X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fs3_lib.c;h=f94c0d957df4b7f6aeb0e2417e34f2a615409575;hp=686992406c0b37a6a392b747d67b7055b7e7d4c7;hb=61094cf3dc1cc0086f8bcb70f73cc5822a53b2be;hpb=82b0bf0b8792bdc113cadc04a1f9d40f0e0cfbfc diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 686992406c..f94c0d957d 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -108,19 +108,34 @@ * Hudson (tjh@cryptsoft.com). * */ +/* ==================================================================== + * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. + * + * Portions of the attached software ("Contribution") are developed by + * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. + * + * The Contribution is licensed pursuant to the OpenSSL open source + * license provided above. + * + * ECC cipher suite support in OpenSSL originally written by + * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories. + * + */ #include #include #include "ssl_locl.h" #include "kssl_lcl.h" #include +#ifndef OPENSSL_NO_DH +#include +#endif const char *ssl3_version_str="SSLv3" OPENSSL_VERSION_PTEXT; #define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers)/sizeof(SSL_CIPHER)) -static long ssl3_default_timeout(void ); - +/* list of available SSLv3 ciphers (sorted by id) */ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ /* The RSA ciphers */ /* Cipher 01 */ @@ -129,7 +144,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL3_TXT_RSA_NULL_MD5, SSL3_CK_RSA_NULL_MD5, SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_MD5|SSL_SSLV3, - SSL_NOT_EXP, + SSL_NOT_EXP|SSL_STRONG_NONE, 0, 0, 0, @@ -142,82 +157,13 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL3_TXT_RSA_NULL_SHA, SSL3_CK_RSA_NULL_SHA, SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_SHA1|SSL_SSLV3, - SSL_NOT_EXP, + SSL_NOT_EXP|SSL_STRONG_NONE, 0, 0, 0, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, - -/* anon DH */ -/* Cipher 17 */ - { - 1, - SSL3_TXT_ADH_RC4_40_MD5, - SSL3_CK_ADH_RC4_40_MD5, - SSL_kEDH |SSL_aNULL|SSL_RC4 |SSL_MD5 |SSL_SSLV3, - SSL_EXPORT|SSL_EXP40, - 0, - 40, - 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, -/* Cipher 18 */ - { - 1, - SSL3_TXT_ADH_RC4_128_MD5, - SSL3_CK_ADH_RC4_128_MD5, - SSL_kEDH |SSL_aNULL|SSL_RC4 |SSL_MD5 |SSL_SSLV3, - SSL_NOT_EXP|SSL_MEDIUM, - 0, - 128, - 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, -/* Cipher 19 */ - { - 1, - SSL3_TXT_ADH_DES_40_CBC_SHA, - SSL3_CK_ADH_DES_40_CBC_SHA, - SSL_kEDH |SSL_aNULL|SSL_DES|SSL_SHA1|SSL_SSLV3, - SSL_EXPORT|SSL_EXP40, - 0, - 40, - 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, -/* Cipher 1A */ - { - 1, - SSL3_TXT_ADH_DES_64_CBC_SHA, - SSL3_CK_ADH_DES_64_CBC_SHA, - SSL_kEDH |SSL_aNULL|SSL_DES |SSL_SHA1|SSL_SSLV3, - SSL_NOT_EXP|SSL_LOW, - 0, - 56, - 56, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, -/* Cipher 1B */ - { - 1, - SSL3_TXT_ADH_DES_192_CBC_SHA, - SSL3_CK_ADH_DES_192_CBC_SHA, - SSL_kEDH |SSL_aNULL|SSL_3DES |SSL_SHA1|SSL_SSLV3, - SSL_NOT_EXP|SSL_HIGH, - 0, - 168, - 168, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, - -/* RSA again */ /* Cipher 03 */ { 1, @@ -271,6 +217,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_ALL_STRENGTHS, }, /* Cipher 07 */ +#ifndef OPENSSL_NO_IDEA { 1, SSL3_TXT_RSA_IDEA_128_SHA, @@ -283,6 +230,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, +#endif /* Cipher 08 */ { 1, @@ -322,8 +270,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, - -/* The DH ciphers */ +/* The DH ciphers */ /* Cipher 0B */ { 0, @@ -482,6 +429,71 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, +/* Cipher 17 */ + { + 1, + SSL3_TXT_ADH_RC4_40_MD5, + SSL3_CK_ADH_RC4_40_MD5, + SSL_kEDH |SSL_aNULL|SSL_RC4 |SSL_MD5 |SSL_SSLV3, + SSL_EXPORT|SSL_EXP40, + 0, + 40, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, +/* Cipher 18 */ + { + 1, + SSL3_TXT_ADH_RC4_128_MD5, + SSL3_CK_ADH_RC4_128_MD5, + SSL_kEDH |SSL_aNULL|SSL_RC4 |SSL_MD5 |SSL_SSLV3, + SSL_NOT_EXP|SSL_MEDIUM, + 0, + 128, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, +/* Cipher 19 */ + { + 1, + SSL3_TXT_ADH_DES_40_CBC_SHA, + SSL3_CK_ADH_DES_40_CBC_SHA, + SSL_kEDH |SSL_aNULL|SSL_DES|SSL_SHA1|SSL_SSLV3, + SSL_EXPORT|SSL_EXP40, + 0, + 40, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, +/* Cipher 1A */ + { + 1, + SSL3_TXT_ADH_DES_64_CBC_SHA, + SSL3_CK_ADH_DES_64_CBC_SHA, + SSL_kEDH |SSL_aNULL|SSL_DES |SSL_SHA1|SSL_SSLV3, + SSL_NOT_EXP|SSL_LOW, + 0, + 56, + 56, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, +/* Cipher 1B */ + { + 1, + SSL3_TXT_ADH_DES_192_CBC_SHA, + SSL3_CK_ADH_DES_192_CBC_SHA, + SSL_kEDH |SSL_aNULL|SSL_3DES |SSL_SHA1|SSL_SSLV3, + SSL_NOT_EXP|SSL_HIGH, + 0, + 168, + 168, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, /* Fortezza */ /* Cipher 1C */ @@ -490,7 +502,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL3_TXT_FZA_DMS_NULL_SHA, SSL3_CK_FZA_DMS_NULL_SHA, SSL_kFZA|SSL_aFZA |SSL_eNULL |SSL_SHA1|SSL_SSLV3, - SSL_NOT_EXP, + SSL_NOT_EXP|SSL_STRONG_NONE, 0, 0, 0, @@ -504,7 +516,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL3_TXT_FZA_DMS_FZA_SHA, SSL3_CK_FZA_DMS_FZA_SHA, SSL_kFZA|SSL_aFZA |SSL_eFZA |SSL_SHA1|SSL_SSLV3, - SSL_NOT_EXP, + SSL_NOT_EXP|SSL_STRONG_NONE, 0, 0, 0, @@ -512,6 +524,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_ALL_STRENGTHS, }, +#if 0 /* Cipher 1E */ { 0, @@ -525,97 +538,679 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, +#endif + +#ifndef OPENSSL_NO_KRB5 +/* The Kerberos ciphers +** 20000107 VRS: And the first shall be last, +** in hopes of avoiding the lynx ssl renegotiation problem. +*/ +/* Cipher 1E VRS */ + { + 1, + SSL3_TXT_KRB5_DES_64_CBC_SHA, + SSL3_CK_KRB5_DES_64_CBC_SHA, + SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_SHA1 |SSL_SSLV3, + SSL_NOT_EXP|SSL_LOW, + 0, + 56, + 56, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + +/* Cipher 1F VRS */ + { + 1, + SSL3_TXT_KRB5_DES_192_CBC3_SHA, + SSL3_CK_KRB5_DES_192_CBC3_SHA, + SSL_kKRB5|SSL_aKRB5| SSL_3DES|SSL_SHA1 |SSL_SSLV3, + SSL_NOT_EXP|SSL_HIGH, + 0, + 112, + 168, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + +/* Cipher 20 VRS */ + { + 1, + SSL3_TXT_KRB5_RC4_128_SHA, + SSL3_CK_KRB5_RC4_128_SHA, + SSL_kKRB5|SSL_aKRB5| SSL_RC4|SSL_SHA1 |SSL_SSLV3, + SSL_NOT_EXP|SSL_MEDIUM, + 0, + 128, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + +/* Cipher 21 VRS */ + { + 1, + SSL3_TXT_KRB5_IDEA_128_CBC_SHA, + SSL3_CK_KRB5_IDEA_128_CBC_SHA, + SSL_kKRB5|SSL_aKRB5| SSL_IDEA|SSL_SHA1 |SSL_SSLV3, + SSL_NOT_EXP|SSL_MEDIUM, + 0, + 128, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + +/* Cipher 22 VRS */ + { + 1, + SSL3_TXT_KRB5_DES_64_CBC_MD5, + SSL3_CK_KRB5_DES_64_CBC_MD5, + SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_MD5 |SSL_SSLV3, + SSL_NOT_EXP|SSL_LOW, + 0, + 56, + 56, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + +/* Cipher 23 VRS */ + { + 1, + SSL3_TXT_KRB5_DES_192_CBC3_MD5, + SSL3_CK_KRB5_DES_192_CBC3_MD5, + SSL_kKRB5|SSL_aKRB5| SSL_3DES|SSL_MD5 |SSL_SSLV3, + SSL_NOT_EXP|SSL_HIGH, + 0, + 112, + 168, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + +/* Cipher 24 VRS */ + { + 1, + SSL3_TXT_KRB5_RC4_128_MD5, + SSL3_CK_KRB5_RC4_128_MD5, + SSL_kKRB5|SSL_aKRB5| SSL_RC4|SSL_MD5 |SSL_SSLV3, + SSL_NOT_EXP|SSL_MEDIUM, + 0, + 128, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + +/* Cipher 25 VRS */ + { + 1, + SSL3_TXT_KRB5_IDEA_128_CBC_MD5, + SSL3_CK_KRB5_IDEA_128_CBC_MD5, + SSL_kKRB5|SSL_aKRB5| SSL_IDEA|SSL_MD5 |SSL_SSLV3, + SSL_NOT_EXP|SSL_MEDIUM, + 0, + 128, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + +/* Cipher 26 VRS */ + { + 1, + SSL3_TXT_KRB5_DES_40_CBC_SHA, + SSL3_CK_KRB5_DES_40_CBC_SHA, + SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_SHA1 |SSL_SSLV3, + SSL_EXPORT|SSL_EXP40, + 0, + 40, + 56, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + +/* Cipher 27 VRS */ + { + 1, + SSL3_TXT_KRB5_RC2_40_CBC_SHA, + SSL3_CK_KRB5_RC2_40_CBC_SHA, + SSL_kKRB5|SSL_aKRB5| SSL_RC2|SSL_SHA1 |SSL_SSLV3, + SSL_EXPORT|SSL_EXP40, + 0, + 40, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + +/* Cipher 28 VRS */ + { + 1, + SSL3_TXT_KRB5_RC4_40_SHA, + SSL3_CK_KRB5_RC4_40_SHA, + SSL_kKRB5|SSL_aKRB5| SSL_RC4|SSL_SHA1 |SSL_SSLV3, + SSL_EXPORT|SSL_EXP40, + 0, + 128, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + +/* Cipher 29 VRS */ + { + 1, + SSL3_TXT_KRB5_DES_40_CBC_MD5, + SSL3_CK_KRB5_DES_40_CBC_MD5, + SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_MD5 |SSL_SSLV3, + SSL_EXPORT|SSL_EXP40, + 0, + 40, + 56, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + +/* Cipher 2A VRS */ + { + 1, + SSL3_TXT_KRB5_RC2_40_CBC_MD5, + SSL3_CK_KRB5_RC2_40_CBC_MD5, + SSL_kKRB5|SSL_aKRB5| SSL_RC2|SSL_MD5 |SSL_SSLV3, + SSL_EXPORT|SSL_EXP40, + 0, + 40, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + +/* Cipher 2B VRS */ + { + 1, + SSL3_TXT_KRB5_RC4_40_MD5, + SSL3_CK_KRB5_RC4_40_MD5, + SSL_kKRB5|SSL_aKRB5| SSL_RC4|SSL_MD5 |SSL_SSLV3, + SSL_EXPORT|SSL_EXP40, + 0, + 128, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, +#endif /* OPENSSL_NO_KRB5 */ +/* New AES ciphersuites */ + +/* Cipher 2F */ + { + 1, + TLS1_TXT_RSA_WITH_AES_128_SHA, + TLS1_CK_RSA_WITH_AES_128_SHA, + SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + 0, + 128, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, +/* Cipher 30 */ + { + 0, + TLS1_TXT_DH_DSS_WITH_AES_128_SHA, + TLS1_CK_DH_DSS_WITH_AES_128_SHA, + SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + 0, + 128, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, +/* Cipher 31 */ + { + 0, + TLS1_TXT_DH_RSA_WITH_AES_128_SHA, + TLS1_CK_DH_RSA_WITH_AES_128_SHA, + SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + 0, + 128, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, +/* Cipher 32 */ + { + 1, + TLS1_TXT_DHE_DSS_WITH_AES_128_SHA, + TLS1_CK_DHE_DSS_WITH_AES_128_SHA, + SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + 0, + 128, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, +/* Cipher 33 */ + { + 1, + TLS1_TXT_DHE_RSA_WITH_AES_128_SHA, + TLS1_CK_DHE_RSA_WITH_AES_128_SHA, + SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + 0, + 128, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, +/* Cipher 34 */ + { + 1, + TLS1_TXT_ADH_WITH_AES_128_SHA, + TLS1_CK_ADH_WITH_AES_128_SHA, + SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + 0, + 128, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, -#ifndef OPENSSL_NO_KRB5 -/* The Kerberos ciphers -** 20000107 VRS: And the first shall be last, -** in hopes of avoiding the lynx ssl renegotiation problem. -*/ -/* Cipher 21 VRS */ +/* Cipher 35 */ { 1, - SSL3_TXT_KRB5_DES_40_CBC_SHA, - SSL3_CK_KRB5_DES_40_CBC_SHA, - SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_SHA1 |SSL_SSLV3, - SSL_EXPORT|SSL_EXP40, + TLS1_TXT_RSA_WITH_AES_256_SHA, + TLS1_CK_RSA_WITH_AES_256_SHA, + SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, 0, - 40, - 56, + 256, + 256, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, - -/* Cipher 22 VRS */ +/* Cipher 36 */ { - 1, - SSL3_TXT_KRB5_DES_40_CBC_MD5, - SSL3_CK_KRB5_DES_40_CBC_MD5, - SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_MD5 |SSL_SSLV3, - SSL_EXPORT|SSL_EXP40, 0, - 40, - 56, + TLS1_TXT_DH_DSS_WITH_AES_256_SHA, + TLS1_CK_DH_DSS_WITH_AES_256_SHA, + SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + 0, + 256, + 256, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, - -/* Cipher 23 VRS */ +/* Cipher 37 */ { - 1, - SSL3_TXT_KRB5_DES_64_CBC_SHA, - SSL3_CK_KRB5_DES_64_CBC_SHA, - SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_SHA1 |SSL_SSLV3, - SSL_NOT_EXP|SSL_LOW, 0, - 56, - 56, + TLS1_TXT_DH_RSA_WITH_AES_256_SHA, + TLS1_CK_DH_RSA_WITH_AES_256_SHA, + SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + 