1 files changed, 14 insertions, 119 deletions
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
index 92d1e94d6a..54ba7ef5b4 100644
--- a/src/lib/libssl/ssl_ciph.c
+++ b/src/lib/libssl/ssl_ciph.c
@@ -162,13 +162,11 @@
 #define SSL_ENC_CAMELLIA256_IDX 9
 #define SSL_ENC_GOST89_IDX      10
 #define SSL_ENC_SEED_IDX        11
-#define SSL_ENC_AES128GCM_IDX   12
+#define SSL_ENC_NUM_IDX         12
-#define SSL_ENC_AES256GCM_IDX   13
-#define SSL_ENC_NUM_IDX         14
 static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX]={
-        NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL
+        NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,
        };
 #define SSL_COMP_NULL_IDX       0
@@ -181,32 +179,28 @@ static STACK_OF(SSL_COMP) *ssl_comp_methods=NULL;
 #define SSL_MD_SHA1_IDX 1
 #define SSL_MD_GOST94_IDX 2
 #define SSL_MD_GOST89MAC_IDX 3
-#define SSL_MD_SHA256_IDX 4
-#define SSL_MD_SHA384_IDX 5
 /*Constant SSL_MAX_DIGEST equal to size of digests array should be 
 * defined in the
 * ssl_locl.h */
 #define SSL_MD_NUM_IDX  SSL_MAX_DIGEST 
 static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX]={
-        NULL,NULL,NULL,NULL,NULL,NULL
+        NULL,NULL,NULL,NULL
        };
 /* PKEY_TYPE for GOST89MAC is known in advance, but, because
 * implementation is engine-provided, we'll fill it only if
 * corresponding EVP_PKEY_METHOD is found 
 */
 static int  ssl_mac_pkey_id[SSL_MD_NUM_IDX]={
-        EVP_PKEY_HMAC,EVP_PKEY_HMAC,EVP_PKEY_HMAC,NID_undef,
+        EVP_PKEY_HMAC,EVP_PKEY_HMAC,EVP_PKEY_HMAC,NID_undef
-        EVP_PKEY_HMAC,EVP_PKEY_HMAC
        };
 static int ssl_mac_secret_size[SSL_MD_NUM_IDX]={
-        0,0,0,0,0,0
+        0,0,0,0
        };
 static int ssl_handshake_digest_flag[SSL_MD_NUM_IDX]={
        SSL_HANDSHAKE_MAC_MD5,SSL_HANDSHAKE_MAC_SHA,
-        SSL_HANDSHAKE_MAC_GOST94, 0, SSL_HANDSHAKE_MAC_SHA256,
+        SSL_HANDSHAKE_MAC_GOST94,0
-        SSL_HANDSHAKE_MAC_SHA384
        };
 #define CIPHER_ADD      1
@@ -253,7 +247,6 @@ static const SSL_CIPHER cipher_aliases[]={
        {0,SSL_TXT_ECDH,0,    SSL_kECDHr|SSL_kECDHe|SSL_kEECDH,0,0,0,0,0,0,0,0},
        {0,SSL_TXT_kPSK,0,    SSL_kPSK,  0,0,0,0,0,0,0,0},
-        {0,SSL_TXT_kSRP,0,    SSL_kSRP,  0,0,0,0,0,0,0,0},
        {0,SSL_TXT_kGOST,0, SSL_kGOST,0,0,0,0,0,0,0,0},
        /* server authentication aliases */
@@ -280,7 +273,6 @@ static const SSL_CIPHER cipher_aliases[]={
        {0,SSL_TXT_ADH,0,     SSL_kEDH,SSL_aNULL,0,0,0,0,0,0,0},
        {0,SSL_TXT_AECDH,0,   SSL_kEECDH,SSL_aNULL,0,0,0,0,0,0,0},
        {0,SSL_TXT_PSK,0,     SSL_kPSK,SSL_aPSK,0,0,0,0,0,0,0},
-        {0,SSL_TXT_SRP,0,     SSL_kSRP,0,0,0,0,0,0,0,0},
        /* symmetric encryption aliases */
@@ -291,10 +283,9 @@ static const SSL_CIPHER cipher_aliases[]={
        {0,SSL_TXT_IDEA,0,    0,0,SSL_IDEA,  0,0,0,0,0,0},
        {0,SSL_TXT_SEED,0,    0,0,SSL_SEED,  0,0,0,0,0,0},
        {0,SSL_TXT_eNULL,0,   0,0,SSL_eNULL, 0,0,0,0,0,0},
-        {0,SSL_TXT_AES128,0,  0,0,SSL_AES128|SSL_AES128GCM,0,0,0,0,0,0},
+        {0,SSL_TXT_AES128,0,  0,0,SSL_AES128,0,0,0,0,0,0},
-        {0,SSL_TXT_AES256,0,  0,0,SSL_AES256|SSL_AES256GCM,0,0,0,0,0,0},
+        {0,SSL_TXT_AES256,0,  0,0,SSL_AES256,0,0,0,0,0,0},
-        {0,SSL_TXT_AES,0,     0,0,SSL_AES,0,0,0,0,0,0},
+        {0,SSL_TXT_AES,0,     0,0,SSL_AES128|SSL_AES256,0,0,0,0,0,0},
-        {0,SSL_TXT_AES_GCM,0, 0,0,SSL_AES128GCM|SSL_AES256GCM,0,0,0,0,0,0},
        {0,SSL_TXT_CAMELLIA128,0,0,0,SSL_CAMELLIA128,0,0,0,0,0,0},
        {0,SSL_TXT_CAMELLIA256,0,0,0,SSL_CAMELLIA256,0,0,0,0,0,0},
        {0,SSL_TXT_CAMELLIA   ,0,0,0,SSL_CAMELLIA128|SSL_CAMELLIA256,0,0,0,0,0,0},
@@ -305,8 +296,6 @@ static const SSL_CIPHER cipher_aliases[]={
