]>
Commit | Line | Data |
---|---|---|
d02b48c6 | 1 | /* ssl/ssl_ciph.c */ |
58964a49 | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
d02b48c6 RE |
3 | * All rights reserved. |
4 | * | |
5 | * This package is an SSL implementation written | |
6 | * by Eric Young (eay@cryptsoft.com). | |
7 | * The implementation was written so as to conform with Netscapes SSL. | |
8 | * | |
9 | * This library is free for commercial and non-commercial use as long as | |
10 | * the following conditions are aheared to. The following conditions | |
11 | * apply to all code found in this distribution, be it the RC4, RSA, | |
12 | * lhash, DES, etc., code; not just the SSL code. The SSL documentation | |
13 | * included with this distribution is covered by the same copyright terms | |
14 | * except that the holder is Tim Hudson (tjh@cryptsoft.com). | |
15 | * | |
16 | * Copyright remains Eric Young's, and as such any Copyright notices in | |
17 | * the code are not to be removed. | |
18 | * If this package is used in a product, Eric Young should be given attribution | |
19 | * as the author of the parts of the library used. | |
20 | * This can be in the form of a textual message at program startup or | |
21 | * in documentation (online or textual) provided with the package. | |
22 | * | |
23 | * Redistribution and use in source and binary forms, with or without | |
24 | * modification, are permitted provided that the following conditions | |
25 | * are met: | |
26 | * 1. Redistributions of source code must retain the copyright | |
27 | * notice, this list of conditions and the following disclaimer. | |
28 | * 2. Redistributions in binary form must reproduce the above copyright | |
29 | * notice, this list of conditions and the following disclaimer in the | |
30 | * documentation and/or other materials provided with the distribution. | |
31 | * 3. All advertising materials mentioning features or use of this software | |
32 | * must display the following acknowledgement: | |
33 | * "This product includes cryptographic software written by | |
34 | * Eric Young (eay@cryptsoft.com)" | |
35 | * The word 'cryptographic' can be left out if the rouines from the library | |
36 | * being used are not cryptographic related :-). | |
37 | * 4. If you include any Windows specific code (or a derivative thereof) from | |
38 | * the apps directory (application code) you must include an acknowledgement: | |
39 | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" | |
40 | * | |
41 | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND | |
42 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
43 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
44 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE | |
45 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
46 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |
47 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
48 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | |
49 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | |
50 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |
