174664626SKris Kennaway /* ssl/ssl_ciph.c */ 274664626SKris Kennaway /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 374664626SKris Kennaway * All rights reserved. 474664626SKris Kennaway * 574664626SKris Kennaway * This package is an SSL implementation written 674664626SKris Kennaway * by Eric Young (eay@cryptsoft.com). 774664626SKris Kennaway * The implementation was written so as to conform with Netscapes SSL. 874664626SKris Kennaway * 974664626SKris Kennaway * This library is free for commercial and non-commercial use as long as 1074664626SKris Kennaway * the following conditions are aheared to. The following conditions 1174664626SKris Kennaway * apply to all code found in this distribution, be it the RC4, RSA, 1274664626SKris Kennaway * lhash, DES, etc., code; not just the SSL code. The SSL documentation 1374664626SKris Kennaway * included with this distribution is covered by the same copyright terms 1474664626SKris Kennaway * except that the holder is Tim Hudson (tjh@cryptsoft.com). 1574664626SKris Kennaway * 1674664626SKris Kennaway * Copyright remains Eric Young's, and as such any Copyright notices in 1774664626SKris Kennaway * the code are not to be removed. 1874664626SKris Kennaway * If this package is used in a product, Eric Young should be given attribution 1974664626SKris Kennaway * as the author of the parts of the library used. 2074664626SKris Kennaway * This can be in the form of a textual message at program startup or 2174664626SKris Kennaway * in documentation (online or textual) provided with the package. 2274664626SKris Kennaway * 2374664626SKris Kennaway * Redistribution and use in source and binary forms, with or without 2474664626SKris Kennaway * modification, are permitted provided that the following conditions 2574664626SKris Kennaway * are met: 2674664626SKris Kennaway * 1. Redistributions of source code must retain the copyright 2774664626SKris Kennaway * notice, this list of conditions and the following disclaimer. 2874664626SKris Kennaway * 2. Redistributions in binary form must reproduce the above copyright 2974664626SKris Kennaway * notice, this list of conditions and the following disclaimer in the 3074664626SKris Kennaway * documentation and/or other materials provided with the distribution. 3174664626SKris Kennaway * 3. All advertising materials mentioning features or use of this software 3274664626SKris Kennaway * must display the following acknowledgement: 3374664626SKris Kennaway * "This product includes cryptographic software written by 3474664626SKris Kennaway * Eric Young (eay@cryptsoft.com)" 3574664626SKris Kennaway * The word 'cryptographic' can be left out if the rouines from the library 3674664626SKris Kennaway * being used are not cryptographic related :-). 3774664626SKris Kennaway * 4. If you include any Windows specific code (or a derivative thereof) from 3874664626SKris Kennaway * the apps directory (application code) you must include an acknowledgement: 3974664626SKris Kennaway * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 4074664626SKris Kennaway * 4174664626SKris Kennaway * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 4274664626SKris Kennaway * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 4374664626SKris Kennaway * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 4474664626SKris Kennaway * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 4574664626SKris Kennaway * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 4674664626SKris Kennaway * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 4774664626SKris Kennaway * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 4874664626SKris Kennaway * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 4974664626SKris Kennaway * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 5074664626SKris Kennaway * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 5174664626SKris Kennaway * SUCH DAMAGE. 5274664626SKris Kennaway * 5374664626SKris Kennaway * The licence and distribution terms for any publically available version or 5474664626SKris Kennaway * derivative of this code cannot be changed. i.e. this code cannot simply be 5574664626SKris Kennaway * copied and put under another distribution licence 5674664626SKris Kennaway * [including the GNU Public Licence.] 5774664626SKris Kennaway */ 583b4e3dcbSSimon L. B. Nielsen /* ==================================================================== 593b4e3dcbSSimon L. B. Nielsen * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 603b4e3dcbSSimon L. B. Nielsen * ECC cipher suite support in OpenSSL originally developed by 613b4e3dcbSSimon L. B. Nielsen * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. 623b4e3dcbSSimon L. B. Nielsen */ 6374664626SKris Kennaway #include <stdio.h> 6474664626SKris Kennaway #include <openssl/objects.h> 6574664626SKris Kennaway #include <openssl/comp.h> 6674664626SKris Kennaway #include "ssl_locl.h" 6774664626SKris Kennaway 6874664626SKris Kennaway #define SSL_ENC_DES_IDX 0 6974664626SKris Kennaway #define SSL_ENC_3DES_IDX 1 7074664626SKris Kennaway #define SSL_ENC_RC4_IDX 2 7174664626SKris Kennaway #define SSL_ENC_RC2_IDX 3 7274664626SKris Kennaway #define SSL_ENC_IDEA_IDX 4 7374664626SKris Kennaway #define SSL_ENC_eFZA_IDX 5 7474664626SKris Kennaway #define SSL_ENC_NULL_IDX 6 755c87c606SMark Murray #define SSL_ENC_AES128_IDX 7 765c87c606SMark Murray #define SSL_ENC_AES256_IDX 8 775c87c606SMark Murray #define SSL_ENC_NUM_IDX 9 7874664626SKris Kennaway 7974664626SKris Kennaway static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX]={ 8074664626SKris Kennaway NULL,NULL,NULL,NULL,NULL,NULL, 8174664626SKris Kennaway }; 8274664626SKris Kennaway 833b4e3dcbSSimon L. B. Nielsen #define SSL_COMP_NULL_IDX 0 843b4e3dcbSSimon L. B. Nielsen #define SSL_COMP_ZLIB_IDX 1 853b4e3dcbSSimon L. B. Nielsen #define SSL_COMP_NUM_IDX 2 863b4e3dcbSSimon L. B. Nielsen 8774664626SKris Kennaway static STACK_OF(SSL_COMP) *ssl_comp_methods=NULL; 8874664626SKris Kennaway 8974664626SKris Kennaway #define SSL_MD_MD5_IDX 0 9074664626SKris Kennaway #define SSL_MD_SHA1_IDX 1 9174664626SKris Kennaway #define SSL_MD_NUM_IDX 2 9274664626SKris Kennaway static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX]={ 9374664626SKris Kennaway NULL,NULL, 9474664626SKris Kennaway }; 9574664626SKris Kennaway 9674664626SKris Kennaway #define CIPHER_ADD 1 9774664626SKris Kennaway #define CIPHER_KILL 2 9874664626SKris Kennaway #define CIPHER_DEL 3 9974664626SKris Kennaway #define CIPHER_ORD 4 100f579bf8eSKris Kennaway #define CIPHER_SPECIAL 5 10174664626SKris Kennaway 10274664626SKris Kennaway typedef struct cipher_order_st 10374664626SKris Kennaway { 10474664626SKris Kennaway SSL_CIPHER *cipher; 10574664626SKris Kennaway int active; 10674664626SKris Kennaway int dead; 10774664626SKris Kennaway struct cipher_order_st *next,*prev; 10874664626SKris Kennaway } CIPHER_ORDER; 10974664626SKris Kennaway 110f579bf8eSKris Kennaway static const SSL_CIPHER cipher_aliases[]={ 1115c87c606SMark Murray /* Don't include eNULL unless specifically enabled. */ 1123b4e3dcbSSimon L. B. Nielsen /* Don't include ECC in ALL because these ciphers are not yet official. */ 1133b4e3dcbSSimon L. B. Nielsen {0,SSL_TXT_ALL, 0,SSL_ALL & ~SSL_eNULL & ~SSL_kECDH & ~SSL_kECDHE, SSL_ALL ,0,0,0,SSL_ALL,SSL_ALL}, /* must be first */ 1143b4e3dcbSSimon L. B. Nielsen /* TODO: COMPLEMENT OF ALL and COMPLEMENT OF DEFAULT do not have ECC cipher suites handled properly. */ 1155c87c606SMark Murray {0,SSL_TXT_CMPALL,0,SSL_eNULL,0,0,0,0,SSL_ENC_MASK,0}, /* COMPLEMENT OF ALL */ 1165c87c606SMark Murray {0,SSL_TXT_CMPDEF,0,SSL_ADH, 0,0,0,0,SSL_AUTH_MASK,0}, 1175c87c606SMark Murray {0,SSL_TXT_kKRB5,0,SSL_kKRB5,0,0,0,0,SSL_MKEY_MASK,0}, /* VRS Kerberos5 */ 118f579bf8eSKris Kennaway {0,SSL_TXT_kRSA,0,SSL_kRSA, 0,0,0,0,SSL_MKEY_MASK,0}, 119f579bf8eSKris Kennaway {0,SSL_TXT_kDHr,0,SSL_kDHr, 0,0,0,0,SSL_MKEY_MASK,0}, 120f579bf8eSKris Kennaway {0,SSL_TXT_kDHd,0,SSL_kDHd, 0,0,0,0,SSL_MKEY_MASK,0}, 121f579bf8eSKris Kennaway {0,SSL_TXT_kEDH,0,SSL_kEDH, 0,0,0,0,SSL_MKEY_MASK,0}, 122f579bf8eSKris Kennaway {0,SSL_TXT_kFZA,0,SSL_kFZA, 0,0,0,0,SSL_MKEY_MASK,0}, 123f579bf8eSKris Kennaway {0,SSL_TXT_DH, 0,SSL_DH, 0,0,0,0,SSL_MKEY_MASK,0}, 1243b4e3dcbSSimon L. B. Nielsen {0,SSL_TXT_ECC, 0,(SSL_kECDH|SSL_kECDHE), 0,0,0,0,SSL_MKEY_MASK,0}, 125f579bf8eSKris Kennaway {0,SSL_TXT_EDH, 0,SSL_EDH, 0,0,0,0,SSL_MKEY_MASK|SSL_AUTH_MASK,0}, 1265c87c606SMark Murray {0,SSL_TXT_aKRB5,0,SSL_aKRB5,0,0,0,0,SSL_AUTH_MASK,0}, /* VRS Kerberos5 */ 127f579bf8eSKris Kennaway {0,SSL_TXT_aRSA,0,SSL_aRSA, 0,0,0,0,SSL_AUTH_MASK,0}, 128f579bf8eSKris Kennaway {0,SSL_TXT_aDSS,0,SSL_aDSS, 0,0,0,0,SSL_AUTH_MASK,0}, 129f579bf8eSKris Kennaway {0,SSL_TXT_aFZA,0,SSL_aFZA, 0,0,0,0,SSL_AUTH_MASK,0}, 130f579bf8eSKris Kennaway {0,SSL_TXT_aNULL,0,SSL_aNULL,0,0,0,0,SSL_AUTH_MASK,0}, 131f579bf8eSKris Kennaway {0,SSL_TXT_aDH, 0,SSL_aDH, 0,0,0,0,SSL_AUTH_MASK,0}, 132f579bf8eSKris Kennaway {0,SSL_TXT_DSS, 0,SSL_DSS, 0,0,0,0,SSL_AUTH_MASK,0}, 13374664626SKris Kennaway 134f579bf8eSKris Kennaway {0,SSL_TXT_DES, 0,SSL_DES, 0,0,0,0,SSL_ENC_MASK,0}, 135f579bf8eSKris Kennaway {0,SSL_TXT_3DES,0,SSL_3DES, 0,0,0,0,SSL_ENC_MASK,0}, 136f579bf8eSKris Kennaway {0,SSL_TXT_RC4, 0,SSL_RC4, 0,0,0,0,SSL_ENC_MASK,0}, 137f579bf8eSKris Kennaway {0,SSL_TXT_RC2, 0,SSL_RC2, 0,0,0,0,SSL_ENC_MASK,0}, 138ced566fdSJacques Vidrine #ifndef OPENSSL_NO_IDEA 139f579bf8eSKris Kennaway {0,SSL_TXT_IDEA,0,SSL_IDEA, 0,0,0,0,SSL_ENC_MASK,0}, 140ced566fdSJacques Vidrine #endif 141f579bf8eSKris Kennaway {0,SSL_TXT_eNULL,0,SSL_eNULL,0,0,0,0,SSL_ENC_MASK,0}, 142f579bf8eSKris Kennaway {0,SSL_TXT_eFZA,0,SSL_eFZA, 0,0,0,0,SSL_ENC_MASK,0}, 1435c87c606SMark Murray {0,SSL_TXT_AES, 0,SSL_AES, 0,0,0,0,SSL_ENC_MASK,0}, 14474664626SKris Kennaway 145f579bf8eSKris Kennaway {0,SSL_TXT_MD5, 0,SSL_MD5, 0,0,0,0,SSL_MAC_MASK,0}, 146f579bf8eSKris Kennaway {0,SSL_TXT_SHA1,0,SSL_SHA1, 0,0,0,0,SSL_MAC_MASK,0}, 147f579bf8eSKris Kennaway {0,SSL_TXT_SHA, 0,SSL_SHA, 0,0,0,0,SSL_MAC_MASK,0}, 14874664626SKris Kennaway 149f579bf8eSKris Kennaway {0,SSL_TXT_NULL,0,SSL_NULL, 0,0,0,0,SSL_ENC_MASK,0}, 1505c87c606SMark Murray {0,SSL_TXT_KRB5,0,SSL_KRB5, 0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0}, 151f579bf8eSKris Kennaway {0,SSL_TXT_RSA, 0,SSL_RSA, 0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0}, 152f579bf8eSKris Kennaway {0,SSL_TXT_ADH, 0,SSL_ADH, 0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0}, 153f579bf8eSKris Kennaway {0,SSL_TXT_FZA, 0,SSL_FZA, 0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK|SSL_ENC_MASK,0}, 15474664626SKris Kennaway 155f579bf8eSKris Kennaway {0,SSL_TXT_SSLV2, 0,SSL_SSLV2, 0,0,0,0,SSL_SSL_MASK,0}, 156f579bf8eSKris Kennaway {0,SSL_TXT_SSLV3, 0,SSL_SSLV3, 0,0,0,0,SSL_SSL_MASK,0}, 157f579bf8eSKris Kennaway {0,SSL_TXT_TLSV1, 0,SSL_TLSV1, 0,0,0,0,SSL_SSL_MASK,0}, 158f579bf8eSKris Kennaway 159f579bf8eSKris Kennaway {0,SSL_TXT_EXP ,0, 0,SSL_EXPORT, 0,0,0,0,SSL_EXP_MASK}, 160f579bf8eSKris Kennaway {0,SSL_TXT_EXPORT,0, 0,SSL_EXPORT, 0,0,0,0,SSL_EXP_MASK}, 161f579bf8eSKris Kennaway {0,SSL_TXT_EXP40, 0, 0, SSL_EXP40, 0,0,0,0,SSL_STRONG_MASK}, 162f579bf8eSKris Kennaway {0,SSL_TXT_EXP56, 0, 0, SSL_EXP56, 0,0,0,0,SSL_STRONG_MASK}, 163f579bf8eSKris Kennaway {0,SSL_TXT_LOW, 0, 0, SSL_LOW, 0,0,0,0,SSL_STRONG_MASK}, 164f579bf8eSKris Kennaway {0,SSL_TXT_MEDIUM,0, 0,SSL_MEDIUM, 0,0,0,0,SSL_STRONG_MASK}, 165f579bf8eSKris Kennaway {0,SSL_TXT_HIGH, 0, 0, SSL_HIGH, 0,0,0,0,SSL_STRONG_MASK}, 16674664626SKris Kennaway }; 16774664626SKris Kennaway 1683b4e3dcbSSimon L. B. Nielsen void ssl_load_ciphers(void) 16974664626SKris Kennaway { 17074664626SKris Kennaway ssl_cipher_methods[SSL_ENC_DES_IDX]= 17174664626SKris Kennaway EVP_get_cipherbyname(SN_des_cbc); 17274664626SKris Kennaway ssl_cipher_methods[SSL_ENC_3DES_IDX]= 17374664626SKris Kennaway EVP_get_cipherbyname(SN_des_ede3_cbc); 17474664626SKris Kennaway ssl_cipher_methods[SSL_ENC_RC4_IDX]= 17574664626SKris Kennaway EVP_get_cipherbyname(SN_rc4); 17674664626SKris Kennaway ssl_cipher_methods[SSL_ENC_RC2_IDX]= 17774664626SKris Kennaway EVP_get_cipherbyname(SN_rc2_cbc); 178ced566fdSJacques Vidrine #ifndef OPENSSL_NO_IDEA 17974664626SKris Kennaway ssl_cipher_methods[SSL_ENC_IDEA_IDX]= 18074664626SKris Kennaway EVP_get_cipherbyname(SN_idea_cbc); 181ced566fdSJacques Vidrine #else 182ced566fdSJacques Vidrine ssl_cipher_methods[SSL_ENC_IDEA_IDX]= NULL; 183ced566fdSJacques Vidrine #endif 1845c87c606SMark Murray ssl_cipher_methods[SSL_ENC_AES128_IDX]= 1855c87c606SMark Murray EVP_get_cipherbyname(SN_aes_128_cbc); 1865c87c606SMark Murray ssl_cipher_methods[SSL_ENC_AES256_IDX]= 1875c87c606SMark Murray EVP_get_cipherbyname(SN_aes_256_cbc); 18874664626SKris Kennaway 18974664626SKris Kennaway ssl_digest_methods[SSL_MD_MD5_IDX]= 19074664626SKris Kennaway EVP_get_digestbyname(SN_md5); 19174664626SKris Kennaway ssl_digest_methods[SSL_MD_SHA1_IDX]= 19274664626SKris Kennaway EVP_get_digestbyname(SN_sha1); 19374664626SKris Kennaway } 19474664626SKris Kennaway 1953b4e3dcbSSimon L. B. Nielsen 1963b4e3dcbSSimon L. B. Nielsen #ifndef OPENSSL_NO_COMP 1973b4e3dcbSSimon L. B. Nielsen 1983b4e3dcbSSimon L. B. Nielsen static int sk_comp_cmp(const SSL_COMP * const *a, 1993b4e3dcbSSimon L. B. Nielsen const SSL_COMP * const *b) 2003b4e3dcbSSimon L. B. Nielsen { 2013b4e3dcbSSimon L. B. Nielsen return((*a)->id-(*b)->id); 2023b4e3dcbSSimon L. B. Nielsen } 2033b4e3dcbSSimon L. B. Nielsen 2043b4e3dcbSSimon L. B. Nielsen static void load_builtin_compressions(void) 2053b4e3dcbSSimon L. B. Nielsen { 2063b4e3dcbSSimon L. B. Nielsen if (ssl_comp_methods != NULL) 2073b4e3dcbSSimon L. B. Nielsen return; 2083b4e3dcbSSimon L. B. Nielsen 2093b4e3dcbSSimon L. B. Nielsen CRYPTO_w_lock(CRYPTO_LOCK_SSL); 2103b4e3dcbSSimon L. B. Nielsen if (ssl_comp_methods == NULL) 2113b4e3dcbSSimon L. B. Nielsen { 2123b4e3dcbSSimon L. B. Nielsen SSL_COMP *comp = NULL; 2133b4e3dcbSSimon L. B. Nielsen 2143b4e3dcbSSimon L. B. Nielsen MemCheck_off(); 2153b4e3dcbSSimon L. B. Nielsen ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp); 2163b4e3dcbSSimon L. B. Nielsen if (ssl_comp_methods != NULL) 2173b4e3dcbSSimon L. B. Nielsen { 2183b4e3dcbSSimon L. B. Nielsen comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP)); 2193b4e3dcbSSimon L. B. Nielsen if (comp != NULL) 2203b4e3dcbSSimon L. B. Nielsen { 2213b4e3dcbSSimon L. B. Nielsen comp->method=COMP_zlib(); 2223b4e3dcbSSimon L. B. Nielsen if (comp->method 2233b4e3dcbSSimon L. B. Nielsen && comp->method->type == NID_undef) 2243b4e3dcbSSimon L. B. Nielsen OPENSSL_free(comp); 2253b4e3dcbSSimon L. B. Nielsen else 2263b4e3dcbSSimon L. B. Nielsen { 2273b4e3dcbSSimon L. B. Nielsen comp->id=SSL_COMP_ZLIB_IDX; 2283b4e3dcbSSimon L. B. Nielsen comp->name=comp->method->name; 2293b4e3dcbSSimon L. B. Nielsen sk_SSL_COMP_push(ssl_comp_methods,comp); 2303b4e3dcbSSimon L. B. Nielsen } 2313b4e3dcbSSimon L. B. Nielsen } 2323b4e3dcbSSimon L. B. Nielsen } 2333b4e3dcbSSimon L. B. Nielsen MemCheck_on(); 2343b4e3dcbSSimon L. B. Nielsen } 2353b4e3dcbSSimon L. B. Nielsen CRYPTO_w_unlock(CRYPTO_LOCK_SSL); 2363b4e3dcbSSimon L. B. Nielsen } 2373b4e3dcbSSimon L. B. Nielsen #endif 2383b4e3dcbSSimon L. B. Nielsen 2393b4e3dcbSSimon L. B. Nielsen int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, 24074664626SKris Kennaway const EVP_MD **md, SSL_COMP **comp) 24174664626SKris Kennaway { 24274664626SKris Kennaway int i; 24374664626SKris Kennaway SSL_CIPHER *c; 24474664626SKris Kennaway 24574664626SKris Kennaway c=s->cipher; 24674664626SKris Kennaway if (c == NULL) return(0); 24774664626SKris Kennaway if (comp != NULL) 24874664626SKris Kennaway { 24974664626SKris Kennaway SSL_COMP ctmp; 2503b4e3dcbSSimon L. B. Nielsen #ifndef OPENSSL_NO_COMP 