55c3fd06bb2605376b2b6d70c2ebdb68a88e6bca
[openssl.git] / ssl / ssl_ciph.c
1 /* ssl/ssl_ciph.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58
59 #include <stdio.h>
60 #include "objects.h"
61 #include "comp.h"
62 #include "ssl_locl.h"
63
64 #define SSL_ENC_DES_IDX         0
65 #define SSL_ENC_3DES_IDX        1
66 #define SSL_ENC_RC4_IDX         2
67 #define SSL_ENC_RC2_IDX         3
68 #define SSL_ENC_IDEA_IDX        4
69 #define SSL_ENC_eFZA_IDX        5
70 #define SSL_ENC_NULL_IDX        6
71 #define SSL_ENC_NUM_IDX         7
72
73 static EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX]={
74         NULL,NULL,NULL,NULL,NULL,NULL,
75         };
76
77 static STACK_OF(SSL_COMP) *ssl_comp_methods=NULL;
78
79 #define SSL_MD_MD5_IDX  0
80 #define SSL_MD_SHA1_IDX 1
81 #define SSL_MD_NUM_IDX  2
82 static EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX]={
83         NULL,NULL,
84         };
85
86 typedef struct cipher_sort_st
87         {
88         SSL_CIPHER *cipher;
89         int pref;
90         } CIPHER_SORT;
91
92 #define CIPHER_ADD      1
93 #define CIPHER_KILL     2
94 #define CIPHER_DEL      3
95 #define CIPHER_ORD      4
96
97 typedef struct cipher_choice_st
98         {
99         int type;
100         unsigned long algorithms;
101         unsigned long mask;
102         long top;
103         } CIPHER_CHOICE;
104
105 typedef struct cipher_order_st
106         {
107         SSL_CIPHER *cipher;
108         int active;
109         int dead;
110         struct cipher_order_st *next,*prev;
111         } CIPHER_ORDER;
112
113 static SSL_CIPHER cipher_aliases[]={
114         /* Don't include eNULL unless specifically enabled */
115         {0,SSL_TXT_ALL, 0,SSL_ALL & ~SSL_eNULL, 0,SSL_ALL}, /* must be first */
116         {0,SSL_TXT_kRSA,0,SSL_kRSA,  0,SSL_MKEY_MASK},
117         {0,SSL_TXT_kDHr,0,SSL_kDHr,  0,SSL_MKEY_MASK},
118         {0,SSL_TXT_kDHd,0,SSL_kDHd,  0,SSL_MKEY_MASK},
119         {0,SSL_TXT_kEDH,0,SSL_kEDH,  0,SSL_MKEY_MASK},
120         {0,SSL_TXT_kFZA,0,SSL_kFZA,  0,SSL_MKEY_MASK},
121         {0,SSL_TXT_DH,  0,SSL_DH,    0,SSL_MKEY_MASK},
122         {0,SSL_TXT_EDH, 0,SSL_EDH,   0,SSL_MKEY_MASK|SSL_AUTH_MASK},
123
124         {0,SSL_TXT_aRSA,0,SSL_aRSA,  0,SSL_AUTH_MASK},
125         {0,SSL_TXT_aDSS,0,SSL_aDSS,  0,SSL_AUTH_MASK},
126         {0,SSL_TXT_aFZA,0,SSL_aFZA,  0,SSL_AUTH_MASK},
127         {0,SSL_TXT_aNULL,0,SSL_aNULL,0,SSL_AUTH_MASK},
128         {0,SSL_TXT_aDH, 0,SSL_aDH,   0,SSL_AUTH_MASK},
129         {0,SSL_TXT_DSS, 0,SSL_DSS,   0,SSL_AUTH_MASK},
130
131         {0,SSL_TXT_DES, 0,SSL_DES,   0,SSL_ENC_MASK},
132         {0,SSL_TXT_3DES,0,SSL_3DES,  0,SSL_ENC_MASK},
133         {0,SSL_TXT_RC4, 0,SSL_RC4,   0,SSL_ENC_MASK},
134         {0,SSL_TXT_RC2, 0,SSL_RC2,   0,SSL_ENC_MASK},
135         {0,SSL_TXT_IDEA,0,SSL_IDEA,  0,SSL_ENC_MASK},
136         {0,SSL_TXT_eNULL,0,SSL_eNULL,0,SSL_ENC_MASK},
137         {0,SSL_TXT_eFZA,0,SSL_eFZA,  0,SSL_ENC_MASK},
138
139         {0,SSL_TXT_MD5, 0,SSL_MD5,   0,SSL_MAC_MASK},
140         {0,SSL_TXT_SHA1,0,SSL_SHA1,  0,SSL_MAC_MASK},
141         {0,SSL_TXT_SHA, 0,SSL_SHA,   0,SSL_MAC_MASK},
142
143         {0,SSL_TXT_NULL,0,SSL_NULL,  0,SSL_ENC_MASK},
144         {0,SSL_TXT_RSA, 0,SSL_RSA,   0,SSL_AUTH_MASK|SSL_MKEY_MASK},
145         {0,SSL_TXT_ADH, 0,SSL_ADH,   0,SSL_AUTH_MASK|SSL_MKEY_MASK},
146         {0,SSL_TXT_FZA, 0,SSL_FZA,   0,SSL_AUTH_MASK|SSL_MKEY_MASK|SSL_ENC_MASK},
147
148         {0,SSL_TXT_EXP40, 0,SSL_EXP40, 0,SSL_EXP_MASK},
