ssl: add ability to control kex groups and sig algs

src/client.c

@@ -1545,19 +1545,23 @@ gboolean
 client_add_incoming_ssl (Client * client,
     const gchar * cert_file, const gchar * key_file,
     const gchar * ca_file, const gchar * ca_dir,
-    const gchar * ciphers, gboolean tls1_enabled)
+    const gchar * ciphers, const gchar * kex_groups,
+    const gchar * sig_algs, gboolean tls1_enabled)
 {
   client->ssl_ctx = ssl_add_incoming (cert_file, key_file, ca_file, ca_dir,
-      ciphers, tls1_enabled);
+      ciphers, kex_groups, sig_algs, tls1_enabled);
   return client->ssl_ctx != NULL;
 }
 
 gboolean
 client_add_outgoing_ssl (Client * client,
     const gchar * ca_file, const gchar * ca_dir,
-    const gchar * ciphers, gboolean tls1_enabled)
+    const gchar * ciphers, const gchar * kex_groups,
+    const gchar * sig_algs, gboolean tls1_enabled)
 {
-  client->ssl_ctx = ssl_add_outgoing (ca_file, ca_dir, ciphers, tls1_enabled);
+  client->ssl_ctx =
+      ssl_add_outgoing (ca_file, ca_dir, ciphers, kex_groups, sig_algs,
+      tls1_enabled);
   return client->ssl_ctx != NULL;
 }
 

src/client.h

@@ -189,9 +189,11 @@ gboolean client_window_size_reached (Client *client);
 gboolean client_add_incoming_ssl (Client * client,
     const gchar * cert_file, const gchar * key_file,
     const gchar * ca_file, const gchar * ca_dir,
-    const gchar * ciphers, gboolean tls1_enabled);
+    const gchar * ciphers, const gchar * kex_groups,
+    const gchar * sig_algs, gboolean tls1_enabled);
 gboolean client_add_outgoing_ssl (Client * client,
     const gchar * ca_file, const gchar * ca_dir,
-    const gchar * ciphers, gboolean tls1_enabled);
+    const gchar * ciphers, const gchar * kex_groups,
+    const gchar * sig_algs, gboolean tls1_enabled);
 
 #endif /* __CLIENT_H__ */

src/pexrtmpserver.c

@@ -48,6 +48,8 @@ GST_DEBUG_CATEGORY (pex_rtmp_server_debug);
 #define DEFAULT_CA_CERT_FILE ""
 #define DEFAULT_CA_CERT_DIR ""
 #define DEFAULT_CIPHERS "!eNULL:!aNULL:!EXP:!DES:!RC4:!RC2:!IDEA:!ADH:ALL@STRENGTH"
+#define DEFAULT_KEX_GROUPS ""
+#define DEFAULT_SIG_ALGS ""
 #define DEFAULT_STREAM_ID 1337
 #define DEFAULT_CHUNK_SIZE 128
 #define DEFAULT_TCP_SYNCNT -1
@@ -65,6 +67,8 @@ enum
   PROP_CA_CERT_FILE,
   PROP_CA_CERT_DIR,
   PROP_CIPHERS,
+  PROP_KEX_GROUPS,
+  PROP_TLS_SIG_ALGS,
   PROP_TLS1_ENABLED,
   PROP_IGNORE_LOCALHOST,
   PROP_STREAM_ID,
@@ -103,6 +107,8 @@ struct _PexRtmpServer
   gchar *ca_cert_file;
   gchar *ca_cert_dir;
   gchar *ciphers;
+  gchar *kex_groups;
+  gchar *tls_sig_algs;
   gboolean tls1_enabled;
   gboolean ignore_localhost;
   gint stream_id;
@@ -271,24 +277,29 @@ rtmp_server_create_client (PexRtmpServer * srv, gint listen_fd)
 #ifdef HAVE_OPENSSL
   /* ssl connection */
   if (use_ssl) {
-    gchar *cert_file, *key_file, *ca_file, *ca_dir, *ciphers;
+    gchar *cert_file, *key_file, *ca_file, *ca_dir, *ciphers, *kex_groups,
+        *sig_algs;
     gboolean tls1_enabled;
 
     g_object_get (srv,
         "cert-file", &cert_file,
         "key-file", &key_file,
         "ca-cert-file", &ca_file,
         "ca-cert-dir", &ca_dir,
-        "ciphers", &ciphers, "tls1-enabled", &tls1_enabled, NULL);
+        "ciphers", &ciphers,
+        "kex-groups", &kex_groups,
+        "tls-sig-algs", &sig_algs, "tls1-enabled", &tls1_enabled, NULL);
 
     client_add_incoming_ssl (client, cert_file, key_file, ca_file, ca_dir,
-        ciphers, tls1_enabled);
+        ciphers, kex_groups, sig_algs, tls1_enabled);
 
     g_free (cert_file);
     g_free (key_file);
     g_free (ca_file);
     g_free (ca_dir);
     g_free (ciphers);
+    g_free (kex_groups);
+    g_free (sig_algs);
   }
 #endif /* HAVE_OPENSSL */
 
