diff options
| author | djm <> | 2012-10-13 21:25:14 +0000 |
|---|---|---|
| committer | djm <> | 2012-10-13 21:25:14 +0000 |
| commit | 93723b50b639d8dc717bc1bf463fd46e1b321239 (patch) | |
| tree | 281e0a29ae8f87a8c47fbd4deaa1f3d48b8cc5c1 /src/lib/libssl/ssl_ciph.c | |
| parent | 65e72ac55a6405783db7a12d7e35a7561d46005b (diff) | |
| download | openbsd-93723b50b639d8dc717bc1bf463fd46e1b321239.tar.gz openbsd-93723b50b639d8dc717bc1bf463fd46e1b321239.tar.bz2 openbsd-93723b50b639d8dc717bc1bf463fd46e1b321239.zip | |
resolve conflicts
Diffstat (limited to 'src/lib/libssl/ssl_ciph.c')
| -rw-r--r-- | src/lib/libssl/ssl_ciph.c | 133 |
1 files changed, 119 insertions, 14 deletions
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c index 54ba7ef5b4..92d1e94d6a 100644 --- a/src/lib/libssl/ssl_ciph.c +++ b/src/lib/libssl/ssl_ciph.c | |||
| @@ -162,11 +162,13 @@ | |||
| 162 | #define SSL_ENC_CAMELLIA256_IDX 9 | 162 | #define SSL_ENC_CAMELLIA256_IDX 9 |
| 163 | #define SSL_ENC_GOST89_IDX 10 | 163 | #define SSL_ENC_GOST89_IDX 10 |
| 164 | #define SSL_ENC_SEED_IDX 11 | 164 | #define SSL_ENC_SEED_IDX 11 |
| 165 | #define SSL_ENC_NUM_IDX 12 | 165 | #define SSL_ENC_AES128GCM_IDX 12 |
| 166 | #define SSL_ENC_AES256GCM_IDX 13 | ||
| 167 | #define SSL_ENC_NUM_IDX 14 | ||
| 166 | 168 | ||
| 167 | 169 | ||
| 168 | static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX]={ | 170 | static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX]={ |
| 169 | NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL, | 171 | NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL |
| 170 | }; | 172 | }; |
| 171 | 173 | ||
| 172 | #define SSL_COMP_NULL_IDX 0 | 174 | #define SSL_COMP_NULL_IDX 0 |
| @@ -179,28 +181,32 @@ static STACK_OF(SSL_COMP) *ssl_comp_methods=NULL; | |||
| 179 | #define SSL_MD_SHA1_IDX 1 | 181 | #define SSL_MD_SHA1_IDX 1 |
| 180 | #define SSL_MD_GOST94_IDX 2 | 182 | #define SSL_MD_GOST94_IDX 2 |
| 181 | #define SSL_MD_GOST89MAC_IDX 3 | 183 | #define SSL_MD_GOST89MAC_IDX 3 |
| 184 | #define SSL_MD_SHA256_IDX 4 | ||
| 185 | #define SSL_MD_SHA384_IDX 5 | ||
| 182 | /*Constant SSL_MAX_DIGEST equal to size of digests array should be | 186 | /*Constant SSL_MAX_DIGEST equal to size of digests array should be |
| 183 | * defined in the | 187 | * defined in the |
| 184 | * ssl_locl.h */ | 188 | * ssl_locl.h */ |
| 185 | #define SSL_MD_NUM_IDX SSL_MAX_DIGEST | 189 | #define SSL_MD_NUM_IDX SSL_MAX_DIGEST |
