* [including the GNU Public Licence.]
*/
/* ====================================================================
- * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
*/
#include <stdio.h>
-#include <openssl/md5.h>
-#include <openssl/sha.h>
#include <openssl/objects.h>
#include "ssl_locl.h"
+#include "kssl_lcl.h"
+#include <openssl/md5.h>
const char *ssl3_version_str="SSLv3" OPENSSL_VERSION_PTEXT;
SSL_ALL_STRENGTHS,
},
-#ifndef NO_KRB5
+#ifndef OPENSSL_NO_KRB5
/* The Kerberos ciphers
** 20000107 VRS: And the first shall be last,
** in hopes of avoiding the lynx ssl renegotiation problem.
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
-#endif /* NO_KRB5 */
+#endif /* OPENSSL_NO_KRB5 */
#if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES
if ((s3=OPENSSL_malloc(sizeof *s3)) == NULL) goto err;
memset(s3,0,sizeof *s3);
+ EVP_MD_CTX_init(&s3->finish_dgst1);
+ EVP_MD_CTX_init(&s3->finish_dgst2);
s->s3=s3;
OPENSSL_free(s->s3->wbuf.buf);
if (s->s3->rrec.comp != NULL)
OPENSSL_free(s->s3->rrec.comp);
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
if (s->s3->tmp.dh != NULL)
DH_free(s->s3->tmp.dh);
#endif
if (s->s3->tmp.ca_names != NULL)
sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
+ EVP_MD_CTX_cleanup(&s->s3->finish_dgst1);
+ EVP_MD_CTX_cleanup(&s->s3->finish_dgst2);
memset(s->s3,0,sizeof *s->s3);
OPENSSL_free(s->s3);
s->s3=NULL;
OPENSSL_free(s->s3->rrec.comp);
s->s3->rrec.comp=NULL;
}
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
if (s->s3->tmp.dh != NULL)
DH_free(s->s3->tmp.dh);
#endif
rp=s->s3->rbuf.buf;
wp=s->s3->wbuf.buf;
+ EVP_MD_CTX_cleanup(&s->s3->finish_dgst1);
+ EVP_MD_CTX_cleanup(&s->s3->finish_dgst2);
+
memset(s->s3,0,sizeof *s->s3);
if (rp != NULL) s->s3->rbuf.buf=rp;
if (wp != NULL) s->s3->wbuf.buf=wp;
s->version=SSL3_VERSION;
}
-long ssl3_ctrl(SSL *s, int cmd, long larg, char *parg)
+long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
{
int ret=0;
-#if !defined(NO_DSA) || !defined(NO_RSA)
+#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_RSA)
if (
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
cmd == SSL_CTRL_SET_TMP_RSA ||
cmd == SSL_CTRL_SET_TMP_RSA_CB ||
#endif
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
cmd == SSL_CTRL_SET_TMP_DH ||
cmd == SSL_CTRL_SET_TMP_DH_CB ||
#endif
case SSL_CTRL_GET_FLAGS:
ret=(int)(s->s3->flags);
break;
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
case SSL_CTRL_NEED_TMP_RSA:
if ((s->cert != NULL) && (s->cert->rsa_tmp == NULL) &&
((s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) ||
}
break;
#endif
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
case SSL_CTRL_SET_TMP_DH:
{
DH *dh = (DH *)parg;
{
int ret=0;
-#if !defined(NO_DSA) || !defined(NO_RSA)
+#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_RSA)
if (
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
cmd == SSL_CTRL_SET_TMP_RSA_CB ||
#endif
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
cmd == SSL_CTRL_SET_TMP_DH_CB ||
#endif
0)
switch (cmd)
{
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
case SSL_CTRL_SET_TMP_RSA_CB:
{
s->cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp;
}
break;
#endif
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
case SSL_CTRL_SET_TMP_DH_CB:
{
s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
return(ret);
}
-long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, char *parg)
+long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
{
CERT *cert;
switch (cmd)
{
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
case SSL_CTRL_NEED_TMP_RSA:
if ( (cert->rsa_tmp == NULL) &&
((cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) ||
}
break;
#endif
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
case SSL_CTRL_SET_TMP_DH:
{
DH *new=NULL,*dh;
switch (cmd)
{
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
case SSL_CTRL_SET_TMP_RSA_CB:
{
cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp;
}
break;
#endif
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
case SSL_CTRL_SET_TMP_DH_CB:
{
cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
return(2);
}
-SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *have,
- STACK_OF(SSL_CIPHER) *pref)
+SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
+ STACK_OF(SSL_CIPHER) *srvr)
{
SSL_CIPHER *c,*ret=NULL;
+ STACK_OF(SSL_CIPHER) *prio, *allow;
int i,j,ok;
CERT *cert;
unsigned long alg,mask,emask;
/* Let's see which ciphers we can support */
cert=s->cert;
- sk_SSL_CIPHER_set_cmp_func(pref,ssl_cipher_ptr_id_cmp);
+#if 0
+ /* Do not set the compare functions, because this may lead to a
+ * reordering by "id". We want to keep the original ordering.
