MEDIUM: ssl: fix detection of ephemeral diffie-hellman key exchange by using the cipher description.
In OpenSSL, the name of a cipher using ephemeral Diffie-Hellman for key
exchange can start with EDH, but also with DHE, EXP-EDH or EXP1024-DHE.
We work around this issue by using the cipher's description instead of
the cipher's name.
Hopefully the description is less likely to change in the future.
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index bfbb5b8..8fb8b5f 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1022,10 +1022,12 @@
SSL_MODE_RELEASE_BUFFERS;
STACK_OF(SSL_CIPHER) * ciphers = NULL;
SSL_CIPHER * cipher = NULL;
- const char * cipher_name = NULL;
- /* The name of ciphers using an Ephemeral Diffie Hellman key exchange
- starts with "EDH". */
- const char edh_name[] = "EDH";
+ char cipher_description[128];
+ /* The description of ciphers using an Ephemeral Diffie Hellman key exchange
+ contains " Kx=DH " or " Kx=DH(". Beware of " Kx=DH/",
+ which is not ephemeral DH. */
+ const char dhe_description[] = " Kx=DH ";
+ const char dhe_export_description[] = " Kx=DH(";
int idx = 0;
int dhe_found = 0;
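Review bot: The size 128 of `cipher_description` at `char cipher_description[128];` is an unexplained constant that encodes an API contract: OpenSSL documents 128 bytes as the minimum buffer SSL_CIPHER_description() accepts, and with a smaller buffer older releases return a static "Buffer too small" string instead of the buffer, which the later `== cipher_description` test would silently treat as "not DHE" for every cipher. A comment should pin that down, e.g. `/* SSL_CIPHER_description() requires a buffer of at least 128 bytes; anything smaller makes it fail and every cipher would then look like non-DHE */`. The match strings also rely on the description's fixed-width "Kx=%-8s" formatting — the trailing space in `" Kx=DH "` only exists because the Kx field is space-padded — and anonymous DH suites (Au=None) are also reported as "Kx=DH", so they will set `dhe_found` as well; both facts are worth stating in the comment at the `dhe_description` declaration, since the commit message already expects the description format to be stable and the next reader will need to know exactly what is being assumed. The enclosing function starts before and continues after this hunk.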
@@ -1124,10 +1126,12 @@
if (ciphers) {
for (idx = 0; idx < sk_SSL_CIPHER_num(ciphers); idx++) {
cipher = sk_SSL_CIPHER_value(ciphers, idx);
- cipher_name = SSL_CIPHER_get_name(cipher);
- if (strncmp(cipher_name, edh_name, sizeof (edh_name)-1) == 0) {
- dhe_found = 1;
- break;
+ if (SSL_CIPHER_description(cipher, cipher_description, sizeof (cipher_description)) == cipher_description) {
+ if (strstr(cipher_description, dhe_description) != NULL ||
+ strstr(cipher_description, dhe_export_description) != NULL) {
+ dhe_found = 1;
+ break;
+ }
}
}