projects
/
openssl.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
dtls1_write_bytes consumers expect amount of bytes written per call, not
[openssl.git]
/
ssl
/
ssl_ciph.c
diff --git
a/ssl/ssl_ciph.c
b/ssl/ssl_ciph.c
index d2e648bf3071ff88403d45781fb63bc76f9bc527..c31d6e0c782f7545364b11da4f8981a071d60240 100644
(file)
--- a/
ssl/ssl_ciph.c
+++ b/
ssl/ssl_ciph.c
@@
-175,7
+175,10
@@
static STACK_OF(SSL_COMP) *ssl_comp_methods=NULL;
#define SSL_MD_SHA1_IDX 1
#define SSL_MD_GOST94_IDX 2
#define SSL_MD_GOST89MAC_IDX 3
#define SSL_MD_SHA1_IDX 1
#define SSL_MD_GOST94_IDX 2
#define SSL_MD_GOST89MAC_IDX 3
-#define SSL_MD_NUM_IDX 4
+/*Constant SSL_MAX_DIGEST equal to size of digests array should be
+ * defined in the
+ * ssl_locl.h */
+#define SSL_MD_NUM_IDX SSL_MAX_DIGEST
static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX]={
NULL,NULL,NULL,NULL
};
static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX]={
NULL,NULL,NULL,NULL
};
@@
-191,6
+194,11
@@
static int ssl_mac_secret_size[SSL_MD_NUM_IDX]={
0,0,0,0
};
0,0,0,0
};
+static int ssl_handshake_digest_flag[SSL_MD_NUM_IDX]={
+ SSL_HANDSHAKE_MAC_MD5,SSL_HANDSHAKE_MAC_SHA,
+ SSL_HANDSHAKE_MAC_GOST94,0
+ };
+
#define CIPHER_ADD 1
#define CIPHER_KILL 2
#define CIPHER_DEL 3
#define CIPHER_ADD 1
#define CIPHER_KILL 2
#define CIPHER_DEL 3
@@
-235,7
+243,7
@@
static const SSL_CIPHER cipher_aliases[]={
{0,SSL_TXT_ECDH,0, SSL_kECDHr|SSL_kECDHe|SSL_kEECDH,0,0,0,0,0,0,0,0},
{0,SSL_TXT_kPSK,0, SSL_kPSK, 0,0,0,0,0,0,0,0},
{0,SSL_TXT_ECDH,0, SSL_kECDHr|SSL_kECDHe|SSL_kEECDH,0,0,0,0,0,0,0,0},
{0,SSL_TXT_kPSK,0, SSL_kPSK, 0,0,0,0,0,0,0,0},
-
+ {0,SSL_TXT_kGOST,0, SSL_kGOST,0,0,0,0,0,0,0,0},
/* server authentication aliases */
{0,SSL_TXT_aRSA,0, 0,SSL_aRSA, 0,0,0,0,0,0,0},
/* server authentication aliases */
{0,SSL_TXT_aRSA,0, 0,SSL_aRSA, 0,0,0,0,0,0,0},
@@
-248,7
+256,9
@@
static const SSL_CIPHER cipher_aliases[]={
{0,SSL_TXT_aECDSA,0, 0,SSL_aECDSA,0,0,0,0,0,0,0},
{0,SSL_TXT_ECDSA,0, 0,SSL_aECDSA, 0,0,0,0,0,0,0},
{0,SSL_TXT_aPSK,0, 0,SSL_aPSK, 0,0,0,0,0,0,0},
{0,SSL_TXT_aECDSA,0, 0,SSL_aECDSA,0,0,0,0,0,0,0},
{0,SSL_TXT_ECDSA,0, 0,SSL_aECDSA, 0,0,0,0,0,0,0},
{0,SSL_TXT_aPSK,0, 0,SSL_aPSK, 0,0,0,0,0,0,0},
-
+ {0,SSL_TXT_aGOST94,0,0,SSL_aGOST94,0,0,0,0,0,0,0},
+ {0,SSL_TXT_aGOST01,0,0,SSL_aGOST01,0,0,0,0,0,0,0},
+ {0,SSL_TXT_aGOST,0,0,SSL_aGOST94|SSL_aGOST01,0,0,0,0,0,0,0},
/* aliases combining key exchange and server authentication */
{0,SSL_TXT_EDH,0, SSL_kEDH,~SSL_aNULL,0,0,0,0,0,0,0},
/* aliases combining key exchange and server authentication */
{0,SSL_TXT_EDH,0, SSL_kEDH,~SSL_aNULL,0,0,0,0,0,0,0},
@@
-298,7
+308,25
@@
static const SSL_CIPHER cipher_aliases[]={
{0,SSL_TXT_LOW,0, 0,0,0,0,0,SSL_LOW, 0,0,0},
{0,SSL_TXT_MEDIUM,0, 0,0,0,0,0,SSL_MEDIUM,0,0,0},
{0,SSL_TXT_HIGH,0, 0,0,0,0,0,SSL_HIGH, 0,0,0},
{0,SSL_TXT_LOW,0, 0,0,0,0,0,SSL_LOW, 0,0,0},
{0,SSL_TXT_MEDIUM,0, 0,0,0,0,0,SSL_MEDIUM,0,0,0},
{0,SSL_TXT_HIGH,0, 0,0,0,0,0,SSL_HIGH, 0,0,0},
+ /* FIPS 140-2 approved ciphersuite */
+ {0,SSL_TXT_FIPS,0, 0,0,~SSL_eNULL,0,0,SSL_FIPS, 0,0,0},
};
};
+/* Search for public key algorithm with given name and
+ * return its pkey_id if it is available. Otherwise return 0
+ */
+static int get_optional_pkey_id(const char *pkey_name)
+ {
+ const EVP_PKEY_ASN1_METHOD *ameth;
