#define SSL_ENC_SEED_IDX 11
#define SSL_ENC_AES128GCM_IDX 12
#define SSL_ENC_AES256GCM_IDX 13
-#define SSL_ENC_NUM_IDX 14
+#define SSL_ENC_AES128CCM_IDX 14
+#define SSL_ENC_AES256CCM_IDX 15
+#define SSL_ENC_AES128CCM8_IDX 16
+#define SSL_ENC_AES256CCM8_IDX 17
+#define SSL_ENC_NUM_IDX 18
+
+/* NB: make sure indices in these tables match values above */
+
+typedef struct {
+ unsigned long mask;
+ int nid;
+} ssl_cipher_table;
+
+/* Table of NIDs for each cipher */
+static const ssl_cipher_table ssl_cipher_table_cipher[SSL_ENC_NUM_IDX] = {
+ {SSL_DES, NID_des_cbc}, /* SSL_ENC_DES_IDX 0 */
+ {SSL_3DES, NID_des_ede3_cbc}, /* SSL_ENC_3DES_IDX 1 */
+ {SSL_RC4, NID_rc4}, /* SSL_ENC_RC4_IDX 2 */
+ {SSL_RC2, NID_rc2_cbc}, /* SSL_ENC_RC2_IDX 3 */
+ {SSL_IDEA, NID_idea_cbc}, /* SSL_ENC_IDEA_IDX 4 */
+ {SSL_eNULL, NID_undef}, /* SSL_ENC_NULL_IDX 5 */
+ {SSL_AES128, NID_aes_128_cbc}, /* SSL_ENC_AES128_IDX 6 */
+ {SSL_AES256, NID_aes_256_cbc}, /* SSL_ENC_AES256_IDX 7 */
+ {SSL_CAMELLIA128, NID_camellia_128_cbc}, /* SSL_ENC_CAMELLIA128_IDX 8 */
+ {SSL_CAMELLIA256, NID_camellia_256_cbc}, /* SSL_ENC_CAMELLIA256_IDX 9 */
+ {SSL_eGOST2814789CNT, NID_gost89_cnt}, /* SSL_ENC_GOST89_IDX 10 */
+ {SSL_SEED, NID_seed_cbc}, /* SSL_ENC_SEED_IDX 11 */
+ {SSL_AES128GCM, NID_aes_128_gcm}, /* SSL_ENC_AES128GCM_IDX 12 */
+ {SSL_AES256GCM, NID_aes_256_gcm}, /* SSL_ENC_AES256GCM_IDX 13 */
+ {SSL_AES128CCM, NID_aes_128_ccm}, /* SSL_ENC_AES128CCM_IDX 14 */
+ {SSL_AES256CCM, NID_aes_256_ccm}, /* SSL_ENC_AES256CCM_IDX 15 */
+ {SSL_AES128CCM8, NID_aes_128_ccm}, /* SSL_ENC_AES128CCM8_IDX 16 */
+ {SSL_AES256CCM8, NID_aes_256_ccm} /* SSL_ENC_AES256CCM8_IDX 17 */
+};
static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX] = {
NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
* Constant SSL_MAX_DIGEST equal to size of digests array should be defined
* in the ssl_locl.h
*/
+
#define SSL_MD_NUM_IDX SSL_MAX_DIGEST
+
+/* NB: make sure indices in this table matches values above */
+static const ssl_cipher_table ssl_cipher_table_mac[SSL_MD_NUM_IDX] = {
+ {SSL_MD5, NID_md5}, /* SSL_MD_MD5_IDX 0 */
+ {SSL_SHA1, NID_sha1}, /* SSL_MD_SHA1_IDX 1 */
+ {SSL_GOST94, NID_id_GostR3411_94}, /* SSL_MD_GOST94_IDX 2 */
+ {SSL_GOST89MAC, NID_id_Gost28147_89_MAC}, /* SSL_MD_GOST89MAC_IDX 3 */
+ {SSL_SHA256, NID_sha256}, /* SSL_MD_SHA256_IDX 4 */
+ {SSL_SHA384, NID_sha384} /* SSL_MD_SHA384_IDX 5 */
+};
+
static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX] = {
NULL, NULL, NULL, NULL, NULL, NULL
};
+/* Utility function for table lookup */
+static int ssl_cipher_info_find(const ssl_cipher_table * table,
+ size_t table_cnt, unsigned long mask)
+{
+ size_t i;
+ for (i = 0; i < table_cnt; i++, table++) {
+ if (table->mask == mask)
+ return i;
+ }
+ return -1;
+}
+
+#define ssl_cipher_info_lookup(table, x) \
+ ssl_cipher_info_find(table, OSSL_NELEM(table), x)
+
/*
* PKEY_TYPE for GOST89MAC is known in advance, but, because implementation
* is engine-provided, we'll fill it only if corresponding EVP_PKEY_METHOD is
