Move disabling of RC4 for DTLS to the cipher list.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #1595
This commit is contained in:
Kurt Roeckx 2016-03-08 20:26:38 +01:00
parent 82478521aa
commit ca3895f0b5
4 changed files with 35 additions and 46 deletions

View File

@ -274,25 +274,6 @@ long dtls1_ctrl(SSL *s, int cmd, long larg, void *parg)
return (ret);
}
/*
* As it's impossible to use stream ciphers in "datagram" mode, this
* simple filter is designed to disengage them in DTLS. Unfortunately
* there is no universal way to identify stream SSL_CIPHER, so we have
* to explicitly list their SSL_* codes. Currently RC4 is the only one
* available, but if new ones emerge, they will have to be added...
*/
const SSL_CIPHER *dtls1_get_cipher(unsigned int u)
{
const SSL_CIPHER *ciph = ssl3_get_cipher(u);
if (ciph != NULL) {
if (ciph->algorithm_enc == SSL_RC4)
return NULL;
}
return ciph;
}
void dtls1_start_timer(SSL *s)
{
#ifndef OPENSSL_NO_SCTP

View File

@ -207,7 +207,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4,
SSL_MD5,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_VERSION, DTLS1_2_VERSION,
0, 0,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@ -224,7 +224,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_VERSION, DTLS1_2_VERSION,
0, 0,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@ -313,7 +313,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4,
SSL_MD5,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_VERSION, DTLS1_2_VERSION,
0, 0,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@ -867,7 +867,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_VERSION, DTLS1_2_VERSION,
0, 0,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@ -937,7 +937,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_VERSION, DTLS1_2_VERSION,
0, 0,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@ -1007,7 +1007,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_VERSION, DTLS1_2_VERSION,
0, 0,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@ -1757,7 +1757,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_VERSION, DTLS1_2_VERSION,
0, 0,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@ -1844,7 +1844,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_VERSION, DTLS1_2_VERSION,
0, 0,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@ -1931,7 +1931,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_VERSION, DTLS1_2_VERSION,
0, 0,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@ -2300,7 +2300,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
SSL_RC4,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_VERSION, DTLS1_2_VERSION,
0, 0,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,

View File

@ -787,21 +787,30 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
for (i = 0; i < num_of_ciphers; i++) {
c = ssl_method->get_cipher(i);
/* drop those that use any of that is not available */
if ((c != NULL) && c->valid &&
(!FIPS_mode() || (c->algo_strength & SSL_FIPS)) &&
!(c->algorithm_mkey & disabled_mkey) &&
!(c->algorithm_auth & disabled_auth) &&
!(c->algorithm_enc & disabled_enc) &&
!(c->algorithm_mac & disabled_mac)) {
co_list[co_list_num].cipher = c;
co_list[co_list_num].next = NULL;
co_list[co_list_num].prev = NULL;
co_list[co_list_num].active = 0;
co_list_num++;
/*
* if (!sk_push(ca_list,(char *)c)) goto err;
*/
}
if (c == NULL || !c->valid)
continue;
if (FIPS_mode() && (c->algo_strength & SSL_FIPS))
continue;
if ((c->algorithm_mkey & disabled_mkey) ||
(c->algorithm_auth & disabled_auth) ||
(c->algorithm_enc & disabled_enc) ||
(c->algorithm_mac & disabled_mac))
continue;
if (((ssl_method->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS) == 0) &&
c->min_tls == 0)
continue;
if (((ssl_method->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS) != 0) &&
c->min_dtls == 0)
continue;
co_list[co_list_num].cipher = c;
co_list[co_list_num].next = NULL;
co_list[co_list_num].prev = NULL;
co_list[co_list_num].active = 0;
co_list_num++;
/*
* if (!sk_push(ca_list,(char *)c)) goto err;
*/
}
/*

View File

@ -1854,7 +1854,7 @@ const SSL_METHOD *func_name(void) \
ssl3_put_cipher_by_char, \
ssl3_pending, \
ssl3_num_ciphers, \
dtls1_get_cipher, \
ssl3_get_cipher, \
s_get_meth, \
dtls1_default_timeout, \
&enc_data, \
@ -2013,7 +2013,6 @@ __owur long dtls1_default_timeout(void);
__owur struct timeval *dtls1_get_timeout(SSL *s, struct timeval *timeleft);
__owur int dtls1_check_timeout_num(SSL *s);
__owur int dtls1_handle_timeout(SSL *s);
__owur const SSL_CIPHER *dtls1_get_cipher(unsigned int u);
void dtls1_start_timer(SSL *s);
void dtls1_stop_timer(SSL *s);
__owur int dtls1_is_timer_expired(SSL *s);