        {0,SSL_TXT_SHA,0,     0,0,0,SSL_SHA1,  0,0,0,0,0},
        {0,SSL_TXT_GOST94,0,     0,0,0,SSL_GOST94,  0,0,0,0,0},
        {0,SSL_TXT_GOST89MAC,0,     0,0,0,SSL_GOST89MAC,  0,0,0,0,0},
-        {0,SSL_TXT_SHA256,0,    0,0,0,SSL_SHA256,  0,0,0,0,0},
-        {0,SSL_TXT_SHA384,0,    0,0,0,SSL_SHA384,  0,0,0,0,0},
        /* protocol version aliases */
        {0,SSL_TXT_SSLV2,0,   0,0,0,0,SSL_SSLV2, 0,0,0,0},
@@ -390,11 +379,6 @@ void ssl_load_ciphers(void)
        ssl_cipher_methods[SSL_ENC_SEED_IDX]=
          EVP_get_cipherbyname(SN_seed_cbc);
-        ssl_cipher_methods[SSL_ENC_AES128GCM_IDX]=
-          EVP_get_cipherbyname(SN_aes_128_gcm);
-        ssl_cipher_methods[SSL_ENC_AES256GCM_IDX]=
-          EVP_get_cipherbyname(SN_aes_256_gcm);
        ssl_digest_methods[SSL_MD_MD5_IDX]=
                EVP_get_digestbyname(SN_md5);
        ssl_mac_secret_size[SSL_MD_MD5_IDX]=
@@ -420,14 +404,6 @@ void ssl_load_ciphers(void)
                        ssl_mac_secret_size[SSL_MD_GOST89MAC_IDX]=32;
                }               
-        ssl_digest_methods[SSL_MD_SHA256_IDX]=
-                EVP_get_digestbyname(SN_sha256);
-        ssl_mac_secret_size[SSL_MD_SHA256_IDX]=
-                EVP_MD_size(ssl_digest_methods[SSL_MD_SHA256_IDX]);
-        ssl_digest_methods[SSL_MD_SHA384_IDX]=
-                EVP_get_digestbyname(SN_sha384);
-        ssl_mac_secret_size[SSL_MD_SHA384_IDX]=
-                EVP_MD_size(ssl_digest_methods[SSL_MD_SHA384_IDX]);
        }
 #ifndef OPENSSL_NO_COMP
@@ -550,12 +526,6 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
        case SSL_SEED:
                i=SSL_ENC_SEED_IDX;
                break;
-        case SSL_AES128GCM:
-                i=SSL_ENC_AES128GCM_IDX;
-                break;
-        case SSL_AES256GCM:
-                i=SSL_ENC_AES256GCM_IDX;
-                break;
        default:
                i= -1;
                break;
@@ -579,12 +549,6 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
        case SSL_SHA1:
                i=SSL_MD_SHA1_IDX;
                break;
-        case SSL_SHA256:
-                i=SSL_MD_SHA256_IDX;
-                break;
-        case SSL_SHA384:
-                i=SSL_MD_SHA384_IDX;
-                break;
        case SSL_GOST94:
                i = SSL_MD_GOST94_IDX;
                break;
@@ -600,45 +564,17 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
                *md=NULL; 
                if (mac_pkey_type!=NULL) *mac_pkey_type = NID_undef;
                if (mac_secret_size!=NULL) *mac_secret_size = 0;
-                if (c->algorithm_mac == SSL_AEAD)
-                        mac_pkey_type = NULL;
        }
        else
        {
                *md=ssl_digest_methods[i];
                if (mac_pkey_type!=NULL) *mac_pkey_type = ssl_mac_pkey_id[i];
                if (mac_secret_size!=NULL) *mac_secret_size = ssl_mac_secret_size[i];
-        }
+        }       
-        if ((*enc != NULL) &&
-            (*md != NULL || (EVP_CIPHER_flags(*enc)&EVP_CIPH_FLAG_AEAD_CIPHER)) &&
-            (!mac_pkey_type||*mac_pkey_type != NID_undef))
-                {
-                const EVP_CIPHER *evp;
-                if (s->ssl_version>>8 != TLS1_VERSION_MAJOR ||
-                    s->ssl_version < TLS1_VERSION)
-                        return 1;
-#ifdef OPENSSL_FIPS
-                if (FIPS_mode())
-                        return 1;
-#endif
-                if      (c->algorithm_enc == SSL_RC4 &&
+        if ((*enc != NULL) && (*md != NULL) && (!mac_pkey_type||*mac_pkey_type != NID_undef))
-                         c->algorithm_mac == SSL_MD5 &&
-                         (evp=EVP_get_cipherbyname("RC4-HMAC-MD5")))
