OLD | NEW |
1 /* ssl/ssl_ciph.c */ | 1 /* ssl/ssl_ciph.c */ |
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
3 * All rights reserved. | 3 * All rights reserved. |
4 * | 4 * |
5 * This package is an SSL implementation written | 5 * This package is an SSL implementation written |
6 * by Eric Young (eay@cryptsoft.com). | 6 * by Eric Young (eay@cryptsoft.com). |
7 * The implementation was written so as to conform with Netscapes SSL. | 7 * The implementation was written so as to conform with Netscapes SSL. |
8 * | 8 * |
9 * This library is free for commercial and non-commercial use as long as | 9 * This library is free for commercial and non-commercial use as long as |
10 * the following conditions are aheared to. The following conditions | 10 * the following conditions are aheared to. The following conditions |
(...skipping 38 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
51 * SUCH DAMAGE. | 51 * SUCH DAMAGE. |
52 * | 52 * |
53 * The licence and distribution terms for any publically available version or | 53 * The licence and distribution terms for any publically available version or |
54 * derivative of this code cannot be changed. i.e. this code cannot simply be | 54 * derivative of this code cannot be changed. i.e. this code cannot simply be |
55 * copied and put under another distribution licence | 55 * copied and put under another distribution licence |
56 * [including the GNU Public Licence.] | 56 * [including the GNU Public Licence.] |
57 */ | 57 */ |
58 /* ==================================================================== | 58 /* ==================================================================== |
59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. | 59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. |
60 * | 60 * |
61 * Redistribution and use in source and binary forms, with or without | 61 * Redistribution and use in source and binary forms, with or without |
62 * modification, are permitted provided that the following conditions | 62 * modification, are permitted provided that the following conditions |
63 * are met: | 63 * are met: |
64 * | 64 * |
65 * 1. Redistributions of source code must retain the above copyright | 65 * 1. Redistributions of source code must retain the above copyright |
66 * notice, this list of conditions and the following disclaimer. | 66 * notice, this list of conditions and the following disclaimer. |
67 * | 67 * |
68 * 2. Redistributions in binary form must reproduce the above copyright | 68 * 2. Redistributions in binary form must reproduce the above copyright |
69 * notice, this list of conditions and the following disclaimer in | 69 * notice, this list of conditions and the following disclaimer in |
(...skipping 36 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
106 * This product includes cryptographic software written by Eric Young | 106 * This product includes cryptographic software written by Eric Young |
107 * (eay@cryptsoft.com). This product includes software written by Tim | 107 * (eay@cryptsoft.com). This product includes software written by Tim |
108 * Hudson (tjh@cryptsoft.com). | 108 * Hudson (tjh@cryptsoft.com). |
109 * | 109 * |
110 */ | 110 */ |
111 /* ==================================================================== | 111 /* ==================================================================== |
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. | 112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. |
113 * ECC cipher suite support in OpenSSL originally developed by | 113 * ECC cipher suite support in OpenSSL originally developed by |
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. | 114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. |
115 */ | 115 */ |
| 116 /* ==================================================================== |
| 117 * Copyright 2005 Nokia. All rights reserved. |
| 118 * |
| 119 * The portions of the attached software ("Contribution") is developed by |
| 120 * Nokia Corporation and is licensed pursuant to the OpenSSL open source |
| 121 * license. |
| 122 * |
| 123 * The Contribution, originally written by Mika Kousa and Pasi Eronen of |
| 124 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites |
| 125 * support (see RFC 4279) to OpenSSL. |
| 126 * |
| 127 * No patent licenses or other rights except those expressly stated in |
| 128 * the OpenSSL open source license shall be deemed granted or received |
| 129 * expressly, by implication, estoppel, or otherwise. |
| 130 * |
| 131 * No assurances are provided by Nokia that the Contribution does not |
| 132 * infringe the patent or other intellectual property rights of any third |
| 133 * party or that the license provides you with all the necessary rights |
| 134 * to make use of the Contribution. |
| 135 * |
| 136 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN |
| 137 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA |
| 138 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY |
| 139 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR |
| 140 * OTHERWISE. |
| 141 */ |
| 142 |
116 #include <stdio.h> | 143 #include <stdio.h> |
117 #include <openssl/objects.h> | 144 #include <openssl/objects.h> |
118 #ifndef OPENSSL_NO_COMP | 145 #ifndef OPENSSL_NO_COMP |
119 #include <openssl/comp.h> | 146 #include <openssl/comp.h> |
120 #endif | 147 #endif |
121 | 148 #ifndef OPENSSL_NO_ENGINE |
| 149 #include <openssl/engine.h> |
| 150 #endif |
122 #include "ssl_locl.h" | 151 #include "ssl_locl.h" |
123 | 152 |
124 #define SSL_ENC_DES_IDX 0 | 153 #define SSL_ENC_DES_IDX 0 |
125 #define SSL_ENC_3DES_IDX 1 | 154 #define SSL_ENC_3DES_IDX 1 |
126 #define SSL_ENC_RC4_IDX 2 | 155 #define SSL_ENC_RC4_IDX 2 |
127 #define SSL_ENC_RC2_IDX 3 | 156 #define SSL_ENC_RC2_IDX 3 |
128 #define SSL_ENC_IDEA_IDX 4 | 157 #define SSL_ENC_IDEA_IDX 4 |
129 #define SSL_ENC_eFZA_IDX» 5 | 158 #define SSL_ENC_NULL_IDX» 5 |
130 #define SSL_ENC_NULL_IDX» 6 | 159 #define SSL_ENC_AES128_IDX» 6 |
131 #define SSL_ENC_AES128_IDX» 7 | 160 #define SSL_ENC_AES256_IDX» 7 |
132 #define SSL_ENC_AES256_IDX» 8 | 161 #define SSL_ENC_CAMELLIA128_IDX»8 |
133 #define SSL_ENC_CAMELLIA128_IDX»9 | 162 #define SSL_ENC_CAMELLIA256_IDX»9 |
134 #define SSL_ENC_CAMELLIA256_IDX»10 | 163 #define SSL_ENC_GOST89_IDX» 10 |
135 #define SSL_ENC_SEED_IDX 11 | 164 #define SSL_ENC_SEED_IDX 11 |
136 #define SSL_ENC_NUM_IDX 12 | 165 #define SSL_ENC_NUM_IDX 12 |
137 | 166 |
138 | 167 |
139 static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX]={ | 168 static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX]={ |
140 » NULL,NULL,NULL,NULL,NULL,NULL, | 169 » NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL, |
141 }; | 170 }; |
142 | 171 |
143 #define SSL_COMP_NULL_IDX 0 | 172 #define SSL_COMP_NULL_IDX 0 |
144 #define SSL_COMP_ZLIB_IDX 1 | 173 #define SSL_COMP_ZLIB_IDX 1 |
145 #define SSL_COMP_NUM_IDX 2 | 174 #define SSL_COMP_NUM_IDX 2 |
146 | 175 |
147 static STACK_OF(SSL_COMP) *ssl_comp_methods=NULL; | 176 static STACK_OF(SSL_COMP) *ssl_comp_methods=NULL; |
148 | 177 |
149 #define SSL_MD_MD5_IDX 0 | 178 #define SSL_MD_MD5_IDX 0 |
150 #define SSL_MD_SHA1_IDX 1 | 179 #define SSL_MD_SHA1_IDX 1 |
151 #define SSL_MD_NUM_IDX» 2 | 180 #define SSL_MD_GOST94_IDX 2 |
| 181 #define SSL_MD_GOST89MAC_IDX 3 |
| 182 /*Constant SSL_MAX_DIGEST equal to size of digests array should be |
| 183 * defined in the |
| 184 * ssl_locl.h */ |
| 185 #define SSL_MD_NUM_IDX» SSL_MAX_DIGEST |
152 static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX]={ | 186 static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX]={ |
153 » NULL,NULL, | 187 » NULL,NULL,NULL,NULL |
| 188 » }; |
| 189 /* PKEY_TYPE for GOST89MAC is known in advance, but, because |
| 190 * implementation is engine-provided, we'll fill it only if |
| 191 * corresponding EVP_PKEY_METHOD is found |
| 192 */ |
| 193 static int ssl_mac_pkey_id[SSL_MD_NUM_IDX]={ |
| 194 » EVP_PKEY_HMAC,EVP_PKEY_HMAC,EVP_PKEY_HMAC,NID_undef |
| 195 » }; |
| 196 |
| 197 static int ssl_mac_secret_size[SSL_MD_NUM_IDX]={ |
| 198 » 0,0,0,0 |
| 199 » }; |
| 200 |
| 201 static int ssl_handshake_digest_flag[SSL_MD_NUM_IDX]={ |
| 202 » SSL_HANDSHAKE_MAC_MD5,SSL_HANDSHAKE_MAC_SHA, |
| 203 » SSL_HANDSHAKE_MAC_GOST94,0 |
154 }; | 204 }; |
155 | 205 |
156 #define CIPHER_ADD 1 | 206 #define CIPHER_ADD 1 |
157 #define CIPHER_KILL 2 | 207 #define CIPHER_KILL 2 |
158 #define CIPHER_DEL 3 | 208 #define CIPHER_DEL 3 |
159 #define CIPHER_ORD 4 | 209 #define CIPHER_ORD 4 |
160 #define CIPHER_SPECIAL 5 | 210 #define CIPHER_SPECIAL 5 |
161 | 211 |
162 typedef struct cipher_order_st | 212 typedef struct cipher_order_st |
163 { | 213 { |
164 » SSL_CIPHER *cipher; | 214 » const SSL_CIPHER *cipher; |
165 int active; | 215 int active; |
166 int dead; | 216 int dead; |
167 struct cipher_order_st *next,*prev; | 217 struct cipher_order_st *next,*prev; |
168 } CIPHER_ORDER; | 218 } CIPHER_ORDER; |
169 | 219 |
170 static const SSL_CIPHER cipher_aliases[]={ | 220 static const SSL_CIPHER cipher_aliases[]={ |
171 » /* Don't include eNULL unless specifically enabled. */ | 221 » /* "ALL" doesn't include eNULL (must be specifically enabled) */ |
172 » /* Don't include ECC in ALL because these ciphers are not yet official.
*/ | 222 » {0,SSL_TXT_ALL,0, 0,0,~SSL_eNULL,0,0,0,0,0,0}, |
173 » {0,SSL_TXT_ALL, 0,SSL_ALL & ~SSL_eNULL & ~SSL_kECDH & ~SSL_kECDHE, SSL_A
LL ,0,0,0,SSL_ALL,SSL_ALL}, /* must be first */ | 223 » /* "COMPLEMENTOFALL" */ |
174 » /* TODO: COMPLEMENT OF ALL and COMPLEMENT OF DEFAULT do not have ECC cip
her suites handled properly. */ | 224 » {0,SSL_TXT_CMPALL,0, 0,0,SSL_eNULL,0,0,0,0,0,0}, |
