Reorganize the data used for SSL ciphersuite pattern matching.
authorBodo Möller <bodo@openssl.org>
Sat, 17 Feb 2007 06:45:38 +0000 (06:45 +0000)
committerBodo Möller <bodo@openssl.org>
Sat, 17 Feb 2007 06:45:38 +0000 (06:45 +0000)
This change resolves a number of problems and obviates multiple kludges.
A new feature is that you can now say "AES256" or "AES128" (not just
"AES", which enables both).

In some cases the ciphersuite list generated from a given string is
affected by this change.  I hope this is just in those cases where the
previous behaviour did not make sense.

18 files changed:
CHANGES
LICENSE
README
crypto/opensslv.h
ssl/d1_clnt.c
ssl/d1_srvr.c
ssl/s2_lib.c
ssl/s3_clnt.c
ssl/s3_enc.c
ssl/s3_lib.c
ssl/s3_srvr.c
ssl/ssl.h
ssl/ssl_cert.c
ssl/ssl_ciph.c
ssl/ssl_lib.c
ssl/ssl_locl.h
ssl/t1_enc.c
ssl/t1_lib.c

diff --git a/CHANGES b/CHANGES
index ec1cf22..80db3ae 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,28 @@
 
  Changes between 0.9.8e and 0.9.9  [xx XXX xxxx]
 
+  *) Split the SSL/TLS algorithm mask (as used for ciphersuite string
+     processing) into multiple integers instead of setting
+     "SSL_MKEY_MASK" bits, "SSL_AUTH_MASK" bits, "SSL_ENC_MASK",
+     "SSL_MAC_MASK", and "SSL_SSL_MASK" bits all in a single integer.
+     (These masks as well as the individual bit definitions are hidden
+     away into the non-exported interface ssl/ssl_locl.h, so this
+     change to the definition of the SSL_CIPHER structure shouldn't
+     affect applications.)  This give us more bits for each of these
+     categories, so there is no longer a need to coagulate AES128 and
+     AES256 into a single algorithm bit, and to coagulate Camellia128
+     and Camellia256 into a single algorithm bit, which has led to all
+     kinds of kludges.
+
+     Thus, among other things, the kludge introduced in 0.9.7m and
+     0.9.8e for masking out AES256 independently of AES128 or masking
+     out Camellia256 independently of AES256 is not needed here in 0.9.9.
+
+     With the change, we also introduce new ciphersuite aliases that
+     so far were missing: "AES128", "AES256", "CAMELLIA128", and
+     "CAMELLIA256".
+     [Bodo Moeller]
+
   *) Add support for dsa-with-SHA224 and dsa-with-SHA256.
      Use the leftmost N bytes of the signature input if the input is
      larger than the prime q (with N being the size in bytes of q).
 
  Changes between 0.9.8d and 0.9.8e  [XX xxx XXXX]
 
+  *) Since AES128 and AES256 (and similarly Camellia128 and
+     Camellia256) share a single mask bit in the logic of
+     ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a
+     kludge to work properly if AES128 is available and AES256 isn't
+     (or if Camellia128 is available and Camellia256 isn't).
+     [Victor Duchovni]
+
   *) Fix the BIT STRING encoding generated by crypto/ec/ec_asn1.c
      (within i2d_ECPrivateKey, i2d_ECPKParameters, i2d_ECParameters):
      When a point or a seed is encoded in a BIT STRING, we need to
 
  Changes between 0.9.7l and 0.9.7m  [xx XXX xxxx]
 
+  *) Since AES128 and AES256 share a single mask bit in the logic of
+     ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a
+     kludge to work properly if AES128 is available and AES256 isn't.
+     [Victor Duchovni]
+
   *) Have SSL/TLS server implementation tolerate "mismatched" record
      protocol version while receiving ClientHello even if the
      ClientHello is fragmented.  (The server can't insist on the
diff --git a/LICENSE b/LICENSE
index c21f132..ff99d97 100644 (file)
--- a/LICENSE
+++ b/LICENSE
@@ -12,7 +12,7 @@
   ---------------
 
 /* ====================================================================
- * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
diff --git a/README b/README
index 092ab7d..d9a7fce 100644 (file)
--- a/README
+++ b/README
@@ -1,7 +1,7 @@
 
  OpenSSL 0.9.9-dev XX xxx XXXX
 
- Copyright (c) 1998-2005 The OpenSSL Project
+ Copyright (c) 1998-2007 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
  All rights reserved.
 
index dc3a89a..3d665b8 100644 (file)
@@ -83,7 +83,7 @@
  * should only keep the versions that are binary compatible with the current.
  */
 #define SHLIB_VERSION_HISTORY ""
-#define SHLIB_VERSION_NUMBER "0.9.8"
+#define SHLIB_VERSION_NUMBER "0.9.9"
 
 
 #endif /* HEADER_OPENSSLV_H */
index 2dd9da2..0f3dd70 100644 (file)
@@ -4,7 +4,7 @@
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.  
  */
 /* ====================================================================
- * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2007 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -274,7 +274,7 @@ int dtls1_connect(SSL *s)
                case SSL3_ST_CR_CERT_A:
                case SSL3_ST_CR_CERT_B:
                        /* Check if it is anon DH */
-                       if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
+                       if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL))
                                {
                                ret=ssl3_get_server_certificate(s);
                                if (ret <= 0) goto end;
@@ -335,7 +335,6 @@ int dtls1_connect(SSL *s)
                case SSL3_ST_CW_KEY_EXCH_B:
                        ret=dtls1_send_client_key_exchange(s);
                        if (ret <= 0) goto end;
-                       l=s->s3->tmp.new_cipher->algorithms;
                        /* EAY EAY EAY need to check for DH fix cert
                         * sent back */
                        /* For TLS, cert_req is set to 2, so a cert chain
@@ -684,7 +683,7 @@ int dtls1_send_client_key_exchange(SSL *s)
        {
        unsigned char *p,*d;
        int n;
-       unsigned long l;
+       unsigned long alg_k;
 #ifndef OPENSSL_NO_RSA
        unsigned char *q;
        EVP_PKEY *pkey=NULL;
@@ -697,13 +696,13 @@ int dtls1_send_client_key_exchange(SSL *s)
                {
                d=(unsigned char *)s->init_buf->data;
                p= &(d[DTLS1_HM_HEADER_LENGTH]);
-
-               l=s->s3->tmp.new_cipher->algorithms;
+               
+               alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
 
                 /* Fool emacs indentation */
                 if (0) {}
 #ifndef OPENSSL_NO_RSA
-               else if (l & SSL_kRSA)
+               else if (alg_k & SSL_kRSA)
                        {
                        RSA *rsa;
                        unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
@@ -762,7 +761,7 @@ int dtls1_send_client_key_exchange(SSL *s)
                        }
 #endif
 #ifndef OPENSSL_NO_KRB5
-               else if (l & SSL_kKRB5)
+               else if (alg_k & SSL_kKRB5)
                         {
                         krb5_error_code        krb5rc;
                         KSSL_CTX       *kssl_ctx = s->kssl_ctx;
@@ -781,7 +780,7 @@ int dtls1_send_client_key_exchange(SSL *s)
 
 #ifdef KSSL_DEBUG
                         printf("ssl3_send_client_key_exchange(%lx & %lx)\n",
-                                l, SSL_kKRB5);
+                                alg_k, SSL_kKRB5);
 #endif /* KSSL_DEBUG */
 
                        authp = NULL;
@@ -894,7 +893,7 @@ int dtls1_send_client_key_exchange(SSL *s)
                         }
 #endif
 #ifndef OPENSSL_NO_DH
-               else if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
+               else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
                        {
                        DH *dh_srvr,*dh_clnt;
 
index 67baf80..450524a 100644 (file)
@@ -4,7 +4,7 @@
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.  
  */
 /* ====================================================================
- * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2007 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -148,6 +148,7 @@ int dtls1_accept(SSL *s)
        unsigned long l,Time=(unsigned long)time(NULL);
        void (*cb)(const SSL *ssl,int type,int val)=NULL;
        long num1;
+       unsigned long alg_k;
        int ret= -1;
        int new_state,state,skip=0;
 
@@ -237,11 +238,11 @@ int dtls1_accept(SSL *s)
                                s->state=SSL3_ST_SW_HELLO_REQ_A;
                                }
 
-            if ( (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE))
-                s->d1->send_cookie = 1;
-            else
-                s->d1->send_cookie = 0;
-
+                       if ( (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE))
+                               s->d1->send_cookie = 1;
+                       else
+                               s->d1->send_cookie = 0;
+                       
                        break;
 
                case SSL3_ST_SW_HELLO_REQ_A:
@@ -270,7 +271,7 @@ int dtls1_accept(SSL *s)
                        if (ret <= 0) goto end;
                        s->new_session = 2;
 
-                       if ( s->d1->send_cookie)
+                       if (s->d1->send_cookie)
                                s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A;
                        else
                                s->state = SSL3_ST_SW_SRVR_HELLO_A;
@@ -303,7 +304,7 @@ int dtls1_accept(SSL *s)
                case SSL3_ST_SW_CERT_A:
                case SSL3_ST_SW_CERT_B:
                        /* Check if it is anon DH */
-                       if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
+                       if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL))
                                {
                                ret=dtls1_send_server_certificate(s);
                                if (ret <= 0) goto end;
@@ -316,13 +317,13 @@ int dtls1_accept(SSL *s)
 
                case SSL3_ST_SW_KEY_EXCH_A:
                case SSL3_ST_SW_KEY_EXCH_B:
-                       l=s->s3->tmp.new_cipher->algorithms;
+                       alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
 
                        /* clear this, it may get reset by
                         * send_server_key_exchange */
                        if ((s->options & SSL_OP_EPHEMERAL_RSA)
 #ifndef OPENSSL_NO_KRB5
-                               && !(l & SSL_KRB5)
+                               && !(alg_k & SSL_kKRB5)
 #endif /* OPENSSL_NO_KRB5 */
                                )
                                /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
@@ -336,8 +337,8 @@ int dtls1_accept(SSL *s)
                        /* only send if a DH key exchange or
                         * RSA but we have a sign only certificate */
                        if (s->s3->tmp.use_rsa_tmp
-                           || (l & SSL_DH)
-                           || ((l & SSL_kRSA)
+                           || (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
+                           || ((alg_k & SSL_kRSA)
                                && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
                                    || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)
                                        && EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)
@@ -367,12 +368,12 @@ int dtls1_accept(SSL *s)
                                /* never request cert in anonymous ciphersuites
                                 * (see section "Certificate request" in SSL 3 drafts
                                 * and in RFC 2246): */
-                               ((s->s3->tmp.new_cipher->algorithms & SSL_aNULL) &&
+                               ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
                                 /* ... except when the application insists on verification
                                  * (against the specs, but s3_clnt.c accepts this for SSL 3) */
                                 !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
-                                 /* never request cert in Kerberos ciphersuites */
-                                (s->s3->tmp.new_cipher->algorithms & SSL_aKRB5))
+                                /* never request cert in Kerberos ciphersuites */
+                               (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5))
                                {
                                /* no cert request */
                                skip=1;
@@ -625,15 +626,15 @@ int dtls1_send_hello_verify_request(SSL *s)
                *(p++) = s->version & 0xFF;
 
                *(p++) = (unsigned char) s->d1->cookie_len;
-        if ( s->ctx->app_gen_cookie_cb != NULL &&
-            s->ctx->app_gen_cookie_cb(s, s->d1->cookie, 
-                &(s->d1->cookie_len)) == 0)
-            {
-                       SSLerr(SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST,ERR_R_INTERNAL_ERROR);
-            return 0;
-            }
-        /* else the cookie is assumed to have 
-         * been initialized by the application */
+       if (s->ctx->app_gen_cookie_cb != NULL &&
+           s->ctx->app_gen_cookie_cb(s, s->d1->cookie, 
+               &(s->d1->cookie_len)) == 0)
+               {
+               SSLerr(SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST,ERR_R_INTERNAL_ERROR);
+               return 0;
+               }
+       /* else the cookie is assumed to have 
+        * been initialized by the application */
 
                memcpy(p, s->d1->cookie, s->d1->cookie_len);
                p += s->d1->cookie_len;
@@ -784,7 +785,7 @@ int dtls1_send_server_key_exchange(SSL *s)
        EVP_MD_CTX_init(&md_ctx);
        if (s->state == SSL3_ST_SW_KEY_EXCH_A)
                {
-               type=s->s3->tmp.new_cipher->algorithms & SSL_MKEY_MASK;
+               type=s->s3->tmp.new_cipher->algorithm_mkey;
                cert=s->cert;
 
                buf=s->init_buf;
@@ -889,7 +890,7 @@ int dtls1_send_server_key_exchange(SSL *s)
                        n+=2+nr[i];
                        }
 
-               if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
+               if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL))
                        {
                        if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher))
                                == NULL)
@@ -1107,14 +1108,15 @@ int dtls1_send_server_certificate(SSL *s)
        if (s->state == SSL3_ST_SW_CERT_A)
                {
                x=ssl_get_server_send_cert(s);
-               if (x == NULL &&
-                        /* VRS: allow null cert if auth == KRB5 */
-                        (s->s3->tmp.new_cipher->algorithms
-                                & (SSL_MKEY_MASK|SSL_AUTH_MASK))
-                        != (SSL_aKRB5|SSL_kKRB5))
+               if (x == NULL)
                        {
-                       SSLerr(SSL_F_DTLS1_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR);
-                       return(0);
+                       /* VRS: allow null cert if auth == KRB5 */
+                       if ((s->s3->tmp.new_cipher->algorithm_mkey != SSL_kKRB5) ||
+                           (s->s3->tmp.new_cipher->algorithm_auth != SSL_aKRB5))
+                               {
+                               SSLerr(SSL_F_DTLS1_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR);
+                               return(0);
+                               }
                        }
 
                l=dtls1_output_cert_chain(s,x);
index debaece..30ca860 100644 (file)
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
  */
+/* ====================================================================
+ * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
 
 #include "ssl_locl.h"
 #ifndef OPENSSL_NO_SSL2
@@ -69,131 +122,158 @@ const char ssl2_version_str[]="SSLv2" OPENSSL_VERSION_PTEXT;
 
 /* list of available SSLv2 ciphers (sorted by id) */
 OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[]={
-/* NULL_WITH_MD5 v3 */
 #if 0
+/* NULL_WITH_MD5 v3 */
        {
        1,
        SSL2_TXT_NULL_WITH_MD5,
        SSL2_CK_NULL_WITH_MD5,
-       SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5|SSL_SSLV2,
+       SSL_kRSA,
+       SSL_aRSA,
+       SSL_eNULL,
+       SSL_MD5,
+       SSL_SSLV2,
        SSL_EXPORT|SSL_EXP40|SSL_STRONG_NONE,
        0,
        0,
        0,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
 #endif
+
 /* RC4_128_WITH_MD5 */
        {
        1,
        SSL2_TXT_RC4_128_WITH_MD5,
        SSL2_CK_RC4_128_WITH_MD5,
-       SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_SSLV2,
+       SSL_kRSA,
+       SSL_aRSA,
+       SSL_RC4,
+       SSL_MD5,
+       SSL_SSLV2,
        SSL_NOT_EXP|SSL_MEDIUM,
        0,
        128,
        128,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
+
 /* RC4_128_EXPORT40_WITH_MD5 */
        {
        1,
        SSL2_TXT_RC4_128_EXPORT40_WITH_MD5,
        SSL2_CK_RC4_128_EXPORT40_WITH_MD5,
-       SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_SSLV2,
+       SSL_kRSA,
+       SSL_aRSA,
+       SSL_RC4,
+       SSL_MD5,
+       SSL_SSLV2,
        SSL_EXPORT|SSL_EXP40,
        SSL2_CF_5_BYTE_ENC,
        40,
        128,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
+
 /* RC2_128_CBC_WITH_MD5 */
        {
        1,
        SSL2_TXT_RC2_128_CBC_WITH_MD5,
        SSL2_CK_RC2_128_CBC_WITH_MD5,
-       SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_SSLV2,
+       SSL_kRSA,
+       SSL_aRSA,
+       SSL_RC2,
+       SSL_MD5,
+       SSL_SSLV2,
        SSL_NOT_EXP|SSL_MEDIUM,
        0,
        128,
        128,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
+
 /* RC2_128_CBC_EXPORT40_WITH_MD5 */
        {
        1,
        SSL2_TXT_RC2_128_CBC_EXPORT40_WITH_MD5,
        SSL2_CK_RC2_128_CBC_EXPORT40_WITH_MD5,
-       SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_SSLV2,
+       SSL_kRSA,
+       SSL_aRSA,
+       SSL_RC2,
+       SSL_MD5,
+       SSL_SSLV2,
        SSL_EXPORT|SSL_EXP40,
        SSL2_CF_5_BYTE_ENC,
        40,
        128,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
-/* IDEA_128_CBC_WITH_MD5 */
+
 #ifndef OPENSSL_NO_IDEA
+/* IDEA_128_CBC_WITH_MD5 */
        {
        1,
        SSL2_TXT_IDEA_128_CBC_WITH_MD5,
        SSL2_CK_IDEA_128_CBC_WITH_MD5,
-       SSL_kRSA|SSL_aRSA|SSL_IDEA|SSL_MD5|SSL_SSLV2,
+       SSL_kRSA,
+       SSL_aRSA,
+       SSL_IDEA,
+       SSL_MD5,
+       SSL_SSLV2,
        SSL_NOT_EXP|SSL_MEDIUM,
        0,
        128,
        128,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
 #endif
+
 /* DES_64_CBC_WITH_MD5 */
        {
        1,
        SSL2_TXT_DES_64_CBC_WITH_MD5,
        SSL2_CK_DES_64_CBC_WITH_MD5,
-       SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5|SSL_SSLV2,
+       SSL_kRSA,
+       SSL_aRSA,
+       SSL_DES,
+       SSL_MD5,
+       SSL_SSLV2,
        SSL_NOT_EXP|SSL_LOW,
        0,
        56,
        56,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
+
 /* DES_192_EDE3_CBC_WITH_MD5 */
        {
        1,
        SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5,
        SSL2_CK_DES_192_EDE3_CBC_WITH_MD5,
-       SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5|SSL_SSLV2,
+       SSL_kRSA,
+       SSL_aRSA,
+       SSL_3DES,
+       SSL_MD5,
+       SSL_SSLV2,
        SSL_NOT_EXP|SSL_HIGH,
        0,
        168,
        168,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
-/* RC4_64_WITH_MD5 */
+
 #if 0
+/* RC4_64_WITH_MD5 */
        {
        1,
        SSL2_TXT_RC4_64_WITH_MD5,
        SSL2_CK_RC4_64_WITH_MD5,
-       SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_SSLV2,
+       SSL_kRSA,
+       SSL_aRSA,
+       SSL_RC4,
+       SSL_MD5,
+       SSL_SSLV2,
        SSL_NOT_EXP|SSL_LOW,
        SSL2_CF_8_BYTE_ENC,
        64,
        64,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
 #endif
-/* NULL SSLeay (testing) */
+
 #if 0
+/* NULL SSLeay (testing) */
        {       
        0,
        SSL2_TXT_NULL,
@@ -203,8 +283,6 @@ OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[]={
        0,
        0,
        0,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
 #endif
 
index 4a34b44..2a19ec4 100644 (file)
@@ -56,7 +56,7 @@
  * [including the GNU Public Licence.]
  */
 /* ====================================================================
- * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -180,7 +180,7 @@ IMPLEMENT_ssl3_meth_func(SSLv3_client_method,
 int ssl3_connect(SSL *s)
        {
        BUF_MEM *buf=NULL;
-       unsigned long Time=(unsigned long)time(NULL),l;
+       unsigned long Time=(unsigned long)time(NULL);
        long num1;
        void (*cb)(const SSL *ssl,int type,int val)=NULL;
        int ret= -1;
@@ -288,8 +288,8 @@ int ssl3_connect(SSL *s)
                case SSL3_ST_CR_CERT_B:
                        /* Check if it is anon DH/ECDH */
                        /* or PSK */
-                       if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL)
-                               && !(s->s3->tmp.new_cipher->algorithms & SSL_kPSK))
+                       if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
+                           !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
                                {
                                ret=ssl3_get_server_certificate(s);
                                if (ret <= 0) goto end;
@@ -350,7 +350,6 @@ int ssl3_connect(SSL *s)
                case SSL3_ST_CW_KEY_EXCH_B:
                        ret=ssl3_send_client_key_exchange(s);
                        if (ret <= 0) goto end;
-                       l=s->s3->tmp.new_cipher->algorithms;
                        /* EAY EAY EAY need to check for DH fix cert
                         * sent back */
                        /* For TLS, cert_req is set to 2, so a cert chain
@@ -940,10 +939,10 @@ int ssl3_get_server_certificate(SSL *s)
        i=ssl_verify_cert_chain(s,sk);
        if ((s->verify_mode != SSL_VERIFY_NONE) && (!i)
 #ifndef OPENSSL_NO_KRB5
-               && (s->s3->tmp.new_cipher->algorithms & (SSL_MKEY_MASK|SSL_AUTH_MASK))
-               != (SSL_aKRB5|SSL_kKRB5)
+           && !((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) &&
+                (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5))
 #endif /* OPENSSL_NO_KRB5 */
-               )
+               )
                {
                al=ssl_verify_alarm_type(s->verify_result);
                SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED);
@@ -967,15 +966,15 @@ int ssl3_get_server_certificate(SSL *s)
        pkey=X509_get_pubkey(x);
 
        /* VRS: allow null cert if auth == KRB5 */
-       need_cert =     ((s->s3->tmp.new_cipher->algorithms
-                        & (SSL_MKEY_MASK|SSL_AUTH_MASK))
-                        == (SSL_aKRB5|SSL_kKRB5))? 0: 1;
+       need_cert = ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) &&
+                   (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5))
+                   ? 0 : 1;
 
 #ifdef KSSL_DEBUG
        printf("pkey,x = %p, %p\n", pkey,x);
        printf("ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x,pkey));
-       printf("cipher, alg, nc = %s, %lx, %d\n", s->s3->tmp.new_cipher->name,
-               s->s3->tmp.new_cipher->algorithms, need_cert);
+       printf("cipher, alg, nc = %s, %lx, %lx, %d\n", s->s3->tmp.new_cipher->name,
+               s->s3->tmp.new_cipher->algorithm_mkey, s->s3->tmp.new_cipher->algorithm_auth, need_cert);
 #endif    /* KSSL_DEBUG */
 
        if (need_cert && ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey)))
@@ -1047,7 +1046,7 @@ int ssl3_get_key_exchange(SSL *s)
        EVP_MD_CTX md_ctx;
        unsigned char *param,*p;
        int al,i,j,param_len,ok;
-       long n,alg;
+       long n,alg_k,alg_a;
        EVP_PKEY *pkey=NULL;
 #ifndef OPENSSL_NO_RSA
        RSA *rsa=NULL;
@@ -1080,7 +1079,7 @@ int ssl3_get_key_exchange(SSL *s)
                   omitted if no identity hint is sent. Set
                   session->sess_cert anyway to avoid problems
                   later.*/
-                if (s->s3->tmp.new_cipher->algorithms & SSL_kPSK)
+               if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)
                        {
                        s->session->sess_cert=ssl_sess_cert_new();
                        if (s->ctx->psk_identity_hint)
@@ -1123,12 +1122,13 @@ int ssl3_get_key_exchange(SSL *s)
                }
 
        param_len=0;
-       alg=s->s3->tmp.new_cipher->algorithms;
+       alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
+       alg_a=s->s3->tmp.new_cipher->algorithm_auth;
        EVP_MD_CTX_init(&md_ctx);
 
 #ifndef OPENSSL_NO_PSK
-       if (alg & SSL_kPSK)
-               {
+       if (alg_k & SSL_kPSK)
+               {
                char tmp_id_hint[PSK_MAX_IDENTITY_LEN+1];
 
                al=SSL_AD_HANDSHAKE_FAILURE;
@@ -1164,7 +1164,7 @@ int ssl3_get_key_exchange(SSL *s)
                        {
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
                        goto f_err;
-                       }           
+                       }          
 
                p+=i;
                n-=param_len;
@@ -1172,7 +1172,7 @@ int ssl3_get_key_exchange(SSL *s)
        else
 #endif /* !OPENSSL_NO_PSK */
 #ifndef OPENSSL_NO_RSA
-       if (alg & SSL_kRSA)
+       if (alg_k & SSL_kRSA)
                {
                if ((rsa=RSA_new()) == NULL)
                        {
@@ -1211,7 +1211,7 @@ int ssl3_get_key_exchange(SSL *s)
                n-=param_len;
 
                /* this should be because we are using an export cipher */
-               if (alg & SSL_aRSA)
+               if (alg_a & SSL_aRSA)
                        pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
                else
                        {
@@ -1226,7 +1226,7 @@ int ssl3_get_key_exchange(SSL *s)
                ;
 #endif
 #ifndef OPENSSL_NO_DH
-       else if (alg & SSL_kEDH)
+       else if (alg_k & SSL_kEDH)
                {
                if ((dh=DH_new()) == NULL)
                        {
@@ -1280,14 +1280,14 @@ int ssl3_get_key_exchange(SSL *s)
                n-=param_len;
 
 #ifndef OPENSSL_NO_RSA
-               if (alg & SSL_aRSA)
+               if (alg_a & SSL_aRSA)
                        pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
 #else
                if (0)
                        ;
 #endif
 #ifndef OPENSSL_NO_DSA
-               else if (alg & SSL_aDSS)
+               else if (alg_a & SSL_aDSS)
                        pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509);
 #endif
                /* else anonymous DH, so no certificate or pkey. */
@@ -1295,7 +1295,7 @@ int ssl3_get_key_exchange(SSL *s)
                s->session->sess_cert->peer_dh_tmp=dh;
                dh=NULL;
                }
-       else if ((alg & SSL_kDHr) || (alg & SSL_kDHd))
+       else if ((alg_k & SSL_kDHr) || (alg_k & SSL_kDHd))
                {
                al=SSL_AD_ILLEGAL_PARAMETER;
                SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER);
@@ -1304,7 +1304,7 @@ int ssl3_get_key_exchange(SSL *s)
 #endif /* !OPENSSL_NO_DH */
 
