1 /* ssl/s3_lib.c */ 2 /* Copyright (C) 1995-1998 Eric Young (eay (at) cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay (at) cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh (at) cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay (at) cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh (at) cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 /* ==================================================================== 59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core (at) openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay (at) cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh (at) cryptsoft.com). 109 * 110 */ 111 /* ==================================================================== 112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 113 * 114 * Portions of the attached software ("Contribution") are developed by 115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. 116 * 117 * The Contribution is licensed pursuant to the OpenSSL open source 118 * license provided above. 119 * 120 * ECC cipher suite support in OpenSSL originally written by 121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories. 122 * 123 */ 124 125 #include <stdio.h> 126 #include <openssl/objects.h> 127 #include "ssl_locl.h" 128 #include "kssl_lcl.h" 129 #include <openssl/md5.h> 130 #ifndef OPENSSL_NO_DH 131 #include <openssl/dh.h> 132 #endif 133 #include <openssl/pq_compat.h> 134 135 const char ssl3_version_str[]="SSLv3" OPENSSL_VERSION_PTEXT; 136 137 #define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers)/sizeof(SSL_CIPHER)) 138 139 /* list of available SSLv3 ciphers (sorted by id) */ 140 OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 141 /* The RSA ciphers */ 142 /* Cipher 01 */ 143 { 144 1, 145 SSL3_TXT_RSA_NULL_MD5, 146 SSL3_CK_RSA_NULL_MD5, 147 SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_MD5|SSL_SSLV3, 148 SSL_NOT_EXP|SSL_STRONG_NONE, 149 0, 150 0, 151 0, 152 SSL_ALL_CIPHERS, 153 SSL_ALL_STRENGTHS, 154 }, 155 /* Cipher 02 */ 156 { 157 1, 158 SSL3_TXT_RSA_NULL_SHA, 159 SSL3_CK_RSA_NULL_SHA, 160 SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_SHA1|SSL_SSLV3, 161 SSL_NOT_EXP|SSL_STRONG_NONE|SSL_FIPS, 162 0, 163 0, 164 0, 165 SSL_ALL_CIPHERS, 166 SSL_ALL_STRENGTHS, 167 }, 168 /* Cipher 03 */ 169 { 170 1, 171 SSL3_TXT_RSA_RC4_40_MD5, 172 SSL3_CK_RSA_RC4_40_MD5, 173 SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_MD5 |SSL_SSLV3, 174 SSL_EXPORT|SSL_EXP40, 175 0, 176 40, 177 128, 178 SSL_ALL_CIPHERS, 179 SSL_ALL_STRENGTHS, 180 }, 181 /* Cipher 04 */ 182 { 183 1, 184 SSL3_TXT_RSA_RC4_128_MD5, 185 SSL3_CK_RSA_RC4_128_MD5, 186 SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_MD5|SSL_SSLV3, 187 SSL_NOT_EXP|SSL_MEDIUM, 188 0, 189 128, 190 128, 191 SSL_ALL_CIPHERS, 192 SSL_ALL_STRENGTHS, 193 }, 194 /* Cipher 05 */ 195 { 196 1, 197 SSL3_TXT_RSA_RC4_128_SHA, 198 SSL3_CK_RSA_RC4_128_SHA, 199 SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_SHA1|SSL_SSLV3, 200 SSL_NOT_EXP|SSL_MEDIUM, 201 0, 202 128, 203 128, 204 SSL_ALL_CIPHERS, 205 SSL_ALL_STRENGTHS, 206 }, 207 /* Cipher 06 */ 208 { 209 1, 210 SSL3_TXT_RSA_RC2_40_MD5, 211 SSL3_CK_RSA_RC2_40_MD5, 212 SSL_kRSA|SSL_aRSA|SSL_RC2 |SSL_MD5 |SSL_SSLV3, 213 SSL_EXPORT|SSL_EXP40, 214 0, 215 40, 216 128, 217 SSL_ALL_CIPHERS, 218 SSL_ALL_STRENGTHS, 219 }, 220 /* Cipher 07 */ 221 #ifndef OPENSSL_NO_IDEA 222 { 223 1, 224 SSL3_TXT_RSA_IDEA_128_SHA, 225 SSL3_CK_RSA_IDEA_128_SHA, 226 SSL_kRSA|SSL_aRSA|SSL_IDEA |SSL_SHA1|SSL_SSLV3, 227 SSL_NOT_EXP|SSL_MEDIUM, 228 0, 229 128, 230 128, 231 SSL_ALL_CIPHERS, 232 SSL_ALL_STRENGTHS, 233 }, 234 #endif 235 /* Cipher 08 */ 236 { 237 1, 238 SSL3_TXT_RSA_DES_40_CBC_SHA, 239 SSL3_CK_RSA_DES_40_CBC_SHA, 240 SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_SSLV3, 241 SSL_EXPORT|SSL_EXP40, 242 0, 243 40, 244 56, 245 SSL_ALL_CIPHERS, 246 SSL_ALL_STRENGTHS, 247 }, 248 /* Cipher 09 */ 249 { 250 1, 251 SSL3_TXT_RSA_DES_64_CBC_SHA, 252 SSL3_CK_RSA_DES_64_CBC_SHA, 253 SSL_kRSA|SSL_aRSA|SSL_DES |SSL_SHA1|SSL_SSLV3, 254 SSL_NOT_EXP|SSL_LOW, 255 0, 256 56, 257 56, 258 SSL_ALL_CIPHERS, 259 SSL_ALL_STRENGTHS, 260 }, 261 /* Cipher 0A */ 262 { 263 1, 264 SSL3_TXT_RSA_DES_192_CBC3_SHA, 265 SSL3_CK_RSA_DES_192_CBC3_SHA, 266 SSL_kRSA|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3, 267 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 268 0, 269 168, 270 168, 271 SSL_ALL_CIPHERS, 272 SSL_ALL_STRENGTHS, 273 }, 274 /* The DH ciphers */ 275 /* Cipher 0B */ 276 { 277 0, 278 SSL3_TXT_DH_DSS_DES_40_CBC_SHA, 279 SSL3_CK_DH_DSS_DES_40_CBC_SHA, 280 SSL_kDHd |SSL_aDH|SSL_DES|SSL_SHA1|SSL_SSLV3, 281 SSL_EXPORT|SSL_EXP40, 282 0, 283 40, 284 56, 285 SSL_ALL_CIPHERS, 286 SSL_ALL_STRENGTHS, 287 }, 288 /* Cipher 0C */ 289 { 290 0, 291 SSL3_TXT_DH_DSS_DES_64_CBC_SHA, 292 SSL3_CK_DH_DSS_DES_64_CBC_SHA, 293 SSL_kDHd |SSL_aDH|SSL_DES |SSL_SHA1|SSL_SSLV3, 294 SSL_NOT_EXP|SSL_LOW, 295 0, 296 56, 297 56, 298 SSL_ALL_CIPHERS, 299 SSL_ALL_STRENGTHS, 300 }, 301 /* Cipher 0D */ 302 { 303 0, 304 SSL3_TXT_DH_DSS_DES_192_CBC3_SHA, 305 SSL3_CK_DH_DSS_DES_192_CBC3_SHA, 306 SSL_kDHd |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3, 307 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 308 0, 309 168, 310 168, 311 SSL_ALL_CIPHERS, 312 SSL_ALL_STRENGTHS, 313 }, 314 /* Cipher 0E */ 315 { 316 0, 317 SSL3_TXT_DH_RSA_DES_40_CBC_SHA, 318 SSL3_CK_DH_RSA_DES_40_CBC_SHA, 319 SSL_kDHr |SSL_aDH|SSL_DES|SSL_SHA1|SSL_SSLV3, 320 SSL_EXPORT|SSL_EXP40, 321 0, 322 40, 323 56, 324 SSL_ALL_CIPHERS, 325 SSL_ALL_STRENGTHS, 326 }, 327 /* Cipher 0F */ 328 { 329 0, 330 SSL3_TXT_DH_RSA_DES_64_CBC_SHA, 331 SSL3_CK_DH_RSA_DES_64_CBC_SHA, 332 SSL_kDHr |SSL_aDH|SSL_DES |SSL_SHA1|SSL_SSLV3, 333 SSL_NOT_EXP|SSL_LOW, 334 0, 335 56, 336 56, 337 SSL_ALL_CIPHERS, 338 SSL_ALL_STRENGTHS, 339 }, 340 /* Cipher 10 */ 341 { 342 0, 343 SSL3_TXT_DH_RSA_DES_192_CBC3_SHA, 344 SSL3_CK_DH_RSA_DES_192_CBC3_SHA, 345 SSL_kDHr |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3, 346 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 347 0, 348 168, 349 168, 350 SSL_ALL_CIPHERS, 351 SSL_ALL_STRENGTHS, 352 }, 353 354 /* The Ephemeral DH ciphers */ 355 /* Cipher 11 */ 356 { 357 1, 358 SSL3_TXT_EDH_DSS_DES_40_CBC_SHA, 359 SSL3_CK_EDH_DSS_DES_40_CBC_SHA, 360 SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA1|SSL_SSLV3, 361 SSL_EXPORT|SSL_EXP40, 362 0, 363 40, 364 56, 365 SSL_ALL_CIPHERS, 366 SSL_ALL_STRENGTHS, 367 }, 368 /* Cipher 12 */ 369 { 370 1, 371 SSL3_TXT_EDH_DSS_DES_64_CBC_SHA, 372 SSL3_CK_EDH_DSS_DES_64_CBC_SHA, 373 SSL_kEDH|SSL_aDSS|SSL_DES |SSL_SHA1|SSL_SSLV3, 374 SSL_NOT_EXP|SSL_LOW, 375 0, 376 56, 377 56, 378 SSL_ALL_CIPHERS, 379 SSL_ALL_STRENGTHS, 380 }, 381 /* Cipher 13 */ 382 { 383 1, 384 SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA, 385 SSL3_CK_EDH_DSS_DES_192_CBC3_SHA, 386 SSL_kEDH|SSL_aDSS|SSL_3DES |SSL_SHA1|SSL_SSLV3, 387 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 388 0, 389 168, 390 168, 391 SSL_ALL_CIPHERS, 392 SSL_ALL_STRENGTHS, 393 }, 394 /* Cipher 14 */ 395 { 396 1, 397 SSL3_TXT_EDH_RSA_DES_40_CBC_SHA, 398 SSL3_CK_EDH_RSA_DES_40_CBC_SHA, 399 SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_SSLV3, 400 SSL_EXPORT|SSL_EXP40, 401 0, 402 40, 403 56, 404 SSL_ALL_CIPHERS, 405 SSL_ALL_STRENGTHS, 406 }, 407 /* Cipher 15 */ 408 { 409 1, 410 SSL3_TXT_EDH_RSA_DES_64_CBC_SHA, 411 SSL3_CK_EDH_RSA_DES_64_CBC_SHA, 412 SSL_kEDH|SSL_aRSA|SSL_DES |SSL_SHA1|SSL_SSLV3, 413 SSL_NOT_EXP|SSL_LOW, 414 0, 415 56, 416 56, 417 SSL_ALL_CIPHERS, 418 