X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fssl_ciph.c;h=1599d7971ca496a4e4a4c3f99708f2c12195f732;hp=1927969a76decc56c722fb3b05f7285bcc7b1c01;hb=1939187922a8240b3dd18c455da3636ac754983d;hpb=b45e874d7c4a8fdac7ec10cff43f21d02e75d511

diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 1927969a76..1599d7971c 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -203,7 +203,7 @@ static int ssl_mac_secret_size[SSL_MD_NUM_IDX]={
 	0,0,0,0,0,0
 	};
 
-static int ssl_handshake_digest_flag[SSL_MD_NUM_IDX]={
+static const int ssl_handshake_digest_flag[SSL_MD_NUM_IDX]={
 	SSL_HANDSHAKE_MAC_MD5,SSL_HANDSHAKE_MAC_SHA,
 	SSL_HANDSHAKE_MAC_GOST94, 0, SSL_HANDSHAKE_MAC_SHA256,
 	SSL_HANDSHAKE_MAC_SHA384
@@ -272,6 +272,7 @@ static const SSL_CIPHER cipher_aliases[]={
 	{0,SSL_TXT_aGOST94,0,0,SSL_aGOST94,0,0,0,0,0,0,0},
 	{0,SSL_TXT_aGOST01,0,0,SSL_aGOST01,0,0,0,0,0,0,0},
 	{0,SSL_TXT_aGOST,0,0,SSL_aGOST94|SSL_aGOST01,0,0,0,0,0,0,0},
+	{0,SSL_TXT_aSRP,0,    0,SSL_aSRP,  0,0,0,0,0,0,0},
 
 	/* aliases combining key exchange and server authentication */
 	{0,SSL_TXT_EDH,0,     SSL_kDHE,~SSL_aNULL,0,0,0,0,0,0,0},
@@ -313,7 +314,6 @@ static const SSL_CIPHER cipher_aliases[]={
 	{0,SSL_TXT_SHA384,0,    0,0,0,SSL_SHA384,  0,0,0,0,0},
 
 	/* protocol version aliases */
-	{0,SSL_TXT_SSLV2,0,   0,0,0,0,SSL_SSLV2, 0,0,0,0},
 	{0,SSL_TXT_SSLV3,0,   0,0,0,0,SSL_SSLV3, 0,0,0,0},
 	{0,SSL_TXT_TLSV1,0,   0,0,0,0,SSL_TLSV1, 0,0,0,0},
 	{0,SSL_TXT_TLSV1_2,0, 0,0,0,0,SSL_TLSV1_2, 0,0,0,0},
@@ -581,7 +581,7 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
 		break;
 		}
 
-	if ((i < 0) || (i > SSL_ENC_NUM_IDX))
+	if ((i < 0) || (i >= SSL_ENC_NUM_IDX))
 		*enc=NULL;
 	else
 		{
@@ -615,7 +615,7 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
 		i= -1;
 		break;
 		}
-	if ((i < 0) || (i > SSL_MD_NUM_IDX))
+	if ((i < 0) || (i >= SSL_MD_NUM_IDX))
 	{
 		*md=NULL; 
 		if (mac_pkey_type!=NULL) *mac_pkey_type = NID_undef;
@@ -643,10 +643,8 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
 		    s->ssl_version < TLS1_VERSION)
 			return 1;
 
-#ifdef OPENSSL_FIPS
 		if (FIPS_mode())
 			return 1;
-#endif
 
 		if	(c->algorithm_enc == SSL_RC4 &&
 			 c->algorithm_mac == SSL_MD5 &&
@@ -814,7 +812,7 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
 
 	/*
 	 * We have num_of_ciphers descriptions compiled in, depending on the
-	 * method selected (SSLv2 and/or SSLv3, TLSv1 etc).
+	 * method selected (SSLv3, TLSv1 etc).
 	 * These will later be sorted in a linked list with at most num
 	 * entries.
 	 */
@@ -826,9 +824,7 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
 		c = ssl_method->get_cipher(i);
 		/* drop those that use any of that is not available */
 		if ((c != NULL) && c->valid &&
-#ifdef OPENSSL_FIPS
 		    (!FIPS_mode() || (c->algo_strength & SSL_FIPS)) &&
-#endif
 		    !(c->algorithm_mkey & disabled_mkey) &&
 		    !(c->algorithm_auth & disabled_auth) &&
 		    !(c->algorithm_enc & disabled_enc) &&
@@ -953,7 +949,7 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id,
 		int rule, int strength_bits,
 		CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
 	{
-	CIPHER_ORDER *head, *tail, *curr, *curr2, *last;
+	CIPHER_ORDER *head, *tail, *curr, *next, *last;
 	const SSL_CIPHER *cp;
 	int reverse = 0;
 