{0, SSL_TXT_DH, 0, SSL_kDHr | SSL_kDHd | SSL_kDHE, 0, 0, 0, 0, 0, 0, 0,
0},
- {0, SSL_TXT_kKRB5, 0, SSL_kKRB5, 0, 0, 0, 0, 0, 0, 0, 0},
-
{0, SSL_TXT_kECDHr, 0, SSL_kECDHr, 0, 0, 0, 0, 0, 0, 0, 0},
{0, SSL_TXT_kECDHe, 0, SSL_kECDHe, 0, 0, 0, 0, 0, 0, 0, 0},
{0, SSL_TXT_kECDH, 0, SSL_kECDHr | SSL_kECDHe, 0, 0, 0, 0, 0, 0, 0, 0},
0, 0, 0},
{0, SSL_TXT_kPSK, 0, SSL_kPSK, 0, 0, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_kRSAPSK, 0, SSL_kRSAPSK, 0, 0, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_kECDHEPSK, 0, SSL_kECDHEPSK, 0, 0, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_kDHEPSK, 0, SSL_kDHEPSK, 0, 0, 0, 0, 0, 0, 0, 0},
{0, SSL_TXT_kSRP, 0, SSL_kSRP, 0, 0, 0, 0, 0, 0, 0, 0},
{0, SSL_TXT_kGOST, 0, SSL_kGOST, 0, 0, 0, 0, 0, 0, 0, 0},
{0, SSL_TXT_aRSA, 0, 0, SSL_aRSA, 0, 0, 0, 0, 0, 0, 0},
{0, SSL_TXT_aDSS, 0, 0, SSL_aDSS, 0, 0, 0, 0, 0, 0, 0},
{0, SSL_TXT_DSS, 0, 0, SSL_aDSS, 0, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_aKRB5, 0, 0, SSL_aKRB5, 0, 0, 0, 0, 0, 0, 0},
{0, SSL_TXT_aNULL, 0, 0, SSL_aNULL, 0, 0, 0, 0, 0, 0, 0},
/* no such ciphersuites supported! */
{0, SSL_TXT_aDH, 0, 0, SSL_aDH, 0, 0, 0, 0, 0, 0, 0},
{0, SSL_TXT_aECDSA, 0, 0, SSL_aECDSA, 0, 0, 0, 0, 0, 0, 0},
{0, SSL_TXT_ECDSA, 0, 0, SSL_aECDSA, 0, 0, 0, 0, 0, 0, 0},
{0, SSL_TXT_aPSK, 0, 0, SSL_aPSK, 0, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_aGOST94, 0, 0, SSL_aGOST94, 0, 0, 0, 0, 0, 0, 0},
{0, SSL_TXT_aGOST01, 0, 0, SSL_aGOST01, 0, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_aGOST, 0, 0, SSL_aGOST94 | SSL_aGOST01, 0, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_aGOST, 0, 0, SSL_aGOST01, 0, 0, 0, 0, 0, 0, 0},
{0, SSL_TXT_aSRP, 0, 0, SSL_aSRP, 0, 0, 0, 0, 0, 0, 0},
/* aliases combining key exchange and server authentication */
{0, SSL_TXT_EECDH, 0, SSL_kECDHE, ~SSL_aNULL, 0, 0, 0, 0, 0, 0, 0},
{0, SSL_TXT_ECDHE, 0, SSL_kECDHE, ~SSL_aNULL, 0, 0, 0, 0, 0, 0, 0},
{0, SSL_TXT_NULL, 0, 0, 0, SSL_eNULL, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_KRB5, 0, SSL_kKRB5, SSL_aKRB5, 0, 0, 0, 0, 0, 0, 0},
{0, SSL_TXT_RSA, 0, SSL_kRSA, SSL_aRSA, 0, 0, 0, 0, 0, 0, 0},
{0, SSL_TXT_ADH, 0, SSL_kDHE, SSL_aNULL, 0, 0, 0, 0, 0, 0, 0},
{0, SSL_TXT_AECDH, 0, SSL_kECDHE, SSL_aNULL, 0, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_PSK, 0, SSL_kPSK, SSL_aPSK, 0, 0, 0, 0, 0, 0, 0},
+ {0, SSL_TXT_PSK, 0, SSL_PSK, 0, 0, 0, 0, 0, 0, 0, 0},
{0, SSL_TXT_SRP, 0, SSL_kSRP, 0, 0, 0, 0, 0, 0, 0, 0},
/* symmetric encryption aliases */
{0, SSL_TXT_IDEA, 0, 0, 0, SSL_IDEA, 0, 0, 0, 0, 0, 0},
{0, SSL_TXT_SEED, 0, 0, 0, SSL_SEED, 0, 0, 0, 0, 0, 0},
{0, SSL_TXT_eNULL, 0, 0, 0, SSL_eNULL, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_AES128, 0, 0, 0, SSL_AES128 | SSL_AES128GCM, 0, 0, 0, 0, 0,
- 0},
- {0, SSL_TXT_AES256, 0, 0, 0, SSL_AES256 | SSL_AES256GCM, 0, 0, 0, 0, 0,
- 0},
+ {0, SSL_TXT_AES128, 0, 0, 0, SSL_AES128 | SSL_AES128GCM | SSL_AES128CCM | SSL_AES128CCM8, 0,
+ 0, 0, 0, 0, 0},