175 » {0,SSL_TXT_CMPALL,0,SSL_eNULL,0,0,0,0,SSL_ENC_MASK,0}, /* COMPLEMENT OF
ALL */ | |
176 » {0,SSL_TXT_CMPDEF,0,SSL_ADH, 0,0,0,0,SSL_AUTH_MASK,0}, | |
177 » {0,SSL_TXT_kKRB5,0,SSL_kKRB5,0,0,0,0,SSL_MKEY_MASK,0}, /* VRS Kerberos5
*/ | |
178 » {0,SSL_TXT_kRSA,0,SSL_kRSA, 0,0,0,0,SSL_MKEY_MASK,0}, | |
179 » {0,SSL_TXT_kDHr,0,SSL_kDHr, 0,0,0,0,SSL_MKEY_MASK,0}, | |
180 » {0,SSL_TXT_kDHd,0,SSL_kDHd, 0,0,0,0,SSL_MKEY_MASK,0}, | |
181 » {0,SSL_TXT_kEDH,0,SSL_kEDH, 0,0,0,0,SSL_MKEY_MASK,0}, | |
182 » {0,SSL_TXT_kFZA,0,SSL_kFZA, 0,0,0,0,SSL_MKEY_MASK,0}, | |
183 » {0,SSL_TXT_DH,» 0,SSL_DH, 0,0,0,0,SSL_MKEY_MASK,0}, | |
184 » {0,SSL_TXT_ECC,»0,(SSL_kECDH|SSL_kECDHE), 0,0,0,0,SSL_MKEY_MASK,0}, | |
185 » {0,SSL_TXT_EDH,»0,SSL_EDH, 0,0,0,0,SSL_MKEY_MASK|SSL_AUTH_MASK,0}, | |
186 » {0,SSL_TXT_aKRB5,0,SSL_aKRB5,0,0,0,0,SSL_AUTH_MASK,0}, /* VRS Kerberos5
*/ | |
187 » {0,SSL_TXT_aRSA,0,SSL_aRSA, 0,0,0,0,SSL_AUTH_MASK,0}, | |
188 » {0,SSL_TXT_aDSS,0,SSL_aDSS, 0,0,0,0,SSL_AUTH_MASK,0}, | |
189 » {0,SSL_TXT_aFZA,0,SSL_aFZA, 0,0,0,0,SSL_AUTH_MASK,0}, | |
190 » {0,SSL_TXT_aNULL,0,SSL_aNULL,0,0,0,0,SSL_AUTH_MASK,0}, | |
191 » {0,SSL_TXT_aDH, 0,SSL_aDH, 0,0,0,0,SSL_AUTH_MASK,0}, | |
192 » {0,SSL_TXT_DSS,»0,SSL_DSS, 0,0,0,0,SSL_AUTH_MASK,0}, | |
193 | 225 |
194 » {0,SSL_TXT_DES,»0,SSL_DES, 0,0,0,0,SSL_ENC_MASK,0}, | 226 » /* "COMPLEMENTOFDEFAULT" (does *not* include ciphersuites not found in A
LL!) */ |
195 » {0,SSL_TXT_3DES,0,SSL_3DES, 0,0,0,0,SSL_ENC_MASK,0}, | 227 » {0,SSL_TXT_CMPDEF,0, SSL_kEDH|SSL_kEECDH,SSL_aNULL,~SSL_eNULL,0,0,0,0,0
,0}, |
196 » {0,SSL_TXT_RC4,»0,SSL_RC4, 0,0,0,0,SSL_ENC_MASK,0}, | 228 |
197 » {0,SSL_TXT_RC2,»0,SSL_RC2, 0,0,0,0,SSL_ENC_MASK,0}, | 229 » /* key exchange aliases |
198 #ifndef OPENSSL_NO_IDEA | 230 » * (some of those using only a single bit here combine |
199 » {0,SSL_TXT_IDEA,0,SSL_IDEA, 0,0,0,0,SSL_ENC_MASK,0}, | 231 » * multiple key exchange algs according to the RFCs, |
| 232 » * e.g. kEDH combines DHE_DSS and DHE_RSA) */ |
| 233 » {0,SSL_TXT_kRSA,0, SSL_kRSA, 0,0,0,0,0,0,0,0}, |
| 234 |
| 235 » {0,SSL_TXT_kDHr,0, SSL_kDHr, 0,0,0,0,0,0,0,0}, /* no such ciphersuit
es supported! */ |
| 236 » {0,SSL_TXT_kDHd,0, SSL_kDHd, 0,0,0,0,0,0,0,0}, /* no such ciphersuit
es supported! */ |
| 237 » {0,SSL_TXT_kDH,0, SSL_kDHr|SSL_kDHd,0,0,0,0,0,0,0,0}, /* no such cip
hersuites supported! */ |
| 238 » {0,SSL_TXT_kEDH,0, SSL_kEDH, 0,0,0,0,0,0,0,0}, |
| 239 » {0,SSL_TXT_DH,0, SSL_kDHr|SSL_kDHd|SSL_kEDH,0,0,0,0,0,0,0,0}, |
| 240 |
| 241 » {0,SSL_TXT_kKRB5,0, SSL_kKRB5, 0,0,0,0,0,0,0,0}, |
| 242 |
| 243 » {0,SSL_TXT_kECDHr,0, SSL_kECDHr,0,0,0,0,0,0,0,0}, |
| 244 » {0,SSL_TXT_kECDHe,0, SSL_kECDHe,0,0,0,0,0,0,0,0}, |
| 245 » {0,SSL_TXT_kECDH,0, SSL_kECDHr|SSL_kECDHe,0,0,0,0,0,0,0,0}, |
| 246 » {0,SSL_TXT_kEECDH,0, SSL_kEECDH,0,0,0,0,0,0,0,0}, |
| 247 » {0,SSL_TXT_ECDH,0, SSL_kECDHr|SSL_kECDHe|SSL_kEECDH,0,0,0,0,0,0,0,0}, |
| 248 |
| 249 {0,SSL_TXT_kPSK,0, SSL_kPSK, 0,0,0,0,0,0,0,0}, |
| 250 » {0,SSL_TXT_kGOST,0, SSL_kGOST,0,0,0,0,0,0,0,0}, |
| 251 |
| 252 » /* server authentication aliases */ |
| 253 » {0,SSL_TXT_aRSA,0, 0,SSL_aRSA, 0,0,0,0,0,0,0}, |
| 254 » {0,SSL_TXT_aDSS,0, 0,SSL_aDSS, 0,0,0,0,0,0,0}, |
| 255 » {0,SSL_TXT_DSS,0, 0,SSL_aDSS, 0,0,0,0,0,0,0}, |
| 256 » {0,SSL_TXT_aKRB5,0, 0,SSL_aKRB5, 0,0,0,0,0,0,0}, |
| 257 » {0,SSL_TXT_aNULL,0, 0,SSL_aNULL, 0,0,0,0,0,0,0}, |
| 258 » {0,SSL_TXT_aDH,0, 0,SSL_aDH, 0,0,0,0,0,0,0}, /* no such ciphersuit
es supported! */ |
| 259 » {0,SSL_TXT_aECDH,0, 0,SSL_aECDH, 0,0,0,0,0,0,0}, |
| 260 » {0,SSL_TXT_aECDSA,0, 0,SSL_aECDSA,0,0,0,0,0,0,0}, |
| 261 » {0,SSL_TXT_ECDSA,0, 0,SSL_aECDSA, 0,0,0,0,0,0,0}, |
| 262 {0,SSL_TXT_aPSK,0, 0,SSL_aPSK, 0,0,0,0,0,0,0}, |
| 263 » {0,SSL_TXT_aGOST94,0,0,SSL_aGOST94,0,0,0,0,0,0,0}, |
| 264 » {0,SSL_TXT_aGOST01,0,0,SSL_aGOST01,0,0,0,0,0,0,0}, |
| 265 » {0,SSL_TXT_aGOST,0,0,SSL_aGOST94|SSL_aGOST01,0,0,0,0,0,0,0}, |
| 266 |
| 267 » /* aliases combining key exchange and server authentication */ |
| 268 » {0,SSL_TXT_EDH,0, SSL_kEDH,~SSL_aNULL,0,0,0,0,0,0,0}, |
| 269 » {0,SSL_TXT_EECDH,0, SSL_kEECDH,~SSL_aNULL,0,0,0,0,0,0,0}, |
| 270 » {0,SSL_TXT_NULL,0, 0,0,SSL_eNULL, 0,0,0,0,0,0}, |
| 271 » {0,SSL_TXT_KRB5,0, SSL_kKRB5,SSL_aKRB5,0,0,0,0,0,0,0}, |
| 272 » {0,SSL_TXT_RSA,0, SSL_kRSA,SSL_aRSA,0,0,0,0,0,0,0}, |
| 273 » {0,SSL_TXT_ADH,0, SSL_kEDH,SSL_aNULL,0,0,0,0,0,0,0}, |
| 274 » {0,SSL_TXT_AECDH,0, SSL_kEECDH,SSL_aNULL,0,0,0,0,0,0,0}, |
| 275 {0,SSL_TXT_PSK,0, SSL_kPSK,SSL_aPSK,0,0,0,0,0,0,0}, |
| 276 |
| 277 |
| 278 » /* symmetric encryption aliases */ |
| 279 » {0,SSL_TXT_DES,0, 0,0,SSL_DES, 0,0,0,0,0,0}, |
| 280 » {0,SSL_TXT_3DES,0, 0,0,SSL_3DES, 0,0,0,0,0,0}, |
| 281 » {0,SSL_TXT_RC4,0, 0,0,SSL_RC4, 0,0,0,0,0,0}, |
| 282 » {0,SSL_TXT_RC2,0, 0,0,SSL_RC2, 0,0,0,0,0,0}, |
| 283 » {0,SSL_TXT_IDEA,0, 0,0,SSL_IDEA, 0,0,0,0,0,0}, |
| 284 » {0,SSL_TXT_SEED,0, 0,0,SSL_SEED, 0,0,0,0,0,0}, |
| 285 » {0,SSL_TXT_eNULL,0, 0,0,SSL_eNULL, 0,0,0,0,0,0}, |
| 286 » {0,SSL_TXT_AES128,0, 0,0,SSL_AES128,0,0,0,0,0,0}, |
| 287 » {0,SSL_TXT_AES256,0, 0,0,SSL_AES256,0,0,0,0,0,0}, |
| 288 » {0,SSL_TXT_AES,0, 0,0,SSL_AES128|SSL_AES256,0,0,0,0,0,0}, |
| 289 » {0,SSL_TXT_CAMELLIA128,0,0,0,SSL_CAMELLIA128,0,0,0,0,0,0}, |
| 290 » {0,SSL_TXT_CAMELLIA256,0,0,0,SSL_CAMELLIA256,0,0,0,0,0,0}, |
| 291 » {0,SSL_TXT_CAMELLIA ,0,0,0,SSL_CAMELLIA128|SSL_CAMELLIA256,0,0,0,0,0,0
}, |
| 292 |
| 293 » /* MAC aliases */» |
| 294 » {0,SSL_TXT_MD5,0, 0,0,0,SSL_MD5, 0,0,0,0,0}, |
| 295 » {0,SSL_TXT_SHA1,0, 0,0,0,SSL_SHA1, 0,0,0,0,0}, |
| 296 » {0,SSL_TXT_SHA,0, 0,0,0,SSL_SHA1, 0,0,0,0,0}, |
| 297 » {0,SSL_TXT_GOST94,0, 0,0,0,SSL_GOST94, 0,0,0,0,0}, |
| 298 » {0,SSL_TXT_GOST89MAC,0, 0,0,0,SSL_GOST89MAC, 0,0,0,0,0}, |
| 299 |
| 300 » /* protocol version aliases */ |
| 301 » {0,SSL_TXT_SSLV2,0, 0,0,0,0,SSL_SSLV2, 0,0,0,0}, |
| 302 » {0,SSL_TXT_SSLV3,0, 0,0,0,0,SSL_SSLV3, 0,0,0,0}, |
| 303 » {0,SSL_TXT_TLSV1,0, 0,0,0,0,SSL_TLSV1, 0,0,0,0}, |
| 304 |
| 305 » /* export flag */ |
| 306 » {0,SSL_TXT_EXP,0, 0,0,0,0,0,SSL_EXPORT,0,0,0}, |
| 307 » {0,SSL_TXT_EXPORT,0, 0,0,0,0,0,SSL_EXPORT,0,0,0}, |
| 308 |
| 309 » /* strength classes */ |
| 310 » {0,SSL_TXT_EXP40,0, 0,0,0,0,0,SSL_EXP40, 0,0,0}, |
| 311 » {0,SSL_TXT_EXP56,0, 0,0,0,0,0,SSL_EXP56, 0,0,0}, |
| 312 » {0,SSL_TXT_LOW,0, 0,0,0,0,0,SSL_LOW, 0,0,0}, |
| 313 » {0,SSL_TXT_MEDIUM,0, 0,0,0,0,0,SSL_MEDIUM,0,0,0}, |
| 314 » {0,SSL_TXT_HIGH,0, 0,0,0,0,0,SSL_HIGH, 0,0,0}, |
| 315 » /* FIPS 140-2 approved ciphersuite */ |
| 316 » {0,SSL_TXT_FIPS,0, 0,0,~SSL_eNULL,0,0,SSL_FIPS, 0,0,0}, |
| 317 » }; |
| 318 /* Search for public key algorithm with given name and |
| 319 * return its pkey_id if it is available. Otherwise return 0 |
| 320 */ |
| 321 #ifdef OPENSSL_NO_ENGINE |
| 322 |
| 323 static int get_optional_pkey_id(const char *pkey_name) |
| 324 » { |
| 325 » const EVP_PKEY_ASN1_METHOD *ameth; |
| 326 » int pkey_id=0; |
| 327 » ameth = EVP_PKEY_asn1_find_str(NULL,pkey_name,-1); |
| 328 » if (ameth) |
| 329 » » { |
| 330 » » EVP_PKEY_asn1_get0_info(&pkey_id, NULL,NULL,NULL,NULL,ameth); |
| 331 » » }» » |
| 332 » return pkey_id; |
| 333 » } |
| 334 |
| 335 #else |
| 336 |
| 337 static int get_optional_pkey_id(const char *pkey_name) |
| 338 » { |
| 339 » const EVP_PKEY_ASN1_METHOD *ameth; |
| 340 » ENGINE *tmpeng = NULL; |
| 341 » int pkey_id=0; |
| 342 » ameth = EVP_PKEY_asn1_find_str(&tmpeng,pkey_name,-1); |
| 343 » if (ameth) |
| 344 » » { |
| 345 » » EVP_PKEY_asn1_get0_info(&pkey_id, NULL,NULL,NULL,NULL,ameth); |
| 346 » » } |
| 347 » if (tmpeng) ENGINE_finish(tmpeng); |
| 348 » return pkey_id; |
| 349 » } |
| 350 |
200 #endif | 351 #endif |
201 {0,SSL_TXT_SEED,0,SSL_SEED, 0,0,0,0,SSL_ENC_MASK,0}, | |
202 {0,SSL_TXT_eNULL,0,SSL_eNULL,0,0,0,0,SSL_ENC_MASK,0}, | |
203 {0,SSL_TXT_eFZA,0,SSL_eFZA, 0,0,0,0,SSL_ENC_MASK,0}, | |
204 {0,SSL_TXT_AES, 0,SSL_AES, 0,0,0,0,SSL_ENC_MASK,0}, | |
205 {0,SSL_TXT_CAMELLIA,0,SSL_CAMELLIA, 0,0,0,0,SSL_ENC_MASK,0}, | |
206 | |
207 {0,SSL_TXT_MD5, 0,SSL_MD5, 0,0,0,0,SSL_MAC_MASK,0}, | |
208 {0,SSL_TXT_SHA1,0,SSL_SHA1, 0,0,0,0,SSL_MAC_MASK,0}, | |
209 {0,SSL_TXT_SHA, 0,SSL_SHA, 0,0,0,0,SSL_MAC_MASK,0}, | |
210 | |
211 {0,SSL_TXT_NULL,0,SSL_NULL, 0,0,0,0,SSL_ENC_MASK,0}, | |
212 {0,SSL_TXT_KRB5,0,SSL_KRB5, 0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0}, | |
213 {0,SSL_TXT_RSA, 0,SSL_RSA, 0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0}, | |
214 {0,SSL_TXT_ADH, 0,SSL_ADH, 0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0}, | |
215 {0,SSL_TXT_FZA, 0,SSL_FZA, 0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK|SSL_ENC
_MASK,0}, | |
216 | |
217 {0,SSL_TXT_SSLV2, 0,SSL_SSLV2, 0,0,0,0,SSL_SSL_MASK,0}, | |
218 {0,SSL_TXT_SSLV3, 0,SSL_SSLV3, 0,0,0,0,SSL_SSL_MASK,0}, | |
219 {0,SSL_TXT_TLSV1, 0,SSL_TLSV1, 0,0,0,0,SSL_SSL_MASK,0}, | |
220 | |
221 {0,SSL_TXT_EXP ,0, 0,SSL_EXPORT, 0,0,0,0,SSL_EXP_MASK}, | |
222 {0,SSL_TXT_EXPORT,0, 0,SSL_EXPORT, 0,0,0,0,SSL_EXP_MASK}, | |
223 {0,SSL_TXT_EXP40, 0, 0, SSL_EXP40, 0,0,0,0,SSL_STRONG_MASK}, | |
224 {0,SSL_TXT_EXP56, 0, 0, SSL_EXP56, 0,0,0,0,SSL_STRONG_MASK}, | |
225 {0,SSL_TXT_LOW, 0, 0, SSL_LOW, 0,0,0,0,SSL_STRONG_MASK}, | |
226 {0,SSL_TXT_MEDIUM,0, 0,SSL_MEDIUM, 0,0,0,0,SSL_STRONG_MASK}, | |
227 {0,SSL_TXT_HIGH, 0, 0, SSL_HIGH, 0,0,0,0,SSL_STRONG_MASK}, | |
228 {0,SSL_TXT_FIPS, 0, 0, SSL_FIPS, 0,0,0,0,SSL_FIPS|SSL_STRONG_NONE}, | |
229 }; | |
230 | 352 |
231 void ssl_load_ciphers(void) | 353 void ssl_load_ciphers(void) |
232 { | 354 { |
233 ssl_cipher_methods[SSL_ENC_DES_IDX]= | 355 ssl_cipher_methods[SSL_ENC_DES_IDX]= |
234 EVP_get_cipherbyname(SN_des_cbc); | 356 EVP_get_cipherbyname(SN_des_cbc); |
235 ssl_cipher_methods[SSL_ENC_3DES_IDX]= | 357 ssl_cipher_methods[SSL_ENC_3DES_IDX]= |