0, + 256, + 256, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, - -/* Cipher 24 VRS */ +/* Cipher 38 */ { 1, - SSL3_TXT_KRB5_DES_64_CBC_MD5, - SSL3_CK_KRB5_DES_64_CBC_MD5, - SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_MD5 |SSL_SSLV3, - SSL_NOT_EXP|SSL_LOW, + TLS1_TXT_DHE_DSS_WITH_AES_256_SHA, + TLS1_CK_DHE_DSS_WITH_AES_256_SHA, + SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, 0, - 56, - 56, + 256, + 256, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, - -/* Cipher 25 VRS */ +/* Cipher 39 */ { 1, - SSL3_TXT_KRB5_DES_192_CBC3_SHA, - SSL3_CK_KRB5_DES_192_CBC3_SHA, - SSL_kKRB5|SSL_aKRB5| SSL_3DES|SSL_SHA1 |SSL_SSLV3, + TLS1_TXT_DHE_RSA_WITH_AES_256_SHA, + TLS1_CK_DHE_RSA_WITH_AES_256_SHA, + SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, 0, - 112, - 168, + 256, + 256, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, - -/* Cipher 26 VRS */ + /* Cipher 3A */ { 1, - SSL3_TXT_KRB5_DES_192_CBC3_MD5, - SSL3_CK_KRB5_DES_192_CBC3_MD5, - SSL_kKRB5|SSL_aKRB5| SSL_3DES|SSL_MD5 |SSL_SSLV3, + TLS1_TXT_ADH_WITH_AES_256_SHA, + TLS1_CK_ADH_WITH_AES_256_SHA, + SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, 0, - 112, - 168, + 256, + 256, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, -#endif /* OPENSSL_NO_KRB5 */ +#ifndef OPENSSL_NO_ECDH + /* Cipher 47 */ + { + 1, + TLS1_TXT_ECDH_ECDSA_WITH_NULL_SHA, + TLS1_CK_ECDH_ECDSA_WITH_NULL_SHA, + SSL_kECDH|SSL_aECDSA|SSL_eNULL|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP, + 0, + 0, + 0, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + + /* Cipher 48 */ + { + 1, + TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA, + TLS1_CK_ECDH_ECDSA_WITH_RC4_128_SHA, + SSL_kECDH|SSL_aECDSA|SSL_RC4|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP, + 0, + 128, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + + /* Cipher 49 */ + { + 1, + TLS1_TXT_ECDH_ECDSA_WITH_DES_CBC_SHA, + TLS1_CK_ECDH_ECDSA_WITH_DES_CBC_SHA, + SSL_kECDH|SSL_aECDSA|SSL_DES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_LOW, + 0, + 56, + 56, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + + /* Cipher 4A */ + { + 1, + TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA, + TLS1_CK_ECDH_ECDSA_WITH_DES_192_CBC3_SHA, + SSL_kECDH|SSL_aECDSA|SSL_3DES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + 0, + 168, + 168, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + + /* Cipher 4B */ + { + 1, + TLS1_TXT_ECDH_ECDSA_WITH_AES_128_CBC_SHA, + TLS1_CK_ECDH_ECDSA_WITH_AES_128_CBC_SHA, + SSL_kECDH|SSL_aECDSA|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + 0, + 128, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + + /* Cipher 4C */ + { + 1, + TLS1_TXT_ECDH_ECDSA_WITH_AES_256_CBC_SHA, + TLS1_CK_ECDH_ECDSA_WITH_AES_256_CBC_SHA, + SSL_kECDH|SSL_aECDSA|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + 0, + 256, + 256, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + + /* Cipher 4D */ + { + 1, + TLS1_TXT_ECDH_RSA_WITH_NULL_SHA, + TLS1_CK_ECDH_RSA_WITH_NULL_SHA, + SSL_kECDH|SSL_aRSA|SSL_eNULL|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP, + 0, + 0, + 0, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + + /* Cipher 4E */ + { + 1, + TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA, + TLS1_CK_ECDH_RSA_WITH_RC4_128_SHA, + SSL_kECDH|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP, + 0, + 128, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + + /* Cipher 4F */ + { + 1, + TLS1_TXT_ECDH_RSA_WITH_DES_CBC_SHA, + TLS1_CK_ECDH_RSA_WITH_DES_CBC_SHA, + SSL_kECDH|SSL_aRSA|SSL_DES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_LOW, + 0, + 56, + 56, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + + /* Cipher 50 */ + { + 1, + TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA, + TLS1_CK_ECDH_RSA_WITH_DES_192_CBC3_SHA, + SSL_kECDH|SSL_aRSA|SSL_3DES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + 