diff options
Diffstat (limited to '')
| -rw-r--r-- | src/lib/libssl/ssl_ciph.c | 1393 |
1 files changed, 680 insertions, 713 deletions
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c index 0aba8e048c..f37c70cf91 100644 --- a/src/lib/libssl/ssl_ciph.c +++ b/src/lib/libssl/ssl_ciph.c | |||
| @@ -167,15 +167,15 @@ | |||
| 167 | #define SSL_ENC_NUM_IDX 14 | 167 | #define SSL_ENC_NUM_IDX 14 |
| 168 | 168 | ||
| 169 | 169 | ||
| 170 | static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX]={ | 170 | static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX] = { |
| 171 | NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL | 171 | NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL |
| 172 | }; | 172 | }; |
| 173 | 173 | ||
| 174 | #define SSL_COMP_NULL_IDX 0 | 174 | #define SSL_COMP_NULL_IDX 0 |
| 175 | #define SSL_COMP_ZLIB_IDX 1 | 175 | #define SSL_COMP_ZLIB_IDX 1 |
| 176 | #define SSL_COMP_NUM_IDX 2 | 176 | #define SSL_COMP_NUM_IDX 2 |
| 177 | 177 | ||
| 178 | static STACK_OF(SSL_COMP) *ssl_comp_methods=NULL; | 178 | static STACK_OF(SSL_COMP) *ssl_comp_methods = NULL; |
| 179 | 179 | ||
| 180 | #define SSL_MD_MD5_IDX 0 | 180 | #define SSL_MD_MD5_IDX 0 |
| 181 | #define SSL_MD_SHA1_IDX 1 | 181 | #define SSL_MD_SHA1_IDX 1 |
| @@ -187,27 +187,27 @@ static STACK_OF(SSL_COMP) *ssl_comp_methods=NULL; | |||
| 187 | * defined in the | 187 | * defined in the |
| 188 | * ssl_locl.h */ | 188 | * ssl_locl.h */ |
| 189 | #define SSL_MD_NUM_IDX SSL_MAX_DIGEST | 189 | #define SSL_MD_NUM_IDX SSL_MAX_DIGEST |
| 190 | static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX]={ | 190 | static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX] = { |
| 191 | NULL,NULL,NULL,NULL,NULL,NULL | 191 | NULL, NULL, NULL, NULL, NULL, NULL |
| 192 | }; | 192 | }; |
| 193 | /* PKEY_TYPE for GOST89MAC is known in advance, but, because | 193 | /* PKEY_TYPE for GOST89MAC is known in advance, but, because |
| 194 | * implementation is engine-provided, we'll fill it only if | 194 | * implementation is engine-provided, we'll fill it only if |
| 195 | * corresponding EVP_PKEY_METHOD is found | 195 | * corresponding EVP_PKEY_METHOD is found |
| 196 | */ | 196 | */ |
| 197 | static int ssl_mac_pkey_id[SSL_MD_NUM_IDX]={ | 197 | static int ssl_mac_pkey_id[SSL_MD_NUM_IDX] = { |
| 198 | EVP_PKEY_HMAC,EVP_PKEY_HMAC,EVP_PKEY_HMAC,NID_undef, | 198 | EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_HMAC, NID_undef, |
| 199 | EVP_PKEY_HMAC,EVP_PKEY_HMAC | 199 | EVP_PKEY_HMAC, EVP_PKEY_HMAC |
| 200 | }; | 200 | }; |
| 201 | 201 | ||
| 202 | static int ssl_mac_secret_size[SSL_MD_NUM_IDX]={ | 202 | static int ssl_mac_secret_size[SSL_MD_NUM_IDX] = { |
| 203 | 0,0,0,0,0,0 | 203 | 0, 0, 0, 0, 0, 0 |
| 204 | }; | 204 | }; |
| 205 | 205 | ||
| 206 | static int ssl_handshake_digest_flag[SSL_MD_NUM_IDX]={ | 206 | static int ssl_handshake_digest_flag[SSL_MD_NUM_IDX] = { |
| 207 | SSL_HANDSHAKE_MAC_MD5,SSL_HANDSHAKE_MAC_SHA, | 207 | SSL_HANDSHAKE_MAC_MD5, SSL_HANDSHAKE_MAC_SHA, |
| 208 | SSL_HANDSHAKE_MAC_GOST94, 0, SSL_HANDSHAKE_MAC_SHA256, | 208 | SSL_HANDSHAKE_MAC_GOST94, 0, SSL_HANDSHAKE_MAC_SHA256, |
| 209 | SSL_HANDSHAKE_MAC_SHA384 | 209 | SSL_HANDSHAKE_MAC_SHA384 |
| 210 | }; | 210 | }; |
| 211 | 211 | ||
| 212 | #define CIPHER_ADD 1 | 212 | #define CIPHER_ADD 1 |
| 213 | #define CIPHER_KILL 2 | 213 | #define CIPHER_KILL 2 |
| @@ -215,376 +215,371 @@ static int ssl_handshake_digest_flag[SSL_MD_NUM_IDX]={ | |||
| 215 | #define CIPHER_ORD 4 | 215 | #define CIPHER_ORD 4 |
| 216 | #define CIPHER_SPECIAL 5 | 216 | #define CIPHER_SPECIAL 5 |
| 217 | 217 | ||
| 218 | typedef struct cipher_order_st | 218 | typedef struct cipher_order_st { |
| 219 | { | ||
| 220 | const SSL_CIPHER *cipher; | 219 | const SSL_CIPHER *cipher; |
| 221 | int active; | 220 | int active; |
| 222 | int dead; | 221 | int dead; |
| 223 | struct cipher_order_st *next,*prev; | 222 | struct cipher_order_st *next, *prev; |
| 224 | } CIPHER_ORDER; | 223 | } CIPHER_ORDER; |
| 225 | 224 | ||
| 226 | static const SSL_CIPHER cipher_aliases[]={ | 225 | static const SSL_CIPHER cipher_aliases[] = { |
| 227 | /* "ALL" doesn't include eNULL (must be specifically enabled) */ | 226 | /* "ALL" doesn't include eNULL (must be specifically enabled) */ |
| 228 | {0,SSL_TXT_ALL,0, 0,0,~SSL_eNULL,0,0,0,0,0,0}, | 227 | {0, SSL_TXT_ALL, 0, 0, 0,~SSL_eNULL, 0, 0, 0, 0, 0, 0}, |
| 229 | /* "COMPLEMENTOFALL" */ | 228 | /* "COMPLEMENTOFALL" */ |
| 230 | {0,SSL_TXT_CMPALL,0, 0,0,SSL_eNULL,0,0,0,0,0,0}, | 229 | {0, SSL_TXT_CMPALL, 0, 0, 0, SSL_eNULL, 0, 0, 0, 0, 0, 0}, |
| 231 | 230 | ||
| 232 | /* "COMPLEMENTOFDEFAULT" (does *not* include ciphersuites not found in ALL!) */ | 231 | /* "COMPLEMENTOFDEFAULT" (does *not* include ciphersuites not found in ALL!) */ |
| 233 | {0,SSL_TXT_CMPDEF,0, SSL_kEDH|SSL_kEECDH,SSL_aNULL,~SSL_eNULL,0,0,0,0,0,0}, | 232 | {0, SSL_TXT_CMPDEF, 0, SSL_kEDH|SSL_kEECDH, SSL_aNULL,~SSL_eNULL, 0, 0, 0, 0, 0, 0}, |
| 234 | 233 | ||
| 235 | /* key exchange aliases | 234 | /* key exchange aliases |
| 236 | * (some of those using only a single bit here combine | 235 | * (some of those using only a single bit here combine |
| 237 | * multiple key exchange algs according to the RFCs, | 236 | * multiple key exchange algs according to the RFCs, |
| 238 | * e.g. kEDH combines DHE_DSS and DHE_RSA) */ | 237 | * e.g. kEDH combines DHE_DSS and DHE_RSA) */ |
| 239 | {0,SSL_TXT_kRSA,0, SSL_kRSA, 0,0,0,0,0,0,0,0}, | 238 | {0, SSL_TXT_kRSA, 0, SSL_kRSA, 0, 0, 0, 0, 0, 0, 0, 0}, |
| 240 | 239 | ||
| 241 | {0,SSL_TXT_kDHr,0, SSL_kDHr, 0,0,0,0,0,0,0,0}, /* no such ciphersuites supported! */ | 240 | {0,SSL_TXT_kDHr,0, SSL_kDHr, 0,0,0,0,0,0,0,0}, /* no such ciphersuites supported! */ |
| 242 | {0,SSL_TXT_kDHd,0, SSL_kDHd, 0,0,0,0,0,0,0,0}, /* no such ciphersuites supported! */ | 241 | {0,SSL_TXT_kDHd,0, SSL_kDHd, 0,0,0,0,0,0,0,0}, /* no such ciphersuites supported! */ |
| 243 | {0,SSL_TXT_kDH,0, SSL_kDHr|SSL_kDHd,0,0,0,0,0,0,0,0}, /* no such ciphersuites supported! */ | 242 | {0,SSL_TXT_kDH,0, SSL_kDHr|SSL_kDHd,0,0,0,0,0,0,0,0}, /* no such ciphersuites supported! */ |
| 244 | {0,SSL_TXT_kEDH,0, SSL_kEDH, 0,0,0,0,0,0,0,0}, | 243 | {0, SSL_TXT_kEDH, 0, SSL_kEDH, 0, 0, 0, 0, 0, 0, 0, 0}, |
| 245 | {0,SSL_TXT_DH,0, SSL_kDHr|SSL_kDHd|SSL_kEDH,0,0,0,0,0,0,0,0}, | 244 | {0, SSL_TXT_DH, 0, SSL_kDHr|SSL_kDHd|SSL_kEDH, 0, 0, 0, 0, 0, 0, 0, 0}, |
| 246 | 245 | ||
| 247 | {0,SSL_TXT_kKRB5,0, SSL_kKRB5, 0,0,0,0,0,0,0,0}, | 246 | {0, SSL_TXT_kKRB5, 0, SSL_kKRB5, 0, 0, 0, 0, 0, 0, 0, 0}, |
| 248 | 247 | ||
| 249 | {0,SSL_TXT_kECDHr,0, SSL_kECDHr,0,0,0,0,0,0,0,0}, | 248 | {0, SSL_TXT_kECDHr, 0, SSL_kECDHr, 0, 0, 0, 0, 0, 0, 0, 0}, |
| 250 | {0,SSL_TXT_kECDHe,0, SSL_kECDHe,0,0,0,0,0,0,0,0}, | 249 | {0, SSL_TXT_kECDHe, 0, SSL_kECDHe, 0, 0, 0, 0, 0, 0, 0, 0}, |
| 251 | {0,SSL_TXT_kECDH,0, SSL_kECDHr|SSL_kECDHe,0,0,0,0,0,0,0,0}, | 250 | {0, SSL_TXT_kECDH, 0, SSL_kECDHr|SSL_kECDHe, 0, 0, 0, 0, 0, 0, 0, 0}, |
| 252 | {0,SSL_TXT_kEECDH,0, SSL_kEECDH,0,0,0,0,0,0,0,0}, | 251 | {0, SSL_TXT_kEECDH, 0, SSL_kEECDH, 0, 0, 0, 0, 0, 0, 0, 0}, |
| 253 | {0,SSL_TXT_ECDH,0, SSL_kECDHr|SSL_kECDHe|SSL_kEECDH,0,0,0,0,0,0,0,0}, | 252 | {0, SSL_TXT_ECDH, 0, SSL_kECDHr|SSL_kECDHe|SSL_kEECDH, 0, 0, 0, 0, 0, 0, 0, 0}, |
| 254 | 253 | ||
| 255 | {0,SSL_TXT_kPSK,0, SSL_kPSK, 0,0,0,0,0,0,0,0}, | 254 | {0, SSL_TXT_kPSK, 0, SSL_kPSK, 0, 0, 0, 0, 0, 0, 0, 0}, |
| 256 | {0,SSL_TXT_kSRP,0, SSL_kSRP, 0,0,0,0,0,0,0,0}, | 255 | {0, SSL_TXT_kSRP, 0, SSL_kSRP, 0, 0, 0, 0, 0, 0, 0, 0}, |
| 257 | {0,SSL_TXT_kGOST,0, SSL_kGOST,0,0,0,0,0,0,0,0}, | 256 | {0, SSL_TXT_kGOST, 0, SSL_kGOST, 0, 0, 0, 0, 0, 0, 0, 0}, |
| 258 | 257 | ||
| 259 | /* server authentication aliases */ | 258 | /* server authentication aliases */ |
| 260 | {0,SSL_TXT_aRSA,0, 0,SSL_aRSA, 0,0,0,0,0,0,0}, | 259 | {0, SSL_TXT_aRSA, 0, 0, SSL_aRSA, 0, 0, 0, 0, 0, 0, 0}, |
| 261 | {0,SSL_TXT_aDSS,0, 0,SSL_aDSS, 0,0,0,0,0,0,0}, | 260 | {0, SSL_TXT_aDSS, 0, 0, SSL_aDSS, 0, 0, 0, 0, 0, 0, 0}, |
| 262 | {0,SSL_TXT_DSS,0, 0,SSL_aDSS, 0,0,0,0,0,0,0}, | 261 | {0, SSL_TXT_DSS, 0, 0, SSL_aDSS, 0, 0, 0, 0, 0, 0, 0}, |
| 263 | {0,SSL_TXT_aKRB5,0, 0,SSL_aKRB5, 0,0,0,0,0,0,0}, | 262 | {0, SSL_TXT_aKRB5, 0, 0, SSL_aKRB5, 0, 0, 0, 0, 0, 0, 0}, |
| 264 | {0,SSL_TXT_aNULL,0, 0,SSL_aNULL, 0,0,0,0,0,0,0}, | 263 | {0, SSL_TXT_aNULL, 0, 0, SSL_aNULL, 0, 0, 0, 0, 0, 0, 0}, |
| 265 | {0,SSL_TXT_aDH,0, 0,SSL_aDH, 0,0,0,0,0,0,0}, /* no such ciphersuites supported! */ | 264 | {0,SSL_TXT_aDH,0, 0,SSL_aDH, 0,0,0,0,0,0,0}, /* no such ciphersuites supported! */ |
| 266 | {0,SSL_TXT_aECDH,0, 0,SSL_aECDH, 0,0,0,0,0,0,0}, | 265 | {0, SSL_TXT_aECDH, 0, 0, SSL_aECDH, 0, 0, 0, 0, 0, 0, 0}, |
| 267 | {0,SSL_TXT_aECDSA,0, 0,SSL_aECDSA,0,0,0,0,0,0,0}, | 266 | {0, SSL_TXT_aECDSA, 0, 0, SSL_aECDSA, 0, 0, 0, 0, 0, 0, 0}, |
| 268 | {0,SSL_TXT_ECDSA,0, 0,SSL_aECDSA, 0,0,0,0,0,0,0}, | 267 | {0, SSL_TXT_ECDSA, 0, 0, SSL_aECDSA, 0, 0, 0, 0, 0, 0, 0}, |
| 269 | {0,SSL_TXT_aPSK,0, 0,SSL_aPSK, 0,0,0,0,0,0,0}, | 268 | {0, SSL_TXT_aPSK, 0, 0, SSL_aPSK, 0, 0, 0, 0, 0, 0, 0}, |
| 270 | {0,SSL_TXT_aGOST94,0,0,SSL_aGOST94,0,0,0,0,0,0,0}, | 269 | {0, SSL_TXT_aGOST94, 0, 0, SSL_aGOST94, 0, 0, 0, 0, 0, 0, 0}, |
| 271 | {0,SSL_TXT_aGOST01,0,0,SSL_aGOST01,0,0,0,0,0,0,0}, | 270 | {0, SSL_TXT_aGOST01, 0, 0, SSL_aGOST01, 0, 0, 0, 0, 0, 0, 0}, |
| 272 | {0,SSL_TXT_aGOST,0,0,SSL_aGOST94|SSL_aGOST01,0,0,0,0,0,0,0}, | 271 | {0, SSL_TXT_aGOST, 0, 0, SSL_aGOST94|SSL_aGOST01, 0, 0, 0, 0, 0, 0, 0}, |
| 273 | 272 | ||
| 274 | /* aliases combining key exchange and server authentication */ | 273 | /* aliases combining key exchange and server authentication */ |
| 275 | {0,SSL_TXT_EDH,0, SSL_kEDH,~SSL_aNULL,0,0,0,0,0,0,0}, | 274 | {0, SSL_TXT_EDH, 0, SSL_kEDH,~SSL_aNULL, 0, 0, 0, 0, 0, 0, 0}, |
| 276 | {0,SSL_TXT_EECDH,0, SSL_kEECDH,~SSL_aNULL,0,0,0,0,0,0,0}, | 275 | {0, SSL_TXT_EECDH, 0, SSL_kEECDH,~SSL_aNULL, 0, 0, 0, 0, 0, 0, 0}, |
| 277 | {0,SSL_TXT_NULL,0, 0,0,SSL_eNULL, 0,0,0,0,0,0}, | 276 | {0, SSL_TXT_NULL, 0, 0, 0, SSL_eNULL, 0, 0, 0, 0, 0, 0}, |
| 278 | {0,SSL_TXT_KRB5,0, SSL_kKRB5,SSL_aKRB5,0,0,0,0,0,0,0}, | 277 | {0, SSL_TXT_KRB5, 0, SSL_kKRB5, SSL_aKRB5, 0, 0, 0, 0, 0, 0, 0}, |
| 279 | {0,SSL_TXT_RSA,0, SSL_kRSA,SSL_aRSA,0,0,0,0,0,0,0}, | 278 | {0, SSL_TXT_RSA, 0, SSL_kRSA, SSL_aRSA, 0, 0, 0, 0, 0, 0, 0}, |
| 280 | {0,SSL_TXT_ADH,0, SSL_kEDH,SSL_aNULL,0,0,0,0,0,0,0}, | 279 | {0, SSL_TXT_ADH, 0, SSL_kEDH, SSL_aNULL, 0, 0, 0, 0, 0, 0, 0}, |
| 281 | {0,SSL_TXT_AECDH,0, SSL_kEECDH,SSL_aNULL,0,0,0,0,0,0,0}, | 280 | {0, SSL_TXT_AECDH, 0, SSL_kEECDH, SSL_aNULL, 0, 0, 0, 0, 0, 0, 0}, |
| 282 | {0,SSL_TXT_PSK,0, SSL_kPSK,SSL_aPSK,0,0,0,0,0,0,0}, | 281 | {0, SSL_TXT_PSK, 0, SSL_kPSK, SSL_aPSK, 0, 0, 0, 0, 0, 0, 0}, |
| 283 | {0,SSL_TXT_SRP,0, SSL_kSRP,0,0,0,0,0,0,0,0}, | 282 | {0, SSL_TXT_SRP, 0, SSL_kSRP, 0, 0, 0, 0, 0, 0, 0, 0}, |
| 284 | 283 | ||
| 285 | 284 | ||
| 286 | /* symmetric encryption aliases */ | 285 | /* symmetric encryption aliases */ |
| 287 | {0,SSL_TXT_DES,0, 0,0,SSL_DES, 0,0,0,0,0,0}, | 286 | {0, SSL_TXT_DES, 0, 0, 0, SSL_DES, 0, 0, 0, 0, 0, 0}, |
| 288 | {0,SSL_TXT_3DES,0, 0,0,SSL_3DES, 0,0,0,0,0,0}, | 287 | {0, SSL_TXT_3DES, 0, 0, 0, SSL_3DES, 0, 0, 0, 0, 0, 0}, |
| 289 | {0,SSL_TXT_RC4,0, 0,0,SSL_RC4, 0,0,0,0,0,0}, | 288 | {0, SSL_TXT_RC4, 0, 0, 0, SSL_RC4, 0, 0, 0, 0, 0, 0}, |
| 290 | {0,SSL_TXT_RC2,0, 0,0,SSL_RC2, 0,0,0,0,0,0}, | 289 | {0, SSL_TXT_RC2, 0, 0, 0, SSL_RC2, 0, 0, 0, 0, 0, 0}, |
| 291 | {0,SSL_TXT_IDEA,0, 0,0,SSL_IDEA, 0,0,0,0,0,0}, | 290 | {0, SSL_TXT_IDEA, 0, 0, 0, SSL_IDEA, 0, 0, 0, 0, 0, 0}, |
| 292 | {0,SSL_TXT_SEED,0, 0,0,SSL_SEED, 0,0,0,0,0,0}, | 291 | {0, SSL_TXT_SEED, 0, 0, 0, SSL_SEED, 0, 0, 0, 0, 0, 0}, |
| 293 | {0,SSL_TXT_eNULL,0, 0,0,SSL_eNULL, 0,0,0,0,0,0}, | 292 | {0, SSL_TXT_eNULL, 0, 0, 0, SSL_eNULL, 0, 0, 0, 0, 0, 0}, |
| 294 | {0,SSL_TXT_AES128,0, 0,0,SSL_AES128|SSL_AES128GCM,0,0,0,0,0,0}, | 293 | {0, SSL_TXT_AES128, 0, 0, 0, SSL_AES128|SSL_AES128GCM, 0, 0, 0, 0, 0, 0}, |
| 295 | {0,SSL_TXT_AES256,0, 0,0,SSL_AES256|SSL_AES256GCM,0,0,0,0,0,0}, | 294 | {0, SSL_TXT_AES256, 0, 0, 0, SSL_AES256|SSL_AES256GCM, 0, 0, 0, 0, 0, 0}, |
| 296 | {0,SSL_TXT_AES,0, 0,0,SSL_AES,0,0,0,0,0,0}, | 295 | {0, SSL_TXT_AES, 0, 0, 0, SSL_AES, 0, 0, 0, 0, 0, 0}, |
| 297 | {0,SSL_TXT_AES_GCM,0, 0,0,SSL_AES128GCM|SSL_AES256GCM,0,0,0,0,0,0}, | 296 | {0, SSL_TXT_AES_GCM, 0, 0, 0, SSL_AES128GCM|SSL_AES256GCM, 0, 0, 0, 0, 0, 0}, |
| 298 | {0,SSL_TXT_CAMELLIA128,0,0,0,SSL_CAMELLIA128,0,0,0,0,0,0}, | 297 | {0, SSL_TXT_CAMELLIA128, 0, 0, 0, SSL_CAMELLIA128, 0, 0, 0, 0, 0, 0}, |
| 299 | {0,SSL_TXT_CAMELLIA256,0,0,0,SSL_CAMELLIA256,0,0,0,0,0,0}, | 298 | {0, SSL_TXT_CAMELLIA256, 0, 0, 0, SSL_CAMELLIA256, 0, 0, 0, 0, 0, 0}, |