149         {0,SSL_TXT_EXPORT,0,SSL_EXP40, 0,SSL_EXP_MASK},
150         {0,SSL_TXT_EXP56, 0,SSL_EXP56, 0,SSL_EXP_MASK},
151         {0,SSL_TXT_SSLV2, 0,SSL_SSLV2, 0,SSL_SSL_MASK},
152         {0,SSL_TXT_SSLV3, 0,SSL_SSLV3, 0,SSL_SSL_MASK},
153         {0,SSL_TXT_TLSV1, 0,SSL_TLSV1, 0,SSL_SSL_MASK},
154         {0,SSL_TXT_LOW,   0,SSL_LOW,   0,SSL_STRONG_MASK},
155         {0,SSL_TXT_MEDIUM,0,SSL_MEDIUM,0,SSL_STRONG_MASK},
156         {0,SSL_TXT_HIGH,  0,SSL_HIGH,  0,SSL_STRONG_MASK},
157         };
158
159 static int init_ciphers=1;
160 static void load_ciphers();
161
162 static int cmp_by_name(a,b)
163 SSL_CIPHER **a,**b;
164         {
165         return(strcmp((*a)->name,(*b)->name));
166         }
167
168 static void load_ciphers()
169         {
170         init_ciphers=0;
171         ssl_cipher_methods[SSL_ENC_DES_IDX]= 
172                 EVP_get_cipherbyname(SN_des_cbc);
173         ssl_cipher_methods[SSL_ENC_3DES_IDX]=
174                 EVP_get_cipherbyname(SN_des_ede3_cbc);
175         ssl_cipher_methods[SSL_ENC_RC4_IDX]=
176                 EVP_get_cipherbyname(SN_rc4);
177         ssl_cipher_methods[SSL_ENC_RC2_IDX]= 
178                 EVP_get_cipherbyname(SN_rc2_cbc);
179         ssl_cipher_methods[SSL_ENC_IDEA_IDX]= 
180                 EVP_get_cipherbyname(SN_idea_cbc);
181
182         ssl_digest_methods[SSL_MD_MD5_IDX]=
183                 EVP_get_digestbyname(SN_md5);
184         ssl_digest_methods[SSL_MD_SHA1_IDX]=
185                 EVP_get_digestbyname(SN_sha1);
186         }
187
188 int ssl_cipher_get_evp(s,enc,md,comp)
189 SSL_SESSION *s;
190 EVP_CIPHER **enc;
191 EVP_MD **md;
192 SSL_COMP **comp;
193         {
194         int i;
195         SSL_CIPHER *c;
196
197         c=s->cipher;
198         if (c == NULL) return(0);
199         if (comp != NULL)
200                 {
201                 SSL_COMP ctmp;
202
203                 if (s->compress_meth == 0)
204                         *comp=NULL;
205                 else if (ssl_comp_methods == NULL)
206                         {
207                         /* bad */
208                         *comp=NULL;
209                         }
210                 else
211                         {
212
213                         ctmp.id=s->compress_meth;
214                         i=sk_SSL_COMP_find(ssl_comp_methods,&ctmp);
215                         if (i >= 0)
216                                 *comp=sk_SSL_COMP_value(ssl_comp_methods,i);
217                         else
218                                 *comp=NULL;
219                         }
220                 }
221
222         if ((enc == NULL) || (md == NULL)) return(0);
223
224         switch (c->algorithms & SSL_ENC_MASK)
225                 {
226         case SSL_DES:
227                 i=SSL_ENC_DES_IDX;
228                 break;
229         case SSL_3DES:
230                 i=SSL_ENC_3DES_IDX;
231                 break;
232         case SSL_RC4:
233                 i=SSL_ENC_RC4_IDX;
234                 break;
235         case SSL_RC2:
236                 i=SSL_ENC_RC2_IDX;
237                 break;
238         case SSL_IDEA:
239                 i=SSL_ENC_IDEA_IDX;
240                 break;
241         case SSL_eNULL:
242                 i=SSL_ENC_NULL_IDX;
243                 break;
244         default:
245                 i= -1;
246                 break;
247                 }
248
249         if ((i < 0) || (i > SSL_ENC_NUM_IDX))
250                 *enc=NULL;
251         else
252                 {
