1 /* ssl/s3_lib.c */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 /* ==================================================================== 59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 /* ==================================================================== 112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 113 * 114 * Portions of the attached software ("Contribution") are developed by 115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. 116 * 117 * The Contribution is licensed pursuant to the OpenSSL open source 118 * license provided above. 119 * 120 * ECC cipher suite support in OpenSSL originally written by 121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories. 122 * 123 */ 124 125 #include <stdio.h> 126 #include <openssl/objects.h> 127 #include "ssl_locl.h" 128 #include "kssl_lcl.h" 129 #include <openssl/md5.h> 130 #ifndef OPENSSL_NO_DH 131 #include <openssl/dh.h> 132 #endif 133 #include <openssl/pq_compat.h> 134 135 const char ssl3_version_str[]="SSLv3" OPENSSL_VERSION_PTEXT; 136 137 #define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers)/sizeof(SSL_CIPHER)) 138 139 /* list of available SSLv3 ciphers (sorted by id) */ 140 OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 141 /* The RSA ciphers */ 142 /* Cipher 01 */ 143 { 144 1, 145 SSL3_TXT_RSA_NULL_MD5, 146 SSL3_CK_RSA_NULL_MD5, 147 SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_MD5|SSL_SSLV3, 148 SSL_NOT_EXP|SSL_STRONG_NONE, 149 0, 150 0, 151 0, 152 SSL_ALL_CIPHERS, 153 SSL_ALL_STRENGTHS, 154 }, 155 /* Cipher 02 */ 156 { 157 1, 158 SSL3_TXT_RSA_NULL_SHA, 159 SSL3_CK_RSA_NULL_SHA, 160 SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_SHA1|SSL_SSLV3, 161 SSL_NOT_EXP|SSL_STRONG_NONE|SSL_FIPS, 162 0, 163 0, 164 0, 165 SSL_ALL_CIPHERS, 166 SSL_ALL_STRENGTHS, 167 }, 168 /* Cipher 03 */ 169 { 170 1, 171 SSL3_TXT_RSA_RC4_40_MD5, 172 SSL3_CK_RSA_RC4_40_MD5, 173 SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_MD5 |SSL_SSLV3, 174 SSL_EXPORT|SSL_EXP40, 175 0, 176 40, 177 128, 178 SSL_ALL_CIPHERS, 179 SSL_ALL_STRENGTHS, 180 }, 181 /* Cipher 04 */ 182 { 183 1, 184 SSL3_TXT_RSA_RC4_128_MD5, 185 SSL3_CK_RSA_RC4_128_MD5, 186 SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_MD5|SSL_SSLV3, 187 SSL_NOT_EXP|SSL_MEDIUM, 188 0, 189 128, 190 128, 191 SSL_ALL_CIPHERS, 192 SSL_ALL_STRENGTHS, 193 }, 194 /* Cipher 05 */ 195 { 196 1, 197 SSL3_TXT_RSA_RC4_128_SHA, 198 SSL3_CK_RSA_RC4_128_SHA, 199 SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_SHA1|SSL_SSLV3, 200 SSL_NOT_EXP|SSL_MEDIUM, 201 0, 202 128, 203 128, 204 SSL_ALL_CIPHERS, 205 SSL_ALL_STRENGTHS, 206 }, 207 /* Cipher 06 */ 208 { 209 1, 210 SSL3_TXT_RSA_RC2_40_MD5, 211 SSL3_CK_RSA_RC2_40_MD5, 212 SSL_kRSA|SSL_aRSA|SSL_RC2 |SSL_MD5 |SSL_SSLV3, 213 SSL_EXPORT|SSL_EXP40, 214 0, 215 40, 216 128, 217 SSL_ALL_CIPHERS, 218 SSL_ALL_STRENGTHS, 219 }, 220 /* Cipher 07 */ 221 #ifndef OPENSSL_NO_IDEA 222 { 223 1, 224 SSL3_TXT_RSA_IDEA_128_SHA, 225 SSL3_CK_RSA_IDEA_128_SHA, 226 SSL_kRSA|SSL_aRSA|SSL_IDEA |SSL_SHA1|SSL_SSLV3, 227 SSL_NOT_EXP|SSL_MEDIUM, 228 0, 229 128, 230 128, 231 SSL_ALL_CIPHERS, 232 SSL_ALL_STRENGTHS, 233 }, 234 #endif 235 /* Cipher 08 */ 236 { 237 1, 238 SSL3_TXT_RSA_DES_40_CBC_SHA, 239 SSL3_CK_RSA_DES_40_CBC_SHA, 240 SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_SSLV3, 241 SSL_EXPORT|SSL_EXP40, 242 0, 243 40, 244 56, 245 SSL_ALL_CIPHERS, 246 SSL_ALL_STRENGTHS, 247 }, 248 /* Cipher 09 */ 249 { 250 1, 251 SSL3_TXT_RSA_DES_64_CBC_SHA, 252 SSL3_CK_RSA_DES_64_CBC_SHA, 253 SSL_kRSA|SSL_aRSA|SSL_DES |SSL_SHA1|SSL_SSLV3, 254 SSL_NOT_EXP|SSL_LOW, 255 0, 256 56, 257 56, 258 SSL_ALL_CIPHERS, 259 SSL_ALL_STRENGTHS, 260 }, 261 /* Cipher 0A */ 262 { 263 1, 264 SSL3_TXT_RSA_DES_192_CBC3_SHA, 265 SSL3_CK_RSA_DES_192_CBC3_SHA, 266 SSL_kRSA|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3, 267 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 268 0, 269 168, 270 168, 271 SSL_ALL_CIPHERS, 272 SSL_ALL_STRENGTHS, 273 }, 274 /* The DH ciphers */ 275 /* Cipher 0B */ 276 { 277 0, 278 SSL3_TXT_DH_DSS_DES_40_CBC_SHA, 279 SSL3_CK_DH_DSS_DES_40_CBC_SHA, 280 SSL_kDHd |SSL_aDH|SSL_DES|SSL_SHA1|SSL_SSLV3, 281 SSL_EXPORT|SSL_EXP40, 282 0, 283 40, 284 56, 285 SSL_ALL_CIPHERS, 286 SSL_ALL_STRENGTHS, 287 }, 288 /* Cipher 0C */ 289 { 290 0, 291 SSL3_TXT_DH_DSS_DES_64_CBC_SHA, 292 SSL3_CK_DH_DSS_DES_64_CBC_SHA, 293 SSL_kDHd |SSL_aDH|SSL_DES |SSL_SHA1|SSL_SSLV3, 294 SSL_NOT_EXP|SSL_LOW, 295 0, 296 56, 297 56, 298 SSL_ALL_CIPHERS, 299 SSL_ALL_STRENGTHS, 300 }, 301 /* Cipher 0D */ 302 { 303 0, 304 SSL3_TXT_DH_DSS_DES_192_CBC3_SHA, 305 SSL3_CK_DH_DSS_DES_192_CBC3_SHA, 306 SSL_kDHd |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3, 307 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 308 0, 309 168, 310 168, 311 SSL_ALL_CIPHERS, 312 SSL_ALL_STRENGTHS, 313 }, 314 /* Cipher 0E */ 315 { 316 0, 317 SSL3_TXT_DH_RSA_DES_40_CBC_SHA, 318 SSL3_CK_DH_RSA_DES_40_CBC_SHA, 319 SSL_kDHr |SSL_aDH|SSL_DES|SSL_SHA1|SSL_SSLV3, 320 SSL_EXPORT|SSL_EXP40, 321 0, 322 40, 323 56, 324 SSL_ALL_CIPHERS, 325 SSL_ALL_STRENGTHS, 326 }, 327 /* Cipher 0F */ 328 { 329 0, 330 SSL3_TXT_DH_RSA_DES_64_CBC_SHA, 331 SSL3_CK_DH_RSA_DES_64_CBC_SHA, 332 SSL_kDHr |SSL_aDH|SSL_DES |SSL_SHA1|SSL_SSLV3, 333 SSL_NOT_EXP|SSL_LOW, 334 0, 335 56, 336 56, 337 SSL_ALL_CIPHERS, 338 SSL_ALL_STRENGTHS, 339 }, 340 /* Cipher 10 */ 341 { 342 0, 343 SSL3_TXT_DH_RSA_DES_192_CBC3_SHA, 344 SSL3_CK_DH_RSA_DES_192_CBC3_SHA, 345 SSL_kDHr |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3, 346 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 347 0, 348 168, 349 168, 350 SSL_ALL_CIPHERS, 351 SSL_ALL_STRENGTHS, 352 }, 353 354 /* The Ephemeral DH ciphers */ 355 /* Cipher 11 */ 356 { 357 1, 358 SSL3_TXT_EDH_DSS_DES_40_CBC_SHA, 359 SSL3_CK_EDH_DSS_DES_40_CBC_SHA, 360 SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA1|SSL_SSLV3, 361 SSL_EXPORT|SSL_EXP40, 362 0, 363 40, 364 56, 365 SSL_ALL_CIPHERS, 366 SSL_ALL_STRENGTHS, 367 }, 368 /* Cipher 12 */ 369 { 370 1, 371 SSL3_TXT_EDH_DSS_DES_64_CBC_SHA, 372 SSL3_CK_EDH_DSS_DES_64_CBC_SHA, 373 SSL_kEDH|SSL_aDSS|SSL_DES |SSL_SHA1|SSL_SSLV3, 374 SSL_NOT_EXP|SSL_LOW, 375 0, 376 56, 377 56, 378 SSL_ALL_CIPHERS, 379 SSL_ALL_STRENGTHS, 380 }, 381 /* Cipher 13 */ 382 { 383 1, 384 SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA, 385 SSL3_CK_EDH_DSS_DES_192_CBC3_SHA, 386 SSL_kEDH|SSL_aDSS|SSL_3DES |SSL_SHA1|SSL_SSLV3, 387 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 388 0, 389 168, 390 168, 391 SSL_ALL_CIPHERS, 392 SSL_ALL_STRENGTHS, 393 }, 394 /* Cipher 14 */ 395 { 396 1, 397 SSL3_TXT_EDH_RSA_DES_40_CBC_SHA, 398 SSL3_CK_EDH_RSA_DES_40_CBC_SHA, 399 SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_SSLV3, 400 SSL_EXPORT|SSL_EXP40, 401 0, 402 40, 403 56, 404 SSL_ALL_CIPHERS, 405 SSL_ALL_STRENGTHS, 406 }, 407 /* Cipher 15 */ 408 { 409 1, 410 SSL3_TXT_EDH_RSA_DES_64_CBC_SHA, 411 SSL3_CK_EDH_RSA_DES_64_CBC_SHA, 412 SSL_kEDH|SSL_aRSA|SSL_DES |SSL_SHA1|SSL_SSLV3, 413 SSL_NOT_EXP|SSL_LOW, 414 0, 415 56, 416 56, 417 SSL_ALL_CIPHERS, 418 SSL_ALL_STRENGTHS, 419 }, 420 /* Cipher 16 */ 421 { 422 1, 423 SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA, 424 SSL3_CK_EDH_RSA_DES_192_CBC3_SHA, 425 SSL_kEDH|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3, 426 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 427 0, 428 168, 429 168, 430 SSL_ALL_CIPHERS, 431 SSL_ALL_STRENGTHS, 432 }, 433 /* Cipher 