summaryrefslogtreecommitdiff
path: root/src/lib/libssl/s3_lib.c
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/lib/libssl/s3_lib.c403
1 files changed, 352 insertions, 51 deletions
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index c32c06de32..686992406c 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -56,7 +56,7 @@
56 * [including the GNU Public Licence.] 56 * [including the GNU Public Licence.]
57 */ 57 */
58/* ==================================================================== 58/* ====================================================================
59 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. 59 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
60 * 60 *
61 * Redistribution and use in source and binary forms, with or without 61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions 62 * modification, are permitted provided that the following conditions
@@ -110,10 +110,10 @@
110 */ 110 */
111 111
112#include <stdio.h> 112#include <stdio.h>
113#include <openssl/md5.h>
114#include <openssl/sha.h>
115#include <openssl/objects.h> 113#include <openssl/objects.h>
116#include "ssl_locl.h" 114#include "ssl_locl.h"
115#include "kssl_lcl.h"
116#include <openssl/md5.h>
117 117
118const char *ssl3_version_str="SSLv3" OPENSSL_VERSION_PTEXT; 118const char *ssl3_version_str="SSLv3" OPENSSL_VERSION_PTEXT;
119 119
@@ -170,7 +170,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
170 SSL3_TXT_ADH_RC4_128_MD5, 170 SSL3_TXT_ADH_RC4_128_MD5,
171 SSL3_CK_ADH_RC4_128_MD5, 171 SSL3_CK_ADH_RC4_128_MD5,
172 SSL_kEDH |SSL_aNULL|SSL_RC4 |SSL_MD5 |SSL_SSLV3, 172 SSL_kEDH |SSL_aNULL|SSL_RC4 |SSL_MD5 |SSL_SSLV3,
173 SSL_NOT_EXP, 173 SSL_NOT_EXP|SSL_MEDIUM,
174 0, 174 0,
175 128, 175 128,
176 128, 176 128,
@@ -196,7 +196,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
196 SSL3_TXT_ADH_DES_64_CBC_SHA, 196 SSL3_TXT_ADH_DES_64_CBC_SHA,
197 SSL3_CK_ADH_DES_64_CBC_SHA, 197 SSL3_CK_ADH_DES_64_CBC_SHA,
198 SSL_kEDH |SSL_aNULL|SSL_DES |SSL_SHA1|SSL_SSLV3, 198 SSL_kEDH |SSL_aNULL|SSL_DES |SSL_SHA1|SSL_SSLV3,
199 SSL_NOT_EXP, 199 SSL_NOT_EXP|SSL_LOW,
200 0, 200 0,
201 56, 201 56,
202 56, 202 56,
@@ -209,7 +209,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
209 SSL3_TXT_ADH_DES_192_CBC_SHA, 209 SSL3_TXT_ADH_DES_192_CBC_SHA,
210 SSL3_CK_ADH_DES_192_CBC_SHA, 210 SSL3_CK_ADH_DES_192_CBC_SHA,
211 SSL_kEDH |SSL_aNULL|SSL_3DES |SSL_SHA1|SSL_SSLV3, 211 SSL_kEDH |SSL_aNULL|SSL_3DES |SSL_SHA1|SSL_SSLV3,
212 SSL_NOT_EXP, 212 SSL_NOT_EXP|SSL_HIGH,
213 0, 213 0,
214 168, 214 168,
215 168, 215 168,
@@ -518,7 +518,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
518 SSL3_TXT_FZA_DMS_RC4_SHA, 518 SSL3_TXT_FZA_DMS_RC4_SHA,
519 SSL3_CK_FZA_DMS_RC4_SHA, 519 SSL3_CK_FZA_DMS_RC4_SHA,
520 SSL_kFZA|SSL_aFZA |SSL_RC4 |SSL_SHA1|SSL_SSLV3, 520 SSL_kFZA|SSL_aFZA |SSL_RC4 |SSL_SHA1|SSL_SSLV3,
521 SSL_NOT_EXP, 521 SSL_NOT_EXP|SSL_MEDIUM,
522 0, 522 0,
523 128, 523 128,
524 128, 524 128,
@@ -526,6 +526,97 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
526 SSL_ALL_STRENGTHS, 526 SSL_ALL_STRENGTHS,
527 }, 527 },
528 528
529#ifndef OPENSSL_NO_KRB5
530/* The Kerberos ciphers
531** 20000107 VRS: And the first shall be last,
532** in hopes of avoiding the lynx ssl renegotiation problem.