+ {0, SSL_TXT_AES256, 0, 0, 0, SSL_AES256 | SSL_AES256GCM | SSL_AES256CCM | SSL_AES256CCM8, 0,
+ 0, 0, 0, 0, 0},
{0, SSL_TXT_AES, 0, 0, 0, SSL_AES, 0, 0, 0, 0, 0, 0},
{0, SSL_TXT_AES_GCM, 0, 0, 0, SSL_AES128GCM | SSL_AES256GCM, 0, 0, 0, 0,
0, 0},
+ {0, SSL_TXT_AES_CCM, 0, 0, 0, SSL_AES128CCM | SSL_AES256CCM | SSL_AES128CCM8 | SSL_AES256CCM8, 0, 0, 0, 0,
+ 0, 0},
+ {0, SSL_TXT_AES_CCM_8, 0, 0, 0, SSL_AES128CCM8 | SSL_AES256CCM8, 0, 0, 0, 0,
+ 0, 0},
{0, SSL_TXT_CAMELLIA128, 0, 0, 0, SSL_CAMELLIA128, 0, 0, 0, 0, 0, 0},
{0, SSL_TXT_CAMELLIA256, 0, 0, 0, SSL_CAMELLIA256, 0, 0, 0, 0, 0, 0},
{0, SSL_TXT_CAMELLIA, 0, 0, 0, SSL_CAMELLIA128 | SSL_CAMELLIA256, 0, 0, 0,
#endif
+/* masks of disabled algorithms */
+static unsigned long disabled_enc_mask;
+static unsigned long disabled_mac_mask;
+static unsigned long disabled_mkey_mask;
+static unsigned long disabled_auth_mask;
+
void ssl_load_ciphers(void)
{
- ssl_cipher_methods[SSL_ENC_DES_IDX] = EVP_get_cipherbyname(SN_des_cbc);
- ssl_cipher_methods[SSL_ENC_3DES_IDX] =
- EVP_get_cipherbyname(SN_des_ede3_cbc);
- ssl_cipher_methods[SSL_ENC_RC4_IDX] = EVP_get_cipherbyname(SN_rc4);
- ssl_cipher_methods[SSL_ENC_RC2_IDX] = EVP_get_cipherbyname(SN_rc2_cbc);
-#ifndef OPENSSL_NO_IDEA
- ssl_cipher_methods[SSL_ENC_IDEA_IDX] = EVP_get_cipherbyname(SN_idea_cbc);
-#else
- ssl_cipher_methods[SSL_ENC_IDEA_IDX] = NULL;
+ size_t i;
+ const ssl_cipher_table *t;
+ disabled_enc_mask = 0;
+ for (i = 0, t = ssl_cipher_table_cipher; i < SSL_ENC_NUM_IDX; i++, t++) {
+ if (t->nid == NID_undef) {
+ ssl_cipher_methods[i] = NULL;
+ } else {
+ const EVP_CIPHER *cipher = EVP_get_cipherbynid(t->nid);
+ ssl_cipher_methods[i] = cipher;
+ if (cipher == NULL)
+ disabled_enc_mask |= t->mask;
+ }
+ }
+#ifdef SSL_FORBID_ENULL
+ disabled_enc_mask |= SSL_eNULL;
#endif
- ssl_cipher_methods[SSL_ENC_AES128_IDX] =
- EVP_get_cipherbyname(SN_aes_128_cbc);
- ssl_cipher_methods[SSL_ENC_AES256_IDX] =
- EVP_get_cipherbyname(SN_aes_256_cbc);
- ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX] =
- EVP_get_cipherbyname(SN_camellia_128_cbc);
- ssl_cipher_methods[SSL_ENC_CAMELLIA256_IDX] =
- EVP_get_cipherbyname(SN_camellia_256_cbc);
- ssl_cipher_methods[SSL_ENC_GOST89_IDX] =
- EVP_get_cipherbyname(SN_gost89_cnt);
- ssl_cipher_methods[SSL_ENC_SEED_IDX] = EVP_get_cipherbyname(SN_seed_cbc);
-
- ssl_cipher_methods[SSL_ENC_AES128GCM_IDX] =
- EVP_get_cipherbyname(SN_aes_128_gcm);
- ssl_cipher_methods[SSL_ENC_AES256GCM_IDX] =
- EVP_get_cipherbyname(SN_aes_256_gcm);
-
- ssl_digest_methods[SSL_MD_MD5_IDX] = EVP_get_digestbyname(SN_md5);
- ssl_mac_secret_size[SSL_MD_MD5_IDX] =
- EVP_MD_size(ssl_digest_methods[SSL_MD_MD5_IDX]);
- OPENSSL_assert(ssl_mac_secret_size[SSL_MD_MD5_IDX] >= 0);
- ssl_digest_methods[SSL_MD_SHA1_IDX] = EVP_get_digestbyname(SN_sha1);
- ssl_mac_secret_size[SSL_MD_SHA1_IDX] =
- EVP_MD_size(ssl_digest_methods[SSL_MD_SHA1_IDX]);
- OPENSSL_assert(ssl_mac_secret_size[SSL_MD_SHA1_IDX] >= 0);
- ssl_digest_methods[SSL_MD_GOST94_IDX] =
- EVP_get_digestbyname(SN_id_GostR3411_94);
