#define SSL_ENC_RC4_IDX 2
#define SSL_ENC_RC2_IDX 3
#define SSL_ENC_IDEA_IDX 4
-#define SSL_ENC_eFZA_IDX 5
-#define SSL_ENC_NULL_IDX 6
-#define SSL_ENC_AES128_IDX 7
-#define SSL_ENC_AES256_IDX 8
-#define SSL_ENC_NUM_IDX 9
-#define SSL_ENC_CAMELLIA128_IDX 9
-#define SSL_ENC_CAMELLIA256_IDX 10
-#undef SSL_ENC_NUM_IDX
-#define SSL_ENC_NUM_IDX 11
+#define SSL_ENC_NULL_IDX 5
+#define SSL_ENC_AES128_IDX 6
+#define SSL_ENC_AES256_IDX 7
+#define SSL_ENC_CAMELLIA128_IDX 8
+#define SSL_ENC_CAMELLIA256_IDX 9
+#define SSL_ENC_NUM_IDX 10
static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX]={
} CIPHER_ORDER;
static const SSL_CIPHER cipher_aliases[]={
- /* Don't include eNULL unless specifically enabled. */
- /* Don't include ECC in ALL because these ciphers are not yet official. */
- {0,SSL_TXT_ALL, 0,SSL_ALL & ~SSL_eNULL & ~SSL_kECDH & ~SSL_kECDHE, SSL_ALL ,0,0,0,SSL_ALL,SSL_ALL}, /* must be first */
- /* TODO: COMPLEMENT OF ALL and COMPLEMENT OF DEFAULT do not have ECC cipher suites handled properly. */
- {0,SSL_TXT_CMPALL,0,SSL_eNULL,0,0,0,0,SSL_ENC_MASK,0}, /* COMPLEMENT OF ALL */
- {0,SSL_TXT_CMPDEF,0,SSL_ADH, 0,0,0,0,SSL_AUTH_MASK,0},
- {0,SSL_TXT_kKRB5,0,SSL_kKRB5,0,0,0,0,SSL_MKEY_MASK,0}, /* VRS Kerberos5 */
+ /* "ALL" doesn't include eNULL (must be specifically enabled) */
+ {0,SSL_TXT_ALL, 0,SSL_ALL & ~SSL_eNULL, SSL_ALL ,0,0,0,SSL_ALL,SSL_ALL},
+ /* "COMPLEMENTOFALL" */
+ {0,SSL_TXT_CMPALL,0,SSL_eNULL,0,0,0,0,SSL_ENC_MASK,0},
+
+ /* "COMPLEMENTOFDEFAULT" (does *not* include ciphersuites not found in ALL!) */
+ {0,SSL_TXT_CMPDEF,0,SSL_ADH|SSL_AECDH|(SSL_ENC_MASK & ~SSL_eNULL), 0,0,0,0,SSL_AUTH_MASK|SSL_ENC_MASK,0},
+
+ /* Single key exchange bits
+ * (some of these are multiple key exchange algs according to the RFCs,
+ * e.g. kEDH combines DHE_DSS and DHE_RSA) */
{0,SSL_TXT_kRSA,0,SSL_kRSA, 0,0,0,0,SSL_MKEY_MASK,0},
- {0,SSL_TXT_kDHr,0,SSL_kDHr, 0,0,0,0,SSL_MKEY_MASK,0},
- {0,SSL_TXT_kDHd,0,SSL_kDHd, 0,0,0,0,SSL_MKEY_MASK,0},
+ {0,SSL_TXT_kDHr,0,SSL_kDHr, 0,0,0,0,SSL_MKEY_MASK,0}, /* no such ciphersuites supported! */
+ {0,SSL_TXT_kDHd,0,SSL_kDHd, 0,0,0,0,SSL_MKEY_MASK,0}, /* no such ciphersuites supported! */
{0,SSL_TXT_kEDH,0,SSL_kEDH, 0,0,0,0,SSL_MKEY_MASK,0},
- {0,SSL_TXT_kFZA,0,SSL_kFZA, 0,0,0,0,SSL_MKEY_MASK,0},
+ {0,SSL_TXT_kKRB5,0,SSL_kKRB5,0,0,0,0,SSL_MKEY_MASK,0},
+ {0,SSL_TXT_kECDHr,0,SSL_kECDHr,0,0,0,0,SSL_MKEY_MASK,0},
+ {0,SSL_TXT_kECDHe,0,SSL_kECDHe,0,0,0,0,SSL_MKEY_MASK,0},
+ {0,SSL_TXT_kEECDH,0,SSL_kEECDH,0,0,0,0,SSL_MKEY_MASK,0},
{0,SSL_TXT_kPSK,0,SSL_kPSK, 0,0,0,0,SSL_MKEY_MASK,0},
+
+ /* More key exchange aliases (combined bits) */
{0,SSL_TXT_DH, 0,SSL_DH, 0,0,0,0,SSL_MKEY_MASK,0},
- {0,SSL_TXT_ECC, 0,(SSL_kECDH|SSL_kECDHE), 0,0,0,0,SSL_MKEY_MASK,0},