-                        *enc = evp, *md = NULL;
-                else if (c->algorithm_enc == SSL_AES128 &&
-                         c->algorithm_mac == SSL_SHA1 &&
-                         (evp=EVP_get_cipherbyname("AES-128-CBC-HMAC-SHA1")))
-                        *enc = evp, *md = NULL;
-                else if (c->algorithm_enc == SSL_AES256 &&
-                         c->algorithm_mac == SSL_SHA1 &&
-                         (evp=EVP_get_cipherbyname("AES-256-CBC-HMAC-SHA1")))
-                        *enc = evp, *md = NULL;
                return(1);
-                }
        else
                return(0);
        }
@@ -649,11 +585,9 @@ int ssl_get_handshake_digest(int idx, long *mask, const EVP_MD **md)
                {
                return 0;
                }
+        if (ssl_handshake_digest_flag[idx]==0) return 0;
        *mask = ssl_handshake_digest_flag[idx];
-        if (*mask)
+        *md = ssl_digest_methods[idx];
-                *md = ssl_digest_methods[idx];
-        else
-                *md = NULL;
        return 1;
 }
@@ -728,9 +662,6 @@ static void ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, un
        *mkey |= SSL_kPSK;
        *auth |= SSL_aPSK;
 #endif
-#ifdef OPENSSL_NO_SRP
-        *mkey |= SSL_kSRP;
-#endif
        /* Check for presence of GOST 34.10 algorithms, and if they
         * do not present, disable  appropriate auth and key exchange */
        if (!get_optional_pkey_id("gost94")) {
@@ -756,8 +687,6 @@ static void ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, un
        *enc |= (ssl_cipher_methods[SSL_ENC_IDEA_IDX] == NULL) ? SSL_IDEA:0;
        *enc |= (ssl_cipher_methods[SSL_ENC_AES128_IDX] == NULL) ? SSL_AES128:0;
        *enc |= (ssl_cipher_methods[SSL_ENC_AES256_IDX] == NULL) ? SSL_AES256:0;
-        *enc |= (ssl_cipher_methods[SSL_ENC_AES128GCM_IDX] == NULL) ? SSL_AES128GCM:0;
-        *enc |= (ssl_cipher_methods[SSL_ENC_AES256GCM_IDX] == NULL) ? SSL_AES256GCM:0;
        *enc |= (ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX] == NULL) ? SSL_CAMELLIA128:0;
        *enc |= (ssl_cipher_methods[SSL_ENC_CAMELLIA256_IDX] == NULL) ? SSL_CAMELLIA256:0;
        *enc |= (ssl_cipher_methods[SSL_ENC_GOST89_IDX] == NULL) ? SSL_eGOST2814789CNT:0;
@@ -765,8 +694,6 @@ static void ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, un
        *mac |= (ssl_digest_methods[SSL_MD_MD5_IDX ] == NULL) ? SSL_MD5 :0;
        *mac |= (ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL) ? SSL_SHA1:0;
-        *mac |= (ssl_digest_methods[SSL_MD_SHA256_IDX] == NULL) ? SSL_SHA256:0;
-        *mac |= (ssl_digest_methods[SSL_MD_SHA384_IDX] == NULL) ? SSL_SHA384:0;
        *mac |= (ssl_digest_methods[SSL_MD_GOST94_IDX] == NULL) ? SSL_GOST94:0;
        *mac |= (ssl_digest_methods[SSL_MD_GOST89MAC_IDX] == NULL || ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX]==NID_undef)? SSL_GOST89MAC:0;
@@ -797,9 +724,6 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
                c = ssl_method->get_cipher(i);
                /* drop those that use any of that is not available */
                if ((c != NULL) && c->valid &&
-#ifdef OPENSSL_FIPS
-                    (!FIPS_mode() || (c->algo_strength & SSL_FIPS)) &&
-#endif
                    !(c->algorithm_mkey & disabled_mkey) &&
                    !(c->algorithm_auth & disabled_auth) &&
                    !(c->algorithm_enc & disabled_enc) &&
@@ -1499,11 +1423,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
         */
        for (curr = head; curr != NULL; curr = curr->next)
                {
-#ifdef OPENSSL_FIPS
-                if (curr->active && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS))