236 EVP_get_cipherbyname(SN_des_ede3_cbc); | 358 EVP_get_cipherbyname(SN_des_ede3_cbc); |
237 ssl_cipher_methods[SSL_ENC_RC4_IDX]= | 359 ssl_cipher_methods[SSL_ENC_RC4_IDX]= |
238 EVP_get_cipherbyname(SN_rc4); | 360 EVP_get_cipherbyname(SN_rc4); |
239 ssl_cipher_methods[SSL_ENC_RC2_IDX]= | 361 ssl_cipher_methods[SSL_ENC_RC2_IDX]= |
240 EVP_get_cipherbyname(SN_rc2_cbc); | 362 EVP_get_cipherbyname(SN_rc2_cbc); |
241 #ifndef OPENSSL_NO_IDEA | 363 #ifndef OPENSSL_NO_IDEA |
242 ssl_cipher_methods[SSL_ENC_IDEA_IDX]= | 364 ssl_cipher_methods[SSL_ENC_IDEA_IDX]= |
243 EVP_get_cipherbyname(SN_idea_cbc); | 365 EVP_get_cipherbyname(SN_idea_cbc); |
244 #else | 366 #else |
245 ssl_cipher_methods[SSL_ENC_IDEA_IDX]= NULL; | 367 ssl_cipher_methods[SSL_ENC_IDEA_IDX]= NULL; |
246 #endif | 368 #endif |
247 ssl_cipher_methods[SSL_ENC_AES128_IDX]= | 369 ssl_cipher_methods[SSL_ENC_AES128_IDX]= |
248 EVP_get_cipherbyname(SN_aes_128_cbc); | 370 EVP_get_cipherbyname(SN_aes_128_cbc); |
249 ssl_cipher_methods[SSL_ENC_AES256_IDX]= | 371 ssl_cipher_methods[SSL_ENC_AES256_IDX]= |
250 EVP_get_cipherbyname(SN_aes_256_cbc); | 372 EVP_get_cipherbyname(SN_aes_256_cbc); |
251 ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX]= | 373 ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX]= |
252 EVP_get_cipherbyname(SN_camellia_128_cbc); | 374 EVP_get_cipherbyname(SN_camellia_128_cbc); |
253 ssl_cipher_methods[SSL_ENC_CAMELLIA256_IDX]= | 375 ssl_cipher_methods[SSL_ENC_CAMELLIA256_IDX]= |
254 EVP_get_cipherbyname(SN_camellia_256_cbc); | 376 EVP_get_cipherbyname(SN_camellia_256_cbc); |
| 377 ssl_cipher_methods[SSL_ENC_GOST89_IDX]= |
| 378 EVP_get_cipherbyname(SN_gost89_cnt); |
255 ssl_cipher_methods[SSL_ENC_SEED_IDX]= | 379 ssl_cipher_methods[SSL_ENC_SEED_IDX]= |
256 EVP_get_cipherbyname(SN_seed_cbc); | 380 EVP_get_cipherbyname(SN_seed_cbc); |
257 | 381 |
258 ssl_digest_methods[SSL_MD_MD5_IDX]= | 382 ssl_digest_methods[SSL_MD_MD5_IDX]= |
259 EVP_get_digestbyname(SN_md5); | 383 EVP_get_digestbyname(SN_md5); |
| 384 ssl_mac_secret_size[SSL_MD_MD5_IDX]= |
| 385 EVP_MD_size(ssl_digest_methods[SSL_MD_MD5_IDX]); |
| 386 OPENSSL_assert(ssl_mac_secret_size[SSL_MD_MD5_IDX] >= 0); |
260 ssl_digest_methods[SSL_MD_SHA1_IDX]= | 387 ssl_digest_methods[SSL_MD_SHA1_IDX]= |
261 EVP_get_digestbyname(SN_sha1); | 388 EVP_get_digestbyname(SN_sha1); |
| 389 ssl_mac_secret_size[SSL_MD_SHA1_IDX]= |
| 390 EVP_MD_size(ssl_digest_methods[SSL_MD_SHA1_IDX]); |
| 391 OPENSSL_assert(ssl_mac_secret_size[SSL_MD_SHA1_IDX] >= 0); |
| 392 ssl_digest_methods[SSL_MD_GOST94_IDX]= |
| 393 EVP_get_digestbyname(SN_id_GostR3411_94); |
| 394 if (ssl_digest_methods[SSL_MD_GOST94_IDX]) |
| 395 { |
| 396 ssl_mac_secret_size[SSL_MD_GOST94_IDX]= |
| 397 EVP_MD_size(ssl_digest_methods[SSL_MD_GOST94_IDX]); |
| 398 OPENSSL_assert(ssl_mac_secret_size[SSL_MD_GOST94_IDX] >= 0); |
| 399 } |
| 400 ssl_digest_methods[SSL_MD_GOST89MAC_IDX]= |
| 401 EVP_get_digestbyname(SN_id_Gost28147_89_MAC); |
| 402 ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX] = get_optional_pkey_id("go
st-mac"); |
| 403 if (ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX]) { |
| 404 ssl_mac_secret_size[SSL_MD_GOST89MAC_IDX]=32; |
| 405 } |
| 406 |
262 } | 407 } |
263 | |
264 | |
265 #ifndef OPENSSL_NO_COMP | 408 #ifndef OPENSSL_NO_COMP |
266 | 409 |
267 static int sk_comp_cmp(const SSL_COMP * const *a, | 410 static int sk_comp_cmp(const SSL_COMP * const *a, |
268 const SSL_COMP * const *b) | 411 const SSL_COMP * const *b) |
269 { | 412 { |
270 return((*a)->id-(*b)->id); | 413 return((*a)->id-(*b)->id); |
271 } | 414 } |
272 | 415 |
273 static void load_builtin_compressions(void) | 416 static void load_builtin_compressions(void) |
274 { | 417 { |
(...skipping 21 matching lines...) Expand all Loading... |
296 if (comp->method | 439 if (comp->method |
297 && comp->method->type == NID_und
ef) | 440 && comp->method->type == NID_und
ef) |
298 OPENSSL_free(comp); | 441 OPENSSL_free(comp); |
299 else | 442 else |
300 { | 443 { |
301 comp->id=SSL_COMP_ZLIB_IDX; | 444 comp->id=SSL_COMP_ZLIB_IDX; |
302 comp->name=comp->method->name; | 445 comp->name=comp->method->name; |
303 sk_SSL_COMP_push(ssl_comp_method
s,comp); | 446 sk_SSL_COMP_push(ssl_comp_method
s,comp); |
304 } | 447 } |
305 } | 448 } |
| 449 sk_SSL_COMP_sort(ssl_comp_methods); |
306 } | 450 } |
307 MemCheck_on(); | 451 MemCheck_on(); |
308 } | 452 } |
309 } | 453 } |
310 | 454 |
311 if (got_write_lock) | 455 if (got_write_lock) |
312 CRYPTO_w_unlock(CRYPTO_LOCK_SSL); | 456 CRYPTO_w_unlock(CRYPTO_LOCK_SSL); |
313 else | 457 else |
314 CRYPTO_r_unlock(CRYPTO_LOCK_SSL); | 458 CRYPTO_r_unlock(CRYPTO_LOCK_SSL); |
315 } | 459 } |
316 #endif | 460 #endif |
317 | 461 |
318 int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, | 462 int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, |
319 » const EVP_MD **md, SSL_COMP **comp) | 463 » const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size,SSL_COM
P **comp) |
320 { | 464 { |
321 int i; | 465 int i; |
322 » SSL_CIPHER *c; | 466 » const SSL_CIPHER *c; |
323 | 467 |
324 c=s->cipher; | 468 c=s->cipher; |
325 if (c == NULL) return(0); | 469 if (c == NULL) return(0); |
326 if (comp != NULL) | 470 if (comp != NULL) |
327 { | 471 { |
328 SSL_COMP ctmp; | 472 SSL_COMP ctmp; |
329 #ifndef OPENSSL_NO_COMP | 473 #ifndef OPENSSL_NO_COMP |
330 load_builtin_compressions(); | 474 load_builtin_compressions(); |
331 #endif | 475 #endif |
332 | 476 |
333 *comp=NULL; | 477 *comp=NULL; |
334 ctmp.id=s->compress_meth; | 478 ctmp.id=s->compress_meth; |
335 if (ssl_comp_methods != NULL) | 479 if (ssl_comp_methods != NULL) |
336 { | 480 { |
337 i=sk_SSL_COMP_find(ssl_comp_methods,&ctmp); | 481 i=sk_SSL_COMP_find(ssl_comp_methods,&ctmp); |
338 if (i >= 0) | 482 if (i >= 0) |
339 *comp=sk_SSL_COMP_value(ssl_comp_methods,i); | 483 *comp=sk_SSL_COMP_value(ssl_comp_methods,i); |
340 else | 484 else |
341 *comp=NULL; | 485 *comp=NULL; |
342 } | 486 } |
343 } | 487 } |
344 | 488 |
345 if ((enc == NULL) || (md == NULL)) return(0); | 489 if ((enc == NULL) || (md == NULL)) return(0); |
346 | 490 |
347 » switch (c->algorithms & SSL_ENC_MASK) | 491 » switch (c->algorithm_enc) |
348 { | 492 { |
349 case SSL_DES: | 493 case SSL_DES: |
350 i=SSL_ENC_DES_IDX; | 494 i=SSL_ENC_DES_IDX; |
351 break; | 495 break; |
352 case SSL_3DES: | 496 case SSL_3DES: |
353 i=SSL_ENC_3DES_IDX; | 497 i=SSL_ENC_3DES_IDX; |
354 break; | 498 break; |
355 case SSL_RC4: | 499 case SSL_RC4: |
356 i=SSL_ENC_RC4_IDX; | 500 i=SSL_ENC_RC4_IDX; |
357 break; | 501 break; |
358 case SSL_RC2: | 502 case SSL_RC2: |
359 i=SSL_ENC_RC2_IDX; | 503 i=SSL_ENC_RC2_IDX; |
360 break; | 504 break; |
361 case SSL_IDEA: | 505 case SSL_IDEA: |
362 i=SSL_ENC_IDEA_IDX; | 506 i=SSL_ENC_IDEA_IDX; |
363 break; | 507 break; |
364 case SSL_eNULL: | 508 case SSL_eNULL: |
365 i=SSL_ENC_NULL_IDX; | 509 i=SSL_ENC_NULL_IDX; |
366 break; | 510 break; |
367 » case SSL_AES: | 511 » case SSL_AES128: |
368 » » switch(c->alg_bits) | 512 » » i=SSL_ENC_AES128_IDX; |
369 » » » { | |
370 » » case 128: i=SSL_ENC_AES128_IDX; break; | |
371 » » case 256: i=SSL_ENC_AES256_IDX; break; | |
372 » » default: i=-1; break; | |
373 » » » } | |
374 break; | 513 break; |
375 » case SSL_CAMELLIA: | 514 » case SSL_AES256: |
376 » » switch(c->alg_bits) | 515 » » i=SSL_ENC_AES256_IDX; |
377 » » » { | 516 » » break; |
378 » » case 128: i=SSL_ENC_CAMELLIA128_IDX; break; | 517 » case SSL_CAMELLIA128: |
379 » » case 256: i=SSL_ENC_CAMELLIA256_IDX; break; | 518 » » i=SSL_ENC_CAMELLIA128_IDX; |
380 » » default: i=-1; break; | 519 » » break; |
381 » » » } | 520 » case SSL_CAMELLIA256: |
| 521 » » i=SSL_ENC_CAMELLIA256_IDX; |
| 522 » » break; |
| 523 » case SSL_eGOST2814789CNT: |
| 524 » » i=SSL_ENC_GOST89_IDX; |
382 break; | 525 break; |
383 case SSL_SEED: | 526 case SSL_SEED: |
384 i=SSL_ENC_SEED_IDX; | 527 i=SSL_ENC_SEED_IDX; |
385 break; | 528 break; |
386 | |
387 default: | 529 default: |
388 i= -1; | 530 i= -1; |
389 break; | 531 break; |
390 } | 532 } |
391 | 533 |
392 if ((i < 0) || (i > SSL_ENC_NUM_IDX)) | 534 if ((i < 0) || (i > SSL_ENC_NUM_IDX)) |
393 *enc=NULL; | 535 *enc=NULL; |
394 else | 536 else |
395 { | 537 { |
396 if (i == SSL_ENC_NULL_IDX) | 538 if (i == SSL_ENC_NULL_IDX) |
397 *enc=EVP_enc_null(); | 539 *enc=EVP_enc_null(); |
398 else | 540 else |
399 *enc=ssl_cipher_methods[i]; | 541 *enc=ssl_cipher_methods[i]; |
400 } | 542 } |
401 | 543 |
402 » switch (c->algorithms & SSL_MAC_MASK) | 544 » switch (c->algorithm_mac) |
403 { | 545 { |
404 case SSL_MD5: | 546 case SSL_MD5: |
405 i=SSL_MD_MD5_IDX; | 547 i=SSL_MD_MD5_IDX; |
406 break; | 548 break; |
407 case SSL_SHA1: | 549 case SSL_SHA1: |
408 i=SSL_MD_SHA1_IDX; | 550 i=SSL_MD_SHA1_IDX; |
409 break; | 551 break; |
| 552 case SSL_GOST94: |
| 553 i = SSL_MD_GOST94_IDX; |
| 554 break; |
| 555 case SSL_GOST89MAC: |
| 556 i = SSL_MD_GOST89MAC_IDX; |
| 557 break; |
410 default: | 558 default: |
411 i= -1; | 559 i= -1; |
412 break; | 560 break; |
413 } | 561 } |
414 if ((i < 0) || (i > SSL_MD_NUM_IDX)) | 562 if ((i < 0) || (i > SSL_MD_NUM_IDX)) |
415 » » *md=NULL; | 563 » { |
| 564 » » *md=NULL; |
| 565 » » if (mac_pkey_type!=NULL) *mac_pkey_type = NID_undef; |
| 566 » » if (mac_secret_size!=NULL) *mac_secret_size = 0; |
| 567 |
| 568 » } |
416 else | 569 else |
| 570 { |
417 *md=ssl_digest_methods[i]; | 571 *md=ssl_digest_methods[i]; |
| 572 if (mac_pkey_type!=NULL) *mac_pkey_type = ssl_mac_pkey_id[i]; |
| 573 if (mac_secret_size!=NULL) *mac_secret_size = ssl_mac_secret_siz
e[i]; |
| 574 } |
418 | 575 |
419 » if ((*enc != NULL) && (*md != NULL)) | 576 » if ((*enc != NULL) && (*md != NULL) && (!mac_pkey_type||*mac_pkey_type !
