sslinfo->ssl_context,
+ sslinfo->ciphers ? sslinfo->ciphers : BOZO_SSL_CIPHERS))
+ bozo_ssl_err(httpd, EXIT_FAILURE,
+ "Error setting cipher list '%s'", sslinfo->ciphers);
+
if (1 != SSL_CTX_use_certificate_chain_file(sslinfo->ssl_context,
sslinfo->certificate_file))
bozo_ssl_err(httpd, EXIT_FAILURE,
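Review bot: The failure message for SSL_CTX_set_cipher_list prints `sslinfo->ciphers`, which is NULL exactly when the default BOZO_SSL_CIPHERS list was the one passed, so the `%s` receives a null pointer and the diagnostic never names the list that was rejected. Hoist the selection into a local and use it for both the call and the message: `const char *ciphers = sslinfo->ciphers ? sslinfo->ciphers : BOZO_SSL_CIPHERS;`, then `if (!SSL_CTX_set_cipher_list(sslinfo->ssl_context, ciphers))` and `"Error setting cipher list '%s'", ciphers`. The SSL_CTX_set_options check above it is fine, since the function returns the resulting option mask. bozo_ssl_init begins and ends outside this hunk.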
@@ -251,24 +284,40 @@
SSL_free(sslinfo->bozossl);
}
+static sslinfo_t *
+bozo_get_sslinfo(bozohttpd_t *httpd)
+{
+ sslinfo_t *sslinfo;
+ if (httpd->sslinfo)
+ return httpd->sslinfo;
+ sslinfo = bozomalloc(httpd, sizeof(*sslinfo));
+ if (sslinfo == NULL)
+ bozo_err(httpd, 1, "sslinfo allocation failed");
+ memset(sslinfo, 0, sizeof(*sslinfo));
+ return httpd->sslinfo = sslinfo;
+}
+
void
bozo_ssl_set_opts(bozohttpd_t *httpd, const char *cert, const char *priv)
{
- sslinfo_t *sslinfo = httpd->sslinfo;
+ sslinfo_t *sslinfo = bozo_get_sslinfo(httpd);
- if (sslinfo == NULL) {
- sslinfo = bozomalloc(httpd, sizeof(*sslinfo));
- if (sslinfo == NULL)
- bozo_err(httpd, 1, "sslinfo allocation failed");
- httpd->sslinfo = sslinfo;
- }
- sslinfo->certificate_file = strdup(cert);
- sslinfo->privatekey_file = strdup(priv);
+ sslinfo->certificate_file = bozostrdup(httpd, cert);
+ sslinfo->privatekey_file = bozostrdup(httpd, priv);
debug((httpd, DEBUG_NORMAL, "using cert/priv files: %s & %s",
- sslinfo->certificate_file,
- sslinfo->privatekey_file));
+ sslinfo->certificate_file,
+ sslinfo->privatekey_file));
if (!httpd->bindport)
- httpd->bindport = strdup("https");
+ httpd->bindport = bozostrdup(httpd, "https");
+}
+
+void
+bozo_ssl_set_ciphers(bozohttpd_t *httpd, const char *ciphers)
+{
+ sslinfo_t *sslinfo = bozo_get_sslinfo(httpd);
+
+ sslinfo->ciphers = bozostrdup(httpd, ciphers);
+ debug((httpd, DEBUG_NORMAL, "using ciphers: %s", sslinfo->ciphers));
}
#endif /* NO_SSL_SUPPORT */
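Review bot: bozo_ssl_set_ciphers overwrites `sslinfo->ciphers` unconditionally, so a repeated `-z` on the command line leaks the earlier copy; release it first with `free(sslinfo->ciphers);` (or the project's matching deallocator, if bozostrdup does not use plain malloc) before the bozostrdup assignment. bozo_ssl_set_opts in the same hunk has the same pattern for `certificate_file` and `privatekey_file`, and the new bozo_get_sslinfo helper is a good place to document that the struct is zero-filled so these fields start out NULL. Whether bozo_ssl_destroy frees the new `ciphers` member cannot be seen from this hunk and is worth checking.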