2513b4e3dcbSSimon L. B. Nielsen load_builtin_compressions(); 2523b4e3dcbSSimon L. B. Nielsen #endif 25374664626SKris Kennaway 25474664626SKris Kennaway *comp=NULL; 25574664626SKris Kennaway ctmp.id=s->compress_meth; 2563b4e3dcbSSimon L. B. Nielsen if (ssl_comp_methods != NULL) 2573b4e3dcbSSimon L. B. Nielsen { 25874664626SKris Kennaway i=sk_SSL_COMP_find(ssl_comp_methods,&ctmp); 25974664626SKris Kennaway if (i >= 0) 26074664626SKris Kennaway *comp=sk_SSL_COMP_value(ssl_comp_methods,i); 26174664626SKris Kennaway else 26274664626SKris Kennaway *comp=NULL; 26374664626SKris Kennaway } 26474664626SKris Kennaway } 26574664626SKris Kennaway 26674664626SKris Kennaway if ((enc == NULL) || (md == NULL)) return(0); 26774664626SKris Kennaway 26874664626SKris Kennaway switch (c->algorithms & SSL_ENC_MASK) 26974664626SKris Kennaway { 27074664626SKris Kennaway case SSL_DES: 27174664626SKris Kennaway i=SSL_ENC_DES_IDX; 27274664626SKris Kennaway break; 27374664626SKris Kennaway case SSL_3DES: 27474664626SKris Kennaway i=SSL_ENC_3DES_IDX; 27574664626SKris Kennaway break; 27674664626SKris Kennaway case SSL_RC4: 27774664626SKris Kennaway i=SSL_ENC_RC4_IDX; 27874664626SKris Kennaway break; 27974664626SKris Kennaway case SSL_RC2: 28074664626SKris Kennaway i=SSL_ENC_RC2_IDX; 28174664626SKris Kennaway break; 28274664626SKris Kennaway case SSL_IDEA: 28374664626SKris Kennaway i=SSL_ENC_IDEA_IDX; 28474664626SKris Kennaway break; 28574664626SKris Kennaway case SSL_eNULL: 28674664626SKris Kennaway i=SSL_ENC_NULL_IDX; 28774664626SKris Kennaway break; 2885c87c606SMark Murray case SSL_AES: 2895c87c606SMark Murray switch(c->alg_bits) 2905c87c606SMark Murray { 2915c87c606SMark Murray case 128: i=SSL_ENC_AES128_IDX; break; 2925c87c606SMark Murray case 256: i=SSL_ENC_AES256_IDX; break; 2935c87c606SMark Murray default: i=-1; break; 2945c87c606SMark Murray } 2955c87c606SMark Murray break; 29674664626SKris Kennaway default: 29774664626SKris Kennaway i= -1; 29874664626SKris Kennaway break; 29974664626SKris Kennaway } 30074664626SKris Kennaway 30174664626SKris Kennaway if ((i < 0) || (i > SSL_ENC_NUM_IDX)) 30274664626SKris Kennaway *enc=NULL; 30374664626SKris Kennaway else 30474664626SKris Kennaway { 30574664626SKris Kennaway if (i == SSL_ENC_NULL_IDX) 30674664626SKris Kennaway *enc=EVP_enc_null(); 30774664626SKris Kennaway else 30874664626SKris Kennaway *enc=ssl_cipher_methods[i]; 30974664626SKris Kennaway } 31074664626SKris Kennaway 31174664626SKris Kennaway switch (c->algorithms & SSL_MAC_MASK) 31274664626SKris Kennaway { 31374664626SKris Kennaway case SSL_MD5: 31474664626SKris Kennaway i=SSL_MD_MD5_IDX; 31574664626SKris Kennaway break; 31674664626SKris Kennaway case SSL_SHA1: 31774664626SKris Kennaway i=SSL_MD_SHA1_IDX; 31874664626SKris Kennaway break; 31974664626SKris Kennaway default: 32074664626SKris Kennaway i= -1; 32174664626SKris Kennaway break; 32274664626SKris Kennaway } 32374664626SKris Kennaway if ((i < 0) || (i > SSL_MD_NUM_IDX)) 32474664626SKris Kennaway *md=NULL; 32574664626SKris Kennaway else 32674664626SKris Kennaway *md=ssl_digest_methods[i]; 32774664626SKris Kennaway 32874664626SKris Kennaway if ((*enc != NULL) && (*md != NULL)) 32974664626SKris Kennaway return(1); 33074664626SKris Kennaway else 33174664626SKris Kennaway return(0); 33274664626SKris Kennaway } 33374664626SKris Kennaway 33474664626SKris Kennaway #define ITEM_SEP(a) \ 33574664626SKris Kennaway (((a) == ':') || ((a) == ' ') || ((a) == ';') || ((a) == ',')) 33674664626SKris Kennaway 33774664626SKris Kennaway static void ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr, 33874664626SKris Kennaway CIPHER_ORDER **tail) 33974664626SKris Kennaway { 34074664626SKris Kennaway if (curr == *tail) return; 34174664626SKris Kennaway if (curr == *head) 34274664626SKris Kennaway *head=curr->next; 34374664626SKris Kennaway if (curr->prev != NULL) 34474664626SKris Kennaway curr->prev->next=curr->next; 34574664626SKris Kennaway if (curr->next != NULL) /* should always be true */ 34674664626SKris Kennaway curr->next->prev=curr->prev; 34774664626SKris Kennaway (*tail)->next=curr; 34874664626SKris Kennaway curr->prev= *tail; 34974664626SKris Kennaway curr->next=NULL; 35074664626SKris Kennaway *tail=curr; 35174664626SKris Kennaway } 35274664626SKris Kennaway 353f579bf8eSKris Kennaway static unsigned long ssl_cipher_get_disabled(void) 35474664626SKris Kennaway { 355f579bf8eSKris Kennaway unsigned long mask; 35674664626SKris Kennaway 35774664626SKris Kennaway mask = SSL_kFZA; 3585c87c606SMark Murray #ifdef OPENSSL_NO_RSA 35974664626SKris Kennaway mask |= SSL_aRSA|SSL_kRSA; 36074664626SKris Kennaway #endif 3615c87c606SMark Murray #ifdef OPENSSL_NO_DSA 36274664626SKris Kennaway mask |= SSL_aDSS; 36374664626SKris Kennaway #endif 3645c87c606SMark Murray #ifdef OPENSSL_NO_DH 36574664626SKris Kennaway mask |= SSL_kDHr|SSL_kDHd|SSL_kEDH|SSL_aDH; 36674664626SKris Kennaway #endif 3675c87c606SMark Murray #ifdef OPENSSL_NO_KRB5 3685c87c606SMark Murray mask |= SSL_kKRB5|SSL_aKRB5; 3695c87c606SMark Murray #endif 3703b4e3dcbSSimon L. B. Nielsen #ifdef OPENSSL_NO_ECDH 3713b4e3dcbSSimon L. B. Nielsen mask |= SSL_kECDH|SSL_kECDHE; 3723b4e3dcbSSimon L. B. Nielsen #endif 37374664626SKris Kennaway #ifdef SSL_FORBID_ENULL 37474664626SKris Kennaway mask |= SSL_eNULL; 37574664626SKris Kennaway #endif 37674664626SKris Kennaway 37774664626SKris Kennaway mask |= (ssl_cipher_methods[SSL_ENC_DES_IDX ] == NULL) ? SSL_DES :0; 37874664626SKris Kennaway mask |= (ssl_cipher_methods[SSL_ENC_3DES_IDX] == NULL) ? SSL_3DES:0; 37974664626SKris Kennaway mask |= (ssl_cipher_methods[SSL_ENC_RC4_IDX ] == NULL) ? SSL_RC4 :0; 38074664626SKris Kennaway mask |= (ssl_cipher_methods[SSL_ENC_RC2_IDX ] == NULL) ? SSL_RC2 :0; 38174664626SKris Kennaway mask |= (ssl_cipher_methods[SSL_ENC_IDEA_IDX] == NULL) ? SSL_IDEA:0; 38274664626SKris Kennaway mask |= (ssl_cipher_methods[SSL_ENC_eFZA_IDX] == NULL) ? SSL_eFZA:0; 3835c87c606SMark Murray mask |= (ssl_cipher_methods[SSL_ENC_AES128_IDX] == NULL) ? SSL_AES:0; 38474664626SKris Kennaway 38574664626SKris Kennaway mask |= (ssl_digest_methods[SSL_MD_MD5_IDX ] == NULL) ? SSL_MD5 :0; 38674664626SKris Kennaway mask |= (ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL) ? SSL_SHA1:0; 38774664626SKris Kennaway 388f579bf8eSKris Kennaway return(mask); 389f579bf8eSKris Kennaway } 390f579bf8eSKris Kennaway 391f579bf8eSKris Kennaway static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method, 392ced566fdSJacques Vidrine int num_of_ciphers, unsigned long mask, CIPHER_ORDER *co_list, 393f579bf8eSKris Kennaway CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) 394f579bf8eSKris Kennaway { 395ced566fdSJacques Vidrine int i, co_list_num; 396f579bf8eSKris Kennaway SSL_CIPHER *c; 397f579bf8eSKris Kennaway 398f579bf8eSKris Kennaway /* 399f579bf8eSKris Kennaway * We have num_of_ciphers descriptions compiled in, depending on the 400f579bf8eSKris Kennaway * method selected (SSLv2 and/or SSLv3, TLSv1 etc). 401f579bf8eSKris Kennaway * These will later be sorted in a linked list with at most num 402f579bf8eSKris Kennaway * entries. 403f579bf8eSKris Kennaway */ 40474664626SKris Kennaway 40574664626SKris Kennaway /* Get the initial list of ciphers */ 406ced566fdSJacques Vidrine co_list_num = 0; /* actual count of ciphers */ 407f579bf8eSKris Kennaway for (i = 0; i < num_of_ciphers; i++) 40874664626SKris Kennaway { 409f579bf8eSKris Kennaway c = ssl_method->get_cipher(i); 41074664626SKris Kennaway /* drop those that use any of that is not available */ 41174664626SKris Kennaway if ((c != NULL) && c->valid && !