mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2025-04-12 20:30:52 +08:00
Code Issues Packages Projects Releases Wiki Activity

Apply Lutz Behnke's 56 bit cipher patch with a few

Browse Source 
minor changes.

Docs haven't been added at this stage. They are probably
best included in the 'ciphers' program docs.
This commit is contained in:
Dr. Stephen Henson 2000-01-22 03:17:06 +00:00
parent 3604a4d3d1
commit 018e57c74d
12 changed files with 893 additions and 390 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
CHANGES
View File

@ -4,6 +4,15 @@
Changes between 0.9.4 and 0.9.5 [xx XXX 1999]
*) Apply Lutz Behnke's 56bit cipher patch. This should fix the problems with cipher
ordering and the new EXPORT1024 ciphers. Only two minor changes have been
made, the error reason codes have been altered and the @STRENGTH sorting
behaviour changed so eNULL ciphers are also sorted (if present).
One other addition: the "ciphers" program didn't check the return code
of SSL_CTX_set_cipher_list().
[Lutz Behnke <behnke@trustcenter.de>, minor changes by Steve Henson]
*) Minor change to 'x509' utility. The -CAcreateserial option now uses 1
for the first serial number and places 2 in the serial number file. This
avoids problems when the root CA is created with serial number zero and

8
apps/ciphers.c
View File

@ -145,8 +145,12 @@ int MAIN(int argc, char **argv)
ctx=SSL_CTX_new(meth);
if (ctx == NULL) goto err;
if (ciphers != NULL)
SSL_CTX_set_cipher_list(ctx,ciphers);
if (ciphers != NULL) {
if(!SSL_CTX_set_cipher_list(ctx,ciphers)) {
BIO_printf(bio_err, "Error in cipher list\n");
goto err;
}
}
ssl=SSL_new(ctx);
if (ssl == NULL) goto err;

57
ssl/s2_lib.c
View File

@ -75,9 +75,12 @@ OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[]={
1,
SSL2_TXT_NULL_WITH_MD5,
SSL2_CK_NULL_WITH_MD5,
SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5|SSL_EXP40|SSL_SSLV2,
SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5|SSL_SSLV2,
SSL_EXPORT|SSL_EXP40,
0,
0,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
#endif
/* RC4_128_EXPORT40_WITH_MD5 */
@ -85,63 +88,91 @@ OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[]={
1,
SSL2_TXT_RC4_128_EXPORT40_WITH_MD5,
SSL2_CK_RC4_128_EXPORT40_WITH_MD5,
SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_EXP40|SSL_SSLV2,
SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_SSLV2,
SSL_EXPORT|SSL_EXP40,
SSL2_CF_5_BYTE_ENC,
40,
128,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* RC4_128_WITH_MD5 */
{
1,
SSL2_TXT_RC4_128_WITH_MD5,
SSL2_CK_RC4_128_WITH_MD5,
SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_NOT_EXP|SSL_SSLV2|SSL_MEDIUM,
SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_SSLV2,
SSL_NOT_EXP|SSL_MEDIUM,
0,
128,
128,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* RC2_128_CBC_EXPORT40_WITH_MD5 */
{
1,
SSL2_TXT_RC2_128_CBC_EXPORT40_WITH_MD5,
SSL2_CK_RC2_128_CBC_EXPORT40_WITH_MD5,
SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_EXP40|SSL_SSLV2,
SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_SSLV2,
SSL_EXPORT|SSL_EXP40,
SSL2_CF_5_BYTE_ENC,
40,
128,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* RC2_128_CBC_WITH_MD5 */
{
1,
SSL2_TXT_RC2_128_CBC_WITH_MD5,
SSL2_CK_RC2_128_CBC_WITH_MD5,
SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_NOT_EXP|SSL_SSLV2|SSL_MEDIUM,
SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_SSLV2,
SSL_NOT_EXP|SSL_MEDIUM,
0,
128,
128,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* IDEA_128_CBC_WITH_MD5 */
{
1,
SSL2_TXT_IDEA_128_CBC_WITH_MD5,
SSL2_CK_IDEA_128_CBC_WITH_MD5,
SSL_kRSA|SSL_aRSA|SSL_IDEA|SSL_MD5|SSL_NOT_EXP|SSL_SSLV2|SSL_MEDIUM,
SSL_kRSA|SSL_aRSA|SSL_IDEA|SSL_MD5|SSL_SSLV2,
SSL_NOT_EXP|SSL_MEDIUM,
0,
128,
128,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* DES_64_CBC_WITH_MD5 */
{
1,
SSL2_TXT_DES_64_CBC_WITH_MD5,
SSL2_CK_DES_64_CBC_WITH_MD5,
SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5|SSL_NOT_EXP|SSL_SSLV2|SSL_LOW,
SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5|SSL_SSLV2,
SSL_NOT_EXP|SSL_LOW,
0,
56,
56,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* DES_192_EDE3_CBC_WITH_MD5 */
{
1,
SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5,
SSL2_CK_DES_192_EDE3_CBC_WITH_MD5,
SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5|SSL_NOT_EXP|SSL_SSLV2|SSL_HIGH,
SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5|SSL_SSLV2,
SSL_NOT_EXP|SSL_HIGH,
0,
168,
168,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* RC4_64_WITH_MD5 */
#if 1
@ -149,9 +180,13 @@ OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[]={
1,
SSL2_TXT_RC4_64_WITH_MD5,
SSL2_CK_RC4_64_WITH_MD5,
SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_SSLV2|SSL_LOW,
SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_SSLV2,
SSL_NOT_EXP|SSL_LOW,
SSL2_CF_8_BYTE_ENC,
64,
64,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
#endif
/* NULL SSLeay (testing) */
@ -161,7 +196,11 @@ OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[]={
SSL2_TXT_NULL,
SSL2_CK_NULL,
0,
0,
0,
0,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
#endif

6
ssl/s3_clnt.c
View File

@ -1688,13 +1688,13 @@ static int ssl3_check_cert_and_algorithm(SSL *s)
#endif
#endif
if (SSL_IS_EXPORT(algs) && !has_bits(i,EVP_PKT_EXP))
if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i,EVP_PKT_EXP))
{
#ifndef NO_RSA
if (algs & SSL_kRSA)
{
if (rsa == NULL
|| RSA_size(rsa) > SSL_EXPORT_PKEYLENGTH(algs))
|| RSA_size(rsa) > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher))
{
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_RSA_KEY);
goto f_err;
@ -1706,7 +1706,7 @@ static int ssl3_check_cert_and_algorithm(SSL *s)
if (algs & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
{
if (dh == NULL
|| DH_size(dh) > SSL_EXPORT_PKEYLENGTH(algs))
|| DH_size(dh) > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher))
{
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_DH_KEY);
goto f_err;

