[openssl.org #3266] updated patch: Added the SYSTEM cipher keyword

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

[openssl.org #3266] updated patch: Added the SYSTEM cipher keyword

Rich Salz via RT



From 89f90803425420ee21ed71f668072b574059081c Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <[hidden email]>
Date: Wed, 15 Jan 2014 15:46:48 +0100
Subject: [PATCH] Added the SYSTEM cipher keyword.

This keyword allows a program to simply specify SYSTEM
in its configuration file and the SSL cipher used will
be determined at run-time from a system-specific file.
The system default keywords can be extended by appending
any application-specific ciphers such as "SYSTEM:PSK".

Such a keyword will allow distributors of applications to
centrally control the allowed ciphers.
---
 Configure               | 20 +++++++++++++-
 crypto/opensslconf.h.in |  2 ++
 ssl/ssl_ciph.c          | 72 +++++++++++++++++++++++++++++++++++++++++++++++--
 3 files changed, 91 insertions(+), 3 deletions(-)

diff --git a/Configure b/Configure
index f0fadaa..7f1f6af 100755
--- a/Configure
+++ b/Configure
@@ -10,7 +10,7 @@ use strict;
 
 # see INSTALL for instructions.
 
-my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimental-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
+my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimental-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
 
 # Options:
 #
@@ -35,6 +35,9 @@ my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimenta
 # --with-krb5-flavor  Declare what flavor of Kerberos 5 is used.  Currently
 # supported values are "MIT" and "Heimdal".  A value is required.
 #
+# --system-ciphers-file  A file to be read ciphers from  when the SYSTEM cipher
+#                        is specified (no default).
+#
 # --test-sanity Make a number of sanity checks on the data in this file.
 #               This is a debugging tool for OpenSSL developers.
 #
@@ -676,6 +679,7 @@ my $idx_multilib = $idx++;
 my $prefix="";
 my $libdir="";
 my $openssldir="";
+my $system_ciphers_file="";
 my $exe_ext="";
 my $install_prefix= "$ENV{'INSTALL_PREFIX'}";
 my $cross_compile_prefix="";
@@ -939,6 +943,10 @@ EOF
  {
  $openssldir=$1;
  }
+ elsif (/^--system-ciphers-file=(.*)$/)
+ {
+ $system_ciphers_file=$1;
+ }
  elsif (/^--install.prefix=(.*)$/)
  {
  $install_prefix=$1;
@@ -1207,6 +1215,7 @@ chop $prefix if $prefix =~ /.\/$/;
 $openssldir=$prefix . "/ssl" if $openssldir eq "";
 $openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/;
 
+chop $system_ciphers_file if $system_ciphers_file =~ /\/$/;
 
 print "IsMK1MF=$IsMK1MF\n";
 
@@ -1720,6 +1729,7 @@ while (<IN>)
  s/^INSTALLTOP=.*$/INSTALLTOP=$prefix/;
  s/^MULTILIB=.*$/MULTILIB=$multilib/;
  s/^OPENSSLDIR=.*$/OPENSSLDIR=$openssldir/;
+ s/^SYSTEM_CIPHERS_FILE=.*$/SYSTEM_CIPHERS_FILE=$system_ciphers_file/;
  s/^LIBDIR=.*$/LIBDIR=$libdir/;
  s/^INSTALL_PREFIX=.*$/INSTALL_PREFIX=$install_prefix/;
  s/^PLATFORM=.*$/PLATFORM=$target/;
@@ -1926,6 +1936,14 @@ while (<IN>)
  $foo =~ s/\\/\\\\/g;
  print OUT "#define ENGINESDIR \"$foo\"\n";
  }
+ elsif (/^#((define)|(undef))\s+SYSTEM_CIPHERS_FILE/)
+ {
+ my $foo = "$system_ciphers_file";
+ if ($foo ne '') {
+ $foo =~ s/\\/\\\\/g;
+ print OUT "#define SYSTEM_CIPHERS_FILE \"$foo\"\n";
+ }
+ }
  elsif (/^#((define)|(undef))\s+OPENSSL_EXPORT_VAR_AS_FUNCTION/)
  { printf OUT "#undef OPENSSL_EXPORT_VAR_AS_FUNCTION\n"
  if $export_var_as_fn;
diff --git a/crypto/opensslconf.h.in b/crypto/opensslconf.h.in
index 97e3745..98f1f20 100644
--- a/crypto/opensslconf.h.in
+++ b/crypto/opensslconf.h.in
@@ -10,6 +10,8 @@
 #endif
 #endif
 
+#undef SYSTEM_CIPHERS_FILE
+
 #undef OPENSSL_UNISTD
 #define OPENSSL_UNISTD <unistd.h>
 
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 9b37cae..356f01d 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1441,6 +1441,51 @@ static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c,
  }
 #endif
 