| 186 | static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX]={ | 190 | static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX]={ |
| 187 | NULL,NULL,NULL,NULL | 191 | NULL,NULL,NULL,NULL,NULL,NULL |
| 188 | }; | 192 | }; |
| 189 | /* PKEY_TYPE for GOST89MAC is known in advance, but, because | 193 | /* PKEY_TYPE for GOST89MAC is known in advance, but, because |
| 190 | * implementation is engine-provided, we'll fill it only if | 194 | * implementation is engine-provided, we'll fill it only if |
| 191 | * corresponding EVP_PKEY_METHOD is found | 195 | * corresponding EVP_PKEY_METHOD is found |
| 192 | */ | 196 | */ |
| 193 | static int ssl_mac_pkey_id[SSL_MD_NUM_IDX]={ | 197 | static int ssl_mac_pkey_id[SSL_MD_NUM_IDX]={ |
| 194 | EVP_PKEY_HMAC,EVP_PKEY_HMAC,EVP_PKEY_HMAC,NID_undef | 198 | EVP_PKEY_HMAC,EVP_PKEY_HMAC,EVP_PKEY_HMAC,NID_undef, |
| 199 | EVP_PKEY_HMAC,EVP_PKEY_HMAC | ||
| 195 | }; | 200 | }; |
| 196 | 201 | ||
| 197 | static int ssl_mac_secret_size[SSL_MD_NUM_IDX]={ | 202 | static int ssl_mac_secret_size[SSL_MD_NUM_IDX]={ |
| 198 | 0,0,0,0 | 203 | 0,0,0,0,0,0 |
| 199 | }; | 204 | }; |
| 200 | 205 | ||
| 201 | static int ssl_handshake_digest_flag[SSL_MD_NUM_IDX]={ | 206 | static int ssl_handshake_digest_flag[SSL_MD_NUM_IDX]={ |
| 202 | SSL_HANDSHAKE_MAC_MD5,SSL_HANDSHAKE_MAC_SHA, | 207 | SSL_HANDSHAKE_MAC_MD5,SSL_HANDSHAKE_MAC_SHA, |
| 203 | SSL_HANDSHAKE_MAC_GOST94,0 | 208 | SSL_HANDSHAKE_MAC_GOST94, 0, SSL_HANDSHAKE_MAC_SHA256, |
| 209 | SSL_HANDSHAKE_MAC_SHA384 | ||
| 204 | }; | 210 | }; |
| 205 | 211 | ||
| 206 | #define CIPHER_ADD 1 | 212 | #define CIPHER_ADD 1 |
| @@ -247,6 +253,7 @@ static const SSL_CIPHER cipher_aliases[]={ | |||
| 247 | {0,SSL_TXT_ECDH,0, SSL_kECDHr|SSL_kECDHe|SSL_kEECDH,0,0,0,0,0,0,0,0}, | 253 | {0,SSL_TXT_ECDH,0, SSL_kECDHr|SSL_kECDHe|SSL_kEECDH,0,0,0,0,0,0,0,0}, |
| 248 | 254 | ||
| 249 | {0,SSL_TXT_kPSK,0, SSL_kPSK, 0,0,0,0,0,0,0,0}, | 255 | {0,SSL_TXT_kPSK,0, SSL_kPSK, 0,0,0,0,0,0,0,0}, |
| 256 | {0,SSL_TXT_kSRP,0, SSL_kSRP, 0,0,0,0,0,0,0,0}, | ||
| 250 | {0,SSL_TXT_kGOST,0, SSL_kGOST,0,0,0,0,0,0,0,0}, | 257 | {0,SSL_TXT_kGOST,0, SSL_kGOST,0,0,0,0,0,0,0,0}, |
| 251 | 258 | ||
| 252 | /* server authentication aliases */ | 259 | /* server authentication aliases */ |
| @@ -273,6 +280,7 @@ static const SSL_CIPHER cipher_aliases[]={ | |||
| 273 | {0,SSL_TXT_ADH,0, SSL_kEDH,SSL_aNULL,0,0,0,0,0,0,0}, | 280 | {0,SSL_TXT_ADH,0, SSL_kEDH,SSL_aNULL,0,0,0,0,0,0,0}, |
| 274 | {0,SSL_TXT_AECDH,0, SSL_kEECDH,SSL_aNULL,0,0,0,0,0,0,0}, | 281 | {0,SSL_TXT_AECDH,0, SSL_kEECDH,SSL_aNULL,0,0,0,0,0,0,0}, |