236
ssl/s3_lib.c
View File

@ -75,18 +75,26 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1,
SSL3_TXT_RSA_NULL_MD5,
SSL3_CK_RSA_NULL_MD5,
SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_MD5|SSL_NOT_EXP|SSL_SSLV3,
SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_MD5|SSL_SSLV3,
SSL_NOT_EXP,
0,
0,
0,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 02 */
{
1,
SSL3_TXT_RSA_NULL_SHA,
SSL3_CK_RSA_NULL_SHA,
SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3,
SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_SHA1|SSL_SSLV3,
SSL_NOT_EXP,
0,
0,
0,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* anon DH */
@ -95,45 +103,65 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1,
SSL3_TXT_ADH_RC4_40_MD5,
SSL3_CK_ADH_RC4_40_MD5,
SSL_kEDH |SSL_aNULL|SSL_RC4 |SSL_MD5 |SSL_EXP40|SSL_SSLV3,
SSL_kEDH |SSL_aNULL|SSL_RC4 |SSL_MD5 |SSL_SSLV3,
SSL_EXPORT|SSL_EXP40,
0,
40,
128,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 18 */
{
1,
SSL3_TXT_ADH_RC4_128_MD5,
SSL3_CK_ADH_RC4_128_MD5,
SSL_kEDH |SSL_aNULL|SSL_RC4 |SSL_MD5|SSL_NOT_EXP|SSL_SSLV3,
SSL_kEDH |SSL_aNULL|SSL_RC4 |SSL_MD5 |SSL_SSLV3,
SSL_NOT_EXP,
0,
128,
128,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 19 */
{
1,
SSL3_TXT_ADH_DES_40_CBC_SHA,
SSL3_CK_ADH_DES_40_CBC_SHA,
SSL_kEDH |SSL_aNULL|SSL_DES|SSL_SHA1|SSL_EXP40|SSL_SSLV3,
SSL_kEDH |SSL_aNULL|SSL_DES|SSL_SHA1|SSL_SSLV3,
SSL_EXPORT|SSL_EXP40,
0,
40,
128,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 1A */
{
1,
SSL3_TXT_ADH_DES_64_CBC_SHA,
SSL3_CK_ADH_DES_64_CBC_SHA,
SSL_kEDH |SSL_aNULL|SSL_DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3,
SSL_kEDH |SSL_aNULL|SSL_DES |SSL_SHA1|SSL_SSLV3,
SSL_NOT_EXP,
0,
56,
56,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 1B */
{
1,
SSL3_TXT_ADH_DES_192_CBC_SHA,
SSL3_CK_ADH_DES_192_CBC_SHA,
SSL_kEDH |SSL_aNULL|SSL_3DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3,
SSL_kEDH |SSL_aNULL|SSL_3DES |SSL_SHA1|SSL_SSLV3,
SSL_NOT_EXP,
0,
168,
168,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* RSA again */
@ -142,72 +170,104 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1,
SSL3_TXT_RSA_RC4_40_MD5,
SSL3_CK_RSA_RC4_40_MD5,
SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_MD5 |SSL_EXP40|SSL_SSLV3,
SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_MD5 |SSL_SSLV3,
SSL_EXPORT|SSL_EXP40,
0,
40,
128,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 04 */
{
1,
SSL3_TXT_RSA_RC4_128_MD5,
SSL3_CK_RSA_RC4_128_MD5,
SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_MD5|SSL_NOT_EXP|SSL_SSLV3|SSL_MEDIUM,
SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_MD5|SSL_SSLV3,
SSL_NOT_EXP|SSL_MEDIUM,
0,
128,
128,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 05 */
{
1,
SSL3_TXT_RSA_RC4_128_SHA,
SSL3_CK_RSA_RC4_128_SHA,
SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_MEDIUM,
SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_SHA1|SSL_SSLV3,
SSL_NOT_EXP|SSL_MEDIUM,
0,
128,
128,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 06 */
{
1,
SSL3_TXT_RSA_RC2_40_MD5,
SSL3_CK_RSA_RC2_40_MD5,
SSL_kRSA|SSL_aRSA|SSL_RC2 |SSL_MD5 |SSL_EXP40|SSL_SSLV3,
SSL_kRSA|SSL_aRSA|SSL_RC2 |SSL_MD5 |SSL_SSLV3,
SSL_EXPORT|SSL_EXP40,
0,
40,
128,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 07 */
{
1,
SSL3_TXT_RSA_IDEA_128_SHA,
SSL3_CK_RSA_IDEA_128_SHA,
SSL_kRSA|SSL_aRSA|SSL_IDEA |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_MEDIUM,
SSL_kRSA|SSL_aRSA|SSL_IDEA |SSL_SHA1|SSL_SSLV3,
SSL_NOT_EXP|SSL_MEDIUM,
0,
128,
128,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 08 */
{
1,
SSL3_TXT_RSA_DES_40_CBC_SHA,
SSL3_CK_RSA_DES_40_CBC_SHA,
SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_EXP40|SSL_SSLV3,
SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_SSLV3,
SSL_EXPORT|SSL_EXP40,
0,
40,
56,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 09 */
{
1,
SSL3_TXT_RSA_DES_64_CBC_SHA,
SSL3_CK_RSA_DES_64_CBC_SHA,
SSL_kRSA|SSL_aRSA|SSL_DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_LOW,
SSL_kRSA|SSL_aRSA|SSL_DES |SSL_SHA1|SSL_SSLV3,
SSL_NOT_EXP|SSL_LOW,
0,
56,
56,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 0A */
{
1,
SSL3_TXT_RSA_DES_192_CBC3_SHA,
SSL3_CK_RSA_DES_192_CBC3_SHA,
SSL_kRSA|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_HIGH,
SSL_kRSA|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3,
SSL_NOT_EXP|SSL_HIGH,
0,
168,
168,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* The DH ciphers */
@ -216,54 +276,78 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
0,
SSL3_TXT_DH_DSS_DES_40_CBC_SHA,
SSL3_CK_DH_DSS_DES_40_CBC_SHA,
SSL_kDHd |SSL_aDH|SSL_DES|SSL_SHA1|SSL_EXP40|SSL_SSLV3,
SSL_kDHd |SSL_aDH|SSL_DES|SSL_SHA1|SSL_SSLV3,
SSL_EXPORT|SSL_EXP40,
0,
40,
56,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 0C */
{
0,
SSL3_TXT_DH_DSS_DES_64_CBC_SHA,
SSL3_CK_DH_DSS_DES_64_CBC_SHA,
SSL_kDHd |SSL_aDH|SSL_DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_LOW,
SSL_kDHd |SSL_aDH|SSL_DES |SSL_SHA1|SSL_SSLV3,
SSL_NOT_EXP|SSL_LOW,
0,
56,
56,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 0D */
{
0,
SSL3_TXT_DH_DSS_DES_192_CBC3_SHA,
SSL3_CK_DH_DSS_DES_192_CBC3_SHA,
SSL_kDHd |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_HIGH,
SSL_kDHd |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3,
SSL_NOT_EXP|SSL_HIGH,
0,
168,
168,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 0E */
{
0,
SSL3_TXT_DH_RSA_DES_40_CBC_SHA,
SSL3_CK_DH_RSA_DES_40_CBC_SHA,
SSL_kDHr |SSL_aDH|SSL_DES|SSL_SHA1|SSL_EXP40|SSL_SSLV3,
SSL_kDHr |SSL_aDH|SSL_DES|SSL_SHA1|SSL_SSLV3,
SSL_EXPORT|SSL_EXP40,
0,
40,
56,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 0F */
{
0,
SSL3_TXT_DH_RSA_DES_64_CBC_SHA,
SSL3_CK_DH_RSA_DES_64_CBC_SHA,
SSL_kDHr |SSL_aDH|SSL_DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_LOW,
SSL_kDHr |SSL_aDH|SSL_DES |SSL_SHA1|SSL_SSLV3,
SSL_NOT_EXP|SSL_LOW,
0,
56,
56,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 10 */
{
0,
SSL3_TXT_DH_RSA_DES_192_CBC3_SHA,
SSL3_CK_DH_RSA_DES_192_CBC3_SHA,
SSL_kDHr |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_HIGH,
SSL_kDHr |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3,
SSL_NOT_EXP|SSL_HIGH,
0,
168,
168,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* The Ephemeral DH ciphers */
@ -272,54 +356,78 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1,
SSL3_TXT_EDH_DSS_DES_40_CBC_SHA,
SSL3_CK_EDH_DSS_DES_40_CBC_SHA,
SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA1|SSL_EXP40|SSL_SSLV3,
SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA1|SSL_SSLV3,
SSL_EXPORT|SSL_EXP40,
0,
40,
56,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 12 */
{
1,
SSL3_TXT_EDH_DSS_DES_64_CBC_SHA,
SSL3_CK_EDH_DSS_DES_64_CBC_SHA,
SSL_kEDH|SSL_aDSS|SSL_DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_LOW,
SSL_kEDH|SSL_aDSS|SSL_DES |SSL_SHA1|SSL_SSLV3,
SSL_NOT_EXP|SSL_LOW,
0,
56,
56,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 13 */
{
1,
SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA,
SSL3_CK_EDH_DSS_DES_192_CBC3_SHA,
SSL_kEDH|SSL_aDSS|SSL_3DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_HIGH,
SSL_kEDH|SSL_aDSS|SSL_3DES |SSL_SHA1|SSL_SSLV3,
SSL_NOT_EXP|SSL_HIGH,
0,
168,
168,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 14 */
{
1,
SSL3_TXT_EDH_RSA_DES_40_CBC_SHA,
SSL3_CK_EDH_RSA_DES_40_CBC_SHA,
SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_EXP40|SSL_SSLV3,
SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_SSLV3,
SSL_EXPORT|SSL_EXP40,
0,
40,
56,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 15 */
{
1,
SSL3_TXT_EDH_RSA_DES_64_CBC_SHA,
SSL3_CK_EDH_RSA_DES_64_CBC_SHA,
SSL_kEDH|SSL_aRSA|SSL_DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_LOW,
SSL_kEDH|SSL_aRSA|SSL_DES |SSL_SHA1|SSL_SSLV3,
SSL_NOT_EXP|SSL_LOW,
0,
56,
56,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 16 */
{
1,
SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA,
SSL3_CK_EDH_RSA_DES_192_CBC3_SHA,
SSL_kEDH|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_HIGH,
SSL_kEDH|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3,
SSL_NOT_EXP|SSL_HIGH,
0,
168,
168,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Fortezza */
@ -328,9 +436,13 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
0,
SSL3_TXT_FZA_DMS_NULL_SHA,
SSL3_CK_FZA_DMS_NULL_SHA,
SSL_kFZA|SSL_aFZA |SSL_eNULL |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3,
SSL_kFZA|SSL_aFZA |SSL_eNULL |SSL_SHA1|SSL_SSLV3,
SSL_NOT_EXP,
0,
0,
0,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 1D */
@ -338,9 +450,13 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
0,
SSL3_TXT_FZA_DMS_FZA_SHA,
SSL3_CK_FZA_DMS_FZA_SHA,
SSL_kFZA|SSL_aFZA |SSL_eFZA |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3,
SSL_kFZA|SSL_aFZA |SSL_eFZA |SSL_SHA1|SSL_SSLV3,
SSL_NOT_EXP,
0,
0,
0,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 1E */
@ -348,9 +464,13 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
0,
SSL3_TXT_FZA_DMS_RC4_SHA,
SSL3_CK_FZA_DMS_RC4_SHA,
SSL_kFZA|SSL_aFZA |SSL_RC4 |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3,
SSL_kFZA|SSL_aFZA |SSL_RC4 |SSL_SHA1|SSL_SSLV3,
SSL_NOT_EXP,
0,
128,
128,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
#if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES
@ -360,54 +480,78 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1,
TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5,
TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5,
SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_EXP56|SSL_TLSV1,
SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_TLSV1,
SSL_EXPORT|SSL_EXP56,
0,
SSL_ALL_CIPHERS
56,
128,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 61 */
{
1,
TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5,
TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5,
SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_EXP56|SSL_TLSV1,
SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_TLSV1,
SSL_EXPORT|SSL_EXP56,
0,
SSL_ALL_CIPHERS
56,
128,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 62 */
{
1,
TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA,
TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA,
SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA|SSL_EXP56|SSL_TLSV1,
SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA|SSL_TLSV1,
SSL_EXPORT|SSL_EXP56,
0,
SSL_ALL_CIPHERS
56,
56,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 63 */
{
1,
TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA|SSL_EXP56|SSL_TLSV1,
SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA|SSL_TLSV1,
SSL_EXPORT|SSL_EXP56,
0,
SSL_ALL_CIPHERS
56,
56,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 64 */
{
1,
TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA,
TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA,
SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_EXP56|SSL_TLSV1,
SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
SSL_EXPORT|SSL_EXP56,
0,
SSL_ALL_CIPHERS
56,
128,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 65 */
{
1,
TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_EXP56|SSL_TLSV1,
SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1,
SSL_EXPORT|SSL_EXP56,
0,
SSL_ALL_CIPHERS
56,
128,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 66 */
{
@ -415,8 +559,12 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA,
TLS1_CK_DHE_DSS_WITH_RC4_128_SHA,
SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP,
0,
SSL_ALL_CIPHERS
128,
128,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS
},
#endif
@ -897,7 +1045,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *have,
emask=cert->export_mask;
alg=c->algorithms&(SSL_MKEY_MASK|SSL_AUTH_MASK);
if (SSL_IS_EXPORT(c->algorithms))
if (SSL_C_IS_EXPORT(c))
{
ok=((alg & emask) == alg)?1:0;
#ifdef CIPHER_DEBUG

