summaryrefslogtreecommitdiff
path: root/src/lib/libssl/ssl_ciph.c
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/lib/libssl/ssl_ciph.c85
1 files changed, 46 insertions, 39 deletions
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
index 888b667fa1..44c503eb04 100644
--- a/src/lib/libssl/ssl_ciph.c
+++ b/src/lib/libssl/ssl_ciph.c
@@ -125,7 +125,9 @@ static const SSL_CIPHER cipher_aliases[]={
125 {0,SSL_TXT_3DES,0,SSL_3DES, 0,0,0,0,SSL_ENC_MASK,0}, 125 {0,SSL_TXT_3DES,0,SSL_3DES, 0,0,0,0,SSL_ENC_MASK,0},
126 {0,SSL_TXT_RC4, 0,SSL_RC4, 0,0,0,0,SSL_ENC_MASK,0}, 126 {0,SSL_TXT_RC4, 0,SSL_RC4, 0,0,0,0,SSL_ENC_MASK,0},
127 {0,SSL_TXT_RC2, 0,SSL_RC2, 0,0,0,0,SSL_ENC_MASK,0}, 127 {0,SSL_TXT_RC2, 0,SSL_RC2, 0,0,0,0,SSL_ENC_MASK,0},
128#ifndef OPENSSL_NO_IDEA
128 {0,SSL_TXT_IDEA,0,SSL_IDEA, 0,0,0,0,SSL_ENC_MASK,0}, 129 {0,SSL_TXT_IDEA,0,SSL_IDEA, 0,0,0,0,SSL_ENC_MASK,0},
130#endif
129 {0,SSL_TXT_eNULL,0,SSL_eNULL,0,0,0,0,SSL_ENC_MASK,0}, 131 {0,SSL_TXT_eNULL,0,SSL_eNULL,0,0,0,0,SSL_ENC_MASK,0},
130 {0,SSL_TXT_eFZA,0,SSL_eFZA, 0,0,0,0,SSL_ENC_MASK,0}, 132 {0,SSL_TXT_eFZA,0,SSL_eFZA, 0,0,0,0,SSL_ENC_MASK,0},
131 {0,SSL_TXT_AES, 0,SSL_AES, 0,0,0,0,SSL_ENC_MASK,0}, 133 {0,SSL_TXT_AES, 0,SSL_AES, 0,0,0,0,SSL_ENC_MASK,0},
@@ -166,8 +168,12 @@ static void load_ciphers(void)
166 EVP_get_cipherbyname(SN_rc4); 168 EVP_get_cipherbyname(SN_rc4);
167 ssl_cipher_methods[SSL_ENC_RC2_IDX]= 169 ssl_cipher_methods[SSL_ENC_RC2_IDX]=
168 EVP_get_cipherbyname(SN_rc2_cbc); 170 EVP_get_cipherbyname(SN_rc2_cbc);
171#ifndef OPENSSL_NO_IDEA
169 ssl_cipher_methods[SSL_ENC_IDEA_IDX]= 172 ssl_cipher_methods[SSL_ENC_IDEA_IDX]=
170 EVP_get_cipherbyname(SN_idea_cbc); 173 EVP_get_cipherbyname(SN_idea_cbc);
174#else
175 ssl_cipher_methods[SSL_ENC_IDEA_IDX]= NULL;
176#endif
171 ssl_cipher_methods[SSL_ENC_AES128_IDX]= 177 ssl_cipher_methods[SSL_ENC_AES128_IDX]=
172 EVP_get_cipherbyname(SN_aes_128_cbc); 178 EVP_get_cipherbyname(SN_aes_128_cbc);
173 ssl_cipher_methods[SSL_ENC_AES256_IDX]= 179 ssl_cipher_methods[SSL_ENC_AES256_IDX]=
@@ -334,10 +340,10 @@ static unsigned long ssl_cipher_get_disabled(void)
334 } 340 }
335 341
336static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method, 342static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
337 int num_of_ciphers, unsigned long mask, CIPHER_ORDER *list, 343 int num_of_ciphers, unsigned long mask, CIPHER_ORDER *co_list,
338 CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) 344 CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
339 { 345 {
340 int i, list_num; 346 int i, co_list_num;
341 SSL_CIPHER *c; 347 SSL_CIPHER *c;
342 348
343 /* 349 /*
@@ -348,18 +354,18 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
348 */ 354 */
349 355
350 /* Get the initial list of ciphers */ 356 /* Get the initial list of ciphers */
351 list_num = 0; /* actual count of ciphers */ 357 co_list_num = 0; /* actual count of ciphers */
352 for (i = 0; i < num_of_ciphers; i++) 358 for (i = 0; i < num_of_ciphers; i++)
353 { 359 {
354 c = ssl_method->get_cipher(i); 360 c = ssl_method->get_cipher(i);
355 /* drop those that use any of that is not available */ 361 /* drop those that use any of that is not available */
