diff options
| author | djm <> | 2008-09-06 12:17:54 +0000 | 
|---|---|---|
| committer | djm <> | 2008-09-06 12:17:54 +0000 | 
| commit | 38ce604e3cc97706b876b0525ddff0121115456d (patch) | |
| tree | 7ccc28afe1789ea3dbedf72365f955d5b8e105b5 /src/lib/libssl/ssl_ciph.c | |
| parent | 12867252827c8efaa8ddd1fa3b3d6e321e2bcdef (diff) | |
| download | openbsd-38ce604e3cc97706b876b0525ddff0121115456d.tar.gz openbsd-38ce604e3cc97706b876b0525ddff0121115456d.tar.bz2 openbsd-38ce604e3cc97706b876b0525ddff0121115456d.zip | |
resolve conflicts
Diffstat (limited to '')
| -rw-r--r-- | src/lib/libssl/ssl_ciph.c | 379 | 
1 files changed, 307 insertions, 72 deletions
| diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c index f622180c69..71b645da14 100644 --- a/src/lib/libssl/ssl_ciph.c +++ b/src/lib/libssl/ssl_ciph.c | |||
| @@ -55,11 +55,67 @@ | |||
| 55 | * copied and put under another distribution licence | 55 | * copied and put under another distribution licence | 
| 56 | * [including the GNU Public Licence.] | 56 | * [including the GNU Public Licence.] | 
| 57 | */ | 57 | */ | 
| 58 | 58 | /* ==================================================================== | |
| 59 | * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. | ||
| 60 | * | ||
| 61 | * Redistribution and use in source and binary forms, with or without | ||
| 62 | * modification, are permitted provided that the following conditions | ||
| 63 | * are met: | ||
| 64 | * | ||
| 65 | * 1. Redistributions of source code must retain the above copyright | ||
| 66 | * notice, this list of conditions and the following disclaimer. | ||
| 67 | * | ||
| 68 | * 2. Redistributions in binary form must reproduce the above copyright | ||
| 69 | * notice, this list of conditions and the following disclaimer in | ||
| 70 | * the documentation and/or other materials provided with the | ||
| 71 | * distribution. | ||
| 72 | * | ||
| 73 | * 3. All advertising materials mentioning features or use of this | ||
| 74 | * software must display the following acknowledgment: | ||
| 75 | * "This product includes software developed by the OpenSSL Project | ||
| 76 | * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" | ||
| 77 | * | ||
| 78 | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to | ||
| 79 | * endorse or promote products derived from this software without | ||
| 80 | * prior written permission. For written permission, please contact | ||
| 81 | * openssl-core@openssl.org. | ||
| 82 | * | ||
| 83 | * 5. Products derived from this software may not be called "OpenSSL" | ||
| 84 | * nor may "OpenSSL" appear in their names without prior written | ||
| 85 | * permission of the OpenSSL Project. | ||
| 86 | * | ||
| 87 | * 6. Redistributions of any form whatsoever must retain the following | ||
| 88 | * acknowledgment: | ||
| 89 | * "This product includes software developed by the OpenSSL Project | ||
| 90 | * for use in the OpenSSL Toolkit (http://www.openssl.org/)" | ||
| 91 | * | ||
| 92 | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY | ||
| 93 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | ||
| 94 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | ||
| 95 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR | ||
| 96 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | ||
| 97 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | ||
| 98 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | ||
| 99 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | ||
| 100 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | ||
| 101 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | ||
| 102 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED | ||
| 103 | * OF THE POSSIBILITY OF SUCH DAMAGE. | ||
| 104 | * ==================================================================== | ||
| 105 | * | ||
| 106 | * This product includes cryptographic software written by Eric Young | ||
| 107 | * (eay@cryptsoft.com). This product includes software written by Tim | ||
| 108 | * Hudson (tjh@cryptsoft.com). | ||
| 109 | * | ||
| 110 | */ | ||
| 111 | /* ==================================================================== | ||
| 112 | * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. | ||
| 113 | * ECC cipher suite support in OpenSSL originally developed by | ||
| 114 | * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. | ||
| 115 | */ | ||
| 59 | #include <stdio.h> | 116 | #include <stdio.h> | 
| 60 | #include <openssl/objects.h> | 117 | #include <openssl/objects.h> | 
| 61 | #include <openssl/comp.h> | 118 | #include <openssl/comp.h> | 
| 62 | #include <openssl/fips.h> | ||
| 63 | #include "ssl_locl.h" | 119 | #include "ssl_locl.h" | 
| 64 | 120 | ||
| 65 | #define SSL_ENC_DES_IDX 0 | 121 | #define SSL_ENC_DES_IDX 0 | 
