From a199da277582152086eb06267dd31932f03a0b8e Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 21 Sep 2015 18:34:12 -0400
Subject: [PATCH] Implement EECDH, kECDH, AECDH, ECDSA and aECDSA cipher macros
Also add test for AESGCM
---
nss_engine_cipher.c | 28 ++++++++++++++++++++++++++++
test/test_cipher.py | 18 ++++++++++++++++++
2 files changed, 46 insertions(+)
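diff --git a/nss_engine_cipher.c b/nss_engine_cipher.c
index 45b8836..bede228 100644
--- a/nss_engine_cipher.c
+++ b/nss_engine_cipher.c
@@ -237,6 +237,8 @@ static int parse_openssl_ciphers(server_rec *s, char *ciphers, PRBool cipher_lis
                 "Cipher ordering is not supported in NSS");
         return -1;
     } else {
+        int amask = 0;
+        int amaskaction = 0;
         int mask = 0;
         int strength = 0;
         int protocol = 0;
@@ -251,6 +253,8 @@ static int parse_openssl_ciphers(server_rec *s, char *ciphers, PRBool cipher_lis
 
         c = cipher;
         while (c && (strlen(c))) {
+            amask = 0;
+            amaskaction = 0;
             mask = 0;
             strength = 0;
             protocol = 0;
@@ -276,6 +280,16 @@ static int parse_openssl_ciphers(server_rec *s, char *ciphers, PRBool cipher_lis
 #endif
             } else if (!strcmp(cipher, "ECDH")) {
                 mask |= SSL_ECDH;
+            } else if (!strcmp(cipher, "EECDH")) {
+                mask |= SSL_kEECDH;
+                amask = SSL_aNULL;
+                amaskaction = 1; /* filter anonymous out */
+            } else if (!strcmp(cipher, "AECDH")) {
+                mask |= SSL_kEECDH;
+                amask = SSL_aNULL; /* require anonymous */
+                amaskaction = 0; /* keep these */
+            } else if (!strcmp(cipher, "kECDH")) {
+                mask |= SSL_kECDHe | SSL_kECDHr;
             } else if (!strcmp(cipher, "kECDHe")) {
                 mask |= SSL_kECDHe;
             } else if (!strcmp(cipher, "kECDHr")) {
@@ -284,6 +298,10 @@ static int parse_openssl_ciphers(server_rec *s, char *ciphers, PRBool cipher_lis
                 mask |= SSL_kEECDH;
             } else if (!strcmp(cipher, "aECDH")) {
                 mask |= SSL_aECDH;
+            } else if (!strcmp(cipher, "ECDSA")) {
+                mask |= SSL_aECDSA;
+            } else if (!strcmp(cipher, "aECDSA")) {
+                mask |= SSL_aECDSA;
             } else if ((!strcmp(cipher, "NULL")) || (!strcmp(cipher, "eNULL"))) {
                 mask |= SSL_eNULL;
             } else if (!strcmp(cipher, "aNULL")) {
@@ -352,6 +370,16 @@ static int parse_openssl_ciphers(server_rec *s, char *ciphers, PRBool cipher_lis
                      (ciphers_def[i].strength & strength) ||
                      (ciphers_def[i].version & protocol)) &&
                     (cipher_list[i] != -1)) {
+                    if (amask != 0) {
+                        PRBool match = PR_FALSE;
+                        if (ciphers_def[i].attr & amask) {
+                            match = PR_TRUE;
+                        }
+                        if (amaskaction && match)
+                            continue;
+                        if (!amaskaction && !match)
+                            continue;
+                    }
 #if 0
                     /* Enable the NULL ciphers only if explicity
                      * requested */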
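Review bot: The `amask`/`amaskaction` pair declared in the first hunk carries its meaning only in two bare ints whose sense is inverted between the call sites (`amaskaction = 1` drops suites whose attr matches `amask`, `0` keeps only those), and the filter at the end of the last hunk then spells the same rule out as two separate `continue` branches. A reader of the declarations cannot tell this without finding the EECDH/AECDH branches, so I would document them where they are declared, e.g. `int amask = 0;        /* second filter on auth attrs, 0 = none */` and `int amaskaction = 0;  /* 1: drop suites matching amask, 0: keep only them */`, and collapse the two tests into one: `if (((ciphers_def[i].attr & amask) != 0) == (amaskaction != 0)) continue;`. In the fourth hunk `ECDSA` and `aECDSA` set the same bit and could share one branch the way the existing `NULL`/`eNULL` line does. The enclosing `for` loop and the rest of `parse_openssl_ciphers` lie outside these hunks, so whether the filter also applies to the removal (`-`/`!`) forms of a token cannot be confirmed from here.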
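diff --git a/test/test_cipher.py b/test/test_cipher.py
index af9d7eb..3f1f344 100644
--- a/test/test_cipher.py
+++ b/test/test_cipher.py
@@ -183,6 +183,9 @@ class test_ciphers(object):
     def test_aECDH(self):
         assert_equal_openssl("aECDH", "aECDH")
 
+    def test_kECDH(self):
+        assert_equal_openssl("kECDH", "kECDH")
+
     def test_kECDHe(self):
         assert_equal_openssl("kECDHe", "kECDHe")
 
@@ -192,6 +195,21 @@ class test_ciphers(object):
     def test_kEECDH(self):
         assert_equal_openssl("kEECDH", "kEECDH")
 
+    def test_AECDH(self):
+        assert_equal_openssl("AECDH", "AECDH")
+
+    def test_EECDH(self):
+        assert_equal_openssl("EECDH", "EECDH")
+
+    def test_ECDSA(self):
+        assert_equal_openssl("ECDSA", "ECDSA")
+
+    def test_aECDSA(self):
+        assert_equal_openssl("aECDSA", "aECDSA")
+
+    def test_AESGCM(self):
+        assert_equal_openssl("AESGCM", "AESGCM:-DH")
+
     def test_ECDH(self):
         assert_equal_openssl("ECDH", "ECDH")
 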
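Review bot: `test_AESGCM` in the second hunk is the only new test whose OpenSSL reference differs from the NSS-side string (`"AESGCM:-DH"` versus `"AESGCM"`), and nothing records why the DH suites are subtracted, so a later reader may "fix" it back to a symmetric pair. Presumably the NSS cipher table offers no DH-keyed AES-GCM suites while OpenSSL's `AESGCM` alias includes them, but that is not visible here; a one-line comment above the assert, e.g. `# OpenSSL's AESGCM alias includes DH suites that NSS does not offer -- verify against ciphers_def`, would pin the intent down. The other additions mirror the existing one-assert-per-alias pattern and need nothing further.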
--
1.9.3