| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0000856 | LDMud 3.7 | General | public | 2017-12-16 10:41 | 2022-10-06 21:00 |
| Reporter | manuel | Assigned To | |||
| Priority | normal | Severity | major | Reproducibility | always |
| Status | confirmed | Resolution | open | ||
| OS | gnu/linux | OS Version | current | ||
| Summary | 0000856: Cipher list in tls.h lacks modern ciphers | ||||
| Description | Up-to-date TLS libraries like libgnutls or libssl (from OpenSSL) provide ciphers that are not listed in mudlib/sys/tls.h. If the macro TLS_CIPHER_NAME(x) is called naively with the index of such a cipher, it may choke on a bad index, because that index lies outside the table. | ||||
| Steps To Reproduce | Install mudlib/sys/tls.h and link ldmud with libgnutls28 (current dev version in debian stable is 3.5.8). Initiate a tls session with TLS_CIPHER_AES_256_GCM or any other cipher that is not provided in tls.h. Call TLS_CIPHER_NAME(x). | ||||
| Additional Information | See the attached example of a tls.h updated for usage with a current libgnutls28. | ||||
| Tags | No tags attached. | ||||
| Attached Files | tls.h (2,600 bytes)
#ifndef LPC_TLS_H
#define LPC_TLS_H
/* Field indices for the result of tls_query_connection_info().
 * Each constant selects one field of that result; the *_TABLE / *_NAME()
 * macros later in this header translate a field's value into a readable
 * name. The values stored in the fields come from the linked TLS library,
 * so treat them as external input and never index a table with them
 * unchecked.
 */
#define TLS_CIPHER 0 /* cipher information */
#define TLS_COMP 1 /* compression information */
#define TLS_KX 2 /* key-exchange information */
#define TLS_MAC 3 /* MAC information */
#define TLS_PROT 4 /* protocol information */
#define TLS_INFO_MAX 5 /* Total number of result fields */
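/* Interpretation of the cipher information.
 *
 * TLS_CIPHER_TABLE maps the integer cipher id from the TLS_CIPHER field to
 * a readable name; the position in the array is the id. The order is
 * assumed to follow the cipher enumeration of the linked TLS library (this
 * table was written for libgnutls28) -- TODO re-check against the library
 * headers on every library upgrade.
 *
 * Ids 19/20 are the CCM ciphers, ids 21/22 their "_8" variants (shortened
 * 8-byte authentication tag). The names must stay distinct so that logs and
 * audits do not report a CCM_8 session as plain CCM.
 */
#define TLS_CIPHER_TABLE ({ \
    "TLS_CIPHER_UNKNOWN", \
    "TLS_CIPHER_NULL", \
    "TLS_CIPHER_ARCFOUR_128", \
    "TLS_CIPHER_3DES_CBC", \
    "TLS_CIPHER_AES_128_CBC", \
    "TLS_CIPHER_AES_256_CBC", \
    "TLS_CIPHER_ARCFOUR_40", \
    "TLS_CIPHER_CAMELLIA_128_CBC", \
    "TLS_CIPHER_CAMELLIA_256_CBC", \
    "TLS_CIPHER_AES_192_CBC", \
    "TLS_CIPHER_AES_128_GCM", \
    "TLS_CIPHER_AES_256_GCM", \
    "TLS_CIPHER_CAMELLIA_192_CBC", \
    "TLS_CIPHER_SALSA20_256", \
    "TLS_CIPHER_ESTREAM_SALSA20_256", \
    "TLS_CIPHER_CAMELLIA_128_GCM", \
    "TLS_CIPHER_CAMELLIA_256_GCM", \
    "TLS_CIPHER_RC2_40_CBC", \
    "TLS_CIPHER_DES_CBC", \
    "TLS_CIPHER_AES_128_CCM", \
    "TLS_CIPHER_AES_256_CCM", \
    "TLS_CIPHER_AES_128_CCM_8", \
    "TLS_CIPHER_AES_256_CCM_8", \
    "TLS_CIPHER_CHACHA20_POLY1305" \
})

/* Name of cipher id x.
 *
 * The id is bounds-checked before the lookup: a negative id, an id past the
 * end of the table (a cipher newer than this header) or a non-integer value
 * yields entry 0, "TLS_CIPHER_UNKNOWN", instead of a runtime error in the
 * caller. According to the discussion on this issue, OpenSSL builds may
 * return a cipher name string rather than an id -- such a value also ends
 * up as "TLS_CIPHER_UNKNOWN" here (TODO confirm).
 *
 * "UNKNOWN" only means that this table does not know the id; it says
 * nothing about the strength of the connection, so do not base an
 * accept/reject decision on it.
 *
 * x is evaluated more than once: pass a plain variable, not an expression
 * with side effects.
 */
#define TLS_CIPHER_NAME(x) \
    ((intp(x) && (x) >= 0 && (x) < sizeof(TLS_CIPHER_TABLE)) \
        ? TLS_CIPHER_TABLE[(x)] \
        : TLS_CIPHER_TABLE[0])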
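/* Interpretation of the key-exchange information.
 *
 * TLS_KX_TABLE maps the integer key-exchange id from the TLS_KX field to a
 * readable name; the position in the array is the id. The order is assumed
 * to follow the enumeration of the linked TLS library -- TODO re-check on
 * every library upgrade.
 *
 * When the name is used for logging or auditing, note that the ANON_*
 * exchanges do not authenticate the peer and RSA_EXPORT is an export-grade
 * exchange.
 */
#define TLS_KX_TABLE ({ \
    "TLS_KX_UNKNOWN", \
    "TLS_KX_RSA", \
    "TLS_KX_DHE_DSS", \
    "TLS_KX_DHE_RSA", \
    "TLS_KX_ANON_DH", \
    "TLS_KX_SRP", \
    "TLS_KX_RSA_EXPORT", \
    "TLS_KX_SRP_RSA", \
    "TLS_KX_SRP_DSS", \
    "TLS_KX_PSK", \
    "TLS_KX_DHE_PSK", \
    "TLS_KX_ANON_ECDH", \
    "TLS_KX_ECDHE_RSA", \
    "TLS_KX_ECDHE_ECDSA", \
    "TLS_KX_ECDHE_PSK", \
    "TLS_KX_RSA_PSK" \
})

/* Name of key-exchange id x.
 *
 * The id is bounds-checked before the lookup: a negative id, an id past the
 * end of the table or a non-integer value yields entry 0, "TLS_KX_UNKNOWN",
 * instead of a runtime error in the caller. "UNKNOWN" means only that this
 * table does not know the id.
 *
 * x is evaluated more than once: pass a plain variable, not an expression
 * with side effects.
 */
#define TLS_KX_NAME(x) \
    ((intp(x) && (x) >= 0 && (x) < sizeof(TLS_KX_TABLE)) \
        ? TLS_KX_TABLE[(x)] \
        : TLS_KX_TABLE[0])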
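/* Interpretation of the MAC information.
 *
 * TLS_MAC_TABLE maps the integer MAC id from the TLS_MAC field to a
 * readable name; the position in the array is the id. The order is assumed
 * to follow the enumeration of the linked TLS library -- TODO re-check on
 * every library upgrade.
 *
 * NOTE(review): with AEAD ciphers (GCM, CCM, CHACHA20_POLY1305) the library
 * may report a MAC id that is far outside this table -- verify what the
 * driver returns for such sessions. The checked lookup below keeps that
 * case from raising an error.
 */
#define TLS_MAC_TABLE ({ \
    "TLS_MAC_UNKNOWN", \
    "TLS_MAC_NULL", \
    "TLS_MAC_MD5", \
    "TLS_MAC_SHA1", \
    "TLS_MAC_RMD160", \
    "TLS_MAC_MD2", \
    "TLS_MAC_SHA256", \
    "TLS_MAC_SHA384", \
    "TLS_MAC_SHA512", \
    "TLS_MAC_SHA224" \
})

/* Name of MAC id x.
 *
 * The id is bounds-checked before the lookup: a negative id, an id past the
 * end of the table or a non-integer value yields entry 0, "TLS_MAC_UNKNOWN",
 * instead of a runtime error in the caller. "UNKNOWN" means only that this
 * table does not know the id.
 *
 * x is evaluated more than once: pass a plain variable, not an expression
 * with side effects.
 */
#define TLS_MAC_NAME(x) \
    ((intp(x) && (x) >= 0 && (x) < sizeof(TLS_MAC_TABLE)) \
        ? TLS_MAC_TABLE[(x)] \
        : TLS_MAC_TABLE[0])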
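/* Interpretation of the compression information.
 *
 * TLS_COMP_TABLE maps the integer compression id from the TLS_COMP field to
 * a readable name; the position in the array is the id. The order is
 * assumed to follow the enumeration of the linked TLS library -- TODO
 * re-check on every library upgrade.
 *
 * NOTE(review): entry 0 is spelled "TLS_COMP_UNKOWN" (missing N). The
 * spelling is kept because existing LPC code may compare against it;
 * correct it together with the callers.
 *
 * TLS-level compression leaks information about the plaintext through the
 * record length, so any name other than "TLS_COMP_NULL" on a live session
 * deserves a look.
 */
#define TLS_COMP_TABLE ({ \
    "TLS_COMP_UNKOWN", \
    "TLS_COMP_NULL", \
    "TLS_COMP_DEFLATE", \
    "TLS_COMP_LZO" \
})

/* Name of compression id x.
 *
 * The id is bounds-checked before the lookup: a negative id, an id past the
 * end of the table or a non-integer value yields entry 0 of the table
 * instead of a runtime error in the caller.
 *
 * x is evaluated more than once: pass a plain variable, not an expression
 * with side effects.
 */
#define TLS_COMP_NAME(x) \
    ((intp(x) && (x) >= 0 && (x) < sizeof(TLS_COMP_TABLE)) \
        ? TLS_COMP_TABLE[(x)] \
        : TLS_COMP_TABLE[0])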
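/* Interpretation of the protocol information.
 *
 * TLS_PROT_TABLE maps the integer protocol id from the TLS_PROT field to a
 * readable name; the position in the array is the id. The order is assumed
 * to follow the enumeration of the linked TLS library -- TODO re-check on
 * every library upgrade. The table ends at TLS 1.2; a library that reports
 * a newer protocol needs a new entry here.
 *
 * NOTE(review): the last two names lack the "PROT_" part that the other
 * entries carry. They are kept as they are because callers may match on the
 * exact strings; align them together with the callers.
 *
 * SSL3, TLS 1.0 and TLS 1.1 are deprecated protocol versions (RFC 7568,
 * RFC 8996); a session reporting one of them is worth logging.
 */
#define TLS_PROT_TABLE ({ \
    "TLS_PROT_NONE", \
    "TLS_PROT_SSL3", \
    "TLS_PROT_TLS1_0", \
    "TLS_TLS1_1", \
    "TLS_TLS1_2" \
})

/* Name of protocol id x.
 *
 * The id is bounds-checked before the lookup: a negative id, an id past the
 * end of the table or a non-integer value yields "TLS_PROT_UNKNOWN" instead
 * of a runtime error in the caller. The fallback is deliberately NOT entry
 * 0: that entry reads "TLS_PROT_NONE", and labelling a session that uses a
 * protocol newer than this table as "NONE" would make an encrypted
 * connection look unprotected in logs.
 *
 * x is evaluated more than once: pass a plain variable, not an expression
 * with side effects.
 */
#define TLS_PROT_NAME(x) \
    ((intp(x) && (x) >= 0 && (x) < sizeof(TLS_PROT_TABLE)) \
        ? TLS_PROT_TABLE[(x)] \
        : "TLS_PROT_UNKNOWN")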
/* Recognized hash() algorithms (not all may be supported at runtime).
 * The constants are selectors for the algorithm -- presumably the method
 * argument of hash(); verify against the efun documentation.
 * MD5 and SHA1 are no longer collision resistant: keep them for
 * compatibility with existing data only, and prefer SHA256 or stronger
 * for anything where integrity or authenticity matters.
 */
#define TLS_HASH_SHA1 (1)
#define TLS_HASH_SHA224 (2)
#define TLS_HASH_SHA256 (3)
#define TLS_HASH_SHA384 (4)
#define TLS_HASH_SHA512 (5)
#define TLS_HASH_MD5 (6)
#define TLS_HASH_RIPEMD160 (7)
#endif /* LPC_TLS_H */
| ||||
|
|
And as far as I can see, it won't work at all with OpenSSL, because then tls_query_connection_info() will return the cipher name, not an index. IMHO the API is not great even with an up-to-date table/tls.h. I would argue that tls_query_connection_info() should - if necessary - translate any enums/indices from the crypto library in use to a common name... |
|
|
I agree. |
|
|
The efun should be changed to return a struct and the struct should contain strings for algorithms instead of ids. Target LDMud 3.7. |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2017-12-16 10:41 | manuel | New Issue | |
| 2017-12-16 10:41 | manuel | File Added: tls.h | |
| 2017-12-16 21:31 | zesstra | Note Added: 0002285 | |
| 2018-01-30 22:46 | Gnomi | Note Added: 0002446 | |
| 2018-01-30 23:00 | zesstra | Project | LDMud => LDMud 3.5 |
| 2018-01-30 23:01 | zesstra | Status | new => confirmed |
| 2022-10-06 21:00 | Gnomi | Note Added: 0002703 | |
| 2022-10-06 21:00 | Gnomi | Project | LDMud 3.5 => LDMud 3.7 |
| 2022-10-06 21:00 | Gnomi | Category | Runtime => General |