From 88a9614ba30e2d1f5b1b14df5814b824190d46f8 Mon Sep 17 00:00:00 2001
From: Kurt Roeckx
Date: Sun, 21 Feb 2016 18:02:36 +0100
Subject: [PATCH] Check algo_strength using SSL_STRONG_MASK

algo_strength contains 2 parts that need to be checked by their own.

Reviewed-by: Viktor Dukhovni
MR: #2082
---
 ssl/ssl_ciph.c | 15 +++++++++------
 ssl/ssl_locl.h |  1 +
 2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 938baaca43..46fa3e89c6 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -970,7 +970,8 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
             continue;
         if (min_tls && (min_tls != cp->min_tls))
             continue;
-        if (algo_strength && !(algo_strength & cp->algo_strength))
+        if ((algo_strength & SSL_STRONG_MASK)
+            && !(algo_strength & SSL_STRONG_MASK & cp->algo_strength))
             continue;
         if ((algo_strength & SSL_DEFAULT_MASK) &&
             !(algo_strength & SSL_DEFAULT_MASK & cp->algo_strength))
@@ -1237,15 +1238,17 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
                 alg_mac = ca_list[j]->algorithm_mac;
             }
 
-            if (ca_list[j]->algo_strength) {
-                if (algo_strength) {
-                    algo_strength &= ca_list[j]->algo_strength;
-                    if (!algo_strength) {
+            if (ca_list[j]->algo_strength & SSL_STRONG_MASK) {
+                if (algo_strength & SSL_STRONG_MASK) {
+                    algo_strength &=
+                        (ca_list[j]->algo_strength & SSL_STRONG_MASK) |
+                        ~SSL_STRONG_MASK;
+                    if (!(algo_strength & SSL_STRONG_MASK)) {
                         found = 0;
                         break;
                     }
                 } else
-                    algo_strength = ca_list[j]->algo_strength;
+                    algo_strength = ca_list[j]->algo_strength & SSL_STRONG_MASK;
             }
 
             if (ca_list[j]->algo_strength & SSL_DEFAULT_MASK) {
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 4abe7b425f..64f4ae9373 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -417,6 +417,7 @@
  */
 # define TLS1_STREAM_MAC 0x10000
 
+# define SSL_STRONG_MASK 0x0000001FU
 # define SSL_DEFAULT_MASK 0X00000020U
 
 # define SSL_STRONG_NONE 0x00000001U
-- 
2.34.1
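Review bot: The two adjacent strength checks in ssl_cipher_apply_rule now use different line-break conventions: the new SSL_STRONG_MASK condition puts `&&` at the start of the continuation line, while the SSL_DEFAULT_MASK condition immediately below keeps it at the end of the first line. Rewriting the new one as `if ((algo_strength & SSL_STRONG_MASK) &&` / `!(algo_strength & SSL_STRONG_MASK & cp->algo_strength))` makes the pair read as the parallel checks they are. A one-line comment above them would also help the next reader, since the split is the whole point of the change: `/* algo_strength carries two independent fields (SSL_STRONG_MASK, SSL_DEFAULT_MASK); each must match on its own. */`. ssl_cipher_apply_rule's body starts and ends outside this hunk.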
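Review bot: The else branch in ssl_cipher_process_rulestr assigns `algo_strength = ca_list[j]->algo_strength & SSL_STRONG_MASK;`, which discards any bits outside SSL_STRONG_MASK that algo_strength already holds; the if branch directly above takes care to keep those bits via `| ~SSL_STRONG_MASK`, so the two paths are inconsistent. If the SSL_DEFAULT_MASK block that follows (its body is outside the hunk) can set a DEFAULT bit for an earlier token of the same `+`-joined rule, that bit would be lost when a later token carries a strength bit. Since the else branch only runs when the SSL_STRONG_MASK bits of algo_strength are zero, `algo_strength |= ca_list[j]->algo_strength & SSL_STRONG_MASK;` gives the same result for those bits and preserves everything else. The enclosing function starts and ends outside this hunk.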
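Review bot: The new `SSL_STRONG_MASK 0x0000001FU` is a bare literal with nothing tying it to the SSL_STRONG_* values it is meant to cover or to the adjacent `SSL_DEFAULT_MASK 0X00000020U` it must not overlap; only SSL_STRONG_NONE (0x01) is visible here, so I cannot confirm from the hunk that every strength bit fits in the low five bits. A short comment would make the invariant explicit for anyone adding a strength level later: `/* Union of the SSL_STRONG_* bits below; must stay disjoint from SSL_DEFAULT_MASK. */`. If the project already uses OPENSSL_STATIC_ASSERT or similar elsewhere, a compile-time check that `(SSL_STRONG_MASK & SSL_DEFAULT_MASK) == 0` would enforce it.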