356 if ((c != NULL) && c->valid && !(c->algorithms & mask)) 362 if ((c != NULL) && c->valid && !(c->algorithms & mask))
357 { 363 {
358 list[list_num].cipher = c; 364 co_list[co_list_num].cipher = c;
359 list[list_num].next = NULL; 365 co_list[co_list_num].next = NULL;
360 list[list_num].prev = NULL; 366 co_list[co_list_num].prev = NULL;
361 list[list_num].active = 0; 367 co_list[co_list_num].active = 0;
362 list_num++; 368 co_list_num++;
363#ifdef KSSL_DEBUG 369#ifdef KSSL_DEBUG
364 printf("\t%d: %s %lx %lx\n",i,c->name,c->id,c->algorithms); 370 printf("\t%d: %s %lx %lx\n",i,c->name,c->id,c->algorithms);
365#endif /* KSSL_DEBUG */ 371#endif /* KSSL_DEBUG */
@@ -372,18 +378,18 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
372 /* 378 /*
373 * Prepare linked list from list entries 379 * Prepare linked list from list entries
374 */ 380 */
375 for (i = 1; i < list_num - 1; i++) 381 for (i = 1; i < co_list_num - 1; i++)
376 { 382 {
377 list[i].prev = &(list[i-1]); 383 co_list[i].prev = &(co_list[i-1]);
378 list[i].next = &(list[i+1]); 384 co_list[i].next = &(co_list[i+1]);
379 } 385 }
380 if (list_num > 0) 386 if (co_list_num > 0)
381 { 387 {
382 (*head_p) = &(list[0]); 388 (*head_p) = &(co_list[0]);
383 (*head_p)->prev = NULL; 389 (*head_p)->prev = NULL;
384 (*head_p)->next = &(list[1]); 390 (*head_p)->next = &(co_list[1]);
385 (*tail_p) = &(list[list_num - 1]); 391 (*tail_p) = &(co_list[co_list_num - 1]);
386 (*tail_p)->prev = &(list[list_num - 2]); 392 (*tail_p)->prev = &(co_list[co_list_num - 2]);
387 (*tail_p)->next = NULL; 393 (*tail_p)->next = NULL;
388 } 394 }
389 } 395 }
@@ -429,7 +435,7 @@ static void ssl_cipher_collect_aliases(SSL_CIPHER **ca_list,
429 435
430static void ssl_cipher_apply_rule(unsigned long algorithms, unsigned long mask, 436static void ssl_cipher_apply_rule(unsigned long algorithms, unsigned long mask,
431 unsigned long algo_strength, unsigned long mask_strength, 437 unsigned long algo_strength, unsigned long mask_strength,
432 int rule, int strength_bits, CIPHER_ORDER *list, 438 int rule, int strength_bits, CIPHER_ORDER *co_list,
433 CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) 439 CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
434 { 440 {
435 CIPHER_ORDER *head, *tail, *curr, *curr2, *tail2; 441 CIPHER_ORDER *head, *tail, *curr, *curr2, *tail2;
@@ -524,8 +530,9 @@ static void ssl_cipher_apply_rule(unsigned long algorithms, unsigned long mask,
524 *tail_p = tail; 530 *tail_p = tail;
525 } 531 }
526 532
527static int ssl_cipher_strength_sort(CIPHER_ORDER *list, CIPHER_ORDER **head_p, 533static int ssl_cipher_strength_sort(CIPHER_ORDER *co_list,
528 CIPHER_ORDER **tail_p) 534 CIPHER_ORDER **head_p,
535 CIPHER_ORDER **tail_p)
529 { 536 {
530 int max_strength_bits, i, *number_uses; 537 int max_strength_bits, i, *number_uses;
531 CIPHER_ORDER *curr; 538 CIPHER_ORDER *curr;
@@ -570,14 +577,14 @@ static int ssl_cipher_strength_sort(CIPHER_ORDER *list, CIPHER_ORDER **head_p,
570 for (i = max_strength_bits; i >= 0; i--) 577 for (i = max_strength_bits; i >= 0; i--)
571 if (number_uses[i] > 0) 578 if (number_uses[i] > 0)