| 300 | {0,SSL_TXT_CAMELLIA ,0,0,0,SSL_CAMELLIA128|SSL_CAMELLIA256,0,0,0,0,0,0}, | 299 | {0, SSL_TXT_CAMELLIA , 0, 0, 0, SSL_CAMELLIA128|SSL_CAMELLIA256, 0, 0, 0, 0, 0, 0}, |
| 301 | 300 | ||
| 302 | /* MAC aliases */ | 301 | /* MAC aliases */ |
| 303 | {0,SSL_TXT_MD5,0, 0,0,0,SSL_MD5, 0,0,0,0,0}, | 302 | {0, SSL_TXT_MD5, 0, 0, 0, 0, SSL_MD5, 0, 0, 0, 0, 0}, |
| 304 | {0,SSL_TXT_SHA1,0, 0,0,0,SSL_SHA1, 0,0,0,0,0}, | 303 | {0, SSL_TXT_SHA1, 0, 0, 0, 0, SSL_SHA1, 0, 0, 0, 0, 0}, |
| 305 | {0,SSL_TXT_SHA,0, 0,0,0,SSL_SHA1, 0,0,0,0,0}, | 304 | {0, SSL_TXT_SHA, 0, 0, 0, 0, SSL_SHA1, 0, 0, 0, 0, 0}, |
| 306 | {0,SSL_TXT_GOST94,0, 0,0,0,SSL_GOST94, 0,0,0,0,0}, | 305 | {0, SSL_TXT_GOST94, 0, 0, 0, 0, SSL_GOST94, 0, 0, 0, 0, 0}, |
| 307 | {0,SSL_TXT_GOST89MAC,0, 0,0,0,SSL_GOST89MAC, 0,0,0,0,0}, | 306 | {0, SSL_TXT_GOST89MAC, 0, 0, 0, 0, SSL_GOST89MAC, 0, 0, 0, 0, 0}, |
| 308 | {0,SSL_TXT_SHA256,0, 0,0,0,SSL_SHA256, 0,0,0,0,0}, | 307 | {0, SSL_TXT_SHA256, 0, 0, 0, 0, SSL_SHA256, 0, 0, 0, 0, 0}, |
| 309 | {0,SSL_TXT_SHA384,0, 0,0,0,SSL_SHA384, 0,0,0,0,0}, | 308 | {0, SSL_TXT_SHA384, 0, 0, 0, 0, SSL_SHA384, 0, 0, 0, 0, 0}, |
| 310 | 309 | ||
| 311 | /* protocol version aliases */ | 310 | /* protocol version aliases */ |
| 312 | {0,SSL_TXT_SSLV2,0, 0,0,0,0,SSL_SSLV2, 0,0,0,0}, | 311 | {0, SSL_TXT_SSLV2, 0, 0, 0, 0, 0, SSL_SSLV2, 0, 0, 0, 0}, |
| 313 | {0,SSL_TXT_SSLV3,0, 0,0,0,0,SSL_SSLV3, 0,0,0,0}, | 312 | {0, SSL_TXT_SSLV3, 0, 0, 0, 0, 0, SSL_SSLV3, 0, 0, 0, 0}, |
| 314 | {0,SSL_TXT_TLSV1,0, 0,0,0,0,SSL_TLSV1, 0,0,0,0}, | 313 | {0, SSL_TXT_TLSV1, 0, 0, 0, 0, 0, SSL_TLSV1, 0, 0, 0, 0}, |
| 315 | {0,SSL_TXT_TLSV1_2,0, 0,0,0,0,SSL_TLSV1_2, 0,0,0,0}, | 314 | {0, SSL_TXT_TLSV1_2, 0, 0, 0, 0, 0, SSL_TLSV1_2, 0, 0, 0, 0}, |
| 316 | 315 | ||
| 317 | /* export flag */ | 316 | /* export flag */ |
| 318 | {0,SSL_TXT_EXP,0, 0,0,0,0,0,SSL_EXPORT,0,0,0}, | 317 | {0, SSL_TXT_EXP, 0, 0, 0, 0, 0, 0, SSL_EXPORT, 0, 0, 0}, |
| 319 | {0,SSL_TXT_EXPORT,0, 0,0,0,0,0,SSL_EXPORT,0,0,0}, | 318 | {0, SSL_TXT_EXPORT, 0, 0, 0, 0, 0, 0, SSL_EXPORT, 0, 0, 0}, |
| 320 | 319 | ||
| 321 | /* strength classes */ | 320 | /* strength classes */ |
| 322 | {0,SSL_TXT_EXP40,0, 0,0,0,0,0,SSL_EXP40, 0,0,0}, | 321 | {0, SSL_TXT_EXP40, 0, 0, 0, 0, 0, 0, SSL_EXP40, 0, 0, 0}, |
| 323 | {0,SSL_TXT_EXP56,0, 0,0,0,0,0,SSL_EXP56, 0,0,0}, | 322 | {0, SSL_TXT_EXP56, 0, 0, 0, 0, 0, 0, SSL_EXP56, 0, 0, 0}, |
| 324 | {0,SSL_TXT_LOW,0, 0,0,0,0,0,SSL_LOW, 0,0,0}, | 323 | {0, SSL_TXT_LOW, 0, 0, 0, 0, 0, 0, SSL_LOW, 0, 0, 0}, |
| 325 | {0,SSL_TXT_MEDIUM,0, 0,0,0,0,0,SSL_MEDIUM,0,0,0}, | 324 | {0, SSL_TXT_MEDIUM, 0, 0, 0, 0, 0, 0, SSL_MEDIUM, 0, 0, 0}, |
| 326 | {0,SSL_TXT_HIGH,0, 0,0,0,0,0,SSL_HIGH, 0,0,0}, | 325 | {0, SSL_TXT_HIGH, 0, 0, 0, 0, 0, 0, SSL_HIGH, 0, 0, 0}, |
| 327 | /* FIPS 140-2 approved ciphersuite */ | 326 | /* FIPS 140-2 approved ciphersuite */ |
| 328 | {0,SSL_TXT_FIPS,0, 0,0,~SSL_eNULL,0,0,SSL_FIPS, 0,0,0}, | 327 | {0, SSL_TXT_FIPS, 0, 0, 0,~SSL_eNULL, 0, 0, SSL_FIPS, 0, 0, 0}, |
| 329 | }; | 328 | }; |
| 330 | /* Search for public key algorithm with given name and | 329 | /* Search for public key algorithm with given name and |
| 331 | * return its pkey_id if it is available. Otherwise return 0 | 330 | * return its pkey_id if it is available. Otherwise return 0 |
| 332 | */ | 331 | */ |
| 333 | #ifdef OPENSSL_NO_ENGINE | 332 | #ifdef OPENSSL_NO_ENGINE |
| 334 | 333 | ||
| 335 | static int get_optional_pkey_id(const char *pkey_name) | 334 | static int |
| 336 | { | 335 | get_optional_pkey_id(const char *pkey_name) |
| 336 | { | ||
| 337 | const EVP_PKEY_ASN1_METHOD *ameth; | 337 | const EVP_PKEY_ASN1_METHOD *ameth; |
| 338 | int pkey_id=0; | 338 | int pkey_id = 0; |
| 339 | ameth = EVP_PKEY_asn1_find_str(NULL,pkey_name,-1); | 339 | ameth = EVP_PKEY_asn1_find_str(NULL, pkey_name, -1); |
| 340 | if (ameth) | 340 | if (ameth) { |
| 341 | { | 341 | EVP_PKEY_asn1_get0_info(&pkey_id, NULL, NULL, NULL, NULL, ameth); |
| 342 | EVP_PKEY_asn1_get0_info(&pkey_id, NULL,NULL,NULL,NULL,ameth); | ||
| 343 | } | ||
| 344 | return pkey_id; | ||
| 345 | } | 342 | } |
| 343 | return pkey_id; | ||
| 344 | } | ||
| 346 | 345 | ||
| 347 | #else | 346 | #else |
| 348 | 347 | ||
| 349 | static int get_optional_pkey_id(const char *pkey_name) | 348 | static int |
| 350 | { | 349 | get_optional_pkey_id(const char *pkey_name) |
| 350 | { | ||
| 351 | const EVP_PKEY_ASN1_METHOD *ameth; | 351 | const EVP_PKEY_ASN1_METHOD *ameth; |
| 352 | ENGINE *tmpeng = NULL; | 352 | ENGINE *tmpeng = NULL; |
| 353 | int pkey_id=0; | 353 | int pkey_id = 0; |
| 354 | ameth = EVP_PKEY_asn1_find_str(&tmpeng,pkey_name,-1); | 354 | ameth = EVP_PKEY_asn1_find_str(&tmpeng, pkey_name, -1); |
| 355 | if (ameth) | 355 | if (ameth) { |
| 356 | { | 356 | EVP_PKEY_asn1_get0_info(&pkey_id, NULL, NULL, NULL, NULL, ameth); |
| 357 | EVP_PKEY_asn1_get0_info(&pkey_id, NULL,NULL,NULL,NULL,ameth); | ||
| 358 | } | ||
| 359 | if (tmpeng) ENGINE_finish(tmpeng); | ||
| 360 | return pkey_id; | ||
| 361 | } | 357 | } |
| 358 | if (tmpeng) | ||
| 359 | ENGINE_finish(tmpeng); | ||
| 360 | return pkey_id; | ||
| 361 | } | ||
| 362 | 362 | ||
| 363 | #endif | 363 | #endif |
| 364 | 364 | ||
| 365 | void ssl_load_ciphers(void) | 365 | void |
| 366 | { | 366 | ssl_load_ciphers(void) |
| 367 | ssl_cipher_methods[SSL_ENC_DES_IDX]= | 367 | { |
| 368 | EVP_get_cipherbyname(SN_des_cbc); | 368 | ssl_cipher_methods[SSL_ENC_DES_IDX]= |
| 369 | EVP_get_cipherbyname(SN_des_cbc); | ||
| 369 | ssl_cipher_methods[SSL_ENC_3DES_IDX]= | 370 | ssl_cipher_methods[SSL_ENC_3DES_IDX]= |
| 370 | EVP_get_cipherbyname(SN_des_ede3_cbc); | 371 | EVP_get_cipherbyname(SN_des_ede3_cbc); |
| 371 | ssl_cipher_methods[SSL_ENC_RC4_IDX]= | 372 | ssl_cipher_methods[SSL_ENC_RC4_IDX]= |
| 372 | EVP_get_cipherbyname(SN_rc4); | 373 | EVP_get_cipherbyname(SN_rc4); |
| 373 | ssl_cipher_methods[SSL_ENC_RC2_IDX]= | 374 | ssl_cipher_methods[SSL_ENC_RC2_IDX]= |
| 374 | EVP_get_cipherbyname(SN_rc2_cbc); | 375 | EVP_get_cipherbyname(SN_rc2_cbc); |
| 375 | #ifndef OPENSSL_NO_IDEA | 376 | #ifndef OPENSSL_NO_IDEA |
| 376 | ssl_cipher_methods[SSL_ENC_IDEA_IDX]= | 377 | ssl_cipher_methods[SSL_ENC_IDEA_IDX]= |
| 377 | EVP_get_cipherbyname(SN_idea_cbc); | 378 | EVP_get_cipherbyname(SN_idea_cbc); |
| 378 | #else | 379 | #else |
| 379 | ssl_cipher_methods[SSL_ENC_IDEA_IDX]= NULL; | 380 | ssl_cipher_methods[SSL_ENC_IDEA_IDX] = NULL; |
| 380 | #endif | 381 | #endif |
| 381 | ssl_cipher_methods[SSL_ENC_AES128_IDX]= | 382 | ssl_cipher_methods[SSL_ENC_AES128_IDX]= |
| 382 | EVP_get_cipherbyname(SN_aes_128_cbc); | 383 | EVP_get_cipherbyname(SN_aes_128_cbc); |
| 383 | ssl_cipher_methods[SSL_ENC_AES256_IDX]= | 384 | ssl_cipher_methods[SSL_ENC_AES256_IDX]= |
| 384 | EVP_get_cipherbyname(SN_aes_256_cbc); | 385 | EVP_get_cipherbyname(SN_aes_256_cbc); |
| 385 | ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX]= | 386 | ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX]= |
| 386 | EVP_get_cipherbyname(SN_camellia_128_cbc); | 387 | EVP_get_cipherbyname(SN_camellia_128_cbc); |
| 387 | ssl_cipher_methods[SSL_ENC_CAMELLIA256_IDX]= | 388 | ssl_cipher_methods[SSL_ENC_CAMELLIA256_IDX]= |
| 388 | EVP_get_cipherbyname(SN_camellia_256_cbc); | 389 | EVP_get_cipherbyname(SN_camellia_256_cbc); |
| 389 | ssl_cipher_methods[SSL_ENC_GOST89_IDX]= | 390 | ssl_cipher_methods[SSL_ENC_GOST89_IDX]= |
| 390 | EVP_get_cipherbyname(SN_gost89_cnt); | 391 | EVP_get_cipherbyname(SN_gost89_cnt); |
| 391 | ssl_cipher_methods[SSL_ENC_SEED_IDX]= | 392 | ssl_cipher_methods[SSL_ENC_SEED_IDX]= |
| 392 | EVP_get_cipherbyname(SN_seed_cbc); | 393 | EVP_get_cipherbyname(SN_seed_cbc); |
| 393 | 394 | ||
| 394 | ssl_cipher_methods[SSL_ENC_AES128GCM_IDX]= | 395 | ssl_cipher_methods[SSL_ENC_AES128GCM_IDX]= |
| 395 | EVP_get_cipherbyname(SN_aes_128_gcm); | 396 | EVP_get_cipherbyname(SN_aes_128_gcm); |
| 396 | ssl_cipher_methods[SSL_ENC_AES256GCM_IDX]= | 397 | ssl_cipher_methods[SSL_ENC_AES256GCM_IDX]= |
| 397 | EVP_get_cipherbyname(SN_aes_256_gcm); | 398 | EVP_get_cipherbyname(SN_aes_256_gcm); |
| 398 | 399 | ||
| 399 | ssl_digest_methods[SSL_MD_MD5_IDX]= | 400 | ssl_digest_methods[SSL_MD_MD5_IDX]= |
| 400 | EVP_get_digestbyname(SN_md5); | 401 | EVP_get_digestbyname(SN_md5); |
| 401 | ssl_mac_secret_size[SSL_MD_MD5_IDX]= | 402 | ssl_mac_secret_size[SSL_MD_MD5_IDX]= |
| 402 | EVP_MD_size(ssl_digest_methods[SSL_MD_MD5_IDX]); | 403 | EVP_MD_size(ssl_digest_methods[SSL_MD_MD5_IDX]); |
| 403 | OPENSSL_assert(ssl_mac_secret_size[SSL_MD_MD5_IDX] >= 0); | 404 | OPENSSL_assert(ssl_mac_secret_size[SSL_MD_MD5_IDX] >= 0); |
| 404 | ssl_digest_methods[SSL_MD_SHA1_IDX]= | 405 | ssl_digest_methods[SSL_MD_SHA1_IDX]= |
| 405 | EVP_get_digestbyname(SN_sha1); | 406 | EVP_get_digestbyname(SN_sha1); |
| 406 | ssl_mac_secret_size[SSL_MD_SHA1_IDX]= | 407 | ssl_mac_secret_size[SSL_MD_SHA1_IDX]= |
| 407 | EVP_MD_size(ssl_digest_methods[SSL_MD_SHA1_IDX]); | 408 | EVP_MD_size(ssl_digest_methods[SSL_MD_SHA1_IDX]); |
| 408 | OPENSSL_assert(ssl_mac_secret_size[SSL_MD_SHA1_IDX] >= 0); | 409 | OPENSSL_assert(ssl_mac_secret_size[SSL_MD_SHA1_IDX] >= 0); |
| 409 | ssl_digest_methods[SSL_MD_GOST94_IDX]= | 410 | ssl_digest_methods[SSL_MD_GOST94_IDX]= |
| 410 | EVP_get_digestbyname(SN_id_GostR3411_94); | 411 | EVP_get_digestbyname(SN_id_GostR3411_94); |
| 411 | if (ssl_digest_methods[SSL_MD_GOST94_IDX]) | 412 | if (ssl_digest_methods[SSL_MD_GOST94_IDX]) { |
| 412 | { | ||
| 413 | ssl_mac_secret_size[SSL_MD_GOST94_IDX]= | 413 | ssl_mac_secret_size[SSL_MD_GOST94_IDX]= |
| 414 | EVP_MD_size(ssl_digest_methods[SSL_MD_GOST94_IDX]); | 414 | EVP_MD_size(ssl_digest_methods[SSL_MD_GOST94_IDX]); |
| 415 | OPENSSL_assert(ssl_mac_secret_size[SSL_MD_GOST94_IDX] >= 0); | 415 | OPENSSL_assert(ssl_mac_secret_size[SSL_MD_GOST94_IDX] >= 0); |
| 416 | } | 416 | } |
| 417 | ssl_digest_methods[SSL_MD_GOST89MAC_IDX]= | 417 | ssl_digest_methods[SSL_MD_GOST89MAC_IDX]= |
| 418 | EVP_get_digestbyname(SN_id_Gost28147_89_MAC); | 418 | EVP_get_digestbyname(SN_id_Gost28147_89_MAC); |
| 419 | ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX] = get_optional_pkey_id("gost-mac"); | 419 | ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX] = get_optional_pkey_id("gost-mac"); |
| 420 | if (ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX]) { | 420 | if (ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX]) { |
| 421 | ssl_mac_secret_size[SSL_MD_GOST89MAC_IDX]=32; | 421 | ssl_mac_secret_size[SSL_MD_GOST89MAC_IDX] = 32; |
| 422 | } | 422 | } |
| 423 | 423 | ||
| 424 | ssl_digest_methods[SSL_MD_SHA256_IDX]= | 424 | ssl_digest_methods[SSL_MD_SHA256_IDX]= |
| 425 | EVP_get_digestbyname(SN_sha256); | 425 | EVP_get_digestbyname(SN_sha256); |
| 426 | ssl_mac_secret_size[SSL_MD_SHA256_IDX]= | 426 | ssl_mac_secret_size[SSL_MD_SHA256_IDX]= |
| 427 | EVP_MD_size(ssl_digest_methods[SSL_MD_SHA256_IDX]); | 427 | EVP_MD_size(ssl_digest_methods[SSL_MD_SHA256_IDX]); |
| 428 | ssl_digest_methods[SSL_MD_SHA384_IDX]= | 428 | ssl_digest_methods[SSL_MD_SHA384_IDX]= |
| 429 | EVP_get_digestbyname(SN_sha384); | 429 | EVP_get_digestbyname(SN_sha384); |
| 430 | ssl_mac_secret_size[SSL_MD_SHA384_IDX]= | 430 | ssl_mac_secret_size[SSL_MD_SHA384_IDX]= |
| 431 | EVP_MD_size(ssl_digest_methods[SSL_MD_SHA384_IDX]); | 431 | EVP_MD_size(ssl_digest_methods[SSL_MD_SHA384_IDX]); |
| 432 | } | 432 | } |
| 433 | #ifndef OPENSSL_NO_COMP | 433 | #ifndef OPENSSL_NO_COMP |
| 434 | 434 | ||
| 435 | static int sk_comp_cmp(const SSL_COMP * const *a, | 435 | static int |
| 436 | const SSL_COMP * const *b) | 436 | sk_comp_cmp(const SSL_COMP * const *a, |
| 437 | { | 437 | const SSL_COMP * const *b) |
| 438 | return((*a)->id-(*b)->id); | 438 | { |
| 439 | } | 439 | return ((*a)->id - (*b)->id); |
| 440 | } | ||
| 440 | 441 | ||
| 441 | static void load_builtin_compressions(void) | 442 | static void |
| 442 | { | 443 | load_builtin_compressions(void) |
| 444 | { | ||
| 443 | int got_write_lock = 0; | 445 | int got_write_lock = 0; |
| 444 | 446 | ||
| 445 | CRYPTO_r_lock(CRYPTO_LOCK_SSL); | 447 | CRYPTO_r_lock(CRYPTO_LOCK_SSL); |
| 446 | if (ssl_comp_methods == NULL) | 448 | if (ssl_comp_methods == NULL) { |
| 447 | { | ||
| 448 | CRYPTO_r_unlock(CRYPTO_LOCK_SSL); | 449 | CRYPTO_r_unlock(CRYPTO_LOCK_SSL); |
| 449 | CRYPTO_w_lock(CRYPTO_LOCK_SSL); | 450 | CRYPTO_w_lock(CRYPTO_LOCK_SSL); |
| 450 | got_write_lock = 1; | 451 | got_write_lock = 1; |
| 451 | 452 | ||
| 452 | if (ssl_comp_methods == NULL) | 453 | if (ssl_comp_methods == NULL) { |
| 453 | { | ||
| 454 | SSL_COMP *comp = NULL; | 454 | SSL_COMP *comp = NULL; |