@@ -970,21 +966,25 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id,
 
 	if (reverse)
 		{
-		curr = tail;
+		next = tail;
 		last = head;
 		}
 	else
 		{
-		curr = head;
+		next = head;
 		last = tail;
 		}
 
-	curr2 = curr;
+	curr = NULL;
 	for (;;)
 		{
-		if ((curr == NULL) || (curr == last)) break;
-		curr = curr2;
-		curr2 = reverse ? curr->prev : curr->next;
+		if (curr == last) break;
+
+		curr = next;
+
+		if (curr == NULL) break;
+
+		next = reverse ? curr->prev : curr->next;
 
 		cp = curr->cipher;
 
@@ -1133,7 +1133,7 @@ static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p,
 
 static int ssl_cipher_process_rulestr(const char *rule_str,
                 CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p,
-                const SSL_CIPHER **ca_list)
+                const SSL_CIPHER **ca_list, CERT *c)
 	{
 	unsigned long alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, algo_strength;
 	const char *l, *buf;
@@ -1182,9 +1182,11 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
 			while (	((ch >= 'A') && (ch <= 'Z')) ||
 				((ch >= '0') && (ch <= '9')) ||
 				((ch >= 'a') && (ch <= 'z')) ||
-				 (ch == '-') || (ch == '.'))
+				 (ch == '-') || (ch == '.')  ||
+				 (ch == '='))
 #else
-			while (	isalnum(ch) || (ch == '-') || (ch == '.'))
+			while (	isalnum(ch) || (ch == '-') || (ch == '.') ||
+				(ch == '='))
 #endif
 				 {
 				 ch = *(++l);
@@ -1350,6 +1352,20 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
 			if ((buflen == 8) &&
 				!strncmp(buf, "STRENGTH", 8))
 				ok = ssl_cipher_strength_sort(head_p, tail_p);
+			else if (buflen == 10 && !strncmp(buf, "SECLEVEL=", 9))
+				{
+				int level = buf[9] - '0';
+				if (level < 0 || level > 5)
+					{
+					SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
+						SSL_R_INVALID_COMMAND);
+					}
+				else
+					{
+					c->sec_level = level;
+					ok = 1;
+					}
+				}
 			else
 				SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
 					SSL_R_INVALID_COMMAND);
@@ -1441,7 +1457,6 @@ static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c,
 	}
 #endif
 
-
 STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
 		STACK_OF(SSL_CIPHER) **cipher_list,
 		STACK_OF(SSL_CIPHER) **cipher_list_by_id,
@@ -1563,14 +1578,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
 	if (strncmp(rule_str,"DEFAULT",7) == 0)
 		{
 		ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST,
-			&head, &tail, ca_list);
+			&head, &tail, ca_list, c);
 		rule_p += 7;
 		if (*rule_p == ':')
 			rule_p++;
 		}
 
 	if (ok && (strlen(rule_p) > 0))
-		ok = ssl_cipher_process_rulestr(rule_p, &head, &tail, ca_list);
+		ok = ssl_cipher_process_rulestr(rule_p, &head, &tail, ca_list, c);
 
