Diffstat (limited to 'src/lib/libssl/ssl_ciph.c')
-rw-r--r--src/lib/libssl/ssl_ciph.c193
1 files changed, 135 insertions, 58 deletions
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
index 820994408b..4c2989c47a 100644
--- a/src/lib/libssl/ssl_ciph.c
+++ b/src/lib/libssl/ssl_ciph.c
@@ -57,7 +57,8 @@
57 */ 57 */
58 58
59#include <stdio.h> 59#include <stdio.h>
60#include "objects.h" 60#include <openssl/objects.h>
61#include <openssl/comp.h>
61#include "ssl_locl.h" 62#include "ssl_locl.h"
62 63
63#define SSL_ENC_DES_IDX 0 64#define SSL_ENC_DES_IDX 0
@@ -69,14 +70,16 @@
69#define SSL_ENC_NULL_IDX 6 70#define SSL_ENC_NULL_IDX 6
70#define SSL_ENC_NUM_IDX 7 71#define SSL_ENC_NUM_IDX 7
71 72
72static EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX]={ 73static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX]={
73 NULL,NULL,NULL,NULL,NULL,NULL, 74 NULL,NULL,NULL,NULL,NULL,NULL,
74 }; 75 };
75 76
77static STACK_OF(SSL_COMP) *ssl_comp_methods=NULL;
78
76#define SSL_MD_MD5_IDX 0 79#define SSL_MD_MD5_IDX 0
77#define SSL_MD_SHA1_IDX 1 80#define SSL_MD_SHA1_IDX 1
78#define SSL_MD_NUM_IDX 2 81#define SSL_MD_NUM_IDX 2
79static EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX]={ 82static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX]={
80 NULL,NULL, 83 NULL,NULL,
81 }; 84 };
82 85
@@ -108,7 +111,8 @@ typedef struct cipher_order_st
108 } CIPHER_ORDER; 111 } CIPHER_ORDER;
109 112
110static SSL_CIPHER cipher_aliases[]={ 113static SSL_CIPHER cipher_aliases[]={
111 {0,SSL_TXT_ALL, 0,SSL_ALL, 0,SSL_ALL}, /* must be first */ 114 /* Don't include eNULL unless specifically enabled */
115 {0,SSL_TXT_ALL, 0,SSL_ALL & ~SSL_eNULL, 0,SSL_ALL}, /* must be first */
112 {0,SSL_TXT_kRSA,0,SSL_kRSA, 0,SSL_MKEY_MASK}, 116 {0,SSL_TXT_kRSA,0,SSL_kRSA, 0,SSL_MKEY_MASK},
113 {0,SSL_TXT_kDHr,0,SSL_kDHr, 0,SSL_MKEY_MASK}, 117 {0,SSL_TXT_kDHr,0,SSL_kDHr, 0,SSL_MKEY_MASK},
114 {0,SSL_TXT_kDHd,0,SSL_kDHd, 0,SSL_MKEY_MASK}, 118 {0,SSL_TXT_kDHd,0,SSL_kDHd, 0,SSL_MKEY_MASK},
@@ -141,25 +145,26 @@ static SSL_CIPHER cipher_aliases[]={
141 {0,SSL_TXT_ADH, 0,SSL_ADH, 0,SSL_AUTH_MASK|SSL_MKEY_MASK}, 145 {0,SSL_TXT_ADH, 0,SSL_ADH, 0,SSL_AUTH_MASK|SSL_MKEY_MASK},
142 {0,SSL_TXT_FZA, 0,SSL_FZA, 0,SSL_AUTH_MASK|SSL_MKEY_MASK|SSL_ENC_MASK}, 146 {0,SSL_TXT_FZA, 0,SSL_FZA, 0,SSL_AUTH_MASK|SSL_MKEY_MASK|SSL_ENC_MASK},
143 147
144 {0,SSL_TXT_EXP, 0,SSL_EXP, 0,SSL_EXP_MASK}, 148 {0,SSL_TXT_EXP40, 0,SSL_EXP40, 0,SSL_EXP_MASK},
145 {0,SSL_TXT_EXPORT,0,SSL_EXPORT,0,SSL_EXP_MASK}, 149 {0,SSL_TXT_EXPORT,0,SSL_EXP40, 0,SSL_EXP_MASK},
146 {0,SSL_TXT_SSLV2,0,SSL_SSLV2,0,SSL_SSL_MASK}, 150 {0,SSL_TXT_EXP56, 0,SSL_EXP56, 0,SSL_EXP_MASK},
147 {0,SSL_TXT_SSLV3,0,SSL_SSLV3,0,SSL_SSL_MASK}, 151 {0,SSL_TXT_SSLV2, 0,SSL_SSLV2, 0,SSL_SSL_MASK},
148 {0,SSL_TXT_LOW, 0,SSL_LOW,0,SSL_STRONG_MASK}, 152 {0,SSL_TXT_SSLV3, 0,SSL_SSLV3, 0,SSL_SSL_MASK},
153 {0,SSL_TXT_TLSV1, 0,SSL_TLSV1, 0,SSL_SSL_MASK},
154 {0,SSL_TXT_LOW, 0,SSL_LOW, 0,SSL_STRONG_MASK},
149 {0,SSL_TXT_MEDIUM,0,SSL_MEDIUM,0,SSL_STRONG_MASK}, 155 {0,SSL_TXT_MEDIUM,0,SSL_MEDIUM,0,SSL_STRONG_MASK},
150 {0,SSL_TXT_HIGH, 0,SSL_HIGH,0,SSL_STRONG_MASK}, 156 {0,SSL_TXT_HIGH, 0,SSL_HIGH, 0,SSL_STRONG_MASK},
151 }; 157 };
152 158
153static int init_ciphers=1; 159static int init_ciphers=1;
154static void load_ciphers(); 160static void load_ciphers();
155 161
156static int cmp_by_name(a,b) 162static int cmp_by_name(SSL_CIPHER **a, SSL_CIPHER **b)
157SSL_CIPHER **a,**b;
158 { 163 {
159 return(strcmp((*a)->name,(*b)->name)); 164 return(strcmp((*a)->name,(*b)->name));
160 } 165 }
161 166
162static void load_ciphers() 167static void load_ciphers(void)
163 { 168 {
164 init_ciphers=0; 169 init_ciphers=0;
165 ssl_cipher_methods[SSL_ENC_DES_IDX]= 170 ssl_cipher_methods[SSL_ENC_DES_IDX]=
@@ -179,14 +184,38 @@ static void load_ciphers()
179 EVP_get_digestbyname(SN_sha1); 184 EVP_get_digestbyname(SN_sha1);
180 } 185 }
181 186
182int ssl_cipher_get_evp(c,enc,md) 187int ssl_cipher_get_evp(SSL_SESSION *s, const EVP_CIPHER **enc,
183SSL_CIPHER *c; 188 const EVP_MD **md, SSL_COMP **comp)
184EVP_CIPHER **enc;
185EVP_MD **md;
186 { 189 {
187 int i; 190 int i;
191 SSL_CIPHER *c;
188 192
193 c=s->cipher;
189 if (c == NULL) return(0); 194 if (c == NULL) return(0);
195 if (comp != NULL)
196 {
197 SSL_COMP ctmp;
198
199 if (s->compress_meth == 0)
200 *comp=NULL;
201 else if (ssl_comp_methods == NULL)
202 {
203 /* bad */
204 *comp=NULL;
205 }
206 else
207 {
208
209 ctmp.id=s->compress_meth;
210 i=sk_SSL_COMP_find(ssl_comp_methods,&ctmp);
211 if (i >= 0)
212 *comp=sk_SSL_COMP_value(ssl_comp_methods,i);
213 else
214 *comp=NULL;
215 }
216 }
217
218 if ((enc == NULL) || (md == NULL)) return(0);
190 219
191 switch (c->algorithms & SSL_ENC_MASK) 220 switch (c->algorithms & SSL_ENC_MASK)
192 { 221 {
@@ -208,7 +237,6 @@ EVP_MD **md;
208 case SSL_eNULL: 237 case SSL_eNULL:
209 i=SSL_ENC_NULL_IDX; 238 i=SSL_ENC_NULL_IDX;
210 break; 239 break;
211 break;
212 default: 240 default:
213 i= -1; 241 i= -1;
214 break; 242 break;
@@ -250,8 +278,8 @@ EVP_MD **md;
250#define ITEM_SEP(a) \ 278#define ITEM_SEP(a) \
251 (((a) == ':') || ((a) == ' ') || ((a) == ';') || ((a) == ',')) 279 (((a) == ':') || ((a) == ' ') || ((a) == ';') || ((a) == ','))
252 280
253static void ll_append_tail(head,curr,tail) 281static void ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr,
254CIPHER_ORDER **head,*curr,**tail; 282 CIPHER_ORDER **tail)
255 { 283 {
256 if (curr == *tail) return; 284 if (curr == *tail) return;
257 if (curr == *head) 285 if (curr == *head)
@@ -266,14 +294,14 @@ CIPHER_ORDER **head,*curr,**tail;
266 *tail=curr; 294 *tail=curr;
267 } 295 }
268 296
269STACK *ssl_create_cipher_list(ssl_method,cipher_list,cipher_list_by_id,str) 297STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_METHOD *ssl_method,
270SSL_METHOD *ssl_method; 298 STACK_OF(SSL_CIPHER) **cipher_list,
271STACK **cipher_list,**cipher_list_by_id; 299 STACK_OF(SSL_CIPHER) **cipher_list_by_id,
272char *str; 300 char *str)
273 { 301 {
274 SSL_CIPHER *c; 302 SSL_CIPHER *c;
275 char *l; 303 char *l;
276 STACK *ret=NULL,*ok=NULL; 304 STACK_OF(SSL_CIPHER) *ret=NULL,*ok=NULL;
277#define CL_BUF 40 305#define CL_BUF 40
278 char buf[CL_BUF]; 306 char buf[CL_BUF];
279 char *tmp_str=NULL; 307 char *tmp_str=NULL;
@@ -308,7 +336,7 @@ char *str;
308 336
309 num=ssl_method->num_ciphers(); 337 num=ssl_method->num_ciphers();
310 338
311 if ((ret=(STACK *)sk_new(NULL)) == NULL) goto err; 339 if ((ret=sk_SSL_CIPHER_new(NULL)) == NULL) goto err;
312 if ((ca_list=(STACK *)sk_new(cmp_by_name)) == NULL) goto err; 340 if ((ca_list=(STACK *)sk_new(cmp_by_name)) == NULL) goto err;
313 341
314 mask =SSL_kFZA; 342 mask =SSL_kFZA;
@@ -322,7 +350,7 @@ char *str;
322 mask|=SSL_kDHr|SSL_kDHd|SSL_kEDH|SSL_aDH; 350 mask|=SSL_kDHr|SSL_kDHd|SSL_kEDH|SSL_aDH;
323#endif 351#endif
324 352
325#ifndef SSL_ALLOW_ENULL 353#ifdef SSL_FORBID_ENULL
326 mask|=SSL_eNULL; 354 mask|=SSL_eNULL;
327#endif 355#endif
328 356
@@ -372,7 +400,7 @@ char *str;
372 } 400 }
373 401
374 /* special case */ 402 /* special case */
375 cipher_aliases[0].algorithms= ~mask; 403 cipher_aliases[0].algorithms &= ~mask;
376 404
377 /* get the aliases */ 405 /* get the aliases */
378 k=sizeof(cipher_aliases)/sizeof(SSL_CIPHER); 406 k=sizeof(cipher_aliases)/sizeof(SSL_CIPHER);
@@ -430,10 +458,14 @@ char *str;
430 { 458 {
431 ch= *l; 459 ch= *l;
432 i=0; 460 i=0;
461#ifndef CHARSET_EBCDIC
433 while ( ((ch >= 'A') && (ch <= 'Z')) || 462 while ( ((ch >= 'A') && (ch <= 'Z')) ||
434 ((ch >= '0') && (ch <= '9')) || 463 ((ch >= '0') && (ch <= '9')) ||
435 ((ch >= 'a') && (ch <= 'z')) || 464 ((ch >= 'a') && (ch <= 'z')) ||
436 (ch == '-')) 465 (ch == '-'))
466#else
467 while ( isalnum(ch) || (ch == '-'))
468#endif
437 { 469 {
438 buf[i]=ch; 470 buf[i]=ch;
439 ch= *(++l); 471 ch= *(++l);
@@ -541,7 +573,7 @@ end_loop:
541 { 573 {
542 if (curr->active) 574 if (curr->active)
543 { 575 {
544 sk_push(ret,(char *)curr->cipher); 576 sk_SSL_CIPHER_push(ret,curr->cipher);
545#ifdef CIPHER_DEBUG 577#ifdef CIPHER_DEBUG
546 printf("<%s>\n",curr->cipher->name); 578 printf("<%s>\n",curr->cipher->name);
547#endif 579#endif
@@ -551,15 +583,15 @@ end_loop:
551 if (cipher_list != NULL) 583 if (cipher_list != NULL)
552 { 584 {
553 if (*cipher_list != NULL) 585 if (*cipher_list != NULL)
554 sk_free(*cipher_list); 586 sk_SSL_CIPHER_free(*cipher_list);
555 *cipher_list=ret; 587 *cipher_list=ret;
556 } 588 }
557 589
558 if (cipher_list_by_id != NULL) 590 if (cipher_list_by_id != NULL)
559 { 591 {
560 if (*cipher_list_by_id != NULL) 592 if (*cipher_list_by_id != NULL)
561 sk_free(*cipher_list_by_id); 593 sk_SSL_CIPHER_free(*cipher_list_by_id);
562 *cipher_list_by_id=sk_dup(ret); 594 *cipher_list_by_id=sk_SSL_CIPHER_dup(ret);
563 } 595 }
564 596
565 if ( (cipher_list_by_id == NULL) || 597 if ( (cipher_list_by_id == NULL) ||
@@ -567,25 +599,22 @@ end_loop:
567 (cipher_list == NULL) || 599 (cipher_list == NULL) ||
568 (*cipher_list == NULL)) 600 (*cipher_list == NULL))
569 goto err; 601 goto err;
570 sk_set_cmp_func(*cipher_list_by_id,ssl_cipher_ptr_id_cmp); 602 sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id,ssl_cipher_ptr_id_cmp);
571 603
572 ok=ret; 604 ok=ret;
573 ret=NULL; 605 ret=NULL;
574err: 606err:
575 if (tmp_str) Free(tmp_str); 607 if (tmp_str) Free(tmp_str);
576 if (ops != NULL) Free(ops); 608 if (ops != NULL) Free(ops);
577 if (ret != NULL) sk_free(ret); 609 if (ret != NULL) sk_SSL_CIPHER_free(ret);
578 if (ca_list != NULL) sk_free(ca_list); 610 if (ca_list != NULL) sk_free(ca_list);
579 if (list != NULL) Free(list); 611 if (list != NULL) Free(list);
580 return(ok); 612 return(ok);
581 } 613 }
582 614
583char *SSL_CIPHER_description(cipher,buf,len) 615char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
584SSL_CIPHER *cipher;
585char *buf;
586int len;
587 { 616 {
588 int export; 617 int is_export,pkl,kl;
589 char *ver,*exp; 618 char *ver,*exp;
590 char *kx,*au,*enc,*mac; 619 char *kx,*au,*enc,*mac;
591 unsigned long alg,alg2; 620 unsigned long alg,alg2;
@@ -594,8 +623,10 @@ int len;
594 alg=cipher->algorithms; 623 alg=cipher->algorithms;
595 alg2=cipher->algorithm2; 624 alg2=cipher->algorithm2;
596 625
597 export=(alg&SSL_EXP)?1:0; 626 is_export=SSL_IS_EXPORT(alg);
598 exp=(export)?" export":""; 627 pkl=SSL_EXPORT_PKEYLENGTH(alg);
628 kl=SSL_EXPORT_KEYLENGTH(alg);
629 exp=is_export?" export":"";
599 630
600 if (alg & SSL_SSLV2) 631 if (alg & SSL_SSLV2)
601 ver="SSLv2"; 632 ver="SSLv2";
@@ -607,7 +638,7 @@ int len;
607 switch (alg&SSL_MKEY_MASK) 638 switch (alg&SSL_MKEY_MASK)
608 { 639 {
609 case SSL_kRSA: 640 case SSL_kRSA:
610 kx=(export)?"RSA(512)":"RSA"; 641 kx=is_export?(pkl == 512 ? "RSA(512)" : "RSA(1024)"):"RSA";
611 break; 642 break;
612 case SSL_kDHr: 643 case SSL_kDHr:
613 kx="DH/RSA"; 644 kx="DH/RSA";
@@ -619,7 +650,7 @@ int len;
619 kx="Fortezza"; 650 kx="Fortezza";
620 break; 651 break;
621 case SSL_kEDH: 652 case SSL_kEDH:
622 kx=(export)?"DH(512)":"DH"; 653 kx=is_export?(pkl == 512 ? "DH(512)" : "DH(1024)"):"DH";
623 break; 654 break;
624 default: 655 default:
625 kx="unknown"; 656 kx="unknown";
@@ -648,16 +679,17 @@ int len;
648 switch (alg&SSL_ENC_MASK) 679 switch (alg&SSL_ENC_MASK)
649 { 680 {
650 case SSL_DES: 681 case SSL_DES:
651 enc=export?"DES(40)":"DES(56)"; 682 enc=(is_export && kl == 5)?"DES(40)":"DES(56)";
652 break; 683 break;
653 case SSL_3DES: 684 case SSL_3DES:
654 enc="3DES(168)"; 685 enc="3DES(168)";
655 break; 686 break;
656 case SSL_RC4: 687 case SSL_RC4:
657 enc=export?"RC4(40)":((alg2&SSL2_CF_8_BYTE_ENC)?"RC4(64)":"RC4(128)"); 688 enc=is_export?(kl == 5 ? "RC4(40)" : "RC4(56)")
689 :((alg2&SSL2_CF_8_BYTE_ENC)?"RC4(64)":"RC4(128)");
658 break; 690 break;
659 case SSL_RC2: 691 case SSL_RC2:
660 enc=export?"RC2(40)":"RC2(128)"; 692 enc=is_export?(kl == 5 ? "RC2(40)" : "RC2(56)"):"RC2(128)";
661 break; 693 break;
662 case SSL_IDEA: 694 case SSL_IDEA:
663 enc="IDEA(128)"; 695 enc="IDEA(128)";
@@ -698,8 +730,7 @@ int len;
698 return(buf); 730 return(buf);
699 } 731 }
700 732
701char *SSL_CIPHER_get_version(c) 733char *SSL_CIPHER_get_version(SSL_CIPHER *c)
702SSL_CIPHER *c;
703 { 734 {
704 int i; 735 int i;
705 736
@@ -714,8 +745,7 @@ SSL_CIPHER *c;
714 } 745 }
715 746
716/* return the actual cipher being used */ 747/* return the actual cipher being used */
717char *SSL_CIPHER_get_name(c) 748const char *SSL_CIPHER_get_name(SSL_CIPHER *c)
718SSL_CIPHER *c;
719 { 749 {
720 if (c != NULL) 750 if (c != NULL)
721 return(c->name); 751 return(c->name);
@@ -723,24 +753,24 @@ SSL_CIPHER *c;
723 } 753 }
724 754
725/* number of bits for symetric cipher */ 755/* number of bits for symetric cipher */
726int SSL_CIPHER_get_bits(c,alg_bits) 756int SSL_CIPHER_get_bits(SSL_CIPHER *c, int *alg_bits)
727SSL_CIPHER *c;
728int *alg_bits;
729 { 757 {
730 int ret=0,a=0; 758 int ret=0,a=0;
731 EVP_CIPHER *enc; 759 const EVP_CIPHER *enc;
732 EVP_MD *md; 760 const EVP_MD *md;
761 SSL_SESSION ss;
733 762
734 if (c != NULL) 763 if (c != NULL)
735 { 764 {
736 if (!ssl_cipher_get_evp(c,&enc,&md)) 765 ss.cipher=c;
766 if (!ssl_cipher_get_evp(&ss,&enc,&md,NULL))
737 return(0); 767 return(0);
738 768
739 a=EVP_CIPHER_key_length(enc)*8; 769 a=EVP_CIPHER_key_length(enc)*8;
740 770
741 if (c->algorithms & SSL_EXP) 771 if (SSL_C_IS_EXPORT(c))
742 { 772 {
743 ret=40; 773 ret=SSL_C_EXPORT_KEYLENGTH(c)*8;
744 } 774 }
745 else 775 else
746 { 776 {
@@ -756,3 +786,50 @@ int *alg_bits;
756 return(ret); 786 return(ret);
757 } 787 }
758 788
789SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n)
790 {
791 SSL_COMP *ctmp;
792 int i,nn;
793
794 if ((n == 0) || (sk == NULL)) return(NULL);
795 nn=sk_SSL_COMP_num(sk);
796 for (i=0; i<nn; i++)
797 {
798 ctmp=sk_SSL_COMP_value(sk,i);
799 if (ctmp->id == n)
800 return(ctmp);
801 }
802 return(NULL);
803 }
804
805static int sk_comp_cmp(SSL_COMP **a,SSL_COMP **b)
806 {
807 return((*a)->id-(*b)->id);
808 }
809
810STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void)
811 {
812 return(ssl_comp_methods);
813 }
814
815int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm)
816 {
817 SSL_COMP *comp;
818 STACK_OF(SSL_COMP) *sk;
819
820 comp=(SSL_COMP *)Malloc(sizeof(SSL_COMP));
821 comp->id=id;
822 comp->method=cm;
823 if (ssl_comp_methods == NULL)
824 sk=ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp);
825 else
826 sk=ssl_comp_methods;
827 if ((sk == NULL) || !sk_SSL_COMP_push(sk,comp))
828 {
829 SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,ERR_R_MALLOC_FAILURE);
830 return(0);
831 }
832 else
833 return(1);
834 }
835
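Review bot: `SSL_COMP_add_compression_method` dereferences the result of `Malloc(sizeof(SSL_COMP))` at `comp->id=id;` without checking for NULL, so an allocation failure becomes a null-pointer write instead of the `ERR_R_MALLOC_FAILURE` the function already reports for the stack push. The failure branch that follows also returns without releasing `comp`, leaking one SSL_COMP per failed registration; the rewrite below adds the NULL check and a `Free(comp)` on the push-failure path, using the same `Free` the file already calls in `ssl_create_cipher_list`. Separately, in the `ssl_cipher_get_evp` hunk the `/* bad */` branch (session carries a `compress_meth` but `ssl_comp_methods` is NULL) silently sets `*comp=NULL` and the function still returns success; a comment such as `/* session names a compression method but none are registered: fall back to uncompressed */` would document that this is intentional. `ssl_cipher_get_evp` continues past the end of that hunk.
```c
int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm)
	{
	SSL_COMP *comp;
	STACK_OF(SSL_COMP) *sk;

	comp=(SSL_COMP *)Malloc(sizeof(SSL_COMP));
	if (comp == NULL)
		{
		SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,ERR_R_MALLOC_FAILURE);
		return(0);
		}
	comp->id=id;
	comp->method=cm;
	/* … unchanged: lazy creation of ssl_comp_methods … */
	if ((sk == NULL) || !sk_SSL_COMP_push(sk,comp))
		{
		/* comp was never added to the stack, so it is still ours to free */
		Free(comp);
		SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,ERR_R_MALLOC_FAILURE);
		return(0);
		}
	else
		return(1);
	}
```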