| 455 | 455 | ||
| 456 | MemCheck_off(); | 456 | MemCheck_off(); |
| 457 | ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp); | 457 | ssl_comp_methods = sk_SSL_COMP_new(sk_comp_cmp); |
| 458 | if (ssl_comp_methods != NULL) | 458 | if (ssl_comp_methods != NULL) { |
| 459 | { | 459 | comp = (SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP)); |
| 460 | comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP)); | 460 | if (comp != NULL) { |
| 461 | if (comp != NULL) | 461 | comp->method = COMP_zlib(); |
| 462 | { | ||
| 463 | comp->method=COMP_zlib(); | ||
| 464 | if (comp->method | 462 | if (comp->method |
| 465 | && comp->method->type == NID_undef) | 463 | && comp->method->type == NID_undef) |
| 466 | OPENSSL_free(comp); | 464 | OPENSSL_free(comp); |
| 467 | else | 465 | else { |
| 468 | { | 466 | comp->id = SSL_COMP_ZLIB_IDX; |
| 469 | comp->id=SSL_COMP_ZLIB_IDX; | 467 | comp->name = comp->method->name; |
| 470 | comp->name=comp->method->name; | 468 | sk_SSL_COMP_push(ssl_comp_methods, comp); |
| 471 | sk_SSL_COMP_push(ssl_comp_methods,comp); | ||
| 472 | } | ||
| 473 | } | 469 | } |
| 474 | sk_SSL_COMP_sort(ssl_comp_methods); | ||
| 475 | } | 470 | } |
| 476 | MemCheck_on(); | 471 | sk_SSL_COMP_sort(ssl_comp_methods); |
| 477 | } | 472 | } |
| 473 | MemCheck_on(); | ||
| 478 | } | 474 | } |
| 479 | 475 | } | |
| 476 | |||
| 480 | if (got_write_lock) | 477 | if (got_write_lock) |
| 481 | CRYPTO_w_unlock(CRYPTO_LOCK_SSL); | 478 | CRYPTO_w_unlock(CRYPTO_LOCK_SSL); |
| 482 | else | 479 | else |
| 483 | CRYPTO_r_unlock(CRYPTO_LOCK_SSL); | 480 | CRYPTO_r_unlock(CRYPTO_LOCK_SSL); |
| 484 | } | 481 | } |
| 485 | #endif | 482 | #endif |
| 486 | 483 | ||
| 487 | int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, | 484 | int |
| 488 | const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size,SSL_COMP **comp) | 485 | ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, |
| 489 | { | 486 | const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size, SSL_COMP **comp) |
| 487 | { | ||
| 490 | int i; | 488 | int i; |
| 491 | const SSL_CIPHER *c; | 489 | const SSL_CIPHER *c; |
| 492 | 490 | ||
| 493 | c=s->cipher; | 491 | c = s->cipher; |
| 494 | if (c == NULL) return(0); | 492 | if (c == NULL) |
| 495 | if (comp != NULL) | 493 | return (0); |
| 496 | { | 494 | if (comp != NULL) { |
| 497 | SSL_COMP ctmp; | 495 | SSL_COMP ctmp; |
| 498 | #ifndef OPENSSL_NO_COMP | 496 | #ifndef OPENSSL_NO_COMP |
| 499 | load_builtin_compressions(); | 497 | load_builtin_compressions(); |
| 500 | #endif | 498 | #endif |
| 501 | 499 | ||
| 502 | *comp=NULL; | 500 | *comp = NULL; |
| 503 | ctmp.id=s->compress_meth; | 501 | ctmp.id = s->compress_meth; |
| 504 | if (ssl_comp_methods != NULL) | 502 | if (ssl_comp_methods != NULL) { |
| 505 | { | 503 | i = sk_SSL_COMP_find(ssl_comp_methods, &ctmp); |
| 506 | i=sk_SSL_COMP_find(ssl_comp_methods,&ctmp); | ||
| 507 | if (i >= 0) | 504 | if (i >= 0) |
| 508 | *comp=sk_SSL_COMP_value(ssl_comp_methods,i); | 505 | *comp = sk_SSL_COMP_value(ssl_comp_methods, i); |
| 509 | else | 506 | else |
| 510 | *comp=NULL; | 507 | *comp = NULL; |
| 511 | } | ||
| 512 | } | 508 | } |
| 509 | } | ||
| 513 | 510 | ||
| 514 | if ((enc == NULL) || (md == NULL)) return(0); | 511 | if ((enc == NULL) |
| 512 | || (md == NULL)) return (0); | ||
| 515 | 513 | ||
| 516 | switch (c->algorithm_enc) | 514 | switch (c->algorithm_enc) { |
| 517 | { | ||
| 518 | case SSL_DES: | 515 | case SSL_DES: |
| 519 | i=SSL_ENC_DES_IDX; | 516 | i = SSL_ENC_DES_IDX; |
| 520 | break; | 517 | break; |
| 521 | case SSL_3DES: | 518 | case SSL_3DES: |
| 522 | i=SSL_ENC_3DES_IDX; | 519 | i = SSL_ENC_3DES_IDX; |
| 523 | break; | 520 | break; |
| 524 | case SSL_RC4: | 521 | case SSL_RC4: |
| 525 | i=SSL_ENC_RC4_IDX; | 522 | i = SSL_ENC_RC4_IDX; |
| 526 | break; | 523 | break; |
| 527 | case SSL_RC2: | 524 | case SSL_RC2: |
| 528 | i=SSL_ENC_RC2_IDX; | 525 | i = SSL_ENC_RC2_IDX; |
| 529 | break; | 526 | break; |
| 530 | case SSL_IDEA: | 527 | case SSL_IDEA: |
| 531 | i=SSL_ENC_IDEA_IDX; | 528 | i = SSL_ENC_IDEA_IDX; |
| 532 | break; | 529 | break; |
| 533 | case SSL_eNULL: | 530 | case SSL_eNULL: |
| 534 | i=SSL_ENC_NULL_IDX; | 531 | i = SSL_ENC_NULL_IDX; |
| 535 | break; | 532 | break; |
| 536 | case SSL_AES128: | 533 | case SSL_AES128: |
| 537 | i=SSL_ENC_AES128_IDX; | 534 | i = SSL_ENC_AES128_IDX; |
| 538 | break; | 535 | break; |
| 539 | case SSL_AES256: | 536 | case SSL_AES256: |
| 540 | i=SSL_ENC_AES256_IDX; | 537 | i = SSL_ENC_AES256_IDX; |
| 541 | break; | 538 | break; |
| 542 | case SSL_CAMELLIA128: | 539 | case SSL_CAMELLIA128: |
| 543 | i=SSL_ENC_CAMELLIA128_IDX; | 540 | i = SSL_ENC_CAMELLIA128_IDX; |
| 544 | break; | 541 | break; |
| 545 | case SSL_CAMELLIA256: | 542 | case SSL_CAMELLIA256: |
| 546 | i=SSL_ENC_CAMELLIA256_IDX; | 543 | i = SSL_ENC_CAMELLIA256_IDX; |
| 547 | break; | 544 | break; |
| 548 | case SSL_eGOST2814789CNT: | 545 | case SSL_eGOST2814789CNT: |
| 549 | i=SSL_ENC_GOST89_IDX; | 546 | i = SSL_ENC_GOST89_IDX; |
| 550 | break; | 547 | break; |
| 551 | case SSL_SEED: | 548 | case SSL_SEED: |
| 552 | i=SSL_ENC_SEED_IDX; | 549 | i = SSL_ENC_SEED_IDX; |
| 553 | break; | 550 | break; |
| 554 | case SSL_AES128GCM: | 551 | case SSL_AES128GCM: |
| 555 | i=SSL_ENC_AES128GCM_IDX; | 552 | i = SSL_ENC_AES128GCM_IDX; |
| 556 | break; | 553 | break; |
| 557 | case SSL_AES256GCM: | 554 | case SSL_AES256GCM: |
| 558 | i=SSL_ENC_AES256GCM_IDX; | 555 | i = SSL_ENC_AES256GCM_IDX; |
| 559 | break; | 556 | break; |
| 560 | default: | 557 | default: |
| 561 | i= -1; | 558 | i = -1; |
| 562 | break; | 559 | break; |
| 563 | } | 560 | } |
| 564 | 561 | ||
| 565 | if ((i < 0) || (i > SSL_ENC_NUM_IDX)) | 562 | if ((i < 0) || (i > SSL_ENC_NUM_IDX)) |
| 566 | *enc=NULL; | 563 | *enc = NULL; |
| 567 | else | 564 | else { |
| 568 | { | ||
| 569 | if (i == SSL_ENC_NULL_IDX) | 565 | if (i == SSL_ENC_NULL_IDX) |
| 570 | *enc=EVP_enc_null(); | 566 | *enc = EVP_enc_null(); |
| 571 | else | 567 | else |
| 572 | *enc=ssl_cipher_methods[i]; | 568 | *enc = ssl_cipher_methods[i]; |
| 573 | } | 569 | } |
| 574 | 570 | ||
| 575 | switch (c->algorithm_mac) | 571 | switch (c->algorithm_mac) { |
| 576 | { | ||
| 577 | case SSL_MD5: | 572 | case SSL_MD5: |
| 578 | i=SSL_MD_MD5_IDX; | 573 | i = SSL_MD_MD5_IDX; |
| 579 | break; | 574 | break; |
| 580 | case SSL_SHA1: | 575 | case SSL_SHA1: |
| 581 | i=SSL_MD_SHA1_IDX; | 576 | i = SSL_MD_SHA1_IDX; |
| 582 | break; | 577 | break; |
| 583 | case SSL_SHA256: | 578 | case SSL_SHA256: |
| 584 | i=SSL_MD_SHA256_IDX; | 579 | i = SSL_MD_SHA256_IDX; |
| 585 | break; | 580 | break; |
| 586 | case SSL_SHA384: | 581 | case SSL_SHA384: |
| 587 | i=SSL_MD_SHA384_IDX; | 582 | i = SSL_MD_SHA384_IDX; |
| 588 | break; | 583 | break; |
| 589 | case SSL_GOST94: | 584 | case SSL_GOST94: |
| 590 | i = SSL_MD_GOST94_IDX; | 585 | i = SSL_MD_GOST94_IDX; |
| @@ -593,63 +588,63 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, | |||
| 593 | i = SSL_MD_GOST89MAC_IDX; | 588 | i = SSL_MD_GOST89MAC_IDX; |
| 594 | break; | 589 | break; |
| 595 | default: | 590 | default: |
| 596 | i= -1; | 591 | i = -1; |
| 597 | break; | 592 | break; |
| 598 | } | 593 | } |
| 599 | if ((i < 0) || (i > SSL_MD_NUM_IDX)) | 594 | if ((i < 0) || (i > SSL_MD_NUM_IDX)) { |
| 600 | { | 595 | *md = NULL; |
| 601 | *md=NULL; | 596 | |
| 602 | if (mac_pkey_type!=NULL) *mac_pkey_type = NID_undef; | 597 | if (mac_pkey_type != NULL) |
| 603 | if (mac_secret_size!=NULL) *mac_secret_size = 0; | 598 | *mac_pkey_type = NID_undef; |
| 599 | if (mac_secret_size != NULL) | ||
| 600 | *mac_secret_size = 0; | ||
| 604 | if (c->algorithm_mac == SSL_AEAD) | 601 | if (c->algorithm_mac == SSL_AEAD) |
| 605 | mac_pkey_type = NULL; | 602 | mac_pkey_type = NULL; |
| 606 | } | 603 | } else { |
| 607 | else | 604 | *md = ssl_digest_methods[i]; |
| 608 | { | 605 | if (mac_pkey_type != NULL) |
| 609 | *md=ssl_digest_methods[i]; | 606 | *mac_pkey_type = ssl_mac_pkey_id[i]; |
| 610 | if (mac_pkey_type!=NULL) *mac_pkey_type = ssl_mac_pkey_id[i]; | 607 | if (mac_secret_size != NULL) |
| 611 | if (mac_secret_size!=NULL) *mac_secret_size = ssl_mac_secret_size[i]; | 608 | *mac_secret_size = ssl_mac_secret_size[i]; |
| 612 | } | 609 | } |
| 613 | 610 | ||
| 614 | if ((*enc != NULL) && | 611 | if ((*enc != NULL) && |
| 615 | (*md != NULL || (EVP_CIPHER_flags(*enc)&EVP_CIPH_FLAG_AEAD_CIPHER)) && | 612 | (*md != NULL || (EVP_CIPHER_flags(*enc)&EVP_CIPH_FLAG_AEAD_CIPHER)) && |
| 616 | (!mac_pkey_type||*mac_pkey_type != NID_undef)) | 613 | (!mac_pkey_type || *mac_pkey_type != NID_undef)) { |
| 617 | { | ||
| 618 | const EVP_CIPHER *evp; | 614 | const EVP_CIPHER *evp; |
| 619 | 615 | ||
| 620 | if (s->ssl_version>>8 != TLS1_VERSION_MAJOR || | 616 | if (s->ssl_version >> 8 != TLS1_VERSION_MAJOR || |
| 621 | s->ssl_version < TLS1_VERSION) | 617 | s->ssl_version < TLS1_VERSION) |
| 622 | return 1; | 618 | return 1; |
| 623 | 619 | ||
| 624 | #ifdef OPENSSL_FIPS | 620 | #ifdef OPENSSL_FIPS |
| 625 | if (FIPS_mode()) | 621 | if (FIPS_mode()) |
| 626 | return 1; | 622 | return 1; |
| 627 | #endif | 623 | #endif |
| 628 | 624 | ||
| 629 | if (c->algorithm_enc == SSL_RC4 && | 625 | if (c->algorithm_enc == SSL_RC4 && |
| 630 | c->algorithm_mac == SSL_MD5 && | 626 | c->algorithm_mac == SSL_MD5 && |
| 631 | (evp=EVP_get_cipherbyname("RC4-HMAC-MD5"))) | 627 | (evp = EVP_get_cipherbyname("RC4-HMAC-MD5"))) |
| 632 | *enc = evp, *md = NULL; | 628 | *enc = evp, *md = NULL; |
| 633 | else if (c->algorithm_enc == SSL_AES128 && | 629 | else if (c->algorithm_enc == SSL_AES128 && |
| 634 | c->algorithm_mac == SSL_SHA1 && | 630 | c->algorithm_mac == SSL_SHA1 && |
| 635 | (evp=EVP_get_cipherbyname("AES-128-CBC-HMAC-SHA1"))) | 631 | (evp = EVP_get_cipherbyname("AES-128-CBC-HMAC-SHA1"))) |
| 636 | *enc = evp, *md = NULL; | 632 | *enc = evp, *md = NULL; |
| 637 | else if (c->algorithm_enc == SSL_AES256 && | 633 | else if (c->algorithm_enc == SSL_AES256 && |
| 638 | c->algorithm_mac == SSL_SHA1 && | 634 | c->algorithm_mac == SSL_SHA1 && |
| 639 | (evp=EVP_get_cipherbyname("AES-256-CBC-HMAC-SHA1"))) | 635 | (evp = EVP_get_cipherbyname("AES-256-CBC-HMAC-SHA1"))) |
| 640 | *enc = evp, *md = NULL; | 636 | *enc = evp, *md = NULL; |
| 641 | return(1); | 637 | return (1); |
| 642 | } | 638 | } else |
| 643 | else | 639 | return (0); |
| 644 | return(0); | 640 | } |
| 645 | } | ||
| 646 | 641 | ||
| 647 | int ssl_get_handshake_digest(int idx, long *mask, const EVP_MD **md) | 642 | int |
| 643 | ssl_get_handshake_digest(int idx, long *mask, const EVP_MD **md) | ||
| 648 | { | 644 | { |
| 649 | if (idx <0||idx>=SSL_MD_NUM_IDX) | 645 | if (idx < 0 || idx >= SSL_MD_NUM_IDX) { |
| 650 | { | ||
| 651 | return 0; | 646 | return 0; |
| 652 | } | 647 | } |
| 653 | *mask = ssl_handshake_digest_flag[idx]; | 648 | *mask = ssl_handshake_digest_flag[idx]; |
| 654 | if (*mask) | 649 | if (*mask) |
| 655 | *md = ssl_digest_methods[idx]; | 650 | *md = ssl_digest_methods[idx]; |
| @@ -661,40 +656,45 @@ int ssl_get_handshake_digest(int idx, long *mask, const EVP_MD **md) | |||
| 661 | #define ITEM_SEP(a) \ | 656 | #define ITEM_SEP(a) \ |
| 662 | (((a) == ':') || ((a) == ' ') || ((a) == ';') || ((a) == ',')) | 657 | (((a) == ':') || ((a) == ' ') || ((a) == ';') || ((a) == ',')) |
| 663 | 658 | ||
| 664 | static void ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr, | 659 | static void |
| 665 | CIPHER_ORDER **tail) | 660 | ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr, |
| 666 | { | 661 | CIPHER_ORDER **tail) |
| 667 | if (curr == *tail) return; | 662 | { |
| 663 | if (curr == *tail) | ||
| 664 | return; | ||
| 668 | if (curr == *head) | 665 | if (curr == *head) |
| 669 | *head=curr->next; | 666 | *head = curr->next; |
| 670 | if (curr->prev != NULL) | 667 | if (curr->prev != NULL) |
| 671 | curr->prev->next=curr->next; | 668 | curr->prev->next = curr->next; |
| 672 | if (curr->next != NULL) | 669 | if (curr->next != NULL) |
| 673 | curr->next->prev=curr->prev; | 670 | curr->next->prev = curr->prev; |
| 674 | (*tail)->next=curr; | 671 | (*tail)->next = curr; |
| 675 | curr->prev= *tail; | 672 | curr->prev= *tail; |
| 676 | curr->next=NULL; | 673 | curr->next = NULL; |
| 677 | *tail=curr; | 674 | *tail = curr; |
| 678 | } | 675 | } |
| 679 | 676 | ||
| 680 | static void ll_append_head(CIPHER_ORDER **head, CIPHER_ORDER *curr, | 677 | static void |
| 681 | CIPHER_ORDER **tail) | 678 | ll_append_head(CIPHER_ORDER **head, CIPHER_ORDER *curr, |
| 682 | { | 679 | CIPHER_ORDER **tail) |
| 683 | if (curr == *head) return; | 680 | { |