{0,SSL_TXT_EDH, 0,SSL_EDH, 0,0,0,0,SSL_MKEY_MASK|SSL_AUTH_MASK,0},
- {0,SSL_TXT_aKRB5,0,SSL_aKRB5,0,0,0,0,SSL_AUTH_MASK,0}, /* VRS Kerberos5 */
+ {0,SSL_TXT_kECDH,0,SSL_kECDH,0,0,0,0,SSL_MKEY_MASK,0},
+ {0,SSL_TXT_ECDH,0,SSL_ECDH, 0,0,0,0,SSL_MKEY_MASK,0},
+ {0,SSL_TXT_EECDH,0,SSL_EECDH,0,0,0,0,SSL_MKEY_MASK|SSL_AUTH_MASK,0},
+
+ /* Single authentication bits */
{0,SSL_TXT_aRSA,0,SSL_aRSA, 0,0,0,0,SSL_AUTH_MASK,0},
{0,SSL_TXT_aDSS,0,SSL_aDSS, 0,0,0,0,SSL_AUTH_MASK,0},
- {0,SSL_TXT_aFZA,0,SSL_aFZA, 0,0,0,0,SSL_AUTH_MASK,0},
- {0,SSL_TXT_aPSK,0,SSL_aPSK, 0,0,0,0,SSL_AUTH_MASK,0},
+ {0,SSL_TXT_aKRB5,0,SSL_aKRB5,0,0,0,0,SSL_AUTH_MASK,0},
{0,SSL_TXT_aNULL,0,SSL_aNULL,0,0,0,0,SSL_AUTH_MASK,0},
- {0,SSL_TXT_aDH, 0,SSL_aDH, 0,0,0,0,SSL_AUTH_MASK,0},
+ {0,SSL_TXT_aDH, 0,SSL_aDH, 0,0,0,0,SSL_AUTH_MASK,0}, /* no such ciphersuites supported! */
+ {0,SSL_TXT_aECDH, 0,SSL_aECDH,0,0,0,0,SSL_AUTH_MASK,0},
+ {0,SSL_TXT_aECDSA, 0,SSL_aECDSA,0,0,0,0,SSL_AUTH_MASK,0},
+ {0,SSL_TXT_aPSK,0,SSL_aPSK, 0,0,0,0,SSL_AUTH_MASK,0},
+
+ /* More authentication aliases */
{0,SSL_TXT_DSS, 0,SSL_DSS, 0,0,0,0,SSL_AUTH_MASK,0},
+ {0,SSL_TXT_ECDSA,0,SSL_ECDSA,0,0,0,0,SSL_AUTH_MASK,0},
+ /* Single encryption bits */
{0,SSL_TXT_DES, 0,SSL_DES, 0,0,0,0,SSL_ENC_MASK,0},
{0,SSL_TXT_3DES,0,SSL_3DES, 0,0,0,0,SSL_ENC_MASK,0},
{0,SSL_TXT_RC4, 0,SSL_RC4, 0,0,0,0,SSL_ENC_MASK,0},
{0,SSL_TXT_IDEA,0,SSL_IDEA, 0,0,0,0,SSL_ENC_MASK,0},
#endif
{0,SSL_TXT_eNULL,0,SSL_eNULL,0,0,0,0,SSL_ENC_MASK,0},
- {0,SSL_TXT_eFZA,0,SSL_eFZA, 0,0,0,0,SSL_ENC_MASK,0},
{0,SSL_TXT_AES, 0,SSL_AES, 0,0,0,0,SSL_ENC_MASK,0},
{0,SSL_TXT_CAMELLIA, 0,SSL_CAMELLIA, 0,0,0,0,SSL_ENC_MASK,0},
+ /* Single MAC bits */
{0,SSL_TXT_MD5, 0,SSL_MD5, 0,0,0,0,SSL_MAC_MASK,0},
{0,SSL_TXT_SHA1,0,SSL_SHA1, 0,0,0,0,SSL_MAC_MASK,0},
{0,SSL_TXT_SHA, 0,SSL_SHA, 0,0,0,0,SSL_MAC_MASK,0},
+ /* More aliases */
{0,SSL_TXT_NULL,0,SSL_NULL, 0,0,0,0,SSL_ENC_MASK,0},
{0,SSL_TXT_KRB5,0,SSL_KRB5, 0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0},
{0,SSL_TXT_RSA, 0,SSL_RSA, 0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0},
{0,SSL_TXT_ADH, 0,SSL_ADH, 0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0},
- {0,SSL_TXT_FZA, 0,SSL_FZA, 0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK|SSL_ENC_MASK,0},
+ {0,SSL_TXT_AECDH,0,SSL_AECDH,0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0},
{0,SSL_TXT_PSK, 0,SSL_PSK, 0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0},
{0,SSL_TXT_SSLV2, 0,SSL_SSLV2, 0,0,0,0,SSL_SSL_MASK,0},
static unsigned long ssl_cipher_get_disabled(void)
{
- unsigned long mask;
+ unsigned long mask = 0;
- mask = SSL_kFZA;
#ifdef OPENSSL_NO_RSA
mask |= SSL_aRSA|SSL_kRSA;
#endif
#ifdef OPENSSL_NO_KRB5