SSL_ALL_STRENGTHS, 419 }, 420 /* Cipher 16 */ 421 { 422 1, 423 SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA, 424 SSL3_CK_EDH_RSA_DES_192_CBC3_SHA, 425 SSL_kEDH|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3, 426 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 427 0, 428 168, 429 168, 430 SSL_ALL_CIPHERS, 431 SSL_ALL_STRENGTHS, 432 }, 433 /* Cipher 17 */ 434 { 435 1, 436 SSL3_TXT_ADH_RC4_40_MD5, 437 SSL3_CK_ADH_RC4_40_MD5, 438 SSL_kEDH |SSL_aNULL|SSL_RC4 |SSL_MD5 |SSL_SSLV3, 439 SSL_EXPORT|SSL_EXP40, 440 0, 441 40, 442 128, 443 SSL_ALL_CIPHERS, 444 SSL_ALL_STRENGTHS, 445 }, 446 /* Cipher 18 */ 447 { 448 1, 449 SSL3_TXT_ADH_RC4_128_MD5, 450 SSL3_CK_ADH_RC4_128_MD5, 451 SSL_kEDH |SSL_aNULL|SSL_RC4 |SSL_MD5 |SSL_SSLV3, 452 SSL_NOT_EXP|SSL_MEDIUM, 453 0, 454 128, 455 128, 456 SSL_ALL_CIPHERS, 457 SSL_ALL_STRENGTHS, 458 }, 459 /* Cipher 19 */ 460 { 461 1, 462 SSL3_TXT_ADH_DES_40_CBC_SHA, 463 SSL3_CK_ADH_DES_40_CBC_SHA, 464 SSL_kEDH |SSL_aNULL|SSL_DES|SSL_SHA1|SSL_SSLV3, 465 SSL_EXPORT|SSL_EXP40, 466 0, 467 40, 468 128, 469 SSL_ALL_CIPHERS, 470 SSL_ALL_STRENGTHS, 471 }, 472 /* Cipher 1A */ 473 { 474 1, 475 SSL3_TXT_ADH_DES_64_CBC_SHA, 476 SSL3_CK_ADH_DES_64_CBC_SHA, 477 SSL_kEDH |SSL_aNULL|SSL_DES |SSL_SHA1|SSL_SSLV3, 478 SSL_NOT_EXP|SSL_LOW, 479 0, 480 56, 481 56, 482 SSL_ALL_CIPHERS, 483 SSL_ALL_STRENGTHS, 484 }, 485 /* Cipher 1B */ 486 { 487 1, 488 SSL3_TXT_ADH_DES_192_CBC_SHA, 489 SSL3_CK_ADH_DES_192_CBC_SHA, 490 SSL_kEDH |SSL_aNULL|SSL_3DES |SSL_SHA1|SSL_SSLV3, 491 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 492 0, 493 168, 494 168, 495 SSL_ALL_CIPHERS, 496 SSL_ALL_STRENGTHS, 497 }, 498 499 /* Fortezza */ 500 /* Cipher 1C */ 501 { 502 0, 503 SSL3_TXT_FZA_DMS_NULL_SHA, 504 SSL3_CK_FZA_DMS_NULL_SHA, 505 SSL_kFZA|SSL_aFZA |SSL_eNULL |SSL_SHA1|SSL_SSLV3, 506 SSL_NOT_EXP|SSL_STRONG_NONE, 507 0, 508 0, 509 0, 510 SSL_ALL_CIPHERS, 511 SSL_ALL_STRENGTHS, 512 }, 513 514 /* Cipher 1D */ 515 { 516 0, 517 SSL3_TXT_FZA_DMS_FZA_SHA, 518 SSL3_CK_FZA_DMS_FZA_SHA, 519 SSL_kFZA|SSL_aFZA |SSL_eFZA |SSL_SHA1|SSL_SSLV3, 520 SSL_NOT_EXP|SSL_STRONG_NONE, 521 0, 522 0, 523 0, 524 SSL_ALL_CIPHERS, 525 SSL_ALL_STRENGTHS, 526 }, 527 528 #if 0 529 /* Cipher 1E */ 530 { 531 0, 532 SSL3_TXT_FZA_DMS_RC4_SHA, 533 SSL3_CK_FZA_DMS_RC4_SHA, 534 SSL_kFZA|SSL_aFZA |SSL_RC4 |SSL_SHA1|SSL_SSLV3, 535 SSL_NOT_EXP|SSL_MEDIUM, 536 0, 537 128, 538 128, 539 SSL_ALL_CIPHERS, 540 SSL_ALL_STRENGTHS, 541 }, 542 #endif 543 544 #ifndef OPENSSL_NO_KRB5 545 /* The Kerberos ciphers */ 546 /* Cipher 1E */ 547 { 548 1, 549 SSL3_TXT_KRB5_DES_64_CBC_SHA, 550 SSL3_CK_KRB5_DES_64_CBC_SHA, 551 SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_SHA1 |SSL_SSLV3, 552 SSL_NOT_EXP|SSL_LOW, 553 0, 554 56, 555 56, 556 SSL_ALL_CIPHERS, 557 SSL_ALL_STRENGTHS, 558 }, 559 560 /* Cipher 1F */ 561 { 562 1, 563 SSL3_TXT_KRB5_DES_192_CBC3_SHA, 564 SSL3_CK_KRB5_DES_192_CBC3_SHA, 565 SSL_kKRB5|SSL_aKRB5| SSL_3DES|SSL_SHA1 |SSL_SSLV3, 566 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 567 0, 568 168, 569 168, 570 SSL_ALL_CIPHERS, 571 SSL_ALL_STRENGTHS, 572 }, 573 574 /* Cipher 20 */ 575 { 576 1, 577 SSL3_TXT_KRB5_RC4_128_SHA, 578 SSL3_CK_KRB5_RC4_128_SHA, 579 SSL_kKRB5|SSL_aKRB5| SSL_RC4|SSL_SHA1 |SSL_SSLV3, 580 SSL_NOT_EXP|SSL_MEDIUM, 581 0, 582 128, 583 128, 584 SSL_ALL_CIPHERS, 585 SSL_ALL_STRENGTHS, 586 }, 587 588 /* Cipher 21 */ 589 { 590 1, 591 SSL3_TXT_KRB5_IDEA_128_CBC_SHA, 592 SSL3_CK_KRB5_IDEA_128_CBC_SHA, 593 SSL_kKRB5|SSL_aKRB5| SSL_IDEA|SSL_SHA1 |SSL_SSLV3, 594 SSL_NOT_EXP|SSL_MEDIUM, 595 0, 596 128, 597 128, 598 SSL_ALL_CIPHERS, 599 SSL_ALL_STRENGTHS, 600 }, 601 602 /* Cipher 22 */ 603 { 604 1, 605 SSL3_TXT_KRB5_DES_64_CBC_MD5, 606 SSL3_CK_KRB5_DES_64_CBC_MD5, 607 SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_MD5 |SSL_SSLV3, 608 SSL_NOT_EXP|SSL_LOW, 609 0, 610 56, 611 56, 612 SSL_ALL_CIPHERS, 613 SSL_ALL_STRENGTHS, 614 }, 615 616 /* Cipher 23 */ 617 { 618 1, 619 SSL3_TXT_KRB5_DES_192_CBC3_MD5, 620 SSL3_CK_KRB5_DES_192_CBC3_MD5, 621 SSL_kKRB5|SSL_aKRB5| SSL_3DES|SSL_MD5 |SSL_SSLV3, 622 SSL_NOT_EXP|SSL_HIGH, 623 0, 624 168, 625 168, 626 SSL_ALL_CIPHERS, 627 SSL_ALL_STRENGTHS, 628 }, 629 630 /* Cipher 24 */ 631 { 632 1, 633 SSL3_TXT_KRB5_RC4_128_MD5, 634 SSL3_CK_KRB5_RC4_128_MD5, 635 SSL_kKRB5|SSL_aKRB5| SSL_RC4|SSL_MD5 |SSL_SSLV3, 636 SSL_NOT_EXP|SSL_MEDIUM, 637 0, 638 128, 639 128, 640 SSL_ALL_CIPHERS, 641 SSL_ALL_STRENGTHS, 642 }, 643 644 /* Cipher 25 */ 645 { 646 1, 647 SSL3_TXT_KRB5_IDEA_128_CBC_MD5, 648 SSL3_CK_KRB5_IDEA_128_CBC_MD5, 649 SSL_kKRB5|SSL_aKRB5| SSL_IDEA|SSL_MD5 |SSL_SSLV3, 650 SSL_NOT_EXP|SSL_MEDIUM, 651 0, 652 128, 653 128, 654 SSL_ALL_CIPHERS, 655 SSL_ALL_STRENGTHS, 656 }, 657 658 /* Cipher 26 */ 659 { 660 1, 661 SSL3_TXT_KRB5_DES_40_CBC_SHA, 662 SSL3_CK_KRB5_DES_40_CBC_SHA, 663 SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_SHA1 |SSL_SSLV3, 664 SSL_EXPORT|SSL_EXP40, 665 0, 666 40, 667 56, 668 SSL_ALL_CIPHERS, 669 SSL_ALL_STRENGTHS, 670 }, 671 672 /* Cipher 27 */ 673 { 674 1, 675 SSL3_TXT_KRB5_RC2_40_CBC_SHA, 676 SSL3_CK_KRB5_RC2_40_CBC_SHA, 677 SSL_kKRB5|SSL_aKRB5| SSL_RC2|SSL_SHA1 |SSL_SSLV3, 678 SSL_EXPORT|SSL_EXP40, 679 0, 680 40, 681 128, 682 SSL_ALL_CIPHERS, 683 SSL_ALL_STRENGTHS, 684 }, 685 686 /* Cipher 28 */ 687 { 688 1, 689 SSL3_TXT_KRB5_RC4_40_SHA, 690 SSL3_CK_KRB5_RC4_40_SHA, 691 SSL_kKRB5|SSL_aKRB5| SSL_RC4|SSL_SHA1 |SSL_SSLV3, 692 SSL_EXPORT|SSL_EXP40, 693 0, 694 40, 695 128, 696 SSL_ALL_CIPHERS, 697 SSL_ALL_STRENGTHS, 698 }, 699 700 /* Cipher 29 */ 701 { 702 1, 703 SSL3_TXT_KRB5_DES_40_CBC_MD5, 704 SSL3_CK_KRB5_DES_40_CBC_MD5, 705 SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_MD5 |SSL_SSLV3, 706 SSL_EXPORT|SSL_EXP40, 707 0, 708 40, 709 56, 710 SSL_ALL_CIPHERS, 711 SSL_ALL_STRENGTHS, 712 }, 713 714 /* Cipher 2A */ 715 { 716 1, 717 SSL3_TXT_KRB5_RC2_40_CBC_MD5, 718 SSL3_CK_KRB5_RC2_40_CBC_MD5, 719 SSL_kKRB5|SSL_aKRB5| SSL_RC2|SSL_MD5 |SSL_SSLV3, 720 SSL_EXPORT|SSL_EXP40, 721 0, 722 40, 723 128, 724 SSL_ALL_CIPHERS, 725 SSL_ALL_STRENGTHS, 726 }, 727 728 /* Cipher 2B */ 729 { 730 1, 731 SSL3_TXT_KRB5_RC4_40_MD5, 732 SSL3_CK_KRB5_RC4_40_MD5, 733 SSL_kKRB5|SSL_aKRB5| SSL_RC4|SSL_MD5 |SSL_SSLV3, 734 SSL_EXPORT|SSL_EXP40, 735 0, 736 40, 737 128, 738 SSL_ALL_CIPHERS, 739 SSL_ALL_STRENGTHS, 740 }, 741 #endif /* OPENSSL_NO_KRB5 */ 742 743 /* New AES ciphersuites */ 744 /* Cipher 2F */ 745 { 746 1, 747 TLS1_TXT_RSA_WITH_AES_128_SHA, 748 TLS1_CK_RSA_WITH_AES_128_SHA, 749 SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1, 750 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 751 0, 752 128, 753 128, 754 SSL_ALL_CIPHERS, 755 SSL_ALL_STRENGTHS, 756 }, 757 /* Cipher 30 */ 758 { 759 0, 760 TLS1_TXT_DH_DSS_WITH_AES_128_SHA, 761 TLS1_CK_DH_DSS_WITH_AES_128_SHA, 762 SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, 763 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 764 0, 765 128, 766 128, 767 SSL_ALL_CIPHERS, 768 SSL_ALL_STRENGTHS, 769 }, 770 /* Cipher 31 */ 771 { 772 0, 773 TLS1_TXT_DH_RSA_WITH_AES_128_SHA, 774 TLS1_CK_DH_RSA_WITH_AES_128_SHA, 775 SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, 776 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 777 0, 778 128, 779 128, 780 SSL_ALL_CIPHERS, 781 SSL_ALL_STRENGTHS, 782 }, 783 /* Cipher 32 */ 784 { 785 1, 786 TLS1_TXT_DHE_DSS_WITH_AES_128_SHA, 787 TLS1_CK_DHE_DSS_WITH_AES_128_SHA, 788 SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1, 789 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 790 0, 791 128, 792 128, 793 SSL_ALL_CIPHERS, 794 