533*/
534/* Cipher 21 VRS */
535 {
536 1,
537 SSL3_TXT_KRB5_DES_40_CBC_SHA,
538 SSL3_CK_KRB5_DES_40_CBC_SHA,
539 SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_SHA1 |SSL_SSLV3,
540 SSL_EXPORT|SSL_EXP40,
541 0,
542 40,
543 56,
544 SSL_ALL_CIPHERS,
545 SSL_ALL_STRENGTHS,
546 },
547
548/* Cipher 22 VRS */
549 {
550 1,
551 SSL3_TXT_KRB5_DES_40_CBC_MD5,
552 SSL3_CK_KRB5_DES_40_CBC_MD5,
553 SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_MD5 |SSL_SSLV3,
554 SSL_EXPORT|SSL_EXP40,
555 0,
556 40,
557 56,
558 SSL_ALL_CIPHERS,
559 SSL_ALL_STRENGTHS,
560 },
561
562/* Cipher 23 VRS */
563 {
564 1,
565 SSL3_TXT_KRB5_DES_64_CBC_SHA,
566 SSL3_CK_KRB5_DES_64_CBC_SHA,
567 SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_SHA1 |SSL_SSLV3,
568 SSL_NOT_EXP|SSL_LOW,
569 0,
570 56,
571 56,
572 SSL_ALL_CIPHERS,
573 SSL_ALL_STRENGTHS,
574 },
575
576/* Cipher 24 VRS */
577 {
578 1,
579 SSL3_TXT_KRB5_DES_64_CBC_MD5,
580 SSL3_CK_KRB5_DES_64_CBC_MD5,
581 SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_MD5 |SSL_SSLV3,
582 SSL_NOT_EXP|SSL_LOW,
583 0,
584 56,
585 56,
586 SSL_ALL_CIPHERS,
587 SSL_ALL_STRENGTHS,
588 },
589
590/* Cipher 25 VRS */
591 {
592 1,
593 SSL3_TXT_KRB5_DES_192_CBC3_SHA,
594 SSL3_CK_KRB5_DES_192_CBC3_SHA,
595 SSL_kKRB5|SSL_aKRB5| SSL_3DES|SSL_SHA1 |SSL_SSLV3,
596 SSL_NOT_EXP|SSL_HIGH,
597 0,
598 112,
599 168,
600 SSL_ALL_CIPHERS,
601 SSL_ALL_STRENGTHS,
602 },
603
604/* Cipher 26 VRS */
605 {
606 1,
607 SSL3_TXT_KRB5_DES_192_CBC3_MD5,
608 SSL3_CK_KRB5_DES_192_CBC3_MD5,
609 SSL_kKRB5|SSL_aKRB5| SSL_3DES|SSL_MD5 |SSL_SSLV3,
610 SSL_NOT_EXP|SSL_HIGH,
611 0,
612 112,
613 168,
614 SSL_ALL_CIPHERS,
615 SSL_ALL_STRENGTHS,
616 },
617#endif /* OPENSSL_NO_KRB5 */
618
619
529#if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES 620#if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES
530 /* New TLS Export CipherSuites */ 621 /* New TLS Export CipherSuites */
531 /* Cipher 60 */ 622 /* Cipher 60 */
@@ -612,7 +703,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
612 TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA, 703 TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA,
613 TLS1_CK_DHE_DSS_WITH_RC4_128_SHA, 704 TLS1_CK_DHE_DSS_WITH_RC4_128_SHA,
614 SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1, 705 SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1,
615 SSL_NOT_EXP, 706 SSL_NOT_EXP|SSL_MEDIUM,
616 0, 707 0,
617 128, 708 128,
618 128, 709 128,
@@ -620,6 +711,165 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
620 SSL_ALL_STRENGTHS 711 SSL_ALL_STRENGTHS
621 }, 712 },
622#endif 713#endif
714 /* New AES ciphersuites */
715
716 /* Cipher 2F */
717 {
718 1,
719 TLS1_TXT_RSA_WITH_AES_128_SHA,
720 TLS1_CK_RSA_WITH_AES_128_SHA,
721 SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1,
722 SSL_NOT_EXP|SSL_MEDIUM,
723 0,
724 128,
725 128,
726 SSL_ALL_CIPHERS,
727 SSL_ALL_STRENGTHS,
728 },
729 /* Cipher 30 */
730 {
731 0,
732 TLS1_TXT_DH_DSS_WITH_AES_128_SHA,