(c->algorithms & mask)) 41274664626SKris Kennaway { 413ced566fdSJacques Vidrine co_list[co_list_num].cipher = c; 414ced566fdSJacques Vidrine co_list[co_list_num].next = NULL; 415ced566fdSJacques Vidrine co_list[co_list_num].prev = NULL; 416ced566fdSJacques Vidrine co_list[co_list_num].active = 0; 417ced566fdSJacques Vidrine co_list_num++; 4185c87c606SMark Murray #ifdef KSSL_DEBUG 4195c87c606SMark Murray printf("\t%d: %s %lx %lx\n",i,c->name,c->id,c->algorithms); 4205c87c606SMark Murray #endif /* KSSL_DEBUG */ 421f579bf8eSKris Kennaway /* 42274664626SKris Kennaway if (!sk_push(ca_list,(char *)c)) goto err; 423f579bf8eSKris Kennaway */ 42474664626SKris Kennaway } 42574664626SKris Kennaway } 42674664626SKris Kennaway 427f579bf8eSKris Kennaway /* 428f579bf8eSKris Kennaway * Prepare linked list from list entries 429f579bf8eSKris Kennaway */ 430ced566fdSJacques Vidrine for (i = 1; i < co_list_num - 1; i++) 43174664626SKris Kennaway { 432ced566fdSJacques Vidrine co_list[i].prev = &(co_list[i-1]); 433ced566fdSJacques Vidrine co_list[i].next = &(co_list[i+1]); 43474664626SKris Kennaway } 435ced566fdSJacques Vidrine if (co_list_num > 0) 43674664626SKris Kennaway { 437ced566fdSJacques Vidrine (*head_p) = &(co_list[0]); 438f579bf8eSKris Kennaway (*head_p)->prev = NULL; 439ced566fdSJacques Vidrine (*head_p)->next = &(co_list[1]); 440ced566fdSJacques Vidrine (*tail_p) = &(co_list[co_list_num - 1]); 441ced566fdSJacques Vidrine (*tail_p)->prev = &(co_list[co_list_num - 2]); 442f579bf8eSKris Kennaway (*tail_p)->next = NULL; 443f579bf8eSKris Kennaway } 44474664626SKris Kennaway } 44574664626SKris Kennaway 446f579bf8eSKris Kennaway static void ssl_cipher_collect_aliases(SSL_CIPHER **ca_list, 447f579bf8eSKris Kennaway int num_of_group_aliases, unsigned long mask, 448f579bf8eSKris Kennaway CIPHER_ORDER *head) 44974664626SKris Kennaway { 450f579bf8eSKris Kennaway CIPHER_ORDER *ciph_curr; 451f579bf8eSKris Kennaway SSL_CIPHER **ca_curr; 452f579bf8eSKris Kennaway int i; 453f579bf8eSKris Kennaway 454f579bf8eSKris Kennaway /* 455f579bf8eSKris Kennaway * First, add the real ciphers as already collected 456f579bf8eSKris Kennaway */ 457f579bf8eSKris Kennaway ciph_curr = head; 458f579bf8eSKris Kennaway ca_curr = ca_list; 459f579bf8eSKris Kennaway while (ciph_curr != NULL) 460f579bf8eSKris Kennaway { 461f579bf8eSKris Kennaway *ca_curr = ciph_curr->cipher; 462f579bf8eSKris Kennaway ca_curr++; 463f579bf8eSKris Kennaway ciph_curr = ciph_curr->next; 46474664626SKris Kennaway } 46574664626SKris Kennaway 466f579bf8eSKris Kennaway /* 467f579bf8eSKris Kennaway * Now we add the available ones from the cipher_aliases[] table. 468f579bf8eSKris Kennaway * They represent either an algorithm, that must be fully 469f579bf8eSKris Kennaway * supported (not match any bit in mask) or represent a cipher 470f579bf8eSKris Kennaway * strength value (will be added in any case because algorithms=0). 471f579bf8eSKris Kennaway */ 472f579bf8eSKris Kennaway for (i = 0; i < num_of_group_aliases; i++) 47374664626SKris Kennaway { 474f579bf8eSKris Kennaway if ((i == 0) || /* always fetch "ALL" */ 475f579bf8eSKris Kennaway !(cipher_aliases[i].algorithms & mask)) 47674664626SKris Kennaway { 477f579bf8eSKris Kennaway *ca_curr = (SSL_CIPHER *)(cipher_aliases + i); 478f579bf8eSKris Kennaway ca_curr++; 47974664626SKris Kennaway } 480f579bf8eSKris Kennaway } 48174664626SKris Kennaway 482f579bf8eSKris Kennaway *ca_curr = NULL; /* end of list */ 483f579bf8eSKris Kennaway } 484f579bf8eSKris Kennaway 4853b4e3dcbSSimon L. B. Nielsen static void ssl_cipher_apply_rule(unsigned long cipher_id, 4863b4e3dcbSSimon L. B. Nielsen unsigned long algorithms, unsigned long mask, 487f579bf8eSKris Kennaway unsigned long algo_strength, unsigned long mask_strength, 488ced566fdSJacques Vidrine int rule, int strength_bits, CIPHER_ORDER *co_list, 489f579bf8eSKris Kennaway CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) 49074664626SKris Kennaway { 491f579bf8eSKris Kennaway CIPHER_ORDER *head, *tail, *curr, *curr2, *tail2; 492f579bf8eSKris Kennaway SSL_CIPHER *cp; 493f579bf8eSKris Kennaway unsigned long ma, ma_s; 494f579bf8eSKris Kennaway 495f579bf8eSKris Kennaway #ifdef CIPHER_DEBUG 496f579bf8eSKris Kennaway printf("Applying rule %d with %08lx %08lx %08lx %08lx (%d)\n", 497f579bf8eSKris Kennaway rule, algorithms, mask, algo_strength, mask_strength, 498f579bf8eSKris Kennaway strength_bits); 49974664626SKris Kennaway #endif 50074664626SKris Kennaway 501f579bf8eSKris Kennaway curr = head = *head_p; 50274664626SKris Kennaway curr2 = head; 503f579bf8eSKris Kennaway tail2 = tail = *tail_p; 50474664626SKris Kennaway for (;;) 50574664626SKris Kennaway { 50674664626SKris Kennaway if ((curr == NULL) || (curr == tail2)) break; 50774664626SKris Kennaway curr = curr2; 50874664626SKris Kennaway curr2 = curr->next; 50974664626SKris Kennaway 51074664626SKris Kennaway cp = curr->cipher; 511f579bf8eSKris Kennaway 5123b4e3dcbSSimon L. B. Nielsen /* If explicit cipher suite match that one only */ 5133b4e3dcbSSimon L. B. Nielsen 5143b4e3dcbSSimon L. B. Nielsen if (cipher_id) 5153b4e3dcbSSimon L. B. Nielsen { 5163b4e3dcbSSimon L. B. Nielsen if (cp->id != cipher_id) 5173b4e3dcbSSimon L. B. Nielsen continue; 5183b4e3dcbSSimon L. B. Nielsen } 5193b4e3dcbSSimon L. B. Nielsen 520f579bf8eSKris Kennaway /* 521f579bf8eSKris Kennaway * Selection criteria is either the number of strength_bits 522f579bf8eSKris Kennaway * or the algorithm used. 523f579bf8eSKris Kennaway */ 5243b4e3dcbSSimon L. B. Nielsen else if (strength_bits == -1) 52574664626SKris Kennaway { 526f579bf8eSKris Kennaway ma = mask & cp->algorithms; 527f579bf8eSKris Kennaway ma_s = mask_strength & cp->algo_strength; 528f579bf8eSKris Kennaway 529f579bf8eSKris Kennaway #ifdef CIPHER_DEBUG 530f579bf8eSKris Kennaway printf("\nName: %s:\nAlgo = %08lx Algo_strength = %08lx\nMask = %08lx Mask_strength %08lx\n", cp->name, cp->algorithms, cp->algo_strength, mask, mask_strength); 531f579bf8eSKris Kennaway printf("ma = %08lx ma_s %08lx, ma&algo=%08lx, ma_s&algos=%08lx\n", ma, ma_s, ma&algorithms, ma_s&algo_strength); 532f579bf8eSKris Kennaway #endif 533f579bf8eSKris Kennaway /* 534f579bf8eSKris Kennaway * Select: if none of the mask bit was met from the 535f579bf8eSKris Kennaway * cipher or not all of the bits were met, the 536f579bf8eSKris Kennaway * selection does not apply. 537f579bf8eSKris Kennaway */ 538f579bf8eSKris Kennaway if (((ma == 0) && (ma_s == 0)) || 539f579bf8eSKris Kennaway ((ma & algorithms) != ma) || 540f579bf8eSKris Kennaway ((ma_s & algo_strength) != ma_s)) 541f579bf8eSKris Kennaway continue; /* does not apply */ 54274664626SKris Kennaway } 543f579bf8eSKris Kennaway else if (strength_bits != cp->strength_bits) 544f579bf8eSKris Kennaway continue; /* does not apply */ 545f579bf8eSKris Kennaway 546f579bf8eSKris Kennaway #ifdef CIPHER_DEBUG 547f579bf8eSKris Kennaway printf("Action = %d\n", rule); 548f579bf8eSKris Kennaway #endif 54974664626SKris Kennaway 55074664626SKris Kennaway /* add the cipher if it has not been added yet. */ 551f579bf8eSKris Kennaway if (rule == CIPHER_ADD) 55274664626SKris Kennaway { 55374664626SKris Kennaway if (!curr->active) 55474664626SKris Kennaway { 55574664626SKris Kennaway ll_append_tail(&head, curr, &tail); 55674664626SKris Kennaway curr->active = 1; 55774664626SKris Kennaway } 55874664626SKris Kennaway } 55974664626SKris Kennaway /* Move the added cipher to this location */ 560f579bf8eSKris Kennaway else if (rule == CIPHER_ORD) 56174664626SKris Kennaway { 56274664626SKris Kennaway if (curr->active) 56374664626SKris Kennaway { 56474664626SKris Kennaway ll_append_tail(&head, curr, &tail); 56574664626SKris Kennaway } 56674664626SKris Kennaway } 567f579bf8eSKris Kennaway else if (rule == CIPHER_DEL) 56874664626SKris Kennaway curr->active = 0; 569f579bf8eSKris Kennaway else if (rule == CIPHER_KILL) 57074664626SKris Kennaway { 57174664626SKris Kennaway if (head == curr) 57274664626SKris Kennaway head = curr->next; 57374664626SKris Kennaway else 57474664626SKris Kennaway curr->prev->next = curr->next; 57574664626SKris Kennaway if (tail == curr) 57674664626SKris Kennaway tail = curr->prev; 