SSL_ALL_STRENGTHS, 795 }, 796 /* Cipher 33 */ 797 { 798 1, 799 TLS1_TXT_DHE_RSA_WITH_AES_128_SHA, 800 TLS1_CK_DHE_RSA_WITH_AES_128_SHA, 801 SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, 802 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 803 0, 804 128, 805 128, 806 SSL_ALL_CIPHERS, 807 SSL_ALL_STRENGTHS, 808 }, 809 /* Cipher 34 */ 810 { 811 1, 812 TLS1_TXT_ADH_WITH_AES_128_SHA, 813 TLS1_CK_ADH_WITH_AES_128_SHA, 814 SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1, 815 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 816 0, 817 128, 818 128, 819 SSL_ALL_CIPHERS, 820 SSL_ALL_STRENGTHS, 821 }, 822 823 /* Cipher 35 */ 824 { 825 1, 826 TLS1_TXT_RSA_WITH_AES_256_SHA, 827 TLS1_CK_RSA_WITH_AES_256_SHA, 828 SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1, 829 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 830 0, 831 256, 832 256, 833 SSL_ALL_CIPHERS, 834 SSL_ALL_STRENGTHS, 835 }, 836 /* Cipher 36 */ 837 { 838 0, 839 TLS1_TXT_DH_DSS_WITH_AES_256_SHA, 840 TLS1_CK_DH_DSS_WITH_AES_256_SHA, 841 SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, 842 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 843 0, 844 256, 845 256, 846 SSL_ALL_CIPHERS, 847 SSL_ALL_STRENGTHS, 848 }, 849 /* Cipher 37 */ 850 { 851 0, 852 TLS1_TXT_DH_RSA_WITH_AES_256_SHA, 853 TLS1_CK_DH_RSA_WITH_AES_256_SHA, 854 SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, 855 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 856 0, 857 256, 858 256, 859 SSL_ALL_CIPHERS, 860 SSL_ALL_STRENGTHS, 861 }, 862 /* Cipher 38 */ 863 { 864 1, 865 TLS1_TXT_DHE_DSS_WITH_AES_256_SHA, 866 TLS1_CK_DHE_DSS_WITH_AES_256_SHA, 867 SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1, 868 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 869 0, 870 256, 871 256, 872 SSL_ALL_CIPHERS, 873 SSL_ALL_STRENGTHS, 874 }, 875 /* Cipher 39 */ 876 { 877 1, 878 TLS1_TXT_DHE_RSA_WITH_AES_256_SHA, 879 TLS1_CK_DHE_RSA_WITH_AES_256_SHA, 880 SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, 881 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 882 0, 883 256, 884 256, 885 SSL_ALL_CIPHERS, 886 SSL_ALL_STRENGTHS, 887 }, 888 /* Cipher 3A */ 889 { 890 1, 891 TLS1_TXT_ADH_WITH_AES_256_SHA, 892 TLS1_CK_ADH_WITH_AES_256_SHA, 893 SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1, 894 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 895 0, 896 256, 897 256, 898 SSL_ALL_CIPHERS, 899 SSL_ALL_STRENGTHS, 900 }, 901 902 #ifndef OPENSSL_NO_CAMELLIA 903 /* Camellia ciphersuites from RFC4132 (128-bit portion) */ 904 905 /* Cipher 41 */ 906 { 907 1, 908 TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA, 909 TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA, 910 SSL_kRSA|SSL_aRSA|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, 911 SSL_NOT_EXP|SSL_HIGH, 912 0, 913 128, 914 128, 915 SSL_ALL_CIPHERS, 916 SSL_ALL_STRENGTHS 917 }, 918 /* Cipher 42 */ 919 { 920 0, /* not implemented (non-ephemeral DH) */ 921 TLS1_TXT_DH_DSS_WITH_CAMELLIA_128_CBC_SHA, 922 TLS1_CK_DH_DSS_WITH_CAMELLIA_128_CBC_SHA, 923 SSL_kDHd|SSL_aDH|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, 924 SSL_NOT_EXP|SSL_HIGH, 925 0, 926 128, 927 128, 928 SSL_ALL_CIPHERS, 929 SSL_ALL_STRENGTHS 930 }, 931 /* Cipher 43 */ 932 { 933 0, /* not implemented (non-ephemeral DH) */ 934 TLS1_TXT_DH_RSA_WITH_CAMELLIA_128_CBC_SHA, 935 TLS1_CK_DH_RSA_WITH_CAMELLIA_128_CBC_SHA, 936 SSL_kDHr|SSL_aDH|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, 937 SSL_NOT_EXP|SSL_HIGH, 938 0, 939 128, 940 128, 941 SSL_ALL_CIPHERS, 942 SSL_ALL_STRENGTHS 943 }, 944 /* Cipher 44 */ 945 { 946 1, 947 TLS1_TXT_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, 948 TLS1_CK_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, 949 SSL_kEDH|SSL_aDSS|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, 950 SSL_NOT_EXP|SSL_HIGH, 951 0, 952 128, 953 128, 954 SSL_ALL_CIPHERS, 955 SSL_ALL_STRENGTHS 956 }, 957 /* Cipher 45 */ 958 { 959 1, 960 TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, 961 TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, 962 SSL_kEDH|SSL_aRSA|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, 963 SSL_NOT_EXP|SSL_HIGH, 964 0, 965 128, 966 128, 967 SSL_ALL_CIPHERS, 968 SSL_ALL_STRENGTHS 969 }, 970 /* Cipher 46 */ 971 { 972 1, 973 TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA, 974 TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA, 975 SSL_kEDH|SSL_aNULL|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, 976 SSL_NOT_EXP|SSL_HIGH, 977 0, 978 128, 979 128, 980 SSL_ALL_CIPHERS, 981 SSL_ALL_STRENGTHS 982 }, 983 #endif /* OPENSSL_NO_CAMELLIA */ 984 985 #if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES 986 /* New TLS Export CipherSuites from expired ID */ 987 #if 0 988 /* Cipher 60 */ 989 { 990 1, 991 TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5, 992 TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5, 993 SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_TLSV1, 994 SSL_EXPORT|SSL_EXP56, 995 0, 996 56, 997 128, 998 SSL_ALL_CIPHERS, 999 SSL_ALL_STRENGTHS, 1000 }, 1001 /* Cipher 61 */ 1002 { 1003 1, 1004 TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5, 1005 TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5, 1006 SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_TLSV1, 1007 SSL_EXPORT|SSL_EXP56, 1008 0, 1009 56, 1010 128, 1011 SSL_ALL_CIPHERS, 1012 SSL_ALL_STRENGTHS, 1013 }, 1014 #endif 1015 /* Cipher 62 */ 1016 { 1017 1, 1018 TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA, 1019 TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA, 1020 SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA|SSL_TLSV1, 1021 SSL_EXPORT|SSL_EXP56, 1022 0, 1023 56, 1024 56, 1025 SSL_ALL_CIPHERS, 1026 SSL_ALL_STRENGTHS, 1027 }, 1028 /* Cipher 63 */ 1029 { 1030 1, 1031 TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA, 1032 TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA, 1033 SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA|SSL_TLSV1, 1034 SSL_EXPORT|SSL_EXP56, 1035 0, 1036 56, 1037 56, 1038 SSL_ALL_CIPHERS, 1039 SSL_ALL_STRENGTHS, 1040 }, 1041 /* Cipher 64 */ 1042 { 1043 1, 1044 TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA, 1045 TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA, 1046 SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1, 1047 SSL_EXPORT|SSL_EXP56, 1048 0, 1049 56, 1050 128, 1051 SSL_ALL_CIPHERS, 1052 SSL_ALL_STRENGTHS, 1053 }, 1054 /* Cipher 65 */ 1055 { 1056 1, 1057 TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA, 1058 TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA, 1059 SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1, 1060 SSL_EXPORT|SSL_EXP56, 1061 0, 1062 56, 1063 128, 1064 SSL_ALL_CIPHERS, 1065 SSL_ALL_STRENGTHS, 1066 }, 1067 /* Cipher 66 */ 1068 { 1069 1, 1070 TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA, 1071 TLS1_CK_DHE_DSS_WITH_RC4_128_SHA, 1072 SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1, 1073 SSL_NOT_EXP|SSL_MEDIUM, 1074 0, 1075 128, 1076 128, 1077 SSL_ALL_CIPHERS, 1078 SSL_ALL_STRENGTHS 1079 }, 1080 #endif 1081 1082 #ifndef OPENSSL_NO_CAMELLIA 1083 /* Camellia ciphersuites from RFC4132 (256-bit portion) */ 1084 1085 /* Cipher 84 */ 1086 { 1087 1, 1088 TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA, 1089 TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA, 1090 SSL_kRSA|SSL_aRSA|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, 1091 SSL_NOT_EXP|SSL_HIGH, 1092 0, 1093 256, 1094 256, 1095 SSL_ALL_CIPHERS, 1096 