| 275 | {0,SSL_TXT_PSK,0, SSL_kPSK,SSL_aPSK,0,0,0,0,0,0,0}, | 282 | {0,SSL_TXT_PSK,0, SSL_kPSK,SSL_aPSK,0,0,0,0,0,0,0}, |
| 283 | {0,SSL_TXT_SRP,0, SSL_kSRP,0,0,0,0,0,0,0,0}, | ||
| 276 | 284 | ||
| 277 | 285 | ||
| 278 | /* symmetric encryption aliases */ | 286 | /* symmetric encryption aliases */ |
| @@ -283,9 +291,10 @@ static const SSL_CIPHER cipher_aliases[]={ | |||
| 283 | {0,SSL_TXT_IDEA,0, 0,0,SSL_IDEA, 0,0,0,0,0,0}, | 291 | {0,SSL_TXT_IDEA,0, 0,0,SSL_IDEA, 0,0,0,0,0,0}, |
| 284 | {0,SSL_TXT_SEED,0, 0,0,SSL_SEED, 0,0,0,0,0,0}, | 292 | {0,SSL_TXT_SEED,0, 0,0,SSL_SEED, 0,0,0,0,0,0}, |
| 285 | {0,SSL_TXT_eNULL,0, 0,0,SSL_eNULL, 0,0,0,0,0,0}, | 293 | {0,SSL_TXT_eNULL,0, 0,0,SSL_eNULL, 0,0,0,0,0,0}, |
| 286 | {0,SSL_TXT_AES128,0, 0,0,SSL_AES128,0,0,0,0,0,0}, | 294 | {0,SSL_TXT_AES128,0, 0,0,SSL_AES128|SSL_AES128GCM,0,0,0,0,0,0}, |
| 287 | {0,SSL_TXT_AES256,0, 0,0,SSL_AES256,0,0,0,0,0,0}, | 295 | {0,SSL_TXT_AES256,0, 0,0,SSL_AES256|SSL_AES256GCM,0,0,0,0,0,0}, |
| 288 | {0,SSL_TXT_AES,0, 0,0,SSL_AES128|SSL_AES256,0,0,0,0,0,0}, | 296 | {0,SSL_TXT_AES,0, 0,0,SSL_AES,0,0,0,0,0,0}, |
| 297 | {0,SSL_TXT_AES_GCM,0, 0,0,SSL_AES128GCM|SSL_AES256GCM,0,0,0,0,0,0}, | ||
| 289 | {0,SSL_TXT_CAMELLIA128,0,0,0,SSL_CAMELLIA128,0,0,0,0,0,0}, | 298 | {0,SSL_TXT_CAMELLIA128,0,0,0,SSL_CAMELLIA128,0,0,0,0,0,0}, |
| 290 | {0,SSL_TXT_CAMELLIA256,0,0,0,SSL_CAMELLIA256,0,0,0,0,0,0}, | 299 | {0,SSL_TXT_CAMELLIA256,0,0,0,SSL_CAMELLIA256,0,0,0,0,0,0}, |
| 291 | {0,SSL_TXT_CAMELLIA ,0,0,0,SSL_CAMELLIA128|SSL_CAMELLIA256,0,0,0,0,0,0}, | 300 | {0,SSL_TXT_CAMELLIA ,0,0,0,SSL_CAMELLIA128|SSL_CAMELLIA256,0,0,0,0,0,0}, |
| @@ -296,6 +305,8 @@ static const SSL_CIPHER cipher_aliases[]={ | |||
| 296 | {0,SSL_TXT_SHA,0, 0,0,0,SSL_SHA1, 0,0,0,0,0}, | 305 | {0,SSL_TXT_SHA,0, 0,0,0,SSL_SHA1, 0,0,0,0,0}, |
| 297 | {0,SSL_TXT_GOST94,0, 0,0,0,SSL_GOST94, 0,0,0,0,0}, | 306 | {0,SSL_TXT_GOST94,0, 0,0,0,SSL_GOST94, 0,0,0,0,0}, |
| 298 | {0,SSL_TXT_GOST89MAC,0, 0,0,0,SSL_GOST89MAC, 0,0,0,0,0}, | 307 | {0,SSL_TXT_GOST89MAC,0, 0,0,0,SSL_GOST89MAC, 0,0,0,0,0}, |
| 308 | {0,SSL_TXT_SHA256,0, 0,0,0,SSL_SHA256, 0,0,0,0,0}, | ||
| 309 | {0,SSL_TXT_SHA384,0, 0,0,0,SSL_SHA384, 0,0,0,0,0}, | ||
| 299 | 310 | ||
| 300 | /* protocol version aliases */ | 311 | /* protocol version aliases */ |
| 301 | {0,SSL_TXT_SSLV2,0, 0,0,0,0,SSL_SSLV2, 0,0,0,0}, | 312 | {0,SSL_TXT_SSLV2,0, 0,0,0,0,SSL_SSLV2, 0,0,0,0}, |
| @@ -379,6 +390,11 @@ void ssl_load_ciphers(void) | |||
