shithub: drawterm

Download patch

ref: 081c1f215399065fcd43acc4360d3c6836a98865
parent: c8d84a805eeb664f6b29b94814ae5c39217a3767
author: cinap_lenrek <cinap_lenrek@felloff.net>
date: Sat Mar 12 07:29:58 EST 2016

libsec: remove weakCipher[] array check as we do not support any of these weak ciphers

--- a/libsec/tlshand.c	Thu Mar 10 15:02:21 2016
+++ b/libsec/tlshand.c	Sat Mar 12 07:29:58 2016
@@ -693,11 +693,7 @@
 	memmove(c->crandom, m.u.clientHello.random, RandomSize);
 	cipher = okCipher(m.u.clientHello.ciphers, psklen > 0);
 	if(cipher < 0) {
-		// reply with EInsufficientSecurity if we know that's the case
-		if(cipher == -2)
-			tlsError(c, EInsufficientSecurity, "cipher suites too weak");
-		else
-			tlsError(c, EHandshakeFailure, "no matching cipher suite");
+		tlsError(c, EHandshakeFailure, "no matching cipher suite");
 		goto Err;
 	}
 	if(!setAlgs(c, cipher)){
@@ -2208,38 +2204,6 @@
 
 //================= cipher choices ========================
 
-static char weakCipher[] =
-{
-[TLS_NULL_WITH_NULL_NULL]		1,
-[TLS_RSA_WITH_NULL_MD5]			1,
-[TLS_RSA_WITH_NULL_SHA]			1,
-[TLS_RSA_EXPORT_WITH_RC4_40_MD5]	1,
-[TLS_RSA_WITH_RC4_128_MD5]		1,
-[TLS_RSA_WITH_RC4_128_SHA]		1,
-[TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5]	1,
-[TLS_RSA_WITH_IDEA_CBC_SHA]		0,
-[TLS_RSA_EXPORT_WITH_DES40_CBC_SHA]	1,
-[TLS_RSA_WITH_DES_CBC_SHA]		0,
-[TLS_RSA_WITH_3DES_EDE_CBC_SHA]		0,
-[TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA]	1,
-[TLS_DH_DSS_WITH_DES_CBC_SHA]		0,
-[TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA]	0,
-[TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA]	1,
-[TLS_DH_RSA_WITH_DES_CBC_SHA]		0,
-[TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA]	0,
-[TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]	1,
-[TLS_DHE_DSS_WITH_DES_CBC_SHA]		0,
-[TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA]	0,
-[TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA]	1,
-[TLS_DHE_RSA_WITH_DES_CBC_SHA]		0,
-[TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA]	0,
-[TLS_DH_anon_EXPORT_WITH_RC4_40_MD5]	1,
-[TLS_DH_anon_WITH_RC4_128_MD5]		1,
-[TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA]	1,
-[TLS_DH_anon_WITH_DES_CBC_SHA]		1,
-[TLS_DH_anon_WITH_3DES_EDE_CBC_SHA]	1,
-};
-
 static int
 setAlgs(TlsConnection *c, int a)
 {
@@ -2262,25 +2226,15 @@
 static int
 okCipher(Ints *cv, int ispsk)
 {
-	int weak, i, j, c;
+	int i, j, c;
 
-	weak = 1;
 	for(i = 0; i < cv->len; i++) {
-		c = cv->data[i];
-		if(c >= nelem(weakCipher))
-			weak = 0;
-		else
-			weak &= weakCipher[c];
-		if(isPSK(c) != ispsk)
-			continue;
-		if(isDHE(c) || isECDHE(c))
+		if(isDHE(c) || isECDHE(c) || isPSK(c) != ispsk)
 			continue;	/* TODO: not implemented for server */
 		for(j = 0; j < nelem(cipherAlgs); j++)
 			if(cipherAlgs[j].ok && cipherAlgs[j].tlsid == c)
 				return c;
 	}
-	if(weak)
-		return -2;
 	return -1;
 }