diff options
Diffstat (limited to 'src/lib/libssl/ssl_ciph.c')
| -rw-r--r-- | src/lib/libssl/ssl_ciph.c | 47 |
1 files changed, 22 insertions, 25 deletions
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c index dce141101d..2478d70eac 100644 --- a/src/lib/libssl/ssl_ciph.c +++ b/src/lib/libssl/ssl_ciph.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_ciph.c,v 1.146 2024/07/22 14:47:15 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_ciph.c,v 1.147 2024/07/23 14:40:53 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -576,22 +576,6 @@ ll_append_head(CIPHER_ORDER **head, CIPHER_ORDER *curr, | |||
| 576 | *head = curr; | 576 | *head = curr; |
| 577 | } | 577 | } |
| 578 | 578 | ||
| 579 | /* XXX beck: remove this in a followon to removing GOST */ | ||
| 580 | static void | ||
| 581 | ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, | ||
| 582 | unsigned long *enc, unsigned long *mac, unsigned long *ssl) | ||
| 583 | { | ||
| 584 | *mkey = 0; | ||
| 585 | *auth = 0; | ||
| 586 | *enc = 0; | ||
| 587 | *mac = 0; | ||
| 588 | *ssl = 0; | ||
| 589 | |||
| 590 | #ifdef SSL_FORBID_ENULL | ||
| 591 | *enc |= SSL_eNULL; | ||
| 592 | #endif | ||
| 593 | } | ||
| 594 | |||
| 595 | static void | 579 | static void |
| 596 | ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method, int num_of_ciphers, | 580 | ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method, int num_of_ciphers, |
| 597 | unsigned long disabled_mkey, unsigned long disabled_auth, | 581 | unsigned long disabled_mkey, unsigned long disabled_auth, |
| @@ -608,10 +592,15 @@ ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method, int num_of_ciphers, | |||
| 608 | * a linked list with at most num entries. | 592 | * a linked list with at most num entries. |
| 609 | */ | 593 | */ |
| 610 | 594 | ||
| 611 | /* Get the initial list of ciphers */ | 595 | /* |
| 596 | * Get the initial list of ciphers, iterating backwards over the | ||
| 597 | * cipher list - the list is ordered by cipher value and we currently | ||
| 598 | * hope that ciphers with higher cipher values are preferable... | ||
| 599 | */ | ||
| 612 | co_list_num = 0; /* actual count of ciphers */ | 600 | co_list_num = 0; /* actual count of ciphers */ |
| 613 | for (i = 0; i < num_of_ciphers; i++) { | 601 | for (i = num_of_ciphers - 1; i >= 0; i--) { |
| 614 | c = ssl_method->get_cipher(i); | 602 | c = ssl3_get_cipher_by_index(i); |
| 603 | |||
| 615 | /* | 604 | /* |
| 616 | * Drop any invalid ciphers and any which use unavailable | 605 | * Drop any invalid ciphers and any which use unavailable |
| 617 | * algorithms. | 606 | * algorithms. |
| @@ -1153,11 +1142,19 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method, | |||
| 1153 | if (rule_str == NULL || cipher_list == NULL) | 1142 | if (rule_str == NULL || cipher_list == NULL) |
| 1154 | goto err; | 1143 | goto err; |
| 1155 | 1144 | ||
| 1156 | /* | 1145 | disabled_mkey = 0; |
| 1157 | * To reduce the work to do we only want to process the compiled | 1146 | disabled_auth = 0; |
| 1158 | * in algorithms, so we first get the mask of disabled ciphers. | 1147 | disabled_enc = 0; |
| 1159 | */ | 1148 | disabled_mac = 0; |
| 1160 | ssl_cipher_get_disabled(&disabled_mkey, &disabled_auth, &disabled_enc, &disabled_mac, &disabled_ssl); | 1149 | disabled_ssl = 0; |
| 1150 | |||
| 1151 | #ifdef SSL_FORBID_ENULL | ||
| 1152 | disabled_enc |= SSL_eNULL; | ||
| 1153 | #endif | ||
| 1154 | |||
| 1155 | /* DTLS cannot be used with stream ciphers. */ | ||
| 1156 | if (ssl_method->dtls) | ||
| 1157 | disabled_enc |= SSL_RC4; | ||
| 1161 | 1158 | ||
| 1162 | /* | 1159 | /* |
| 1163 | * Now we have to collect the available ciphers from the compiled | 1160 | * Now we have to collect the available ciphers from the compiled |