733 TLS1_CK_DH_DSS_WITH_AES_128_SHA,
734 SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
735 SSL_NOT_EXP|SSL_MEDIUM,
736 0,
737 128,
738 128,
739 SSL_ALL_CIPHERS,
740 SSL_ALL_STRENGTHS,
741 },
742 /* Cipher 31 */
743 {
744 0,
745 TLS1_TXT_DH_RSA_WITH_AES_128_SHA,
746 TLS1_CK_DH_RSA_WITH_AES_128_SHA,
747 SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
748 SSL_NOT_EXP|SSL_MEDIUM,
749 0,
750 128,
751 128,
752 SSL_ALL_CIPHERS,
753 SSL_ALL_STRENGTHS,
754 },
755 /* Cipher 32 */
756 {
757 1,
758 TLS1_TXT_DHE_DSS_WITH_AES_128_SHA,
759 TLS1_CK_DHE_DSS_WITH_AES_128_SHA,
760 SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1,
761 SSL_NOT_EXP|SSL_MEDIUM,
762 0,
763 128,
764 128,
765 SSL_ALL_CIPHERS,
766 SSL_ALL_STRENGTHS,
767 },
768 /* Cipher 33 */
769 {
770 1,
771 TLS1_TXT_DHE_RSA_WITH_AES_128_SHA,
772 TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
773 SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
774 SSL_NOT_EXP|SSL_MEDIUM,
775 0,
776 128,
777 128,
778 SSL_ALL_CIPHERS,
779 SSL_ALL_STRENGTHS,
780 },
781 /* Cipher 34 */
782 {
783 1,
784 TLS1_TXT_ADH_WITH_AES_128_SHA,
785 TLS1_CK_ADH_WITH_AES_128_SHA,
786 SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
787 SSL_NOT_EXP|SSL_MEDIUM,
788 0,
789 128,
790 128,
791 SSL_ALL_CIPHERS,
792 SSL_ALL_STRENGTHS,
793 },
794
795 /* Cipher 35 */
796 {
797 1,
798 TLS1_TXT_RSA_WITH_AES_256_SHA,
799 TLS1_CK_RSA_WITH_AES_256_SHA,
800 SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1,
801 SSL_NOT_EXP|SSL_HIGH,
802 0,
803 256,
804 256,
805 SSL_ALL_CIPHERS,
806 SSL_ALL_STRENGTHS,
807 },
808 /* Cipher 36 */
809 {
810 0,
811 TLS1_TXT_DH_DSS_WITH_AES_256_SHA,
812 TLS1_CK_DH_DSS_WITH_AES_256_SHA,
813 SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
814 SSL_NOT_EXP|SSL_HIGH,
815 0,
816 256,
817 256,
818 SSL_ALL_CIPHERS,
819 SSL_ALL_STRENGTHS,
820 },
821 /* Cipher 37 */
822 {
823 0,
824 TLS1_TXT_DH_RSA_WITH_AES_256_SHA,
825 TLS1_CK_DH_RSA_WITH_AES_256_SHA,
826 SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
827 SSL_NOT_EXP|SSL_HIGH,
828 0,
829 256,
830 256,
831 SSL_ALL_CIPHERS,
832 SSL_ALL_STRENGTHS,
833 },
834 /* Cipher 38 */
835 {
836 1,
837 TLS1_TXT_DHE_DSS_WITH_AES_256_SHA,
838 TLS1_CK_DHE_DSS_WITH_AES_256_SHA,
839 SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1,
840 SSL_NOT_EXP|SSL_HIGH,
841 0,
842 256,
843 256,
844 SSL_ALL_CIPHERS,
845 SSL_ALL_STRENGTHS,
846 },
847 /* Cipher 39 */
848 {
849 1,
850 TLS1_TXT_DHE_RSA_WITH_AES_256_SHA,
851 TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
852 SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
853 SSL_NOT_EXP|SSL_HIGH,
854 0,
855 256,
856 256,
857 SSL_ALL_CIPHERS,
858 SSL_ALL_STRENGTHS,
859 },
860 /* Cipher 3A */
861 {
862 1,
863 TLS1_TXT_ADH_WITH_AES_256_SHA,
864 TLS1_CK_ADH_WITH_AES_256_SHA,
865 SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
866 SSL_NOT_EXP|SSL_HIGH,
867 0,
868 256,
869 256,
870 SSL_ALL_CIPHERS,
