X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fs3_lib.c;h=dec84188ee9dce48cecfc4562c2ce01bb6914d74;hp=d438cbb10d0114a7cb05c78d6382da7abe4146bc;hb=48ae85b6ffe85e327f63c59d8de6a94a8b8f2d3b;hpb=7e69565fe680b8bf244a076f0b069f8937b6c7b8 diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index d438cbb10d..dec84188ee 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -181,7 +181,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_MD5, SSL_SSLV3, SSL_NOT_EXP|SSL_STRONG_NONE, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 0, 0, }, @@ -196,8 +196,8 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_eNULL, SSL_SHA1, SSL_SSLV3, - SSL_NOT_EXP|SSL_STRONG_NONE, - 0, + SSL_NOT_EXP|SSL_STRONG_NONE|SSL_FIPS, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 0, 0, }, @@ -213,7 +213,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_MD5, SSL_SSLV3, SSL_EXPORT|SSL_EXP40, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 40, 128, }, @@ -229,7 +229,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_MD5, SSL_SSLV3, SSL_NOT_EXP|SSL_MEDIUM, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, }, @@ -245,7 +245,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_SSLV3, SSL_NOT_EXP|SSL_MEDIUM, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, }, @@ -261,7 +261,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_MD5, SSL_SSLV3, SSL_EXPORT|SSL_EXP40, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 40, 128, }, @@ -278,7 +278,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_SSLV3, SSL_NOT_EXP|SSL_MEDIUM, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, }, @@ -295,7 +295,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_SSLV3, SSL_EXPORT|SSL_EXP40, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 40, 56, }, @@ -311,7 +311,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_SSLV3, SSL_NOT_EXP|SSL_LOW, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 56, 56, }, @@ -326,8 +326,8 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_3DES, SSL_SHA1, SSL_SSLV3, - SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 168, 168, }, @@ -344,7 +344,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_SSLV3, SSL_EXPORT|SSL_EXP40, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 40, 56, }, @@ -360,7 +360,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_SSLV3, SSL_NOT_EXP|SSL_LOW, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 56, 56, }, @@ -375,8 +375,8 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_3DES, SSL_SHA1, SSL_SSLV3, - SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 168, 168, }, @@ -392,7 +392,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_SSLV3, SSL_EXPORT|SSL_EXP40, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 40, 56, }, @@ -408,7 +408,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_SSLV3, SSL_NOT_EXP|SSL_LOW, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 56, 56, }, @@ -423,8 +423,8 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_3DES, SSL_SHA1, SSL_SSLV3, - SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 168, 168, }, @@ -441,7 +441,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_SSLV3, SSL_EXPORT|SSL_EXP40, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 40, 56, }, @@ -457,7 +457,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_SSLV3, SSL_NOT_EXP|SSL_LOW, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 56, 56, }, @@ -472,8 +472,8 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_3DES, SSL_SHA1, SSL_SSLV3, - SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 168, 168, }, @@ -489,7 +489,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_SSLV3, SSL_EXPORT|SSL_EXP40, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 40, 56, }, @@ -505,7 +505,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_SSLV3, SSL_NOT_EXP|SSL_LOW, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 56, 56, }, @@ -520,8 +520,8 