 #ifndef OPENSSL_NO_ECDH
-       else if (alg & SSL_kEECDH)
+       else if (alg_k & SSL_kEECDH)
                {
                EC_GROUP *ngroup;
                const EC_GROUP *group;
@@ -1388,11 +1388,11 @@ int ssl3_get_key_exchange(SSL *s)
                 */
                if (0) ;
 #ifndef OPENSSL_NO_RSA
-               else if (alg & SSL_aRSA)
+               else if (alg_a & SSL_aRSA)
                        pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
 #endif
 #ifndef OPENSSL_NO_ECDSA
-               else if (alg & SSL_aECDSA)
+               else if (alg_a & SSL_aECDSA)
                        pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
 #endif
                /* else anonymous ECDH, so no certificate or pkey. */
@@ -1403,7 +1403,7 @@ int ssl3_get_key_exchange(SSL *s)
                EC_POINT_free(srvr_ecpoint);
                srvr_ecpoint = NULL;
                }
-       else if (alg)
+       else if (alg_k)
                {
                al=SSL_AD_UNEXPECTED_MESSAGE;
                SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
@@ -1508,7 +1508,7 @@ int ssl3_get_key_exchange(SSL *s)
                }
        else
                {
-               if (!(alg & SSL_aNULL) && !(alg & SSL_kPSK))
+               if (!(alg_a & SSL_aNULL) && !(alg_k & SSL_kPSK))
                        /* aNULL or kPSK do not need public keys */
                        {
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
@@ -1584,8 +1584,7 @@ int ssl3_get_certificate_request(SSL *s)
        /* TLS does not like anon-DH with client cert */
        if (s->version > SSL3_VERSION)
                {
-               l=s->s3->tmp.new_cipher->algorithms;
-               if (l & SSL_aNULL)
+               if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
                        {
                        ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
                        SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER);
@@ -1724,7 +1723,7 @@ int ssl3_send_client_key_exchange(SSL *s)
        {
        unsigned char *p,*d;
        int n;
-       unsigned long l;
+       unsigned long alg_k;
 #ifndef OPENSSL_NO_RSA
        unsigned char *q;
        EVP_PKEY *pkey=NULL;
@@ -1746,12 +1745,12 @@ int ssl3_send_client_key_exchange(SSL *s)
                d=(unsigned char *)s->init_buf->data;
                p= &(d[4]);
 
-               l=s->s3->tmp.new_cipher->algorithms;
+               alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
 
                /* Fool emacs indentation */
                if (0) {}
 #ifndef OPENSSL_NO_RSA
-               else if (l & SSL_kRSA)
+               else if (alg_k & SSL_kRSA)
                        {
                        RSA *rsa;
                        unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
@@ -1810,7 +1809,7 @@ int ssl3_send_client_key_exchange(SSL *s)
                        }
 #endif
 #ifndef OPENSSL_NO_KRB5
-               else if (l & SSL_kKRB5)
+               else if (alg_k & SSL_kKRB5)
                        {
                        krb5_error_code krb5rc;
                        KSSL_CTX        *kssl_ctx = s->kssl_ctx;
@@ -1829,7 +1828,7 @@ int ssl3_send_client_key_exchange(SSL *s)
 
 #ifdef KSSL_DEBUG
                        printf("ssl3_send_client_key_exchange(%lx & %lx)\n",
-                               l, SSL_kKRB5);
+                               l, SSL_kKRB5);
 #endif /* KSSL_DEBUG */
 
                        authp = NULL;
@@ -1935,7 +1934,7 @@ int ssl3_send_client_key_exchange(SSL *s)
                        n+=outl + 2;
 
                        s->session->master_key_length=
-                               s->method->ssl3_enc->generate_master_secret(s,
+                               s->method->ssl3_enc->generate_master_secret(s,
                                        s->session->master_key,
                                        tmp_buf, sizeof tmp_buf);
 
@@ -1944,7 +1943,7 @@ int ssl3_send_client_key_exchange(SSL *s)
                        }
 #endif
 #ifndef OPENSSL_NO_DH
-               else if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
+               else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
                        {
                        DH *dh_srvr,*dh_clnt;
 
@@ -2001,7 +2000,7 @@ int ssl3_send_client_key_exchange(SSL *s)
 #endif
 
 #ifndef OPENSSL_NO_ECDH 
-               else if ((l & SSL_kECDH) || (l & SSL_kEECDH))
+               else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe))
                        {
                        const EC_GROUP *srvr_group = NULL;
                        EC_KEY *tkey;
@@ -2013,7 +2012,7 @@ int ssl3_send_client_key_exchange(SSL *s)
                         * computation as part of client certificate?
                         * If so, set ecdh_clnt_cert to 1.
                         */
-                       if ((l & SSL_kECDH) && (s->cert != NULL)) 
+                       if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->cert != NULL)) 
                                {
                                /* XXX: For now, we do not support client
                                 * authentication using ECDH certificates.
@@ -2186,7 +2185,7 @@ int ssl3_send_client_key_exchange(SSL *s)
                        }
 #endif /* !OPENSSL_NO_ECDH */
 #ifndef OPENSSL_NO_PSK
-               else if (l & SSL_kPSK)
+               else if (alg_k & SSL_kPSK)
                        {
                        char identity[PSK_MAX_IDENTITY_LEN];
                        unsigned char *t = NULL;
@@ -2259,7 +2258,7 @@ int ssl3_send_client_key_exchange(SSL *s)
                        psk_err = 0;
                psk_err:
                        OPENSSL_cleanse(identity, PSK_MAX_IDENTITY_LEN);
-                       OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms));  
+                       OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms));
                        if (psk_err != 0)
                                {
                                ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
@@ -2468,7 +2467,7 @@ int ssl3_send_client_certificate(SSL *s)
 int ssl3_check_cert_and_algorithm(SSL *s)
        {
        int i,idx;
-       long algs;
+       long alg_k,alg_a;
        EVP_PKEY *pkey=NULL;
        SESS_CERT *sc;
 #ifndef OPENSSL_NO_RSA
@@ -2485,10 +2484,11 @@ int ssl3_check_cert_and_algorithm(SSL *s)
                goto err;
                }
 
-       algs=s->s3->tmp.new_cipher->algorithms;
+       alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
+       alg_a=s->s3->tmp.new_cipher->algorithm_auth;
 
        /* we don't have a certificate */
-       if (algs & (SSL_aDH|SSL_aNULL|SSL_aKRB5|SSL_kPSK))
+       if ((alg_a & (SSL_aDH|SSL_aNULL|SSL_aKRB5)) || (alg_k & SSL_kPSK))
                return(1);
 
 #ifndef OPENSSL_NO_RSA
@@ -2508,7 +2508,7 @@ int ssl3_check_cert_and_algorithm(SSL *s)
                    s->s3->tmp.new_cipher) == 0) 
                        { /* check failed */
                        SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_BAD_ECC_CERT);
-                       goto f_err;                     
+                       goto f_err;
                        }
                else 
                        {
@@ -2522,20 +2522,20 @@ int ssl3_check_cert_and_algorithm(SSL *s)
 
        
        /* Check that we have a certificate if we require one */
-       if ((algs & SSL_aRSA) && !has_bits(i,EVP_PK_RSA|EVP_PKT_SIGN))
+       if ((alg_a & SSL_aRSA) && !has_bits(i,EVP_PK_RSA|EVP_PKT_SIGN))
                {
                SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_SIGNING_CERT);
                goto f_err;
                }
 #ifndef OPENSSL_NO_DSA
-       else if ((algs & SSL_aDSS) && !has_bits(i,EVP_PK_DSA|EVP_PKT_SIGN))
+       else if ((alg_a & SSL_aDSS) && !has_bits(i,EVP_PK_DSA|EVP_PKT_SIGN))
                {
                SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DSA_SIGNING_CERT);
                goto f_err;
                }
 #endif
 #ifndef OPENSSL_NO_RSA
-       if ((algs & SSL_kRSA) &&
+       if ((alg_k & SSL_kRSA) &&
                !(has_bits(i,EVP_PK_RSA|EVP_PKT_ENC) || (rsa != NULL)))
                {
                SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_ENCRYPTING_CERT);
@@ -2543,19 +2543,19 @@ int ssl3_check_cert_and_algorithm(SSL *s)
                }
 #endif
 #ifndef OPENSSL_NO_DH
-       if ((algs & SSL_kEDH) &&
+       if ((alg_k & SSL_kEDH) &&
                !(has_bits(i,EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL)))
                {
                SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_KEY);
                goto f_err;
                }
-       else if ((algs & SSL_kDHr) && !has_bits(i,EVP_PK_DH|EVP_PKS_RSA))
+       else if ((alg_k & SSL_kDHr) && !has_bits(i,EVP_PK_DH|EVP_PKS_RSA))
                {
                SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_RSA_CERT);
                goto f_err;
                }
 #ifndef OPENSSL_NO_DSA
-       else if ((algs & SSL_kDHd) && !has_bits(i,EVP_PK_DH|EVP_PKS_DSA))
+       else if ((alg_k & SSL_kDHd) && !has_bits(i,EVP_PK_DH|EVP_PKS_DSA))
                {
                SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_DSA_CERT);
                goto f_err;
@@ -2566,7 +2566,7 @@ int ssl3_check_cert_and_algorithm(SSL *s)
        if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i,EVP_PKT_EXP))
                {
 #ifndef OPENSSL_NO_RSA
-               if (algs & SSL_kRSA)
+               if (alg_k & SSL_kRSA)
                        {
                        if (rsa == NULL
                            || RSA_size(rsa)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher))
@@ -2578,7 +2578,7 @@ int ssl3_check_cert_and_algorithm(SSL *s)
                else
 #endif
 #ifndef OPENSSL_NO_DH
-                       if (algs & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
+                       if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
                            {
                            if (dh == NULL
                                || DH_size(dh)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher))
index 1690663..8f3ba93 100644 (file)
@@ -56,7 +56,7 @@
  * [including the GNU Public Licence.]
  */
 /* ====================================================================
- * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -430,11 +430,11 @@ int ssl3_setup_key_block(SSL *s)
 
                if (s->session->cipher != NULL)
                        {
-                       if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_eNULL)
+                       if (s->session->cipher->algorithm_enc == SSL_eNULL)
                                s->s3->need_empty_fragments = 0;
                        
 #ifndef OPENSSL_NO_RC4
-                       if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4)
+                       if (s->session->cipher->algorithm_enc == SSL_RC4)
                                s->s3->need_empty_fragments = 0;
 #endif
                        }
index 4527429..37d8ce4 100644 (file)
@@ -56,7 +56,7 @@
  * [including the GNU Public Licence.]
  */
 /* ====================================================================
- * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -168,217 +168,265 @@ const char ssl3_version_str[]="SSLv3" OPENSSL_VERSION_PTEXT;
 
 /* list of available SSLv3 ciphers (sorted by id) */
 OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
+
 /* The RSA ciphers */
 /* Cipher 01 */
        {
        1,
        SSL3_TXT_RSA_NULL_MD5,
        SSL3_CK_RSA_NULL_MD5,
-       SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_MD5|SSL_SSLV3,
+       SSL_kRSA,
+       SSL_aRSA,
+       SSL_eNULL,
+       SSL_MD5,
+       SSL_SSLV3,
        SSL_NOT_EXP|SSL_STRONG_NONE,
        0,
        0,
        0,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
+
 /* Cipher 02 */
        {
        1,
        SSL3_TXT_RSA_NULL_SHA,
        SSL3_CK_RSA_NULL_SHA,
-       SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_SHA1|SSL_SSLV3,
+       SSL_kRSA,
+       SSL_aRSA,
+       SSL_eNULL,
+       SSL_SHA1,
+       SSL_SSLV3,
        SSL_NOT_EXP|SSL_STRONG_NONE,
        0,
        0,
        0,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
+
 /* Cipher 03 */
        {
        1,
        SSL3_TXT_RSA_RC4_40_MD5,
        SSL3_CK_RSA_RC4_40_MD5,
-       SSL_kRSA|SSL_aRSA|SSL_RC4  |SSL_MD5 |SSL_SSLV3,
+       SSL_kRSA,
+       SSL_aRSA,
+       SSL_RC4,
+       SSL_MD5,
+       SSL_SSLV3,
        SSL_EXPORT|SSL_EXP40,
        0,
        40,
        128,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
+
 /* Cipher 04 */
        {
        1,
        SSL3_TXT_RSA_RC4_128_MD5,
        SSL3_CK_RSA_RC4_128_MD5,
-       SSL_kRSA|SSL_aRSA|SSL_RC4  |SSL_MD5|SSL_SSLV3,
+       SSL_kRSA,
+       SSL_aRSA,
+       SSL_RC4,
+       SSL_MD5,
+       SSL_SSLV3,
        SSL_NOT_EXP|SSL_MEDIUM,
        0,
        128,
        128,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
+
 /* Cipher 05 */
        {
        1,
        SSL3_TXT_RSA_RC4_128_SHA,
        SSL3_CK_RSA_RC4_128_SHA,
-       SSL_kRSA|SSL_aRSA|SSL_RC4  |SSL_SHA1|SSL_SSLV3,
+       SSL_kRSA,
+       SSL_aRSA,
+       SSL_RC4,
+       SSL_SHA1,
+       SSL_SSLV3,
        SSL_NOT_EXP|SSL_MEDIUM,
        0,
        128,
        128,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
+
 /* Cipher 06 */
        {
        1,
        SSL3_TXT_RSA_RC2_40_MD5,
        SSL3_CK_RSA_RC2_40_MD5,
-       SSL_kRSA|SSL_aRSA|SSL_RC2  |SSL_MD5 |SSL_SSLV3,
+       SSL_kRSA,
+       SSL_aRSA,
+       SSL_RC2,
+       SSL_MD5,
+       SSL_SSLV3,
        SSL_EXPORT|SSL_EXP40,
        0,
        40,
        128,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
+
 /* Cipher 07 */
 #ifndef OPENSSL_NO_IDEA
        {
        1,
        SSL3_TXT_RSA_IDEA_128_SHA,
        SSL3_CK_RSA_IDEA_128_SHA,
-       SSL_kRSA|SSL_aRSA|SSL_IDEA |SSL_SHA1|SSL_SSLV3,
+       SSL_kRSA,
+       SSL_aRSA,
+       SSL_IDEA,
+       SSL_SHA1,
+       SSL_SSLV3,
        SSL_NOT_EXP|SSL_MEDIUM,
        0,
        128,
        128,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
 #endif
+
 /* Cipher 08 */
        {
        1,
        SSL3_TXT_RSA_DES_40_CBC_SHA,
        SSL3_CK_RSA_DES_40_CBC_SHA,
-       SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_SSLV3,
+       SSL_kRSA,
+       SSL_aRSA,
+       SSL_DES,
+       SSL_SHA1,
+       SSL_SSLV3,
        SSL_EXPORT|SSL_EXP40,
        0,
        40,
        56,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
+
 /* Cipher 09 */
        {
        1,
        SSL3_TXT_RSA_DES_64_CBC_SHA,
        SSL3_CK_RSA_DES_64_CBC_SHA,
-       SSL_kRSA|SSL_aRSA|SSL_DES  |SSL_SHA1|SSL_SSLV3,
+       SSL_kRSA,
+       SSL_aRSA,
+       SSL_DES,
+       SSL_SHA1,
+       SSL_SSLV3,
        SSL_NOT_EXP|SSL_LOW,
        0,
        56,
        56,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
+
 /* Cipher 0A */
        {
        1,
        SSL3_TXT_RSA_DES_192_CBC3_SHA,
        SSL3_CK_RSA_DES_192_CBC3_SHA,
-       SSL_kRSA|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3,
+       SSL_kRSA,
+       SSL_aRSA,
+       SSL_3DES,
+       SSL_SHA1,
+       SSL_SSLV3,
        SSL_NOT_EXP|SSL_HIGH,
        0,
        168,
        168,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
+
 /* The DH ciphers */
 /* Cipher 0B */
        {
        0,
        SSL3_TXT_DH_DSS_DES_40_CBC_SHA,
        SSL3_CK_DH_DSS_DES_40_CBC_SHA,
-       SSL_kDHd |SSL_aDH|SSL_DES|SSL_SHA1|SSL_SSLV3,
+       SSL_kDHd,
+       SSL_aDH,
+       SSL_DES,
+       SSL_SHA1,
+       SSL_SSLV3,
        SSL_EXPORT|SSL_EXP40,
        0,
        40,
        56,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
+
 /* Cipher 0C */
        {
        0, /* not implemented (non-ephemeral DH) */
        SSL3_TXT_DH_DSS_DES_64_CBC_SHA,
        SSL3_CK_DH_DSS_DES_64_CBC_SHA,
-       SSL_kDHd |SSL_aDH|SSL_DES  |SSL_SHA1|SSL_SSLV3,
+       SSL_kDHd,
+       SSL_aDH,
+       SSL_DES,
+       SSL_SHA1,
+       SSL_SSLV3,
        SSL_NOT_EXP|SSL_LOW,
        0,
        56,
        56,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
+
 /* Cipher 0D */
        {
        0, /* not implemented (non-ephemeral DH) */
        SSL3_TXT_DH_DSS_DES_192_CBC3_SHA,
        SSL3_CK_DH_DSS_DES_192_CBC3_SHA,
-       SSL_kDHd |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3,
+       SSL_kDHd,
+       SSL_aDH,
+       SSL_3DES,
+       SSL_SHA1,
+       SSL_SSLV3,
        SSL_NOT_EXP|SSL_HIGH,
        0,
        168,
        168,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
+
 /* Cipher 0E */
        {
        0, /* not implemented (non-ephemeral DH) */
        SSL3_TXT_DH_RSA_DES_40_CBC_SHA,
        SSL3_CK_DH_RSA_DES_40_CBC_SHA,
-       SSL_kDHr |SSL_aDH|SSL_DES|SSL_SHA1|SSL_SSLV3,
+       SSL_kDHr,
+       SSL_aDH,
+       SSL_DES,
+       SSL_SHA1,
+       SSL_SSLV3,
        SSL_EXPORT|SSL_EXP40,
        0,
        40,
        56,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
+
 /* Cipher 0F */
        {
        0, /* not implemented (non-ephemeral DH) */
        SSL3_TXT_DH_RSA_DES_64_CBC_SHA,
        SSL3_CK_DH_RSA_DES_64_CBC_SHA,
-       SSL_kDHr |SSL_aDH|SSL_DES  |SSL_SHA1|SSL_SSLV3,
+       SSL_kDHr,
+       SSL_aDH,
+       SSL_DES,
+       SSL_SHA1,
+       SSL_SSLV3,
        SSL_NOT_EXP|SSL_LOW,
        0,
        56,
        56,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
+
 /* Cipher 10 */
        {
        0, /* not implemented (non-ephemeral DH) */
        SSL3_TXT_DH_RSA_DES_192_CBC3_SHA,
        SSL3_CK_DH_RSA_DES_192_CBC3_SHA,
-       SSL_kDHr |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3,
+       SSL_kDHr,
+       SSL_aDH,
+       SSL_3DES,
+       SSL_SHA1,
+       SSL_SSLV3,
        SSL_NOT_EXP|SSL_HIGH,
        0,
        168,
        168,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
 
 /* The Ephemeral DH ciphers */
@@ -387,143 +435,175 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        1,
        SSL3_TXT_EDH_DSS_DES_40_CBC_SHA,
        SSL3_CK_EDH_DSS_DES_40_CBC_SHA,
-       SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA1|SSL_SSLV3,
+       SSL_kEDH,
+       SSL_aDSS,
+       SSL_DES,
+       SSL_SHA1,
+       SSL_SSLV3,
        SSL_EXPORT|SSL_EXP40,
        0,
        40,
        56,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
+
 /* Cipher 12 */
        {
        1,
        SSL3_TXT_EDH_DSS_DES_64_CBC_SHA,
        SSL3_CK_EDH_DSS_DES_64_CBC_SHA,
-       SSL_kEDH|SSL_aDSS|SSL_DES  |SSL_SHA1|SSL_SSLV3,
+       SSL_kEDH,
+       SSL_aDSS,
+       SSL_DES,
+       SSL_SHA1,
+       SSL_SSLV3,
        SSL_NOT_EXP|SSL_LOW,
        0,
        56,
        56,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
+
 /* Cipher 13 */
        {
        1,
        SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA,
        SSL3_CK_EDH_DSS_DES_192_CBC3_SHA,
-       SSL_kEDH|SSL_aDSS|SSL_3DES |SSL_SHA1|SSL_SSLV3,
+       SSL_kEDH,
+       SSL_aDSS,
+       SSL_3DES,
+       SSL_SHA1,
+       SSL_SSLV3,
        SSL_NOT_EXP|SSL_HIGH,
        0,
        168,
        168,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
+
 /* Cipher 14 */
        {
        1,
        SSL3_TXT_EDH_RSA_DES_40_CBC_SHA,
        SSL3_CK_EDH_RSA_DES_40_CBC_SHA,
-       SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_SSLV3,
+       SSL_kEDH,
+       SSL_aRSA,
+       SSL_DES,
+       SSL_SHA1,
+       SSL_SSLV3,
        SSL_EXPORT|SSL_EXP40,
        0,
        40,
        56,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
+
 /* Cipher 15 */
        {
        1,
        SSL3_TXT_EDH_RSA_DES_64_CBC_SHA,
        SSL3_CK_EDH_RSA_DES_64_CBC_SHA,
-       SSL_kEDH|SSL_aRSA|SSL_DES  |SSL_SHA1|SSL_SSLV3,
+       SSL_kEDH,
+       SSL_aRSA,
+       SSL_DES,
+       SSL_SHA1,
+       SSL_SSLV3,
        SSL_NOT_EXP|SSL_LOW,
        0,
        56,
        56,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
+
 /* Cipher 16 */
        {
        1,
        SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA,
        SSL3_CK_EDH_RSA_DES_192_CBC3_SHA,
-       SSL_kEDH|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3,
+       SSL_kEDH,
+       SSL_aRSA,
+       SSL_3DES,
+       SSL_SHA1,
+       SSL_SSLV3,
        SSL_NOT_EXP|SSL_HIGH,
        0,
        168,
        168,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
+
 /* Cipher 17 */
        {
        1,
        SSL3_TXT_ADH_RC4_40_MD5,
        SSL3_CK_ADH_RC4_40_MD5,
-       SSL_kEDH |SSL_aNULL|SSL_RC4  |SSL_MD5 |SSL_SSLV3,
+       SSL_kEDH,
+       SSL_aNULL,
+       SSL_RC4,
+       SSL_MD5,
+       SSL_SSLV3,
        SSL_EXPORT|SSL_EXP40,
        0,
        40,
        128,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
+
 /* Cipher 18 */
        {
        1,
        SSL3_TXT_ADH_RC4_128_MD5,
        SSL3_CK_ADH_RC4_128_MD5,
-       SSL_kEDH |SSL_aNULL|SSL_RC4  |SSL_MD5 |SSL_SSLV3,
+       SSL_kEDH,
+       SSL_aNULL,
+       SSL_RC4,
+       SSL_MD5,
+       SSL_SSLV3,
        SSL_NOT_EXP|SSL_MEDIUM,
        0,
        128,
        128,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
+
 /* Cipher 19 */
        {
        1,
        SSL3_TXT_ADH_DES_40_CBC_SHA,
        SSL3_CK_ADH_DES_40_CBC_SHA,
-       SSL_kEDH |SSL_aNULL|SSL_DES|SSL_SHA1|SSL_SSLV3,
+       SSL_kEDH,
+       SSL_aNULL,
+       SSL_DES,
+       SSL_SHA1,
+       SSL_SSLV3,
        SSL_EXPORT|SSL_EXP40,
        0,
        40,
        128,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
+
 /* Cipher 1A */
        {
        1,
        SSL3_TXT_ADH_DES_64_CBC_SHA,
        SSL3_CK_ADH_DES_64_CBC_SHA,
-       SSL_kEDH |SSL_aNULL|SSL_DES  |SSL_SHA1|SSL_SSLV3,
+       SSL_kEDH,
+       SSL_aNULL,
+       SSL_DES,
+       SSL_SHA1,
+       SSL_SSLV3,
        SSL_NOT_EXP|SSL_LOW,
        0,
        56,
        56,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
+
 /* Cipher 1B */
        {
        1,
        SSL3_TXT_ADH_DES_192_CBC_SHA,
        SSL3_CK_ADH_DES_192_CBC_SHA,
-       SSL_kEDH |SSL_aNULL|SSL_3DES |SSL_SHA1|SSL_SSLV3,
+       SSL_kEDH,
+       SSL_aNULL,
+       SSL_3DES,
+       SSL_SHA1,
+       SSL_SSLV3,
        SSL_NOT_EXP|SSL_HIGH,
        0,
        168,
        168,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
 
 /* Fortezza ciphersuite from SSL 3.0 spec */
@@ -533,13 +613,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        0,
        SSL3_TXT_FZA_DMS_NULL_SHA,
        SSL3_CK_FZA_DMS_NULL_SHA,
-       SSL_kFZA|SSL_aFZA |SSL_eNULL |SSL_SHA1|SSL_SSLV3,
+       SSL_kFZA,
+       SSL_aFZA,
+       SSL_eNULL,
+       SSL_SHA1,
+       SSL_SSLV3,
        SSL_NOT_EXP|SSL_STRONG_NONE,
        0,
        0,
        0,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
 