871 SSL_ALL_STRENGTHS,
872 },
623 873
624/* end of list */ 874/* end of list */
625 }; 875 };
@@ -693,6 +943,9 @@ SSL_CIPHER *ssl3_get_cipher(unsigned int u)
693 943
694int ssl3_pending(SSL *s) 944int ssl3_pending(SSL *s)
695 { 945 {
946 if (s->rstate == SSL_ST_READ_BODY)
947 return 0;
948
696 return (s->s3->rrec.type == SSL3_RT_APPLICATION_DATA) ? s->s3->rrec.length : 0; 949 return (s->s3->rrec.type == SSL3_RT_APPLICATION_DATA) ? s->s3->rrec.length : 0;
697 } 950 }
698 951
@@ -702,6 +955,8 @@ int ssl3_new(SSL *s)
702 955
703 if ((s3=OPENSSL_malloc(sizeof *s3)) == NULL) goto err; 956 if ((s3=OPENSSL_malloc(sizeof *s3)) == NULL) goto err;
704 memset(s3,0,sizeof *s3); 957 memset(s3,0,sizeof *s3);
958 EVP_MD_CTX_init(&s3->finish_dgst1);
959 EVP_MD_CTX_init(&s3->finish_dgst2);
705 960
706 s->s3=s3; 961 s->s3=s3;
707 962
@@ -723,12 +978,14 @@ void ssl3_free(SSL *s)
723 OPENSSL_free(s->s3->wbuf.buf); 978 OPENSSL_free(s->s3->wbuf.buf);
724 if (s->s3->rrec.comp != NULL) 979 if (s->s3->rrec.comp != NULL)
725 OPENSSL_free(s->s3->rrec.comp); 980 OPENSSL_free(s->s3->rrec.comp);
726#ifndef NO_DH 981#ifndef OPENSSL_NO_DH
727 if (s->s3->tmp.dh != NULL) 982 if (s->s3->tmp.dh != NULL)
728 DH_free(s->s3->tmp.dh); 983 DH_free(s->s3->tmp.dh);
729#endif 984#endif
730 if (s->s3->tmp.ca_names != NULL) 985 if (s->s3->tmp.ca_names != NULL)
731 sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free); 986 sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
987 EVP_MD_CTX_cleanup(&s->s3->finish_dgst1);
988 EVP_MD_CTX_cleanup(&s->s3->finish_dgst2);
732 memset(s->s3,0,sizeof *s->s3); 989 memset(s->s3,0,sizeof *s->s3);
733 OPENSSL_free(s->s3); 990 OPENSSL_free(s->s3);
734 s->s3=NULL; 991 s->s3=NULL;
@@ -737,6 +994,7 @@ void ssl3_free(SSL *s)
737void ssl3_clear(SSL *s) 994void ssl3_clear(SSL *s)
738 { 995 {
739 unsigned char *rp,*wp; 996 unsigned char *rp,*wp;
997 size_t rlen, wlen;
740 998
741 ssl3_cleanup_key_block(s); 999 ssl3_cleanup_key_block(s);
742 if (s->s3->tmp.ca_names != NULL) 1000 if (s->s3->tmp.ca_names != NULL)
@@ -747,17 +1005,24 @@ void ssl3_clear(SSL *s)
747 OPENSSL_free(s->s3->rrec.comp); 1005 OPENSSL_free(s->s3->rrec.comp);
748 s->s3->rrec.comp=NULL; 1006 s->s3->rrec.comp=NULL;
749 } 1007 }
750#ifndef NO_DH 1008#ifndef OPENSSL_NO_DH
751 if (s->s3->tmp.dh != NULL) 1009 if (s->s3->tmp.dh != NULL)
752 DH_free(s->s3->tmp.dh); 1010 DH_free(s->s3->tmp.dh);
753#endif 1011#endif
754 1012
755 rp=s->s3->rbuf.buf; 1013 rp = s->s3->rbuf.buf;
756 wp=s->s3->wbuf.buf; 1014 wp = s->s3->wbuf.buf;
1015 rlen = s->s3->rbuf.len;
1016 wlen = s->s3->wbuf.len;
1017
1018 EVP_MD_CTX_cleanup(&s->s3->finish_dgst1);
1019 EVP_MD_CTX_cleanup(&s->s3->finish_dgst2);
757 1020
758 memset(s->s3,0,sizeof *s->s3); 1021 memset(s->s3,0,sizeof *s->s3);
759 if (rp != NULL) s->s3->rbuf.buf=rp; 1022 s->s3->rbuf.buf = rp;
760 if (wp != NULL) s->s3->wbuf.buf=wp; 1023 s->s3->wbuf.buf = wp;
1024 s->s3->rbuf.len = rlen;
1025 s->s3->wbuf.len = wlen;