SSL_ALL_STRENGTHS 1097 }, 1098 /* Cipher 85 */ 1099 { 1100 0, /* not implemented (non-ephemeral DH) */ 1101 TLS1_TXT_DH_DSS_WITH_CAMELLIA_256_CBC_SHA, 1102 TLS1_CK_DH_DSS_WITH_CAMELLIA_256_CBC_SHA, 1103 SSL_kDHd|SSL_aDH|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, 1104 SSL_NOT_EXP|SSL_HIGH, 1105 0, 1106 256, 1107 256, 1108 SSL_ALL_CIPHERS, 1109 SSL_ALL_STRENGTHS 1110 }, 1111 /* Cipher 86 */ 1112 { 1113 0, /* not implemented (non-ephemeral DH) */ 1114 TLS1_TXT_DH_RSA_WITH_CAMELLIA_256_CBC_SHA, 1115 TLS1_CK_DH_RSA_WITH_CAMELLIA_256_CBC_SHA, 1116 SSL_kDHr|SSL_aDH|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, 1117 SSL_NOT_EXP|SSL_HIGH, 1118 0, 1119 256, 1120 256, 1121 SSL_ALL_CIPHERS, 1122 SSL_ALL_STRENGTHS 1123 }, 1124 /* Cipher 87 */ 1125 { 1126 1, 1127 TLS1_TXT_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, 1128 TLS1_CK_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, 1129 SSL_kEDH|SSL_aDSS|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, 1130 SSL_NOT_EXP|SSL_HIGH, 1131 0, 1132 256, 1133 256, 1134 SSL_ALL_CIPHERS, 1135 SSL_ALL_STRENGTHS 1136 }, 1137 /* Cipher 88 */ 1138 { 1139 1, 1140 TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, 1141 TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, 1142 SSL_kEDH|SSL_aRSA|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, 1143 SSL_NOT_EXP|SSL_HIGH, 1144 0, 1145 256, 1146 256, 1147 SSL_ALL_CIPHERS, 1148 SSL_ALL_STRENGTHS 1149 }, 1150 /* Cipher 89 */ 1151 { 1152 1, 1153 TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA, 1154 TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA, 1155 SSL_kEDH|SSL_aNULL|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, 1156 SSL_NOT_EXP|SSL_HIGH, 1157 0, 1158 256, 1159 256, 1160 SSL_ALL_CIPHERS, 1161 SSL_ALL_STRENGTHS 1162 }, 1163 #endif /* OPENSSL_NO_CAMELLIA */ 1164 1165 #ifndef OPENSSL_NO_SEED 1166 /* SEED ciphersuites from RFC4162 */ 1167 1168 /* Cipher 96 */ 1169 { 1170 1, 1171 TLS1_TXT_RSA_WITH_SEED_SHA, 1172 TLS1_CK_RSA_WITH_SEED_SHA, 1173 SSL_kRSA|SSL_aRSA|SSL_SEED|SSL_SHA1|SSL_TLSV1, 1174 SSL_NOT_EXP|SSL_MEDIUM, 1175 0, 1176 128, 1177 128, 1178 SSL_ALL_CIPHERS, 1179 SSL_ALL_STRENGTHS, 1180 }, 1181 1182 /* Cipher 97 */ 1183 { 1184 0, /* not implemented (non-ephemeral DH) */ 1185 TLS1_TXT_DH_DSS_WITH_SEED_SHA, 1186 TLS1_CK_DH_DSS_WITH_SEED_SHA, 1187 SSL_kDHd|SSL_aDH|SSL_SEED|SSL_SHA1|SSL_TLSV1, 1188 SSL_NOT_EXP|SSL_MEDIUM, 1189 0, 1190 128, 1191 128, 1192 SSL_ALL_CIPHERS, 1193 SSL_ALL_STRENGTHS, 1194 }, 1195 1196 /* Cipher 98 */ 1197 { 1198 0, /* not implemented (non-ephemeral DH) */ 1199 TLS1_TXT_DH_RSA_WITH_SEED_SHA, 1200 TLS1_CK_DH_RSA_WITH_SEED_SHA, 1201 SSL_kDHr|SSL_aDH|SSL_SEED|SSL_SHA1|SSL_TLSV1, 1202 SSL_NOT_EXP|SSL_MEDIUM, 1203 0, 1204 128, 1205 128, 1206 SSL_ALL_CIPHERS, 1207 SSL_ALL_STRENGTHS, 1208 }, 1209 1210 /* Cipher 99 */ 1211 { 1212 1, 1213 TLS1_TXT_DHE_DSS_WITH_SEED_SHA, 1214 TLS1_CK_DHE_DSS_WITH_SEED_SHA, 1215 SSL_kEDH|SSL_aDSS|SSL_SEED|SSL_SHA1|SSL_TLSV1, 1216 SSL_NOT_EXP|SSL_MEDIUM, 1217 0, 1218 128, 1219 128, 1220 SSL_ALL_CIPHERS, 1221 SSL_ALL_STRENGTHS, 1222 }, 1223 1224 /* Cipher 9A */ 1225 { 1226 1, 1227 TLS1_TXT_DHE_RSA_WITH_SEED_SHA, 1228 TLS1_CK_DHE_RSA_WITH_SEED_SHA, 1229 SSL_kEDH|SSL_aRSA|SSL_SEED|SSL_SHA1|SSL_TLSV1, 1230 SSL_NOT_EXP|SSL_MEDIUM, 1231 0, 1232 128, 1233 128, 1234 SSL_ALL_CIPHERS, 1235 SSL_ALL_STRENGTHS, 1236 }, 1237 1238 /* Cipher 9B */ 1239 { 1240 1, 1241 TLS1_TXT_ADH_WITH_SEED_SHA, 1242 TLS1_CK_ADH_WITH_SEED_SHA, 1243 SSL_kEDH|SSL_aNULL|SSL_SEED|SSL_SHA1|SSL_TLSV1, 1244 SSL_NOT_EXP|SSL_MEDIUM, 1245 0, 1246 128, 1247 128, 1248 SSL_ALL_CIPHERS, 1249 SSL_ALL_STRENGTHS, 1250 }, 1251 1252 #endif /* OPENSSL_NO_SEED */ 1253 1254 #ifndef OPENSSL_NO_ECDH 1255 /* Cipher C001 */ 1256 { 1257 1, 1258 TLS1_TXT_ECDH_ECDSA_WITH_NULL_SHA, 1259 TLS1_CK_ECDH_ECDSA_WITH_NULL_SHA, 1260 SSL_kECDH|SSL_aECDSA|SSL_eNULL|SSL_SHA|SSL_TLSV1, 1261 SSL_NOT_EXP, 1262 0, 1263 0, 1264 0, 1265 SSL_ALL_CIPHERS, 1266 SSL_ALL_STRENGTHS, 1267 }, 1268 1269 /* Cipher C002 */ 1270 { 1271 1, 1272 TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA, 1273 TLS1_CK_ECDH_ECDSA_WITH_RC4_128_SHA, 1274 SSL_kECDH|SSL_aECDSA|SSL_RC4|SSL_SHA|SSL_TLSV1, 1275 SSL_NOT_EXP, 1276 0, 1277 128, 1278 128, 1279 SSL_ALL_CIPHERS, 1280 SSL_ALL_STRENGTHS, 1281 }, 1282 1283 /* Cipher C003 */ 1284 { 1285 1, 1286 TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA, 1287 TLS1_CK_ECDH_ECDSA_WITH_DES_192_CBC3_SHA, 1288 SSL_kECDH|SSL_aECDSA|SSL_3DES|SSL_SHA|SSL_TLSV1, 1289 SSL_NOT_EXP|SSL_HIGH, 1290 0, 1291 168, 1292 168, 1293 SSL_ALL_CIPHERS, 1294 SSL_ALL_STRENGTHS, 1295 }, 1296 1297 /* Cipher C004 */ 1298 { 1299 1, 1300 TLS1_TXT_ECDH_ECDSA_WITH_AES_128_CBC_SHA, 1301 TLS1_CK_ECDH_ECDSA_WITH_AES_128_CBC_SHA, 1302 SSL_kECDH|SSL_aECDSA|SSL_AES|SSL_SHA|SSL_TLSV1, 1303 SSL_NOT_EXP|SSL_HIGH, 1304 0, 1305 128, 1306 128, 1307 SSL_ALL_CIPHERS, 1308 SSL_ALL_STRENGTHS, 1309 }, 1310 1311 /* Cipher C005 */ 1312 { 1313 1, 1314 TLS1_TXT_ECDH_ECDSA_WITH_AES_256_CBC_SHA, 1315 TLS1_CK_ECDH_ECDSA_WITH_AES_256_CBC_SHA, 1316 SSL_kECDH|SSL_aECDSA|SSL_AES|SSL_SHA|SSL_TLSV1, 1317 SSL_NOT_EXP|SSL_HIGH, 1318 0, 1319 256, 1320 256, 1321 SSL_ALL_CIPHERS, 1322 SSL_ALL_STRENGTHS, 1323 }, 1324 1325 /* Cipher C006 */ 1326 { 1327 1, 1328 TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA, 1329 TLS1_CK_ECDHE_ECDSA_WITH_NULL_SHA, 1330 SSL_kECDHE|SSL_aECDSA|SSL_eNULL|SSL_SHA|SSL_TLSV1, 1331 SSL_NOT_EXP, 1332 0, 1333 0, 1334 0, 1335 SSL_ALL_CIPHERS, 1336 SSL_ALL_STRENGTHS, 1337 }, 1338 1339 /* Cipher C007 */ 1340 { 1341 1, 1342 TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA, 1343 TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA, 1344 SSL_kECDHE|SSL_aECDSA|SSL_RC4|SSL_SHA|SSL_TLSV1, 1345 SSL_NOT_EXP, 1346 0, 1347 128, 1348 128, 1349 SSL_ALL_CIPHERS, 1350 SSL_ALL_STRENGTHS, 1351 }, 1352 1353 /* Cipher C008 */ 1354 { 1355 1, 1356 TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA, 1357 TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA, 1358 SSL_kECDHE|SSL_aECDSA|SSL_3DES|SSL_SHA|SSL_TLSV1, 1359 SSL_NOT_EXP|SSL_HIGH, 1360 0, 1361 168, 1362 168, 1363 SSL_ALL_CIPHERS, 1364 SSL_ALL_STRENGTHS, 1365 }, 1366 1367 /* Cipher C009 */ 1368 { 1369 1, 1370 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 1371 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 1372 SSL_kECDHE|SSL_aECDSA|SSL_AES|SSL_SHA|SSL_TLSV1, 1373 SSL_NOT_EXP|SSL_HIGH, 1374 0, 1375 128, 1376 128, 1377 SSL_ALL_CIPHERS, 1378 SSL_ALL_STRENGTHS, 1379 }, 1380 1381 /* Cipher C00A */ 1382 { 1383 1, 1384 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 1385 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 1386 SSL_kECDHE|SSL_aECDSA|SSL_AES|SSL_SHA|SSL_TLSV1, 1387 SSL_NOT_EXP|SSL_HIGH, 1388 0, 1389 256, 1390 256, 1391 SSL_ALL_CIPHERS, 1392 SSL_ALL_STRENGTHS, 1393 }, 1394 1395 /* Cipher C00B */ 1396 { 1397 1, 1398 TLS1_TXT_ECDH_RSA_WITH_NULL_SHA, 1399 TLS1_CK_ECDH_RSA_WITH_NULL_SHA, 1400 SSL_kECDH|SSL_aRSA|SSL_eNULL|SSL_SHA|SSL_TLSV1, 1401 SSL_NOT_EXP, 1402 0, 1403 0, 1404 0, 1405 SSL_ALL_CIPHERS, 1406 SSL_ALL_STRENGTHS, 1407 }, 1408 1409 /* Cipher C00C */ 1410 { 1411 1, 1412 TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA, 1413 TLS1_CK_ECDH_RSA_WITH_RC4_128_SHA, 1414 SSL_kECDH|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1, 1415 SSL_NOT_EXP, 1416 0, 1417 128, 1418 128, 1419 SSL_ALL_CIPHERS, 1420 SSL_ALL_STRENGTHS, 1421 }, 1422 1423 /* Cipher C00D */ 1424 { 1425 1, 1426 TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA, 1427 TLS1_CK_ECDH_RSA_WITH_DES_192_CBC3_SHA, 