| @@ -71,12 +127,20 @@ | |||
| 71 | #define SSL_ENC_NULL_IDX 6 | 127 | #define SSL_ENC_NULL_IDX 6 | 
| 72 | #define SSL_ENC_AES128_IDX 7 | 128 | #define SSL_ENC_AES128_IDX 7 | 
| 73 | #define SSL_ENC_AES256_IDX 8 | 129 | #define SSL_ENC_AES256_IDX 8 | 
| 74 | #define SSL_ENC_NUM_IDX 9 | 130 | #define SSL_ENC_CAMELLIA128_IDX 9 | 
| 131 | #define SSL_ENC_CAMELLIA256_IDX 10 | ||
| 132 | #define SSL_ENC_SEED_IDX 11 | ||
| 133 | #define SSL_ENC_NUM_IDX 12 | ||
| 134 | |||
| 75 | 135 | ||
| 76 | static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX]={ | 136 | static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX]={ | 
| 77 | NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL | 137 | NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL | 
| 78 | }; | 138 | }; | 
| 79 | 139 | ||
| 140 | #define SSL_COMP_NULL_IDX 0 | ||
| 141 | #define SSL_COMP_ZLIB_IDX 1 | ||
| 142 | #define SSL_COMP_NUM_IDX 2 | ||
| 143 | |||
| 80 | static STACK_OF(SSL_COMP) *ssl_comp_methods=NULL; | 144 | static STACK_OF(SSL_COMP) *ssl_comp_methods=NULL; | 
| 81 | 145 | ||
| 82 | #define SSL_MD_MD5_IDX 0 | 146 | #define SSL_MD_MD5_IDX 0 | 
| @@ -102,18 +166,20 @@ typedef struct cipher_order_st | |||
| 102 | 166 | ||
| 103 | static const SSL_CIPHER cipher_aliases[]={ | 167 | static const SSL_CIPHER cipher_aliases[]={ | 
| 104 | /* Don't include eNULL unless specifically enabled. */ | 168 | /* Don't include eNULL unless specifically enabled. */ | 
| 105 | {0,SSL_TXT_ALL, 0,SSL_ALL & ~SSL_eNULL, SSL_ALL ,0,0,0,SSL_ALL,SSL_ALL}, /* must be first */ | 169 | /* Don't include ECC in ALL because these ciphers are not yet official. */ | 
| 106 | {0,SSL_TXT_CMPALL,0,SSL_eNULL,0,0,0,0,SSL_ENC_MASK,0}, /* COMPLEMENT OF ALL */ | 170 | {0,SSL_TXT_ALL, 0,SSL_ALL & ~SSL_eNULL & ~SSL_kECDH & ~SSL_kECDHE, SSL_ALL ,0,0,0,SSL_ALL,SSL_ALL}, /* must be first */ | 
| 171 | /* TODO: COMPLEMENT OF ALL and COMPLEMENT OF DEFAULT do not have ECC cipher suites handled properly. */ | ||
| 172 | {0,SSL_TXT_CMPALL,0,SSL_eNULL,0,0,0,0,SSL_ENC_MASK,0}, /* COMPLEMENT OF ALL */ | ||
| 107 | {0,SSL_TXT_CMPDEF,0,SSL_ADH, 0,0,0,0,SSL_AUTH_MASK,0}, | 173 | {0,SSL_TXT_CMPDEF,0,SSL_ADH, 0,0,0,0,SSL_AUTH_MASK,0}, | 
| 108 | {0,SSL_TXT_kKRB5,0,SSL_kKRB5,0,0,0,0,SSL_MKEY_MASK,0}, /* VRS Kerberos5 */ | 174 | {0,SSL_TXT_kKRB5,0,SSL_kKRB5,0,0,0,0,SSL_MKEY_MASK,0}, /* VRS Kerberos5 */ | 
| 109 | {0,SSL_TXT_kRSA,0,SSL_kRSA, 0,0,0,0,SSL_MKEY_MASK,0}, | 175 | {0,SSL_TXT_kRSA,0,SSL_kRSA, 0,0,0,0,SSL_MKEY_MASK,0}, | 
| 110 | {0,SSL_TXT_kDHr,0,SSL_kDHr, 0,0,0,0,SSL_MKEY_MASK,0}, | 176 | {0,SSL_TXT_kDHr,0,SSL_kDHr, 0,0,0,0,SSL_MKEY_MASK,0}, | 
| 111 | {0,SSL_TXT_kDHd,0,SSL_kDHd, 0,0,0,0,SSL_MKEY_MASK,0}, | 177 | {0,SSL_TXT_kDHd,0,SSL_kDHd, 0,0,0,0,SSL_MKEY_MASK,0}, | 
| 112 | {0,SSL_TXT_kEDH,0,SSL_kEDH, 0,0,0,0,SSL_MKEY_MASK,0}, | 178 | {0,SSL_TXT_kEDH,0,SSL_kEDH, 0,0,0,0,SSL_MKEY_MASK,0}, | 
| 113 | {0,SSL_TXT_kFZA,0,SSL_kFZA, 0,0,0,0,SSL_MKEY_MASK,0}, | 179 | {0,SSL_TXT_kFZA,0,SSL_kFZA, 0,0,0,0,SSL_MKEY_MASK,0}, | 
| 114 | {0,SSL_TXT_DH, 0,SSL_DH, 0,0,0,0,SSL_MKEY_MASK,0}, | 180 | {0,SSL_TXT_DH, 0,SSL_DH, 0,0,0,0,SSL_MKEY_MASK,0}, | 
| 181 | {0,SSL_TXT_ECC, 0,(SSL_kECDH|SSL_kECDHE), 0,0,0,0,SSL_MKEY_MASK,0}, | ||
| 115 | {0,SSL_TXT_EDH, 0,SSL_EDH, 0,0,0,0,SSL_MKEY_MASK|SSL_AUTH_MASK,0}, | 182 | {0,SSL_TXT_EDH, 0,SSL_EDH, 0,0,0,0,SSL_MKEY_MASK|SSL_AUTH_MASK,0}, | 
| 116 | |||
| 117 | {0,SSL_TXT_aKRB5,0,SSL_aKRB5,0,0,0,0,SSL_AUTH_MASK,0}, /* VRS Kerberos5 */ | 183 | {0,SSL_TXT_aKRB5,0,SSL_aKRB5,0,0,0,0,SSL_AUTH_MASK,0}, /* VRS Kerberos5 */ | 
| 118 | {0,SSL_TXT_aRSA,0,SSL_aRSA, 0,0,0,0,SSL_AUTH_MASK,0}, | 184 | {0,SSL_TXT_aRSA,0,SSL_aRSA, 0,0,0,0,SSL_AUTH_MASK,0}, | 
| 119 | {0,SSL_TXT_aDSS,0,SSL_aDSS, 0,0,0,0,SSL_AUTH_MASK,0}, | 185 | {0,SSL_TXT_aDSS,0,SSL_aDSS, 0,0,0,0,SSL_AUTH_MASK,0}, | 
| @@ -129,9 +195,11 @@ static const SSL_CIPHER cipher_aliases[]={ | |||
| 129 | #ifndef OPENSSL_NO_IDEA | 195 | #ifndef OPENSSL_NO_IDEA | 
| 130 | {0,SSL_TXT_IDEA,0,SSL_IDEA, 0,0,0,0,SSL_ENC_MASK,0}, | 196 | {0,SSL_TXT_IDEA,0,SSL_IDEA, 0,0,0,0,SSL_ENC_MASK,0}, | 
| 131 | #endif | 197 | #endif | 
| 198 | {0,SSL_TXT_SEED,0,SSL_SEED, 0,0,0,0,SSL_ENC_MASK,0}, | ||
| 132 | {0,SSL_TXT_eNULL,0,SSL_eNULL,0,0,0,0,SSL_ENC_MASK,0}, | 199 | {0,SSL_TXT_eNULL,0,SSL_eNULL,0,0,0,0,SSL_ENC_MASK,0}, | 
| 133 | {0,SSL_TXT_eFZA,0,SSL_eFZA, 0,0,0,0,SSL_ENC_MASK,0}, | 200 | {0,SSL_TXT_eFZA,0,SSL_eFZA, 0,0,0,0,SSL_ENC_MASK,0}, | 
| 134 | {0,SSL_TXT_AES, 0,SSL_AES, 0,0,0,0,SSL_ENC_MASK,0}, | 201 | {0,SSL_TXT_AES, 0,SSL_AES, 0,0,0,0,SSL_ENC_MASK,0}, | 
| 202 | {0,SSL_TXT_CAMELLIA,0,SSL_CAMELLIA, 0,0,0,0,SSL_ENC_MASK,0}, | ||
| 135 | 203 | ||
| 136 | {0,SSL_TXT_MD5, 0,SSL_MD5, 0,0,0,0,SSL_MAC_MASK,0}, | 204 | {0,SSL_TXT_MD5, 0,SSL_MD5, 0,0,0,0,SSL_MAC_MASK,0}, | 