| 681 | if (curr == *head) | ||
| 682 | return; | ||
| 684 | if (curr == *tail) | 683 | if (curr == *tail) |
| 685 | *tail=curr->prev; | 684 | *tail = curr->prev; |
| 686 | if (curr->next != NULL) | 685 | if (curr->next != NULL) |
| 687 | curr->next->prev=curr->prev; | 686 | curr->next->prev = curr->prev; |
| 688 | if (curr->prev != NULL) | 687 | if (curr->prev != NULL) |
| 689 | curr->prev->next=curr->next; | 688 | curr->prev->next = curr->next; |
| 690 | (*head)->prev=curr; | 689 | (*head)->prev = curr; |
| 691 | curr->next= *head; | 690 | curr->next= *head; |
| 692 | curr->prev=NULL; | 691 | curr->prev = NULL; |
| 693 | *head=curr; | 692 | *head = curr; |
| 694 | } | 693 | } |
| 695 | 694 | ||
| 696 | static void ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, unsigned long *enc, unsigned long *mac, unsigned long *ssl) | 695 | static void |
| 697 | { | 696 | ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, unsigned long *enc, unsigned long *mac, unsigned long *ssl) |
| 697 | { | ||
| 698 | *mkey = 0; | 698 | *mkey = 0; |
| 699 | *auth = 0; | 699 | *auth = 0; |
| 700 | *enc = 0; | 700 | *enc = 0; |
| @@ -743,44 +743,45 @@ static void ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, un | |||
| 743 | /* Disable GOST key exchange if no GOST signature algs are available * */ | 743 | /* Disable GOST key exchange if no GOST signature algs are available * */ |
| 744 | if ((*auth & (SSL_aGOST94|SSL_aGOST01)) == (SSL_aGOST94|SSL_aGOST01)) { | 744 | if ((*auth & (SSL_aGOST94|SSL_aGOST01)) == (SSL_aGOST94|SSL_aGOST01)) { |
| 745 | *mkey |= SSL_kGOST; | 745 | *mkey |= SSL_kGOST; |
| 746 | } | 746 | } |
| 747 | #ifdef SSL_FORBID_ENULL | 747 | #ifdef SSL_FORBID_ENULL |
| 748 | *enc |= SSL_eNULL; | 748 | *enc |= SSL_eNULL; |
| 749 | #endif | 749 | #endif |
| 750 | |||
| 751 | |||
| 752 | |||
| 753 | *enc |= (ssl_cipher_methods[SSL_ENC_DES_IDX ] == NULL) ? SSL_DES :0; | ||
| 754 | *enc |= (ssl_cipher_methods[SSL_ENC_3DES_IDX] == NULL) ? SSL_3DES:0; | ||
| 755 | *enc |= (ssl_cipher_methods[SSL_ENC_RC4_IDX ] == NULL) ? SSL_RC4 :0; | ||
| 756 | *enc |= (ssl_cipher_methods[SSL_ENC_RC2_IDX ] == NULL) ? SSL_RC2 :0; | ||
| 757 | *enc |= (ssl_cipher_methods[SSL_ENC_IDEA_IDX] == NULL) ? SSL_IDEA:0; | ||
| 758 | *enc |= (ssl_cipher_methods[SSL_ENC_AES128_IDX] == NULL) ? SSL_AES128:0; | ||
| 759 | *enc |= (ssl_cipher_methods[SSL_ENC_AES256_IDX] == NULL) ? SSL_AES256:0; | ||
| 760 | *enc |= (ssl_cipher_methods[SSL_ENC_AES128GCM_IDX] == NULL) ? SSL_AES128GCM:0; | ||
| 761 | *enc |= (ssl_cipher_methods[SSL_ENC_AES256GCM_IDX] == NULL) ? SSL_AES256GCM:0; | ||
| 762 | *enc |= (ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX] == NULL) ? SSL_CAMELLIA128:0; | ||
| 763 | *enc |= (ssl_cipher_methods[SSL_ENC_CAMELLIA256_IDX] == NULL) ? SSL_CAMELLIA256:0; | ||
| 764 | *enc |= (ssl_cipher_methods[SSL_ENC_GOST89_IDX] == NULL) ? SSL_eGOST2814789CNT:0; | ||
| 765 | *enc |= (ssl_cipher_methods[SSL_ENC_SEED_IDX] == NULL) ? SSL_SEED:0; | ||
| 766 | |||
| 767 | *mac |= (ssl_digest_methods[SSL_MD_MD5_IDX ] == NULL) ? SSL_MD5 :0; | ||
| 768 | *mac |= (ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL) ? SSL_SHA1:0; | ||
| 769 | *mac |= (ssl_digest_methods[SSL_MD_SHA256_IDX] == NULL) ? SSL_SHA256:0; | ||
| 770 | *mac |= (ssl_digest_methods[SSL_MD_SHA384_IDX] == NULL) ? SSL_SHA384:0; | ||
| 771 | *mac |= (ssl_digest_methods[SSL_MD_GOST94_IDX] == NULL) ? SSL_GOST94:0; | ||
| 772 | *mac |= (ssl_digest_methods[SSL_MD_GOST89MAC_IDX] == NULL || ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX]==NID_undef)? SSL_GOST89MAC:0; | ||
| 773 | 750 | ||
| 774 | } | ||
| 775 | 751 | ||
| 776 | static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method, | 752 | |
| 777 | int num_of_ciphers, | 753 | *enc |= (ssl_cipher_methods[SSL_ENC_DES_IDX ] == NULL) ? SSL_DES : 0; |
| 778 | unsigned long disabled_mkey, unsigned long disabled_auth, | 754 | *enc |= (ssl_cipher_methods[SSL_ENC_3DES_IDX] == NULL) ? SSL_3DES : 0; |
| 779 | unsigned long disabled_enc, unsigned long disabled_mac, | 755 | *enc |= (ssl_cipher_methods[SSL_ENC_RC4_IDX ] == NULL) ? SSL_RC4 : 0; |
| 780 | unsigned long disabled_ssl, | 756 | *enc |= (ssl_cipher_methods[SSL_ENC_RC2_IDX ] == NULL) ? SSL_RC2 : 0; |
| 781 | CIPHER_ORDER *co_list, | 757 | *enc |= (ssl_cipher_methods[SSL_ENC_IDEA_IDX] == NULL) ? SSL_IDEA : 0; |
| 782 | CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) | 758 | *enc |= (ssl_cipher_methods[SSL_ENC_AES128_IDX] == NULL) ? SSL_AES128 : 0; |
| 783 | { | 759 | *enc |= (ssl_cipher_methods[SSL_ENC_AES256_IDX] == NULL) ? SSL_AES256 : 0; |
| 760 | *enc |= (ssl_cipher_methods[SSL_ENC_AES128GCM_IDX] == NULL) ? SSL_AES128GCM : 0; | ||
| 761 | *enc |= (ssl_cipher_methods[SSL_ENC_AES256GCM_IDX] == NULL) ? SSL_AES256GCM : 0; | ||
| 762 | *enc |= (ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX] == NULL) ? SSL_CAMELLIA128 : 0; | ||
| 763 | *enc |= (ssl_cipher_methods[SSL_ENC_CAMELLIA256_IDX] == NULL) ? SSL_CAMELLIA256 : 0; | ||
| 764 | *enc |= (ssl_cipher_methods[SSL_ENC_GOST89_IDX] == NULL) ? SSL_eGOST2814789CNT : 0; | ||
| 765 | *enc |= (ssl_cipher_methods[SSL_ENC_SEED_IDX] == NULL) ? SSL_SEED : 0; | ||
| 766 | |||
| 767 | *mac |= (ssl_digest_methods[SSL_MD_MD5_IDX ] == NULL) ? SSL_MD5 : 0; | ||
| 768 | *mac |= (ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL) ? SSL_SHA1 : 0; | ||
| 769 | *mac |= (ssl_digest_methods[SSL_MD_SHA256_IDX] == NULL) ? SSL_SHA256 : 0; | ||
| 770 | *mac |= (ssl_digest_methods[SSL_MD_SHA384_IDX] == NULL) ? SSL_SHA384 : 0; | ||
| 771 | *mac |= (ssl_digest_methods[SSL_MD_GOST94_IDX] == NULL) ? SSL_GOST94 : 0; | ||
| 772 | *mac |= (ssl_digest_methods[SSL_MD_GOST89MAC_IDX] == NULL || ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX]==NID_undef) ? SSL_GOST89MAC : 0; | ||
| 773 | |||
| 774 | } | ||
| 775 | |||
| 776 | static void | ||
| 777 | ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method, | ||
| 778 | int num_of_ciphers, | ||
| 779 | unsigned long disabled_mkey, unsigned long disabled_auth, | ||
| 780 | unsigned long disabled_enc, unsigned long disabled_mac, | ||
| 781 | unsigned long disabled_ssl, | ||
| 782 | CIPHER_ORDER *co_list, | ||
| 783 | CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) | ||
| 784 | { | ||
| 784 | int i, co_list_num; | 785 | int i, co_list_num; |
| 785 | const SSL_CIPHER *c; | 786 | const SSL_CIPHER *c; |
| 786 | 787 | ||
| @@ -793,68 +794,64 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method, | |||
| 793 | 794 | ||
| 794 | /* Get the initial list of ciphers */ | 795 | /* Get the initial list of ciphers */ |
| 795 | co_list_num = 0; /* actual count of ciphers */ | 796 | co_list_num = 0; /* actual count of ciphers */ |
| 796 | for (i = 0; i < num_of_ciphers; i++) | 797 | for (i = 0; i < num_of_ciphers; i++) { |
| 797 | { | ||
| 798 | c = ssl_method->get_cipher(i); | 798 | c = ssl_method->get_cipher(i); |
| 799 | /* drop those that use any of that is not available */ | 799 | /* drop those that use any of that is not available */ |
| 800 | if ((c != NULL) && c->valid && | 800 | if ((c != NULL) && c->valid && |
| 801 | #ifdef OPENSSL_FIPS | 801 | #ifdef OPENSSL_FIPS |
| 802 | (!FIPS_mode() || (c->algo_strength & SSL_FIPS)) && | 802 | (!FIPS_mode() || (c->algo_strength & SSL_FIPS)) && |
| 803 | #endif | 803 | #endif |
| 804 | !(c->algorithm_mkey & disabled_mkey) && | 804 | !(c->algorithm_mkey & disabled_mkey) && |
| 805 | !(c->algorithm_auth & disabled_auth) && | 805 | !(c->algorithm_auth & disabled_auth) && |
| 806 | !(c->algorithm_enc & disabled_enc) && | 806 | !(c->algorithm_enc & disabled_enc) && |
| 807 | !(c->algorithm_mac & disabled_mac) && | 807 | !(c->algorithm_mac & disabled_mac) && |
| 808 | !(c->algorithm_ssl & disabled_ssl)) | 808 | !(c->algorithm_ssl & disabled_ssl)) { |
| 809 | { | ||
| 810 | co_list[co_list_num].cipher = c; | 809 | co_list[co_list_num].cipher = c; |
| 811 | co_list[co_list_num].next = NULL; | 810 | co_list[co_list_num].next = NULL; |
| 812 | co_list[co_list_num].prev = NULL; | 811 | co_list[co_list_num].prev = NULL; |
| 813 | co_list[co_list_num].active = 0; | 812 | co_list[co_list_num].active = 0; |
| 814 | co_list_num++; | 813 | co_list_num++; |
| 815 | #ifdef KSSL_DEBUG | 814 | #ifdef KSSL_DEBUG |
| 816 | printf("\t%d: %s %lx %lx %lx\n",i,c->name,c->id,c->algorithm_mkey,c->algorithm_auth); | 815 | printf("\t%d: %s %lx %lx %lx\n", i, c->name, c->id, c->algorithm_mkey, c->algorithm_auth); |
| 817 | #endif /* KSSL_DEBUG */ | 816 | #endif /* KSSL_DEBUG */ |
| 818 | /* | 817 | /* |
| 819 | if (!sk_push(ca_list,(char *)c)) goto err; | 818 | if (!sk_push(ca_list,(char *)c)) goto err; |
| 820 | */ | 819 | */ |
| 821 | } | ||
| 822 | } | 820 | } |
| 821 | } | ||
| 823 | 822 | ||
| 824 | /* | 823 | /* |
| 825 | * Prepare linked list from list entries | 824 | * Prepare linked list from list entries |
| 826 | */ | 825 | */ |
| 827 | if (co_list_num > 0) | 826 | if (co_list_num > 0) { |
| 828 | { | ||
| 829 | co_list[0].prev = NULL; | 827 | co_list[0].prev = NULL; |
| 830 | 828 | ||
| 831 | if (co_list_num > 1) | 829 | if (co_list_num > 1) { |
| 832 | { | ||
| 833 | co_list[0].next = &co_list[1]; | 830 | co_list[0].next = &co_list[1]; |
| 834 | 831 | ||
| 835 | for (i = 1; i < co_list_num - 1; i++) | 832 | for (i = 1; i < co_list_num - 1; i++) { |
| 836 | { | ||
| 837 | co_list[i].prev = &co_list[i - 1]; | 833 | co_list[i].prev = &co_list[i - 1]; |
| 838 | co_list[i].next = &co_list[i + 1]; | 834 | co_list[i].next = &co_list[i + 1]; |
| 839 | } | 835 | } |
| 840 | 836 | ||
| 841 | co_list[co_list_num - 1].prev = &co_list[co_list_num - 2]; | 837 | co_list[co_list_num - 1].prev = &co_list[co_list_num - 2]; |
| 842 | } | 838 | } |
| 843 | 839 | ||
| 844 | co_list[co_list_num - 1].next = NULL; | 840 | co_list[co_list_num - 1].next = NULL; |
| 845 | 841 | ||
| 846 | *head_p = &co_list[0]; | 842 | *head_p = &co_list[0]; |
| 847 | *tail_p = &co_list[co_list_num - 1]; | 843 | *tail_p = &co_list[co_list_num - 1]; |
| 848 | } | ||
| 849 | } | 844 | } |
| 845 | } | ||
| 850 | 846 | ||
| 851 | static void ssl_cipher_collect_aliases(const SSL_CIPHER **ca_list, | 847 | static void |
| 852 | int num_of_group_aliases, | 848 | ssl_cipher_collect_aliases(const SSL_CIPHER **ca_list, |
| 853 | unsigned long disabled_mkey, unsigned long disabled_auth, | 849 | int num_of_group_aliases, |
| 854 | unsigned long disabled_enc, unsigned long disabled_mac, | 850 | unsigned long disabled_mkey, unsigned long disabled_auth, |
| 855 | unsigned long disabled_ssl, | 851 | unsigned long disabled_enc, unsigned long disabled_mac, |
| 856 | CIPHER_ORDER *head) | 852 | unsigned long disabled_ssl, |
| 857 | { | 853 | CIPHER_ORDER *head) |
| 854 | { | ||
| 858 | CIPHER_ORDER *ciph_curr; | 855 | CIPHER_ORDER *ciph_curr; |
| 859 | const SSL_CIPHER **ca_curr; | 856 | const SSL_CIPHER **ca_curr; |
| 860 | int i; | 857 | int i; |
| @@ -869,12 +866,11 @@ static void ssl_cipher_collect_aliases(const SSL_CIPHER **ca_list, | |||
| 869 | */ | 866 | */ |
| 870 | ciph_curr = head; | 867 | ciph_curr = head; |
| 871 | ca_curr = ca_list; | 868 | ca_curr = ca_list; |
| 872 | while (ciph_curr != NULL) | 869 | while (ciph_curr != NULL) { |
| 873 | { | ||
| 874 | *ca_curr = ciph_curr->cipher; | 870 | *ca_curr = ciph_curr->cipher; |
| 875 | ca_curr++; | 871 | ca_curr++; |
| 876 | ciph_curr = ciph_curr->next; | 872 | ciph_curr = ciph_curr->next; |
| 877 | } | 873 | } |
| 878 | 874 | ||
| 879 | /* | 875 | /* |
| 880 | * Now we add the available ones from the cipher_aliases[] table. | 876 | * Now we add the available ones from the cipher_aliases[] table. |
| @@ -882,8 +878,7 @@ static void ssl_cipher_collect_aliases(const SSL_CIPHER **ca_list, | |||
| 882 | * in any affected category must be supported (set in enabled_mask), | 878 | * in any affected category must be supported (set in enabled_mask), |
| 883 | * or represent a cipher strength value (will be added in any case because algorithms=0). | 879 | * or represent a cipher strength value (will be added in any case because algorithms=0). |
| 884 | */ | 880 | */ |
| 885 | for (i = 0; i < num_of_group_aliases; i++) | 881 | for (i = 0; i < num_of_group_aliases; i++) { |
| 886 | { | ||
| 887 | unsigned long algorithm_mkey = cipher_aliases[i].algorithm_mkey; | 882 | unsigned long algorithm_mkey = cipher_aliases[i].algorithm_mkey; |
| 888 | unsigned long algorithm_auth = cipher_aliases[i].algorithm_auth; | 883 | unsigned long algorithm_auth = cipher_aliases[i].algorithm_auth; |
| 889 | unsigned long algorithm_enc = cipher_aliases[i].algorithm_enc; | 884 | unsigned long algorithm_enc = cipher_aliases[i].algorithm_enc; |