 /* Cipher 1D */
@@ -547,13 +629,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        0,
        SSL3_TXT_FZA_DMS_FZA_SHA,
        SSL3_CK_FZA_DMS_FZA_SHA,
-       SSL_kFZA|SSL_aFZA |SSL_eFZA |SSL_SHA1|SSL_SSLV3,
+       SSL_kFZA,
+       SSL_aFZA,
+       SSL_eFZA,
+       SSL_SHA1,
+       SSL_SSLV3,
        SSL_NOT_EXP|SSL_STRONG_NONE,
        0,
        0,
        0,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
 
 /* Cipher 1E */
@@ -561,13 +645,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        0,
        SSL3_TXT_FZA_DMS_RC4_SHA,
        SSL3_CK_FZA_DMS_RC4_SHA,
-       SSL_kFZA|SSL_aFZA |SSL_RC4  |SSL_SHA1|SSL_SSLV3,
+       SSL_kFZA,
+       SSL_aFZA,
+       SSL_RC4,
+       SSL_SHA1,
+       SSL_SSLV3,
        SSL_NOT_EXP|SSL_MEDIUM,
        0,
        128,
        128,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
 #endif
 
@@ -581,13 +667,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        1,
        SSL3_TXT_KRB5_DES_64_CBC_SHA,
        SSL3_CK_KRB5_DES_64_CBC_SHA,
-       SSL_kKRB5|SSL_aKRB5|  SSL_DES|SSL_SHA1   |SSL_SSLV3,
+       SSL_kKRB5,
+       SSL_aKRB5,
+       SSL_DES,
+       SSL_SHA1,
+       SSL_SSLV3,
        SSL_NOT_EXP|SSL_LOW,
        0,
        56,
        56,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
 
 /* Cipher 1F */
@@ -595,13 +683,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        1,
        SSL3_TXT_KRB5_DES_192_CBC3_SHA,
        SSL3_CK_KRB5_DES_192_CBC3_SHA,
-       SSL_kKRB5|SSL_aKRB5|  SSL_3DES|SSL_SHA1  |SSL_SSLV3,
+       SSL_kKRB5,
+       SSL_aKRB5,
+       SSL_3DES,
+       SSL_SHA1,
+       SSL_SSLV3,
        SSL_NOT_EXP|SSL_HIGH,
        0,
        112,
        168,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
 
 /* Cipher 20 */
@@ -609,13 +699,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        1,
        SSL3_TXT_KRB5_RC4_128_SHA,
        SSL3_CK_KRB5_RC4_128_SHA,
-       SSL_kKRB5|SSL_aKRB5|  SSL_RC4|SSL_SHA1  |SSL_SSLV3,
-       SSL_NOT_EXP|SSL_MEDIUM,
+       SSL_kKRB5,SSL_aKRB5,
+       SSL_RC4,
+       SSL_SHA1,
+       SSL_SSLV3,
+       SSL_NOT_EXP,
+       SSL_MEDIUM,
        0,
        128,
        128,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
 
 /* Cipher 21 */
@@ -623,13 +715,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        1,
        SSL3_TXT_KRB5_IDEA_128_CBC_SHA,
        SSL3_CK_KRB5_IDEA_128_CBC_SHA,
-       SSL_kKRB5|SSL_aKRB5|  SSL_IDEA|SSL_SHA1  |SSL_SSLV3,
+       SSL_kKRB5,
+       SSL_aKRB5,
+       SSL_IDEA,
+       SSL_SHA1,
+       SSL_SSLV3,
        SSL_NOT_EXP|SSL_MEDIUM,
        0,
        128,
        128,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
 
 /* Cipher 22 */
@@ -637,13 +731,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        1,
        SSL3_TXT_KRB5_DES_64_CBC_MD5,
        SSL3_CK_KRB5_DES_64_CBC_MD5,
-       SSL_kKRB5|SSL_aKRB5|  SSL_DES|SSL_MD5    |SSL_SSLV3,
+       SSL_kKRB5,
+       SSL_aKRB5,
+       SSL_DES,
+       SSL_MD5,
+       SSL_SSLV3,
        SSL_NOT_EXP|SSL_LOW,
        0,
        56,
        56,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
 
 /* Cipher 23 */
@@ -651,13 +747,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        1,
        SSL3_TXT_KRB5_DES_192_CBC3_MD5,
        SSL3_CK_KRB5_DES_192_CBC3_MD5,
-       SSL_kKRB5|SSL_aKRB5|  SSL_3DES|SSL_MD5   |SSL_SSLV3,
+       SSL_kKRB5,
+       SSL_aKRB5,
+       SSL_3DES,
+       SSL_MD5,
+       SSL_SSLV3,
        SSL_NOT_EXP|SSL_HIGH,
        0,
        112,
        168,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
 
 /* Cipher 24 */
@@ -665,13 +763,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        1,
        SSL3_TXT_KRB5_RC4_128_MD5,
        SSL3_CK_KRB5_RC4_128_MD5,
-       SSL_kKRB5|SSL_aKRB5|  SSL_RC4|SSL_MD5  |SSL_SSLV3,
+       SSL_kKRB5,
+       SSL_aKRB5,
+       SSL_RC4,
+       SSL_MD5,
+       SSL_SSLV3,
        SSL_NOT_EXP|SSL_MEDIUM,
        0,
        128,
        128,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
 
 /* Cipher 25 */
@@ -679,13 +779,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        1,
        SSL3_TXT_KRB5_IDEA_128_CBC_MD5,
        SSL3_CK_KRB5_IDEA_128_CBC_MD5,
-       SSL_kKRB5|SSL_aKRB5|  SSL_IDEA|SSL_MD5  |SSL_SSLV3,
+       SSL_kKRB5,
+       SSL_aKRB5,
+       SSL_IDEA,
+       SSL_MD5,
+       SSL_SSLV3,
        SSL_NOT_EXP|SSL_MEDIUM,
        0,
        128,
        128,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
 
 /* Cipher 26 */
@@ -693,13 +795,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        1,
        SSL3_TXT_KRB5_DES_40_CBC_SHA,
        SSL3_CK_KRB5_DES_40_CBC_SHA,
-       SSL_kKRB5|SSL_aKRB5|  SSL_DES|SSL_SHA1   |SSL_SSLV3,
+       SSL_kKRB5,
+       SSL_aKRB5,
+       SSL_DES,
+       SSL_SHA1,
+       |SSL_SSLV3,
        SSL_EXPORT|SSL_EXP40,
        0,
        40,
        56,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
 
 /* Cipher 27 */
@@ -707,13 +811,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        1,
        SSL3_TXT_KRB5_RC2_40_CBC_SHA,
        SSL3_CK_KRB5_RC2_40_CBC_SHA,
-       SSL_kKRB5|SSL_aKRB5|  SSL_RC2|SSL_SHA1   |SSL_SSLV3,
+       SSL_kKRB5,
+       SSL_aKRB5,
+       SSL_RC2,
+       SSL_SHA1,
+       SSL_SSLV3,
        SSL_EXPORT|SSL_EXP40,
        0,
        40,
        128,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
 
 /* Cipher 28 */
@@ -721,13 +827,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        1,
        SSL3_TXT_KRB5_RC4_40_SHA,
        SSL3_CK_KRB5_RC4_40_SHA,
-       SSL_kKRB5|SSL_aKRB5|  SSL_RC4|SSL_SHA1   |SSL_SSLV3,
+       SSL_kKRB5,
+       SSL_aKRB5,
+       SSL_RC4,
+       SSL_SHA1,
+       SSL_SSLV3,
        SSL_EXPORT|SSL_EXP40,
        0,
        128,
        128,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
 
 /* Cipher 29 */
@@ -735,13 +843,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        1,
        SSL3_TXT_KRB5_DES_40_CBC_MD5,
        SSL3_CK_KRB5_DES_40_CBC_MD5,
-       SSL_kKRB5|SSL_aKRB5|  SSL_DES|SSL_MD5    |SSL_SSLV3,
+       SSL_kKRB5,
+       SSL_aKRB5,
+       SSL_DES,
+       SSL_MD5,
+       SSL_SSLV3,
        SSL_EXPORT|SSL_EXP40,
        0,
        40,
        56,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
 
 /* Cipher 2A */
@@ -749,13 +859,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        1,
        SSL3_TXT_KRB5_RC2_40_CBC_MD5,
        SSL3_CK_KRB5_RC2_40_CBC_MD5,
-       SSL_kKRB5|SSL_aKRB5|  SSL_RC2|SSL_MD5    |SSL_SSLV3,
+       SSL_kKRB5,
+       SSL_aKRB5,
+       SSL_RC2,
+       SSL_MD5,
+       SSL_SSLV3,
        SSL_EXPORT|SSL_EXP40,
        0,
        40,
        128,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
 
 /* Cipher 2B */
@@ -763,13 +875,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        1,
        SSL3_TXT_KRB5_RC4_40_MD5,
        SSL3_CK_KRB5_RC4_40_MD5,
-       SSL_kKRB5|SSL_aKRB5|  SSL_RC4|SSL_MD5    |SSL_SSLV3,
+       SSL_kKRB5,
+       SSL_aKRB5,
+       SSL_RC4,
+       SSL_MD5,
+       SSL_SSLV3,
        SSL_EXPORT|SSL_EXP40,
        0,
        128,
        128,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
 #endif /* OPENSSL_NO_KRB5 */
 
@@ -779,78 +893,90 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        1,
        TLS1_TXT_RSA_WITH_AES_128_SHA,
        TLS1_CK_RSA_WITH_AES_128_SHA,
-       SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1,
+       SSL_kRSA,
+       SSL_aRSA,
+       SSL_AES128,
+       SSL_SHA1,
+       SSL_TLSV1,
        SSL_NOT_EXP|SSL_HIGH,
        0,
        128,
        128,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
 /* Cipher 30 */
        {
        0,
        TLS1_TXT_DH_DSS_WITH_AES_128_SHA,
        TLS1_CK_DH_DSS_WITH_AES_128_SHA,
-       SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
+       SSL_kDHd,
+       SSL_aDH,
+       SSL_AES128,
+       SSL_SHA1,
+       SSL_TLSV1,
        SSL_NOT_EXP|SSL_HIGH,
        0,
        128,
        128,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
 /* Cipher 31 */
        {
        0,
        TLS1_TXT_DH_RSA_WITH_AES_128_SHA,
        TLS1_CK_DH_RSA_WITH_AES_128_SHA,
-       SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
+       SSL_kDHr,
+       SSL_aDH,
+       SSL_AES128,
+       SSL_SHA1,
+       SSL_TLSV1,
        SSL_NOT_EXP|SSL_HIGH,
        0,
        128,
        128,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
 /* Cipher 32 */
        {
        1,
        TLS1_TXT_DHE_DSS_WITH_AES_128_SHA,
        TLS1_CK_DHE_DSS_WITH_AES_128_SHA,
-       SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1,
+       SSL_kEDH,
+       SSL_aDSS,
+       SSL_AES128,
+       SSL_SHA1,
+       SSL_TLSV1,
        SSL_NOT_EXP|SSL_HIGH,
        0,
        128,
        128,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
 /* Cipher 33 */
        {
        1,
        TLS1_TXT_DHE_RSA_WITH_AES_128_SHA,
        TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
-       SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
+       SSL_kEDH,
+       SSL_aRSA,
+       SSL_AES128,
+       SSL_SHA1,
+       SSL_TLSV1,
        SSL_NOT_EXP|SSL_HIGH,
        0,
        128,
        128,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
 /* Cipher 34 */
        {
        1,
        TLS1_TXT_ADH_WITH_AES_128_SHA,
        TLS1_CK_ADH_WITH_AES_128_SHA,
-       SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
+       SSL_kEDH,
+       SSL_aNULL,
+       SSL_AES128,
+       SSL_SHA1,
+       SSL_TLSV1,
        SSL_NOT_EXP|SSL_HIGH,
        0,
        128,
        128,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
 
 /* Cipher 35 */
@@ -858,78 +984,94 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        1,
        TLS1_TXT_RSA_WITH_AES_256_SHA,
        TLS1_CK_RSA_WITH_AES_256_SHA,
-       SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1,
+       SSL_kRSA,
+       SSL_aRSA,
+       SSL_AES256,
+       SSL_SHA1,
+       SSL_TLSV1,
        SSL_NOT_EXP|SSL_HIGH,
        0,
        256,
        256,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
 /* Cipher 36 */
        {
        0,
        TLS1_TXT_DH_DSS_WITH_AES_256_SHA,
        TLS1_CK_DH_DSS_WITH_AES_256_SHA,
-       SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
+       SSL_kDHd,
+       SSL_aDH,
+       SSL_AES256,
+       SSL_SHA1,
+       SSL_TLSV1,
        SSL_NOT_EXP|SSL_HIGH,
        0,
        256,
        256,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
+
 /* Cipher 37 */
        {
        0, /* not implemented (non-ephemeral DH) */
        TLS1_TXT_DH_RSA_WITH_AES_256_SHA,
        TLS1_CK_DH_RSA_WITH_AES_256_SHA,
-       SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
+       SSL_kDHr,
+       SSL_aDH,
+       SSL_AES256,
+       SSL_SHA1,
+       SSL_TLSV1,
        SSL_NOT_EXP|SSL_HIGH,
        0,
        256,
        256,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
+
 /* Cipher 38 */
        {
        1,
        TLS1_TXT_DHE_DSS_WITH_AES_256_SHA,
        TLS1_CK_DHE_DSS_WITH_AES_256_SHA,
-       SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1,
+       SSL_kEDH,
+       SSL_aDSS,
+       SSL_AES256,
+       SSL_SHA1,
+       SSL_TLSV1,
        SSL_NOT_EXP|SSL_HIGH,
        0,
        256,
        256,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
+
 /* Cipher 39 */
        {
        1,
        TLS1_TXT_DHE_RSA_WITH_AES_256_SHA,
        TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
-       SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
+       SSL_kEDH,
+       SSL_aRSA,
+       SSL_AES256,
+       SSL_SHA1,
+       SSL_TLSV1,
        SSL_NOT_EXP|SSL_HIGH,
        0,
        256,
        256,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
+
        /* Cipher 3A */
        {
        1,
        TLS1_TXT_ADH_WITH_AES_256_SHA,
        TLS1_CK_ADH_WITH_AES_256_SHA,
-       SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
+       SSL_kEDH,
+       SSL_aNULL,
+       SSL_AES256,
+       SSL_SHA1,
+       SSL_TLSV1,
        SSL_NOT_EXP|SSL_HIGH,
        0,
        256,
        256,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
 
 #ifndef OPENSSL_NO_CAMELLIA
@@ -940,78 +1082,95 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        1,
        TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA,
        TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA,
-       SSL_kRSA|SSL_aRSA|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1,
+       SSL_kRSA,
+       SSL_aRSA,
+       SSL_CAMELLIA128,
+       SSL_SHA1,
+       SSL_TLSV1,
        SSL_NOT_EXP|SSL_HIGH,
        0,
        128,
        128,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS
        },
+
        /* Cipher 42 */
        {
        0, /* not implemented (non-ephemeral DH) */
        TLS1_TXT_DH_DSS_WITH_CAMELLIA_128_CBC_SHA,
        TLS1_CK_DH_DSS_WITH_CAMELLIA_128_CBC_SHA,
-       SSL_kDHd|SSL_aDH|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1,
+       SSL_kDHd,
+       SSL_aDH,
+       SSL_CAMELLIA128,
+       SSL_SHA1,
+       SSL_TLSV1,
        SSL_NOT_EXP|SSL_HIGH,
        0,
        128,
        128,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS
        },
+
        /* Cipher 43 */
        {
        0, /* not implemented (non-ephemeral DH) */
        TLS1_TXT_DH_RSA_WITH_CAMELLIA_128_CBC_SHA,
        TLS1_CK_DH_RSA_WITH_CAMELLIA_128_CBC_SHA,
-       SSL_kDHr|SSL_aDH|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1,
+       SSL_kDHr,
+       SSL_aDH,
+       SSL_CAMELLIA128,
+       SSL_SHA1,
+       SSL_TLSV1,
        SSL_NOT_EXP|SSL_HIGH,
        0,
        128,
        128,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS
        },
+
        /* Cipher 44 */
        {
        1,
        TLS1_TXT_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
        TLS1_CK_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
-       SSL_kEDH|SSL_aDSS|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1,
+       SSL_kEDH,
+       SSL_aDSS,
+       SSL_CAMELLIA128,
+       SSL_SHA1,
+       SSL_TLSV1,
        SSL_NOT_EXP|SSL_HIGH,
        0,
        128,
        128,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS
        },
+
        /* Cipher 45 */
        {
        1,
        TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
        TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
-       SSL_kEDH|SSL_aRSA|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1,
+       SSL_kEDH,
+       SSL_aRSA,
+       SSL_CAMELLIA128,
+       SSL_SHA1,
+       SSL_TLSV1,
        SSL_NOT_EXP|SSL_HIGH,
        0,
        128,
        128,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS
        },
+
        /* Cipher 46 */
        {
        1,
        TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA,
        TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA,
-       SSL_kEDH|SSL_aNULL|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1,
+       SSL_kEDH,
+       SSL_aNULL,
+       SSL_CAMELLIA128,
+       SSL_SHA1,
+       SSL_TLSV1,
        SSL_NOT_EXP|SSL_HIGH,
        0,
        128,
        128,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS
        },
 #endif /* OPENSSL_NO_CAMELLIA */
 
@@ -1019,97 +1178,117 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        /* New TLS Export CipherSuites from expired ID */
 #if 0
        /* Cipher 60 */
-           {
-           1,
-           TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5,
-           TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5,
-           SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_TLSV1,
-           SSL_EXPORT|SSL_EXP56,
-           0,
-           56,
-           128,
-           SSL_ALL_CIPHERS,
-           SSL_ALL_STRENGTHS,
-           },
+       {
+       1,
+       TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5,
+       TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5,
+       SSL_kRSA,
+       SSL_aRSA,
+       SSL_RC4,
+       SSL_MD5,
+       SSL_TLSV1,
+       SSL_EXPORT|SSL_EXP56,
+       0,
+       56,
+       128,
+       },
+
        /* Cipher 61 */
-           {
-           1,
-           TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5,
-           TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5,
-           SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_TLSV1,
-           SSL_EXPORT|SSL_EXP56,
-           0,
-           56,
-           128,
-           SSL_ALL_CIPHERS,
-           SSL_ALL_STRENGTHS,
-           },
+       {
+       1,
+       TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5,
+       TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5,
+       SSL_kRSA,
+       SSL_aRSA,
+       SSL_RC2,
+       SSL_MD5,
+       SSL_TLSV1,
+       SSL_EXPORT|SSL_EXP56,
+       0,
+       56,
+       128,
+       },
 #endif
+
        /* Cipher 62 */
-           {
-           1,
-           TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA,
-           TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA,
-           SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA|SSL_TLSV1,
-           SSL_EXPORT|SSL_EXP56,
-           0,
-           56,
-           56,
-           SSL_ALL_CIPHERS,
-           SSL_ALL_STRENGTHS,
-           },
+       {
+       1,
+       TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA,
+       TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA,
+       SSL_kRSA,
+       SSL_aRSA,
+       SSL_DES,
+       SSL_SHA1,
+       SSL_TLSV1,
+       SSL_EXPORT|SSL_EXP56,
+       0,
+       56,
+       56,
+       },
+
        /* Cipher 63 */
-           {
-           1,
-           TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
-           TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
-           SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA|SSL_TLSV1,
-           SSL_EXPORT|SSL_EXP56,
-           0,
-           56,
-           56,
-           SSL_ALL_CIPHERS,
-           SSL_ALL_STRENGTHS,
-           },
+       {
+       1,
+       TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
+       TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
+       SSL_kEDH,
+       SSL_aDSS,
+       SSL_DES,
+       SSL_SHA1,
+       SSL_TLSV1,
+       SSL_EXPORT|SSL_EXP56,
+       0,
+       56,
+       56,
+       },
+
        /* Cipher 64 */
-           {
-           1,
-           TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA,
-           TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA,
-           SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
-           SSL_EXPORT|SSL_EXP56,
-           0,
-           56,
-           128,
-           SSL_ALL_CIPHERS,
-           SSL_ALL_STRENGTHS,
-           },
+       {
+       1,
+       TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA,
+       TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA,
+       SSL_kRSA,
+       SSL_aRSA,
+       SSL_RC4,
+       SSL_SHA1,
+       SSL_TLSV1,
+       SSL_EXPORT|SSL_EXP56,
+       0,
+       56,
+       128,
+       },
+
        /* Cipher 65 */
-           {
-           1,
-           TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
-           TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
-           SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1,
-           SSL_EXPORT|SSL_EXP56,
-           0,
-           56,
-           128,
-           SSL_ALL_CIPHERS,
-           SSL_ALL_STRENGTHS,
-           },
+       {
+       1,
+       TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
+       TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
+       SSL_kEDH,
+       SSL_aDSS,
+       SSL_RC4,
+       SSL_SHA1,
+       SSL_TLSV1,
+       SSL_EXPORT|SSL_EXP56,
+       0,
+       56,
+       128,
+       },
+
        /* Cipher 66 */
-           {
-           1,
-           TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA,
-           TLS1_CK_DHE_DSS_WITH_RC4_128_SHA,
-           SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1,
-           SSL_NOT_EXP|SSL_MEDIUM,
-           0,
-           128,
-           128,
-           SSL_ALL_CIPHERS,
-           SSL_ALL_STRENGTHS
-           },
+       {
+       1,
+       TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA,
+       TLS1_CK_DHE_DSS_WITH_RC4_128_SHA,
+       SSL_kEDH,
+       SSL_aDSS,
+       SSL_RC4,
+       SSL_SHA1,
+       SSL_TLSV1,
+       SSL_NOT_EXP|SSL_MEDIUM,
+       0,
+       128,
+       128,
+       },
 #endif
 
 #ifndef OPENSSL_NO_CAMELLIA
@@ -1120,78 +1299,94 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        1,
        TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA,
        TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA,
-       SSL_kRSA|SSL_aRSA|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1,
+       SSL_kRSA,
+       SSL_aRSA,
+       SSL_CAMELLIA256,
+       SSL_SHA1,
+       SSL_TLSV1,
        SSL_NOT_EXP|SSL_HIGH,
        0,
        256,
        256,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS
        },
        /* Cipher 85 */
        {
        0, /* not implemented (non-ephemeral DH) */
        TLS1_TXT_DH_DSS_WITH_CAMELLIA_256_CBC_SHA,
        TLS1_CK_DH_DSS_WITH_CAMELLIA_256_CBC_SHA,
-       SSL_kDHd|SSL_aDH|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1,
+       SSL_kDHd,
+       SSL_aDH,
+       SSL_CAMELLIA256,
+       SSL_SHA1,
+       SSL_TLSV1,
        SSL_NOT_EXP|SSL_HIGH,
        0,
        256,
        256,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS
        },
+
        /* Cipher 86 */
        {
        0, /* not implemented (non-ephemeral DH) */
        TLS1_TXT_DH_RSA_WITH_CAMELLIA_256_CBC_SHA,
        TLS1_CK_DH_RSA_WITH_CAMELLIA_256_CBC_SHA,
-       SSL_kDHr|SSL_aDH|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1,
+       SSL_kDHr,
+       SSL_aDH,
+       SSL_CAMELLIA256,
+       SSL_SHA1,
+       SSL_TLSV1,
        SSL_NOT_EXP|SSL_HIGH,
        0,
        256,
        256,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS
        },
+
        /* Cipher 87 */
        {
        1,
        TLS1_TXT_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
        TLS1_CK_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
-       SSL_kEDH|SSL_aDSS|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1,
+       SSL_kEDH,
+       SSL_aDSS,
+       SSL_CAMELLIA256,
+       SSL_SHA1,
+       SSL_TLSV1,
        SSL_NOT_EXP|SSL_HIGH,
        0,
        256,
        256,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS
        },
+
        /* Cipher 88 */
        {
        1,
        TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
        TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
-       SSL_kEDH|SSL_aRSA|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1,
+       SSL_kEDH,
+       SSL_aRSA,
+       SSL_CAMELLIA256,
+       SSL_SHA1,
+       SSL_TLSV1,
        SSL_NOT_EXP|SSL_HIGH,
        0,
        256,
        256,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS
        },
+
        /* Cipher 89 */
        {
        1,
        TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA,
        TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA,
-       SSL_kEDH|SSL_aNULL|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1,
+       SSL_kEDH,
+       SSL_aNULL,
+       SSL_CAMELLIA256,
+       SSL_SHA1,
+       SSL_TLSV1,
        SSL_NOT_EXP|SSL_HIGH,
        0,
        256,
        256,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS
        },
 #endif /* OPENSSL_NO_CAMELLIA */
 
@@ -1201,13 +1396,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        1,
        TLS1_TXT_PSK_WITH_RC4_128_SHA,
        TLS1_CK_PSK_WITH_RC4_128_SHA,
-       SSL_kPSK|SSL_aPSK|SSL_RC4|SSL_SHA|SSL_TLSV1,
+       SSL_kPSK,
+       SSL_aPSK,
+       SSL_RC4,
+       SSL_SHA1,
+       SSL_TLSV1,
        SSL_NOT_EXP|SSL_MEDIUM,
        0,
        128,
        128,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
 
        /* Cipher 8B */
@@ -1215,13 +1412,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        1,
        TLS1_TXT_PSK_WITH_3DES_EDE_CBC_SHA,
        TLS1_CK_PSK_WITH_3DES_EDE_CBC_SHA,
-       SSL_kPSK|SSL_aPSK|SSL_3DES|SSL_SHA|SSL_TLSV1,
+       SSL_kPSK,
+       SSL_aPSK,
+       SSL_3DES,
+       SSL_SHA1,
+       SSL_TLSV1,
        SSL_NOT_EXP|SSL_HIGH,
        0,
        168,
        168,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
 