| 137 | {0,SSL_TXT_SHA1,0,SSL_SHA1, 0,0,0,0,SSL_MAC_MASK,0}, | 205 | {0,SSL_TXT_SHA1,0,SSL_SHA1, 0,0,0,0,SSL_MAC_MASK,0}, | 
| @@ -154,12 +222,9 @@ static const SSL_CIPHER cipher_aliases[]={ | |||
| 154 | {0,SSL_TXT_LOW, 0, 0, SSL_LOW, 0,0,0,0,SSL_STRONG_MASK}, | 222 | {0,SSL_TXT_LOW, 0, 0, SSL_LOW, 0,0,0,0,SSL_STRONG_MASK}, | 
| 155 | {0,SSL_TXT_MEDIUM,0, 0,SSL_MEDIUM, 0,0,0,0,SSL_STRONG_MASK}, | 223 | {0,SSL_TXT_MEDIUM,0, 0,SSL_MEDIUM, 0,0,0,0,SSL_STRONG_MASK}, | 
| 156 | {0,SSL_TXT_HIGH, 0, 0, SSL_HIGH, 0,0,0,0,SSL_STRONG_MASK}, | 224 | {0,SSL_TXT_HIGH, 0, 0, SSL_HIGH, 0,0,0,0,SSL_STRONG_MASK}, | 
| 157 | {0,SSL_TXT_FIPS, 0, 0, SSL_FIPS, 0,0,0,0,SSL_FIPS|SSL_STRONG_NONE}, | ||
| 158 | }; | 225 | }; | 
| 159 | 226 | ||
| 160 | static int init_ciphers=1; | 227 | void ssl_load_ciphers(void) | 
| 161 | |||
| 162 | static void load_ciphers(void) | ||
| 163 | { | 228 | { | 
| 164 | ssl_cipher_methods[SSL_ENC_DES_IDX]= | 229 | ssl_cipher_methods[SSL_ENC_DES_IDX]= | 
| 165 | EVP_get_cipherbyname(SN_des_cbc); | 230 | EVP_get_cipherbyname(SN_des_cbc); | 
| @@ -179,14 +244,73 @@ static void load_ciphers(void) | |||
| 179 | EVP_get_cipherbyname(SN_aes_128_cbc); | 244 | EVP_get_cipherbyname(SN_aes_128_cbc); | 
| 180 | ssl_cipher_methods[SSL_ENC_AES256_IDX]= | 245 | ssl_cipher_methods[SSL_ENC_AES256_IDX]= | 
| 181 | EVP_get_cipherbyname(SN_aes_256_cbc); | 246 | EVP_get_cipherbyname(SN_aes_256_cbc); | 
| 247 | ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX]= | ||
| 248 | EVP_get_cipherbyname(SN_camellia_128_cbc); | ||
| 249 | ssl_cipher_methods[SSL_ENC_CAMELLIA256_IDX]= | ||
| 250 | EVP_get_cipherbyname(SN_camellia_256_cbc); | ||
| 251 | ssl_cipher_methods[SSL_ENC_SEED_IDX]= | ||
| 252 | EVP_get_cipherbyname(SN_seed_cbc); | ||
| 182 | 253 | ||
| 183 | ssl_digest_methods[SSL_MD_MD5_IDX]= | 254 | ssl_digest_methods[SSL_MD_MD5_IDX]= | 
| 184 | EVP_get_digestbyname(SN_md5); | 255 | EVP_get_digestbyname(SN_md5); | 
| 185 | ssl_digest_methods[SSL_MD_SHA1_IDX]= | 256 | ssl_digest_methods[SSL_MD_SHA1_IDX]= | 
| 186 | EVP_get_digestbyname(SN_sha1); | 257 | EVP_get_digestbyname(SN_sha1); | 
| 187 | init_ciphers=0; | ||
| 188 | } | 258 | } | 
| 189 | 259 | ||
| 260 | |||
| 261 | #ifndef OPENSSL_NO_COMP | ||
| 262 | |||
| 263 | static int sk_comp_cmp(const SSL_COMP * const *a, | ||
| 264 | const SSL_COMP * const *b) | ||
| 265 | { | ||
| 266 | return((*a)->id-(*b)->id); | ||
| 267 | } | ||
| 268 | |||
| 269 | static void load_builtin_compressions(void) | ||
| 270 | { | ||
| 271 | int got_write_lock = 0; | ||
| 272 | |||
| 273 | CRYPTO_r_lock(CRYPTO_LOCK_SSL); | ||
| 274 | if (ssl_comp_methods == NULL) | ||
| 275 | { | ||
| 276 | CRYPTO_r_unlock(CRYPTO_LOCK_SSL); | ||
| 277 | CRYPTO_w_lock(CRYPTO_LOCK_SSL); | ||
| 278 | got_write_lock = 1; | ||
| 279 | |||
| 280 | if (ssl_comp_methods == NULL) | ||
| 281 | { | ||
| 282 | SSL_COMP *comp = NULL; | ||
| 283 | |||
| 284 | MemCheck_off(); | ||
| 285 | ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp); | ||
| 286 | if (ssl_comp_methods != NULL) | ||
| 287 | { | ||
| 288 | comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP)); | ||
| 289 | if (comp != NULL) | ||
| 290 | { | ||
| 291 | comp->method=COMP_zlib(); | ||
| 292 | if (comp->method | ||
| 293 | && comp->method->type == NID_undef) | ||
| 294 | OPENSSL_free(comp); | ||
| 295 | else | ||
| 296 | { | ||
| 297 | comp->id=SSL_COMP_ZLIB_IDX; | ||
| 298 | comp->name=comp->method->name; | ||
| 299 | sk_SSL_COMP_push(ssl_comp_methods,comp); | ||
| 300 | } | ||
| 301 | } | ||
| 302 | } | ||
| 303 | MemCheck_on(); | ||
| 304 | } | ||
| 305 | } | ||
| 306 | |||
| 307 | if (got_write_lock) | ||
| 308 | CRYPTO_w_unlock(CRYPTO_LOCK_SSL); | ||
| 309 | else | ||
| 310 | CRYPTO_r_unlock(CRYPTO_LOCK_SSL); | ||
| 311 | } | ||
| 312 | #endif | ||
| 313 | |||
| 190 | int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, | 314 | int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, | 
| 191 | const EVP_MD **md, SSL_COMP **comp) | 315 | const EVP_MD **md, SSL_COMP **comp) | 
| 192 | { | 316 | { | 
| @@ -198,18 +322,14 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, | |||
| 198 | if (comp != NULL) | 322 | if (comp != NULL) | 
| 199 | { | 323 | { | 
| 200 | SSL_COMP ctmp; | 324 | SSL_COMP ctmp; | 
| 325 | #ifndef OPENSSL_NO_COMP | ||
| 326 | load_builtin_compressions(); | ||
| 327 | #endif | ||
| 201 | 328 | ||
| 202 | if (s->compress_meth == 0) | 329 | *comp=NULL; | 
| 203 | *comp=NULL; | 330 | ctmp.id=s->compress_meth; | 
| 204 | else if (ssl_comp_methods == NULL) | 331 | if (ssl_comp_methods != NULL) | 
| 205 | { | 332 | { | 
| 206 | /* bad */ | ||
| 207 | *comp=NULL; | ||
| 208 | } | ||
| 209 | else | ||
| 210 | { | ||
| 211 | |||
| 212 | ctmp.id=s->compress_meth; | ||