 	OPENSSL_free((void *)ca_list);	/* Not needed anymore */
 
@@ -1596,13 +1611,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
 	 */
 	for (curr = head; curr != NULL; curr = curr->next)
 		{
-#ifdef OPENSSL_FIPS
 		if (curr->active && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS))
-#else
-		if (curr->active)
-#endif
 			{
-			sk_SSL_CIPHER_push(cipherstack, curr->cipher);
+			if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher))
+				{
+				OPENSSL_free(co_list);
+				sk_SSL_CIPHER_free(cipherstack);
+				return NULL;
+				}
 #ifdef CIPHER_DEBUG
 			printf("<%s>\n",curr->cipher->name);
 #endif
@@ -1633,7 +1649,7 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
 	int is_export,pkl,kl;
 	const char *ver,*exp_str;
 	const char *kx,*au,*enc,*mac;
-	unsigned long alg_mkey,alg_auth,alg_enc,alg_mac,alg_ssl,alg2;
+	unsigned long alg_mkey,alg_auth,alg_enc,alg_mac,alg_ssl;
 #ifdef KSSL_DEBUG
 	static const char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s AL=%lx/%lx/%lx/%lx/%lx\n";
 #else
@@ -1646,16 +1662,12 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
 	alg_mac = cipher->algorithm_mac;
 	alg_ssl = cipher->algorithm_ssl;
 
-	alg2=cipher->algorithm2;
-
 	is_export=SSL_C_IS_EXPORT(cipher);
 	pkl=SSL_C_EXPORT_PKEYLENGTH(cipher);
 	kl=SSL_C_EXPORT_KEYLENGTH(cipher);
 	exp_str=is_export?" export":"";
 	
-	if (alg_ssl & SSL_SSLV2)
-		ver="SSLv2";
-	else if (alg_ssl & SSL_SSLV3)
+	if (alg_ssl & SSL_SSLV3)
 		ver="SSLv3";
 	else if (alg_ssl & SSL_TLSV1_2)
 		ver="TLSv1.2";
@@ -1694,6 +1706,9 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
 	case SSL_kSRP:
 		kx="SRP";
 		break;
+	case SSL_kGOST:
+		kx="GOST";
+		break;
 	default:
 		kx="unknown";
 		}
@@ -1724,6 +1739,15 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
 	case SSL_aPSK:
 		au="PSK";
 		break;
+	case SSL_aSRP:
+		au="SRP";
+		break;
+	case SSL_aGOST94:
+		au="GOST94";
+		break;
+	case SSL_aGOST01:
+		au="GOST01";
+		break;
 	default:
 		au="unknown";
 		break;
@@ -1738,8 +1762,7 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
 		enc="3DES(168)";
 		break;
 	case SSL_RC4:
-		enc=is_export?(kl == 5 ? "RC4(40)" : "RC4(56)")
-		  :((alg2&SSL2_CF_8_BYTE_ENC)?"RC4(64)":"RC4(128)");
+		enc=is_export?(kl == 5 ? "RC4(40)" : "RC4(56)"):"RC4(128)";
 		break;
 	case SSL_RC2:
 		enc=is_export?(kl == 5 ? "RC2(40)" : "RC2(56)"):"RC2(128)";
@@ -1771,6 +1794,9 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
 	case SSL_SEED:
 		enc="SEED(128)";
 		break;
+	case SSL_eGOST2814789CNT:
+		enc="GOST89(256)";
+		break;
 	default:
 		enc="unknown";
 		break;
@@ -1793,6 +1819,12 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
 	case SSL_AEAD:
 		mac="AEAD";
 		break;
+	case SSL_GOST89MAC:
+		mac="GOST89";
+		break;
+	case SSL_GOST94:
+		mac="GOST94";
+		break;
 	default:
 		mac="unknown";
 		break;
@@ -1823,8 +1855,6 @@ char *SSL_CIPHER_get_version(const SSL_CIPHER *c)
 	i=(int)(c->id>>24L);
 	if (i == 3)
 		return("TLSv1/SSLv3");
-	else if (i == 2)
-		return("SSLv2");
 	else
 		return("unknown");
 	}
@@ -1899,6 +1929,18 @@ STACK_OF(SSL_COMP) *SSL_COMP_set0_compression_methods(STACK_OF(SSL_COMP) *meths)
 	return old_meths;
 	}
 
+static void cmeth_free(SSL_COMP *cm)
+	{
+	OPENSSL_free(cm);
+	}
+
+void SSL_COMP_free_compression_methods(void)
+	{
+	STACK_OF(SSL_COMP) *old_meths = ssl_comp_methods;
+	ssl_comp_methods = NULL;
+	sk_SSL_COMP_pop_free(old_meths, cmeth_free);
+	}
+
 int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm)
 	{
 	SSL_COMP *comp;