Allow return of supported ciphers.
New function ssl_cipher_disabled. Check for disabled client ciphers using ssl_cipher_disabled. New function to return only supported ciphers. New option to ciphers utility to print only supported ciphers.
This commit is contained in:
Dr. Stephen Henson
parent
09599b52d4
commit
8b8e5bed23
6 changed files with 51 additions and 10 deletions
|
|
@ -85,6 +85,7 @@ int MAIN(int argc, char **argv)
|
|||
{
|
||||
int ret=1,i;
|
||||
int verbose=0,Verbose=0;
|
||||
int use_supported = 0;
|
||||
#ifndef OPENSSL_NO_SSL_TRACE
|
||||
int stdname = 0;
|
||||
#endif
|
||||
|
|
@ -129,6 +130,8 @@ int MAIN(int argc, char **argv)
|
|||
verbose=1;
|
||||
else if (strcmp(*argv,"-V") == 0)
|
||||
verbose=Verbose=1;
|
||||
else if (strcmp(*argv,"-s") == 0)
|
||||
use_supported = 1;
|
||||
#ifndef OPENSSL_NO_SSL_TRACE
|
||||
else if (strcmp(*argv,"-stdname") == 0)
|
||||
stdname=verbose=1;
|
||||
|
|
@ -179,12 +182,17 @@ int MAIN(int argc, char **argv)
|
|||
ssl=SSL_new(ctx);
|
||||
if (ssl == NULL) goto err;
|
||||
|
||||
if (use_supported)
|
||||
sk=SSL_get1_supported_ciphers(ssl);
|
||||
else
|
||||
sk=SSL_get_ciphers(ssl);
|
||||
|
||||
if (!verbose)
|
||||
{
|
||||
for (i=0; ; i++)
|
||||
for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
|
||||
{
|
||||
p=SSL_get_cipher_list(ssl,i);
|
||||
SSL_CIPHER *c = sk_SSL_CIPHER_value(sk,i);
|
||||
p = SSL_CIPHER_get_name(c);
|
||||
if (p == NULL) break;
|
||||
if (i != 0) BIO_printf(STDout,":");
|
||||
BIO_printf(STDout,"%s",p);
|
||||
|
|
@ -193,7 +201,6 @@ int MAIN(int argc, char **argv)
|
|||
}
|
||||
else /* verbose */
|
||||
{
|
||||
sk=SSL_get_ciphers(ssl);
|
||||
|
||||
for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
|
||||
{
|
||||
|
|
@ -237,6 +244,8 @@ err:
|
|||
ERR_print_errors(bio_err);
|
||||
}
|
||||
end:
|
||||
if (use_supported && sk)
|
||||
sk_SSL_CIPHER_free(sk);
|
||||
if (ctx != NULL) SSL_CTX_free(ctx);
|
||||
if (ssl != NULL) SSL_free(ssl);
|
||||
if (STDout != NULL) BIO_free_all(STDout);
|
||||
|
|
|
|||
|
|
@ -1079,9 +1079,7 @@ int ssl3_get_server_hello(SSL *s)
|
|||
/* If it is a disabled cipher we didn't send it in client hello,
|
||||
* so return an error.
|
||||
*/
|
||||
if (c->algorithm_ssl & ct->mask_ssl ||
|
||||
c->algorithm_mkey & ct->mask_k ||
|
||||
c->algorithm_auth & ct->mask_a)
|
||||
if (ssl_cipher_disabled(s, c))
|
||||
{
|
||||
al=SSL_AD_ILLEGAL_PARAMETER;
|
||||
SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED);
|
||||
|
|
|
|||
|
|
@ -2378,6 +2378,7 @@ const SSL_METHOD *DTLS_server_method(void); /* DTLS 1.0 and 1.2 */
|
|||
const SSL_METHOD *DTLS_client_method(void); /* DTLS 1.0 and 1.2 */
|
||||
|
||||
STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s);
|
||||
STACK_OF(SSL_CIPHER) *SSL_get1_supported_ciphers(SSL *s);
|
||||
|
||||
int SSL_do_handshake(SSL *s);
|
||||
int SSL_renegotiate(SSL *s);
|
||||
|
|
|
|||
|
|
@ -1342,6 +1342,33 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s)
|
|||
return(NULL);
|
||||
}
|
||||
|
||||
STACK_OF(SSL_CIPHER) *SSL_get1_supported_ciphers(SSL *s)
|
||||
{
|
||||
STACK_OF(SSL_CIPHER) *sk = NULL, *ciphers;
|
||||
int i;
|
||||
ciphers = SSL_get_ciphers(s);
|
||||
if (!ciphers)
|
||||
return NULL;
|
||||
ssl_set_client_disabled(s);
|
||||
for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++)
|
||||
{
|
||||
const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i);
|
||||
if (!ssl_cipher_disabled(s, c))
|
||||
{
|
||||
if (!sk)
|
||||
sk = sk_SSL_CIPHER_new_null();
|
||||
if (!sk)
|
||||
return NULL;
|
||||
if (!sk_SSL_CIPHER_push(sk, c))
|
||||
{
|
||||
sk_SSL_CIPHER_free(sk);
|
||||
return NULL;
|
||||
}
|
||||
}
|
||||
}
|
||||
return sk;
|
||||
}
|
||||
|
||||
/** return a STACK of the ciphers available for the SSL and in order of
|
||||
* algorithm id */
|
||||
STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s)
|
||||
|
|
@ -1459,7 +1486,6 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
|
|||
{
|
||||
int i,j=0;
|
||||
SSL_CIPHER *c;
|
||||
CERT *ct = s->cert;
|
||||
unsigned char *q;
|
||||
int no_scsv = s->renegotiate;
|
||||
/* Set disabled masks for this session */
|
||||
|
|
@ -1472,9 +1498,7 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
|
|||
{
|
||||
c=sk_SSL_CIPHER_value(sk,i);
|
||||
/* Skip disabled ciphers */
|
||||
if (c->algorithm_ssl & ct->mask_ssl ||
|
||||
c->algorithm_mkey & ct->mask_k ||
|
||||
c->algorithm_auth & ct->mask_a)
|
||||
if (ssl_cipher_disabled(s, c))
|
||||
continue;
|
||||
#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
|
||||
if (c->id == SSL3_CK_SCSV)
|
||||
|
|
|
|||
|
|
@ -1331,6 +1331,7 @@ size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs);
|
|||
int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
|
||||
const unsigned char *sig, EVP_PKEY *pkey);
|
||||
void ssl_set_client_disabled(SSL *s);
|
||||
int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c);
|
||||
|
||||
int ssl_add_clienthello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen);
|
||||
int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al);
|
||||
|
|
|
|||
|
|
@ -1093,6 +1093,14 @@ void ssl_set_client_disabled(SSL *s)
|
|||
c->valid = 1;
|
||||
}
|
||||
|
||||
int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c)
|
||||
{
|
||||
CERT *ct = s->cert;
|
||||
if (c->algorithm_ssl & ct->mask_ssl || c->algorithm_mkey & ct->mask_k || c->algorithm_auth & ct->mask_a)
|
||||
return 1;
|
||||
return 0;
|
||||
}
|
||||
|
||||
unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit, int *al)
|
||||
{
|
||||
int extdatalen=0;
|
||||
|
|
|
|||
Loading…
Reference in a new issue