projects
/
openssl.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
Preparation for beta3 release.
[openssl.git]
/
ssl
/
ssl_ciph.c
diff --git
a/ssl/ssl_ciph.c
b/ssl/ssl_ciph.c
index 5ba5b32a073a31678c72b9018c80532cf0a8c47f..87c5f61670007305f8c7777068b9c6fb294e2056 100644
(file)
--- a/
ssl/ssl_ciph.c
+++ b/
ssl/ssl_ciph.c
@@
-142,8
+142,12
@@
#include <stdio.h>
#include <openssl/objects.h>
#include <stdio.h>
#include <openssl/objects.h>
+#ifndef OPENSSL_NO_COMP
#include <openssl/comp.h>
#include <openssl/comp.h>
+#endif
+#ifndef OPENSSL_NO_ENGINE
#include <openssl/engine.h>
#include <openssl/engine.h>
+#endif
#include "ssl_locl.h"
#define SSL_ENC_DES_IDX 0
#include "ssl_locl.h"
#define SSL_ENC_DES_IDX 0
@@
-207,7
+211,7
@@
static int ssl_handshake_digest_flag[SSL_MD_NUM_IDX]={
typedef struct cipher_order_st
{
typedef struct cipher_order_st
{
- SSL_CIPHER *cipher;
+
const
SSL_CIPHER *cipher;
int active;
int dead;
struct cipher_order_st *next,*prev;
int active;
int dead;
struct cipher_order_st *next,*prev;
@@
-243,7
+247,7
@@
static const SSL_CIPHER cipher_aliases[]={
{0,SSL_TXT_ECDH,0, SSL_kECDHr|SSL_kECDHe|SSL_kEECDH,0,0,0,0,0,0,0,0},
{0,SSL_TXT_kPSK,0, SSL_kPSK, 0,0,0,0,0,0,0,0},
{0,SSL_TXT_ECDH,0, SSL_kECDHr|SSL_kECDHe|SSL_kEECDH,0,0,0,0,0,0,0,0},
{0,SSL_TXT_kPSK,0, SSL_kPSK, 0,0,0,0,0,0,0,0},
-
+ {0,SSL_TXT_kGOST,0, SSL_kGOST,0,0,0,0,0,0,0,0},
/* server authentication aliases */
{0,SSL_TXT_aRSA,0, 0,SSL_aRSA, 0,0,0,0,0,0,0},
/* server authentication aliases */
{0,SSL_TXT_aRSA,0, 0,SSL_aRSA, 0,0,0,0,0,0,0},
@@
-256,7
+260,9
@@
static const SSL_CIPHER cipher_aliases[]={
{0,SSL_TXT_aECDSA,0, 0,SSL_aECDSA,0,0,0,0,0,0,0},
{0,SSL_TXT_ECDSA,0, 0,SSL_aECDSA, 0,0,0,0,0,0,0},
{0,SSL_TXT_aPSK,0, 0,SSL_aPSK, 0,0,0,0,0,0,0},
{0,SSL_TXT_aECDSA,0, 0,SSL_aECDSA,0,0,0,0,0,0,0},
{0,SSL_TXT_ECDSA,0, 0,SSL_aECDSA, 0,0,0,0,0,0,0},
{0,SSL_TXT_aPSK,0, 0,SSL_aPSK, 0,0,0,0,0,0,0},
-
+ {0,SSL_TXT_aGOST94,0,0,SSL_aGOST94,0,0,0,0,0,0,0},
+ {0,SSL_TXT_aGOST01,0,0,SSL_aGOST01,0,0,0,0,0,0,0},
+ {0,SSL_TXT_aGOST,0,0,SSL_aGOST94|SSL_aGOST01,0,0,0,0,0,0,0},
/* aliases combining key exchange and server authentication */
{0,SSL_TXT_EDH,0, SSL_kEDH,~SSL_aNULL,0,0,0,0,0,0,0},
/* aliases combining key exchange and server authentication */
{0,SSL_TXT_EDH,0, SSL_kEDH,~SSL_aNULL,0,0,0,0,0,0,0},
@@
-306,24
+312,44
@@
static const SSL_CIPHER cipher_aliases[]={
{0,SSL_TXT_LOW,0, 0,0,0,0,0,SSL_LOW, 0,0,0},
{0,SSL_TXT_MEDIUM,0, 0,0,0,0,0,SSL_MEDIUM,0,0,0},
{0,SSL_TXT_HIGH,0, 0,0,0,0,0,SSL_HIGH, 0,0,0},
{0,SSL_TXT_LOW,0, 0,0,0,0,0,SSL_LOW, 0,0,0},
{0,SSL_TXT_MEDIUM,0, 0,0,0,0,0,SSL_MEDIUM,0,0,0},
{0,SSL_TXT_HIGH,0, 0,0,0,0,0,SSL_HIGH, 0,0,0},
+ /* FIPS 140-2 approved ciphersuite */
+ {0,SSL_TXT_FIPS,0, 0,0,~SSL_eNULL,0,0,SSL_FIPS, 0,0,0},
};
/* Search for public key algorithm with given name and
* return its pkey_id if it is available. Otherwise return 0