761 1026
762 ssl_free_wbio_buffer(s); 1027 ssl_free_wbio_buffer(s);
763 1028
@@ -769,17 +1034,17 @@ void ssl3_clear(SSL *s)
769 s->version=SSL3_VERSION; 1034 s->version=SSL3_VERSION;
770 } 1035 }
771 1036
772long ssl3_ctrl(SSL *s, int cmd, long larg, char *parg) 1037long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
773 { 1038 {
774 int ret=0; 1039 int ret=0;
775 1040
776#if !defined(NO_DSA) || !defined(NO_RSA) 1041#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_RSA)
777 if ( 1042 if (
778#ifndef NO_RSA 1043#ifndef OPENSSL_NO_RSA
779 cmd == SSL_CTRL_SET_TMP_RSA || 1044 cmd == SSL_CTRL_SET_TMP_RSA ||
780 cmd == SSL_CTRL_SET_TMP_RSA_CB || 1045 cmd == SSL_CTRL_SET_TMP_RSA_CB ||
781#endif 1046#endif
782#ifndef NO_DSA 1047#ifndef OPENSSL_NO_DSA
783 cmd == SSL_CTRL_SET_TMP_DH || 1048 cmd == SSL_CTRL_SET_TMP_DH ||
784 cmd == SSL_CTRL_SET_TMP_DH_CB || 1049 cmd == SSL_CTRL_SET_TMP_DH_CB ||
785#endif 1050#endif
@@ -813,7 +1078,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, char *parg)
813 case SSL_CTRL_GET_FLAGS: 1078 case SSL_CTRL_GET_FLAGS:
814 ret=(int)(s->s3->flags); 1079 ret=(int)(s->s3->flags);
815 break; 1080 break;
816#ifndef NO_RSA 1081#ifndef OPENSSL_NO_RSA
817 case SSL_CTRL_NEED_TMP_RSA: 1082 case SSL_CTRL_NEED_TMP_RSA:
818 if ((s->cert != NULL) && (s->cert->rsa_tmp == NULL) && 1083 if ((s->cert != NULL) && (s->cert->rsa_tmp == NULL) &&
819 ((s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) || 1084 ((s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) ||
@@ -846,7 +1111,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, char *parg)
846 } 1111 }
847 break; 1112 break;
848#endif 1113#endif
849#ifndef NO_DH 1114#ifndef OPENSSL_NO_DH
850 case SSL_CTRL_SET_TMP_DH: 1115 case SSL_CTRL_SET_TMP_DH:
851 { 1116 {
852 DH *dh = (DH *)parg; 1117 DH *dh = (DH *)parg;
@@ -892,12 +1157,12 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)())
892 { 1157 {
893 int ret=0; 1158 int ret=0;
894 1159
895#if !defined(NO_DSA) || !defined(NO_RSA) 1160#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_RSA)
896 if ( 1161 if (
897#ifndef NO_RSA 1162#ifndef OPENSSL_NO_RSA
898 cmd == SSL_CTRL_SET_TMP_RSA_CB || 1163 cmd == SSL_CTRL_SET_TMP_RSA_CB ||
899#endif 1164#endif
900#ifndef NO_DSA 1165#ifndef OPENSSL_NO_DSA
901 cmd == SSL_CTRL_SET_TMP_DH_CB || 1166 cmd == SSL_CTRL_SET_TMP_DH_CB ||
902#endif 1167#endif
903 0) 1168 0)
@@ -912,14 +1177,14 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)())
912 1177
913 switch (cmd) 1178 switch (cmd)
914 { 1179 {
915#ifndef NO_RSA 1180#ifndef OPENSSL_NO_RSA
916 case SSL_CTRL_SET_TMP_RSA_CB: 1181 case SSL_CTRL_SET_TMP_RSA_CB:
917 { 1182 {
918 s->cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp; 1183 s->cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp;
919 } 1184 }
920 break; 1185 break;
921#endif 1186#endif
922#ifndef NO_DH 1187#ifndef OPENSSL_NO_DH
923 case SSL_CTRL_SET_TMP_DH_CB: 1188 case SSL_CTRL_SET_TMP_DH_CB:
