X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fs3_lib.c;h=fcaaa7bf703860b8e1dc348f7bcbd09e812fffcf;hp=9ff7f15877bc600c08e79e72bb8593dd1469c04a;hb=6d23cf97443bfedf755341b4f2d0d7fce254e020;hpb=b362ccab5c1d52086f19d29a32f4acc11073b86b diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 9ff7f15877..fcaaa7bf70 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -162,7 +162,7 @@ const char ssl3_version_str[]="SSLv3" OPENSSL_VERSION_PTEXT; #define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers)/sizeof(SSL_CIPHER)) /* list of available SSLv3 ciphers (sorted by id) */ -OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ +OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[]={ /* The RSA ciphers */ /* Cipher 01 */ @@ -323,7 +323,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SSLV3, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - 168, + 112, 168, }, @@ -372,7 +372,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SSLV3, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - 168, + 112, 168, }, @@ -420,7 +420,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SSLV3, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - 168, + 112, 168, }, @@ -469,7 +469,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SSLV3, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - 168, + 112, 168, }, @@ -517,7 +517,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SSLV3, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - 168, + 112, 168, }, @@ -597,7 +597,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SSLV3, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - 168, + 112, 168, }, @@ -682,7 +682,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SSLV3, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - 168, + 112, 168, }, @@ -746,7 +746,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_SSLV3, SSL_NOT_EXP|SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - 168, + 112, 168, }, @@ -1680,7 +1680,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - 168, + 112, 168, }, @@ -2028,6 +2028,202 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ }, #endif +#ifndef OPENSSL_NO_CAMELLIA + /* TLS 1.2 Camellia SHA-256 ciphersuites from RFC5932 */ + + /* Cipher BA */ + { + 1, + TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA256, + TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA256, + SSL_kRSA, + SSL_aRSA, + SSL_CAMELLIA128, + SSL_SHA256, + SSL_TLSV1_2, + SSL_NOT_EXP|SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, + 128, + 128, + }, + + /* Cipher BB */ + { + 1, + TLS1_TXT_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256, + TLS1_CK_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256, + SSL_kDHd, + SSL_aDH, + SSL_CAMELLIA128, + SSL_SHA256, + SSL_TLSV1_2, + SSL_NOT_EXP|SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, + 128, + 128, + }, + + /* Cipher BC */ + { + 1, + TLS1_TXT_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256, + TLS1_CK_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256, + SSL_kDHr, + SSL_aDH, + SSL_CAMELLIA128, + SSL_SHA256, + SSL_TLSV1_2, + SSL_NOT_EXP|SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, + 128, + 128, + }, + + /* Cipher BD */ + { + 1, + TLS1_TXT_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256, + TLS1_CK_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256, + SSL_kEDH, + SSL_aDSS, + SSL_CAMELLIA128, + SSL_SHA256, + SSL_TLSV1_2, + SSL_NOT_EXP|SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, + 128, + 128, + }, + + /* Cipher BE */ + { + 1, + TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, + TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, + SSL_kEDH, + SSL_aRSA, + SSL_CAMELLIA128, + SSL_SHA256, + SSL_TLSV1_2, + SSL_NOT_EXP|SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, + 128, + 128, + }, + + /* Cipher BF */ + { + 1, + TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA256, + TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA256, + SSL_kEDH, + SSL_aNULL, + SSL_CAMELLIA128, + SSL_SHA256, + SSL_TLSV1_2, + SSL_NOT_EXP|SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, + 128, + 128, + }, + + /* Cipher C0 */ + { + 1, + TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA256, + TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA256, + SSL_kRSA, + SSL_aRSA, + SSL_CAMELLIA256, + SSL_SHA256, + SSL_TLSV1_2, + SSL_NOT_EXP|SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, + 256, + 256, + }, + + /* Cipher C1 */ + { + 1, + TLS1_TXT_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256, + TLS1_CK_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256, + SSL_kDHd, + SSL_aDH, + SSL_CAMELLIA256, + SSL_SHA256, + SSL_TLSV1_2, + SSL_NOT_EXP|SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, + 256, + 256, + }, + + /* Cipher C2 */ + { + 1, + TLS1_TXT_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256, + TLS1_CK_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256, + SSL_kDHr, + SSL_aDH, + SSL_CAMELLIA256, + SSL_SHA256, + SSL_TLSV1_2, + SSL_NOT_EXP|SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, + 256, + 256, + }, + + /* Cipher C3 */ + { + 1, + TLS1_TXT_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256, + TLS1_CK_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256, + SSL_kEDH, + SSL_aDSS, + SSL_CAMELLIA256, + SSL_SHA256, + SSL_TLSV1_2, + SSL_NOT_EXP|SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, + 256, + 256, + }, + + /* Cipher C4 */ + { + 1, + TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, + TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, + SSL_kEDH, + SSL_aRSA, + SSL_CAMELLIA256, + SSL_SHA256, + SSL_TLSV1_2, + SSL_NOT_EXP|SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, + 256, + 256, + }, + + /* Cipher C5 */ + { + 1, + TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA256, + TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA256, + SSL_kEDH, + SSL_aNULL, + SSL_CAMELLIA256, + SSL_SHA256, + SSL_TLSV1_2, + SSL_NOT_EXP|SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, + 256, + 256, + }, +#endif + #ifndef OPENSSL_NO_ECDH /* Cipher C001 */ { @@ -2073,7 +2269,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - 168, + 112, 168, }, @@ -2153,7 +2349,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - 168, + 112, 168, }, @@ -2233,7 +2429,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - 168, + 112, 168, }, @@ -2313,7 +2509,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - 168, + 112, 168, }, @@ -2393,7 +2589,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - 168, + 112, 168, }, @@ -2437,13 +2633,13 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ TLS1_TXT_SRP_SHA_WITH_3DES_EDE_CBC_SHA, TLS1_CK_SRP_SHA_WITH_3DES_EDE_CBC_SHA, SSL_kSRP, - SSL_aNULL, + SSL_aSRP, SSL_3DES, SSL_SHA1, SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - 168, + 112, 168, }, @@ -2459,7 +2655,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - 168, + 112, 168, }, @@ -2475,7 +2671,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_TLSV1, SSL_NOT_EXP|SSL_HIGH, SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - 168, + 112, 168, }, @@ -2485,7 +2681,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ TLS1_TXT_SRP_SHA_WITH_AES_128_CBC_SHA, TLS1_CK_SRP_SHA_WITH_AES_128_CBC_SHA, SSL_kSRP, - SSL_aNULL, + SSL_aSRP, SSL_AES128, SSL_SHA1, SSL_TLSV1, @@ -2533,7 +2729,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ TLS1_TXT_SRP_SHA_WITH_AES_256_CBC_SHA, TLS1_CK_SRP_SHA_WITH_AES_256_CBC_SHA, SSL_kSRP, - SSL_aNULL, + SSL_aSRP, SSL_AES256, SSL_SHA1, SSL_TLSV1, @@ -2837,6 +3033,127 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 256, }, +#ifndef OPENSSL_NO_CAMELLIA + { /* Cipher C072 */ + 1, + TLS1_TXT_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256, + TLS1_CK_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256, + SSL_kECDHE, + SSL_aECDSA, + SSL_CAMELLIA128, + SSL_SHA256, + SSL_TLSV1_2, + SSL_NOT_EXP|SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, + 128, + 128 + }, + + { /* Cipher C073 */ + 1, + TLS1_TXT_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384, + TLS1_CK_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384, + SSL_kECDHE, + SSL_aECDSA, + SSL_CAMELLIA256, + SSL_SHA384, + SSL_TLSV1_2, + SSL_NOT_EXP|SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384, + 256, + 256 + }, + + { /* Cipher