Make s_server, s_client check cipher list return codes.

Update docs.

diff --git a/CHANGES b/CHANGES
index d9be214926480fc12a8fd5e4b504760aeece811a..a1bae7ee6dcb581fad0979c7243f8a192bb150ae 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -20,15 +20,27 @@
      (instead of parameters) in future.
      [Steve Henson]
 
      (instead of parameters) in future.
      [Steve Henson]
 

-  *) Apply Lutz Jaenicke's 56bit cipher patch. This should fix the problems
-     with cipher ordering and the new EXPORT1024 ciphers. Only two minor
-     changes have been made, the error reason codes have been altered and the
-     @STRENGTH sorting behaviour changed so eNULL ciphers are also sorted
-     (if present).
-
-     One other addition: the "ciphers" program didn't check the return code
-     of SSL_CTX_set_cipher_list().
-     [Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE> modified by Steve Henson]
+  *) Make the ciphers, s_server and s_client programs check the return values
+     when a new cipher list is set.
+     [Steve Henson]
+
+  *) Enhance the SSL/TLS cipher mechanism to correctly handle the TLS 56bit
+     ciphers. Before when the 56bit ciphers were enabled the sorting was
+     wrong.
+
+     The syntax for the cipher sorting has been extended to support sorting by
+     cipher-strength (using the strength_bits hard coded in the tables).
+     The new command is "@STRENGTH" (see also doc/apps/ciphers.pod).
+
+     Fix a bug in the cipher-command parser: when supplying a cipher command
+     string with an "undefined" symbol (neither command nor alphanumeric
+     [A-Za-z0-9], ssl_set_cipher_list used to hang in an endless loop. Now
+     an error is flagged.
+
+     Due to the strength-sorting extension, the code of the
+     ssl_create_cipher_list() function was completely rearranged. I hope that
+     the readability was also increased :-)
+     [Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>]

 
   *) Minor change to 'x509' utility. The -CAcreateserial option now uses 1
      for the first serial number and places 2 in the serial number file. This
 
   *) Minor change to 'x509' utility. The -CAcreateserial option now uses 1
      for the first serial number and places 2 in the serial number file. This

diff --git a/apps/s_client.c b/apps/s_client.c
index 84a475d7b8e4a0eaa8c8ec5cc72dc25c54e22067..c9b52e6a99ce651738f1c3a4eb9843fa0aa0e71a 100644 (file)
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -338,6 +338,7 @@ bad:
                }
 
        SSLeay_add_ssl_algorithms();
                }
 
        SSLeay_add_ssl_algorithms();

+       SSL_load_error_strings();

        ctx=SSL_CTX_new(meth);
        if (ctx == NULL)
                {
        ctx=SSL_CTX_new(meth);
        if (ctx == NULL)
                {


@@ -352,7 +353,11 @@ bad:
 
        if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
        if (cipher != NULL)
 
        if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
        if (cipher != NULL)

-               SSL_CTX_set_cipher_list(ctx,cipher);
+               if(!SSL_CTX_set_cipher_list(ctx,cipher)) {
+               BIO_printf(bio_err,"error seting cipher list\n");
+               ERR_print_errors(bio_err);
+               goto end;
+       }

 #if 0
        else
                SSL_CTX_set_cipher_list(ctx,getenv("SSL_CIPHER"));
 #if 0
        else
                SSL_CTX_set_cipher_list(ctx,getenv("SSL_CIPHER"));


@@ -370,7 +375,6 @@ bad:
                /* goto end; */
                }
 
                /* goto end; */
                }
 

-       SSL_load_error_strings();

 
        con=(SSL *)SSL_new(ctx);
 /*     SSL_set_cipher_list(con,"RC4-MD5"); */
 
        con=(SSL *)SSL_new(ctx);
 /*     SSL_set_cipher_list(con,"RC4-MD5"); */

diff --git a/apps/s_server.c b/apps/s_server.c
index ff0354acc8a5bee10bb3b2effc2a109dd9d500c6..bbb651b6eaa8d370ec787caaeb26d61b175fd9f0 100644 (file)
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -697,7 +697,11 @@ bad:
 #endif
 
        if (cipher != NULL)
 #endif
 
        if (cipher != NULL)

-               SSL_CTX_set_cipher_list(ctx,cipher);
+               if(!SSL_CTX_set_cipher_list(ctx,cipher)) {
+               BIO_printf(bio_err,"error seting cipher list\n");
+               ERR_print_errors(bio_err);
+               goto end;
+       }

        SSL_CTX_set_verify(ctx,s_server_verify,verify_callback);
        SSL_CTX_set_session_id_context(ctx,(void*)&s_server_session_id_context,
                sizeof s_server_session_id_context);
        SSL_CTX_set_verify(ctx,s_server_verify,verify_callback);
        SSL_CTX_set_session_id_context(ctx,(void*)&s_server_session_id_context,
                sizeof s_server_session_id_context);

diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod
index cd9093eaba25cf9045e7db6d6ea5ff37bea44a32..5145bb65a98dff35fcca9f94e6efca91a094cd59 100644 (file)
--- a/doc/apps/s_client.pod
+++ b/doc/apps/s_client.pod
@@ -144,8 +144,10 @@ option enables various workarounds.
 
 =item B<-cipher cipherlist>
 
 
 =item B<-cipher cipherlist>
 

-this allows the cipher list sent by the client to be modified. See the
-B<ciphers> command for more information.
+this allows the cipher list sent by the client to be modified. Although
+the server determines which cipher suite is used it should take the first
+supported cipher in the list sent by the client. See the B<ciphers>
+command for more information.

 
 =back
 
 
 =back
 

diff --git a/doc/apps/s_server.pod b/doc/apps/s_server.pod
index ddd08c990e977a7a3c2ea95b11a9571d730ff6cb..e07d066bc70a2ce0c8836444821f9d9350854b90 100644 (file)
--- a/doc/apps/s_server.pod
+++ b/doc/apps/s_server.pod
@@ -167,8 +167,11 @@ SSL code (?).
 
 =item B<-cipher cipherlist>
 
 
 =item B<-cipher cipherlist>
 

-this allows the cipher list sent by the client to be modified. See the
-B<ciphers> command for more information.
+this allows the cipher list used by the server to be modified.  When
+the client sends a list of supported ciphers the first client cipher
+also included in the server list is used. Because the client specifies
+the preference order, the order of the server cipherlist irrelevant. See
+the B<ciphers> command for more information.

 
 =item B<-www>
 
 
 =item B<-www>