0, + 168, + 168, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + + /* Cipher 51 */ + { + 1, + TLS1_TXT_ECDH_RSA_WITH_AES_128_CBC_SHA, + TLS1_CK_ECDH_RSA_WITH_AES_128_CBC_SHA, + SSL_kECDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + 0, + 128, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + + /* Cipher 52 */ + { + 1, + TLS1_TXT_ECDH_RSA_WITH_AES_256_CBC_SHA, + TLS1_CK_ECDH_RSA_WITH_AES_256_CBC_SHA, + SSL_kECDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + 0, + 256, + 256, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + + /* Cipher 53 */ + { + 1, + TLS1_TXT_ECDH_RSA_EXPORT_WITH_RC4_40_SHA, + TLS1_CK_ECDH_RSA_EXPORT_WITH_RC4_40_SHA, + SSL_kECDH|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1, + SSL_EXPORT|SSL_EXP40, + 0, + 40, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + + /* Cipher 54 */ + { + 1, + TLS1_TXT_ECDH_RSA_EXPORT_WITH_RC4_56_SHA, + TLS1_CK_ECDH_RSA_EXPORT_WITH_RC4_56_SHA, + SSL_kECDH|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1, + SSL_EXPORT|SSL_EXP56, + 0, + 56, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + + /* Cipher 55 */ + { + 1, + TLS1_TXT_ECDH_anon_WITH_NULL_SHA, + TLS1_CK_ECDH_anon_WITH_NULL_SHA, + SSL_kECDHE|SSL_aNULL|SSL_eNULL|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP, + 0, + 0, + 0, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + + /* Cipher 56 */ + { + 1, + TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA, + TLS1_CK_ECDH_anon_WITH_RC4_128_SHA, + SSL_kECDHE|SSL_aNULL|SSL_RC4|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP, + 0, + 128, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + /* Cipher 57 */ + { + 1, + TLS1_TXT_ECDH_anon_WITH_DES_CBC_SHA, + TLS1_CK_ECDH_anon_WITH_DES_CBC_SHA, + SSL_kECDHE|SSL_aNULL|SSL_DES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_LOW, + 0, + 56, + 56, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + + /* Cipher 58 */ + { + 1, + TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA, + TLS1_CK_ECDH_anon_WITH_DES_192_CBC3_SHA, + SSL_kECDHE|SSL_aNULL|SSL_3DES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + 0, + 168, + 168, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + + /* Cipher 59 */ + { + 1, + TLS1_TXT_ECDH_anon_EXPORT_WITH_DES_40_CBC_SHA, + TLS1_CK_ECDH_anon_EXPORT_WITH_DES_40_CBC_SHA, + SSL_kECDHE|SSL_aNULL|SSL_DES|SSL_SHA|SSL_TLSV1, + SSL_EXPORT|SSL_EXP40, + 0, + 40, + 56, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + + /* Cipher 5A */ + { + 1, + TLS1_TXT_ECDH_anon_EXPORT_WITH_RC4_40_SHA, + TLS1_CK_ECDH_anon_EXPORT_WITH_RC4_40_SHA, + SSL_kECDHE|SSL_aNULL|SSL_RC4|SSL_SHA|SSL_TLSV1, + SSL_EXPORT|SSL_EXP40, + 0, + 40, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + /* Cipher 5B */ + /* XXX NOTE: The ECC/TLS draft has a bug and reuses 4B for this */ + { + 1, + TLS1_TXT_ECDH_ECDSA_EXPORT_WITH_RC4_40_SHA, + TLS1_CK_ECDH_ECDSA_EXPORT_WITH_RC4_40_SHA, + SSL_kECDH|SSL_aECDSA|SSL_RC4|SSL_SHA|SSL_TLSV1, + SSL_EXPORT|SSL_EXP40, + 0, + 40, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + + /* Cipher 5C */ + /* XXX NOTE: The ECC/TLS draft has a bug and reuses 4C for this */ + { + 1, + TLS1_TXT_ECDH_ECDSA_EXPORT_WITH_RC4_56_SHA, + TLS1_CK_ECDH_ECDSA_EXPORT_WITH_RC4_56_SHA, + SSL_kECDH|SSL_aECDSA|SSL_RC4|SSL_SHA|SSL_TLSV1, + SSL_EXPORT|SSL_EXP56, + 0, + 56, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + +#endif /* OPENSSL_NO_ECDH */ #if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES /* New TLS Export CipherSuites */ @@ -711,170 +1306,50 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_ALL_STRENGTHS }, #endif - /* New AES ciphersuites */ - - /* Cipher 2F */ - { - 1, - TLS1_TXT_RSA_WITH_AES_128_SHA, - TLS1_CK_RSA_WITH_AES_128_SHA, - SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1, - SSL_NOT_EXP|SSL_MEDIUM, - 0, - 128, - 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, - /* Cipher 30 */ - { - 