*/
};
/* Search for public key algorithm with given name and
* return its pkey_id if it is available. Otherwise return 0
*/
+#ifdef OPENSSL_NO_ENGINE
+
static int get_optional_pkey_id(const char *pkey_name)
{
const EVP_PKEY_ASN1_METHOD *ameth;
static int get_optional_pkey_id(const char *pkey_name)
{
const EVP_PKEY_ASN1_METHOD *ameth;
- ENGINE *tmpeng = NULL;
int pkey_id=0;
int pkey_id=0;
- ameth = EVP_PKEY_asn1_find_str(
&tmpeng
,pkey_name,-1);
+ ameth = EVP_PKEY_asn1_find_str(
NULL
,pkey_name,-1);
if (ameth)
{
EVP_PKEY_asn1_get0_info(&pkey_id, NULL,NULL,NULL,NULL,ameth);
}
if (ameth)
{
EVP_PKEY_asn1_get0_info(&pkey_id, NULL,NULL,NULL,NULL,ameth);
}
- if (tmpeng) ENGINE_finish(tmpeng);
return pkey_id;
}
return pkey_id;
}
+#else
+
+static int get_optional_pkey_id(const char *pkey_name)
+ {
+ const EVP_PKEY_ASN1_METHOD *ameth;
+ ENGINE *tmpeng = NULL;
+ int pkey_id=0;
+ ameth = EVP_PKEY_asn1_find_str(&tmpeng,pkey_name,-1);
+ if (ameth)
+ {
+ EVP_PKEY_asn1_get0_info(&pkey_id, NULL,NULL,NULL,NULL,ameth);
+ }
+ if (tmpeng) ENGINE_finish(tmpeng);
+ return pkey_id;
+ }
+
+#endif
+
void ssl_load_ciphers(void)
{
ssl_cipher_methods[SSL_ENC_DES_IDX]=
void ssl_load_ciphers(void)
{
ssl_cipher_methods[SSL_ENC_DES_IDX]=
@@
-357,16
+383,19
@@
void ssl_load_ciphers(void)
EVP_get_digestbyname(SN_md5);
ssl_mac_secret_size[SSL_MD_MD5_IDX]=
EVP_MD_size(ssl_digest_methods[SSL_MD_MD5_IDX]);
EVP_get_digestbyname(SN_md5);
ssl_mac_secret_size[SSL_MD_MD5_IDX]=
EVP_MD_size(ssl_digest_methods[SSL_MD_MD5_IDX]);
+ OPENSSL_assert(ssl_mac_secret_size[SSL_MD_MD5_IDX] >= 0);
ssl_digest_methods[SSL_MD_SHA1_IDX]=
EVP_get_digestbyname(SN_sha1);
ssl_mac_secret_size[SSL_MD_SHA1_IDX]=
EVP_MD_size(ssl_digest_methods[SSL_MD_SHA1_IDX]);
ssl_digest_methods[SSL_MD_SHA1_IDX]=
EVP_get_digestbyname(SN_sha1);
ssl_mac_secret_size[SSL_MD_SHA1_IDX]=
EVP_MD_size(ssl_digest_methods[SSL_MD_SHA1_IDX]);
+ OPENSSL_assert(ssl_mac_secret_size[SSL_MD_SHA1_IDX] >= 0);
ssl_digest_methods[SSL_MD_GOST94_IDX]=
EVP_get_digestbyname(SN_id_GostR3411_94);
if (ssl_digest_methods[SSL_MD_GOST94_IDX])
{
ssl_mac_secret_size[SSL_MD_GOST94_IDX]=
EVP_MD_size(ssl_digest_methods[SSL_MD_GOST94_IDX]);
ssl_digest_methods[SSL_MD_GOST94_IDX]=
EVP_get_digestbyname(SN_id_GostR3411_94);
if (ssl_digest_methods[SSL_MD_GOST94_IDX])
{
ssl_mac_secret_size[SSL_MD_GOST94_IDX]=
EVP_MD_size(ssl_digest_methods[SSL_MD_GOST94_IDX]);
+ OPENSSL_assert(ssl_mac_secret_size[SSL_MD_GOST94_IDX] >= 0);
}
ssl_digest_methods[SSL_MD_GOST89MAC_IDX]=
EVP_get_digestbyname(SN_id_Gost28147_89_MAC);
}
ssl_digest_methods[SSL_MD_GOST89MAC_IDX]=
EVP_get_digestbyname(SN_id_Gost28147_89_MAC);
@@
-433,7
+462,7
@@
int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size,SSL_COMP **comp)
{
int i;
const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size,SSL_COMP **comp)
{
int i;
