1 /* ssl/s3_lib.c */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 /* ==================================================================== 59 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 /* ==================================================================== 112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 113 * 114 * Portions of the attached software ("Contribution") are developed by 115 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. 116 * 117 * The Contribution is licensed pursuant to the OpenSSL open source 118 * license provided above. 119 * 120 * ECC cipher suite support in OpenSSL originally written by 121 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories. 122 * 123 */ 124 125 #include <stdio.h> 126 #include <openssl/objects.h> 127 #include "ssl_locl.h" 128 #include "kssl_lcl.h" 129 #include <openssl/md5.h> 130 #ifndef OPENSSL_NO_DH 131 #include <openssl/dh.h> 132 #endif 133 #include <openssl/pq_compat.h> 134 135 const char *ssl3_version_str="SSLv3" OPENSSL_VERSION_PTEXT; 136 137 #define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers)/sizeof(SSL_CIPHER)) 138 139 /* list of available SSLv3 ciphers (sorted by id) */ 140 OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 141 /* The RSA ciphers */ 142 /* Cipher 01 */ 143 { 144 1, 145 SSL3_TXT_RSA_NULL_MD5, 146 SSL3_CK_RSA_NULL_MD5, 147 SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_MD5|SSL_SSLV3, 148 SSL_NOT_EXP|SSL_STRONG_NONE, 149 0, 150 0, 151 0, 152 SSL_ALL_CIPHERS, 153 SSL_ALL_STRENGTHS, 154 }, 155 /* Cipher 02 */ 156 { 157 1, 158 SSL3_TXT_RSA_NULL_SHA, 159 SSL3_CK_RSA_NULL_SHA, 160 SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_SHA1|SSL_SSLV3, 161 SSL_NOT_EXP|SSL_STRONG_NONE, 162 0, 163 0, 164 0, 165 SSL_ALL_CIPHERS, 166 SSL_ALL_STRENGTHS, 167 }, 168 /* Cipher 03 */ 169 { 170 1, 171 SSL3_TXT_RSA_RC4_40_MD5, 172 SSL3_CK_RSA_RC4_40_MD5, 173 SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_MD5 |SSL_SSLV3, 174 SSL_EXPORT|SSL_EXP40, 175 0, 176 40, 177 128, 178 SSL_ALL_CIPHERS, 179 SSL_ALL_STRENGTHS, 180 }, 181 /* Cipher 04 */ 182 { 183 1, 184 SSL3_TXT_RSA_RC4_128_MD5, 185 SSL3_CK_RSA_RC4_128_MD5, 186 SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_MD5|SSL_SSLV3, 187 SSL_NOT_EXP|SSL_MEDIUM, 188 0, 189 128, 190 128, 191 SSL_ALL_CIPHERS, 192 SSL_ALL_STRENGTHS, 193 }, 194 /* Cipher 05 */ 195 { 196 1, 197 SSL3_TXT_RSA_RC4_128_SHA, 198 SSL3_CK_RSA_RC4_128_SHA, 199 SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_SHA1|SSL_SSLV3, 200 SSL_NOT_EXP|SSL_MEDIUM, 201 0, 202 128, 203 128, 204 SSL_ALL_CIPHERS, 205 SSL_ALL_STRENGTHS, 206 }, 207 /* Cipher 06 */ 208 { 209 1, 210 SSL3_TXT_RSA_RC2_40_MD5, 211 SSL3_CK_RSA_RC2_40_MD5, 212 SSL_kRSA|SSL_aRSA|SSL_RC2 |SSL_MD5 |SSL_SSLV3, 213 SSL_EXPORT|SSL_EXP40, 214 0, 215 40, 216 128, 217 SSL_ALL_CIPHERS, 218 SSL_ALL_STRENGTHS, 219 }, 220 /* Cipher 07 */ 221 #ifndef OPENSSL_NO_IDEA 222 { 223 1, 224 SSL3_TXT_RSA_IDEA_128_SHA, 225 SSL3_CK_RSA_IDEA_128_SHA, 226 SSL_kRSA|SSL_aRSA|SSL_IDEA |SSL_SHA1|SSL_SSLV3, 227 SSL_NOT_EXP|SSL_MEDIUM, 228 0, 229 128, 230 128, 231 SSL_ALL_CIPHERS, 232 SSL_ALL_STRENGTHS, 233 }, 234 #endif 235 /* Cipher 08 */ 236 { 237 1, 238 SSL3_TXT_RSA_DES_40_CBC_SHA, 239 SSL3_CK_RSA_DES_40_CBC_SHA, 240 SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_SSLV3, 241 SSL_EXPORT|SSL_EXP40, 242 0, 243 40, 244 56, 245 SSL_ALL_CIPHERS, 246 SSL_ALL_STRENGTHS, 247 }, 248 /* Cipher 09 */ 249 { 250 1, 251 SSL3_TXT_RSA_DES_64_CBC_SHA, 252 SSL3_CK_RSA_DES_64_CBC_SHA, 253 SSL_kRSA|SSL_aRSA|SSL_DES |SSL_SHA1|SSL_SSLV3, 254 SSL_NOT_EXP|SSL_LOW, 255 0, 256 56, 257 56, 258 SSL_ALL_CIPHERS, 259 SSL_ALL_STRENGTHS, 260 }, 261 /* Cipher 0A */ 262 { 263 1, 264 SSL3_TXT_RSA_DES_192_CBC3_SHA, 265 SSL3_CK_RSA_DES_192_CBC3_SHA, 266 SSL_kRSA|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3, 267 SSL_NOT_EXP|SSL_HIGH, 268 0, 269 168, 270 168, 271 SSL_ALL_CIPHERS, 272 SSL_ALL_STRENGTHS, 273 }, 274 /* The DH ciphers */ 275 /* Cipher 0B */ 276 { 277 0, 278 SSL3_TXT_DH_DSS_DES_40_CBC_SHA, 279 SSL3_CK_DH_DSS_DES_40_CBC_SHA, 280 SSL_kDHd |SSL_aDH|SSL_DES|SSL_SHA1|SSL_SSLV3, 281 SSL_EXPORT|SSL_EXP40, 282 0, 283 40, 284 56, 285 SSL_ALL_CIPHERS, 286 SSL_ALL_STRENGTHS, 287 }, 288 /* Cipher 0C */ 289 { 290 0, 291 SSL3_TXT_DH_DSS_DES_64_CBC_SHA, 292 SSL3_CK_DH_DSS_DES_64_CBC_SHA, 293 SSL_kDHd |SSL_aDH|SSL_DES |SSL_SHA1|SSL_SSLV3, 294 SSL_NOT_EXP|SSL_LOW, 295 0, 296 56, 297 56, 298 SSL_ALL_CIPHERS, 299 SSL_ALL_STRENGTHS, 300 }, 301 /* Cipher 0D */ 302 { 303 0, 304 SSL3_TXT_DH_DSS_DES_192_CBC3_SHA, 305 SSL3_CK_DH_DSS_DES_192_CBC3_SHA, 306 SSL_kDHd |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3, 307 SSL_NOT_EXP|SSL_HIGH, 308 0, 309 168, 310 168, 311 SSL_ALL_CIPHERS, 312 SSL_ALL_STRENGTHS, 313 }, 314 /* Cipher 0E */ 315 { 316 0, 317 SSL3_TXT_DH_RSA_DES_40_CBC_SHA, 318 SSL3_CK_DH_RSA_DES_40_CBC_SHA, 319 SSL_kDHr |SSL_aDH|SSL_DES|SSL_SHA1|SSL_SSLV3, 320 SSL_EXPORT|SSL_EXP40, 321 0, 322 40, 323 56, 324 SSL_ALL_CIPHERS, 325 SSL_ALL_STRENGTHS, 326 }, 327 /* Cipher 0F */ 328 { 329 0, 330 SSL3_TXT_DH_RSA_DES_64_CBC_SHA, 331 SSL3_CK_DH_RSA_DES_64_CBC_SHA, 332 SSL_kDHr |SSL_aDH|SSL_DES |SSL_SHA1|SSL_SSLV3, 333 SSL_NOT_EXP|SSL_LOW, 334 0, 335 56, 336 56, 337 SSL_ALL_CIPHERS, 338 SSL_ALL_STRENGTHS, 339 }, 340 /* Cipher 10 */ 341 { 342 0, 343 SSL3_TXT_DH_RSA_DES_192_CBC3_SHA, 344 SSL3_CK_DH_RSA_DES_192_CBC3_SHA, 345 SSL_kDHr |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3, 346 SSL_NOT_EXP|SSL_HIGH, 347 0, 348 168, 349 168, 350 SSL_ALL_CIPHERS, 351 SSL_ALL_STRENGTHS, 352 }, 353 354 /* The Ephemeral DH ciphers */ 355 /* Cipher 11 */ 356 { 357 1, 358 SSL3_TXT_EDH_DSS_DES_40_CBC_SHA, 359 SSL3_CK_EDH_DSS_DES_40_CBC_SHA, 360 SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA1|SSL_SSLV3, 361 SSL_EXPORT|SSL_EXP40, 362 0, 363 40, 364 56, 365 SSL_ALL_CIPHERS, 366 SSL_ALL_STRENGTHS, 367 }, 368 /* Cipher 12 */ 369 { 370 1, 371 SSL3_TXT_EDH_DSS_DES_64_CBC_SHA, 372 SSL3_CK_EDH_DSS_DES_64_CBC_SHA, 373 SSL_kEDH|SSL_aDSS|SSL_DES |SSL_SHA1|SSL_SSLV3, 374 SSL_NOT_EXP|SSL_LOW, 