| @@ -893,45 +888,46 @@ static void ssl_cipher_collect_aliases(const SSL_CIPHER **ca_list, | |||
| 893 | if (algorithm_mkey) | 888 | if (algorithm_mkey) |
| 894 | if ((algorithm_mkey & mask_mkey) == 0) | 889 | if ((algorithm_mkey & mask_mkey) == 0) |
| 895 | continue; | 890 | continue; |
| 896 | 891 | ||
| 897 | if (algorithm_auth) | 892 | if (algorithm_auth) |
| 898 | if ((algorithm_auth & mask_auth) == 0) | 893 | if ((algorithm_auth & mask_auth) == 0) |
| 899 | continue; | 894 | continue; |
| 900 | 895 | ||
| 901 | if (algorithm_enc) | 896 | if (algorithm_enc) |
| 902 | if ((algorithm_enc & mask_enc) == 0) | 897 | if ((algorithm_enc & mask_enc) == 0) |
| 903 | continue; | 898 | continue; |
| 904 | 899 | ||
| 905 | if (algorithm_mac) | 900 | if (algorithm_mac) |
| 906 | if ((algorithm_mac & mask_mac) == 0) | 901 | if ((algorithm_mac & mask_mac) == 0) |
| 907 | continue; | 902 | continue; |
| 908 | 903 | ||
| 909 | if (algorithm_ssl) | 904 | if (algorithm_ssl) |
| 910 | if ((algorithm_ssl & mask_ssl) == 0) | 905 | if ((algorithm_ssl & mask_ssl) == 0) |
| 911 | continue; | 906 | continue; |
| 912 | 907 | ||
| 913 | *ca_curr = (SSL_CIPHER *)(cipher_aliases + i); | 908 | *ca_curr = (SSL_CIPHER *)(cipher_aliases + i); |
| 914 | ca_curr++; | 909 | ca_curr++; |
| 915 | } | 910 | } |
| 916 | 911 | ||
| 917 | *ca_curr = NULL; /* end of list */ | 912 | *ca_curr = NULL; /* end of list */ |
| 918 | } | 913 | } |
| 919 | 914 | ||
| 920 | static void ssl_cipher_apply_rule(unsigned long cipher_id, | 915 | static void |
| 921 | unsigned long alg_mkey, unsigned long alg_auth, | 916 | ssl_cipher_apply_rule(unsigned long cipher_id, |
| 922 | unsigned long alg_enc, unsigned long alg_mac, | 917 | unsigned long alg_mkey, unsigned long alg_auth, |
| 923 | unsigned long alg_ssl, | 918 | unsigned long alg_enc, unsigned long alg_mac, |
| 924 | unsigned long algo_strength, | 919 | unsigned long alg_ssl, |
| 925 | int rule, int strength_bits, | 920 | unsigned long algo_strength, |
| 926 | CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) | 921 | int rule, int strength_bits, |
| 927 | { | 922 | CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) |
| 923 | { | ||
| 928 | CIPHER_ORDER *head, *tail, *curr, *curr2, *last; | 924 | CIPHER_ORDER *head, *tail, *curr, *curr2, *last; |
| 929 | const SSL_CIPHER *cp; | 925 | const SSL_CIPHER *cp; |
| 930 | int reverse = 0; | 926 | int reverse = 0; |
| 931 | 927 | ||
| 932 | #ifdef CIPHER_DEBUG | 928 | #ifdef CIPHER_DEBUG |
| 933 | printf("Applying rule %d with %08lx/%08lx/%08lx/%08lx/%08lx %08lx (%d)\n", | 929 | printf("Applying rule %d with %08lx/%08lx/%08lx/%08lx/%08lx %08lx (%d)\n", |
| 934 | rule, alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, algo_strength, strength_bits); | 930 | rule, alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, algo_strength, strength_bits); |
| 935 | #endif | 931 | #endif |
| 936 | 932 | ||
| 937 | if (rule == CIPHER_DEL) | 933 | if (rule == CIPHER_DEL) |
| @@ -940,21 +936,18 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id, | |||
| 940 | head = *head_p; | 936 | head = *head_p; |
| 941 | tail = *tail_p; | 937 | tail = *tail_p; |
| 942 | 938 | ||
| 943 | if (reverse) | 939 | if (reverse) { |
| 944 | { | ||
| 945 | curr = tail; | 940 | curr = tail; |
| 946 | last = head; | 941 | last = head; |
| 947 | } | 942 | } else { |
| 948 | else | ||
| 949 | { | ||
| 950 | curr = head; | 943 | curr = head; |
| 951 | last = tail; | 944 | last = tail; |
| 952 | } | 945 | } |
| 953 | 946 | ||
| 954 | curr2 = curr; | 947 | curr2 = curr; |
| 955 | for (;;) | 948 | for (;;) { |
| 956 | { | 949 | if ((curr == NULL) |
| 957 | if ((curr == NULL) || (curr == last)) break; | 950 | || (curr == last)) break; |
| 958 | curr = curr2; | 951 | curr = curr2; |
| 959 | curr2 = reverse ? curr->prev : curr->next; | 952 | curr2 = reverse ? curr->prev : curr->next; |
| 960 | 953 | ||
| @@ -964,13 +957,10 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id, | |||
| 964 | * Selection criteria is either the value of strength_bits | 957 | * Selection criteria is either the value of strength_bits |
| 965 | * or the algorithms used. | 958 | * or the algorithms used. |
| 966 | */ | 959 | */ |
| 967 | if (strength_bits >= 0) | 960 | if (strength_bits >= 0) { |
| 968 | { | ||
| 969 | if (strength_bits != cp->strength_bits) | 961 | if (strength_bits != cp->strength_bits) |
| 970 | continue; | 962 | continue; |
| 971 | } | 963 | } else { |
| 972 | else | ||
| 973 | { | ||
| 974 | #ifdef CIPHER_DEBUG | 964 | #ifdef CIPHER_DEBUG |
| 975 | printf("\nName: %s:\nAlgo = %08lx/%08lx/%08lx/%08lx/%08lx Algo_strength = %08lx\n", cp->name, cp->algorithm_mkey, cp->algorithm_auth, cp->algorithm_enc, cp->algorithm_mac, cp->algorithm_ssl, cp->algo_strength); | 965 | printf("\nName: %s:\nAlgo = %08lx/%08lx/%08lx/%08lx/%08lx Algo_strength = %08lx\n", cp->name, cp->algorithm_mkey, cp->algorithm_auth, cp->algorithm_enc, cp->algorithm_mac, cp->algorithm_ssl, cp->algo_strength); |
| 976 | #endif | 966 | #endif |
| @@ -989,45 +979,36 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id, | |||
| 989 | continue; | 979 | continue; |
| 990 | if ((algo_strength & SSL_STRONG_MASK) && !(algo_strength & SSL_STRONG_MASK & cp->algo_strength)) | 980 | if ((algo_strength & SSL_STRONG_MASK) && !(algo_strength & SSL_STRONG_MASK & cp->algo_strength)) |
| 991 | continue; | 981 | continue; |
| 992 | } | 982 | } |
| 993 | 983 | ||
| 994 | #ifdef CIPHER_DEBUG | 984 | #ifdef CIPHER_DEBUG |
| 995 | printf("Action = %d\n", rule); | 985 | printf("Action = %d\n", rule); |
| 996 | #endif | 986 | #endif |
| 997 | 987 | ||
| 998 | /* add the cipher if it has not been added yet. */ | 988 | /* add the cipher if it has not been added yet. */ |
| 999 | if (rule == CIPHER_ADD) | 989 | if (rule == CIPHER_ADD) { |
| 1000 | { | ||
| 1001 | /* reverse == 0 */ | 990 | /* reverse == 0 */ |
| 1002 | if (!curr->active) | 991 | if (!curr->active) { |
| 1003 | { | ||
| 1004 | ll_append_tail(&head, curr, &tail); | 992 | ll_append_tail(&head, curr, &tail); |
| 1005 | curr->active = 1; | 993 | curr->active = 1; |
| 1006 | } | ||
| 1007 | } | 994 | } |
| 995 | } | ||
| 1008 | /* Move the added cipher to this location */ | 996 | /* Move the added cipher to this location */ |
| 1009 | else if (rule == CIPHER_ORD) | 997 | else if (rule == CIPHER_ORD) { |
| 1010 | { | ||
| 1011 | /* reverse == 0 */ | 998 | /* reverse == 0 */ |
| 1012 | if (curr->active) | 999 | if (curr->active) { |
| 1013 | { | ||
| 1014 | ll_append_tail(&head, curr, &tail); | 1000 | ll_append_tail(&head, curr, &tail); |
| 1015 | } | ||
| 1016 | } | 1001 | } |
| 1017 | else if (rule == CIPHER_DEL) | 1002 | } else if (rule == CIPHER_DEL) { |
| 1018 | { | ||
| 1019 | /* reverse == 1 */ | 1003 | /* reverse == 1 */ |
| 1020 | if (curr->active) | 1004 | if (curr->active) { |
| 1021 | { | ||
| 1022 | /* most recently deleted ciphersuites get best positions | 1005 | /* most recently deleted ciphersuites get best positions |
| 1023 | * for any future CIPHER_ADD (note that the CIPHER_DEL loop | 1006 | * for any future CIPHER_ADD (note that the CIPHER_DEL loop |
| 1024 | * works in reverse to maintain the order) */ | 1007 | * works in reverse to maintain the order) */ |
| 1025 | ll_append_head(&head, curr, &tail); | 1008 | ll_append_head(&head, curr, &tail); |
| 1026 | curr->active = 0; | 1009 | curr->active = 0; |
| 1027 | } | ||
| 1028 | } | 1010 | } |
| 1029 | else if (rule == CIPHER_KILL) | 1011 | } else if (rule == CIPHER_KILL) { |
| 1030 | { | ||
| 1031 | /* reverse == 0 */ | 1012 | /* reverse == 0 */ |
| 1032 | if (head == curr) | 1013 | if (head == curr) |
| 1033 | head = curr->next; | 1014 | head = curr->next; |
| @@ -1042,16 +1023,17 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id, | |||
| 1042 | curr->prev->next = curr->next; | 1023 | curr->prev->next = curr->next; |
| 1043 | curr->next = NULL; | 1024 | curr->next = NULL; |
| 1044 | curr->prev = NULL; | 1025 | curr->prev = NULL; |
| 1045 | } | ||
| 1046 | } | 1026 | } |
| 1027 | } | ||
| 1047 | 1028 | ||
| 1048 | *head_p = head; | 1029 | *head_p = head; |
| 1049 | *tail_p = tail; | 1030 | *tail_p = tail; |
| 1050 | } | 1031 | } |
| 1051 | 1032 | ||
| 1052 | static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p, | 1033 | static int |
| 1053 | CIPHER_ORDER **tail_p) | 1034 | ssl_cipher_strength_sort(CIPHER_ORDER **head_p, |
| 1054 | { | 1035 | CIPHER_ORDER **tail_p) |
| 1036 | { | ||
| 1055 | int max_strength_bits, i, *number_uses; | 1037 | int max_strength_bits, i, *number_uses; |
| 1056 | CIPHER_ORDER *curr; | 1038 | CIPHER_ORDER *curr; |
| 1057 | 1039 | ||
| @@ -1062,32 +1044,29 @@ static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p, | |||
| 1062 | */ | 1044 | */ |
| 1063 | max_strength_bits = 0; | 1045 | max_strength_bits = 0; |
| 1064 | curr = *head_p; | 1046 | curr = *head_p; |
| 1065 | while (curr != NULL) | 1047 | while (curr != NULL) { |
| 1066 | { | ||
| 1067 | if (curr->active && | 1048 | if (curr->active && |
| 1068 | (curr->cipher->strength_bits > max_strength_bits)) | 1049 | (curr->cipher->strength_bits > max_strength_bits)) |
| 1069 | max_strength_bits = curr->cipher->strength_bits; | 1050 | max_strength_bits = curr->cipher->strength_bits; |
| 1070 | curr = curr->next; | 1051 | curr = curr->next; |
| 1071 | } | 1052 | } |
| 1072 | 1053 | ||
| 1073 | number_uses = OPENSSL_malloc((max_strength_bits + 1) * sizeof(int)); | 1054 | number_uses = OPENSSL_malloc((max_strength_bits + 1) * sizeof(int)); |
| 1074 | if (!number_uses) | 1055 | if (!number_uses) { |
| 1075 | { | 1056 | SSLerr(SSL_F_SSL_CIPHER_STRENGTH_SORT, ERR_R_MALLOC_FAILURE); |
| 1076 | SSLerr(SSL_F_SSL_CIPHER_STRENGTH_SORT,ERR_R_MALLOC_FAILURE); | 1057 | return (0); |
| 1077 | return(0); | 1058 | } |
| 1078 | } | ||
| 1079 | memset(number_uses, 0, (max_strength_bits + 1) * sizeof(int)); | 1059 | memset(number_uses, 0, (max_strength_bits + 1) * sizeof(int)); |
| 1080 | 1060 | ||
| 1081 | /* | 1061 | /* |
| 1082 | * Now find the strength_bits values actually used | 1062 | * Now find the strength_bits values actually used |
| 1083 | */ | 1063 | */ |
| 1084 | curr = *head_p; | 1064 | curr = *head_p; |
| 1085 | while (curr != NULL) | 1065 | while (curr != NULL) { |
| 1086 | { | ||
| 1087 | if (curr->active) | 1066 | if (curr->active) |
| 1088 | number_uses[curr->cipher->strength_bits]++; | 1067 | number_uses[curr->cipher->strength_bits]++; |
| 1089 | curr = curr->next; | 1068 | curr = curr->next; |
| 1090 | } | 1069 | } |
| 1091 | /* | 1070 | /* |
| 1092 | * Go through the list of used strength_bits values in descending | 1071 | * Go through the list of used strength_bits values in descending |
| 1093 | * order. | 1072 | * order. |
| @@ -1097,13 +1076,14 @@ static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p, | |||
| 1097 | ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ORD, i, head_p, tail_p); | 1076 | ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ORD, i, head_p, tail_p); |
| 1098 | 1077 | ||
| 1099 | OPENSSL_free(number_uses); | 1078 | OPENSSL_free(number_uses); |
| 1100 | return(1); | 1079 | return (1); |
| 1101 | } | 1080 | } |
| 1102 | 1081 | ||
| 1103 | static int ssl_cipher_process_rulestr(const char *rule_str, | 1082 | static int |
| 1104 | CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p, | 1083 | ssl_cipher_process_rulestr(const char *rule_str, |
| 1105 | const SSL_CIPHER **ca_list) | 1084 | CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p, |
| 1106 | { | 1085 | const SSL_CIPHER **ca_list) |
| 1086 | { | ||
| 1107 | unsigned long alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, algo_strength; | 1087 | unsigned long alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, algo_strength; |
| 1108 | const char *l, *buf; | 1088 | const char *l, *buf; |
| 1109 | int j, multi, found, rule, retval, ok, buflen; | 1089 | int j, multi, found, rule, retval, ok, buflen; |
| @@ -1112,28 +1092,32 @@ static int ssl_cipher_process_rulestr(const char *rule_str, | |||
| 1112 | 1092 | ||
| 1113 | retval = 1; | 1093 | retval = 1; |
| 1114 | l = rule_str; | 1094 | l = rule_str; |
| 1115 | for (;;) | 1095 | for (;;) { |
| 1116 | { | ||
| 1117 | ch = *l; | 1096 | ch = *l; |
| 1118 | 1097 | ||
| 1119 | if (ch == '\0') | 1098 | if (ch == '\0') |
| 1120 | break; /* done */ | 1099 | break; |
| 1100 | /* done */ | ||
| 1121 | if (ch == '-') | 1101 | if (ch == '-') |
| 1122 | { rule = CIPHER_DEL; l++; } | 1102 | { rule = CIPHER_DEL; |
| 1123 | else if (ch == '+') | 1103 | l++; |