| 213 | i=sk_SSL_COMP_find(ssl_comp_methods,&ctmp); | 333 | i=sk_SSL_COMP_find(ssl_comp_methods,&ctmp); | 
| 214 | if (i >= 0) | 334 | if (i >= 0) | 
| 215 | *comp=sk_SSL_COMP_value(ssl_comp_methods,i); | 335 | *comp=sk_SSL_COMP_value(ssl_comp_methods,i); | 
| @@ -248,6 +368,18 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, | |||
| 248 | default: i=-1; break; | 368 | default: i=-1; break; | 
| 249 | } | 369 | } | 
| 250 | break; | 370 | break; | 
| 371 | case SSL_CAMELLIA: | ||
| 372 | switch(c->alg_bits) | ||
| 373 | { | ||
| 374 | case 128: i=SSL_ENC_CAMELLIA128_IDX; break; | ||
| 375 | case 256: i=SSL_ENC_CAMELLIA256_IDX; break; | ||
| 376 | default: i=-1; break; | ||
| 377 | } | ||
| 378 | break; | ||
| 379 | case SSL_SEED: | ||
| 380 | i=SSL_ENC_SEED_IDX; | ||
| 381 | break; | ||
| 382 | |||
| 251 | default: | 383 | default: | 
| 252 | i= -1; | 384 | i= -1; | 
| 253 | break; | 385 | break; | 
| @@ -305,9 +437,18 @@ static void ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr, | |||
| 305 | *tail=curr; | 437 | *tail=curr; | 
| 306 | } | 438 | } | 
| 307 | 439 | ||
| 308 | static unsigned long ssl_cipher_get_disabled(void) | 440 | struct disabled_masks { /* This is a kludge no longer needed with OpenSSL 0.9.9, | 
| 441 | * where 128-bit and 256-bit algorithms simply will get | ||
| 442 | * separate bits. */ | ||
| 443 | unsigned long mask; /* everything except m256 */ | ||
| 444 | unsigned long m256; /* applies to 256-bit algorithms only */ | ||
| 445 | }; | ||
| 446 | |||
| 447 | static struct disabled_masks ssl_cipher_get_disabled(void) | ||
| 309 | { | 448 | { | 
| 310 | unsigned long mask; | 449 | unsigned long mask; | 
| 450 | unsigned long m256; | ||
| 451 | struct disabled_masks ret; | ||
| 311 | 452 | ||
| 312 | mask = SSL_kFZA; | 453 | mask = SSL_kFZA; | 
| 313 | #ifdef OPENSSL_NO_RSA | 454 | #ifdef OPENSSL_NO_RSA | 
| @@ -322,7 +463,9 @@ static unsigned long ssl_cipher_get_disabled(void) | |||
| 322 | #ifdef OPENSSL_NO_KRB5 | 463 | #ifdef OPENSSL_NO_KRB5 | 
| 323 | mask |= SSL_kKRB5|SSL_aKRB5; | 464 | mask |= SSL_kKRB5|SSL_aKRB5; | 
| 324 | #endif | 465 | #endif | 
| 325 | 466 | #ifdef OPENSSL_NO_ECDH | |
| 467 | mask |= SSL_kECDH|SSL_kECDHE; | ||
| 468 | #endif | ||
| 326 | #ifdef SSL_FORBID_ENULL | 469 | #ifdef SSL_FORBID_ENULL | 
| 327 | mask |= SSL_eNULL; | 470 | mask |= SSL_eNULL; | 
| 328 | #endif | 471 | #endif | 
| @@ -333,17 +476,27 @@ static unsigned long ssl_cipher_get_disabled(void) | |||
| 333 | mask |= (ssl_cipher_methods[SSL_ENC_RC2_IDX ] == NULL) ? SSL_RC2 :0; | 476 | mask |= (ssl_cipher_methods[SSL_ENC_RC2_IDX ] == NULL) ? SSL_RC2 :0; | 
| 334 | mask |= (ssl_cipher_methods[SSL_ENC_IDEA_IDX] == NULL) ? SSL_IDEA:0; | 477 | mask |= (ssl_cipher_methods[SSL_ENC_IDEA_IDX] == NULL) ? SSL_IDEA:0; | 
| 335 | mask |= (ssl_cipher_methods[SSL_ENC_eFZA_IDX] == NULL) ? SSL_eFZA:0; | 478 | mask |= (ssl_cipher_methods[SSL_ENC_eFZA_IDX] == NULL) ? SSL_eFZA:0; | 
| 336 | mask |= (ssl_cipher_methods[SSL_ENC_AES128_IDX] == NULL) ? SSL_AES:0; | 479 | mask |= (ssl_cipher_methods[SSL_ENC_SEED_IDX] == NULL) ? SSL_SEED:0; | 
| 337 | 480 | ||
| 338 | mask |= (ssl_digest_methods[SSL_MD_MD5_IDX ] == NULL) ? SSL_MD5 :0; | 481 | mask |= (ssl_digest_methods[SSL_MD_MD5_IDX ] == NULL) ? SSL_MD5 :0; | 
| 339 | mask |= (ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL) ? SSL_SHA1:0; | 482 | mask |= (ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL) ? SSL_SHA1:0; | 
| 340 | 483 | ||
| 341 | return(mask); | 484 | /* finally consider algorithms where mask and m256 differ */ | 
| 485 | m256 = mask; | ||
| 486 | mask |= (ssl_cipher_methods[SSL_ENC_AES128_IDX] == NULL) ? SSL_AES:0; | ||
| 487 | mask |= (ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX] == NULL) ? SSL_CAMELLIA:0; | ||
| 488 | m256 |= (ssl_cipher_methods[SSL_ENC_AES256_IDX] == NULL) ? SSL_AES:0; | ||
| 489 | m256 |= (ssl_cipher_methods[SSL_ENC_CAMELLIA256_IDX] == NULL) ? SSL_CAMELLIA:0; | ||
| 490 | |||
| 491 | ret.mask = mask; | ||
| 492 | ret.m256 = m256; | ||
| 493 | return ret; | ||
| 342 | } | 494 | } | 
| 343 | 495 | ||
| 344 | static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method, | 496 | static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method, | 
| 345 | int num_of_ciphers, unsigned long mask, CIPHER_ORDER *co_list, | 497 | int num_of_ciphers, unsigned long mask, unsigned long m256, | 
| 346 | CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) | 498 | CIPHER_ORDER *co_list, CIPHER_ORDER **head_p, | 
| 499 | CIPHER_ORDER **tail_p) | ||
| 347 | { | 500 | { | 
| 348 | int i, co_list_num; | 501 | int i, co_list_num; | 
| 349 | SSL_CIPHER *c; | 502 | SSL_CIPHER *c; | 
| @@ -360,13 +513,9 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method, | |||