17 */ 434 { 435 1, 436 SSL3_TXT_ADH_RC4_40_MD5, 437 SSL3_CK_ADH_RC4_40_MD5, 438 SSL_kEDH |SSL_aNULL|SSL_RC4 |SSL_MD5 |SSL_SSLV3, 439 SSL_EXPORT|SSL_EXP40, 440 0, 441 40, 442 128, 443 SSL_ALL_CIPHERS, 444 SSL_ALL_STRENGTHS, 445 }, 446 /* Cipher 18 */ 447 { 448 1, 449 SSL3_TXT_ADH_RC4_128_MD5, 450 SSL3_CK_ADH_RC4_128_MD5, 451 SSL_kEDH |SSL_aNULL|SSL_RC4 |SSL_MD5 |SSL_SSLV3, 452 SSL_NOT_EXP|SSL_MEDIUM, 453 0, 454 128, 455 128, 456 SSL_ALL_CIPHERS, 457 SSL_ALL_STRENGTHS, 458 }, 459 /* Cipher 19 */ 460 { 461 1, 462 SSL3_TXT_ADH_DES_40_CBC_SHA, 463 SSL3_CK_ADH_DES_40_CBC_SHA, 464 SSL_kEDH |SSL_aNULL|SSL_DES|SSL_SHA1|SSL_SSLV3, 465 SSL_EXPORT|SSL_EXP40, 466 0, 467 40, 468 128, 469 SSL_ALL_CIPHERS, 470 SSL_ALL_STRENGTHS, 471 }, 472 /* Cipher 1A */ 473 { 474 1, 475 SSL3_TXT_ADH_DES_64_CBC_SHA, 476 SSL3_CK_ADH_DES_64_CBC_SHA, 477 SSL_kEDH |SSL_aNULL|SSL_DES |SSL_SHA1|SSL_SSLV3, 478 SSL_NOT_EXP|SSL_LOW, 479 0, 480 56, 481 56, 482 SSL_ALL_CIPHERS, 483 SSL_ALL_STRENGTHS, 484 }, 485 /* Cipher 1B */ 486 { 487 1, 488 SSL3_TXT_ADH_DES_192_CBC_SHA, 489 SSL3_CK_ADH_DES_192_CBC_SHA, 490 SSL_kEDH |SSL_aNULL|SSL_3DES |SSL_SHA1|SSL_SSLV3, 491 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 492 0, 493 168, 494 168, 495 SSL_ALL_CIPHERS, 496 SSL_ALL_STRENGTHS, 497 }, 498 499 /* Fortezza */ 500 /* Cipher 1C */ 501 { 502 0, 503 SSL3_TXT_FZA_DMS_NULL_SHA, 504 SSL3_CK_FZA_DMS_NULL_SHA, 505 SSL_kFZA|SSL_aFZA |SSL_eNULL |SSL_SHA1|SSL_SSLV3, 506 SSL_NOT_EXP|SSL_STRONG_NONE, 507 0, 508 0, 509 0, 510 SSL_ALL_CIPHERS, 511 SSL_ALL_STRENGTHS, 512 }, 513 514 /* Cipher 1D */ 515 { 516 0, 517 SSL3_TXT_FZA_DMS_FZA_SHA, 518 SSL3_CK_FZA_DMS_FZA_SHA, 519 SSL_kFZA|SSL_aFZA |SSL_eFZA |SSL_SHA1|SSL_SSLV3, 520 SSL_NOT_EXP|SSL_STRONG_NONE, 521 0, 522 0, 523 0, 524 SSL_ALL_CIPHERS, 525 SSL_ALL_STRENGTHS, 526 }, 527 528 #if 0 529 /* Cipher 1E */ 530 { 531 0, 532 SSL3_TXT_FZA_DMS_RC4_SHA, 533 SSL3_CK_FZA_DMS_RC4_SHA, 534 SSL_kFZA|SSL_aFZA |SSL_RC4 |SSL_SHA1|SSL_SSLV3, 535 SSL_NOT_EXP|SSL_MEDIUM, 536 0, 537 128, 538 128, 539 SSL_ALL_CIPHERS, 540 SSL_ALL_STRENGTHS, 541 }, 542 #endif 543 544 #ifndef OPENSSL_NO_KRB5 545 /* The Kerberos ciphers */ 546 /* Cipher 1E */ 547 { 548 1, 549 SSL3_TXT_KRB5_DES_64_CBC_SHA, 550 SSL3_CK_KRB5_DES_64_CBC_SHA, 551 SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_SHA1 |SSL_SSLV3, 552 SSL_NOT_EXP|SSL_LOW, 553 0, 554 56, 555 56, 556 SSL_ALL_CIPHERS, 557 SSL_ALL_STRENGTHS, 558 }, 559 560 /* Cipher 1F */ 561 { 562 1, 563 SSL3_TXT_KRB5_DES_192_CBC3_SHA, 564 SSL3_CK_KRB5_DES_192_CBC3_SHA, 565 SSL_kKRB5|SSL_aKRB5| SSL_3DES|SSL_SHA1 |SSL_SSLV3, 566 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 567 0, 568 168, 569 168, 570 SSL_ALL_CIPHERS, 571 SSL_ALL_STRENGTHS, 572 }, 573 574 /* Cipher 20 */ 575 { 576 1, 577 SSL3_TXT_KRB5_RC4_128_SHA, 578 SSL3_CK_KRB5_RC4_128_SHA, 579 SSL_kKRB5|SSL_aKRB5| SSL_RC4|SSL_SHA1 |SSL_SSLV3, 580 SSL_NOT_EXP|SSL_MEDIUM, 581 0, 582 128, 583 128, 584 SSL_ALL_CIPHERS, 585 SSL_ALL_STRENGTHS, 586 }, 587 588 /* Cipher 21 */ 589 { 590 1, 591 SSL3_TXT_KRB5_IDEA_128_CBC_SHA, 592 SSL3_CK_KRB5_IDEA_128_CBC_SHA, 593 SSL_kKRB5|SSL_aKRB5| SSL_IDEA|SSL_SHA1 |SSL_SSLV3, 594 SSL_NOT_EXP|SSL_MEDIUM, 595 0, 596 128, 597 128, 598 SSL_ALL_CIPHERS, 599 SSL_ALL_STRENGTHS, 600 }, 601 602 /* Cipher 22 */ 603 { 604 1, 605 SSL3_TXT_KRB5_DES_64_CBC_MD5, 606 SSL3_CK_KRB5_DES_64_CBC_MD5, 607 SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_MD5 |SSL_SSLV3, 608 SSL_NOT_EXP|SSL_LOW, 609 0, 610 56, 611 56, 612 SSL_ALL_CIPHERS, 613 SSL_ALL_STRENGTHS, 614 }, 615 616 /* Cipher 23 */ 617 { 618 1, 619 SSL3_TXT_KRB5_DES_192_CBC3_MD5, 620 SSL3_CK_KRB5_DES_192_CBC3_MD5, 621 SSL_kKRB5|SSL_aKRB5| SSL_3DES|SSL_MD5 |SSL_SSLV3, 622 SSL_NOT_EXP|SSL_HIGH, 623 0, 624 168, 625 168, 626 SSL_ALL_CIPHERS, 627 SSL_ALL_STRENGTHS, 628 }, 629 630 /* Cipher 24 */ 631 { 632 1, 633 SSL3_TXT_KRB5_RC4_128_MD5, 634 SSL3_CK_KRB5_RC4_128_MD5, 635 SSL_kKRB5|SSL_aKRB5| SSL_RC4|SSL_MD5 |SSL_SSLV3, 636 SSL_NOT_EXP|SSL_MEDIUM, 637 0, 638 128, 639 128, 640 SSL_ALL_CIPHERS, 641 SSL_ALL_STRENGTHS, 642 }, 643 644 /* Cipher 25 */ 645 { 646 1, 647 SSL3_TXT_KRB5_IDEA_128_CBC_MD5, 648 SSL3_CK_KRB5_IDEA_128_CBC_MD5, 649 SSL_kKRB5|SSL_aKRB5| SSL_IDEA|SSL_MD5 |SSL_SSLV3, 650 SSL_NOT_EXP|SSL_MEDIUM, 651 0, 652 128, 653 128, 654 SSL_ALL_CIPHERS, 655 SSL_ALL_STRENGTHS, 656 }, 657 658 /* Cipher 26 */ 659 { 660 1, 661 SSL3_TXT_KRB5_DES_40_CBC_SHA, 662 SSL3_CK_KRB5_DES_40_CBC_SHA, 663 SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_SHA1 |SSL_SSLV3, 664 SSL_EXPORT|SSL_EXP40, 665 0, 666 40, 667 56, 668 SSL_ALL_CIPHERS, 669 SSL_ALL_STRENGTHS, 670 }, 671 672 /* Cipher 27 */ 673 { 674 1, 675 SSL3_TXT_KRB5_RC2_40_CBC_SHA, 676 SSL3_CK_KRB5_RC2_40_CBC_SHA, 677 SSL_kKRB5|SSL_aKRB5| SSL_RC2|SSL_SHA1 |SSL_SSLV3, 678 SSL_EXPORT|SSL_EXP40, 679 0, 680 40, 681 128, 682 SSL_ALL_CIPHERS, 683 SSL_ALL_STRENGTHS, 684 }, 685 686 /* Cipher 28 */ 687 { 688 1, 689 SSL3_TXT_KRB5_RC4_40_SHA, 690 SSL3_CK_KRB5_RC4_40_SHA, 691 SSL_kKRB5|SSL_aKRB5| SSL_RC4|SSL_SHA1 |SSL_SSLV3, 692 SSL_EXPORT|SSL_EXP40, 693 0, 694 40, 695 128, 696 SSL_ALL_CIPHERS, 697 SSL_ALL_STRENGTHS, 698 }, 699 700 /* Cipher 29 */ 701 { 702 1, 703 SSL3_TXT_KRB5_DES_40_CBC_MD5, 704 SSL3_CK_KRB5_DES_40_CBC_MD5, 705 SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_MD5 |SSL_SSLV3, 706 SSL_EXPORT|SSL_EXP40, 707 0, 708 40, 709 56, 710 SSL_ALL_CIPHERS, 711 SSL_ALL_STRENGTHS, 712 }, 713 714 /* Cipher 2A */ 715 { 716 1, 717 SSL3_TXT_KRB5_RC2_40_CBC_MD5, 718 SSL3_CK_KRB5_RC2_40_CBC_MD5, 719 SSL_kKRB5|SSL_aKRB5| SSL_RC2|SSL_MD5 |SSL_SSLV3, 720 SSL_EXPORT|SSL_EXP40, 721 0, 722 40, 723 128, 724 SSL_ALL_CIPHERS, 725 SSL_ALL_STRENGTHS, 726 }, 727 728 /* Cipher 2B */ 729 { 730 1, 731 SSL3_TXT_KRB5_RC4_40_MD5, 732 SSL3_CK_KRB5_RC4_40_MD5, 733 SSL_kKRB5|SSL_aKRB5| SSL_RC4|SSL_MD5 |SSL_SSLV3, 734 SSL_EXPORT|SSL_EXP40, 735 0, 736 40, 737 128, 738 SSL_ALL_CIPHERS, 739 SSL_ALL_STRENGTHS, 740 }, 741 #endif /* OPENSSL_NO_KRB5 */ 742 743 /* New AES ciphersuites */ 744 /* Cipher 2F */ 745 { 746 1, 747 TLS1_TXT_RSA_WITH_AES_128_SHA, 748 TLS1_CK_RSA_WITH_AES_128_SHA, 749 SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1, 750 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 751 0, 752 128, 753 128, 754 SSL_ALL_CIPHERS, 755 SSL_ALL_STRENGTHS, 756 }, 757 /* Cipher 30 */ 758 { 759 0, 760 TLS1_TXT_DH_DSS_WITH_AES_128_SHA, 761 TLS1_CK_DH_DSS_WITH_AES_128_SHA, 762 SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, 763 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 764 0, 765 128, 766 128, 767 SSL_ALL_CIPHERS, 768 SSL_ALL_STRENGTHS, 769 }, 770 /* Cipher 31 */ 771 { 772 0, 773 TLS1_TXT_DH_RSA_WITH_AES_128_SHA, 774 TLS1_CK_DH_RSA_WITH_AES_128_SHA, 775 SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, 776 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 777 0, 778 128, 779 128, 780 SSL_ALL_CIPHERS, 781 SSL_ALL_STRENGTHS, 782 }, 783 /* Cipher 32 */ 784 { 785 1, 786 TLS1_TXT_DHE_DSS_WITH_AES_128_SHA, 787 TLS1_CK_DHE_DSS_WITH_AES_128_SHA, 788 SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1, 789 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 790 0, 791 128, 792 128, 793 SSL_ALL_CIPHERS, 794 SSL_ALL_STRENGTHS, 795 }, 796 /* Cipher 33 */ 797 { 798 1, 799 TLS1_TXT_DHE_RSA_WITH_AES_128_SHA, 800 TLS1_CK_DHE_RSA_WITH_AES_128_SHA, 801 SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, 802 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 803 0, 804 128, 805 128, 