- if (ssl_digest_methods[SSL_MD_GOST94_IDX]) {
- ssl_mac_secret_size[SSL_MD_GOST94_IDX] =
- EVP_MD_size(ssl_digest_methods[SSL_MD_GOST94_IDX]);
- OPENSSL_assert(ssl_mac_secret_size[SSL_MD_GOST94_IDX] >= 0);
+ disabled_mac_mask = 0;
+ for (i = 0, t = ssl_cipher_table_mac; i < SSL_MD_NUM_IDX; i++, t++) {
+ const EVP_MD *md = EVP_get_digestbynid(t->nid);
+ ssl_digest_methods[i] = md;
+ if (md == NULL) {
+ disabled_mac_mask |= t->mask;
+ } else {
+ ssl_mac_secret_size[i] = EVP_MD_size(md);
+ OPENSSL_assert(ssl_mac_secret_size[i] >= 0);
+ }
}
- ssl_digest_methods[SSL_MD_GOST89MAC_IDX] =
- EVP_get_digestbyname(SN_id_Gost28147_89_MAC);
+ /* Make sure we can access MD5 and SHA1 */
+ OPENSSL_assert(ssl_digest_methods[SSL_MD_MD5_IDX] != NULL);
+ OPENSSL_assert(ssl_digest_methods[SSL_MD_SHA1_IDX] != NULL);
+
+ disabled_mkey_mask = 0;
+ disabled_auth_mask = 0;
+
+#ifdef OPENSSL_NO_RSA
+ disabled_mkey_mask |= SSL_kRSA | SSL_kRSAPSK;
+ disabled_auth_mask |= SSL_aRSA;
+#endif
+#ifdef OPENSSL_NO_DSA
+ disabled_auth_mask |= SSL_aDSS;
+#endif
+#ifdef OPENSSL_NO_DH
+ disabled_mkey_mask |= SSL_kDHr | SSL_kDHd | SSL_kDHE | SSL_kDHEPSK;
+ disabled_auth_mask |= SSL_aDH;
+#endif
+#ifdef OPENSSL_NO_EC
+ disabled_mkey_mask |= SSL_kECDHe | SSL_kECDHr | SSL_kECDHEPSK;
+ disabled_auth_mask |= SSL_aECDSA | SSL_aECDH;
+#endif
+#ifdef OPENSSL_NO_PSK
+ disabled_mkey_mask |= SSL_PSK;
+ disabled_auth_mask |= SSL_aPSK;
+#endif
+#ifdef OPENSSL_NO_SRP
+ disabled_mkey_mask |= SSL_kSRP;
+#endif
+
+ /*
+ * Check for presence of GOST 34.10 algorithms, and if they are not
+ * present, disable appropriate auth and key exchange
+ */
ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX] = get_optional_pkey_id("gost-mac");
if (ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX]) {
ssl_mac_secret_size[SSL_MD_GOST89MAC_IDX] = 32;
+ } else {
+ disabled_mac_mask |= SSL_GOST89MAC;
}
- ssl_digest_methods[SSL_MD_SHA256_IDX] = EVP_get_digestbyname(SN_sha256);
- ssl_mac_secret_size[SSL_MD_SHA256_IDX] =
- EVP_MD_size(ssl_digest_methods[SSL_MD_SHA256_IDX]);
- ssl_digest_methods[SSL_MD_SHA384_IDX] = EVP_get_digestbyname(SN_sha384);
- ssl_mac_secret_size[SSL_MD_SHA384_IDX] =
- EVP_MD_size(ssl_digest_methods[SSL_MD_SHA384_IDX]);
+ if (!get_optional_pkey_id("gost2001"))
+ disabled_auth_mask |= SSL_aGOST01;
+ /*
+ * Disable GOST key exchange if no GOST signature algs are available *
+ */
+ if ((disabled_auth_mask & SSL_aGOST01) == SSL_aGOST01)
+ disabled_mkey_mask |= SSL_kGOST;
}
#ifndef OPENSSL_NO_COMP
if (ssl_comp_methods == NULL) {
SSL_COMP *comp = NULL;
+ COMP_METHOD *method = COMP_zlib();
MemCheck_off();
ssl_comp_methods = sk_SSL_COMP_new(sk_comp_cmp);
- if (ssl_comp_methods != NULL) {
- comp = (SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
+ if (COMP_get_type(method) != NID_undef
+ && ssl_comp_methods != NULL) {
+ comp = OPENSSL_malloc(sizeof(*comp));
if (comp != NULL) {
- comp->method = COMP_zlib();
- if (comp->method && comp->method->type == NID_undef)
- OPENSSL_free(comp);