253                 if (i == SSL_ENC_NULL_IDX)
254                         *enc=EVP_enc_null();
255                 else
256                         *enc=ssl_cipher_methods[i];
257                 }
258
259         switch (c->algorithms & SSL_MAC_MASK)
260                 {
261         case SSL_MD5:
262                 i=SSL_MD_MD5_IDX;
263                 break;
264         case SSL_SHA1:
265                 i=SSL_MD_SHA1_IDX;
266                 break;
267         default:
268                 i= -1;
269                 break;
270                 }
271         if ((i < 0) || (i > SSL_MD_NUM_IDX))
272                 *md=NULL;
273         else
274                 *md=ssl_digest_methods[i];
275
276         if ((*enc != NULL) && (*md != NULL))
277                 return(1);
278         else
279                 return(0);
280         }
281
282 #define ITEM_SEP(a) \
283         (((a) == ':') || ((a) == ' ') || ((a) == ';') || ((a) == ','))
284
285 static void ll_append_tail(head,curr,tail)
286 CIPHER_ORDER **head,*curr,**tail;
287         {
288         if (curr == *tail) return;
289         if (curr == *head)
290                 *head=curr->next;
291         if (curr->prev != NULL)
292                 curr->prev->next=curr->next;
293         if (curr->next != NULL) /* should always be true */
294                 curr->next->prev=curr->prev;
295         (*tail)->next=curr;
296         curr->prev= *tail;
297         curr->next=NULL;
298         *tail=curr;
299         }
300
301 STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(ssl_method,cipher_list,
302                                              cipher_list_by_id,str)
303 SSL_METHOD *ssl_method;
304 STACK_OF(SSL_CIPHER) **cipher_list,**cipher_list_by_id;
305 char *str;
306         {
307         SSL_CIPHER *c;
308         char *l;
309         STACK_OF(SSL_CIPHER) *ret=NULL,*ok=NULL;
310 #define CL_BUF  40
311         char buf[CL_BUF];
312         char *tmp_str=NULL;
313         unsigned long mask,algorithms,ma;
314         char *start;
315         int i,j,k,num=0,ch,multi;
316         unsigned long al;
317         STACK *ca_list=NULL;
318         int current_x,num_x;
319         CIPHER_CHOICE *ops=NULL;
320         CIPHER_ORDER *list=NULL,*head=NULL,*tail=NULL,*curr,*tail2,*curr2;
321         int list_num;
322         int type;
323         SSL_CIPHER c_tmp,*cp;
324
325         if (str == NULL) return(NULL);
326
327         if (strncmp(str,"DEFAULT",7) == 0)
328                 {
329                 i=strlen(str)+2+strlen(SSL_DEFAULT_CIPHER_LIST);
330                 if ((tmp_str=Malloc(i)) == NULL)
331                         {
332                         SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
333                         goto err;
334                         }
335                 strcpy(tmp_str,SSL_DEFAULT_CIPHER_LIST);
336                 strcat(tmp_str,":");
337                 strcat(tmp_str,&(str[7]));
338                 str=tmp_str;
339                 }
340         if (init_ciphers) load_ciphers();
341
342         num=ssl_method->num_ciphers();
343
344         if ((ret=sk_SSL_CIPHER_new(NULL)) == NULL) goto err;
345         if ((ca_list=(STACK *)sk_new(cmp_by_name)) == NULL) goto err;
346
347         mask =SSL_kFZA;
348 #ifdef NO_RSA
349         mask|=SSL_aRSA|SSL_kRSA;
350 #endif
351 #ifdef NO_DSA
352         mask|=SSL_aDSS;
353 #endif
354 #ifdef NO_DH
355         mask|=SSL_kDHr|SSL_kDHd|SSL_kEDH|SSL_aDH;
356 #endif
357
358 #ifdef SSL_FORBID_ENULL