375 0, 376 56, 377 56, 378 SSL_ALL_CIPHERS, 379 SSL_ALL_STRENGTHS, 380 }, 381 /* Cipher 13 */ 382 { 383 1, 384 SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA, 385 SSL3_CK_EDH_DSS_DES_192_CBC3_SHA, 386 SSL_kEDH|SSL_aDSS|SSL_3DES |SSL_SHA1|SSL_SSLV3, 387 SSL_NOT_EXP|SSL_HIGH, 388 0, 389 168, 390 168, 391 SSL_ALL_CIPHERS, 392 SSL_ALL_STRENGTHS, 393 }, 394 /* Cipher 14 */ 395 { 396 1, 397 SSL3_TXT_EDH_RSA_DES_40_CBC_SHA, 398 SSL3_CK_EDH_RSA_DES_40_CBC_SHA, 399 SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_SSLV3, 400 SSL_EXPORT|SSL_EXP40, 401 0, 402 40, 403 56, 404 SSL_ALL_CIPHERS, 405 SSL_ALL_STRENGTHS, 406 }, 407 /* Cipher 15 */ 408 { 409 1, 410 SSL3_TXT_EDH_RSA_DES_64_CBC_SHA, 411 SSL3_CK_EDH_RSA_DES_64_CBC_SHA, 412 SSL_kEDH|SSL_aRSA|SSL_DES |SSL_SHA1|SSL_SSLV3, 413 SSL_NOT_EXP|SSL_LOW, 414 0, 415 56, 416 56, 417 SSL_ALL_CIPHERS, 418 SSL_ALL_STRENGTHS, 419 }, 420 /* Cipher 16 */ 421 { 422 1, 423 SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA, 424 SSL3_CK_EDH_RSA_DES_192_CBC3_SHA, 425 SSL_kEDH|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3, 426 SSL_NOT_EXP|SSL_HIGH, 427 0, 428 168, 429 168, 430 SSL_ALL_CIPHERS, 431 SSL_ALL_STRENGTHS, 432 }, 433 /* Cipher 17 */ 434 { 435 1, 436 SSL3_TXT_ADH_RC4_40_MD5, 437 SSL3_CK_ADH_RC4_40_MD5, 438 SSL_kEDH |SSL_aNULL|SSL_RC4 |SSL_MD5 |SSL_SSLV3, 439 SSL_EXPORT|SSL_EXP40, 440 0, 441 40, 442 128, 443 SSL_ALL_CIPHERS, 444 SSL_ALL_STRENGTHS, 445 }, 446 /* Cipher 18 */ 447 { 448 1, 449 SSL3_TXT_ADH_RC4_128_MD5, 450 SSL3_CK_ADH_RC4_128_MD5, 451 SSL_kEDH |SSL_aNULL|SSL_RC4 |SSL_MD5 |SSL_SSLV3, 452 SSL_NOT_EXP|SSL_MEDIUM, 453 0, 454 128, 455 128, 456 SSL_ALL_CIPHERS, 457 SSL_ALL_STRENGTHS, 458 }, 459 /* Cipher 19 */ 460 { 461 1, 462 SSL3_TXT_ADH_DES_40_CBC_SHA, 463 SSL3_CK_ADH_DES_40_CBC_SHA, 464 SSL_kEDH |SSL_aNULL|SSL_DES|SSL_SHA1|SSL_SSLV3, 465 SSL_EXPORT|SSL_EXP40, 466 0, 467 40, 468 128, 469 SSL_ALL_CIPHERS, 470 SSL_ALL_STRENGTHS, 471 }, 472 /* Cipher 1A */ 473 { 474 1, 475 SSL3_TXT_ADH_DES_64_CBC_SHA, 476 SSL3_CK_ADH_DES_64_CBC_SHA, 477 SSL_kEDH |SSL_aNULL|SSL_DES |SSL_SHA1|SSL_SSLV3, 478 SSL_NOT_EXP|SSL_LOW, 479 0, 480 56, 481 56, 482 SSL_ALL_CIPHERS, 483 SSL_ALL_STRENGTHS, 484 }, 485 /* Cipher 1B */ 486 { 487 1, 488 SSL3_TXT_ADH_DES_192_CBC_SHA, 489 SSL3_CK_ADH_DES_192_CBC_SHA, 490 SSL_kEDH |SSL_aNULL|SSL_3DES |SSL_SHA1|SSL_SSLV3, 491 SSL_NOT_EXP|SSL_HIGH, 492 0, 493 168, 494 168, 495 SSL_ALL_CIPHERS, 496 SSL_ALL_STRENGTHS, 497 }, 498 499 /* Fortezza */ 500 /* Cipher 1C */ 501 { 502 0, 503 SSL3_TXT_FZA_DMS_NULL_SHA, 504 SSL3_CK_FZA_DMS_NULL_SHA, 505 SSL_kFZA|SSL_aFZA |SSL_eNULL |SSL_SHA1|SSL_SSLV3, 506 SSL_NOT_EXP|SSL_STRONG_NONE, 507 0, 508 0, 509 0, 510 SSL_ALL_CIPHERS, 511 SSL_ALL_STRENGTHS, 512 }, 513 514 /* Cipher 1D */ 515 { 516 0, 517 SSL3_TXT_FZA_DMS_FZA_SHA, 518 SSL3_CK_FZA_DMS_FZA_SHA, 519 SSL_kFZA|SSL_aFZA |SSL_eFZA |SSL_SHA1|SSL_SSLV3, 520 SSL_NOT_EXP|SSL_STRONG_NONE, 521 0, 522 0, 523 0, 524 SSL_ALL_CIPHERS, 525 SSL_ALL_STRENGTHS, 526 }, 527 528 #if 0 529 /* Cipher 1E */ 530 { 531 0, 532 SSL3_TXT_FZA_DMS_RC4_SHA, 533 SSL3_CK_FZA_DMS_RC4_SHA, 534 SSL_kFZA|SSL_aFZA |SSL_RC4 |SSL_SHA1|SSL_SSLV3, 535 SSL_NOT_EXP|SSL_MEDIUM, 536 0, 537 128, 538 128, 539 SSL_ALL_CIPHERS, 540 SSL_ALL_STRENGTHS, 541 }, 542 #endif 543 544 #ifndef OPENSSL_NO_KRB5 545 /* The Kerberos ciphers 546 ** 20000107 VRS: And the first shall be last, 547 ** in hopes of avoiding the lynx ssl renegotiation problem. 548 */ 549 /* Cipher 1E VRS */ 550 { 551 1, 552 SSL3_TXT_KRB5_DES_64_CBC_SHA, 553 SSL3_CK_KRB5_DES_64_CBC_SHA, 554 SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_SHA1 |SSL_SSLV3, 555 SSL_NOT_EXP|SSL_LOW, 556 0, 557 56, 558 56, 559 SSL_ALL_CIPHERS, 560 SSL_ALL_STRENGTHS, 561 }, 562 563 /* Cipher 1F VRS */ 564 { 565 1, 566 SSL3_TXT_KRB5_DES_192_CBC3_SHA, 567 SSL3_CK_KRB5_DES_192_CBC3_SHA, 568 SSL_kKRB5|SSL_aKRB5| SSL_3DES|SSL_SHA1 |SSL_SSLV3, 569 SSL_NOT_EXP|SSL_HIGH, 570 0, 571 112, 572 168, 573 SSL_ALL_CIPHERS, 574 SSL_ALL_STRENGTHS, 575 }, 576 577 /* Cipher 20 VRS */ 578 { 579 1, 580 SSL3_TXT_KRB5_RC4_128_SHA, 581 SSL3_CK_KRB5_RC4_128_SHA, 582 SSL_kKRB5|SSL_aKRB5| SSL_RC4|SSL_SHA1 |SSL_SSLV3, 583 SSL_NOT_EXP|SSL_MEDIUM, 584 0, 585 128, 586 128, 587 SSL_ALL_CIPHERS, 588 SSL_ALL_STRENGTHS, 589 }, 590 591 /* Cipher 21 VRS */ 592 { 593 1, 594 SSL3_TXT_KRB5_IDEA_128_CBC_SHA, 595 SSL3_CK_KRB5_IDEA_128_CBC_SHA, 596 SSL_kKRB5|SSL_aKRB5| SSL_IDEA|SSL_SHA1 |SSL_SSLV3, 597 SSL_NOT_EXP|SSL_MEDIUM, 598 0, 599 128, 600 128, 601 SSL_ALL_CIPHERS, 602 SSL_ALL_STRENGTHS, 603 }, 604 605 /* Cipher 22 VRS */ 606 { 607 1, 608 SSL3_TXT_KRB5_DES_64_CBC_MD5, 609 SSL3_CK_KRB5_DES_64_CBC_MD5, 610 SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_MD5 |SSL_SSLV3, 611 SSL_NOT_EXP|SSL_LOW, 612 0, 613 56, 614 56, 615 SSL_ALL_CIPHERS, 616 SSL_ALL_STRENGTHS, 617 }, 618 619 /* Cipher 23 VRS */ 620 { 621 1, 622 SSL3_TXT_KRB5_DES_192_CBC3_MD5, 623 SSL3_CK_KRB5_DES_192_CBC3_MD5, 624 SSL_kKRB5|SSL_aKRB5| SSL_3DES|SSL_MD5 |SSL_SSLV3, 625 SSL_NOT_EXP|SSL_HIGH, 626 0, 627 112, 628 168, 629 SSL_ALL_CIPHERS, 630 SSL_ALL_STRENGTHS, 631 }, 632 633 /* Cipher 24 VRS */ 634 { 635 1, 636 SSL3_TXT_KRB5_RC4_128_MD5, 637 SSL3_CK_KRB5_RC4_128_MD5, 638 SSL_kKRB5|SSL_aKRB5| SSL_RC4|SSL_MD5 |SSL_SSLV3, 639 SSL_NOT_EXP|SSL_MEDIUM, 640 0, 641 128, 642 128, 643 SSL_ALL_CIPHERS, 644 SSL_ALL_STRENGTHS, 645 }, 646 647 /* Cipher 25 VRS */ 648 { 649 1, 650 SSL3_TXT_KRB5_IDEA_128_CBC_MD5, 651 SSL3_CK_KRB5_IDEA_128_CBC_MD5, 652 SSL_kKRB5|SSL_aKRB5| SSL_IDEA|SSL_MD5 |SSL_SSLV3, 653 SSL_NOT_EXP|SSL_MEDIUM, 654 0, 655 128, 656 128, 657 SSL_ALL_CIPHERS, 658 SSL_ALL_STRENGTHS, 659 }, 660 661 /* Cipher 26 VRS */ 662 { 663 1, 664 SSL3_TXT_KRB5_DES_40_CBC_SHA, 665 SSL3_CK_KRB5_DES_40_CBC_SHA, 666 SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_SHA1 |SSL_SSLV3, 667 SSL_EXPORT|SSL_EXP40, 668 0, 669 40, 670 56, 671 SSL_ALL_CIPHERS, 672 SSL_ALL_STRENGTHS, 673 }, 674 675 /* Cipher 27 VRS */ 676 { 677 1, 678 SSL3_TXT_KRB5_RC2_40_CBC_SHA, 679 SSL3_CK_KRB5_RC2_40_CBC_SHA, 680 SSL_kKRB5|SSL_aKRB5| SSL_RC2|SSL_SHA1 |SSL_SSLV3, 681 SSL_EXPORT|SSL_EXP40, 682 0, 683 40, 684 128, 685 SSL_ALL_CIPHERS, 686 SSL_ALL_STRENGTHS, 687 }, 688 689 /* Cipher 28 VRS */ 690 { 691 1, 692 SSL3_TXT_KRB5_RC4_40_SHA, 693 SSL3_CK_KRB5_RC4_40_SHA, 694 SSL_kKRB5|SSL_aKRB5| SSL_RC4|SSL_SHA1 |SSL_SSLV3, 695 SSL_EXPORT|SSL_EXP40, 696 0, 697 128, 698 128, 699 SSL_ALL_CIPHERS, 700 SSL_ALL_STRENGTHS, 701 }, 702 703 /* Cipher 29 VRS */ 704 { 705 1, 706 SSL3_TXT_KRB5_DES_40_CBC_MD5, 707 SSL3_CK_KRB5_DES_40_CBC_MD5, 708 SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_MD5 |SSL_SSLV3, 709 SSL_EXPORT|SSL_EXP40, 710 0, 711 40, 712 56, 713 SSL_ALL_CIPHERS, 714 SSL_ALL_STRENGTHS, 715 }, 716 717 /* Cipher 2A VRS */ 718 { 719 1, 720 SSL3_TXT_KRB5_RC2_40_CBC_MD5, 721 SSL3_CK_KRB5_RC2_40_CBC_MD5, 722 SSL_kKRB5|SSL_aKRB5| SSL_RC2|SSL_MD5 |SSL_SSLV3, 723 SSL_EXPORT|SSL_EXP40, 724 0, 725 40, 726 128, 727 SSL_ALL_CIPHERS, 728 SSL_ALL_STRENGTHS, 729 }, 730 731 /* Cipher 2B VRS */ 732 { 733 1, 734 SSL3_TXT_KRB5_RC4_40_MD5, 735 SSL3_CK_KRB5_RC4_40_MD5, 736 SSL_kKRB5|SSL_aKRB5| SSL_RC4|SSL_MD5 |SSL_SSLV3, 737 SSL_EXPORT|SSL_EXP40, 738 0, 739 128, 740 128, 741 SSL_ALL_CIPHERS, 742 SSL_ALL_STRENGTHS, 743 }, 744 #endif /* OPENSSL_NO_KRB5 */ 745 /* New AES ciphersuites */ 746 747 /* Cipher 2F */ 748 { 749 1, 750 TLS1_TXT_RSA_WITH_AES_128_SHA, 751 TLS1_CK_RSA_WITH_AES_128_SHA, 752 SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1, 753 SSL_NOT_EXP|SSL_HIGH, 754 0, 755 128, 756 128, 757 SSL_ALL_CIPHERS, 758 SSL_ALL_STRENGTHS, 759 }, 760 /* Cipher 30 */ 761 { 762 0, 763 TLS1_TXT_DH_DSS_WITH_AES_128_SHA, 764 TLS1_CK_DH_DSS_WITH_AES_128_SHA, 765 SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, 766 SSL_NOT_EXP|SSL_HIGH, 767 0, 768 128, 769 128, 770 SSL_ALL_CIPHERS, 771 SSL_ALL_STRENGTHS, 772 }, 773 /* Cipher 31 */ 774 { 775 0, 776 TLS1_TXT_DH_RSA_WITH_AES_128_SHA, 777 TLS1_CK_DH_RSA_WITH_AES_128_SHA, 778 SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, 779 SSL_NOT_EXP|SSL_HIGH, 780 0, 781 128, 782 128, 783 SSL_ALL_CIPHERS, 784 SSL_ALL_STRENGTHS, 785 }, 786 /* Cipher 32 */ 787 { 788 1, 789 TLS1_TXT_DHE_DSS_WITH_AES_128_SHA, 790 TLS1_CK_DHE_DSS_WITH_AES_128_SHA, 791 SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1, 792 SSL_NOT_EXP|SSL_HIGH, 793 0, 794 128, 795 128, 796 SSL_ALL_CIPHERS, 797 SSL_ALL_STRENGTHS, 798 }, 799 /* Cipher 33 */ 800 { 801 1, 802 TLS1_TXT_DHE_RSA_WITH_AES_128_SHA, 803 TLS1_CK_DHE_RSA_WITH_AES_128_SHA, 804 SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, 805 SSL_NOT_EXP|SSL_HIGH, 806 0, 807 128, 808 128, 809 SSL_ALL_CIPHERS, 810 SSL_ALL_STRENGTHS, 811 }, 812 /* Cipher 34 */ 813 { 814 1, 815 TLS1_TXT_ADH_WITH_AES_128_SHA, 816 TLS1_CK_ADH_WITH_AES_128_SHA, 817 SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1, 818 SSL_NOT_EXP|SSL_HIGH, 819 0, 820 128, 821 128, 822 SSL_ALL_CIPHERS, 823 SSL_ALL_STRENGTHS, 824 }, 825 826 /* Cipher 35 */ 827 { 828 1, 829 TLS1_TXT_RSA_WITH_AES_256_SHA, 830 TLS1_CK_RSA_WITH_AES_256_SHA, 831 SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1, 832 SSL_NOT_EXP|SSL_HIGH, 833 0, 834 256, 835 256, 836 SSL_ALL_CIPHERS, 837 SSL_ALL_STRENGTHS, 838 }, 839 /* Cipher 36 */ 840 { 841 0, 842 TLS1_TXT_DH_DSS_WITH_AES_256_SHA, 843 TLS1_CK_DH_DSS_WITH_AES_256_SHA, 844 SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, 845 SSL_NOT_EXP|SSL_HIGH, 846 0, 847 256, 848 256, 849 SSL_ALL_CIPHERS, 850 SSL_ALL_STRENGTHS, 851 }, 852 /* Cipher 37 */ 853 { 854 0, 855 TLS1_TXT_DH_RSA_WITH_AES_256_SHA, 856 TLS1_CK_DH_RSA_WITH_AES_256_SHA, 857 SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, 858 SSL_NOT_EXP|SSL_HIGH, 859 0, 860 256, 861 256, 862 SSL_ALL_CIPHERS, 863 SSL_ALL_STRENGTHS, 864 }, 865 /* Cipher 38 */ 866 { 867 1, 868 TLS1_TXT_DHE_DSS_WITH_AES_256_SHA, 869 TLS1_CK_DHE_DSS_WITH_AES_256_SHA, 870 SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1, 871 SSL_NOT_EXP|SSL_HIGH, 872 0, 873 256, 874 256, 875 SSL_ALL_CIPHERS, 876 SSL_ALL_STRENGTHS, 877 }, 878 /* Cipher 39 */ 879 { 880 1, 881 TLS1_TXT_DHE_RSA_WITH_AES_256_SHA, 882 TLS1_CK_DHE_RSA_WITH_AES_256_SHA, 883 SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, 884 SSL_NOT_EXP|SSL_HIGH, 885 0, 886 256, 887 256, 888 SSL_ALL_CIPHERS, 889 SSL_ALL_STRENGTHS, 890 }, 891 /* Cipher 3A */ 892 { 893 1, 894 TLS1_TXT_ADH_WITH_AES_256_SHA, 895 TLS1_CK_ADH_WITH_AES_256_SHA, 896 SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1, 897 SSL_NOT_EXP|SSL_HIGH, 898 0, 899 256, 900 256, 901 SSL_ALL_CIPHERS, 902 SSL_ALL_STRENGTHS, 903 }, 904 905 #if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES 906 /* New TLS Export CipherSuites */ 907 /* Cipher 60 */ 908 { 909 1, 910 TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5, 911 TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5, 912 SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_TLSV1, 913 SSL_EXPORT|SSL_EXP56, 914 0, 915 56, 916 128, 917 SSL_ALL_CIPHERS, 918 SSL_ALL_STRENGTHS, 919 }, 920 /* Cipher 61 */ 921 { 922 1, 923 TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5, 924 TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5, 925 SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_TLSV1, 926 SSL_EXPORT|SSL_EXP56, 927 0, 928 56, 929 128, 930 SSL_ALL_CIPHERS, 931 SSL_ALL_STRENGTHS, 932 }, 933 /* Cipher 62 */ 934 { 935 1, 936 TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA, 937 TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA, 938 SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA|SSL_TLSV1, 939 SSL_EXPORT|SSL_EXP56, 940 0, 941 56, 942 56, 943 SSL_ALL_CIPHERS, 944 SSL_ALL_STRENGTHS, 945 }, 946 /* Cipher 63 */ 947 { 948 1, 949 TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA, 950 TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA, 951 SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA|SSL_TLSV1, 952 SSL_EXPORT|SSL_EXP56, 953 0, 954 56, 955 56, 956 SSL_ALL_CIPHERS, 957 SSL_ALL_STRENGTHS, 958 }, 959 /* Cipher 64 */ 960 { 961 1, 962 TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA, 963 TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA, 