diff options
Diffstat (limited to '')
| -rw-r--r-- | src/lib/libssl/ssl_ciph.c | 94 | 
1 files changed, 44 insertions, 50 deletions
| diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c index ed5ac725a2..4bd3be0d41 100644 --- a/src/lib/libssl/ssl_ciph.c +++ b/src/lib/libssl/ssl_ciph.c | |||
| @@ -459,9 +459,9 @@ load_builtin_compressions(void) | |||
| 459 | comp = (SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP)); | 459 | comp = (SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP)); | 
| 460 | if (comp != NULL) { | 460 | if (comp != NULL) { | 
| 461 | comp->method = COMP_zlib(); | 461 | comp->method = COMP_zlib(); | 
| 462 | if (comp->method | 462 | if (comp->method && | 
| 463 | && comp->method->type == NID_undef) | 463 | comp->method->type == NID_undef) | 
| 464 | OPENSSL_free(comp); | 464 | OPENSSL_free(comp); | 
| 465 | else { | 465 | else { | 
| 466 | comp->id = SSL_COMP_ZLIB_IDX; | 466 | comp->id = SSL_COMP_ZLIB_IDX; | 
| 467 | comp->name = comp->method->name; | 467 | comp->name = comp->method->name; | 
| @@ -508,8 +508,8 @@ ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, | |||
| 508 | } | 508 | } | 
| 509 | } | 509 | } | 
| 510 | 510 | ||
| 511 | if ((enc == NULL) | 511 | if ((enc == NULL) || (md == NULL)) | 
| 512 | || (md == NULL)) return (0); | 512 | return (0); | 
| 513 | 513 | ||
| 514 | switch (c->algorithm_enc) { | 514 | switch (c->algorithm_enc) { | 
| 515 | case SSL_DES: | 515 | case SSL_DES: | 
| @@ -609,26 +609,26 @@ ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, | |||
| 609 | } | 609 | } | 
| 610 | 610 | ||
| 611 | if ((*enc != NULL) && | 611 | if ((*enc != NULL) && | 
| 612 | (*md != NULL || (EVP_CIPHER_flags(*enc)&EVP_CIPH_FLAG_AEAD_CIPHER)) && | 612 | (*md != NULL || (EVP_CIPHER_flags(*enc)&EVP_CIPH_FLAG_AEAD_CIPHER)) && | 
| 613 | (!mac_pkey_type || *mac_pkey_type != NID_undef)) { | 613 | (!mac_pkey_type || *mac_pkey_type != NID_undef)) { | 
| 614 | const EVP_CIPHER *evp; | 614 | const EVP_CIPHER *evp; | 
| 615 | 615 | ||
| 616 | if (s->ssl_version >> 8 != TLS1_VERSION_MAJOR || | 616 | if (s->ssl_version >> 8 != TLS1_VERSION_MAJOR || | 
| 617 | s->ssl_version < TLS1_VERSION) | 617 | s->ssl_version < TLS1_VERSION) | 
| 618 | return 1; | 618 | return 1; | 
| 619 | 619 | ||
| 620 | if (c->algorithm_enc == SSL_RC4 && | 620 | if (c->algorithm_enc == SSL_RC4 && | 
| 621 | c->algorithm_mac == SSL_MD5 && | 621 | c->algorithm_mac == SSL_MD5 && | 
| 622 | (evp = EVP_get_cipherbyname("RC4-HMAC-MD5"))) | 622 | (evp = EVP_get_cipherbyname("RC4-HMAC-MD5"))) | 
| 623 | *enc = evp, *md = NULL; | 623 | *enc = evp, *md = NULL; | 
| 624 | else if (c->algorithm_enc == SSL_AES128 && | 624 | else if (c->algorithm_enc == SSL_AES128 && | 
| 625 | c->algorithm_mac == SSL_SHA1 && | 625 | c->algorithm_mac == SSL_SHA1 && | 
| 626 | (evp = EVP_get_cipherbyname("AES-128-CBC-HMAC-SHA1"))) | 626 | (evp = EVP_get_cipherbyname("AES-128-CBC-HMAC-SHA1"))) | 