359         mask|=SSL_eNULL;
360 #endif
361
362         mask|=(ssl_cipher_methods[SSL_ENC_DES_IDX ] == NULL)?SSL_DES :0;
363         mask|=(ssl_cipher_methods[SSL_ENC_3DES_IDX] == NULL)?SSL_3DES:0;
364         mask|=(ssl_cipher_methods[SSL_ENC_RC4_IDX ] == NULL)?SSL_RC4 :0;
365         mask|=(ssl_cipher_methods[SSL_ENC_RC2_IDX ] == NULL)?SSL_RC2 :0;
366         mask|=(ssl_cipher_methods[SSL_ENC_IDEA_IDX] == NULL)?SSL_IDEA:0;
367         mask|=(ssl_cipher_methods[SSL_ENC_eFZA_IDX] == NULL)?SSL_eFZA:0;
368
369         mask|=(ssl_digest_methods[SSL_MD_MD5_IDX ] == NULL)?SSL_MD5 :0;
370         mask|=(ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL)?SSL_SHA1:0;
371
372         if ((list=(CIPHER_ORDER *)Malloc(sizeof(CIPHER_ORDER)*num)) == NULL)
373                 goto err;
374
375         /* Get the initial list of ciphers */
376         list_num=0;
377         for (i=0; i<num; i++)
378                 {
379                 c=ssl_method->get_cipher((unsigned int)i);
380                 /* drop those that use any of that is not available */
381                 if ((c != NULL) && c->valid && !(c->algorithms & mask))
382                         {
383                         list[list_num].cipher=c;
384                         list[list_num].next=NULL;
385                         list[list_num].prev=NULL;
386                         list[list_num].active=0;
387                         list_num++;
388                         if (!sk_push(ca_list,(char *)c)) goto err;
389                         }
390                 }
391         
392         for (i=1; i<list_num-1; i++)
393                 {
394                 list[i].prev= &(list[i-1]);
395                 list[i].next= &(list[i+1]);
396                 }
397         if (list_num > 0)
398                 {
399                 head= &(list[0]);
400                 head->prev=NULL;
401                 head->next= &(list[1]);
402                 tail= &(list[list_num-1]);
403                 tail->prev= &(list[list_num-2]);
404                 tail->next=NULL;
405                 }
406
407         /* special case */
408         cipher_aliases[0].algorithms &= ~mask;
409
410         /* get the aliases */
411         k=sizeof(cipher_aliases)/sizeof(SSL_CIPHER);
412         for (j=0; j<k; j++)
413                 {
414                 al=cipher_aliases[j].algorithms;
415                 /* Drop those that are not relevent */
416                 if ((al & mask) == al) continue;
417                 if (!sk_push(ca_list,(char *)&(cipher_aliases[j]))) goto err;
418                 }
419
420         /* ca_list now holds a 'stack' of SSL_CIPHERS, some real, some
421          * 'aliases' */
422
423         /* how many parameters are there? */
424         num=1;
425         for (l=str; *l; l++)
426                 if (ITEM_SEP(*l))
427                         num++;
428         ops=(CIPHER_CHOICE *)Malloc(sizeof(CIPHER_CHOICE)*num);
429         if (ops == NULL) goto err;
430         memset(ops,0,sizeof(CIPHER_CHOICE)*num);
431
432         /* we now parse the input string and create our operations */
433         l=str;
434         i=0;
435         current_x=0;
436
437         for (;;)
438                 {
439                 ch= *l;
440
441                 if (ch == '\0') break;
442
443                 if (ch == '-')
444                         { j=CIPHER_DEL; l++; }
445                 else if (ch == '+')
446                         { j=CIPHER_ORD; l++; }
447                 else if (ch == '!')
