sharpetronics/strongswan
1
0
Fork 0
mirror of https://github.com/strongswan/strongswan.git synced 2025-10-05 00:00:45 -04:00
Code Issues Projects Releases Wiki Activity

tls: Fix AEAD algorithm filtering, avoid filtering all suites if no AEAD found

Browse Source
This commit is contained in:
Martin Willi 2014-03-11 10:57:18 +01:00
parent 48d6b57c30
commit b886dad498
1 changed files with 52 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

71
src/libtls/tls_crypto.c
View File

@ -648,7 +648,7 @@ static suite_algs_t *find_suite(tls_cipher_suite_t suite)
/**
* Filter a suite list using a transform enumerator
*/
static void filter_suite(private_tls_crypto_t *this, bool aead,
static void filter_suite(private_tls_crypto_t *this,
suite_algs_t suites[], int *count, int offset,
enumerator_t*(*create_enumerator)(crypto_factory_t*))
{
@ -662,23 +662,56 @@ static void filter_suite(private_tls_crypto_t *this, bool aead,
for (i = 0; i < *count; i++)
{
if (create_enumerator == lib->crypto->create_crypter_enumerator &&
encryption_algorithm_is_aead(suites[i].encr))
{ /* filtering crypters, but current suite uses an AEAD, apply */
suites[remaining] = suites[i];
remaining++;
continue;
}
if (create_enumerator == lib->crypto->create_aead_enumerator &&
!encryption_algorithm_is_aead(suites[i].encr))
{ /* filtering AEADs, but current suite doesn't use one, apply */
suites[remaining] = suites[i];
remaining++;
continue;
}
enumerator = create_enumerator(lib->crypto);
while (enumerator->enumerate(enumerator, current_alg, &plugin_name))
{
if ((suites[i].encr == ENCR_NULL ||
aead != encryption_algorithm_is_aead(suites[i].encr) ||
!current.encr || current.encr == suites[i].encr) &&
(suites[i].mac == AUTH_UNDEFINED ||
!current.mac || current.mac == suites[i].mac) &&
(!current.prf || current.prf == suites[i].prf) &&
(!current.hash || current.hash == suites[i].hash) &&
(suites[i].dh == MODP_NONE ||
!current.dh || current.dh == suites[i].dh))
if (current.encr && current.encr != suites[i].encr)
{
suites[remaining] = suites[i];
remaining++;
break;
if (suites[i].encr != ENCR_NULL)
{ /* skip, ENCR does not match nor is NULL */
continue;
}
}
if (current.mac && current.mac != suites[i].mac)
{
if (suites[i].mac != AUTH_UNDEFINED)
{ /* skip, MAC does not match nor is it undefined */
continue;
}
}
if (current.prf && current.prf != suites[i].prf)
{ /* skip, PRF does not match */
continue;
}
if (current.hash && current.hash != suites[i].hash)
{ /* skip, hash does not match */
continue;
}
if (current.dh && current.dh != suites[i].dh)
{
if (suites[i].dh != MODP_NONE)
{ /* skip DH group, does not match nor NONE */
continue;
}
}
/* suite supported, apply */
suites[remaining] = suites[i];
remaining++;
break;
}
enumerator->destroy(enumerator);
}
@ -969,17 +1002,17 @@ static void build_cipher_suite_list(private_tls_crypto_t *this,
}
/* filter suite list by each algorithm */
filter_suite(this, FALSE, suites, &count, offsetof(suite_algs_t, encr),
filter_suite(this, suites, &count, offsetof(suite_algs_t, encr),
lib->crypto->create_crypter_enumerator);
filter_suite(this, TRUE, suites, &count, offsetof(suite_algs_t, encr),
filter_suite(this, suites, &count, offsetof(suite_algs_t, encr),
lib->crypto->create_aead_enumerator);
filter_suite(this, FALSE, suites, &count, offsetof(suite_algs_t, mac),
filter_suite(this, suites, &count, offsetof(suite_algs_t, mac),
lib->crypto->create_signer_enumerator);
filter_suite(this, FALSE, suites, &count, offsetof(suite_algs_t, prf),
filter_suite(this, suites, &count, offsetof(suite_algs_t, prf),
lib->crypto->create_prf_enumerator);
filter_suite(this, FALSE, suites, &count, offsetof(suite_algs_t, hash),
filter_suite(this, suites, &count, offsetof(suite_algs_t, hash),
lib->crypto->create_hasher_enumerator);
filter_suite(this, FALSE, suites, &count, offsetof(suite_algs_t, dh),
filter_suite(this, suites, &count, offsetof(suite_algs_t, dh),
lib->crypto->create_dh_enumerator);
/* filter suites with strongswan.conf options */