4
ssl/s3_srvr.c
View File

@ -270,8 +270,8 @@ int ssl3_accept(SSL *s)
|| (l & (SSL_DH|SSL_kFZA))
|| ((l & SSL_kRSA)
&& (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
|| (SSL_IS_EXPORT(l)
&& EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_EXPORT_PKEYLENGTH(l)
|| (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)
&& EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)
)
)
)

18
ssl/ssl.h
View File

@ -123,8 +123,9 @@ extern "C" {
#define SSL_TXT_MD5 "MD5"
#define SSL_TXT_SHA1 "SHA1"
#define SSL_TXT_SHA "SHA"
#define SSL_TXT_EXP40 "EXP"
#define SSL_TXT_EXP "EXP"
#define SSL_TXT_EXPORT "EXPORT"
#define SSL_TXT_EXP40 "EXPORT40"
#define SSL_TXT_EXP56 "EXPORT56"
#define SSL_TXT_SSLV2 "SSLv2"
#define SSL_TXT_SSLV3 "SSLv3"
@ -134,10 +135,10 @@ extern "C" {
/* 'DEFAULT' at the start of the cipher list insert the following string
* in addition to this being the default cipher string */
#ifndef NO_RSA
#define SSL_DEFAULT_CIPHER_LIST "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
#define SSL_DEFAULT_CIPHER_LIST "ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH"
#else
#define SSL_ALLOW_ADH
#define SSL_DEFAULT_CIPHER_LIST "HIGH:MEDIUM:LOW:ADH+3DES:ADH+RC4:ADH+DES:+EXP"
#define SSL_DEFAULT_CIPHER_LIST "ALL:ADH+3DES:ADH+RC4:ADH+DES:@STRENGTH"
#endif
/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
@ -170,8 +171,12 @@ typedef struct ssl_cipher_st
const char *name; /* text name */
unsigned long id; /* id, 4 bytes, first is version */
unsigned long algorithms; /* what ciphers are used */
unsigned long algo_strength; /* strength and export flags */
unsigned long algorithm2; /* Extra flags */
int strength_bits; /* Number of bits really used */
int alg_bits; /* Number of bits for algorithm */
unsigned long mask; /* used for matching */
unsigned long mask_strength; /* also used for matching */
} SSL_CIPHER;
DECLARE_STACK_OF(SSL_CIPHER)
@ -890,7 +895,7 @@ void BIO_ssl_shutdown(BIO *ssl_bio);
#endif
int SSL_CTX_set_cipher_list(SSL_CTX *,char *str);
int SSL_CTX_set_cipher_list(SSL_CTX *,const char *str);
SSL_CTX *SSL_CTX_new(SSL_METHOD *meth);
void SSL_CTX_free(SSL_CTX *);
long SSL_CTX_set_timeout(SSL_CTX *ctx,long t);
@ -922,7 +927,7 @@ void SSL_set_bio(SSL *s, BIO *rbio,BIO *wbio);
BIO * SSL_get_rbio(SSL *s);
BIO * SSL_get_wbio(SSL *s);
#endif
int SSL_set_cipher_list(SSL *s, char *str);
int SSL_set_cipher_list(SSL *s, const char *str);
void SSL_set_read_ahead(SSL *s, int yes);
int SSL_get_verify_mode(SSL *s);
int SSL_get_verify_depth(SSL *s);
@ -1248,6 +1253,8 @@ int SSL_COMP_add_compression_method(int id,char *cm);
#define SSL_F_SSL_CERT_INSTANTIATE 214
#define SSL_F_SSL_CERT_NEW 162
#define SSL_F_SSL_CHECK_PRIVATE_KEY 163
#define SSL_F_SSL_CIPHER_PROCESS_RULESTR 230
#define SSL_F_SSL_CIPHER_STRENGTH_SORT 231
#define SSL_F_SSL_CLEAR 164
#define SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD 165
#define SSL_F_SSL_CREATE_CIPHER_LIST 166
@ -1370,6 +1377,7 @@ int SSL_COMP_add_compression_method(int id,char *cm);
#define SSL_R_HTTP_REQUEST 156
#define SSL_R_INTERNAL_ERROR 157
#define SSL_R_INVALID_CHALLENGE_LENGTH 158
#define SSL_R_INVALID_COMMAND 280
#define SSL_R_INVALID_PURPOSE 278
#define SSL_R_INVALID_TRUST 279
#define SSL_R_LENGTH_MISMATCH 159