964 SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1, 965 SSL_EXPORT|SSL_EXP56, 966 0, 967 56, 968 128, 969 SSL_ALL_CIPHERS, 970 SSL_ALL_STRENGTHS, 971 }, 972 /* Cipher 65 */ 973 { 974 1, 975 TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA, 976 TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA, 977 SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1, 978 SSL_EXPORT|SSL_EXP56, 979 0, 980 56, 981 128, 982 SSL_ALL_CIPHERS, 983 SSL_ALL_STRENGTHS, 984 }, 985 /* Cipher 66 */ 986 { 987 1, 988 TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA, 989 TLS1_CK_DHE_DSS_WITH_RC4_128_SHA, 990 SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1, 991 SSL_NOT_EXP|SSL_MEDIUM, 992 0, 993 128, 994 128, 995 SSL_ALL_CIPHERS, 996 SSL_ALL_STRENGTHS 997 }, 998 #endif 999 #ifndef OPENSSL_NO_ECDH 1000 /* Cipher C001 */ 1001 { 1002 1, 1003 TLS1_TXT_ECDH_ECDSA_WITH_NULL_SHA, 1004 TLS1_CK_ECDH_ECDSA_WITH_NULL_SHA, 1005 SSL_kECDH|SSL_aECDSA|SSL_eNULL|SSL_SHA|SSL_TLSV1, 1006 SSL_NOT_EXP, 1007 0, 1008 0, 1009 0, 1010 SSL_ALL_CIPHERS, 1011 SSL_ALL_STRENGTHS, 1012 }, 1013 1014 /* Cipher C002 */ 1015 { 1016 1, 1017 TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA, 1018 TLS1_CK_ECDH_ECDSA_WITH_RC4_128_SHA, 1019 SSL_kECDH|SSL_aECDSA|SSL_RC4|SSL_SHA|SSL_TLSV1, 1020 SSL_NOT_EXP, 1021 0, 1022 128, 1023 128, 1024 SSL_ALL_CIPHERS, 1025 SSL_ALL_STRENGTHS, 1026 }, 1027 1028 /* Cipher C003 */ 1029 { 1030 1, 1031 TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA, 1032 TLS1_CK_ECDH_ECDSA_WITH_DES_192_CBC3_SHA, 1033 SSL_kECDH|SSL_aECDSA|SSL_3DES|SSL_SHA|SSL_TLSV1, 1034 SSL_NOT_EXP|SSL_HIGH, 1035 0, 1036 168, 1037 168, 1038 SSL_ALL_CIPHERS, 1039 SSL_ALL_STRENGTHS, 1040 }, 1041 1042 /* Cipher C004 */ 1043 { 1044 1, 1045 TLS1_TXT_ECDH_ECDSA_WITH_AES_128_CBC_SHA, 1046 TLS1_CK_ECDH_ECDSA_WITH_AES_128_CBC_SHA, 1047 SSL_kECDH|SSL_aECDSA|SSL_AES|SSL_SHA|SSL_TLSV1, 1048 SSL_NOT_EXP|SSL_HIGH, 1049 0, 1050 128, 1051 128, 1052 SSL_ALL_CIPHERS, 1053 SSL_ALL_STRENGTHS, 1054 }, 1055 1056 /* Cipher C005 */ 1057 { 1058 1, 1059 TLS1_TXT_ECDH_ECDSA_WITH_AES_256_CBC_SHA, 1060 TLS1_CK_ECDH_ECDSA_WITH_AES_256_CBC_SHA, 1061 SSL_kECDH|SSL_aECDSA|SSL_AES|SSL_SHA|SSL_TLSV1, 1062 SSL_NOT_EXP|SSL_HIGH, 1063 0, 1064 256, 1065 256, 1066 SSL_ALL_CIPHERS, 1067 SSL_ALL_STRENGTHS, 1068 }, 1069 1070 /* Cipher C006 */ 1071 { 1072 1, 1073 TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA, 1074 TLS1_CK_ECDHE_ECDSA_WITH_NULL_SHA, 1075 SSL_kECDHE|SSL_aECDSA|SSL_eNULL|SSL_SHA|SSL_TLSV1, 1076 SSL_NOT_EXP, 1077 0, 1078 0, 1079 0, 1080 SSL_ALL_CIPHERS, 1081 SSL_ALL_STRENGTHS, 1082 }, 1083 1084 /* Cipher C007 */ 1085 { 1086 1, 1087 TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA, 1088 TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA, 1089 SSL_kECDHE|SSL_aECDSA|SSL_RC4|SSL_SHA|SSL_TLSV1, 1090 SSL_NOT_EXP, 1091 0, 1092 128, 1093 128, 1094 SSL_ALL_CIPHERS, 1095 SSL_ALL_STRENGTHS, 1096 }, 1097 1098 /* Cipher C008 */ 1099 { 1100 1, 1101 TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA, 1102 TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA, 1103 SSL_kECDHE|SSL_aECDSA|SSL_3DES|SSL_SHA|SSL_TLSV1, 1104 SSL_NOT_EXP|SSL_HIGH, 1105 0, 1106 168, 1107 168, 1108 SSL_ALL_CIPHERS, 1109 SSL_ALL_STRENGTHS, 1110 }, 1111 1112 /* Cipher C009 */ 1113 { 1114 1, 1115 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 1116 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 1117 SSL_kECDHE|SSL_aECDSA|SSL_AES|SSL_SHA|SSL_TLSV1, 1118 SSL_NOT_EXP|SSL_HIGH, 1119 0, 1120 128, 1121 128, 1122 SSL_ALL_CIPHERS, 1123 SSL_ALL_STRENGTHS, 1124 }, 1125 1126 /* Cipher C00A */ 1127 { 1128 1, 1129 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 1130 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 1131 SSL_kECDHE|SSL_aECDSA|SSL_AES|SSL_SHA|SSL_TLSV1, 1132 SSL_NOT_EXP|SSL_HIGH, 1133 0, 1134 256, 1135 256, 1136 SSL_ALL_CIPHERS, 1137 SSL_ALL_STRENGTHS, 1138 }, 1139 1140 /* Cipher C00B */ 1141 { 1142 1, 1143 TLS1_TXT_ECDH_RSA_WITH_NULL_SHA, 1144 TLS1_CK_ECDH_RSA_WITH_NULL_SHA, 1145 SSL_kECDH|SSL_aRSA|SSL_eNULL|SSL_SHA|SSL_TLSV1, 1146 SSL_NOT_EXP, 1147 0, 1148 0, 1149 0, 1150 SSL_ALL_CIPHERS, 1151 SSL_ALL_STRENGTHS, 1152 }, 1153 1154 /* Cipher C00C */ 1155 { 1156 1, 1157 TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA, 1158 TLS1_CK_ECDH_RSA_WITH_RC4_128_SHA, 1159 SSL_kECDH|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1, 1160 SSL_NOT_EXP, 1161 0, 1162 128, 1163 128, 1164 SSL_ALL_CIPHERS, 1165 SSL_ALL_STRENGTHS, 1166 }, 1167 1168 /* Cipher C00D */ 1169 { 1170 1, 1171 TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA, 1172 TLS1_CK_ECDH_RSA_WITH_DES_192_CBC3_SHA, 1173 SSL_kECDH|SSL_aRSA|SSL_3DES|SSL_SHA|SSL_TLSV1, 1174 SSL_NOT_EXP|SSL_HIGH, 1175 0, 1176 168, 1177 168, 1178 SSL_ALL_CIPHERS, 1179 SSL_ALL_STRENGTHS, 1180 }, 1181 1182 /* Cipher C00E */ 1183 { 1184 1, 1185 TLS1_TXT_ECDH_RSA_WITH_AES_128_CBC_SHA, 1186 TLS1_CK_ECDH_RSA_WITH_AES_128_CBC_SHA, 1187 SSL_kECDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, 1188 SSL_NOT_EXP|SSL_HIGH, 1189 0, 1190 128, 1191 128, 1192 SSL_ALL_CIPHERS, 1193 SSL_ALL_STRENGTHS, 1194 }, 1195 1196 /* Cipher C00F */ 1197 { 1198 1, 1199 TLS1_TXT_ECDH_RSA_WITH_AES_256_CBC_SHA, 1200 TLS1_CK_ECDH_RSA_WITH_AES_256_CBC_SHA, 1201 SSL_kECDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, 1202 SSL_NOT_EXP|SSL_HIGH, 1203 0, 1204 256, 1205 256, 1206 SSL_ALL_CIPHERS, 1207 SSL_ALL_STRENGTHS, 1208 }, 1209 1210 /* Cipher C010 */ 1211 { 1212 1, 1213 TLS1_TXT_ECDHE_RSA_WITH_NULL_SHA, 1214 TLS1_CK_ECDHE_RSA_WITH_NULL_SHA, 1215 SSL_kECDHE|SSL_aRSA|SSL_eNULL|SSL_SHA|SSL_TLSV1, 1216 SSL_NOT_EXP, 1217 0, 1218 0, 1219 0, 1220 SSL_ALL_CIPHERS, 1221 SSL_ALL_STRENGTHS, 1222 }, 1223 1224 /* Cipher C011 */ 1225 { 1226 1, 1227 TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA, 1228 TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA, 1229 SSL_kECDHE|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1, 1230 SSL_NOT_EXP, 1231 0, 1232 128, 1233 128, 1234 SSL_ALL_CIPHERS, 1235 SSL_ALL_STRENGTHS, 1236 }, 1237 