- else {
- comp->id = SSL_COMP_ZLIB_IDX;
- comp->name = comp->method->name;
- sk_SSL_COMP_push(ssl_comp_methods, comp);
- }
+ comp->method = method;
+ comp->id = SSL_COMP_ZLIB_IDX;
+ comp->name = COMP_get_name(method);
+ sk_SSL_COMP_push(ssl_comp_methods, comp);
+ sk_SSL_COMP_sort(ssl_comp_methods);
}
- sk_SSL_COMP_sort(ssl_comp_methods);
}
MemCheck_on();
}
else
*comp = NULL;
}
+ /* If were only interested in comp then return success */
+ if ((enc == NULL) && (md == NULL))
+ return 1;
}
if ((enc == NULL) || (md == NULL))
- return (0);
+ return 0;
- switch (c->algorithm_enc) {
- case SSL_DES:
- i = SSL_ENC_DES_IDX;
- break;
- case SSL_3DES:
- i = SSL_ENC_3DES_IDX;
- break;
- case SSL_RC4:
- i = SSL_ENC_RC4_IDX;
- break;
- case SSL_RC2:
- i = SSL_ENC_RC2_IDX;
- break;
- case SSL_IDEA:
- i = SSL_ENC_IDEA_IDX;
- break;
- case SSL_eNULL:
- i = SSL_ENC_NULL_IDX;
- break;
- case SSL_AES128:
- i = SSL_ENC_AES128_IDX;
- break;
- case SSL_AES256:
- i = SSL_ENC_AES256_IDX;
- break;
- case SSL_CAMELLIA128:
- i = SSL_ENC_CAMELLIA128_IDX;
- break;
- case SSL_CAMELLIA256:
- i = SSL_ENC_CAMELLIA256_IDX;
- break;
- case SSL_eGOST2814789CNT:
- i = SSL_ENC_GOST89_IDX;
- break;
- case SSL_SEED:
- i = SSL_ENC_SEED_IDX;
- break;
- case SSL_AES128GCM:
- i = SSL_ENC_AES128GCM_IDX;
- break;
- case SSL_AES256GCM:
- i = SSL_ENC_AES256GCM_IDX;
- break;
- default:
- i = -1;
- break;
- }
+ i = ssl_cipher_info_lookup(ssl_cipher_table_cipher, c->algorithm_enc);
- if ((i < 0) || (i >= SSL_ENC_NUM_IDX))
+ if (i == -1)
*enc = NULL;
else {
if (i == SSL_ENC_NULL_IDX)
*enc = ssl_cipher_methods[i];
}
- switch (c->algorithm_mac) {
- case SSL_MD5:
- i = SSL_MD_MD5_IDX;
- break;
- case SSL_SHA1:
- i = SSL_MD_SHA1_IDX;
- break;
- case SSL_SHA256:
- i = SSL_MD_SHA256_IDX;
- break;
- case SSL_SHA384:
- i = SSL_MD_SHA384_IDX;
- break;
- case SSL_GOST94:
- i = SSL_MD_GOST94_IDX;
- break;
- case SSL_GOST89MAC:
- i = SSL_MD_GOST89MAC_IDX;
- break;
- default:
- i = -1;
- break;
- }
- if ((i < 0) || (i >= SSL_MD_NUM_IDX)) {
+ i = ssl_cipher_info_lookup(ssl_cipher_table_mac, c->algorithm_mac);
+ if (i == -1) {
*md = NULL;
if (mac_pkey_type != NULL)
*mac_pkey_type = NID_undef;
*head = curr;
}
-static void ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth,
- unsigned long *enc, unsigned long *mac,
- unsigned long *ssl)
-{
- *mkey = 0;
- *auth = 0;
- *enc = 0;
- *mac = 0;
- *ssl = 0;
-
-#ifdef OPENSSL_NO_RSA
- *mkey |= SSL_kRSA;
- *auth |= SSL_aRSA;
-#endif
-#ifdef OPENSSL_NO_DSA
- *auth |= SSL_aDSS;
-#endif
-#ifdef OPENSSL_NO_DH
- *mkey |= SSL_kDHr | SSL_kDHd | SSL_kDHE;
- *auth |= SSL_aDH;
-#endif
-#ifdef OPENSSL_NO_KRB5
- *mkey |= SSL_kKRB5;
- *auth |= SSL_aKRB5;
-#endif
-#ifdef OPENSSL_NO_ECDSA
- *auth |= SSL_aECDSA;
-#endif
-#ifdef OPENSSL_NO_ECDH
- *mkey |= SSL_kECDHe | SSL_kECDHr;
- *auth |= SSL_aECDH;
-#endif
-#ifdef OPENSSL_NO_PSK
- *mkey |= SSL_kPSK;
- *auth |= SSL_aPSK;
-#endif
-#ifdef OPENSSL_NO_SRP
- *mkey |= SSL_kSRP;
-#endif
- /*
- * Check for presence of GOST 34.10 algorithms, and if they do not
