Prohibit RC4 in DTLS [from HEAD].
authorAndy Polyakov <appro@openssl.org>
Fri, 5 Oct 2007 21:05:27 +0000 (21:05 +0000)
committerAndy Polyakov <appro@openssl.org>
Fri, 5 Oct 2007 21:05:27 +0000 (21:05 +0000)
ssl/d1_lib.c
ssl/ssl_locl.h

index d07a212faceabd612b335bb93e38a5cfd0940271..fc088b41489384927847e64d598d1e99b2099234 100644 (file)
@@ -188,3 +188,23 @@ void dtls1_clear(SSL *s)
        ssl3_clear(s);
        s->version=DTLS1_VERSION;
        }
+
+/*
+ * As it's impossible to use stream ciphers in "datagram" mode, this
+ * simple filter is designed to disengage them in DTLS. Unfortunately
+ * there is no universal way to identify stream SSL_CIPHER, so we have
+ * to explicitly list their SSL_* codes. Currently RC4 is the only one
+ * available, but if new ones emerge, they will have to be added...
+ */
+SSL_CIPHER *dtls1_get_cipher(unsigned int u)
+       {
+       SSL_CIPHER *ciph = ssl3_get_cipher(u);
+
+       if (ciph != NULL)
+               {
+               if ((ciph->algorithms&SSL_ENC_MASK) == SSL_RC4)
+                       return NULL;
+               }
+
+       return ciph;
+       }
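Review bot: dtls1_get_cipher can now return NULL for an index that is inside the cipher table, and the header comment does not state that contract. The method table keeps `ssl3_num_ciphers` (see the ssl/ssl_locl.h hunk), so the count still includes the RC4 entries and any caller looping from 0 to num_ciphers() has to treat NULL as "skip this entry", not as end-of-table or an error. I would add a line to the comment such as `* Returns NULL for a filtered stream cipher as well as for whatever ssl3_get_cipher() rejects.` The nested `if` could also be written as one condition, `if (ciph != NULL && (ciph->algorithms&SSL_ENC_MASK) == SSL_RC4) return NULL;`.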
index fe064cc98a8c20f76e0669cfd42145b675a36d33..e9fba49c53d61ac27637cd9d4f80f0b86505fe65 100644 (file)
@@ -695,7 +695,7 @@ SSL_METHOD *func_name(void)  \
                ssl3_put_cipher_by_char, \
                ssl3_pending, \
                ssl3_num_ciphers, \
-               ssl3_get_cipher, \
+               dtls1_get_cipher, \
                s_get_meth, \
                dtls1_default_timeout, \
                &DTLSv1_enc_data, \
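Review bot: Only the get_cipher slot is switched to the DTLS filter; `ssl3_put_cipher_by_char` stays as it was, and the by-char lookup slot, which presumably sits just above this hunk, is not visible and appears unchanged. If a cipher suite received on the wire is resolved through that lookup, RC4 stays excluded only as long as the result is always checked against the cipher list built through get_cipher. That is worth confirming for both the client and the server path, or the by-char getter could be wrapped with the same `SSL_ENC_MASK`/`SSL_RC4` test so the prohibition does not depend on callers. The macro body starts and ends outside the hunk.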
@@ -861,6 +861,8 @@ void dtls1_get_message_header(unsigned char *data, struct hm_header_st *msg_hdr)
 void dtls1_get_ccs_header(unsigned char *data, struct ccs_header_st *ccs_hdr);
 void dtls1_reset_seq_numbers(SSL *s, int rw);
 long dtls1_default_timeout(void);
+SSL_CIPHER *dtls1_get_cipher(unsigned int u);
+
 
 
 /* some client-only functions */