Fix #2400 Add NO_RENEGOTIATE option
diff --git
a/ssl/ssl_ciph.c
b/ssl/ssl_ciph.c
index 2d2395c5c15c516201012f875bbbc23062cc9f79..f05e86f0c5d756484aa27067231354be51efc0b1 100644
--- a/
ssl/ssl_ciph.c
+++ b/
ssl/ssl_ciph.c
@@
-371,7
+371,7
@@
static uint32_t disabled_mac_mask;
static uint32_t disabled_mkey_mask;
static uint32_t disabled_auth_mask;
static uint32_t disabled_mkey_mask;
static uint32_t disabled_auth_mask;
-
void
ssl_load_ciphers(void)
+
int
ssl_load_ciphers(void)
{
size_t i;
const ssl_cipher_table *t;
{
size_t i;
const ssl_cipher_table *t;
@@
-388,9
+388,6
@@
void ssl_load_ciphers(void)
disabled_enc_mask |= t->mask;
}
}
disabled_enc_mask |= t->mask;
}
}
-#ifdef SSL_FORBID_ENULL
- disabled_enc_mask |= SSL_eNULL;
-#endif
disabled_mac_mask = 0;
for (i = 0, t = ssl_cipher_table_mac; i < SSL_MD_NUM_IDX; i++, t++) {
const EVP_MD *md = EVP_get_digestbynid(t->nid);
disabled_mac_mask = 0;
for (i = 0, t = ssl_cipher_table_mac; i < SSL_MD_NUM_IDX; i++, t++) {
const EVP_MD *md = EVP_get_digestbynid(t->nid);
@@
-399,13
+396,16
@@
void ssl_load_ciphers(void)
disabled_mac_mask |= t->mask;
} else {
int tmpsize = EVP_MD_size(md);
disabled_mac_mask |= t->mask;
} else {
int tmpsize = EVP_MD_size(md);
- OPENSSL_assert(tmpsize >= 0);
+ if (!ossl_assert(tmpsize >= 0))
+ return 0;
ssl_mac_secret_size[i] = tmpsize;
}
}
/* Make sure we can access MD5 and SHA1 */
ssl_mac_secret_size[i] = tmpsize;
}
}
/* Make sure we can access MD5 and SHA1 */
- OPENSSL_assert(ssl_digest_methods[SSL_MD_MD5_IDX] != NULL);
- OPENSSL_assert(ssl_digest_methods[SSL_MD_SHA1_IDX] != NULL);
+ if (!ossl_assert(ssl_digest_methods[SSL_MD_MD5_IDX] != NULL))
+ return 0;
+ if (!ossl_assert(ssl_digest_methods[SSL_MD_SHA1_IDX] != NULL))
+ return 0;
disabled_mkey_mask = 0;
disabled_auth_mask = 0;
disabled_mkey_mask = 0;
disabled_auth_mask = 0;
@@
-463,6
+463,8
@@
void ssl_load_ciphers(void)
if ((disabled_auth_mask & (SSL_aGOST01 | SSL_aGOST12)) ==
(SSL_aGOST01 | SSL_aGOST12))
disabled_mkey_mask |= SSL_kGOST;
if ((disabled_auth_mask & (SSL_aGOST01 | SSL_aGOST12)) ==
(SSL_aGOST01 | SSL_aGOST12))
disabled_mkey_mask |= SSL_kGOST;
+
+ return 1;
}
#ifndef OPENSSL_NO_COMP
}
#ifndef OPENSSL_NO_COMP
@@
-577,9
+579,6
@@
int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
s->ssl_version < TLS1_VERSION)
return 1;
s->ssl_version < TLS1_VERSION)
return 1;
- if (FIPS_mode())
- return 1;
-
if (c->algorithm_enc == SSL_RC4 &&
c->algorithm_mac == SSL_MD5 &&
(evp = EVP_get_cipherbyname("RC4-HMAC-MD5")))
if (c->algorithm_enc == SSL_RC4 &&
c->algorithm_mac == SSL_MD5 &&
(evp = EVP_get_cipherbyname("RC4-HMAC-MD5")))
@@
-687,8
+686,6
@@
static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
/* drop those that use any of that is not available */
if (c == NULL || !c->valid)
continue;
/* drop those that use any of that is not available */
if (c == NULL || !c->valid)
continue;
- if (FIPS_mode() && (c->algo_strength & SSL_FIPS))
- continue;
if ((c->algorithm_mkey & disabled_mkey) ||
(c->algorithm_auth & disabled_auth) ||
(c->algorithm_enc & disabled_enc) ||
if ((c->algorithm_mkey & disabled_mkey) ||
(c->algorithm_auth & disabled_auth) ||
(c->algorithm_enc & disabled_enc) ||
@@
-706,9
+703,6
@@
static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
co_list[co_list_num].prev = NULL;
co_list[co_list_num].active = 0;
co_list_num++;
co_list[co_list_num].prev = NULL;
co_list[co_list_num].active = 0;
co_list_num++;
- /*
- * if (!sk_push(ca_list,(char *)c)) goto err;
- */
}
/*
}
/*
@@
-1495,8
+1489,7
@@
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK
* to the resulting precedence to the STACK_OF(SSL_CIPHER).
*/
for (curr = head; curr != NULL; curr = curr->next) {
* to the resulting precedence to the STACK_OF(SSL_CIPHER).
*/
for (curr = head; curr != NULL; curr = curr->next) {
- if (curr->active
- && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS)) {
+ if (curr->active) {
if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) {
OPENSSL_free(co_list);
sk_SSL_CIPHER_free(cipherstack);
if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) {
OPENSSL_free(co_list);
sk_SSL_CIPHER_free(cipherstack);
@@
-1915,11
+1908,12
@@
int ssl_cipher_get_cert_index(const SSL_CIPHER *c)
return -1;
}
return -1;
}
-const SSL_CIPHER *ssl_get_cipher_by_char(SSL *ssl, const unsigned char *ptr)
+const SSL_CIPHER *ssl_get_cipher_by_char(SSL *ssl, const unsigned char *ptr,
+ int all)
{
const SSL_CIPHER *c = ssl->method->get_cipher_by_char(ptr);
{
const SSL_CIPHER *c = ssl->method->get_cipher_by_char(ptr);
- if (c == NULL ||
c->valid == 0
)
+ if (c == NULL ||
(!all && c->valid == 0)
)
return NULL;
return c;
}
return NULL;
return c;
}
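Review bot: The new `all` parameter to `ssl_get_cipher_by_char` lets a caller obtain a cipher whose `valid` flag is clear, and nothing in the function says that such a result may only be used for lookup (for instance matching an identifier from a stored session or a peer's list) and never to select the cipher for a handshake; the `c->valid == 0` test was the last gate in this function before an unsupported cipher is handed back. I would put a comment above the definition: `/* all != 0: also return ciphers with valid == 0; callers must only inspect such a cipher, never negotiate it. */`. The whole function body is inside this hunk, and the `c == NULL` check is kept, so `all` does not introduce a NULL dereference. Elsewhere in this section the `FIPS_mode()` filters are deleted, so the `SSL_FIPS` bit in `algo_strength` no longer influences which ciphers are collected or listed by this file; if that is meant to be permanent, a short comment at the flag's definition (outside this file) would stop the next reader from hunting for the missing filter.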