| 360 | for (i = 0; i < num_of_ciphers; i++) | 513 | for (i = 0; i < num_of_ciphers; i++) | 
| 361 | { | 514 | { | 
| 362 | c = ssl_method->get_cipher(i); | 515 | c = ssl_method->get_cipher(i); | 
| 516 | #define IS_MASKED(c) ((c)->algorithms & (((c)->alg_bits == 256) ? m256 : mask)) | ||
| 363 | /* drop those that use any of that is not available */ | 517 | /* drop those that use any of that is not available */ | 
| 364 | #ifdef OPENSSL_FIPS | 518 | if ((c != NULL) && c->valid && !IS_MASKED(c)) | 
| 365 | if ((c != NULL) && c->valid && !(c->algorithms & mask) | ||
| 366 | && (!FIPS_mode() || (c->algo_strength & SSL_FIPS))) | ||
| 367 | #else | ||
| 368 | if ((c != NULL) && c->valid && !(c->algorithms & mask)) | ||
| 369 | #endif | ||
| 370 | { | 519 | { | 
| 371 | co_list[co_list_num].cipher = c; | 520 | co_list[co_list_num].cipher = c; | 
| 372 | co_list[co_list_num].next = NULL; | 521 | co_list[co_list_num].next = NULL; | 
| @@ -440,7 +589,8 @@ static void ssl_cipher_collect_aliases(SSL_CIPHER **ca_list, | |||
| 440 | *ca_curr = NULL; /* end of list */ | 589 | *ca_curr = NULL; /* end of list */ | 
| 441 | } | 590 | } | 
| 442 | 591 | ||
| 443 | static void ssl_cipher_apply_rule(unsigned long algorithms, unsigned long mask, | 592 | static void ssl_cipher_apply_rule(unsigned long cipher_id, unsigned long ssl_version, | 
| 593 | unsigned long algorithms, unsigned long mask, | ||
| 444 | unsigned long algo_strength, unsigned long mask_strength, | 594 | unsigned long algo_strength, unsigned long mask_strength, | 
| 445 | int rule, int strength_bits, CIPHER_ORDER *co_list, | 595 | int rule, int strength_bits, CIPHER_ORDER *co_list, | 
| 446 | CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) | 596 | CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) | 
| @@ -466,11 +616,20 @@ static void ssl_cipher_apply_rule(unsigned long algorithms, unsigned long mask, | |||
| 466 | 616 | ||
| 467 | cp = curr->cipher; | 617 | cp = curr->cipher; | 
| 468 | 618 | ||
| 619 | /* If explicit cipher suite, match only that one for its own protocol version. | ||
| 620 | * Usual selection criteria will be used for similar ciphersuites from other version! */ | ||
| 621 | |||
| 622 | if (cipher_id && (cp->algorithms & SSL_SSL_MASK) == ssl_version) | ||
| 623 | { | ||
| 624 | if (cp->id != cipher_id) | ||
| 625 | continue; | ||
| 626 | } | ||
| 627 | |||
| 469 | /* | 628 | /* | 
| 470 | * Selection criteria is either the number of strength_bits | 629 | * Selection criteria is either the number of strength_bits | 
| 471 | * or the algorithm used. | 630 | * or the algorithm used. | 
| 472 | */ | 631 | */ | 
| 473 | if (strength_bits == -1) | 632 | else if (strength_bits == -1) | 
| 474 | { | 633 | { | 
| 475 | ma = mask & cp->algorithms; | 634 | ma = mask & cp->algorithms; | 
| 476 | ma_s = mask_strength & cp->algo_strength; | 635 | ma_s = mask_strength & cp->algo_strength; | 
| @@ -501,8 +660,22 @@ static void ssl_cipher_apply_rule(unsigned long algorithms, unsigned long mask, | |||
| 501 | { | 660 | { | 
| 502 | if (!curr->active) | 661 | if (!curr->active) | 
| 503 | { | 662 | { | 
| 504 | ll_append_tail(&head, curr, &tail); | 663 | int add_this_cipher = 1; | 
| 505 | curr->active = 1; | 664 | |
| 665 | if (((cp->algorithms & (SSL_kECDHE|SSL_kECDH|SSL_aECDSA)) != 0)) | ||
| 666 | { | ||
| 667 | /* Make sure "ECCdraft" ciphersuites are activated only if | ||
| 668 | * *explicitly* requested, but not implicitly (such as | ||
| 669 | * as part of the "AES" alias). */ | ||
| 670 | |||
| 671 | add_this_cipher = (mask & (SSL_kECDHE|SSL_kECDH|SSL_aECDSA)) != 0 || cipher_id != 0; | ||
| 672 | } | ||
| 673 | |||
| 674 | if (add_this_cipher) | ||
| 675 | { | ||
| 676 | ll_append_tail(&head, curr, &tail); | ||
| 677 | curr->active = 1; | ||
| 678 | } | ||
| 506 | } | 679 | } | 
| 507 | } | 680 | } | 
| 508 | /* Move the added cipher to this location */ | 681 | /* Move the added cipher to this location */ | 
| @@ -583,7 +756,7 @@ static int ssl_cipher_strength_sort(CIPHER_ORDER *co_list, | |||
| 583 | */ | 756 | */ | 
| 584 | for (i = max_strength_bits; i >= 0; i--) | 757 | for (i = max_strength_bits; i >= 0; i--) | 
| 585 | if (number_uses[i] > 0) | 758 | if (number_uses[i] > 0) | 
| 586 | ssl_cipher_apply_rule(0, 0, 0, 0, CIPHER_ORD, i, | 759 | ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, CIPHER_ORD, i, | 
| 587 | co_list, head_p, tail_p); | 760 | co_list, head_p, tail_p); | 
| 588 | 761 | ||
| 589 | OPENSSL_free(number_uses); | 762 | OPENSSL_free(number_uses); | 
| @@ -597,6 +770,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str, | |||
| 597 | unsigned long algorithms, mask, algo_strength, mask_strength; | 770 | unsigned long algorithms, mask, algo_strength, mask_strength; | 