= NID_undef)) |
420 return(1); | 577 return(1); |
421 else | 578 else |
422 return(0); | 579 return(0); |
423 } | 580 } |
424 | 581 |
| 582 int ssl_get_handshake_digest(int idx, long *mask, const EVP_MD **md) |
| 583 { |
| 584 if (idx <0||idx>=SSL_MD_NUM_IDX) |
| 585 { |
| 586 return 0; |
| 587 } |
| 588 if (ssl_handshake_digest_flag[idx]==0) return 0; |
| 589 *mask = ssl_handshake_digest_flag[idx]; |
| 590 *md = ssl_digest_methods[idx]; |
| 591 return 1; |
| 592 } |
| 593 |
425 #define ITEM_SEP(a) \ | 594 #define ITEM_SEP(a) \ |
426 (((a) == ':') || ((a) == ' ') || ((a) == ';') || ((a) == ',')) | 595 (((a) == ':') || ((a) == ' ') || ((a) == ';') || ((a) == ',')) |
427 | 596 |
428 static void ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr, | 597 static void ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr, |
429 CIPHER_ORDER **tail) | 598 CIPHER_ORDER **tail) |
430 { | 599 { |
431 if (curr == *tail) return; | 600 if (curr == *tail) return; |
432 if (curr == *head) | 601 if (curr == *head) |
433 *head=curr->next; | 602 *head=curr->next; |
434 if (curr->prev != NULL) | 603 if (curr->prev != NULL) |
435 curr->prev->next=curr->next; | 604 curr->prev->next=curr->next; |
436 » if (curr->next != NULL) /* should always be true */ | 605 » if (curr->next != NULL) |
437 curr->next->prev=curr->prev; | 606 curr->next->prev=curr->prev; |
438 (*tail)->next=curr; | 607 (*tail)->next=curr; |
439 curr->prev= *tail; | 608 curr->prev= *tail; |
440 curr->next=NULL; | 609 curr->next=NULL; |
441 *tail=curr; | 610 *tail=curr; |
442 } | 611 } |
443 | 612 |
444 struct disabled_masks { /* This is a kludge no longer needed with OpenSSL 0.9.9, | 613 static void ll_append_head(CIPHER_ORDER **head, CIPHER_ORDER *curr, |
445 * where 128-bit and 256-bit algorithms simply will get | 614 » CIPHER_ORDER **tail) |
446 * separate bits. */ | 615 » { |
447 unsigned long mask; /* everything except m256 */ | 616 » if (curr == *head) return; |
448 unsigned long m256; /* applies to 256-bit algorithms only */ | 617 » if (curr == *tail) |
449 }; | 618 » » *tail=curr->prev; |
| 619 » if (curr->next != NULL) |
| 620 » » curr->next->prev=curr->prev; |
| 621 » if (curr->prev != NULL) |
| 622 » » curr->prev->next=curr->next; |
| 623 » (*head)->prev=curr; |
| 624 » curr->next= *head; |
| 625 » curr->prev=NULL; |
| 626 » *head=curr; |
| 627 » } |
450 | 628 |
451 static struct disabled_masks ssl_cipher_get_disabled(void) | 629 static void ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, un
signed long *enc, unsigned long *mac, unsigned long *ssl) |
452 { | 630 { |
453 » unsigned long mask; | 631 » *mkey = 0; |
454 » unsigned long m256; | 632 » *auth = 0; |
455 » struct disabled_masks ret; | 633 » *enc = 0; |
| 634 » *mac = 0; |
| 635 » *ssl = 0; |
456 | 636 |
457 mask = SSL_kFZA; | |
458 #ifdef OPENSSL_NO_RSA | 637 #ifdef OPENSSL_NO_RSA |
459 » mask |= SSL_aRSA|SSL_kRSA; | 638 » *mkey |= SSL_kRSA; |
| 639 » *auth |= SSL_aRSA; |
460 #endif | 640 #endif |
461 #ifdef OPENSSL_NO_DSA | 641 #ifdef OPENSSL_NO_DSA |
462 » mask |= SSL_aDSS; | 642 » *auth |= SSL_aDSS; |
463 #endif | 643 #endif |
| 644 *mkey |= SSL_kDHr|SSL_kDHd; /* no such ciphersuites supported! */ |
| 645 *auth |= SSL_aDH; |
464 #ifdef OPENSSL_NO_DH | 646 #ifdef OPENSSL_NO_DH |
465 » mask |= SSL_kDHr|SSL_kDHd|SSL_kEDH|SSL_aDH; | 647 » *mkey |= SSL_kDHr|SSL_kDHd|SSL_kEDH; |
| 648 » *auth |= SSL_aDH; |
466 #endif | 649 #endif |
467 #ifdef OPENSSL_NO_KRB5 | 650 #ifdef OPENSSL_NO_KRB5 |
468 » mask |= SSL_kKRB5|SSL_aKRB5; | 651 » *mkey |= SSL_kKRB5; |
| 652 » *auth |= SSL_aKRB5; |
| 653 #endif |
| 654 #ifdef OPENSSL_NO_ECDSA |
| 655 » *auth |= SSL_aECDSA; |
469 #endif | 656 #endif |
470 #ifdef OPENSSL_NO_ECDH | 657 #ifdef OPENSSL_NO_ECDH |
471 » mask |= SSL_kECDH|SSL_kECDHE; | 658 » *mkey |= SSL_kECDHe|SSL_kECDHr; |
| 659 » *auth |= SSL_aECDH; |
472 #endif | 660 #endif |
| 661 #ifdef OPENSSL_NO_PSK |
| 662 *mkey |= SSL_kPSK; |
| 663 *auth |= SSL_aPSK; |
| 664 #endif |
| 665 /* Check for presence of GOST 34.10 algorithms, and if they |
| 666 * do not present, disable appropriate auth and key exchange */ |
| 667 if (!get_optional_pkey_id("gost94")) { |
| 668 *auth |= SSL_aGOST94; |
| 669 } |
| 670 if (!get_optional_pkey_id("gost2001")) { |
| 671 *auth |= SSL_aGOST01; |
| 672 } |
| 673 /* Disable GOST key exchange if no GOST signature algs are available * *
/ |
| 674 if ((*auth & (SSL_aGOST94|SSL_aGOST01)) == (SSL_aGOST94|SSL_aGOST01)) { |
| 675 *mkey |= SSL_kGOST; |
| 676 } |
473 #ifdef SSL_FORBID_ENULL | 677 #ifdef SSL_FORBID_ENULL |
474 » mask |= SSL_eNULL; | 678 » *enc |= SSL_eNULL; |
475 #endif | 679 #endif |
| 680 |
476 | 681 |
477 mask |= (ssl_cipher_methods[SSL_ENC_DES_IDX ] == NULL) ? SSL_DES :0; | |
478 mask |= (ssl_cipher_methods[SSL_ENC_3DES_IDX] == NULL) ? SSL_3DES:0; | |
479 mask |= (ssl_cipher_methods[SSL_ENC_RC4_IDX ] == NULL) ? SSL_RC4 :0; | |
480 mask |= (ssl_cipher_methods[SSL_ENC_RC2_IDX ] == NULL) ? SSL_RC2 :0; | |
481 mask |= (ssl_cipher_methods[SSL_ENC_IDEA_IDX] == NULL) ? SSL_IDEA:0; | |
482 mask |= (ssl_cipher_methods[SSL_ENC_eFZA_IDX] == NULL) ? SSL_eFZA:0; | |
483 mask |= (ssl_cipher_methods[SSL_ENC_SEED_IDX] == NULL) ? SSL_SEED:0; | |
484 | 682 |
485 » mask |= (ssl_digest_methods[SSL_MD_MD5_IDX ] == NULL) ? SSL_MD5 :0; | 683 » *enc |= (ssl_cipher_methods[SSL_ENC_DES_IDX ] == NULL) ? SSL_DES :0; |
486 » mask |= (ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL) ? SSL_SHA1:0; | 684 » *enc |= (ssl_cipher_methods[SSL_ENC_3DES_IDX] == NULL) ? SSL_3DES:0; |
| 685 » *enc |= (ssl_cipher_methods[SSL_ENC_RC4_IDX ] == NULL) ? SSL_RC4 :0; |
| 686 » *enc |= (ssl_cipher_methods[SSL_ENC_RC2_IDX ] == NULL) ? SSL_RC2 :0; |
| 687 » *enc |= (ssl_cipher_methods[SSL_ENC_IDEA_IDX] == NULL) ? SSL_IDEA:0; |
| 688 » *enc |= (ssl_cipher_methods[SSL_ENC_AES128_IDX] == NULL) ? SSL_AES128:0; |
| 689 » *enc |= (ssl_cipher_methods[SSL_ENC_AES256_IDX] == NULL) ? SSL_AES256:0; |
| 690 » *enc |= (ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX] == NULL) ? SSL_CAME
LLIA128:0; |
| 691 » *enc |= (ssl_cipher_methods[SSL_ENC_CAMELLIA256_IDX] == NULL) ? SSL_CAME
LLIA256:0; |
| 692 » *enc |= (ssl_cipher_methods[SSL_ENC_GOST89_IDX] == NULL) ? SSL_eGOST2814
789CNT:0; |
| 693 » *enc |= (ssl_cipher_methods[SSL_ENC_SEED_IDX] == NULL) ? SSL_SEED:0; |
487 | 694 |
488 » /* finally consider algorithms where mask and m256 differ */ | 695 » *mac |= (ssl_digest_methods[SSL_MD_MD5_IDX ] == NULL) ? SSL_MD5 :0; |
489 » m256 = mask; | 696 » *mac |= (ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL) ? SSL_SHA1:0; |
490 » mask |= (ssl_cipher_methods[SSL_ENC_AES128_IDX] == NULL) ? SSL_AES:0; | 697 » *mac |= (ssl_digest_methods[SSL_MD_GOST94_IDX] == NULL) ? SSL_GOST94:0; |
491 » mask |= (ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX] == NULL) ? SSL_CAME
LLIA:0; | 698 » *mac |= (ssl_digest_methods[SSL_MD_GOST89MAC_IDX] == NULL || ssl_mac_pke
y_id[SSL_MD_GOST89MAC_IDX]==NID_undef)? SSL_GOST89MAC:0; |
492 » m256 |= (ssl_cipher_methods[SSL_ENC_AES256_IDX] == NULL) ? SSL_AES:0; | |
493 » m256 |= (ssl_cipher_methods[SSL_ENC_CAMELLIA256_IDX] == NULL) ? SSL_CAME
LLIA:0; | |
494 | 699 |
495 ret.mask = mask; | |
496 ret.m256 = m256; | |
497 return ret; | |
498 } | 700 } |
499 | 701 |
500 static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method, | 702 static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method, |
501 » » int num_of_ciphers, unsigned long mask, unsigned long m256, | 703 int num_of_ciphers, |
502 » » CIPHER_ORDER *co_list, CIPHER_ORDER **head_p, | 704 unsigned long disabled_mkey, unsigned long disabled_auth, |
503 » » CIPHER_ORDER **tail_p) | 705 unsigned long disabled_enc, unsigned long disabled_mac, |
| 706 unsigned long disabled_ssl, |
| 707 CIPHER_ORDER *co_list, |
| 708 CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) |
504 { | 709 { |
505 int i, co_list_num; | 710 int i, co_list_num; |
506 » SSL_CIPHER *c; | 711 » const SSL_CIPHER *c; |
507 | 712 |
508 /* | 713 /* |
509 * We have num_of_ciphers descriptions compiled in, depending on the | 714 * We have num_of_ciphers descriptions compiled in, depending on the |
510 * method selected (SSLv2 and/or SSLv3, TLSv1 etc). | 715 * method selected (SSLv2 and/or SSLv3, TLSv1 etc). |
511 * These will later be sorted in a linked list with at most num | 716 * These will later be sorted in a linked list with at most num |
512 * entries. | 717 * entries. |
513 */ | 718 */ |
514 | 719 |
515 /* Get the initial list of ciphers */ | 720 /* Get the initial list of ciphers */ |
516 co_list_num = 0; /* actual count of ciphers */ | 721 co_list_num = 0; /* actual count of ciphers */ |
517 for (i = 0; i < num_of_ciphers; i++) | 722 for (i = 0; i < num_of_ciphers; i++) |
518 { | 723 { |
519 c = ssl_method->get_cipher(i); | 724 c = ssl_method->get_cipher(i); |
520 #define IS_MASKED(c) ((c)->algorithms & (((c)->alg_bits == 256) ? m256 : mask)) | |
521 /* drop those that use any of that is not available */ | 725 /* drop those that use any of that is not available */ |
522 #ifdef OPENSSL_FIPS | 726 » » if ((c != NULL) && c->valid && |
523 » » if ((c != NULL) && c->valid && !IS_MASKED(c) | 727 » » !(c->algorithm_mkey & disabled_mkey) && |
524 » » » && (!FIPS_mode() || (c->algo_strength & SSL_FIPS))) | 728 » » !(c->algorithm_auth & disabled_auth) && |
525 #else | 729 » » !(c->algorithm_enc & disabled_enc) && |
526 » » if ((c != NULL) && c->valid && !IS_MASKED(c)) | 730 » » !(c->algorithm_mac & disabled_mac) && |
527 #endif | 731 » » !(c->algorithm_ssl & disabled_ssl)) |
528 { | 732 { |
529 co_list[co_list_num].cipher = c; | 733 co_list[co_list_num].cipher = c; |
530 co_list[co_list_num].next = NULL; | 734 co_list[co_list_num].next = NULL; |
531 co_list[co_list_num].prev = NULL; | 735 co_list[co_list_num].prev = NULL; |
532 co_list[co_list_num].active = 0; | 736 co_list[co_list_num].active = 0; |
533 co_list_num++; | 737 co_list_num++; |
534 #ifdef KSSL_DEBUG | 738 #ifdef KSSL_DEBUG |
535 » » » printf("\t%d: %s %lx %lx\n",i,c->name,c->id,c->algorithm
s); | 739 » » » printf("\t%d: %s %lx %lx %lx\n",i,c->name,c->id,c->algor
ithm_mkey,c->algorithm_auth); |
536 #endif /* KSSL_DEBUG */ | 740 #endif /* KSSL_DEBUG */ |
537 /* | 741 /* |
538 if (!sk_push(ca_list,(char *)c)) goto err; | 742 if (!sk_push(ca_list,(char *)c)) goto err; |
539 */ | 743 */ |
540 } | 744 } |
541 } | 745 } |
542 | 746 |
543 /* | 747 /* |
544 * Prepare linked list from list entries | 748 * Prepare linked list from list entries |
545 */ | 749 */ |
546 for (i = 1; i < co_list_num - 1; i++) | |
547 { | |
548 co_list[i].prev = &(co_list[i-1]); | |
549 co_list[i].next = &(co_list[i+1]); | |
550 } | |
551 if (co_list_num > 0) | 750 if (co_list_num > 0) |
552 { | 751 { |
553 » » (*head_p) = &(co_list[0]); | 752 » » co_list[0].prev = NULL; |
554 » » (*head_p)->prev = NULL; | 753 |
555 » » (*head_p)->next = &(co_list[1]); | 754 » » if (co_list_num > 1) |
556 » » (*tail_p) = &(co_list[co_list_num - 1]); | 755 » » » { |
557 » » (*tail_p)->prev = &(co_list[co_list_num - 2]); | 756 » » » co_list[0].next = &co_list[1]; |
558 » » (*tail_p)->next = NULL; | 757 » » » |
| 758 » » » for (i = 1; i < co_list_num - 1; i++) |
| 759 » » » » { |
| 760 » » » » co_list[i].prev = &co_list[i - 1]; |
| 761 » » » » co_list[i].next = &co_list[i + 1]; |
| 762 » » » » } |
| 763 |
| 764 » » » co_list[co_list_num - 1].prev = &co_list[co_list_num - 2
]; |
| 765 » » » } |
| 766 » » |
| 767 » » co_list[co_list_num - 1].next = NULL; |
| 768 |
| 769 » » *head_p = &co_list[0]; |
| 770 » » *tail_p = &co_list[co_list_num - 1]; |
559 } | 771 } |
560 } | 772 } |
561 | 773 |
562 static void ssl_cipher_collect_aliases(SSL_CIPHER **ca_list, | 774 static void ssl_cipher_collect_aliases(const SSL_CIPHER **ca_list, |
563 » » » int num_of_group_aliases, unsigned long mask, | 775 int num_of_group_aliases, |
| 776 unsigned long disabled_mkey, unsigned long disabled_auth
, |
| 777 unsigned long disabled_enc, unsigned long disabled_mac, |