| 379 | ssl_cipher_methods[SSL_ENC_SEED_IDX]= | 390 | ssl_cipher_methods[SSL_ENC_SEED_IDX]= |
| 380 | EVP_get_cipherbyname(SN_seed_cbc); | 391 | EVP_get_cipherbyname(SN_seed_cbc); |
| 381 | 392 | ||
| 393 | ssl_cipher_methods[SSL_ENC_AES128GCM_IDX]= | ||
| 394 | EVP_get_cipherbyname(SN_aes_128_gcm); | ||
| 395 | ssl_cipher_methods[SSL_ENC_AES256GCM_IDX]= | ||
| 396 | EVP_get_cipherbyname(SN_aes_256_gcm); | ||
| 397 | |||
| 382 | ssl_digest_methods[SSL_MD_MD5_IDX]= | 398 | ssl_digest_methods[SSL_MD_MD5_IDX]= |
| 383 | EVP_get_digestbyname(SN_md5); | 399 | EVP_get_digestbyname(SN_md5); |
| 384 | ssl_mac_secret_size[SSL_MD_MD5_IDX]= | 400 | ssl_mac_secret_size[SSL_MD_MD5_IDX]= |
| @@ -404,6 +420,14 @@ void ssl_load_ciphers(void) | |||
| 404 | ssl_mac_secret_size[SSL_MD_GOST89MAC_IDX]=32; | 420 | ssl_mac_secret_size[SSL_MD_GOST89MAC_IDX]=32; |
| 405 | } | 421 | } |
| 406 | 422 | ||
| 423 | ssl_digest_methods[SSL_MD_SHA256_IDX]= | ||
| 424 | EVP_get_digestbyname(SN_sha256); | ||
| 425 | ssl_mac_secret_size[SSL_MD_SHA256_IDX]= | ||
| 426 | EVP_MD_size(ssl_digest_methods[SSL_MD_SHA256_IDX]); | ||
| 427 | ssl_digest_methods[SSL_MD_SHA384_IDX]= | ||
| 428 | EVP_get_digestbyname(SN_sha384); | ||
| 429 | ssl_mac_secret_size[SSL_MD_SHA384_IDX]= | ||
| 430 | EVP_MD_size(ssl_digest_methods[SSL_MD_SHA384_IDX]); | ||
| 407 | } | 431 | } |
| 408 | #ifndef OPENSSL_NO_COMP | 432 | #ifndef OPENSSL_NO_COMP |
| 409 | 433 | ||
| @@ -526,6 +550,12 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, | |||
| 526 | case SSL_SEED: | 550 | case SSL_SEED: |
| 527 | i=SSL_ENC_SEED_IDX; | 551 | i=SSL_ENC_SEED_IDX; |
| 528 | break; | 552 | break; |
| 553 | case SSL_AES128GCM: | ||
| 554 | i=SSL_ENC_AES128GCM_IDX; | ||
| 555 | break; | ||
| 556 | case SSL_AES256GCM: | ||
| 557 | i=SSL_ENC_AES256GCM_IDX; | ||
| 558 | break; | ||
| 529 | default: | 559 | default: |
| 530 | i= -1; | 560 | i= -1; |
| 531 | break; | 561 | break; |
| @@ -549,6 +579,12 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, | |||
| 549 | case SSL_SHA1: | 579 | case SSL_SHA1: |
| 550 | i=SSL_MD_SHA1_IDX; | 580 | i=SSL_MD_SHA1_IDX; |
| 551 | break; | 581 | break; |
| 582 | case SSL_SHA256: | ||
| 583 | i=SSL_MD_SHA256_IDX; | ||
| 584 | break; | ||
| 585 | case SSL_SHA384: | ||
| 586 | i=SSL_MD_SHA384_IDX; | ||
| 587 | break; | ||
| 552 | case SSL_GOST94: | 588 | case SSL_GOST94: |
| 553 | i = SSL_MD_GOST94_IDX; | 589 | i = SSL_MD_GOST94_IDX; |
| 554 | break; | 590 | break; |