| 598 | const char *l, *start, *buf; | 771 | const char *l, *start, *buf; | 
| 599 | int j, multi, found, rule, retval, ok, buflen; | 772 | int j, multi, found, rule, retval, ok, buflen; | 
| 773 | unsigned long cipher_id = 0, ssl_version = 0; | ||
| 600 | char ch; | 774 | char ch; | 
| 601 | 775 | ||
| 602 | retval = 1; | 776 | retval = 1; | 
| @@ -686,6 +860,8 @@ static int ssl_cipher_process_rulestr(const char *rule_str, | |||
| 686 | * use strcmp(), because buf is not '\0' terminated.) | 860 | * use strcmp(), because buf is not '\0' terminated.) | 
| 687 | */ | 861 | */ | 
| 688 | j = found = 0; | 862 | j = found = 0; | 
| 863 | cipher_id = 0; | ||
| 864 | ssl_version = 0; | ||
| 689 | while (ca_list[j]) | 865 | while (ca_list[j]) | 
| 690 | { | 866 | { | 
| 691 | if (!strncmp(buf, ca_list[j]->name, buflen) && | 867 | if (!strncmp(buf, ca_list[j]->name, buflen) && | 
| @@ -714,6 +890,14 @@ static int ssl_cipher_process_rulestr(const char *rule_str, | |||
| 714 | (algo_strength & ca_list[j]->algo_strength); | 890 | (algo_strength & ca_list[j]->algo_strength); | 
| 715 | mask_strength |= ca_list[j]->mask_strength; | 891 | mask_strength |= ca_list[j]->mask_strength; | 
| 716 | 892 | ||
| 893 | /* explicit ciphersuite found */ | ||
| 894 | if (ca_list[j]->valid) | ||
| 895 | { | ||
| 896 | cipher_id = ca_list[j]->id; | ||
| 897 | ssl_version = ca_list[j]->algorithms & SSL_SSL_MASK; | ||
| 898 | break; | ||
| 899 | } | ||
| 900 | |||
| 717 | if (!multi) break; | 901 | if (!multi) break; | 
| 718 | } | 902 | } | 
| 719 | 903 | ||
| @@ -738,18 +922,18 @@ static int ssl_cipher_process_rulestr(const char *rule_str, | |||
| 738 | * rest of the command, if any left, until | 922 | * rest of the command, if any left, until | 
| 739 | * end or ':' is found. | 923 | * end or ':' is found. | 
| 740 | */ | 924 | */ | 
| 741 | while ((*l != '\0') && ITEM_SEP(*l)) | 925 | while ((*l != '\0') && !ITEM_SEP(*l)) | 
| 742 | l++; | 926 | l++; | 
| 743 | } | 927 | } | 
| 744 | else if (found) | 928 | else if (found) | 
| 745 | { | 929 | { | 
| 746 | ssl_cipher_apply_rule(algorithms, mask, | 930 | ssl_cipher_apply_rule(cipher_id, ssl_version, algorithms, mask, | 
| 747 | algo_strength, mask_strength, rule, -1, | 931 | algo_strength, mask_strength, rule, -1, | 
| 748 | co_list, head_p, tail_p); | 932 | co_list, head_p, tail_p); | 
| 749 | } | 933 | } | 
| 750 | else | 934 | else | 
| 751 | { | 935 | { | 
| 752 | while ((*l != '\0') && ITEM_SEP(*l)) | 936 | while ((*l != '\0') && !ITEM_SEP(*l)) | 
| 753 | l++; | 937 | l++; | 
| 754 | } | 938 | } | 
| 755 | if (*l == '\0') break; /* done */ | 939 | if (*l == '\0') break; /* done */ | 
| @@ -765,6 +949,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, | |||
| 765 | { | 949 | { | 
| 766 | int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases; | 950 | int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases; | 
| 767 | unsigned long disabled_mask; | 951 | unsigned long disabled_mask; | 
| 952 | unsigned long disabled_m256; | ||
| 768 | STACK_OF(SSL_CIPHER) *cipherstack, *tmp_cipher_list; | 953 | STACK_OF(SSL_CIPHER) *cipherstack, *tmp_cipher_list; | 
| 769 | const char *rule_p; | 954 | const char *rule_p; | 
| 770 | CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr; | 955 | CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr; | 
| @@ -776,18 +961,16 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, | |||
| 776 | if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL) | 961 | if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL) | 
| 777 | return NULL; | 962 | return NULL; | 
| 778 | 963 | ||
| 779 | if (init_ciphers) | ||
| 780 | { | ||
| 781 | CRYPTO_w_lock(CRYPTO_LOCK_SSL); | ||
| 782 | if (init_ciphers) load_ciphers(); | ||
| 783 | CRYPTO_w_unlock(CRYPTO_LOCK_SSL); | ||
| 784 | } | ||
| 785 | |||
| 786 | /* | 964 | /* | 
| 787 | * To reduce the work to do we only want to process the compiled | 965 | * To reduce the work to do we only want to process the compiled | 
| 788 | * in algorithms, so we first get the mask of disabled ciphers. | 966 | * in algorithms, so we first get the mask of disabled ciphers. | 
| 789 | */ | 967 | */ | 
| 790 | disabled_mask = ssl_cipher_get_disabled(); | 968 | { | 
| 969 | struct disabled_masks d; | ||
| 970 | d = ssl_cipher_get_disabled(); | ||
| 971 | disabled_mask = d.mask; | ||
| 972 | disabled_m256 = d.m256; | ||
| 973 | } | ||
| 791 | 974 | ||
| 792 | /* | 975 | /* | 
| 793 | * Now we have to collect the available ciphers from the compiled | 976 | * Now we have to collect the available ciphers from the compiled | 
| @@ -806,7 +989,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, | |||
| 806 | } | 989 | } | 
| 807 | 990 | ||