1428 SSL_kECDH|SSL_aRSA|SSL_3DES|SSL_SHA|SSL_TLSV1, 1429 SSL_NOT_EXP|SSL_HIGH, 1430 0, 1431 168, 1432 168, 1433 SSL_ALL_CIPHERS, 1434 SSL_ALL_STRENGTHS, 1435 }, 1436 1437 /* Cipher C00E */ 1438 { 1439 1, 1440 TLS1_TXT_ECDH_RSA_WITH_AES_128_CBC_SHA, 1441 TLS1_CK_ECDH_RSA_WITH_AES_128_CBC_SHA, 1442 SSL_kECDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, 1443 SSL_NOT_EXP|SSL_HIGH, 1444 0, 1445 128, 1446 128, 1447 SSL_ALL_CIPHERS, 1448 SSL_ALL_STRENGTHS, 1449 }, 1450 1451 /* Cipher C00F */ 1452 { 1453 1, 1454 TLS1_TXT_ECDH_RSA_WITH_AES_256_CBC_SHA, 1455 TLS1_CK_ECDH_RSA_WITH_AES_256_CBC_SHA, 1456 SSL_kECDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, 1457 SSL_NOT_EXP|SSL_HIGH, 1458 0, 1459 256, 1460 256, 1461 SSL_ALL_CIPHERS, 1462 SSL_ALL_STRENGTHS, 1463 }, 1464 1465 /* Cipher C010 */ 1466 { 1467 1, 1468 TLS1_TXT_ECDHE_RSA_WITH_NULL_SHA, 1469 TLS1_CK_ECDHE_RSA_WITH_NULL_SHA, 1470 SSL_kECDHE|SSL_aRSA|SSL_eNULL|SSL_SHA|SSL_TLSV1, 1471 SSL_NOT_EXP, 1472 0, 1473 0, 1474 0, 1475 SSL_ALL_CIPHERS, 1476 SSL_ALL_STRENGTHS, 1477 }, 1478 1479 /* Cipher C011 */ 1480 { 1481 1, 1482 TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA, 1483 TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA, 1484 SSL_kECDHE|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1, 1485 SSL_NOT_EXP, 1486 0, 1487 128, 1488 128, 1489 SSL_ALL_CIPHERS, 1490 SSL_ALL_STRENGTHS, 1491 }, 1492 1493 /* Cipher C012 */ 1494 { 1495 1, 1496 TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA, 1497 TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA, 1498 SSL_kECDHE|SSL_aRSA|SSL_3DES|SSL_SHA|SSL_TLSV1, 1499 SSL_NOT_EXP|SSL_HIGH, 1500 0, 1501 168, 1502 168, 1503 SSL_ALL_CIPHERS, 1504 SSL_ALL_STRENGTHS, 1505 }, 1506 1507 /* Cipher C013 */ 1508 { 1509 1, 1510 TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA, 1511 TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, 1512 SSL_kECDHE|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, 1513 SSL_NOT_EXP|SSL_HIGH, 1514 0, 1515 128, 1516 128, 1517 SSL_ALL_CIPHERS, 1518 SSL_ALL_STRENGTHS, 1519 }, 1520 1521 /* Cipher C014 */ 1522 { 1523 1, 1524 TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA, 1525 TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, 1526 SSL_kECDHE|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, 1527 SSL_NOT_EXP|SSL_HIGH, 1528 0, 1529 256, 1530 256, 1531 SSL_ALL_CIPHERS, 1532 SSL_ALL_STRENGTHS, 1533 }, 1534 1535 /* Cipher C015 */ 1536 { 1537 1, 1538 TLS1_TXT_ECDH_anon_WITH_NULL_SHA, 1539 TLS1_CK_ECDH_anon_WITH_NULL_SHA, 1540 SSL_kECDHE|SSL_aNULL|SSL_eNULL|SSL_SHA|SSL_TLSV1, 1541 SSL_NOT_EXP, 1542 0, 1543 0, 1544 0, 1545 SSL_ALL_CIPHERS, 1546 SSL_ALL_STRENGTHS, 1547 }, 1548 1549 /* Cipher C016 */ 1550 { 1551 1, 1552 TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA, 1553 TLS1_CK_ECDH_anon_WITH_RC4_128_SHA, 1554 SSL_kECDHE|SSL_aNULL|SSL_RC4|SSL_SHA|SSL_TLSV1, 1555 SSL_NOT_EXP, 1556 0, 1557 128, 1558 128, 1559 SSL_ALL_CIPHERS, 1560 SSL_ALL_STRENGTHS, 1561 }, 1562 1563 /* Cipher C017 */ 1564 { 1565 1, 1566 TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA, 1567 TLS1_CK_ECDH_anon_WITH_DES_192_CBC3_SHA, 1568 SSL_kECDHE|SSL_aNULL|SSL_3DES|SSL_SHA|SSL_TLSV1, 1569 SSL_NOT_EXP|SSL_HIGH, 1570 0, 1571 168, 1572 168, 1573 SSL_ALL_CIPHERS, 1574 SSL_ALL_STRENGTHS, 1575 }, 1576 1577 /* Cipher C018 */ 1578 { 1579 1, 1580 TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA, 1581 TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA, 1582 SSL_kECDHE|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1, 1583 SSL_NOT_EXP|SSL_HIGH, 1584 0, 1585 128, 1586 128, 1587 SSL_ALL_CIPHERS, 1588 SSL_ALL_STRENGTHS, 1589 }, 1590 1591 /* Cipher C019 */ 1592 { 1593 1, 1594 TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA, 1595 TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA, 1596 SSL_kECDHE|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1, 1597 SSL_NOT_EXP|SSL_HIGH, 1598 0, 1599 256, 1600 256, 1601 SSL_ALL_CIPHERS, 1602 SSL_ALL_STRENGTHS, 1603 }, 1604 #endif /* OPENSSL_NO_ECDH */ 1605 1606 1607 /* end of list */ 1608 }; 1609 1610 SSL3_ENC_METHOD SSLv3_enc_data={ 1611 ssl3_enc, 1612 ssl3_mac, 1613 ssl3_setup_key_block, 1614 ssl3_generate_master_secret, 1615 ssl3_change_cipher_state, 1616 ssl3_final_finish_mac, 1617 MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH, 1618 ssl3_cert_verify_mac, 1619 SSL3_MD_CLIENT_FINISHED_CONST,4, 1620 SSL3_MD_SERVER_FINISHED_CONST,4, 1621 ssl3_alert_code, 1622 }; 1623 1624 long ssl3_default_timeout(void) 1625 { 1626 /* 2 hours, the 24 hours mentioned in the SSLv3 spec 1627 * is way too long for http, the cache would over fill */ 1628 return(60*60*2); 1629 } 1630 1631 IMPLEMENT_ssl3_meth_func(sslv3_base_method, 1632 ssl_undefined_function, 1633 ssl_undefined_function, 1634 ssl_bad_method) 1635 1636 int ssl3_num_ciphers(void) 1637 { 1638 return(SSL3_NUM_CIPHERS); 1639 } 1640 1641 SSL_CIPHER *ssl3_get_cipher(unsigned int u) 1642 { 1643 if (u < SSL3_NUM_CIPHERS) 1644 return(&(ssl3_ciphers[SSL3_NUM_CIPHERS-1-u])); 1645 else 1646 return(NULL); 1647 } 1648 1649 int ssl3_pending(const SSL *s) 1650 { 1651 if (s->rstate == SSL_ST_READ_BODY) 1652 return 0; 1653 1654 return (s->s3->rrec.type == SSL3_RT_APPLICATION_DATA) ? s->s3->rrec.length : 0; 1655 } 1656 1657 int ssl3_new(SSL *s) 1658 { 1659 SSL3_STATE *s3; 1660 1661 if ((s3=OPENSSL_malloc(sizeof *s3)) == NULL) goto err; 1662 memset(s3,0,sizeof *s3); 1663 EVP_MD_CTX_init(&s3->finish_dgst1); 1664 EVP_MD_CTX_init(&s3->finish_dgst2); 1665 pq_64bit_init(&(s3->rrec.seq_num)); 1666 pq_64bit_init(&(s3->wrec.seq_num)); 1667 1668 s->s3=s3; 1669 1670 s->method->ssl_clear(s); 1671 return(1); 1672 err: 1673 return(0); 1674 } 1675 1676 void ssl3_free(SSL *s) 1677 { 1678 if(s == NULL) 1679 return; 1680 1681 ssl3_cleanup_key_block(s); 1682 if (s->s3->rbuf.buf != NULL) 1683 OPENSSL_free(s->s3->rbuf.buf); 1684 if (s->s3->wbuf.buf != NULL) 1685 OPENSSL_free(s->s3->wbuf.buf); 1686 if (s->s3->rrec.comp != NULL) 1687 OPENSSL_free(s->s3->rrec.comp); 1688 #ifndef OPENSSL_NO_DH 1689 if (s->s3->tmp.dh != NULL) 1690 DH_free(s->s3->tmp.dh); 1691 #endif 1692 #ifndef OPENSSL_NO_ECDH 1693 if (s->s3->tmp.ecdh != NULL) 1694 EC_KEY_free(s->s3->tmp.ecdh); 1695 #endif 1696 1697 if (s->s3->tmp.ca_names != NULL) 1698 sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free); 1699 EVP_MD_CTX_cleanup(&s->s3->finish_dgst1); 1700 EVP_MD_CTX_cleanup(&s->s3->finish_dgst2); 1701 pq_64bit_free(&(s->s3->rrec.seq_num)); 1702 pq_64bit_free(&(s->s3->wrec.seq_num)); 1703 1704 OPENSSL_cleanse(s->s3,sizeof *s->s3); 1705 OPENSSL_free(s->s3); 1706 s->s3=NULL; 1707 } 1708 1709 void ssl3_clear(SSL *s) 1710 { 1711 unsigned char *rp,*wp; 1712 size_t rlen, wlen; 1713 1714 ssl3_cleanup_key_block(s); 1715 if (s->s3->tmp.ca_names != NULL) 1716 sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free); 1717 1718 if (s->s3->rrec.comp != NULL) 1719 { 1720 OPENSSL_free(s->s3->rrec.comp); 1721 s->s3->rrec.comp=NULL; 1722 } 1723 #ifndef OPENSSL_NO_DH 1724 if (s->s3->tmp.dh != NULL) 1725 DH_free(s->s3->tmp.dh); 1726 #endif 1727 #ifndef OPENSSL_NO_ECDH 1728 if (s->s3->tmp.ecdh != NULL) 1729 EC_KEY_free(s->s3->tmp.ecdh); 1730 #endif 1731 1732 rp = s->s3->rbuf.buf; 1733 wp = s->s3->wbuf.buf; 1734 rlen = s->s3->rbuf.len; 1735 wlen = s->s3->wbuf.len; 1736 1737 EVP_MD_CTX_cleanup(&s->s3->finish_dgst1); 1738 EVP_MD_CTX_cleanup(&s->s3->finish_dgst2); 1739 1740 memset(s->s3,0,sizeof *s->s3); 1741 s->s3->rbuf.buf = rp; 1742 s->s3->wbuf.buf = wp; 1743 s->s3->rbuf.len = rlen; 1744 s->s3->wbuf.len = wlen; 1745 1746 ssl_free_wbio_buffer(s); 1747 1748 s->packet_length=0; 1749 s->s3->renegotiate=0; 1750 s->s3->total_renegotiations=0; 1751 s->s3->num_renegotiations=0; 1752 s->s3->in_read_app_data=0; 1753 s->version=SSL3_VERSION; 1754 } 1755 1756 long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) 1757 { 1758 int ret=0; 1759 1760 #if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_RSA) 1761 if ( 1762 #ifndef OPENSSL_NO_RSA 1763 cmd == SSL_CTRL_SET_TMP_RSA || 1764 cmd == SSL_CTRL_SET_TMP_RSA_CB || 1765 #endif 1766 #ifndef OPENSSL_NO_DSA 1767 cmd == SSL_CTRL_SET_TMP_DH || 1768 cmd == SSL_CTRL_SET_TMP_DH_CB || 1769 #endif 1770 0) 1771 { 1772 if (!ssl_cert_inst(&s->cert)) 1773 { 1774 SSLerr(SSL_F_SSL3_CTRL, ERR_R_MALLOC_FAILURE); 1775 return(0); 1776 } 1777 } 1778 #endif 1779 1780 switch (cmd) 1781 { 1782 case SSL_CTRL_GET_SESSION_REUSED: 1783 ret=s->hit; 1784 break; 1785 case SSL_CTRL_GET_CLIENT_CERT_REQUEST: 1786 break; 1787 case SSL_CTRL_GET_NUM_RENEGOTIATIONS: 1788 ret=s->s3->num_renegotiations; 1789 break; 1790 case SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS: 1791 ret=s->s3->num_renegotiations; 1792 s->s3->num_renegotiations=0; 1793 break; 1794 case SSL_CTRL_GET_TOTAL_RENEGOTIATIONS: 1795 ret=s->s3->total_renegotiations; 1796 break; 1797 case SSL_CTRL_GET_FLAGS: 1798 ret=(int)(s->s3->flags); 1799 break; 1800 #ifndef OPENSSL_NO_RSA 1801 case SSL_CTRL_NEED_TMP_RSA: 1802 if ((s->cert != NULL) && (s->cert->rsa_tmp == NULL) && 1803 ((s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) || 1804 (EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey) > (512/8)))) 1805 ret = 1; 1806 break; 1807 case SSL_CTRL_SET_TMP_RSA: 1808 { 1809 RSA *rsa = (RSA *)parg; 1810 if (rsa == NULL) 1811 { 1812 SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER); 1813 return(ret); 1814 } 1815 if ((rsa = RSAPrivateKey_dup(rsa)) == NULL) 1816 { 1817 SSLerr(SSL_F_SSL3_CTRL, ERR_R_RSA_LIB); 1818 return(ret); 1819 } 1820 if (s->cert->rsa_tmp != NULL) 1821 RSA_free(s->cert->rsa_tmp); 1822 s->cert->rsa_tmp = rsa; 1823 ret = 1; 1824 } 1825 break; 1826 case SSL_CTRL_SET_TMP_RSA_CB: 1827 { 1828 SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 1829 return(ret); 1830 } 1831 break; 1832 #endif 1833 #ifndef OPENSSL_NO_DH 1834 case SSL_CTRL_SET_TMP_DH: 1835 { 1836 DH *dh = (DH *)parg; 1837 if (dh == NULL) 1838 { 1839 SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER); 1840 return(ret); 1841 } 1842 if ((dh = DHparams_dup(dh)) == NULL) 1843 { 1844 SSLerr(SSL_F_SSL3_CTRL, ERR_R_DH_LIB); 1845 return(ret); 1846 } 1847 if (!(s->options & SSL_OP_SINGLE_DH_USE)) 1848 { 1849 if (!DH_generate_key(dh)) 1850 { 1851 DH_free(dh); 1852 SSLerr(SSL_F_SSL3_CTRL, ERR_R_DH_LIB); 1853 return(ret); 1854 } 1855 } 1856 if (s->cert->dh_tmp != NULL) 1857 DH_free(s->cert->dh_tmp); 1858 s->cert->dh_tmp = dh; 1859 ret = 1; 1860 } 1861 break; 1862 case SSL_CTRL_SET_TMP_DH_CB: 1863 { 1864 SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 1865 return(ret); 1866 } 1867 break; 1868 #endif 1869 #ifndef OPENSSL_NO_ECDH 1870 case SSL_CTRL_SET_TMP_ECDH: 1871 { 1872 EC_KEY *ecdh = NULL; 1873 1874 if (parg == NULL) 1875 { 1876 SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER); 1877 return(ret); 1878 } 1879 if (!EC_KEY_up_ref((EC_KEY *)parg)) 1880 { 1881 SSLerr(SSL_F_SSL3_CTRL,ERR_R_ECDH_LIB); 1882 return(ret); 1883 } 1884 ecdh = (EC_KEY *)parg; 1885 if (!(s->options & SSL_OP_SINGLE_ECDH_USE)) 1886 { 1887 if (!EC_KEY_generate_key(ecdh)) 1888 { 1889 EC_KEY_free(ecdh); 1890 SSLerr(SSL_F_SSL3_CTRL,ERR_R_ECDH_LIB); 1891 return(ret); 1892 } 1893 } 1894 if (s->cert->ecdh_tmp != NULL) 1895 EC_KEY_free(s->cert->ecdh_tmp); 1896 s->cert->ecdh_tmp = ecdh; 1897 ret = 1; 1898 } 1899 break; 1900 case SSL_CTRL_SET_TMP_ECDH_CB: 1901 { 1902 SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 1903 return(ret); 1904 } 1905 break; 1906 #endif /* !OPENSSL_NO_ECDH */ 1907 #ifndef OPENSSL_NO_TLSEXT 1908 case SSL_CTRL_SET_TLSEXT_HOSTNAME: 1909 if (larg == TLSEXT_NAMETYPE_host_name) 1910 { 1911 if (s->tlsext_hostname != NULL) 1912 OPENSSL_free(s->tlsext_hostname); 1913 s->tlsext_hostname = NULL; 1914 1915 ret = 1; 1916 if (parg == NULL) 1917 break; 1918 if (strlen((char *)parg) > TLSEXT_MAXLEN_host_name) 1919 { 1920 SSLerr(SSL_F_SSL3_CTRL, SSL_R_SSL3_EXT_INVALID_SERVERNAME); 1921 return 0; 1922 } 1923 if ((s->tlsext_hostname = BUF_strdup((char *)parg)) == NULL) 1924 { 1925 SSLerr(SSL_F_SSL3_CTRL, ERR_R_INTERNAL_ERROR); 1926 return 0; 1927 } 1928 } 1929 else 1930 { 1931 SSLerr(SSL_F_SSL3_CTRL, SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE); 1932 return 0; 1933 } 1934 break; 1935 case SSL_CTRL_SET_TLSEXT_DEBUG_ARG: 1936 s->tlsext_debug_arg=parg; 1937 ret = 1; 1938 break; 1939 1940 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE: 1941 s->tlsext_status_type=larg; 1942 ret = 1; 1943 break; 1944 1945 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS: 1946 *(STACK_OF(X509_EXTENSION) **)parg = s->tlsext_ocsp_exts; 1947 ret = 1; 1948 break; 1949 1950 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS: 1951 s->tlsext_ocsp_exts = parg; 1952 ret = 1; 1953 break; 1954 1955 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS: 1956 *(STACK_OF(OCSP_RESPID) **)parg = s->tlsext_ocsp_ids; 1957 ret = 1; 1958 break; 1959 1960 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS: 1961 s->tlsext_ocsp_ids = parg; 1962 ret = 1; 1963 break; 1964 1965 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP: 1966 *(unsigned char **)parg = s->tlsext_ocsp_resp; 1967 return s->tlsext_ocsp_resplen; 1968 1969 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP: 1970 if (s->tlsext_ocsp_resp) 1971 OPENSSL_free(s->tlsext_ocsp_resp); 1972 s->tlsext_ocsp_resp = parg; 1973 s->tlsext_ocsp_resplen = larg; 1974 ret = 1; 1975 break; 1976 1977 #endif /* !OPENSSL_NO_TLSEXT */ 1978 default: 1979 break; 1980 } 1981 return(ret); 1982 } 1983 1984 long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void)) 1985 { 1986 int ret=0; 1987 1988 #if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_RSA) 1989 if ( 1990 #ifndef OPENSSL_NO_RSA 1991 cmd == SSL_CTRL_SET_TMP_RSA_CB || 1992 #endif 1993 #ifndef OPENSSL_NO_DSA 1994 cmd == SSL_CTRL_SET_TMP_DH_CB || 1995 #endif 1996 0) 1997 { 1998 if (!ssl_cert_inst(&s->cert)) 1999 { 2000 SSLerr(SSL_F_SSL3_CALLBACK_CTRL, ERR_R_MALLOC_FAILURE); 2001 return(0); 2002 } 2003 } 2004 #endif 2005 2006 switch (cmd) 2007 { 2008 #ifndef OPENSSL_NO_RSA 2009 case SSL_CTRL_SET_TMP_RSA_CB: 2010 { 2011 s->cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp; 2012 } 2013 break; 2014 #endif 2015 #ifndef OPENSSL_NO_DH 2016 case SSL_CTRL_SET_TMP_DH_CB: 2017 { 2018 s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; 2019 } 2020 break; 2021 #endif 2022 #ifndef OPENSSL_NO_ECDH 2023 case SSL_CTRL_SET_TMP_ECDH_CB: 2024 { 2025 s->cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp; 2026 } 2027 break; 2028 #endif 2029 #ifndef OPENSSL_NO_TLSEXT 2030 case SSL_CTRL_SET_TLSEXT_DEBUG_CB: 2031 s->tlsext_debug_cb=(void (*)(SSL *,int ,int, 2032 unsigned char *, int, void *))fp; 2033 break; 2034 #endif 2035 default: 2036 break; 2037 } 2038 return(ret); 2039 } 2040 2041 long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) 2042 { 2043 CERT *cert; 2044 2045 cert=ctx->cert; 2046 2047 switch (cmd) 2048 { 2049 #ifndef OPENSSL_NO_RSA 2050 case SSL_CTRL_NEED_TMP_RSA: 2051 if ( (cert->rsa_tmp == NULL) && 2052 ((cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) || 2053 (EVP_PKEY_size(cert->pkeys[SSL_PKEY_RSA_ENC].privatekey) > (512/8))) 2054 ) 2055 return(1); 2056 else 2057 return(0); 2058 /* break; */ 2059 case SSL_CTRL_SET_TMP_RSA: 2060 { 2061 RSA *rsa; 2062 int i; 2063 2064 rsa=(RSA *)parg; 2065 i=1; 2066 if (rsa == NULL) 2067 i=0; 2068 else 2069 { 2070 if ((rsa=RSAPrivateKey_dup(rsa)) == NULL) 2071 i=0; 2072 } 2073 if (!i) 2074 { 2075 SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_RSA_LIB); 2076 return(0); 2077 } 2078 else 2079 { 2080 if (cert->rsa_tmp != NULL) 2081 RSA_free(cert->rsa_tmp); 2082 cert->rsa_tmp=rsa; 2083 return(1); 2084 } 2085 } 2086 /* break; */ 2087 case SSL_CTRL_SET_TMP_RSA_CB: 2088 { 2089 SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2090 return(0); 2091 } 2092 break; 2093 #endif 2094 #ifndef OPENSSL_NO_DH 2095 case SSL_CTRL_SET_TMP_DH: 2096 { 2097 DH *new=NULL,*dh; 2098 2099 dh=(DH *)parg; 2100 if ((new=DHparams_dup(dh)) == NULL) 2101 { 2102 SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_DH_LIB); 2103 return 0; 2104 } 2105 if (!