806 SSL_ALL_CIPHERS, 807 SSL_ALL_STRENGTHS, 808 }, 809 /* Cipher 34 */ 810 { 811 1, 812 TLS1_TXT_ADH_WITH_AES_128_SHA, 813 TLS1_CK_ADH_WITH_AES_128_SHA, 814 SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1, 815 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 816 0, 817 128, 818 128, 819 SSL_ALL_CIPHERS, 820 SSL_ALL_STRENGTHS, 821 }, 822 823 /* Cipher 35 */ 824 { 825 1, 826 TLS1_TXT_RSA_WITH_AES_256_SHA, 827 TLS1_CK_RSA_WITH_AES_256_SHA, 828 SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1, 829 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 830 0, 831 256, 832 256, 833 SSL_ALL_CIPHERS, 834 SSL_ALL_STRENGTHS, 835 }, 836 /* Cipher 36 */ 837 { 838 0, 839 TLS1_TXT_DH_DSS_WITH_AES_256_SHA, 840 TLS1_CK_DH_DSS_WITH_AES_256_SHA, 841 SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, 842 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 843 0, 844 256, 845 256, 846 SSL_ALL_CIPHERS, 847 SSL_ALL_STRENGTHS, 848 }, 849 /* Cipher 37 */ 850 { 851 0, 852 TLS1_TXT_DH_RSA_WITH_AES_256_SHA, 853 TLS1_CK_DH_RSA_WITH_AES_256_SHA, 854 SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, 855 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 856 0, 857 256, 858 256, 859 SSL_ALL_CIPHERS, 860 SSL_ALL_STRENGTHS, 861 }, 862 /* Cipher 38 */ 863 { 864 1, 865 TLS1_TXT_DHE_DSS_WITH_AES_256_SHA, 866 TLS1_CK_DHE_DSS_WITH_AES_256_SHA, 867 SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1, 868 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 869 0, 870 256, 871 256, 872 SSL_ALL_CIPHERS, 873 SSL_ALL_STRENGTHS, 874 }, 875 /* Cipher 39 */ 876 { 877 1, 878 TLS1_TXT_DHE_RSA_WITH_AES_256_SHA, 879 TLS1_CK_DHE_RSA_WITH_AES_256_SHA, 880 SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, 881 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 882 0, 883 256, 884 256, 885 SSL_ALL_CIPHERS, 886 SSL_ALL_STRENGTHS, 887 }, 888 /* Cipher 3A */ 889 { 890 1, 891 TLS1_TXT_ADH_WITH_AES_256_SHA, 892 TLS1_CK_ADH_WITH_AES_256_SHA, 893 SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1, 894 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 895 0, 896 256, 897 256, 898 SSL_ALL_CIPHERS, 899 SSL_ALL_STRENGTHS, 900 }, 901 902 #ifndef OPENSSL_NO_CAMELLIA 903 /* Camellia ciphersuites from RFC4132 (128-bit portion) */ 904 905 /* Cipher 41 */ 906 { 907 1, 908 TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA, 909 TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA, 910 SSL_kRSA|SSL_aRSA|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, 911 SSL_NOT_EXP|SSL_HIGH, 912 0, 913 128, 914 128, 915 SSL_ALL_CIPHERS, 916 SSL_ALL_STRENGTHS 917 }, 918 /* Cipher 42 */ 919 { 920 0, /* not implemented (non-ephemeral DH) */ 921 TLS1_TXT_DH_DSS_WITH_CAMELLIA_128_CBC_SHA, 922 TLS1_CK_DH_DSS_WITH_CAMELLIA_128_CBC_SHA, 923 SSL_kDHd|SSL_aDH|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, 924 SSL_NOT_EXP|SSL_HIGH, 925 0, 926 128, 927 128, 928 SSL_ALL_CIPHERS, 929 SSL_ALL_STRENGTHS 930 }, 931 /* Cipher 43 */ 932 { 933 0, /* not implemented (non-ephemeral DH) */ 934 TLS1_TXT_DH_RSA_WITH_CAMELLIA_128_CBC_SHA, 935 TLS1_CK_DH_RSA_WITH_CAMELLIA_128_CBC_SHA, 936 SSL_kDHr|SSL_aDH|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, 937 SSL_NOT_EXP|SSL_HIGH, 938 0, 939 128, 940 128, 941 SSL_ALL_CIPHERS, 942 SSL_ALL_STRENGTHS 943 }, 944 /* Cipher 44 */ 945 { 946 1, 947 TLS1_TXT_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, 948 TLS1_CK_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, 949 SSL_kEDH|SSL_aDSS|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, 950 SSL_NOT_EXP|SSL_HIGH, 951 0, 952 128, 953 128, 954 SSL_ALL_CIPHERS, 955 SSL_ALL_STRENGTHS 956 }, 957 /* Cipher 45 */ 958 { 959 1, 960 TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, 961 TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, 962 SSL_kEDH|SSL_aRSA|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, 963 SSL_NOT_EXP|SSL_HIGH, 964 0, 965 128, 966 128, 967 SSL_ALL_CIPHERS, 968 SSL_ALL_STRENGTHS 969 }, 970 /* Cipher 46 */ 971 { 972 1, 973 TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA, 974 TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA, 975 SSL_kEDH|SSL_aNULL|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, 976 SSL_NOT_EXP|SSL_HIGH, 977 0, 978 128, 979 128, 980 SSL_ALL_CIPHERS, 981 SSL_ALL_STRENGTHS 982 }, 983 #endif /* OPENSSL_NO_CAMELLIA */ 984 985 #if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES 986 /* New TLS Export CipherSuites from expired ID */ 987 #if 0 988 /* Cipher 60 */ 989 { 990 1, 991 TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5, 992 TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5, 993 SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_TLSV1, 994 SSL_EXPORT|SSL_EXP56, 995 0, 996 56, 997 128, 998 SSL_ALL_CIPHERS, 999 SSL_ALL_STRENGTHS, 1000 }, 1001 /* Cipher 61 */ 1002 { 1003 1, 1004 TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5, 1005 TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5, 1006 SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_TLSV1, 1007 SSL_EXPORT|SSL_EXP56, 1008 0, 1009 56, 1010 128, 1011 SSL_ALL_CIPHERS, 1012 SSL_ALL_STRENGTHS, 1013 }, 1014 #endif 1015 /* Cipher 62 */ 1016 { 1017 1, 1018 TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA, 1019 TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA, 1020 SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA|SSL_TLSV1, 1021 SSL_EXPORT|SSL_EXP56, 1022 0, 1023 56, 1024 56, 1025 SSL_ALL_CIPHERS, 1026 SSL_ALL_STRENGTHS, 1027 }, 1028 /* Cipher 63 */ 1029 { 1030 1, 1031 TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA, 1032 TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA, 1033 SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA|SSL_TLSV1, 1034 SSL_EXPORT|SSL_EXP56, 1035 0, 1036 56, 1037 56, 1038 SSL_ALL_CIPHERS, 1039 SSL_ALL_STRENGTHS, 1040 }, 1041 /* Cipher 64 */ 1042 { 1043 1, 1044 TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA, 1045 TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA, 1046 SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1, 1047 SSL_EXPORT|SSL_EXP56, 1048 0, 1049 56, 1050 128, 1051 SSL_ALL_CIPHERS, 1052 SSL_ALL_STRENGTHS, 1053 }, 1054 /* Cipher 65 */ 1055 { 1056 1, 1057 TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA, 1058 TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA, 1059 SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1, 1060 SSL_EXPORT|SSL_EXP56, 1061 0, 1062 56, 1063 128, 1064 SSL_ALL_CIPHERS, 1065 SSL_ALL_STRENGTHS, 1066 }, 1067 /* Cipher 66 */ 1068 { 1069 1, 1070 TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA, 1071 TLS1_CK_DHE_DSS_WITH_RC4_128_SHA, 1072 SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1, 1073 SSL_NOT_EXP|SSL_MEDIUM, 1074 0, 1075 128, 1076 128, 1077 SSL_ALL_CIPHERS, 1078 SSL_ALL_STRENGTHS 1079 }, 1080 #endif 1081 1082 #ifndef OPENSSL_NO_CAMELLIA 1083 /* Camellia ciphersuites from RFC4132 (256-bit portion) */ 1084 1085 /* Cipher 84 */ 1086 { 1087 1, 1088 TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA, 1089 TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA, 1090 SSL_kRSA|SSL_aRSA|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, 1091 SSL_NOT_EXP|SSL_HIGH, 1092 0, 1093 256, 1094 256, 1095 SSL_ALL_CIPHERS, 1096 SSL_ALL_STRENGTHS 1097 }, 1098 /* Cipher 85 */ 1099 { 1100 0, /* not implemented (non-ephemeral DH) */ 1101 TLS1_TXT_DH_DSS_WITH_CAMELLIA_256_CBC_SHA, 1102 TLS1_CK_DH_DSS_WITH_CAMELLIA_256_CBC_SHA, 