57774664626SKris Kennaway curr->active = 0; 57874664626SKris Kennaway if (curr->next != NULL) 57974664626SKris Kennaway curr->next->prev = curr->prev; 58074664626SKris Kennaway if (curr->prev != NULL) 58174664626SKris Kennaway curr->prev->next = curr->next; 58274664626SKris Kennaway curr->next = NULL; 58374664626SKris Kennaway curr->prev = NULL; 58474664626SKris Kennaway } 58574664626SKris Kennaway } 586f579bf8eSKris Kennaway 587f579bf8eSKris Kennaway *head_p = head; 588f579bf8eSKris Kennaway *tail_p = tail; 58974664626SKris Kennaway } 59074664626SKris Kennaway 591ced566fdSJacques Vidrine static int ssl_cipher_strength_sort(CIPHER_ORDER *co_list, 592ced566fdSJacques Vidrine CIPHER_ORDER **head_p, 593f579bf8eSKris Kennaway CIPHER_ORDER **tail_p) 594f579bf8eSKris Kennaway { 595f579bf8eSKris Kennaway int max_strength_bits, i, *number_uses; 596f579bf8eSKris Kennaway CIPHER_ORDER *curr; 597f579bf8eSKris Kennaway 598f579bf8eSKris Kennaway /* 599f579bf8eSKris Kennaway * This routine sorts the ciphers with descending strength. The sorting 600f579bf8eSKris Kennaway * must keep the pre-sorted sequence, so we apply the normal sorting 601f579bf8eSKris Kennaway * routine as '+' movement to the end of the list. 602f579bf8eSKris Kennaway */ 603f579bf8eSKris Kennaway max_strength_bits = 0; 604f579bf8eSKris Kennaway curr = *head_p; 605f579bf8eSKris Kennaway while (curr != NULL) 606f579bf8eSKris Kennaway { 607f579bf8eSKris Kennaway if (curr->active && 608f579bf8eSKris Kennaway (curr->cipher->strength_bits > max_strength_bits)) 609f579bf8eSKris Kennaway max_strength_bits = curr->cipher->strength_bits; 610f579bf8eSKris Kennaway curr = curr->next; 611f579bf8eSKris Kennaway } 612f579bf8eSKris Kennaway 613ddd58736SKris Kennaway number_uses = OPENSSL_malloc((max_strength_bits + 1) * sizeof(int)); 614f579bf8eSKris Kennaway if (!number_uses) 615f579bf8eSKris Kennaway { 616f579bf8eSKris Kennaway SSLerr(SSL_F_SSL_CIPHER_STRENGTH_SORT,ERR_R_MALLOC_FAILURE); 617f579bf8eSKris Kennaway return(0); 618f579bf8eSKris Kennaway } 619f579bf8eSKris Kennaway memset(number_uses, 0, (max_strength_bits + 1) * sizeof(int)); 620f579bf8eSKris Kennaway 621f579bf8eSKris Kennaway /* 622f579bf8eSKris Kennaway * Now find the strength_bits values actually used 623f579bf8eSKris Kennaway */ 624f579bf8eSKris Kennaway curr = *head_p; 625f579bf8eSKris Kennaway while (curr != NULL) 626f579bf8eSKris Kennaway { 627f579bf8eSKris Kennaway if (curr->active) 628f579bf8eSKris Kennaway number_uses[curr->cipher->strength_bits]++; 629f579bf8eSKris Kennaway curr = curr->next; 630f579bf8eSKris Kennaway } 631f579bf8eSKris Kennaway /* 632f579bf8eSKris Kennaway * Go through the list of used strength_bits values in descending 633f579bf8eSKris Kennaway * order. 634f579bf8eSKris Kennaway */ 635f579bf8eSKris Kennaway for (i = max_strength_bits; i >= 0; i--) 636f579bf8eSKris Kennaway if (number_uses[i] > 0) 6373b4e3dcbSSimon L. B. Nielsen ssl_cipher_apply_rule(0, 0, 0, 0, 0, CIPHER_ORD, i, 638ced566fdSJacques Vidrine co_list, head_p, tail_p); 639f579bf8eSKris Kennaway 640ddd58736SKris Kennaway OPENSSL_free(number_uses); 641f579bf8eSKris Kennaway return(1); 642f579bf8eSKris Kennaway } 643f579bf8eSKris Kennaway 644f579bf8eSKris Kennaway static int ssl_cipher_process_rulestr(const char *rule_str, 645ced566fdSJacques Vidrine CIPHER_ORDER *co_list, CIPHER_ORDER **head_p, 646f579bf8eSKris Kennaway CIPHER_ORDER **tail_p, SSL_CIPHER **ca_list) 647f579bf8eSKris Kennaway { 648f579bf8eSKris Kennaway unsigned long algorithms, mask, algo_strength, mask_strength; 649f579bf8eSKris Kennaway const char *l, *start, *buf; 650f579bf8eSKris Kennaway int j, multi, found, rule, retval, ok, buflen; 6513b4e3dcbSSimon L. B. Nielsen unsigned long cipher_id; 652f579bf8eSKris Kennaway char ch; 653f579bf8eSKris Kennaway 654f579bf8eSKris Kennaway retval = 1; 655f579bf8eSKris Kennaway l = rule_str; 656f579bf8eSKris Kennaway for (;;) 657f579bf8eSKris Kennaway { 658f579bf8eSKris Kennaway ch = *l; 659f579bf8eSKris Kennaway 660f579bf8eSKris Kennaway if (ch == '\0') 661f579bf8eSKris Kennaway break; /* done */ 662f579bf8eSKris Kennaway if (ch == '-') 663f579bf8eSKris Kennaway { rule = CIPHER_DEL; l++; } 664f579bf8eSKris Kennaway else if (ch == '+') 665f579bf8eSKris Kennaway { rule = CIPHER_ORD; l++; } 666f579bf8eSKris Kennaway else if (ch == '!') 667f579bf8eSKris Kennaway { rule = CIPHER_KILL; l++; } 668f579bf8eSKris Kennaway else if (ch == '@') 669f579bf8eSKris Kennaway { rule = CIPHER_SPECIAL; l++; } 670f579bf8eSKris Kennaway else 671f579bf8eSKris Kennaway { rule = CIPHER_ADD; } 672f579bf8eSKris Kennaway 673f579bf8eSKris Kennaway if (ITEM_SEP(ch)) 674f579bf8eSKris Kennaway { 675f579bf8eSKris Kennaway l++; 676f579bf8eSKris Kennaway continue; 677f579bf8eSKris Kennaway } 678f579bf8eSKris Kennaway 679f579bf8eSKris Kennaway algorithms = mask = algo_strength = mask_strength = 0; 680f579bf8eSKris Kennaway 681f579bf8eSKris Kennaway start=l; 682f579bf8eSKris Kennaway for (;;) 683f579bf8eSKris Kennaway { 684f579bf8eSKris Kennaway ch = *l; 685f579bf8eSKris Kennaway buf = l; 686f579bf8eSKris Kennaway buflen = 0; 687f579bf8eSKris Kennaway #ifndef CHARSET_EBCDIC 688f579bf8eSKris Kennaway while ( ((ch >= 'A') && (ch <= 'Z')) || 689f579bf8eSKris Kennaway ((ch >= '0') && (ch <= '9')) || 690f579bf8eSKris Kennaway ((ch >= 'a') && (ch <= 'z')) || 691f579bf8eSKris Kennaway (ch == '-')) 692f579bf8eSKris Kennaway #else 693f579bf8eSKris Kennaway while ( isalnum(ch) || (ch == '-')) 694f579bf8eSKris Kennaway #endif 695f579bf8eSKris Kennaway { 696f579bf8eSKris Kennaway ch = *(++l); 697f579bf8eSKris Kennaway buflen++; 698f579bf8eSKris Kennaway } 699f579bf8eSKris Kennaway 700f579bf8eSKris Kennaway if (buflen == 0) 701f579bf8eSKris Kennaway { 702f579bf8eSKris Kennaway /* 703f579bf8eSKris Kennaway * We hit something we cannot deal with, 704f579bf8eSKris Kennaway * it is no command or separator nor 705f579bf8eSKris Kennaway * alphanumeric, so we call this an error. 706f579bf8eSKris Kennaway */ 707f579bf8eSKris Kennaway SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, 708f579bf8eSKris Kennaway SSL_R_INVALID_COMMAND); 709f579bf8eSKris Kennaway retval = found = 0; 710f579bf8eSKris Kennaway l++; 711f579bf8eSKris Kennaway break; 712f579bf8eSKris Kennaway } 713f579bf8eSKris Kennaway 714f579bf8eSKris Kennaway if (rule == CIPHER_SPECIAL) 715f579bf8eSKris Kennaway { 716f579bf8eSKris Kennaway found = 0; /* unused -- avoid compiler warning */ 717f579bf8eSKris Kennaway break; /* special treatment */ 718f579bf8eSKris Kennaway } 719f579bf8eSKris Kennaway 720f579bf8eSKris Kennaway /* check for multi-part specification */ 721f579bf8eSKris Kennaway if (ch == '+') 722f579bf8eSKris Kennaway { 723f579bf8eSKris Kennaway multi=1; 724f579bf8eSKris Kennaway l++; 725f579bf8eSKris Kennaway } 726f579bf8eSKris Kennaway else 727f579bf8eSKris Kennaway multi=0; 728f579bf8eSKris Kennaway 729f579bf8eSKris Kennaway /* 730f579bf8eSKris Kennaway * Now search for the cipher alias in the ca_list. Be careful 731f579bf8eSKris Kennaway * with the strncmp, because the "buflen" limitation 732f579bf8eSKris Kennaway * will make the rule "ADH:SOME" and the cipher 733f579bf8eSKris Kennaway * "ADH-MY-CIPHER" look like a match for buflen=3. 734f579bf8eSKris Kennaway * So additionally check whether the cipher name found 735f579bf8eSKris Kennaway * has the correct length. We can save a strlen() call: 736f579bf8eSKris Kennaway * just checking for the '\0' at the right place is 73750ef0093SJacques Vidrine * sufficient, we have to strncmp() anyway. (We cannot 73850ef0093SJacques Vidrine * use strcmp(), because buf is not '\0' terminated.) 