448                         { j=CIPHER_KILL; l++; }
449                 else    
450                         { j=CIPHER_ADD; }
451
452                 if (ITEM_SEP(ch))
453                         {
454                         l++;
455                         continue;
456                         }
457                 ops[current_x].type=j;
458                 ops[current_x].algorithms=0;
459                 ops[current_x].mask=0;
460
461                 start=l;
462                 for (;;)
463                         {
464                         ch= *l;
465                         i=0;
466                         while ( ((ch >= 'A') && (ch <= 'Z')) ||
467                                 ((ch >= '0') && (ch <= '9')) ||
468                                 ((ch >= 'a') && (ch <= 'z')) ||
469                                  (ch == '-'))
470                                  {
471                                  buf[i]=ch;
472                                  ch= *(++l);
473                                  i++;
474                                  if (i >= (CL_BUF-2)) break;
475                                  }
476                         buf[i]='\0';
477
478                         /* check for multi-part specification */
479                         if (ch == '+')
480                                 {
481                                 multi=1;
482                                 l++;
483                                 }
484                         else
485                                 multi=0;
486
487                         c_tmp.name=buf;
488                         j=sk_find(ca_list,(char *)&c_tmp);
489                         if (j < 0)
490                                 goto end_loop;
491
492                         cp=(SSL_CIPHER *)sk_value(ca_list,j);
493                         ops[current_x].algorithms|=cp->algorithms;
494                         /* We add the SSL_SSL_MASK so we can match the
495                          * SSLv2 and SSLv3 versions of RC4-MD5 */
496                         ops[current_x].mask|=cp->mask;
497                         if (!multi) break;
498                         }
499                 current_x++;
500                 if (ch == '\0') break;
501 end_loop:
502                 /* Make sure we scan until the next valid start point */
503                 while ((*l != '\0') && ITEM_SEP(*l))
504                         l++;
505                 }
506
507         num_x=current_x;
508         current_x=0;
509
510         /* We will now process the list of ciphers, once for each category, to
511          * decide what we should do with it. */
512         for (j=0; j<num_x; j++)
513                 {
514                 algorithms=ops[j].algorithms;
515                 type=ops[j].type;
516                 mask=ops[j].mask;
517
518                 curr=head;
519                 curr2=head;
520                 tail2=tail;
521                 for (;;)
522                         {
523                         if ((curr == NULL) || (curr == tail2)) break;
524                         curr=curr2;
525                         curr2=curr->next;
526
527                         cp=curr->cipher;
528                         ma=mask & cp->algorithms;
529                         if ((ma == 0) || ((ma & algorithms) != ma))
530                                 {
531                                 /* does not apply */
532                                 continue;
533                                 }
534
535                         /* add the cipher if it has not been added yet. */
536                         if (type == CIPHER_ADD)
537                                 {
538                                 if (!curr->active)
539                                         {
540                                         ll_append_tail(&head,curr,&tail);
541                                         curr->active=1;
542                                         }
543                                 }
544                         /* Move the added cipher to this location */
545                         else if (type == CIPHER_ORD)
546                                 {
547                                 if (curr->active)
548                                         {
549                                         ll_append_tail(&head,curr,&tail);
550                                         }
551                                 }
552                         else if (type == CIPHER_DEL)
553                                 curr->active=0;
554                         if (type == CIPHER_KILL)
555                                 {