(ctx->options & SSL_OP_SINGLE_DH_USE)) 2106 { 2107 if (!DH_generate_key(new)) 2108 { 2109 SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_DH_LIB); 2110 DH_free(new); 2111 return 0; 2112 } 2113 } 2114 if (cert->dh_tmp != NULL) 2115 DH_free(cert->dh_tmp); 2116 cert->dh_tmp=new; 2117 return 1; 2118 } 2119 /*break; */ 2120 case SSL_CTRL_SET_TMP_DH_CB: 2121 { 2122 SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2123 return(0); 2124 } 2125 break; 2126 #endif 2127 #ifndef OPENSSL_NO_ECDH 2128 case SSL_CTRL_SET_TMP_ECDH: 2129 { 2130 EC_KEY *ecdh = NULL; 2131 2132 if (parg == NULL) 2133 { 2134 SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_ECDH_LIB); 2135 return 0; 2136 } 2137 ecdh = EC_KEY_dup((EC_KEY *)parg); 2138 if (ecdh == NULL) 2139 { 2140 SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_EC_LIB); 2141 return 0; 2142 } 2143 if (!(ctx->options & SSL_OP_SINGLE_ECDH_USE)) 2144 { 2145 if (!EC_KEY_generate_key(ecdh)) 2146 { 2147 EC_KEY_free(ecdh); 2148 SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_ECDH_LIB); 2149 return 0; 2150 } 2151 } 2152 2153 if (cert->ecdh_tmp != NULL) 2154 { 2155 EC_KEY_free(cert->ecdh_tmp); 2156 } 2157 cert->ecdh_tmp = ecdh; 2158 return 1; 2159 } 2160 /* break; */ 2161 case SSL_CTRL_SET_TMP_ECDH_CB: 2162 { 2163 SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2164 return(0); 2165 } 2166 break; 2167 #endif /* !OPENSSL_NO_ECDH */ 2168 #ifndef OPENSSL_NO_TLSEXT 2169 case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG: 2170 ctx->tlsext_servername_arg=parg; 2171 break; 2172 case SSL_CTRL_SET_TLSEXT_TICKET_KEYS: 2173 case SSL_CTRL_GET_TLSEXT_TICKET_KEYS: 2174 { 2175 unsigned char *keys = parg; 2176 if (!keys) 2177 return 48; 2178 if (larg != 48) 2179 { 2180 SSLerr(SSL_F_SSL3_CTX_CTRL, SSL_R_INVALID_TICKET_KEYS_LENGTH); 2181 return 0; 2182 } 2183 if (cmd == SSL_CTRL_SET_TLSEXT_TICKET_KEYS) 2184 { 2185 memcpy(ctx->tlsext_tick_key_name, keys, 16); 2186 memcpy(ctx->tlsext_tick_hmac_key, keys + 16, 16); 2187 memcpy(ctx->tlsext_tick_aes_key, keys + 32, 16); 2188 } 2189 else 2190 { 2191 memcpy(keys, ctx->tlsext_tick_key_name, 16); 2192 memcpy(keys + 16, ctx->tlsext_tick_hmac_key, 16); 2193 memcpy(keys + 32, ctx->tlsext_tick_aes_key, 16); 2194 } 2195 return 1; 2196 } 2197 2198 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG: 2199 ctx->tlsext_status_arg=parg; 2200 return 1; 2201 break; 2202 2203 #endif /* !OPENSSL_NO_TLSEXT */ 2204 /* A Thawte special :-) */ 2205 case SSL_CTRL_EXTRA_CHAIN_CERT: 2206 if (ctx->extra_certs == NULL) 2207 { 2208 if ((ctx->extra_certs=sk_X509_new_null()) == NULL) 2209 return(0); 2210 } 2211 sk_X509_push(ctx->extra_certs,(X509 *)parg); 2212 break; 2213 2214 default: 2215 return(0); 2216 } 2217 return(1); 2218 } 2219 2220 long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) 2221 { 2222 CERT *cert; 2223 2224 cert=ctx->cert; 2225 2226 switch (cmd) 2227 { 2228 #ifndef OPENSSL_NO_RSA 2229 case SSL_CTRL_SET_TMP_RSA_CB: 2230 { 2231 cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp; 2232 } 2233 break; 2234 #endif 2235 #ifndef OPENSSL_NO_DH 2236 case SSL_CTRL_SET_TMP_DH_CB: 2237 { 2238 cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; 2239 } 2240 break; 2241 #endif 2242 #ifndef OPENSSL_NO_ECDH 2243 case SSL_CTRL_SET_TMP_ECDH_CB: 2244 { 2245 cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp; 2246 } 2247 break; 2248 #endif 2249 #ifndef OPENSSL_NO_TLSEXT 2250 case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB: 2251 ctx->tlsext_servername_callback=(int (*)(SSL *,int *,void *))fp; 2252 break; 2253 2254 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB: 2255 ctx->tlsext_status_cb=(int (*)(SSL *,void *))fp; 2256 break; 2257 2258 case SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB: 2259 ctx->tlsext_ticket_key_cb=(int (*)(SSL *,unsigned char *, 2260 unsigned char *, 2261 EVP_CIPHER_CTX *, 2262 HMAC_CTX *, int))fp; 2263 break; 2264 2265 #endif 2266 default: 2267 return(0); 2268 } 2269 return(1); 2270 } 2271 2272 /* This function needs to check if the ciphers required are actually 2273 * available */ 2274 SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p) 2275 { 2276 SSL_CIPHER c,*cp; 2277 unsigned long id; 2278 2279 id=0x03000000L|((unsigned long)p[0]<<8L)|(unsigned long)p[1]; 2280 c.id=id; 2281 cp = (SSL_CIPHER *)OBJ_bsearch((char *)&c, 2282 (char *)ssl3_ciphers, 2283 SSL3_NUM_CIPHERS,sizeof(SSL_CIPHER), 2284 FP_ICC ssl_cipher_id_cmp); 2285 if (cp == NULL || cp->valid == 0) 2286 return NULL; 2287 else 2288 return cp; 2289 } 2290 2291 int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p) 2292 { 2293 long l; 2294 2295 if (p != NULL) 2296 { 2297 l=c->id; 2298 if ((l & 0xff000000) != 0x03000000) return(0); 2299 p[0]=((unsigned char)(l>> 8L))&0xFF; 2300 p[1]=((unsigned char)(l ))&0xFF; 2301 } 2302 return(2); 2303 } 2304 2305 SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, 2306 STACK_OF(SSL_CIPHER) *srvr) 2307 { 2308 SSL_CIPHER *c,*ret=NULL; 2309 STACK_OF(SSL_CIPHER) *prio, *allow; 2310 int i,j,ok; 2311 2312 CERT *cert; 2313 unsigned long alg,mask,emask; 2314 2315 /* Let's see which ciphers we can support */ 2316 cert=s->cert; 2317 2318 #if 0 2319 /* Do not set the compare functions, because this may lead to a 2320 * reordering by "id". We want to keep the original ordering. 2321 * We may pay a price in performance during sk_SSL_CIPHER_find(), 2322 * but would have to pay with the price of sk_SSL_CIPHER_dup(). 