SSL_SSLV3,
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 168,
+ 112,
168,
},
SSL_SSLV3,
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 168,
+ 112,
168,
},
SSL_SSLV3,
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 168,
+ 112,
168,
},
SSL_SSLV3,
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 168,
+ 112,
168,
},
SSL_SSLV3,
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 168,
+ 112,
168,
},
SSL_SSLV3,
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 168,
+ 112,
168,
},
SSL_SSLV3,
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 168,
+ 112,
168,
},
SSL_SSLV3,
SSL_NOT_EXP|SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 168,
+ 112,
168,
},
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 168,
+ 112,
168,
},
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 168,
+ 112,
168,
},
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 168,
+ 112,
168,
},
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 168,
+ 112,
168,
},
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 168,
+ 112,
168,
},
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 168,
+ 112,
168,
},
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 168,
+ 112,
168,
},
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 168,
+ 112,
168,
},
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 168,
+ 112,
168,
},
SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER);
return(ret);
}
+ if (!ssl_security(s, SSL_SECOP_TMP_DH,
+ DH_security_bits(dh), 0, dh))
+ {
+ SSLerr(SSL_F_SSL3_CTRL, SSL_R_DH_KEY_TOO_SMALL);
+ return(ret);
+ }
if ((dh = DHparams_dup(dh)) == NULL)
{
SSLerr(SSL_F_SSL3_CTRL, ERR_R_DH_LIB);
case SSL_CTRL_CHAIN:
if (larg)
- return ssl_cert_set1_chain(s->cert,
+ return ssl_cert_set1_chain(s, NULL,
(STACK_OF (X509) *)parg);
else
- return ssl_cert_set0_chain(s->cert,
+ return ssl_cert_set0_chain(s, NULL,
(STACK_OF (X509) *)parg);
case SSL_CTRL_CHAIN_CERT:
if (larg)
- return ssl_cert_add1_chain_cert(s->cert, (X509 *)parg);
+ return ssl_cert_add1_chain_cert(s, NULL, (X509 *)parg);
else
- return ssl_cert_add0_chain_cert(s->cert, (X509 *)parg);
+ return ssl_cert_add0_chain_cert(s, NULL, (X509 *)parg);
case SSL_CTRL_GET_CHAIN_CERTS:
*(STACK_OF(X509) **)parg = s->cert->key->chain;
return ssl3_set_req_cert_type(s->cert, parg, larg);
case SSL_CTRL_BUILD_CERT_CHAIN:
- return ssl_build_cert_chain(s->cert, s->ctx->cert_store, larg);
+ return ssl_build_cert_chain(s, NULL, larg);
case SSL_CTRL_SET_VERIFY_CERT_STORE:
return ssl_cert_set_cert_store(s->cert, parg, 0, larg);
DH *new=NULL,*dh;
dh=(DH *)parg;
+ if (!ssl_ctx_security(ctx, SSL_SECOP_TMP_DH,
+ DH_security_bits(dh), 0, dh))
+ {
+ SSLerr(SSL_F_SSL3_CTX_CTRL, SSL_R_DH_KEY_TOO_SMALL);
+ return 0;
+ }
if ((new=DHparams_dup(dh)) == NULL)
{
SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_DH_LIB);
return ssl3_set_req_cert_type(ctx->cert, parg, larg);
case SSL_CTRL_BUILD_CERT_CHAIN:
- return ssl_build_cert_chain(ctx->cert, ctx->cert_store, larg);
+ return ssl_build_cert_chain(NULL, ctx, larg);
case SSL_CTRL_SET_VERIFY_CERT_STORE:
return ssl_cert_set_cert_store(ctx->cert, parg, 0, larg);