0, - TLS1_TXT_DH_DSS_WITH_AES_128_SHA, - TLS1_CK_DH_DSS_WITH_AES_128_SHA, - SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_MEDIUM, - 0, - 128, - 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, - /* Cipher 31 */ - { - 0, - TLS1_TXT_DH_RSA_WITH_AES_128_SHA, - TLS1_CK_DH_RSA_WITH_AES_128_SHA, - SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_MEDIUM, - 0, - 128, - 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, - /* Cipher 32 */ - { - 1, - TLS1_TXT_DHE_DSS_WITH_AES_128_SHA, - TLS1_CK_DHE_DSS_WITH_AES_128_SHA, - SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_MEDIUM, - 0, - 128, - 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, - /* Cipher 33 */ - { - 1, - TLS1_TXT_DHE_RSA_WITH_AES_128_SHA, - TLS1_CK_DHE_RSA_WITH_AES_128_SHA, - SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_MEDIUM, - 0, - 128, - 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, - /* Cipher 34 */ - { - 1, - TLS1_TXT_ADH_WITH_AES_128_SHA, - TLS1_CK_ADH_WITH_AES_128_SHA, - SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_MEDIUM, - 0, - 128, - 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, - /* Cipher 35 */ - { - 1, - TLS1_TXT_RSA_WITH_AES_256_SHA, - TLS1_CK_RSA_WITH_AES_256_SHA, - SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, - 0, - 256, - 256, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, - /* Cipher 36 */ - { - 0, - TLS1_TXT_DH_DSS_WITH_AES_256_SHA, - TLS1_CK_DH_DSS_WITH_AES_256_SHA, - SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, - 0, - 256, - 256, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, - /* Cipher 37 */ - { - 0, - TLS1_TXT_DH_RSA_WITH_AES_256_SHA, - TLS1_CK_DH_RSA_WITH_AES_256_SHA, - SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, - 0, - 256, - 256, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, - /* Cipher 38 */ - { - 1, - TLS1_TXT_DHE_DSS_WITH_AES_256_SHA, - TLS1_CK_DHE_DSS_WITH_AES_256_SHA, - SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, - 0, - 256, - 256, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, - /* Cipher 39 */ +#ifndef OPENSSL_NO_ECDH + /* Cipher 77 XXX: ECC ciphersuites offering forward secrecy + * are not yet specified in the ECC/TLS draft but our code + * allows them to be implemented very easily. To add such + * a cipher suite, one needs to add two constant definitions + * to tls1.h and a new structure in this file as shown below. We + * illustrate the process for the made-up cipher + * ECDHE-ECDSA-AES128-SHA. + */ { - 1, - TLS1_TXT_DHE_RSA_WITH_AES_256_SHA, - TLS1_CK_DHE_RSA_WITH_AES_256_SHA, - SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, - 0, - 256, - 256, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, - /* Cipher 3A */ + 1, + TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, + TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, + SSL_kECDHE|SSL_aECDSA|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + 0, + 128, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + + /* Cipher 78 XXX: Another made-up ECC cipher suite that + * offers forward secrecy (ECDHE-RSA-AES128-SHA). + */ { - 1, - TLS1_TXT_ADH_WITH_AES_256_SHA, - TLS1_CK_ADH_WITH_AES_256_SHA, - SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, - 0, - 256, - 256, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, + 1, + TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA, + TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, + SSL_kECDHE|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + 0, + 128, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, +#endif /* !OPENSSL_NO_ECDH */ /* end of list */ }; -static SSL3_ENC_METHOD SSLv3_enc_data={ +SSL3_ENC_METHOD SSLv3_enc_data={ ssl3_enc, ssl3_mac, ssl3_setup_key_block, @@ -888,46 +1363,13 @@ static SSL3_ENC_METHOD SSLv3_enc_data={ ssl3_alert_code, }; -static SSL_METHOD