Move disabling of RC4 for DTLS to the cipher list.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
MR: #1595
diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
index d9c4ec6..f2daaf2 100644
--- a/ssl/d1_lib.c
+++ b/ssl/d1_lib.c
@@ -274,25 +274,6 @@
return (ret);
}
-/*
- * As it's impossible to use stream ciphers in "datagram" mode, this
- * simple filter is designed to disengage them in DTLS. Unfortunately
- * there is no universal way to identify stream SSL_CIPHER, so we have
- * to explicitly list their SSL_* codes. Currently RC4 is the only one
- * available, but if new ones emerge, they will have to be added...
- */
-const SSL_CIPHER *dtls1_get_cipher(unsigned int u)
-{
- const SSL_CIPHER *ciph = ssl3_get_cipher(u);
-
- if (ciph != NULL) {
- if (ciph->algorithm_enc == SSL_RC4)
- return NULL;
- }
-
- return ciph;
-}
-
void dtls1_start_timer(SSL *s)
{
#ifndef OPENSSL_NO_SCTP
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index c779ea7..973274b 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -207,7 +207,7 @@
SSL_RC4,
SSL_MD5,
SSL3_VERSION, TLS1_2_VERSION,
- DTLS1_VERSION, DTLS1_2_VERSION,
+ 0, 0,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -224,7 +224,7 @@
SSL_RC4,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
- DTLS1_VERSION, DTLS1_2_VERSION,
+ 0, 0,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -313,7 +313,7 @@
SSL_RC4,
SSL_MD5,
SSL3_VERSION, TLS1_2_VERSION,
- DTLS1_VERSION, DTLS1_2_VERSION,
+ 0, 0,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -867,7 +867,7 @@
SSL_RC4,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
- DTLS1_VERSION, DTLS1_2_VERSION,
+ 0, 0,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -937,7 +937,7 @@
SSL_RC4,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
- DTLS1_VERSION, DTLS1_2_VERSION,
+ 0, 0,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -1007,7 +1007,7 @@
SSL_RC4,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
- DTLS1_VERSION, DTLS1_2_VERSION,
+ 0, 0,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -1757,7 +1757,7 @@
SSL_RC4,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
- DTLS1_VERSION, DTLS1_2_VERSION,
+ 0, 0,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -1844,7 +1844,7 @@
SSL_RC4,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
- DTLS1_VERSION, DTLS1_2_VERSION,
+ 0, 0,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -1931,7 +1931,7 @@
SSL_RC4,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
- DTLS1_VERSION, DTLS1_2_VERSION,
+ 0, 0,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
@@ -2300,7 +2300,7 @@
SSL_RC4,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
- DTLS1_VERSION, DTLS1_2_VERSION,
+ 0, 0,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 1481bd2..c8c7f02 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -787,21 +787,30 @@
for (i = 0; i < num_of_ciphers; i++) {
c = ssl_method->get_cipher(i);
/* drop those that use any of that is not available */
- if ((c != NULL) && c->valid &&
- (!FIPS_mode() || (c->algo_strength & SSL_FIPS)) &&
- !(c->algorithm_mkey & disabled_mkey) &&
- !(c->algorithm_auth & disabled_auth) &&
- !(c->algorithm_enc & disabled_enc) &&
- !(c->algorithm_mac & disabled_mac)) {
- co_list[co_list_num].cipher = c;
- co_list[co_list_num].next = NULL;
- co_list[co_list_num].prev = NULL;
- co_list[co_list_num].active = 0;
- co_list_num++;
- /*
- * if (!sk_push(ca_list,(char *)c)) goto err;
- */
- }
+ if (c == NULL || !c->valid)
+ continue;
+ if (FIPS_mode() && (c->algo_strength & SSL_FIPS))
+ continue;
+ if ((c->algorithm_mkey & disabled_mkey) ||
+ (c->algorithm_auth & disabled_auth) ||
+ (c->algorithm_enc & disabled_enc) ||
+ (c->algorithm_mac & disabled_mac))
+ continue;
+ if (((ssl_method->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS) == 0) &&
+ c->min_tls == 0)
+ continue;
+ if (((ssl_method->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS) != 0) &&
+ c->min_dtls == 0)
+ continue;
+
+ co_list[co_list_num].cipher = c;
+ co_list[co_list_num].next = NULL;
+ co_list[co_list_num].prev = NULL;
+ co_list[co_list_num].active = 0;
+ co_list_num++;
+ /*
+ * if (!sk_push(ca_list,(char *)c)) goto err;
+ */
}
/*
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index ef5eb8c..adce5ad 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -1854,7 +1854,7 @@
ssl3_put_cipher_by_char, \
ssl3_pending, \
ssl3_num_ciphers, \
- dtls1_get_cipher, \
+ ssl3_get_cipher, \
s_get_meth, \
dtls1_default_timeout, \
&enc_data, \
@@ -2013,7 +2013,6 @@
__owur struct timeval *dtls1_get_timeout(SSL *s, struct timeval *timeleft);
__owur int dtls1_check_timeout_num(SSL *s);
__owur int dtls1_handle_timeout(SSL *s);
-__owur const SSL_CIPHER *dtls1_get_cipher(unsigned int u);
void dtls1_start_timer(SSL *s);
void dtls1_stop_timer(SSL *s);
__owur int dtls1_is_timer_expired(SSL *s);