1103 SSL_kDHd|SSL_aDH|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, 1104 SSL_NOT_EXP|SSL_HIGH, 1105 0, 1106 256, 1107 256, 1108 SSL_ALL_CIPHERS, 1109 SSL_ALL_STRENGTHS 1110 }, 1111 /* Cipher 86 */ 1112 { 1113 0, /* not implemented (non-ephemeral DH) */ 1114 TLS1_TXT_DH_RSA_WITH_CAMELLIA_256_CBC_SHA, 1115 TLS1_CK_DH_RSA_WITH_CAMELLIA_256_CBC_SHA, 1116 SSL_kDHr|SSL_aDH|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, 1117 SSL_NOT_EXP|SSL_HIGH, 1118 0, 1119 256, 1120 256, 1121 SSL_ALL_CIPHERS, 1122 SSL_ALL_STRENGTHS 1123 }, 1124 /* Cipher 87 */ 1125 { 1126 1, 1127 TLS1_TXT_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, 1128 TLS1_CK_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, 1129 SSL_kEDH|SSL_aDSS|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, 1130 SSL_NOT_EXP|SSL_HIGH, 1131 0, 1132 256, 1133 256, 1134 SSL_ALL_CIPHERS, 1135 SSL_ALL_STRENGTHS 1136 }, 1137 /* Cipher 88 */ 1138 { 1139 1, 1140 TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, 1141 TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, 1142 SSL_kEDH|SSL_aRSA|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, 1143 SSL_NOT_EXP|SSL_HIGH, 1144 0, 1145 256, 1146 256, 1147 SSL_ALL_CIPHERS, 1148 SSL_ALL_STRENGTHS 1149 }, 1150 /* Cipher 89 */ 1151 { 1152 1, 1153 TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA, 1154 TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA, 1155 SSL_kEDH|SSL_aNULL|SSL_CAMELLIA|SSL_SHA|SSL_TLSV1, 1156 SSL_NOT_EXP|SSL_HIGH, 1157 0, 1158 256, 1159 256, 1160 SSL_ALL_CIPHERS, 1161 SSL_ALL_STRENGTHS 1162 }, 1163 #endif /* OPENSSL_NO_CAMELLIA */ 1164 1165 #ifndef OPENSSL_NO_SEED 1166 /* SEED ciphersuites from RFC4162 */ 1167 1168 /* Cipher 96 */ 1169 { 1170 1, 1171 TLS1_TXT_RSA_WITH_SEED_SHA, 1172 TLS1_CK_RSA_WITH_SEED_SHA, 1173 SSL_kRSA|SSL_aRSA|SSL_SEED|SSL_SHA1|SSL_TLSV1, 1174 SSL_NOT_EXP|SSL_MEDIUM, 1175 0, 1176 128, 1177 128, 1178 SSL_ALL_CIPHERS, 1179 SSL_ALL_STRENGTHS, 1180 }, 1181 1182 /* Cipher 97 */ 1183 { 1184 0, /* not implemented (non-ephemeral DH) */ 1185 TLS1_TXT_DH_DSS_WITH_SEED_SHA, 1186 TLS1_CK_DH_DSS_WITH_SEED_SHA, 1187 SSL_kDHd|SSL_aDH|SSL_SEED|SSL_SHA1|SSL_TLSV1, 1188 SSL_NOT_EXP|SSL_MEDIUM, 1189 0, 1190 128, 1191 128, 1192 SSL_ALL_CIPHERS, 1193 SSL_ALL_STRENGTHS, 1194 }, 1195 1196 /* Cipher 98 */ 1197 { 1198 0, /* not implemented (non-ephemeral DH) */ 1199 TLS1_TXT_DH_RSA_WITH_SEED_SHA, 1200 TLS1_CK_DH_RSA_WITH_SEED_SHA, 1201 SSL_kDHr|SSL_aDH|SSL_SEED|SSL_SHA1|SSL_TLSV1, 1202 SSL_NOT_EXP|SSL_MEDIUM, 1203 0, 1204 128, 1205 128, 1206 SSL_ALL_CIPHERS, 1207 SSL_ALL_STRENGTHS, 1208 }, 1209 1210 /* Cipher 99 */ 1211 { 1212 1, 1213 TLS1_TXT_DHE_DSS_WITH_SEED_SHA, 1214 TLS1_CK_DHE_DSS_WITH_SEED_SHA, 1215 SSL_kEDH|SSL_aDSS|SSL_SEED|SSL_SHA1|SSL_TLSV1, 1216 SSL_NOT_EXP|SSL_MEDIUM, 1217 0, 1218 128, 1219 128, 1220 SSL_ALL_CIPHERS, 1221 SSL_ALL_STRENGTHS, 1222 }, 1223 1224 /* Cipher 9A */ 1225 { 1226 1, 1227 TLS1_TXT_DHE_RSA_WITH_SEED_SHA, 1228 TLS1_CK_DHE_RSA_WITH_SEED_SHA, 1229 SSL_kEDH|SSL_aRSA|SSL_SEED|SSL_SHA1|SSL_TLSV1, 1230 SSL_NOT_EXP|SSL_MEDIUM, 1231 0, 1232 128, 1233 128, 1234 SSL_ALL_CIPHERS, 1235 SSL_ALL_STRENGTHS, 1236 }, 1237 1238 /* Cipher 9B */ 1239 { 1240 1, 1241 TLS1_TXT_ADH_WITH_SEED_SHA, 1242 TLS1_CK_ADH_WITH_SEED_SHA, 1243 SSL_kEDH|SSL_aNULL|SSL_SEED|SSL_SHA1|SSL_TLSV1, 1244 SSL_NOT_EXP|SSL_MEDIUM, 1245 0, 1246 128, 1247 128, 1248 SSL_ALL_CIPHERS, 1249 SSL_ALL_STRENGTHS, 1250 }, 1251 1252 #endif /* OPENSSL_NO_SEED */ 1253 1254 #ifndef OPENSSL_NO_ECDH 1255 /* Cipher C001 */ 1256 { 1257 1, 1258 TLS1_TXT_ECDH_ECDSA_WITH_NULL_SHA, 1259 TLS1_CK_ECDH_ECDSA_WITH_NULL_SHA, 1260 SSL_kECDH|SSL_aECDSA|SSL_eNULL|SSL_SHA|SSL_TLSV1, 1261 SSL_NOT_EXP, 1262 0, 1263 0, 1264 0, 1265 SSL_ALL_CIPHERS, 1266 SSL_ALL_STRENGTHS, 1267 }, 1268 1269 /* Cipher C002 */ 1270 { 1271 1, 1272 TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA, 1273 TLS1_CK_ECDH_ECDSA_WITH_RC4_128_SHA, 1274 SSL_kECDH|SSL_aECDSA|SSL_RC4|SSL_SHA|SSL_TLSV1, 1275 SSL_NOT_EXP, 1276 0, 1277 128, 1278 128, 1279 SSL_ALL_CIPHERS, 1280 SSL_ALL_STRENGTHS, 1281 }, 1282 1283 /* Cipher C003 */ 1284 { 1285 1, 1286 TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA, 1287 TLS1_CK_ECDH_ECDSA_WITH_DES_192_CBC3_SHA, 1288 SSL_kECDH|SSL_aECDSA|SSL_3DES|SSL_SHA|SSL_TLSV1, 1289 SSL_NOT_EXP|SSL_HIGH, 1290 0, 1291 168, 1292 168, 1293 SSL_ALL_CIPHERS, 1294 SSL_ALL_STRENGTHS, 1295 }, 1296 1297 /* Cipher C004 */ 1298 { 1299 1, 1300 TLS1_TXT_ECDH_ECDSA_WITH_AES_128_CBC_SHA, 1301 TLS1_CK_ECDH_ECDSA_WITH_AES_128_CBC_SHA, 1302 SSL_kECDH|SSL_aECDSA|SSL_AES|SSL_SHA|SSL_TLSV1, 1303 SSL_NOT_EXP|SSL_HIGH, 1304 0, 1305 128, 1306 128, 1307 SSL_ALL_CIPHERS, 1308 SSL_ALL_STRENGTHS, 1309 }, 1310 1311 /* Cipher C005 */ 1312 { 1313 1, 1314 TLS1_TXT_ECDH_ECDSA_WITH_AES_256_CBC_SHA, 1315 TLS1_CK_ECDH_ECDSA_WITH_AES_256_CBC_SHA, 1316 SSL_kECDH|SSL_aECDSA|SSL_AES|SSL_SHA|SSL_TLSV1, 1317 SSL_NOT_EXP|SSL_HIGH, 1318 0, 1319 256, 1320 256, 1321 SSL_ALL_CIPHERS, 1322 SSL_ALL_STRENGTHS, 1323 }, 1324 1325 /* Cipher C006 */ 1326 { 1327 1, 1328 TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA, 1329 TLS1_CK_ECDHE_ECDSA_WITH_NULL_SHA, 1330 SSL_kECDHE|SSL_aECDSA|SSL_eNULL|SSL_SHA|SSL_TLSV1, 1331 SSL_NOT_EXP, 1332 0, 1333 0, 1334 0, 1335 SSL_ALL_CIPHERS, 1336 SSL_ALL_STRENGTHS, 1337 }, 1338 1339 /* Cipher C007 */ 1340 { 1341 1, 1342 TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA, 1343 TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA, 1344 SSL_kECDHE|SSL_aECDSA|SSL_RC4|SSL_SHA|SSL_TLSV1, 1345 SSL_NOT_EXP, 1346 0, 1347 128, 1348 128, 1349 SSL_ALL_CIPHERS, 1350 SSL_ALL_STRENGTHS, 1351 }, 1352 1353 /* Cipher C008 */ 1354 { 1355 1, 1356 TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA, 1357 TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA, 1358 SSL_kECDHE|SSL_aECDSA|SSL_3DES|SSL_SHA|SSL_TLSV1, 1359 SSL_NOT_EXP|SSL_HIGH, 1360 0, 1361 168, 1362 168, 1363 SSL_ALL_CIPHERS, 1364 SSL_ALL_STRENGTHS, 1365 }, 1366 1367 /* Cipher C009 */ 1368 { 1369 1, 1370 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 1371 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 1372 SSL_kECDHE|SSL_aECDSA|SSL_AES|SSL_SHA|SSL_TLSV1, 1373 SSL_NOT_EXP|SSL_HIGH, 1374 0, 1375 128, 1376 128, 1377 SSL_ALL_CIPHERS, 1378 SSL_ALL_STRENGTHS, 1379 }, 1380 1381 /* Cipher C00A */ 1382 { 1383 1, 1384 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 1385 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 1386 SSL_kECDHE|SSL_aECDSA|SSL_AES|SSL_SHA|SSL_TLSV1, 1387 SSL_NOT_EXP|SSL_HIGH, 1388 0, 1389 256, 1390 256, 1391 SSL_ALL_CIPHERS, 1392 SSL_ALL_STRENGTHS, 1393 }, 1394 1395 /* Cipher C00B */ 1396 { 1397 1, 1398 TLS1_TXT_ECDH_RSA_WITH_NULL_SHA, 1399 TLS1_CK_ECDH_RSA_WITH_NULL_SHA, 1400 SSL_kECDH|SSL_aRSA|SSL_eNULL|SSL_SHA|SSL_TLSV1, 1401 SSL_NOT_EXP, 1402 0, 1403 0, 1404 0, 1405 SSL_ALL_CIPHERS, 1406 SSL_ALL_STRENGTHS, 1407 }, 1408 1409 /* Cipher C00C */ 1410 { 1411 1, 1412 TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA, 1413 TLS1_CK_ECDH_RSA_WITH_RC4_128_SHA, 1414 SSL_kECDH|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1, 1415 SSL_NOT_EXP, 1416 0, 1417 128, 1418 128, 1419 SSL_ALL_CIPHERS, 1420 SSL_ALL_STRENGTHS, 1421 }, 1422 1423 /* Cipher C00D */ 1424 { 1425 1, 1426 TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA, 1427 TLS1_CK_ECDH_RSA_WITH_DES_192_CBC3_SHA, 1428 SSL_kECDH|SSL_aRSA|SSL_3DES|SSL_SHA|SSL_TLSV1, 1429 SSL_NOT_EXP|SSL_HIGH, 1430 0, 1431 168, 