X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fssl_ciph.c;h=3c005f7e1a6707bec379c2f3d3ea25a8f7811959;hp=64764342af2ee80301949ee8f6583d94b3de91ae;hb=8cb30232ed9c5c0f99b8858eb3b0c85978f8aa36;hpb=5a21cadbeb9fa13ddeffb31b5749336cdd8c4081 diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index 64764342af..3c005f7e1a 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -203,7 +203,7 @@ static int ssl_mac_secret_size[SSL_MD_NUM_IDX]={ 0,0,0,0,0,0 }; -static int ssl_handshake_digest_flag[SSL_MD_NUM_IDX]={ +static const int ssl_handshake_digest_flag[SSL_MD_NUM_IDX]={ SSL_HANDSHAKE_MAC_MD5,SSL_HANDSHAKE_MAC_SHA, SSL_HANDSHAKE_MAC_GOST94, 0, SSL_HANDSHAKE_MAC_SHA256, SSL_HANDSHAKE_MAC_SHA384 @@ -272,6 +272,7 @@ static const SSL_CIPHER cipher_aliases[]={ {0,SSL_TXT_aGOST94,0,0,SSL_aGOST94,0,0,0,0,0,0,0}, {0,SSL_TXT_aGOST01,0,0,SSL_aGOST01,0,0,0,0,0,0,0}, {0,SSL_TXT_aGOST,0,0,SSL_aGOST94|SSL_aGOST01,0,0,0,0,0,0,0}, + {0,SSL_TXT_aSRP,0, 0,SSL_aSRP, 0,0,0,0,0,0,0}, /* aliases combining key exchange and server authentication */ {0,SSL_TXT_EDH,0, SSL_kDHE,~SSL_aNULL,0,0,0,0,0,0,0}, @@ -330,6 +331,21 @@ static const SSL_CIPHER cipher_aliases[]={ {0,SSL_TXT_HIGH,0, 0,0,0,0,0,SSL_HIGH, 0,0,0}, /* FIPS 140-2 approved ciphersuite */ {0,SSL_TXT_FIPS,0, 0,0,~SSL_eNULL,0,0,SSL_FIPS, 0,0,0}, + + /* "EDH-" aliases to "DHE-" labels (for backward compatibility) */ + {0,SSL3_TXT_EDH_DSS_DES_40_CBC_SHA,0, + SSL_kDHE,SSL_aDSS,SSL_DES,SSL_SHA1,SSL_SSLV3,SSL_EXPORT|SSL_EXP40,0,0,0,}, + {0,SSL3_TXT_EDH_DSS_DES_64_CBC_SHA,0, + SSL_kDHE,SSL_aDSS,SSL_DES,SSL_SHA1,SSL_SSLV3,SSL_NOT_EXP|SSL_LOW,0,0,0,}, + {0,SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA,0, + SSL_kDHE,SSL_aDSS,SSL_3DES,SSL_SHA1,SSL_SSLV3,SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,0,0,0,}, + {0,SSL3_TXT_EDH_RSA_DES_40_CBC_SHA,0, + SSL_kDHE,SSL_aRSA,SSL_DES,SSL_SHA1,SSL_SSLV3,SSL_EXPORT|SSL_EXP40,0,0,0,}, + {0,SSL3_TXT_EDH_RSA_DES_64_CBC_SHA,0, + SSL_kDHE,SSL_aRSA,SSL_DES,SSL_SHA1,SSL_SSLV3,SSL_NOT_EXP|SSL_LOW,0,0,0,}, + {0,SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA,0, + SSL_kDHE,SSL_aRSA,SSL_3DES,SSL_SHA1,SSL_SSLV3,SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,0,0,0,}, + }; /* Search for public key algorithm with given name and * return its pkey_id if it is available. Otherwise return 0 @@ -566,7 +582,7 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, break; } - if ((i < 0) || (i > SSL_ENC_NUM_IDX)) + if ((i < 0) || (i >= SSL_ENC_NUM_IDX)) *enc=NULL; else { @@ -600,7 +616,7 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, i= -1; break; } - if ((i < 0) || (i > SSL_MD_NUM_IDX)) + if ((i < 0) || (i >= SSL_MD_NUM_IDX)) { *md=NULL; if (mac_pkey_type!=NULL) *mac_pkey_type = NID_undef; @@ -938,7 +954,7 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id, int rule, int strength_bits, CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) { - CIPHER_ORDER *head, *tail, *curr, *curr2, *last; + CIPHER_ORDER *head, *tail, *curr, *next, *last; const SSL_CIPHER *cp; int reverse = 0; @@ -955,21 +971,25 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id, if (reverse) { - curr = tail; + next = tail; last = head; } else { - curr = head; + next = head; last = tail; } - curr2 = curr; + curr = NULL; for (;;) { - if ((curr == NULL) || (curr == last)) break; - curr = curr2; - curr2 = reverse ? curr->prev : curr->next; + if (curr == last) break; + + curr = next; + + if (curr == NULL) break; + + next = reverse ? curr->prev : curr->next; cp = curr->cipher; @@ -1118,7 +1138,7 @@ static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p, static int ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p, - const SSL_CIPHER **ca_list) + const SSL_CIPHER **ca_list, CERT *c) { unsigned long alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, algo_strength; const char *l, *buf; @@ -1167,9 +1187,11 @@ static int ssl_cipher_process_rulestr(const char *rule_str, while ( ((ch >= 'A') && (ch <= 'Z')) || ((ch >= '0') && (ch <= '9')) || ((ch >= 'a') && (ch <= 'z')) || - (ch == '-') || (ch == '.')) + (ch == '-') || (ch == '.') || + (ch == '=')) #else - while ( isalnum(ch) || (ch == '-') || (ch == '.')) + while ( isalnum(ch) || (ch == '-') || (ch == '.') || + (ch == '=')) #endif { ch = *(++l); @@ -1335,6 +1357,20 @@ static int ssl_cipher_process_rulestr(const char *rule_str, if ((buflen == 8) && !strncmp(buf, "STRENGTH", 8)) ok = ssl_cipher_strength_sort(head_p, tail_p); + else if (buflen == 10 && !strncmp(buf, "SECLEVEL=", 9)) + { + int level = buf[9] - '0'; + if (level < 0 || level > 5) + { + SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, + SSL_R_INVALID_COMMAND); + } + else + { + c->sec_level = level; + ok = 1; + } + } else SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, SSL_R_INVALID_COMMAND); @@ -1426,7 +1462,6 @@ static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c, } #endif - STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK_OF(SSL_CIPHER) **cipher_list, STACK_OF(SSL_CIPHER) **cipher_list_by_id, @@ -1548,14 +1583,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, if (strncmp(rule_str,"DEFAULT",7) == 0) { ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST, - &head, &tail, ca_list); + &head, &tail, ca_list, c); rule_p += 7; if (*rule_p == ':') rule_p++; } if (ok && (strlen(rule_p) > 0)) - ok = ssl_cipher_process_rulestr(rule_p, &head, &tail, ca_list); + ok = ssl_cipher_process_rulestr(rule_p, &head, &tail, ca_list, c); OPENSSL_free((void *)ca_list); /* Not needed anymore */ @@ -1679,6 +1714,9 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) case SSL_kSRP: kx="SRP"; break; + case SSL_kGOST: + kx="GOST"; + break; default: kx="unknown"; } @@ -1709,6 +1747,15 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) case SSL_aPSK: au="PSK"; break; + case SSL_aSRP: + au="SRP"; + break; + case SSL_aGOST94: + au="GOST94"; + break; + case SSL_aGOST01: + au="GOST01"; + break; default: au="unknown"; break; @@ -1756,6 +1803,9 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) case SSL_SEED: enc="SEED(128)"; break; + case SSL_eGOST2814789CNT: + enc="GOST89(256)"; + break; default: enc="unknown"; break; @@ -1778,6 +1828,12 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) case SSL_AEAD: mac="AEAD"; break; + case SSL_GOST89MAC: + mac="GOST89"; + break; + case SSL_GOST94: + mac="GOST94"; + break; default: mac="unknown"; break; @@ -1877,6 +1933,25 @@ STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void) return(ssl_comp_methods); } +STACK_OF(SSL_COMP) *SSL_COMP_set0_compression_methods(STACK_OF(SSL_COMP) *meths) + { + STACK_OF(SSL_COMP) *old_meths = ssl_comp_methods; + ssl_comp_methods = meths; + return old_meths; + } + +static void cmeth_free(SSL_COMP *cm) + { + OPENSSL_free(cm); + } + +void SSL_COMP_free_compression_methods(void) + { + STACK_OF(SSL_COMP) *old_meths = ssl_comp_methods; + ssl_comp_methods = NULL; + sk_SSL_COMP_pop_free(old_meths, cmeth_free); + } + int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm) { SSL_COMP *comp;