+#ifdef SYSTEM_CIPHERS_FILE
+char* load_system_str(const char* suffix)
+{
+FILE* fp;
+char buf[1024];
+char *new_rules;
+unsigned len, slen;
+
+ fp = fopen(SYSTEM_CIPHERS_FILE, "r");
+ if (fp == NULL)
+ return NULL;
+
+ if (fgets(buf, sizeof(buf), fp) == NULL) {
+ fclose(fp);
+ return NULL;
+ }
+ fclose(fp);
+
+ slen = strlen(suffix);
+ len = strlen(buf);
+
+ if (buf[len-1] == '\n') {
+ len--;
+ buf[len] = 0;
+ }
+ if (buf[len-1] == '\r') {
+ len--;
+ buf[len] = 0;
+ }
+
+ new_rules = malloc(len + slen + 1);
+
+ if (new_rules == 0)
+ return NULL;
+
+ memcpy(new_rules, buf, len);
+ if (slen > 0) {
+ memcpy(&new_rules[len], suffix, slen);
+ len += slen;
+ }
+ new_rules[len] = 0;
+
+ return new_rules;
+}
+#endif
 
 STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
  STACK_OF(SSL_CIPHER) **cipher_list,
@@ -1451,17 +1496,32 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
  unsigned long disabled_mkey, disabled_auth, disabled_enc, disabled_mac, disabled_ssl;
  STACK_OF(SSL_CIPHER) *cipherstack, *tmp_cipher_list;
  const char *rule_p;
+ char *new_rules = NULL;
  CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
  const SSL_CIPHER **ca_list = NULL;
 
+#ifdef SYSTEM_CIPHERS_FILE
+ if (rule_str != NULL && strncmp(rule_str, "SYSTEM", 6) == 0) {
+ const char* p = rule_str + 6;
+
+ new_rules = load_system_str(p);
+ rule_str = new_rules;
+ }
+#endif
+
  /*
  * Return with error if nothing to do.
  */
- if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL)
+ if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL) {
+ OPENSSL_free(new_rules);
  return NULL;
+ }
+
 #ifndef OPENSSL_NO_EC
- if (!check_suiteb_cipher_list(ssl_method, c, &rule_str))
+ if (!check_suiteb_cipher_list(ssl_method, c, &rule_str)) {
+ OPENSSL_free(new_rules);
  return NULL;
+ }
 #endif
 
  /*
@@ -1483,6 +1543,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
  if (co_list == NULL)
  {
  SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
+ OPENSSL_free(new_rules);
  return(NULL); /* Failure */
  }
 
@@ -1526,6 +1587,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
  if (!ssl_cipher_strength_sort(&head, &tail))
  {
  OPENSSL_free(co_list);
+ OPENSSL_free(new_rules);
  return NULL;
  }
 
@@ -1547,6 +1609,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
  if (ca_list == NULL)
  {
  OPENSSL_free(co_list);
+ OPENSSL_free(new_rules);
  SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
  return(NULL); /* Failure */
  }
@@ -1577,6 +1640,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
  if (!ok)
  { /* Rule processing failure */
  OPENSSL_free(co_list);
+ OPENSSL_free(new_rules);
  return(NULL);
  }
 
@@ -1587,6 +1651,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
  if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL)
  {
  OPENSSL_free(co_list);
+ OPENSSL_free(new_rules);
  return(NULL);
  }
 
@@ -1614,6 +1679,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
  if (tmp_cipher_list == NULL)
  {
  sk_SSL_CIPHER_free(cipherstack);
+ OPENSSL_free(new_rules);
  return NULL;
  }
  if (*cipher_list != NULL)
@@ -1625,6 +1691,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
  (void)sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id,ssl_cipher_ptr_id_cmp);
 
  sk_SSL_CIPHER_sort(*cipher_list_by_id);
+
+ OPENSSL_free(new_rules);
  return(cipherstack);
  }
 
--
1.8.5.3

Reply | Threaded
Open this post in threaded view
|

Re: [openssl.org #3266] updated patch: Added the SYSTEM cipher keyword

Hubert Kario
----- Original Message -----

> From: "Nikos Mavrogiannopoulos via RT" <[hidden email]>
> Cc: [hidden email]
> Sent: Thursday, 27 March, 2014 4:35:03 PM
> Subject: [openssl.org #3266] updated patch: Added the SYSTEM cipher keyword
>
>
> +#ifdef SYSTEM_CIPHERS_FILE
> +char* load_system_str(const char* suffix)
> +{
> +FILE* fp;
> +char buf[1024];
> +char *new_rules;
> +unsigned len, slen;
> +
> +        fp = fopen(SYSTEM_CIPHERS_FILE, "r");
> +        if (fp == NULL)
> +                return NULL;
> +
> +        if (fgets(buf, sizeof(buf), fp) == NULL) {
> +                fclose(fp);
> +                return NULL;
> +        }
> +        fclose(fp);

Since `openssl ciphers ALL:COMPLEMENTOFALL:COMPLEMENTOFDEFAULT | wc -c`
is already over 2500 bytes (depending on configured ciphers), I don't
think 1024 size for buf is large enough...

--
Regards,
Hubert Kario
BaseOS QE Security team
Red Hat Czech s.r.o., Purky┼łova 99/71, 612 45, Brno, Czech Republic