51 | * SUCH DAMAGE. | |
52 | * | |
53 | * The licence and distribution terms for any publically available version or | |
54 | * derivative of this code cannot be changed. i.e. this code cannot simply be | |
55 | * copied and put under another distribution licence | |
56 | * [including the GNU Public Licence.] | |
57 | */ | |
58 | ||
59 | #include <stdio.h> | |
ec577822 BM |
60 | #include <openssl/objects.h> |
61 | #include <openssl/comp.h> | |
d02b48c6 RE |
62 | #include "ssl_locl.h" |
63 | ||
64 | #define SSL_ENC_DES_IDX 0 | |
65 | #define SSL_ENC_3DES_IDX 1 | |
66 | #define SSL_ENC_RC4_IDX 2 | |
67 | #define SSL_ENC_RC2_IDX 3 | |
68 | #define SSL_ENC_IDEA_IDX 4 | |
69 | #define SSL_ENC_eFZA_IDX 5 | |
70 | #define SSL_ENC_NULL_IDX 6 | |
71 | #define SSL_ENC_NUM_IDX 7 | |
72 | ||
e778802f | 73 | static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX]={ |
d02b48c6 RE |
74 | NULL,NULL,NULL,NULL,NULL,NULL, |
75 | }; | |
76 | ||
f73e07cf | 77 | static STACK_OF(SSL_COMP) *ssl_comp_methods=NULL; |
413c4f45 | 78 | |
d02b48c6 | 79 | #define SSL_MD_MD5_IDX 0 |
58964a49 RE |
80 | #define SSL_MD_SHA1_IDX 1 |
81 | #define SSL_MD_NUM_IDX 2 | |
e778802f | 82 | static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX]={ |
58964a49 | 83 | NULL,NULL, |
d02b48c6 RE |
84 | }; |
85 | ||
d02b48c6 RE |
86 | #define CIPHER_ADD 1 |
87 | #define CIPHER_KILL 2 | |
88 | #define CIPHER_DEL 3 | |
58964a49 | 89 | #define CIPHER_ORD 4 |
018e57c7 | 90 | #define CIPHER_SPECIAL 5 |
d02b48c6 | 91 | |
58964a49 RE |
92 | typedef struct cipher_order_st |
93 | { | |
94 | SSL_CIPHER *cipher; | |
95 | int active; | |
96 | int dead; | |
97 | struct cipher_order_st *next,*prev; | |
98 | } CIPHER_ORDER; | |
99 | ||
018e57c7 | 100 | static const SSL_CIPHER cipher_aliases[]={ |
bc420ac5 | 101 | /* Don't include eNULL unless specifically enabled */ |
018e57c7 DSH |
102 | {0,SSL_TXT_ALL, 0,SSL_ALL & ~SSL_eNULL, SSL_ALL ,0,0,0,SSL_ALL,SSL_ALL}, /* must be first */ |
103 | {0,SSL_TXT_kRSA,0,SSL_kRSA, 0,0,0,0,SSL_MKEY_MASK,0}, | |
104 | {0,SSL_TXT_kDHr,0,SSL_kDHr, 0,0,0,0,SSL_MKEY_MASK,0}, | |
105 | {0,SSL_TXT_kDHd,0,SSL_kDHd, 0,0,0,0,SSL_MKEY_MASK,0}, | |
106 | {0,SSL_TXT_kEDH,0,SSL_kEDH, 0,0,0,0,SSL_MKEY_MASK,0}, | |
107 | {0,SSL_TXT_kFZA,0,SSL_kFZA, 0,0,0,0,SSL_MKEY_MASK,0}, | |
108 | {0,SSL_TXT_DH, 0,SSL_DH, 0,0,0,0,SSL_MKEY_MASK,0}, | |
109 | {0,SSL_TXT_EDH, 0,SSL_EDH, 0,0,0,0,SSL_MKEY_MASK|SSL_AUTH_MASK,0}, | |
110 | ||
111 | {0,SSL_TXT_aRSA,0,SSL_aRSA, 0,0,0,0,SSL_AUTH_MASK,0}, | |
112 | {0,SSL_TXT_aDSS,0,SSL_aDSS, 0,0,0,0,SSL_AUTH_MASK,0}, | |
113 | {0,SSL_TXT_aFZA,0,SSL_aFZA, 0,0,0,0,SSL_AUTH_MASK,0}, | |
114 | {0,SSL_TXT_aNULL,0,SSL_aNULL,0,0,0,0,SSL_AUTH_MASK,0}, | |
115 | {0,SSL_TXT_aDH, 0,SSL_aDH, 0,0,0,0,SSL_AUTH_MASK,0}, | |
116 | {0,SSL_TXT_DSS, 0,SSL_DSS, 0,0,0,0,SSL_AUTH_MASK,0}, | |
117 | ||
118 | {0,SSL_TXT_DES, 0,SSL_DES, 0,0,0,0,SSL_ENC_MASK,0}, | |
119 | {0,SSL_TXT_3DES,0,SSL_3DES, 0,0,0,0,SSL_ENC_MASK,0}, | |
120 | {0,SSL_TXT_RC4, 0,SSL_RC4, 0,0,0,0,SSL_ENC_MASK,0}, | |
121 | {0,SSL_TXT_RC2, 0,SSL_RC2, 0,0,0,0,SSL_ENC_MASK,0}, | |
