From 63eb1f4c6ef8c1bb68afbfc5fba8762d50c1a0a8 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Wed, 17 Jun 2015 11:12:40 -0400
Subject: Fix logical AND support in OpenSSL cipher compatibility

The + operator didn't perform properly at all. It is supposed to be used either for logical AND to combine two cipher suites or to move ciphers to the end of the list. Given that NSS doesn't support cipher ordering + is a no-op in this case. Also add in a slew of missing aliases: kRSA, aRSA, EDH, ECDH, kECDHe, kECDHr, kEECDH, aECDH, aNULL, AESGCM, AES128, AES256, CAMELLIA, CAMELLIA128, CAMELLIA256. Fix the definition of TLSv1.2. Define some ciphers as unimplemented in NSS. Renumber the mask/protocol/strength values to ensure uniqueness. Replace the existing cipher test to one that compares the output of the NSS-generated cipher string with the openssl generated string. There are a lot of restrictions on the openssl string since so much isn't either implemented or needed for mod_nss. Add a new openssl-compatible cipher request test to the server tests.

---
 test_cipher.c | 32 ++++++++++++++++++++++++--------
 1 file changed, 24 insertions(+), 8 deletions(-)
(limited to 'test_cipher.c')

diff --git a/test_cipher.c b/test_cipher.c
index 91d112b..86a88d6 100644
--- a/test_cipher.c
+++ b/test_cipher.c
@@ -40,7 +40,7 @@ int ap_log_error_(const char *fn, int line, int module_index,
 va_start(args, fmt);
 vsprintf(out, fmt, args);
- fprintf(stderr,"%s:%d, %s", fn, line, out);
+ fprintf(stderr,"%s:%d, %s\n", fn, line, out);
 va_end(args);
 return 0;
@@ -53,10 +53,11 @@ int main(int argc, char ** argv)
 int rv=0;
 int i;
 char *ciphers;
+ PRBool openssl_output = PR_FALSE;
 PRBool ciphers_list[ciphernum];
- if (argc != 2) {
- fprintf(stderr, "Usage: test_cipher [--count] \n");
+ if (argc != 2 && argc != 3) {
+ fprintf(stderr, "Usage: test_cipher [--count] [--o] \n");
 exit(1);
 }
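Review bot: `vsprintf(out, fmt, args)` on the context line just above the changed fprintf writes the formatted message into `out` with no bound, so a message longer than the buffer overruns it; the commit only appends the newline to the fprintf that follows. Assuming `out` is a fixed-size array (its declaration is outside the hunk), `vsnprintf(out, sizeof out, fmt, args);` bounds the write and keeps the NUL terminator. This is the test harness's log shim rather than server code, but the messages presumably come from whatever nss_parse_ciphers logs, so unusually long cipher strings could reach it. ap_log_error_ starts outside the hunk.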
@@ -70,9 +71,14 @@ int main(int argc, char ** argv)
 ciphers_list[i] = PR_FALSE;
 }
- ciphers = strdup(argv[1]);
+ i = 1; /* index of ciphers */
+ if (!strcmp(argv[1], "--o")) {
+ openssl_output = PR_TRUE;
+ i = 2;
+ }
+
+ ciphers = strdup(argv[i]);
 if (nss_parse_ciphers(NULL, ciphers, ciphers_list) < 0) {
- fprintf(stderr, "Unable to parse cipher list\n");
 rv = 1;
 }
 free(ciphers);
@@ -85,12 +91,22 @@ int main(int argc, char ** argv)
 for (i = 0; i < ciphernum; i++) {
 if (ciphers_list[i] == 1) {
- strncat(output, ciphers_def[i].name, sizeof(output));
- strncat(output, ", ", sizeof(output));
+ if (openssl_output) {
+ strncat(output, ciphers_def[i].openssl_name, sizeof(output));
+ strncat(output, ":", sizeof(output));
+ } else {
+ strncat(output, ciphers_def[i].name, sizeof(output));
+ strncat(output, ", ", sizeof(output));
+ }
 }
 }
- output[strlen(output) - 2] = '\0';
+ if (openssl_output)
+ output[strlen(output) - 1] = '\0';
+ else
+ output[strlen(output) - 2] = '\0';
 fprintf(stdout, "%s\n", output);
+ } else {
+ fprintf(stdout, "Unable to parse cipher list\n");
 }
 return rv;
-- cgit
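Review bot: The `--o` test only moves the cipher index to argv[2] on an exact match, so with argc == 3 and any other first argument argv[1] is parsed as the cipher string and argv[2] is dropped without a message; the argc check in the previous hunk admits exactly that shape. Rejecting an unknown option closes the gap: `} else if (argc == 3) { fprintf(stderr, "Usage: test_cipher [--count] [--o] \n"); exit(1); }` appended to the `--o` block. `strdup(argv[i])` is also unchecked, so on allocation failure a NULL `ciphers` reaches nss_parse_ciphers; `if (!ciphers) { perror("strdup"); exit(1); }` before the call covers it. main continues outside the hunk.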
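Review bot: `strncat(output, ..., sizeof(output))` in the new branches passes the destination's total size as the count, but strncat's third argument is the number of source bytes it may copy, not the room left in `output`, so these calls bound nothing and a long cipher list can still run past the buffer. The separator trim right below has a related pre-existing hole: when the parse succeeds but no cipher is enabled, `strlen(output) - 1` (or `- 2`) wraps to a huge size_t index and writes out of bounds. Tracking the bytes used with a bounded snprintf, and trimming only when something was appended, fixes both; this assumes `output` is a fixed-size array that was emptied before the loop (its declaration is outside the hunk), and on overflow it reports and prints what fit. main's closing brace is outside the hunk.
```c
    size_t used = 0;   /* bytes appended to output so far */
    for (i = 0; i < ciphernum; i++) {
        if (ciphers_list[i] == 1) {
            const char *name = openssl_output ? ciphers_def[i].openssl_name
                                              : ciphers_def[i].name;
            const char *sep = openssl_output ? ":" : ", ";
            int n = snprintf(output + used, sizeof(output) - used,
                             "%s%s", name, sep);
            if (n < 0 || (size_t)n >= sizeof(output) - used) {
                fprintf(stderr, "Cipher list does not fit in output buffer\n");
                rv = 1;
                break;
            }
            used += (size_t)n;
        }
    }
    /* strip the trailing separator only if something was written */
    if (used > 0) {
        output[used - (openssl_output ? 1 : 2)] = '\0';
    }
    fprintf(stdout, "%s\n", output);
    /* … unchanged: "Unable to parse cipher list" else branch, return rv … */
```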