mirror of
https://github.com/openssl/openssl.git
synced 2024-11-27 05:21:51 +08:00
Move disabling of RC4 for DTLS to the cipher list.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> MR: #1595
This commit is contained in:
parent
82478521aa
commit
ca3895f0b5
19
ssl/d1_lib.c
19
ssl/d1_lib.c
@ -274,25 +274,6 @@ long dtls1_ctrl(SSL *s, int cmd, long larg, void *parg)
|
||||
return (ret);
|
||||
}
|
||||
|
||||
/*
|
||||
* As it's impossible to use stream ciphers in "datagram" mode, this
|
||||
* simple filter is designed to disengage them in DTLS. Unfortunately
|
||||
* there is no universal way to identify stream SSL_CIPHER, so we have
|
||||
* to explicitly list their SSL_* codes. Currently RC4 is the only one
|
||||
* available, but if new ones emerge, they will have to be added...
|
||||
*/
|
||||
const SSL_CIPHER *dtls1_get_cipher(unsigned int u)
|
||||
{
|
||||
const SSL_CIPHER *ciph = ssl3_get_cipher(u);
|
||||
|
||||
if (ciph != NULL) {
|
||||
if (ciph->algorithm_enc == SSL_RC4)
|
||||
return NULL;
|
||||
}
|
||||
|
||||
return ciph;
|
||||
}
|
||||
|
||||
void dtls1_start_timer(SSL *s)
|
||||
{
|
||||
#ifndef OPENSSL_NO_SCTP
|
||||
|
20
ssl/s3_lib.c
20
ssl/s3_lib.c
@ -207,7 +207,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
|
||||
SSL_RC4,
|
||||
SSL_MD5,
|
||||
SSL3_VERSION, TLS1_2_VERSION,
|
||||
DTLS1_VERSION, DTLS1_2_VERSION,
|
||||
0, 0,
|
||||
SSL_NOT_DEFAULT | SSL_MEDIUM,
|
||||
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
|
||||
128,
|
||||
@ -224,7 +224,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
|
||||
SSL_RC4,
|
||||
SSL_SHA1,
|
||||
SSL3_VERSION, TLS1_2_VERSION,
|
||||
DTLS1_VERSION, DTLS1_2_VERSION,
|
||||
0, 0,
|
||||
SSL_NOT_DEFAULT | SSL_MEDIUM,
|
||||
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
|
||||
128,
|
||||
@ -313,7 +313,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
|
||||
SSL_RC4,
|
||||
SSL_MD5,
|
||||
SSL3_VERSION, TLS1_2_VERSION,
|
||||
DTLS1_VERSION, DTLS1_2_VERSION,
|
||||
0, 0,
|
||||
SSL_NOT_DEFAULT | SSL_MEDIUM,
|
||||
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
|
||||
128,
|
||||
@ -867,7 +867,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
|
||||
SSL_RC4,
|
||||
SSL_SHA1,
|
||||
SSL3_VERSION, TLS1_2_VERSION,
|
||||
DTLS1_VERSION, DTLS1_2_VERSION,
|
||||
0, 0,
|
||||
SSL_NOT_DEFAULT | SSL_MEDIUM,
|
||||
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
|
||||
128,
|
||||
@ -937,7 +937,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
|
||||
SSL_RC4,
|
||||
SSL_SHA1,
|
||||
SSL3_VERSION, TLS1_2_VERSION,
|
||||
DTLS1_VERSION, DTLS1_2_VERSION,
|
||||
0, 0,
|
||||
SSL_NOT_DEFAULT | SSL_MEDIUM,
|
||||
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
|
||||
128,
|
||||
@ -1007,7 +1007,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
|
||||
SSL_RC4,
|
||||
SSL_SHA1,
|
||||
SSL3_VERSION, TLS1_2_VERSION,
|
||||
DTLS1_VERSION, DTLS1_2_VERSION,
|
||||
0, 0,
|
||||
SSL_NOT_DEFAULT | SSL_MEDIUM,
|
||||
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
|
||||
128,
|
||||
@ -1757,7 +1757,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
|
||||
SSL_RC4,
|
||||
SSL_SHA1,
|
||||
SSL3_VERSION, TLS1_2_VERSION,
|
||||
DTLS1_VERSION, DTLS1_2_VERSION,
|
||||
0, 0,
|
||||
SSL_NOT_DEFAULT | SSL_MEDIUM,
|
||||
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
|
||||
128,
|