924 { 1189 {
925 s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; 1190 s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
@@ -932,7 +1197,7 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)())
932 return(ret); 1197 return(ret);
933 } 1198 }
934 1199
935long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, char *parg) 1200long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
936 { 1201 {
937 CERT *cert; 1202 CERT *cert;
938 1203
@@ -940,7 +1205,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, char *parg)
940 1205
941 switch (cmd) 1206 switch (cmd)
942 { 1207 {
943#ifndef NO_RSA 1208#ifndef OPENSSL_NO_RSA
944 case SSL_CTRL_NEED_TMP_RSA: 1209 case SSL_CTRL_NEED_TMP_RSA:
945 if ( (cert->rsa_tmp == NULL) && 1210 if ( (cert->rsa_tmp == NULL) &&
946 ((cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) || 1211 ((cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) ||
@@ -985,7 +1250,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, char *parg)
985 } 1250 }
986 break; 1251 break;
987#endif 1252#endif
988#ifndef NO_DH 1253#ifndef OPENSSL_NO_DH
989 case SSL_CTRL_SET_TMP_DH: 1254 case SSL_CTRL_SET_TMP_DH:
990 { 1255 {
991 DH *new=NULL,*dh; 1256 DH *new=NULL,*dh;
@@ -1042,14 +1307,14 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)())
1042 1307
1043 switch (cmd) 1308 switch (cmd)
1044 { 1309 {
1045#ifndef NO_RSA 1310#ifndef OPENSSL_NO_RSA
1046 case SSL_CTRL_SET_TMP_RSA_CB: 1311 case SSL_CTRL_SET_TMP_RSA_CB:
1047 { 1312 {
1048 cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp; 1313 cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp;
1049 } 1314 }
1050 break; 1315 break;
1051#endif 1316#endif
1052#ifndef NO_DH 1317#ifndef OPENSSL_NO_DH
1053 case SSL_CTRL_SET_TMP_DH_CB: 1318 case SSL_CTRL_SET_TMP_DH_CB:
1054 { 1319 {
1055 cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; 1320 cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
@@ -1114,10 +1379,11 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p)
1114 return(2); 1379 return(2);
1115 } 1380 }
1116 1381
1117SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *have, 1382SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
1118 STACK_OF(SSL_CIPHER) *pref) 1383 STACK_OF(SSL_CIPHER) *srvr)
1119 { 1384 {
1120 SSL_CIPHER *c,*ret=NULL; 1385 SSL_CIPHER *c,*ret=NULL;
1386 STACK_OF(SSL_CIPHER) *prio, *allow;
1121 int i,j,ok; 1387 int i,j,ok;
1122 CERT *cert; 1388 CERT *cert;
1123 unsigned long alg,mask,emask; 1389 unsigned long alg,mask,emask;
@@ -1125,26 +1391,62 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *have,
1125 /* Let's see which ciphers we can support */ 1391 /* Let's see which ciphers we can support */
1126 cert=s->cert; 1392 cert=s->cert;
1127 1393
1128 sk_SSL_CIPHER_set_cmp_func(pref,ssl_cipher_ptr_id_cmp); 1394#if 0
1395 /* Do not set the compare functions, because this may lead to a
1396 * reordering by "id". We want to keep the original ordering.
