>From 89f90803425420ee21ed71f668072b574059081c Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <[email protected]>
Date: Wed, 15 Jan 2014 15:46:48 +0100
Subject: [PATCH] Added the SYSTEM cipher keyword.
This keyword allows a program to simply specify SYSTEM
in its configuration file and the SSL cipher used will
be determined at run-time from a system-specific file.
The system default keywords can be extended by appending
any application-specific ciphers such as "SYSTEM:PSK".
Such a keyword will allow distributors of applications to
centrally control the allowed ciphers.
---
Configure | 20 +++++++++++++-
crypto/opensslconf.h.in | 2 ++
ssl/ssl_ciph.c | 72 +++++++++++++++++++++++++++++++++++++++++++++++--
3 files changed, 91 insertions(+), 3 deletions(-)
diff --git a/Configure b/Configure
index f0fadaa..7f1f6af 100755
--- a/Configure
+++ b/Configure
@@ -10,7 +10,7 @@ use strict;
# see INSTALL for instructions.
-my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimental-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
+my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimental-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
# Options:
#
@@ -35,6 +35,9 @@ my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimenta
# --with-krb5-flavor Declare what flavor of Kerberos 5 is used. Currently
# supported values are "MIT" and "Heimdal". A value is required.
#
+# --system-ciphers-file A file to be read ciphers from when the SYSTEM cipher
+# is specified (no default).
+#
# --test-sanity Make a number of sanity checks on the data in this file.
# This is a debugging tool for OpenSSL developers.
#
@@ -676,6 +679,7 @@ my $idx_multilib = $idx++;
my $prefix="";
my $libdir="";
my $openssldir="";
+my $system_ciphers_file="";
my $exe_ext="";
my $install_prefix= "$ENV{'INSTALL_PREFIX'}";
my $cross_compile_prefix="";
@@ -939,6 +943,10 @@ EOF
{
$openssldir=$1;
}
+ elsif (/^--system-ciphers-file=(.*)$/)
+ {
+ $system_ciphers_file=$1;
+ }
elsif (/^--install.prefix=(.*)$/)
{
$install_prefix=$1;
@@ -1207,6 +1215,7 @@ chop $prefix if $prefix =~ /.\/$/;
$openssldir=$prefix . "/ssl" if $openssldir eq "";
$openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/;
+chop $system_ciphers_file if $system_ciphers_file =~ /\/$/;
print "IsMK1MF=$IsMK1MF\n";
@@ -1720,6 +1729,7 @@ while (<IN>)
s/^INSTALLTOP=.*$/INSTALLTOP=$prefix/;
s/^MULTILIB=.*$/MULTILIB=$multilib/;
s/^OPENSSLDIR=.*$/OPENSSLDIR=$openssldir/;
+ s/^SYSTEM_CIPHERS_FILE=.*$/SYSTEM_CIPHERS_FILE=$system_ciphers_file/;
s/^LIBDIR=.*$/LIBDIR=$libdir/;
s/^INSTALL_PREFIX=.*$/INSTALL_PREFIX=$install_prefix/;
s/^PLATFORM=.*$/PLATFORM=$target/;
@@ -1926,6 +1936,14 @@ while (<IN>)
$foo =~ s/\\/\\\\/g;
print OUT "#define ENGINESDIR \"$foo\"\n";
}
+ elsif (/^#((define)|(undef))\s+SYSTEM_CIPHERS_FILE/)
+ {
+ my $foo = "$system_ciphers_file";
+ if ($foo ne '') {
+ $foo =~ s/\\/\\\\/g;
+ print OUT "#define SYSTEM_CIPHERS_FILE \"$foo\"\n";
+ }
+ }
elsif (/^#((define)|(undef))\s+OPENSSL_EXPORT_VAR_AS_FUNCTION/)
{ printf OUT "#undef OPENSSL_EXPORT_VAR_AS_FUNCTION\n"
if $export_var_as_fn;
diff --git a/crypto/opensslconf.h.in b/crypto/opensslconf.h.in
index 97e3745..98f1f20 100644
--- a/crypto/opensslconf.h.in
+++ b/crypto/opensslconf.h.in
@@ -10,6 +10,8 @@
#endif
#endif
+#undef SYSTEM_CIPHERS_FILE
+
#undef OPENSSL_UNISTD
#define OPENSSL_UNISTD <unistd.h>
