From patchwork Fri Dec 8 17:33:46 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Frank Lichtenheld X-Patchwork-Id: 3514 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7300:8d12:b0:fc:24ac:f0cb with SMTP id i18csp3747837dys; Fri, 8 Dec 2023 09:34:37 -0800 (PST) X-Google-Smtp-Source: AGHT+IHbTMG/zUyoSzEPEirqQUG3PJzy+uVLUsSPsel1gt0+IXwnWX4HQcR4dlWdBuJYLM35dAxl X-Received: by 2002:a05:6a20:1609:b0:188:67f:ff2c with SMTP id l9-20020a056a20160900b00188067fff2cmr900294pzj.0.1702056877453; Fri, 08 Dec 2023 09:34:37 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1702056877; cv=none; d=google.com; s=arc-20160816; b=Lum+ThvwJqCS4BN3jRsYXfF0axIaV7S83+6eBgAyahz2RIVwfcZlK5rsMrJkEcSoVU enOD7qvdITsF5nQ0QjUVO9j5JbSm7Lak8IxmMK0O2k161PV7NjTbsH6H+bsalpgsxF78 WYBc+HUW03X3T/MsnUpgZs8NBKJi/cyXU0TxTpWVQ9qZ5Hy35cBkz9hF9f+xaEHP9Lai hmdKeJ1ZEqLBrA/ejuowOi3+8idDA/QsthFpEha6+h82WPgq4UX0Q/hmBSQN5RZh7MLL veEO9DM8o7EsR+WiMFS0o77YF1T0zGCOk5KBmp6P0fg64fgPfRA1K1ekccpjm7Tfmtks Muuw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :mime-version:references:in-reply-to:message-id:date:to:from :dkim-signature:dkim-signature:dkim-signature; bh=JmqwrfsgWbolAZmFLUstE+r9UcxiOeHSwNUBm1uVrKw=; fh=4NbAC/LsuMLI0S0hprUlLSLCiHwg6SCAifhH718Jh0Q=; b=iYYElVPQFMdOBXQElF7ZtqWt6JHpQmJbE/CT4dP2ZDq3RR4v2T/PeCOijKAJ3YDTL6 Y0P1br6q/IA+e1DEvvqyfBnsDqurLLdiyz1nZA5tLossk43jnSQ0IB86WtfYYJ4oEsos wcB3lK41BzLG7+BjQ9C8xISn741FFPW+392TYULdmYr1dBLpLPQXg0LmcvOypc7OeCLi riRcqq5W/cLL1JQoZtvyjGuP9CC3FponPFBZLPRwGIKcmDZP3gRtxhPURlOP35JF+hjl 3PsI5N192bXqgoiaoXVB8dzibi5jzELHOP2ZLXH3lG7rg+zGV/PaFYW8den2gfdo1oPq 94/g== ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b="FKYKW+K/"; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=HHOTUPW0; dkim=neutral (body hash did not verify) header.i=@lichtenheld.com header.s=MBO0001 header.b=XIZOxiHD; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id s13-20020a65690d000000b005c1cc53612dsi1819548pgq.500.2023.12.08.09.34.37 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 08 Dec 2023 09:34:37 -0800 (PST) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b="FKYKW+K/"; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=HHOTUPW0; dkim=neutral (body hash did not verify) header.i=@lichtenheld.com header.s=MBO0001 header.b=XIZOxiHD; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1rBejs-0001Hn-Gm; Fri, 08 Dec 2023 17:34:12 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1rBejq-0001Hf-Kq for openvpn-devel@lists.sourceforge.net; Fri, 08 Dec 2023 17:34:11 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=AtR9LHH+LD9w7xstxdK6ilwwczzP5G+oGeHqFdDmk8w=; b=FKYKW+K/K7mYCeZuZT8iexrP5q C1orKfjk09lqCusYG5Un/Km1IWlxh4x/zvyFRcGbSBZlAcoxZnQJYiSu3og/089kbiPoj1nEbfmWl Rsww34s1CW3x+e6U4jQpW+kdrRaJrTNmbbF0qwyy7zCzhEahT3J1Fn78M+yuHKcSRMHI=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=AtR9LHH+LD9w7xstxdK6ilwwczzP5G+oGeHqFdDmk8w=; b=HHOTUPW0rT7E9SWMoWa8GYHLN6 cFVnO+ZGJeEsdDHj6r9PcdfGleXNX8dzXTuOh7BxhrDT3dH9ZySGibj68/AnI7NUcRL1Z40npkmcF 4evz/mTbgbja09c6wZg3ERbD9igsInzbP/NFox1ZIXpNYwqc+J0NK2PbG9UWHqoBpU1Q=; Received: from mout-p-102.mailbox.org ([80.241.56.152]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1rBejk-0002cH-Oh for openvpn-devel@lists.sourceforge.net; Fri, 08 Dec 2023 17:34:09 +0000 Received: from smtp2.mailbox.org (smtp2.mailbox.org [10.196.197.2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-p-102.mailbox.org (Postfix) with ESMTPS id 4Smyt40Nw6z9sln; Fri, 8 Dec 2023 18:33:48 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lichtenheld.com; s=MBO0001; t=1702056828; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=AtR9LHH+LD9w7xstxdK6ilwwczzP5G+oGeHqFdDmk8w=; b=XIZOxiHD4DVssh1Nz+PVW8JyT3okW8dJQogXqZfDh8YwwFBvj0E/1SUG7jSfVi0Xlhyb18 RP7zXKoLHgP8Lqy57AzIIEypg+N09qiZAWj7LsyslTx2NuMg60kYBEZbaqxyok17qZ+wG4 BcutQXiieAZE5bDFibY9YOXnpM+2KulyL+OPRvtwcz1KLwtj/YZaGFxkGB5WMtp1rMY9ly bBino8O6r3IDBvImiqxzckXh7EVxTLq3pqA5c2wSDzYNkJnsOBTB1Wyzmgak9mr2qLEOsC Q5yayMUMUJvtzUf/ESLWnx4+voroRZ47Q35RrtLR3tBax+qWOlzpVSkTg0V4wg== From: Frank Lichtenheld To: openvpn-devel@lists.sourceforge.net Date: Fri, 8 Dec 2023 18:33:46 +0100 Message-Id: <20231208173346.94820-1-frank@lichtenheld.com> In-Reply-To: References: MIME-Version: 1.0 X-Spam-Score: -0.1 (/) X-Spam-Report: Spam detection software, running on the system "util-spamd-1.