1397 * We may pay a price in performance during sk_SSL_CIPHER_find(),
1398 * but would have to pay with the price of sk_SSL_CIPHER_dup().
1399 */
1400 sk_SSL_CIPHER_set_cmp_func(srvr, ssl_cipher_ptr_id_cmp);
1401 sk_SSL_CIPHER_set_cmp_func(clnt, ssl_cipher_ptr_id_cmp);
1402#endif
1129 1403
1130#ifdef CIPHER_DEBUG 1404#ifdef CIPHER_DEBUG
1131 printf("Have:\n"); 1405 printf("Server has %d from %p:\n", sk_SSL_CIPHER_num(srvr), srvr);
1132 for(i=0 ; i < sk_num(pref) ; ++i) 1406 for(i=0 ; i < sk_SSL_CIPHER_num(srvr) ; ++i)
1133 { 1407 {
1134 c=(SSL_CIPHER *)sk_value(pref,i); 1408 c=sk_SSL_CIPHER_value(srvr,i);
1409 printf("%p:%s\n",c,c->name);
1410 }
1411 printf("Client sent %d from %p:\n", sk_SSL_CIPHER_num(clnt), clnt);
1412 for(i=0 ; i < sk_SSL_CIPHER_num(clnt) ; ++i)
1413 {
1414 c=sk_SSL_CIPHER_value(clnt,i);
1135 printf("%p:%s\n",c,c->name); 1415 printf("%p:%s\n",c,c->name);
1136 } 1416 }
1137#endif 1417#endif
1138 1418
1139 for (i=0; i<sk_SSL_CIPHER_num(have); i++) 1419 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE)
1420 {
1421 prio = srvr;
1422 allow = clnt;
1423 }
1424 else
1425 {
1426 prio = clnt;
1427 allow = srvr;
1428 }
1429
1430 for (i=0; i<sk_SSL_CIPHER_num(prio); i++)
1140 { 1431 {
1141 c=sk_SSL_CIPHER_value(have,i); 1432 c=sk_SSL_CIPHER_value(prio,i);
1142 1433
1143 ssl_set_cert_masks(cert,c); 1434 ssl_set_cert_masks(cert,c);
1144 mask=cert->mask; 1435 mask=cert->mask;
1145 emask=cert->export_mask; 1436 emask=cert->export_mask;
1146 1437
1438#ifdef KSSL_DEBUG
1439 printf("ssl3_choose_cipher %d alg= %lx\n", i,c->algorithms);
1440#endif /* KSSL_DEBUG */
1441
1147 alg=c->algorithms&(SSL_MKEY_MASK|SSL_AUTH_MASK); 1442 alg=c->algorithms&(SSL_MKEY_MASK|SSL_AUTH_MASK);
1443#ifndef OPENSSL_NO_KRB5
1444 if (alg & SSL_KRB5)
1445 {
1446 if ( !kssl_keytab_is_available(s->kssl_ctx) )
1447 continue;
1448 }
1449#endif /* OPENSSL_NO_KRB5 */
1148 if (SSL_C_IS_EXPORT(c)) 1450 if (SSL_C_IS_EXPORT(c))
1149 { 1451 {
1150 ok=((alg & emask) == alg)?1:0; 1452 ok=((alg & emask) == alg)?1:0;
@@ -1164,10 +1466,10 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *have,
1164 1466
1165 if (!ok) continue; 1467 if (!ok) continue;
1166 1468
1167 j=sk_SSL_CIPHER_find(pref,c); 1469 j=sk_SSL_CIPHER_find(allow,c);
1168 if (j >= 0) 1470 if (j >= 0)
1169 { 1471 {
1170 ret=sk_SSL_CIPHER_value(pref,j); 1472 ret=sk_SSL_CIPHER_value(allow,j);
1171 break; 1473 break;
1172 } 1474 }
1173 } 1475 }
@@ -1181,31 +1483,31 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p)
1181 1483
1182 alg=s->s3->tmp.new_cipher->algorithms; 1484 alg=s->s3->tmp.new_cipher->algorithms;
1183 1485
1184#ifndef NO_DH 1486#ifndef OPENSSL_NO_DH