122 | {0,SSL_TXT_IDEA,0,SSL_IDEA, 0,0,0,0,SSL_ENC_MASK,0}, | |
123 | {0,SSL_TXT_eNULL,0,SSL_eNULL,0,0,0,0,SSL_ENC_MASK,0}, | |
124 | {0,SSL_TXT_eFZA,0,SSL_eFZA, 0,0,0,0,SSL_ENC_MASK,0}, | |
125 | ||
126 | {0,SSL_TXT_MD5, 0,SSL_MD5, 0,0,0,0,SSL_MAC_MASK,0}, | |
127 | {0,SSL_TXT_SHA1,0,SSL_SHA1, 0,0,0,0,SSL_MAC_MASK,0}, | |
128 | {0,SSL_TXT_SHA, 0,SSL_SHA, 0,0,0,0,SSL_MAC_MASK,0}, | |
129 | ||
130 | {0,SSL_TXT_NULL,0,SSL_NULL, 0,0,0,0,SSL_ENC_MASK,0}, | |
131 | {0,SSL_TXT_RSA, 0,SSL_RSA, 0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0}, | |
132 | {0,SSL_TXT_ADH, 0,SSL_ADH, 0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0}, | |
133 | {0,SSL_TXT_FZA, 0,SSL_FZA, 0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK|SSL_ENC_MASK,0}, | |
134 | ||
135 | {0,SSL_TXT_SSLV2, 0,SSL_SSLV2, 0,0,0,0,SSL_SSL_MASK,0}, | |
136 | {0,SSL_TXT_SSLV3, 0,SSL_SSLV3, 0,0,0,0,SSL_SSL_MASK,0}, | |
137 | {0,SSL_TXT_TLSV1, 0,SSL_TLSV1, 0,0,0,0,SSL_SSL_MASK,0}, | |
138 | ||
139 | {0,SSL_TXT_EXP ,0, 0,SSL_EXPORT, 0,0,0,0,SSL_EXP_MASK}, | |
140 | {0,SSL_TXT_EXPORT,0, 0,SSL_EXPORT, 0,0,0,0,SSL_EXP_MASK}, | |
141 | {0,SSL_TXT_EXP40, 0, 0, SSL_EXP40, 0,0,0,0,SSL_STRONG_MASK}, | |
142 | {0,SSL_TXT_EXP56, 0, 0, SSL_EXP56, 0,0,0,0,SSL_STRONG_MASK}, | |
143 | {0,SSL_TXT_LOW, 0, 0, SSL_LOW, 0,0,0,0,SSL_STRONG_MASK}, | |
144 | {0,SSL_TXT_MEDIUM,0, 0,SSL_MEDIUM, 0,0,0,0,SSL_STRONG_MASK}, | |
145 | {0,SSL_TXT_HIGH, 0, 0, SSL_HIGH, 0,0,0,0,SSL_STRONG_MASK}, | |
d02b48c6 RE |
146 | }; |
147 | ||
148 | static int init_ciphers=1; | |
d02b48c6 | 149 | |
6b691a5c | 150 | static void load_ciphers(void) |
d02b48c6 RE |
151 | { |
152 | init_ciphers=0; | |
153 | ssl_cipher_methods[SSL_ENC_DES_IDX]= | |
154 | EVP_get_cipherbyname(SN_des_cbc); | |
155 | ssl_cipher_methods[SSL_ENC_3DES_IDX]= | |
156 | EVP_get_cipherbyname(SN_des_ede3_cbc); | |
157 | ssl_cipher_methods[SSL_ENC_RC4_IDX]= | |
158 | EVP_get_cipherbyname(SN_rc4); | |
159 | ssl_cipher_methods[SSL_ENC_RC2_IDX]= | |
160 | EVP_get_cipherbyname(SN_rc2_cbc); | |
161 | ssl_cipher_methods[SSL_ENC_IDEA_IDX]= | |
162 | EVP_get_cipherbyname(SN_idea_cbc); | |
163 | ||
164 | ssl_digest_methods[SSL_MD_MD5_IDX]= | |
165 | EVP_get_digestbyname(SN_md5); | |
d02b48c6 RE |
166 | ssl_digest_methods[SSL_MD_SHA1_IDX]= |
167 | EVP_get_digestbyname(SN_sha1); | |
168 | } | |
169 | ||
6b691a5c UM |
170 | int ssl_cipher_get_evp(SSL_SESSION *s, const EVP_CIPHER **enc, |
171 | const EVP_MD **md, SSL_COMP **comp) | |
d02b48c6 RE |
172 | { |
173 | int i; | |
413c4f45 | 174 | SSL_CIPHER *c; |
d02b48c6 | 175 | |
413c4f45 | 176 | c=s->cipher; |
d02b48c6 | 177 | if (c == NULL) return(0); |
413c4f45 MC |
178 | if (comp != NULL) |
179 | { | |
180 | SSL_COMP ctmp; | |
181 | ||
182 | if (s->compress_meth == 0) | |
183 | *comp=NULL; | |
184 | else if (ssl_comp_methods == NULL) | |
185 | { | |
186 | /* bad */ | |
187 | *comp=NULL; | |
188 | } | |
189 | else | |
190 | { | |
191 | ||
192 | ctmp.id=s->compress_meth; | |
f73e07cf | 193 | i=sk_SSL_COMP_find(ssl_comp_methods,&ctmp); |
413c4f45 | 194 | if (i >= 0) |