572 ssl_cipher_apply_rule(0, 0, 0, 0, CIPHER_ORD, i, 579 ssl_cipher_apply_rule(0, 0, 0, 0, CIPHER_ORD, i,
573 list, head_p, tail_p); 580 co_list, head_p, tail_p);
574 581
575 OPENSSL_free(number_uses); 582 OPENSSL_free(number_uses);
576 return(1); 583 return(1);
577 } 584 }
578 585
579static int ssl_cipher_process_rulestr(const char *rule_str, 586static int ssl_cipher_process_rulestr(const char *rule_str,
580 CIPHER_ORDER *list, CIPHER_ORDER **head_p, 587 CIPHER_ORDER *co_list, CIPHER_ORDER **head_p,
581 CIPHER_ORDER **tail_p, SSL_CIPHER **ca_list) 588 CIPHER_ORDER **tail_p, SSL_CIPHER **ca_list)
582 { 589 {
583 unsigned long algorithms, mask, algo_strength, mask_strength; 590 unsigned long algorithms, mask, algo_strength, mask_strength;
@@ -702,7 +709,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
702 ok = 0; 709 ok = 0;
703 if ((buflen == 8) && 710 if ((buflen == 8) &&
704 !strncmp(buf, "STRENGTH", 8)) 711 !strncmp(buf, "STRENGTH", 8))
705 ok = ssl_cipher_strength_sort(list, 712 ok = ssl_cipher_strength_sort(co_list,
706 head_p, tail_p); 713 head_p, tail_p);
707 else 714 else
708 SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, 715 SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
@@ -722,7 +729,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
722 { 729 {
723 ssl_cipher_apply_rule(algorithms, mask, 730 ssl_cipher_apply_rule(algorithms, mask,
724 algo_strength, mask_strength, rule, -1, 731 algo_strength, mask_strength, rule, -1,
725 list, head_p, tail_p); 732 co_list, head_p, tail_p);
726 } 733 }
727 else 734 else
728 { 735 {
@@ -744,7 +751,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
744 unsigned long disabled_mask; 751 unsigned long disabled_mask;
745 STACK_OF(SSL_CIPHER) *cipherstack; 752 STACK_OF(SSL_CIPHER) *cipherstack;
746 const char *rule_p; 753 const char *rule_p;
747 CIPHER_ORDER *list = NULL, *head = NULL, *tail = NULL, *curr; 754 CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
748 SSL_CIPHER **ca_list = NULL; 755 SSL_CIPHER **ca_list = NULL;
749 756
750 /* 757 /*
@@ -774,15 +781,15 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
774#ifdef KSSL_DEBUG 781#ifdef KSSL_DEBUG
775 printf("ssl_create_cipher_list() for %d ciphers\n", num_of_ciphers); 782 printf("ssl_create_cipher_list() for %d ciphers\n", num_of_ciphers);
776#endif /* KSSL_DEBUG */ 783#endif /* KSSL_DEBUG */
777 list = (CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * num_of_ciphers); 784 co_list = (CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * num_of_ciphers);
778 if (list == NULL) 785 if (co_list == NULL)
779 { 786 {
780 SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE); 787 SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
781 return(NULL); /* Failure */ 788 return(NULL); /* Failure */
782 } 789 }
783 790
784 ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers, disabled_mask, 791 ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers, disabled_mask,
785 list, &head, &tail); 792 co_list, &head, &tail);
786 793
787 /* 794 /*
788 * We also need cipher aliases for selecting based on the rule_str. 795 * We also need cipher aliases for selecting based on the rule_str.