| 808 | ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers, disabled_mask, | 991 | ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers, disabled_mask, | 
| 809 | co_list, &head, &tail); | 992 | disabled_m256, co_list, &head, &tail); | 
| 810 | 993 | ||
| 811 | /* | 994 | /* | 
| 812 | * We also need cipher aliases for selecting based on the rule_str. | 995 | * We also need cipher aliases for selecting based on the rule_str. | 
| @@ -826,8 +1009,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, | |||
| 826 | SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE); | 1009 | SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE); | 
| 827 | return(NULL); /* Failure */ | 1010 | return(NULL); /* Failure */ | 
| 828 | } | 1011 | } | 
| 829 | ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, disabled_mask, | 1012 | ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, | 
| 830 | head); | 1013 | (disabled_mask & disabled_m256), head); | 
| 831 | 1014 | ||
| 832 | /* | 1015 | /* | 
| 833 | * If the rule_string begins with DEFAULT, apply the default rule | 1016 | * If the rule_string begins with DEFAULT, apply the default rule | 
| @@ -871,11 +1054,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, | |||
| 871 | */ | 1054 | */ | 
| 872 | for (curr = head; curr != NULL; curr = curr->next) | 1055 | for (curr = head; curr != NULL; curr = curr->next) | 
| 873 | { | 1056 | { | 
| 874 | #ifdef OPENSSL_FIPS | ||
| 875 | if (curr->active && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS)) | ||
| 876 | #else | ||
| 877 | if (curr->active) | 1057 | if (curr->active) | 
| 878 | #endif | ||
| 879 | { | 1058 | { | 
| 880 | sk_SSL_CIPHER_push(cipherstack, curr->cipher); | 1059 | sk_SSL_CIPHER_push(cipherstack, curr->cipher); | 
| 881 | #ifdef CIPHER_DEBUG | 1060 | #ifdef CIPHER_DEBUG | 
| @@ -897,7 +1076,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, | |||
| 897 | if (*cipher_list_by_id != NULL) | 1076 | if (*cipher_list_by_id != NULL) | 
| 898 | sk_SSL_CIPHER_free(*cipher_list_by_id); | 1077 | sk_SSL_CIPHER_free(*cipher_list_by_id); | 
| 899 | *cipher_list_by_id = tmp_cipher_list; | 1078 | *cipher_list_by_id = tmp_cipher_list; | 
| 900 | sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id,ssl_cipher_ptr_id_cmp); | 1079 | (void)sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id,ssl_cipher_ptr_id_cmp); | 
| 901 | 1080 | ||
| 902 | return(cipherstack); | 1081 | return(cipherstack); | 
| 903 | } | 1082 | } | 
| @@ -905,13 +1084,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, | |||
| 905 | char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len) | 1084 | char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len) | 
| 906 | { | 1085 | { | 
| 907 | int is_export,pkl,kl; | 1086 | int is_export,pkl,kl; | 
| 908 | char *ver,*exp_str; | 1087 | const char *ver,*exp_str; | 
| 909 | char *kx,*au,*enc,*mac; | 1088 | const char *kx,*au,*enc,*mac; | 
| 910 | unsigned long alg,alg2,alg_s; | 1089 | unsigned long alg,alg2,alg_s; | 
| 911 | #ifdef KSSL_DEBUG | 1090 | #ifdef KSSL_DEBUG | 
| 912 | static char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s AL=%lx\n"; | 1091 | static const char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s AL=%lx\n"; | 
| 913 | #else | 1092 | #else | 
| 914 | static char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s\n"; | 1093 | static const char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s\n"; | 
| 915 | #endif /* KSSL_DEBUG */ | 1094 | #endif /* KSSL_DEBUG */ | 
| 916 | 1095 | ||
| 917 | alg=cipher->algorithms; | 1096 | alg=cipher->algorithms; | 
| @@ -922,7 +1101,7 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len) | |||
| 922 | pkl=SSL_C_EXPORT_PKEYLENGTH(cipher); | 1101 | pkl=SSL_C_EXPORT_PKEYLENGTH(cipher); | 
| 923 | kl=SSL_C_EXPORT_KEYLENGTH(cipher); | 1102 | kl=SSL_C_EXPORT_KEYLENGTH(cipher); | 
| 924 | exp_str=is_export?" export":""; | 1103 | exp_str=is_export?" export":""; | 
| 925 | 1104 | ||
| 926 | if (alg & SSL_SSLV2) | 1105 | if (alg & SSL_SSLV2) | 
| 927 | ver="SSLv2"; | 1106 | ver="SSLv2"; | 
| 928 | else if (alg & SSL_SSLV3) | 1107 | else if (alg & SSL_SSLV3) | 
| @@ -951,6 +1130,10 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len) | |||
| 951 | case SSL_kEDH: | 1130 | case SSL_kEDH: | 
| 952 | kx=is_export?(pkl == 512 ? "DH(512)" : "DH(1024)"):"DH"; | 1131 | kx=is_export?(pkl == 512 ? "DH(512)" : "DH(1024)"):"DH"; | 
| 953 | break; | 1132 | break; | 
| 1133 | case SSL_kECDH: | ||
| 1134 | case SSL_kECDHE: | ||
| 1135 | kx=is_export?"ECDH(<=163)":"ECDH"; | ||
| 1136 | break; | ||
| 954 | default: | 1137 | default: | 
| 955 | kx="unknown"; | 1138 | kx="unknown"; | 
| 956 | } | 1139 | } | 
| @@ -974,6 +1157,9 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len) | |||
| 974 | case SSL_aNULL: | 1157 | case SSL_aNULL: | 