- SSL_CIPHER *c;
+
const
SSL_CIPHER *c;
c=s->cipher;
if (c == NULL) return(0);
c=s->cipher;
if (c == NULL) return(0);
@@
-678,7
+707,7
@@
static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
{
int i, co_list_num;
CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
{
int i, co_list_num;
- SSL_CIPHER *c;
+
const
SSL_CIPHER *c;
/*
* We have num_of_ciphers descriptions compiled in, depending on the
/*
* We have num_of_ciphers descriptions compiled in, depending on the
@@
-741,7
+770,7
@@
static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
}
}
}
}
-static void ssl_cipher_collect_aliases(SSL_CIPHER **ca_list,
+static void ssl_cipher_collect_aliases(
const
SSL_CIPHER **ca_list,
int num_of_group_aliases,
unsigned long disabled_mkey, unsigned long disabled_auth,
unsigned long disabled_enc, unsigned long disabled_mac,
int num_of_group_aliases,
unsigned long disabled_mkey, unsigned long disabled_auth,
unsigned long disabled_enc, unsigned long disabled_mac,
@@
-749,7
+778,7
@@
static void ssl_cipher_collect_aliases(SSL_CIPHER **ca_list,
CIPHER_ORDER *head)
{
CIPHER_ORDER *ciph_curr;
CIPHER_ORDER *head)
{
CIPHER_ORDER *ciph_curr;
- SSL_CIPHER **ca_curr;
+
const
SSL_CIPHER **ca_curr;
int i;
unsigned long mask_mkey = ~disabled_mkey;
unsigned long mask_auth = ~disabled_auth;
int i;
unsigned long mask_mkey = ~disabled_mkey;
unsigned long mask_auth = ~disabled_auth;
@@
-819,7
+848,7
@@
static void ssl_cipher_apply_rule(unsigned long cipher_id,
CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
{
CIPHER_ORDER *head, *tail, *curr, *curr2, *last;
CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
{
CIPHER_ORDER *head, *tail, *curr, *curr2, *last;
- SSL_CIPHER *cp;
+
const
SSL_CIPHER *cp;
int reverse = 0;
#ifdef CIPHER_DEBUG
int reverse = 0;
#ifdef CIPHER_DEBUG
@@
-995,7
+1024,7
@@
static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p,
static int ssl_cipher_process_rulestr(const char *rule_str,
CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p,
static int ssl_cipher_process_rulestr(const char *rule_str,
CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p,
- SSL_CIPHER **ca_list)
+
const
SSL_CIPHER **ca_list)
{
unsigned long alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, algo_strength;
const char *l, *start, *buf;
{
unsigned long alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, algo_strength;
const char *l, *start, *buf;
@@
-1254,7
+1283,7
@@
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
STACK_OF(SSL_CIPHER) *cipherstack, *tmp_cipher_list;
const char *rule_p;
CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
STACK_OF(SSL_CIPHER) *cipherstack, *tmp_cipher_list;
const char *rule_p;
CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
- SSL_CIPHER **ca_list = NULL;
+
const
SSL_CIPHER **ca_list = NULL;
/*
* Return with error if nothing to do.