826
ssl/ssl_ciph.c
View File

@ -83,24 +83,11 @@ static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX]={
NULL,NULL,
};
typedef struct cipher_sort_st
{
SSL_CIPHER *cipher;
int pref;
} CIPHER_SORT;
#define CIPHER_ADD 1
#define CIPHER_KILL 2
#define CIPHER_DEL 3
#define CIPHER_ORD 4
typedef struct cipher_choice_st
{
int type;
unsigned long algorithms;
unsigned long mask;
long top;
} CIPHER_CHOICE;
#define CIPHER_SPECIAL 5
typedef struct cipher_order_st
{
@ -110,59 +97,55 @@ typedef struct cipher_order_st
struct cipher_order_st *next,*prev;
} CIPHER_ORDER;
static SSL_CIPHER cipher_aliases[]={
static const SSL_CIPHER cipher_aliases[]={
/* Don't include eNULL unless specifically enabled */
{0,SSL_TXT_ALL, 0,SSL_ALL & ~SSL_eNULL, 0,SSL_ALL}, /* must be first */
{0,SSL_TXT_kRSA,0,SSL_kRSA, 0,SSL_MKEY_MASK},
{0,SSL_TXT_kDHr,0,SSL_kDHr, 0,SSL_MKEY_MASK},
{0,SSL_TXT_kDHd,0,SSL_kDHd, 0,SSL_MKEY_MASK},
{0,SSL_TXT_kEDH,0,SSL_kEDH, 0,SSL_MKEY_MASK},
{0,SSL_TXT_kFZA,0,SSL_kFZA, 0,SSL_MKEY_MASK},
{0,SSL_TXT_DH, 0,SSL_DH, 0,SSL_MKEY_MASK},
{0,SSL_TXT_EDH, 0,SSL_EDH, 0,SSL_MKEY_MASK|SSL_AUTH_MASK},
{0,SSL_TXT_ALL, 0,SSL_ALL & ~SSL_eNULL, SSL_ALL ,0,0,0,SSL_ALL,SSL_ALL}, /* must be first */
{0,SSL_TXT_kRSA,0,SSL_kRSA, 0,0,0,0,SSL_MKEY_MASK,0},
{0,SSL_TXT_kDHr,0,SSL_kDHr, 0,0,0,0,SSL_MKEY_MASK,0},
{0,SSL_TXT_kDHd,0,SSL_kDHd, 0,0,0,0,SSL_MKEY_MASK,0},
{0,SSL_TXT_kEDH,0,SSL_kEDH, 0,0,0,0,SSL_MKEY_MASK,0},
{0,SSL_TXT_kFZA,0,SSL_kFZA, 0,0,0,0,SSL_MKEY_MASK,0},
{0,SSL_TXT_DH, 0,SSL_DH, 0,0,0,0,SSL_MKEY_MASK,0},
{0,SSL_TXT_EDH, 0,SSL_EDH, 0,0,0,0,SSL_MKEY_MASK|SSL_AUTH_MASK,0},
{0,SSL_TXT_aRSA,0,SSL_aRSA, 0,SSL_AUTH_MASK},
{0,SSL_TXT_aDSS,0,SSL_aDSS, 0,SSL_AUTH_MASK},
{0,SSL_TXT_aFZA,0,SSL_aFZA, 0,SSL_AUTH_MASK},
{0,SSL_TXT_aNULL,0,SSL_aNULL,0,SSL_AUTH_MASK},
{0,SSL_TXT_aDH, 0,SSL_aDH, 0,SSL_AUTH_MASK},
{0,SSL_TXT_DSS, 0,SSL_DSS, 0,SSL_AUTH_MASK},
{0,SSL_TXT_aRSA,0,SSL_aRSA, 0,0,0,0,SSL_AUTH_MASK,0},
{0,SSL_TXT_aDSS,0,SSL_aDSS, 0,0,0,0,SSL_AUTH_MASK,0},
{0,SSL_TXT_aFZA,0,SSL_aFZA, 0,0,0,0,SSL_AUTH_MASK,0},
{0,SSL_TXT_aNULL,0,SSL_aNULL,0,0,0,0,SSL_AUTH_MASK,0},
{0,SSL_TXT_aDH, 0,SSL_aDH, 0,0,0,0,SSL_AUTH_MASK,0},
{0,SSL_TXT_DSS, 0,SSL_DSS, 0,0,0,0,SSL_AUTH_MASK,0},
{0,SSL_TXT_DES, 0,SSL_DES, 0,SSL_ENC_MASK},
{0,SSL_TXT_3DES,0,SSL_3DES, 0,SSL_ENC_MASK},
{0,SSL_TXT_RC4, 0,SSL_RC4, 0,SSL_ENC_MASK},
{0,SSL_TXT_RC2, 0,SSL_RC2, 0,SSL_ENC_MASK},
{0,SSL_TXT_IDEA,0,SSL_IDEA, 0,SSL_ENC_MASK},
{0,SSL_TXT_eNULL,0,SSL_eNULL,0,SSL_ENC_MASK},
{0,SSL_TXT_eFZA,0,SSL_eFZA, 0,SSL_ENC_MASK},
{0,SSL_TXT_DES, 0,SSL_DES, 0,0,0,0,SSL_ENC_MASK,0},
{0,SSL_TXT_3DES,0,SSL_3DES, 0,0,0,0,SSL_ENC_MASK,0},
{0,SSL_TXT_RC4, 0,SSL_RC4, 0,0,0,0,SSL_ENC_MASK,0},
{0,SSL_TXT_RC2, 0,SSL_RC2, 0,0,0,0,SSL_ENC_MASK,0},
{0,SSL_TXT_IDEA,0,SSL_IDEA, 0,0,0,0,SSL_ENC_MASK,0},
{0,SSL_TXT_eNULL,0,SSL_eNULL,0,0,0,0,SSL_ENC_MASK,0},
{0,SSL_TXT_eFZA,0,SSL_eFZA, 0,0,0,0,SSL_ENC_MASK,0},
{0,SSL_TXT_MD5, 0,SSL_MD5, 0,SSL_MAC_MASK},
{0,SSL_TXT_SHA1,0,SSL_SHA1, 0,SSL_MAC_MASK},
{0,SSL_TXT_SHA, 0,SSL_SHA, 0,SSL_MAC_MASK},
{0,SSL_TXT_MD5, 0,SSL_MD5, 0,0,0,0,SSL_MAC_MASK,0},
{0,SSL_TXT_SHA1,0,SSL_SHA1, 0,0,0,0,SSL_MAC_MASK,0},
{0,SSL_TXT_SHA, 0,SSL_SHA, 0,0,0,0,SSL_MAC_MASK,0},
{0,SSL_TXT_NULL,0,SSL_NULL, 0,SSL_ENC_MASK},
{0,SSL_TXT_RSA, 0,SSL_RSA, 0,SSL_AUTH_MASK|SSL_MKEY_MASK},
{0,SSL_TXT_ADH, 0,SSL_ADH, 0,SSL_AUTH_MASK|SSL_MKEY_MASK},
{0,SSL_TXT_FZA, 0,SSL_FZA, 0,SSL_AUTH_MASK|SSL_MKEY_MASK|SSL_ENC_MASK},
{0,SSL_TXT_NULL,0,SSL_NULL, 0,0,0,0,SSL_ENC_MASK,0},
{0,SSL_TXT_RSA, 0,SSL_RSA, 0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0},
{0,SSL_TXT_ADH, 0,SSL_ADH, 0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0},
{0,SSL_TXT_FZA, 0,SSL_FZA, 0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK|SSL_ENC_MASK,0},
{0,SSL_TXT_EXP40, 0,SSL_EXP40, 0,SSL_EXP_MASK},
{0,SSL_TXT_EXPORT,0,SSL_EXP40, 0,SSL_EXP_MASK},
{0,SSL_TXT_EXP56, 0,SSL_EXP56, 0,SSL_EXP_MASK},
{0,SSL_TXT_SSLV2, 0,SSL_SSLV2, 0,SSL_SSL_MASK},
{0,SSL_TXT_SSLV3, 0,SSL_SSLV3, 0,SSL_SSL_MASK},
{0,SSL_TXT_TLSV1, 0,SSL_TLSV1, 0,SSL_SSL_MASK},
{0,SSL_TXT_LOW, 0,SSL_LOW, 0,SSL_STRONG_MASK},
{0,SSL_TXT_MEDIUM,0,SSL_MEDIUM,0,SSL_STRONG_MASK},
{0,SSL_TXT_HIGH, 0,SSL_HIGH, 0,SSL_STRONG_MASK},
{0,SSL_TXT_SSLV2, 0,SSL_SSLV2, 0,0,0,0,SSL_SSL_MASK,0},
{0,SSL_TXT_SSLV3, 0,SSL_SSLV3, 0,0,0,0,SSL_SSL_MASK,0},
{0,SSL_TXT_TLSV1, 0,SSL_TLSV1, 0,0,0,0,SSL_SSL_MASK,0},
{0,SSL_TXT_EXP ,0, 0,SSL_EXPORT, 0,0,0,0,SSL_EXP_MASK},
{0,SSL_TXT_EXPORT,0, 0,SSL_EXPORT, 0,0,0,0,SSL_EXP_MASK},
{0,SSL_TXT_EXP40, 0, 0, SSL_EXP40, 0,0,0,0,SSL_STRONG_MASK},
{0,SSL_TXT_EXP56, 0, 0, SSL_EXP56, 0,0,0,0,SSL_STRONG_MASK},
{0,SSL_TXT_LOW, 0, 0, SSL_LOW, 0,0,0,0,SSL_STRONG_MASK},
{0,SSL_TXT_MEDIUM,0, 0,SSL_MEDIUM, 0,0,0,0,SSL_STRONG_MASK},
{0,SSL_TXT_HIGH, 0, 0, SSL_HIGH, 0,0,0,0,SSL_STRONG_MASK},
};
static int init_ciphers=1;
static void load_ciphers();
static int cmp_by_name(SSL_CIPHER **a, SSL_CIPHER **b)
{
return(strcmp((*a)->name,(*b)->name));
}
static void load_ciphers(void)
{
@ -294,170 +277,328 @@ static void ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr,
*tail=curr;
}
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_METHOD *ssl_method,
STACK_OF(SSL_CIPHER) **cipher_list,
STACK_OF(SSL_CIPHER) **cipher_list_by_id,
char *str)
static unsigned long ssl_cipher_get_disabled(void)
{
SSL_CIPHER *c;
char *l;
STACK_OF(SSL_CIPHER) *ret=NULL,*ok=NULL;
#define CL_BUF 40
char buf[CL_BUF];
char *tmp_str=NULL;
unsigned long mask,algorithms,ma;
char *start;
int i,j,k,num=0,ch,multi;
unsigned long al;
STACK *ca_list=NULL;
int current_x,num_x;
CIPHER_CHOICE *ops=NULL;
CIPHER_ORDER *list=NULL,*head=NULL,*tail=NULL,*curr,*tail2,*curr2;
int list_num;
int type;
SSL_CIPHER c_tmp,*cp;
unsigned long mask;
if (str == NULL) return(NULL);
if (strncmp(str,"DEFAULT",7) == 0)
{
i=strlen(str)+2+strlen(SSL_DEFAULT_CIPHER_LIST);
if ((tmp_str=Malloc(i)) == NULL)
{
SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
goto err;
}
strcpy(tmp_str,SSL_DEFAULT_CIPHER_LIST);
strcat(tmp_str,":");
strcat(tmp_str,&(str[7]));
str=tmp_str;
}
if (init_ciphers) load_ciphers();
num=ssl_method->num_ciphers();
if ((ret=sk_SSL_CIPHER_new(NULL)) == NULL) goto err;
if ((ca_list=(STACK *)sk_new(cmp_by_name)) == NULL) goto err;
mask =SSL_kFZA;
mask = SSL_kFZA;
#ifdef NO_RSA
mask|=SSL_aRSA|SSL_kRSA;
mask |= SSL_aRSA|SSL_kRSA;
#endif
#ifdef NO_DSA
mask|=SSL_aDSS;
mask |= SSL_aDSS;
#endif
#ifdef NO_DH
mask|=SSL_kDHr|SSL_kDHd|SSL_kEDH|SSL_aDH;
mask |= SSL_kDHr|SSL_kDHd|SSL_kEDH|SSL_aDH;
#endif
#ifdef SSL_FORBID_ENULL
mask|=SSL_eNULL;
mask |= SSL_eNULL;
#endif
mask|=(ssl_cipher_methods[SSL_ENC_DES_IDX ] == NULL)?SSL_DES :0;
mask|=(ssl_cipher_methods[SSL_ENC_3DES_IDX] == NULL)?SSL_3DES:0;
mask|=(ssl_cipher_methods[SSL_ENC_RC4_IDX ] == NULL)?SSL_RC4 :0;
mask|=(ssl_cipher_methods[SSL_ENC_RC2_IDX ] == NULL)?SSL_RC2 :0;
mask|=(ssl_cipher_methods[SSL_ENC_IDEA_IDX] == NULL)?SSL_IDEA:0;
mask|=(ssl_cipher_methods[SSL_ENC_eFZA_IDX] == NULL)?SSL_eFZA:0;
mask |= (ssl_cipher_methods[SSL_ENC_DES_IDX ] == NULL) ? SSL_DES :0;
mask |= (ssl_cipher_methods[SSL_ENC_3DES_IDX] == NULL) ? SSL_3DES:0;
mask |= (ssl_cipher_methods[SSL_ENC_RC4_IDX ] == NULL) ? SSL_RC4 :0;
mask |= (ssl_cipher_methods[SSL_ENC_RC2_IDX ] == NULL) ? SSL_RC2 :0;
mask |= (ssl_cipher_methods[SSL_ENC_IDEA_IDX] == NULL) ? SSL_IDEA:0;
mask |= (ssl_cipher_methods[SSL_ENC_eFZA_IDX] == NULL) ? SSL_eFZA:0;
mask|=(ssl_digest_methods[SSL_MD_MD5_IDX ] == NULL)?SSL_MD5 :0;
mask|=(ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL)?SSL_SHA1:0;
mask |= (ssl_digest_methods[SSL_MD_MD5_IDX ] == NULL) ? SSL_MD5 :0;
mask |= (ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL) ? SSL_SHA1:0;
if ((list=(CIPHER_ORDER *)Malloc(sizeof(CIPHER_ORDER)*num)) == NULL)
goto err;
return(mask);
}
static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
int num_of_ciphers, unsigned long mask, CIPHER_ORDER *list,
CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
{
unsigned int i, list_num;
SSL_CIPHER *c;
/*
* We have num_of_ciphers descriptions compiled in, depending on the
* method selected (SSLv2 and/or SSLv3, TLSv1 etc).
* These will later be sorted in a linked list with at most num
* entries.
*/
/* Get the initial list of ciphers */
list_num=0;
for (i=0; i<num; i++)
list_num = 0; /* actual count of ciphers */
for (i = 0; i < num_of_ciphers; i++)
{
c=ssl_method->get_cipher((unsigned int)i);
c = ssl_method->get_cipher(i);
/* drop those that use any of that is not available */