-#else
                if (curr->active)
-#endif
                        {
                        sk_SSL_CIPHER_push(cipherstack, curr->cipher);
 #ifdef CIPHER_DEBUG
@@ -1560,8 +1480,6 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
                ver="SSLv2";
        else if (alg_ssl & SSL_SSLV3)
                ver="SSLv3";
-        else if (alg_ssl & SSL_TLSV1_2)
-                ver="TLSv1.2";
        else
                ver="unknown";
@@ -1594,9 +1512,6 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
        case SSL_kPSK:
                kx="PSK";
                break;
-        case SSL_kSRP:
-                kx="SRP";
-                break;
        default:
                kx="unknown";
                }
@@ -1659,12 +1574,6 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
        case SSL_AES256:
                enc="AES(256)";
                break;
-        case SSL_AES128GCM:
-                enc="AESGCM(128)";
-                break;
-        case SSL_AES256GCM:
-                enc="AESGCM(256)";
-                break;
        case SSL_CAMELLIA128:
                enc="Camellia(128)";
                break;
@@ -1687,15 +1596,6 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
        case SSL_SHA1:
                mac="SHA1";
                break;
-        case SSL_SHA256:
-                mac="SHA256";
-                break;
-        case SSL_SHA384:
-                mac="SHA384";
-                break;
-        case SSL_AEAD:
-                mac="AEAD";
-                break;
        default:
                mac="unknown";
                break;
@@ -1753,11 +1653,6 @@ int SSL_CIPHER_get_bits(const SSL_CIPHER *c, int *alg_bits)
        return(ret);
        }
-unsigned long SSL_CIPHER_get_id(const SSL_CIPHER *c)
-        {
-        return c->id;
-        }
 SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n)
        {
        SSL_COMP *ctmp;

diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c index 92d1e94d6a..54ba7ef5b4 100644 --- a/src/lib/libssl/ssl_ciph.c +++ b/src/lib/libssl/ssl_ciph.c
@@ -162,13 +162,11 @@
162	#define SSL_ENC_CAMELLIA256_IDX 9	162	#define SSL_ENC_CAMELLIA256_IDX 9
163	#define SSL_ENC_GOST89_IDX 10	163	#define SSL_ENC_GOST89_IDX 10
164	#define SSL_ENC_SEED_IDX 11	164	#define SSL_ENC_SEED_IDX 11
165	#define SSL_ENC_AES128GCM_IDX 12	165	#define SSL_ENC_NUM_IDX 12
166	#define SSL_ENC_AES256GCM_IDX 13
167	#define SSL_ENC_NUM_IDX 14
168		166
169		167
170	static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX]={	168	static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX]={
171	NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL	169	NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,
172	};	170	};
173		171
174	#define SSL_COMP_NULL_IDX 0	172	#define SSL_COMP_NULL_IDX 0
@@ -181,32 +179,28 @@ static STACK_OF(SSL_COMP) *ssl_comp_methods=NULL;
181	#define SSL_MD_SHA1_IDX 1	179	#define SSL_MD_SHA1_IDX 1
182	#define SSL_MD_GOST94_IDX 2	180	#define SSL_MD_GOST94_IDX 2
183	#define SSL_MD_GOST89MAC_IDX 3	181	#define SSL_MD_GOST89MAC_IDX 3
184	#define SSL_MD_SHA256_IDX 4
185	#define SSL_MD_SHA384_IDX 5
186	/*Constant SSL_MAX_DIGEST equal to size of digests array should be	182	/*Constant SSL_MAX_DIGEST equal to size of digests array should be
187	* defined in the	183	* defined in the
188	* ssl_locl.h */	184	* ssl_locl.h */
189	#define SSL_MD_NUM_IDX SSL_MAX_DIGEST	185	#define SSL_MD_NUM_IDX SSL_MAX_DIGEST
190	static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX]={	186	static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX]={
191	NULL,NULL,NULL,NULL,NULL,NULL	187	NULL,NULL,NULL,NULL
192	};	188	};