case SSL_CTRL_CHAIN:
if (larg)
- return ssl_cert_set1_chain(ctx->cert,
+ return ssl_cert_set1_chain(NULL, ctx,
(STACK_OF (X509) *)parg);
else
- return ssl_cert_set0_chain(ctx->cert,
+ return ssl_cert_set0_chain(NULL, ctx,
(STACK_OF (X509) *)parg);
case SSL_CTRL_CHAIN_CERT:
if (larg)
- return ssl_cert_add1_chain_cert(ctx->cert, (X509 *)parg);
+ return ssl_cert_add1_chain_cert(NULL, ctx, (X509 *)parg);
else
- return ssl_cert_add0_chain_cert(ctx->cert, (X509 *)parg);
+ return ssl_cert_add0_chain_cert(NULL, ctx, (X509 *)parg);
case SSL_CTRL_GET_CHAIN_CERTS:
*(STACK_OF(X509) **)parg = ctx->cert->key->chain;
ii=sk_SSL_CIPHER_find(allow,c);
if (ii >= 0)
{
+ /* Check security callback permits this cipher */
+ if (!ssl_security(s, SSL_SECOP_CIPHER_SHARED,
+ c->strength_bits, 0, c))
+ continue;
#if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_TLSEXT)
if ((alg_k & SSL_kECDHE) && (alg_a & SSL_aECDSA) && s->s3->is_probably_safari)
{
int ssl3_get_req_cert_type(SSL *s, unsigned char *p)
{
int ret=0;
- const unsigned char *sig;
- size_t i, siglen;
- int have_rsa_sign = 0, have_dsa_sign = 0;
-#ifndef OPENSSL_NO_ECDSA
- int have_ecdsa_sign = 0;
-#endif
int nostrict = 1;
- unsigned long alg_k;
+ unsigned long alg_k, alg_a = 0;
/* If we have custom certificate types set, use them */
if (s->cert->ctypes)
memcpy(p, s->cert->ctypes, s->cert->ctype_num);
return (int)s->cert->ctype_num;
}
- /* get configured sigalgs */
- siglen = tls12_get_psigalgs(s, &sig);
+ /* Get mask of algorithms disabled by signature list */
+ ssl_set_sig_mask(&alg_a, s, SSL_SECOP_SIGALG_MASK);
if (s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
nostrict = 0;
- for (i = 0; i < siglen; i+=2, sig+=2)
- {
- switch(sig[1])
- {
- case TLSEXT_signature_rsa:
- have_rsa_sign = 1;
- break;
-
- case TLSEXT_signature_dsa:
- have_dsa_sign = 1;
- break;
-#ifndef OPENSSL_NO_ECDSA
- case TLSEXT_signature_ecdsa:
- have_ecdsa_sign = 1;
- break;
-#endif
- }
- }
alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
/* Since this refers to a certificate signed with an RSA
* algorithm, only check for rsa signing in strict mode.
*/
- if (nostrict || have_rsa_sign)
+ if (nostrict || !(alg_a & SSL_aRSA))
p[ret++]=SSL3_CT_RSA_FIXED_DH;
# endif
# ifndef OPENSSL_NO_DSA
- if (nostrict || have_dsa_sign)
+ if (nostrict || !(alg_a & SSL_aDSS))
p[ret++]=SSL3_CT_DSS_FIXED_DH;
# endif
}
}
#endif /* !OPENSSL_NO_DH */
#ifndef OPENSSL_NO_RSA
- if (have_rsa_sign)
+ if (!(alg_a & SSL_aRSA))
p[ret++]=SSL3_CT_RSA_SIGN;
#endif
#ifndef OPENSSL_NO_DSA
- if (have_dsa_sign)
+ if (!(alg_a & SSL_aDSS))
p[ret++]=SSL3_CT_DSS_SIGN;
#endif
#ifndef OPENSSL_NO_ECDH
if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->version >= TLS1_VERSION))
{
- if (nostrict || have_rsa_sign)
+ if (nostrict || !(alg_a & SSL_aRSA))
p[ret++]=TLS_CT_RSA_FIXED_ECDH;
- if (nostrict || have_ecdsa_sign)
+ if (nostrict || !(alg_a & SSL_aECDSA))
p[ret++]=TLS_CT_ECDSA_FIXED_ECDH;
}
#endif
*/
if (s->version >= TLS1_VERSION)
{
- if (have_ecdsa_sign)
+ if (!(alg_a & SSL_aECDSA))
p[ret++]=TLS_CT_ECDSA_SIGN;
}
#endif
projects / openssl.git / blobdiff