if ((c != NULL) && c->valid && !(c->algorithms & mask))
{
list[list_num].cipher=c;
list[list_num].next=NULL;
list[list_num].prev=NULL;
list[list_num].active=0;
list[list_num].cipher = c;
list[list_num].next = NULL;
list[list_num].prev = NULL;
list[list_num].active = 0;
list_num++;
/*
if (!sk_push(ca_list,(char *)c)) goto err;
*/
}
}
for (i=1; i<list_num-1; i++)
/*
* Prepare linked list from list entries
*/
for (i = 1; i < list_num - 1; i++)
{
list[i].prev= &(list[i-1]);
list[i].next= &(list[i+1]);
list[i].prev = &(list[i-1]);
list[i].next = &(list[i+1]);
}
if (list_num > 0)
{
head= &(list[0]);
head->prev=NULL;
head->next= &(list[1]);
tail= &(list[list_num-1]);
tail->prev= &(list[list_num-2]);
tail->next=NULL;
(*head_p) = &(list[0]);
(*head_p)->prev = NULL;
(*head_p)->next = &(list[1]);
(*tail_p) = &(list[list_num - 1]);
(*tail_p)->prev = &(list[list_num - 2]);
(*tail_p)->next = NULL;
}
}
/* special case */
cipher_aliases[0].algorithms &= ~mask;
static void ssl_cipher_collect_aliases(SSL_CIPHER **ca_list,
int num_of_group_aliases, unsigned long mask,
CIPHER_ORDER *head)
{
CIPHER_ORDER *ciph_curr;
SSL_CIPHER **ca_curr;
int i;
/* get the aliases */
k=sizeof(cipher_aliases)/sizeof(SSL_CIPHER);
for (j=0; j<k; j++)
/*
* First, add the real ciphers as already collected
*/
ciph_curr = head;
ca_curr = ca_list;
while (ciph_curr != NULL)
{
al=cipher_aliases[j].algorithms;
/* Drop those that are not relevent */
if ((al & mask) == al) continue;
if (!sk_push(ca_list,(char *)&(cipher_aliases[j]))) goto err;
*ca_curr = ciph_curr->cipher;
ca_curr++;
ciph_curr = ciph_curr->next;
}
/* ca_list now holds a 'stack' of SSL_CIPHERS, some real, some
* 'aliases' */
/*
* Now we add the available ones from the cipher_aliases[] table.
* They represent either an algorithm, that must be fully
* supported (not match any bit in mask) or represent a cipher
* strength value (will be added in any case because algorithms=0).
*/
for (i = 0; i < num_of_group_aliases; i++)
{
if ((i == 0) || /* always fetch "ALL" */
!(cipher_aliases[i].algorithms & mask))
{
*ca_curr = (SSL_CIPHER *)(cipher_aliases + i);
ca_curr++;
}
}
/* how many parameters are there? */
num=1;
for (l=str; *l; l++)
if (ITEM_SEP(*l))
num++;
ops=(CIPHER_CHOICE *)Malloc(sizeof(CIPHER_CHOICE)*num);
if (ops == NULL) goto err;
memset(ops,0,sizeof(CIPHER_CHOICE)*num);
*ca_curr = NULL; /* end of list */
}
/* we now parse the input string and create our operations */
l=str;
i=0;
current_x=0;
static void ssl_cipher_apply_rule(unsigned long algorithms, unsigned long mask,
unsigned long algo_strength, unsigned long mask_strength,
int rule, int strength_bits, CIPHER_ORDER *list,
CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
{
CIPHER_ORDER *head, *tail, *curr, *curr2, *tail2;
SSL_CIPHER *cp;
unsigned long ma, ma_s;
#ifdef CIPHER_DEBUG
printf("Applying rule %d with %08lx %08lx %08lx %08lx (%d)\n",
rule, algorithms, mask, algo_strength, mask_strength,
strength_bits);
#endif
curr = head = *head_p;
curr2 = head;
tail2 = tail = *tail_p;
for (;;)
{
ch= *l;
if ((curr == NULL) || (curr == tail2)) break;
curr = curr2;
curr2 = curr->next;
if (ch == '\0') break;
cp = curr->cipher;
/*
* Selection criteria is either the number of strength_bits
* or the algorithm used.
*/
if (strength_bits == -1)
{
ma = mask & cp->algorithms;
ma_s = mask_strength & cp->algo_strength;
#ifdef CIPHER_DEBUG
printf("\nName: %s:\nAlgo = %08lx Algo_strength = %08lx\nMask = %08lx Mask_strength %08lx\n", cp->name, cp->algorithms, cp->algo_strength, mask, mask_strength);
printf("ma = %08lx ma_s %08lx, ma&algo=%08lx, ma_s&algos=%08lx\n", ma, ma_s, ma&algorithms, ma_s&algo_strength);
#endif
/*
* Select: if none of the mask bit was met from the
* cipher or not all of the bits were met, the
* selection does not apply.
*/
if (((ma == 0) && (ma_s == 0)) ||
((ma & algorithms) != ma) ||
((ma_s & algo_strength) != ma_s))
continue; /* does not apply */
}
else if (strength_bits != cp->strength_bits)
continue; /* does not apply */
#ifdef CIPHER_DEBUG
printf("Action = %d\n", rule);
#endif
/* add the cipher if it has not been added yet. */
if (rule == CIPHER_ADD)
{
if (!curr->active)
{
ll_append_tail(&head, curr, &tail);
curr->active = 1;
}
}
/* Move the added cipher to this location */
else if (rule == CIPHER_ORD)
{
if (curr->active)
{
ll_append_tail(&head, curr, &tail);
}
}
else if (rule == CIPHER_DEL)
curr->active = 0;
else if (rule == CIPHER_KILL)
{
if (head == curr)
head = curr->next;
else
curr->prev->next = curr->next;
if (tail == curr)
tail = curr->prev;
curr->active = 0;
if (curr->next != NULL)
curr->next->prev = curr->prev;
if (curr->prev != NULL)
curr->prev->next = curr->next;
curr->next = NULL;
curr->prev = NULL;
}
}
*head_p = head;
*tail_p = tail;
}
static int ssl_cipher_strength_sort(CIPHER_ORDER *list, CIPHER_ORDER **head_p,
CIPHER_ORDER **tail_p)
{
int max_strength_bits, i, *number_uses;
CIPHER_ORDER *curr;
/*
* This routine sorts the ciphers with descending strength. The sorting
* must keep the pre-sorted sequence, so we apply the normal sorting
* routine as '+' movement to the end of the list.
*/
max_strength_bits = 0;
curr = *head_p;
while (curr != NULL)
{
if (curr->active &&
(curr->cipher->strength_bits > max_strength_bits))
max_strength_bits = curr->cipher->strength_bits;
curr = curr->next;
}
number_uses = Malloc((max_strength_bits + 1) * sizeof(int));
if (!number_uses)
{
SSLerr(SSL_F_SSL_CIPHER_STRENGTH_SORT,ERR_R_MALLOC_FAILURE);
return(0);
}
memset(number_uses, 0, (max_strength_bits + 1) * sizeof(int));
/*
* Now find the strength_bits values actually used
*/
curr = *head_p;
while (curr != NULL)
{
if (curr->active)
number_uses[curr->cipher->strength_bits]++;
curr = curr->next;
}
#if 0
/*
* Go through the list of used strength_bits values in descending
* order, omit strength_bits "0".
*/
for (i = max_strength_bits; i > 0; i--)
/* Do we really want this? If so "ALL:eNULL:@STRENGTH" puts eNULL
* ciphers first???
*/
#else
for (i = max_strength_bits; i >= 0; i--)
#endif
if (number_uses[i] > 0)
ssl_cipher_apply_rule(0, 0, 0, 0, CIPHER_ORD, i,
list, head_p, tail_p);
Free(number_uses);
return(1);
}
static int ssl_cipher_process_rulestr(const char *rule_str,
CIPHER_ORDER *list, CIPHER_ORDER **head_p,
CIPHER_ORDER **tail_p, SSL_CIPHER **ca_list)
{
unsigned long algorithms, mask, algo_strength, mask_strength;
const char *l, *start, *buf;
int j, multi, found, rule, retval, ok, buflen;
char ch;
retval = 1;
l = rule_str;
for (;;)
{
ch = *l;
if (ch == '\0')
break; /* done */
if (ch == '-')
{ j=CIPHER_DEL; l++; }
{ rule = CIPHER_DEL; l++; }
else if (ch == '+')
{ j=CIPHER_ORD; l++; }
{ rule = CIPHER_ORD; l++; }
else if (ch == '!')
{ j=CIPHER_KILL; l++; }
else
{ j=CIPHER_ADD; }
{ rule = CIPHER_KILL; l++; }
else if (ch == '@')
{ rule = CIPHER_SPECIAL; l++; }
else
{ rule = CIPHER_ADD; }
if (ITEM_SEP(ch))
{
l++;
continue;
}
ops[current_x].type=j;
ops[current_x].algorithms=0;
ops[current_x].mask=0;
algorithms = mask = algo_strength = mask_strength = 0;
start=l;
for (;;)
{
ch= *l;
i=0;
ch = *l;
buf = l;
buflen = 0;
#ifndef CHARSET_EBCDIC
while ( ((ch >= 'A') && (ch <= 'Z')) ||
((ch >= '0') && (ch <= '9')) ||
@ -467,12 +608,28 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_METHOD *ssl_method,
while ( isalnum(ch) || (ch == '-'))
#endif
{
buf[i]=ch;
ch= *(++l);
i++;
if (i >= (CL_BUF-2)) break;
ch = *(++l);
buflen++;
}
buf[i]='\0';
if (buflen == 0)
{
/*
* We hit something, we cannot deal with,
* it is no command or seperator nor
* alphanumeric, so we call this an error.
*/
SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
SSL_R_INVALID_COMMAND);
retval = found = 0;
l++;
break;
}
if (rule == CIPHER_SPECIAL)
{
break; /* special treatment */
}
/* check for multi-part specification */
if (ch == '+')
@ -483,133 +640,236 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_METHOD *ssl_method,
else
multi=0;
c_tmp.name=buf;
j=sk_find(ca_list,(char *)&c_tmp);
if (j < 0)
goto end_loop;
/*
* Now search for the name in the ca_list. Be carefule
* with the strncmp, because the "buflen" limitation
* will make the rule "ADH:SOME" and the cipher
* "ADH-MY-CIPHER" look like a match for buflen=3.
* So additionally check, whether the cipher name found
* has the correct length. We can save a strlen() call,
* just checking for the '\0' at the right place is
* sufficient, we have to strncmp() anyway.
*/
j = found = 0;
while (ca_list[j])
{
if ((ca_list[j]->name[buflen] == '\0') &&
!strncmp(buf, ca_list[j]->name, buflen))