1432 168, 1433 SSL_ALL_CIPHERS, 1434 SSL_ALL_STRENGTHS, 1435 }, 1436 1437 /* Cipher C00E */ 1438 { 1439 1, 1440 TLS1_TXT_ECDH_RSA_WITH_AES_128_CBC_SHA, 1441 TLS1_CK_ECDH_RSA_WITH_AES_128_CBC_SHA, 1442 SSL_kECDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, 1443 SSL_NOT_EXP|SSL_HIGH, 1444 0, 1445 128, 1446 128, 1447 SSL_ALL_CIPHERS, 1448 SSL_ALL_STRENGTHS, 1449 }, 1450 1451 /* Cipher C00F */ 1452 { 1453 1, 1454 TLS1_TXT_ECDH_RSA_WITH_AES_256_CBC_SHA, 1455 TLS1_CK_ECDH_RSA_WITH_AES_256_CBC_SHA, 1456 SSL_kECDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, 1457 SSL_NOT_EXP|SSL_HIGH, 1458 0, 1459 256, 1460 256, 1461 SSL_ALL_CIPHERS, 1462 SSL_ALL_STRENGTHS, 1463 }, 1464 1465 /* Cipher C010 */ 1466 { 1467 1, 1468 TLS1_TXT_ECDHE_RSA_WITH_NULL_SHA, 1469 TLS1_CK_ECDHE_RSA_WITH_NULL_SHA, 1470 SSL_kECDHE|SSL_aRSA|SSL_eNULL|SSL_SHA|SSL_TLSV1, 1471 SSL_NOT_EXP, 1472 0, 1473 0, 1474 0, 1475 SSL_ALL_CIPHERS, 1476 SSL_ALL_STRENGTHS, 1477 }, 1478 1479 /* Cipher C011 */ 1480 { 1481 1, 1482 TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA, 1483 TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA, 1484 SSL_kECDHE|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1, 1485 SSL_NOT_EXP, 1486 0, 1487 128, 1488 128, 1489 SSL_ALL_CIPHERS, 1490 SSL_ALL_STRENGTHS, 1491 }, 1492 1493 /* Cipher C012 */ 1494 { 1495 1, 1496 TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA, 1497 TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA, 1498 SSL_kECDHE|SSL_aRSA|SSL_3DES|SSL_SHA|SSL_TLSV1, 1499 SSL_NOT_EXP|SSL_HIGH, 1500 0, 1501 168, 1502 168, 1503 SSL_ALL_CIPHERS, 1504 SSL_ALL_STRENGTHS, 1505 }, 1506 1507 /* Cipher C013 */ 1508 { 1509 1, 1510 TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA, 1511 TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, 1512 SSL_kECDHE|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, 1513 SSL_NOT_EXP|SSL_HIGH, 1514 0, 1515 128, 1516 128, 1517 SSL_ALL_CIPHERS, 1518 SSL_ALL_STRENGTHS, 1519 }, 1520 1521 /* Cipher C014 */ 1522 { 1523 1, 1524 TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA, 1525 TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, 1526 SSL_kECDHE|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, 1527 SSL_NOT_EXP|SSL_HIGH, 1528 0, 1529 256, 1530 256, 1531 SSL_ALL_CIPHERS, 1532 SSL_ALL_STRENGTHS, 1533 }, 1534 1535 /* Cipher C015 */ 1536 { 1537 1, 1538 TLS1_TXT_ECDH_anon_WITH_NULL_SHA, 1539 TLS1_CK_ECDH_anon_WITH_NULL_SHA, 1540 SSL_kECDHE|SSL_aNULL|SSL_eNULL|SSL_SHA|SSL_TLSV1, 1541 SSL_NOT_EXP, 1542 0, 1543 0, 1544 0, 1545 SSL_ALL_CIPHERS, 1546 SSL_ALL_STRENGTHS, 1547 }, 1548 1549 /* Cipher C016 */ 1550 { 1551 1, 1552 TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA, 1553 TLS1_CK_ECDH_anon_WITH_RC4_128_SHA, 1554 SSL_kECDHE|SSL_aNULL|SSL_RC4|SSL_SHA|SSL_TLSV1, 1555 SSL_NOT_EXP, 1556 0, 1557 128, 1558 128, 1559 SSL_ALL_CIPHERS, 1560 SSL_ALL_STRENGTHS, 1561 }, 1562 1563 /* Cipher C017 */ 1564 { 1565 1, 1566 TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA, 1567 TLS1_CK_ECDH_anon_WITH_DES_192_CBC3_SHA, 1568 SSL_kECDHE|SSL_aNULL|SSL_3DES|SSL_SHA|SSL_TLSV1, 1569 SSL_NOT_EXP|SSL_HIGH, 1570 0, 1571 168, 1572 168, 1573 SSL_ALL_CIPHERS, 1574 SSL_ALL_STRENGTHS, 1575 }, 1576 1577 /* Cipher C018 */ 1578 { 1579 1, 1580 TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA, 1581 TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA, 1582 SSL_kECDHE|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1, 1583 SSL_NOT_EXP|SSL_HIGH, 1584 0, 1585 128, 1586 128, 1587 SSL_ALL_CIPHERS, 1588 SSL_ALL_STRENGTHS, 1589 }, 1590 1591 /* Cipher C019 */ 1592 { 1593 1, 1594 TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA, 1595 TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA, 1596 SSL_kECDHE|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1, 1597 SSL_NOT_EXP|SSL_HIGH, 1598 0, 1599 256, 1600 256, 1601 SSL_ALL_CIPHERS, 1602 SSL_ALL_STRENGTHS, 1603 }, 1604 #endif /* OPENSSL_NO_ECDH */ 1605 1606 1607 /* end of list */ 1608 }; 1609 1610 SSL3_ENC_METHOD SSLv3_enc_data={ 1611 ssl3_enc, 1612 ssl3_mac, 1613 ssl3_setup_key_block, 1614 ssl3_generate_master_secret, 1615 ssl3_change_cipher_state, 1616 ssl3_final_finish_mac, 1617 MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH, 1618 ssl3_cert_verify_mac, 1619 SSL3_MD_CLIENT_FINISHED_CONST,4, 1620 SSL3_MD_SERVER_FINISHED_CONST,4, 1621 ssl3_alert_code, 1622 }; 1623 1624 long ssl3_default_timeout(void) 1625 { 1626 /* 2 hours, the 24 hours mentioned in the SSLv3 spec 1627 * is way too long for http, the cache would over fill */ 1628 return(60*60*2); 1629 } 1630 1631 IMPLEMENT_ssl3_meth_func(sslv3_base_method, 1632 ssl_undefined_function, 1633 ssl_undefined_function, 1634 ssl_bad_method) 1635 1636 int ssl3_num_ciphers(void) 1637 { 1638 return(SSL3_NUM_CIPHERS); 1639 } 1640 1641 SSL_CIPHER *ssl3_get_cipher(unsigned int u) 1642 { 1643 if (u < SSL3_NUM_CIPHERS) 1644 return(&(ssl3_ciphers[SSL3_NUM_CIPHERS-1-u])); 1645 else 1646 return(NULL); 1647 } 1648 1649 int ssl3_pending(const SSL *s) 1650 { 1651 if (s->rstate == SSL_ST_READ_BODY) 1652 return 0; 1653 1654 return (s->s3->rrec.type == SSL3_RT_APPLICATION_DATA) ? s->s3->rrec.length : 0; 1655 } 1656 1657 int ssl3_new(SSL *s) 1658 { 1659 SSL3_STATE *s3; 1660 1661 if ((s3=OPENSSL_malloc(sizeof *s3)) == NULL) goto err; 1662 memset(s3,0,sizeof *s3); 1663 EVP_MD_CTX_init(&s3->finish_dgst1); 1664 EVP_MD_CTX_init(&s3->finish_dgst2); 1665 pq_64bit_init(&(s3->rrec.seq_num)); 1666 pq_64bit_init(&(s3->wrec.seq_num)); 1667 1668 s->s3=s3; 1669 1670 s->method->ssl_clear(s); 1671 return(1); 1672 err: 1673 return(0); 1674 } 1675 1676 void ssl3_free(SSL *s) 1677 { 1678 if(s == NULL) 1679 return; 1680 1681 ssl3_cleanup_key_block(s); 1682 if (s->s3->rbuf.buf != NULL) 1683 OPENSSL_free(s->s3->rbuf.buf); 1684 if (s->s3->wbuf.buf != NULL) 1685 OPENSSL_free(s->s3->wbuf.buf); 1686 if (s->s3->rrec.comp != NULL) 1687 OPENSSL_free(s->s3->rrec.comp); 1688 #ifndef OPENSSL_NO_DH 1689 if (s->s3->tmp.dh != NULL) 1690 DH_free(s->s3->tmp.dh); 1691 #endif 1692 #ifndef OPENSSL_NO_ECDH 1693 if (s->s3->tmp.ecdh != NULL) 1694 EC_KEY_free(s->s3->tmp.ecdh); 1695 #endif 1696 1697 if (s->s3->tmp.ca_names != NULL) 1698 sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free); 1699 EVP_MD_CTX_cleanup(&s->s3->finish_dgst1); 1700 EVP_MD_CTX_cleanup(&s->s3->finish_dgst2); 1701 pq_64bit_free(&(s->s3->rrec.seq_num)); 1702 pq_64bit_free(&(s->s3->wrec.seq_num)); 1703 1704 OPENSSL_cleanse(s->s3,sizeof *s->s3); 1705 OPENSSL_free(s->s3); 1706 s->s3=NULL; 1707 } 1708 1709 void ssl3_clear(SSL *s) 1710 { 1711 unsigned char *rp,*wp; 1712 size_t rlen, wlen; 1713 1714 ssl3_cleanup_key_block(s); 1715 if (s->s3->tmp.ca_names != NULL) 1716 sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free); 1717 1718 if (s->s3->rrec.comp != NULL) 1719 { 1720 OPENSSL_free(s->s3->rrec.comp); 1721 s->s3->rrec.comp=NULL; 1722 } 1723 #ifndef OPENSSL_NO_DH 1724 if (s->s3->tmp.dh != NULL) 1725 { 1726 DH_free(s->s3->tmp.dh); 1727 s->s3->tmp.dh = NULL; 1728 } 1729 #endif 1730 #ifndef OPENSSL_NO_ECDH 1731 if (s->s3->tmp.ecdh != NULL) 1732 { 1733 EC_KEY_free(s->s3->tmp.ecdh); 1734 s->s3->tmp.ecdh = NULL; 1735 } 1736 #endif 1737 1738 rp = s->s3->rbuf.buf; 1739 wp = s->s3->wbuf.buf; 1740 rlen = s->s3->rbuf.len; 1741 wlen = s->s3->wbuf.len; 1742 1743 EVP_MD_CTX_cleanup(&s->s3->finish_dgst1); 1744 EVP_MD_CTX_cleanup(&s->s3->finish_dgst2); 1745 1746 memset(s->s3,0,sizeof *s->s3); 