f73e07cf | 195 | *comp=sk_SSL_COMP_value(ssl_comp_methods,i); |
413c4f45 MC |
196 | else |
197 | *comp=NULL; | |
198 | } | |
199 | } | |
200 | ||
201 | if ((enc == NULL) || (md == NULL)) return(0); | |
d02b48c6 RE |
202 | |
203 | switch (c->algorithms & SSL_ENC_MASK) | |
204 | { | |
205 | case SSL_DES: | |
206 | i=SSL_ENC_DES_IDX; | |
207 | break; | |
208 | case SSL_3DES: | |
209 | i=SSL_ENC_3DES_IDX; | |
210 | break; | |
211 | case SSL_RC4: | |
212 | i=SSL_ENC_RC4_IDX; | |
213 | break; | |
214 | case SSL_RC2: | |
215 | i=SSL_ENC_RC2_IDX; | |
216 | break; | |
217 | case SSL_IDEA: | |
218 | i=SSL_ENC_IDEA_IDX; | |
219 | break; | |
220 | case SSL_eNULL: | |
221 | i=SSL_ENC_NULL_IDX; | |
222 | break; | |
d02b48c6 RE |
223 | default: |
224 | i= -1; | |
225 | break; | |
226 | } | |
227 | ||
228 | if ((i < 0) || (i > SSL_ENC_NUM_IDX)) | |
229 | *enc=NULL; | |
230 | else | |
231 | { | |
232 | if (i == SSL_ENC_NULL_IDX) | |
233 | *enc=EVP_enc_null(); | |
234 | else | |
235 | *enc=ssl_cipher_methods[i]; | |
236 | } | |
237 | ||
238 | switch (c->algorithms & SSL_MAC_MASK) | |
239 | { | |
240 | case SSL_MD5: | |
241 | i=SSL_MD_MD5_IDX; | |
242 | break; | |
d02b48c6 RE |
243 | case SSL_SHA1: |
244 | i=SSL_MD_SHA1_IDX; | |
245 | break; | |
246 | default: | |
247 | i= -1; | |
248 | break; | |
249 | } | |
250 | if ((i < 0) || (i > SSL_MD_NUM_IDX)) | |
251 | *md=NULL; | |
252 | else | |
253 | *md=ssl_digest_methods[i]; | |
254 | ||
255 | if ((*enc != NULL) && (*md != NULL)) | |
256 | return(1); | |
257 | else | |
258 | return(0); | |
259 | } | |
260 | ||
58964a49 RE |
261 | #define ITEM_SEP(a) \ |
262 | (((a) == ':') || ((a) == ' ') || ((a) == ';') || ((a) == ',')) | |
263 | ||
6b691a5c UM |
264 | static void ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr, |
265 | CIPHER_ORDER **tail) | |
58964a49 RE |
266 | { |
267 | if (curr == *tail) return; | |
268 | if (curr == *head) | |
269 | *head=curr->next; | |
270 | if (curr->prev != NULL) | |
271 | curr->prev->next=curr->next; | |
272 | if (curr->next != NULL) /* should always be true */ | |
273 | curr->next->prev=curr->prev; | |
274 | (*tail)->next=curr; | |
275 | curr->prev= *tail; | |
276 | curr->next=NULL; | |
277 | *tail=curr; | |
278 | } | |
279 | ||
018e57c7 | 280 | static unsigned long ssl_cipher_get_disabled(void) |
d02b48c6 | 281 | { |
018e57c7 | 282 | unsigned long mask; |
d02b48c6 | 283 | |
018e57c7 | 284 | mask = SSL_kFZA; |
d02b48c6 | 285 | #ifdef NO_RSA |
018e57c7 | 286 | mask |= SSL_aRSA|SSL_kRSA; |
d02b48c6 RE |
287 | #endif |
288 | #ifdef NO_DSA | |
018e57c7 | 289 | mask |= SSL_aDSS; |
d02b48c6 RE |
290 | #endif |
291 | #ifdef NO_DH | |
018e57c7 | 292 | mask |= SSL_kDHr|SSL_kDHd|SSL_kEDH|SSL_aDH; |
d02b48c6 RE |
293 | #endif |
294 | ||
988788f6 | 295 | #ifdef SSL_FORBID_ENULL |
018e57c7 | 296 | mask |= SSL_eNULL; |
d02b48c6 RE |
297 | #endif |
298 | ||
018e57c7 DSH |
299 | mask |= (ssl_cipher_methods[SSL_ENC_DES_IDX ] == NULL) ? SSL_DES :0; |
300 | mask |= (ssl_cipher_methods[SSL_ENC_3DES_IDX] == NULL) ? SSL_3DES:0; | |
301 | mask |= (ssl_cipher_methods[SSL_ENC_RC4_IDX ] == NULL) ? SSL_RC4 :0; | |