+ ENGINE *tmpeng = NULL;
+ int pkey_id=0;
+ ameth = EVP_PKEY_asn1_find_str(&tmpeng,pkey_name,-1);
+ if (ameth)
+ {
+ EVP_PKEY_asn1_get0_info(&pkey_id, NULL,NULL,NULL,NULL,ameth);
+ }
+ if (tmpeng) ENGINE_finish(tmpeng);
+ return pkey_id;
+ }
void ssl_load_ciphers(void)
{
void ssl_load_ciphers(void)
{
@@
-346,19
+374,10
@@
void ssl_load_ciphers(void)
}
ssl_digest_methods[SSL_MD_GOST89MAC_IDX]=
EVP_get_digestbyname(SN_id_Gost28147_89_MAC);
}
ssl_digest_methods[SSL_MD_GOST89MAC_IDX]=
EVP_get_digestbyname(SN_id_Gost28147_89_MAC);
- {
- const EVP_PKEY_ASN1_METHOD *ameth;
- ENGINE *tmpeng = NULL;
- int pkey_id;
- ameth = EVP_PKEY_asn1_find_str(&tmpeng,"gost-mac",-1);
- if (ameth)
- {
- EVP_PKEY_asn1_get0_info(&pkey_id, NULL,NULL,NULL,NULL,ameth);
- ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX]= pkey_id;
+ ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX] = get_optional_pkey_id("gost-mac");
+ if (ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX]) {
ssl_mac_secret_size[SSL_MD_GOST89MAC_IDX]=32;
ssl_mac_secret_size[SSL_MD_GOST89MAC_IDX]=32;
- }
- if (tmpeng) ENGINE_finish(tmpeng);
- }
+ }
}
#ifndef OPENSSL_NO_COMP
}
#ifndef OPENSSL_NO_COMP
@@
-534,6
+553,18
@@
int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
return(0);
}
return(0);
}
+int ssl_get_handshake_digest(int idx, long *mask, const EVP_MD **md)
+{
+ if (idx <0||idx>=SSL_MD_NUM_IDX)
+ {
+ return 0;
+ }
+ if (ssl_handshake_digest_flag[idx]==0) return 0;
+ *mask = ssl_handshake_digest_flag[idx];
+ *md = ssl_digest_methods[idx];
+ return 1;
+}
+
#define ITEM_SEP(a) \
(((a) == ':') || ((a) == ' ') || ((a) == ';') || ((a) == ','))
#define ITEM_SEP(a) \
(((a) == ':') || ((a) == ' ') || ((a) == ';') || ((a) == ','))
@@
-605,9
+636,23
@@
static void ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, un
*mkey |= SSL_kPSK;
*auth |= SSL_aPSK;
#endif
*mkey |= SSL_kPSK;
*auth |= SSL_aPSK;
#endif
+ /* Check for presence of GOST 34.10 algorithms, and if they
+ * do not present, disable appropriate auth and key exchange */
+ if (!get_optional_pkey_id("gost94")) {
+ *auth |= SSL_aGOST94;
+ }
+ if (!get_optional_pkey_id("gost2001")) {
+ *auth |= SSL_aGOST01;
+ }
+ /* Disable GOST key exchange if no GOST signature algs are available * */
+ if ((*auth & (SSL_aGOST94|SSL_aGOST01)) == (SSL_aGOST94|SSL_aGOST01)) {
+ *mkey |= SSL_kGOST;
+ }
#ifdef SSL_FORBID_ENULL
*enc |= SSL_eNULL;
#endif
#ifdef SSL_FORBID_ENULL
*enc |= SSL_eNULL;
#endif
+
+
*enc |= (ssl_cipher_methods[SSL_ENC_DES_IDX ] == NULL) ? SSL_DES :0;
*enc |= (ssl_cipher_methods[SSL_ENC_3DES_IDX] == NULL) ? SSL_3DES:0;
*enc |= (ssl_cipher_methods[SSL_ENC_DES_IDX ] == NULL) ? SSL_DES :0;
*enc |= (ssl_cipher_methods[SSL_ENC_3DES_IDX] == NULL) ? SSL_3DES:0;
@@
-1376,7
+1421,7
@@
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
if (*cipher_list_by_id != NULL)
sk_SSL_CIPHER_free(*cipher_list_by_id);
*cipher_list_by_id = tmp_cipher_list;
if (*cipher_list_by_id != NULL)
sk_SSL_CIPHER_free(*cipher_list_by_id);
*cipher_list_by_id = tmp_cipher_list;
- sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id,ssl_cipher_ptr_id_cmp);
+
(void)
sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id,ssl_cipher_ptr_id_cmp);
return(cipherstack);
}
return(cipherstack);
}