| @@ -564,17 +600,45 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, | |||
| 564 | *md=NULL; | 600 | *md=NULL; |
| 565 | if (mac_pkey_type!=NULL) *mac_pkey_type = NID_undef; | 601 | if (mac_pkey_type!=NULL) *mac_pkey_type = NID_undef; |
| 566 | if (mac_secret_size!=NULL) *mac_secret_size = 0; | 602 | if (mac_secret_size!=NULL) *mac_secret_size = 0; |
| 567 | 603 | if (c->algorithm_mac == SSL_AEAD) | |
| 604 | mac_pkey_type = NULL; | ||
| 568 | } | 605 | } |
| 569 | else | 606 | else |
| 570 | { | 607 | { |
| 571 | *md=ssl_digest_methods[i]; | 608 | *md=ssl_digest_methods[i]; |
| 572 | if (mac_pkey_type!=NULL) *mac_pkey_type = ssl_mac_pkey_id[i]; | 609 | if (mac_pkey_type!=NULL) *mac_pkey_type = ssl_mac_pkey_id[i]; |
| 573 | if (mac_secret_size!=NULL) *mac_secret_size = ssl_mac_secret_size[i]; | 610 | if (mac_secret_size!=NULL) *mac_secret_size = ssl_mac_secret_size[i]; |
| 574 | } | 611 | } |
| 612 | |||
| 613 | if ((*enc != NULL) && | ||
| 614 | (*md != NULL || (EVP_CIPHER_flags(*enc)&EVP_CIPH_FLAG_AEAD_CIPHER)) && | ||
| 615 | (!mac_pkey_type||*mac_pkey_type != NID_undef)) | ||
| 616 | { | ||
| 617 | const EVP_CIPHER *evp; | ||
| 618 | |||
| 619 | if (s->ssl_version>>8 != TLS1_VERSION_MAJOR || | ||
| 620 | s->ssl_version < TLS1_VERSION) | ||
| 621 | return 1; | ||
| 575 | 622 | ||
| 576 | if ((*enc != NULL) && (*md != NULL) && (!mac_pkey_type||*mac_pkey_type != NID_undef)) | 623 | #ifdef OPENSSL_FIPS |
| 624 | if (FIPS_mode()) | ||
| 625 | return 1; | ||
| 626 | #endif | ||
| 627 | |||
| 628 | if (c->algorithm_enc == SSL_RC4 && | ||
| 629 | c->algorithm_mac == SSL_MD5 && | ||
| 630 | (evp=EVP_get_cipherbyname("RC4-HMAC-MD5"))) | ||
| 631 | *enc = evp, *md = NULL; | ||
| 632 | else if (c->algorithm_enc == SSL_AES128 && | ||
| 633 | c->algorithm_mac == SSL_SHA1 && | ||
| 634 | (evp=EVP_get_cipherbyname("AES-128-CBC-HMAC-SHA1"))) | ||
| 635 | *enc = evp, *md = NULL; | ||
| 636 | else if (c->algorithm_enc == SSL_AES256 && | ||
| 637 | c->algorithm_mac == SSL_SHA1 && | ||
| 638 | (evp=EVP_get_cipherbyname("AES-256-CBC-HMAC-SHA1"))) | ||
| 639 | *enc = evp, *md = NULL; | ||
| 577 | return(1); | 640 | return(1); |
| 641 | } | ||
| 578 | else | 642 | else |
| 579 | return(0); | 643 | return(0); |
| 580 | } | 644 | } |
| @@ -585,9 +649,11 @@ int ssl_get_handshake_digest(int idx, long *mask, const EVP_MD **md) | |||
| 585 | { | 649 | { |
| 586 | return 0; | 650 | return 0; |
| 587 | } | 651 | } |