| 1124 | { rule = CIPHER_ORD; l++; } | 1104 | } else if (ch == '+') |
| 1125 | else if (ch == '!') | 1105 | { rule = CIPHER_ORD; |
| 1126 | { rule = CIPHER_KILL; l++; } | 1106 | l++; |
| 1127 | else if (ch == '@') | 1107 | } else if (ch == '!') |
| 1128 | { rule = CIPHER_SPECIAL; l++; } | 1108 | { rule = CIPHER_KILL; |
| 1129 | else | 1109 | l++; |
| 1130 | { rule = CIPHER_ADD; } | 1110 | } else if (ch == '@') |
| 1111 | { rule = CIPHER_SPECIAL; | ||
| 1112 | l++; | ||
| 1113 | } else | ||
| 1114 | { rule = CIPHER_ADD; | ||
| 1115 | } | ||
| 1131 | 1116 | ||
| 1132 | if (ITEM_SEP(ch)) | 1117 | if (ITEM_SEP(ch)) { |
| 1133 | { | ||
| 1134 | l++; | 1118 | l++; |
| 1135 | continue; | 1119 | continue; |
| 1136 | } | 1120 | } |
| 1137 | 1121 | ||
| 1138 | alg_mkey = 0; | 1122 | alg_mkey = 0; |
| 1139 | alg_auth = 0; | 1123 | alg_auth = 0; |
| @@ -1142,52 +1126,47 @@ static int ssl_cipher_process_rulestr(const char *rule_str, | |||
| 1142 | alg_ssl = 0; | 1126 | alg_ssl = 0; |
| 1143 | algo_strength = 0; | 1127 | algo_strength = 0; |
| 1144 | 1128 | ||
| 1145 | for (;;) | 1129 | for (;;) { |
| 1146 | { | ||
| 1147 | ch = *l; | 1130 | ch = *l; |
| 1148 | buf = l; | 1131 | buf = l; |
| 1149 | buflen = 0; | 1132 | buflen = 0; |
| 1150 | #ifndef CHARSET_EBCDIC | 1133 | #ifndef CHARSET_EBCDIC |
| 1151 | while ( ((ch >= 'A') && (ch <= 'Z')) || | 1134 | while (((ch >= 'A') && (ch <= 'Z')) || |
| 1152 | ((ch >= '0') && (ch <= '9')) || | 1135 | ((ch >= '0') && (ch <= '9')) || |
| 1153 | ((ch >= 'a') && (ch <= 'z')) || | 1136 | ((ch >= 'a') && (ch <= 'z')) || |
| 1154 | (ch == '-') || (ch == '.')) | 1137 | (ch == '-') || (ch == '.')) |
| 1155 | #else | 1138 | #else |
| 1156 | while ( isalnum(ch) || (ch == '-') || (ch == '.')) | 1139 | while (isalnum(ch) || (ch == '-') || (ch == '.')) |
| 1157 | #endif | 1140 | #endif |
| 1158 | { | 1141 | { |
| 1159 | ch = *(++l); | 1142 | ch = *(++l); |
| 1160 | buflen++; | 1143 | buflen++; |
| 1161 | } | 1144 | } |
| 1162 | 1145 | ||
| 1163 | if (buflen == 0) | 1146 | if (buflen == 0) { |
| 1164 | { | ||
| 1165 | /* | 1147 | /* |
| 1166 | * We hit something we cannot deal with, | 1148 | * We hit something we cannot deal with, |
| 1167 | * it is no command or separator nor | 1149 | * it is no command or separator nor |
| 1168 | * alphanumeric, so we call this an error. | 1150 | * alphanumeric, so we call this an error. |
| 1169 | */ | 1151 | */ |
| 1170 | SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, | 1152 | SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, |
| 1171 | SSL_R_INVALID_COMMAND); | 1153 | SSL_R_INVALID_COMMAND); |
| 1172 | retval = found = 0; | 1154 | retval = found = 0; |
| 1173 | l++; | 1155 | l++; |
| 1174 | break; | 1156 | break; |
| 1175 | } | 1157 | } |
| 1176 | 1158 | ||
| 1177 | if (rule == CIPHER_SPECIAL) | 1159 | if (rule == CIPHER_SPECIAL) { |
| 1178 | { | ||
| 1179 | found = 0; /* unused -- avoid compiler warning */ | 1160 | found = 0; /* unused -- avoid compiler warning */ |
| 1180 | break; /* special treatment */ | 1161 | break; /* special treatment */ |
| 1181 | } | 1162 | } |
| 1182 | 1163 | ||
| 1183 | /* check for multi-part specification */ | 1164 | /* check for multi-part specification */ |
| 1184 | if (ch == '+') | 1165 | if (ch == '+') { |
| 1185 | { | 1166 | multi = 1; |
| 1186 | multi=1; | ||
| 1187 | l++; | 1167 | l++; |
| 1188 | } | 1168 | } else |
| 1189 | else | 1169 | multi = 0; |
| 1190 | multi=0; | ||
| 1191 | 1170 | ||
| 1192 | /* | 1171 | /* |
| 1193 | * Now search for the cipher alias in the ca_list. Be careful | 1172 | * Now search for the cipher alias in the ca_list. Be careful |
| @@ -1202,126 +1181,121 @@ static int ssl_cipher_process_rulestr(const char *rule_str, | |||
| 1202 | */ | 1181 | */ |
| 1203 | j = found = 0; | 1182 | j = found = 0; |
| 1204 | cipher_id = 0; | 1183 | cipher_id = 0; |
| 1205 | while (ca_list[j]) | 1184 | while (ca_list[j]) { |
| 1206 | { | ||
| 1207 | if (!strncmp(buf, ca_list[j]->name, buflen) && | 1185 | if (!strncmp(buf, ca_list[j]->name, buflen) && |
| 1208 | (ca_list[j]->name[buflen] == '\0')) | 1186 | (ca_list[j]->name[buflen] == '\0')) { |
| 1209 | { | ||
| 1210 | found = 1; | 1187 | found = 1; |
| 1211 | break; | 1188 | break; |
| 1212 | } | 1189 | } else |
| 1213 | else | ||
| 1214 | j++; | 1190 | j++; |
| 1215 | } | 1191 | } |
| 1216 | 1192 | ||
| 1217 | if (!found) | 1193 | if (!found) |
| 1218 | break; /* ignore this entry */ | 1194 | break; /* ignore this entry */ |
| 1219 | 1195 | ||
| 1220 | if (ca_list[j]->algorithm_mkey) | 1196 | if (ca_list[j]->algorithm_mkey) { |
| 1221 | { | 1197 | if (alg_mkey) { |
| 1222 | if (alg_mkey) | ||
| 1223 | { | ||
| 1224 | alg_mkey &= ca_list[j]->algorithm_mkey; | 1198 | alg_mkey &= ca_list[j]->algorithm_mkey; |
| 1225 | if (!alg_mkey) { found = 0; break; } | 1199 | if (!alg_mkey) { |
| 1200 | found = 0; | ||
| 1201 | break; | ||
| 1226 | } | 1202 | } |
| 1227 | else | 1203 | } else |
| 1228 | alg_mkey = ca_list[j]->algorithm_mkey; | 1204 | alg_mkey = ca_list[j]->algorithm_mkey; |
| 1229 | } | 1205 | } |
| 1230 | 1206 | ||
| 1231 | if (ca_list[j]->algorithm_auth) | 1207 | if (ca_list[j]->algorithm_auth) { |
| 1232 | { | 1208 | if (alg_auth) { |
| 1233 | if (alg_auth) | ||
| 1234 | { | ||
| 1235 | alg_auth &= ca_list[j]->algorithm_auth; | 1209 | alg_auth &= ca_list[j]->algorithm_auth; |
| 1236 | if (!alg_auth) { found = 0; break; } | 1210 | if (!alg_auth) { |
| 1211 | found = 0; | ||
| 1212 | break; | ||
| 1237 | } | 1213 | } |
| 1238 | else | 1214 | } else |
| 1239 | alg_auth = ca_list[j]->algorithm_auth; | 1215 | alg_auth = ca_list[j]->algorithm_auth; |
| 1240 | } | 1216 | } |
| 1241 | 1217 | ||
| 1242 | if (ca_list[j]->algorithm_enc) | 1218 | if (ca_list[j]->algorithm_enc) { |
| 1243 | { | 1219 | if (alg_enc) { |
| 1244 | if (alg_enc) | ||
| 1245 | { | ||
| 1246 | alg_enc &= ca_list[j]->algorithm_enc; | 1220 | alg_enc &= ca_list[j]->algorithm_enc; |
| 1247 | if (!alg_enc) { found = 0; break; } | 1221 | if (!alg_enc) { |
| 1222 | found = 0; | ||
| 1223 | break; | ||
| 1248 | } | 1224 | } |
| 1249 | else | 1225 | } else |
| 1250 | alg_enc = ca_list[j]->algorithm_enc; | 1226 | alg_enc = ca_list[j]->algorithm_enc; |
| 1251 | } | 1227 | } |
| 1252 | 1228 | ||
| 1253 | if (ca_list[j]->algorithm_mac) | 1229 | if (ca_list[j]->algorithm_mac) { |
| 1254 | { | 1230 | if (alg_mac) { |
| 1255 | if (alg_mac) | ||
| 1256 | { | ||
| 1257 | alg_mac &= ca_list[j]->algorithm_mac; | 1231 | alg_mac &= ca_list[j]->algorithm_mac; |
| 1258 | if (!alg_mac) { found = 0; break; } | 1232 | if (!alg_mac) { |
| 1233 | found = 0; | ||
| 1234 | break; | ||
| 1259 | } | 1235 | } |
| 1260 | else | 1236 | } else |
| 1261 | alg_mac = ca_list[j]->algorithm_mac; | 1237 | alg_mac = ca_list[j]->algorithm_mac; |
| 1262 | } | 1238 | } |
| 1263 | 1239 | ||
| 1264 | if (ca_list[j]->algo_strength & SSL_EXP_MASK) | 1240 | if (ca_list[j]->algo_strength & SSL_EXP_MASK) { |
| 1265 | { | 1241 | if (algo_strength & SSL_EXP_MASK) { |
| 1266 | if (algo_strength & SSL_EXP_MASK) | ||
| 1267 | { | ||
| 1268 | algo_strength &= (ca_list[j]->algo_strength & SSL_EXP_MASK) | ~SSL_EXP_MASK; | 1242 | algo_strength &= (ca_list[j]->algo_strength & SSL_EXP_MASK) | ~SSL_EXP_MASK; |
| 1269 | if (!(algo_strength & SSL_EXP_MASK)) { found = 0; break; } | 1243 | if (!(algo_strength & SSL_EXP_MASK)) { |
| 1244 | found = 0; | ||
| 1245 | break; | ||
| 1270 | } | 1246 | } |
| 1271 | else | 1247 | } else |
| 1272 | algo_strength |= ca_list[j]->algo_strength & SSL_EXP_MASK; | 1248 | algo_strength |= ca_list[j]->algo_strength & SSL_EXP_MASK; |
| 1273 | } | 1249 | } |
| 1274 | 1250 | ||
| 1275 | if (ca_list[j]->algo_strength & SSL_STRONG_MASK) | 1251 | if (ca_list[j]->algo_strength & SSL_STRONG_MASK) { |
| 1276 | { | 1252 | if (algo_strength & SSL_STRONG_MASK) { |
| 1277 | if (algo_strength & SSL_STRONG_MASK) | ||
| 1278 | { | ||
| 1279 | algo_strength &= (ca_list[j]->algo_strength & SSL_STRONG_MASK) | ~SSL_STRONG_MASK; | 1253 | algo_strength &= (ca_list[j]->algo_strength & SSL_STRONG_MASK) | ~SSL_STRONG_MASK; |
| 1280 | if (!(algo_strength & SSL_STRONG_MASK)) { found = 0; break; } | 1254 | if (!(algo_strength & SSL_STRONG_MASK)) { |
| 1255 | found = 0; | ||
| 1256 | break; | ||
| 1281 | } | 1257 | } |
| 1282 | else | 1258 | } else |
| 1283 | algo_strength |= ca_list[j]->algo_strength & SSL_STRONG_MASK; | 1259 | algo_strength |= ca_list[j]->algo_strength & SSL_STRONG_MASK; |
| 1284 | } | 1260 | } |
| 1285 | 1261 | ||
| 1286 | if (ca_list[j]->valid) | 1262 | if (ca_list[j]->valid) { |
| 1287 | { | ||
| 1288 | /* explicit ciphersuite found; its protocol version | 1263 | /* explicit ciphersuite found; its protocol version |
| 1289 | * does not become part of the search pattern!*/ | 1264 | * does not become part of the search pattern!*/ |
| 1290 | 1265 | ||
| 1291 | cipher_id = ca_list[j]->id; | 1266 | cipher_id = ca_list[j]->id; |
| 1292 | } | 1267 | } else { |
| 1293 | else | ||
| 1294 | { | ||
| 1295 | /* not an explicit ciphersuite; only in this case, the | 1268 | /* not an explicit ciphersuite; only in this case, the |
| 1296 | * protocol version is considered part of the search pattern */ | 1269 | * protocol version is considered part of the search pattern */ |
| 1297 | 1270 | ||
| 1298 | if (ca_list[j]->algorithm_ssl) | 1271 | if (ca_list[j]->algorithm_ssl) { |
| 1299 | { | 1272 | if (alg_ssl) { |
| 1300 | if (alg_ssl) | ||
| 1301 | { | ||
| 1302 | alg_ssl &= ca_list[j]->algorithm_ssl; | 1273 | alg_ssl &= ca_list[j]->algorithm_ssl; |
| 1303 | if (!alg_ssl) { found = 0; break; } | 1274 | if (!alg_ssl) { |
| 1275 | found = 0; | ||
| 1276 | break; | ||
| 1304 | } | 1277 | } |
| 1305 | else | 1278 | } else |
| 1306 | alg_ssl = ca_list[j]->algorithm_ssl; | 1279 | alg_ssl = ca_list[j]->algorithm_ssl; |
| 1307 | } | ||
| 1308 | } | 1280 | } |
| 1309 | |||
| 1310 | if (!multi) break; | ||
| 1311 | } | 1281 | } |
| 1312 | 1282 | ||
| 1283 | if (!multi) | ||
| 1284 | break; | ||
| 1285 | } | ||
| 1286 | |||
| 1313 | /* | 1287 | /* |
| 1314 | * Ok, we have the rule, now apply it | 1288 | * Ok, we have the rule, now apply it |
| 1315 | */ | 1289 | */ |
| 1316 | if (rule == CIPHER_SPECIAL) | 1290 | if (rule == CIPHER_SPECIAL) |
| 1317 | { /* special command */ | 1291 | { /* special command */ |
| 1318 | ok = 0; | 1292 | ok = 0; |
| 1319 | if ((buflen == 8) && | 1293 | if ((buflen == 8) && |
| 1320 | !strncmp(buf, "STRENGTH", 8)) | 1294 | !strncmp(buf, "STRENGTH", 8)) |
| 1321 | ok = ssl_cipher_strength_sort(head_p, tail_p); | 1295 | ok = ssl_cipher_strength_sort(head_p, tail_p); |
| 1322 | else | 1296 | else |
| 1323 | SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, | 1297 | SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, |
| 1324 | SSL_R_INVALID_COMMAND); | 1298 | SSL_R_INVALID_COMMAND); |
| 1325 | if (ok == 0) | 1299 | if (ok == 0) |
| 1326 | retval = 0; | 1300 | retval = 0; |
| 1327 | /* | 1301 | /* |
| @@ -1331,30 +1305,27 @@ static int ssl_cipher_process_rulestr(const char *rule_str, | |||
| 1331 | * end or ':' is found. | 1305 | * end or ':' is found. |
| 1332 | */ | 1306 | */ |
| 1333 | while ((*l != '\0') && !ITEM_SEP(*l)) | 1307 | while ((*l != '\0') && !ITEM_SEP(*l)) |
| 1334 | l++; | 1308 | l++; |
| 1335 | } | 1309 | } else if (found) { |
| 1336 | else if (found) | ||
| 1337 | { | ||
| 1338 | ssl_cipher_apply_rule(cipher_id, | 1310 | ssl_cipher_apply_rule(cipher_id, |
| 1339 | alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, algo_strength, | 1311 | alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, algo_strength, |
| 1340 | rule, -1, head_p, tail_p); | 1312 | rule, -1, head_p, tail_p); |
| 1341 | } | 1313 | } else { |
| 1342 | else | ||
| 1343 | { | ||
| 1344 | while ((*l != '\0') && !ITEM_SEP(*l)) | 1314 | while ((*l != '\0') && !ITEM_SEP(*l)) |
| 1345 | l++; | 1315 | l++; |
| 1346 | } | 1316 | } |
| 1347 | if (*l == '\0') break; /* done */ | 1317 | if (*l == '\0') break; /* done */ |
| 1348 | } | 1318 | } |
| 1349 | 1319 | ||
| 1350 | return(retval); | 1320 | return (retval); |
| 1351 | } | 1321 | } |
| 1352 | 1322 | ||
| 1353 | STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, | 1323 | STACK_OF(SSL_CIPHER) |
| 1354 | STACK_OF(SSL_CIPHER) **cipher_list, | 1324 | *ssl_create_cipher_list(const SSL_METHOD *ssl_method, |
| 1355 | STACK_OF(SSL_CIPHER) **cipher_list_by_id, | 1325 | STACK_OF(SSL_CIPHER) **cipher_list, |
| 1356 | const char *rule_str) | 1326 | STACK_OF(SSL_CIPHER) **cipher_list_by_id, |
| 1357 | { | 1327 | const char *rule_str) |
| 1328 | { | ||
| 1358 | int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases; | 1329 | int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases; |