/*
* Return with error if nothing to do.
@@
-1341,8
+1370,7
@@
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
*/
num_of_group_aliases = sizeof(cipher_aliases) / sizeof(SSL_CIPHER);
num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
*/
num_of_group_aliases = sizeof(cipher_aliases) / sizeof(SSL_CIPHER);
num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
- ca_list =
- (SSL_CIPHER **)OPENSSL_malloc(sizeof(SSL_CIPHER *) * num_of_alias_max);
+ ca_list = OPENSSL_malloc(sizeof(SSL_CIPHER *) * num_of_alias_max);
if (ca_list == NULL)
{
OPENSSL_free(co_list);
if (ca_list == NULL)
{
OPENSSL_free(co_list);
@@
-1350,8
+1378,8
@@
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
return(NULL); /* Failure */
}
ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
return(NULL); /* Failure */
}
ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
- disabled_mkey, disabled_auth, disabled_enc,
disabled_mac, disabled_ssl,
- head);
+ disabled_mkey, disabled_auth, disabled_enc,
+
disabled_mac, disabled_ssl,
head);
/*
* If the rule_string begins with DEFAULT, apply the default rule
/*
* If the rule_string begins with DEFAULT, apply the default rule
@@
-1371,7
+1399,7
@@
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
if (ok && (strlen(rule_p) > 0))
ok = ssl_cipher_process_rulestr(rule_p, &head, &tail, ca_list);
if (ok && (strlen(rule_p) > 0))
ok = ssl_cipher_process_rulestr(rule_p, &head, &tail, ca_list);
- OPENSSL_free(ca_list); /* Not needed anymore */
+ OPENSSL_free(
(void *)
ca_list); /* Not needed anymore */
if (!ok)
{ /* Rule processing failure */
if (!ok)
{ /* Rule processing failure */
@@
-1419,6
+1447,7
@@
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
*cipher_list_by_id = tmp_cipher_list;
(void)sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id,ssl_cipher_ptr_id_cmp);
*cipher_list_by_id = tmp_cipher_list;
(void)sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id,ssl_cipher_ptr_id_cmp);
+ sk_SSL_CIPHER_sort(*cipher_list_by_id);
return(cipherstack);
}
return(cipherstack);
}
@@
-1687,7
+1716,7
@@
int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm)
comp->method=cm;
load_builtin_compressions();
if (ssl_comp_methods
comp->method=cm;
load_builtin_compressions();
if (ssl_comp_methods
- &&
!sk_SSL_COMP_find(ssl_comp_methods,comp)
)
+ &&
sk_SSL_COMP_find(ssl_comp_methods,comp) >= 0
)
{
OPENSSL_free(comp);
MemCheck_on();
{
OPENSSL_free(comp);
MemCheck_on();