193	/* PKEY_TYPE for GOST89MAC is known in advance, but, because	189	/* PKEY_TYPE for GOST89MAC is known in advance, but, because
194	* implementation is engine-provided, we'll fill it only if	190	* implementation is engine-provided, we'll fill it only if
195	* corresponding EVP_PKEY_METHOD is found	191	* corresponding EVP_PKEY_METHOD is found
196	*/	192	*/
197	static int ssl_mac_pkey_id[SSL_MD_NUM_IDX]={	193	static int ssl_mac_pkey_id[SSL_MD_NUM_IDX]={
198	EVP_PKEY_HMAC,EVP_PKEY_HMAC,EVP_PKEY_HMAC,NID_undef,	194	EVP_PKEY_HMAC,EVP_PKEY_HMAC,EVP_PKEY_HMAC,NID_undef
199	EVP_PKEY_HMAC,EVP_PKEY_HMAC
200	};	195	};
201		196
202	static int ssl_mac_secret_size[SSL_MD_NUM_IDX]={	197	static int ssl_mac_secret_size[SSL_MD_NUM_IDX]={
203	0,0,0,0,0,0	198	0,0,0,0
204	};	199	};
205		200
206	static int ssl_handshake_digest_flag[SSL_MD_NUM_IDX]={	201	static int ssl_handshake_digest_flag[SSL_MD_NUM_IDX]={
207	SSL_HANDSHAKE_MAC_MD5,SSL_HANDSHAKE_MAC_SHA,	202	SSL_HANDSHAKE_MAC_MD5,SSL_HANDSHAKE_MAC_SHA,
208	SSL_HANDSHAKE_MAC_GOST94, 0, SSL_HANDSHAKE_MAC_SHA256,	203	SSL_HANDSHAKE_MAC_GOST94,0
209	SSL_HANDSHAKE_MAC_SHA384
210	};	204	};
211		205
212	#define CIPHER_ADD 1	206	#define CIPHER_ADD 1
@@ -253,7 +247,6 @@ static const SSL_CIPHER cipher_aliases[]={
253	{0,SSL_TXT_ECDH,0, SSL_kECDHr\|SSL_kECDHe\|SSL_kEECDH,0,0,0,0,0,0,0,0},	247	{0,SSL_TXT_ECDH,0, SSL_kECDHr\|SSL_kECDHe\|SSL_kEECDH,0,0,0,0,0,0,0,0},
254		248
255	{0,SSL_TXT_kPSK,0, SSL_kPSK, 0,0,0,0,0,0,0,0},	249	{0,SSL_TXT_kPSK,0, SSL_kPSK, 0,0,0,0,0,0,0,0},
256	{0,SSL_TXT_kSRP,0, SSL_kSRP, 0,0,0,0,0,0,0,0},
257	{0,SSL_TXT_kGOST,0, SSL_kGOST,0,0,0,0,0,0,0,0},	250	{0,SSL_TXT_kGOST,0, SSL_kGOST,0,0,0,0,0,0,0,0},
258		251
259	/* server authentication aliases */	252	/* server authentication aliases */
@@ -280,7 +273,6 @@ static const SSL_CIPHER cipher_aliases[]={
280	{0,SSL_TXT_ADH,0, SSL_kEDH,SSL_aNULL,0,0,0,0,0,0,0},	273	{0,SSL_TXT_ADH,0, SSL_kEDH,SSL_aNULL,0,0,0,0,0,0,0},
281	{0,SSL_TXT_AECDH,0, SSL_kEECDH,SSL_aNULL,0,0,0,0,0,0,0},	274	{0,SSL_TXT_AECDH,0, SSL_kEECDH,SSL_aNULL,0,0,0,0,0,0,0},
282	{0,SSL_TXT_PSK,0, SSL_kPSK,SSL_aPSK,0,0,0,0,0,0,0},	275	{0,SSL_TXT_PSK,0, SSL_kPSK,SSL_aPSK,0,0,0,0,0,0,0},
283	{0,SSL_TXT_SRP,0, SSL_kSRP,0,0,0,0,0,0,0,0},
284		276
285		277
286	/* symmetric encryption aliases */	278	/* symmetric encryption aliases */
@@ -291,10 +283,9 @@ static const SSL_CIPHER cipher_aliases[]={
291	{0,SSL_TXT_IDEA,0, 0,0,SSL_IDEA, 0,0,0,0,0,0},	283	{0,SSL_TXT_IDEA,0, 0,0,SSL_IDEA, 0,0,0,0,0,0},
292	{0,SSL_TXT_SEED,0, 0,0,SSL_SEED, 0,0,0,0,0,0},	284	{0,SSL_TXT_SEED,0, 0,0,SSL_SEED, 0,0,0,0,0,0},
293	{0,SSL_TXT_eNULL,0, 0,0,SSL_eNULL, 0,0,0,0,0,0},	285	{0,SSL_TXT_eNULL,0, 0,0,SSL_eNULL, 0,0,0,0,0,0},
294	{0,SSL_TXT_AES128,0, 0,0,SSL_AES128\|SSL_AES128GCM,0,0,0,0,0,0},	286	{0,SSL_TXT_AES128,0, 0,0,SSL_AES128,0,0,0,0,0,0},
295	{0,SSL_TXT_AES256,0, 0,0,SSL_AES256\|SSL_AES256GCM,0,0,0,0,0,0},	287	{0,SSL_TXT_AES256,0, 0,0,SSL_AES256,0,0,0,0,0,0},
296	{0,SSL_TXT_AES,0, 0,0,SSL_AES,0,0,0,0,0,0},	288	{0,SSL_TXT_AES,0, 0,0,SSL_AES128\|SSL_AES256,0,0,0,0,0,0},
297	{0,SSL_TXT_AES_GCM,0, 0,0,SSL_AES128GCM\|SSL_AES256GCM,0,0,0,0,0,0},
298	{0,SSL_TXT_CAMELLIA128,0,0,0,SSL_CAMELLIA128,0,0,0,0,0,0},	289	{0,SSL_TXT_CAMELLIA128,0,0,0,SSL_CAMELLIA128,0,0,0,0,0,0},
299	{0,SSL_TXT_CAMELLIA256,0,0,0,SSL_CAMELLIA256,0,0,0,0,0,0},	290	{0,SSL_TXT_CAMELLIA256,0,0,0,SSL_CAMELLIA256,0,0,0,0,0,0},
300	{0,SSL_TXT_CAMELLIA ,0,0,0,SSL_CAMELLIA128\|SSL_CAMELLIA256,0,0,0,0,0,0},	291	{0,SSL_TXT_CAMELLIA ,0,0,0,SSL_CAMELLIA128\|SSL_CAMELLIA256,0,0,0,0,0,0},
@@ -305,8 +296,6 @@ static const SSL_CIPHER cipher_aliases[]={
305	{0,SSL_TXT_SHA,0, 0,0,0,SSL_SHA1, 0,0,0,0,0},	296	{0,SSL_TXT_SHA,0, 0,0,0,SSL_SHA1, 0,0,0,0,0},
306	{0,SSL_TXT_GOST94,0, 0,0,0,SSL_GOST94, 0,0,0,0,0},	297	{0,SSL_TXT_GOST94,0, 0,0,0,SSL_GOST94, 0,0,0,0,0},
307	{0,SSL_TXT_GOST89MAC,0, 0,0,0,SSL_GOST89MAC, 0,0,0,0,0},	298	{0,SSL_TXT_GOST89MAC,0, 0,0,0,SSL_GOST89MAC, 0,0,0,0,0},
308	{0,SSL_TXT_SHA256,0, 0,0,0,SSL_SHA256, 0,0,0,0,0},
309	{0,SSL_TXT_SHA384,0, 0,0,0,SSL_SHA384, 0,0,0,0,0},
310		299
311	/* protocol version aliases */	300	/* protocol version aliases */
312	{0,SSL_TXT_SSLV2,0, 0,0,0,0,SSL_SSLV2, 0,0,0,0},	301	{0,SSL_TXT_SSLV2,0, 0,0,0,0,SSL_SSLV2, 0,0,0,0},
@@ -390,11 +379,6 @@ void ssl_load_ciphers(void)
390	ssl_cipher_methods[SSL_ENC_SEED_IDX]=	379	ssl_cipher_methods[SSL_ENC_SEED_IDX]=
391	EVP_get_cipherbyname(SN_seed_cbc);	380	EVP_get_cipherbyname(SN_seed_cbc);
392		381
393	ssl_cipher_methods[SSL_ENC_AES128GCM_IDX]=
394	EVP_get_cipherbyname(SN_aes_128_gcm);
395	ssl_cipher_methods[SSL_ENC_AES256GCM_IDX]=
396	EVP_get_cipherbyname(SN_aes_256_gcm);
397
398	ssl_digest_methods[SSL_MD_MD5_IDX]=	382	ssl_digest_methods[SSL_MD_MD5_IDX]=
399	EVP_get_digestbyname(SN_md5);	383	EVP_get_digestbyname(SN_md5);
400	ssl_mac_secret_size[SSL_MD_MD5_IDX]=	384	ssl_mac_secret_size[SSL_MD_MD5_IDX]=
@@ -420,14 +404,6 @@ void ssl_load_ciphers(void)
420	ssl_mac_secret_size[SSL_MD_GOST89MAC_IDX]=32;	404	ssl_mac_secret_size[SSL_MD_GOST89MAC_IDX]=32;
421	}	405	}
422		406
423	ssl_digest_methods[SSL_MD_SHA256_IDX]=
424	EVP_get_digestbyname(SN_sha256);
425	ssl_mac_secret_size[SSL_MD_SHA256_IDX]=
426	EVP_MD_size(ssl_digest_methods[SSL_MD_SHA256_IDX]);
427	ssl_digest_methods[SSL_MD_SHA384_IDX]=
428	EVP_get_digestbyname(SN_sha384);
429	ssl_mac_secret_size[SSL_MD_SHA384_IDX]=
430	EVP_MD_size(ssl_digest_methods[SSL_MD_SHA384_IDX]);
431	}	407	}
432	#ifndef OPENSSL_NO_COMP	408	#ifndef OPENSSL_NO_COMP
433		409
@@ -550,12 +526,6 @@ int ssl_cipher_get_evp(const SSL_SESSION s, const EVP_CIPHER *enc,
550	case SSL_SEED:	526	case SSL_SEED:
551	i=SSL_ENC_SEED_IDX;	527	i=SSL_ENC_SEED_IDX;
552	break;	528	break;
553	case SSL_AES128GCM:
554	i=SSL_ENC_AES128GCM_IDX;
555	break;
556	case SSL_AES256GCM:
557	i=SSL_ENC_AES256GCM_IDX;
558	break;
559	default:	529	default:
560	i= -1;	530	i= -1;
561	break;	531	break;
@@ -579,12 +549,6 @@ int ssl_cipher_get_evp(const SSL_SESSION s, const EVP_CIPHER *enc,
579	case SSL_SHA1:	549	case SSL_SHA1:
580	i=SSL_MD_SHA1_IDX;	550	i=SSL_MD_SHA1_IDX;
581	break;	551	break;
582	case SSL_SHA256:
583	i=SSL_MD_SHA256_IDX;
584	break;
585	case SSL_SHA384:
586	i=SSL_MD_SHA384_IDX;
587	break;
588	case SSL_GOST94:	552	case SSL_GOST94:
589	i = SSL_MD_GOST94_IDX;	553	i = SSL_MD_GOST94_IDX;
590	break;	554	break;
@@ -600,45 +564,17 @@ int ssl_cipher_get_evp(const SSL_SESSION s, const EVP_CIPHER *enc,
600	*md=NULL;	564	*md=NULL;
601	if (mac_pkey_type!=NULL) *mac_pkey_type = NID_undef;	565	if (mac_pkey_type!=NULL) *mac_pkey_type = NID_undef;
602	if (mac_secret_size!=NULL) *mac_secret_size = 0;	566	if (mac_secret_size!=NULL) *mac_secret_size = 0;
603	if (c->algorithm_mac == SSL_AEAD)	567
604	mac_pkey_type = NULL;
605	}	568	}
606	else	569	else
607	{	570	{
608	*md=ssl_digest_methods[i];	571	*md=ssl_digest_methods[i];
609	if (mac_pkey_type!=NULL) *mac_pkey_type = ssl_mac_pkey_id[i];	572	if (mac_pkey_type!=NULL) *mac_pkey_type = ssl_mac_pkey_id[i];
610	if (mac_secret_size!=NULL) *mac_secret_size = ssl_mac_secret_size[i];	573	if (mac_secret_size!=NULL) *mac_secret_size = ssl_mac_secret_size[i];
611	}	574	}
612
613	if ((*enc != NULL) &&
614	(md != NULL \|\| (EVP_CIPHER_flags(enc)&EVP_CIPH_FLAG_AEAD_CIPHER)) &&
615	(!mac_pkey_type\|\|*mac_pkey_type != NID_undef))
616	{
617	const EVP_CIPHER *evp;
618
619	if (s->ssl_version>>8 != TLS1_VERSION_MAJOR \|\|
620	s->ssl_version < TLS1_VERSION)
621	return 1;
622