        /* Cipher 8C */
@@ -1229,13 +1428,15 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        1,
        TLS1_TXT_PSK_WITH_AES_128_CBC_SHA,
        TLS1_CK_PSK_WITH_AES_128_CBC_SHA,
-       SSL_kPSK|SSL_aPSK|SSL_AES|SSL_SHA|SSL_TLSV1,
-       SSL_NOT_EXP|SSL_MEDIUM,
+       SSL_kPSK,
+       SSL_aPSK,
+       SSL_AES128,
+       SSL_SHA1,
+       SSL_TLSV1,
+       SSL_NOT_EXP|SSL_HIGH,
        0,
        128,
        128,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
 
        /* Cipher 8D */
@@ -1243,369 +1444,420 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        1,
        TLS1_TXT_PSK_WITH_AES_256_CBC_SHA,
        TLS1_CK_PSK_WITH_AES_256_CBC_SHA,
-       SSL_kPSK|SSL_aPSK|SSL_AES|SSL_SHA|SSL_TLSV1,
+       SSL_kPSK,
+       SSL_aPSK,
+       SSL_AES256,
+       SSL_SHA1,
+       SSL_TLSV1,
        SSL_NOT_EXP|SSL_HIGH,
        0,
        256,
        256,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
        },
 #endif  /* OPENSSL_NO_PSK */
 
 #ifndef OPENSSL_NO_ECDH
        /* Cipher C001 */
-           {
-            1,
-            TLS1_TXT_ECDH_ECDSA_WITH_NULL_SHA,
-            TLS1_CK_ECDH_ECDSA_WITH_NULL_SHA,
-            SSL_kECDHe|SSL_aECDH|SSL_eNULL|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP,
-            0,
-            0,
-            0,
-            SSL_ALL_CIPHERS,
-            SSL_ALL_STRENGTHS,
-            },
+       {
+       1,
+       TLS1_TXT_ECDH_ECDSA_WITH_NULL_SHA,
+       TLS1_CK_ECDH_ECDSA_WITH_NULL_SHA,
+       SSL_kECDHe,
+       SSL_aECDH,
+       SSL_eNULL,
+       SSL_SHA1,
+       SSL_TLSV1,
+       SSL_NOT_EXP,
+       0,
+       0,
+       0,
+       },
 
        /* Cipher C002 */
-           {
-            1,
-            TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA,
-            TLS1_CK_ECDH_ECDSA_WITH_RC4_128_SHA,
-            SSL_kECDHe|SSL_aECDH|SSL_RC4|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP,
-            0,
-            128,
-            128,
-            SSL_ALL_CIPHERS,
-            SSL_ALL_STRENGTHS,
-            },
+       {
+       1,
+       TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA,
+       TLS1_CK_ECDH_ECDSA_WITH_RC4_128_SHA,
+       SSL_kECDHe,
+       SSL_aECDH,
+       SSL_RC4,
+       SSL_SHA1,
+       SSL_TLSV1,
+       SSL_NOT_EXP,
+       0,
+       128,
+       128,
+       },
 
        /* Cipher C003 */
-           {
-            1,
-            TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA,
-            TLS1_CK_ECDH_ECDSA_WITH_DES_192_CBC3_SHA,
-            SSL_kECDHe|SSL_aECDH|SSL_3DES|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP|SSL_HIGH,
-            0,
-            168,
-            168,
-            SSL_ALL_CIPHERS,
-            SSL_ALL_STRENGTHS,
-            },
+       {
+       1,
+       TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA,
+       TLS1_CK_ECDH_ECDSA_WITH_DES_192_CBC3_SHA,
+       SSL_kECDHe,
+       SSL_aECDH,
+       SSL_3DES,
+       SSL_SHA1,
+       SSL_TLSV1,
+       SSL_NOT_EXP|SSL_HIGH,
+       0,
+       168,
+       168,
+       },
 
        /* Cipher C004 */
-           {
-            1,
-            TLS1_TXT_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
-            TLS1_CK_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
-            SSL_kECDHe|SSL_aECDH|SSL_AES|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP|SSL_HIGH,
-            0,
-            128,
-            128,
-            SSL_ALL_CIPHERS,
-            SSL_ALL_STRENGTHS,
-            },
+       {
+       1,
+       TLS1_TXT_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
+       TLS1_CK_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
+       SSL_kECDHe,
+       SSL_aECDH,
+       SSL_AES128,
+       SSL_SHA1,
+       SSL_TLSV1,
+       SSL_NOT_EXP|SSL_HIGH,
+       0,
+       128,
+       128,
+       },
 
        /* Cipher C005 */
-           {
-            1,
-            TLS1_TXT_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
-            TLS1_CK_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
-            SSL_kECDHe|SSL_aECDH|SSL_AES|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP|SSL_HIGH,
-            0,
-            256,
-            256,
-            SSL_ALL_CIPHERS,
-            SSL_ALL_STRENGTHS,
-            },
+       {
+       1,
+       TLS1_TXT_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
+       TLS1_CK_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
+       SSL_kECDHe,
+       SSL_aECDH,
+       SSL_AES256,
+       SSL_SHA1,
+       SSL_TLSV1,
+       SSL_NOT_EXP|SSL_HIGH,
+       0,
+       256,
+       256,
+       },
 
        /* Cipher C006 */
-           {
-            1,
-            TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA,
-            TLS1_CK_ECDHE_ECDSA_WITH_NULL_SHA,
-            SSL_kEECDH|SSL_aECDSA|SSL_eNULL|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP,
-            0,
-            0,
-            0,
-            SSL_ALL_CIPHERS,
-            SSL_ALL_STRENGTHS,
-            },
+       {
+       1,
+       TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA,
+       TLS1_CK_ECDHE_ECDSA_WITH_NULL_SHA,
+       SSL_kEECDH,
+       SSL_aECDSA,
+       SSL_eNULL,
+       SSL_SHA1,
+       SSL_TLSV1,
+       SSL_NOT_EXP,
+       0,
+       0,
+       0,
+       },
 
        /* Cipher C007 */
-           {
-            1,
-            TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA,
-            TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA,
-            SSL_kEECDH|SSL_aECDSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP,
-            0,
-            128,
-            128,
-            SSL_ALL_CIPHERS,
-            SSL_ALL_STRENGTHS,
-            },
+       {
+       1,
+       TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA,
+       TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA,
+       SSL_kEECDH,
+       SSL_aECDSA,
+       SSL_RC4,
+       SSL_SHA1,
+       SSL_TLSV1,
+       SSL_NOT_EXP,
+       0,
+       128,
+       128,
+       },
 
        /* Cipher C008 */
-           {
-            1,
-            TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
-            TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
-            SSL_kEECDH|SSL_aECDSA|SSL_3DES|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP|SSL_HIGH,
-            0,
-            168,
-            168,
-            SSL_ALL_CIPHERS,
-            SSL_ALL_STRENGTHS,
-            },
+       {
+       1,
+       TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
+       TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
+       SSL_kEECDH,
+       SSL_aECDSA,
+       SSL_3DES,
+       SSL_SHA1,
+       SSL_TLSV1,
+       SSL_NOT_EXP|SSL_HIGH,
+       0,
+       168,
+       168,
+       },
 
        /* Cipher C009 */
-           {
-            1,
-            TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
-            TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
-            SSL_kEECDH|SSL_aECDSA|SSL_AES|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP|SSL_HIGH,
-            0,
-            128,
-            128,
-            SSL_ALL_CIPHERS,
-            SSL_ALL_STRENGTHS,
-            },
+       {
+       1,
+       TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+       TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+       SSL_kEECDH,
+       SSL_aECDSA,
+       SSL_AES128,
+       SSL_SHA1,
+       SSL_TLSV1,
+       SSL_NOT_EXP|SSL_HIGH,
+       0,
+       128,
+       128,
+       },
 
        /* Cipher C00A */
-           {
-            1,
-            TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
-            TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
-            SSL_kEECDH|SSL_aECDSA|SSL_AES|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP|SSL_HIGH,
-            0,
-            256,
-            256,
-            SSL_ALL_CIPHERS,
-            SSL_ALL_STRENGTHS,
-            },
+       {
+       1,
+       TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+       TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+       SSL_kEECDH,
+       SSL_aECDSA,
+       SSL_AES256,
+       SSL_SHA1,
+       SSL_TLSV1,
+       SSL_NOT_EXP|SSL_HIGH,
+       0,
+       256,
+       256,
+       },
 
        /* Cipher C00B */
-           {
-            1,
-            TLS1_TXT_ECDH_RSA_WITH_NULL_SHA,
-            TLS1_CK_ECDH_RSA_WITH_NULL_SHA,
-            SSL_kECDHr|SSL_aECDH|SSL_eNULL|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP,
-            0,
-            0,
-            0,
-            SSL_ALL_CIPHERS,
-            SSL_ALL_STRENGTHS,
-            },
+       {
+       1,
+       TLS1_TXT_ECDH_RSA_WITH_NULL_SHA,
+       TLS1_CK_ECDH_RSA_WITH_NULL_SHA,
+       SSL_kECDHr,
+       SSL_aECDH,
+       SSL_eNULL,
+       SSL_SHA1,
+       SSL_TLSV1,
+       SSL_NOT_EXP,
+       0,
+       0,
+       0,
+       },
 
        /* Cipher C00C */
-           {
-            1,
-            TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA,
-            TLS1_CK_ECDH_RSA_WITH_RC4_128_SHA,
-            SSL_kECDHr|SSL_aECDH|SSL_RC4|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP,
-            0,
-            128,
-            128,
-            SSL_ALL_CIPHERS,
-            SSL_ALL_STRENGTHS,
-            },
+       {
+       1,
+       TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA,
+       TLS1_CK_ECDH_RSA_WITH_RC4_128_SHA,
+       SSL_kECDHr,
+       SSL_aECDH,
+       SSL_RC4,
+       SSL_SHA1,
+       SSL_TLSV1,
+       SSL_NOT_EXP,
+       0,
+       128,
+       128,
+       },
 
        /* Cipher C00D */
-           {
-            1,
-            TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA,
-            TLS1_CK_ECDH_RSA_WITH_DES_192_CBC3_SHA,
-            SSL_kECDHr|SSL_aECDH|SSL_3DES|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP|SSL_HIGH,
-            0,
-            168,
-            168,
-            SSL_ALL_CIPHERS,
-            SSL_ALL_STRENGTHS,
-            },
+       {
+       1,
+       TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA,
+       TLS1_CK_ECDH_RSA_WITH_DES_192_CBC3_SHA,
+       SSL_kECDHr,
+       SSL_aECDH,
+       SSL_3DES,
+       SSL_SHA1,
+       SSL_TLSV1,
+       SSL_NOT_EXP|SSL_HIGH,
+       0,
+       168,
+       168,
+       },
 
        /* Cipher C00E */
-           {
-            1,
-            TLS1_TXT_ECDH_RSA_WITH_AES_128_CBC_SHA,
-            TLS1_CK_ECDH_RSA_WITH_AES_128_CBC_SHA,
-            SSL_kECDHr|SSL_aECDH|SSL_AES|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP|SSL_HIGH,
-            0,
-            128,
-            128,
-            SSL_ALL_CIPHERS,
-            SSL_ALL_STRENGTHS,
-            },
+       {
+       1,
+       TLS1_TXT_ECDH_RSA_WITH_AES_128_CBC_SHA,
+       TLS1_CK_ECDH_RSA_WITH_AES_128_CBC_SHA,
+       SSL_kECDHr,
+       SSL_aECDH,
+       SSL_AES128,
+       SSL_SHA1,
+       SSL_TLSV1,
+       SSL_NOT_EXP|SSL_HIGH,
+       0,
+       128,
+       128,
+       },
 
        /* Cipher C00F */
-           {
-            1,
-            TLS1_TXT_ECDH_RSA_WITH_AES_256_CBC_SHA,
-            TLS1_CK_ECDH_RSA_WITH_AES_256_CBC_SHA,
-            SSL_kECDHr|SSL_aECDH|SSL_AES|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP|SSL_HIGH,
-            0,
-            256,
-            256,
-            SSL_ALL_CIPHERS,
-            SSL_ALL_STRENGTHS,
-            },
+       {
+       1,
+       TLS1_TXT_ECDH_RSA_WITH_AES_256_CBC_SHA,
+       TLS1_CK_ECDH_RSA_WITH_AES_256_CBC_SHA,
+       SSL_kECDHr,
+       SSL_aECDH,
+       SSL_AES256,
+       SSL_SHA1,
+       SSL_TLSV1,
+       SSL_NOT_EXP|SSL_HIGH,
+       0,
+       256,
+       256,
+       },
 
        /* Cipher C010 */
-           {
-            1,
-            TLS1_TXT_ECDHE_RSA_WITH_NULL_SHA,
-            TLS1_CK_ECDHE_RSA_WITH_NULL_SHA,
-            SSL_kEECDH|SSL_aRSA|SSL_eNULL|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP,
-            0,
-            0,
-            0,
-            SSL_ALL_CIPHERS,
-            SSL_ALL_STRENGTHS,
-            },
+       {
+       1,
+       TLS1_TXT_ECDHE_RSA_WITH_NULL_SHA,
+       TLS1_CK_ECDHE_RSA_WITH_NULL_SHA,
+       SSL_kEECDH,
+       SSL_aRSA,
+       SSL_eNULL,
+       SSL_SHA1,
+       SSL_TLSV1,
+       SSL_NOT_EXP,
+       0,
+       0,
+       0,
+       },
 
        /* Cipher C011 */
-           {
-            1,
-            TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA,
-            TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA,
-            SSL_kEECDH|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP,
-            0,
-            128,
-            128,
-            SSL_ALL_CIPHERS,
-            SSL_ALL_STRENGTHS,
-            },
+       {
+       1,
+       TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA,
+       TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA,
+       SSL_kEECDH,
+       SSL_aRSA,
+       SSL_RC4,
+       SSL_SHA1,
+       SSL_TLSV1,
+       SSL_NOT_EXP,
+       0,
+       128,
+       128,
+       },
 
        /* Cipher C012 */
-           {
-            1,
-            TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
-            TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
-            SSL_kEECDH|SSL_aRSA|SSL_3DES|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP|SSL_HIGH,
-            0,
-            168,
-            168,
-            SSL_ALL_CIPHERS,
-            SSL_ALL_STRENGTHS,
-            },
+       {
+       1,
+       TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
+       TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
+       SSL_kEECDH,
+       SSL_aRSA,
+       SSL_3DES,
+       SSL_SHA1,
+       SSL_TLSV1,
+       SSL_NOT_EXP|SSL_HIGH,
+       0,
+       168,
+       168,
+       },
 
        /* Cipher C013 */
-           {
-            1,
-            TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,
-            TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
-            SSL_kEECDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP|SSL_HIGH,
-            0,
-            128,
-            128,
-            SSL_ALL_CIPHERS,
-            SSL_ALL_STRENGTHS,
-            },
+       {
+       1,
+       TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+       TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+       SSL_kEECDH,
+       SSL_aRSA,
+       SSL_AES128,
+       SSL_SHA1,
+       SSL_TLSV1,
+       SSL_NOT_EXP|SSL_HIGH,
+       0,
+       128,
+       128,
+       },
 
        /* Cipher C014 */
-           {
-            1,
-            TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA,
-            TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
-            SSL_kEECDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP|SSL_HIGH,
-            0,
-            256,
-            256,
-            SSL_ALL_CIPHERS,
-            SSL_ALL_STRENGTHS,
-            },
+       {
+       1,
+       TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+       TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+       SSL_kEECDH,
+       SSL_aRSA,
+       SSL_AES256,
+       SSL_SHA1,
+       SSL_TLSV1,
+       SSL_NOT_EXP|SSL_HIGH,
+       0,
+       256,
+       256,
+       },
 
        /* Cipher C015 */
-            {
-            1,
-            TLS1_TXT_ECDH_anon_WITH_NULL_SHA,
-            TLS1_CK_ECDH_anon_WITH_NULL_SHA,
-            SSL_kEECDH|SSL_aNULL|SSL_eNULL|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP,
-            0,
-            0,
-            0,
-            SSL_ALL_CIPHERS,
-            SSL_ALL_STRENGTHS,
-           },
+       {
+       1,
+       TLS1_TXT_ECDH_anon_WITH_NULL_SHA,
+       TLS1_CK_ECDH_anon_WITH_NULL_SHA,
+       SSL_kEECDH,
+       SSL_aNULL,
+       SSL_eNULL,
+       SSL_SHA1,
+       SSL_TLSV1,
+       SSL_NOT_EXP,
+       0,
+       0,
+       0,
+       },
 
        /* Cipher C016 */
-            {
-            1,
-            TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA,
-            TLS1_CK_ECDH_anon_WITH_RC4_128_SHA,
-            SSL_kEECDH|SSL_aNULL|SSL_RC4|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP,
-            0,
-            128,
-            128,
-            SSL_ALL_CIPHERS,
-            SSL_ALL_STRENGTHS,
-           },
+       {
+       1,
+       TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA,
+       TLS1_CK_ECDH_anon_WITH_RC4_128_SHA,
+       SSL_kEECDH,
+       SSL_aNULL,
+       SSL_RC4,
+       SSL_SHA1,
+       SSL_TLSV1,
+       SSL_NOT_EXP,
+       0,
+       128,
+       128,
+       },
 
        /* Cipher C017 */
-           {
-            1,
-            TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA,
-            TLS1_CK_ECDH_anon_WITH_DES_192_CBC3_SHA,
-            SSL_kEECDH|SSL_aNULL|SSL_3DES|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP|SSL_HIGH,
-            0,
-            168,
-            168,
-            SSL_ALL_CIPHERS,
-            SSL_ALL_STRENGTHS,
-            },
+       {
+       1,
+       TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA,
+       TLS1_CK_ECDH_anon_WITH_DES_192_CBC3_SHA,
+       SSL_kEECDH,
+       SSL_aNULL,
+       SSL_3DES,
+       SSL_SHA1,
+       SSL_TLSV1,
+       SSL_NOT_EXP|SSL_HIGH,
+       0,
+       168,
+       168,
+       },
 
        /* Cipher C018 */
-           {
-            1,
-            TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA,
-            TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA,
-            SSL_kEECDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP|SSL_HIGH,
-            0,
-            128,
-            128,
-            SSL_ALL_CIPHERS,
-            SSL_ALL_STRENGTHS,
-            },
+       {
+       1,
+       TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA,
+       TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA,
+       SSL_kEECDH,
+       SSL_aNULL,
+       SSL_AES128,
+       SSL_SHA1,
+       SSL_TLSV1,
+       SSL_NOT_EXP|SSL_HIGH,
+       0,
+       128,
+       128,
+       },
 
        /* Cipher C019 */
-           {
-            1,
-            TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA,
-            TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA,
-            SSL_kEECDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
-            SSL_NOT_EXP|SSL_HIGH,
-            0,
-            256,
-            256,
-            SSL_ALL_CIPHERS,
-            SSL_ALL_STRENGTHS,
-            },
+       {
+       1,
+       TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA,
+       TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA,
+       SSL_kEECDH,
+       SSL_aNULL,
+       SSL_AES256,
+       SSL_SHA1,
+       SSL_TLSV1,
+       SSL_NOT_EXP|SSL_HIGH,
+       0,
+       256,
+       256,
+       },
 #endif /* OPENSSL_NO_ECDH */
 
-
 /* end of list */
        };
 
@@ -2221,7 +2473,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 #endif /* OPENSSL_NO_EC */
 #endif /* OPENSSL_NO_TLSEXT */
        CERT *cert;
-       unsigned long alg,mask,emask;
+       unsigned long alg_k,alg_a,mask_k,mask_a,emask_k,emask_a;
 
        /* Let's see which ciphers we can support */
        cert=s->cert;
@@ -2267,16 +2519,20 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
                c=sk_SSL_CIPHER_value(prio,i);
 
                ssl_set_cert_masks(cert,c);
-               mask=cert->mask;
-               emask=cert->export_mask;
+               mask_k = cert->mask_k;
+               mask_a = cert->mask_a;
+               emask_k = cert->export_mask_k;
+               emask_a = cert->export_mask_a;
                        
 #ifdef KSSL_DEBUG
                printf("ssl3_choose_cipher %d alg= %lx\n", i,c->algorithms);
 #endif    /* KSSL_DEBUG */
 
-               alg=c->algorithms&(SSL_MKEY_MASK|SSL_AUTH_MASK);
+               alg_k=c->algorithm_mkey;
+               alg_a=c->algorithm_auth;
+
 #ifndef OPENSSL_NO_KRB5
-                if (alg & SSL_KRB5) 
+                if (alg_k & SSL_kKRB5)
                         {
                         if ( !kssl_keytab_is_available(s->kssl_ctx) )
                             continue;
@@ -2284,23 +2540,23 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 #endif /* OPENSSL_NO_KRB5 */
 #ifndef OPENSSL_NO_PSK
                /* with PSK there must be server callback set */
-               if ((alg & SSL_PSK) && s->psk_server_callback == NULL)
+               if ((alg_k & SSL_kPSK) && s->psk_server_callback == NULL)
                        continue;
 #endif /* OPENSSL_NO_PSK */
 
                if (SSL_C_IS_EXPORT(c))
                        {
-                       ok=((alg & emask) == alg)?1:0;
+                       ok = (alg_k & emask_k) && (alg_a & emask_a);
 #ifdef CIPHER_DEBUG
-                       printf("%d:[%08lX:%08lX]%p:%s (export)\n",ok,alg,emask,
+                       printf("%d:[%08lX:%08lX:%08lX:%08lX]%p:%s (export)\n",ok,alg_k,alg_a,emask_k,emask_a,
                               c,c->name);
 #endif
                        }
                else
                        {
-                       ok=((alg & mask) == alg)?1:0;
+                       ok = (alg_k & mask_k) && (alg_a & mask_a);
 #ifdef CIPHER_DEBUG
-                       printf("%d:[%08lX:%08lX]%p:%s\n",ok,alg,mask,c,
+                       printf("%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n",ok,alg_k,alg_a,mask_k,mask_a,c,
                               c->name);
 #endif
                        }
@@ -2309,7 +2565,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 #ifndef OPENSSL_NO_EC
                if (
                        /* if we are considering an ECC cipher suite that uses our certificate */
-                       (alg & SSL_aECDSA || alg & SSL_aECDH)
+                       (alg_a & SSL_aECDSA || alg_a & SSL_aECDH)
                        /* and we have an ECC certificate */
                        && (s->cert->pkeys[SSL_PKEY_ECC].x509 != NULL)
                        /* and the client specified a Supported Point Formats extension */
@@ -2361,7 +2617,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
                        }
                if (
                        /* if we are considering an ECC cipher suite that uses our certificate */
-                       (alg & SSL_aECDSA || alg & SSL_aECDH)
+                       (alg_a & SSL_aECDSA || alg_a & SSL_aECDH)
                        /* and we have an ECC certificate */
                        && (s->cert->pkeys[SSL_PKEY_ECC].x509 != NULL)
                        /* and the client specified an EllipticCurves extension */
@@ -2411,7 +2667,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
                        }
                if (
                        /* if we are considering an ECC cipher suite that uses an ephemeral EC key */
-                       (alg & SSL_kEECDH)
+                       (alg_k & SSL_kEECDH)
                        /* and we have an ephemeral EC key */
                        && (s->cert->ecdh_tmp != NULL)
                        /* and the client specified an EllipticCurves extension */
@@ -2473,12 +2729,12 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 int ssl3_get_req_cert_type(SSL *s, unsigned char *p)
        {
        int ret=0;
-       unsigned long alg;
+       unsigned long alg_k;
 
-       alg=s->s3->tmp.new_cipher->algorithms;
+       alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
 
 #ifndef OPENSSL_NO_DH
-       if (alg & (SSL_kDHr|SSL_kEDH))
+       if (alg_k & (SSL_kDHr|SSL_kEDH))
                {
 #  ifndef OPENSSL_NO_RSA
                p[ret++]=SSL3_CT_RSA_FIXED_DH;
@@ -2488,7 +2744,7 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p)
 #  endif
                }
        if ((s->version == SSL3_VERSION) &&
-               (alg & (SSL_kEDH|SSL_kDHd|SSL_kDHr)))
+               (alg_k & (SSL_kEDH|SSL_kDHd|SSL_kDHr)))
                {
 #  ifndef OPENSSL_NO_RSA
                p[ret++]=SSL3_CT_RSA_EPHEMERAL_DH;
@@ -2505,10 +2761,7 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p)
        p[ret++]=SSL3_CT_DSS_SIGN;
 #endif
 #ifndef OPENSSL_NO_ECDH
-       /* We should ask for fixed ECDH certificates only
-        * for SSL_kECDH (and not SSL_kEECDH)
-        */
-       if ((alg & SSL_kECDH) && (s->version >= TLS1_VERSION))
+       if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->version >= TLS1_VERSION))
                {
                p[ret++]=TLS_CT_RSA_FIXED_ECDH;
                p[ret++]=TLS_CT_ECDSA_FIXED_ECDH;
index 11828d3..e7452dc 100644 (file)
@@ -56,7 +56,7 @@
  * [including the GNU Public Licence.]
  */
 /* ====================================================================
- * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -186,7 +186,7 @@ IMPLEMENT_ssl3_meth_func(SSLv3_server_method,
 int ssl3_accept(SSL *s)
        {
        BUF_MEM *buf;
-       unsigned long l,Time=(unsigned long)time(NULL);
+       unsigned long alg_k,Time=(unsigned long)time(NULL);
        void (*cb)(const SSL *ssl,int type,int val)=NULL;
        long num1;
        int ret= -1;
@@ -325,9 +325,9 @@ int ssl3_accept(SSL *s)
                case SSL3_ST_SW_CERT_B:
                        /* Check if it is anon DH or anon ECDH, */
                        /* normal PSK or KRB5 */
-                       if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL)
-                               && !(s->s3->tmp.new_cipher->algorithms & SSL_kPSK)
-                               && !(s->s3->tmp.new_cipher->algorithms & SSL_aKRB5))
+                       if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
+                               && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)
+                               && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5))
                                {
                                ret=ssl3_send_server_certificate(s);
                                if (ret <= 0) goto end;
@@ -340,13 +340,13 @@ int ssl3_accept(SSL *s)
 
                case SSL3_ST_SW_KEY_EXCH_A:
                case SSL3_ST_SW_KEY_EXCH_B:
-                       l=s->s3->tmp.new_cipher->algorithms;
+                       alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
 
