From a199da277582152086eb06267dd31932f03a0b8e Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 21 Sep 2015 18:34:12 -0400
Subject: [PATCH] Implement EECDH, kECDH, AECDH, ECDSA and aECDSA cipher macros

Also add test for AESGCM
---
 nss_engine_cipher.c | 28 ++++++++++++++++++++++++++++
 test/test_cipher.py | 18 ++++++++++++++++++
 2 files changed, 46 insertions(+)

diff --git a/nss_engine_cipher.c b/nss_engine_cipher.c
index 45b8836..bede228 100644
--- a/nss_engine_cipher.c
+++ b/nss_engine_cipher.c
@@ -237,6 +237,8 @@ static int parse_openssl_ciphers(server_rec *s, char *ciphers, PRBool cipher_lis
                          "Cipher ordering is not supported in NSS");
             return -1;
         } else {
+            int amask = 0;
+            int amaskaction = 0;
             int mask = 0;
             int strength = 0;
             int protocol = 0;
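Review bot: `amaskaction` is an int used as a two-state flag whose meaning (1 = drop suites whose `attr` matches `amask`, 0 = keep only suites that match) is recoverable only from the inline comments in the EECDH/AECDH branches further down, not at the declaration where a reader first meets it. A comment next to the new declarations would fix that, e.g. `/* amask: authentication bits to test against ciphers_def[i].attr; amaskaction: 1 = exclude matching suites, 0 = keep only matching suites */`, and a `PRBool` would signal the two-state nature better than `int`. The same reset pattern recurs in the next hunk; the comment at the declaration covers both. parse_openssl_ciphers begins and ends outside this hunk.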
@@ -251,6 +253,8 @@ static int parse_openssl_ciphers(server_rec *s, char *ciphers, PRBool cipher_lis
 
             c = cipher;
             while (c && (strlen(c))) {
+                amask = 0;
+                amaskaction = 0;
                 mask = 0;
                 strength = 0;
                 protocol = 0;
@@ -276,6 +280,16 @@ static int parse_openssl_ciphers(server_rec *s, char *ciphers, PRBool cipher_lis
 #endif
                 } else if (!strcmp(cipher, "ECDH")) {
                     mask |= SSL_ECDH;
+                } else if (!strcmp(cipher, "EECDH")) {
+                    mask |= SSL_kEECDH;
+                    amask = SSL_aNULL;
+                    amaskaction = 1; /* filter anonymous out */
+                } else if (!strcmp(cipher, "AECDH")) {
+                    mask |= SSL_kEECDH;
+                    amask = SSL_aNULL; /* require anonymous */
+                    amaskaction = 0; /* keep these */
+                } else if (!strcmp(cipher, "kECDH")) {
+                    mask |= SSL_kECDHe | SSL_kECDHr;
                 } else if (!strcmp(cipher, "kECDHe")) {
                     mask |= SSL_kECDHe;
                 } else if (!strcmp(cipher, "kECDHr")) {
@@ -284,6 +298,10 @@ static int parse_openssl_ciphers(server_rec *s, char *ciphers, PRBool cipher_lis
                     mask |= SSL_kEECDH;
                 } else if (!strcmp(cipher, "aECDH")) {
                     mask |= SSL_aECDH;
+                } else if (!strcmp(cipher, "ECDSA")) {
+                    mask |= SSL_aECDSA;
+                } else if (!strcmp(cipher, "aECDSA")) {
+                    mask |= SSL_aECDSA;
                 } else if ((!strcmp(cipher, "NULL")) || (!strcmp(cipher, "eNULL"))) {
                     mask |= SSL_eNULL;
                 } else if (!strcmp(cipher, "aNULL")) {
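Review bot: The `ECDSA` and `aECDSA` branches have identical bodies and could be folded into one test the way the file already does for `NULL`/`eNULL` on the following line: `} else if (!strcmp(cipher, "ECDSA") || !strcmp(cipher, "aECDSA")) {`. That keeps the alias relationship visible in one place rather than two. The enclosing if-chain and function continue outside the hunk.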
@@ -352,6 +370,16 @@ static int parse_openssl_ciphers(server_rec *s, char *ciphers, PRBool cipher_lis
                          (ciphers_def[i].strength & strength) ||
                          (ciphers_def[i].version & protocol)) &&
                          (cipher_list[i] != -1)) {
+                            if (amask != 0) {
+                                PRBool match = PR_FALSE;
+                                if (ciphers_def[i].attr & amask) {
+                                    match = PR_TRUE;
+                                }
+                                if (amaskaction && match)
+                                    continue;
+                                if (!amaskaction && !match)
+                                    continue;
+                            }
 #if 0
                             /* Enable the NULL ciphers only if explicity
                              * requested */
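Review bot: The anonymous-suite filter spends nine lines on what is a single equality test: `match` exists only to choose which of the two `continue`s fires. Inside the existing `if (amask != 0)` the pair reduces to `if (((ciphers_def[i].attr & amask) != 0) == (amaskaction != 0)) continue;`, which reads as "skip when match-state equals the exclude flag". Worth noting in a comment that this check is what makes `EECDH` exclude anonymous ECDH suites, so it depends on the anonymous entries in `ciphers_def` carrying `SSL_aNULL` in `attr`; that table is not in the hunk and should be confirmed, since a missing bit would let anonymous suites through silently. The `continue` targets the loop enclosing this block, whose header lies outside the hunk.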
diff --git a/test/test_cipher.py b/test/test_cipher.py
index af9d7eb..3f1f344 100644
--- a/test/test_cipher.py
+++ b/test/test_cipher.py
@@ -183,6 +183,9 @@ class test_ciphers(object):
     def test_aECDH(self):
         assert_equal_openssl("aECDH", "aECDH")
 
+    def test_kECDH(self):
+        assert_equal_openssl("kECDH", "kECDH")
+
     def test_kECDHe(self):
         assert_equal_openssl("kECDHe", "kECDHe")
 
@@ -192,6 +195,21 @@ class test_ciphers(object):
     def test_kEECDH(self):
         assert_equal_openssl("kEECDH", "kEECDH")
 
+    def test_AECDH(self):
+        assert_equal_openssl("AECDH", "AECDH")
+
+    def test_EECDH(self):
+        assert_equal_openssl("EECDH", "EECDH")
+
+    def test_ECDSA(self):
+        assert_equal_openssl("ECDSA", "ECDSA")
+
+    def test_aECDSA(self):
+        assert_equal_openssl("aECDSA", "aECDSA")
+
+    def test_AESGCM(self):
+        assert_equal_openssl("AESGCM", "AESGCM:-DH")
+
     def test_ECDH(self):
         assert_equal_openssl("ECDH", "ECDH")
 
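Review bot: `test_AESGCM` compares the mod_nss expansion of `AESGCM` against OpenSSL's `AESGCM:-DH` without saying why the DH suites are removed from the reference side, unlike every other test in this hunk which passes the same string twice. A one-line comment above the assertion would save the next reader a detour, e.g. `# OpenSSL's AESGCM includes DHE suites that mod_nss does not expose, so drop them from the reference list` — presumably the reason, but confirm against the cipher table. The rest of `test_ciphers` lies outside the hunk.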
-- 
1.9.3