| 588 | if (ssl_handshake_digest_flag[idx]==0) return 0; | ||
| 589 | *mask = ssl_handshake_digest_flag[idx]; | 652 | *mask = ssl_handshake_digest_flag[idx]; |
| 590 | *md = ssl_digest_methods[idx]; | 653 | if (*mask) |
| 654 | *md = ssl_digest_methods[idx]; | ||
| 655 | else | ||
| 656 | *md = NULL; | ||
| 591 | return 1; | 657 | return 1; |
| 592 | } | 658 | } |
| 593 | 659 | ||
| @@ -662,6 +728,9 @@ static void ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, un | |||
| 662 | *mkey |= SSL_kPSK; | 728 | *mkey |= SSL_kPSK; |
| 663 | *auth |= SSL_aPSK; | 729 | *auth |= SSL_aPSK; |
| 664 | #endif | 730 | #endif |
| 731 | #ifdef OPENSSL_NO_SRP | ||
| 732 | *mkey |= SSL_kSRP; | ||
| 733 | #endif | ||
| 665 | /* Check for presence of GOST 34.10 algorithms, and if they | 734 | /* Check for presence of GOST 34.10 algorithms, and if they |
| 666 | * do not present, disable appropriate auth and key exchange */ | 735 | * do not present, disable appropriate auth and key exchange */ |
| 667 | if (!get_optional_pkey_id("gost94")) { | 736 | if (!get_optional_pkey_id("gost94")) { |
| @@ -687,6 +756,8 @@ static void ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, un | |||
| 687 | *enc |= (ssl_cipher_methods[SSL_ENC_IDEA_IDX] == NULL) ? SSL_IDEA:0; | 756 | *enc |= (ssl_cipher_methods[SSL_ENC_IDEA_IDX] == NULL) ? SSL_IDEA:0; |
| 688 | *enc |= (ssl_cipher_methods[SSL_ENC_AES128_IDX] == NULL) ? SSL_AES128:0; | 757 | *enc |= (ssl_cipher_methods[SSL_ENC_AES128_IDX] == NULL) ? SSL_AES128:0; |
| 689 | *enc |= (ssl_cipher_methods[SSL_ENC_AES256_IDX] == NULL) ? SSL_AES256:0; | 758 | *enc |= (ssl_cipher_methods[SSL_ENC_AES256_IDX] == NULL) ? SSL_AES256:0; |
| 759 | *enc |= (ssl_cipher_methods[SSL_ENC_AES128GCM_IDX] == NULL) ? SSL_AES128GCM:0; | ||
| 760 | *enc |= (ssl_cipher_methods[SSL_ENC_AES256GCM_IDX] == NULL) ? SSL_AES256GCM:0; | ||
| 690 | *enc |= (ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX] == NULL) ? SSL_CAMELLIA128:0; | 761 | *enc |= (ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX] == NULL) ? SSL_CAMELLIA128:0; |
| 691 | *enc |= (ssl_cipher_methods[SSL_ENC_CAMELLIA256_IDX] == NULL) ? SSL_CAMELLIA256:0; | 762 | *enc |= (ssl_cipher_methods[SSL_ENC_CAMELLIA256_IDX] == NULL) ? SSL_CAMELLIA256:0; |
| 692 | *enc |= (ssl_cipher_methods[SSL_ENC_GOST89_IDX] == NULL) ? SSL_eGOST2814789CNT:0; | 763 | *enc |= (ssl_cipher_methods[SSL_ENC_GOST89_IDX] == NULL) ? SSL_eGOST2814789CNT:0; |
| @@ -694,6 +765,8 @@ static void ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, un | |||