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_3DES, SSL_SHA1, SSL_SSLV3, - SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 168, 168, }, @@ -537,7 +537,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_MD5, SSL_SSLV3, SSL_EXPORT|SSL_EXP40, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 40, 128, }, @@ -553,7 +553,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_MD5, SSL_SSLV3, SSL_NOT_EXP|SSL_MEDIUM, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, }, @@ -569,7 +569,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_SSLV3, SSL_EXPORT|SSL_EXP40, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 40, 128, }, @@ -585,7 +585,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_SSLV3, SSL_NOT_EXP|SSL_LOW, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 56, 56, }, @@ -600,8 +600,8 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_3DES, SSL_SHA1, SSL_SSLV3, - SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 168, 168, }, @@ -619,7 +619,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_SSLV3, SSL_NOT_EXP|SSL_STRONG_NONE, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 0, 0, }, @@ -635,7 +635,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_SSLV3, SSL_NOT_EXP|SSL_STRONG_NONE, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 0, 0, }, @@ -651,17 +651,14 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_SSLV3, SSL_NOT_EXP|SSL_MEDIUM, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, }, #endif #ifndef OPENSSL_NO_KRB5 -/* The Kerberos ciphers -** 20000107 VRS: And the first shall be last, -** in hopes of avoiding the lynx ssl renegotiation problem. -*/ +/* The Kerberos ciphers*/ /* Cipher 1E */ { 1, @@ -673,7 +670,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_SSLV3, SSL_NOT_EXP|SSL_LOW, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 56, 56, }, @@ -688,8 +685,8 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_3DES, SSL_SHA1, SSL_SSLV3, - SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 168, 168, }, @@ -705,7 +702,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_SSLV3, SSL_NOT_EXP|SSL_MEDIUM, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, }, @@ -721,7 +718,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_SSLV3, SSL_NOT_EXP|SSL_MEDIUM, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, }, @@ -737,7 +734,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_MD5, SSL_SSLV3, SSL_NOT_EXP|SSL_LOW, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 56, 56, }, @@ -753,7 +750,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_MD5, SSL_SSLV3, SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 168, 168, }, @@ -769,7 +766,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_MD5, SSL_SSLV3, SSL_NOT_EXP|SSL_MEDIUM, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, }, @@ -785,7 +782,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_MD5, SSL_SSLV3, SSL_NOT_EXP|SSL_MEDIUM, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, }, @@ -801,7 +798,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_SSLV3, SSL_EXPORT|SSL_EXP40, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 40, 56, }, @@ -817,7 +814,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_SSLV3, SSL_EXPORT|SSL_EXP40, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 40, 128, }, @@ -833,7 +830,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_SSLV3, SSL_EXPORT|SSL_EXP40, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 40, 128, }, @@ -849,7 +846,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_MD5, SSL_SSLV3, SSL_EXPORT|SSL_EXP40, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 40, 56, }, @@ -865,7 +862,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_MD5, SSL_SSLV3, SSL_EXPORT|SSL_EXP40, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 40, 128, }, @@ -881,7 +878,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_MD5, SSL_SSLV3, SSL_EXPORT|SSL_EXP40, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 