| 627 | *enc = evp, *md = NULL; | 627 | *enc = evp, *md = NULL; | 
| 628 | else if (c->algorithm_enc == SSL_AES256 && | 628 | else if (c->algorithm_enc == SSL_AES256 && | 
| 629 | c->algorithm_mac == SSL_SHA1 && | 629 | c->algorithm_mac == SSL_SHA1 && | 
| 630 | (evp = EVP_get_cipherbyname("AES-256-CBC-HMAC-SHA1"))) | 630 | (evp = EVP_get_cipherbyname("AES-256-CBC-HMAC-SHA1"))) | 
| 631 | *enc = evp, *md = NULL; | 631 | *enc = evp, *md = NULL; | 
| 632 | return (1); | 632 | return (1); | 
| 633 | } else | 633 | } else | 
| 634 | return (0); | 634 | return (0); | 
| @@ -793,11 +793,11 @@ CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) | |||
| 793 | c = ssl_method->get_cipher(i); | 793 | c = ssl_method->get_cipher(i); | 
| 794 | /* drop those that use any of that is not available */ | 794 | /* drop those that use any of that is not available */ | 
| 795 | if ((c != NULL) && c->valid && | 795 | if ((c != NULL) && c->valid && | 
| 796 | !(c->algorithm_mkey & disabled_mkey) && | 796 | !(c->algorithm_mkey & disabled_mkey) && | 
| 797 | !(c->algorithm_auth & disabled_auth) && | 797 | !(c->algorithm_auth & disabled_auth) && | 
| 798 | !(c->algorithm_enc & disabled_enc) && | 798 | !(c->algorithm_enc & disabled_enc) && | 
| 799 | !(c->algorithm_mac & disabled_mac) && | 799 | !(c->algorithm_mac & disabled_mac) && | 
| 800 | !(c->algorithm_ssl & disabled_ssl)) { | 800 | !(c->algorithm_ssl & disabled_ssl)) { | 
| 801 | co_list[co_list_num].cipher = c; | 801 | co_list[co_list_num].cipher = c; | 
| 802 | co_list[co_list_num].next = NULL; | 802 | co_list[co_list_num].next = NULL; | 
| 803 | co_list[co_list_num].prev = NULL; | 803 | co_list[co_list_num].prev = NULL; | 
| @@ -837,12 +837,10 @@ CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) | |||
| 837 | } | 837 | } | 
| 838 | 838 | ||
| 839 | static void | 839 | static void | 
| 840 | ssl_cipher_collect_aliases(const SSL_CIPHER **ca_list, | 840 | ssl_cipher_collect_aliases(const SSL_CIPHER **ca_list, int num_of_group_aliases, | 
| 841 | int num_of_group_aliases, | 841 | unsigned long disabled_mkey, unsigned long disabled_auth, | 
| 842 | unsigned long disabled_mkey, unsigned long disabled_auth, | ||
| 843 | unsigned long disabled_enc, unsigned long disabled_mac, | 842 | unsigned long disabled_enc, unsigned long disabled_mac, | 
| 844 | unsigned long disabled_ssl, | 843 | unsigned long disabled_ssl, CIPHER_ORDER *head) | 
| 845 | CIPHER_ORDER *head) | ||
| 846 | { | 844 | { | 
| 847 | CIPHER_ORDER *ciph_curr; | 845 | CIPHER_ORDER *ciph_curr; | 
| 848 | const SSL_CIPHER **ca_curr; | 846 | const SSL_CIPHER **ca_curr; | 
| @@ -905,13 +903,10 @@ unsigned long disabled_ssl, | |||
| 905 | } | 903 | } | 
| 906 | 904 | ||
| 907 | static void | 905 | static void | 
| 908 | ssl_cipher_apply_rule(unsigned long cipher_id, | 906 | ssl_cipher_apply_rule(unsigned long cipher_id, unsigned long alg_mkey, | 