556                                 if (head == curr)
557                                         head=curr->next;
558                                 else
559                                         curr->prev->next=curr->next;
560                                 if (tail == curr)
561                                         tail=curr->prev;
562                                 curr->active=0;
563                                 if (curr->next != NULL)
564                                         curr->next->prev=curr->prev;
565                                 if (curr->prev != NULL)
566                                         curr->prev->next=curr->next;
567                                 curr->next=NULL;
568                                 curr->prev=NULL;
569                                 }
570                         }
571                 }
572
573         for (curr=head; curr != NULL; curr=curr->next)
574                 {
575                 if (curr->active)
576                         {
577                         sk_SSL_CIPHER_push(ret,curr->cipher);
578 #ifdef CIPHER_DEBUG
579                         printf("<%s>\n",curr->cipher->name);
580 #endif
581                         }
582                 }
583
584         if (cipher_list != NULL)
585                 {
586                 if (*cipher_list != NULL)
587                         sk_SSL_CIPHER_free(*cipher_list);
588                 *cipher_list=ret;
589                 }
590
591         if (cipher_list_by_id != NULL)
592                 {
593                 if (*cipher_list_by_id != NULL)
594                         sk_SSL_CIPHER_free(*cipher_list_by_id);
595                 *cipher_list_by_id=sk_SSL_CIPHER_dup(ret);
596                 }
597
598         if (    (cipher_list_by_id == NULL) ||
599                 (*cipher_list_by_id == NULL) ||
600                 (cipher_list == NULL) ||
601                 (*cipher_list == NULL))
602                 goto err;
603         sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id,ssl_cipher_ptr_id_cmp);
604
605         ok=ret;
606         ret=NULL;
607 err:
608         if (tmp_str) Free(tmp_str);
609         if (ops != NULL) Free(ops);
610         if (ret != NULL) sk_SSL_CIPHER_free(ret);
611         if (ca_list != NULL) sk_free(ca_list);
612         if (list != NULL) Free(list);
613         return(ok);
614         }
615
616 char *SSL_CIPHER_description(cipher,buf,len)
617 SSL_CIPHER *cipher;
618 char *buf;
619 int len;
620         {
621         int is_export,pkl,kl;
622         char *ver,*exp;
623         char *kx,*au,*enc,*mac;
624         unsigned long alg,alg2;
625         static char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s\n";
626         
627         alg=cipher->algorithms;
628         alg2=cipher->algorithm2;
629
630         is_export=SSL_IS_EXPORT(alg);
631         pkl=SSL_EXPORT_PKEYLENGTH(alg);
632         kl=SSL_EXPORT_KEYLENGTH(alg);
633         exp=is_export?" export":"";
634
635         if (alg & SSL_SSLV2)
636                 ver="SSLv2";
637         else if (alg & SSL_SSLV3)
638                 ver="SSLv3";
639         else
640                 ver="unknown";
641
642         switch (alg&SSL_MKEY_MASK)
643                 {
644         case SSL_kRSA:
645                 kx=is_export?(pkl == 512 ? "RSA(512)" : "RSA(1024)"):"RSA";
646                 break;
647         case SSL_kDHr:
648                 kx="DH/RSA";
649                 break;
650         case SSL_kDHd:
651                 kx="DH/DSS";
652                 break;
653         case SSL_kFZA:
654                 kx="Fortezza";
655                 break;
656         case SSL_kEDH:
657                 kx=is_export?(pkl == 512 ? "DH(512)" : "DH(1024)"):"DH";
658                 break;
659         default:
660                 kx="unknown";
661                 }
662
663         switch (alg&SSL_AUTH_MASK)
664                 {
665         case SSL_aRSA:
666                 au="RSA";
667                 break;
668         case SSL_aDSS:
669                 au="DSS";
670                 break;
671         case SSL_aDH:
672                 au="DH";
673                 break;
674         case SSL_aFZA:
675         case SSL_aNULL:
676                 au="None";
677                 break;
678         default:
679                 au="unknown";
680                 break;
681                 }
682
683         switch (alg&SSL_ENC_MASK)
684                 {
685         case SSL_DES:
686                 enc=(is_export && kl == 5)?"DES(40)":"DES(56)";
687                 break;
688         case SSL_3DES:
689                 enc="3DES(168)";