- * present, disable appropriate auth and key exchange
- */
- if (!get_optional_pkey_id("gost94")) {
- *auth |= SSL_aGOST94;
- }
- if (!get_optional_pkey_id("gost2001")) {
- *auth |= SSL_aGOST01;
- }
- /*
- * Disable GOST key exchange if no GOST signature algs are available *
- */
- if ((*auth & (SSL_aGOST94 | SSL_aGOST01)) == (SSL_aGOST94 | SSL_aGOST01)) {
- *mkey |= SSL_kGOST;
- }
-#ifdef SSL_FORBID_ENULL
- *enc |= SSL_eNULL;
-#endif
-
- *enc |= (ssl_cipher_methods[SSL_ENC_DES_IDX] == NULL) ? SSL_DES : 0;
- *enc |= (ssl_cipher_methods[SSL_ENC_3DES_IDX] == NULL) ? SSL_3DES : 0;
- *enc |= (ssl_cipher_methods[SSL_ENC_RC4_IDX] == NULL) ? SSL_RC4 : 0;
- *enc |= (ssl_cipher_methods[SSL_ENC_RC2_IDX] == NULL) ? SSL_RC2 : 0;
- *enc |= (ssl_cipher_methods[SSL_ENC_IDEA_IDX] == NULL) ? SSL_IDEA : 0;
- *enc |= (ssl_cipher_methods[SSL_ENC_AES128_IDX] == NULL) ? SSL_AES128 : 0;
- *enc |= (ssl_cipher_methods[SSL_ENC_AES256_IDX] == NULL) ? SSL_AES256 : 0;
- *enc |=
- (ssl_cipher_methods[SSL_ENC_AES128GCM_IDX] ==
- NULL) ? SSL_AES128GCM : 0;
- *enc |=
- (ssl_cipher_methods[SSL_ENC_AES256GCM_IDX] ==
- NULL) ? SSL_AES256GCM : 0;
- *enc |=
- (ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX] ==
- NULL) ? SSL_CAMELLIA128 : 0;
- *enc |=
- (ssl_cipher_methods[SSL_ENC_CAMELLIA256_IDX] ==
- NULL) ? SSL_CAMELLIA256 : 0;
- *enc |=
- (ssl_cipher_methods[SSL_ENC_GOST89_IDX] ==
- NULL) ? SSL_eGOST2814789CNT : 0;
- *enc |= (ssl_cipher_methods[SSL_ENC_SEED_IDX] == NULL) ? SSL_SEED : 0;
-
- *mac |= (ssl_digest_methods[SSL_MD_MD5_IDX] == NULL) ? SSL_MD5 : 0;
- *mac |= (ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL) ? SSL_SHA1 : 0;
- *mac |= (ssl_digest_methods[SSL_MD_SHA256_IDX] == NULL) ? SSL_SHA256 : 0;
- *mac |= (ssl_digest_methods[SSL_MD_SHA384_IDX] == NULL) ? SSL_SHA384 : 0;
- *mac |= (ssl_digest_methods[SSL_MD_GOST94_IDX] == NULL) ? SSL_GOST94 : 0;
- *mac |= (ssl_digest_methods[SSL_MD_GOST89MAC_IDX] == NULL
- || ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX] ==
- NID_undef) ? SSL_GOST89MAC : 0;
-
-}
-
static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
int num_of_ciphers,
unsigned long disabled_mkey,
co_list[co_list_num].prev = NULL;
co_list[co_list_num].active = 0;
co_list_num++;
-#ifdef KSSL_DEBUG
- fprintf(stderr, "\t%d: %s %lx %lx %lx\n", i, c->name, c->id,
- c->algorithm_mkey, c->algorithm_auth);
-#endif /* KSSL_DEBUG */
/*
* if (!sk_push(ca_list,(char *)c)) goto err;
*/
curr = curr->next;
}
- number_uses = OPENSSL_malloc((max_strength_bits + 1) * sizeof(int));
+ number_uses = OPENSSL_zalloc(sizeof(int) * (max_strength_bits + 1));
if (!number_uses) {
SSLerr(SSL_F_SSL_CIPHER_STRENGTH_SORT, ERR_R_MALLOC_FAILURE);
return (0);
}
- memset(number_uses, 0, (max_strength_bits + 1) * sizeof(int));
/*
* Now find the strength_bits values actually used
j = found = 0;
cipher_id = 0;
while (ca_list[j]) {
- if (!strncmp(buf, ca_list[j]->name, buflen) &&
- (ca_list[j]->name[buflen] == '\0')) {