| 909 | unsigned long alg_mkey, unsigned long alg_auth, | 907 | unsigned long alg_auth, unsigned long alg_enc, unsigned long alg_mac, | 
| 910 | unsigned long alg_enc, unsigned long alg_mac, | 908 | unsigned long alg_ssl, unsigned long algo_strength, | 
| 911 | unsigned long alg_ssl, | 909 | int rule, int strength_bits, CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) | 
| 912 | unsigned long algo_strength, | ||
| 913 | int rule, int strength_bits, | ||
| 914 | CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) | ||
| 915 | { | 910 | { | 
| 916 | CIPHER_ORDER *head, *tail, *curr, *curr2, *last; | 911 | CIPHER_ORDER *head, *tail, *curr, *curr2, *last; | 
| 917 | const SSL_CIPHER *cp; | 912 | const SSL_CIPHER *cp; | 
| @@ -1023,8 +1018,7 @@ CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) | |||
| 1023 | } | 1018 | } | 
| 1024 | 1019 | ||
| 1025 | static int | 1020 | static int | 
| 1026 | ssl_cipher_strength_sort(CIPHER_ORDER **head_p, | 1021 | ssl_cipher_strength_sort(CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) | 
| 1027 | CIPHER_ORDER **tail_p) | ||
| 1028 | { | 1022 | { | 
| 1029 | int max_strength_bits, i, *number_uses; | 1023 | int max_strength_bits, i, *number_uses; | 
| 1030 | CIPHER_ORDER *curr; | 1024 | CIPHER_ORDER *curr; | 
| @@ -1038,8 +1032,8 @@ ssl_cipher_strength_sort(CIPHER_ORDER **head_p, | |||
| 1038 | curr = *head_p; | 1032 | curr = *head_p; | 
| 1039 | while (curr != NULL) { | 1033 | while (curr != NULL) { | 
| 1040 | if (curr->active && | 1034 | if (curr->active && | 
| 1041 | (curr->cipher->strength_bits > max_strength_bits)) | 1035 | (curr->cipher->strength_bits > max_strength_bits)) | 
| 1042 | max_strength_bits = curr->cipher->strength_bits; | 1036 | max_strength_bits = curr->cipher->strength_bits; | 
| 1043 | curr = curr->next; | 1037 | curr = curr->next; | 
| 1044 | } | 1038 | } | 
| 1045 | 1039 | ||
| @@ -1123,9 +1117,9 @@ const SSL_CIPHER **ca_list) | |||
| 1123 | buf = l; | 1117 | buf = l; | 
| 1124 | buflen = 0; | 1118 | buflen = 0; | 
| 1125 | while (((ch >= 'A') && (ch <= 'Z')) || | 1119 | while (((ch >= 'A') && (ch <= 'Z')) || | 
| 1126 | ((ch >= '0') && (ch <= '9')) || | 1120 | ((ch >= '0') && (ch <= '9')) || | 
| 1127 | ((ch >= 'a') && (ch <= 'z')) || | 1121 | ((ch >= 'a') && (ch <= 'z')) || | 
| 1128 | (ch == '-') || (ch == '.')) | 1122 | (ch == '-') || (ch == '.')) | 
| 1129 | { | 1123 | { | 
| 1130 | ch = *(++l); | 1124 | ch = *(++l); | 
| 1131 | buflen++; | 1125 | buflen++; | 
| @@ -1171,7 +1165,7 @@ const SSL_CIPHER **ca_list) | |||
| 1171 | cipher_id = 0; | 1165 | cipher_id = 0; | 
| 1172 | while (ca_list[j]) { | 1166 | while (ca_list[j]) { | 
| 1173 | if (!strncmp(buf, ca_list[j]->name, buflen) && | 1167 | if (!strncmp(buf, ca_list[j]->name, buflen) && | 
| 1174 | (ca_list[j]->name[buflen] == '\0')) { | 1168 | (ca_list[j]->name[buflen] == '\0')) { | 