40, 128, }, @@ -898,8 +895,8 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_AES128, SSL_SHA1, SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, }, @@ -913,8 +910,8 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_AES128, SSL_SHA1, SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, }, @@ -928,8 +925,8 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_AES128, SSL_SHA1, SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, }, @@ -943,8 +940,8 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_AES128, SSL_SHA1, SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, }, @@ -958,8 +955,8 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_AES128, SSL_SHA1, SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, }, @@ -973,8 +970,8 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_AES128, SSL_SHA1, SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, }, @@ -989,8 +986,8 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_AES256, SSL_SHA1, SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 256, 256, }, @@ -1004,8 +1001,8 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_AES256, SSL_SHA1, SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 256, 256, }, @@ -1020,8 +1017,8 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_AES256, SSL_SHA1, SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 256, 256, }, @@ -1036,8 +1033,8 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_AES256, SSL_SHA1, SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 256, 256, }, @@ -1052,8 +1049,8 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_AES256, SSL_SHA1, SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 256, 256, }, @@ -1068,8 +1065,8 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_AES256, SSL_SHA1, SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 256, 256, }, @@ -1088,7 +1085,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, }, @@ -1104,7 +1101,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, }, @@ -1120,7 +1117,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, }, @@ -1136,7 +1133,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, }, @@ -1152,7 +1149,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, }, @@ -1168,7 +1165,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, }, @@ -1188,7 +1185,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_MD5, SSL_TLSV1, SSL_EXPORT|SSL_EXP56, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 56, 128, }, @@ -1204,7 +1201,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_MD5, SSL_TLSV1, SSL_EXPORT|SSL_EXP56, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 56, 128, }, @@ -1221,7 +1218,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_TLSV1, SSL_EXPORT|SSL_EXP56, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 56, 56, }, @@ -1237,7 +1234,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_TLSV1, SSL_EXPORT|SSL_EXP56, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 56, 56, }, @@ -1253,7 +1250,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_TLSV1, SSL_EXPORT|SSL_EXP56, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 56, 128, }, @@ -1269,7 +1266,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_TLSV1, SSL_EXPORT|SSL_EXP56, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 56, 128, }, @@ -1285,11 +1282,67 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_TLSV1, SSL_NOT_EXP|SSL_MEDIUM, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, }, #endif + { + 1, + "GOST94-GOST89-GOST89", + 0x3000080, + SSL_kGOST, + SSL_aGOST94, + SSL_eGOST2814789CNT, + SSL_GOST89MAC, + SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94|TLS1_STREAM_MAC, + 256, + 256 + }, + { + 1, + "GOST2001-GOST89-GOST89", + 0x3000081, + SSL_kGOST, + SSL_aGOST01, + SSL_eGOST2814789CNT, + SSL_GOST89MAC, + SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94|TLS1_STREAM_MAC, + 