| 694 | 765 | ||
| 695 | *mac |= (ssl_digest_methods[SSL_MD_MD5_IDX ] == NULL) ? SSL_MD5 :0; | 766 | *mac |= (ssl_digest_methods[SSL_MD_MD5_IDX ] == NULL) ? SSL_MD5 :0; |
| 696 | *mac |= (ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL) ? SSL_SHA1:0; | 767 | *mac |= (ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL) ? SSL_SHA1:0; |
| 768 | *mac |= (ssl_digest_methods[SSL_MD_SHA256_IDX] == NULL) ? SSL_SHA256:0; | ||
| 769 | *mac |= (ssl_digest_methods[SSL_MD_SHA384_IDX] == NULL) ? SSL_SHA384:0; | ||
| 697 | *mac |= (ssl_digest_methods[SSL_MD_GOST94_IDX] == NULL) ? SSL_GOST94:0; | 770 | *mac |= (ssl_digest_methods[SSL_MD_GOST94_IDX] == NULL) ? SSL_GOST94:0; |
| 698 | *mac |= (ssl_digest_methods[SSL_MD_GOST89MAC_IDX] == NULL || ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX]==NID_undef)? SSL_GOST89MAC:0; | 771 | *mac |= (ssl_digest_methods[SSL_MD_GOST89MAC_IDX] == NULL || ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX]==NID_undef)? SSL_GOST89MAC:0; |
| 699 | 772 | ||
| @@ -724,6 +797,9 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method, | |||
| 724 | c = ssl_method->get_cipher(i); | 797 | c = ssl_method->get_cipher(i); |
| 725 | /* drop those that use any of that is not available */ | 798 | /* drop those that use any of that is not available */ |
| 726 | if ((c != NULL) && c->valid && | 799 | if ((c != NULL) && c->valid && |
| 800 | #ifdef OPENSSL_FIPS | ||
| 801 | (!FIPS_mode() || (c->algo_strength & SSL_FIPS)) && | ||
| 802 | #endif | ||
| 727 | !(c->algorithm_mkey & disabled_mkey) && | 803 | !(c->algorithm_mkey & disabled_mkey) && |
| 728 | !(c->algorithm_auth & disabled_auth) && | 804 | !(c->algorithm_auth & disabled_auth) && |
| 729 | !(c->algorithm_enc & disabled_enc) && | 805 | !(c->algorithm_enc & disabled_enc) && |
| @@ -1423,7 +1499,11 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, | |||
| 1423 | */ | 1499 | */ |
| 1424 | for (curr = head; curr != NULL; curr = curr->next) | 1500 | for (curr = head; curr != NULL; curr = curr->next) |
| 1425 | { | 1501 | { |
| 1502 | #ifdef OPENSSL_FIPS | ||
| 1503 | if (curr->active && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS)) | ||
| 1504 | #else | ||
| 1426 | if (curr->active) | 1505 | if (curr->active) |
| 1506 | #endif | ||
| 1427 | { | 1507 | { |
| 1428 | sk_SSL_CIPHER_push(cipherstack, curr->cipher); | 1508 | sk_SSL_CIPHER_push(cipherstack, curr->cipher); |
| 1429 | #ifdef CIPHER_DEBUG | 1509 | #ifdef CIPHER_DEBUG |