739f579bf8eSKris Kennaway */ 740f579bf8eSKris Kennaway j = found = 0; 7413b4e3dcbSSimon L. B. Nielsen cipher_id = 0; 742f579bf8eSKris Kennaway while (ca_list[j]) 743f579bf8eSKris Kennaway { 74450ef0093SJacques Vidrine if (!strncmp(buf, ca_list[j]->name, buflen) && 74550ef0093SJacques Vidrine (ca_list[j]->name[buflen] == '\0')) 746f579bf8eSKris Kennaway { 747f579bf8eSKris Kennaway found = 1; 748f579bf8eSKris Kennaway break; 749f579bf8eSKris Kennaway } 750f579bf8eSKris Kennaway else 751f579bf8eSKris Kennaway j++; 752f579bf8eSKris Kennaway } 753f579bf8eSKris Kennaway if (!found) 754f579bf8eSKris Kennaway break; /* ignore this entry */ 755f579bf8eSKris Kennaway 7563b4e3dcbSSimon L. B. Nielsen if (ca_list[j]->valid) 7573b4e3dcbSSimon L. B. Nielsen { 7583b4e3dcbSSimon L. B. Nielsen cipher_id = ca_list[j]->id; 7593b4e3dcbSSimon L. B. Nielsen break; 7603b4e3dcbSSimon L. B. Nielsen } 7613b4e3dcbSSimon L. B. Nielsen 7623b4e3dcbSSimon L. B. Nielsen /* New algorithms: 7633b4e3dcbSSimon L. B. Nielsen * 1 - any old restrictions apply outside new mask 7643b4e3dcbSSimon L. B. Nielsen * 2 - any new restrictions apply outside old mask 7653b4e3dcbSSimon L. B. Nielsen * 3 - enforce old & new where masks intersect 7663b4e3dcbSSimon L. B. Nielsen */ 7673b4e3dcbSSimon L. B. Nielsen algorithms = (algorithms & ~ca_list[j]->mask) | /* 1 */ 7683b4e3dcbSSimon L. B. Nielsen (ca_list[j]->algorithms & ~mask) | /* 2 */ 7693b4e3dcbSSimon L. B. Nielsen (algorithms & ca_list[j]->algorithms); /* 3 */ 770f579bf8eSKris Kennaway mask |= ca_list[j]->mask; 7713b4e3dcbSSimon L. B. Nielsen algo_strength = (algo_strength & ~ca_list[j]->mask_strength) | 7723b4e3dcbSSimon L. B. Nielsen (ca_list[j]->algo_strength & ~mask_strength) | 7733b4e3dcbSSimon L. B. Nielsen (algo_strength & ca_list[j]->algo_strength); 774f579bf8eSKris Kennaway mask_strength |= ca_list[j]->mask_strength; 775f579bf8eSKris Kennaway 776f579bf8eSKris Kennaway if (!multi) break; 777f579bf8eSKris Kennaway } 778f579bf8eSKris Kennaway 779f579bf8eSKris Kennaway /* 780f579bf8eSKris Kennaway * Ok, we have the rule, now apply it 781f579bf8eSKris Kennaway */ 782f579bf8eSKris Kennaway if (rule == CIPHER_SPECIAL) 783f579bf8eSKris Kennaway { /* special command */ 784f579bf8eSKris Kennaway ok = 0; 785f579bf8eSKris Kennaway if ((buflen == 8) && 786f579bf8eSKris Kennaway !strncmp(buf, "STRENGTH", 8)) 787ced566fdSJacques Vidrine ok = ssl_cipher_strength_sort(co_list, 788f579bf8eSKris Kennaway head_p, tail_p); 789f579bf8eSKris Kennaway else 790f579bf8eSKris Kennaway SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, 791f579bf8eSKris Kennaway SSL_R_INVALID_COMMAND); 792f579bf8eSKris Kennaway if (ok == 0) 793f579bf8eSKris Kennaway retval = 0; 794f579bf8eSKris Kennaway /* 795f579bf8eSKris Kennaway * We do not support any "multi" options 796f579bf8eSKris Kennaway * together with "@", so throw away the 797f579bf8eSKris Kennaway * rest of the command, if any left, until 798f579bf8eSKris Kennaway * end or ':' is found. 799f579bf8eSKris Kennaway */ 800f579bf8eSKris Kennaway while ((*l != '\0') && ITEM_SEP(*l)) 801f579bf8eSKris Kennaway l++; 802f579bf8eSKris Kennaway } 803f579bf8eSKris Kennaway else if (found) 804f579bf8eSKris Kennaway { 8053b4e3dcbSSimon L. B. Nielsen ssl_cipher_apply_rule(cipher_id, algorithms, mask, 806f579bf8eSKris Kennaway algo_strength, mask_strength, rule, -1, 807ced566fdSJacques Vidrine co_list, head_p, tail_p); 808f579bf8eSKris Kennaway } 809f579bf8eSKris Kennaway else 810f579bf8eSKris Kennaway { 811f579bf8eSKris Kennaway while ((*l != '\0') && ITEM_SEP(*l)) 812f579bf8eSKris Kennaway l++; 813f579bf8eSKris Kennaway } 814f579bf8eSKris Kennaway if (*l == '\0') break; /* done */ 815f579bf8eSKris Kennaway } 816f579bf8eSKris Kennaway 817f579bf8eSKris Kennaway return(retval); 818f579bf8eSKris Kennaway } 819f579bf8eSKris Kennaway 820f579bf8eSKris Kennaway STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, 821f579bf8eSKris Kennaway STACK_OF(SSL_CIPHER) **cipher_list, 822f579bf8eSKris Kennaway STACK_OF(SSL_CIPHER) **cipher_list_by_id, 823f579bf8eSKris Kennaway const char *rule_str) 824f579bf8eSKris Kennaway { 825f579bf8eSKris Kennaway int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases; 826f579bf8eSKris Kennaway unsigned long disabled_mask; 8273b4e3dcbSSimon L. B. Nielsen STACK_OF(SSL_CIPHER) *cipherstack, *tmp_cipher_list; 828f579bf8eSKris Kennaway const char *rule_p; 829ced566fdSJacques Vidrine CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr; 830f579bf8eSKris Kennaway SSL_CIPHER **ca_list = NULL; 831f579bf8eSKris Kennaway 832f579bf8eSKris Kennaway /* 833f579bf8eSKris Kennaway * Return with error if nothing to do. 834f579bf8eSKris Kennaway */ 8353b4e3dcbSSimon L. B. Nielsen if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL) 8363b4e3dcbSSimon L. B. Nielsen return NULL; 837f579bf8eSKris Kennaway 838f579bf8eSKris Kennaway /* 839f579bf8eSKris Kennaway * To reduce the work to do we only want to process the compiled 840f579bf8eSKris Kennaway * in algorithms, so we first get the mask of disabled ciphers. 841f579bf8eSKris Kennaway */ 842f579bf8eSKris Kennaway disabled_mask = ssl_cipher_get_disabled(); 843f579bf8eSKris Kennaway 844f579bf8eSKris Kennaway /* 845f579bf8eSKris Kennaway * Now we have to collect the available ciphers from the compiled 846f579bf8eSKris Kennaway * in ciphers. We cannot get more than the number compiled in, so 847f579bf8eSKris Kennaway * it is used for allocation. 848f579bf8eSKris Kennaway */ 849f579bf8eSKris Kennaway num_of_ciphers = ssl_method->num_ciphers(); 8505c87c606SMark Murray #ifdef KSSL_DEBUG 8515c87c606SMark Murray printf("ssl_create_cipher_list() for %d ciphers\n", num_of_ciphers); 8525c87c606SMark Murray #endif /* KSSL_DEBUG */ 853ced566fdSJacques Vidrine co_list = (CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * num_of_ciphers); 854ced566fdSJacques Vidrine if (co_list == NULL) 855f579bf8eSKris Kennaway { 856f579bf8eSKris Kennaway SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE); 857f579bf8eSKris Kennaway return(NULL); /* Failure */ 858f579bf8eSKris Kennaway } 859f579bf8eSKris Kennaway 860f579bf8eSKris Kennaway ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers, disabled_mask, 861ced566fdSJacques Vidrine co_list, &head, &tail); 862f579bf8eSKris Kennaway 863f579bf8eSKris Kennaway /* 864f579bf8eSKris Kennaway * We also need cipher aliases for selecting based on the rule_str. 865f579bf8eSKris Kennaway * There might be two types of entries in the rule_str: 1) names 866f579bf8eSKris Kennaway * of ciphers themselves 2) aliases for groups of ciphers. 867f579bf8eSKris Kennaway * For 1) we need the available ciphers and for 2) the cipher 868f579bf8eSKris Kennaway * groups of cipher_aliases added together in one list (otherwise 869f579bf8eSKris Kennaway * we would be happy with just the cipher_aliases table). 870f579bf8eSKris Kennaway */ 871f579bf8eSKris Kennaway num_of_group_aliases = sizeof(cipher_aliases) / sizeof(SSL_CIPHER); 872f579bf8eSKris Kennaway num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1; 873f579bf8eSKris Kennaway ca_list = 874ddd58736SKris Kennaway (SSL_CIPHER **)OPENSSL_malloc(sizeof(SSL_CIPHER *) * num_of_alias_max); 875f579bf8eSKris Kennaway if (ca_list == NULL) 876f579bf8eSKris Kennaway { 877ced566fdSJacques Vidrine OPENSSL_free(co_list); 878f579bf8eSKris Kennaway SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE); 879f579bf8eSKris Kennaway return(NULL); /* Failure */ 880f579bf8eSKris Kennaway } 881f579bf8eSKris Kennaway ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, disabled_mask, 882f579bf8eSKris Kennaway head); 883f579bf8eSKris Kennaway 884f579bf8eSKris Kennaway /* 885f579bf8eSKris Kennaway * If the rule_string begins with DEFAULT, apply the default rule 886f579bf8eSKris Kennaway * before using the (possibly available) additional rules. 