{
found = 1;
break;
}
else
j++;
}
if (!found)
break; /* ignore this entry */
algorithms |= ca_list[j]->algorithms;
mask |= ca_list[j]->mask;
algo_strength |= ca_list[j]->algo_strength;
mask_strength |= ca_list[j]->mask_strength;
cp=(SSL_CIPHER *)sk_value(ca_list,j);
ops[current_x].algorithms|=cp->algorithms;
/* We add the SSL_SSL_MASK so we can match the
* SSLv2 and SSLv3 versions of RC4-MD5 */
ops[current_x].mask|=cp->mask;
if (!multi) break;
}
current_x++;
if (ch == '\0') break;
end_loop:
/* Make sure we scan until the next valid start point */
while ((*l != '\0') && ITEM_SEP(*l))
l++;
}
num_x=current_x;
current_x=0;
/* We will now process the list of ciphers, once for each category, to
* decide what we should do with it. */
for (j=0; j<num_x; j++)
{
algorithms=ops[j].algorithms;
type=ops[j].type;
mask=ops[j].mask;
curr=head;
curr2=head;
tail2=tail;
for (;;)
{
if ((curr == NULL) || (curr == tail2)) break;
curr=curr2;
curr2=curr->next;
cp=curr->cipher;
ma=mask & cp->algorithms;
if ((ma == 0) || ((ma & algorithms) != ma))
{
/* does not apply */
continue;
}
/* add the cipher if it has not been added yet. */
if (type == CIPHER_ADD)
{
if (!curr->active)
{
ll_append_tail(&head,curr,&tail);
curr->active=1;
}
}
/* Move the added cipher to this location */
else if (type == CIPHER_ORD)
{
if (curr->active)
{
ll_append_tail(&head,curr,&tail);
}
}
else if (type == CIPHER_DEL)
curr->active=0;
if (type == CIPHER_KILL)
{
if (head == curr)
head=curr->next;
/*
* Ok, we have the rule, now apply it
*/
if (rule == CIPHER_SPECIAL)
{ /* special command */
ok = 0;
if (!strncmp(buf, "STRENGTH", buflen))
ok = ssl_cipher_strength_sort(list,
head_p, tail_p);
else
curr->prev->next=curr->next;
if (tail == curr)
tail=curr->prev;
curr->active=0;
if (curr->next != NULL)
curr->next->prev=curr->prev;
if (curr->prev != NULL)
curr->prev->next=curr->next;
curr->next=NULL;
curr->prev=NULL;
SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
SSL_R_INVALID_COMMAND);
if (ok == 0)
retval = 0;
/*
* We do not support any "multi" options
* together with "@", so through away the
* rest of the command, if any left, until
* end or ':' is found.
*/
while ((*l != '\0') && ITEM_SEP(*l))
l++;
}
}
else if (found)
{
ssl_cipher_apply_rule(algorithms, mask,
algo_strength, mask_strength, rule, -1,
list, head_p, tail_p);
}
else
{
while ((*l != '\0') && ITEM_SEP(*l))
l++;
}
if (*l == '\0') break; /* done */
}
for (curr=head; curr != NULL; curr=curr->next)
return(retval);
}
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
STACK_OF(SSL_CIPHER) **cipher_list,
STACK_OF(SSL_CIPHER) **cipher_list_by_id,
const char *rule_str)
{
int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases;
unsigned long disabled_mask;
STACK_OF(SSL_CIPHER) *cipherstack;
const char *rule_p;
CIPHER_ORDER *list = NULL, *head = NULL, *tail = NULL, *curr;
SSL_CIPHER **ca_list = NULL;
/*
* Return with error if nothing to do.
*/
if (rule_str == NULL) return(NULL);
if (init_ciphers) load_ciphers();
/*
* To reduce the work to do we only want to process the compiled
* in algorithms, so we first get the mask of disabled ciphers.
*/
disabled_mask = ssl_cipher_get_disabled();
/*
* Now we have to collect the available ciphers from the compiled
* in ciphers. We cannot get more than the number compiled in, so
* it is used for allocation.
*/
num_of_ciphers = ssl_method->num_ciphers();
list = (CIPHER_ORDER *)Malloc(sizeof(CIPHER_ORDER) * num_of_ciphers);
if (list == NULL)
{
SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
return(NULL); /* Failure */
}
ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers, disabled_mask,
list, &head, &tail);
/*
* We also need cipher aliases for selecting based on the rule_str.
* There might be two types of entries in the rule_str: 1) names
* of ciphers themselves 2) aliases for groups of ciphers.
* For 1) we need the available ciphers and for 2) the cipher
* groups of cipher_aliases added togehter in one list (otherwise
* we would be happy with just the cipher_aliases table).
*/
num_of_group_aliases = sizeof(cipher_aliases) / sizeof(SSL_CIPHER);
num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
ca_list =
(SSL_CIPHER **)Malloc(sizeof(SSL_CIPHER *) * num_of_alias_max);
if (ca_list == NULL)
{
Free(list);
SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
return(NULL); /* Failure */
}
ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, disabled_mask,
head);
/*
* If the rule_string begins with DEFAULT, apply the default rule
* before using the (possibly available) additional rules.
*/
ok = 1;
rule_p = rule_str;
if (strncmp(rule_str,"DEFAULT",7) == 0)
{
ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST,
list, &head, &tail, ca_list);
rule_p += 7;
if (*rule_p == ':')
rule_p++;
}
if (ok && (strlen(rule_p) > 0))
ok = ssl_cipher_process_rulestr(rule_p, list, &head, &tail,
ca_list);
Free(ca_list); /* Not needed anymore */
if (!ok)
{ /* Rule processing failure */
Free(list);
return(NULL);
}
/*
* Allocate new "cipherstack" for the result, return with error
* if we cannot get one.
*/
if ((cipherstack = sk_SSL_CIPHER_new(NULL)) == NULL)
{
Free(list);
return(NULL);
}
/*
* The cipher selection for the list is done. The ciphers are added
* to the resulting precedence to the STACK_OF(SSL_CIPHER).
*/
for (curr = head; curr != NULL; curr = curr->next)
{
if (curr->active)
{
sk_SSL_CIPHER_push(ret,curr->cipher);
sk_SSL_CIPHER_push(cipherstack, curr->cipher);
#ifdef CIPHER_DEBUG
printf("<%s>\n",curr->cipher->name);
#endif
}
}
Free(list); /* Not needed any longer */
/*
* The following passage is a little bit odd. If pointer variables
* were supplied to hold STACK_OF(SSL_CIPHER) return information,
* the old memory pointed to is free()ed. Then, however, the
* cipher_list entry will be assigned just a copy of the returned
* cipher stack. For cipher_list_by_id a copy of the cipher stack
* will be created. See next comment...
*/
if (cipher_list != NULL)
{
if (*cipher_list != NULL)
sk_SSL_CIPHER_free(*cipher_list);
*cipher_list=ret;
*cipher_list = cipherstack;
}
if (cipher_list_by_id != NULL)
{
if (*cipher_list_by_id != NULL)
sk_SSL_CIPHER_free(*cipher_list_by_id);
*cipher_list_by_id=sk_SSL_CIPHER_dup(ret);
*cipher_list_by_id = sk_SSL_CIPHER_dup(cipherstack);
}
/*
* Now it is getting really strange. If something failed during
* the previous pointer assignement or if one of the pointers was
* not requested, the error condition is met. That might be
* discussable. The strange thing is however that in this case
* the memory "ret" pointed to is "free()ed" and hence the pointer
* cipher_list becomes wild. The memory reserved for
* cipher_list_by_id however is not "free()ed" and stays intact.
*/
if ( (cipher_list_by_id == NULL) ||
(*cipher_list_by_id == NULL) ||
(cipher_list == NULL) ||
(*cipher_list == NULL))
goto err;
{
sk_SSL_CIPHER_free(cipherstack);
return(NULL);
}
sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id,ssl_cipher_ptr_id_cmp);
ok=ret;
ret=NULL;
err:
if (tmp_str) Free(tmp_str);
if (ops != NULL) Free(ops);
if (ret != NULL) sk_SSL_CIPHER_free(ret);
if (ca_list != NULL) sk_free(ca_list);
if (list != NULL) Free(list);
return(ok);
return(cipherstack);
}
char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
@ -617,15 +877,16 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
int is_export,pkl,kl;
char *ver,*exp;
char *kx,*au,*enc,*mac;
unsigned long alg,alg2;
unsigned long alg,alg2,alg_s;
static char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s\n";
alg=cipher->algorithms;
alg_s=cipher->algo_strength;
alg2=cipher->algorithm2;
is_export=SSL_IS_EXPORT(alg);
pkl=SSL_EXPORT_PKEYLENGTH(alg);
kl=SSL_EXPORT_KEYLENGTH(alg);
is_export=SSL_C_IS_EXPORT(cipher);
pkl=SSL_C_EXPORT_PKEYLENGTH(cipher);
kl=SSL_C_EXPORT_KEYLENGTH(cipher);
exp=is_export?" export":"";
if (alg & SSL_SSLV2)
@ -755,34 +1016,13 @@ const char *SSL_CIPHER_get_name(SSL_CIPHER *c)
/* number of bits for symetric cipher */
int SSL_CIPHER_get_bits(SSL_CIPHER *c, int *alg_bits)
{
int ret=0,a=0;
const EVP_CIPHER *enc;
const EVP_MD *md;
SSL_SESSION ss;
int ret=0;
if (c != NULL)
{
ss.cipher=c;
if (!ssl_cipher_get_evp(&ss,&enc,&md,NULL))
return(0);
a=EVP_CIPHER_key_length(enc)*8;
if (SSL_C_IS_EXPORT(c))
{
ret=SSL_C_EXPORT_KEYLENGTH(c)*8;
}
else
{
if (c->algorithm2 & SSL2_CF_8_BYTE_ENC)
ret=64;
else
ret=a;
}
if (alg_bits != NULL) *alg_bits = c->alg_bits;
ret = c->strength_bits;
}
if (alg_bits != NULL) *alg_bits=a;
return(ret);
}