| 975 | au="None"; | 1158 | au="None"; | 
| 976 | break; | 1159 | break; | 
| 1160 | case SSL_aECDSA: | ||
| 1161 | au="ECDSA"; | ||
| 1162 | break; | ||
| 977 | default: | 1163 | default: | 
| 978 | au="unknown"; | 1164 | au="unknown"; | 
| 979 | break; | 1165 | break; | 
| @@ -1012,6 +1198,18 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len) | |||
| 1012 | default: enc="AES(?""?""?)"; break; | 1198 | default: enc="AES(?""?""?)"; break; | 
| 1013 | } | 1199 | } | 
| 1014 | break; | 1200 | break; | 
| 1201 | case SSL_CAMELLIA: | ||
| 1202 | switch(cipher->strength_bits) | ||
| 1203 | { | ||
| 1204 | case 128: enc="Camellia(128)"; break; | ||
| 1205 | case 256: enc="Camellia(256)"; break; | ||
| 1206 | default: enc="Camellia(?""?""?)"; break; | ||
| 1207 | } | ||
| 1208 | break; | ||
| 1209 | case SSL_SEED: | ||
| 1210 | enc="SEED(128)"; | ||
| 1211 | break; | ||
| 1212 | |||
| 1015 | default: | 1213 | default: | 
| 1016 | enc="unknown"; | 1214 | enc="unknown"; | 
| 1017 | break; | 1215 | break; | 
| @@ -1098,35 +1296,63 @@ SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n) | |||
| 1098 | return(NULL); | 1296 | return(NULL); | 
| 1099 | } | 1297 | } | 
| 1100 | 1298 | ||
| 1101 | static int sk_comp_cmp(const SSL_COMP * const *a, | 1299 | #ifdef OPENSSL_NO_COMP | 
| 1102 | const SSL_COMP * const *b) | 1300 | void *SSL_COMP_get_compression_methods(void) | 
| 1103 | { | 1301 | { | 
| 1104 | return((*a)->id-(*b)->id); | 1302 | return NULL; | 
| 1303 | } | ||
| 1304 | int SSL_COMP_add_compression_method(int id, void *cm) | ||
| 1305 | { | ||
| 1306 | return 1; | ||
| 1105 | } | 1307 | } | 
| 1106 | 1308 | ||
| 1309 | const char *SSL_COMP_get_name(const void *comp) | ||
| 1310 | { | ||
| 1311 | return NULL; | ||
| 1312 | } | ||
| 1313 | #else | ||
| 1107 | STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void) | 1314 | STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void) | 
| 1108 | { | 1315 | { | 
| 1316 | load_builtin_compressions(); | ||
| 1109 | return(ssl_comp_methods); | 1317 | return(ssl_comp_methods); | 
| 1110 | } | 1318 | } | 
| 1111 | 1319 | ||
| 1112 | int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm) | 1320 | int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm) | 
| 1113 | { | 1321 | { | 
| 1114 | SSL_COMP *comp; | 1322 | SSL_COMP *comp; | 
| 1115 | STACK_OF(SSL_COMP) *sk; | ||
| 1116 | 1323 | ||
| 1117 | if (cm == NULL || cm->type == NID_undef) | 1324 | if (cm == NULL || cm->type == NID_undef) | 
| 1118 | return 1; | 1325 | return 1; | 
| 1119 | 1326 | ||
| 1327 | /* According to draft-ietf-tls-compression-04.txt, the | ||
| 1328 | compression number ranges should be the following: | ||
| 1329 | |||
| 1330 | 0 to 63: methods defined by the IETF | ||
| 1331 | 64 to 192: external party methods assigned by IANA | ||
| 1332 | 193 to 255: reserved for private use */ | ||
| 1333 | if (id < 193 || id > 255) | ||
| 1334 | { | ||
| 1335 | SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE); | ||
| 1336 | return 0; | ||
| 1337 | } | ||
| 1338 | |||
| 1120 | MemCheck_off(); | 1339 | MemCheck_off(); | 
| 1121 | comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP)); | 1340 | comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP)); | 
| 1122 | comp->id=id; | 1341 | comp->id=id; | 
| 1123 | comp->method=cm; | 1342 | comp->method=cm; | 
| 1124 | if (ssl_comp_methods == NULL) | 1343 | load_builtin_compressions(); | 
| 1125 | sk=ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp); | 1344 | if (ssl_comp_methods | 
| 1126 | else | 1345 | && !sk_SSL_COMP_find(ssl_comp_methods,comp)) | 
| 1127 | sk=ssl_comp_methods; | ||
| 1128 | if ((sk == NULL) || !sk_SSL_COMP_push(sk,comp)) | ||
| 1129 | { | 1346 | { | 
| 1347 | OPENSSL_free(comp); | ||
| 1348 | MemCheck_on(); | ||
| 1349 | SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,SSL_R_DUPLICATE_COMPRESSION_ID); | ||
| 1350 | return(1); | ||
| 1351 | } | ||
| 1352 | else if ((ssl_comp_methods == NULL) | ||
| 1353 | || !sk_SSL_COMP_push(ssl_comp_methods,comp)) | ||
| 1354 | { | ||
| 1355 | OPENSSL_free(comp); | ||
| 1130 | MemCheck_on(); | 1356 | MemCheck_on(); | 
| 1131 | SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,ERR_R_MALLOC_FAILURE); | 1357 | SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,ERR_R_MALLOC_FAILURE); | 
| 1132 | return(1); | 1358 | return(1); | 
| @@ -1137,3 +1363,12 @@ int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm) | |||
| 1137 | return(0); | 1363 | return(0); | 
| 1138 | } | 1364 | } | 
| 1139 | } | 1365 | } | 
| 1366 | |||
| 1367 | const char *SSL_COMP_get_name(const COMP_METHOD *comp) | ||
| 1368 | { | ||
| 1369 | if (comp) | ||
| 1370 | return comp->name; | ||
| 1371 | return NULL; | ||
| 1372 | } | ||
| 1373 | |||
| 1374 | #endif | ||