@@ -798,7 +805,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
798 (SSL_CIPHER **)OPENSSL_malloc(sizeof(SSL_CIPHER *) * num_of_alias_max); 805 (SSL_CIPHER **)OPENSSL_malloc(sizeof(SSL_CIPHER *) * num_of_alias_max);
799 if (ca_list == NULL) 806 if (ca_list == NULL)
800 { 807 {
801 OPENSSL_free(list); 808 OPENSSL_free(co_list);
802 SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE); 809 SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
803 return(NULL); /* Failure */ 810 return(NULL); /* Failure */
804 } 811 }
@@ -814,21 +821,21 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
814 if (strncmp(rule_str,"DEFAULT",7) == 0) 821 if (strncmp(rule_str,"DEFAULT",7) == 0)
815 { 822 {
816 ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST, 823 ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST,
817 list, &head, &tail, ca_list); 824 co_list, &head, &tail, ca_list);
818 rule_p += 7; 825 rule_p += 7;
819 if (*rule_p == ':') 826 if (*rule_p == ':')
820 rule_p++; 827 rule_p++;
821 } 828 }
822 829
823 if (ok && (strlen(rule_p) > 0)) 830 if (ok && (strlen(rule_p) > 0))
824 ok = ssl_cipher_process_rulestr(rule_p, list, &head, &tail, 831 ok = ssl_cipher_process_rulestr(rule_p, co_list, &head, &tail,
825 ca_list); 832 ca_list);
826 833
827 OPENSSL_free(ca_list); /* Not needed anymore */ 834 OPENSSL_free(ca_list); /* Not needed anymore */
828 835
829 if (!ok) 836 if (!ok)
830 { /* Rule processing failure */ 837 { /* Rule processing failure */
831 OPENSSL_free(list); 838 OPENSSL_free(co_list);
832 return(NULL); 839 return(NULL);
833 } 840 }
834 /* 841 /*
@@ -837,7 +844,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
837 */ 844 */
838 if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) 845 if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL)
839 { 846 {
840 OPENSSL_free(list); 847 OPENSSL_free(co_list);
841 return(NULL); 848 return(NULL);
842 } 849 }
843 850
@@ -855,7 +862,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
855#endif 862#endif
856 } 863 }
857 } 864 }
858 OPENSSL_free(list); /* Not needed any longer */ 865 OPENSSL_free(co_list); /* Not needed any longer */
859 866
860 /* 867 /*
861 * The following passage is a little bit odd. If pointer variables 868 * The following passage is a little bit odd. If pointer variables
@@ -905,7 +912,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
905char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len) 912char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
906 { 913 {
907 int is_export,pkl,kl; 914 int is_export,pkl,kl;
908 char *ver,*exp; 915 char *ver,*exp_str;
909 char *kx,*au,*enc,*mac; 916 char *kx,*au,*enc,*mac;
910 unsigned long alg,alg2,alg_s; 917 unsigned long alg,alg2,alg_s;
911#ifdef KSSL_DEBUG 918#ifdef KSSL_DEBUG
@@ -921,7 +928,7 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
921 is_export=SSL_C_IS_EXPORT(cipher); 928 is_export=SSL_C_IS_EXPORT(cipher);
922 pkl=SSL_C_EXPORT_PKEYLENGTH(cipher); 929 pkl=SSL_C_EXPORT_PKEYLENGTH(cipher);
923 kl=SSL_C_EXPORT_KEYLENGTH(cipher); 930 kl=SSL_C_EXPORT_KEYLENGTH(cipher);
924 exp=is_export?" export":""; 931 exp_str=is_export?" export":"";
925 932
926 if (alg & SSL_SSLV2) 933 if (alg & SSL_SSLV2)
927 ver="SSLv2"; 934 ver="SSLv2";
@@ -1040,9 +1047,9 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
1040 return("Buffer too small"); 1047 return("Buffer too small");
1041 1048
1042#ifdef KSSL_DEBUG 1049#ifdef KSSL_DEBUG
1043 BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp,alg); 1050 BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp_str,alg);
1044#else 1051#else
1045 BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp); 1052 BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp_str);
1046#endif /* KSSL_DEBUG */ 1053#endif /* KSSL_DEBUG */
1047 return(buf); 1054 return(buf);
1048 } 1055 }
@@ -1129,11 +1136,11 @@ int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm)
1129 { 1136 {
1130 MemCheck_on(); 1137 MemCheck_on();
1131 SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,ERR_R_MALLOC_FAILURE); 1138 SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,ERR_R_MALLOC_FAILURE);
1132 return(0); 1139 return(1);
1133 } 1140 }
1134 else 1141 else
1135 { 1142 {
1136 MemCheck_on(); 1143 MemCheck_on();
1137 return(1); 1144 return(0);
1138 } 1145 }
1139 } 1146 }
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-25 07:48:25 +0000