From 7f9d47b3aa8271fc32ef0fa58649f399c2dcd2a4 Mon Sep 17 00:00:00 2001 From: Davide Beatrici Date: Fri, 21 Dec 2018 09:54:51 +0100 Subject: [PATCH] Mayaqua: query OpenSSL for the list of available ciphers instead of relying on a static list --- src/Cedar/Command.c | 2 ++ src/Cedar/SM.c | 1 + src/Mayaqua/Network.c | 74 +++++++++++++++++++++++++++++++++++-------- 3 files changed, 64 insertions(+), 13 deletions(-) diff --git a/src/Cedar/Command.c b/src/Cedar/Command.c index 85086dab..97951c6e 100644 --- a/src/Cedar/Command.c +++ b/src/Cedar/Command.c @@ -8850,6 +8850,8 @@ UINT PsServerCipherGet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param) c->Write(c, tmp); } + FreeToken(ciphers); + FreeRpcStr(&t); FreeParamValueList(o); diff --git a/src/Cedar/SM.c b/src/Cedar/SM.c index a7aec72a..c9aa2540 100644 --- a/src/Cedar/SM.c +++ b/src/Cedar/SM.c @@ -17029,6 +17029,7 @@ void SmSslDlgInit(HWND hWnd, SM_SSL *s) StrToUni(tmp, sizeof(tmp), name); CbAddStr(hWnd, C_CIPHER, tmp, 0); } + FreeToken(cipher_list); if (s->p != NULL) { diff --git a/src/Mayaqua/Network.c b/src/Mayaqua/Network.c index 4be28ec3..6d015f02 100644 --- a/src/Mayaqua/Network.c +++ b/src/Mayaqua/Network.c @@ -205,7 +205,6 @@ static LOCK *socket_library_lock = NULL; extern LOCK *openssl_lock; static LOCK *ssl_accept_lock = NULL; static LOCK *ssl_connect_lock = NULL; -static TOKEN_LIST *cipher_list_token = NULL; static COUNTER *num_tcp_connections = NULL; static LOCK *dns_lock = NULL; static LOCK *unix_dns_server_addr_lock = NULL; @@ -233,12 +232,6 @@ static COUNTER *getip_thread_counter = NULL; static UINT max_getip_thread = 0; -static char *cipher_list = "RC4-MD5 RC4-SHA AES128-SHA AES256-SHA DES-CBC-SHA DES-CBC3-SHA DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA AES128-GCM-SHA256 AES128-SHA256 AES256-GCM-SHA384 AES256-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384" -#if OPENSSL_VERSION_NUMBER >= 0x10100000L - " DHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305"; -#endif -; - static LIST *ip_clients = NULL; static LIST *local_mac_list = NULL; @@ -16532,8 +16525,6 @@ void InitNetwork() Zero(&unix_dns_server, sizeof(unix_dns_server)); local_mac_list_lock = NewLock(); - cipher_list_token = ParseToken(cipher_list, " "); - current_global_ip_lock = NewLock(); current_fqdn_lock = NewLock(); current_global_ip_set = false; @@ -16566,7 +16557,67 @@ bool IsNetworkNameCacheEnabled() // Get the cipher algorithm list TOKEN_LIST *GetCipherList() { - return cipher_list_token; + UINT i; + SSL *ssl; + SSL_CTX *ctx; + const char *name; + STACK_OF(SSL_CIPHER) *sk; + + TOKEN_LIST *ciphers = ZeroMalloc(sizeof(TOKEN_LIST)); + + ctx = NewSSLCtx(true); + if (ctx == NULL) + { + return ciphers; + } + + SSL_CTX_set_ssl_version(ctx, SSLv23_server_method()); + +#ifdef SSL_OP_NO_SSLv3 + SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3); +#endif + + ssl = SSL_new(ctx); + if (ssl == NULL) + { + FreeSSLCtx(ctx); + return ciphers; + } + +#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) + sk = SSL_get1_supported_ciphers(ssl); +#else + sk = SSL_get_ciphers(ssl); +#endif + + for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) + { + const SSL_CIPHER *c = sk_SSL_CIPHER_value(sk, i); + + name = SSL_CIPHER_get_name(c); + if (IsEmptyStr(name)) + { + break; + } + + ciphers->NumTokens++; + + if (ciphers->Token != NULL) { + ciphers->Token = ReAlloc(ciphers->Token, sizeof(char *) * ciphers->NumTokens); + } + else + { + ciphers->Token = Malloc(sizeof(char *)); + } + + ciphers->Token[i] = CopyStr(name); + } + + sk_SSL_CIPHER_free(sk); + FreeSSLCtx(ctx); + SSL_free(ssl); + + return ciphers; } // Get the TCP connections counter @@ -16954,9 +17005,6 @@ void FreeNetwork() // Release of thread-related FreeWaitThread(); - FreeToken(cipher_list_token); - cipher_list_token = NULL; - Zero(&unix_dns_server, sizeof(unix_dns_server)); // Release the locks