256, + 256 + }, + { + 1, + "GOST94-NULL-GOST94", + 0x3000082, + SSL_kGOST, + SSL_aGOST94, + SSL_eNULL, + SSL_GOST94, + SSL_TLSV1, + SSL_NOT_EXP|SSL_STRONG_NONE, + SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94, + 0, + 0 + }, + { + 1, + "GOST2001-NULL-GOST94", + 0x3000083, + SSL_kGOST, + SSL_aGOST01, + SSL_eNULL, + SSL_GOST94, + SSL_TLSV1, + SSL_NOT_EXP|SSL_STRONG_NONE, + SSL_HANDSHAKE_MAC_GOST94|TLS1_PRF_GOST94, + 0, + 0 + }, #ifndef OPENSSL_NO_CAMELLIA /* Camellia ciphersuites from RFC4132 (256-bit portion) */ @@ -1305,7 +1358,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 256, 256, }, @@ -1320,7 +1373,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 256, 256, }, @@ -1336,7 +1389,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 256, 256, }, @@ -1352,7 +1405,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 256, 256, }, @@ -1368,7 +1421,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 256, 256, }, @@ -1384,7 +1437,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 256, 256, }, @@ -1402,7 +1455,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_TLSV1, SSL_NOT_EXP|SSL_MEDIUM, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, }, @@ -1418,7 +1471,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 168, 168, }, @@ -1434,7 +1487,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, }, @@ -1450,12 +1503,113 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 256, 256, }, #endif /* OPENSSL_NO_PSK */ +#ifndef OPENSSL_NO_SEED + /* SEED ciphersuites from RFC4162 */ + + /* Cipher 96 */ + { + 1, + TLS1_TXT_RSA_WITH_SEED_SHA, + TLS1_CK_RSA_WITH_SEED_SHA, + SSL_kRSA, + SSL_aRSA, + SSL_SEED, + SSL_SHA1, + SSL_TLSV1, + SSL_NOT_EXP|SSL_MEDIUM, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + 128, + 128, + }, + + /* Cipher 97 */ + { + 0, /* not implemented (non-ephemeral DH) */ + TLS1_TXT_DH_DSS_WITH_SEED_SHA, + TLS1_CK_DH_DSS_WITH_SEED_SHA, + SSL_kDHd, + SSL_aDH, + SSL_SEED, + SSL_SHA1, + SSL_TLSV1, + SSL_NOT_EXP|SSL_MEDIUM, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + 128, + 128, + }, + + /* Cipher 98 */ + { + 0, /* not implemented (non-ephemeral DH) */ + TLS1_TXT_DH_RSA_WITH_SEED_SHA, + TLS1_CK_DH_RSA_WITH_SEED_SHA, + SSL_kDHr, + SSL_aDH, + SSL_SEED, + SSL_SHA1, + SSL_TLSV1, + SSL_NOT_EXP|SSL_MEDIUM, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + 128, + 128, + }, + + /* Cipher 99 */ + { + 1, + TLS1_TXT_DHE_DSS_WITH_SEED_SHA, + TLS1_CK_DHE_DSS_WITH_SEED_SHA, + SSL_kEDH, + SSL_aDSS, + SSL_SEED, + SSL_SHA1, + SSL_TLSV1, + SSL_NOT_EXP|SSL_MEDIUM, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + 128, + 128, + }, + + /* Cipher 9A */ + { + 1, + TLS1_TXT_DHE_RSA_WITH_SEED_SHA, + TLS1_CK_DHE_RSA_WITH_SEED_SHA, + SSL_kEDH, + SSL_aRSA, + SSL_SEED, + SSL_SHA1, + SSL_TLSV1, + SSL_NOT_EXP|SSL_MEDIUM, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + 128, + 128, + }, + + /* Cipher 9B */ + { + 1, + TLS1_TXT_ADH_WITH_SEED_SHA, + TLS1_CK_ADH_WITH_SEED_SHA, + SSL_kEDH, + SSL_aNULL, + SSL_SEED, + SSL_SHA1, + SSL_TLSV1, + SSL_NOT_EXP|SSL_MEDIUM, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + 128, + 128, + }, + +#endif /* OPENSSL_NO_SEED */ + #ifndef OPENSSL_NO_ECDH /* Cipher C001 */ { @@ -1467,8 +1621,8 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_eNULL, SSL_SHA1, SSL_TLSV1, - SSL_NOT_EXP, - 0, + SSL_NOT_EXP|SSL_STRONG_NONE, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 0, 0, }, @@ -1483,8 +1637,8 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_RC4, SSL_SHA1, SSL_TLSV1, - SSL_NOT_EXP, - 0, + SSL_NOT_EXP|SSL_MEDIUM, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, }, @@ -1500,7 +1654,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 168, 168, }, @@ -1516,7 +1670,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, }, @@ -1532,7 +1686,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 256, 256, }, @@ -1547,8 +1701,8 