                        /* clear this, it may get reset by
                         * send_server_key_exchange */
                        if ((s->options & SSL_OP_EPHEMERAL_RSA)
 #ifndef OPENSSL_NO_KRB5
-                               && !(l & SSL_KRB5)
+                               && !(alg_k & SSL_kKRB5)
 #endif /* OPENSSL_NO_KRB5 */
                                )
                                /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
@@ -373,11 +373,11 @@ int ssl3_accept(SSL *s)
                        /* PSK: send ServerKeyExchange if PSK identity
                         * hint if provided */
 #ifndef OPENSSL_NO_PSK
-                           || ((l & SSL_kPSK) && s->ctx->psk_identity_hint)
+                           || ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint)
 #endif
-                           || (l & SSL_DH)
-                           || (l & SSL_kEECDH)
-                           || ((l & SSL_kRSA)
+                           || (alg_k & (SSL_kDHr|SSL_kDHd|SSL_kEDH))
+                           || (alg_k & SSL_kEECDH)
+                           || ((alg_k & SSL_kRSA)
                                && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
                                    || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)
                                        && EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)
@@ -407,15 +407,15 @@ int ssl3_accept(SSL *s)
                                /* never request cert in anonymous ciphersuites
                                 * (see section "Certificate request" in SSL 3 drafts
                                 * and in RFC 2246): */
-                               ((s->s3->tmp.new_cipher->algorithms & SSL_aNULL) &&
+                               ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
                                 /* ... except when the application insists on verification
                                  * (against the specs, but s3_clnt.c accepts this for SSL 3) */
                                 !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
-                                 /* never request cert in Kerberos ciphersuites */
-                                (s->s3->tmp.new_cipher->algorithms & SSL_aKRB5)
+                                /* never request cert in Kerberos ciphersuites */
+                               (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)
                                /* With normal PSK Certificates and
                                 * Certificate Requests are omitted */
-                                || (s->s3->tmp.new_cipher->algorithms & SSL_kPSK))
+                               || (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
                                {
                                /* no cert request */
                                skip=1;
@@ -1025,7 +1025,7 @@ int ssl3_get_client_hello(SSL *s)
                        for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
                                {
                                c=sk_SSL_CIPHER_value(sk,i);
-                               if (c->algorithms & SSL_eNULL)
+                               if (c->algorithm_enc & SSL_eNULL)
                                        nc=c;
                                if (SSL_C_IS_EXPORT(c))
                                        ec=c;
@@ -1209,7 +1209,7 @@ int ssl3_send_server_key_exchange(SSL *s)
        EVP_MD_CTX_init(&md_ctx);
        if (s->state == SSL3_ST_SW_KEY_EXCH_A)
                {
-               type=s->s3->tmp.new_cipher->algorithms & SSL_MKEY_MASK;
+               type=s->s3->tmp.new_cipher->algorithm_mkey;
                cert=s->cert;
 
                buf=s->init_buf;
@@ -1450,8 +1450,8 @@ int ssl3_send_server_key_exchange(SSL *s)
                        n+=2+nr[i];
                        }
 
-               if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL)
-                       && !(s->s3->tmp.new_cipher->algorithms & SSL_kPSK))
+               if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
+                       && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
                        {
                        if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher))
                                == NULL)
@@ -1712,7 +1712,7 @@ int ssl3_get_client_key_exchange(SSL *s)
        {
        int i,al,ok;
        long n;
-       unsigned long l;
+       unsigned long alg_k;
        unsigned char *p;
 #ifndef OPENSSL_NO_RSA
        RSA *rsa=NULL;
@@ -1723,7 +1723,7 @@ int ssl3_get_client_key_exchange(SSL *s)
        DH *dh_srvr;
 #endif
 #ifndef OPENSSL_NO_KRB5
-        KSSL_ERR kssl_err;
+       KSSL_ERR kssl_err;
 #endif /* OPENSSL_NO_KRB5 */
 
 #ifndef OPENSSL_NO_ECDH
@@ -1743,10 +1743,10 @@ int ssl3_get_client_key_exchange(SSL *s)
        if (!ok) return((int)n);
        p=(unsigned char *)s->init_msg;
 
-       l=s->s3->tmp.new_cipher->algorithms;
+       alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
 
 #ifndef OPENSSL_NO_RSA
-       if (l & SSL_kRSA)
+       if (alg_k & SSL_kRSA)
                {
                /* FIX THIS UP EAY EAY EAY EAY */
                if (s->s3->tmp.use_rsa_tmp)
@@ -1852,7 +1852,7 @@ int ssl3_get_client_key_exchange(SSL *s)
        else
 #endif
 #ifndef OPENSSL_NO_DH
-               if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
+               if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
                {
                n2s(p,i);
                if (n != i+2)
@@ -1915,25 +1915,25 @@ int ssl3_get_client_key_exchange(SSL *s)
        else
 #endif
 #ifndef OPENSSL_NO_KRB5
-        if (l & SSL_kKRB5)
-                {
-                krb5_error_code                krb5rc;
+       if (alg_k & SSL_kKRB5)
+               {
+               krb5_error_code         krb5rc;
                krb5_data               enc_ticket;
                krb5_data               authenticator;
                krb5_data               enc_pms;
-                KSSL_CTX               *kssl_ctx = s->kssl_ctx;
+               KSSL_CTX                *kssl_ctx = s->kssl_ctx;
                EVP_CIPHER_CTX          ciph_ctx;
                EVP_CIPHER              *enc = NULL;
                unsigned char           iv[EVP_MAX_IV_LENGTH];
                unsigned char           pms[SSL_MAX_MASTER_KEY_LENGTH
-                                               + EVP_MAX_BLOCK_LENGTH];
-               int                     padl, outl;
+                                              + EVP_MAX_BLOCK_LENGTH];
+               int                  padl, outl;
                krb5_timestamp          authtime = 0;
                krb5_ticket_times       ttimes;
 
                EVP_CIPHER_CTX_init(&ciph_ctx);
 
-                if (!kssl_ctx)  kssl_ctx = kssl_ctx_new();
+               if (!kssl_ctx)  kssl_ctx = kssl_ctx_new();
 
                n2s(p,i);
                enc_ticket.length = i;
@@ -1984,19 +1984,19 @@ int ssl3_get_client_key_exchange(SSL *s)
                        goto err;
                        }
 
-                if ((krb5rc = kssl_sget_tkt(kssl_ctx, &enc_ticket, &ttimes,
+               if ((krb5rc = kssl_sget_tkt(kssl_ctx, &enc_ticket, &ttimes,
                                        &kssl_err)) != 0)
-                        {
+                       {
 #ifdef KSSL_DEBUG
-                        printf("kssl_sget_tkt rtn %d [%d]\n",
-                                krb5rc, kssl_err.reason);
-                        if (kssl_err.text)
-                                printf("kssl_err text= %s\n", kssl_err.text);
+                       printf("kssl_sget_tkt rtn %d [%d]\n",
+                               krb5rc, kssl_err.reason);
+                       if (kssl_err.text)
+                               printf("kssl_err text= %s\n", kssl_err.text);
 #endif /* KSSL_DEBUG */
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                                kssl_err.reason);
-                        goto err;
-                        }
+                       SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+                               kssl_err.reason);
+                       goto err;
+                       }
 
                /*  Note: no authenticator is not considered an error,
                **  but will return authtime == 0.
@@ -2005,29 +2005,29 @@ int ssl3_get_client_key_exchange(SSL *s)
                                        &authtime, &kssl_err)) != 0)
                        {
 #ifdef KSSL_DEBUG
-                        printf("kssl_check_authent rtn %d [%d]\n",
-                                krb5rc, kssl_err.reason);
-                        if (kssl_err.text)
-                                printf("kssl_err text= %s\n", kssl_err.text);
+                       printf("kssl_check_authent rtn %d [%d]\n",
+                               krb5rc, kssl_err.reason);
+                       if (kssl_err.text)
+                               printf("kssl_err text= %s\n", kssl_err.text);
 #endif /* KSSL_DEBUG */
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                                kssl_err.reason);
-                        goto err;
+                       SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+                               kssl_err.reason);
+                       goto err;
                        }
 
                if ((krb5rc = kssl_validate_times(authtime, &ttimes)) != 0)
                        {
                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, krb5rc);
-                        goto err;
+                       goto err;
                        }
 
 #ifdef KSSL_DEBUG
-                kssl_ctx_show(kssl_ctx);
+               kssl_ctx_show(kssl_ctx);
 #endif /* KSSL_DEBUG */
 
                enc = kssl_map_enc(kssl_ctx->enctype);
-                if (enc == NULL)
-                    goto err;
+               if (enc == NULL)
+                   goto err;
 
                memset(iv, 0, sizeof iv);       /* per RFC 1510 */
 
@@ -2075,7 +2075,7 @@ int ssl3_get_client_key_exchange(SSL *s)
                     */
                    if (!((s->options & SSL_OP_TLS_ROLLBACK_BUG) &&
                           (p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff))))
-                       {
+                       {
                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
                               SSL_AD_DECODE_ERROR);
                        goto err;
@@ -2084,32 +2084,32 @@ int ssl3_get_client_key_exchange(SSL *s)
 
                EVP_CIPHER_CTX_cleanup(&ciph_ctx);
 
-                s->session->master_key_length=
-                        s->method->ssl3_enc->generate_master_secret(s,
-                                s->session->master_key, pms, outl);
+               s->session->master_key_length=
+                       s->method->ssl3_enc->generate_master_secret(s,
+                               s->session->master_key, pms, outl);
 
-                if (kssl_ctx->client_princ)
-                        {
-                        size_t len = strlen(kssl_ctx->client_princ);
-                        if ( len < SSL_MAX_KRB5_PRINCIPAL_LENGTH ) 
-                                {
-                                s->session->krb5_client_princ_len = len;
-                                memcpy(s->session->krb5_client_princ,kssl_ctx->client_princ,len);
-                                }
-                        }
+               if (kssl_ctx->client_princ)
+                       {
+                       size_t len = strlen(kssl_ctx->client_princ);
+                       if ( len < SSL_MAX_KRB5_PRINCIPAL_LENGTH ) 
+                               {
+                               s->session->krb5_client_princ_len = len;
+                               memcpy(s->session->krb5_client_princ,kssl_ctx->client_princ,len);
+                               }
+                       }
 
 
-                /*  Was doing kssl_ctx_free() here,
+               /*  Was doing kssl_ctx_free() here,
                **  but it caused problems for apache.
-                **  kssl_ctx = kssl_ctx_free(kssl_ctx);
-                **  if (s->kssl_ctx)  s->kssl_ctx = NULL;
-                */
-                }
+               **  kssl_ctx = kssl_ctx_free(kssl_ctx);
+               **  if (s->kssl_ctx)  s->kssl_ctx = NULL;
+               */
+               }
        else
 #endif /* OPENSSL_NO_KRB5 */
 
 #ifndef OPENSSL_NO_ECDH
-               if ((l & SSL_kECDH) || (l & SSL_kEECDH))
+               if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe))
                {
                int ret = 1;
                int field_size = 0;
@@ -2117,18 +2117,18 @@ int ssl3_get_client_key_exchange(SSL *s)
                const EC_GROUP *group;
                const BIGNUM *priv_key;
 
-                /* initialize structures for server's ECDH key pair */
+               /* initialize structures for server's ECDH key pair */
                if ((srvr_ecdh = EC_KEY_new()) == NULL) 
                        {
-                       SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+                       SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
                            ERR_R_MALLOC_FAILURE);
-                       goto err;
+                       goto err;
                        }
 
                /* Let's get server private key and group information */
-               if (l & SSL_kECDH) 
+               if (alg_k & (SSL_kECDHr|SSL_kECDHe))
                        { 
-                        /* use the certificate */
+                       /* use the certificate */
                        tkey = s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec;
                        }
                else
@@ -2158,20 +2158,20 @@ int ssl3_get_client_key_exchange(SSL *s)
                        goto err;
                        }
 
-                if (n == 0L) 
-                        {
+               if (n == 0L) 
+                       {
                        /* Client Publickey was in Client Certificate */
 
-                        if (l & SSL_kEECDH)
+                        if (alg_k & SSL_kEECDH)
                                 {
                                 al=SSL_AD_HANDSHAKE_FAILURE;
                                 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_ECDH_KEY);
                                 goto f_err;
                                 }
-                        if (((clnt_pub_pkey=X509_get_pubkey(s->session->peer))
+                       if (((clnt_pub_pkey=X509_get_pubkey(s->session->peer))
                            == NULL) || 
                            (clnt_pub_pkey->type != EVP_PKEY_EC))
-                               {
+                               {
                                /* XXX: For now, we do not support client
                                 * authentication using ECDH certificates
                                 * so this branch (n == 0L) of the code is
@@ -2183,11 +2183,11 @@ int ssl3_get_client_key_exchange(SSL *s)
                                 * the two ECDH shares are for the same
                                 * group.
                                 */
-                               al=SSL_AD_HANDSHAKE_FAILURE;
-                               SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+                               al=SSL_AD_HANDSHAKE_FAILURE;
+                               SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
                                    SSL_R_UNABLE_TO_DECODE_ECDH_CERTS);
-                               goto f_err;
-                               }
+                               goto f_err;
+                               }
 
                        if (EC_POINT_copy(clnt_ecpoint,
                            EC_KEY_get0_public_key(clnt_pub_pkey->pkey.ec)) == 0)
@@ -2196,10 +2196,10 @@ int ssl3_get_client_key_exchange(SSL *s)
                                        ERR_R_EC_LIB);
                                goto err;
                                }
-                        ret = 2; /* Skip certificate verify processing */
-                        }
-                else
-                        {
+                       ret = 2; /* Skip certificate verify processing */
+                       }
+               else
+                       {
                        /* Get client's public key from encoded point
                         * in the ClientKeyExchange message.
                         */
@@ -2210,21 +2210,21 @@ int ssl3_get_client_key_exchange(SSL *s)
                                goto err;
                                }
 
-                        /* Get encoded point length */
-                        i = *p; 
+                       /* Get encoded point length */
+                       i = *p; 
                        p += 1;
-                        if (EC_POINT_oct2point(group, 
+                       if (EC_POINT_oct2point(group, 
                            clnt_ecpoint, p, i, bn_ctx) == 0)
                                {
                                SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
                                    ERR_R_EC_LIB);
                                goto err;
                                }
-                        /* p is pointing to somewhere in the buffer
-                         * currently, so set it to the start 
-                         */ 
-                        p=(unsigned char *)s->init_buf->data;
-                        }
+                       /* p is pointing to somewhere in the buffer
+                        * currently, so set it to the start 
+                        */ 
+                       p=(unsigned char *)s->init_buf->data;
+                       }
 
                /* Compute the shared pre-master secret */
                field_size = EC_GROUP_get_degree(group);
@@ -2235,12 +2235,12 @@ int ssl3_get_client_key_exchange(SSL *s)
                        goto err;
                        }
                i = ECDH_compute_key(p, (field_size+7)/8, clnt_ecpoint, srvr_ecdh, NULL);
-                if (i <= 0)
-                        {
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+               if (i <= 0)
+                       {
+                       SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
                            ERR_R_ECDH_LIB);
-                        goto err;
-                        }
+                       goto err;
+                       }
 
                EVP_PKEY_free(clnt_pub_pkey);
                EC_POINT_free(clnt_ecpoint);
@@ -2249,16 +2249,16 @@ int ssl3_get_client_key_exchange(SSL *s)
                BN_CTX_free(bn_ctx);
 
                /* Compute the master secret */
-                s->session->master_key_length = s->method->ssl3_enc-> \
+               s->session->master_key_length = s->method->ssl3_enc-> \
                    generate_master_secret(s, s->session->master_key, p, i);
                
-                OPENSSL_cleanse(p, i);
-                return (ret);
+               OPENSSL_cleanse(p, i);
+               return (ret);
                }
        else
 #endif
 #ifndef OPENSSL_NO_PSK
-               if (l & SSL_kPSK)
+               if (alg_k & SSL_kPSK)
                        {
                        unsigned char *t = NULL;
                        unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2+4];
@@ -2347,8 +2347,8 @@ int ssl3_get_client_key_exchange(SSL *s)
                        psk_err = 0;
                psk_err:
                        OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms));
-                        if (psk_err != 0)
-                                goto f_err;
+                       if (psk_err != 0)
+                               goto f_err;
                        }
                else
 #endif
@@ -2694,14 +2694,15 @@ int ssl3_send_server_certificate(SSL *s)
        if (s->state == SSL3_ST_SW_CERT_A)
                {
                x=ssl_get_server_send_cert(s);
-               if (x == NULL &&
-                        /* VRS: allow null cert if auth == KRB5 */
-                        (s->s3->tmp.new_cipher->algorithms
-                                & (SSL_MKEY_MASK|SSL_AUTH_MASK))
-                        != (SSL_aKRB5|SSL_kKRB5))
-                       {
-                       SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR);
-                       return(0);
+               if (x == NULL)
+                       {
+                       /* VRS: allow null cert if auth == KRB5 */
+                       if ((s->s3->tmp.new_cipher->algorithm_auth != SSL_aKRB5) ||
+                           (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5))
+                               {
+                               SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR);
+                               return(0);
+                               }
                        }
 
                l=ssl3_output_cert_chain(s,x);
index b55cb15..0581256 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
  * [including the GNU Public Licence.]
  */
 /* ====================================================================
- * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer. 
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-/* ====================================================================
- * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -273,10 +220,15 @@ extern "C" {
 #define SSL_MAX_KEY_ARG_LENGTH                 8
 #define SSL_MAX_MASTER_KEY_LENGTH              48
 
+
 /* These are used to specify which ciphers to use and not to use */
+
+#define SSL_TXT_EXP40          "EXPORT40"
+#define SSL_TXT_EXP56          "EXPORT56"
 #define SSL_TXT_LOW            "LOW"
 #define SSL_TXT_MEDIUM         "MEDIUM"
 #define SSL_TXT_HIGH           "HIGH"
+
 #define SSL_TXT_kFZA           "kFZA" /* unused! */
 #define        SSL_TXT_aFZA            "aFZA" /* unused! */
 #define SSL_TXT_eFZA           "eFZA" /* unused! */
@@ -289,6 +241,7 @@ extern "C" {
 #define SSL_TXT_kRSA           "kRSA"
 #define SSL_TXT_kDHr           "kDHr" /* no such ciphersuites supported! */
 #define SSL_TXT_kDHd           "kDHd" /* no such ciphersuites supported! */
+#define SSL_TXT_kDH            "kDH"  /* no such ciphersuites supported! */
 #define SSL_TXT_kEDH           "kEDH"
 #define SSL_TXT_kKRB5          "kKRB5"
 #define SSL_TXT_kECDHr         "kECDHr"
@@ -314,25 +267,31 @@ extern "C" {
 #define SSL_TXT_EECDH          "EECDH" /* same as "kEECDH:-AECDH" */
 #define SSL_TXT_AECDH          "AECDH"
 #define SSL_TXT_ECDSA          "ECDSA"
+#define SSL_TXT_KRB5           "KRB5"
+#define SSL_TXT_PSK             "PSK"
+
 #define SSL_TXT_DES            "DES"
 #define SSL_TXT_3DES           "3DES"
 #define SSL_TXT_RC4            "RC4"
 #define SSL_TXT_RC2            "RC2"
 #define SSL_TXT_IDEA           "IDEA"
+#define SSL_TXT_AES128         "AES128"
+#define SSL_TXT_AES256         "AES256"
 #define SSL_TXT_AES            "AES"
+#define SSL_TXT_CAMELLIA128    "CAMELLIA128"
+#define SSL_TXT_CAMELLIA256    "CAMELLIA256"
 #define SSL_TXT_CAMELLIA       "CAMELLIA"
+
 #define SSL_TXT_MD5            "MD5"
 #define SSL_TXT_SHA1           "SHA1"
-#define SSL_TXT_SHA            "SHA"
-#define SSL_TXT_EXP            "EXP"
-#define SSL_TXT_EXPORT         "EXPORT"
-#define SSL_TXT_EXP40          "EXPORT40"
-#define SSL_TXT_EXP56          "EXPORT56"
+#define SSL_TXT_SHA            "SHA" /* same as "SHA1" */
+
 #define SSL_TXT_SSLV2          "SSLv2"
 #define SSL_TXT_SSLV3          "SSLv3"
 #define SSL_TXT_TLSV1          "TLSv1"
-#define SSL_TXT_KRB5           "KRB5"
-#define SSL_TXT_PSK             "PSK"
+
+#define SSL_TXT_EXP            "EXP"
+#define SSL_TXT_EXPORT         "EXPORT"
 
 #define SSL_TXT_ALL            "ALL"
 
@@ -389,13 +348,18 @@ typedef struct ssl_cipher_st
        int valid;
        const char *name;               /* text name */
        unsigned long id;               /* id, 4 bytes, first is version */
-       unsigned long algorithms;       /* what ciphers are used */
+
+       /* changed in 0.9.9: these four used to be portions of a single value 'algorithms' */
+       unsigned long algorithm_mkey;   /* key exchange algorithm */
+       unsigned long algorithm_auth;   /* server authentication */
+       unsigned long algorithm_enc;    /* symmetric encryption */
+       unsigned long algorithm_mac;    /* symmetric authentication */
+       unsigned long algorithm_ssl;    /* (major) protocol version */
+
        unsigned long algo_strength;    /* strength and export flags */
        unsigned long algorithm2;       /* Extra flags */
        int strength_bits;              /* Number of bits really used */
        int alg_bits;                   /* Number of bits for algorithm */
-       unsigned long mask;             /* used for matching */
-       unsigned long mask_strength;    /* also used for matching */
        } SSL_CIPHER;
 
 DECLARE_STACK_OF(SSL_CIPHER)
index fb08009..bb07175 100644 (file)
@@ -56,7 +56,7 @@
  * [including the GNU Public Licence.]
  */
 /* ====================================================================
- * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -197,8 +197,10 @@ CERT *ssl_cert_dup(CERT *cert)
         * if you find that more readable */
 
        ret->valid = cert->valid;
-       ret->mask = cert->mask;
-       ret->export_mask = cert->export_mask;
+       ret->mask_k = cert->mask_k;
+       ret->mask_a = cert->mask_a;
+       ret->export_mask_k = cert->export_mask_k;
+       ret->export_mask_a = cert->export_mask_a;
 
 #ifndef OPENSSL_NO_RSA
        if (cert->rsa_tmp != NULL)
index 23049c7..3e94de8 100644 (file)
@@ -56,7 +56,7 @@
  * [including the GNU Public Licence.]
  */
 /* ====================================================================
- * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -191,83 +191,94 @@ typedef struct cipher_order_st
 
 static const SSL_CIPHER cipher_aliases[]={
        /* "ALL" doesn't include eNULL (must be specifically enabled) */
-       {0,SSL_TXT_ALL, 0,SSL_ALL & ~SSL_eNULL, SSL_ALL ,0,0,0,SSL_ALL,SSL_ALL},
+       {0,SSL_TXT_ALL,0,     0,0,~SSL_eNULL,0,0,0,0,0,0},
        /* "COMPLEMENTOFALL" */
-       {0,SSL_TXT_CMPALL,0,SSL_eNULL,0,0,0,0,SSL_ENC_MASK,0},
+       {0,SSL_TXT_CMPALL,0,  0,0,SSL_eNULL,0,0,0,0,0,0},
 
        /* "COMPLEMENTOFDEFAULT" (does *not* include ciphersuites not found in ALL!) */
-       {0,SSL_TXT_CMPDEF,0,SSL_ADH|SSL_AECDH|(SSL_ENC_MASK & ~SSL_eNULL), 0,0,0,0,SSL_AUTH_MASK|SSL_ENC_MASK,0},
+       {0,SSL_TXT_CMPDEF,0,  SSL_kEDH|SSL_kEECDH,SSL_aNULL,~SSL_eNULL,0,0,0,0,0,0},
 