@@ -523,7 +534,8 @@ _establish_client_tcp_connection (PexRtmpServer * srv, Client * client)
 #ifdef HAVE_OPENSSL
   if (client->use_ssl) {
     if (!client_add_outgoing_ssl (client, srv->ca_cert_file, srv->ca_cert_dir,
-            srv->ciphers, srv->tls1_enabled)) {
+            srv->ciphers, srv->kex_groups, srv->tls_sig_algs,
+            srv->tls1_enabled)) {
       /* Client logs warnings for us, so no need to do that here */
       GST_WARNING_OBJECT (srv, "Outgoing SSL failed");
       return PEX_RTMP_SERVER_STATUS_SSL_CONNECT_FAILED;
@@ -982,6 +994,8 @@ pex_rtmp_server_init (PexRtmpServer * srv)
   srv->ca_cert_file = NULL;
   srv->ca_cert_dir = NULL;
   srv->ciphers = NULL;
+  srv->kex_groups = NULL;
+  srv->tls_sig_algs = NULL;
   srv->tls1_enabled = DEFAULT_TLS1_ENABLED;
   srv->ignore_localhost = DEFAULT_IGNORE_LOCALHOST;
   g_mutex_init (&srv->direct_lock);
@@ -1043,6 +1057,8 @@ pex_rtmp_server_finalize (GObject * obj)
   g_free (srv->ca_cert_file);
   g_free (srv->ca_cert_dir);
   g_free (srv->ciphers);
+  g_free (srv->kex_groups);
+  g_free (srv->tls_sig_algs);
   g_free (srv->opaque);
   g_free (srv->salt);
   g_free (srv->username);
@@ -1097,6 +1113,14 @@ pex_rtmp_server_set_property (GObject * obj, guint prop_id,
       g_assert (!srv->running);
       srv->ciphers = g_value_dup_string (value);
       break;
+    case PROP_KEX_GROUPS:
+      g_assert (!srv->running);
+      srv->kex_groups = g_value_dup_string (value);
+      break;
+    case PROP_TLS_SIG_ALGS:
+      g_assert (!srv->running);
+      srv->tls_sig_algs = g_value_dup_string (value);
+      break;
     case PROP_TLS1_ENABLED:
       g_assert (!srv->running);
       srv->tls1_enabled = g_value_get_boolean (value);
@@ -1157,6 +1181,12 @@ pex_rtmp_server_get_property (GObject * obj, guint prop_id,
     case PROP_CIPHERS:
       g_value_set_string (value, srv->ciphers);
       break;
+    case PROP_KEX_GROUPS:
+      g_value_set_string (value, srv->kex_groups);
+      break;
+    case PROP_TLS_SIG_ALGS:
+      g_value_set_string (value, srv->tls_sig_algs);
+      break;
     case PROP_TLS1_ENABLED:
       g_value_set_boolean (value, srv->tls1_enabled);
       break;
@@ -1236,6 +1266,16 @@ pex_rtmp_server_class_init (PexRtmpServerClass * klass)
           "Specification of ciphers to use", DEFAULT_CIPHERS,
           G_PARAM_CONSTRUCT | G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS));
 
+  g_object_class_install_property (gobject_class, PROP_KEX_GROUPS,
+      g_param_spec_string ("kex-groups", "KeX groups",
+          "Key exchange groups to use", DEFAULT_KEX_GROUPS,
+          G_PARAM_CONSTRUCT | G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS));
+
+  g_object_class_install_property (gobject_class, PROP_TLS_SIG_ALGS,
+      g_param_spec_string ("tls-sig-algs", "TLS Sig Algs",
+          "List of enabled TLS signature algorithms", DEFAULT_SIG_ALGS,
+          G_PARAM_CONSTRUCT | G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS));
+
   g_object_class_install_property (gobject_class, PROP_TLS1_ENABLED,
       g_param_spec_boolean ("tls1-enabled", "TLS1 enabled",
           "Whether TLS1 is enabled", DEFAULT_TLS1_ENABLED,

utils/ssl.c

@@ -18,6 +18,7 @@
  * Free Software Foundation, Inc., 51 Franklin St, Fifth Floor,
  * Boston, MA 02110-1301, USA.
  */
+#include <stdbool.h>
 #include "ssl.h"
 