2323 */ 2324 sk_SSL_CIPHER_set_cmp_func(srvr, ssl_cipher_ptr_id_cmp); 2325 sk_SSL_CIPHER_set_cmp_func(clnt, ssl_cipher_ptr_id_cmp); 2326 #endif 2327 2328 #ifdef CIPHER_DEBUG 2329 printf("Server has %d from %p:\n", sk_SSL_CIPHER_num(srvr), srvr); 2330 for(i=0 ; i < sk_SSL_CIPHER_num(srvr) ; ++i) 2331 { 2332 c=sk_SSL_CIPHER_value(srvr,i); 2333 printf("%p:%s\n",c,c->name); 2334 } 2335 printf("Client sent %d from %p:\n", sk_SSL_CIPHER_num(clnt), clnt); 2336 for(i=0 ; i < sk_SSL_CIPHER_num(clnt) ; ++i) 2337 { 2338 c=sk_SSL_CIPHER_value(clnt,i); 2339 printf("%p:%s\n",c,c->name); 2340 } 2341 #endif 2342 2343 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) 2344 { 2345 prio = srvr; 2346 allow = clnt; 2347 } 2348 else 2349 { 2350 prio = clnt; 2351 allow = srvr; 2352 } 2353 2354 for (i=0; i<sk_SSL_CIPHER_num(prio); i++) 2355 { 2356 c=sk_SSL_CIPHER_value(prio,i); 2357 2358 ssl_set_cert_masks(cert,c); 2359 mask=cert->mask; 2360 emask=cert->export_mask; 2361 2362 #ifdef KSSL_DEBUG 2363 printf("ssl3_choose_cipher %d alg= %lx\n", i,c->algorithms); 2364 #endif /* KSSL_DEBUG */ 2365 2366 alg=c->algorithms&(SSL_MKEY_MASK|SSL_AUTH_MASK); 2367 #ifndef OPENSSL_NO_KRB5 2368 if (alg & SSL_KRB5) 2369 { 2370 if ( !kssl_keytab_is_available(s->kssl_ctx) ) 2371 continue; 2372 } 2373 #endif /* OPENSSL_NO_KRB5 */ 2374 if (SSL_C_IS_EXPORT(c)) 2375 { 2376 ok=((alg & emask) == alg)?1:0; 2377 #ifdef CIPHER_DEBUG 2378 printf("%d:[%08lX:%08lX]%p:%s (export)\n",ok,alg,emask, 2379 c,c->name); 2380 #endif 2381 } 2382 else 2383 { 2384 ok=((alg & mask) == alg)?1:0; 2385 #ifdef CIPHER_DEBUG 2386 printf("%d:[%08lX:%08lX]%p:%s\n",ok,alg,mask,c, 2387 c->name); 2388 #endif 2389 } 2390 2391 if (!ok) continue; 2392 j=sk_SSL_CIPHER_find(allow,c); 2393 if (j >= 0) 2394 { 2395 ret=sk_SSL_CIPHER_value(allow,j); 2396 break; 2397 } 2398 } 2399 return(ret); 2400 } 2401 2402 int ssl3_get_req_cert_type(SSL *s, unsigned char *p) 2403 { 2404 int ret=0; 2405 unsigned long alg; 2406 2407 alg=s->s3->tmp.new_cipher->algorithms; 2408 2409 #ifndef OPENSSL_NO_DH 2410 if (alg & (SSL_kDHr|SSL_kEDH)) 2411 { 2412 # ifndef OPENSSL_NO_RSA 2413 p[ret++]=SSL3_CT_RSA_FIXED_DH; 2414 # endif 2415 # ifndef OPENSSL_NO_DSA 2416 p[ret++]=SSL3_CT_DSS_FIXED_DH; 2417 # endif 2418 } 2419 if ((s->version == SSL3_VERSION) && 2420 (alg & (SSL_kEDH|SSL_kDHd|SSL_kDHr))) 2421 { 2422 # ifndef OPENSSL_NO_RSA 2423 p[ret++]=SSL3_CT_RSA_EPHEMERAL_DH; 2424 # endif 2425 # ifndef OPENSSL_NO_DSA 2426 p[ret++]=SSL3_CT_DSS_EPHEMERAL_DH; 2427 # endif 2428 } 2429 #endif /* !OPENSSL_NO_DH */ 2430 #ifndef OPENSSL_NO_RSA 2431 p[ret++]=SSL3_CT_RSA_SIGN; 2432 #endif 2433 #ifndef OPENSSL_NO_DSA 2434 p[ret++]=SSL3_CT_DSS_SIGN; 2435 #endif 2436 #ifndef OPENSSL_NO_ECDH 2437 /* We should ask for fixed ECDH certificates only 2438 * for SSL_kECDH (and not SSL_kECDHE) 2439 */ 2440 if ((alg & SSL_kECDH) && (s->version >= TLS1_VERSION)) 2441 { 2442 p[ret++]=TLS_CT_RSA_FIXED_ECDH; 2443 p[ret++]=TLS_CT_ECDSA_FIXED_ECDH; 2444 } 2445 #endif 2446 2447 #ifndef OPENSSL_NO_ECDSA 2448 /* ECDSA certs can be used with RSA cipher suites as well 2449 * so we don't need to check for SSL_kECDH or SSL_kECDHE 2450 */ 2451 if (s->version >= TLS1_VERSION) 2452 { 2453 p[ret++]=TLS_CT_ECDSA_SIGN; 2454 } 2455 #endif 2456 return(ret); 2457 } 2458 2459 int ssl3_shutdown(SSL *s) 2460 { 2461 int ret; 2462 2463 /* Don't do anything much if we have not done the handshake or 2464 * we don't want to send messages :-) */ 2465 if ((s->quiet_shutdown) || (s->state == SSL_ST_BEFORE)) 2466 { 2467 s->shutdown=(SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); 2468 return(1); 2469 } 2470 2471 if (!(s->shutdown & SSL_SENT_SHUTDOWN)) 2472 { 2473 s->shutdown|=SSL_SENT_SHUTDOWN; 2474 #if 1 2475 ssl3_send_alert(s,SSL3_AL_WARNING,SSL_AD_CLOSE_NOTIFY); 2476 #endif 2477 /* our shutdown alert has been sent now, and if it still needs 2478 * to be written, s->s3->alert_dispatch will be true */ 2479 if (s->s3->alert_dispatch) 2480 return(-1); /* return WANT_WRITE */ 2481 } 2482 else if (s->s3->alert_dispatch) 2483 { 2484 /* resend it if not sent */ 2485 #if 1 2486 ret=s->method->ssl_dispatch_alert(s); 2487 if(ret == -1) 2488 { 2489 /* we only get to return -1 here the 2nd/Nth 2490 * invocation, we must have already signalled 2491 * return 0 upon a previous invoation, 2492 * return WANT_WRITE */ 2493 return(ret); 2494 } 2495 #endif 2496 } 2497 else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) 2498 { 2499 /* If we are waiting for a close from our peer, we are closed */ 2500 s->method->ssl_read_bytes(s,0,NULL,0,0); 2501 if(!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) 2502 { 2503 return(-1); /* return WANT_READ */ 2504 } 2505 } 2506 2507 if ((s->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) && 2508 !s->s3->alert_dispatch) 2509 return(1); 2510 else 2511 return(0); 2512 } 2513 2514 int ssl3_write(SSL *s, const void *buf, int len) 2515 { 2516 int ret,n; 2517 2518 #if 0 2519 if (s->shutdown & SSL_SEND_SHUTDOWN) 2520 { 2521 s->rwstate=SSL_NOTHING; 2522 return(0); 2523 } 2524 #endif 2525 clear_sys_error(); 2526 if (s->s3->renegotiate) ssl3_renegotiate_check(s); 2527 2528 /* This is an experimental flag that sends the 2529 * last handshake message in the same packet as the first 2530 * use data - used to see if it helps the TCP protocol during 2531 * session-id reuse */ 2532 /* The second test is because the buffer may have been removed */ 2533 if ((s->s3->flags & SSL3_FLAGS_POP_BUFFER) && (s->wbio == s->bbio)) 2534 { 2535 /* First time through, we write into the buffer */ 2536 if (s->s3->delay_buf_pop_ret == 0) 2537 { 2538 ret=ssl3_write_bytes(s,SSL3_RT_APPLICATION_DATA, 2539 buf,len); 2540 if (ret <= 0) return(ret); 2541 2542 s->s3->delay_buf_pop_ret=ret; 2543 } 2544 2545 s->rwstate=SSL_WRITING; 2546 n=BIO_flush(s->wbio); 2547 if (n <= 0) return(n); 2548 s->rwstate=SSL_NOTHING; 2549 2550 /* We have flushed the buffer, so remove it */ 2551 ssl_free_wbio_buffer(s); 2552 s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER; 2553 2554 ret=s->s3->delay_buf_pop_ret; 2555 s->s3->delay_buf_pop_ret=0; 2556 } 2557 else 2558 { 2559 ret=s->method->ssl_write_bytes(s,SSL3_RT_APPLICATION_DATA, 2560 buf,len); 2561 if (ret <= 0) return(ret); 2562 } 2563 2564 return(ret); 2565 } 2566 2567 static int ssl3_read_internal(SSL *s, void *buf, int len, int peek) 2568 { 2569 int n,ret; 2570 2571 clear_sys_error(); 2572 if ((s->s3->flags & SSL3_FLAGS_POP_BUFFER) && (s->wbio == s->bbio)) 2573 { 2574 /* Deal with an application that calls SSL_read() when handshake data 2575 * is yet to be written. 2576 */ 2577 if (BIO_wpending(s->wbio) > 0) 2578 { 2579 s->rwstate=SSL_WRITING; 2580 n=BIO_flush(s->wbio); 2581 if (n <= 0) return(n); 2582 s->rwstate=SSL_NOTHING; 2583 } 2584 } 2585 if (s->s3->renegotiate) ssl3_renegotiate_check(s); 2586 s->s3->in_read_app_data=1; 2587 ret=s->method->ssl_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek); 2588 if ((ret == -1) && (s->s3->in_read_app_data == 2)) 2589 { 2590 /* ssl3_read_bytes decided to call s->handshake_func, which 2591 * called ssl3_read_bytes to read handshake data. 2592 * However, ssl3_read_bytes actually found application data 2593 * and thinks that application data makes sense here; so disable 2594 * handshake processing and try to read application data again. */ 2595 s->in_handshake++; 2596 ret=s->method->ssl_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek); 2597 s->in_handshake--; 2598 } 2599 else 2600 s->s3->in_read_app_data=0; 2601 2602 return(ret); 2603 } 2604 2605 int ssl3_read(SSL *s, void *buf, int len) 2606 { 2607 return ssl3_read_internal(s, buf, len, 0); 2608 } 2609 2610 int ssl3_peek(SSL *s, void *buf, int len) 2611 { 2612 return ssl3_read_internal(s, buf, len, 1); 2613 } 2614 2615 int ssl3_renegotiate(SSL *s) 2616 { 2617 if (s->handshake_func == NULL) 2618 return(1); 2619 2620 if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) 2621 return(0); 2622 2623 s->s3->renegotiate=1; 2624 return(1); 2625 } 2626 2627 int ssl3_renegotiate_check(SSL *s) 2628 { 2629 int ret=0; 2630 2631 if (s->s3->renegotiate) 2632 { 2633 if ( (s->s3->rbuf.left == 0) && 2634 (s->s3->wbuf.left == 0) && 2635 !SSL_in_init(s)) 2636 { 2637 /* 2638 if we are the server, and we have sent a 'RENEGOTIATE' message, we 2639 need to go to SSL_ST_ACCEPT. 2640 */ 2641 /* SSL_ST_ACCEPT */ 2642 s->state=SSL_ST_RENEGOTIATE; 2643 s->s3->renegotiate=0; 2644 s->s3->num_renegotiations++; 2645 s->s3->total_renegotiations++; 2646 ret=1; 2647 } 2648 } 2649 return(ret); 2650 } 2651 2652