SSLv3_data= { - SSL3_VERSION, - ssl3_new, - ssl3_clear, - ssl3_free, - ssl_undefined_function, - ssl_undefined_function, - ssl3_read, - ssl3_peek, - ssl3_write, - ssl3_shutdown, - ssl3_renegotiate, - ssl3_renegotiate_check, - ssl3_ctrl, - ssl3_ctx_ctrl, - ssl3_get_cipher_by_char, - ssl3_put_cipher_by_char, - ssl3_pending, - ssl3_num_ciphers, - ssl3_get_cipher, - ssl_bad_method, - ssl3_default_timeout, - &SSLv3_enc_data, - ssl_undefined_function, - ssl3_callback_ctrl, - ssl3_ctx_callback_ctrl, - }; - -static long ssl3_default_timeout(void) +long ssl3_default_timeout(void) { /* 2 hours, the 24 hours mentioned in the SSLv3 spec * is way too long for http, the cache would over fill */ return(60*60*2); } -SSL_METHOD *sslv3_base_method(void) - { - return(&SSLv3_data); - } - int ssl3_num_ciphers(void) { return(SSL3_NUM_CIPHERS); @@ -941,7 +1383,7 @@ SSL_CIPHER *ssl3_get_cipher(unsigned int u) return(NULL); } -int ssl3_pending(SSL *s) +int ssl3_pending(const SSL *s) { if (s->rstate == SSL_ST_READ_BODY) return 0; @@ -957,6 +1399,8 @@ int ssl3_new(SSL *s) memset(s3,0,sizeof *s3); EVP_MD_CTX_init(&s3->finish_dgst1); EVP_MD_CTX_init(&s3->finish_dgst2); + memset(s3->rrec.seq_num,0,sizeof(s3->rrec.seq_num)); + memset(s3->wrec.seq_num,0,sizeof(s3->wrec.seq_num)); s->s3=s3; @@ -982,11 +1426,17 @@ void ssl3_free(SSL *s) if (s->s3->tmp.dh != NULL) DH_free(s->s3->tmp.dh); #endif +#ifndef OPENSSL_NO_ECDH + if (s->s3->tmp.ecdh != NULL) + EC_KEY_free(s->s3->tmp.ecdh); +#endif + if (s->s3->tmp.ca_names != NULL) sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free); EVP_MD_CTX_cleanup(&s->s3->finish_dgst1); EVP_MD_CTX_cleanup(&s->s3->finish_dgst2); - memset(s->s3,0,sizeof *s->s3); + + OPENSSL_cleanse(s->s3,sizeof *s->s3); OPENSSL_free(s->s3); s->s3=NULL; } @@ -1009,6 +1459,10 @@ void ssl3_clear(SSL *s) if (s->s3->tmp.dh != NULL) DH_free(s->s3->tmp.dh); #endif +#ifndef OPENSSL_NO_ECDH + if (s->s3->tmp.ecdh != NULL) + EC_KEY_free(s->s3->tmp.ecdh); +#endif rp = s->s3->rbuf.buf; wp = s->s3->wbuf.buf; @@ -1147,13 +1601,51 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) } break; #endif +#ifndef OPENSSL_NO_ECDH + case SSL_CTRL_SET_TMP_ECDH: + { + EC_KEY *ecdh = NULL; + + if (parg == NULL) + { + SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER); + return(ret); + } + if (!EC_KEY_up_ref((EC_KEY *)parg)) + { + SSLerr(SSL_F_SSL3_CTRL,ERR_R_ECDH_LIB); + return(ret); + } + ecdh = (EC_KEY *)parg; + if (!(s->options & SSL_OP_SINGLE_ECDH_USE)) + { + if (!EC_KEY_generate_key(ecdh)) + { + EC_KEY_free(ecdh); + SSLerr(SSL_F_SSL3_CTRL,ERR_R_ECDH_LIB); + return(ret); + } + } + if (s->cert->ecdh_tmp != NULL) + EC_KEY_free(s->cert->ecdh_tmp); + s->cert->ecdh_tmp = ecdh; + ret = 1; + } + break; + case SSL_CTRL_SET_TMP_ECDH_CB: + { + SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + return(ret); + } + break; +#endif /* !OPENSSL_NO_ECDH */ default: break; } return(ret); } -long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)()) +long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void)) { int ret=0; @@ -1190,6 +1682,13 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)()) s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; } break; +#endif +#ifndef OPENSSL_NO_ECDH + case SSL_CTRL_SET_TMP_ECDH_CB: + { + s->cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp; + } + break; #endif default: break; @@ -1283,6 +1782,47 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) } break; #endif +#ifndef OPENSSL_NO_ECDH + case SSL_CTRL_SET_TMP_ECDH: + { + EC_KEY *ecdh = NULL; + + if (parg == NULL) + { + SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_ECDH_LIB); + return 0; + } + ecdh = EC_KEY_dup((EC_KEY *)parg); + if (ecdh == NULL) + { + SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_EC_LIB); + return 0; + } + if (!