||||
@ -1844,7 +1844,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
|
||||
SSL_RC4,
|
||||
SSL_SHA1,
|
||||
SSL3_VERSION, TLS1_2_VERSION,
|
||||
DTLS1_VERSION, DTLS1_2_VERSION,
|
||||
0, 0,
|
||||
SSL_NOT_DEFAULT | SSL_MEDIUM,
|
||||
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
|
||||
128,
|
||||
@ -1931,7 +1931,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
|
||||
SSL_RC4,
|
||||
SSL_SHA1,
|
||||
SSL3_VERSION, TLS1_2_VERSION,
|
||||
DTLS1_VERSION, DTLS1_2_VERSION,
|
||||
0, 0,
|
||||
SSL_NOT_DEFAULT | SSL_MEDIUM,
|
||||
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
|
||||
128,
|
||||
@ -2300,7 +2300,7 @@ static const SSL_CIPHER ssl3_ciphers[] = {
|
||||
SSL_RC4,
|
||||
SSL_SHA1,
|
||||
SSL3_VERSION, TLS1_2_VERSION,
|
||||
DTLS1_VERSION, DTLS1_2_VERSION,
|
||||
0, 0,
|
||||
SSL_NOT_DEFAULT | SSL_MEDIUM,
|
||||
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
|
||||
128,
|
||||
|
@ -787,21 +787,30 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
|
||||
for (i = 0; i < num_of_ciphers; i++) {
|
||||
c = ssl_method->get_cipher(i);
|
||||
/* drop those that use any of that is not available */
|
||||
if ((c != NULL) && c->valid &&
|
||||
(!FIPS_mode() || (c->algo_strength & SSL_FIPS)) &&
|
||||
!(c->algorithm_mkey & disabled_mkey) &&
|
||||
!(c->algorithm_auth & disabled_auth) &&
|
||||
!(c->algorithm_enc & disabled_enc) &&
|
||||
!(c->algorithm_mac & disabled_mac)) {
|
||||
co_list[co_list_num].cipher = c;
|
||||
co_list[co_list_num].next = NULL;
|
||||
co_list[co_list_num].prev = NULL;
|
||||
co_list[co_list_num].active = 0;
|
||||
co_list_num++;
|
||||
/*
|
||||
* if (!sk_push(ca_list,(char *)c)) goto err;
|
||||
*/
|
||||
}
|
||||
if (c == NULL || !c->valid)
|
||||
continue;
|
||||
if (FIPS_mode() && (c->algo_strength & SSL_FIPS))
|
||||
continue;
|
||||
if ((c->algorithm_mkey & disabled_mkey) ||
|
||||
(c->algorithm_auth & disabled_auth) ||
|
||||
(c->algorithm_enc & disabled_enc) ||
|
||||
(c->algorithm_mac & disabled_mac))
|
||||
continue;
|
||||
if (((ssl_method->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS) == 0) &&
|
||||
c->min_tls == 0)
|
||||
continue;
|
||||
if (((ssl_method->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS) != 0) &&
|
||||
c->min_dtls == 0)
|
||||
continue;
|
||||
|
||||
co_list[co_list_num].cipher = c;
|
||||
co_list[co_list_num].next = NULL;
|
||||
co_list[co_list_num].prev = NULL;
|
||||
co_list[co_list_num].active = 0;
|
||||
co_list_num++;
|
||||
/*
|
||||
* if (!sk_push(ca_list,(char *)c)) goto err;
|
||||
*/
|
||||
}
|
||||
|
||||
/*
|
||||
|
@ -1854,7 +1854,7 @@ const SSL_METHOD *func_name(void) \
|
||||
ssl3_put_cipher_by_char, \
|
||||
ssl3_pending, \
|
||||
ssl3_num_ciphers, \
|
||||
dtls1_get_cipher, \
|
||||
ssl3_get_cipher, \
|
||||
s_get_meth, \
|
||||
dtls1_default_timeout, \
|
||||
&enc_data, \
|
||||
@ -2013,7 +2013,6 @@ __owur long dtls1_default_timeout(void);
|
||||
__owur struct timeval *dtls1_get_timeout(SSL *s, struct timeval *timeleft);
|
||||
__owur int dtls1_check_timeout_num(SSL *s);
|
||||
__owur int dtls1_handle_timeout(SSL *s);
|
||||
__owur const SSL_CIPHER *dtls1_get_cipher(unsigned int u);
|
||||
void dtls1_start_timer(SSL *s);
|
||||
void dtls1_stop_timer(SSL *s);
|
||||
__owur int dtls1_is_timer_expired(SSL *s);
|
||||
|
Loading…
Reference in New Issue
Block a user