| 1175 | found = 1; | 1169 | found = 1; | 
| 1176 | break; | 1170 | break; | 
| 1177 | } else | 1171 | } else | 
| @@ -1276,7 +1270,7 @@ const SSL_CIPHER **ca_list) | |||
| 1276 | * Ok, we have the rule, now apply it | 1270 | * Ok, we have the rule, now apply it | 
| 1277 | */ | 1271 | */ | 
| 1278 | if (rule == CIPHER_SPECIAL) | 1272 | if (rule == CIPHER_SPECIAL) | 
| 1279 | { /* special command */ | 1273 | { /* special command */ | 
| 1280 | ok = 0; | 1274 | ok = 0; | 
| 1281 | if ((buflen == 8) && | 1275 | if ((buflen == 8) && | 
| 1282 | !strncmp(buf, "STRENGTH", 8)) | 1276 | !strncmp(buf, "STRENGTH", 8)) | 
| @@ -1310,9 +1304,9 @@ const SSL_CIPHER **ca_list) | |||
| 1310 | 1304 | ||
| 1311 | STACK_OF(SSL_CIPHER) | 1305 | STACK_OF(SSL_CIPHER) | 
| 1312 | *ssl_create_cipher_list(const SSL_METHOD *ssl_method, | 1306 | *ssl_create_cipher_list(const SSL_METHOD *ssl_method, | 
| 1313 | STACK_OF(SSL_CIPHER) **cipher_list, | 1307 | STACK_OF(SSL_CIPHER) **cipher_list, | 
| 1314 | STACK_OF(SSL_CIPHER) **cipher_list_by_id, | 1308 | STACK_OF(SSL_CIPHER) **cipher_list_by_id, | 
| 1315 | const char *rule_str) | 1309 | const char *rule_str) | 
| 1316 | { | 1310 | { | 
| 1317 | int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases; | 1311 | int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases; | 
| 1318 | unsigned long disabled_mkey, disabled_auth, disabled_enc, disabled_mac, disabled_ssl; | 1312 | unsigned long disabled_mkey, disabled_auth, disabled_enc, disabled_mac, disabled_ssl; | 
| @@ -1777,14 +1771,14 @@ SSL_COMP_add_compression_method(int id, COMP_METHOD *cm) | |||
| 1777 | comp->id = id; | 1771 | comp->id = id; | 
| 1778 | comp->method = cm; | 1772 | comp->method = cm; | 
| 1779 | load_builtin_compressions(); | 1773 | load_builtin_compressions(); | 
| 1780 | if (ssl_comp_methods | 1774 | if (ssl_comp_methods && | 
| 1781 | && sk_SSL_COMP_find(ssl_comp_methods, comp) >= 0) { | 1775 | sk_SSL_COMP_find(ssl_comp_methods, comp) >= 0) { | 
| 1782 | OPENSSL_free(comp); | 1776 | OPENSSL_free(comp); | 
| 1783 | MemCheck_on(); | 1777 | MemCheck_on(); | 
| 1784 | SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD, SSL_R_DUPLICATE_COMPRESSION_ID); | 1778 | SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD, SSL_R_DUPLICATE_COMPRESSION_ID); | 
| 1785 | return (1); | 1779 | return (1); | 
| 1786 | } else if ((ssl_comp_methods == NULL) | 1780 | } else if ((ssl_comp_methods == NULL) || | 
| 1787 | || !sk_SSL_COMP_push(ssl_comp_methods, comp)) { | 1781 | !sk_SSL_COMP_push(ssl_comp_methods, comp)) { | 
| 1788 | OPENSSL_free(comp); | 1782 | OPENSSL_free(comp); | 
| 1789 | MemCheck_on(); | 1783 | MemCheck_on(); | 
| 1790 | SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD, ERR_R_MALLOC_FAILURE); | 1784 | SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD, ERR_R_MALLOC_FAILURE); | 