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: From: Arne Schwabe This allow these functions to be defined without having to include ssl.c/misc.c which pulls in a lot of more dependencies. Change-Id: I605394d4f3872a168d05bbbe52d90f6d48935865 Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld --- Content analysis details: (-0.1 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at https://www.dnswl.org/, low trust [80.241.56.152 listed in list.dnswl.org] 0.0 RCVD_IN_MSPIKE_H5 RBL: Excellent reputation (+5) [80.241.56.152 listed in wl.mailspike.net] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain 0.8 UPPERCASE_50_75 message body is 50-75% uppercase -0.0 T_SCC_BODY_TEXT_LINE No description available. 0.0 RCVD_IN_MSPIKE_WL Mailspike good senders X-Headers-End: 1rBejk-0002cH-Oh Subject: [Openvpn-devel] [PATCH v1] Move tls_get_cipher_name_pair and get_num_elements to ssl_utils.c X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1784735992240592737?= X-GMAIL-MSGID: =?utf-8?q?1784735992240592737?= From: Arne Schwabe This allow these functions to be defined without having to include ssl.c/misc.c which pulls in a lot of more dependencies. Change-Id: I605394d4f3872a168d05bbbe52d90f6d48935865 Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/470 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Frank Lichtenheld diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c index ce6e4fd..bce63ed 100644 --- a/src/openvpn/misc.c +++ b/src/openvpn/misc.c @@ -773,26 +773,6 @@ } } -int -get_num_elements(const char *string, char delimiter) -{ - int string_len = strlen(string); - - ASSERT(0 != string_len); - - int element_count = 1; - /* Get number of ciphers */ - for (int i = 0; i < string_len; i++) - { - if (string[i] == delimiter) - { - element_count++; - } - } - - return element_count; -} - struct buffer prepend_dir(const char *dir, const char *path, struct gc_arena *gc) { diff --git a/src/openvpn/misc.h b/src/openvpn/misc.h index b000b72..70a24dd 100644 --- a/src/openvpn/misc.h +++ b/src/openvpn/misc.h @@ -193,20 +193,6 @@ void output_peer_info_env(struct env_set *es, const char *peer_info); /** - * Returns the occurrences of 'delimiter' in a string +1 - * This is typically used to find out the number elements in a - * cipher string or similar that is separated by : like - * - * X25519:secp256r1:X448:secp512r1:secp384r1:brainpoolP384r1 - * - * @param string the string to work on - * @param delimiter the delimiter to count, typically ':' - * @return occrrences of delimiter + 1 - */ -int -get_num_elements(const char *string, char delimiter); - -/** * Prepend a directory to a path. */ struct buffer diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 3e3696c..6eddb68 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -95,152 +95,6 @@ #endif /* ifdef MEASURE_TLS_HANDSHAKE_STATS */ /** - * SSL/TLS Cipher suite name translation table - */ -static const tls_cipher_name_pair tls_cipher_name_translation_table[] = { - {"ADH-SEED-SHA", "TLS-DH-anon-WITH-SEED-CBC-SHA"}, - {"AES128-GCM-SHA256", "TLS-RSA-WITH-AES-128-GCM-SHA256"}, - {"AES128-SHA256", "TLS-RSA-WITH-AES-128-CBC-SHA256"}, - {"AES128-SHA", "TLS-RSA-WITH-AES-128-CBC-SHA"}, - {"AES256-GCM-SHA384", "TLS-RSA-WITH-AES-256-GCM-SHA384"}, - {"AES256-SHA256", "TLS-RSA-WITH-AES-256-CBC-SHA256"}, - {"AES256-SHA", "TLS-RSA-WITH-AES-256-CBC-SHA"}, - {"CAMELLIA128-SHA256", "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256"}, - {"CAMELLIA128-SHA", "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA"}, - {"CAMELLIA256-SHA256", "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256"}, - {"CAMELLIA256-SHA", "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA"}, - {"DES-CBC3-SHA", "TLS-RSA-WITH-3DES-EDE-CBC-SHA"}, - {"DES-CBC-SHA", "TLS-RSA-WITH-DES-CBC-SHA"}, - {"DH-DSS-SEED-SHA", "TLS-DH-DSS-WITH-SEED-CBC-SHA"}, - {"DHE-DSS-AES128-GCM-SHA256", "TLS-DHE-DSS-WITH-AES-128-GCM-SHA256"}, - {"DHE-DSS-AES128-SHA256", "TLS-DHE-DSS-WITH-AES-128-CBC-SHA256"}, - {"DHE-DSS-AES128-SHA", "TLS-DHE-DSS-WITH-AES-128-CBC-SHA"}, - {"DHE-DSS-AES256-GCM-SHA384", "TLS-DHE-DSS-WITH-AES-256-GCM-SHA384"}, - {"DHE-DSS-AES256-SHA256", "TLS-DHE-DSS-WITH-AES-256-CBC-SHA256"}, - {"DHE-DSS-AES256-SHA", "TLS-DHE-DSS-WITH-AES-256-CBC-SHA"}, - {"DHE-DSS-CAMELLIA128-SHA256", "TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256"}, - {"DHE-DSS-CAMELLIA128-SHA", "TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA"}, - {"DHE-DSS-CAMELLIA256-SHA256", "TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256"}, - {"DHE-DSS-CAMELLIA256-SHA", "TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA"}, - {"DHE-DSS-SEED-SHA", "TLS-DHE-DSS-WITH-SEED-CBC-SHA"}, - {"DHE-RSA-AES128-GCM-SHA256", "TLS-DHE-RSA-WITH-AES-128-GCM-SHA256"}, - {"DHE-RSA-AES128-SHA256", "TLS-DHE-RSA-WITH-AES-128-CBC-SHA256"}, - {"DHE-RSA-AES128-SHA", "TLS-DHE-RSA-WITH-AES-128-CBC-SHA"}, - {"DHE-RSA-AES256-GCM-SHA384", "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384"}, - {"DHE-RSA-AES256-SHA256", "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"}, - {"DHE-RSA-AES256-SHA", "TLS-DHE-RSA-WITH-AES-256-CBC-SHA"}, - {"DHE-RSA-CAMELLIA128-SHA256", "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256"}, - {"DHE-RSA-CAMELLIA128-SHA", "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA"}, - {"DHE-RSA-CAMELLIA256-SHA256", "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256"}, - {"DHE-RSA-CAMELLIA256-SHA", "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA"}, - {"DHE-RSA-CHACHA20-POLY1305", "TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256"}, - {"DHE-RSA-SEED-SHA", "TLS-DHE-RSA-WITH-SEED-CBC-SHA"}, - {"DH-RSA-SEED-SHA", "TLS-DH-RSA-WITH-SEED-CBC-SHA"}, - {"ECDH-ECDSA-AES128-GCM-SHA256", "TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256"}, - {"ECDH-ECDSA-AES128-SHA256", "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256"}, - {"ECDH-ECDSA-AES128-SHA", "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA"}, - {"ECDH-ECDSA-AES256-GCM-SHA384", "TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384"}, - {"ECDH-ECDSA-AES256-SHA256", "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA256"}, - {"ECDH-ECDSA-AES256-SHA384", "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384"}, - {"ECDH-ECDSA-AES256-SHA", "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA"}, - {"ECDH-ECDSA-CAMELLIA128-SHA256", "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA256"}, - {"ECDH-ECDSA-CAMELLIA128-SHA", "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA"}, - {"ECDH-ECDSA-CAMELLIA256-SHA256", "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA256"}, - {"ECDH-ECDSA-CAMELLIA256-SHA", "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA"}, - {"ECDH-ECDSA-DES-CBC3-SHA", "TLS-ECDH-ECDSA-WITH-3DES-EDE-CBC-SHA"}, - {"ECDH-ECDSA-DES-CBC-SHA", "TLS-ECDH-ECDSA-WITH-DES-CBC-SHA"}, - {"ECDH-ECDSA-RC4-SHA", "TLS-ECDH-ECDSA-WITH-RC4-128-SHA"}, - {"ECDHE-ECDSA-AES128-GCM-SHA256", "TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256"}, - {"ECDHE-ECDSA-AES128-SHA256", "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256"}, - {"ECDHE-ECDSA-AES128-SHA384", "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA384"}, - {"ECDHE-ECDSA-AES128-SHA", "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA"}, - {"ECDHE-ECDSA-AES256-GCM-SHA384", "TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"}, - {"ECDHE-ECDSA-AES256-SHA256", "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA256"}, - {"ECDHE-ECDSA-AES256-SHA384", "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384"}, - {"ECDHE-ECDSA-AES256-SHA", "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA"}, - {"ECDHE-ECDSA-CAMELLIA128-SHA256", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA256"}, - {"ECDHE-ECDSA-CAMELLIA128-SHA", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA"}, - {"ECDHE-ECDSA-CAMELLIA256-SHA256", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA256"}, - {"ECDHE-ECDSA-CAMELLIA256-SHA", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA"}, - {"ECDHE-ECDSA-CHACHA20-POLY1305", "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256"}, - {"ECDHE-ECDSA-DES-CBC3-SHA", "TLS-ECDHE-ECDSA-WITH-3DES-EDE-CBC-SHA"}, - {"ECDHE-ECDSA-DES-CBC-SHA", "TLS-ECDHE-ECDSA-WITH-DES-CBC-SHA"}, - {"ECDHE-ECDSA-RC4-SHA", "TLS-ECDHE-ECDSA-WITH-RC4-128-SHA"}, - {"ECDHE-RSA-AES128-GCM-SHA256", "TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256"}, - {"ECDHE-RSA-AES128-SHA256", "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256"}, - {"ECDHE-RSA-AES128-SHA384", "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA384"}, - {"ECDHE-RSA-AES128-SHA", "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA"}, - {"ECDHE-RSA-AES256-GCM-SHA384", "TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384"}, - {"ECDHE-RSA-AES256-SHA256", "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA256"}, - {"ECDHE-RSA-AES256-SHA384", "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384"}, - {"ECDHE-RSA-AES256-SHA", "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA"}, - {"ECDHE-RSA-CAMELLIA128-SHA256", "TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA256"}, - {"ECDHE-RSA-CAMELLIA128-SHA", "TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA"}, - {"ECDHE-RSA-CAMELLIA256-SHA256", "TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA256"}, - {"ECDHE-RSA-CAMELLIA256-SHA", "TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA"}, - {"ECDHE-RSA-CHACHA20-POLY1305", "TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256"}, - {"ECDHE-RSA-DES-CBC3-SHA", "TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA"}, - {"ECDHE-RSA-DES-CBC-SHA", "TLS-ECDHE-RSA-WITH-DES-CBC-SHA"}, - {"ECDHE-RSA-RC4-SHA", "TLS-ECDHE-RSA-WITH-RC4-128-SHA"}, - {"ECDH-RSA-AES128-GCM-SHA256", "TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256"}, - {"ECDH-RSA-AES128-SHA256", "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA256"}, - {"ECDH-RSA-AES128-SHA384", "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA384"}, - {"ECDH-RSA-AES128-SHA", "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA"}, - {"ECDH-RSA-AES256-GCM-SHA384", "TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384"}, - {"ECDH-RSA-AES256-SHA256", "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA256"}, - {"ECDH-RSA-AES256-SHA384", "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384"}, - {"ECDH-RSA-AES256-SHA", "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA"}, - {"ECDH-RSA-CAMELLIA128-SHA256", "TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA256"}, - {"ECDH-RSA-CAMELLIA128-SHA", "TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA"}, - {"ECDH-RSA-CAMELLIA256-SHA256", "TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA256"}, - {"ECDH-RSA-CAMELLIA256-SHA", "TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA"}, - {"ECDH-RSA-DES-CBC3-SHA", "TLS-ECDH-RSA-WITH-3DES-EDE-CBC-SHA"}, - {"ECDH-RSA-DES-CBC-SHA", "TLS-ECDH-RSA-WITH-DES-CBC-SHA"}, - {"ECDH-RSA-RC4-SHA", "TLS-ECDH-RSA-WITH-RC4-128-SHA"}, - {"EDH-DSS-DES-CBC3-SHA", "TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA"}, - {"EDH-DSS-DES-CBC-SHA", "TLS-DHE-DSS-WITH-DES-CBC-SHA"}, - {"EDH-RSA-DES-CBC3-SHA", "TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA"}, - {"EDH-RSA-DES-CBC-SHA", "TLS-DHE-RSA-WITH-DES-CBC-SHA"}, - {"EXP-DES-CBC-SHA", "TLS-RSA-EXPORT-WITH-DES40-CBC-SHA"}, - {"EXP-EDH-DSS-DES-CBC-SHA", "TLS-DH-DSS-EXPORT-WITH-DES40-CBC-SHA"}, - {"EXP-EDH-RSA-DES-CBC-SHA", "TLS-DH-RSA-EXPORT-WITH-DES40-CBC-SHA"}, - {"EXP-RC2-CBC-MD5", "TLS-RSA-EXPORT-WITH-RC2-CBC-40-MD5"}, - {"EXP-RC4-MD5", "TLS-RSA-EXPORT-WITH-RC4-40-MD5"}, - {"NULL-MD5", "TLS-RSA-WITH-NULL-MD5"}, - {"NULL-SHA256", "TLS-RSA-WITH-NULL-SHA256"}, - {"NULL-SHA", "TLS-RSA-WITH-NULL-SHA"}, - {"PSK-3DES-EDE-CBC-SHA", "TLS-PSK-WITH-3DES-EDE-CBC-SHA"}, - {"PSK-AES128-CBC-SHA", "TLS-PSK-WITH-AES-128-CBC-SHA"}, - {"PSK-AES256-CBC-SHA", "TLS-PSK-WITH-AES-256-CBC-SHA"}, - {"PSK-RC4-SHA", "TLS-PSK-WITH-RC4-128-SHA"}, - {"RC4-MD5", "TLS-RSA-WITH-RC4-128-MD5"}, - {"RC4-SHA", "TLS-RSA-WITH-RC4-128-SHA"}, - {"SEED-SHA", "TLS-RSA-WITH-SEED-CBC-SHA"}, - {"SRP-DSS-3DES-EDE-CBC-SHA", "TLS-SRP-SHA-DSS-WITH-3DES-EDE-CBC-SHA"}, - {"SRP-DSS-AES-128-CBC-SHA", "TLS-SRP-SHA-DSS-WITH-AES-128-CBC-SHA"}, - {"SRP-DSS-AES-256-CBC-SHA", "TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA"}, - {"SRP-RSA-3DES-EDE-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-3DES-EDE-CBC-SHA"}, - {"SRP-RSA-AES-128-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-AES-128-CBC-SHA"}, - {"SRP-RSA-AES-256-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-AES-256-CBC-SHA"}, -#ifdef ENABLE_CRYPTO_OPENSSL - /* OpenSSL-specific group names */ - {"DEFAULT", "DEFAULT"}, - {"ALL", "ALL"}, - {"HIGH", "HIGH"}, {"!HIGH", "!HIGH"}, - {"MEDIUM", "MEDIUM"}, {"!MEDIUM", "!MEDIUM"}, - {"LOW", "LOW"}, {"!LOW", "!LOW"}, - {"ECDH", "ECDH"}, {"!ECDH", "!ECDH"}, - {"ECDSA", "ECDSA"}, {"!ECDSA", "!ECDSA"}, - {"EDH", "EDH"}, {"!EDH", "!EDH"}, - {"EXP", "EXP"}, {"!EXP", "!EXP"}, - {"RSA", "RSA"}, {"!RSA", "!RSA"}, - {"kRSA", "kRSA"}, {"!kRSA", "!kRSA"}, - {"SRP", "SRP"}, {"!SRP", "!SRP"}, -#endif - {NULL, NULL} -}; - -/** * Update the implicit IV for a key_ctx_bi based on TLS session ids and cipher * used. * @@ -254,24 +108,6 @@ static void key_ctx_update_implicit_iv(struct key_ctx *ctx, uint8_t *key, size_t key_len); -const tls_cipher_name_pair * -tls_get_cipher_name_pair(const char *cipher_name, size_t len) -{ - const tls_cipher_name_pair *pair = tls_cipher_name_translation_table; - - while (pair->openssl_name != NULL) - { - if ((strlen(pair->openssl_name) == len && 0 == memcmp(cipher_name, pair->openssl_name, len)) - || (strlen(pair->iana_name) == len && 0 == memcmp(cipher_name, pair->iana_name, len))) - { - return pair; - } - pair++; - } - - /* No entry found, return NULL */ - return NULL; -} /** * Limit the reneg_bytes value when using a small-block (<128 bytes) cipher. diff --git a/src/openvpn/ssl_backend.h b/src/openvpn/ssl_backend.h index 3854d59..b9466ce 100644 --- a/src/openvpn/ssl_backend.h +++ b/src/openvpn/ssl_backend.h @@ -53,15 +53,6 @@ */ struct tls_session; -/** - * Get a tls_cipher_name_pair containing OpenSSL and IANA names for supplied TLS cipher name - * - * @param cipher_name Can be either OpenSSL or IANA cipher name - * @return tls_cipher_name_pair* if found, NULL otherwise - */ -typedef struct { const char *openssl_name; const char *iana_name; } tls_cipher_name_pair; -const tls_cipher_name_pair *tls_get_cipher_name_pair(const char *cipher_name, size_t len); - /* * * Functions implemented in ssl.c for use by the backend SSL library diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index 9c9167d..cc88484 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -44,6 +44,7 @@ #include "mbedtls_compat.h" #include "pkcs11_backend.h" #include "ssl_common.h" +#include "ssl_util.h" #include "ssl_verify_mbedtls.h" #include diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 82872bf..c30e6a9 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -50,6 +50,7 @@ #endif #include "ssl_verify_openssl.h" +#include "ssl_util.h" #include #include diff --git a/src/openvpn/ssl_util.c b/src/openvpn/ssl_util.c index bca6eed..447e739 100644 --- a/src/openvpn/ssl_util.c +++ b/src/openvpn/ssl_util.c @@ -114,3 +114,188 @@ return BSTR(&buf); } + +/** + * SSL/TLS Cipher suite name translation table + */ +static const tls_cipher_name_pair