3
ssl/ssl_err.c
View File

@ -135,6 +135,8 @@ static ERR_STRING_DATA SSL_str_functs[]=
{ERR_PACK(0,SSL_F_SSL_CERT_INSTANTIATE,0), "SSL_CERT_INSTANTIATE"},
{ERR_PACK(0,SSL_F_SSL_CERT_NEW,0), "SSL_CERT_NEW"},
{ERR_PACK(0,SSL_F_SSL_CHECK_PRIVATE_KEY,0), "SSL_check_private_key"},
{ERR_PACK(0,SSL_F_SSL_CIPHER_PROCESS_RULESTR,0), "SSL_CIPHER_PROCESS_RULESTR"},
{ERR_PACK(0,SSL_F_SSL_CIPHER_STRENGTH_SORT,0), "SSL_CIPHER_STRENGTH_SORT"},
{ERR_PACK(0,SSL_F_SSL_CLEAR,0), "SSL_clear"},
{ERR_PACK(0,SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,0), "SSL_COMP_add_compression_method"},
{ERR_PACK(0,SSL_F_SSL_CREATE_CIPHER_LIST,0), "SSL_CREATE_CIPHER_LIST"},
@ -260,6 +262,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
{SSL_R_HTTP_REQUEST ,"http request"},
{SSL_R_INTERNAL_ERROR ,"internal error"},
{SSL_R_INVALID_CHALLENGE_LENGTH ,"invalid challenge length"},
{SSL_R_INVALID_COMMAND ,"invalid command"},
{SSL_R_INVALID_PURPOSE ,"invalid purpose"},
{SSL_R_INVALID_TRUST ,"invalid trust"},
{SSL_R_LENGTH_MISMATCH ,"length mismatch"},