887f579bf8eSKris Kennaway */ 888f579bf8eSKris Kennaway ok = 1; 889f579bf8eSKris Kennaway rule_p = rule_str; 890f579bf8eSKris Kennaway if (strncmp(rule_str,"DEFAULT",7) == 0) 891f579bf8eSKris Kennaway { 892f579bf8eSKris Kennaway ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST, 893ced566fdSJacques Vidrine co_list, &head, &tail, ca_list); 894f579bf8eSKris Kennaway rule_p += 7; 895f579bf8eSKris Kennaway if (*rule_p == ':') 896f579bf8eSKris Kennaway rule_p++; 897f579bf8eSKris Kennaway } 898f579bf8eSKris Kennaway 899f579bf8eSKris Kennaway if (ok && (strlen(rule_p) > 0)) 900ced566fdSJacques Vidrine ok = ssl_cipher_process_rulestr(rule_p, co_list, &head, &tail, 901f579bf8eSKris Kennaway ca_list); 902f579bf8eSKris Kennaway 903ddd58736SKris Kennaway OPENSSL_free(ca_list); /* Not needed anymore */ 904f579bf8eSKris Kennaway 905f579bf8eSKris Kennaway if (!ok) 906f579bf8eSKris Kennaway { /* Rule processing failure */ 907ced566fdSJacques Vidrine OPENSSL_free(co_list); 908f579bf8eSKris Kennaway return(NULL); 909f579bf8eSKris Kennaway } 910f579bf8eSKris Kennaway /* 911f579bf8eSKris Kennaway * Allocate new "cipherstack" for the result, return with error 912f579bf8eSKris Kennaway * if we cannot get one. 913f579bf8eSKris Kennaway */ 914ddd58736SKris Kennaway if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) 915f579bf8eSKris Kennaway { 916ced566fdSJacques Vidrine OPENSSL_free(co_list); 917f579bf8eSKris Kennaway return(NULL); 918f579bf8eSKris Kennaway } 919f579bf8eSKris Kennaway 920f579bf8eSKris Kennaway /* 921f579bf8eSKris Kennaway * The cipher selection for the list is done. The ciphers are added 922f579bf8eSKris Kennaway * to the resulting precedence to the STACK_OF(SSL_CIPHER). 923f579bf8eSKris Kennaway */ 92474664626SKris Kennaway for (curr = head; curr != NULL; curr = curr->next) 92574664626SKris Kennaway { 92674664626SKris Kennaway if (curr->active) 92774664626SKris Kennaway { 928f579bf8eSKris Kennaway sk_SSL_CIPHER_push(cipherstack, curr->cipher); 92974664626SKris Kennaway #ifdef CIPHER_DEBUG 93074664626SKris Kennaway printf("<%s>\n",curr->cipher->name); 93174664626SKris Kennaway #endif 93274664626SKris Kennaway } 93374664626SKris Kennaway } 934ced566fdSJacques Vidrine OPENSSL_free(co_list); /* Not needed any longer */ 93574664626SKris Kennaway 9363b4e3dcbSSimon L. B. Nielsen tmp_cipher_list = sk_SSL_CIPHER_dup(cipherstack); 9373b4e3dcbSSimon L. B. Nielsen if (tmp_cipher_list == NULL) 93874664626SKris Kennaway { 9393b4e3dcbSSimon L. B. Nielsen sk_SSL_CIPHER_free(cipherstack); 9403b4e3dcbSSimon L. B. Nielsen return NULL; 9413b4e3dcbSSimon L. B. Nielsen } 94274664626SKris Kennaway if (*cipher_list != NULL) 94374664626SKris Kennaway sk_SSL_CIPHER_free(*cipher_list); 944f579bf8eSKris Kennaway *cipher_list = cipherstack; 94574664626SKris Kennaway if (*cipher_list_by_id != NULL) 94674664626SKris Kennaway sk_SSL_CIPHER_free(*cipher_list_by_id); 9473b4e3dcbSSimon L. B. Nielsen *cipher_list_by_id = tmp_cipher_list; 94874664626SKris Kennaway sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id,ssl_cipher_ptr_id_cmp); 94974664626SKris Kennaway 950f579bf8eSKris Kennaway return(cipherstack); 95174664626SKris Kennaway } 95274664626SKris Kennaway 95374664626SKris Kennaway char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len) 95474664626SKris Kennaway { 95574664626SKris Kennaway int is_export,pkl,kl; 9563b4e3dcbSSimon L. B. Nielsen const char *ver,*exp_str; 9573b4e3dcbSSimon L. B. Nielsen const char *kx,*au,*enc,*mac; 958f579bf8eSKris Kennaway unsigned long alg,alg2,alg_s; 9595c87c606SMark Murray #ifdef KSSL_DEBUG 9603b4e3dcbSSimon L. B. Nielsen static const char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s AL=%lx\n"; 9615c87c606SMark Murray #else 9623b4e3dcbSSimon L. B. Nielsen static const char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s\n"; 9635c87c606SMark Murray #endif /* KSSL_DEBUG */ 96474664626SKris Kennaway 96574664626SKris Kennaway alg=cipher->algorithms; 966f579bf8eSKris Kennaway alg_s=cipher->algo_strength; 96774664626SKris Kennaway alg2=cipher->algorithm2; 96874664626SKris Kennaway 969f579bf8eSKris Kennaway is_export=SSL_C_IS_EXPORT(cipher); 970f579bf8eSKris Kennaway pkl=SSL_C_EXPORT_PKEYLENGTH(cipher); 971f579bf8eSKris Kennaway kl=SSL_C_EXPORT_KEYLENGTH(cipher); 972ced566fdSJacques Vidrine exp_str=is_export?" export":""; 97374664626SKris Kennaway 97474664626SKris Kennaway if (alg & SSL_SSLV2) 97574664626SKris Kennaway ver="SSLv2"; 97674664626SKris Kennaway else if (alg & SSL_SSLV3) 97774664626SKris Kennaway ver="SSLv3"; 97874664626SKris Kennaway else 97974664626SKris Kennaway ver="unknown"; 98074664626SKris Kennaway 98174664626SKris Kennaway switch (alg&SSL_MKEY_MASK) 98274664626SKris Kennaway { 98374664626SKris Kennaway case SSL_kRSA: 98474664626SKris Kennaway kx=is_export?(pkl == 512 ? "RSA(512)" : "RSA(1024)"):"RSA"; 98574664626SKris Kennaway break; 98674664626SKris Kennaway case SSL_kDHr: 98774664626SKris Kennaway kx="DH/RSA"; 98874664626SKris Kennaway break; 98974664626SKris Kennaway case SSL_kDHd: 99074664626SKris Kennaway kx="DH/DSS"; 99174664626SKris Kennaway break; 9925c87c606SMark Murray case SSL_kKRB5: /* VRS */ 9935c87c606SMark Murray case SSL_KRB5: /* VRS */ 9945c87c606SMark Murray kx="KRB5"; 9955c87c606SMark Murray break; 99674664626SKris Kennaway case SSL_kFZA: 99774664626SKris Kennaway kx="Fortezza"; 99874664626SKris Kennaway break; 99974664626SKris Kennaway case SSL_kEDH: 100074664626SKris Kennaway kx=is_export?(pkl == 512 ? "DH(512)" : "DH(1024)"):"DH"; 100174664626SKris Kennaway break; 10023b4e3dcbSSimon L. B. Nielsen case SSL_kECDH: 10033b4e3dcbSSimon L. B. Nielsen case SSL_kECDHE: 10043b4e3dcbSSimon L. B. Nielsen kx=is_export?"ECDH(<=163)":"ECDH"; 10053b4e3dcbSSimon L. B. Nielsen break; 100674664626SKris Kennaway default: 100774664626SKris Kennaway kx="unknown"; 100874664626SKris Kennaway } 100974664626SKris Kennaway 101074664626SKris Kennaway switch (alg&SSL_AUTH_MASK) 101174664626SKris Kennaway { 101274664626SKris Kennaway case SSL_aRSA: 101374664626SKris Kennaway au="RSA"; 101474664626SKris Kennaway break; 101574664626SKris Kennaway case SSL_aDSS: 101674664626SKris Kennaway au="DSS"; 101774664626SKris Kennaway break; 101874664626SKris Kennaway case SSL_aDH: 101974664626SKris Kennaway au="DH"; 102074664626SKris Kennaway break; 10215c87c606SMark Murray case SSL_aKRB5: /* VRS */ 10225c87c606SMark Murray case SSL_KRB5: /* VRS */ 10235c87c606SMark Murray au="KRB5"; 10245c87c606SMark Murray break; 102574664626SKris Kennaway case SSL_aFZA: 102674664626SKris Kennaway case SSL_aNULL: 102774664626SKris Kennaway au="None"; 102874664626SKris Kennaway break; 10293b4e3dcbSSimon L. B. Nielsen case SSL_aECDSA: 10303b4e3dcbSSimon L. B. Nielsen au="ECDSA"; 10313b4e3dcbSSimon L. B. Nielsen break; 103274664626SKris Kennaway default: 103374664626SKris Kennaway au="unknown"; 103474664626SKris Kennaway break; 103574664626SKris Kennaway } 103674664626SKris Kennaway 103774664626SKris Kennaway switch (alg&SSL_ENC_MASK) 103874664626SKris Kennaway { 103974664626SKris Kennaway case SSL_DES: 104074664626SKris Kennaway enc=(is_export && kl == 5)?"DES(40)":"DES(56)"; 104174664626SKris Kennaway break; 104274664626SKris Kennaway case SSL_3DES: 104374664626SKris Kennaway enc="3DES(168)"; 104474664626SKris Kennaway break; 104574664626SKris Kennaway case SSL_RC4: 104674664626SKris Kennaway enc=is_export?(kl == 5 ? "RC4(40)" : "RC4(56)") 104774664626SKris Kennaway :((alg2&SSL2_CF_8_BYTE_ENC)?"RC4(64)":"RC4(128)"); 104874664626SKris Kennaway break; 104974664626SKris Kennaway case SSL_RC2: 105074664626SKris Kennaway enc=is_export?(kl == 5 ? "RC2(40)" : "RC2(56)"):"RC2(128)"; 105174664626SKris Kennaway break; 105274664626SKris Kennaway case SSL_IDEA: 105374664626SKris Kennaway enc="IDEA(128)"; 105474664626SKris Kennaway break; 105574664626SKris Kennaway case SSL_eFZA: 105674664626SKris Kennaway enc="Fortezza"; 105774664626SKris Kennaway break; 105874664626SKris Kennaway case SSL_eNULL: 105974664626SKris Kennaway enc="None"; 106074664626SKris Kennaway break; 10615c87c606SMark Murray case SSL_AES: 10625c87c606SMark Murray switch(cipher->strength_bits) 10635c87c606SMark Murray { 10645c87c606SMark Murray case 128: enc="AES(128)"; break; 10655c87c606SMark Murray case 192: enc="AES(192)"; break; 10665c87c606SMark Murray case 256: enc="AES(256)"; break; 10675c87c606SMark Murray default: enc="AES(?""