-       /* Single key exchange bits
-        * (some of these are multiple key exchange algs according to the RFCs,
+       /* key exchange aliases
+        * (some of those using only a single bit here combine
+        * multiple key exchange algs according to the RFCs,
         * e.g. kEDH combines DHE_DSS and DHE_RSA) */
-       {0,SSL_TXT_kRSA,0,SSL_kRSA,  0,0,0,0,SSL_MKEY_MASK,0},
-       {0,SSL_TXT_kDHr,0,SSL_kDHr,  0,0,0,0,SSL_MKEY_MASK,0}, /* no such ciphersuites supported! */
-       {0,SSL_TXT_kDHd,0,SSL_kDHd,  0,0,0,0,SSL_MKEY_MASK,0}, /* no such ciphersuites supported! */
-       {0,SSL_TXT_kEDH,0,SSL_kEDH,  0,0,0,0,SSL_MKEY_MASK,0},
-       {0,SSL_TXT_kKRB5,0,SSL_kKRB5,0,0,0,0,SSL_MKEY_MASK,0},
-       {0,SSL_TXT_kECDHr,0,SSL_kECDHr,0,0,0,0,SSL_MKEY_MASK,0},
-       {0,SSL_TXT_kECDHe,0,SSL_kECDHe,0,0,0,0,SSL_MKEY_MASK,0},
-       {0,SSL_TXT_kEECDH,0,SSL_kEECDH,0,0,0,0,SSL_MKEY_MASK,0},
-        {0,SSL_TXT_kPSK,0,SSL_kPSK,  0,0,0,0,SSL_MKEY_MASK,0},
-
-       /* More key exchange aliases (combined bits) */
-       {0,SSL_TXT_DH,  0,SSL_DH,    0,0,0,0,SSL_MKEY_MASK,0},
-       {0,SSL_TXT_EDH, 0,SSL_EDH,   0,0,0,0,SSL_MKEY_MASK|SSL_AUTH_MASK,0},
-       {0,SSL_TXT_kECDH,0,SSL_kECDH,0,0,0,0,SSL_MKEY_MASK,0},
-       {0,SSL_TXT_ECDH,0,SSL_ECDH,  0,0,0,0,SSL_MKEY_MASK,0},
-       {0,SSL_TXT_EECDH,0,SSL_EECDH,0,0,0,0,SSL_MKEY_MASK|SSL_AUTH_MASK,0},
-
-       /* Single authentication bits */
-       {0,SSL_TXT_aRSA,0,SSL_aRSA,  0,0,0,0,SSL_AUTH_MASK,0},
-       {0,SSL_TXT_aDSS,0,SSL_aDSS,  0,0,0,0,SSL_AUTH_MASK,0},
-       {0,SSL_TXT_aKRB5,0,SSL_aKRB5,0,0,0,0,SSL_AUTH_MASK,0},
-       {0,SSL_TXT_aNULL,0,SSL_aNULL,0,0,0,0,SSL_AUTH_MASK,0},
-       {0,SSL_TXT_aDH, 0,SSL_aDH,   0,0,0,0,SSL_AUTH_MASK,0}, /* no such ciphersuites supported! */
-       {0,SSL_TXT_aECDH, 0,SSL_aECDH,0,0,0,0,SSL_AUTH_MASK,0},
-       {0,SSL_TXT_aECDSA, 0,SSL_aECDSA,0,0,0,0,SSL_AUTH_MASK,0},
-        {0,SSL_TXT_aPSK,0,SSL_aPSK,  0,0,0,0,SSL_AUTH_MASK,0},
-
-       /* More authentication aliases */
-       {0,SSL_TXT_DSS, 0,SSL_DSS,   0,0,0,0,SSL_AUTH_MASK,0},
-       {0,SSL_TXT_ECDSA,0,SSL_ECDSA,0,0,0,0,SSL_AUTH_MASK,0},
-
-       /* Single encryption bits */
-       {0,SSL_TXT_DES, 0,SSL_DES,   0,0,0,0,SSL_ENC_MASK,0},
-       {0,SSL_TXT_3DES,0,SSL_3DES,  0,0,0,0,SSL_ENC_MASK,0},
-       {0,SSL_TXT_RC4, 0,SSL_RC4,   0,0,0,0,SSL_ENC_MASK,0},
-       {0,SSL_TXT_RC2, 0,SSL_RC2,   0,0,0,0,SSL_ENC_MASK,0},
-#ifndef OPENSSL_NO_IDEA
-       {0,SSL_TXT_IDEA,0,SSL_IDEA,  0,0,0,0,SSL_ENC_MASK,0},
-#endif
-       {0,SSL_TXT_eNULL,0,SSL_eNULL,0,0,0,0,SSL_ENC_MASK,0},
-       {0,SSL_TXT_AES, 0,SSL_AES,   0,0,0,0,SSL_ENC_MASK,0},
-       {0,SSL_TXT_CAMELLIA,    0,SSL_CAMELLIA,   0,0,0,0,SSL_ENC_MASK,0},
-
-       /* Single MAC bits */   
-       {0,SSL_TXT_MD5, 0,SSL_MD5,   0,0,0,0,SSL_MAC_MASK,0},
-       {0,SSL_TXT_SHA1,0,SSL_SHA1,  0,0,0,0,SSL_MAC_MASK,0},
-       {0,SSL_TXT_SHA, 0,SSL_SHA,   0,0,0,0,SSL_MAC_MASK,0},
-
-       /* More aliases */
-       {0,SSL_TXT_NULL,0,SSL_NULL,  0,0,0,0,SSL_ENC_MASK,0},
-       {0,SSL_TXT_KRB5,0,SSL_KRB5,  0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0},
-       {0,SSL_TXT_RSA, 0,SSL_RSA,   0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0},
-       {0,SSL_TXT_ADH, 0,SSL_ADH,   0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0},
-       {0,SSL_TXT_AECDH,0,SSL_AECDH,0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0},
-        {0,SSL_TXT_PSK, 0,SSL_PSK,   0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0},
-
-       {0,SSL_TXT_SSLV2, 0,SSL_SSLV2, 0,0,0,0,SSL_SSL_MASK,0},
-       {0,SSL_TXT_SSLV3, 0,SSL_SSLV3, 0,0,0,0,SSL_SSL_MASK,0},
-       {0,SSL_TXT_TLSV1, 0,SSL_TLSV1, 0,0,0,0,SSL_SSL_MASK,0},
-
-       {0,SSL_TXT_EXP   ,0, 0,SSL_EXPORT, 0,0,0,0,SSL_EXP_MASK},
-       {0,SSL_TXT_EXPORT,0, 0,SSL_EXPORT, 0,0,0,0,SSL_EXP_MASK},
-       {0,SSL_TXT_EXP40, 0, 0, SSL_EXP40, 0,0,0,0,SSL_STRONG_MASK},
-       {0,SSL_TXT_EXP56, 0, 0, SSL_EXP56, 0,0,0,0,SSL_STRONG_MASK},
-       {0,SSL_TXT_LOW,   0, 0,   SSL_LOW, 0,0,0,0,SSL_STRONG_MASK},
-       {0,SSL_TXT_MEDIUM,0, 0,SSL_MEDIUM, 0,0,0,0,SSL_STRONG_MASK},
-       {0,SSL_TXT_HIGH,  0, 0,  SSL_HIGH, 0,0,0,0,SSL_STRONG_MASK},
+       {0,SSL_TXT_kRSA,0,    SSL_kRSA,  0,0,0,0,0,0,0,0},
+
+       {0,SSL_TXT_kDHr,0,    SSL_kDHr,  0,0,0,0,0,0,0,0}, /* no such ciphersuites supported! */
+       {0,SSL_TXT_kDHd,0,    SSL_kDHd,  0,0,0,0,0,0,0,0}, /* no such ciphersuites supported! */
+       {0,SSL_TXT_kDH,0,     SSL_kDHr|SSL_kDHd,0,0,0,0,0,0,0,0}, /* no such ciphersuites supported! */
+       {0,SSL_TXT_kEDH,0,    SSL_kEDH,  0,0,0,0,0,0,0,0},
+       {0,SSL_TXT_DH,0,      SSL_kDHr|SSL_kDHd|SSL_kEDH,0,0,0,0,0,0,0,0},
+
+       {0,SSL_TXT_kKRB5,0,   SSL_kKRB5, 0,0,0,0,0,0,0,0},
+
+       {0,SSL_TXT_kECDHr,0,  SSL_kECDHr,0,0,0,0,0,0,0,0},
+       {0,SSL_TXT_kECDHe,0,  SSL_kECDHe,0,0,0,0,0,0,0,0},
+       {0,SSL_TXT_kECDH,0,   SSL_kECDHr|SSL_kECDHe,0,0,0,0,0,0,0,0},
+       {0,SSL_TXT_kEECDH,0,  SSL_kEECDH,0,0,0,0,0,0,0,0},
+       {0,SSL_TXT_ECDH,0,    SSL_kECDHr|SSL_kECDHe|SSL_kEECDH,0,0,0,0,0,0,0,0},
+
+        {0,SSL_TXT_kPSK,0,    SSL_kPSK,  0,0,0,0,0,0,0,0},
+
+
+       /* server authentication aliases */
+       {0,SSL_TXT_aRSA,0,    0,SSL_aRSA,  0,0,0,0,0,0,0},
+       {0,SSL_TXT_aDSS,0,    0,SSL_aDSS,  0,0,0,0,0,0,0},
+       {0,SSL_TXT_DSS,0,     0,SSL_aDSS,   0,0,0,0,0,0,0},
+       {0,SSL_TXT_aKRB5,0,   0,SSL_aKRB5, 0,0,0,0,0,0,0},
+       {0,SSL_TXT_aNULL,0,   0,SSL_aNULL, 0,0,0,0,0,0,0},
+       {0,SSL_TXT_aDH,0,     0,SSL_aDH,   0,0,0,0,0,0,0}, /* no such ciphersuites supported! */
+       {0,SSL_TXT_aECDH,0,   0,SSL_aECDH, 0,0,0,0,0,0,0},
+       {0,SSL_TXT_aECDSA,0,  0,SSL_aECDSA,0,0,0,0,0,0,0},
+       {0,SSL_TXT_ECDSA,0,   0,SSL_aECDSA, 0,0,0,0,0,0,0},
+        {0,SSL_TXT_aPSK,0,    0,SSL_aPSK,  0,0,0,0,0,0,0},
+
+
+       /* aliases combining key exchange and server authentication */
+       {0,SSL_TXT_EDH,0,     SSL_kEDH,~SSL_aNULL,0,0,0,0,0,0,0},
+       {0,SSL_TXT_EECDH,0,   SSL_kEECDH,~SSL_aNULL,0,0,0,0,0,0,0},
+       {0,SSL_TXT_NULL,0,    0,0,SSL_eNULL, 0,0,0,0,0,0},
+       {0,SSL_TXT_KRB5,0,    SSL_kKRB5,SSL_aKRB5,0,0,0,0,0,0,0},
+       {0,SSL_TXT_RSA,0,     SSL_kRSA,SSL_aRSA,0,0,0,0,0,0,0},
+       {0,SSL_TXT_ADH,0,     SSL_kEDH,SSL_aNULL,0,0,0,0,0,0,0},
+       {0,SSL_TXT_AECDH,0,   SSL_kEECDH,SSL_aNULL,0,0,0,0,0,0,0},
+        {0,SSL_TXT_PSK,0,     SSL_kPSK,SSL_aPSK,0,0,0,0,0,0,0},
+
+
+       /* symmetric encryption aliases */
+       {0,SSL_TXT_DES,0,     0,0,SSL_DES,   0,0,0,0,0,0},
+       {0,SSL_TXT_3DES,0,    0,0,SSL_3DES,  0,0,0,0,0,0},
+       {0,SSL_TXT_RC4,0,     0,0,SSL_RC4,   0,0,0,0,0,0},
+       {0,SSL_TXT_RC2,0,     0,0,SSL_RC2,   0,0,0,0,0,0},
+       {0,SSL_TXT_IDEA,0,    0,0,SSL_IDEA,  0,0,0,0,0,0},
+       {0,SSL_TXT_eNULL,0,   0,0,SSL_eNULL, 0,0,0,0,0,0},
+       {0,SSL_TXT_AES128,0,  0,0,SSL_AES128,0,0,0,0,0,0},
+       {0,SSL_TXT_AES256,0,  0,0,SSL_AES256,0,0,0,0,0,0},
+       {0,SSL_TXT_AES,0,     0,0,SSL_AES128|SSL_AES256,0,0,0,0,0,0},
+       {0,SSL_TXT_CAMELLIA128,0,0,0,SSL_CAMELLIA128,0,0,0,0,0,0},
+       {0,SSL_TXT_CAMELLIA256,0,0,0,SSL_CAMELLIA256,0,0,0,0,0,0},
+       {0,SSL_TXT_CAMELLIA   ,0,0,0,SSL_CAMELLIA128|SSL_CAMELLIA256,0,0,0,0,0,0},
+
+       /* MAC aliases */       
+       {0,SSL_TXT_MD5,0,     0,0,0,SSL_MD5,   0,0,0,0,0},
+       {0,SSL_TXT_SHA1,0,    0,0,0,SSL_SHA1,  0,0,0,0,0},
+       {0,SSL_TXT_SHA,0,     0,0,0,SSL_SHA1,  0,0,0,0,0},
+
+       /* protocol version aliases */
+       {0,SSL_TXT_SSLV2,0,   0,0,0,0,SSL_SSLV2, 0,0,0,0},
+       {0,SSL_TXT_SSLV3,0,   0,0,0,0,SSL_SSLV3, 0,0,0,0},
+       {0,SSL_TXT_TLSV1,0,   0,0,0,0,SSL_TLSV1, 0,0,0,0},
+
+       /* export flag */
+       {0,SSL_TXT_EXP,0,     0,0,0,0,0,SSL_EXPORT,0,0,0},
+       {0,SSL_TXT_EXPORT,0,  0,0,0,0,0,SSL_EXPORT,0,0,0},
+
+       /* strength classes */
+       {0,SSL_TXT_EXP40,0,   0,0,0,0,0,SSL_EXP40, 0,0,0},
+       {0,SSL_TXT_EXP56,0,   0,0,0,0,0,SSL_EXP56, 0,0,0},
+       {0,SSL_TXT_LOW,0,     0,0,0,0,0,SSL_LOW,   0,0,0},
+       {0,SSL_TXT_MEDIUM,0,  0,0,0,0,0,SSL_MEDIUM,0,0,0},
+       {0,SSL_TXT_HIGH,0,    0,0,0,0,0,SSL_HIGH,  0,0,0},
        };
 
 void ssl_load_ciphers(void)
@@ -384,7 +395,7 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
 
        if ((enc == NULL) || (md == NULL)) return(0);
 
-       switch (c->algorithms & SSL_ENC_MASK)
+       switch (c->algorithm_enc)
                {
        case SSL_DES:
                i=SSL_ENC_DES_IDX;
@@ -404,23 +415,18 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
        case SSL_eNULL:
                i=SSL_ENC_NULL_IDX;
                break;
-       case SSL_AES:
-               switch(c->alg_bits)
-                       {
-               case 128: i=SSL_ENC_AES128_IDX; break;
-               case 256: i=SSL_ENC_AES256_IDX; break;
-               default: i=-1; break;
-                       }
+       case SSL_AES128:
+               i=SSL_ENC_AES128_IDX;
                break;
-       case SSL_CAMELLIA:
-               switch(c->alg_bits)
-                       {
-               case 128: i=SSL_ENC_CAMELLIA128_IDX; break;
-               case 256: i=SSL_ENC_CAMELLIA256_IDX; break;
-               default: i=-1; break;
-                       }
+       case SSL_AES256:
+               i=SSL_ENC_AES256_IDX;
+               break;
+       case SSL_CAMELLIA128:
+               i=SSL_ENC_CAMELLIA128_IDX;
+               break;
+       case SSL_CAMELLIA256:
+               i=SSL_ENC_CAMELLIA256_IDX;
                break;
-
        default:
                i= -1;
                break;
@@ -436,7 +442,7 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
                        *enc=ssl_cipher_methods[i];
                }
 
-       switch (c->algorithms & SSL_MAC_MASK)
+       switch (c->algorithm_mac)
                {
        case SSL_MD5:
                i=SSL_MD_MD5_IDX;
@@ -478,52 +484,67 @@ static void ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr,
        *tail=curr;
        }
 
-static unsigned long ssl_cipher_get_disabled(void)
+static void ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, unsigned long *enc, unsigned long *mac, unsigned long *ssl)
        {
-       unsigned long mask = 0;
+       *mkey = 0;
+       *auth = 0;
+       *enc = 0;
+       *mac = 0;
+       *ssl = 0;
 
 #ifdef OPENSSL_NO_RSA
-       mask |= SSL_aRSA|SSL_kRSA;
+       *mkey |= SSL_kRSA;
+       *auth |= SSL_aRSA;
 #endif
 #ifdef OPENSSL_NO_DSA
-       mask |= SSL_aDSS;
+       *auth |= SSL_aDSS;
 #endif
+       *mkey |= SSL_kDHr|SSL_kDHd; /* no such ciphersuites supported! */
+       *auth |= SSL_aDH;
 #ifdef OPENSSL_NO_DH
-       mask |= SSL_kDHr|SSL_kDHd|SSL_kEDH|SSL_aDH;
+       *mkey |= SSL_kDHr|SSL_kDHd|SSL_kEDH;
+       *auth |= SSL_aDH;
 #endif
 #ifdef OPENSSL_NO_KRB5
-       mask |= SSL_kKRB5|SSL_aKRB5;
+       *mkey |= SSL_kKRB5;
+       *auth |= SSL_aKRB5;
 #endif
 #ifdef OPENSSL_NO_ECDSA
-       mask |= SSL_aECDSA;
+       *auth |= SSL_aECDSA;
 #endif
 #ifdef OPENSSL_NO_ECDH
-       mask |= SSL_kECDHe|SSL_kECDHr|SSL_aECDH;
+       *mkey |= SSL_kECDHe|SSL_kECDHr;
+       *auth |= SSL_aECDH;
 #endif
 #ifdef OPENSSL_NO_PSK
-       mask |= SSL_kPSK;
+       *mkey |= SSL_kPSK;
+       *auth |= SSL_aPSK;
 #endif
 #ifdef SSL_FORBID_ENULL
-       mask |= SSL_eNULL;
+       *enc |= SSL_eNULL;
 #endif
 
-       mask |= (ssl_cipher_methods[SSL_ENC_DES_IDX ] == NULL) ? SSL_DES :0;
-       mask |= (ssl_cipher_methods[SSL_ENC_3DES_IDX] == NULL) ? SSL_3DES:0;
-       mask |= (ssl_cipher_methods[SSL_ENC_RC4_IDX ] == NULL) ? SSL_RC4 :0;
-       mask |= (ssl_cipher_methods[SSL_ENC_RC2_IDX ] == NULL) ? SSL_RC2 :0;
-       mask |= (ssl_cipher_methods[SSL_ENC_IDEA_IDX] == NULL) ? SSL_IDEA:0;
-       mask |= (ssl_cipher_methods[SSL_ENC_AES128_IDX] == NULL) ? SSL_AES:0;
-       mask |= (ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX] == NULL) ? SSL_CAMELLIA:0;
-
-       mask |= (ssl_digest_methods[SSL_MD_MD5_IDX ] == NULL) ? SSL_MD5 :0;
-       mask |= (ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL) ? SSL_SHA1:0;
-
-       return(mask);
+       *enc |= (ssl_cipher_methods[SSL_ENC_DES_IDX ] == NULL) ? SSL_DES :0;
+       *enc |= (ssl_cipher_methods[SSL_ENC_3DES_IDX] == NULL) ? SSL_3DES:0;
+       *enc |= (ssl_cipher_methods[SSL_ENC_RC4_IDX ] == NULL) ? SSL_RC4 :0;
+       *enc |= (ssl_cipher_methods[SSL_ENC_RC2_IDX ] == NULL) ? SSL_RC2 :0;
+       *enc |= (ssl_cipher_methods[SSL_ENC_IDEA_IDX] == NULL) ? SSL_IDEA:0;
+       *enc |= (ssl_cipher_methods[SSL_ENC_AES128_IDX] == NULL) ? SSL_AES128:0;
+       *enc |= (ssl_cipher_methods[SSL_ENC_AES256_IDX] == NULL) ? SSL_AES256:0;
+       *enc |= (ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX] == NULL) ? SSL_CAMELLIA128:0;
+       *enc |= (ssl_cipher_methods[SSL_ENC_CAMELLIA256_IDX] == NULL) ? SSL_CAMELLIA256:0;
+
+       *mac |= (ssl_digest_methods[SSL_MD_MD5_IDX ] == NULL) ? SSL_MD5 :0;
+       *mac |= (ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL) ? SSL_SHA1:0;
        }
 
 static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
-               int num_of_ciphers, unsigned long mask, CIPHER_ORDER *co_list,
-               CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
+                int num_of_ciphers,
+                unsigned long disabled_mkey, unsigned long disabled_auth,
+                unsigned long disabled_enc, unsigned long disabled_mac,
+                unsigned long disabled_ssl,
+                CIPHER_ORDER *co_list,
+                CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
        {
        int i, co_list_num;
        SSL_CIPHER *c;
@@ -541,7 +562,12 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
                {
                c = ssl_method->get_cipher(i);
                /* drop those that use any of that is not available */
-               if ((c != NULL) && c->valid && !(c->algorithms & mask))
+               if ((c != NULL) && c->valid &&
+                   !(c->algorithm_mkey & disabled_mkey) &&
+                   !(c->algorithm_auth & disabled_auth) &&
+                   !(c->algorithm_enc & disabled_enc) &&
+                   !(c->algorithm_mac & disabled_mac) &&
+                   !(c->algorithm_ssl & disabled_ssl))
                        {
                        co_list[co_list_num].cipher = c;
                        co_list[co_list_num].next = NULL;
@@ -549,7 +575,7 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
                        co_list[co_list_num].active = 0;
                        co_list_num++;
 #ifdef KSSL_DEBUG
-                       printf("\t%d: %s %lx %lx\n",i,c->name,c->id,c->algorithms);
+                       printf("\t%d: %s %lx %lx %lx\n",i,c->name,c->id,c->algorithm_mkey,c->algorithm_auth);
 #endif /* KSSL_DEBUG */
                        /*
                        if (!sk_push(ca_list,(char *)c)) goto err;
@@ -577,13 +603,20 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
        }
 
 static void ssl_cipher_collect_aliases(SSL_CIPHER **ca_list,
-                       int num_of_group_aliases, unsigned long mask,
+                        int num_of_group_aliases,
+                        unsigned long disabled_mkey, unsigned long disabled_auth,
+                        unsigned long disabled_enc, unsigned long disabled_mac,
+                        unsigned long disabled_ssl,
                        CIPHER_ORDER *head)
        {
        CIPHER_ORDER *ciph_curr;
        SSL_CIPHER **ca_curr;
        int i;
-       unsigned long enabled_mask = ~mask;
+       unsigned long mask_mkey = ~disabled_mkey;
+       unsigned long mask_auth = ~disabled_auth;
+       unsigned long mask_enc = ~disabled_enc;
+       unsigned long mask_mac = ~disabled_mac;
+       unsigned long mask_ssl = ~disabled_ssl;
 
        /*
         * First, add the real ciphers as already collected
@@ -605,31 +638,31 @@ static void ssl_cipher_collect_aliases(SSL_CIPHER **ca_list,
         */
        for (i = 0; i < num_of_group_aliases; i++)
                {
-               int algorithms = cipher_aliases[i].algorithms;
-
-               if (SSL_MKEY_MASK & algorithms)
-                       {
-                       if ((SSL_MKEY_MASK & algorithms & enabled_mask) == 0)
+               unsigned long algorithm_mkey = cipher_aliases[i].algorithm_mkey;
+               unsigned long algorithm_auth = cipher_aliases[i].algorithm_auth;
+               unsigned long algorithm_enc = cipher_aliases[i].algorithm_enc;
+               unsigned long algorithm_mac = cipher_aliases[i].algorithm_mac;
+               unsigned long algorithm_ssl = cipher_aliases[i].algorithm_ssl;
+
+               if (algorithm_mkey)
+                       if ((algorithm_mkey & mask_mkey) == 0)
+                               continue;
+       
+               if (algorithm_auth)
+                       if ((algorithm_auth & mask_auth) == 0)
                                continue;
-                       }
                
-               if (SSL_AUTH_MASK & algorithms)
-                       {
-                       if ((SSL_AUTH_MASK & algorithms & enabled_mask) == 0)
+               if (algorithm_enc)
+                       if ((algorithm_enc & mask_enc) == 0)
                                continue;
-                       }
                
-               if (SSL_ENC_MASK & algorithms)
-                       {
-                       if ((SSL_ENC_MASK & algorithms & enabled_mask) == 0)
+               if (algorithm_mac)
+                       if ((algorithm_mac & mask_mac) == 0)
                                continue;
-                       }
                
-               if (SSL_MAC_MASK & algorithms)
-                       {
-                       if ((SSL_MAC_MASK & algorithms & enabled_mask) == 0)
+               if (algorithm_ssl)
+                       if ((algorithm_ssl & mask_ssl) == 0)
                                continue;
-                       }
                
                *ca_curr = (SSL_CIPHER *)(cipher_aliases + i);
                ca_curr++;
@@ -638,20 +671,20 @@ static void ssl_cipher_collect_aliases(SSL_CIPHER **ca_list,
        *ca_curr = NULL;        /* end of list */
        }
 
-static void ssl_cipher_apply_rule(unsigned long cipher_id, unsigned long ssl_version,
-               unsigned long algorithms, unsigned long mask,
-               unsigned long algo_strength, unsigned long mask_strength,
+static void ssl_cipher_apply_rule(unsigned long cipher_id,
+                unsigned long alg_mkey, unsigned long alg_auth,
+                unsigned long alg_enc, unsigned long alg_mac,
+                unsigned long alg_ssl,
+               unsigned long algo_strength,
                int rule, int strength_bits,
                CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
        {
        CIPHER_ORDER *head, *tail, *curr, *curr2, *tail2;
        SSL_CIPHER *cp;
-       unsigned long ma, ma_s;
 
 #ifdef CIPHER_DEBUG
-       printf("Applying rule %d with %08lx %08lx %08lx %08lx (%d)\n",
-               rule, algorithms, mask, algo_strength, mask_strength,
-               strength_bits);
+       printf("Applying rule %d with %08lx/%08lx/%08lx/%08lx/%08lx %08lx (%d)\n",
+               rule, alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, algo_strength, strength_bits);
 #endif
 
        curr = head = *head_p;
@@ -665,40 +698,36 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id, unsigned long ssl_ver
 
                cp = curr->cipher;
 
