From 8b8e5bed233a2d8106296c8e460be252719e0fdd Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Tue, 14 Jan 2014 14:55:21 +0000 Subject: [PATCH] Allow return of supported ciphers. New function ssl_cipher_disabled. Check for disabled client ciphers using ssl_cipher_disabled. New function to return only supported ciphers. New option to ciphers utility to print only supported ciphers. --- apps/ciphers.c | 15 ++++++++++++--- ssl/s3_clnt.c | 4 +--- ssl/ssl.h | 1 + ssl/ssl_lib.c | 32 ++++++++++++++++++++++++++++---- ssl/ssl_locl.h | 1 + ssl/t1_lib.c | 8 ++++++++ 6 files changed, 51 insertions(+), 10 deletions(-) diff --git a/apps/ciphers.c b/apps/ciphers.c index c9abf1a05a..52da70245a 100644 --- a/apps/ciphers.c +++ b/apps/ciphers.c @@ -85,6 +85,7 @@ int MAIN(int argc, char **argv) { int ret=1,i; int verbose=0,Verbose=0; + int use_supported = 0; #ifndef OPENSSL_NO_SSL_TRACE int stdname = 0; #endif @@ -129,6 +130,8 @@ int MAIN(int argc, char **argv) verbose=1; else if (strcmp(*argv,"-V") == 0) verbose=Verbose=1; + else if (strcmp(*argv,"-s") == 0) + use_supported = 1; #ifndef OPENSSL_NO_SSL_TRACE else if (strcmp(*argv,"-stdname") == 0) stdname=verbose=1; @@ -179,12 +182,17 @@ int MAIN(int argc, char **argv) ssl=SSL_new(ctx); if (ssl == NULL) goto err; + if (use_supported) + sk=SSL_get1_supported_ciphers(ssl); + else + sk=SSL_get_ciphers(ssl); if (!verbose) { - for (i=0; ; i++) + for (i=0; ialgorithm_ssl & ct->mask_ssl || - c->algorithm_mkey & ct->mask_k || - c->algorithm_auth & ct->mask_a) + if (ssl_cipher_disabled(s, c)) { al=SSL_AD_ILLEGAL_PARAMETER; SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED); diff --git a/ssl/ssl.h b/ssl/ssl.h index c6b1ac35f9..9c200b798e 100644 --- a/ssl/ssl.h +++ b/ssl/ssl.h @@ -2378,6 +2378,7 @@ const SSL_METHOD *DTLS_server_method(void); /* DTLS 1.0 and 1.2 */ const SSL_METHOD *DTLS_client_method(void); /* DTLS 1.0 and 1.2 */ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s); +STACK_OF(SSL_CIPHER) *SSL_get1_supported_ciphers(SSL *s); int SSL_do_handshake(SSL *s); int SSL_renegotiate(SSL *s); diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index cc9b965778..1b8c0f42bc 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -1342,6 +1342,33 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s) return(NULL); } +STACK_OF(SSL_CIPHER) *SSL_get1_supported_ciphers(SSL *s) + { + STACK_OF(SSL_CIPHER) *sk = NULL, *ciphers; + int i; + ciphers = SSL_get_ciphers(s); + if (!ciphers) + return NULL; + ssl_set_client_disabled(s); + for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) + { + const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i); + if (!ssl_cipher_disabled(s, c)) + { + if (!sk) + sk = sk_SSL_CIPHER_new_null(); + if (!sk) + return NULL; + if (!sk_SSL_CIPHER_push(sk, c)) + { + sk_SSL_CIPHER_free(sk); + return NULL; + } + } + } + return sk; + } + /** return a STACK of the ciphers available for the SSL and in order of * algorithm id */ STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s) @@ -1459,7 +1486,6 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p, { int i,j=0; SSL_CIPHER *c; - CERT *ct = s->cert; unsigned char *q; int no_scsv = s->renegotiate; /* Set disabled masks for this session */ @@ -1472,9 +1498,7 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p, { c=sk_SSL_CIPHER_value(sk,i); /* Skip disabled ciphers */ - if (c->algorithm_ssl & ct->mask_ssl || - c->algorithm_mkey & ct->mask_k || - c->algorithm_auth & ct->mask_a) + if (ssl_cipher_disabled(s, c)) continue; #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL if (c->id == SSL3_CK_SCSV) diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index cd397f45d2..07ea0d2972 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -1331,6 +1331,7 @@ size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs); int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s, const unsigned char *sig, EVP_PKEY *pkey); void ssl_set_client_disabled(SSL *s); +int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c); int ssl_add_clienthello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen); int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al); diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index c9e489898a..37cc6f6abf 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -1093,6 +1093,14 @@ void ssl_set_client_disabled(SSL *s) c->valid = 1; } +int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c) + { + CERT *ct = s->cert; + if (c->algorithm_ssl & ct->mask_ssl || c->algorithm_mkey & ct->mask_k || c->algorithm_auth & ct->mask_a) + return 1; + return 0; + } + unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit, int *al) { int extdatalen=0; -- 2.25.1