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_eNULL, SSL_SHA1, SSL_TLSV1, - SSL_NOT_EXP, - 0, + SSL_NOT_EXP|SSL_STRONG_NONE, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 0, 0, }, @@ -1563,8 +1717,8 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_RC4, SSL_SHA1, SSL_TLSV1, - SSL_NOT_EXP, - 0, + SSL_NOT_EXP|SSL_MEDIUM, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, }, @@ -1580,7 +1734,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 168, 168, }, @@ -1596,7 +1750,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, }, @@ -1612,7 +1766,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 256, 256, }, @@ -1627,8 +1781,8 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_eNULL, SSL_SHA1, SSL_TLSV1, - SSL_NOT_EXP, - 0, + SSL_NOT_EXP|SSL_STRONG_NONE, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 0, 0, }, @@ -1643,8 +1797,8 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_RC4, SSL_SHA1, SSL_TLSV1, - SSL_NOT_EXP, - 0, + SSL_NOT_EXP|SSL_MEDIUM, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, }, @@ -1660,7 +1814,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 168, 168, }, @@ -1676,7 +1830,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, }, @@ -1692,7 +1846,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 256, 256, }, @@ -1707,8 +1861,8 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_eNULL, SSL_SHA1, SSL_TLSV1, - SSL_NOT_EXP, - 0, + SSL_NOT_EXP|SSL_STRONG_NONE, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 0, 0, }, @@ -1723,8 +1877,8 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_RC4, SSL_SHA1, SSL_TLSV1, - SSL_NOT_EXP, - 0, + SSL_NOT_EXP|SSL_MEDIUM, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, }, @@ -1740,7 +1894,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 168, 168, }, @@ -1756,7 +1910,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, }, @@ -1772,7 +1926,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 256, 256, }, @@ -1787,8 +1941,8 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_eNULL, SSL_SHA1, SSL_TLSV1, - SSL_NOT_EXP, - 0, + SSL_NOT_EXP|SSL_STRONG_NONE, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 0, 0, }, @@ -1803,8 +1957,8 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_RC4, SSL_SHA1, SSL_TLSV1, - SSL_NOT_EXP, - 0, + SSL_NOT_EXP|SSL_MEDIUM, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, }, @@ -1820,7 +1974,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 168, 168, }, @@ -1836,7 +1990,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, 128, }, @@ -1852,18 +2006,78 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SHA1, SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, - 0, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 256, 256, }, #endif /* OPENSSL_NO_ECDH */ +#ifdef TEMP_GOST_TLS +/* Cipher FF00 */ + { + 1, + "GOST-MD5", + 0x0300ff00, + SSL_kRSA, + SSL_aRSA, + SSL_eGOST2814789CNT, + SSL_MD5, + SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + 256, + 256, + }, + { + 1, + "GOST-GOST94", + 0x0300ff01, + SSL_kRSA, + SSL_aRSA, + SSL_eGOST2814789CNT, + SSL_GOST94, + SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + 256, + 256 + }, + { + 1, + "GOST-GOST89MAC", + 0x0300ff02, + SSL_kRSA, + SSL_aRSA, + SSL_eGOST2814789CNT, + SSL_GOST89MAC, + SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, + 256, + 256 + }, + { + 1, + "GOST-GOST89STREAM", + 0x0300ff03, + SSL_kRSA, + SSL_aRSA, + SSL_eGOST2814789CNT, + SSL_GOST89MAC, + SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF|TLS1_STREAM_MAC, + 256, + 256 + }, +#endif + /* end of list */ }; SSL3_ENC_METHOD SSLv3_enc_data={ ssl3_enc, - ssl3_mac, + n_ssl3_mac, ssl3_setup_key_block, ssl3_generate_master_secret, ssl3_change_cipher_state, @@ -1887,7 +2101,7 @@ int ssl3_num_ciphers(void) return(SSL3_NUM_CIPHERS); } -SSL_CIPHER *ssl3_get_cipher(unsigned int u) +const SSL_CIPHER *ssl3_get_cipher(unsigned int u) { if (u < SSL3_NUM_CIPHERS) return(&(ssl3_ciphers[SSL3_NUM_CIPHERS-1-u])); @@ -1909,8 +2123,6 @@ int ssl3_new(SSL *s) if ((s3=OPENSSL_malloc(sizeof *s3)) == NULL) goto err; memset(s3,0,sizeof *s3); - EVP_MD_CTX_init(&s3->finish_dgst1); - EVP_MD_CTX_init(&s3->finish_dgst2); memset(s3->rrec.seq_num,0,sizeof(s3->rrec.seq_num)); memset(s3->wrec.seq_num,0,sizeof(s3->wrec.seq_num)); @@ -1927,11 +2139,18 @@ void ssl3_free(SSL *s) if(s == NULL) return; +#ifdef TLSEXT_TYPE_opaque_prf_input + if (s->s3->client_opaque_prf_input != NULL) + OPENSSL_free(s->s3->client_opaque_prf_input); + if (s->s3->server_opaque_prf_input != NULL) + OPENSSL_free(s->s3->server_opaque_prf_input); +#endif + ssl3_cleanup_key_block(s); if (s->s3->rbuf.buf != NULL) - OPENSSL_free(s->s3->rbuf.buf); + ssl3_release_read_buffer(s); if (s->s3->wbuf.buf != NULL) - OPENSSL_free(s->s3->wbuf.buf); + ssl3_release_write_buffer(s); if (s->s3->rrec.comp != NULL) OPENSSL_free(s->s3->rrec.comp); #ifndef OPENSSL_NO_DH @@ -1945,9 +2164,10 @@ void ssl3_free(SSL *s) if (s->s3->tmp.ca_names != NULL) sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free); - EVP_MD_CTX_cleanup(&s->s3->finish_dgst1); - EVP_MD_CTX_cleanup(&s->s3->finish_dgst2); - + if (s->s3->handshake_buffer) { + BIO_free(s->s3->handshake_buffer); + } + if (s->s3->handshake_dgst) ssl3_free_digest_list(s); OPENSSL_cleanse(s->s3,sizeof *s->s3); OPENSSL_free(s->s3); s->s3=NULL; @@ -1958,6 +2178,15 @@ void ssl3_clear(SSL *s) unsigned char *rp,*wp; size_t rlen, wlen; +#ifdef TLSEXT_TYPE_opaque_prf_input + if (s->s3->client_opaque_prf_input != NULL) + OPENSSL_free(s->s3->client_opaque_prf_input); + s->s3->client_opaque_prf_input = NULL; + if (s->s3->server_opaque_prf_input != NULL) + OPENSSL_free(s->s3->server_opaque_prf_input); + s->s3->server_opaque_prf_input = NULL; +#endif + ssl3_cleanup_key_block(s); if (s->s3->tmp.ca_names != NULL) sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free); @@ -1980,10 +2209,13 @@ void ssl3_clear(SSL *s) wp = s->s3->wbuf.buf; rlen = s->s3->rbuf.len; wlen = s->s3->wbuf.len; - - EVP_MD_CTX_cleanup(&s->s3->finish_dgst1); - EVP_MD_CTX_cleanup(&s->s3->finish_dgst2); - + if (s->s3->handshake_buffer) { + BIO_free(s->s3->handshake_buffer); + s->s3->handshake_buffer = NULL; + } + if (s->s3->handshake_dgst) { + ssl3_free_digest_list(s); + } memset(s->s3,0,sizeof *s->s3); s->s3->rbuf.buf = rp; s->s3->wbuf.buf = wp; @@ -1994,6 +2226,7 @@ void ssl3_clear(SSL *s) s->packet_length=0; s->s3->renegotiate=0; + s->s3->new_session=0; s->s3->total_renegotiations=0; s->s3->num_renegotiations=0; s->s3->in_read_app_data=0; @@ -2178,8 +2411,73 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) SSLerr(SSL_F_SSL3_CTRL, SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE); return 0; } - s->options |= SSL_OP_NO_SSLv2; /* can't use extension w/ SSL 2.0 format */ break; + case SSL_CTRL_SET_TLSEXT_DEBUG_ARG: + s->tlsext_debug_arg=parg; + ret = 1; + break; + +#ifdef TLSEXT_TYPE_opaque_prf_input + case SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT: + if (larg > 12288) /* actual internal limit is 2^16 for the complete hello message + * (including the cert chain and everything) */ + { + SSLerr(SSL_F_SSL3_CTRL, SSL_R_OPAQUE_PRF_INPUT_TOO_LONG); + break; + } + if (s->tlsext_opaque_prf_input != NULL) + OPENSSL_free(s->tlsext_opaque_prf_input); + if ((size_t)larg == 0) + s->tlsext_opaque_prf_input = OPENSSL_malloc(1); /* dummy byte just to get non-NULL */ + else + s->tlsext_opaque_prf_input = BUF_memdup(parg, (size_t)larg); + if (s->tlsext_opaque_prf_input != NULL) + { + s->tlsext_opaque_prf_input_len = (size_t)larg; + ret = 1; + } + else + s->tlsext_opaque_prf_input_len = 0; + break; +#endif + + case SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE: + s->tlsext_status_type=larg; + ret = 1; + break; + + case SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS: + *(STACK_OF(X509_EXTENSION) **)parg = s->tlsext_ocsp_exts; + ret = 1; + break; + + case SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS: + s->tlsext_ocsp_exts = parg; + ret = 1; + break; + + case SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS: + *(STACK_OF(OCSP_RESPID) **)parg = s->tlsext_ocsp_ids; + ret = 1; + break; + + case SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS: + s->tlsext_ocsp_ids = parg; + ret = 1; + break; + + case SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP: + *(unsigned char **)parg = s->tlsext_ocsp_resp; + return s->tlsext_ocsp_resplen; + + case SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP: + if (s->tlsext_ocsp_resp) + OPENSSL_free(s->tlsext_ocsp_resp); + s->tlsext_ocsp_resp = parg; + s->tlsext_ocsp_resplen = larg; + ret = 1; + break; + #endif /* !OPENSSL_NO_TLSEXT */ default: break; @@ -2231,6 +2529,12 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void)) s->cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp; } break; +#endif +#ifndef OPENSSL_NO_TLSEXT + case SSL_CTRL_SET_TLSEXT_DEBUG_CB: + s->tlsext_debug_cb=(void (*)(SSL *,int ,int, + unsigned char *, int, void *))fp; + break; #endif default: break; @@ -2369,7 +2673,45 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG: ctx->tlsext_servername_arg=parg; break; + case SSL_CTRL_SET_TLSEXT_TICKET_KEYS: + case SSL_CTRL_GET_TLSEXT_TICKET_KEYS: + { + unsigned char *keys = parg; + if (!keys) + return 48; + if (larg != 48) + { + SSLerr(SSL_F_SSL3_CTX_CTRL, SSL_R_INVALID_TICKET_KEYS_LENGTH); + return 0; + } + if (cmd == SSL_CTRL_SET_TLSEXT_TICKET_KEYS) + { + memcpy(ctx->tlsext_tick_key_name, keys, 16); + memcpy(ctx->tlsext_tick_hmac_key, keys + 16, 16); + memcpy(ctx->tlsext_tick_aes_key, keys + 32, 16); + } + else + { + memcpy(keys, ctx->tlsext_tick_key_name, 16); + memcpy(keys + 16, ctx->tlsext_tick_hmac_key, 16); + memcpy(keys + 32, ctx->tlsext_tick_aes_key, 16); + } + return 1; + } + +#ifdef TLSEXT_TYPE_opaque_prf_input + case SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT_CB_ARG: + ctx->tlsext_opaque_prf_input_callback_arg = parg; + return 1; +#endif + + case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG: + ctx->tlsext_status_arg=parg; + return 1; + break; + #endif /* !OPENSSL_NO_TLSEXT */ + /* A Thawte special :-) */ case SSL_CTRL_EXTRA_CHAIN_CERT: if (ctx->extra_certs == NULL) @@ -2419,6 +2761,24 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB: ctx->tlsext_servername_callback=(int (*)(SSL *,int *,void *))fp; break; + +#ifdef TLSEXT_TYPE_opaque_prf_input + case SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT_CB: + ctx->tlsext_opaque_prf_input_callback = (int (*)(SSL *,void *, size_t, void *))fp; + break; +#endif + + case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB: + ctx->tlsext_status_cb=(int (*)(SSL *,void *))fp; + break; + + case SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB: + ctx->tlsext_ticket_key_cb=(int (*)(SSL *,unsigned char *, + unsigned char *, + EVP_CIPHER_CTX *, + HMAC_CTX *, int))fp; + break; + #endif default: return(0); @@ -2428,17 +2788,15 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) /* This function needs to check if the ciphers required are actually * available */ -SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p) +const SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p) { - SSL_CIPHER c,*cp; + SSL_CIPHER c; + const SSL_CIPHER *cp; unsigned long id; id=0x03000000L|((unsigned long)p[0]<<8L)|(unsigned long)p[1]; c.id=id; - cp = (SSL_CIPHER *)OBJ_bsearch((char *)&c, - (char *)ssl3_ciphers, - SSL3_NUM_CIPHERS,sizeof(SSL_CIPHER), - FP_ICC ssl_cipher_id_cmp); + cp = OBJ_bsearch_ssl_cipher_id(&c, ssl3_ciphers, SSL3_NUM_CIPHERS); if (cp == NULL || cp->valid == 0) return NULL; else @@ -2465,13 +2823,11 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, SSL_CIPHER *c,*ret=NULL; STACK_OF(SSL_CIPHER) *prio, *allow; int i,ii,ok; +#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_EC) unsigned int j; -#ifndef OPENSSL_NO_TLSEXT -#ifndef