1747 s->s3->rbuf.buf = rp; 1748 s->s3->wbuf.buf = wp; 1749 s->s3->rbuf.len = rlen; 1750 s->s3->wbuf.len = wlen; 1751 1752 ssl_free_wbio_buffer(s); 1753 1754 s->packet_length=0; 1755 s->s3->renegotiate=0; 1756 s->s3->total_renegotiations=0; 1757 s->s3->num_renegotiations=0; 1758 s->s3->in_read_app_data=0; 1759 s->version=SSL3_VERSION; 1760 } 1761 1762 long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) 1763 { 1764 int ret=0; 1765 1766 #if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_RSA) 1767 if ( 1768 #ifndef OPENSSL_NO_RSA 1769 cmd == SSL_CTRL_SET_TMP_RSA || 1770 cmd == SSL_CTRL_SET_TMP_RSA_CB || 1771 #endif 1772 #ifndef OPENSSL_NO_DSA 1773 cmd == SSL_CTRL_SET_TMP_DH || 1774 cmd == SSL_CTRL_SET_TMP_DH_CB || 1775 #endif 1776 0) 1777 { 1778 if (!ssl_cert_inst(&s->cert)) 1779 { 1780 SSLerr(SSL_F_SSL3_CTRL, ERR_R_MALLOC_FAILURE); 1781 return(0); 1782 } 1783 } 1784 #endif 1785 1786 switch (cmd) 1787 { 1788 case SSL_CTRL_GET_SESSION_REUSED: 1789 ret=s->hit; 1790 break; 1791 case SSL_CTRL_GET_CLIENT_CERT_REQUEST: 1792 break; 1793 case SSL_CTRL_GET_NUM_RENEGOTIATIONS: 1794 ret=s->s3->num_renegotiations; 1795 break; 1796 case SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS: 1797 ret=s->s3->num_renegotiations; 1798 s->s3->num_renegotiations=0; 1799 break; 1800 case SSL_CTRL_GET_TOTAL_RENEGOTIATIONS: 1801 ret=s->s3->total_renegotiations; 1802 break; 1803 case SSL_CTRL_GET_FLAGS: 1804 ret=(int)(s->s3->flags); 1805 break; 1806 #ifndef OPENSSL_NO_RSA 1807 case SSL_CTRL_NEED_TMP_RSA: 1808 if ((s->cert != NULL) && (s->cert->rsa_tmp == NULL) && 1809 ((s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) || 1810 (EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey) > (512/8)))) 1811 ret = 1; 1812 break; 1813 case SSL_CTRL_SET_TMP_RSA: 1814 { 1815 RSA *rsa = (RSA *)parg; 1816 if (rsa == NULL) 1817 { 1818 SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER); 1819 return(ret); 1820 } 1821 if ((rsa = RSAPrivateKey_dup(rsa)) == NULL) 1822 { 1823 SSLerr(SSL_F_SSL3_CTRL, ERR_R_RSA_LIB); 1824 return(ret); 1825 } 1826 if (s->cert->rsa_tmp != NULL) 1827 RSA_free(s->cert->rsa_tmp); 1828 s->cert->rsa_tmp = rsa; 1829 ret = 1; 1830 } 1831 break; 1832 case SSL_CTRL_SET_TMP_RSA_CB: 1833 { 1834 SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 1835 return(ret); 1836 } 1837 break; 1838 #endif 1839 #ifndef OPENSSL_NO_DH 1840 case SSL_CTRL_SET_TMP_DH: 1841 { 1842 DH *dh = (DH *)parg; 1843 if (dh == NULL) 1844 { 1845 SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER); 1846 return(ret); 1847 } 1848 if ((dh = DHparams_dup(dh)) == NULL) 1849 { 1850 SSLerr(SSL_F_SSL3_CTRL, ERR_R_DH_LIB); 1851 return(ret); 1852 } 1853 if (!(s->options & SSL_OP_SINGLE_DH_USE)) 1854 { 1855 if (!DH_generate_key(dh)) 1856 { 1857 DH_free(dh); 1858 SSLerr(SSL_F_SSL3_CTRL, ERR_R_DH_LIB); 1859 return(ret); 1860 } 1861 } 1862 if (s->cert->dh_tmp != NULL) 1863 DH_free(s->cert->dh_tmp); 1864 s->cert->dh_tmp = dh; 1865 ret = 1; 1866 } 1867 break; 1868 case SSL_CTRL_SET_TMP_DH_CB: 1869 { 1870 SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 1871 return(ret); 1872 } 1873 break; 1874 #endif 1875 #ifndef OPENSSL_NO_ECDH 1876 case SSL_CTRL_SET_TMP_ECDH: 1877 { 1878 EC_KEY *ecdh = NULL; 1879 1880 if (parg == NULL) 1881 { 1882 SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER); 1883 return(ret); 1884 } 1885 if (!EC_KEY_up_ref((EC_KEY *)parg)) 1886 { 1887 SSLerr(SSL_F_SSL3_CTRL,ERR_R_ECDH_LIB); 1888 return(ret); 1889 } 1890 ecdh = (EC_KEY *)parg; 1891 if (!(s->options & SSL_OP_SINGLE_ECDH_USE)) 1892 { 1893 if (!EC_KEY_generate_key(ecdh)) 1894 { 1895 EC_KEY_free(ecdh); 1896 SSLerr(SSL_F_SSL3_CTRL,ERR_R_ECDH_LIB); 1897 return(ret); 1898 } 1899 } 1900 if (s->cert->ecdh_tmp != NULL) 1901 EC_KEY_free(s->cert->ecdh_tmp); 1902 s->cert->ecdh_tmp = ecdh; 1903 ret = 1; 1904 } 1905 break; 1906 case SSL_CTRL_SET_TMP_ECDH_CB: 1907 { 1908 SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 1909 return(ret); 1910 } 1911 break; 1912 #endif /* !OPENSSL_NO_ECDH */ 1913 #ifndef OPENSSL_NO_TLSEXT 1914 case SSL_CTRL_SET_TLSEXT_HOSTNAME: 1915 if (larg == TLSEXT_NAMETYPE_host_name) 1916 { 1917 if (s->tlsext_hostname != NULL) 1918 OPENSSL_free(s->tlsext_hostname); 1919 s->tlsext_hostname = NULL; 1920 1921 ret = 1; 1922 if (parg == NULL) 1923 break; 1924 if (strlen((char *)parg) > TLSEXT_MAXLEN_host_name) 1925 { 1926 SSLerr(SSL_F_SSL3_CTRL, SSL_R_SSL3_EXT_INVALID_SERVERNAME); 1927 return 0; 1928 } 1929 if ((s->tlsext_hostname = BUF_strdup((char *)parg)) == NULL) 1930 { 1931 SSLerr(SSL_F_SSL3_CTRL, ERR_R_INTERNAL_ERROR); 1932 return 0; 1933 } 1934 } 1935 else 1936 { 1937 SSLerr(SSL_F_SSL3_CTRL, SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE); 1938 return 0; 1939 } 1940 break; 1941 case SSL_CTRL_SET_TLSEXT_DEBUG_ARG: 1942 s->tlsext_debug_arg=parg; 1943 ret = 1; 1944 break; 1945 1946 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE: 1947 s->tlsext_status_type=larg; 1948 ret = 1; 1949 break; 1950 1951 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS: 1952 *(STACK_OF(X509_EXTENSION) **)parg = s->tlsext_ocsp_exts; 1953 ret = 1; 1954 break; 1955 1956 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS: 1957 s->tlsext_ocsp_exts = parg; 1958 ret = 1; 1959 break; 1960 1961 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS: 1962 *(STACK_OF(OCSP_RESPID) **)parg = s->tlsext_ocsp_ids; 1963 ret = 1; 1964 break; 1965 1966 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS: 1967 s->tlsext_ocsp_ids = parg; 1968 ret = 1; 1969 break; 1970 1971 case SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP: 1972 *(unsigned char **)parg = s->tlsext_ocsp_resp; 1973 return s->tlsext_ocsp_resplen; 1974 1975 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP: 1976 if (s->tlsext_ocsp_resp) 1977 OPENSSL_free(s->tlsext_ocsp_resp); 1978 s->tlsext_ocsp_resp = parg; 1979 s->tlsext_ocsp_resplen = larg; 1980 ret = 1; 1981 break; 1982 1983 #endif /* !OPENSSL_NO_TLSEXT */ 1984 default: 1985 break; 1986 } 1987 return(ret); 1988 } 1989 1990 long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void)) 1991 { 1992 int ret=0; 1993 1994 #if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_RSA) 1995 if ( 1996 #ifndef OPENSSL_NO_RSA 1997 cmd == SSL_CTRL_SET_TMP_RSA_CB || 1998 #endif 1999 #ifndef OPENSSL_NO_DSA 2000 cmd == SSL_CTRL_SET_TMP_DH_CB || 2001 #endif 2002 0) 2003 { 2004 if (!ssl_cert_inst(&s->cert)) 2005 { 2006 SSLerr(SSL_F_SSL3_CALLBACK_CTRL, ERR_R_MALLOC_FAILURE); 2007 return(0); 2008 } 2009 } 2010 #endif 2011 2012 switch (cmd) 2013 { 2014 #ifndef OPENSSL_NO_RSA 2015 case SSL_CTRL_SET_TMP_RSA_CB: 2016 { 2017 s->cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp; 2018 } 2019 break; 2020 #endif 2021 #ifndef OPENSSL_NO_DH 2022 case SSL_CTRL_SET_TMP_DH_CB: 2023 { 2024 s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; 2025 } 2026 break; 2027 #endif 2028 #ifndef OPENSSL_NO_ECDH 2029 case SSL_CTRL_SET_TMP_ECDH_CB: 2030 { 2031 s->cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp; 2032 } 2033 break; 2034 #endif 2035 #ifndef OPENSSL_NO_TLSEXT 2036 case SSL_CTRL_SET_TLSEXT_DEBUG_CB: 2037 s->tlsext_debug_cb=(void (*)(SSL *,int ,int, 2038 unsigned char *, int, void *))fp; 2039 break; 2040 #endif 2041 default: 2042 break; 2043 } 2044 return(ret); 2045 } 2046 2047 long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) 2048 { 2049 CERT *cert; 2050 2051 cert=ctx->cert; 2052 2053 switch (cmd) 2054 { 2055 #ifndef OPENSSL_NO_RSA 2056 case SSL_CTRL_NEED_TMP_RSA: 2057 if ( (cert->rsa_tmp == NULL) && 2058 ((cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) || 2059 (EVP_PKEY_size(cert->pkeys[SSL_PKEY_RSA_ENC].privatekey) > (512/8))) 2060 ) 2061 return(1); 2062 else 2063 return(0); 2064 /* break; */ 2065 case SSL_CTRL_SET_TMP_RSA: 2066 { 2067 RSA *rsa; 2068 int i; 2069 2070 rsa=(RSA *)parg; 2071 i=1; 2072 if (rsa == NULL) 2073 i=0; 2074 else 2075 { 2076 if ((rsa=RSAPrivateKey_dup(rsa)) == NULL) 2077 i=0; 2078 } 2079 if (!i) 2080 { 2081 SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_RSA_LIB); 2082 return(0); 2083 } 2084 else 2085 { 2086 if (cert->rsa_tmp != NULL) 2087 RSA_free(cert->rsa_tmp); 2088 cert->rsa_tmp=rsa; 2089 return(1); 2090 } 2091 } 2092 /* break; */ 2093 case SSL_CTRL_SET_TMP_RSA_CB: 2094 { 2095 SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2096 return(0); 2097 } 2098 break; 2099 #endif 2100 #ifndef OPENSSL_NO_DH 2101 case SSL_CTRL_SET_TMP_DH: 2102 { 2103 DH *new=NULL,*dh; 2104 2105 dh=(DH *)parg; 2106 if ((new=DHparams_dup(dh)) == NULL) 2107 { 2108 SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_DH_LIB); 2109 return 0; 2110 } 2111 if (!(ctx->options & SSL_OP_SINGLE_DH_USE)) 2112 { 2113 if (!DH_generate_key(new)) 2114 { 2115 SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_DH_LIB); 2116 DH_free(new); 2117 return 0; 2118 } 2119 } 2120 if (cert->dh_tmp != NULL) 2121 DH_free(cert->dh_tmp); 2122 cert->dh_tmp=new; 2123 return 1; 2124 } 2125 /*break; */ 2126 case SSL_CTRL_SET_TMP_DH_CB: 2127 { 2128 SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2129 return(0); 2130 } 2131 break; 2132 #endif 2133 #ifndef OPENSSL_NO_ECDH 2134 case SSL_CTRL_SET_TMP_ECDH: 2135 { 2136 EC_KEY *ecdh = NULL; 2137 2138 if (parg == NULL) 2139 { 2140 SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_ECDH_LIB); 2141 return 0; 2142 } 2143 ecdh = EC_KEY_dup((EC_KEY *)parg); 2144 if (ecdh == NULL) 2145 { 2146 SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_EC_LIB); 2147 return 0; 2148 } 2149 if (!(ctx->options & SSL_OP_SINGLE_ECDH_USE)) 2150 { 2151 if (!EC_KEY_generate_key(ecdh)) 2152 { 2153 EC_KEY_free(ecdh); 2154 SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_ECDH_LIB); 2155 return 0; 2156 } 2157 } 2158 2159 if (cert->ecdh_tmp != NULL) 2160 { 2161 EC_KEY_free(cert->ecdh_tmp); 2162 } 2163 cert->ecdh_tmp = ecdh; 2164 return 1; 2165 } 2166 /* break; */ 2167 case SSL_CTRL_SET_TMP_ECDH_CB: 2168 { 2169 SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 2170 return(0); 2171 } 2172 break; 2173 #endif /* !OPENSSL_NO_ECDH */ 2174 #ifndef OPENSSL_NO_TLSEXT 2175 case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG: 2176 ctx->tlsext_servername_arg=parg; 2177 break; 2178 case SSL_CTRL_SET_TLSEXT_TICKET_KEYS: 2179 case SSL_CTRL_GET_TLSEXT_TICKET_KEYS: 2180 { 2181 unsigned char *keys = parg; 2182 if (!keys) 2183 return 48; 2184 if (larg != 48) 2185 { 2186 SSLerr(SSL_F_SSL3_CTX_CTRL, SSL_R_INVALID_TICKET_KEYS_LENGTH); 2187 return 0; 2188 } 2189 if (cmd == SSL_CTRL_SET_TLSEXT_TICKET_KEYS) 2190 { 2191 memcpy(ctx->tlsext_tick_key_name, keys, 16); 2192 memcpy(ctx->tlsext_tick_hmac_key, keys + 16, 16); 2193 memcpy(ctx->tlsext_tick_aes_key, keys + 32, 16); 2194 } 2195 else 2196 { 2197 memcpy(keys, ctx->tlsext_tick_key_name, 16); 2198 memcpy(keys + 16, ctx->tlsext_tick_hmac_key, 16); 2199 memcpy(keys + 32, ctx->tlsext_tick_aes_key, 16); 2200 } 2201 return 1; 2202 } 2203 2204 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG: 2205 ctx->tlsext_status_arg=parg; 2206 return 1; 2207 break; 2208 2209 #endif /* !OPENSSL_NO_TLSEXT */ 2210 /* A Thawte special :-) */ 2211 case SSL_CTRL_EXTRA_CHAIN_CERT: 2212 if (ctx->extra_certs == NULL) 2213 { 2214 if ((ctx->extra_certs=sk_X509_new_null()) == NULL) 2215 return(0); 2216 } 2217 sk_X509_push(ctx->extra_certs,(X509 *)parg); 2218 break; 2219 2220 default: 2221 return(0); 2222 } 2223 return(1); 2224 } 2225 2226 long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) 2227 { 2228 CERT *cert; 2229 2230 cert=ctx->cert; 2231 2232 switch (cmd) 2233 { 2234 #ifndef OPENSSL_NO_RSA 2235 case SSL_CTRL_SET_TMP_RSA_CB: 2236 { 2237 cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp; 2238 } 2239 break; 2240 #endif 2241 #ifndef OPENSSL_NO_DH 2242 case SSL_CTRL_SET_TMP_DH_CB: 2243 { 2244 cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; 2245 } 2246 break; 2247 #endif 2248 #ifndef OPENSSL_NO_ECDH 2249 case SSL_CTRL_SET_TMP_ECDH_CB: 2250 { 2251 cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp; 2252 } 2253 break; 2254 #endif 2255 #ifndef OPENSSL_NO_TLSEXT 2256 case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB: 2257 ctx->tlsext_servername_callback=(int (*)(SSL *,int *,void *))fp; 2258 break; 2259 2260 case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB: 2261 ctx->tlsext_status_cb=(int (*)(SSL *,void *))fp; 2262 break; 2263 2264 case SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB: 2265 ctx->tlsext_ticket_key_cb=(int (*)(SSL *,unsigned char *, 2266 unsigned char *, 2267 EVP_CIPHER_CTX *, 2268 HMAC_CTX *, int))fp; 2269 break; 2270 2271 #endif 2272 default: 2273 return(0); 2274 } 2275 return(1); 2276 } 2277 2278 /* This function needs to check if the ciphers required are actually 2279 * available */ 2280 SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p) 2281 { 2282 SSL_CIPHER c,*cp; 2283 unsigned long id; 2284 2285 id=0x03000000L|((unsigned long)p[0]<<8L)|(unsigned long)p[1]; 2286 c.id=id; 2287 cp = (SSL_CIPHER *)OBJ_bsearch((char *)&c, 2288 (char *)ssl3_ciphers, 2289 SSL3_NUM_CIPHERS,sizeof(SSL_CIPHER), 2290 FP_ICC ssl_cipher_id_cmp); 2291 if (cp == NULL || cp->valid == 0) 2292 return NULL; 2293 else 2294 return cp; 2295 } 2296 2297 int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p) 2298 { 2299 long l; 2300 2301 if (p != NULL) 2302 { 2303 l=c->id; 2304 if ((l & 0xff000000) != 0x03000000) return(0); 2305 p[0]=((unsigned char)(l>> 8L))&0xFF; 2306 p[1]=((unsigned char)(l ))&0xFF; 2307 } 2308 return(2); 2309 } 2310 2311 SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, 2312 STACK_OF(SSL_CIPHER) *srvr) 2313 { 2314 SSL_CIPHER *c,*ret=NULL; 2315 STACK_OF(SSL_CIPHER) *prio, *allow; 2316 int i,j,ok; 2317 2318 CERT *cert; 2319 unsigned long alg,mask,emask; 2320 2321 /* Let's see which ciphers we can support */ 2322 cert=s->cert; 2323 2324 #if 0 2325 /* Do not set the compare functions, because this may lead to a 2326 * reordering by "id". We want to keep the original ordering. 2327 * We may pay a price in performance during sk_SSL_CIPHER_find(), 2328 * but would have to pay with the price of sk_SSL_CIPHER_dup(). 