| 1359 | unsigned long disabled_mkey, disabled_auth, disabled_enc, disabled_mac, disabled_ssl; | 1330 | unsigned long disabled_mkey, disabled_auth, disabled_enc, disabled_mac, disabled_ssl; |
| 1360 | STACK_OF(SSL_CIPHER) *cipherstack, *tmp_cipher_list; | 1331 | STACK_OF(SSL_CIPHER) *cipherstack, *tmp_cipher_list; |
| @@ -1384,15 +1355,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, | |||
| 1384 | printf("ssl_create_cipher_list() for %d ciphers\n", num_of_ciphers); | 1355 | printf("ssl_create_cipher_list() for %d ciphers\n", num_of_ciphers); |
| 1385 | #endif /* KSSL_DEBUG */ | 1356 | #endif /* KSSL_DEBUG */ |
| 1386 | co_list = (CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * num_of_ciphers); | 1357 | co_list = (CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * num_of_ciphers); |
| 1387 | if (co_list == NULL) | 1358 | if (co_list == NULL) { |
| 1388 | { | 1359 | SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE); |
| 1389 | SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE); | ||
| 1390 | return(NULL); /* Failure */ | 1360 | return(NULL); /* Failure */ |
| 1391 | } | 1361 | } |
| 1392 | 1362 | ||
| 1393 | ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers, | 1363 | ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers, |
| 1394 | disabled_mkey, disabled_auth, disabled_enc, disabled_mac, disabled_ssl, | 1364 | disabled_mkey, disabled_auth, disabled_enc, disabled_mac, disabled_ssl, |
| 1395 | co_list, &head, &tail); | 1365 | co_list, &head, &tail); |
| 1396 | 1366 | ||
| 1397 | 1367 | ||
| 1398 | /* Now arrange all ciphers by preference: */ | 1368 | /* Now arrange all ciphers by preference: */ |
| @@ -1419,19 +1389,18 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, | |||
| 1419 | ssl_cipher_apply_rule(0, 0, SSL_aECDH, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); | 1389 | ssl_cipher_apply_rule(0, 0, SSL_aECDH, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); |
| 1420 | /* ssl_cipher_apply_rule(0, 0, SSL_aDH, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); */ | 1390 | /* ssl_cipher_apply_rule(0, 0, SSL_aDH, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); */ |
| 1421 | ssl_cipher_apply_rule(0, SSL_kRSA, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); | 1391 | ssl_cipher_apply_rule(0, SSL_kRSA, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); |
| 1422 | ssl_cipher_apply_rule(0, SSL_kPSK, 0,0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); | 1392 | ssl_cipher_apply_rule(0, SSL_kPSK, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); |
| 1423 | ssl_cipher_apply_rule(0, SSL_kKRB5, 0,0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); | 1393 | ssl_cipher_apply_rule(0, SSL_kKRB5, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); |
| 1424 | 1394 | ||
| 1425 | /* RC4 is sort-of broken -- move the the end */ | 1395 | /* RC4 is sort-of broken -- move the the end */ |
| 1426 | ssl_cipher_apply_rule(0, 0, 0, SSL_RC4, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); | 1396 | ssl_cipher_apply_rule(0, 0, 0, SSL_RC4, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); |
| 1427 | 1397 | ||
| 1428 | /* Now sort by symmetric encryption strength. The above ordering remains | 1398 | /* Now sort by symmetric encryption strength. The above ordering remains |
| 1429 | * in force within each class */ | 1399 | * in force within each class */ |
| 1430 | if (!ssl_cipher_strength_sort(&head, &tail)) | 1400 | if (!ssl_cipher_strength_sort(&head, &tail)) { |
| 1431 | { | ||
| 1432 | OPENSSL_free(co_list); | 1401 | OPENSSL_free(co_list); |
| 1433 | return NULL; | 1402 | return NULL; |
| 1434 | } | 1403 | } |
| 1435 | 1404 | ||
| 1436 | /* Now disable everything (maintaining the ordering!) */ | 1405 | /* Now disable everything (maintaining the ordering!) */ |
| 1437 | ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail); | 1406 | ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail); |
| @@ -1448,15 +1417,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, | |||
| 1448 | num_of_group_aliases = sizeof(cipher_aliases) / sizeof(SSL_CIPHER); | 1417 | num_of_group_aliases = sizeof(cipher_aliases) / sizeof(SSL_CIPHER); |
| 1449 | num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1; | 1418 | num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1; |
| 1450 | ca_list = OPENSSL_malloc(sizeof(SSL_CIPHER *) * num_of_alias_max); | 1419 | ca_list = OPENSSL_malloc(sizeof(SSL_CIPHER *) * num_of_alias_max); |
| 1451 | if (ca_list == NULL) | 1420 | if (ca_list == NULL) { |
| 1452 | { | ||
| 1453 | OPENSSL_free(co_list); | 1421 | OPENSSL_free(co_list); |
| 1454 | SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE); | 1422 | SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE); |
| 1455 | return(NULL); /* Failure */ | 1423 | return(NULL); /* Failure */ |
| 1456 | } | 1424 | } |
| 1457 | ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, | 1425 | ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, |
| 1458 | disabled_mkey, disabled_auth, disabled_enc, | 1426 | disabled_mkey, disabled_auth, disabled_enc, |
| 1459 | disabled_mac, disabled_ssl, head); | 1427 | disabled_mac, disabled_ssl, head); |
| 1460 | 1428 | ||
| 1461 | /* | 1429 | /* |
| 1462 | * If the rule_string begins with DEFAULT, apply the default rule | 1430 | * If the rule_string begins with DEFAULT, apply the default rule |
| @@ -1464,14 +1432,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, | |||
| 1464 | */ | 1432 | */ |
| 1465 | ok = 1; | 1433 | ok = 1; |
| 1466 | rule_p = rule_str; | 1434 | rule_p = rule_str; |
| 1467 | if (strncmp(rule_str,"DEFAULT",7) == 0) | 1435 | if (strncmp(rule_str, "DEFAULT", 7) == 0) { |
| 1468 | { | ||
| 1469 | ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST, | 1436 | ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST, |
| 1470 | &head, &tail, ca_list); | 1437 | &head, &tail, ca_list); |
| 1471 | rule_p += 7; | 1438 | rule_p += 7; |
| 1472 | if (*rule_p == ':') | 1439 | if (*rule_p == ':') |
| 1473 | rule_p++; | 1440 | rule_p++; |
| 1474 | } | 1441 | } |
| 1475 | 1442 | ||
| 1476 | if (ok && (strlen(rule_p) > 0)) | 1443 | if (ok && (strlen(rule_p) > 0)) |
| 1477 | ok = ssl_cipher_process_rulestr(rule_p, &head, &tail, ca_list); | 1444 | ok = ssl_cipher_process_rulestr(rule_p, &head, &tail, ca_list); |
| @@ -1479,65 +1446,63 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, | |||
| 1479 | OPENSSL_free((void *)ca_list); /* Not needed anymore */ | 1446 | OPENSSL_free((void *)ca_list); /* Not needed anymore */ |
| 1480 | 1447 | ||
| 1481 | if (!ok) | 1448 | if (!ok) |
| 1482 | { /* Rule processing failure */ | 1449 | { /* Rule processing failure */ |
| 1483 | OPENSSL_free(co_list); | 1450 | OPENSSL_free(co_list); |
| 1484 | return(NULL); | 1451 | return (NULL); |
| 1485 | } | 1452 | } |
| 1486 | 1453 | ||
| 1487 | /* | 1454 | /* |
| 1488 | * Allocate new "cipherstack" for the result, return with error | 1455 | * Allocate new "cipherstack" for the result, return with error |
| 1489 | * if we cannot get one. | 1456 | * if we cannot get one. |
| 1490 | */ | 1457 | */ |
| 1491 | if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) | 1458 | if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) { |
| 1492 | { | ||
| 1493 | OPENSSL_free(co_list); | 1459 | OPENSSL_free(co_list); |
| 1494 | return(NULL); | 1460 | return (NULL); |
| 1495 | } | 1461 | } |
| 1496 | 1462 | ||
| 1497 | /* | 1463 | /* |
| 1498 | * The cipher selection for the list is done. The ciphers are added | 1464 | * The cipher selection for the list is done. The ciphers are added |
| 1499 | * to the resulting precedence to the STACK_OF(SSL_CIPHER). | 1465 | * to the resulting precedence to the STACK_OF(SSL_CIPHER). |
| 1500 | */ | 1466 | */ |
| 1501 | for (curr = head; curr != NULL; curr = curr->next) | 1467 | for (curr = head; curr != NULL; curr = curr->next) { |
| 1502 | { | ||
| 1503 | #ifdef OPENSSL_FIPS | 1468 | #ifdef OPENSSL_FIPS |
| 1504 | if (curr->active && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS)) | 1469 | if (curr->active && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS)) |
| 1505 | #else | 1470 | #else |
| 1506 | if (curr->active) | 1471 | if (curr->active) |
| 1507 | #endif | 1472 | #endif |
| 1508 | { | 1473 | { |
| 1509 | sk_SSL_CIPHER_push(cipherstack, curr->cipher); | 1474 | sk_SSL_CIPHER_push(cipherstack, curr->cipher); |
| 1510 | #ifdef CIPHER_DEBUG | 1475 | #ifdef CIPHER_DEBUG |
| 1511 | printf("<%s>\n",curr->cipher->name); | 1476 | printf("<%s>\n", curr->cipher->name); |
| 1512 | #endif | 1477 | #endif |
| 1513 | } | ||
| 1514 | } | 1478 | } |
| 1479 | } | ||
| 1515 | OPENSSL_free(co_list); /* Not needed any longer */ | 1480 | OPENSSL_free(co_list); /* Not needed any longer */ |
| 1516 | 1481 | ||
| 1517 | tmp_cipher_list = sk_SSL_CIPHER_dup(cipherstack); | 1482 | tmp_cipher_list = sk_SSL_CIPHER_dup(cipherstack); |
| 1518 | if (tmp_cipher_list == NULL) | 1483 | if (tmp_cipher_list == NULL) { |
| 1519 | { | ||
| 1520 | sk_SSL_CIPHER_free(cipherstack); | 1484 | sk_SSL_CIPHER_free(cipherstack); |
| 1521 | return NULL; | 1485 | return NULL; |
| 1522 | } | 1486 | } |
| 1523 | if (*cipher_list != NULL) | 1487 | if (*cipher_list != NULL) |
| 1524 | sk_SSL_CIPHER_free(*cipher_list); | 1488 | sk_SSL_CIPHER_free(*cipher_list); |
| 1525 | *cipher_list = cipherstack; | 1489 | *cipher_list = cipherstack; |
| 1526 | if (*cipher_list_by_id != NULL) | 1490 | if (*cipher_list_by_id != NULL) |
| 1527 | sk_SSL_CIPHER_free(*cipher_list_by_id); | 1491 | sk_SSL_CIPHER_free(*cipher_list_by_id); |
| 1528 | *cipher_list_by_id = tmp_cipher_list; | 1492 | *cipher_list_by_id = tmp_cipher_list; |
| 1529 | (void)sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id,ssl_cipher_ptr_id_cmp); | 1493 | (void)sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id, ssl_cipher_ptr_id_cmp); |
| 1530 | 1494 | ||
| 1531 | sk_SSL_CIPHER_sort(*cipher_list_by_id); | 1495 | sk_SSL_CIPHER_sort(*cipher_list_by_id); |
| 1532 | return(cipherstack); | 1496 | return (cipherstack); |
| 1533 | } | 1497 | } |
| 1534 | 1498 | ||
| 1535 | char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) | 1499 | char |
| 1536 | { | 1500 | *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) |
| 1537 | int is_export,pkl,kl; | 1501 | { |
| 1538 | const char *ver,*exp_str; | 1502 | int is_export, pkl, kl; |
| 1539 | const char *kx,*au,*enc,*mac; | 1503 | const char *ver, *exp_str; |
| 1540 | unsigned long alg_mkey,alg_auth,alg_enc,alg_mac,alg_ssl,alg2; | 1504 | const char *kx, *au, *enc, *mac; |
| 1505 | unsigned long alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, alg2; | ||
| 1541 | #ifdef KSSL_DEBUG | 1506 | #ifdef KSSL_DEBUG |
| 1542 | static const char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s AL=%lx/%lx/%lx/%lx/%lx\n"; | 1507 | static const char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s AL=%lx/%lx/%lx/%lx/%lx\n"; |
| 1543 | #else | 1508 | #else |
| @@ -1550,13 +1515,13 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) | |||
| 1550 | alg_mac = cipher->algorithm_mac; | 1515 | alg_mac = cipher->algorithm_mac; |
| 1551 | alg_ssl = cipher->algorithm_ssl; | 1516 | alg_ssl = cipher->algorithm_ssl; |
| 1552 | 1517 | ||
| 1553 | alg2=cipher->algorithm2; | 1518 | alg2 = cipher->algorithm2; |
| 1519 | |||
| 1520 | is_export = SSL_C_IS_EXPORT(cipher); | ||
| 1521 | pkl = SSL_C_EXPORT_PKEYLENGTH(cipher); | ||
| 1522 | kl = SSL_C_EXPORT_KEYLENGTH(cipher); | ||
| 1523 | exp_str = is_export?" export":""; | ||
| 1554 | 1524 | ||
| 1555 | is_export=SSL_C_IS_EXPORT(cipher); | ||
| 1556 | pkl=SSL_C_EXPORT_PKEYLENGTH(cipher); | ||
| 1557 | kl=SSL_C_EXPORT_KEYLENGTH(cipher); | ||
| 1558 | exp_str=is_export?" export":""; | ||
| 1559 | |||
| 1560 | if (alg_ssl & SSL_SSLV2) | 1525 | if (alg_ssl & SSL_SSLV2) |
| 1561 | ver="SSLv2"; | 1526 | ver="SSLv2"; |
| 1562 | else if (alg_ssl & SSL_SSLV3) | 1527 | else if (alg_ssl & SSL_SSLV3) |
| @@ -1566,10 +1531,9 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) | |||
| 1566 | else | 1531 | else |
| 1567 | ver="unknown"; | 1532 | ver="unknown"; |
| 1568 | 1533 | ||
| 1569 | switch (alg_mkey) | 1534 | switch (alg_mkey) { |
| 1570 | { | ||
| 1571 | case SSL_kRSA: | 1535 | case SSL_kRSA: |
| 1572 | kx=is_export?(pkl == 512 ? "RSA(512)" : "RSA(1024)"):"RSA"; | 1536 | kx = is_export?(pkl == 512 ? "RSA(512)" : "RSA(1024)"):"RSA"; |
| 1573 | break; | 1537 | break; |
| 1574 | case SSL_kDHr: | 1538 | case SSL_kDHr: |
| 1575 | kx="DH/RSA"; | 1539 | kx="DH/RSA"; |