tls_cipher_name_translation_table[] = { + {"ADH-SEED-SHA", "TLS-DH-anon-WITH-SEED-CBC-SHA"}, + {"AES128-GCM-SHA256", "TLS-RSA-WITH-AES-128-GCM-SHA256"}, + {"AES128-SHA256", "TLS-RSA-WITH-AES-128-CBC-SHA256"}, + {"AES128-SHA", "TLS-RSA-WITH-AES-128-CBC-SHA"}, + {"AES256-GCM-SHA384", "TLS-RSA-WITH-AES-256-GCM-SHA384"}, + {"AES256-SHA256", "TLS-RSA-WITH-AES-256-CBC-SHA256"}, + {"AES256-SHA", "TLS-RSA-WITH-AES-256-CBC-SHA"}, + {"CAMELLIA128-SHA256", "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256"}, + {"CAMELLIA128-SHA", "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA"}, + {"CAMELLIA256-SHA256", "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256"}, + {"CAMELLIA256-SHA", "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA"}, + {"DES-CBC3-SHA", "TLS-RSA-WITH-3DES-EDE-CBC-SHA"}, + {"DES-CBC-SHA", "TLS-RSA-WITH-DES-CBC-SHA"}, + {"DH-DSS-SEED-SHA", "TLS-DH-DSS-WITH-SEED-CBC-SHA"}, + {"DHE-DSS-AES128-GCM-SHA256", "TLS-DHE-DSS-WITH-AES-128-GCM-SHA256"}, + {"DHE-DSS-AES128-SHA256", "TLS-DHE-DSS-WITH-AES-128-CBC-SHA256"}, + {"DHE-DSS-AES128-SHA", "TLS-DHE-DSS-WITH-AES-128-CBC-SHA"}, + {"DHE-DSS-AES256-GCM-SHA384", "TLS-DHE-DSS-WITH-AES-256-GCM-SHA384"}, + {"DHE-DSS-AES256-SHA256", "TLS-DHE-DSS-WITH-AES-256-CBC-SHA256"}, + {"DHE-DSS-AES256-SHA", "TLS-DHE-DSS-WITH-AES-256-CBC-SHA"}, + {"DHE-DSS-CAMELLIA128-SHA256", "TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256"}, + {"DHE-DSS-CAMELLIA128-SHA", "TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA"}, + {"DHE-DSS-CAMELLIA256-SHA256", "TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256"}, + {"DHE-DSS-CAMELLIA256-SHA", "TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA"}, + {"DHE-DSS-SEED-SHA", "TLS-DHE-DSS-WITH-SEED-CBC-SHA"}, + {"DHE-RSA-AES128-GCM-SHA256", "TLS-DHE-RSA-WITH-AES-128-GCM-SHA256"}, + {"DHE-RSA-AES128-SHA256", "TLS-DHE-RSA-WITH-AES-128-CBC-SHA256"}, + {"DHE-RSA-AES128-SHA", "TLS-DHE-RSA-WITH-AES-128-CBC-SHA"}, + {"DHE-RSA-AES256-GCM-SHA384", "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384"}, + {"DHE-RSA-AES256-SHA256", "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"}, + {"DHE-RSA-AES256-SHA", "TLS-DHE-RSA-WITH-AES-256-CBC-SHA"}, + {"DHE-RSA-CAMELLIA128-SHA256", "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256"}, + {"DHE-RSA-CAMELLIA128-SHA", "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA"}, + {"DHE-RSA-CAMELLIA256-SHA256", "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256"}, + {"DHE-RSA-CAMELLIA256-SHA", "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA"}, + {"DHE-RSA-CHACHA20-POLY1305", "TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256"}, + {"DHE-RSA-SEED-SHA", "TLS-DHE-RSA-WITH-SEED-CBC-SHA"}, + {"DH-RSA-SEED-SHA", "TLS-DH-RSA-WITH-SEED-CBC-SHA"}, + {"ECDH-ECDSA-AES128-GCM-SHA256", "TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256"}, + {"ECDH-ECDSA-AES128-SHA256", "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256"}, + {"ECDH-ECDSA-AES128-SHA", "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA"}, + {"ECDH-ECDSA-AES256-GCM-SHA384", "TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384"}, + {"ECDH-ECDSA-AES256-SHA256", "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA256"}, + {"ECDH-ECDSA-AES256-SHA384", "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384"}, + {"ECDH-ECDSA-AES256-SHA", "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA"}, + {"ECDH-ECDSA-CAMELLIA128-SHA256", "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA256"}, + {"ECDH-ECDSA-CAMELLIA128-SHA", "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA"}, + {"ECDH-ECDSA-CAMELLIA256-SHA256", "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA256"}, + {"ECDH-ECDSA-CAMELLIA256-SHA", "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA"}, + {"ECDH-ECDSA-DES-CBC3-SHA", "TLS-ECDH-ECDSA-WITH-3DES-EDE-CBC-SHA"}, + {"ECDH-ECDSA-DES-CBC-SHA", "TLS-ECDH-ECDSA-WITH-DES-CBC-SHA"}, + {"ECDH-ECDSA-RC4-SHA", "TLS-ECDH-ECDSA-WITH-RC4-128-SHA"}, + {"ECDHE-ECDSA-AES128-GCM-SHA256", "TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256"}, + {"ECDHE-ECDSA-AES128-SHA256", "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256"}, + {"ECDHE-ECDSA-AES128-SHA384", "