author | Steffan Karger <steffan@karger.me> | 2014-01-03 21:03:02 +0100 |
---|---|---|
committer | Gert Doering <gert@greenie.muc.de> | 2014-01-05 18:35:18 +0100 |
commit | e83313a8ba92684a660c9d78c536699f67dcdf63 (patch) | |
tree | 1351cddb1a2e06952723273f3eedc2ef31c59609 | |
parent | 69e03f4cd4971c8748faa83be45c89694d4b7a51 (diff) | |
Make tls_ctx_restrict_ciphers accept NULL as char *cipher_list.
This adds some ifs to check for NULL in tls_ctx_restrict_ciphers() to prepare for disabling export ciphers by default in OpenVPN 2.4+.
Also let tls_ctx_restrict_ciphers() always be called, even when *cipher_list is NULL.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <52C8922E.3030607@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8173
Signed-off-by: Gert Doering <gert@greenie.muc.de>
-rw-r--r-- | src/openvpn/ssl.c | 5 | ||||
-rw-r--r-- | src/openvpn/ssl_backend.h | 5 | ||||
-rw-r--r-- | src/openvpn/ssl_openssl.c | 10 | ||||
-rw-r--r-- | src/openvpn/ssl_polarssl.c | 16 |
4 files changed, 24 insertions, 12 deletions
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index bd19d75..93222c4 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -543,10 +543,7 @@ init_ssl (const struct options *options, struct tls_root_ctx *new_ctx)
 }
 /* Allowable ciphers */
- if (options->cipher_list)
- {
- tls_ctx_restrict_ciphers(new_ctx, options->cipher_list);
- }
+ tls_ctx_restrict_ciphers(new_ctx, options->cipher_list);
 #ifdef ENABLE_CRYPTO_POLARSSL
 /* Personalise the random by mixing in the certificate */
diff --git a/src/openvpn/ssl_backend.h b/src/openvpn/ssl_backend.h
index 54383fe..a6fc3bd 100644
--- a/src/openvpn/ssl_backend.h
+++ b/src/openvpn/ssl_backend.h
@@ -167,8 +167,9 @@ void tls_ctx_set_options (struct tls_root_ctx *ctx, unsigned int ssl_flags);
 /**
 * Restrict the list of ciphers that can be used within the TLS context.
 *
- * @param ctx TLS context to restrict
- * @param ciphers String containing : delimited cipher names.
+ * @param ctx TLS context to restrict, must be valid.
+ * @param ciphers String containing : delimited cipher names, or NULL to use
+ * sane defaults.
 */
 void tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers);
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 08327a1..7ad7eab 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -217,6 +217,13 @@ tls_ctx_set_options (struct tls_root_ctx *ctx, unsigned int ssl_flags)
 void
 tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
 {
+ if (ciphers == NULL)
+ {
+ /* Nothing to do */
+ return;
+ }
+
+ /* Parse supplied cipher list and pass on to OpenSSL */
 size_t begin_of_cipher, end_of_cipher;
 const char *current_cipher;
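Review bot: The new `@param ciphers` text in ssl_backend.h promises "sane defaults" for a NULL argument, but both backend implementations in this same commit simply return on NULL, so the caller is left with whatever cipher list the TLS library ships with — which, by the commit message's own account, still includes the export ciphers that 2.4 is meant to disable. Documenting a guarantee the code does not yet provide invites callers to rely on it before it exists. I would describe today's behaviour instead, `* @param ciphers String containing : delimited cipher names, or NULL to leave the backend's default cipher list unrestricted.`, and tighten the wording in the commit that actually restricts the defaults.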
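Review bot: In the OpenSSL tls_ctx_restrict_ciphers() the added NULL guard sits above the `size_t begin_of_cipher, end_of_cipher;` and `const char *current_cipher;` declarations, so the function now has declarations after statements, while the PolarSSL counterpart in this commit deliberately hoists `int ciphers_len;` to keep declarations first; the two backends should follow the same convention, and compilers that still reject mixed declarations and code would fail on this one. Moving the guard to just below the two declaration lines changes nothing at runtime. The body of the function continues past the end of the hunk, so I cannot see whether ctx is validated; the header now states ctx "must be valid" and the PolarSSL version asserts it, so an `ASSERT (NULL != ctx);` ahead of the early return would be consistent if none exists.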
@@ -1272,8 +1279,7 @@ show_available_tls_ciphers (const char *cipher_list)
 if (!ssl)
 msg (M_SSLERR, "Cannot create SSL object");
- if (cipher_list)
- tls_ctx_restrict_ciphers(&tls_ctx, cipher_list);
+ tls_ctx_restrict_ciphers(&tls_ctx, cipher_list);
 printf ("Available TLS Ciphers,\n");
 printf ("listed in order of preference:\n\n");
diff --git a/src/openvpn/ssl_polarssl.c b/src/openvpn/ssl_polarssl.c
index 551c352..47fb62a 100644
--- a/src/openvpn/ssl_polarssl.c
+++ b/src/openvpn/ssl_polarssl.c
@@ -173,7 +173,12 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
 {
 char *tmp_ciphers, *tmp_ciphers_orig, *token;
 int i, cipher_count;
- int ciphers_len = strlen (ciphers);
+ int ciphers_len;
+
+ if (NULL == ciphers)
+ return; /* Nothing to do */
+
+ ciphers_len = strlen (ciphers);
 ASSERT (NULL != ctx);
 ASSERT (0 != ciphers_len);
@@ -1038,10 +1043,11 @@ show_available_tls_ciphers (const char *cipher_list)
 struct tls_root_ctx tls_ctx;
 const int *ciphers = ssl_list_ciphersuites();
- if (cipher_list) {
- tls_ctx_restrict_ciphers(&tls_ctx, cipher_list);
+ tls_ctx_server_new(&tls_ctx);
+ tls_ctx_restrict_ciphers(&tls_ctx, cipher_list);
+
+ if (tls_ctx.allowed_ciphers)
 ciphers = tls_ctx.allowed_ciphers;
- }
 #ifndef ENABLE_SMALL
 printf ("Available TLS Ciphers,\n");
@@ -1054,6 +1060,8 @@ show_available_tls_ciphers (const char *cipher_list)
 ciphers++;
 }
 printf ("\n");
+
+ tls_ctx_free(&tls_ctx);
 }
 void |
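Review bot: In the PolarSSL tls_ctx_restrict_ciphers() the new `if (NULL == ciphers) return;` is placed above `ASSERT (NULL != ctx);`, so with a NULL cipher list a NULL context is no longer caught, even though the header in this same commit now says the context "must be valid"; the ctx assertion does not depend on ciphers, so moving it above the NULL check keeps the contract enforced on both paths. The rewritten declaration `int ciphers_len;` also keeps narrowing the `size_t` result of `strlen (ciphers)` into an `int`; since the line is being touched anyway, `size_t ciphers_len;` avoids the implicit conversion and leaves `ASSERT (0 != ciphers_len)` unaffected. The remainder of the function lies outside the hunk.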
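Review bot: In show_available_tls_ciphers() the fallback to the full `ssl_list_ciphersuites()` list now depends on `tls_ctx_server_new(&tls_ctx)` leaving `tls_ctx.allowed_ciphers` NULL when cipher_list is NULL, because tls_ctx_restrict_ciphers() returns early and the `if (tls_ctx.allowed_ciphers)` test is the only thing deciding which list is printed; that is presumably the case, but nothing in the hunk shows it, and the old code never read the field on this path. A short comment would make the dependency explicit for the next reader, e.g. `/* allowed_ciphers stays NULL unless restrict_ciphers() set it: list everything */` above the `if`. The function continues outside the hunk and is torn down by the added `tls_ctx_free(&tls_ctx);`, which correctly pairs with the new tls_ctx_server_new() call.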