| @@ -1577,11 +1541,11 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) | |||
| 1577 | case SSL_kDHd: | 1541 | case SSL_kDHd: |
| 1578 | kx="DH/DSS"; | 1542 | kx="DH/DSS"; |
| 1579 | break; | 1543 | break; |
| 1580 | case SSL_kKRB5: | 1544 | case SSL_kKRB5: |
| 1581 | kx="KRB5"; | 1545 | kx="KRB5"; |
| 1582 | break; | 1546 | break; |
| 1583 | case SSL_kEDH: | 1547 | case SSL_kEDH: |
| 1584 | kx=is_export?(pkl == 512 ? "DH(512)" : "DH(1024)"):"DH"; | 1548 | kx = is_export?(pkl == 512 ? "DH(512)" : "DH(1024)"):"DH"; |
| 1585 | break; | 1549 | break; |
| 1586 | case SSL_kECDHr: | 1550 | case SSL_kECDHr: |
| 1587 | kx="ECDH/RSA"; | 1551 | kx="ECDH/RSA"; |
| @@ -1600,10 +1564,9 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) | |||
| 1600 | break; | 1564 | break; |
| 1601 | default: | 1565 | default: |
| 1602 | kx="unknown"; | 1566 | kx="unknown"; |
| 1603 | } | 1567 | } |
| 1604 | 1568 | ||
| 1605 | switch (alg_auth) | 1569 | switch (alg_auth) { |
| 1606 | { | ||
| 1607 | case SSL_aRSA: | 1570 | case SSL_aRSA: |
| 1608 | au="RSA"; | 1571 | au="RSA"; |
| 1609 | break; | 1572 | break; |
| @@ -1613,10 +1576,10 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) | |||
| 1613 | case SSL_aDH: | 1576 | case SSL_aDH: |
| 1614 | au="DH"; | 1577 | au="DH"; |
| 1615 | break; | 1578 | break; |
| 1616 | case SSL_aKRB5: | 1579 | case SSL_aKRB5: |
| 1617 | au="KRB5"; | 1580 | au="KRB5"; |
| 1618 | break; | 1581 | break; |
| 1619 | case SSL_aECDH: | 1582 | case SSL_aECDH: |
| 1620 | au="ECDH"; | 1583 | au="ECDH"; |
| 1621 | break; | 1584 | break; |
| 1622 | case SSL_aNULL: | 1585 | case SSL_aNULL: |
| @@ -1631,22 +1594,21 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) | |||
| 1631 | default: | 1594 | default: |
| 1632 | au="unknown"; | 1595 | au="unknown"; |
| 1633 | break; | 1596 | break; |
| 1634 | } | 1597 | } |
| 1635 | 1598 | ||
| 1636 | switch (alg_enc) | 1599 | switch (alg_enc) { |
| 1637 | { | ||
| 1638 | case SSL_DES: | 1600 | case SSL_DES: |
| 1639 | enc=(is_export && kl == 5)?"DES(40)":"DES(56)"; | 1601 | enc = (is_export && kl == 5)?"DES(40)":"DES(56)"; |
| 1640 | break; | 1602 | break; |
| 1641 | case SSL_3DES: | 1603 | case SSL_3DES: |
| 1642 | enc="3DES(168)"; | 1604 | enc="3DES(168)"; |
| 1643 | break; | 1605 | break; |
| 1644 | case SSL_RC4: | 1606 | case SSL_RC4: |
| 1645 | enc=is_export?(kl == 5 ? "RC4(40)" : "RC4(56)") | 1607 | enc = is_export?(kl == 5 ? "RC4(40)" : "RC4(56)") |
| 1646 | :((alg2&SSL2_CF_8_BYTE_ENC)?"RC4(64)":"RC4(128)"); | 1608 | :((alg2&SSL2_CF_8_BYTE_ENC)?"RC4(64)":"RC4(128)"); |
| 1647 | break; | 1609 | break; |
| 1648 | case SSL_RC2: | 1610 | case SSL_RC2: |
| 1649 | enc=is_export?(kl == 5 ? "RC2(40)" : "RC2(56)"):"RC2(128)"; | 1611 | enc = is_export?(kl == 5 ? "RC2(40)" : "RC2(56)"):"RC2(128)"; |
| 1650 | break; | 1612 | break; |
| 1651 | case SSL_IDEA: | 1613 | case SSL_IDEA: |
| 1652 | enc="IDEA(128)"; | 1614 | enc="IDEA(128)"; |
| @@ -1678,10 +1640,9 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) | |||
| 1678 | default: | 1640 | default: |
| 1679 | enc="unknown"; | 1641 | enc="unknown"; |
| 1680 | break; | 1642 | break; |
| 1681 | } | 1643 | } |
| 1682 | 1644 | ||
| 1683 | switch (alg_mac) | 1645 | switch (alg_mac) { |
| 1684 | { | ||
| 1685 | case SSL_MD5: | 1646 | case SSL_MD5: |
| 1686 | mac="MD5"; | 1647 | mac="MD5"; |
| 1687 | break; | 1648 | break; |
| @@ -1700,108 +1661,119 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) | |||
| 1700 | default: | 1661 | default: |
| 1701 | mac="unknown"; | 1662 | mac="unknown"; |
| 1702 | break; | 1663 | break; |
| 1703 | } | 1664 | } |
| 1704 | 1665 | ||
| 1705 | if (buf == NULL) | 1666 | if (buf == NULL) { |
| 1706 | { | 1667 | len = 128; |
| 1707 | len=128; | 1668 | buf = OPENSSL_malloc(len); |
| 1708 | buf=OPENSSL_malloc(len); | 1669 | if (buf == NULL) |
| 1709 | if (buf == NULL) return("OPENSSL_malloc Error"); | 1670 | return("OPENSSL_malloc Error"); |
| 1710 | } | 1671 | } else if (len < 128) |
| 1711 | else if (len < 128) | 1672 | return("Buffer too small"); |
| 1712 | return("Buffer too small"); | ||
| 1713 | 1673 | ||
| 1714 | #ifdef KSSL_DEBUG | 1674 | #ifdef KSSL_DEBUG |
| 1715 | BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp_str,alg_mkey,alg_auth,alg_enc,alg_mac,alg_ssl); | 1675 | BIO_snprintf(buf, len, format, cipher->name, ver, kx, au, enc, mac, exp_str, alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl); |
| 1716 | #else | 1676 | #else |
| 1717 | BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp_str); | 1677 | BIO_snprintf(buf, len, format, cipher->name, ver, kx, au, enc, mac, exp_str); |
| 1718 | #endif /* KSSL_DEBUG */ | 1678 | #endif /* KSSL_DEBUG */ |
| 1719 | return(buf); | 1679 | return (buf); |
| 1720 | } | 1680 | } |
| 1721 | 1681 | ||
| 1722 | char *SSL_CIPHER_get_version(const SSL_CIPHER *c) | 1682 | char |
| 1723 | { | 1683 | *SSL_CIPHER_get_version(const SSL_CIPHER *c) |
| 1684 | { | ||
| 1724 | int i; | 1685 | int i; |
| 1725 | 1686 | ||
| 1726 | if (c == NULL) return("(NONE)"); | 1687 | if (c == NULL) |
| 1727 | i=(int)(c->id>>24L); | 1688 | return("(NONE)"); |
| 1689 | i = (int)(c->id >> 24L); | ||
| 1728 | if (i == 3) | 1690 | if (i == 3) |
| 1729 | return("TLSv1/SSLv3"); | 1691 | return("TLSv1/SSLv3"); |
| 1730 | else if (i == 2) | 1692 | else if (i == 2) |
| 1731 | return("SSLv2"); | 1693 | return("SSLv2"); |
| 1732 | else | 1694 | else |
| 1733 | return("unknown"); | 1695 | return("unknown"); |
| 1734 | } | 1696 | } |
| 1735 | 1697 | ||
| 1736 | /* return the actual cipher being used */ | 1698 | /* return the actual cipher being used */ |
| 1737 | const char *SSL_CIPHER_get_name(const SSL_CIPHER *c) | 1699 | const char |
| 1738 | { | 1700 | *SSL_CIPHER_get_name(const SSL_CIPHER *c) |
| 1701 | { | ||
| 1739 | if (c != NULL) | 1702 | if (c != NULL) |
| 1740 | return(c->name); | 1703 | return (c->name); |
| 1741 | return("(NONE)"); | 1704 | return("(NONE)"); |
| 1742 | } | 1705 | } |
| 1743 | 1706 | ||
| 1744 | /* number of bits for symmetric cipher */ | 1707 | /* number of bits for symmetric cipher */ |
| 1745 | int SSL_CIPHER_get_bits(const SSL_CIPHER *c, int *alg_bits) | 1708 | int |
| 1746 | { | 1709 | SSL_CIPHER_get_bits(const SSL_CIPHER *c, int *alg_bits) |
| 1747 | int ret=0; | 1710 | { |
| 1711 | int ret = 0; | ||
| 1748 | 1712 | ||
| 1749 | if (c != NULL) | 1713 | if (c != NULL) { |
| 1750 | { | 1714 | if (alg_bits != NULL) |
| 1751 | if (alg_bits != NULL) *alg_bits = c->alg_bits; | 1715 | *alg_bits = c->alg_bits; |
| 1752 | ret = c->strength_bits; | 1716 | ret = c->strength_bits; |
| 1753 | } | ||
| 1754 | return(ret); | ||
| 1755 | } | 1717 | } |
| 1718 | return (ret); | ||
| 1719 | } | ||
| 1756 | 1720 | ||
| 1757 | unsigned long SSL_CIPHER_get_id(const SSL_CIPHER *c) | 1721 | unsigned long |
| 1758 | { | 1722 | SSL_CIPHER_get_id(const SSL_CIPHER *c) |
| 1723 | { | ||
| 1759 | return c->id; | 1724 | return c->id; |
| 1760 | } | 1725 | } |
| 1761 | 1726 | ||
| 1762 | SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n) | 1727 | SSL_COMP |
| 1763 | { | 1728 | *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n) |
| 1729 | { | ||
| 1764 | SSL_COMP *ctmp; | 1730 | SSL_COMP *ctmp; |
| 1765 | int i,nn; | 1731 | int i, nn; |
| 1766 | 1732 | ||
| 1767 | if ((n == 0) || (sk == NULL)) return(NULL); | 1733 | if ((n == 0) |
| 1768 | nn=sk_SSL_COMP_num(sk); | 1734 | || (sk == NULL)) return (NULL); |
| 1769 | for (i=0; i<nn; i++) | 1735 | nn = sk_SSL_COMP_num(sk); |
| 1770 | { | 1736 | for (i = 0; i < nn; i++) { |
| 1771 | ctmp=sk_SSL_COMP_value(sk,i); | 1737 | ctmp = sk_SSL_COMP_value(sk, i); |
| 1772 | if (ctmp->id == n) | 1738 | if (ctmp->id == n) |
| 1773 | return(ctmp); | 1739 | return (ctmp); |
| 1774 | } | ||
| 1775 | return(NULL); | ||
| 1776 | } | 1740 | } |
| 1741 | return (NULL); | ||
| 1742 | } | ||
| 1777 | 1743 | ||
| 1778 | #ifdef OPENSSL_NO_COMP | 1744 | #ifdef OPENSSL_NO_COMP |
| 1779 | void *SSL_COMP_get_compression_methods(void) | 1745 | void |
| 1780 | { | 1746 | *SSL_COMP_get_compression_methods(void) |
| 1747 | { | ||
| 1781 | return NULL; | 1748 | return NULL; |
| 1782 | } | 1749 | } |
| 1783 | int SSL_COMP_add_compression_method(int id, void *cm) | 1750 | |
| 1784 | { | 1751 | int |
| 1752 | SSL_COMP_add_compression_method(int id, void *cm) | ||
| 1753 | { | ||
| 1785 | return 1; | 1754 | return 1; |
| 1786 | } | 1755 | } |
| 1787 | 1756 | ||
| 1788 | const char *SSL_COMP_get_name(const void *comp) | 1757 | const char |
| 1789 | { | 1758 | *SSL_COMP_get_name(const void *comp) |
| 1759 | { | ||
| 1790 | return NULL; | 1760 | return NULL; |
| 1791 | } | 1761 | } |
| 1792 | #else | 1762 | #else |
| 1793 | STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void) | 1763 | STACK_OF(SSL_COMP) |
| 1794 | { | 1764 | *SSL_COMP_get_compression_methods(void) |
| 1765 | { | ||
| 1795 | load_builtin_compressions(); | 1766 | load_builtin_compressions(); |
| 1796 | return(ssl_comp_methods); | 1767 | return (ssl_comp_methods); |
| 1797 | } | 1768 | } |
| 1798 | 1769 | ||
| 1799 | int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm) | 1770 | int |
| 1800 | { | 1771 | SSL_COMP_add_compression_method(int id, COMP_METHOD *cm) |
| 1772 | { | ||
| 1801 | SSL_COMP *comp; | 1773 | SSL_COMP *comp; |
| 1802 | 1774 | ||
| 1803 | if (cm == NULL || cm->type == NID_undef) | 1775 | if (cm == NULL || cm->type == NID_undef) |
| 1804 | return 1; | 1776 | return 1; |
| 1805 | 1777 | ||
| 1806 | /* According to draft-ietf-tls-compression-04.txt, the | 1778 | /* According to draft-ietf-tls-compression-04.txt, the |
| 1807 | compression number ranges should be the following: | 1779 | compression number ranges should be the following: |
| @@ -1809,45 +1781,40 @@ int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm) | |||
| 1809 | 0 to 63: methods defined by the IETF | 1781 | 0 to 63: methods defined by the IETF |
| 1810 | 64 to 192: external party methods assigned by IANA | 1782 | 64 to 192: external party methods assigned by IANA |
| 1811 | 193 to 255: reserved for private use */ | 1783 | 193 to 255: reserved for private use */ |
| 1812 | if (id < 193 || id > 255) | 1784 | if (id < 193 || id > 255) { |
| 1813 | { | 1785 | SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD, SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE); |
| 1814 | SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE); | ||
| 1815 | return 0; | 1786 | return 0; |
| 1816 | } | 1787 | } |
| 1817 | 1788 | ||
| 1818 | MemCheck_off(); | 1789 | MemCheck_off(); |
| 1819 | comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP)); | 1790 | comp = (SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP)); |
| 1820 | comp->id=id; | 1791 | comp->id = id; |
| 1821 | comp->method=cm; | 1792 | comp->method = cm; |
| 1822 | load_builtin_compressions(); | 1793 | load_builtin_compressions(); |
| 1823 | if (ssl_comp_methods | 1794 | if (ssl_comp_methods |
| 1824 | && sk_SSL_COMP_find(ssl_comp_methods,comp) >= 0) | 1795 | && sk_SSL_COMP_find(ssl_comp_methods, comp) >= 0) { |
| 1825 | { | ||
| 1826 | OPENSSL_free(comp); | 1796 | OPENSSL_free(comp); |
| 1827 | MemCheck_on(); | 1797 | MemCheck_on(); |
| 1828 | SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,SSL_R_DUPLICATE_COMPRESSION_ID); | 1798 | SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD, SSL_R_DUPLICATE_COMPRESSION_ID); |
| 1829 | return(1); | 1799 | return (1); |
| 1830 | } | 1800 | } else if ((ssl_comp_methods == NULL) |
| 1831 | else if ((ssl_comp_methods == NULL) | 1801 | || !sk_SSL_COMP_push(ssl_comp_methods, comp)) { |
| 1832 | || !sk_SSL_COMP_push(ssl_comp_methods,comp)) | ||
| 1833 | { | ||
| 1834 | OPENSSL_free(comp); | 1802 | OPENSSL_free(comp); |
| 1835 | MemCheck_on(); | 1803 | MemCheck_on(); |
| 1836 | SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,ERR_R_MALLOC_FAILURE); | 1804 | SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD, ERR_R_MALLOC_FAILURE); |
| 1837 | return(1); | 1805 | return (1); |
| 1838 | } | 1806 | } else { |
| 1839 | else | ||
| 1840 | { | ||
| 1841 | MemCheck_on(); | 1807 | MemCheck_on(); |
| 1842 | return(0); | 1808 | return (0); |
| 1843 | } | ||
| 1844 | } | 1809 | } |
| 1810 | } | ||
| 1845 | 1811 | ||
| 1846 | const char *SSL_COMP_get_name(const COMP_METHOD *comp) | 1812 | const char |
| 1847 | { | 1813 | *SSL_COMP_get_name(const COMP_METHOD *comp) |
| 1814 | { | ||
| 1848 | if (comp) | 1815 | if (comp) |
| 1849 | return comp->name; | 1816 | return comp->name; |
| 1850 | return NULL; | 1817 | return NULL; |
| 1851 | } | 1818 | } |
| 1852 | 1819 | ||
| 1853 | #endif | 1820 | #endif |