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA384"}, + {"ECDHE-ECDSA-AES128-SHA", "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA"}, + {"ECDHE-ECDSA-AES256-GCM-SHA384", "TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"}, + {"ECDHE-ECDSA-AES256-SHA256", "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA256"}, + {"ECDHE-ECDSA-AES256-SHA384", "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384"}, + {"ECDHE-ECDSA-AES256-SHA", "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA"}, + {"ECDHE-ECDSA-CAMELLIA128-SHA256", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA256"}, + {"ECDHE-ECDSA-CAMELLIA128-SHA", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA"}, + {"ECDHE-ECDSA-CAMELLIA256-SHA256", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA256"}, + {"ECDHE-ECDSA-CAMELLIA256-SHA", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA"}, + {"ECDHE-ECDSA-CHACHA20-POLY1305", "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256"}, + {"ECDHE-ECDSA-DES-CBC3-SHA", "TLS-ECDHE-ECDSA-WITH-3DES-EDE-CBC-SHA"}, + {"ECDHE-ECDSA-DES-CBC-SHA", "TLS-ECDHE-ECDSA-WITH-DES-CBC-SHA"}, + {"ECDHE-ECDSA-RC4-SHA", "TLS-ECDHE-ECDSA-WITH-RC4-128-SHA"}, + {"ECDHE-RSA-AES128-GCM-SHA256", "TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256"}, + {"ECDHE-RSA-AES128-SHA256", "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256"}, + {"ECDHE-RSA-AES128-SHA384", "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA384"}, + {"ECDHE-RSA-AES128-SHA", "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA"}, + {"ECDHE-RSA-AES256-GCM-SHA384", "TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384"}, + {"ECDHE-RSA-AES256-SHA256", "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA256"}, + {"ECDHE-RSA-AES256-SHA384", "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384"}, + {"ECDHE-RSA-AES256-SHA", "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA"}, + {"ECDHE-RSA-CAMELLIA128-SHA256", "TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA256"}, + {"ECDHE-RSA-CAMELLIA128-SHA", "TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA"}, + {"ECDHE-RSA-CAMELLIA256-SHA256", "TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA256"}, + {"ECDHE-RSA-CAMELLIA256-SHA", "TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA"}, + {"ECDHE-RSA-CHACHA20-POLY1305", "TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256"}, + {"ECDHE-RSA-DES-CBC3-SHA", "TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA"}, + {"ECDHE-RSA-DES-CBC-SHA", "TLS-ECDHE-RSA-WITH-DES-CBC-SHA"}, + {"ECDHE-RSA-RC4-SHA", "TLS-ECDHE-RSA-WITH-RC4-128-SHA"}, + {"ECDH-RSA-AES128-GCM-SHA256", "TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256"}, + {"ECDH-RSA-AES128-SHA256", "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA256"}, + {"ECDH-RSA-AES128-SHA384", "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA384"}, + {"ECDH-RSA-AES128-SHA", "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA"}, + {"ECDH-RSA-AES256-GCM-SHA384", "TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384"}, + {"ECDH-RSA-AES256-SHA256", "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA256"}, + {"ECDH-RSA-AES256-SHA384", "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384"}, + {"ECDH-RSA-AES256-SHA", "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA"}, + {"ECDH-RSA-CAMELLIA128-SHA256", "TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA256"}, + {"ECDH-RSA-CAMELLIA128-SHA", "TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA"}, + {"ECDH-RSA-CAMELLIA256-SHA256", "TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA256"}, + {"ECDH-RSA-CAMELLIA256-SHA", "TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA"}, + {"ECDH-RSA-DES-CBC3-SHA", "TLS-ECDH-RSA-WITH-3DES-EDE-CBC-SHA"}, + {"ECDH-RSA-DES-CBC-SHA", "TLS-ECDH-RSA-WITH-DES-CBC-SHA"}, + {"ECDH-RSA-RC4-SHA", "TLS-ECDH-RSA-WITH-RC4-128-SHA"}, + {"EDH-DSS-DES-CBC3-SHA", "TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA"}, + {"EDH-DSS-DES-CBC-SHA", "TLS-DHE-DSS-WITH-DES-CBC-SHA"}, + {"EDH-RSA-DES-CBC3-SHA", "TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA"}, + {"EDH-RSA-DES-CBC-SHA", "TLS-DHE-RSA-WITH-DES-CBC-SHA"}, + {"EXP-DES-CBC-SHA", "TLS-RSA-EXPORT-WITH-DES40-CBC-SHA"}, + {"EXP-EDH-DSS-DES-CBC-SHA", "TLS-DH-DSS-EXPORT-WITH-DES40-CBC-SHA"}, + {"EXP-EDH-RSA-DES-CBC-SHA", "TLS-DH-RSA-EXPORT-WITH-DES40-CBC-SHA"}, + {"EXP-RC2-CBC-MD5", "TLS-RSA-EXPORT-WITH-RC2-CBC-40-MD5"}, + {"EXP-RC4-MD5", "TLS-RSA-EXPORT-WITH-RC4-40-MD5"}, + {"NULL-MD5", "TLS-RSA-WITH-NULL-MD5"}, + {"NULL-SHA256", "TLS-RSA-WITH-NULL-SHA256"}, + {"NULL-SHA", "TLS-RSA-WITH-NULL-SHA"}, + {"PSK-3DES-EDE-CBC-SHA", "TLS-PSK-WITH-3DES-EDE-CBC-SHA"}, + {"PSK-AES128-CBC-SHA", "TLS-PSK-WITH-AES-128-CBC-SHA"}, + {"PSK-AES256-CBC-SHA", "TLS-PSK-WITH-AES-256-CBC-SHA"}, + {"PSK-RC4-SHA", "TLS-PSK-WITH-RC4-128-SHA"}, + {"RC4-MD5", "TLS-RSA-WITH-RC4-128-MD5"}, + {"RC4-SHA", "TLS-RSA-WITH-RC4-128-SHA"}, + {"SEED-SHA", "TLS-RSA-WITH-SEED-CBC-SHA"}, + {"SRP-DSS-3DES-EDE-CBC-SHA", "TLS-SRP-SHA-DSS-WITH-3DES-EDE-CBC-SHA"}, + {"SRP-DSS-AES-128-CBC-SHA", "TLS-SRP-SHA-DSS-WITH-AES-128-CBC-SHA"}, + {"SRP-DSS-AES-256-CBC-SHA", "TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA"}, + {"SRP-RSA-3DES-EDE-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-3DES-EDE-CBC-SHA"}, + {"SRP-RSA-AES-128-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-AES-128-CBC-SHA"}, + {"SRP-RSA-AES-256-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-AES-256-CBC-SHA"}, +#ifdef ENABLE_CRYPTO_OPENSSL + /* OpenSSL-specific group names */ + {"DEFAULT", "DEFAULT"}, + {"ALL", "ALL"}, + {"HIGH", "HIGH"}, {"!HIGH", "!HIGH"}, + {"MEDIUM", "MEDIUM"}, {"!MEDIUM", "!MEDIUM"}, + {"LOW", "LOW"}, {"!LOW", "!LOW"}, + {"ECDH", "ECDH"}, {"!ECDH", "!ECDH"}, + {"ECDSA", "ECDSA"}, {"!ECDSA", "!ECDSA"}, + {"EDH", "EDH"}, {"!EDH", "!EDH"}, + {"EXP", "EXP"}, {"!EXP", "!EXP"}, + {"RSA", "RSA"}, {"!RSA", "!RSA"}, + {"kRSA", "kRSA"}, {"!kRSA", "!kRSA"}, + {"SRP", "SRP"}, {"!SRP", "!SRP"}, +#endif + {NULL, NULL} +}; + +const tls_cipher_name_pair * +tls_get_cipher_name_pair(const char *cipher_name, size_t len) +{ + const tls_cipher_name_pair *pair = tls_cipher_name_translation_table; + + while (pair->openssl_name != NULL) + { + if ((strlen(pair->openssl_name) == len && 0 == memcmp(cipher_name, pair->openssl_name, len)) + || (strlen(pair->iana_name) == len && 0 == memcmp(cipher_name, pair->iana_name, len))) + { + return pair; + } + pair++; + } + + /* No entry found, return NULL */ + return NULL; +} + +int +get_num_elements(const char *string, char delimiter) +{ + int string_len = strlen(string); + + ASSERT(0 != string_len); + + int element_count = 1; + /* Get number of ciphers */ + for (int i = 0; i < string_len; i++) + { + if (string[i] == delimiter) + { + element_count++; + } + } + + return element_count; +} diff --git a/src/openvpn/ssl_util.h b/src/openvpn/ssl_util.h index 4c46f88..b3eaf9f 100644 --- a/src/openvpn/ssl_util.h +++ b/src/openvpn/ssl_util.h @@ -66,4 +66,27 @@ */ const char *options_string_compat_lzo(const char *options, struct gc_arena *gc); -#endif +/** + * Get a tls_cipher_name_pair containing OpenSSL and IANA names for supplied TLS cipher name + * + * @param cipher_name Can be either OpenSSL or IANA cipher name + * @return tls_cipher_name_pair* if found, NULL otherwise + */ +typedef struct { const char *openssl_name; const char *iana_name; } tls_cipher_name_pair; +const tls_cipher_name_pair *tls_get_cipher_name_pair(const char *cipher_name, size_t len); + +/** + * Returns the occurrences of 'delimiter' in a string +1 + * This is typically used to find out the number elements in a + * cipher string or similar that is separated by : like + * + * X25519:secp256r1:X448:secp512r1:secp384r1:brainpoolP384r1 + * + * @param string the string to work on + * @param delimiter the delimiter to count, typically ':' + * @return occrrences of delimiter + 1 + */ +int +get_num_elements(const char *string, char delimiter); + +#endif /* ifndef SSL_UTIL_H_ */