-               /* If explicit cipher suite, match only that one for its own protocol version.
-                * Usual selection criteria will be used for similar ciphersuites from other version! */
-
-               if (cipher_id && (cp->algorithms & SSL_SSL_MASK) == ssl_version)
+               /*
+                * Selection criteria is either the value of strength_bits
+                * or the algorithms used.
+                */
+               if (strength_bits >= 0)
                        {
-                       if (cp->id != cipher_id)
+                       if (strength_bits != cp->strength_bits)
                                continue;
                        }
-
-               /*
-                * Selection criteria is either the number of strength_bits
-                * or the algorithm used.
-                */
-               else if (strength_bits == -1)
+               else
                        {
-                       ma = mask & cp->algorithms;
-                       ma_s = mask_strength & cp->algo_strength;
-
 #ifdef CIPHER_DEBUG
-                       printf("\nName: %s:\nAlgo = %08lx Algo_strength = %08lx\nMask = %08lx Mask_strength %08lx\n", cp->name, cp->algorithms, cp->algo_strength, mask, mask_strength);
-                       printf("ma = %08lx ma_s %08lx, ma&algo=%08lx, ma_s&algos=%08lx\n", ma, ma_s, ma&algorithms, ma_s&algo_strength);
+                       printf("\nName: %s:\nAlgo = %08lx/%08lx/%08lx/%08lx/%08lx Algo_strength = %08lx\n", cp->name, cp->algorithm_mkey, cp->algorithm_auth, cp->algorithm_enc, cp->algorithm_mac, cp->algorithm_ssl, cp->algo_strength);
 #endif
-                       /*
-                        * Select: if none of the mask bit was met from the
-                        * cipher or not all of the bits were met, the
-                        * selection does not apply.
-                        */
-                       if (((ma == 0) && (ma_s == 0)) ||
-                           ((ma & algorithms) != ma) ||
-                           ((ma_s & algo_strength) != ma_s))
-                               continue; /* does not apply */
+
+                       if (alg_mkey && !(alg_mkey & cp->algorithm_mkey))
+                               continue;
+                       if (alg_auth && !(alg_auth & cp->algorithm_auth))
+                               continue;
+                       if (alg_enc && !(alg_enc & cp->algorithm_enc))
+                               continue;
+                       if (alg_mac && !(alg_mac & cp->algorithm_mac))
+                               continue;
+                       if (alg_ssl && !(alg_ssl & cp->algorithm_ssl))
+                               continue;
+                       if ((algo_strength & SSL_EXP_MASK) && !(algo_strength & SSL_EXP_MASK & cp->algo_strength))
+                               continue;
+                       if ((algo_strength & SSL_STRONG_MASK) && !(algo_strength & SSL_STRONG_MASK & cp->algo_strength))
+                               continue;
                        }
-               else if (strength_bits != cp->strength_bits)
-                       continue;       /* does not apply */
 
 #ifdef CIPHER_DEBUG
                printf("Action = %d\n", rule);
@@ -768,10 +797,10 @@ static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p,
 
        number_uses = OPENSSL_malloc((max_strength_bits + 1) * sizeof(int));
        if (!number_uses)
-       {
+               {
                SSLerr(SSL_F_SSL_CIPHER_STRENGTH_SORT,ERR_R_MALLOC_FAILURE);
                return(0);
-       }
+               }
        memset(number_uses, 0, (max_strength_bits + 1) * sizeof(int));
 
        /*
@@ -790,8 +819,7 @@ static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p,
         */
        for (i = max_strength_bits; i >= 0; i--)
                if (number_uses[i] > 0)
-                       ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, CIPHER_ORD, i,
-                                       head_p, tail_p);
+                       ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ORD, i, head_p, tail_p);
 
        OPENSSL_free(number_uses);
        return(1);
@@ -801,10 +829,10 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
                 CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p,
                 SSL_CIPHER **ca_list)
        {
-       unsigned long algorithms, mask, algo_strength, mask_strength;
+       unsigned long alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, algo_strength;
        const char *l, *start, *buf;
        int j, multi, found, rule, retval, ok, buflen;
-       unsigned long cipher_id = 0, ssl_version = 0;
+       unsigned long cipher_id = 0;
        char ch;
 
        retval = 1;
@@ -832,7 +860,12 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
                        continue;
                        }
 
-               algorithms = mask = algo_strength = mask_strength = 0;
+               alg_mkey = 0;
+               alg_auth = 0;
+               alg_enc = 0;
+               alg_mac = 0;
+               alg_ssl = 0;
+               algo_strength = 0;
 
                start=l;
                for (;;)
@@ -893,10 +926,9 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
                         * sufficient, we have to strncmp() anyway. (We cannot
                         * use strcmp(), because buf is not '\0' terminated.)
                         */
-                        j = found = 0;
-                        cipher_id = 0;
-                        ssl_version = 0;
-                        while (ca_list[j])
+                       j = found = 0;
+                       cipher_id = 0;
+                       while (ca_list[j])
                                {
                                if (!strncmp(buf, ca_list[j]->name, buflen) &&
                                    (ca_list[j]->name[buflen] == '\0'))
@@ -907,31 +939,100 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
                                else
                                        j++;
                                }
+
                        if (!found)
                                break;  /* ignore this entry */
 
-                       /* New algorithms:
-                        *  1 - any old restrictions apply outside new mask
-                        *  2 - any new restrictions apply outside old mask
-                        *  3 - enforce old & new where masks intersect
-                        */
-                       algorithms = (algorithms & ~ca_list[j]->mask) |         /* 1 */
-                                    (ca_list[j]->algorithms & ~mask) |         /* 2 */
-                                    (algorithms & ca_list[j]->algorithms);     /* 3 */
-                       mask |= ca_list[j]->mask;
-                       algo_strength = (algo_strength & ~ca_list[j]->mask_strength) |
-                                       (ca_list[j]->algo_strength & ~mask_strength) |
-                                       (algo_strength & ca_list[j]->algo_strength);
-                       mask_strength |= ca_list[j]->mask_strength;
-
-                       /* explicit ciphersuite found */
+                       if (ca_list[j]->algorithm_mkey)
+                               {
+                               if (alg_mkey)
+                                       {
+                                       alg_mkey &= ca_list[j]->algorithm_mkey;
+                                       if (!alg_mkey) { found = 0; break; }
+                                       }
+                               else
+                                       alg_mkey = ca_list[j]->algorithm_mkey;
+                               }
+
+                       if (ca_list[j]->algorithm_auth)
+                               {
+                               if (alg_auth)
+                                       {
+                                       alg_auth &= ca_list[j]->algorithm_auth;
+                                       if (!alg_auth) { found = 0; break; }
+                                       }
+                               else
+                                       alg_auth = ca_list[j]->algorithm_auth;
+                               }
+                       
+                       if (ca_list[j]->algorithm_enc)
+                               {
+                               if (alg_enc)
+                                       {
+                                       alg_enc &= ca_list[j]->algorithm_enc;
+                                       if (!alg_enc) { found = 0; break; }
+                                       }
+                               else
+                                       alg_enc = ca_list[j]->algorithm_enc;
+                               }
+                                               
+                       if (ca_list[j]->algorithm_mac)
+                               {
+                               if (alg_mac)
+                                       {
+                                       alg_mac &= ca_list[j]->algorithm_mac;
+                                       if (!alg_mac) { found = 0; break; }
+                                       }
+                               else
+                                       alg_mac = ca_list[j]->algorithm_mac;
+                               }
+                       
+                       if (ca_list[j]->algo_strength & SSL_EXP_MASK)
+                               {
+                               if (algo_strength & SSL_EXP_MASK)
+                                       {
+                                       algo_strength &= (ca_list[j]->algo_strength & SSL_EXP_MASK) | ~SSL_EXP_MASK;
+                                       if (!(algo_strength & SSL_EXP_MASK)) { found = 0; break; }
+                                       }
+                               else
+                                       algo_strength |= ca_list[j]->algo_strength & SSL_EXP_MASK;
+                               }
+
+                       if (ca_list[j]->algo_strength & SSL_STRONG_MASK)
+                               {
+                               if (algo_strength & SSL_STRONG_MASK)
+                                       {
+                                       algo_strength &= (ca_list[j]->algo_strength & SSL_STRONG_MASK) | ~SSL_STRONG_MASK;
+                                       if (!(algo_strength & SSL_STRONG_MASK)) { found = 0; break; }
+                                       }
+                               else
+                                       algo_strength |= ca_list[j]->algo_strength & SSL_STRONG_MASK;
+                               }
+                       
                        if (ca_list[j]->valid)
                                {
+                               /* explicit ciphersuite found; its protocol version
+                                * does not become part of the search pattern!*/
+
                                cipher_id = ca_list[j]->id;
-                               ssl_version = ca_list[j]->algorithms & SSL_SSL_MASK;
-                               break;
                                }
+                       else
+                               {
+                               /* not an explicit ciphersuite; only in this case, the
+                                * protocol version is considered part of the search pattern */
 
+                               if (ca_list[j]->algorithm_ssl)
+                                       {
+                                       if (alg_ssl)
+                                               {
+                                               alg_ssl &= ca_list[j]->algorithm_ssl;
+                                               if (!alg_ssl) { found = 0; break; }
+                                               }
+                                       else
+                                               alg_ssl = ca_list[j]->algorithm_ssl;
+                                       }
+                               }
+                       
                        if (!multi) break;
                        }
 
@@ -955,18 +1056,18 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
                         * rest of the command, if any left, until
                         * end or ':' is found.
                         */
-                       while ((*l != '\0') && ITEM_SEP(*l))
+                       while ((*l != '\0') && !ITEM_SEP(*l))
                                l++;
                        }
                else if (found)
                        {
-                       ssl_cipher_apply_rule(cipher_id, ssl_version, algorithms, mask,
-                               algo_strength, mask_strength, rule, -1,
-                               head_p, tail_p);
+                       ssl_cipher_apply_rule(cipher_id,
+                               alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, algo_strength,
+                               rule, -1, head_p, tail_p);
                        }
                else
                        {
-                       while ((*l != '\0') && ITEM_SEP(*l))
+                       while ((*l != '\0') && !ITEM_SEP(*l))
                                l++;
                        }
                if (*l == '\0') break; /* done */
@@ -981,7 +1082,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
                const char *rule_str)
        {
        int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases;
-       unsigned long disabled_mask;
+       unsigned long disabled_mkey, disabled_auth, disabled_enc, disabled_mac, disabled_ssl;
        STACK_OF(SSL_CIPHER) *cipherstack, *tmp_cipher_list;
        const char *rule_p;
        CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
@@ -997,7 +1098,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
         * To reduce the work to do we only want to process the compiled
         * in algorithms, so we first get the mask of disabled ciphers.
         */
-       disabled_mask = ssl_cipher_get_disabled();
+       ssl_cipher_get_disabled(&disabled_mkey, &disabled_auth, &disabled_enc, &disabled_mac, &disabled_ssl);
 
        /*
         * Now we have to collect the available ciphers from the compiled
@@ -1015,8 +1116,9 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
                return(NULL);   /* Failure */
                }
 
-       ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers, disabled_mask,
-                                  co_list, &head, &tail);
+       ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
+                                  disabled_mkey, disabled_auth, disabled_enc, disabled_mac, disabled_ssl,
+                                  co_list, &head, &tail);
 
        /*
         * We also need cipher aliases for selecting based on the rule_str.
@@ -1036,8 +1138,9 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
                SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
                return(NULL);   /* Failure */
                }
-       ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, disabled_mask,
-                                  head);
+       ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
+                                  disabled_mkey, disabled_auth, disabled_enc, disabled_mac, disabled_ssl,
+                                  head);
 
        /*
         * If the rule_string begins with DEFAULT, apply the default rule
@@ -1112,14 +1215,19 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
        int is_export,pkl,kl;
        const char *ver,*exp_str;
        const char *kx,*au,*enc,*mac;
-       unsigned long alg,alg2,alg_s;
+       unsigned long alg_mkey,alg_auth,alg_enc,alg_mac,alg_ssl,alg2,alg_s;
 #ifdef KSSL_DEBUG
-       static const char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s AL=%lx\n";
+       static const char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s AL=%lx/%lx/%lx/%lx/%lx\n";
 #else
        static const char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s\n";
 #endif /* KSSL_DEBUG */
 
-       alg=cipher->algorithms;
+       alg_mkey = cipher->algorithm_mkey;
+       alg_auth = cipher->algorithm_auth;
+       alg_enc = cipher->algorithm_enc;
+       alg_mac = cipher->algorithm_mac;
+       alg_ssl = cipher->algorithm_ssl;
+
        alg_s=cipher->algo_strength;
        alg2=cipher->algorithm2;
 
@@ -1128,14 +1236,14 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
        kl=SSL_C_EXPORT_KEYLENGTH(cipher);
        exp_str=is_export?" export":"";
        
-       if (alg & SSL_SSLV2)
+       if (alg_ssl & SSL_SSLV2)
                ver="SSLv2";
-       else if (alg & SSL_SSLV3)
+       else if (alg_ssl & SSL_SSLV3)
                ver="SSLv3";
        else
                ver="unknown";
 
-       switch (alg&SSL_MKEY_MASK)
+       switch (alg_mkey)
                {
        case SSL_kRSA:
                kx=is_export?(pkl == 512 ? "RSA(512)" : "RSA(1024)"):"RSA";
@@ -1168,7 +1276,7 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
                kx="unknown";
                }
 
-       switch (alg&SSL_AUTH_MASK)
+       switch (alg_auth)
                {
        case SSL_aRSA:
                au="RSA";
@@ -1199,7 +1307,7 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
                break;
                }
 
-       switch (alg&SSL_ENC_MASK)
+       switch (alg_enc)
                {
        case SSL_DES:
                enc=(is_export && kl == 5)?"DES(40)":"DES(56)";
@@ -1220,30 +1328,24 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
        case SSL_eNULL:
                enc="None";
                break;
-       case SSL_AES:
-               switch(cipher->strength_bits)
-                       {
-               case 128: enc="AES(128)"; break;
-               case 192: enc="AES(192)"; break;
-               case 256: enc="AES(256)"; break;
-               default: enc="AES(?""?""?)"; break;
-                       }
+       case SSL_AES128:
+               enc="AES(128)";
                break;
-       case SSL_CAMELLIA:
-               switch(cipher->strength_bits)
-                       {
-               case 128: enc="Camellia(128)"; break;
-               case 256: enc="Camellia(256)"; break;
-               default: enc="Camellia(?""?""?)"; break;
-                       }
+       case SSL_AES256:
+               enc="AES(256)";
+               break;
+       case SSL_CAMELLIA128:
+               enc="Camellia(128)";
+               break;
+       case SSL_CAMELLIA256:
+               enc="Camellia(256)";
                break;
-               
        default:
                enc="unknown";
                break;
                }
 
-       switch (alg&SSL_MAC_MASK)
+       switch (alg_mac)
                {
        case SSL_MD5:
                mac="MD5";
@@ -1266,7 +1368,7 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
                return("Buffer too small");
 
 #ifdef KSSL_DEBUG
-       BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp_str,alg);
+       BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp_str,alg_mkey,alg_auth,alg_enc,alg_mac,alg_ssl);
 #else
        BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp_str);
 #endif /* KSSL_DEBUG */
index 1cc3ac9..1c28daa 100644 (file)
@@ -58,7 +58,7 @@
  * [including the GNU Public Licence.]
  */
 /* ====================================================================
- * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -858,7 +858,7 @@ int SSL_check_private_key(const SSL *ssl)
                }
        if (ssl->cert == NULL)
                {
-                SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED);
+               SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY,SSL_R_NO_CERTIFICATE_ASSIGNED);
                return 0;
                }
        if (ssl->cert->key->x509 == NULL)
@@ -1218,8 +1218,8 @@ int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str)
        /* ssl_create_cipher_list may return an empty stack if it
         * was unable to find a cipher matching the given rule string
         * (for example if the rule string specifies a cipher which
-        * has been disabled). This is not an error as far as 
-        * ssl_create_cipher_list is concerned, and hence 
+        * has been disabled). This is not an error as far as
+        * ssl_create_cipher_list is concerned, and hence
         * ctx->cipher_list and ctx->cipher_list_by_id has been
         * updated. */
        if (sk == NULL)
@@ -1287,13 +1287,13 @@ char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len)
        }
 
 int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
-                             int (*put_cb)(const SSL_CIPHER *, unsigned char *))
+                            int (*put_cb)(const SSL_CIPHER *, unsigned char *))
        {
        int i,j=0;
        SSL_CIPHER *c;
        unsigned char *q;
 #ifndef OPENSSL_NO_KRB5
-        int nokrb5 = !kssl_tgt_is_available(s->kssl_ctx);
+       int nokrb5 = !kssl_tgt_is_available(s->kssl_ctx);
 #endif /* OPENSSL_NO_KRB5 */
 
        if (sk == NULL) return(0);
@@ -1303,12 +1303,14 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
                {
                c=sk_SSL_CIPHER_value(sk,i);
 #ifndef OPENSSL_NO_KRB5
-                if ((c->algorithms & SSL_KRB5) && nokrb5)
-                    continue;
-#endif /* OPENSSL_NO_KRB5 */                    
+               if (((c->algorithm_mkey & SSL_kKRB5) || (c->algorithm_auth & SSL_aKRB5)) &&
+                   nokrb5)
+                   continue;
+#endif /* OPENSSL_NO_KRB5 */
 #ifndef OPENSSL_NO_PSK
                /* with PSK there must be client callback set */
-               if ((c->algorithms & SSL_PSK) && s->psk_client_callback == NULL)
+               if (((c->algorithm_mkey & SSL_kPSK) || (c->algorithm_auth & SSL_aPSK)) &&
+                   s->psk_client_callback == NULL)
                        continue;
 #endif /* OPENSSL_NO_PSK */
                j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p);
@@ -1363,7 +1365,7 @@ err:
 
 
 #ifndef OPENSSL_TLSEXT
-/** return a servername extension value if provided in Client Hello, or NULL. 
+/** return a servername extension value if provided in Client Hello, or NULL.
  * So far, only host_name types are defined (RFC 3546).
  */
 
@@ -1379,7 +1381,7 @@ const char *SSL_get_servername(const SSL *s, const int type)
 
 int SSL_get_servername_type(const SSL *s)
        {
-       if (s->session && (!s->tlsext_hostname ? s->session->tlsext_hostname : s->tlsext_hostname)) 
+       if (s->session && (!s->tlsext_hostname ? s->session->tlsext_hostname : s->tlsext_hostname))
                return TLSEXT_NAMETYPE_host_name;
        return -1;
        }
@@ -1656,7 +1658,7 @@ void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher)
        int rsa_enc,rsa_tmp,rsa_sign,dh_tmp,dh_rsa,dh_dsa,dsa_sign;
        int rsa_enc_export,dh_rsa_export,dh_dsa_export;
        int rsa_tmp_export,dh_tmp_export,kl;
-       unsigned long mask,emask;
+       unsigned long mask_k,mask_a,emask_k,emask_a;
        int have_ecc_cert, ecdh_ok, ecdsa_ok, ecc_pkey_size;
 #ifndef OPENSSL_NO_ECDH
        int have_ecdh_tmp;
@@ -1703,8 +1705,10 @@ void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher)
        dh_dsa_export=(dh_dsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl);
        cpk= &(c->pkeys[SSL_PKEY_ECC]);
        have_ecc_cert= (cpk->x509 != NULL && cpk->privatekey != NULL);
-       mask=0;
-       emask=0;
+       mask_k=0;
+       mask_a=0;
+       emask_k=0;
+       emask_a=0;
 
 #ifdef CIPHER_DEBUG
        printf("rt=%d rte=%d dht=%d ecdht=%d re=%d ree=%d rs=%d ds=%d dhr=%d dhd=%d\n",
@@ -1713,50 +1717,52 @@ void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher)
 #endif
 
        if (rsa_enc || (rsa_tmp && rsa_sign))
-               mask|=SSL_kRSA;
+               mask_k|=SSL_kRSA;
        if (rsa_enc_export || (rsa_tmp_export && (rsa_sign || rsa_enc)))
-               emask|=SSL_kRSA;
+               emask_k|=SSL_kRSA;
 
 #if 0
        /* The match needs to be both kEDH and aRSA or aDSA, so don't worry */
-       if (    (dh_tmp || dh_rsa || dh_dsa) && 
+       if (    (dh_tmp || dh_rsa || dh_dsa) &&
                (rsa_enc || rsa_sign || dsa_sign))
-               mask|=SSL_kEDH;
+               mask_k|=SSL_kEDH;
        if ((dh_tmp_export || dh_rsa_export || dh_dsa_export) &&
                (rsa_enc || rsa_sign || dsa_sign))
-               emask|=SSL_kEDH;
+               emask_k|=SSL_kEDH;
 #endif
 
-       if (dh_tmp_export) 
-               emask|=SSL_kEDH;
+       if (dh_tmp_export)
+               emask_k|=SSL_kEDH;
 
        if (dh_tmp)
-               mask|=SSL_kEDH;
+               mask_k|=SSL_kEDH;
 
-       if (dh_rsa) mask|=SSL_kDHr;
-       if (dh_rsa_export) emask|=SSL_kDHr;
+       if (dh_rsa) mask_k|=SSL_kDHr;
+       if (dh_rsa_export) emask_k|=SSL_kDHr;
 
-       if (dh_dsa) mask|=SSL_kDHd;
-       if (dh_dsa_export) emask|=SSL_kDHd;
+       if (dh_dsa) mask_k|=SSL_kDHd;
+       if (dh_dsa_export) emask_k|=SSL_kDHd;
 
        if (rsa_enc || rsa_sign)
                {
-               mask|=SSL_aRSA;
-               emask|=SSL_aRSA;
+               mask_a|=SSL_aRSA;
+               emask_a|=SSL_aRSA;
                }
 
        if (dsa_sign)
                {
-               mask|=SSL_aDSS;
-               emask|=SSL_aDSS;
+               mask_a|=SSL_aDSS;
+               emask_a|=SSL_aDSS;
                }
 
-       mask|=SSL_aNULL;
-       emask|=SSL_aNULL;
+       mask_a|=SSL_aNULL;
+       emask_a|=SSL_aNULL;
 
 #ifndef OPENSSL_NO_KRB5
-       mask|=SSL_kKRB5|SSL_aKRB5;
-       emask|=SSL_kKRB5|SSL_aKRB5;
+       mask_k|=SSL_kKRB5;
+       mask_a|=SSL_aKRB5;
+       emask_k|=SSL_kKRB5;
+       emask_a|=SSL_aKRB5;
 #endif
 
        /* An ECC certificate may be usable for ECDH and/or
@@ -1764,7 +1770,7 @@ void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher)
         */
        if (have_ecc_cert)
                {
-                /* This call populates extension flags (ex_flags) */
+               /* This call populates extension flags (ex_flags) */
                x = (c->pkeys[SSL_PKEY_ECC]).x509;
                X509_check_purpose(x, -1, 0);
                ecdh_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
@@ -1772,7 +1778,7 @@ void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher)
                ecdsa_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
                    (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) : 1;
                ecc_pkey = X509_get_pubkey(x);
-               ecc_pkey_size = (ecc_pkey != NULL) ? 
+               ecc_pkey_size = (ecc_pkey != NULL) ?
                    EVP_PKEY_bits(ecc_pkey) : 0;
                EVP_PKEY_free(ecc_pkey);
                if ((x->sig_alg) && (x->sig_alg->algorithm))
@@ -1789,24 +1795,32 @@ void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher)
                                
                        if (strstr(sig, "WithRSA"))
                                {
-                               mask|=SSL_kECDHr|SSL_aECDH;
+                               mask_k|=SSL_kECDHr;
+                               mask_a|=SSL_aECDH;
                                if (ecc_pkey_size <= 163)
-                                       emask|=SSL_kECDHr|SSL_aECDH;
+                                       {
+                                       emask_k|=SSL_kECDHr;
+                                       emask_a|=SSL_aECDH;
+                                       }
                                }
 
                        if (signature_nid == NID_ecdsa_with_SHA1)
                                {
-                               mask|=SSL_kECDHe|SSL_aECDH;
+                               mask_k|=SSL_kECDHe;
+                               mask_a|=SSL_aECDH;
                                if (ecc_pkey_size <= 163)
-                                       emask|=SSL_kECDHe|SSL_aECDH;
+                                       {
+                                       emask_k|=SSL_kECDHe;
+                                       emask_a|=SSL_aECDH;
+                                       }
                                }
                        }
 #endif
 #ifndef OPENSSL_NO_ECDSA
                if (ecdsa_ok)
                        {
-                       mask|=SSL_aECDSA;
-                       emask|=SSL_aECDSA;
+                       mask_a|=SSL_aECDSA;
+                       emask_a|=SSL_aECDSA;
                        }
 #endif
                }
@@ -1814,18 +1828,22 @@ void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher)
 #ifndef OPENSSL_NO_ECDH
        if (have_ecdh_tmp)
                {
-               mask|=SSL_kEECDH;
-               emask|=SSL_kEECDH;
+               mask_k|=SSL_kEECDH;
+               emask_k|=SSL_kEECDH;
                }
 #endif
 
 #ifndef OPENSSL_NO_PSK
-       mask  |= SSL_kPSK | SSL_aPSK;
-       emask |= SSL_kPSK | SSL_aPSK;
+       mask_k |= SSL_kPSK;
+       mask_a |= SSL_aPSK;
+       emask_k |= SSL_kPSK;
+       emask_a |= SSL_aPSK;
 #endif
 
-       c->mask=mask;
-       c->export_mask=emask;
+       c->mask_k=mask_k;
+       c->mask_a=mask_a;
+       c->export_mask_k=emask_k;
+       c->export_mask_a=emask_a;
        c->valid=1;
        }
 
@@ -1835,11 +1853,14 @@ void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher)
 
 int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs)
        {
-       unsigned long alg = cs->algorithms;
+       unsigned long alg_k, alg_a;
        EVP_PKEY *pkey = NULL;
        int keysize = 0;
        int signature_nid = 0;
 