| 778 unsigned long disabled_ssl, |
564 CIPHER_ORDER *head) | 779 CIPHER_ORDER *head) |
565 { | 780 { |
566 CIPHER_ORDER *ciph_curr; | 781 CIPHER_ORDER *ciph_curr; |
567 » SSL_CIPHER **ca_curr; | 782 » const SSL_CIPHER **ca_curr; |
568 int i; | 783 int i; |
| 784 unsigned long mask_mkey = ~disabled_mkey; |
| 785 unsigned long mask_auth = ~disabled_auth; |
| 786 unsigned long mask_enc = ~disabled_enc; |
| 787 unsigned long mask_mac = ~disabled_mac; |
| 788 unsigned long mask_ssl = ~disabled_ssl; |
569 | 789 |
570 /* | 790 /* |
571 * First, add the real ciphers as already collected | 791 * First, add the real ciphers as already collected |
572 */ | 792 */ |
573 ciph_curr = head; | 793 ciph_curr = head; |
574 ca_curr = ca_list; | 794 ca_curr = ca_list; |
575 while (ciph_curr != NULL) | 795 while (ciph_curr != NULL) |
576 { | 796 { |
577 *ca_curr = ciph_curr->cipher; | 797 *ca_curr = ciph_curr->cipher; |
578 ca_curr++; | 798 ca_curr++; |
579 ciph_curr = ciph_curr->next; | 799 ciph_curr = ciph_curr->next; |
580 } | 800 } |
581 | 801 |
582 /* | 802 /* |
583 * Now we add the available ones from the cipher_aliases[] table. | 803 * Now we add the available ones from the cipher_aliases[] table. |
584 » * They represent either an algorithm, that must be fully | 804 » * They represent either one or more algorithms, some of which |
585 » * supported (not match any bit in mask) or represent a cipher | 805 » * in any affected category must be supported (set in enabled_mask), |
586 » * strength value (will be added in any case because algorithms=0). | 806 » * or represent a cipher strength value (will be added in any case becau
se algorithms=0). |
587 */ | 807 */ |
588 for (i = 0; i < num_of_group_aliases; i++) | 808 for (i = 0; i < num_of_group_aliases; i++) |
589 { | 809 { |
590 » » if ((i == 0) ||»» /* always fetch "ALL" */ | 810 » » unsigned long algorithm_mkey = cipher_aliases[i].algorithm_mkey; |
591 » » !(cipher_aliases[i].algorithms & mask)) | 811 » » unsigned long algorithm_auth = cipher_aliases[i].algorithm_auth; |
592 » » » { | 812 » » unsigned long algorithm_enc = cipher_aliases[i].algorithm_enc; |
593 » » » *ca_curr = (SSL_CIPHER *)(cipher_aliases + i); | 813 » » unsigned long algorithm_mac = cipher_aliases[i].algorithm_mac; |
594 » » » ca_curr++; | 814 » » unsigned long algorithm_ssl = cipher_aliases[i].algorithm_ssl; |
595 » » » } | 815 |
| 816 » » if (algorithm_mkey) |
| 817 » » » if ((algorithm_mkey & mask_mkey) == 0) |
| 818 » » » » continue; |
| 819 » |
| 820 » » if (algorithm_auth) |
| 821 » » » if ((algorithm_auth & mask_auth) == 0) |
| 822 » » » » continue; |
| 823 » » |
| 824 » » if (algorithm_enc) |
| 825 » » » if ((algorithm_enc & mask_enc) == 0) |
| 826 » » » » continue; |
| 827 » » |
| 828 » » if (algorithm_mac) |
| 829 » » » if ((algorithm_mac & mask_mac) == 0) |
| 830 » » » » continue; |
| 831 » » |
| 832 » » if (algorithm_ssl) |
| 833 » » » if ((algorithm_ssl & mask_ssl) == 0) |
| 834 » » » » continue; |
| 835 » » |
| 836 » » *ca_curr = (SSL_CIPHER *)(cipher_aliases + i); |
| 837 » » ca_curr++; |
596 } | 838 } |
597 | 839 |
598 *ca_curr = NULL; /* end of list */ | 840 *ca_curr = NULL; /* end of list */ |
599 } | 841 } |
600 | 842 |
601 static void ssl_cipher_apply_rule(unsigned long cipher_id, unsigned long ssl_ver
sion, | 843 static void ssl_cipher_apply_rule(unsigned long cipher_id, |
602 » » unsigned long algorithms, unsigned long mask, | 844 unsigned long alg_mkey, unsigned long alg_auth, |
603 » » unsigned long algo_strength, unsigned long mask_strength, | 845 unsigned long alg_enc, unsigned long alg_mac, |
604 » » int rule, int strength_bits, CIPHER_ORDER *co_list, | 846 unsigned long alg_ssl, |
| 847 » » unsigned long algo_strength, |
| 848 » » int rule, int strength_bits, |
605 CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) | 849 CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) |
606 { | 850 { |
607 » CIPHER_ORDER *head, *tail, *curr, *curr2, *tail2; | 851 » CIPHER_ORDER *head, *tail, *curr, *curr2, *last; |
608 » SSL_CIPHER *cp; | 852 » const SSL_CIPHER *cp; |
609 » unsigned long ma, ma_s; | 853 » int reverse = 0; |
610 | 854 |
611 #ifdef CIPHER_DEBUG | 855 #ifdef CIPHER_DEBUG |
612 » printf("Applying rule %d with %08lx %08lx %08lx %08lx (%d)\n", | 856 » printf("Applying rule %d with %08lx/%08lx/%08lx/%08lx/%08lx %08lx (%d)\n
", |
613 » » rule, algorithms, mask, algo_strength, mask_strength, | 857 » » rule, alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, algo_streng
th, strength_bits); |
614 » » strength_bits); | |
615 #endif | 858 #endif |
616 | 859 |
617 » curr = head = *head_p; | 860 » if (rule == CIPHER_DEL) |
618 » curr2 = head; | 861 » » reverse = 1; /* needed to maintain sorting between currently del
eted ciphers */ |
619 » tail2 = tail = *tail_p; | 862 |
| 863 » head = *head_p; |
| 864 » tail = *tail_p; |
| 865 |
| 866 » if (reverse) |
| 867 » » { |
| 868 » » curr = tail; |
| 869 » » last = head; |
| 870 » » } |
| 871 » else |
| 872 » » { |
| 873 » » curr = head; |
| 874 » » last = tail; |
| 875 » » } |
| 876 |
| 877 » curr2 = curr; |
620 for (;;) | 878 for (;;) |
621 { | 879 { |
622 » » if ((curr == NULL) || (curr == tail2)) break; | 880 » » if ((curr == NULL) || (curr == last)) break; |
623 curr = curr2; | 881 curr = curr2; |
624 » » curr2 = curr->next; | 882 » » curr2 = reverse ? curr->prev : curr->next; |
625 | 883 |
626 cp = curr->cipher; | 884 cp = curr->cipher; |
627 | 885 |
628 » » /* If explicit cipher suite, match only that one for its own pro
tocol version. | 886 » » /* |
629 » » * Usual selection criteria will be used for similar ciphersuite
s from other version! */ | 887 » » * Selection criteria is either the value of strength_bits |
| 888 » » * or the algorithms used. |
| 889 » » */ |
| 890 » » if (strength_bits >= 0) |
| 891 » » » { |
| 892 » » » if (strength_bits != cp->strength_bits) |
| 893 » » » » continue; |
| 894 » » » } |
| 895 » » else |
| 896 » » » { |
| 897 #ifdef CIPHER_DEBUG |
| 898 » » » printf("\nName: %s:\nAlgo = %08lx/%08lx/%08lx/%08lx/%08l
x Algo_strength = %08lx\n", cp->name, cp->algorithm_mkey, cp->algorithm_auth, cp
->algorithm_enc, cp->algorithm_mac, cp->algorithm_ssl, cp->algo_strength); |
| 899 #endif |
630 | 900 |
631 » » if (cipher_id && (cp->algorithms & SSL_SSL_MASK) == ssl_version) | 901 » » » if (alg_mkey && !(alg_mkey & cp->algorithm_mkey)) |
632 » » » { | 902 » » » » continue; |
633 » » » if (cp->id != cipher_id) | 903 » » » if (alg_auth && !(alg_auth & cp->algorithm_auth)) |
| 904 » » » » continue; |
| 905 » » » if (alg_enc && !(alg_enc & cp->algorithm_enc)) |
| 906 » » » » continue; |
| 907 » » » if (alg_mac && !(alg_mac & cp->algorithm_mac)) |
| 908 » » » » continue; |
| 909 » » » if (alg_ssl && !(alg_ssl & cp->algorithm_ssl)) |
| 910 » » » » continue; |
| 911 » » » if ((algo_strength & SSL_EXP_MASK) && !(algo_strength &
SSL_EXP_MASK & cp->algo_strength)) |
| 912 » » » » continue; |
| 913 » » » if ((algo_strength & SSL_STRONG_MASK) && !(algo_strength
& SSL_STRONG_MASK & cp->algo_strength)) |
634 continue; | 914 continue; |
635 } | 915 } |
636 | 916 |
637 /* | |
638 * Selection criteria is either the number of strength_bits | |
639 * or the algorithm used. | |
640 */ | |
641 else if (strength_bits == -1) | |
642 { | |
643 ma = mask & cp->algorithms; | |
644 ma_s = mask_strength & cp->algo_strength; | |
645 | |
646 #ifdef CIPHER_DEBUG | |
647 printf("\nName: %s:\nAlgo = %08lx Algo_strength = %08lx\
nMask = %08lx Mask_strength %08lx\n", cp->name, cp->algorithms, cp->algo_strengt
h, mask, mask_strength); | |
648 printf("ma = %08lx ma_s %08lx, ma&algo=%08lx, ma_s&algos
=%08lx\n", ma, ma_s, ma&algorithms, ma_s&algo_strength); | |
649 #endif | |
650 /* | |
651 * Select: if none of the mask bit was met from the | |
652 * cipher or not all of the bits were met, the | |
653 * selection does not apply. | |
654 */ | |
655 if (((ma == 0) && (ma_s == 0)) || | |
656 ((ma & algorithms) != ma) || | |
657 ((ma_s & algo_strength) != ma_s)) | |
658 continue; /* does not apply */ | |
659 } | |
660 else if (strength_bits != cp->strength_bits) | |
661 continue; /* does not apply */ | |
662 | |
663 #ifdef CIPHER_DEBUG | 917 #ifdef CIPHER_DEBUG |
664 printf("Action = %d\n", rule); | 918 printf("Action = %d\n", rule); |
665 #endif | 919 #endif |
666 | 920 |
667 /* add the cipher if it has not been added yet. */ | 921 /* add the cipher if it has not been added yet. */ |
668 if (rule == CIPHER_ADD) | 922 if (rule == CIPHER_ADD) |
669 { | 923 { |
| 924 /* reverse == 0 */ |
670 if (!curr->active) | 925 if (!curr->active) |
671 { | 926 { |
672 » » » » int add_this_cipher = 1; | 927 » » » » ll_append_tail(&head, curr, &tail); |
673 | 928 » » » » curr->active = 1; |
674 » » » » if (((cp->algorithms & (SSL_kECDHE|SSL_kECDH|SSL
_aECDSA)) != 0)) | |
675 » » » » » { | |
676 » » » » » /* Make sure "ECCdraft" ciphersuites are
activated only if | |
677 » » » » » * *explicitly* requested, but not impli
citly (such as | |
678 » » » » » * as part of the "AES" alias). */ | |
679 | |
680 » » » » » add_this_cipher = (mask & (SSL_kECDHE|SS
L_kECDH|SSL_aECDSA)) != 0 || cipher_id != 0; | |
681 » » » » » } | |
682 » » » » | |
683 » » » » if (add_this_cipher) | |
684 » » » » » { | |
685 » » » » » ll_append_tail(&head, curr, &tail); | |
686 » » » » » curr->active = 1; | |
687 » » » » » } | |
688 } | 929 } |
689 } | 930 } |
690 /* Move the added cipher to this location */ | 931 /* Move the added cipher to this location */ |
691 else if (rule == CIPHER_ORD) | 932 else if (rule == CIPHER_ORD) |
692 { | 933 { |
| 934 /* reverse == 0 */ |
693 if (curr->active) | 935 if (curr->active) |
694 { | 936 { |
695 ll_append_tail(&head, curr, &tail); | 937 ll_append_tail(&head, curr, &tail); |
696 } | 938 } |
697 } | 939 } |
698 else if (rule == CIPHER_DEL) | 940 else if (rule == CIPHER_DEL) |
699 » » » curr->active = 0; | 941 » » » { |
| 942 » » » /* reverse == 1 */ |
| 943 » » » if (curr->active) |
| 944 » » » » { |
| 945 » » » » /* most recently deleted ciphersuites get best p
ositions |
| 946 » » » » * for any future CIPHER_ADD (note that the CIPH
ER_DEL loop |
| 947 » » » » * works in reverse to maintain the order) */ |
| 948 » » » » ll_append_head(&head, curr, &tail); |
| 949 » » » » curr->active = 0; |
| 950 » » » » } |
| 951 » » » } |
700 else if (rule == CIPHER_KILL) | 952 else if (rule == CIPHER_KILL) |
701 { | 953 { |
| 954 /* reverse == 0 */ |
702 if (head == curr) | 955 if (head == curr) |
703 head = curr->next; | 956 head = curr->next; |
704 else | 957 else |
705 curr->prev->next = curr->next; | 958 curr->prev->next = curr->next; |
706 if (tail == curr) | 959 if (tail == curr) |
707 tail = curr->prev; | 960 tail = curr->prev; |
708 curr->active = 0; | 961 curr->active = 0; |
709 if (curr->next != NULL) | 962 if (curr->next != NULL) |
710 curr->next->prev = curr->prev; | 963 curr->next->prev = curr->prev; |
711 if (curr->prev != NULL) | 964 if (curr->prev != NULL) |
712 curr->prev->next = curr->next; | 965 curr->prev->next = curr->next; |
713 curr->next = NULL; | 966 curr->next = NULL; |
714 curr->prev = NULL; | 967 curr->prev = NULL; |
715 } | 968 } |
716 } | 969 } |
717 | 970 |
718 *head_p = head; | 971 *head_p = head; |
719 *tail_p = tail; | 972 *tail_p = tail; |
720 } | 973 } |
721 | 974 |
722 static int ssl_cipher_strength_sort(CIPHER_ORDER *co_list, | 975 static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p, |
723 » » » » CIPHER_ORDER **head_p, | |
724 CIPHER_ORDER **tail_p) | 976 CIPHER_ORDER **tail_p) |
725 { | 977 { |
726 int max_strength_bits, i, *number_uses; | 978 int max_strength_bits, i, *number_uses; |
727 CIPHER_ORDER *curr; | 979 CIPHER_ORDER *curr; |
728 | 980 |
729 /* | 981 /* |
730 * This routine sorts the ciphers with descending strength. The sorting | 982 * This routine sorts the ciphers with descending strength. The sorting |