?""?)"; break; 10685c87c606SMark Murray } 10695c87c606SMark Murray break; 107074664626SKris Kennaway default: 107174664626SKris Kennaway enc="unknown"; 107274664626SKris Kennaway break; 107374664626SKris Kennaway } 107474664626SKris Kennaway 107574664626SKris Kennaway switch (alg&SSL_MAC_MASK) 107674664626SKris Kennaway { 107774664626SKris Kennaway case SSL_MD5: 107874664626SKris Kennaway mac="MD5"; 107974664626SKris Kennaway break; 108074664626SKris Kennaway case SSL_SHA1: 108174664626SKris Kennaway mac="SHA1"; 108274664626SKris Kennaway break; 108374664626SKris Kennaway default: 108474664626SKris Kennaway mac="unknown"; 108574664626SKris Kennaway break; 108674664626SKris Kennaway } 108774664626SKris Kennaway 108874664626SKris Kennaway if (buf == NULL) 108974664626SKris Kennaway { 1090ddd58736SKris Kennaway len=128; 1091ddd58736SKris Kennaway buf=OPENSSL_malloc(len); 1092ddd58736SKris Kennaway if (buf == NULL) return("OPENSSL_malloc Error"); 109374664626SKris Kennaway } 109474664626SKris Kennaway else if (len < 128) 109574664626SKris Kennaway return("Buffer too small"); 109674664626SKris Kennaway 10975c87c606SMark Murray #ifdef KSSL_DEBUG 1098ced566fdSJacques Vidrine BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp_str,alg); 10995c87c606SMark Murray #else 1100ced566fdSJacques Vidrine BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp_str); 11015c87c606SMark Murray #endif /* KSSL_DEBUG */ 110274664626SKris Kennaway return(buf); 110374664626SKris Kennaway } 110474664626SKris Kennaway 11053b4e3dcbSSimon L. B. Nielsen char *SSL_CIPHER_get_version(const SSL_CIPHER *c) 110674664626SKris Kennaway { 110774664626SKris Kennaway int i; 110874664626SKris Kennaway 110974664626SKris Kennaway if (c == NULL) return("(NONE)"); 111074664626SKris Kennaway i=(int)(c->id>>24L); 111174664626SKris Kennaway if (i == 3) 111274664626SKris Kennaway return("TLSv1/SSLv3"); 111374664626SKris Kennaway else if (i == 2) 111474664626SKris Kennaway return("SSLv2"); 111574664626SKris Kennaway else 111674664626SKris Kennaway return("unknown"); 111774664626SKris Kennaway } 111874664626SKris Kennaway 111974664626SKris Kennaway /* return the actual cipher being used */ 11203b4e3dcbSSimon L. B. Nielsen const char *SSL_CIPHER_get_name(const SSL_CIPHER *c) 112174664626SKris Kennaway { 112274664626SKris Kennaway if (c != NULL) 112374664626SKris Kennaway return(c->name); 112474664626SKris Kennaway return("(NONE)"); 112574664626SKris Kennaway } 112674664626SKris Kennaway 1127f579bf8eSKris Kennaway /* number of bits for symmetric cipher */ 11283b4e3dcbSSimon L. B. Nielsen int SSL_CIPHER_get_bits(const SSL_CIPHER *c, int *alg_bits) 112974664626SKris Kennaway { 1130f579bf8eSKris Kennaway int ret=0; 113174664626SKris Kennaway 113274664626SKris Kennaway if (c != NULL) 113374664626SKris Kennaway { 1134f579bf8eSKris Kennaway if (alg_bits != NULL) *alg_bits = c->alg_bits; 1135f579bf8eSKris Kennaway ret = c->strength_bits; 113674664626SKris Kennaway } 113774664626SKris Kennaway return(ret); 113874664626SKris Kennaway } 113974664626SKris Kennaway 114074664626SKris Kennaway SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n) 114174664626SKris Kennaway { 114274664626SKris Kennaway SSL_COMP *ctmp; 114374664626SKris Kennaway int i,nn; 114474664626SKris Kennaway 114574664626SKris Kennaway if ((n == 0) || (sk == NULL)) return(NULL); 114674664626SKris Kennaway nn=sk_SSL_COMP_num(sk); 114774664626SKris Kennaway for (i=0; i<nn; i++) 114874664626SKris Kennaway { 114974664626SKris Kennaway ctmp=sk_SSL_COMP_value(sk,i); 115074664626SKris Kennaway if (ctmp->id == n) 115174664626SKris Kennaway return(ctmp); 115274664626SKris Kennaway } 115374664626SKris Kennaway return(NULL); 115474664626SKris Kennaway } 115574664626SKris Kennaway 11563b4e3dcbSSimon L. B. Nielsen #ifdef OPENSSL_NO_COMP 11573b4e3dcbSSimon L. B. Nielsen void *SSL_COMP_get_compression_methods(void) 115874664626SKris Kennaway { 11593b4e3dcbSSimon L. B. Nielsen return NULL; 11603b4e3dcbSSimon L. B. Nielsen } 11613b4e3dcbSSimon L. B. Nielsen int SSL_COMP_add_compression_method(int id, void *cm) 11623b4e3dcbSSimon L. B. Nielsen { 11633b4e3dcbSSimon L. B. Nielsen return 1; 116474664626SKris Kennaway } 116574664626SKris Kennaway 11663b4e3dcbSSimon L. B. Nielsen const char *SSL_COMP_get_name(const void *comp) 11673b4e3dcbSSimon L. B. Nielsen { 11683b4e3dcbSSimon L. B. Nielsen return NULL; 11693b4e3dcbSSimon L. B. Nielsen } 11703b4e3dcbSSimon L. B. Nielsen #else 117174664626SKris Kennaway STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void) 117274664626SKris Kennaway { 11733b4e3dcbSSimon L. B. Nielsen load_builtin_compressions(); 117474664626SKris Kennaway return(ssl_comp_methods); 117574664626SKris Kennaway } 117674664626SKris Kennaway 117774664626SKris Kennaway int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm) 117874664626SKris Kennaway { 117974664626SKris Kennaway SSL_COMP *comp; 118074664626SKris Kennaway 11815c87c606SMark Murray if (cm == NULL || cm->type == NID_undef) 11825c87c606SMark Murray return 1; 11835c87c606SMark Murray 11843b4e3dcbSSimon L. B. Nielsen /* According to draft-ietf-tls-compression-04.txt, the 11853b4e3dcbSSimon L. B. Nielsen compression number ranges should be the following: 11863b4e3dcbSSimon L. B. Nielsen 11873b4e3dcbSSimon L. B. Nielsen 0 to 63: methods defined by the IETF 11883b4e3dcbSSimon L. B. Nielsen 64 to 192: external party methods assigned by IANA 11893b4e3dcbSSimon L. B. Nielsen 193 to 255: reserved for private use */ 11903b4e3dcbSSimon L. B. Nielsen if (id < 193 || id > 255) 11913b4e3dcbSSimon L. B. Nielsen { 11923b4e3dcbSSimon L. B. Nielsen SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE); 11933b4e3dcbSSimon L. B. Nielsen return 0; 11943b4e3dcbSSimon L. B. Nielsen } 11953b4e3dcbSSimon L. B. Nielsen 11965c87c606SMark Murray MemCheck_off(); 1197ddd58736SKris Kennaway comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP)); 119874664626SKris Kennaway comp->id=id; 119974664626SKris Kennaway comp->method=cm; 12003b4e3dcbSSimon L. B. Nielsen load_builtin_compressions(); 12013b4e3dcbSSimon L. B. Nielsen if (ssl_comp_methods 12023b4e3dcbSSimon L. B. Nielsen && !sk_SSL_COMP_find(ssl_comp_methods,comp)) 120374664626SKris Kennaway { 12043b4e3dcbSSimon L. B. Nielsen OPENSSL_free(comp); 12053b4e3dcbSSimon L. B. Nielsen MemCheck_on(); 12063b4e3dcbSSimon L. B. Nielsen SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,SSL_R_DUPLICATE_COMPRESSION_ID); 12073b4e3dcbSSimon L. B. Nielsen return(1); 12083b4e3dcbSSimon L. B. Nielsen } 12093b4e3dcbSSimon L. B. Nielsen else if ((ssl_comp_methods == NULL) 12103b4e3dcbSSimon L. B. Nielsen || !sk_SSL_COMP_push(ssl_comp_methods,comp)) 12113b4e3dcbSSimon L. B. Nielsen { 12123b4e3dcbSSimon L. B. Nielsen OPENSSL_free(comp); 12135c87c606SMark Murray MemCheck_on(); 121474664626SKris Kennaway SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,ERR_R_MALLOC_FAILURE); 1215ced566fdSJacques Vidrine return(1); 121674664626SKris Kennaway } 121774664626SKris Kennaway else 12185c87c606SMark Murray { 12195c87c606SMark Murray MemCheck_on(); 1220ced566fdSJacques Vidrine return(0); 122174664626SKris Kennaway } 12225c87c606SMark Murray } 12233b4e3dcbSSimon L. B. Nielsen 12243b4e3dcbSSimon L. B. Nielsen const char *SSL_COMP_get_name(const COMP_METHOD *comp) 12253b4e3dcbSSimon L. B. Nielsen { 12263b4e3dcbSSimon L. B. Nielsen if (comp) 12273b4e3dcbSSimon L. B. Nielsen return comp->name; 12283b4e3dcbSSimon L. B. Nielsen return NULL; 12293b4e3dcbSSimon L. B. Nielsen } 12303b4e3dcbSSimon L. B. Nielsen 12313b4e3dcbSSimon L. B. Nielsen #endif 1232