SSL_ALL_STRENGTHS,
},
-#ifndef NO_KRB5
+#ifndef OPENSSL_NO_KRB5
/* The Kerberos ciphers
** 20000107 VRS: And the first shall be last,
** in hopes of avoiding the lynx ssl renegotiation problem.
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
-#endif /* NO_KRB5 */
+#endif /* OPENSSL_NO_KRB5 */
#if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES
OPENSSL_free(s->s3->wbuf.buf);
if (s->s3->rrec.comp != NULL)
OPENSSL_free(s->s3->rrec.comp);
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
if (s->s3->tmp.dh != NULL)
DH_free(s->s3->tmp.dh);
#endif
OPENSSL_free(s->s3->rrec.comp);
s->s3->rrec.comp=NULL;
}
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
if (s->s3->tmp.dh != NULL)
DH_free(s->s3->tmp.dh);
#endif
{
int ret=0;
-#if !defined(NO_DSA) || !defined(NO_RSA)
+#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_RSA)
if (
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
cmd == SSL_CTRL_SET_TMP_RSA ||
cmd == SSL_CTRL_SET_TMP_RSA_CB ||
#endif
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
cmd == SSL_CTRL_SET_TMP_DH ||
cmd == SSL_CTRL_SET_TMP_DH_CB ||
#endif
case SSL_CTRL_GET_FLAGS:
ret=(int)(s->s3->flags);
break;
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
case SSL_CTRL_NEED_TMP_RSA:
if ((s->cert != NULL) && (s->cert->rsa_tmp == NULL) &&
((s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) ||
}
break;
#endif
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
case SSL_CTRL_SET_TMP_DH:
{
DH *dh = (DH *)parg;
{
int ret=0;
-#if !defined(NO_DSA) || !defined(NO_RSA)
+#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_RSA)
if (
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
cmd == SSL_CTRL_SET_TMP_RSA_CB ||
#endif
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
cmd == SSL_CTRL_SET_TMP_DH_CB ||
#endif
0)
switch (cmd)
{
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
case SSL_CTRL_SET_TMP_RSA_CB:
{
s->cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp;
}
break;
#endif
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
case SSL_CTRL_SET_TMP_DH_CB:
{
s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
switch (cmd)
{
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
case SSL_CTRL_NEED_TMP_RSA:
if ( (cert->rsa_tmp == NULL) &&
((cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) ||
}
break;
#endif
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
case SSL_CTRL_SET_TMP_DH:
{
DH *new=NULL,*dh;
switch (cmd)
{
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
case SSL_CTRL_SET_TMP_RSA_CB:
{
cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp;
}
break;
#endif
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
case SSL_CTRL_SET_TMP_DH_CB:
{
cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
return(2);
}
-SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *have,
- STACK_OF(SSL_CIPHER) *pref)
+SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
+ STACK_OF(SSL_CIPHER) *srvr)
{
SSL_CIPHER *c,*ret=NULL;
+ STACK_OF(SSL_CIPHER) *prio, *allow;
int i,j,ok;
CERT *cert;
unsigned long alg,mask,emask;
/* Let's see which ciphers we can support */
cert=s->cert;
- sk_SSL_CIPHER_set_cmp_func(pref,ssl_cipher_ptr_id_cmp);
+#if 0
+ /* Do not set the compare functions, because this may lead to a
+ * reordering by "id". We want to keep the original ordering.
+ * We may pay a price in performance during sk_SSL_CIPHER_find(),
+ * but would have to pay with the price of sk_SSL_CIPHER_dup().
+ */
+ sk_SSL_CIPHER_set_cmp_func(srvr, ssl_cipher_ptr_id_cmp);
+ sk_SSL_CIPHER_set_cmp_func(clnt, ssl_cipher_ptr_id_cmp);
+#endif
#ifdef CIPHER_DEBUG
- printf("Have %d from %p:\n", sk_SSL_CIPHER_num(pref), pref);
- for(i=0 ; i < sk_SSL_CIPHER_num(pref) ; ++i)
+ printf("Server has %d from %p:\n", sk_SSL_CIPHER_num(srvr), srvr);
+ for(i=0 ; i < sk_SSL_CIPHER_num(srvr) ; ++i)
+ {
+ c=sk_SSL_CIPHER_value(srvr,i);
+ printf("%p:%s\n",c,c->name);
+ }
+ printf("Client sent %d from %p:\n", sk_SSL_CIPHER_num(clnt), clnt);
+ for(i=0 ; i < sk_SSL_CIPHER_num(clnt) ; ++i)
{
- c=sk_SSL_CIPHER_value(pref,i);
+ c=sk_SSL_CIPHER_value(clnt,i);
printf("%p:%s\n",c,c->name);
}
#endif
- for (i=0; i<sk_SSL_CIPHER_num(have); i++)
+ if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE)
+ {
+ prio = srvr;
+ allow = clnt;
+ }
+ else
+ {
+ prio = clnt;
+ allow = srvr;
+ }
+
+ for (i=0; i<sk_SSL_CIPHER_num(prio); i++)
{
- c=sk_SSL_CIPHER_value(have,i);
+ c=sk_SSL_CIPHER_value(prio,i);
ssl_set_cert_masks(cert,c);
mask=cert->mask;
if (!ok) continue;
- j=sk_SSL_CIPHER_find(pref,c);
+ j=sk_SSL_CIPHER_find(allow,c);
if (j >= 0)
{
- ret=sk_SSL_CIPHER_value(pref,j);
+ ret=sk_SSL_CIPHER_value(allow,j);
break;
}
}
alg=s->s3->tmp.new_cipher->algorithms;
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
if (alg & (SSL_kDHr|SSL_kEDH))
{
-# ifndef NO_RSA
+# ifndef OPENSSL_NO_RSA
p[ret++]=SSL3_CT_RSA_FIXED_DH;
# endif
-# ifndef NO_DSA
+# ifndef OPENSSL_NO_DSA
p[ret++]=SSL3_CT_DSS_FIXED_DH;
# endif
}
if ((s->version == SSL3_VERSION) &&
(alg & (SSL_kEDH|SSL_kDHd|SSL_kDHr)))
{
-# ifndef NO_RSA
+# ifndef OPENSSL_NO_RSA
p[ret++]=SSL3_CT_RSA_EPHEMERAL_DH;
# endif
-# ifndef NO_DSA
+# ifndef OPENSSL_NO_DSA
p[ret++]=SSL3_CT_DSS_EPHEMERAL_DH;
# endif
}
-#endif /* !NO_DH */
-#ifndef NO_RSA
+#endif /* !OPENSSL_NO_DH */
+#ifndef OPENSSL_NO_RSA
p[ret++]=SSL3_CT_RSA_SIGN;
#endif
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
p[ret++]=SSL3_CT_DSS_SIGN;
#endif
return(ret);
return ssl3_read_internal(s, buf, len, 0);
}
-int ssl3_peek(SSL *s, char *buf, int len)
+int ssl3_peek(SSL *s, void *buf, int len)
{
return ssl3_read_internal(s, buf, len, 1);
}