1238 /* Cipher C012 */ 1239 { 1240 1, 1241 TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA, 1242 TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA, 1243 SSL_kECDHE|SSL_aRSA|SSL_3DES|SSL_SHA|SSL_TLSV1, 1244 SSL_NOT_EXP|SSL_HIGH, 1245 0, 1246 168, 1247 168, 1248 SSL_ALL_CIPHERS, 1249 SSL_ALL_STRENGTHS, 1250 }, 1251 1252 /* Cipher C013 */ 1253 { 1254 1, 1255 TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA, 1256 TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, 1257 SSL_kECDHE|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, 1258 SSL_NOT_EXP|SSL_HIGH, 1259 0, 1260 128, 1261 128, 1262 SSL_ALL_CIPHERS, 1263 SSL_ALL_STRENGTHS, 1264 }, 1265 1266 /* Cipher C014 */ 1267 { 1268 1, 1269 TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA, 1270 TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, 1271 SSL_kECDHE|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, 1272 SSL_NOT_EXP|SSL_HIGH, 1273 0, 1274 256, 1275 256, 1276 SSL_ALL_CIPHERS, 1277 SSL_ALL_STRENGTHS, 1278 }, 1279 1280 /* Cipher C015 */ 1281 { 1282 1, 1283 TLS1_TXT_ECDH_anon_WITH_NULL_SHA, 1284 TLS1_CK_ECDH_anon_WITH_NULL_SHA, 1285 SSL_kECDHE|SSL_aNULL|SSL_eNULL|SSL_SHA|SSL_TLSV1, 1286 SSL_NOT_EXP, 1287 0, 1288 0, 1289 0, 1290 SSL_ALL_CIPHERS, 1291 SSL_ALL_STRENGTHS, 1292 }, 1293 1294 /* Cipher C016 */ 1295 { 1296 1, 1297 TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA, 1298 TLS1_CK_ECDH_anon_WITH_RC4_128_SHA, 1299 SSL_kECDHE|SSL_aNULL|SSL_RC4|SSL_SHA|SSL_TLSV1, 1300 SSL_NOT_EXP, 1301 0, 1302 128, 1303 128, 1304 SSL_ALL_CIPHERS, 1305 SSL_ALL_STRENGTHS, 1306 }, 1307 1308 /* Cipher C017 */ 1309 { 1310 1, 1311 TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA, 1312 TLS1_CK_ECDH_anon_WITH_DES_192_CBC3_SHA, 1313 SSL_kECDHE|SSL_aNULL|SSL_3DES|SSL_SHA|SSL_TLSV1, 1314 SSL_NOT_EXP|SSL_HIGH, 1315 0, 1316 168, 1317 168, 1318 SSL_ALL_CIPHERS, 1319 SSL_ALL_STRENGTHS, 1320 }, 1321 1322 /* Cipher C018 */ 1323 { 1324 1, 1325 TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA, 1326 TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA, 1327 SSL_kECDHE|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1, 1328 SSL_NOT_EXP|SSL_HIGH, 1329 0, 1330 128, 1331 128, 1332 SSL_ALL_CIPHERS, 1333 SSL_ALL_STRENGTHS, 1334 }, 1335 1336 /* Cipher C019 */ 1337 { 1338 1, 1339 TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA, 1340 TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA, 1341 SSL_kECDHE|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1, 1342 SSL_NOT_EXP|SSL_HIGH, 1343 0, 1344 256, 1345 256, 1346 SSL_ALL_CIPHERS, 1347 SSL_ALL_STRENGTHS, 1348 }, 1349 #endif /* OPENSSL_NO_ECDH */ 1350 1351 /* end of list */ 1352 }; 1353 1354 SSL3_ENC_METHOD SSLv3_enc_data={ 1355 ssl3_enc, 1356 ssl3_mac, 1357 ssl3_setup_key_block, 1358 ssl3_generate_master_secret, 1359 ssl3_change_cipher_state, 1360 ssl3_final_finish_mac, 1361 MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH, 1362 ssl3_cert_verify_mac, 1363 SSL3_MD_CLIENT_FINISHED_CONST,4, 1364 SSL3_MD_SERVER_FINISHED_CONST,4, 1365 ssl3_alert_code, 1366 }; 1367 1368 long ssl3_default_timeout(void) 1369 { 1370 /* 2 hours, the 24 hours mentioned in the SSLv3 spec 1371 * is way too long for http, the cache would over fill */ 1372 return(60*60*2); 1373 } 1374 1375 IMPLEMENT_ssl3_meth_func(sslv3_base_method, 1376 ssl_undefined_function, 1377 ssl_undefined_function, 1378 ssl_bad_method) 1379 1380 int ssl3_num_ciphers(void) 1381 { 1382 return(SSL3_NUM_CIPHERS); 1383 } 1384 1385 SSL_CIPHER *ssl3_get_cipher(unsigned int u) 1386 { 1387 if (u < SSL3_NUM_CIPHERS) 1388 return(&(ssl3_ciphers[SSL3_NUM_CIPHERS-1-u])); 1389 else 1390 return(NULL); 1391 } 1392 1393 int ssl3_pending(const SSL *s) 1394 { 1395 if (s->rstate == SSL_ST_READ_BODY) 1396 return 0; 1397 1398 return (s->s3->rrec.type == SSL3_RT_APPLICATION_DATA) ? s->s3->rrec.length : 0; 1399 } 1400 1401 int ssl3_new(SSL *s) 1402 { 1403 SSL3_STATE *s3; 1404 1405 if ((s3=OPENSSL_malloc(sizeof *s3)) == NULL) goto err; 1406 memset(s3,0,sizeof *s3); 1407 EVP_MD_CTX_init(&s3->finish_dgst1); 1408 EVP_MD_CTX_init(&s3->finish_dgst2); 1409 pq_64bit_init(&(s3->rrec.seq_num)); 1410 pq_64bit_init(&(s3->wrec.seq_num)); 1411 1412 s->s3=s3; 1413 1414 s->method->ssl_clear(s); 1415 return(1); 1416 err: 1417 return(0); 1418 } 1419 1420 void ssl3_free(SSL *s) 1421 { 1422 if(s == NULL) 1423 return; 1424 1425 ssl3_cleanup_key_block(s); 1426 if (s->s3->rbuf.buf != NULL) 1427 OPENSSL_free(s->s3->rbuf.buf); 1428 if (s->s3->wbuf.buf != NULL) 1429 OPENSSL_free(s->s3->wbuf.buf); 1430 if (s->s3->rrec.comp != NULL) 1431 OPENSSL_free(s->s3->rrec.comp); 1432 #ifndef OPENSSL_NO_DH 1433 if (s->s3->tmp.dh != NULL) 1434 DH_free(s->s3->tmp.dh); 1435 #endif 1436 #ifndef OPENSSL_NO_ECDH 1437 if (s->s3->tmp.ecdh != NULL) 1438 EC_KEY_free(s->s3->tmp.ecdh); 1439 #endif 1440 1441 if (s->s3->tmp.ca_names != NULL) 1442 sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free); 1443 EVP_MD_CTX_cleanup(&s->s3->finish_dgst1); 1444 EVP_MD_CTX_cleanup(&s->s3->finish_dgst2); 1445 pq_64bit_free(&(s->s3->rrec.seq_num)); 1446 pq_64bit_free(&(s->s3->wrec.seq_num)); 1447 1448 OPENSSL_cleanse(s->s3,sizeof *s->s3); 1449 OPENSSL_free(s->s3); 1450 s->s3=NULL; 1451 } 1452 1453 void ssl3_clear(SSL *s) 1454 { 1455 unsigned char *rp,*wp; 1456 size_t rlen, wlen; 1457 1458 ssl3_cleanup_key_block(s); 1459 if (s->s3->tmp.ca_names != NULL) 1460 sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free); 1461 1462 if (s->s3->rrec.comp != NULL) 1463 { 1464 OPENSSL_free(s->s3->rrec.comp); 1465 s->s3->rrec.comp=NULL; 1466 } 1467 #ifndef OPENSSL_NO_DH 1468 if (s->s3->tmp.dh != NULL) 1469 DH_free(s->s3->tmp.dh); 1470 #endif 1471 #ifndef OPENSSL_NO_ECDH 1472 if (s->s3->tmp.ecdh != NULL) 1473 EC_KEY_free(s->s3->tmp.ecdh); 1474 #endif 1475 1476 rp = s->s3->rbuf.buf; 1477 wp = s->s3->wbuf.buf; 1478 rlen = s->s3->rbuf.len; 1479 wlen = s->s3->wbuf.len; 1480 1481 EVP_MD_CTX_cleanup(&s->s3->finish_dgst1); 1482 EVP_MD_CTX_cleanup(&s->s3->finish_dgst2); 1483 1484 memset(s->s3,0,sizeof *s->s3); 1485 