Hi,

I am trying to set a single cipher on my SSL object: AES128-SHA.

However, when I call SSL_set_cipher_list(sslobj,"AES128-SHA") and then
check what ciphers were actually set I see that AES256-SHA is also set.

Arduously stepping through the code I think I finally understand the
reason. See backtrace:

#0  ssl_cipher_apply_rule (algorithms=109052161, mask=83886079, algo_strength=129, mask_strength=255, rule=1, strength_bits=-1, co_list=0x2f681000, head_p=0x76dea538, tail_p=0x76dea53c) at src/crypto/openssl/ssl/ssl_ciph.c:523
#1  0x210edc00 in ssl_cipher_process_rulestr (rule_str=<value optimized out>, co_list=0x2f681000, head_p=0x76dea538, tail_p=0x76dea53c, ca_list=0x2f670800) at src/crypto/openssl/ssl/ssl_ciph.c:796
#2  0x210ee07c in ssl_create_cipher_list (ssl_method=0x21b07640, cipher_list=0x2f643c74, cipher_list_by_id=0x2f643c78, rule_str=0x2f67c6a6 "AES128-SHA") at src/crypto/openssl/ssl/ssl_ciph.c:891
#3  0x210f6fe4 in SSL_set_cipher_list (s=<value optimized out>, str=0x76dea53c "/h\024\210") at src/crypto/openssl/ssl/ssl_lib.c:1187

ssl_cipher_apply_rule is called with strength_bits == -1, which causes it
to disregard the cipher's strength bits in the following code:

        /*
         * Selection criteria is either the number of strength_bits
         * or the algorithm used.
         */
        if (strength_bits == -1) /* [Michal Dorsett] this execution path is selected */
            {
            ma = mask & cp->algorithms;
            ma_s = mask_strength & cp->algo_strength;

            if (((ma == 0) && (ma_s == 0)) ||
                ((ma & algorithms) != ma) ||
                ((ma_s & algo_strength) != ma_s))
                continue; /* does not apply */
            }
        else if (strength_bits != cp->strength_bits) /* [Michal Dorsett] I believe this should have been selected */
            continue;   /* does not apply */

I am quite the newbie in this, but why is it valid to disregard the
strength bits when setting the requested cipher?

Regards,
 
Michal Dorsett
Software Engineer
   _             _
  (_)_   _ _ __ (_)_ __   ___ _ __
  | | | | | '_ \| | '_ \ / _ \ '__|
  | | |_| | | | | | |_) |  __/ |
 _/ |\__,_|_| |_|_| .__/ \___|_|
|__/              |_|     NETWORKS
Mobile number:          +972-52-520-5535
Phone number:   +972-74-717-0037
Fax number:             +972-74-717-0001
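
Added example (not part of the original message and not OpenSSL's own code): a small stand-alone C model of the quoted branch, fed with the argument values from the backtrace. The struct and table are constructed, and it is an assumption that the AES128-SHA and AES256-SHA entries carry the same algorithms and algo_strength bits and differ only in strength_bits; under that assumption the strength_bits == -1 path selects both entries, while a strength_bits of 128 selects one.

```c
#include <stdio.h>

/* Constructed stand-in for the fields the quoted code reads; not OpenSSL's struct. */
struct cipher_model {
    const char *name;
    unsigned long algorithms, algo_strength;
    int strength_bits;
};

/* Argument values of ssl_cipher_apply_rule as shown in frame #0 of the backtrace. */
#define RULE_ALGORITHMS    109052161UL
#define RULE_MASK           83886079UL
#define RULE_ALGO_STRENGTH       129UL
#define RULE_MASK_STRENGTH       255UL

/* Same test as the quoted branch: returns 1 if the rule applies to cp, else 0. */
static int rule_applies(const struct cipher_model *cp, int strength_bits)
{
    if (strength_bits == -1) {
        unsigned long ma = RULE_MASK & cp->algorithms;
        unsigned long ma_s = RULE_MASK_STRENGTH & cp->algo_strength;
        if ((ma == 0 && ma_s == 0) ||
            (ma & RULE_ALGORITHMS) != ma ||
            (ma_s & RULE_ALGO_STRENGTH) != ma_s)
            return 0;               /* does not apply */
    } else if (strength_bits != cp->strength_bits) {
        return 0;                   /* does not apply */
    }
    return 1;
}

/* Assumption: identical algorithm and strength-class bits, different key size. */
static const struct cipher_model MODEL[] = {
    { "AES128-SHA", RULE_ALGORITHMS, RULE_ALGO_STRENGTH, 128 },
    { "AES256-SHA", RULE_ALGORITHMS, RULE_ALGO_STRENGTH, 256 },
};

/* Count how many model entries the rule selects for a given strength_bits. */
static int count_selected(int strength_bits)
{
    int n = 0;
    for (size_t i = 0; i < sizeof MODEL / sizeof MODEL[0]; i++)
        n += rule_applies(&MODEL[i], strength_bits);
    return n;
}

int main(void)
{
    printf("-1 selects %d, 128 selects %d\n", count_selected(-1), count_selected(128));
}
```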