mask |= SSL_kKRB5|SSL_aKRB5;
#endif
+#ifdef OPENSSL_NO_ECDSA
+ mask |= SSL_aECDSA;
+#endif
#ifdef OPENSSL_NO_ECDH
- mask |= SSL_kECDH|SSL_kECDHE;
+ mask |= SSL_kECDHe|SSL_kECDHr|SSL_kECDHE|SSL_aECDH;
#endif
#ifdef OPENSSL_NO_PSK
mask |= SSL_kPSK;
mask |= (ssl_cipher_methods[SSL_ENC_RC4_IDX ] == NULL) ? SSL_RC4 :0;
mask |= (ssl_cipher_methods[SSL_ENC_RC2_IDX ] == NULL) ? SSL_RC2 :0;
mask |= (ssl_cipher_methods[SSL_ENC_IDEA_IDX] == NULL) ? SSL_IDEA:0;
- mask |= (ssl_cipher_methods[SSL_ENC_eFZA_IDX] == NULL) ? SSL_eFZA:0;
mask |= (ssl_cipher_methods[SSL_ENC_AES128_IDX] == NULL) ? SSL_AES:0;
mask |= (ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX] == NULL) ? SSL_CAMELLIA:0;
CIPHER_ORDER *ciph_curr;
SSL_CIPHER **ca_curr;
int i;
+ unsigned long enabled_mask = ~mask;
/*
* First, add the real ciphers as already collected
/*
* Now we add the available ones from the cipher_aliases[] table.
- * They represent either an algorithm, that must be fully
- * supported (not match any bit in mask) or represent a cipher
- * strength value (will be added in any case because algorithms=0).
+ * They represent either one or more algorithms, some of which
+ * in any affected category must be supported (set in enabled_mask),
+ * or represent a cipher strength value (will be added in any case because algorithms=0).
*/
for (i = 0; i < num_of_group_aliases; i++)
{
- if ((i == 0) || /* always fetch "ALL" */
- !(cipher_aliases[i].algorithms & mask))
+ int algorithms = cipher_aliases[i].algorithms;
+
+ if (SSL_MKEY_MASK & algorithms)
+ {
+ if ((SSL_MKEY_MASK & algorithms & enabled_mask) == 0)
+ continue;
+ }
+
+ if (SSL_AUTH_MASK & algorithms)
+ {
+ if ((SSL_AUTH_MASK & algorithms & enabled_mask) == 0)
+ continue;
+ }
+
+ if (SSL_ENC_MASK & algorithms)
{
- *ca_curr = (SSL_CIPHER *)(cipher_aliases + i);
- ca_curr++;
+ if ((SSL_ENC_MASK & algorithms & enabled_mask) == 0)
+ continue;
+ }
+
+ if (SSL_MAC_MASK & algorithms)
+ {
+ if ((SSL_MAC_MASK & algorithms & enabled_mask) == 0)
+ continue;
}
+
+ *ca_curr = (SSL_CIPHER *)(cipher_aliases + i);
+ ca_curr++;
}
*ca_curr = NULL; /* end of list */
}
-static void ssl_cipher_apply_rule(unsigned long cipher_id,
+static void ssl_cipher_apply_rule(unsigned long cipher_id, unsigned long ssl_version,
unsigned long algorithms, unsigned long mask,
unsigned long algo_strength, unsigned long mask_strength,
- int rule, int strength_bits, CIPHER_ORDER *co_list,
+ int rule, int strength_bits,
CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
{
CIPHER_ORDER *head, *tail, *curr, *curr2, *tail2;
cp = curr->cipher;
- /* If explicit cipher suite match that one only */
+ /* If explicit cipher suite, match only that one for its own protocol version.