s->s3->rbuf.buf = rp; 1486 s->s3->wbuf.buf = wp; 1487 s->s3->rbuf.len = rlen; 1488 s->s3->wbuf.len = wlen; 1489 1490 ssl_free_wbio_buffer(s); 1491 1492 s->packet_length=0; 1493 s->s3->renegotiate=0; 1494 s->s3->total_renegotiations=0; 1495 s->s3->num_renegotiations=0; 1496 s->s3->in_read_app_data=0; 1497 s->version=SSL3_VERSION; 1498 } 1499 1500 long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) 1501 { 1502 int ret=0; 1503 1504 #if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_RSA) 1505 if ( 1506 #ifndef OPENSSL_NO_RSA 1507 cmd == SSL_CTRL_SET_TMP_RSA || 1508 cmd == SSL_CTRL_SET_TMP_RSA_CB || 1509 #endif 1510 #ifndef OPENSSL_NO_DSA 1511 cmd == SSL_CTRL_SET_TMP_DH || 1512 cmd == SSL_CTRL_SET_TMP_DH_CB || 1513 #endif 1514 0) 1515 { 1516 if (!ssl_cert_inst(&s->cert)) 1517 { 1518 SSLerr(SSL_F_SSL3_CTRL, ERR_R_MALLOC_FAILURE); 1519 return(0); 1520 } 1521 } 1522 #endif 1523 1524 switch (cmd) 1525 { 1526 case SSL_CTRL_GET_SESSION_REUSED: 1527 ret=s->hit; 1528 break; 1529 case SSL_CTRL_GET_CLIENT_CERT_REQUEST: 1530 break; 1531 case SSL_CTRL_GET_NUM_RENEGOTIATIONS: 1532 ret=s->s3->num_renegotiations; 1533 break; 1534 case SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS: 1535 ret=s->s3->num_renegotiations; 1536 s->s3->num_renegotiations=0; 1537 break; 1538 case SSL_CTRL_GET_TOTAL_RENEGOTIATIONS: 1539 ret=s->s3->total_renegotiations; 1540 break; 1541 case SSL_CTRL_GET_FLAGS: 1542 ret=(int)(s->s3->flags); 1543 break; 1544 #ifndef OPENSSL_NO_RSA 1545 case SSL_CTRL_NEED_TMP_RSA: 1546 if ((s->cert != NULL) && (s->cert->rsa_tmp == NULL) && 1547 ((s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) || 1548 (EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey) > (512/8)))) 1549 ret = 1; 1550 break; 1551 case SSL_CTRL_SET_TMP_RSA: 1552 { 1553 RSA *rsa = (RSA *)parg; 1554 if (rsa == NULL) 1555 { 1556 SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER); 1557 return(ret); 1558 } 1559 if ((rsa = RSAPrivateKey_dup(rsa)) == NULL) 1560 { 1561 SSLerr(SSL_F_SSL3_CTRL, ERR_R_RSA_LIB); 1562 return(ret); 1563 } 1564 if (s->cert->rsa_tmp != NULL) 1565 RSA_free(s->cert->rsa_tmp); 1566 s->cert->rsa_tmp = rsa; 1567 ret = 1; 1568 } 1569 break; 1570 case SSL_CTRL_SET_TMP_RSA_CB: 1571 { 1572 SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 1573 return(ret); 1574 } 1575 break; 1576 #endif 1577 #ifndef OPENSSL_NO_DH 1578 case SSL_CTRL_SET_TMP_DH: 1579 { 1580 DH *dh = (DH *)parg; 1581 if (dh == NULL) 1582 { 1583 SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER); 1584 return(ret); 1585 } 1586 if ((dh = DHparams_dup(dh)) == NULL) 1587 { 1588 SSLerr(SSL_F_SSL3_CTRL, ERR_R_DH_LIB); 1589 return(ret); 1590 } 1591 if (!(s->options & SSL_OP_SINGLE_DH_USE)) 1592 { 1593 if (!DH_generate_key(dh)) 1594 { 1595 DH_free(dh); 1596 SSLerr(SSL_F_SSL3_CTRL, ERR_R_DH_LIB); 1597 return(ret); 1598 } 1599 } 1600 if (s->cert->dh_tmp != NULL) 1601 DH_free(s->cert->dh_tmp); 1602 s->cert->dh_tmp = dh; 1603 ret = 1; 1604 } 1605 break; 1606 case SSL_CTRL_SET_TMP_DH_CB: 1607 { 1608 SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 1609 return(ret); 1610 } 1611 break; 1612 #endif 1613 #ifndef OPENSSL_NO_ECDH 1614 case SSL_CTRL_SET_TMP_ECDH: 1615 { 1616 EC_KEY *ecdh = NULL; 1617 1618 if (parg == NULL) 1619 { 1620 SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER); 1621 return(ret); 1622 } 1623 if (!EC_KEY_up_ref((EC_KEY *)parg)) 1624 { 1625 SSLerr(SSL_F_SSL3_CTRL,ERR_R_ECDH_LIB); 1626 return(ret); 1627 } 1628 ecdh = (EC_KEY *)parg; 1629 if (!(s->options & SSL_OP_SINGLE_ECDH_USE)) 1630 { 1631 if (!EC_KEY_generate_key(ecdh)) 1632 { 1633 EC_KEY_free(ecdh); 1634 SSLerr(SSL_F_SSL3_CTRL,ERR_R_ECDH_LIB); 1635 return(ret); 1636 } 1637 } 1638 if (s->cert->ecdh_tmp != NULL) 1639 EC_KEY_free(s->cert->ecdh_tmp); 1640 s->cert->ecdh_tmp = ecdh; 1641 ret = 1; 1642 } 1643 break; 1644 case SSL_CTRL_SET_TMP_ECDH_CB: 1645 { 1646 SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 1647 return(ret); 1648 } 1649 break; 1650 #endif /* !OPENSSL_NO_ECDH */ 1651 default: 1652 break; 1653 } 1654 return(ret); 1655 } 1656 1657 long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void)) 1658 { 1659 int ret=0; 1660 1661 #if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_RSA) 1662 if ( 1663 #ifndef OPENSSL_NO_RSA 1664 cmd == SSL_CTRL_SET_TMP_RSA_CB || 1665 #endif 1666 #ifndef OPENSSL_NO_DSA 1667 cmd == SSL_CTRL_SET_TMP_DH_CB || 1668 #endif 1669 0) 1670 { 1671 if (!ssl_cert_inst(&s->cert)) 1672 { 1673 SSLerr(SSL_F_SSL3_CALLBACK_CTRL, ERR_R_MALLOC_FAILURE); 1674 return(0); 1675 } 1676 } 1677 #endif 1678 1679 switch (cmd) 1680 { 1681 #ifndef OPENSSL_NO_RSA 1682 case SSL_CTRL_SET_TMP_RSA_CB: 1683 { 1684 s->cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp; 1685 } 1686 break; 1687 #endif 1688 #ifndef OPENSSL_NO_DH 1689 case SSL_CTRL_SET_TMP_DH_CB: 1690 { 1691 s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; 1692 } 1693 break; 1694 #endif 1695 #ifndef OPENSSL_NO_ECDH 1696 case SSL_CTRL_SET_TMP_ECDH_CB: 1697 { 1698 s->cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp; 1699 } 1700 break; 1701 #endif 1702 default: 1703 break; 1704 } 1705 return(ret); 1706 } 1707 1708 long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) 1709 { 1710 CERT *cert; 1711 1712 cert=ctx->cert; 1713 1714 switch (cmd) 1715 { 1716 #ifndef OPENSSL_NO_RSA 1717 case SSL_CTRL_NEED_TMP_RSA: 1718 if ( (cert->rsa_tmp == NULL) && 1719 ((cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) || 1720 (EVP_PKEY_size(cert->pkeys[SSL_PKEY_RSA_ENC].privatekey) > (512/8))) 1721 ) 1722 return(1); 1723 else 1724 return(0); 1725 /* break; */ 1726 case SSL_CTRL_SET_TMP_RSA: 1727 { 1728 RSA *rsa; 1729 int i; 1730 1731 rsa=(RSA *)parg; 1732 i=1; 1733 if (rsa == NULL) 1734 i=0; 1735 else 1736 { 1737 if ((rsa=RSAPrivateKey_dup(rsa)) == NULL) 1738 i=0; 1739 } 1740 if (!i) 1741 { 1742 SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_RSA_LIB); 1743 return(0); 1744 } 1745 else 1746 { 1747 if (cert->rsa_tmp != NULL) 1748 RSA_free(cert->rsa_tmp); 1749 cert->rsa_tmp=rsa; 1750 return(1); 1751 } 1752 } 1753 /* break; */ 1754 case SSL_CTRL_SET_TMP_RSA_CB: 1755 { 1756 SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 1757 return(0); 1758 } 1759 break; 1760 #endif 1761 #ifndef OPENSSL_NO_DH 1762 case SSL_CTRL_SET_TMP_DH: 1763 { 1764 DH *new=NULL,*dh; 1765 1766 dh=(DH *)parg; 1767 if ((new=DHparams_dup(dh)) == NULL) 1768 { 1769 SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_DH_LIB); 1770 return 0; 1771 } 1772 if (!