(ctx->options & SSL_OP_SINGLE_ECDH_USE)) + { + if (!EC_KEY_generate_key(ecdh)) + { + EC_KEY_free(ecdh); + SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_ECDH_LIB); + return 0; + } + } + + if (cert->ecdh_tmp != NULL) + { + EC_KEY_free(cert->ecdh_tmp); + } + cert->ecdh_tmp = ecdh; + return 1; + } + /* break; */ + case SSL_CTRL_SET_TMP_ECDH_CB: + { + SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + return(0); + } + break; +#endif /* !OPENSSL_NO_ECDH */ /* A Thawte special :-) */ case SSL_CTRL_EXTRA_CHAIN_CERT: if (ctx->extra_certs == NULL) @@ -1299,7 +1839,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) return(1); } -long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)()) +long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) { CERT *cert; @@ -1320,6 +1860,13 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)()) cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; } break; +#endif +#ifndef OPENSSL_NO_ECDH + case SSL_CTRL_SET_TMP_ECDH_CB: + { + cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp; + } + break; #endif default: return(0); @@ -1331,38 +1878,19 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)()) * available */ SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p) { - static int init=1; - static SSL_CIPHER *sorted[SSL3_NUM_CIPHERS]; - SSL_CIPHER c,*cp= &c,**cpp; + SSL_CIPHER c,*cp; unsigned long id; - int i; - - if (init) - { - CRYPTO_w_lock(CRYPTO_LOCK_SSL); - - for (i=0; ivalid) - return(NULL); + cp = (SSL_CIPHER *)OBJ_bsearch((char *)&c, + (char *)ssl3_ciphers, + SSL3_NUM_CIPHERS,sizeof(SSL_CIPHER), + FP_ICC ssl_cipher_id_cmp); + if (cp == NULL || cp->valid == 0) + return NULL; else - return(*cpp); + return cp; } int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p) @@ -1465,7 +1993,6 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, } if (!ok) continue; - j=sk_SSL_CIPHER_find(allow,c); if (j >= 0) { @@ -1510,6 +2037,26 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p) #ifndef OPENSSL_NO_DSA p[ret++]=SSL3_CT_DSS_SIGN; #endif +#ifndef OPENSSL_NO_ECDH + /* We should ask for fixed ECDH certificates only + * for SSL_kECDH (and not SSL_kECDHE) + */ + if ((alg & SSL_kECDH) && (s->version >= TLS1_VERSION)) + { + p[ret++]=TLS_CT_RSA_FIXED_ECDH; + p[ret++]=TLS_CT_ECDSA_FIXED_ECDH; + } +#endif + +#ifndef OPENSSL_NO_ECDSA + /* ECDSA certs can be used with RSA cipher suites as well + * so we don't need to check for SSL_kECDH or SSL_kECDHE + */ + if (s->version >= TLS1_VERSION) + { + p[ret++]=TLS_CT_ECDSA_SIGN; + } +#endif return(ret); } @@ -1537,13 +2084,13 @@ int ssl3_shutdown(SSL *s) { /* resend it if not sent */ #if 1 - ssl3_dispatch_alert(s); + s->method->ssl_dispatch_alert(s); #endif } else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) { /* If we are waiting for a close from our peer, we are closed */ - ssl3_read_bytes(s,0,NULL,0,0); + s->method->ssl_read_bytes(s,0,NULL,0,0); } if ((s->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) && @@ -1598,8 +2145,8 @@ int ssl3_write(SSL *s, const void *buf, int len) } else { - ret=ssl3_write_bytes(s,SSL3_RT_APPLICATION_DATA, - buf,len); + ret=s->method->ssl_write_bytes(s,SSL3_RT_APPLICATION_DATA, + buf,len); if (ret <= 0) return(ret); } @@ -1613,7 +2160,7 @@ static int ssl3_read_internal(SSL *s, void *buf, int len, int peek) clear_sys_error(); if (s->s3->renegotiate) ssl3_renegotiate_check(s); s->s3->in_read_app_data=1; - ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek); + ret=s->method->ssl_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek); if ((ret == -1) && (s->s3->in_read_app_data == 2)) { /* ssl3_read_bytes decided to call s->handshake_func, which @@ -1622,7 +2169,7 @@ static int ssl3_read_internal(SSL *s, void *buf, int len, int peek) * and thinks that application data makes sense here; so disable * handshake processing and try to read application data again. */ s->in_handshake++; - ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek); + ret=s->method->ssl_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek); s->in_handshake--; } else