From: Blake Lawson
Date: Thu, 16 Jun 2016 01:21:44 +0000 (-0700)
Subject: Added limited list of supported ciphers
X-Git-Tag: 2016.07.26~139
X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=8fb2b024b0f18d2361ca16b894c0c812d0c8b26d;p=folly.git

Added limited list of supported ciphers

Summary: Added method to enable server support for a specific elliptic curve encryption algorithm.

Reviewed By: siyengar

Differential Revision: D3432860

fbshipit-source-id: 078531eead48ea156a68a109f8a62dc4907ac1ec
---

diff --git a/folly/io/async/SSLContext.cpp b/folly/io/async/SSLContext.cpp
index 8854b9be..a8cf72de 100644
--- a/folly/io/async/SSLContext.cpp
+++ b/folly/io/async/SSLContext.cpp
@@ -145,6 +145,42 @@ void SSLContext::setClientECCurvesList(
 #endif
 }
 
+void SSLContext::setServerECCurve(const std::string& curveName) {
+  bool validCall = false;
+#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
+#ifndef OPENSSL_NO_ECDH
+  validCall = true;
+#endif
+#endif
+  if (!validCall) {
+    throw std::runtime_error("Elliptic curve encryption not allowed");
+  }
+
+  EC_KEY* ecdh = nullptr;
+  int nid;
+
+  /*
+   * Elliptic-Curve Diffie-Hellman parameters are either "named curves"
+   * from RFC 4492 section 5.1.1, or explicitly described curves over
+   * binary fields. OpenSSL only supports the "named curves", which provide
+   * maximum interoperability.
+   */
+
+  nid = OBJ_sn2nid(curveName.c_str());
+  if (nid == 0) {
+    LOG(FATAL) << "Unknown curve name:" << curveName.c_str();
+    return;
+  }
+  ecdh = EC_KEY_new_by_curve_name(nid);
+  if (ecdh == nullptr) {
+    LOG(FATAL) << "Unable to create curve:" << curveName.c_str();
+    return;
+  }
+
+  SSL_CTX_set_tmp_ecdh(ctx_, ecdh);
+  EC_KEY_free(ecdh);
+}
+
 void SSLContext::setX509VerifyParam(
     const ssl::X509VerifyParam& x509VerifyParam) {
   if (!x509VerifyParam) {
diff --git a/folly/io/async/SSLContext.h b/folly/io/async/SSLContext.h
index 83f0ad22..4593f918 100644
--- a/folly/io/async/SSLContext.h
+++ b/folly/io/async/SSLContext.h
@@ -161,6 +161,13 @@ class SSLContext {
    */
   void setClientECCurvesList(const std::vector& ecCurves);
 
+  /**
+   * Method to add support for a specific elliptic curve encryption algorithm.
+   *
+   * @param curveName: The name of the ec curve to support, eg: prime256v1.
+   */
+  void setServerECCurve(const std::string& curveName);
+
   /**
    * Sets an x509 verification param on the context.
    */
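Review bot: The new doc comment describes setServerECCurve as adding an "elliptic curve encryption algorithm", but what the implementation installs (via `SSL_CTX_set_tmp_ecdh` in the .cpp hunk) is the named curve used for ephemeral ECDH key exchange, which is neither an encryption algorithm nor a cipher; suggest `* Selects the named elliptic curve (RFC 4492 short name, e.g. prime256v1) used for ephemeral ECDH key exchange on the server side.`. The comment should also state the failure contract — that the call throws `std::runtime_error` when ECDH support is compiled out of OpenSSL — since callers configuring a server will want to handle that at setup time. A reader would additionally benefit from knowing that the name is resolved with `OBJ_sn2nid`, so only OpenSSL short names are accepted.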