623	#ifdef OPENSSL_FIPS
624	if (FIPS_mode())
625	return 1;
626	#endif
627		575
628	if (c->algorithm_enc == SSL_RC4 &&	576	if ((enc != NULL) && (md != NULL) && (!mac_pkey_type\|\|*mac_pkey_type != NID_undef))
629	c->algorithm_mac == SSL_MD5 &&
630	(evp=EVP_get_cipherbyname("RC4-HMAC-MD5")))
631	enc = evp, md = NULL;
632	else if (c->algorithm_enc == SSL_AES128 &&
633	c->algorithm_mac == SSL_SHA1 &&
634	(evp=EVP_get_cipherbyname("AES-128-CBC-HMAC-SHA1")))
635	enc = evp, md = NULL;
636	else if (c->algorithm_enc == SSL_AES256 &&
637	c->algorithm_mac == SSL_SHA1 &&
638	(evp=EVP_get_cipherbyname("AES-256-CBC-HMAC-SHA1")))
639	enc = evp, md = NULL;
640	return(1);	577	return(1);
641	}
642	else	578	else
643	return(0);	579	return(0);
644	}	580	}
@@ -649,11 +585,9 @@ int ssl_get_handshake_digest(int idx, long mask, const EVP_MD *md)
649	{	585	{
650	return 0;	586	return 0;
651	}	587	}
		588	if (ssl_handshake_digest_flag[idx]==0) return 0;
652	*mask = ssl_handshake_digest_flag[idx];	589	*mask = ssl_handshake_digest_flag[idx];
653	if (*mask)	590	*md = ssl_digest_methods[idx];
654	*md = ssl_digest_methods[idx];
655	else
656	*md = NULL;
657	return 1;	591	return 1;
658	}	592	}
659		593
@@ -728,9 +662,6 @@ static void ssl_cipher_get_disabled(unsigned long mkey, unsigned long auth, un
728	*mkey \|= SSL_kPSK;	662	*mkey \|= SSL_kPSK;
729	*auth \|= SSL_aPSK;	663	*auth \|= SSL_aPSK;
730	#endif	664	#endif
731	#ifdef OPENSSL_NO_SRP
732	*mkey \|= SSL_kSRP;
733	#endif
734	/* Check for presence of GOST 34.10 algorithms, and if they	665	/* Check for presence of GOST 34.10 algorithms, and if they
735	* do not present, disable appropriate auth and key exchange */	666	* do not present, disable appropriate auth and key exchange */
736	if (!get_optional_pkey_id("gost94")) {	667	if (!get_optional_pkey_id("gost94")) {
@@ -756,8 +687,6 @@ static void ssl_cipher_get_disabled(unsigned long mkey, unsigned long auth, un
756	*enc \|= (ssl_cipher_methods[SSL_ENC_IDEA_IDX] == NULL) ? SSL_IDEA:0;	687	*enc \|= (ssl_cipher_methods[SSL_ENC_IDEA_IDX] == NULL) ? SSL_IDEA:0;
757	*enc \|= (ssl_cipher_methods[SSL_ENC_AES128_IDX] == NULL) ? SSL_AES128:0;	688	*enc \|= (ssl_cipher_methods[SSL_ENC_AES128_IDX] == NULL) ? SSL_AES128:0;
758	*enc \|= (ssl_cipher_methods[SSL_ENC_AES256_IDX] == NULL) ? SSL_AES256:0;	689	*enc \|= (ssl_cipher_methods[SSL_ENC_AES256_IDX] == NULL) ? SSL_AES256:0;
759	*enc \|= (ssl_cipher_methods[SSL_ENC_AES128GCM_IDX] == NULL) ? SSL_AES128GCM:0;
760	*enc \|= (ssl_cipher_methods[SSL_ENC_AES256GCM_IDX] == NULL) ? SSL_AES256GCM:0;
761	*enc \|= (ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX] == NULL) ? SSL_CAMELLIA128:0;	690	*enc \|= (ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX] == NULL) ? SSL_CAMELLIA128:0;
762	*enc \|= (ssl_cipher_methods[SSL_ENC_CAMELLIA256_IDX] == NULL) ? SSL_CAMELLIA256:0;	691	*enc \|= (ssl_cipher_methods[SSL_ENC_CAMELLIA256_IDX] == NULL) ? SSL_CAMELLIA256:0;
763	*enc \|= (ssl_cipher_methods[SSL_ENC_GOST89_IDX] == NULL) ? SSL_eGOST2814789CNT:0;	692	*enc \|= (ssl_cipher_methods[SSL_ENC_GOST89_IDX] == NULL) ? SSL_eGOST2814789CNT:0;
@@ -765,8 +694,6 @@ static void ssl_cipher_get_disabled(unsigned long mkey, unsigned long auth, un
765		694
766	*mac \|= (ssl_digest_methods[SSL_MD_MD5_IDX ] == NULL) ? SSL_MD5 :0;	695	*mac \|= (ssl_digest_methods[SSL_MD_MD5_IDX ] == NULL) ? SSL_MD5 :0;
767	*mac \|= (ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL) ? SSL_SHA1:0;	696	*mac \|= (ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL) ? SSL_SHA1:0;
768	*mac \|= (ssl_digest_methods[SSL_MD_SHA256_IDX] == NULL) ? SSL_SHA256:0;
769	*mac \|= (ssl_digest_methods[SSL_MD_SHA384_IDX] == NULL) ? SSL_SHA384:0;