690                 break;
691         case SSL_RC4:
692                 enc=is_export?(kl == 5 ? "RC4(40)" : "RC4(56)")
693                   :((alg2&SSL2_CF_8_BYTE_ENC)?"RC4(64)":"RC4(128)");
694                 break;
695         case SSL_RC2:
696                 enc=is_export?(kl == 5 ? "RC2(40)" : "RC2(56)"):"RC2(128)";
697                 break;
698         case SSL_IDEA:
699                 enc="IDEA(128)";
700                 break;
701         case SSL_eFZA:
702                 enc="Fortezza";
703                 break;
704         case SSL_eNULL:
705                 enc="None";
706                 break;
707         default:
708                 enc="unknown";
709                 break;
710                 }
711
712         switch (alg&SSL_MAC_MASK)
713                 {
714         case SSL_MD5:
715                 mac="MD5";
716                 break;
717         case SSL_SHA1:
718                 mac="SHA1";
719                 break;
720         default:
721                 mac="unknown";
722                 break;
723                 }
724
725         if (buf == NULL)
726                 {
727                 buf=Malloc(128);
728                 if (buf == NULL) return("Malloc Error");
729                 }
730         else if (len < 128)
731                 return("Buffer too small");
732
733         sprintf(buf,format,cipher->name,ver,kx,au,enc,mac,exp);
734         return(buf);
735         }
736
737 char *SSL_CIPHER_get_version(c)
738 SSL_CIPHER *c;
739         {
740         int i;
741
742         if (c == NULL) return("(NONE)");
743         i=(int)(c->id>>24L);
744         if (i == 3)
745                 return("TLSv1/SSLv3");
746         else if (i == 2)
747                 return("SSLv2");
748         else
749                 return("unknown");
750         }
751
752 /* return the actual cipher being used */
753 char *SSL_CIPHER_get_name(c)
754 SSL_CIPHER *c;
755         {
756         if (c != NULL)
757                 return(c->name);
758         return("(NONE)");
759         }
760
761 /* number of bits for symetric cipher */
762 int SSL_CIPHER_get_bits(c,alg_bits)
763 SSL_CIPHER *c;
764 int *alg_bits;
765         {
766         int ret=0,a=0;
767         EVP_CIPHER *enc;
768         EVP_MD *md;
769         SSL_SESSION ss;
770
771         if (c != NULL)
772                 {
773                 ss.cipher=c;
774                 if (!ssl_cipher_get_evp(&ss,&enc,&md,NULL))
775                         return(0);
776
777                 a=EVP_CIPHER_key_length(enc)*8;
778
779                 if (SSL_C_IS_EXPORT(c))
780                         {
781                         ret=SSL_C_EXPORT_KEYLENGTH(c)*8;
782                         }
783                 else
784                         {
785                         if (c->algorithm2 & SSL2_CF_8_BYTE_ENC)
786                                 ret=64;
787                         else
788                                 ret=a;
789                         }
790                 }
791
792         if (alg_bits != NULL) *alg_bits=a;
793         
794         return(ret);
795         }
796
797 SSL_COMP *ssl3_comp_find(sk,n)
798 STACK_OF(SSL_COMP) *sk;
799 int n;
800         {
801         SSL_COMP *ctmp;
802         int i,nn;
803
804         if ((n == 0) || (sk == NULL)) return(NULL);
805         nn=sk_SSL_COMP_num(sk);
806         for (i=0; i<nn; i++)
807                 {
808                 ctmp=sk_SSL_COMP_value(sk,i);
809                 if (ctmp->id == n)
810                         return(ctmp);
811                 }
812         return(NULL);
813         }
814
815 static int sk_comp_cmp(a,b)
816 SSL_COMP **a,**b;
817         {
818         return((*a)->id-(*b)->id);
819         }
820
821 STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods()
822         {
823         return(ssl_comp_methods);
824         }
825
826 int SSL_COMP_add_compression_method(id,cm)
827 int id;
828 COMP_METHOD *cm;
829         {
830         SSL_COMP *comp;
831         STACK_OF(SSL_COMP) *sk;
832
833         comp=(SSL_COMP *)Malloc(sizeof(SSL_COMP));
834         comp->id=id;
835         comp->method=cm;
836         if (ssl_comp_methods == NULL)
837                 sk=ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp);
838         else
839                 sk=ssl_comp_methods;
840         if ((sk == NULL) || !sk_SSL_COMP_push(sk,comp))
841                 {
842                 SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,ERR_R_MALLOC_FAILURE);
843                 return(0);
844                 }
845         else
846                 return(1);
847         }
848