731 * must keep the pre-sorted sequence, so we apply the normal sorting | 983 * must keep the pre-sorted sequence, so we apply the normal sorting |
732 * routine as '+' movement to the end of the list. | 984 * routine as '+' movement to the end of the list. |
733 */ | 985 */ |
734 max_strength_bits = 0; | 986 max_strength_bits = 0; |
735 curr = *head_p; | 987 curr = *head_p; |
736 while (curr != NULL) | 988 while (curr != NULL) |
737 { | 989 { |
738 if (curr->active && | 990 if (curr->active && |
739 (curr->cipher->strength_bits > max_strength_bits)) | 991 (curr->cipher->strength_bits > max_strength_bits)) |
740 max_strength_bits = curr->cipher->strength_bits; | 992 max_strength_bits = curr->cipher->strength_bits; |
741 curr = curr->next; | 993 curr = curr->next; |
742 } | 994 } |
743 | 995 |
744 number_uses = OPENSSL_malloc((max_strength_bits + 1) * sizeof(int)); | 996 number_uses = OPENSSL_malloc((max_strength_bits + 1) * sizeof(int)); |
745 if (!number_uses) | 997 if (!number_uses) |
746 » { | 998 » » { |
747 SSLerr(SSL_F_SSL_CIPHER_STRENGTH_SORT,ERR_R_MALLOC_FAILURE); | 999 SSLerr(SSL_F_SSL_CIPHER_STRENGTH_SORT,ERR_R_MALLOC_FAILURE); |
748 return(0); | 1000 return(0); |
749 » } | 1001 » » } |
750 memset(number_uses, 0, (max_strength_bits + 1) * sizeof(int)); | 1002 memset(number_uses, 0, (max_strength_bits + 1) * sizeof(int)); |
751 | 1003 |
752 /* | 1004 /* |
753 * Now find the strength_bits values actually used | 1005 * Now find the strength_bits values actually used |
754 */ | 1006 */ |
755 curr = *head_p; | 1007 curr = *head_p; |
756 while (curr != NULL) | 1008 while (curr != NULL) |
757 { | 1009 { |
758 if (curr->active) | 1010 if (curr->active) |
759 number_uses[curr->cipher->strength_bits]++; | 1011 number_uses[curr->cipher->strength_bits]++; |
760 curr = curr->next; | 1012 curr = curr->next; |
761 } | 1013 } |
762 /* | 1014 /* |
763 * Go through the list of used strength_bits values in descending | 1015 * Go through the list of used strength_bits values in descending |
764 * order. | 1016 * order. |
765 */ | 1017 */ |
766 for (i = max_strength_bits; i >= 0; i--) | 1018 for (i = max_strength_bits; i >= 0; i--) |
767 if (number_uses[i] > 0) | 1019 if (number_uses[i] > 0) |
768 » » » ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, CIPHER_ORD, i, | 1020 » » » ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ORD, i
, head_p, tail_p); |
769 » » » » » co_list, head_p, tail_p); | |
770 | 1021 |
771 OPENSSL_free(number_uses); | 1022 OPENSSL_free(number_uses); |
772 return(1); | 1023 return(1); |
773 } | 1024 } |
774 | 1025 |
775 static int ssl_cipher_process_rulestr(const char *rule_str, | 1026 static int ssl_cipher_process_rulestr(const char *rule_str, |
776 » » CIPHER_ORDER *co_list, CIPHER_ORDER **head_p, | 1027 CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p, |
777 » » CIPHER_ORDER **tail_p, SSL_CIPHER **ca_list) | 1028 const SSL_CIPHER **ca_list) |
778 { | 1029 { |
779 » unsigned long algorithms, mask, algo_strength, mask_strength; | 1030 » unsigned long alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, algo_streng
th; |
780 » const char *l, *start, *buf; | 1031 » const char *l, *buf; |
781 int j, multi, found, rule, retval, ok, buflen; | 1032 int j, multi, found, rule, retval, ok, buflen; |
782 » unsigned long cipher_id = 0, ssl_version = 0; | 1033 » unsigned long cipher_id = 0; |
783 char ch; | 1034 char ch; |
784 | 1035 |
785 retval = 1; | 1036 retval = 1; |
786 l = rule_str; | 1037 l = rule_str; |
787 for (;;) | 1038 for (;;) |
788 { | 1039 { |
789 ch = *l; | 1040 ch = *l; |
790 | 1041 |
791 if (ch == '\0') | 1042 if (ch == '\0') |
792 break; /* done */ | 1043 break; /* done */ |
793 if (ch == '-') | 1044 if (ch == '-') |
794 { rule = CIPHER_DEL; l++; } | 1045 { rule = CIPHER_DEL; l++; } |
795 else if (ch == '+') | 1046 else if (ch == '+') |
796 { rule = CIPHER_ORD; l++; } | 1047 { rule = CIPHER_ORD; l++; } |
797 else if (ch == '!') | 1048 else if (ch == '!') |
798 { rule = CIPHER_KILL; l++; } | 1049 { rule = CIPHER_KILL; l++; } |
799 else if (ch == '@') | 1050 else if (ch == '@') |
800 { rule = CIPHER_SPECIAL; l++; } | 1051 { rule = CIPHER_SPECIAL; l++; } |
801 else | 1052 else |
802 { rule = CIPHER_ADD; } | 1053 { rule = CIPHER_ADD; } |
803 | 1054 |
804 if (ITEM_SEP(ch)) | 1055 if (ITEM_SEP(ch)) |
805 { | 1056 { |
806 l++; | 1057 l++; |
807 continue; | 1058 continue; |
808 } | 1059 } |
809 | 1060 |
810 » » algorithms = mask = algo_strength = mask_strength = 0; | 1061 » » alg_mkey = 0; |
| 1062 » » alg_auth = 0; |
| 1063 » » alg_enc = 0; |
| 1064 » » alg_mac = 0; |
| 1065 » » alg_ssl = 0; |
| 1066 » » algo_strength = 0; |
811 | 1067 |
812 start=l; | |
813 for (;;) | 1068 for (;;) |
814 { | 1069 { |
815 ch = *l; | 1070 ch = *l; |
816 buf = l; | 1071 buf = l; |
817 buflen = 0; | 1072 buflen = 0; |
818 #ifndef CHARSET_EBCDIC | 1073 #ifndef CHARSET_EBCDIC |
819 while ( ((ch >= 'A') && (ch <= 'Z')) || | 1074 while ( ((ch >= 'A') && (ch <= 'Z')) || |
820 ((ch >= '0') && (ch <= '9')) || | 1075 ((ch >= '0') && (ch <= '9')) || |
821 ((ch >= 'a') && (ch <= 'z')) || | 1076 ((ch >= 'a') && (ch <= 'z')) || |
822 (ch == '-')) | 1077 (ch == '-')) |
(...skipping 38 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
861 * Now search for the cipher alias in the ca_list. Be ca
reful | 1116 * Now search for the cipher alias in the ca_list. Be ca
reful |
862 * with the strncmp, because the "buflen" limitation | 1117 * with the strncmp, because the "buflen" limitation |
863 * will make the rule "ADH:SOME" and the cipher | 1118 * will make the rule "ADH:SOME" and the cipher |
864 * "ADH-MY-CIPHER" look like a match for buflen=3. | 1119 * "ADH-MY-CIPHER" look like a match for buflen=3. |
865 * So additionally check whether the cipher name found | 1120 * So additionally check whether the cipher name found |
866 * has the correct length. We can save a strlen() call: | 1121 * has the correct length. We can save a strlen() call: |
867 * just checking for the '\0' at the right place is | 1122 * just checking for the '\0' at the right place is |
868 * sufficient, we have to strncmp() anyway. (We cannot | 1123 * sufficient, we have to strncmp() anyway. (We cannot |
869 * use strcmp(), because buf is not '\0' terminated.) | 1124 * use strcmp(), because buf is not '\0' terminated.) |
870 */ | 1125 */ |
871 » » » j = found = 0; | 1126 » » » j = found = 0; |
872 » » » cipher_id = 0; | 1127 » » » cipher_id = 0; |
873 » » » ssl_version = 0; | 1128 » » » while (ca_list[j]) |
874 » » » while (ca_list[j]) | |
875 { | 1129 { |
876 if (!strncmp(buf, ca_list[j]->name, buflen) && | 1130 if (!strncmp(buf, ca_list[j]->name, buflen) && |
877 (ca_list[j]->name[buflen] == '\0')) | 1131 (ca_list[j]->name[buflen] == '\0')) |
878 { | 1132 { |
879 found = 1; | 1133 found = 1; |
880 break; | 1134 break; |
881 } | 1135 } |
882 else | 1136 else |
883 j++; | 1137 j++; |
884 } | 1138 } |
| 1139 |
885 if (!found) | 1140 if (!found) |
886 break; /* ignore this entry */ | 1141 break; /* ignore this entry */ |
887 | 1142 |
888 » » » /* New algorithms: | 1143 » » » if (ca_list[j]->algorithm_mkey) |
889 » » » * 1 - any old restrictions apply outside new mask | 1144 » » » » { |
890 » » » * 2 - any new restrictions apply outside old mask | 1145 » » » » if (alg_mkey) |
891 » » » * 3 - enforce old & new where masks intersect | 1146 » » » » » { |
892 » » » */ | 1147 » » » » » alg_mkey &= ca_list[j]->algorithm_mkey; |
893 » » » algorithms = (algorithms & ~ca_list[j]->mask) |»»
/* 1 */ | 1148 » » » » » if (!alg_mkey) { found = 0; break; } |
894 » » » (ca_list[j]->algorithms & ~mask) |»»
/* 2 */ | 1149 » » » » » } |
895 » » » (algorithms & ca_list[j]->algorithms);»
/* 3 */ | 1150 » » » » else |
896 » » » mask |= ca_list[j]->mask; | 1151 » » » » » alg_mkey = ca_list[j]->algorithm_mkey; |
897 » » » algo_strength = (algo_strength & ~ca_list[j]->mask_stren
gth) | | 1152 » » » » } |
898 » » » (ca_list[j]->algo_strength & ~mask_stren
gth) | | |
899 » » » (algo_strength & ca_list[j]->algo_streng
th); | |
900 » » » mask_strength |= ca_list[j]->mask_strength; | |
901 | 1153 |
902 » » » /* explicit ciphersuite found */ | 1154 » » » if (ca_list[j]->algorithm_auth) |
| 1155 » » » » { |
| 1156 » » » » if (alg_auth) |
| 1157 » » » » » { |
| 1158 » » » » » alg_auth &= ca_list[j]->algorithm_auth; |
| 1159 » » » » » if (!alg_auth) { found = 0; break; } |
| 1160 » » » » » } |
| 1161 » » » » else |
| 1162 » » » » » alg_auth = ca_list[j]->algorithm_auth; |
| 1163 » » » » } |
| 1164 » » » |
| 1165 » » » if (ca_list[j]->algorithm_enc) |
| 1166 » » » » { |
| 1167 » » » » if (alg_enc) |
| 1168 » » » » » { |
| 1169 » » » » » alg_enc &= ca_list[j]->algorithm_enc; |
| 1170 » » » » » if (!alg_enc) { found = 0; break; } |
| 1171 » » » » » } |
| 1172 » » » » else |
| 1173 » » » » » alg_enc = ca_list[j]->algorithm_enc; |
| 1174 » » » » } |
| 1175 » » » » » » |
| 1176 » » » if (ca_list[j]->algorithm_mac) |
| 1177 » » » » { |
| 1178 » » » » if (alg_mac) |
| 1179 » » » » » { |
| 1180 » » » » » alg_mac &= ca_list[j]->algorithm_mac; |
| 1181 » » » » » if (!alg_mac) { found = 0; break; } |
| 1182 » » » » » } |
| 1183 » » » » else |
| 1184 » » » » » alg_mac = ca_list[j]->algorithm_mac; |
| 1185 » » » » } |
| 1186 » » » |
| 1187 » » » if (ca_list[j]->algo_strength & SSL_EXP_MASK) |
| 1188 » » » » { |
| 1189 » » » » if (algo_strength & SSL_EXP_MASK) |
| 1190 » » » » » { |
| 1191 » » » » » algo_strength &= (ca_list[j]->algo_stren
gth & SSL_EXP_MASK) | ~SSL_EXP_MASK; |
| 1192 » » » » » if (!(algo_strength & SSL_EXP_MASK)) { f
ound = 0; break; } |
| 1193 » » » » » } |
| 1194 » » » » else |
| 1195 » » » » » algo_strength |= ca_list[j]->algo_streng
th & SSL_EXP_MASK; |
| 1196 » » » » } |
| 1197 |
| 1198 » » » if (ca_list[j]->algo_strength & SSL_STRONG_MASK) |
| 1199 » » » » { |
| 1200 » » » » if (algo_strength & SSL_STRONG_MASK) |
| 1201 » » » » » { |
| 1202 » » » » » algo_strength &= (ca_list[j]->algo_stren
gth & SSL_STRONG_MASK) | ~SSL_STRONG_MASK; |
| 1203 » » » » » if (!(algo_strength & SSL_STRONG_MASK))
{ found = 0; break; } |
| 1204 » » » » » } |
| 1205 » » » » else |
| 1206 » » » » » algo_strength |= ca_list[j]->algo_streng
th & SSL_STRONG_MASK; |
| 1207 » » » » } |
| 1208 » » » |
903 if (ca_list[j]->valid) | 1209 if (ca_list[j]->valid) |
904 { | 1210 { |
| 1211 /* explicit ciphersuite found; its protocol vers
ion |
| 1212 * does not become part of the search pattern!*/ |
| 1213 |
905 cipher_id = ca_list[j]->id; | 1214 cipher_id = ca_list[j]->id; |
906 ssl_version = ca_list[j]->algorithms & SSL_SSL_M
ASK; | |
907 break; | |
908 } | 1215 } |
| 1216 else |
| 1217 { |
| 1218 /* not an explicit ciphersuite; only in this cas
e, the |
| 1219 * protocol version is considered part of the se
arch pattern */ |
909 | 1220 |
| 1221 if (ca_list[j]->algorithm_ssl) |
| 1222 { |
| 1223 if (alg_ssl) |
| 1224 { |
| 1225 alg_ssl &= ca_list[j]->algorithm
_ssl; |
| 1226 if (!alg_ssl) { found = 0; break
; } |
| 1227 } |
| 1228 else |
| 1229 alg_ssl = ca_list[j]->algorithm_
ssl; |
| 1230 } |
| 1231 } |
| 1232 |
910 if (!multi) break; | 1233 if (!multi) break; |
911 } | 1234 } |
912 | 1235 |
913 /* | 1236 /* |
914 * Ok, we have the rule, now apply it | 1237 * Ok, we have the rule, now apply it |
915 */ | 1238 */ |
916 if (rule == CIPHER_SPECIAL) | 1239 if (rule == CIPHER_SPECIAL) |
917 { /* special command */ | 1240 { /* special command */ |
918 ok = 0; | 1241 ok = 0; |
919 if ((buflen == 8) && | 1242 if ((buflen == 8) && |
920 !strncmp(buf, "STRENGTH", 8)) | 1243 !strncmp(buf, "STRENGTH", 8)) |
921 » » » » ok = ssl_cipher_strength_sort(co_list, | 1244 » » » » ok = ssl_cipher_strength_sort(head_p, tail_p); |
922 » » » » » head_p, tail_p); | |
923 else | 1245 else |
924 SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, | 1246 SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, |
925 SSL_R_INVALID_COMMAND); | 1247 SSL_R_INVALID_COMMAND); |
926 if (ok == 0) | 1248 if (ok == 0) |
927 retval = 0; | 1249 retval = 0; |
