ref: 081c1f215399065fcd43acc4360d3c6836a98865
parent: c8d84a805eeb664f6b29b94814ae5c39217a3767
author: cinap_lenrek <[email protected]>
date: Sat Mar 12 08:29:58 EST 2016
libsec: remove weakCipher[] array check as we do not support any of these weak ciphers
--- a/libsec/tlshand.c
+++ b/libsec/tlshand.c
@@ -693,11 +693,7 @@
memmove(c->crandom, m.u.clientHello.random, RandomSize);
cipher = okCipher(m.u.clientHello.ciphers, psklen > 0);
if(cipher < 0) {
- // reply with EInsufficientSecurity if we know that's the case
- if(cipher == -2)
- tlsError(c, EInsufficientSecurity, "cipher suites too weak");
- else
- tlsError(c, EHandshakeFailure, "no matching cipher suite");
+ tlsError(c, EHandshakeFailure, "no matching cipher suite");
goto Err;
}
if(!setAlgs(c, cipher)){
@@ -2208,38 +2204,6 @@
//================= cipher choices ========================
-static char weakCipher[] =
-{
-[TLS_NULL_WITH_NULL_NULL] 1,
-[TLS_RSA_WITH_NULL_MD5] 1,
-[TLS_RSA_WITH_NULL_SHA] 1,
-[TLS_RSA_EXPORT_WITH_RC4_40_MD5] 1,
-[TLS_RSA_WITH_RC4_128_MD5] 1,
-[TLS_RSA_WITH_RC4_128_SHA] 1,
-[TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5] 1,
-[TLS_RSA_WITH_IDEA_CBC_SHA] 0,
-[TLS_RSA_EXPORT_WITH_DES40_CBC_SHA] 1,
-[TLS_RSA_WITH_DES_CBC_SHA] 0,
-[TLS_RSA_WITH_3DES_EDE_CBC_SHA] 0,
-[TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA] 1,
-[TLS_DH_DSS_WITH_DES_CBC_SHA] 0,
-[TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA] 0,
-[TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA] 1,
-[TLS_DH_RSA_WITH_DES_CBC_SHA] 0,
-[TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA] 0,
-[TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA] 1,
-[TLS_DHE_DSS_WITH_DES_CBC_SHA] 0,
-[TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA] 0,
-[TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA] 1,
-[TLS_DHE_RSA_WITH_DES_CBC_SHA] 0,
-[TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA] 0,
-[TLS_DH_anon_EXPORT_WITH_RC4_40_MD5] 1,
-[TLS_DH_anon_WITH_RC4_128_MD5] 1,
-[TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA] 1,
-[TLS_DH_anon_WITH_DES_CBC_SHA] 1,
-[TLS_DH_anon_WITH_3DES_EDE_CBC_SHA] 1,
-};
-
static int
setAlgs(TlsConnection *c, int a)
{
@@ -2262,25 +2226,15 @@
static int
okCipher(Ints *cv, int ispsk)
{
- int weak, i, j, c;
+ int i, j, c;
- weak = 1;
for(i = 0; i < cv->len; i++) {
- c = cv->data[i];
- if(c >= nelem(weakCipher))
- weak = 0;
- else
- weak &= weakCipher[c];
- if(isPSK(c) != ispsk)
- continue;
- if(isDHE(c) || isECDHE(c))
+ if(isDHE(c) || isECDHE(c) || isPSK(c) != ispsk)
continue; /* TODO: not implemented for server */
for(j = 0; j < nelem(cipherAlgs); j++)
if(cipherAlgs[j].ok && cipherAlgs[j].tlsid == c)
return c;
}
- if(weak)
- return -2;
return -1;
}
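Review bot: `c` is read without ever being assigned in the new `okCipher` loop, because the removed line `c = cv->data[i];` was the only assignment to it visible in this hunk. Both the merged test `isDHE(c) || isECDHE(c) || isPSK(c) != ispsk` and the `cipherAlgs[j].tlsid == c` comparison now work on an indeterminate value instead of the suite the client offered. The server may therefore reject every ClientHello, or return a suite id that was never in `cv`. Keep `c = cv->data[i];` as the first statement of the loop body. Separately, the trailing `/* TODO: not implemented for server */` comment now also sits on the PSK-mismatch case, which it does not describe; leaving `if(isPSK(c) != ispsk) continue;` as its own statement would keep the comment accurate.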