+ * Usual selection criteria will be used for similar ciphersuites from other version! */
- if (cipher_id)
+ if (cipher_id && (cp->algorithms & SSL_SSL_MASK) == ssl_version)
{
if (cp->id != cipher_id)
continue;
*tail_p = tail;
}
-static int ssl_cipher_strength_sort(CIPHER_ORDER *co_list,
- CIPHER_ORDER **head_p,
+static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p,
CIPHER_ORDER **tail_p)
{
int max_strength_bits, i, *number_uses;
*/
for (i = max_strength_bits; i >= 0; i--)
if (number_uses[i] > 0)
- ssl_cipher_apply_rule(0, 0, 0, 0, 0, CIPHER_ORD, i,
- co_list, head_p, tail_p);
+ ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, CIPHER_ORD, i,
+ head_p, tail_p);
OPENSSL_free(number_uses);
return(1);
}
static int ssl_cipher_process_rulestr(const char *rule_str,
- CIPHER_ORDER *co_list, CIPHER_ORDER **head_p,
- CIPHER_ORDER **tail_p, SSL_CIPHER **ca_list)
+ CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p,
+ SSL_CIPHER **ca_list)
{
unsigned long algorithms, mask, algo_strength, mask_strength;
const char *l, *start, *buf;
int j, multi, found, rule, retval, ok, buflen;
- unsigned long cipher_id;
+ unsigned long cipher_id = 0, ssl_version = 0;
char ch;
retval = 1;
*/
j = found = 0;
cipher_id = 0;
+ ssl_version = 0;
while (ca_list[j])
{
if (!strncmp(buf, ca_list[j]->name, buflen) &&
if (!found)
break; /* ignore this entry */
- if (ca_list[j]->valid)
- {
- cipher_id = ca_list[j]->id;
- break;
- }
-
/* New algorithms:
* 1 - any old restrictions apply outside new mask
* 2 - any new restrictions apply outside old mask
(algo_strength & ca_list[j]->algo_strength);
mask_strength |= ca_list[j]->mask_strength;
+ /* explicit ciphersuite found */
+ if (ca_list[j]->valid)
+ {
+ cipher_id = ca_list[j]->id;
+ ssl_version = ca_list[j]->algorithms & SSL_SSL_MASK;
+ break;
+ }
+
if (!multi) break;
}
ok = 0;
if ((buflen == 8) &&
!strncmp(buf, "STRENGTH", 8))
- ok = ssl_cipher_strength_sort(co_list,
- head_p, tail_p);
+ ok = ssl_cipher_strength_sort(head_p, tail_p);
else
SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
SSL_R_INVALID_COMMAND);
}
else if (found)
{
- ssl_cipher_apply_rule(cipher_id, algorithms, mask,
+ ssl_cipher_apply_rule(cipher_id, ssl_version, algorithms, mask,
algo_strength, mask_strength, rule, -1,
- co_list, head_p, tail_p);
+ head_p, tail_p);
}
else
{
if (strncmp(rule_str,"DEFAULT",7) == 0)
{
ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST,
- co_list, &head, &tail, ca_list);
+ &head, &tail, ca_list);
rule_p += 7;
if (*rule_p == ':')
rule_p++;
}
if (ok && (strlen(rule_p) > 0))
- ok = ssl_cipher_process_rulestr(rule_p, co_list, &head, &tail,
- ca_list);
+ ok = ssl_cipher_process_rulestr(rule_p, &head, &tail, ca_list);
OPENSSL_free(ca_list); /* Not needed anymore */
case SSL_kDHd:
kx="DH/DSS";
break;
- case SSL_kKRB5: /* VRS */
- case SSL_KRB5: /* VRS */
- kx="KRB5";
- break;
- case SSL_kFZA:
- kx="Fortezza";
+ case SSL_kKRB5:
+ kx="KRB5";
break;
case SSL_kEDH:
kx=is_export?(pkl == 512 ? "DH(512)" : "DH(1024)"):"DH";
break;
- case SSL_kECDH:
- case SSL_kECDHE:
- kx=is_export?"ECDH(<=163)":"ECDH";
+ case SSL_kECDHr:
+ kx="ECDH/RSA";
+ break;
+ case SSL_kECDHe:
+ kx="ECDH/ECDSA";
+ break;
+ case SSL_kEECDH:
+ kx="ECDH";
break;
case SSL_kPSK:
kx="PSK";
case SSL_aDH:
au="DH";
break;
- case SSL_aKRB5: /* VRS */
- case SSL_KRB5: /* VRS */
- au="KRB5";
- break;
- case SSL_aFZA:
+ case SSL_aKRB5:
+ au="KRB5";
+ break;
+ case SSL_aECDH:
+ au="ECDH";
+ break;
case SSL_aNULL:
au="None";
break;
case SSL_IDEA:
enc="IDEA(128)";
break;
- case SSL_eFZA:
- enc="Fortezza";
- break;
case SSL_eNULL:
enc="None";
break;