928 /* | 1250 /* |
929 * We do not support any "multi" options | 1251 * We do not support any "multi" options |
930 * together with "@", so throw away the | 1252 * together with "@", so throw away the |
931 * rest of the command, if any left, until | 1253 * rest of the command, if any left, until |
932 * end or ':' is found. | 1254 * end or ':' is found. |
933 */ | 1255 */ |
934 while ((*l != '\0') && !ITEM_SEP(*l)) | 1256 while ((*l != '\0') && !ITEM_SEP(*l)) |
935 l++; | 1257 l++; |
936 } | 1258 } |
937 else if (found) | 1259 else if (found) |
938 { | 1260 { |
939 » » » ssl_cipher_apply_rule(cipher_id, ssl_version, algorithms
, mask, | 1261 » » » ssl_cipher_apply_rule(cipher_id, |
940 » » » » algo_strength, mask_strength, rule, -1, | 1262 » » » » alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, a
lgo_strength, |
941 » » » » co_list, head_p, tail_p); | 1263 » » » » rule, -1, head_p, tail_p); |
942 } | 1264 } |
943 else | 1265 else |
944 { | 1266 { |
945 while ((*l != '\0') && !ITEM_SEP(*l)) | 1267 while ((*l != '\0') && !ITEM_SEP(*l)) |
946 l++; | 1268 l++; |
947 } | 1269 } |
948 if (*l == '\0') break; /* done */ | 1270 if (*l == '\0') break; /* done */ |
949 } | 1271 } |
950 | 1272 |
951 return(retval); | 1273 return(retval); |
952 } | 1274 } |
953 | 1275 |
954 STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, | 1276 STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, |
955 STACK_OF(SSL_CIPHER) **cipher_list, | 1277 STACK_OF(SSL_CIPHER) **cipher_list, |
956 STACK_OF(SSL_CIPHER) **cipher_list_by_id, | 1278 STACK_OF(SSL_CIPHER) **cipher_list_by_id, |
957 const char *rule_str) | 1279 const char *rule_str) |
958 { | 1280 { |
959 int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases; | 1281 int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases; |
960 » unsigned long disabled_mask; | 1282 » unsigned long disabled_mkey, disabled_auth, disabled_enc, disabled_mac,
disabled_ssl; |
961 » unsigned long disabled_m256; | |
962 STACK_OF(SSL_CIPHER) *cipherstack, *tmp_cipher_list; | 1283 STACK_OF(SSL_CIPHER) *cipherstack, *tmp_cipher_list; |
963 const char *rule_p; | 1284 const char *rule_p; |
964 CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr; | 1285 CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr; |
965 » SSL_CIPHER **ca_list = NULL; | 1286 » const SSL_CIPHER **ca_list = NULL; |
966 | 1287 |
967 /* | 1288 /* |
968 * Return with error if nothing to do. | 1289 * Return with error if nothing to do. |
969 */ | 1290 */ |
970 if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL
) | 1291 if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL
) |
971 return NULL; | 1292 return NULL; |
972 | 1293 |
973 /* | 1294 /* |
974 * To reduce the work to do we only want to process the compiled | 1295 * To reduce the work to do we only want to process the compiled |
975 * in algorithms, so we first get the mask of disabled ciphers. | 1296 * in algorithms, so we first get the mask of disabled ciphers. |
976 */ | 1297 */ |
977 » { | 1298 » ssl_cipher_get_disabled(&disabled_mkey, &disabled_auth, &disabled_enc, &
disabled_mac, &disabled_ssl); |
978 » » struct disabled_masks d; | |
979 » » d = ssl_cipher_get_disabled(); | |
980 » » disabled_mask = d.mask; | |
981 » » disabled_m256 = d.m256; | |
982 » } | |
983 | 1299 |
984 /* | 1300 /* |
985 * Now we have to collect the available ciphers from the compiled | 1301 * Now we have to collect the available ciphers from the compiled |
986 * in ciphers. We cannot get more than the number compiled in, so | 1302 * in ciphers. We cannot get more than the number compiled in, so |
987 * it is used for allocation. | 1303 * it is used for allocation. |
988 */ | 1304 */ |
989 num_of_ciphers = ssl_method->num_ciphers(); | 1305 num_of_ciphers = ssl_method->num_ciphers(); |
990 #ifdef KSSL_DEBUG | 1306 #ifdef KSSL_DEBUG |
991 printf("ssl_create_cipher_list() for %d ciphers\n", num_of_ciphers); | 1307 printf("ssl_create_cipher_list() for %d ciphers\n", num_of_ciphers); |
992 #endif /* KSSL_DEBUG */ | 1308 #endif /* KSSL_DEBUG */ |
993 co_list = (CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * num_of_c
iphers); | 1309 co_list = (CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * num_of_c
iphers); |
994 if (co_list == NULL) | 1310 if (co_list == NULL) |
995 { | 1311 { |
996 SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE); | 1312 SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE); |
997 return(NULL); /* Failure */ | 1313 return(NULL); /* Failure */ |
998 } | 1314 } |
999 | 1315 |
1000 » ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers, disabled_mask, | 1316 » ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers, |
1001 » » » » disabled_m256, co_list, &head, &tail); | 1317 » disabled_mkey, disabled_auth, disabled_enc, d
isabled_mac, disabled_ssl, |
| 1318 » co_list, &head, &tail); |
| 1319 |
| 1320 |
| 1321 » /* Now arrange all ciphers by preference: */ |
| 1322 |
| 1323 » /* Everything else being equal, prefer ephemeral ECDH over other key exc
hange mechanisms */ |
| 1324 » ssl_cipher_apply_rule(0, SSL_kEECDH, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &hea
d, &tail); |
| 1325 » ssl_cipher_apply_rule(0, SSL_kEECDH, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &hea
d, &tail); |
| 1326 |
| 1327 » /* AES is our preferred symmetric cipher */ |
| 1328 » ssl_cipher_apply_rule(0, 0, 0, SSL_AES, 0, 0, 0, CIPHER_ADD, -1, &head,
&tail); |
| 1329 |
| 1330 » /* Temporarily enable everything else for sorting */ |
| 1331 » ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail)
; |
| 1332 |
| 1333 » /* Low priority for MD5 */ |
| 1334 » ssl_cipher_apply_rule(0, 0, 0, 0, SSL_MD5, 0, 0, CIPHER_ORD, -1, &head,
&tail); |
| 1335 |
| 1336 » /* Move anonymous ciphers to the end. Usually, these will remain disabl
ed. |
| 1337 » * (For applications that allow them, they aren't too bad, but we prefer |
| 1338 » * authenticated ciphers.) */ |
| 1339 » ssl_cipher_apply_rule(0, 0, SSL_aNULL, 0, 0, 0, 0, CIPHER_ORD, -1, &head
, &tail); |
| 1340 |
| 1341 » /* Move ciphers without forward secrecy to the end */ |
| 1342 » ssl_cipher_apply_rule(0, 0, SSL_aECDH, 0, 0, 0, 0, CIPHER_ORD, -1, &head
, &tail); |
| 1343 » /* ssl_cipher_apply_rule(0, 0, SSL_aDH, 0, 0, 0, 0, CIPHER_ORD, -1, &hea
d, &tail); */ |
| 1344 » ssl_cipher_apply_rule(0, SSL_kRSA, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head,
&tail); |
| 1345 » ssl_cipher_apply_rule(0, SSL_kPSK, 0,0, 0, 0, 0, CIPHER_ORD, -1, &head,
&tail); |
| 1346 » ssl_cipher_apply_rule(0, SSL_kKRB5, 0,0, 0, 0, 0, CIPHER_ORD, -1, &head,
&tail); |
| 1347 |
| 1348 » /* RC4 is sort-of broken -- move the the end */ |
| 1349 » ssl_cipher_apply_rule(0, 0, 0, SSL_RC4, 0, 0, 0, CIPHER_ORD, -1, &head,
&tail); |
| 1350 |
| 1351 » /* Now sort by symmetric encryption strength. The above ordering remain
s |
| 1352 » * in force within each class */ |
| 1353 » if (!ssl_cipher_strength_sort(&head, &tail)) |
| 1354 » » { |
| 1355 » » OPENSSL_free(co_list); |
| 1356 » » return NULL; |
| 1357 » » } |
| 1358 |
| 1359 » /* Now disable everything (maintaining the ordering!) */ |
| 1360 » ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail)
; |
| 1361 |
1002 | 1362 |
1003 /* | 1363 /* |
1004 * We also need cipher aliases for selecting based on the rule_str. | 1364 * We also need cipher aliases for selecting based on the rule_str. |
1005 * There might be two types of entries in the rule_str: 1) names | 1365 * There might be two types of entries in the rule_str: 1) names |
1006 * of ciphers themselves 2) aliases for groups of ciphers. | 1366 * of ciphers themselves 2) aliases for groups of ciphers. |
1007 * For 1) we need the available ciphers and for 2) the cipher | 1367 * For 1) we need the available ciphers and for 2) the cipher |
1008 * groups of cipher_aliases added together in one list (otherwise | 1368 * groups of cipher_aliases added together in one list (otherwise |
1009 * we would be happy with just the cipher_aliases table). | 1369 * we would be happy with just the cipher_aliases table). |
1010 */ | 1370 */ |
1011 num_of_group_aliases = sizeof(cipher_aliases) / sizeof(SSL_CIPHER); | 1371 num_of_group_aliases = sizeof(cipher_aliases) / sizeof(SSL_CIPHER); |
1012 num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1; | 1372 num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1; |
1013 » ca_list = | 1373 » ca_list = OPENSSL_malloc(sizeof(SSL_CIPHER *) * num_of_alias_max); |
1014 » » (SSL_CIPHER **)OPENSSL_malloc(sizeof(SSL_CIPHER *) * num_of_alia
s_max); | |
1015 if (ca_list == NULL) | 1374 if (ca_list == NULL) |
1016 { | 1375 { |
1017 OPENSSL_free(co_list); | 1376 OPENSSL_free(co_list); |
1018 SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE); | 1377 SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE); |
1019 return(NULL); /* Failure */ | 1378 return(NULL); /* Failure */ |
1020 } | 1379 } |
1021 ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, | 1380 ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, |
1022 » » » » (disabled_mask & disabled_m256), head); | 1381 » disabled_mkey, disabled_auth, disabled_enc, |
| 1382 » » » » disabled_mac, disabled_ssl, head); |
1023 | 1383 |
1024 /* | 1384 /* |
1025 * If the rule_string begins with DEFAULT, apply the default rule | 1385 * If the rule_string begins with DEFAULT, apply the default rule |
1026 * before using the (possibly available) additional rules. | 1386 * before using the (possibly available) additional rules. |
1027 */ | 1387 */ |
1028 ok = 1; | 1388 ok = 1; |
1029 rule_p = rule_str; | 1389 rule_p = rule_str; |
1030 if (strncmp(rule_str,"DEFAULT",7) == 0) | 1390 if (strncmp(rule_str,"DEFAULT",7) == 0) |
1031 { | 1391 { |
1032 ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST, | 1392 ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST, |
1033 » » » co_list, &head, &tail, ca_list); | 1393 » » » &head, &tail, ca_list); |
1034 rule_p += 7; | 1394 rule_p += 7; |
1035 if (*rule_p == ':') | 1395 if (*rule_p == ':') |
1036 rule_p++; | 1396 rule_p++; |
1037 } | 1397 } |
1038 | 1398 |
1039 if (ok && (strlen(rule_p) > 0)) | 1399 if (ok && (strlen(rule_p) > 0)) |
1040 » » ok = ssl_cipher_process_rulestr(rule_p, co_list, &head, &tail, | 1400 » » ok = ssl_cipher_process_rulestr(rule_p, &head, &tail, ca_list); |
1041 » » » » » » ca_list); | |
1042 | 1401 |
1043 » OPENSSL_free(ca_list);» /* Not needed anymore */ | 1402 » OPENSSL_free((void *)ca_list);» /* Not needed anymore */ |
1044 | 1403 |
1045 if (!ok) | 1404 if (!ok) |
1046 { /* Rule processing failure */ | 1405 { /* Rule processing failure */ |
1047 OPENSSL_free(co_list); | 1406 OPENSSL_free(co_list); |
1048 return(NULL); | 1407 return(NULL); |
1049 } | 1408 } |
| 1409 |
1050 /* | 1410 /* |
1051 * Allocate new "cipherstack" for the result, return with error | 1411 * Allocate new "cipherstack" for the result, return with error |
1052 * if we cannot get one. | 1412 * if we cannot get one. |
1053 */ | 1413 */ |
1054 if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) | 1414 if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) |
1055 { | 1415 { |
1056 OPENSSL_free(co_list); | 1416 OPENSSL_free(co_list); |
1057 return(NULL); | 1417 return(NULL); |
1058 } | 1418 } |
1059 | 1419 |
1060 /* | 1420 /* |
1061 * The cipher selection for the list is done. The ciphers are added | 1421 * The cipher selection for the list is done. The ciphers are added |
1062 * to the resulting precedence to the STACK_OF(SSL_CIPHER). | 1422 * to the resulting precedence to the STACK_OF(SSL_CIPHER). |
1063 */ | 1423 */ |
1064 for (curr = head; curr != NULL; curr = curr->next) | 1424 for (curr = head; curr != NULL; curr = curr->next) |
1065 { | 1425 { |
1066 #ifdef OPENSSL_FIPS | |
1067 if (curr->active && (!FIPS_mode() || curr->cipher->algo_strength
& SSL_FIPS)) | |
1068 #else | |
1069 if (curr->active) | 1426 if (curr->active) |
1070 #endif | |
1071 { | 1427 { |