6
ssl/ssl_lib.c
View File

@ -923,7 +923,7 @@ const char *SSL_get_cipher_list(SSL *s,int n)
}
/** specify the ciphers to be used by default by the SSL_CTX */
int SSL_CTX_set_cipher_list(SSL_CTX *ctx,char *str)
int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str)
{
STACK_OF(SSL_CIPHER) *sk;
@ -934,7 +934,7 @@ int SSL_CTX_set_cipher_list(SSL_CTX *ctx,char *str)
}
/** specify the ciphers to be used by the SSL */
int SSL_set_cipher_list(SSL *s,char *str)
int SSL_set_cipher_list(SSL *s,const char *str)
{
STACK_OF(SSL_CIPHER) *sk;
@ -1362,7 +1362,7 @@ X509 *ssl_get_server_send_cert(SSL *s)
c=s->cert;
ssl_set_cert_masks(c, s->s3->tmp.new_cipher);
alg=s->s3->tmp.new_cipher->algorithms;
is_export=SSL_IS_EXPORT(alg);
is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
mask=is_export?c->export_mask:c->mask;
kalg=alg&(SSL_MKEY_MASK|SSL_AUTH_MASK);

108
ssl/ssl_locl.h
View File

@ -155,6 +155,19 @@
#define DEC32(a) ((a)=((a)-1)&0xffffffffL)
#define MAX_MAC_SIZE 20 /* up from 16 for SSLv3 */
/*
* Define the Bitmasks for SSL_CIPHER.algorithms.
* This bits are used packed as dense as possible. If new methods/ciphers
* etc will be added, the bits a likely to change, so this information
* is for internal library use only, even though SSL_CIPHER.algorithms
* can be publicly accessed.
* Use the according functions for cipher management instead.
*
* The bit mask hendling in the selection and sorting scheme in
* ssl_create_cipher_list() has only limited capabilities, reflecting
* that the different entities within are mutually exclusiv:
* ONLY ONE BIT PER MASK CAN BE SET AT A TIME.
*/
#define SSL_MKEY_MASK 0x0000001FL
#define SSL_kRSA 0x00000001L /* RSA key exchange */
#define SSL_kDHr 0x00000002L /* DH cert RSA CA cert */
@ -191,36 +204,75 @@
#define SSL_SHA1 0x00040000L
#define SSL_SHA (SSL_SHA1)
#define SSL_EXP_MASK 0x00300000L
#define SSL_EXP40 0x00100000L
#define SSL_NOT_EXP 0x00200000L
#define SSL_EXP56 0x00300000L
#define SSL_IS_EXPORT(a) ((a)&SSL_EXP40)
#define SSL_IS_EXPORT56(a) (((a)&SSL_EXP_MASK) == SSL_EXP56)
#define SSL_IS_EXPORT40(a) (((a)&SSL_EXP_MASK) == SSL_EXP40)
#define SSL_C_IS_EXPORT(c) SSL_IS_EXPORT((c)->algorithms)
#define SSL_C_IS_EXPORT56(c) SSL_IS_EXPORT56((c)->algorithms)
#define SSL_C_IS_EXPORT40(c) SSL_IS_EXPORT40((c)->algorithms)
#define SSL_EXPORT_KEYLENGTH(a) (SSL_IS_EXPORT40(a) ? 5 : \
((a)&SSL_ENC_MASK) == SSL_DES ? 8 : 7)
#define SSL_EXPORT_PKEYLENGTH(a) (SSL_IS_EXPORT40(a) ? 512 : 1024)
#define SSL_C_EXPORT_KEYLENGTH(c) SSL_EXPORT_KEYLENGTH((c)->algorithms)
#define SSL_C_EXPORT_PKEYLENGTH(c) SSL_EXPORT_PKEYLENGTH((c)->algorithms)
#define SSL_SSL_MASK 0x00c00000L
#define SSL_SSLV2 0x00400000L
#define SSL_SSLV3 0x00800000L
#define SSL_SSL_MASK 0x00180000L
#define SSL_SSLV2 0x00080000L
#define SSL_SSLV3 0x00100000L
#define SSL_TLSV1 SSL_SSLV3 /* for now */
#define SSL_STRONG_MASK 0x07000000L
#define SSL_LOW 0x01000000L
#define SSL_MEDIUM 0x02000000L
#define SSL_HIGH 0x04000000L
/* we have used 001fffff - 11 bits left to go */
/*
* Export and cipher strenght information. For each cipher we have to decide
* whether it is exportable or not. This information is likely to change
* over time, since the export control rules are no static technical issue.
*
* Independent of the export flag the cipher strength is sorted into classes.
* SSL_EXP40 was denoting the 40bit US export limit of past times, which now
* is at 56bit (SSL_EXP56). If the exportable cipher class is going to change
* againg (eg. to 64bit) the use of "SSL_EXP*" becomes blurred even more,
* since SSL_EXP64 could be similar to SSL_LOW.
* For this reason SSL_MICRO and SSL_MINI macros are included to widen the
* namespace of SSL_LOW-SSL_HIGH to lower values. As development of speed
* and ciphers goes, another extension to SSL_SUPER and/or SSL_ULTRA would
* be possible.
*/
#define SSL_EXP_MASK 0x00000003L
#define SSL_NOT_EXP 0x00000001L
#define SSL_EXPORT 0x00000002L
#define SSL_STRONG_MASK 0x0000007cL
#define SSL_EXP40 0x00000004L
#define SSL_MICRO (SSL_EXP40)
#define SSL_EXP56 0x00000008L
#define SSL_MINI (SSL_EXP56)
#define SSL_LOW 0x00000010L
#define SSL_MEDIUM 0x00000020L
#define SSL_HIGH 0x00000040L
/* we have used 0000007f - 25 bits left to go */
/*
* Macros to check the export status and cipher strength for export ciphers.
* Even though the macros for EXPORT and EXPORT40/56 have similar names,
* their meaning is different:
* *_EXPORT macros check the 'exportable' status.
* *_EXPORT40/56 macros are used to check whether a certain cipher strength
* is given.
* Since the SSL_IS_EXPORT* and SSL_EXPORT* macros depend on the correct
* algorithm structure element to be passed (algorithms, algo_strength) and no
* typechecking can be done as they are all of type unsigned long, their
* direct usage is discouraged.
* Use the SSL_C_* macros instead.
*/
#define SSL_IS_EXPORT(a) ((a)&SSL_EXPORT)
#define SSL_IS_EXPORT56(a) ((a)&SSL_EXP56)
#define SSL_IS_EXPORT40(a) ((a)&SSL_EXP40)
#define SSL_C_IS_EXPORT(c) SSL_IS_EXPORT((c)->algo_strength)
#define SSL_C_IS_EXPORT56(c) SSL_IS_EXPORT56((c)->algo_strength)
#define SSL_C_IS_EXPORT40(c) SSL_IS_EXPORT40((c)->algo_strength)
#define SSL_EXPORT_KEYLENGTH(a,s) (SSL_IS_EXPORT40(s) ? 5 : \
((a)&SSL_ENC_MASK) == SSL_DES ? 8 : 7)
#define SSL_EXPORT_PKEYLENGTH(a) (SSL_IS_EXPORT40(a) ? 512 : 1024)
#define SSL_C_EXPORT_KEYLENGTH(c) SSL_EXPORT_KEYLENGTH((c)->algorithms, \
(c)->algo_strength)
#define SSL_C_EXPORT_PKEYLENGTH(c) SSL_EXPORT_PKEYLENGTH((c)->algo_strength)
/* we have used 0fffffff - 4 bits left to go */
#define SSL_ALL 0xffffffffL
#define SSL_ALL_CIPHERS (SSL_MKEY_MASK|SSL_AUTH_MASK|SSL_ENC_MASK|\
SSL_MAC_MASK|SSL_EXP_MASK)
SSL_MAC_MASK)
#define SSL_ALL_STRENGTHS (SSL_EXP_MASK|SSL_STRONG_MASK)
/* Mostly for SSLv3 */
#define SSL_PKEY_RSA_ENC 0
@ -256,7 +308,7 @@ typedef struct cert_st
CERT_PKEY *key; /* ALWAYS points to an element of the pkeys array
* Probably it would make more sense to store
* an index, not a pointer. */
/* The following masks are for the key and auth
* algorithms that are supported by the certs below */
int valid;
@ -376,10 +428,10 @@ int ssl_cipher_ptr_id_cmp(SSL_CIPHER **ap,SSL_CIPHER **bp);
STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,
STACK_OF(SSL_CIPHER) **skp);
int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p);
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_METHOD *meth,
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *meth,
STACK_OF(SSL_CIPHER) **pref,
STACK_OF(SSL_CIPHER) **sorted,
char *str);
const char *rule_str);
void ssl_update_cache(SSL *s, int mode);
int ssl_cipher_get_evp(SSL_SESSION *s,const EVP_CIPHER **enc,const EVP_MD **md,
SSL_COMP **comp);

2
ssl/tls1.h
View File

@ -65,7 +65,7 @@
extern "C" {
#endif
#define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES 0
#define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES 1
#define TLS1_VERSION 0x0301
#define TLS1_VERSION_MAJOR 0x03