OPENSSL_NO_EC int ec_ok, ec_nid; unsigned char ec_search1 = 0, ec_search2 = 0; -#endif /* OPENSSL_NO_EC */ -#endif /* OPENSSL_NO_TLSEXT */ +#endif CERT *cert; unsigned long alg_k,alg_a,mask_k,mask_a,emask_k,emask_a; @@ -2489,30 +2845,30 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, #endif #ifdef CIPHER_DEBUG - printf("Server has %d from %p:\n", sk_SSL_CIPHER_num(srvr), srvr); - for(i=0 ; i < sk_SSL_CIPHER_num(srvr) ; ++i) - { - c=sk_SSL_CIPHER_value(srvr,i); - printf("%p:%s\n",c,c->name); - } - printf("Client sent %d from %p:\n", sk_SSL_CIPHER_num(clnt), clnt); - for(i=0 ; i < sk_SSL_CIPHER_num(clnt) ; ++i) + printf("Server has %d from %p:\n", sk_SSL_CIPHER_num(srvr), (void *)srvr); + for(i=0 ; i < sk_SSL_CIPHER_num(srvr) ; ++i) + { + c=sk_SSL_CIPHER_value(srvr,i); + printf("%p:%s\n",(void *)c,c->name); + } + printf("Client sent %d from %p:\n", sk_SSL_CIPHER_num(clnt), (void *)clnt); + for(i=0 ; i < sk_SSL_CIPHER_num(clnt) ; ++i) { c=sk_SSL_CIPHER_value(clnt,i); - printf("%p:%s\n",c,c->name); + printf("%p:%s\n",(void *)c,c->name); } #endif if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) - { - prio = srvr; - allow = clnt; - } + { + prio = srvr; + allow = clnt; + } else - { - prio = clnt; - allow = srvr; - } + { + prio = clnt; + allow = srvr; + } for (i=0; iexport_mask_a; #ifdef KSSL_DEBUG - printf("ssl3_choose_cipher %d alg= %lx\n", i,c->algorithms); +/* printf("ssl3_choose_cipher %d alg= %lx\n", i,c->algorithms);*/ #endif /* KSSL_DEBUG */ alg_k=c->algorithm_mkey; alg_a=c->algorithm_auth; #ifndef OPENSSL_NO_KRB5 - if (alg_k & SSL_kKRB5) - { - if ( !kssl_keytab_is_available(s->kssl_ctx) ) - continue; - } + if (alg_k & SSL_kKRB5) + { + if ( !kssl_keytab_is_available(s->kssl_ctx) ) + continue; + } #endif /* OPENSSL_NO_KRB5 */ #ifndef OPENSSL_NO_PSK /* with PSK there must be server callback set */ @@ -2549,14 +2905,14 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, ok = (alg_k & emask_k) && (alg_a & emask_a); #ifdef CIPHER_DEBUG printf("%d:[%08lX:%08lX:%08lX:%08lX]%p:%s (export)\n",ok,alg_k,alg_a,emask_k,emask_a, - c,c->name); + (void *)c,c->name); #endif } else { ok = (alg_k & mask_k) && (alg_a & mask_a); #ifdef CIPHER_DEBUG - printf("%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n",ok,alg_k,alg_a,mask_k,mask_a,c, + printf("%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n",ok,alg_k,alg_a,mask_k,mask_a,(void *)c, c->name); #endif } @@ -2733,6 +3089,18 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p) alg_k = s->s3->tmp.new_cipher->algorithm_mkey; +#ifndef OPENSSL_NO_GOST + if (s->version >= TLS1_VERSION) + { + if (alg_k & SSL_kGOST) + { + p[ret++]=TLS_CT_GOST94_SIGN; + p[ret++]=TLS_CT_GOST01_SIGN; + return(ret); + } + } +#endif + #ifndef OPENSSL_NO_DH if (alg_k & (SSL_kDHr|SSL_kEDH)) { @@ -2782,6 +3150,7 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p) int ssl3_shutdown(SSL *s) { + int ret; /* Don't do anything much if we have not done the handshake or * we don't want to send messages :-) */ @@ -2799,18 +3168,32 @@ int ssl3_shutdown(SSL *s) #endif /* our shutdown alert has been sent now, and if it still needs * to be written, s->s3->alert_dispatch will be true */ + if (s->s3->alert_dispatch) + return(-1); /* return WANT_WRITE */ } else if (s->s3->alert_dispatch) { /* resend it if not sent */ #if 1 - s->method->ssl_dispatch_alert(s); + ret=s->method->ssl_dispatch_alert(s); + if(ret == -1) + { + /* we only get to return -1 here the 2nd/Nth + * invocation, we must have already signalled + * return 0 upon a previous invoation, + * return WANT_WRITE */ + return(ret); + } #endif } else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) { /* If we are waiting for a close from our peer, we are closed */ s->method->ssl_read_bytes(s,0,NULL,0,0); + if(!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) + { + return(-1); /* return WANT_READ */ + } } if ((s->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) &&