1072 sk_SSL_CIPHER_push(cipherstack, curr->cipher); | 1428 sk_SSL_CIPHER_push(cipherstack, curr->cipher); |
1073 #ifdef CIPHER_DEBUG | 1429 #ifdef CIPHER_DEBUG |
1074 printf("<%s>\n",curr->cipher->name); | 1430 printf("<%s>\n",curr->cipher->name); |
1075 #endif | 1431 #endif |
1076 } | 1432 } |
1077 } | 1433 } |
1078 OPENSSL_free(co_list); /* Not needed any longer */ | 1434 OPENSSL_free(co_list); /* Not needed any longer */ |
1079 | 1435 |
1080 tmp_cipher_list = sk_SSL_CIPHER_dup(cipherstack); | 1436 tmp_cipher_list = sk_SSL_CIPHER_dup(cipherstack); |
(...skipping 12 matching lines...) Expand all Loading... |
1093 | 1449 |
1094 sk_SSL_CIPHER_sort(*cipher_list_by_id); | 1450 sk_SSL_CIPHER_sort(*cipher_list_by_id); |
1095 return(cipherstack); | 1451 return(cipherstack); |
1096 } | 1452 } |
1097 | 1453 |
1098 char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) | 1454 char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) |
1099 { | 1455 { |
1100 int is_export,pkl,kl; | 1456 int is_export,pkl,kl; |
1101 const char *ver,*exp_str; | 1457 const char *ver,*exp_str; |
1102 const char *kx,*au,*enc,*mac; | 1458 const char *kx,*au,*enc,*mac; |
1103 » unsigned long alg,alg2,alg_s; | 1459 » unsigned long alg_mkey,alg_auth,alg_enc,alg_mac,alg_ssl,alg2; |
1104 #ifdef KSSL_DEBUG | 1460 #ifdef KSSL_DEBUG |
1105 » static const char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s
AL=%lx\n"; | 1461 » static const char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s
AL=%lx/%lx/%lx/%lx/%lx\n"; |
1106 #else | 1462 #else |
1107 static const char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s\
n"; | 1463 static const char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s\
n"; |
1108 #endif /* KSSL_DEBUG */ | 1464 #endif /* KSSL_DEBUG */ |
1109 | 1465 |
1110 » alg=cipher->algorithms; | 1466 » alg_mkey = cipher->algorithm_mkey; |
1111 » alg_s=cipher->algo_strength; | 1467 » alg_auth = cipher->algorithm_auth; |
| 1468 » alg_enc = cipher->algorithm_enc; |
| 1469 » alg_mac = cipher->algorithm_mac; |
| 1470 » alg_ssl = cipher->algorithm_ssl; |
| 1471 |
1112 alg2=cipher->algorithm2; | 1472 alg2=cipher->algorithm2; |
1113 | 1473 |
1114 is_export=SSL_C_IS_EXPORT(cipher); | 1474 is_export=SSL_C_IS_EXPORT(cipher); |
1115 pkl=SSL_C_EXPORT_PKEYLENGTH(cipher); | 1475 pkl=SSL_C_EXPORT_PKEYLENGTH(cipher); |
1116 kl=SSL_C_EXPORT_KEYLENGTH(cipher); | 1476 kl=SSL_C_EXPORT_KEYLENGTH(cipher); |
1117 exp_str=is_export?" export":""; | 1477 exp_str=is_export?" export":""; |
1118 | 1478 |
1119 » if (alg & SSL_SSLV2) | 1479 » if (alg_ssl & SSL_SSLV2) |
1120 ver="SSLv2"; | 1480 ver="SSLv2"; |
1121 » else if (alg & SSL_SSLV3) | 1481 » else if (alg_ssl & SSL_SSLV3) |
1122 ver="SSLv3"; | 1482 ver="SSLv3"; |
1123 else | 1483 else |
1124 ver="unknown"; | 1484 ver="unknown"; |
1125 | 1485 |
1126 » switch (alg&SSL_MKEY_MASK) | 1486 » switch (alg_mkey) |
1127 { | 1487 { |
1128 case SSL_kRSA: | 1488 case SSL_kRSA: |
1129 kx=is_export?(pkl == 512 ? "RSA(512)" : "RSA(1024)"):"RSA"; | 1489 kx=is_export?(pkl == 512 ? "RSA(512)" : "RSA(1024)"):"RSA"; |
1130 break; | 1490 break; |
1131 case SSL_kDHr: | 1491 case SSL_kDHr: |
1132 kx="DH/RSA"; | 1492 kx="DH/RSA"; |
1133 break; | 1493 break; |
1134 case SSL_kDHd: | 1494 case SSL_kDHd: |
1135 kx="DH/DSS"; | 1495 kx="DH/DSS"; |
1136 break; | 1496 break; |
1137 case SSL_kKRB5: /* VRS */ | 1497 case SSL_kKRB5: |
1138 case SSL_KRB5: /* VRS */ | 1498 » » kx="KRB5"; |
1139 kx="KRB5"; | |
1140 break; | |
1141 » case SSL_kFZA: | |
1142 » » kx="Fortezza"; | |
1143 break; | 1499 break; |
1144 case SSL_kEDH: | 1500 case SSL_kEDH: |
1145 kx=is_export?(pkl == 512 ? "DH(512)" : "DH(1024)"):"DH"; | 1501 kx=is_export?(pkl == 512 ? "DH(512)" : "DH(1024)"):"DH"; |
1146 break; | 1502 break; |
1147 » case SSL_kECDH: | 1503 » case SSL_kECDHr: |
1148 » case SSL_kECDHE: | 1504 » » kx="ECDH/RSA"; |
1149 » » kx=is_export?"ECDH(<=163)":"ECDH"; | 1505 » » break; |
| 1506 » case SSL_kECDHe: |
| 1507 » » kx="ECDH/ECDSA"; |
| 1508 » » break; |
| 1509 » case SSL_kEECDH: |
| 1510 » » kx="ECDH"; |
| 1511 » » break; |
| 1512 » case SSL_kPSK: |
| 1513 » » kx="PSK"; |
1150 break; | 1514 break; |
1151 default: | 1515 default: |
1152 kx="unknown"; | 1516 kx="unknown"; |
1153 } | 1517 } |
1154 | 1518 |
1155 » switch (alg&SSL_AUTH_MASK) | 1519 » switch (alg_auth) |
1156 { | 1520 { |
1157 case SSL_aRSA: | 1521 case SSL_aRSA: |
1158 au="RSA"; | 1522 au="RSA"; |
1159 break; | 1523 break; |
1160 case SSL_aDSS: | 1524 case SSL_aDSS: |
1161 au="DSS"; | 1525 au="DSS"; |
1162 break; | 1526 break; |
1163 case SSL_aDH: | 1527 case SSL_aDH: |
1164 au="DH"; | 1528 au="DH"; |
1165 break; | 1529 break; |
1166 case SSL_aKRB5: /* VRS */ | 1530 case SSL_aKRB5: |
1167 case SSL_KRB5: /* VRS */ | 1531 » » au="KRB5"; |
1168 au="KRB5"; | 1532 » » break; |
1169 break; | 1533 case SSL_aECDH: |
1170 » case SSL_aFZA: | 1534 » » au="ECDH"; |
| 1535 » » break; |
1171 case SSL_aNULL: | 1536 case SSL_aNULL: |
1172 au="None"; | 1537 au="None"; |
1173 break; | 1538 break; |
1174 case SSL_aECDSA: | 1539 case SSL_aECDSA: |
1175 au="ECDSA"; | 1540 au="ECDSA"; |
1176 break; | 1541 break; |
| 1542 case SSL_aPSK: |
| 1543 au="PSK"; |
| 1544 break; |
1177 default: | 1545 default: |
1178 au="unknown"; | 1546 au="unknown"; |
1179 break; | 1547 break; |
1180 } | 1548 } |
1181 | 1549 |
1182 » switch (alg&SSL_ENC_MASK) | 1550 » switch (alg_enc) |
1183 { | 1551 { |
1184 case SSL_DES: | 1552 case SSL_DES: |
1185 enc=(is_export && kl == 5)?"DES(40)":"DES(56)"; | 1553 enc=(is_export && kl == 5)?"DES(40)":"DES(56)"; |
1186 break; | 1554 break; |
1187 case SSL_3DES: | 1555 case SSL_3DES: |
1188 enc="3DES(168)"; | 1556 enc="3DES(168)"; |
1189 break; | 1557 break; |
1190 case SSL_RC4: | 1558 case SSL_RC4: |
1191 enc=is_export?(kl == 5 ? "RC4(40)" : "RC4(56)") | 1559 enc=is_export?(kl == 5 ? "RC4(40)" : "RC4(56)") |
1192 :((alg2&SSL2_CF_8_BYTE_ENC)?"RC4(64)":"RC4(128)"); | 1560 :((alg2&SSL2_CF_8_BYTE_ENC)?"RC4(64)":"RC4(128)"); |
1193 break; | 1561 break; |
1194 case SSL_RC2: | 1562 case SSL_RC2: |
1195 enc=is_export?(kl == 5 ? "RC2(40)" : "RC2(56)"):"RC2(128)"; | 1563 enc=is_export?(kl == 5 ? "RC2(40)" : "RC2(56)"):"RC2(128)"; |
1196 break; | 1564 break; |
1197 case SSL_IDEA: | 1565 case SSL_IDEA: |
1198 enc="IDEA(128)"; | 1566 enc="IDEA(128)"; |
1199 break; | 1567 break; |
1200 case SSL_eFZA: | |
1201 enc="Fortezza"; | |
1202 break; | |
1203 case SSL_eNULL: | 1568 case SSL_eNULL: |
1204 enc="None"; | 1569 enc="None"; |
1205 break; | 1570 break; |
1206 » case SSL_AES: | 1571 » case SSL_AES128: |
1207 » » switch(cipher->strength_bits) | 1572 » » enc="AES(128)"; |
1208 » » » { | |
1209 » » case 128: enc="AES(128)"; break; | |
1210 » » case 192: enc="AES(192)"; break; | |
1211 » » case 256: enc="AES(256)"; break; | |
1212 » » default: enc="AES(?""?""?)"; break; | |
1213 » » » } | |
1214 break; | 1573 break; |
1215 » case SSL_CAMELLIA: | 1574 » case SSL_AES256: |
1216 » » switch(cipher->strength_bits) | 1575 » » enc="AES(256)"; |
1217 » » » { | 1576 » » break; |
1218 » » case 128: enc="Camellia(128)"; break; | 1577 » case SSL_CAMELLIA128: |
1219 » » case 256: enc="Camellia(256)"; break; | 1578 » » enc="Camellia(128)"; |
1220 » » default: enc="Camellia(?""?""?)"; break; | 1579 » » break; |
1221 » » » } | 1580 » case SSL_CAMELLIA256: |
| 1581 » » enc="Camellia(256)"; |
1222 break; | 1582 break; |
1223 case SSL_SEED: | 1583 case SSL_SEED: |
1224 enc="SEED(128)"; | 1584 enc="SEED(128)"; |
1225 break; | 1585 break; |
1226 | |
1227 default: | 1586 default: |
1228 enc="unknown"; | 1587 enc="unknown"; |
1229 break; | 1588 break; |
1230 } | 1589 } |
1231 | 1590 |
1232 » switch (alg&SSL_MAC_MASK) | 1591 » switch (alg_mac) |
1233 { | 1592 { |
1234 case SSL_MD5: | 1593 case SSL_MD5: |
1235 mac="MD5"; | 1594 mac="MD5"; |
1236 break; | 1595 break; |
1237 case SSL_SHA1: | 1596 case SSL_SHA1: |
1238 mac="SHA1"; | 1597 mac="SHA1"; |
1239 break; | 1598 break; |
1240 default: | 1599 default: |
1241 mac="unknown"; | 1600 mac="unknown"; |
1242 break; | 1601 break; |
1243 } | 1602 } |
1244 | 1603 |
1245 if (buf == NULL) | 1604 if (buf == NULL) |
1246 { | 1605 { |
1247 len=128; | 1606 len=128; |
1248 buf=OPENSSL_malloc(len); | 1607 buf=OPENSSL_malloc(len); |
1249 if (buf == NULL) return("OPENSSL_malloc Error"); | 1608 if (buf == NULL) return("OPENSSL_malloc Error"); |
1250 } | 1609 } |
1251 else if (len < 128) | 1610 else if (len < 128) |
1252 return("Buffer too small"); | 1611 return("Buffer too small"); |
1253 | 1612 |
1254 #ifdef KSSL_DEBUG | 1613 #ifdef KSSL_DEBUG |
1255 » BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp_str,alg); | 1614 » BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp_str,alg_m
key,alg_auth,alg_enc,alg_mac,alg_ssl); |
1256 #else | 1615 #else |
1257 BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp_str); | 1616 BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp_str); |
1258 #endif /* KSSL_DEBUG */ | 1617 #endif /* KSSL_DEBUG */ |
1259 return(buf); | 1618 return(buf); |
1260 } | 1619 } |
1261 | 1620 |
1262 char *SSL_CIPHER_get_version(const SSL_CIPHER *c) | 1621 char *SSL_CIPHER_get_version(const SSL_CIPHER *c) |
1263 { | 1622 { |
1264 int i; | 1623 int i; |
1265 | 1624 |
(...skipping 21 matching lines...) Expand all Loading... |
1287 int ret=0; | 1646 int ret=0; |
1288 | 1647 |
1289 if (c != NULL) | 1648 if (c != NULL) |
1290 { | 1649 { |
1291 if (alg_bits != NULL) *alg_bits = c->alg_bits; | 1650 if (alg_bits != NULL) *alg_bits = c->alg_bits; |
1292 ret = c->strength_bits; | 1651 ret = c->strength_bits; |
1293 } | 1652 } |
1294 return(ret); | 1653 return(ret); |
1295 } | 1654 } |
1296 | 1655 |
| 1656 /* return string version of key exchange algorithm */ |
| 1657 const char* SSL_CIPHER_authentication_method(const SSL_CIPHER* cipher) |
| 1658 { |
| 1659 switch (cipher->algorithm_mkey) |
| 1660 { |
| 1661 case SSL_kRSA: |
| 1662 return SSL_TXT_RSA; |
| 1663 case SSL_kDHr: |
| 1664 return SSL_TXT_DH "_" SSL_TXT_RSA; |
| 1665 case SSL_kDHd: |
| 1666 return SSL_TXT_DH "_" SSL_TXT_DSS; |
| 1667 case SSL_kEDH: |
| 1668 switch (cipher->algorithm_auth) |
| 1669 { |
| 1670 case SSL_aDSS: |
| 1671 return "DHE_" SSL_TXT_DSS; |
| 1672 case SSL_aRSA: |
| 1673 return "DHE_" SSL_TXT_RSA; |
| 1674 case SSL_aNULL: |
| 1675 return SSL_TXT_DH "_anon"; |
| 1676 default: |
| 1677 return "UNKNOWN"; |
| 1678 } |
| 1679 case SSL_kKRB5: |
| 1680 return SSL_TXT_KRB5; |
| 1681 case SSL_kECDHr: |
| 1682 return SSL_TXT_ECDH "_" SSL_TXT_RSA; |
| 1683 case SSL_kECDHe: |
| 1684 return SSL_TXT_ECDH "_" SSL_TXT_ECDSA; |
| 1685 case SSL_kEECDH: |
| 1686 switch (cipher->algorithm_auth) |
| 1687 { |
| 1688 case SSL_aECDSA: |
| 1689 return "ECDHE_" SSL_TXT_ECDSA; |
| 1690 case SSL_aRSA: |
| 1691 return "ECDHE_" SSL_TXT_RSA; |
| 1692 case SSL_aNULL: |
| 1693 return SSL_TXT_ECDH "_anon"; |
| 1694 default: |
| 1695 return "UNKNOWN"; |
| 1696 } |
| 1697 default: |
| 1698 return "UNKNOWN"; |
| 1699 } |
| 1700 } |
| 1701 |
1297 SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n) | 1702 SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n) |
1298 { | 1703 { |
1299 SSL_COMP *ctmp; | 1704 SSL_COMP *ctmp; |
1300 int i,nn; | 1705 int i,nn; |
1301 | 1706 |
1302 if ((n == 0) || (sk == NULL)) return(NULL); | 1707 if ((n == 0) || (sk == NULL)) return(NULL); |
1303 nn=sk_SSL_COMP_num(sk); | 1708 nn=sk_SSL_COMP_num(sk); |
1304 for (i=0; i<nn; i++) | 1709 for (i=0; i<nn; i++) |
1305 { | 1710 { |
1306 ctmp=sk_SSL_COMP_value(sk,i); | 1711 ctmp=sk_SSL_COMP_value(sk,i); |
(...skipping 72 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1379 } | 1784 } |
1380 | 1785 |
1381 const char *SSL_COMP_get_name(const COMP_METHOD *comp) | 1786 const char *SSL_COMP_get_name(const COMP_METHOD *comp) |
1382 { | 1787 { |
1383 if (comp) | 1788 if (comp) |
1384 return comp->name; | 1789 return comp->name; |
1385 return NULL; | 1790 return NULL; |
1386 } | 1791 } |
1387 | 1792 |
1388 #endif | 1793 #endif |
OLD | NEW |