 #ifdef G_OS_WIN32
@@ -490,8 +491,10 @@ ssl_verify_callback (int preverify_ok, X509_STORE_CTX * ctx)
 SSL_CTX *
 ssl_add_incoming (const gchar * cert_file, const gchar * key_file,
     const gchar * ca_file, const gchar * ca_dir,
-    const gchar * ciphers, gboolean tls1_enabled)
+    const gchar * ciphers, const gchar * kex_groups, const gchar * sig_algs,
+    gboolean tls1_enabled)
 {
+  bool kex_groups_set = false;
   int seclevel = 0;
   int min_version = TLS1_VERSION;
   long ssl_options = SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
@@ -512,6 +515,25 @@ ssl_add_incoming (const gchar * cert_file, const gchar * key_file,
 #endif
   SSL_CTX_set_cipher_list (ssl_ctx, ciphers);
   SSL_CTX_set_options (ssl_ctx, ssl_options);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+  if (kex_groups != NULL && kex_groups[0] != '\0') {
+    if (SSL_CTX_set1_curves_list (ssl_ctx, kex_groups) != 1) {
+      GST_WARNING ("failed to set kex-groups: %s", kex_groups);
+      ssl_print_errors ();
+      return NULL;
+    }
+    kex_groups_set = true;
+  }
+#endif
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+  if (sig_algs != NULL && sig_algs[0] != '\0') {
+    if (SSL_CTX_set1_sigalgs_list (ssl_ctx, sig_algs) != 1) {
+      GST_WARNING ("failed to set tls-sig-algs: %s", kex_groups);
+      ssl_print_errors ();
+      return NULL;
+    }
+  }
+#endif
   if (file_exists (ca_file)) {
     SSL_CTX_load_verify_locations (ssl_ctx, ca_file, NULL);
   } else {
@@ -554,8 +576,11 @@ ssl_add_incoming (const gchar * cert_file, const gchar * key_file,
       }
     }
 
-    /* Configure ECDH parameters */
-    params = pkey_parameters_from_file (cert_file, EVP_PKEY_EC);
+    /* Configure ECDH parameters (if not already set) */
+    params = NULL;
+    if (!kex_groups_set) {
+      params = pkey_parameters_from_file (cert_file, EVP_PKEY_EC);
+    }
     if (params != NULL) {
       int nid = NID_undef;
 #if (OPENSSL_VERSION_NUMBER < 0x30000000L)
@@ -612,7 +637,8 @@ outgoing_ssl_info_callback (const SSL * ssl, int where, int ret)
 
 SSL_CTX *
 ssl_add_outgoing (const gchar * ca_file, const gchar * ca_dir,
-    const gchar * ciphers, gboolean tls1_enabled)
+    const gchar * ciphers, const gchar * kex_groups, const gchar * sig_algs,
+    gboolean tls1_enabled)
 {
   int seclevel = 0;
   int min_version = TLS1_VERSION;
@@ -632,6 +658,16 @@ ssl_add_outgoing (const gchar * ca_file, const gchar * ca_dir,
 #endif
   SSL_CTX_set_cipher_list (ssl_ctx, ciphers);
   SSL_CTX_set_options (ssl_ctx, ssl_options);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+  if (kex_groups != NULL && kex_groups[0] != '\0') {
+    SSL_CTX_set1_curves_list (ssl_ctx, kex_groups);
+  }
+#endif
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+  if (sig_algs != NULL && sig_algs[0] != '\0') {
+    SSL_CTX_set1_sigalgs_list (ssl_ctx, sig_algs);
+  }
+#endif
   if (file_exists (ca_file)) {
     SSL_CTX_load_verify_locations (ssl_ctx, ca_file, NULL);
   }

utils/ssl.h

@@ -30,9 +30,11 @@
 void ssl_print_errors ();
 
 SSL_CTX * ssl_add_outgoing (const gchar * ca_file, const gchar * ca_dir,
-    const gchar * ciphers, gboolean tls1_enabled);
+    const gchar * ciphers, const gchar * kex_groups, const gchar * sig_algs,
+    gboolean tls1_enabled);
 SSL_CTX * ssl_add_incoming (const gchar * cert_file, const gchar * key_file,
     const gchar * ca_file, const gchar * ca_dir,
-    const gchar * ciphers, gboolean tls1_enabled);
+    const gchar * ciphers, const gchar * kex_groups, const gchar * sig_algs,
+    gboolean tls1_enabled);
 
 #endif /* __SSL_H__ */