(ctx->options & SSL_OP_SINGLE_DH_USE)) 1773 { 1774 if (!DH_generate_key(new)) 1775 { 1776 SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_DH_LIB); 1777 DH_free(new); 1778 return 0; 1779 } 1780 } 1781 if (cert->dh_tmp != NULL) 1782 DH_free(cert->dh_tmp); 1783 cert->dh_tmp=new; 1784 return 1; 1785 } 1786 /*break; */ 1787 case SSL_CTRL_SET_TMP_DH_CB: 1788 { 1789 SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 1790 return(0); 1791 } 1792 break; 1793 #endif 1794 #ifndef OPENSSL_NO_ECDH 1795 case SSL_CTRL_SET_TMP_ECDH: 1796 { 1797 EC_KEY *ecdh = NULL; 1798 1799 if (parg == NULL) 1800 { 1801 SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_ECDH_LIB); 1802 return 0; 1803 } 1804 ecdh = EC_KEY_dup((EC_KEY *)parg); 1805 if (ecdh == NULL) 1806 { 1807 SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_EC_LIB); 1808 return 0; 1809 } 1810 if (!(ctx->options & SSL_OP_SINGLE_ECDH_USE)) 1811 { 1812 if (!EC_KEY_generate_key(ecdh)) 1813 { 1814 EC_KEY_free(ecdh); 1815 SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_ECDH_LIB); 1816 return 0; 1817 } 1818 } 1819 1820 if (cert->ecdh_tmp != NULL) 1821 { 1822 EC_KEY_free(cert->ecdh_tmp); 1823 } 1824 cert->ecdh_tmp = ecdh; 1825 return 1; 1826 } 1827 /* break; */ 1828 case SSL_CTRL_SET_TMP_ECDH_CB: 1829 { 1830 SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 1831 return(0); 1832 } 1833 break; 1834 #endif /* !OPENSSL_NO_ECDH */ 1835 /* A Thawte special :-) */ 1836 case SSL_CTRL_EXTRA_CHAIN_CERT: 1837 if (ctx->extra_certs == NULL) 1838 { 1839 if ((ctx->extra_certs=sk_X509_new_null()) == NULL) 1840 return(0); 1841 } 1842 sk_X509_push(ctx->extra_certs,(X509 *)parg); 1843 break; 1844 1845 default: 1846 return(0); 1847 } 1848 return(1); 1849 } 1850 1851 long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) 1852 { 1853 CERT *cert; 1854 1855 cert=ctx->cert; 1856 1857 switch (cmd) 1858 { 1859 #ifndef OPENSSL_NO_RSA 1860 case SSL_CTRL_SET_TMP_RSA_CB: 1861 { 1862 cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp; 1863 } 1864 break; 1865 #endif 1866 #ifndef OPENSSL_NO_DH 1867 case SSL_CTRL_SET_TMP_DH_CB: 1868 { 1869 cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; 1870 } 1871 break; 1872 #endif 1873 #ifndef OPENSSL_NO_ECDH 1874 case SSL_CTRL_SET_TMP_ECDH_CB: 1875 { 1876 cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp; 1877 } 1878 break; 1879 #endif 1880 default: 1881 return(0); 1882 } 1883 return(1); 1884 } 1885 1886 /* This function needs to check if the ciphers required are actually 1887 * available */ 1888 SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p) 1889 { 1890 SSL_CIPHER c,*cp; 1891 unsigned long id; 1892 1893 id=0x03000000L|((unsigned long)p[0]<<8L)|(unsigned long)p[1]; 1894 c.id=id; 1895 cp = (SSL_CIPHER *)OBJ_bsearch((char *)&c, 1896 (char *)ssl3_ciphers, 1897 SSL3_NUM_CIPHERS,sizeof(SSL_CIPHER), 1898 FP_ICC ssl_cipher_id_cmp); 1899 if (cp == NULL || cp->valid == 0) 1900 return NULL; 1901 else 1902 return cp; 1903 } 1904 1905 int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p) 1906 { 1907 long l; 1908 1909 if (p != NULL) 1910 { 1911 l=c->id; 1912 if ((l & 0xff000000) != 0x03000000) return(0); 1913 p[0]=((unsigned char)(l>> 8L))&0xFF; 1914 p[1]=((unsigned char)(l ))&0xFF; 1915 } 1916 return(2); 1917 } 1918 1919 SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, 1920 STACK_OF(SSL_CIPHER) *srvr) 1921 { 1922 SSL_CIPHER *c,*ret=NULL; 1923 STACK_OF(SSL_CIPHER) *prio, *allow; 1924 int i,j,ok; 1925 CERT *cert; 1926 unsigned long alg,mask,emask; 1927 1928 /* Let's see which ciphers we can support */ 1929 cert=s->cert; 1930 1931 #if 0 1932 /* Do not set the compare functions, because this may lead to a 1933 * reordering by "id". We want to keep the original ordering. 1934 * We may pay a price in performance during sk_SSL_CIPHER_find(), 1935 * but would have to pay with the price of sk_SSL_CIPHER_dup(). 1936 */ 1937 sk_SSL_CIPHER_set_cmp_func(srvr, ssl_cipher_ptr_id_cmp); 1938 sk_SSL_CIPHER_set_cmp_func(clnt, ssl_cipher_ptr_id_cmp); 1939 #endif 1940 1941 #ifdef CIPHER_DEBUG 1942 printf("Server has %d from %p:\n", sk_SSL_CIPHER_num(srvr), srvr); 1943 for(i=0 ; i < sk_SSL_CIPHER_num(srvr) ; ++i) 1944 { 1945 c=sk_SSL_CIPHER_value(srvr,i); 1946 printf("%p:%s\n",c,c->name); 1947 } 1948 printf("Client sent %d from %p:\n", sk_SSL_CIPHER_num(clnt), clnt); 1949 for(i=0 ; i < sk_SSL_CIPHER_num(clnt) ; ++i) 1950 { 1951 c=sk_SSL_CIPHER_value(clnt,i); 1952 printf("%p:%s\n",c,c->name); 1953 } 1954 #endif 1955 1956 if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) 1957 { 1958 prio = srvr; 1959 allow = clnt; 1960 } 1961 else 1962 { 1963 prio = clnt; 1964 allow = srvr; 1965 } 1966 1967 for (i=0; i<sk_SSL_CIPHER_num(prio); i++) 1968 { 1969 c=sk_SSL_CIPHER_value(prio,i); 1970 1971 ssl_set_cert_masks(cert,c); 1972 mask=cert->mask; 1973 emask=cert->export_mask; 1974 1975 #ifdef KSSL_DEBUG 1976 printf("ssl3_choose_cipher %d alg= %lx\n", i,c->algorithms); 1977 #endif /* KSSL_DEBUG */ 1978 1979 alg=c->algorithms&(SSL_MKEY_MASK|SSL_AUTH_MASK); 1980 #ifndef OPENSSL_NO_KRB5 1981 if (alg & SSL_KRB5) 1982 { 1983 if ( !kssl_keytab_is_available(s->kssl_ctx) ) 1984 continue; 1985 } 1986 #endif /* OPENSSL_NO_KRB5 */ 1987 if (SSL_C_IS_EXPORT(c)) 1988 { 1989 ok=((alg & emask) == alg)?1:0; 1990 #ifdef CIPHER_DEBUG 1991 printf("%d:[%08lX:%08lX]%p:%s (export)\n",ok,alg,emask, 1992 c,c->name); 1993 #endif 1994 } 1995 else 1996 { 1997 ok=((alg & mask) == alg)?1:0; 1998 #ifdef CIPHER_DEBUG 1999 printf("%d:[%08lX:%08lX]%p:%s\n",ok,alg,mask,c, 2000 c->name); 2001 #endif 2002 } 2003 2004 if (!ok) continue; 