1185 if (alg & (SSL_kDHr|SSL_kEDH)) 1487 if (alg & (SSL_kDHr|SSL_kEDH))
1186 { 1488 {
1187# ifndef NO_RSA 1489# ifndef OPENSSL_NO_RSA
1188 p[ret++]=SSL3_CT_RSA_FIXED_DH; 1490 p[ret++]=SSL3_CT_RSA_FIXED_DH;
1189# endif 1491# endif
1190# ifndef NO_DSA 1492# ifndef OPENSSL_NO_DSA
1191 p[ret++]=SSL3_CT_DSS_FIXED_DH; 1493 p[ret++]=SSL3_CT_DSS_FIXED_DH;
1192# endif 1494# endif
1193 } 1495 }
1194 if ((s->version == SSL3_VERSION) && 1496 if ((s->version == SSL3_VERSION) &&
1195 (alg & (SSL_kEDH|SSL_kDHd|SSL_kDHr))) 1497 (alg & (SSL_kEDH|SSL_kDHd|SSL_kDHr)))
1196 { 1498 {
1197# ifndef NO_RSA 1499# ifndef OPENSSL_NO_RSA
1198 p[ret++]=SSL3_CT_RSA_EPHEMERAL_DH; 1500 p[ret++]=SSL3_CT_RSA_EPHEMERAL_DH;
1199# endif 1501# endif
1200# ifndef NO_DSA 1502# ifndef OPENSSL_NO_DSA
1201 p[ret++]=SSL3_CT_DSS_EPHEMERAL_DH; 1503 p[ret++]=SSL3_CT_DSS_EPHEMERAL_DH;
1202# endif 1504# endif
1203 } 1505 }
1204#endif /* !NO_DH */ 1506#endif /* !OPENSSL_NO_DH */
1205#ifndef NO_RSA 1507#ifndef OPENSSL_NO_RSA
1206 p[ret++]=SSL3_CT_RSA_SIGN; 1508 p[ret++]=SSL3_CT_RSA_SIGN;
1207#endif 1509#endif
1208#ifndef NO_DSA 1510#ifndef OPENSSL_NO_DSA
1209 p[ret++]=SSL3_CT_DSS_SIGN; 1511 p[ret++]=SSL3_CT_DSS_SIGN;
1210#endif 1512#endif
1211 return(ret); 1513 return(ret);
@@ -1312,13 +1614,12 @@ static int ssl3_read_internal(SSL *s, void *buf, int len, int peek)
1312 if (s->s3->renegotiate) ssl3_renegotiate_check(s); 1614 if (s->s3->renegotiate) ssl3_renegotiate_check(s);
1313 s->s3->in_read_app_data=1; 1615 s->s3->in_read_app_data=1;
1314 ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek); 1616 ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek);
1315 if ((ret == -1) && (s->s3->in_read_app_data == 0)) 1617 if ((ret == -1) && (s->s3->in_read_app_data == 2))
1316 { 1618 {
1317 /* ssl3_read_bytes decided to call s->handshake_func, which 1619 /* ssl3_read_bytes decided to call s->handshake_func, which
1318 * called ssl3_read_bytes to read handshake data. 1620 * called ssl3_read_bytes to read handshake data.
1319 * However, ssl3_read_bytes actually found application data 1621 * However, ssl3_read_bytes actually found application data
1320 * and thinks that application data makes sense here (signalled 1622 * and thinks that application data makes sense here; so disable
1321 * by resetting 'in_read_app_data', strangely); so disable
1322 * handshake processing and try to read application data again. */ 1623 * handshake processing and try to read application data again. */
1323 s->in_handshake++; 1624 s->in_handshake++;
1324 ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek); 1625 ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek);
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-23 23:45:00 +0000