C074 */ + 1, + TLS1_TXT_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256, + TLS1_CK_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256, + SSL_kECDHe, + SSL_aECDH, + SSL_CAMELLIA128, + SSL_SHA256, + SSL_TLSV1_2, + SSL_NOT_EXP|SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, + 128, + 128 + }, + + { /* Cipher C075 */ + 1, + TLS1_TXT_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384, + TLS1_CK_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384, + SSL_kECDHe, + SSL_aECDH, + SSL_CAMELLIA256, + SSL_SHA384, + SSL_TLSV1_2, + SSL_NOT_EXP|SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384, + 256, + 256 + }, + + { /* Cipher C076 */ + 1, + TLS1_TXT_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, + TLS1_CK_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, + SSL_kECDHE, + SSL_aRSA, + SSL_CAMELLIA128, + SSL_SHA256, + SSL_TLSV1_2, + SSL_NOT_EXP|SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, + 128, + 128 + }, + + { /* Cipher C077 */ + 1, + TLS1_TXT_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384, + TLS1_CK_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384, + SSL_kECDHE, + SSL_aRSA, + SSL_CAMELLIA256, + SSL_SHA384, + SSL_TLSV1_2, + SSL_NOT_EXP|SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384, + 256, + 256 + }, + + { /* Cipher C078 */ + 1, + TLS1_TXT_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256, + TLS1_CK_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256, + SSL_kECDHr, + SSL_aECDH, + SSL_CAMELLIA128, + SSL_SHA256, + SSL_TLSV1_2, + SSL_NOT_EXP|SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256, + 128, + 128 + }, + + { /* Cipher C079 */ + 1, + TLS1_TXT_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384, + TLS1_CK_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384, + SSL_kECDHr, + SSL_aECDH, + SSL_CAMELLIA256, + SSL_SHA384, + SSL_TLSV1_2, + SSL_NOT_EXP|SSL_HIGH, + SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384, + 256, + 256 + }, +#endif /* OPENSSL_NO_CAMELLIA */ #endif /* OPENSSL_NO_ECDH */ @@ -2903,7 +3220,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ /* end of list */ }; -SSL3_ENC_METHOD SSLv3_enc_data={ +const SSL3_ENC_METHOD SSLv3_enc_data={ ssl3_enc, n_ssl3_mac, ssl3_setup_key_block, @@ -3027,10 +3344,6 @@ void ssl3_free(SSL *s) #ifndef OPENSSL_NO_SRP SSL_SRP_CTX_free(s); -#endif -#ifndef OPENSSL_NO_TLSEXT - if (s->s3->serverinfo_client_tlsext_custom_types != NULL) - OPENSSL_free(s->s3->serverinfo_client_tlsext_custom_types); #endif OPENSSL_cleanse(s->s3,sizeof *s->s3); OPENSSL_free(s->s3); @@ -3076,12 +3389,6 @@ void ssl3_clear(SSL *s) } #endif #ifndef OPENSSL_NO_TLSEXT - if (s->s3->serverinfo_client_tlsext_custom_types != NULL) - { - OPENSSL_free(s->s3->serverinfo_client_tlsext_custom_types); - s->s3->serverinfo_client_tlsext_custom_types = NULL; - } - s->s3->serverinfo_client_tlsext_custom_types_count = 0; #ifndef OPENSSL_NO_EC s->s3->is_probably_safari = 0; #endif /* !OPENSSL_NO_EC */ @@ -3134,7 +3441,7 @@ void ssl3_clear(SSL *s) } #ifndef OPENSSL_NO_SRP -static char * MS_CALLBACK srp_password_from_info_cb(SSL *s, void *arg) +static char * srp_password_from_info_cb(SSL *s, void *arg) { return BUF_strdup(s->srp_ctx.info) ; } @@ -3450,8 +3757,10 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) cipher = s->s3->tmp.new_cipher; if (!cipher) return 0; - /* No certificate for unauthenticated ciphersuites */ - if (cipher->algorithm_auth & SSL_aNULL) + /* No certificate for unauthenticated ciphersuites + * or using SRP authentication + */ + if (cipher->algorithm_auth & (SSL_aNULL|SSL_aSRP)) return 2; cpk = ssl_get_server_send_pkey(s); if (!cpk) @@ -3501,9 +3810,11 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) case SSL_CTRL_GET_SHARED_CURVE: return tls1_shared_curve(s, larg); +#ifndef OPENSSL_NO_ECDH case SSL_CTRL_SET_ECDH_AUTO: s->cert->ecdh_tmp_auto = larg; return 1; +#endif #endif case SSL_CTRL_SET_SIGALGS: return tls1_set_sigalgs(s->cert, parg, larg, 0); @@ -3575,7 +3886,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) EVP_PKEY *ptmp; int rv = 0; sc = s->session->sess_cert; -#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_EC) +#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_ECDH) if (!sc->peer_rsa_tmp && !sc->peer_dh_tmp && !sc->peer_ecdh_tmp) return 0; @@ -3615,6 +3926,31 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) return (int)sess->tlsext_ecpointformatlist_length; } #endif + + case SSL_CTRL_CHECK_PROTO_VERSION: + /* For library-internal use; checks that the current protocol + * is the highest enabled version (according to s->ctx->method, + * as version negotiation may have changed s->method). */ + if (s->version == s->ctx->method->version) + return 1; + /* Apparently we're using a version-flexible SSL_METHOD + * (not at its highest protocol version). */ + if (s->ctx->method->version == SSLv23_method()->version) + { +#if TLS_MAX_VERSION != TLS1_2_VERSION +# error Code needs update for SSLv23_method() support beyond TLS1_2_VERSION. +#endif + if (!(s->options & SSL_OP_NO_TLSv1_2)) + return s->version == TLS1_2_VERSION; + if (!(s->options & SSL_OP_NO_TLSv1_1)) + return s->version == TLS1_1_VERSION; + if (!(s->options & SSL_OP_NO_TLSv1)) + return s->version == TLS1_VERSION; + if (!(s->options & SSL_OP_NO_SSLv3)) + return s->version == SSL3_VERSION; + } + return 0; /* Unexpected state; fail closed. */ + default: break; } @@ -3903,9 +4239,11 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) return tls1_set_curves_list(&ctx->tlsext_ellipticcurvelist, &ctx->tlsext_ellipticcurvelist_length, parg); +#ifndef OPENSSL_NO_ECDH case SSL_CTRL_SET_ECDH_AUTO: ctx->cert->ecdh_tmp_auto = larg; return 1; +#endif #endif case SSL_CTRL_SET_SIGALGS: return tls1_set_sigalgs(ctx->cert, parg, larg, 0); @@ -4119,17 +4457,17 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, #endif #ifdef CIPHER_DEBUG - printf("Server has %d from %p:\n", sk_SSL_CIPHER_num(srvr), (void *)srvr); + fprintf(stderr, "Server has %d from %p:\n", sk_SSL_CIPHER_num(srvr), (void *)srvr); for(i=0 ; i < sk_SSL_CIPHER_num(srvr) ; ++i) { c=sk_SSL_CIPHER_value(srvr,i); - printf("%p:%s\n",(void *)c,c->name); + fprintf(stderr, "%p:%s\n",(void *)c,c->name); } - printf("Client sent %d from %p:\n", sk_SSL_CIPHER_num(clnt), (void *)clnt); + fprintf(stderr, "Client sent %d from %p:\n", sk_SSL_CIPHER_num(clnt), (void *)clnt); for(i=0 ; i < sk_SSL_CIPHER_num(clnt) ; ++i) { c=sk_SSL_CIPHER_value(clnt,i); - printf("%p:%s\n",(void *)c,c->name); + fprintf(stderr, "%p:%s\n",(void *)c,c->name); } #endif @@ -4161,12 +4499,17 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, emask_k = cert->export_mask_k; emask_a = cert->export_mask_a; #ifndef OPENSSL_NO_SRP - mask_k=cert->mask_k | s->srp_ctx.srp_Mask; - emask_k=cert->export_mask_k | s->srp_ctx.srp_Mask; + if (s->srp_ctx.srp_Mask & SSL_kSRP) + { + mask_k |= SSL_kSRP; + emask_k |= SSL_kSRP; + mask_a |= SSL_aSRP; + emask_a |= SSL_aSRP; + } #endif #ifdef KSSL_DEBUG -/* printf("ssl3_choose_cipher %d alg= %lx\n", i,c->algorithms);*/ +/* fprintf(stderr,"ssl3_choose_cipher %d alg= %lx\n", i,c->algorithms);*/ #endif /* KSSL_DEBUG */ alg_k=c->algorithm_mkey; @@ -4189,7 +4532,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, { ok = (alg_k & emask_k) && (alg_a & emask_a); #ifdef CIPHER_DEBUG - printf("%d:[%08lX:%08lX:%08lX:%08lX]%p:%s (export)\n",ok,alg_k,alg_a,emask_k,emask_a, + fprintf(stderr, "%d:[%08lX:%08lX:%08lX:%08lX]%p:%s (export)\n",ok,alg_k,alg_a,emask_k,emask_a, (void *)c,c->name); #endif } @@ -4197,17 +4540,19 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, { ok = (alg_k & mask_k) && (alg_a & mask_a); #ifdef CIPHER_DEBUG - printf("%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n",ok,alg_k,alg_a,mask_k,mask_a,(void *)c, + fprintf(stderr, "%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n",ok,alg_k,alg_a,mask_k,mask_a,(void *)c, c->name); #endif } #ifndef OPENSSL_NO_TLSEXT #ifndef OPENSSL_NO_EC +#ifndef OPENSSL_NO_ECDH /* if we are considering an ECC cipher suite that uses * an ephemeral EC key check it */ if (alg_k & SSL_kECDHE) ok = ok && tls1_check_ec_tmp_key(s, c->id); +#endif /* OPENSSL_NO_ECDH */ #endif /* OPENSSL_NO_EC */ #endif /* OPENSSL_NO_TLSEXT */ @@ -4530,4 +4875,3 @@ long ssl_get_algorithm2(SSL *s) return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256; return alg2; } -