From ca3895f0b52628df29bcf87e139971904f4b9b28 Mon Sep 17 00:00:00 2001
From: Kurt Roeckx
Date: Tue, 8 Mar 2016 20:26:38 +0100
Subject: [PATCH] Move disabling of RC4 for DTLS to the cipher list.

Reviewed-by: Viktor Dukhovni
MR: #1595
---
 ssl/d1_lib.c | 19 -------------------
 ssl/s3_lib.c | 20 ++++++++++----------
 ssl/ssl_ciph.c | 39 ++++++++++++++++++++++++---------------
 ssl/ssl_locl.h | 3 +--
 4 files changed, 35 insertions(+), 46 deletions(-)

diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
index d9c4ec6503..f2daaf2fd2 100644
--- a/ssl/d1_lib.c
+++ b/ssl/d1_lib.c
@@ -274,25 +274,6 @@ long dtls1_ctrl(SSL *s, int cmd, long larg, void *parg)
 return (ret);
 }
 
-/*
- * As it's impossible to use stream ciphers in "datagram" mode, this
- * simple filter is designed to disengage them in DTLS. Unfortunately
- * there is no universal way to identify stream SSL_CIPHER, so we have
- * to explicitly list their SSL_* codes. Currently RC4 is the only one
- * available, but if new ones emerge, they will have to be added...
- */
-const SSL_CIPHER *dtls1_get_cipher(unsigned int u)
-{
- const SSL_CIPHER *ciph = ssl3_get_cipher(u);
-
- if (ciph != NULL) {
- if (ciph->algorithm_enc == SSL_RC4)
- return NULL;
- }
-
- return ciph;
-}
-
 void dtls1_start_timer(SSL *s)
 {
 #ifndef OPENSSL_NO_SCTP
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index c779ea76c3..973274bc8d 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -207,7 +207,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
 SSL_RC4,
 SSL_MD5,
 SSL3_VERSION, TLS1_2_VERSION,
- DTLS1_VERSION, DTLS1_2_VERSION,
+ 0, 0,
 SSL_NOT_DEFAULT | SSL_MEDIUM,
 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
 128,
@@ -224,7 +224,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
 SSL_RC4,
 SSL_SHA1,
 SSL3_VERSION, TLS1_2_VERSION,
- DTLS1_VERSION, DTLS1_2_VERSION,
+ 0, 0,
 SSL_NOT_DEFAULT | SSL_MEDIUM,
 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
 128,
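Review bot: The `0, 0` that replaces `DTLS1_VERSION, DTLS1_2_VERSION` in the RC4 entries of `ssl3_ciphers[]` in ssl/s3_lib.c carries no explanation, and the comment that gave the rationale (stream ciphers cannot be used in datagram mode) is deleted with `dtls1_get_cipher` in ssl/d1_lib.c. Judging from the `c->min_dtls == 0` test added in ssl/ssl_ciph.c, zero now acts as the "not usable in DTLS" sentinel, so these table values are the only thing keeping RC4 out of DTLS cipher lists. A trailing comment on each changed line, for example `0, 0, /* stream cipher: not usable in DTLS */`, would stop someone restoring the version pair by analogy with neighbouring entries; the same applies to the remaining hunks of this file. The table starts and ends outside these hunks, so whether every RC4 entry was converted cannot be confirmed from here.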
@@ -313,7 +313,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
 SSL_RC4,
 SSL_MD5,
 SSL3_VERSION, TLS1_2_VERSION,
- DTLS1_VERSION, DTLS1_2_VERSION,
+ 0, 0,
 SSL_NOT_DEFAULT | SSL_MEDIUM,
 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
 128,
@@ -867,7 +867,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
 SSL_RC4,
 SSL_SHA1,
 SSL3_VERSION, TLS1_2_VERSION,
- DTLS1_VERSION, DTLS1_2_VERSION,
+ 0, 0,
 SSL_NOT_DEFAULT | SSL_MEDIUM,
 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
 128,
@@ -937,7 +937,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
 SSL_RC4,
 SSL_SHA1,
 SSL3_VERSION, TLS1_2_VERSION,
- DTLS1_VERSION, DTLS1_2_VERSION,
+ 0, 0,
 SSL_NOT_DEFAULT | SSL_MEDIUM,
 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
 128,
@@ -1007,7 +1007,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
 SSL_RC4,
 SSL_SHA1,
 SSL3_VERSION, TLS1_2_VERSION,
- DTLS1_VERSION, DTLS1_2_VERSION,
+ 0, 0,
 SSL_NOT_DEFAULT | SSL_MEDIUM,
 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
 128,
@@ -1757,7 +1757,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
 SSL_RC4,
 SSL_SHA1,
 SSL3_VERSION, TLS1_2_VERSION,
- DTLS1_VERSION, DTLS1_2_VERSION,
+ 0, 0,
 SSL_NOT_DEFAULT | SSL_MEDIUM,
 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
 128,
@@ -1844,7 +1844,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
 SSL_RC4,
 SSL_SHA1,
 SSL3_VERSION, TLS1_2_VERSION,
- DTLS1_VERSION, DTLS1_2_VERSION,
+ 0, 0,
 SSL_NOT_DEFAULT | SSL_MEDIUM,
 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
 128,
@@ -1931,7 +1931,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
 SSL_RC4,
 SSL_SHA1,
 SSL3_VERSION, TLS1_2_VERSION,
- DTLS1_VERSION, DTLS1_2_VERSION,
+ 0, 0,
 SSL_NOT_DEFAULT | SSL_MEDIUM,
 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
 128,
@@ -2300,7 +2300,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
 SSL_RC4,
 SSL_SHA1,
 SSL3_VERSION, TLS1_2_VERSION,
- DTLS1_VERSION, DTLS1_2_VERSION,
+ 0, 0,
 SSL_NOT_DEFAULT | SSL_MEDIUM,
 SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
 128,
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 1481bd20f7..c8c7f0281c 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -787,21 +787,30 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
 for (i = 0; i < num_of_ciphers; i++) {
 c = ssl_method->get_cipher(i);
 /* drop those that use any of that is not available */
- if ((c != NULL) && c->valid &&
- (!FIPS_mode() || (c->algo_strength & SSL_FIPS)) &&
- !(c->algorithm_mkey & disabled_mkey) &&
- !(c->algorithm_auth & disabled_auth) &&
- !(c->algorithm_enc & disabled_enc) &&
- !(c->algorithm_mac & disabled_mac)) {
- co_list[co_list_num].cipher = c;
- co_list[co_list_num].next = NULL;
- co_list[co_list_num].prev = NULL;
- co_list[co_list_num].active = 0;
- co_list_num++;
- /*
- * if (!sk_push(ca_list,(char *)c)) goto err;
- */
- }
+ if (c == NULL || !c->valid)
+ continue;
+ if (FIPS_mode() && (c->algo_strength & SSL_FIPS))
+ continue;
+ if ((c->algorithm_mkey & disabled_mkey) ||
+ (c->algorithm_auth & disabled_auth) ||
+ (c->algorithm_enc & disabled_enc) ||
+ (c->algorithm_mac & disabled_mac))
+ continue;
+ if (((ssl_method->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS) == 0) &&
+ c->min_tls == 0)
+ continue;
+ if (((ssl_method->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS) != 0) &&
+ c->min_dtls == 0)
+ continue;
+
+ co_list[co_list_num].cipher = c;
+ co_list[co_list_num].next = NULL;
+ co_list[co_list_num].prev = NULL;
+ co_list[co_list_num].active = 0;
+ co_list_num++;
+ /*
+ * if (!sk_push(ca_list,(char *)c)) goto err;
+ */
 }
 
 /*
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index ef5eb8cf53..adce5ad34a 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -1854,7 +1854,7 @@ const SSL_METHOD *func_name(void) \
 ssl3_put_cipher_by_char, \
 ssl3_pending, \
 ssl3_num_ciphers, \
- dtls1_get_cipher, \
+ ssl3_get_cipher, \
 s_get_meth, \
 dtls1_default_timeout, \
 &enc_data, \
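Review bot: The FIPS test in the rewritten loop of `ssl_cipher_collect_ciphers` (ssl/ssl_ciph.c) is inverted relative to the condition it replaces. The old code kept a cipher when `!FIPS_mode() || (c->algo_strength & SSL_FIPS)`, so the skip must fire when FIPS mode is on and the flag is absent; the new `if (FIPS_mode() && (c->algo_strength & SSL_FIPS)) continue;` instead drops the FIPS-flagged ciphers and lets the unflagged ones into the list. It should read `if (FIPS_mode() && !(c->algo_strength & SSL_FIPS))`. A regression test that builds the list in FIPS mode and asserts every collected cipher carries `SSL_FIPS` would catch this; the function body continues outside the hunk.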
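Review bot: Replacing `dtls1_get_cipher` with `ssl3_get_cipher` in the DTLS method macro in ssl/ssl_locl.h moves the RC4 filter from the lookup to a single consumer. The removed wrapper returned NULL for `SSL_RC4` on every call through that slot, whereas after this change only the `c->min_dtls == 0` check in `ssl_cipher_collect_ciphers` rejects those entries. Any other code that reaches ciphers through this method slot, or resolves a peer-offered cipher by ID against the raw table, would presumably now see RC4 on a DTLS method; it is worth confirming that negotiation always validates against the collected list. A comment at the slot such as `/* DTLS filtering is done via min_dtls in ssl_cipher_collect_ciphers() */` would record the dependency; the macro starts and ends outside the hunk.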
@@ -2013,7 +2013,6 @@ __owur long dtls1_default_timeout(void);
 __owur struct timeval *dtls1_get_timeout(SSL *s, struct timeval *timeleft);
 __owur int dtls1_check_timeout_num(SSL *s);
 __owur int dtls1_handle_timeout(SSL *s);
-__owur const SSL_CIPHER *dtls1_get_cipher(unsigned int u);
 void dtls1_start_timer(SSL *s);
 void dtls1_stop_timer(SSL *s);
 __owur int dtls1_is_timer_expired(SSL *s);
-- 
2.25.1