X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fssl_ciph.c;h=f05e86f0c5d756484aa27067231354be51efc0b1;hp=2d2395c5c15c516201012f875bbbc23062cc9f79;hb=db0f35dda18403accabe98e7780f3dfc516f49de;hpb=d42d0a4dc7925e3ea398821028a254c94665d733
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 2d2395c5c1..f05e86f0c5 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -371,7 +371,7 @@ static uint32_t disabled_mac_mask;
 static uint32_t disabled_mkey_mask;
 static uint32_t disabled_auth_mask;
 
-void ssl_load_ciphers(void)
+int ssl_load_ciphers(void)
 {
     size_t i;
     const ssl_cipher_table *t;
@@ -388,9 +388,6 @@ void ssl_load_ciphers(void)
                 disabled_enc_mask |= t->mask;
         }
     }
-#ifdef SSL_FORBID_ENULL
-    disabled_enc_mask |= SSL_eNULL;
-#endif
     disabled_mac_mask = 0;
     for (i = 0, t = ssl_cipher_table_mac; i < SSL_MD_NUM_IDX; i++, t++) {
         const EVP_MD *md = EVP_get_digestbynid(t->nid);
@@ -399,13 +396,16 @@ void ssl_load_ciphers(void)
             disabled_mac_mask |= t->mask;
         } else {
             int tmpsize = EVP_MD_size(md);
-            OPENSSL_assert(tmpsize >= 0);
+            if (!ossl_assert(tmpsize >= 0))
+                return 0;
             ssl_mac_secret_size[i] = tmpsize;
         }
     }
     /* Make sure we can access MD5 and SHA1 */
-    OPENSSL_assert(ssl_digest_methods[SSL_MD_MD5_IDX] != NULL);
-    OPENSSL_assert(ssl_digest_methods[SSL_MD_SHA1_IDX] != NULL);
+    if (!ossl_assert(ssl_digest_methods[SSL_MD_MD5_IDX] != NULL))
+        return 0;
+    if (!ossl_assert(ssl_digest_methods[SSL_MD_SHA1_IDX] != NULL))
+        return 0;
 
     disabled_mkey_mask = 0;
     disabled_auth_mask = 0;
@@ -463,6 +463,8 @@ void ssl_load_ciphers(void)
     if ((disabled_auth_mask & (SSL_aGOST01 | SSL_aGOST12)) ==
         (SSL_aGOST01 | SSL_aGOST12))
         disabled_mkey_mask |= SSL_kGOST;
+
+    return 1;
 }
 
 #ifndef OPENSSL_NO_COMP
@@ -577,9 +579,6 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
         s->ssl_version < TLS1_VERSION)
         return 1;
 
-    if (FIPS_mode())
-        return 1;
-
     if (c->algorithm_enc == SSL_RC4 &&
         c->algorithm_mac == SSL_MD5 &&
         (evp = EVP_get_cipherbyname("RC4-HMAC-MD5")))
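Review bot: `ssl_load_ciphers` goes from void to int without any comment stating the return contract, and because the old signature returned nothing, every existing caller compiles unchanged while silently discarding the new failure indication. I would add above the definition `/* Returns 1 on success, 0 if a digest required by the cipher tables is missing or reports a negative size; callers must treat 0 as a fatal initialisation failure. */` and check that each caller actually tests the result. The function body continues past this hunk.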
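Review bot: Dropping the `SSL_FORBID_ENULL` block removes what is, in this file, the only build-time way of forcing `SSL_eNULL` into `disabled_enc_mask`, so a build that defined the macro to guarantee that NULL-encryption suites can never be negotiated silently loses that guarantee and falls back on cipher-string policy alone. If retiring the option is intentional (the rest of the commit is not visible here), I would record it in CHANGES and remove any remaining mention of the macro so that defining it cannot give a false sense of enforcement; otherwise the three removed lines should stay. Note that the same `#ifdef` may also need to disappear from build configuration if it is still set anywhere.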
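Review bot: The new early `return 0` paths leave the file-scope state half-initialised: a failure inside the MAC loop exits with `disabled_mac_mask` and `ssl_mac_secret_size[]` only partially filled and with `disabled_mkey_mask`/`disabled_auth_mask`, which are assigned after this point, still untouched, so a caller that ignores the 0 return would proceed with inconsistent cipher masks. Since `ossl_assert` appears to be a soft assertion that reports and continues rather than aborting (its definition is not in the hunk), I would document this next to the first return, `/* On failure the disabled_* masks are left inconsistent; callers must abort library initialisation. */`, or reset the masks before returning. `ssl_load_ciphers` begins and ends outside this hunk.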
@@ -687,8 +686,6 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
         /* drop those that use any of that is not available */
         if (c == NULL || !c->valid)
             continue;
-        if (FIPS_mode() && (c->algo_strength & SSL_FIPS))
-            continue;
         if ((c->algorithm_mkey & disabled_mkey) ||
             (c->algorithm_auth & disabled_auth) ||
             (c->algorithm_enc & disabled_enc) ||
@@ -706,9 +703,6 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
         co_list[co_list_num].prev = NULL;
         co_list[co_list_num].active = 0;
         co_list_num++;
-        /*
-         * if (!sk_push(ca_list,(char *)c)) goto err;
-         */
     }
 
     /*
@@ -1495,8 +1489,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK
      * to the resulting precedence to the STACK_OF(SSL_CIPHER).
      */
     for (curr = head; curr != NULL; curr = curr->next) {
-        if (curr->active
-            && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS)) {
+        if (curr->active) {
             if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) {
                 OPENSSL_free(co_list);
                 sk_SSL_CIPHER_free(cipherstack);
@@ -1915,11 +1908,12 @@ int ssl_cipher_get_cert_index(const SSL_CIPHER *c)
     return -1;
 }
 
-const SSL_CIPHER *ssl_get_cipher_by_char(SSL *ssl, const unsigned char *ptr)
+const SSL_CIPHER *ssl_get_cipher_by_char(SSL *ssl, const unsigned char *ptr,
+                                         int all)
 {
     const SSL_CIPHER *c = ssl->method->get_cipher_by_char(ptr);
 
-    if (c == NULL || c->valid == 0)
+    if (c == NULL || (!all && c->valid == 0))
         return NULL;
     return c;
 }
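Review bot: With the `FIPS_mode()` test removed here, and the matching one in `ssl_create_cipher_list` removed later in this diff, nothing visible in this file still reads the `SSL_FIPS` bit of `algo_strength`, so the FIPS annotations in the cipher table become dead data that can suggest a filter which no longer exists. If no other consumer of `SSL_FIPS` remains after this commit, I would remove the flag from the cipher definitions in a follow-up or add a comment at its definition, `/* informational only: no longer consulted when building cipher lists */`. `ssl_cipher_collect_ciphers` starts before and ends after this hunk.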
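Review bot: The new `all` parameter lets a caller obtain a cipher whose `valid` flag is clear, but neither the parameter name nor a comment says when that is acceptable, and a cipher this function otherwise refuses to return must never end up selected for a connection. I would document the contract above the definition, `/* all != 0: also return ciphers whose valid flag is clear; such a cipher is for lookup/display only and must not be used for negotiation. */`, and check that the callers passing a nonzero `all` are limited to that kind of use. Behaviour for `all == 0` is unchanged since the `c->valid == 0` rejection is kept on that path.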