770	*mac \|= (ssl_digest_methods[SSL_MD_GOST94_IDX] == NULL) ? SSL_GOST94:0;	697	*mac \|= (ssl_digest_methods[SSL_MD_GOST94_IDX] == NULL) ? SSL_GOST94:0;
771	*mac \|= (ssl_digest_methods[SSL_MD_GOST89MAC_IDX] == NULL \|\| ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX]==NID_undef)? SSL_GOST89MAC:0;	698	*mac \|= (ssl_digest_methods[SSL_MD_GOST89MAC_IDX] == NULL \|\| ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX]==NID_undef)? SSL_GOST89MAC:0;
772		699
@@ -797,9 +724,6 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
797	c = ssl_method->get_cipher(i);	724	c = ssl_method->get_cipher(i);
798	/* drop those that use any of that is not available */	725	/* drop those that use any of that is not available */
799	if ((c != NULL) && c->valid &&	726	if ((c != NULL) && c->valid &&
800	#ifdef OPENSSL_FIPS
801	(!FIPS_mode() \|\| (c->algo_strength & SSL_FIPS)) &&
802	#endif
803	!(c->algorithm_mkey & disabled_mkey) &&	727	!(c->algorithm_mkey & disabled_mkey) &&
804	!(c->algorithm_auth & disabled_auth) &&	728	!(c->algorithm_auth & disabled_auth) &&
805	!(c->algorithm_enc & disabled_enc) &&	729	!(c->algorithm_enc & disabled_enc) &&
@@ -1499,11 +1423,7 @@ STACK_OF(SSL_CIPHER) ssl_create_cipher_list(const SSL_METHOD ssl_method,
1499	*/	1423	*/
1500	for (curr = head; curr != NULL; curr = curr->next)	1424	for (curr = head; curr != NULL; curr = curr->next)
1501	{	1425	{
1502	#ifdef OPENSSL_FIPS
1503	if (curr->active && (!FIPS_mode() \|\| curr->cipher->algo_strength & SSL_FIPS))
1504	#else
1505	if (curr->active)	1426	if (curr->active)
1506	#endif
1507	{	1427	{
1508	sk_SSL_CIPHER_push(cipherstack, curr->cipher);	1428	sk_SSL_CIPHER_push(cipherstack, curr->cipher);
1509	#ifdef CIPHER_DEBUG	1429	#ifdef CIPHER_DEBUG
@@ -1560,8 +1480,6 @@ char SSL_CIPHER_description(const SSL_CIPHER cipher, char *buf, int len)
1560	ver="SSLv2";	1480	ver="SSLv2";
1561	else if (alg_ssl & SSL_SSLV3)	1481	else if (alg_ssl & SSL_SSLV3)
1562	ver="SSLv3";	1482	ver="SSLv3";
1563	else if (alg_ssl & SSL_TLSV1_2)
1564	ver="TLSv1.2";
1565	else	1483	else
1566	ver="unknown";	1484	ver="unknown";
1567		1485
@@ -1594,9 +1512,6 @@ char SSL_CIPHER_description(const SSL_CIPHER cipher, char *buf, int len)
1594	case SSL_kPSK:	1512	case SSL_kPSK:
1595	kx="PSK";	1513	kx="PSK";
1596	break;	1514	break;
1597	case SSL_kSRP:
1598	kx="SRP";
1599	break;
1600	default:	1515	default:
1601	kx="unknown";	1516	kx="unknown";
1602	}	1517	}
@@ -1659,12 +1574,6 @@ char SSL_CIPHER_description(const SSL_CIPHER cipher, char *buf, int len)
1659	case SSL_AES256:	1574	case SSL_AES256:
1660	enc="AES(256)";	1575	enc="AES(256)";
1661	break;	1576	break;
1662	case SSL_AES128GCM:
1663	enc="AESGCM(128)";
1664	break;
1665	case SSL_AES256GCM:
1666	enc="AESGCM(256)";
1667	break;
1668	case SSL_CAMELLIA128:	1577	case SSL_CAMELLIA128:
1669	enc="Camellia(128)";	1578	enc="Camellia(128)";
1670	break;	1579	break;
@@ -1687,15 +1596,6 @@ char SSL_CIPHER_description(const SSL_CIPHER cipher, char *buf, int len)
1687	case SSL_SHA1:	1596	case SSL_SHA1:
1688	mac="SHA1";	1597	mac="SHA1";
1689	break;	1598	break;
1690	case SSL_SHA256:
1691	mac="SHA256";
1692	break;
1693	case SSL_SHA384:
1694	mac="SHA384";
1695	break;
1696	case SSL_AEAD:
1697	mac="AEAD";
1698	break;
1699	default:	1599	default:
1700	mac="unknown";	1600	mac="unknown";
1701	break;	1601	break;
@@ -1753,11 +1653,6 @@ int SSL_CIPHER_get_bits(const SSL_CIPHER c, int alg_bits)
1753	return(ret);	1653	return(ret);
1754	}	1654	}
1755		1655
1756	unsigned long SSL_CIPHER_get_id(const SSL_CIPHER *c)
1757	{
1758	return c->id;
1759	}
1760
1761	SSL_COMP ssl3_comp_find(STACK_OF(SSL_COMP) sk, int n)	1656	SSL_COMP ssl3_comp_find(STACK_OF(SSL_COMP) sk, int n)
1762	{	1657	{
1763	SSL_COMP *ctmp;	1658	SSL_COMP *ctmp;