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 9b37cae..356f01d 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1441,6 +1441,51 @@ static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c,
}
#endif
+#ifdef SYSTEM_CIPHERS_FILE
+char* load_system_str(const char* suffix)
+{
+FILE* fp;
+char buf[1024];
+char *new_rules;
+unsigned len, slen;
+
+ fp = fopen(SYSTEM_CIPHERS_FILE, "r");
+ if (fp == NULL)
+ return NULL;
+
+ if (fgets(buf, sizeof(buf), fp) == NULL) {
+ fclose(fp);
+ return NULL;
+ }
+ fclose(fp);
+
+ slen = strlen(suffix);
+ len = strlen(buf);
+
+ if (buf[len-1] == '\n') {
+ len--;
+ buf[len] = 0;
+ }
+ if (buf[len-1] == '\r') {
+ len--;
+ buf[len] = 0;
+ }
+
+ new_rules = malloc(len + slen + 1);
+
+ if (new_rules == 0)
+ return NULL;
+
+ memcpy(new_rules, buf, len);
+ if (slen > 0) {
+ memcpy(&new_rules[len], suffix, slen);
+ len += slen;
+ }
+ new_rules[len] = 0;
+
+ return new_rules;
+}
+#endif
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
STACK_OF(SSL_CIPHER) **cipher_list,
@@ -1451,17 +1496,32 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
unsigned long disabled_mkey, disabled_auth, disabled_enc, disabled_mac, disabled_ssl;
STACK_OF(SSL_CIPHER) *cipherstack, *tmp_cipher_list;
const char *rule_p;
+ char *new_rules = NULL;
CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
const SSL_CIPHER **ca_list = NULL;
+#ifdef SYSTEM_CIPHERS_FILE
+ if (rule_str != NULL && strncmp(rule_str, "SYSTEM", 6) == 0) {
+ const char* p = rule_str + 6;
+
+ new_rules = load_system_str(p);
+ rule_str = new_rules;
+ }
+#endif
+
/*
* Return with error if nothing to do.
*/
- if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL)
+ if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL) {
+ OPENSSL_free(new_rules);
return NULL;
+ }
+
#ifndef OPENSSL_NO_EC
- if (!check_suiteb_cipher_list(ssl_method, c, &rule_str))
+ if (!check_suiteb_cipher_list(ssl_method, c, &rule_str)) {
+ OPENSSL_free(new_rules);
return NULL;
+ }
#endif
/*
@@ -1483,6 +1543,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
if (co_list == NULL)
{
SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
+ OPENSSL_free(new_rules);
return(NULL); /* Failure */
}
@@ -1526,6 +1587,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
if (!ssl_cipher_strength_sort(&head, &tail))
{
OPENSSL_free(co_list);
+ OPENSSL_free(new_rules);
return NULL;
}
@@ -1547,6 +1609,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
if (ca_list == NULL)
{
OPENSSL_free(co_list);
+ OPENSSL_free(new_rules);
SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
return(NULL); /* Failure */
}
@@ -1577,6 +1640,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
if (!ok)
{ /* Rule processing failure */
OPENSSL_free(co_list);
+ OPENSSL_free(new_rules);
return(NULL);
}
@@ -1587,6 +1651,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL)
{
OPENSSL_free(co_list);
+ OPENSSL_free(new_rules);
return(NULL);
}
@@ -1614,6 +1679,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
if (tmp_cipher_list == NULL)
{
sk_SSL_CIPHER_free(cipherstack);
+ OPENSSL_free(new_rules);
return NULL;
}
if (*cipher_list != NULL)
@@ -1625,6 +1691,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
(void)sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id,ssl_cipher_ptr_id_cmp);
sk_SSL_CIPHER_sort(*cipher_list_by_id);
+
+ OPENSSL_free(new_rules);
return(cipherstack);
}
--
1.8.5.3