2005 j=sk_SSL_CIPHER_find(allow,c); 2006 if (j >= 0) 2007 { 2008 ret=sk_SSL_CIPHER_value(allow,j); 2009 break; 2010 } 2011 } 2012 return(ret); 2013 } 2014 2015 int ssl3_get_req_cert_type(SSL *s, unsigned char *p) 2016 { 2017 int ret=0; 2018 unsigned long alg; 2019 2020 alg=s->s3->tmp.new_cipher->algorithms; 2021 2022 #ifndef OPENSSL_NO_DH 2023 if (alg & (SSL_kDHr|SSL_kEDH)) 2024 { 2025 # ifndef OPENSSL_NO_RSA 2026 p[ret++]=SSL3_CT_RSA_FIXED_DH; 2027 # endif 2028 # ifndef OPENSSL_NO_DSA 2029 p[ret++]=SSL3_CT_DSS_FIXED_DH; 2030 # endif 2031 } 2032 if ((s->version == SSL3_VERSION) && 2033 (alg & (SSL_kEDH|SSL_kDHd|SSL_kDHr))) 2034 { 2035 # ifndef OPENSSL_NO_RSA 2036 p[ret++]=SSL3_CT_RSA_EPHEMERAL_DH; 2037 # endif 2038 # ifndef OPENSSL_NO_DSA 2039 p[ret++]=SSL3_CT_DSS_EPHEMERAL_DH; 2040 # endif 2041 } 2042 #endif /* !OPENSSL_NO_DH */ 2043 #ifndef OPENSSL_NO_RSA 2044 p[ret++]=SSL3_CT_RSA_SIGN; 2045 #endif 2046 #ifndef OPENSSL_NO_DSA 2047 p[ret++]=SSL3_CT_DSS_SIGN; 2048 #endif 2049 #ifndef OPENSSL_NO_ECDH 2050 /* We should ask for fixed ECDH certificates only 2051 * for SSL_kECDH (and not SSL_kECDHE) 2052 */ 2053 if ((alg & SSL_kECDH) && (s->version >= TLS1_VERSION)) 2054 { 2055 p[ret++]=TLS_CT_RSA_FIXED_ECDH; 2056 p[ret++]=TLS_CT_ECDSA_FIXED_ECDH; 2057 } 2058 #endif 2059 2060 #ifndef OPENSSL_NO_ECDSA 2061 /* ECDSA certs can be used with RSA cipher suites as well 2062 * so we don't need to check for SSL_kECDH or SSL_kECDHE 2063 */ 2064 if (s->version >= TLS1_VERSION) 2065 { 2066 p[ret++]=TLS_CT_ECDSA_SIGN; 2067 } 2068 #endif 2069 return(ret); 2070 } 2071 2072 int ssl3_shutdown(SSL *s) 2073 { 2074 2075 /* Don't do anything much if we have not done the handshake or 2076 * we don't want to send messages :-) */ 2077 if ((s->quiet_shutdown) || (s->state == SSL_ST_BEFORE)) 2078 { 2079 s->shutdown=(SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); 2080 return(1); 2081 } 2082 2083 if (!(s->shutdown & SSL_SENT_SHUTDOWN)) 2084 { 2085 s->shutdown|=SSL_SENT_SHUTDOWN; 2086 #if 1 2087 ssl3_send_alert(s,SSL3_AL_WARNING,SSL_AD_CLOSE_NOTIFY); 2088 #endif 2089 /* our shutdown alert has been sent now, and if it still needs 2090 * to be written, s->s3->alert_dispatch will be true */ 2091 } 2092 else if (s->s3->alert_dispatch) 2093 { 2094 /* resend it if not sent */ 2095 #if 1 2096 s->method->ssl_dispatch_alert(s); 2097 #endif 2098 } 2099 else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) 2100 { 2101 /* If we are waiting for a close from our peer, we are closed */ 2102 s->method->ssl_read_bytes(s,0,NULL,0,0); 2103 } 2104 2105 if ((s->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) && 2106 !s->s3->alert_dispatch) 2107 return(1); 2108 else 2109 return(0); 2110 } 2111 2112 int ssl3_write(SSL *s, const void *buf, int len) 2113 { 2114 int ret,n; 2115 2116 #if 0 2117 if (s->shutdown & SSL_SEND_SHUTDOWN) 2118 { 2119 s->rwstate=SSL_NOTHING; 2120 return(0); 2121 } 2122 #endif 2123 clear_sys_error(); 2124 if (s->s3->renegotiate) ssl3_renegotiate_check(s); 2125 2126 /* This is an experimental flag that sends the 2127 * last handshake message in the same packet as the first 2128 * use data - used to see if it helps the TCP protocol during 2129 * session-id reuse */ 2130 /* The second test is because the buffer may have been removed */ 2131 if ((s->s3->flags & SSL3_FLAGS_POP_BUFFER) && (s->wbio == s->bbio)) 2132 { 2133 /* First time through, we write into the buffer */ 2134 if (s->s3->delay_buf_pop_ret == 0) 2135 { 2136 ret=ssl3_write_bytes(s,SSL3_RT_APPLICATION_DATA, 2137 buf,len); 2138 if (ret <= 0) return(ret); 2139 2140 s->s3->delay_buf_pop_ret=ret; 2141 } 2142 2143 s->rwstate=SSL_WRITING; 2144 n=BIO_flush(s->wbio); 2145 if (n <= 0) return(n); 2146 s->rwstate=SSL_NOTHING; 2147 2148 /* We have flushed the buffer, so remove it */ 2149 ssl_free_wbio_buffer(s); 2150 s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER; 2151 2152 ret=s->s3->delay_buf_pop_ret; 2153 s->s3->delay_buf_pop_ret=0; 2154 } 2155 else 2156 { 2157 ret=s->method->ssl_write_bytes(s,SSL3_RT_APPLICATION_DATA, 2158 buf,len); 2159 if (ret <= 0) return(ret); 2160 } 2161 2162 return(ret); 2163 } 2164 2165 static int ssl3_read_internal(SSL *s, void *buf, int len, int peek) 2166 { 2167 int ret; 2168 2169 clear_sys_error(); 2170 if (s->s3->renegotiate) ssl3_renegotiate_check(s); 2171 s->s3->in_read_app_data=1; 2172 ret=s->method->ssl_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek); 2173 if ((ret == -1) && (s->s3->in_read_app_data == 2)) 2174 { 2175 /* ssl3_read_bytes decided to call s->handshake_func, which 2176 * called ssl3_read_bytes to read handshake data. 2177 * However, ssl3_read_bytes actually found application data 2178 * and thinks that application data makes sense here; so disable 2179 * handshake processing and try to read application data again. */ 2180 s->in_handshake++; 2181 ret=s->method->ssl_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek); 2182 s->in_handshake--; 2183 } 2184 else 2185 s->s3->in_read_app_data=0; 2186 2187 return(ret); 2188 } 2189 2190 int ssl3_read(SSL *s, void *buf, int len) 2191 { 2192 return ssl3_read_internal(s, buf, len, 0); 2193 } 2194 2195 int ssl3_peek(SSL *s, void *buf, int len) 2196 { 2197 return ssl3_read_internal(s, buf, len, 1); 2198 } 2199 2200 int ssl3_renegotiate(SSL *s) 2201 { 2202 if (s->handshake_func == NULL) 2203 return(1); 2204 2205 if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) 2206 return(0); 2207 2208 s->s3->renegotiate=1; 2209 return(1); 2210 } 2211 2212 int ssl3_renegotiate_check(SSL *s) 2213 { 2214 int ret=0; 2215 2216 if (s->s3->renegotiate) 2217 { 2218 if ( (s->s3->rbuf.left == 0) && 2219 (s->s3->wbuf.left == 0) && 2220 !SSL_in_init(s)) 2221 { 2222 /* 2223 if we are the server, and we have sent a 'RENEGOTIATE' message, we 2224 need to go to SSL_ST_ACCEPT. 2225 */ 2226 /* SSL_ST_ACCEPT */ 2227 s->state=SSL_ST_RENEGOTIATE; 2228 s->s3->renegotiate=0; 2229 s->s3->num_renegotiations++; 2230 s->s3->total_renegotiations++; 2231 ret=1; 2232 } 2233 } 2234 return(ret); 2235 } 2236 2237