+ if (strncmp(buf, ca_list[j]->name, buflen) == 0
+ && (ca_list[j]->name[buflen] == '\0')) {
found = 1;
break;
} else
*/
if (rule == CIPHER_SPECIAL) { /* special command */
ok = 0;
- if ((buflen == 8) && !strncmp(buf, "STRENGTH", 8))
+ if ((buflen == 8) && strncmp(buf, "STRENGTH", 8) == 0)
ok = ssl_cipher_strength_sort(head_p, tail_p);
- else if (buflen == 10 && !strncmp(buf, "SECLEVEL=", 9)) {
+ else if (buflen == 10 && strncmp(buf, "SECLEVEL=", 9) == 0) {
int level = buf[9] - '0';
if (level < 0 || level > 5) {
SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
const char **prule_str)
{
unsigned int suiteb_flags = 0, suiteb_comb2 = 0;
- if (!strcmp(*prule_str, "SUITEB128"))
- suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS;
- else if (!strcmp(*prule_str, "SUITEB128ONLY"))
+ if (strncmp(*prule_str, "SUITEB128ONLY", 13) == 0) {
suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS_ONLY;
- else if (!strcmp(*prule_str, "SUITEB128C2")) {
+ } else if (strncmp(*prule_str, "SUITEB128C2", 11) == 0) {
suiteb_comb2 = 1;
suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS;
- } else if (!strcmp(*prule_str, "SUITEB192"))
+ } else if (strncmp(*prule_str, "SUITEB128", 9) == 0) {
+ suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS;
+ } else if (strncmp(*prule_str, "SUITEB192", 9) == 0) {
suiteb_flags = SSL_CERT_FLAG_SUITEB_192_LOS;
+ }
if (suiteb_flags) {
c->cert_flags &= ~SSL_CERT_FLAG_SUITEB_128_LOS;
SSL_R_ONLY_TLS_1_2_ALLOWED_IN_SUITEB_MODE);
return 0;
}
-# ifndef OPENSSL_NO_ECDH
+# ifndef OPENSSL_NO_EC
switch (suiteb_flags) {
case SSL_CERT_FLAG_SUITEB_128_LOS:
if (suiteb_comb2)
* To reduce the work to do we only want to process the compiled
* in algorithms, so we first get the mask of disabled ciphers.
*/
- ssl_cipher_get_disabled(&disabled_mkey, &disabled_auth, &disabled_enc,
- &disabled_mac, &disabled_ssl);
+
+ disabled_mkey = disabled_mkey_mask;
+ disabled_auth = disabled_auth_mask;
+ disabled_enc = disabled_enc_mask;
+ disabled_mac = disabled_mac_mask;
+ disabled_ssl = 0;
/*
* Now we have to collect the available ciphers from the compiled
* it is used for allocation.
*/
num_of_ciphers = ssl_method->num_ciphers();
-#ifdef KSSL_DEBUG
- fprintf(stderr, "ssl_create_cipher_list() for %d ciphers\n",
- num_of_ciphers);
-#endif /* KSSL_DEBUG */
- co_list =
- (CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * num_of_ciphers);
+
+ co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers);
if (co_list == NULL) {
SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
return (NULL); /* Failure */
&tail);
ssl_cipher_apply_rule(0, SSL_kPSK, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head,
&tail);
- ssl_cipher_apply_rule(0, SSL_kKRB5, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head,
- &tail);
/* RC4 is sort-of broken -- move the the end */
ssl_cipher_apply_rule(0, 0, 0, SSL_RC4, 0, 0, 0, CIPHER_ORD, -1, &head,
* groups of cipher_aliases added together in one list (otherwise
* we would be happy with just the cipher_aliases table).