| @@ -1480,6 +1560,8 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) | |||
| 1480 | ver="SSLv2"; | 1560 | ver="SSLv2"; |
| 1481 | else if (alg_ssl & SSL_SSLV3) | 1561 | else if (alg_ssl & SSL_SSLV3) |
| 1482 | ver="SSLv3"; | 1562 | ver="SSLv3"; |
| 1563 | else if (alg_ssl & SSL_TLSV1_2) | ||
| 1564 | ver="TLSv1.2"; | ||
| 1483 | else | 1565 | else |
| 1484 | ver="unknown"; | 1566 | ver="unknown"; |
| 1485 | 1567 | ||
| @@ -1512,6 +1594,9 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) | |||
| 1512 | case SSL_kPSK: | 1594 | case SSL_kPSK: |
| 1513 | kx="PSK"; | 1595 | kx="PSK"; |
| 1514 | break; | 1596 | break; |
| 1597 | case SSL_kSRP: | ||
| 1598 | kx="SRP"; | ||
| 1599 | break; | ||
| 1515 | default: | 1600 | default: |
| 1516 | kx="unknown"; | 1601 | kx="unknown"; |
| 1517 | } | 1602 | } |
| @@ -1574,6 +1659,12 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) | |||
| 1574 | case SSL_AES256: | 1659 | case SSL_AES256: |
| 1575 | enc="AES(256)"; | 1660 | enc="AES(256)"; |
| 1576 | break; | 1661 | break; |
| 1662 | case SSL_AES128GCM: | ||
| 1663 | enc="AESGCM(128)"; | ||
| 1664 | break; | ||
| 1665 | case SSL_AES256GCM: | ||
| 1666 | enc="AESGCM(256)"; | ||
| 1667 | break; | ||
| 1577 | case SSL_CAMELLIA128: | 1668 | case SSL_CAMELLIA128: |
| 1578 | enc="Camellia(128)"; | 1669 | enc="Camellia(128)"; |
| 1579 | break; | 1670 | break; |
| @@ -1596,6 +1687,15 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) | |||
| 1596 | case SSL_SHA1: | 1687 | case SSL_SHA1: |
| 1597 | mac="SHA1"; | 1688 | mac="SHA1"; |
| 1598 | break; | 1689 | break; |
| 1690 | case SSL_SHA256: | ||
| 1691 | mac="SHA256"; | ||
| 1692 | break; | ||
| 1693 | case SSL_SHA384: | ||
| 1694 | mac="SHA384"; | ||
| 1695 | break; | ||
| 1696 | case SSL_AEAD: | ||
| 1697 | mac="AEAD"; | ||
| 1698 | break; | ||
| 1599 | default: | 1699 | default: |
| 1600 | mac="unknown"; | 1700 | mac="unknown"; |
| 1601 | break; | 1701 | break; |
| @@ -1653,6 +1753,11 @@ int SSL_CIPHER_get_bits(const SSL_CIPHER *c, int *alg_bits) | |||
| 1653 | return(ret); | 1753 | return(ret); |
| 1654 | } | 1754 | } |
| 1655 | 1755 | ||
| 1756 | unsigned long SSL_CIPHER_get_id(const SSL_CIPHER *c) | ||
| 1757 | { | ||
| 1758 | return c->id; | ||
| 1759 | } | ||
| 1760 | |||
| 1656 | SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n) | 1761 | SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n) |
| 1657 | { | 1762 | { |
| 1658 | SSL_COMP *ctmp; | 1763 | SSL_COMP *ctmp; |