+ * We may pay a price in performance during sk_SSL_CIPHER_find(),
+ * but would have to pay with the price of sk_SSL_CIPHER_dup().
+ */
+ sk_SSL_CIPHER_set_cmp_func(srvr, ssl_cipher_ptr_id_cmp);
+ sk_SSL_CIPHER_set_cmp_func(clnt, ssl_cipher_ptr_id_cmp);
+#endif
#ifdef CIPHER_DEBUG
- printf("Have %d from %p:\n", sk_SSL_CIPHER_num(pref), pref);
- for(i=0 ; i < sk_SSL_CIPHER_num(pref) ; ++i)
+ printf("Server has %d from %p:\n", sk_SSL_CIPHER_num(srvr), srvr);
+ for(i=0 ; i < sk_SSL_CIPHER_num(srvr) ; ++i)
+ {
+ c=sk_SSL_CIPHER_value(srvr,i);
+ printf("%p:%s\n",c,c->name);
+ }
+ printf("Client sent %d from %p:\n", sk_SSL_CIPHER_num(clnt), clnt);
+ for(i=0 ; i < sk_SSL_CIPHER_num(clnt) ; ++i)
{
- c=sk_SSL_CIPHER_value(pref,i);
+ c=sk_SSL_CIPHER_value(clnt,i);
printf("%p:%s\n",c,c->name);
}
#endif
- for (i=0; i<sk_SSL_CIPHER_num(have); i++)
+ if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE)
+ {
+ prio = srvr;
+ allow = clnt;
+ }
+ else
+ {
+ prio = clnt;
+ allow = srvr;
+ }
+
+ for (i=0; i<sk_SSL_CIPHER_num(prio); i++)
{
- c=sk_SSL_CIPHER_value(have,i);
+ c=sk_SSL_CIPHER_value(prio,i);
ssl_set_cert_masks(cert,c);
mask=cert->mask;
#endif /* KSSL_DEBUG */
alg=c->algorithms&(SSL_MKEY_MASK|SSL_AUTH_MASK);
+#ifndef OPENSSL_NO_KRB5
+ if (alg & SSL_KRB5)
+ {
+ if ( !kssl_keytab_is_available(s->kssl_ctx) )
+ continue;
+ }
+#endif /* OPENSSL_NO_KRB5 */
if (SSL_C_IS_EXPORT(c))
{
ok=((alg & emask) == alg)?1:0;
if (!ok) continue;
- j=sk_SSL_CIPHER_find(pref,c);
+ j=sk_SSL_CIPHER_find(allow,c);
if (j >= 0)
{
- ret=sk_SSL_CIPHER_value(pref,j);
+ ret=sk_SSL_CIPHER_value(allow,j);
break;
}
}
alg=s->s3->tmp.new_cipher->algorithms;
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
if (alg & (SSL_kDHr|SSL_kEDH))
{
-# ifndef NO_RSA
+# ifndef OPENSSL_NO_RSA
p[ret++]=SSL3_CT_RSA_FIXED_DH;
# endif
-# ifndef NO_DSA
+# ifndef OPENSSL_NO_DSA
p[ret++]=SSL3_CT_DSS_FIXED_DH;
# endif
}
if ((s->version == SSL3_VERSION) &&
(alg & (SSL_kEDH|SSL_kDHd|SSL_kDHr)))
{
-# ifndef NO_RSA
+# ifndef OPENSSL_NO_RSA
p[ret++]=SSL3_CT_RSA_EPHEMERAL_DH;
# endif
-# ifndef NO_DSA
+# ifndef OPENSSL_NO_DSA
p[ret++]=SSL3_CT_DSS_EPHEMERAL_DH;
# endif
}
-#endif /* !NO_DH */
-#ifndef NO_RSA
+#endif /* !OPENSSL_NO_DH */
+#ifndef OPENSSL_NO_RSA
p[ret++]=SSL3_CT_RSA_SIGN;
#endif
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
p[ret++]=SSL3_CT_DSS_SIGN;
#endif
return(ret);
return ssl3_read_internal(s, buf, len, 0);
}
-int ssl3_peek(SSL *s, char *buf, int len)
+int ssl3_peek(SSL *s, void *buf, int len)
{
return ssl3_read_internal(s, buf, len, 1);
}