Update MozNSS OpenSSL-like parsing code Author: Matus Honek PreviousAuthor: Jan Vcelak diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c --- a/libraries/libldap/tls_m.c +++ b/libraries/libldap/tls_m.c @@ -597,10 +597,12 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) while ((*cipher) && (isspace(*cipher))) ++cipher; - action = 1; switch(*cipher) { - case '+': /* Add something */ - action = 1; + case '+': /* Do nothig. NSS does not support ordering. */ + Debug( LDAP_DEBUG_ARGS, + "TLS: warning: parsing cipher string: ordering is not supported by NSS.\n", + 0, 0, 0 ); + action = 2; cipher++; break; case '-': /* Subtract something */ @@ -611,8 +613,8 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) action = -1; cipher++; break; - default: - /* do nothing */ + default: /* Add something */ + action = 1; break; } @@ -646,7 +648,10 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) } } else { int mask = 0; + int multi_mask = 0; + int negative_mask = 0; int strength = 0; + int multi_strength = 0; int protocol = 0; char *c; @@ -657,16 +662,21 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) *c++ = '\0'; } - if (!strcmp(cipher, "RSA")) { - mask |= SSL_RSA; + if ((!strcmp(cipher, "RSA")) || (!strcmp(cipher, "kRSA"))) { + mask |= SSL_kRSA; + } else if (!strcmp(cipher, "aRSA")) { + mask |= SSL_aRSA; + negative_mask |= SSL_kECDH; } else if ((!strcmp(cipher, "NULL")) || (!strcmp(cipher, "eNULL"))) { mask |= SSL_eNULL; } else if (!strcmp(cipher, "AES128")) { mask |= SSL_AES128; } else if (!strcmp(cipher, "AES256")) { mask |= SSL_AES256; + } else if (!strcmp(cipher, "AESGCM")) { + mask |= SSL_AESGCM; } else if (!strcmp(cipher, "AES")) { - mask |= SSL_AES; + multi_mask |= SSL_AES; } else if (!strcmp(cipher, "3DES")) { mask |= SSL_3DES; } else if (!strcmp(cipher, "DES")) { @@ -673,44 +687,67 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) mask |= SSL_RC2; } else if (!strcmp(cipher, "MD5")) { mask |= SSL_MD5; + } else if (!strcmp(cipher, "SHA256")) { + mask |= SSL_SHA256; + } else if (!strcmp(cipher, "SHA384")) { + mask |= SSL_SHA384; } else if ((!strcmp(cipher, "SHA")) || (!strcmp(cipher, "SHA1"))) { mask |= SSL_SHA1; - } else if (!strcmp(cipher, "EDH")) { - mask |= SSL_kEDH; - } else if (!strcmp(cipher, "DSS")) { - mask |= SSL_aDSA; + } else if ((!strcmp(cipher, "EDH")) || (!strcmp(cipher, "DH"))) { + mask |= SSL_kEDH; + } else if ((!strcmp(cipher, "DSS")) || (!strcmp(cipher, "aDSS"))) { + mask |= SSL_aDSA; } else if (!strcmp(cipher, "CAMELLIA128")) { mask |= SSL_CAMELLIA128; } else if (!strcmp(cipher, "CAMELLIA256")) { mask |= SSL_CAMELLIA256; } else if (!strcmp(cipher, "CAMELLIA")) { - mask |= SSL_CAMELLIA; + multi_mask |= SSL_CAMELLIA; } else if (!strcmp(cipher, "SEED")) { mask |= SSL_SEED; - } else if (!strcmp(cipher, "ECDH")) { - mask |= SSL_kECDH; - } else if (!strcmp(cipher, "ECDHE")) { - mask |= SSL_kECDHE; - } else if (!strcmp(cipher, "ECDSA")) { - mask |= SSL_aECDSA; + } else if (!strcmp(cipher, "kECDHe")) { + mask |= SSL_kECDH|SSL_aECDSA; + } else if (!strcmp(cipher, "kECDHr")) { + mask |= SSL_kECDH|SSL_aRSA; + } else if (!strcmp(cipher, "kECDH")) { + mask |= SSL_kECDH; + } else if (!strcmp(cipher, "aECDH")) { + mask |= SSL_kECDH; + } else if (!strcmp(cipher, "EECDH")) { + mask |= SSL_kECDHE; + } else if (!strcmp(cipher, "kEECDH")) { + mask |= SSL_kECDHE; + } else if (!strcmp(cipher, "ECDHE")) { + mask |= SSL_kECDHE; + } else if (!strcmp(cipher, "ECDH")) { + multi_mask |= SSL_ECDH; + } else if ((!strcmp(cipher, "ECDSA")) || (!strcmp(cipher, "aECDSA"))) { + mask |= SSL_aECDSA; + negative_mask |= SSL_kECDH; + } else if (!strcmp(cipher, "PSK")) { + mask |= SSL_aPSK; + } else if (!strcmp(cipher, "CHACHA20POLY1305")) { + mask |= SSL_CHACHA20POLY1305; } else if (!strcmp(cipher, "SSLv2")) { protocol |= SSL2; } else if (!strcmp(cipher, "SSLv3")) { protocol |= SSL3; } else if (!strcmp(cipher, "TLSv1")) { protocol |= TLS1; + } else if (!strcmp(cipher, "TLSv1.2")) { + protocol |= TLS1_2; } else if (!strcmp(cipher, "HIGH")) { strength |= SSL_HIGH; } else if (!strcmp(cipher, "MEDIUM")) { strength |= SSL_MEDIUM; } else if (!strcmp(cipher, "LOW")) { strength |= SSL_LOW; - } else if ((!strcmp(cipher, "EXPORT")) || (!strcmp(cipher, "EXP"))) { - strength |= SSL_EXPORT40|SSL_EXPORT56; } else if (!strcmp(cipher, "EXPORT40")) { strength |= SSL_EXPORT40; } else if (!strcmp(cipher, "EXPORT56")) { strength |= SSL_EXPORT56; + } else if ((!strcmp(cipher, "EXPORT")) || (!strcmp(cipher, "EXP"))) { + multi_strength |= SSL_EXPORT; } if (c) @@ -700,23 +751,39 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) } /* while */ + /* NSS does not support ordering */ + if (action == 2) + continue; + /* If we have a mask, apply it. If not then perhaps they provided * a specific cipher to enable. + * if more than one mask is provided then AND logic applies (to match openssl) */ - if (mask || strength || protocol) { + if (mask || negative_mask || multi_mask || strength || multi_strength || protocol) { for (i=0; i