+       alg_k = cs->algorithm_mkey;
+       alg_a = cs->algorithm_auth;
+
        if (SSL_C_IS_EXPORT(cs))
                {
                /* ECDH key length in export ciphers must be <= 163 bits */
@@ -1854,7 +1875,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs)
        X509_check_purpose(x, -1, 0);
        if ((x->sig_alg) && (x->sig_alg->algorithm))
                signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
-       if (alg & SSL_kECDHe || alg & SSL_kECDHr) 
+       if (alg_k & SSL_kECDHe || alg_k & SSL_kECDHr)
                {
                /* key usage, if present, must allow key agreement */
                if (ku_reject(x, X509v3_KU_KEY_AGREEMENT))
@@ -1862,7 +1883,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs)
                        SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT);
                        return 0;
                        }
-               if (alg & SSL_kECDHe)
+               if (alg_k & SSL_kECDHe)
                        {
                        /* signature alg must be ECDSA */
                        if (signature_nid != NID_ecdsa_with_SHA1)
@@ -1871,7 +1892,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs)
                                return 0;
                                }
                        }
-               if (alg & SSL_kECDHr)
+               if (alg_k & SSL_kECDHr)
                        {
                        /* signature alg must be RSA */
 
@@ -1887,8 +1908,8 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs)
                                return 0;
                                }
                        }
-               } 
-       if (alg & SSL_aECDSA)
+               }
+       if (alg_a & SSL_aECDSA)
                {
                /* key usage, if present, must allow signing */
                if (ku_reject(x, X509v3_KU_DIGITAL_SIGNATURE))
@@ -1904,18 +1925,28 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs)
 /* THIS NEEDS CLEANING UP */
 X509 *ssl_get_server_send_cert(SSL *s)
        {
-       unsigned long alg,mask,kalg;
+       unsigned long alg_k,alg_a,mask_k,mask_a;
        CERT *c;
        int i,is_export;
 
        c=s->cert;
        ssl_set_cert_masks(c, s->s3->tmp.new_cipher);
-       alg=s->s3->tmp.new_cipher->algorithms;
        is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
-       mask=is_export?c->export_mask:c->mask;
-       kalg=alg&(SSL_MKEY_MASK|SSL_AUTH_MASK);
+       if (is_export)
+               {
+               mask_k = c->export_mask_k;
+               mask_a = c->export_mask_a;
+               }
+       else
+               {
+               mask_k = c->mask_k;
+               mask_a = c->mask_a;
+               }
+       
+       alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
+       alg_a = s->s3->tmp.new_cipher->algorithm_auth;
 
-       if (kalg & SSL_kECDH)
+       if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe))
                {
                /* we don't need to look at SSL_kEECDH
                 * since no certificate is needed for
@@ -1930,29 +1961,29 @@ X509 *ssl_get_server_send_cert(SSL *s)
                 */
                i=SSL_PKEY_ECC;
                }
-       else if (kalg & SSL_aECDSA)
+       else if (alg_a & SSL_aECDSA)
                {
                i=SSL_PKEY_ECC;
                }
-       else if (kalg & SSL_kDHr)
+       else if (alg_k & SSL_kDHr)
                i=SSL_PKEY_DH_RSA;
-       else if (kalg & SSL_kDHd)
+       else if (alg_k & SSL_kDHd)
                i=SSL_PKEY_DH_DSA;
-       else if (kalg & SSL_aDSS)
+       else if (alg_a & SSL_aDSS)
                i=SSL_PKEY_DSA_SIGN;
-       else if (kalg & SSL_aRSA)
+       else if (alg_a & SSL_aRSA)
                {
                if (c->pkeys[SSL_PKEY_RSA_ENC].x509 == NULL)
                        i=SSL_PKEY_RSA_SIGN;
                else
                        i=SSL_PKEY_RSA_ENC;
                }
-       else if (kalg & SSL_aKRB5)
+       else if (alg_a & SSL_aKRB5)
                {
                /* VRS something else here? */
                return(NULL);
                }
-       else /* if (kalg & SSL_aNULL) */
+       else /* if (alg_a & SSL_aNULL) */
                {
                SSLerr(SSL_F_SSL_GET_SERVER_SEND_CERT,ERR_R_INTERNAL_ERROR);
                return(NULL);
@@ -1964,16 +1995,16 @@ X509 *ssl_get_server_send_cert(SSL *s)
 
 EVP_PKEY *ssl_get_sign_pkey(SSL *s,SSL_CIPHER *cipher)
        {
-       unsigned long alg;
+       unsigned long alg_a;
        CERT *c;
 
-       alg=cipher->algorithms;
+       alg_a = cipher->algorithm_auth;
        c=s->cert;
 
-       if ((alg & SSL_aDSS) &&
+       if ((alg_a & SSL_aDSS) &&
                (c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL))
                return(c->pkeys[SSL_PKEY_DSA_SIGN].privatekey);
-       else if (alg & SSL_aRSA)
+       else if (alg_a & SSL_aRSA)
                {
                if (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey != NULL)
                        return(c->pkeys[SSL_PKEY_RSA_SIGN].privatekey);
@@ -1982,10 +2013,10 @@ EVP_PKEY *ssl_get_sign_pkey(SSL *s,SSL_CIPHER *cipher)
                else
                        return(NULL);
                }
-       else if ((alg & SSL_aECDSA) &&
+       else if ((alg_a & SSL_aECDSA) &&
                 (c->pkeys[SSL_PKEY_ECC].privatekey != NULL))
                return(c->pkeys[SSL_PKEY_ECC].privatekey);
-       else /* if (alg & SSL_aNULL) */
+       else /* if (alg_a & SSL_aNULL) */
                {
                SSLerr(SSL_F_SSL_GET_SIGN_PKEY,ERR_R_INTERNAL_ERROR);
                return(NULL);
@@ -2226,7 +2257,7 @@ SSL *SSL_dup(SSL *s)
        X509_NAME *xn;
        SSL *ret;
        int i;
-                
+       
        if ((ret=SSL_new(SSL_get_SSL_CTX(s))) == NULL)
            return(NULL);
 
@@ -2474,7 +2505,7 @@ void ssl_free_wbio_buffer(SSL *s)
                s->wbio=BIO_pop(s->wbio);
 #ifdef REF_CHECK /* not the usual REF_CHECK, but this avoids adding one more preprocessor symbol */
                assert(s->wbio != NULL);
-#endif 
+#endif
        }
        BIO_free(s->bbio);
        s->bbio=NULL;
@@ -2522,7 +2553,7 @@ SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl)
 
 SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx)
        {
-       if (ssl->ctx == ctx) 
+       if (ssl->ctx == ctx)
                return ssl->ctx;
        if (ctx == NULL)
                ctx = ssl->initial_ctx;
@@ -2557,7 +2588,7 @@ void SSL_set_info_callback(SSL *ssl,
 
 /* One compiler (Diab DCC) doesn't like argument names in returned
    function pointer.  */
-void (*SSL_get_info_callback(const SSL *ssl))(const SSL * /*ssl*/,int /*type*/,int /*val*/) 
+void (*SSL_get_info_callback(const SSL *ssl))(const SSL * /*ssl*/,int /*type*/,int /*val*/)
        {
        return ssl->info_callback;
        }
@@ -2678,13 +2709,13 @@ RSA *cb(SSL *ssl,int is_export,int keylength)
 
 #ifndef OPENSSL_NO_DH
 void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,DH *(*dh)(SSL *ssl,int is_export,
-                                                       int keylength))
+                                                        int keylength))
        {
        SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_DH_CB,(void (*)(void))dh);
        }
 
 void SSL_set_tmp_dh_callback(SSL *ssl,DH *(*dh)(SSL *ssl,int is_export,
-                                               int keylength))
+                                                int keylength))
        {
        SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_DH_CB,(void (*)(void))dh);
        }
@@ -2692,13 +2723,13 @@ void SSL_set_tmp_dh_callback(SSL *ssl,DH *(*dh)(SSL *ssl,int is_export,
 
 #ifndef OPENSSL_NO_ECDH
 void SSL_CTX_set_tmp_ecdh_callback(SSL_CTX *ctx,EC_KEY *(*ecdh)(SSL *ssl,int is_export,
-                                                       int keylength))
+                                                                int keylength))
        {
        SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_ECDH_CB,(void (*)(void))ecdh);
        }
 
 void SSL_set_tmp_ecdh_callback(SSL *ssl,EC_KEY *(*ecdh)(SSL *ssl,int is_export,
-                                               int keylength))
+                                                        int keylength))
        {
        SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_ECDH_CB,(void (*)(void))ecdh);
        }
@@ -2765,34 +2796,34 @@ const char *SSL_get_psk_identity(const SSL *s)
        return(s->session->psk_identity);
        }
 
-void SSL_set_psk_client_callback(SSL *s, 
-       unsigned int (*cb)(SSL *ssl, const char *hint,
-                char *identity, unsigned int max_identity_len, unsigned char *psk,
-                unsigned int max_psk_len))
+void SSL_set_psk_client_callback(SSL *s,
+    unsigned int (*cb)(SSL *ssl, const char *hint,
+                       char *identity, unsigned int max_identity_len, unsigned char *psk,
+                       unsigned int max_psk_len))
        {
-       s->psk_client_callback = cb;    
+       s->psk_client_callback = cb;
        }
 
 void SSL_CTX_set_psk_client_callback(SSL_CTX *ctx,
-       unsigned int (*cb)(SSL *ssl, const char *hint,
-                char *identity, unsigned int max_identity_len, unsigned char *psk,
-                unsigned int max_psk_len))
+    unsigned int (*cb)(SSL *ssl, const char *hint,
+                       char *identity, unsigned int max_identity_len, unsigned char *psk,
+                       unsigned int max_psk_len))
        {
-       ctx->psk_client_callback = cb;  
+       ctx->psk_client_callback = cb;
        }
 
-void SSL_set_psk_server_callback(SSL *s, 
-       unsigned int (*cb)(SSL *ssl, const char *identity,
-                unsigned char *psk, unsigned int max_psk_len))
+void SSL_set_psk_server_callback(SSL *s,
+    unsigned int (*cb)(SSL *ssl, const char *identity,
+                       unsigned char *psk, unsigned int max_psk_len))
        {
-       s->psk_server_callback = cb;    
+       s->psk_server_callback = cb;
        }
 
 void SSL_CTX_set_psk_server_callback(SSL_CTX *ctx,
-       unsigned int (*cb)(SSL *ssl, const char *identity,
-                unsigned char *psk, unsigned int max_psk_len))
+    unsigned int (*cb)(SSL *ssl, const char *identity,
+                       unsigned char *psk, unsigned int max_psk_len))
        {
-       ctx->psk_server_callback = cb;  
+       ctx->psk_server_callback = cb;
        }
 #endif
 
index 36307ba..d4d773a 100644 (file)
@@ -56,7 +56,7 @@
  * [including the GNU Public Licence.]
  */
 /* ====================================================================
- * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * that the different entities within are mutually exclusive:
  * ONLY ONE BIT PER MASK CAN BE SET AT A TIME.
  */
-#define SSL_MKEY_MASK          0x200000FFL
+
+/* Bits for algorithm_mkey (key exchange algorithm) */
 #define SSL_kRSA               0x00000001L /* RSA key exchange */
 #define SSL_kDHr               0x00000002L /* DH cert, RSA CA cert */ /* no such ciphersuites supported! */
 #define SSL_kDHd               0x00000004L /* DH cert, DSA CA cert */ /* no such ciphersuite supported! */
 #define SSL_kEDH               0x00000008L /* tmp DH key no DH cert */
-#define SSL_EDH                        (SSL_kEDH|(SSL_AUTH_MASK^SSL_aNULL))
 #define SSL_kKRB5              0x00000010L /* Kerberos5 key exchange */
 #define SSL_kECDHr             0x00000020L /* ECDH cert, RSA CA cert */
 #define SSL_kECDHe             0x00000040L /* ECDH cert, ECDSA CA cert */
-#define SSL_kECDH              (SSL_kECDHr|SSL_kECDHe)
 #define SSL_kEECDH             0x00000080L /* ephemeral ECDH */
-#define SSL_EECDH              (SSL_kEECDH|(SSL_AUTH_MASK^SSL_aNULL))
-#define SSL_kPSK               0x20000000L /* PSK */
-
-#define SSL_AUTH_MASK          0x10007f00L
-#define SSL_aRSA               0x00000100L /* RSA auth */
-#define SSL_aDSS               0x00000200L /* DSS auth */
-#define SSL_DSS                SSL_aDSS
-#define SSL_aNULL              0x00000400L /* no auth (i.e. use ADH or AECDH) */
-#define SSL_aDH                0x00000800L /* Fixed DH auth (kDHd or kDHr) */ /* no such ciphersuites supported! */
-#define SSL_aECDH              0x00001000L /* Fixed ECDH auth (kECDHe or kECDHr) */
-#define SSL_aKRB5               0x00002000L /* KRB5 auth */
-#define SSL_aECDSA              0x00004000L /* ECDSA auth*/
-#define SSL_ECDSA              SSL_aECDSA
-#define SSL_aPSK                0x10000000L /* PSK auth */
-
-#define SSL_NULL               (SSL_eNULL)
-#define SSL_RSA                        (SSL_kRSA|SSL_aRSA)
-#define SSL_DH                 (SSL_kDHr|SSL_kDHd|SSL_kEDH)
-#define SSL_ADH                        (SSL_kEDH|SSL_aNULL)
-#define SSL_ECDH               (SSL_kECDH|SSL_kEECDH)
-#define SSL_AECDH              (SSL_kEECDH|SSL_aNULL)
-#define SSL_KRB5                (SSL_kKRB5|SSL_aKRB5)
-#define SSL_PSK                 (SSL_kPSK|SSL_aPSK)
-
-#define SSL_ENC_MASK           0x0C3F8000L
-#define SSL_DES                        0x00008000L
-#define SSL_3DES               0x00010000L
-#define SSL_RC4                        0x00020000L
-#define SSL_RC2                        0x00040000L
-#define SSL_IDEA               0x00080000L
-#define SSL_eNULL              0x00200000L
-#define SSL_AES                        0x04000000L
-#define SSL_CAMELLIA           0x08000000L
-
-#define SSL_MAC_MASK           0x00c00000L
-#define SSL_MD5                        0x00400000L
-#define SSL_SHA1               0x00800000L
-#define SSL_SHA                        (SSL_SHA1)
-
-#define SSL_SSL_MASK           0x03000000L
-#define SSL_SSLV2              0x01000000L
-#define SSL_SSLV3              0x02000000L
+#define SSL_kPSK               0x00000100L /* PSK */
+
+
+/* Bits for algorithm_auth (server authentication) */
+#define SSL_aRSA               0x00000001L /* RSA auth */
+#define SSL_aDSS               0x00000002L /* DSS auth */
+#define SSL_aNULL              0x00000004L /* no auth (i.e. use ADH or AECDH) */
+#define SSL_aDH                0x00000008L /* Fixed DH auth (kDHd or kDHr) */ /* no such ciphersuites supported! */
+#define SSL_aECDH              0x00000010L /* Fixed ECDH auth (kECDHe or kECDHr) */
+#define SSL_aKRB5               0x00000020L /* KRB5 auth */
+#define SSL_aECDSA              0x00000040L /* ECDSA auth*/
+#define SSL_aPSK                0x00000080L /* PSK auth */
+
+
+/* Bits for algorithm_enc (symmetric encryption) */
+#define SSL_DES                        0x00000001L
+#define SSL_3DES               0x00000002L
+#define SSL_RC4                        0x00000004L
+#define SSL_RC2                        0x00000008L
+#define SSL_IDEA               0x00000010L
+#define SSL_eNULL              0x00000020L
+#define SSL_AES128             0x00000040L
+#define SSL_AES256             0x00000080L
+#define SSL_CAMELLIA128                0x00000100L
+#define SSL_CAMELLIA256                0x00000200L
+
+#define SSL_AES                        (SSL_AES128|SSL_AES256)
+#define SSL_CAMELLIA           (SSL_CAMELLIA128|SSL_CAMELLIA256)
+
+
+/* Bits for algorithm_mac (symmetric authentication) */
+#define SSL_MD5                        0x00000001L
+#define SSL_SHA1               0x00000002L
+
+
+/* Bits for algorithm_ssl (protocol version) */
+#define SSL_SSLV2              0x00000001L
+#define SSL_SSLV3              0x00000002L
 #define SSL_TLSV1              SSL_SSLV3       /* for now */
 
-/* we have used 3fffffff - 2 bits left to go. */
 
 /*
  * Export and cipher strength information. For each cipher we have to decide
  * be possible.
  */
 #define SSL_EXP_MASK           0x00000003L
+#define SSL_STRONG_MASK                0x000000fcL
+
 #define SSL_NOT_EXP            0x00000001L
 #define SSL_EXPORT             0x00000002L
 
-#define SSL_STRONG_MASK                0x000000fcL
 #define SSL_STRONG_NONE                0x00000004L
 #define SSL_EXP40              0x00000008L
 #define SSL_MICRO              (SSL_EXP40)
 #define SSL_C_IS_EXPORT40(c)   SSL_IS_EXPORT40((c)->algo_strength)
 
 #define SSL_EXPORT_KEYLENGTH(a,s)      (SSL_IS_EXPORT40(s) ? 5 : \
-                                ((a)&SSL_ENC_MASK) == SSL_DES ? 8 : 7)
+                                (a) == SSL_DES ? 8 : 7)
 #define SSL_EXPORT_PKEYLENGTH(a) (SSL_IS_EXPORT40(a) ? 512 : 1024)
-#define SSL_C_EXPORT_KEYLENGTH(c)      SSL_EXPORT_KEYLENGTH((c)->algorithms, \
+#define SSL_C_EXPORT_KEYLENGTH(c)      SSL_EXPORT_KEYLENGTH((c)->algorithm_enc, \
                                (c)->algo_strength)
 #define SSL_C_EXPORT_PKEYLENGTH(c)     SSL_EXPORT_PKEYLENGTH((c)->algo_strength)
 
 
-#define SSL_ALL                        0xffffffffL
-#define SSL_ALL_CIPHERS                (SSL_MKEY_MASK|SSL_AUTH_MASK|SSL_ENC_MASK|\
-                               SSL_MAC_MASK)
-#define SSL_ALL_STRENGTHS      (SSL_EXP_MASK|SSL_STRONG_MASK)
+
 
 /* Mostly for SSLv3 */
 #define SSL_PKEY_RSA_ENC       0
@@ -444,8 +436,10 @@ typedef struct cert_st
        /* The following masks are for the key and auth
         * algorithms that are supported by the certs below */
        int valid;
-       unsigned long mask;
-       unsigned long export_mask;
+       unsigned long mask_k;
+       unsigned long mask_a;
+       unsigned long export_mask_k;
+       unsigned long export_mask_a;
 #ifndef OPENSSL_NO_RSA
        RSA *rsa_tmp;
        RSA *(*rsa_tmp_cb)(SSL *ssl,int is_export,int keysize);
index 29892e6..8398d27 100644 (file)
@@ -56,7 +56,7 @@
  * [including the GNU Public Licence.]
  */
 /* ====================================================================
- * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -274,8 +274,10 @@ int tls1_change_cipher_state(SSL *s, int which)
 
 #ifdef KSSL_DEBUG
        printf("tls1_change_cipher_state(which= %d) w/\n", which);
-       printf("\talg= %ld, comp= %p\n", s->s3->tmp.new_cipher->algorithms,
-                comp);
+       printf("\talg= %ld/%ld, comp= %p\n",
+              s->s3->tmp.new_cipher->algorithm_mkey,
+              s->s3->tmp.new_cipher->algorithm_auth,
+              comp);
        printf("\tevp_cipher == %p ==? &d_cbc_ede_cipher3\n", c);
        printf("\tevp_cipher: nid, blksz= %d, %d, keylen=%d, ivlen=%d\n",
                 c->nid,c->block_size,c->key_len,c->iv_len);
@@ -531,11 +533,11 @@ printf("\nkey block\n");
 
                if (s->session->cipher != NULL)
                        {
-                       if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_eNULL)
+                       if (s->session->cipher->algorithm_enc == SSL_eNULL)
                                s->s3->need_empty_fragments = 0;
                        
 #ifndef OPENSSL_NO_RC4
-                       if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4)
+                       if (s->session->cipher->algorithm_enc == SSL_RC4)
                                s->s3->need_empty_fragments = 0;
 #endif
                        }
index 9742c3f..bf6aac1 100644 (file)
@@ -56,7 +56,7 @@
  * [including the GNU Public Licence.]
  */
 /* ====================================================================
- * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -171,13 +171,13 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
                long lenmax; 
 
                /* check for enough space.
-                   4 for the servername type and entension length
-                   2 for servernamelist length
-                   1 for the hostname type
-                   2 for hostname length
-                   + hostname length 
+                  4 for the servername type and entension length
+                  2 for servernamelist length
+                  1 for the hostname type
+                  2 for hostname length
+                  + hostname length 
                */
-                   
+                  
                if ((lenmax = limit - p - 9) < 0 
                || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax) 
                        return NULL;
@@ -248,7 +248,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
 
        s2n(extdatalen,p);
        return ret;
-}
+       }
 
 unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
        {
@@ -294,7 +294,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
 
        s2n(extdatalen,p);
        return ret;
-}
+       }
 
 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
        {
@@ -308,7 +308,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                return 1;
        n2s(data,len);
 
-        if (data > (d+n-len)) 
+       if (data > (d+n-len)) 
                return 1;
 
        while (data <= (d+n-4))
@@ -354,7 +354,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                                return 0;
                                }
                        n2s(data,dsize);  
-                       size -= 2;                    
+                       size -= 2;
                        if (dsize > size  ) 
                                {
                                *al = SSL_AD_DECODE_ERROR;
@@ -377,7 +377,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                                switch (servname_type)
                                        {
                                case TLSEXT_NAMETYPE_host_name:
-                                        if (s->session->tlsext_hostname == NULL)
+                                       if (s->session->tlsext_hostname == NULL)
                                                {
                                                if (len > TLSEXT_MAXLEN_host_name || 
                                                        ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL))
@@ -404,7 +404,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                                default:
                                        break;
                                        }
-                                 
+                                
                                dsize -= len;
                                }
                        if (dsize != 0) 
@@ -477,7 +477,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 
        *p = data;
        return 1;
-}
+       }
 
 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
        {
@@ -572,7 +572,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 
        *p = data;
        return 1;
-}
+       }
 
 #ifndef OPENSSL_NO_EC
 static int nid_list[] =
@@ -681,17 +681,20 @@ int ssl_prepare_clienthello_tlsext(SSL *s)
        int using_ecc = 0;
        int i;
        unsigned char *j;
-       int algs;
+       unsigned long alg_k, alg_a;
        STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
+
        for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
                {
-               algs = (sk_SSL_CIPHER_value(cipher_stack, i))->algorithms;
-               if ((algs & SSL_kECDH) || (algs & SSL_kEECDH) || (algs & SSL_aECDSA)) 
+               SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
+
+               alg_k = c->algorithm_mkey;
+               alg_a = c->algorithm_auth;
+               if ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe) || (alg_a & SSL_aECDSA)))
                        {
                        using_ecc = 1;
                        break;
                        }
-
                }
        using_ecc = using_ecc && (s->version == TLS1_VERSION);
        if (using_ecc)
@@ -721,7 +724,7 @@ int ssl_prepare_clienthello_tlsext(SSL *s)
                }
 #endif /* OPENSSL_NO_EC */
        return 1;
-}
+       }
 
 int ssl_prepare_serverhello_tlsext(SSL *s)
        {
@@ -730,10 +733,12 @@ int ssl_prepare_serverhello_tlsext(SSL *s)
         * if the client sent us an ECPointsFormat extension.  Note that the server is not
         * supposed to send an EllipticCurves extension.
         */
-       int algs = s->s3->tmp.new_cipher->algorithms;
-       int using_ecc = (algs & SSL_kECDH) || (algs & SSL_kEECDH) || (algs & SSL_aECDSA);
-       using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
 
+       unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
+       unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
+       int using_ecc = (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA);
+       using_ecc = using_ecc && (s->session->tlsext_ecpointformatlist != NULL);
+       
        if (using_ecc)
                {
                if (s->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->tlsext_ecpointformatlist);
@@ -749,7 +754,7 @@ int ssl_prepare_serverhello_tlsext(SSL *s)
                }
 #endif /* OPENSSL_NO_EC */
        return 1;
-}
+       }
 
 int ssl_check_clienthello_tlsext(SSL *s)
        {
@@ -770,7 +775,8 @@ int ssl_check_clienthello_tlsext(SSL *s)
        else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
                ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
 
-       switch (ret) {
+       switch (ret)
+               {
                case SSL_TLSEXT_ERR_ALERT_FATAL:
                        ssl3_send_alert(s,SSL3_AL_FATAL,al); 
                        return -1;
@@ -783,8 +789,8 @@ int ssl_check_clienthello_tlsext(SSL *s)
                        s->servername_done=0;
                        default:
                return 1;
+               }
        }
-}
 
 int ssl_check_serverhello_tlsext(SSL *s)
        {
@@ -795,9 +801,10 @@ int ssl_check_serverhello_tlsext(SSL *s)
        /* If we are client and using an elliptic curve cryptography cipher suite, then server
         * must return a an EC point formats lists containing uncompressed.
         */
-       int algs = s->s3->tmp.new_cipher->algorithms;
+       unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
+       unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
        if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) && 
-           ((algs & SSL_kECDH) || (algs & SSL_kEECDH) || (algs & SSL_aECDSA))) 
+           ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA)))
                {
                /* we are using an ECC cipher */
                size_t i;
@@ -831,7 +838,8 @@ int ssl_check_serverhello_tlsext(SSL *s)
        else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
                ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
 
-       switch (ret) {
+       switch (ret)
+               {
                case SSL_TLSEXT_ERR_ALERT_FATAL:
                        ssl3_send_alert(s,SSL3_AL_FATAL,al); 
                        return -1;
@@ -844,7 +852,7 @@ int ssl_check_serverhello_tlsext(SSL *s)
                        s->servername_done=0;
                        default:
                return 1;
+               }
        }
-}
 #endif