2329 */ 2330 sk_SSL_CIPHER_set_cmp_func(srvr, ssl_cipher_ptr_id_cmp); 2331 sk_SSL_CIPHER_set_cmp_func(clnt, ssl_cipher_ptr_id_cmp); 2332 #endif 2333 2334 #ifdef CIPHER_DEBUG 2335 printf("Server has %d from %p:\n", sk_SSL_CIPHER_num(srvr), srvr); 2336 for(i=0 ; i < sk_SSL_CIPHER_num(srvr) ; ++i) 2337 { 2338 c=sk_SSL_CIPHER_value(srvr,i); 2339 printf("%p:%s\n",c,c->name); 2340 } 2341 printf("Client sent %d from %p:\n", sk_SSL_CIPHER_num(clnt), clnt); 2342 for(i=0 ; i < sk_SSL_CIPHER_num(clnt) ; ++i) 2343 { 2344 c=sk_SSL_CIPHER_value(clnt,i); 2345 printf("%p:%s\n",c,c->name); 2346 } 2347 #endif 2348 2349 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) 2350 { 2351 prio = srvr; 2352 allow = clnt; 2353 } 2354 else 2355 { 2356 prio = clnt; 2357 allow = srvr; 2358 } 2359 2360 for (i=0; i<sk_SSL_CIPHER_num(prio); i++) 2361 { 2362 c=sk_SSL_CIPHER_value(prio,i); 2363 2364 ssl_set_cert_masks(cert,c); 2365 mask=cert->mask; 2366 emask=cert->export_mask; 2367 2368 #ifdef KSSL_DEBUG 2369 printf("ssl3_choose_cipher %d alg= %lx\n", i,c->algorithms); 2370 #endif /* KSSL_DEBUG */ 2371 2372 alg=c->algorithms&(SSL_MKEY_MASK|SSL_AUTH_MASK); 2373 #ifndef OPENSSL_NO_KRB5 2374 if (alg & SSL_KRB5) 2375 { 2376 if ( !kssl_keytab_is_available(s->kssl_ctx) ) 2377 continue; 2378 } 2379 #endif /* OPENSSL_NO_KRB5 */ 2380 if (SSL_C_IS_EXPORT(c)) 2381 { 2382 ok=((alg & emask) == alg)?1:0; 2383 #ifdef CIPHER_DEBUG 2384 printf("%d:[%08lX:%08lX]%p:%s (export)\n",ok,alg,emask, 2385 c,c->name); 2386 #endif 2387 } 2388 else 2389 { 2390 ok=((alg & mask) == alg)?1:0; 2391 #ifdef CIPHER_DEBUG 2392 printf("%d:[%08lX:%08lX]%p:%s\n",ok,alg,mask,c, 2393 c->name); 2394 #endif 2395 } 2396 2397 if (!ok) continue; 2398 j=sk_SSL_CIPHER_find(allow,c); 2399 if (j >= 0) 2400 { 2401 ret=sk_SSL_CIPHER_value(allow,j); 2402 break; 2403 } 2404 } 2405 return(ret); 2406 } 2407 2408 int ssl3_get_req_cert_type(SSL *s, unsigned char *p) 2409 { 2410 int ret=0; 2411 unsigned long alg; 2412 2413 alg=s->s3->tmp.new_cipher->algorithms; 2414 2415 #ifndef OPENSSL_NO_DH 2416 if (alg & (SSL_kDHr|SSL_kEDH)) 2417 { 2418 # ifndef OPENSSL_NO_RSA 2419 p[ret++]=SSL3_CT_RSA_FIXED_DH; 2420 # endif 2421 # ifndef OPENSSL_NO_DSA 2422 p[ret++]=SSL3_CT_DSS_FIXED_DH; 2423 # endif 2424 } 2425 if ((s->version == SSL3_VERSION) && 2426 (alg & (SSL_kEDH|SSL_kDHd|SSL_kDHr))) 2427 { 2428 # ifndef OPENSSL_NO_RSA 2429 p[ret++]=SSL3_CT_RSA_EPHEMERAL_DH; 2430 # endif 2431 # ifndef OPENSSL_NO_DSA 2432 p[ret++]=SSL3_CT_DSS_EPHEMERAL_DH; 2433 # endif 2434 } 2435 #endif /* !OPENSSL_NO_DH */ 2436 #ifndef OPENSSL_NO_RSA 2437 p[ret++]=SSL3_CT_RSA_SIGN; 2438 #endif 2439 #ifndef OPENSSL_NO_DSA 2440 p[ret++]=SSL3_CT_DSS_SIGN; 2441 #endif 2442 #ifndef OPENSSL_NO_ECDH 2443 /* We should ask for fixed ECDH certificates only 2444 * for SSL_kECDH (and not SSL_kECDHE) 2445 */ 2446 if ((alg & SSL_kECDH) && (s->version >= TLS1_VERSION)) 2447 { 2448 p[ret++]=TLS_CT_RSA_FIXED_ECDH; 2449 p[ret++]=TLS_CT_ECDSA_FIXED_ECDH; 2450 } 2451 #endif 2452 2453 #ifndef OPENSSL_NO_ECDSA 2454 /* ECDSA certs can be used with RSA cipher suites as well 2455 * so we don't need to check for SSL_kECDH or SSL_kECDHE 2456 */ 2457 if (s->version >= TLS1_VERSION) 2458 { 2459 p[ret++]=TLS_CT_ECDSA_SIGN; 2460 } 2461 #endif 2462 return(ret); 2463 } 2464 2465 int ssl3_shutdown(SSL *s) 2466 { 2467 int ret; 2468 2469 /* Don't do anything much if we have not done the handshake or 2470 * we don't want to send messages :-) */ 2471 if ((s->quiet_shutdown) || (s->state == SSL_ST_BEFORE)) 2472 { 2473 s->shutdown=(SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); 2474 return(1); 2475 } 2476 2477 if (!(s->shutdown & SSL_SENT_SHUTDOWN)) 2478 { 2479 s->shutdown|=SSL_SENT_SHUTDOWN; 2480 #if 1 2481 ssl3_send_alert(s,SSL3_AL_WARNING,SSL_AD_CLOSE_NOTIFY); 2482 #endif 2483 /* our shutdown alert has been sent now, and if it still needs 2484 * to be written, s->s3->alert_dispatch will be true */ 2485 if (s->s3->alert_dispatch) 2486 return(-1); /* return WANT_WRITE */ 2487 } 2488 else if (s->s3->alert_dispatch) 2489 { 2490 /* resend it if not sent */ 2491 #if 1 2492 ret=s->method->ssl_dispatch_alert(s); 2493 if(ret == -1) 2494 { 2495 /* we only get to return -1 here the 2nd/Nth 2496 * invocation, we must have already signalled 2497 * return 0 upon a previous invoation, 2498 * return WANT_WRITE */ 2499 return(ret); 2500 } 2501 #endif 2502 } 2503 else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) 2504 { 2505 /* If we are waiting for a close from our peer, we are closed */ 2506 s->method->ssl_read_bytes(s,0,NULL,0,0); 2507 if(!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) 2508 { 2509 return(-1); /* return WANT_READ */ 2510 } 2511 } 2512 2513 if ((s->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) && 2514 !s->s3->alert_dispatch) 2515 return(1); 2516 else 2517 return(0); 2518 } 2519 2520 int ssl3_write(SSL *s, const void *buf, int len) 2521 { 2522 int ret,n; 2523 2524 #if 0 2525 if (s->shutdown & SSL_SEND_SHUTDOWN) 2526 { 2527 s->rwstate=SSL_NOTHING; 2528 return(0); 2529 } 2530 #endif 2531 clear_sys_error(); 2532 if (s->s3->renegotiate) ssl3_renegotiate_check(s); 2533 2534 /* This is an experimental flag that sends the 2535 * last handshake message in the same packet as the first 2536 * use data - used to see if it helps the TCP protocol during 2537 * session-id reuse */ 2538 /* The second test is because the buffer may have been removed */ 2539 if ((s->s3->flags & SSL3_FLAGS_POP_BUFFER) && (s->wbio == s->bbio)) 2540 { 2541 /* First time through, we write into the buffer */ 2542 if (s->s3->delay_buf_pop_ret == 0) 2543 { 2544 ret=ssl3_write_bytes(s,SSL3_RT_APPLICATION_DATA, 2545 buf,len); 2546 if (ret <= 0) return(ret); 2547 2548 s->s3->delay_buf_pop_ret=ret; 2549 } 2550 2551 s->rwstate=SSL_WRITING; 2552 n=BIO_flush(s->wbio); 2553 if (n <= 0) return(n); 2554 s->rwstate=SSL_NOTHING; 2555 2556 /* We have flushed the buffer, so remove it */ 2557 ssl_free_wbio_buffer(s); 2558 s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER; 2559 2560 ret=s->s3->delay_buf_pop_ret; 2561 s->s3->delay_buf_pop_ret=0; 2562 } 2563 else 2564 { 2565 ret=s->method->ssl_write_bytes(s,SSL3_RT_APPLICATION_DATA, 2566 buf,len); 2567 if (ret <= 0) return(ret); 2568 } 2569 2570 return(ret); 2571 } 2572 2573 static int ssl3_read_internal(SSL *s, void *buf, int len, int peek) 2574 { 2575 int ret; 2576 2577 clear_sys_error(); 2578 if (s->s3->renegotiate) ssl3_renegotiate_check(s); 2579 s->s3->in_read_app_data=1; 2580 ret=s->method->ssl_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek); 2581 if ((ret == -1) && (s->s3->in_read_app_data == 2)) 2582 { 2583 /* ssl3_read_bytes decided to call s->handshake_func, which 2584 * called ssl3_read_bytes to read handshake data. 2585 * However, ssl3_read_bytes actually found application data 2586 * and thinks that application data makes sense here; so disable 2587 * handshake processing and try to read application data again. */ 2588 s->in_handshake++; 2589 ret=s->method->ssl_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek); 2590 s->in_handshake--; 2591 } 2592 else 2593 s->s3->in_read_app_data=0; 2594 2595 return(ret); 2596 } 2597 2598 int ssl3_read(SSL *s, void *buf, int len) 2599 { 2600 return ssl3_read_internal(s, buf, len, 0); 2601 } 2602 2603 int ssl3_peek(SSL *s, void *buf, int len) 2604 { 2605 return ssl3_read_internal(s, buf, len, 1); 2606 } 2607 2608 int ssl3_renegotiate(SSL *s) 2609 { 2610 if (s->handshake_func == NULL) 2611 return(1); 2612 2613 if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) 2614 return(0); 2615 2616 s->s3->renegotiate=1; 2617 return(1); 2618 } 2619 2620 int ssl3_renegotiate_check(SSL *s) 2621 { 2622 int ret=0; 2623 2624 if (s->s3->renegotiate) 2625 { 2626 if ( (s->s3->rbuf.left == 0) && 2627 (s->s3->wbuf.left == 0) && 2628 !SSL_in_init(s)) 2629 { 2630 /* 2631 if we are the server, and we have sent a 'RENEGOTIATE' message, we 2632 need to go to SSL_ST_ACCEPT. 2633 */ 2634 /* SSL_ST_ACCEPT */ 2635 s->state=SSL_ST_RENEGOTIATE; 2636 s->s3->renegotiate=0; 2637 s->s3->num_renegotiations++; 2638 s->s3->total_renegotiations++; 2639 ret=1; 2640 } 2641 } 2642 return(ret); 2643 } 2644 2645