*/
- num_of_group_aliases = sizeof(cipher_aliases) / sizeof(SSL_CIPHER);
+ num_of_group_aliases = OSSL_NELEM(cipher_aliases);
num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
- ca_list = OPENSSL_malloc(sizeof(SSL_CIPHER *) * num_of_alias_max);
+ ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
if (ca_list == NULL) {
OPENSSL_free(co_list);
SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
if (ok && (strlen(rule_p) > 0))
ok = ssl_cipher_process_rulestr(rule_p, &head, &tail, ca_list, c);
- OPENSSL_free((void *)ca_list); /* Not needed anymore */
+ OPENSSL_free(ca_list); /* Not needed anymore */
if (!ok) { /* Rule processing failure */
OPENSSL_free(co_list);
sk_SSL_CIPHER_free(cipherstack);
return NULL;
}
- if (*cipher_list != NULL)
- sk_SSL_CIPHER_free(*cipher_list);
+ sk_SSL_CIPHER_free(*cipher_list);
*cipher_list = cipherstack;
if (*cipher_list_by_id != NULL)
sk_SSL_CIPHER_free(*cipher_list_by_id);
const char *ver, *exp_str;
const char *kx, *au, *enc, *mac;
unsigned long alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl;
-#ifdef KSSL_DEBUG
- static const char *format =
- "%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s AL=%lx/%lx/%lx/%lx/%lx\n";
-#else
static const char *format =
"%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s\n";
-#endif /* KSSL_DEBUG */
alg_mkey = cipher->algorithm_mkey;
alg_auth = cipher->algorithm_auth;
case SSL_kDHd:
kx = "DH/DSS";
break;
- case SSL_kKRB5:
- kx = "KRB5";
- break;
case SSL_kDHE:
kx = is_export ? (pkl == 512 ? "DH(512)" : "DH(1024)") : "DH";
break;
case SSL_kPSK:
kx = "PSK";
break;
+ case SSL_kRSAPSK:
+ kx = "RSAPSK";
+ break;
+ case SSL_kECDHEPSK:
+ kx = "ECDHEPSK";
+ break;
+ case SSL_kDHEPSK:
+ kx = "DHEPSK";
+ break;
case SSL_kSRP:
kx = "SRP";
break;
case SSL_aDH:
au = "DH";
break;
- case SSL_aKRB5:
- au = "KRB5";
- break;
case SSL_aECDH:
au = "ECDH";
break;
case SSL_aSRP:
au = "SRP";
break;
- case SSL_aGOST94:
- au = "GOST94";
- break;
case SSL_aGOST01:
au = "GOST01";
break;
case SSL_AES256GCM:
enc = "AESGCM(256)";
break;
+ case SSL_AES128CCM:
+ enc = "AESCCM(128)";
+ break;
+ case SSL_AES256CCM:
+ enc = "AESCCM(256)";
+ break;
+ case SSL_AES128CCM8:
+ enc = "AESCCM8(128)";
+ break;
+ case SSL_AES256CCM8:
+ enc = "AESCCM8(256)";
+ break;
case SSL_CAMELLIA128:
enc = "Camellia(128)";
break;
} else if (len < 128)
return ("Buffer too small");
-#ifdef KSSL_DEBUG
- BIO_snprintf(buf, len, format, cipher->name, ver, kx, au, enc, mac,
- exp_str, alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl);
-#else
BIO_snprintf(buf, len, format, cipher->name, ver, kx, au, enc, mac,
exp_str);
-#endif /* KSSL_DEBUG */
+
return (buf);
}
}
#ifdef OPENSSL_NO_COMP
-void *SSL_COMP_get_compression_methods(void)
+STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void)
{
return NULL;
}
-
-int SSL_COMP_add_compression_method(int id, void *cm)
+STACK_OF(SSL_COMP) *SSL_COMP_set0_compression_methods(STACK_OF(SSL_COMP)
+ *meths)
{
- return 1;
+ return meths;
}
-
-const char *SSL_COMP_get_name(const void *comp)
+void SSL_COMP_free_compression_methods(void)
{
- return NULL;
}
+int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm)
+{
+ return 1;
+}
+
#else
STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void)
{
{
SSL_COMP *comp;
- if (cm == NULL || cm->type == NID_undef)
+ if (cm == NULL || COMP_get_type(cm) == NID_undef)
return 1;
/*-
}
MemCheck_off();
- comp = (SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
+ comp = OPENSSL_malloc(sizeof(*comp));
if (comp == NULL) {
MemCheck_on();
SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD, ERR_R_MALLOC_FAILURE);
return (0);
}
}
+#endif
const char *SSL_COMP_get_name(const COMP_METHOD *comp)
{
- if (comp)
- return comp->name;
+#ifndef OPENSSL_NO_COMP
+ return comp ? COMP_get_name(comp) : NULL;
+#else
return NULL;
-}
#endif
+}
+
/* For a cipher return the index corresponding to the certificate type */
int ssl_cipher_get_cert_index(const SSL_CIPHER *c)
{
return SSL_PKEY_DSA_SIGN;
else if (alg_a & SSL_aRSA)
return SSL_PKEY_RSA_ENC;
- else if (alg_a & SSL_aKRB5)
- /* VRS something else here? */
- return -1;
- else if (alg_a & SSL_aGOST94)
- return SSL_PKEY_GOST94;
else if (alg_a & SSL_aGOST01)
return SSL_PKEY_GOST01;
return -1;
{
return ssl->method->get_cipher_by_char(ptr);
}
+
+int SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *c)
+{
+ int i;
+ if (c == NULL)
+ return -1;
+ i = ssl_cipher_info_lookup(ssl_cipher_table_cipher, c->algorithm_enc);
+ if (i == -1)
+ return -1;
+ return ssl_cipher_table_cipher[i].nid;
+}
+
+int SSL_CIPHER_get_digest_nid(const SSL_CIPHER *c)
+{
+ int i;
+ if (c == NULL)
+ return -1;
+ i = ssl_cipher_info_lookup(ssl_cipher_table_mac, c->algorithm_mac);
+ if (i == -1)
+ return -1;
+ return ssl_cipher_table_mac[i].nid;
+}