302 | mask |= (ssl_cipher_methods[SSL_ENC_RC2_IDX ] == NULL) ? SSL_RC2 :0; | |
303 | mask |= (ssl_cipher_methods[SSL_ENC_IDEA_IDX] == NULL) ? SSL_IDEA:0; | |
304 | mask |= (ssl_cipher_methods[SSL_ENC_eFZA_IDX] == NULL) ? SSL_eFZA:0; | |
d02b48c6 | 305 | |
018e57c7 DSH |
306 | mask |= (ssl_digest_methods[SSL_MD_MD5_IDX ] == NULL) ? SSL_MD5 :0; |
307 | mask |= (ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL) ? SSL_SHA1:0; | |
d02b48c6 | 308 | |
018e57c7 DSH |
309 | return(mask); |
310 | } | |
311 | ||
312 | static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method, | |
313 | int num_of_ciphers, unsigned long mask, CIPHER_ORDER *list, | |
314 | CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) | |
315 | { | |
316 | unsigned int i, list_num; | |
317 | SSL_CIPHER *c; | |
318 | ||
319 | /* | |
320 | * We have num_of_ciphers descriptions compiled in, depending on the | |
321 | * method selected (SSLv2 and/or SSLv3, TLSv1 etc). | |
322 | * These will later be sorted in a linked list with at most num | |
323 | * entries. | |
324 | */ | |
58964a49 | 325 | |
d02b48c6 | 326 | /* Get the initial list of ciphers */ |
018e57c7 DSH |
327 | list_num = 0; /* actual count of ciphers */ |
328 | for (i = 0; i < num_of_ciphers; i++) | |
d02b48c6 | 329 | { |
018e57c7 | 330 | c = ssl_method->get_cipher(i); |
d02b48c6 RE |
331 | /* drop those that use any of that is not available */ |
332 | if ((c != NULL) && c->valid && !(c->algorithms & mask)) | |
333 | { | |
018e57c7 DSH |
334 | list[list_num].cipher = c; |
335 | list[list_num].next = NULL; | |
336 | list[list_num].prev = NULL; | |
337 | list[list_num].active = 0; | |
58964a49 | 338 | list_num++; |
018e57c7 | 339 | /* |
d02b48c6 | 340 | if (!sk_push(ca_list,(char *)c)) goto err; |
018e57c7 | 341 | */ |
d02b48c6 RE |
342 | } |
343 | } | |
018e57c7 DSH |
344 | |
345 | /* | |
346 | * Prepare linked list from list entries | |
347 | */ | |
348 | for (i = 1; i < list_num - 1; i++) | |
58964a49 | 349 | { |
018e57c7 DSH |
350 | list[i].prev = &(list[i-1]); |
351 | list[i].next = &(list[i+1]); | |
58964a49 RE |
352 | } |
353 | if (list_num > 0) | |
354 | { | |
018e57c7 DSH |
355 | (*head_p) = &(list[0]); |
356 | (*head_p)->prev = NULL; | |
357 | (*head_p)->next = &(list[1]); | |
358 | (*tail_p) = &(list[list_num - 1]); | |
359 | (*tail_p)->prev = &(list[list_num - 2]); | |
360 | (*tail_p)->next = NULL; | |
58964a49 | 361 | } |
018e57c7 | 362 | } |
d02b48c6 | 363 | |
018e57c7 DSH |
364 | static void ssl_cipher_collect_aliases(SSL_CIPHER **ca_list, |
365 | int num_of_group_aliases, unsigned long mask, | |
366 | CIPHER_ORDER *head) | |
367 | { | |
368 | CIPHER_ORDER *ciph_curr; | |
369 | SSL_CIPHER **ca_curr; | |
370 | int i; | |
d02b48c6 | 371 | |
018e57c7 DSH |
372 | /* |
373 | * First, add the real ciphers as already collected | |
374 | */ | |
375 | ciph_curr = head; | |
376 | ca_curr = ca_list; | |
377 | while (ciph_curr != NULL) | |
d02b48c6 | 378 | { |
018e57c7 DSH |
379 | *ca_curr = ciph_curr->cipher; |
380 | ca_curr++; | |
381 | ciph_curr = ciph_curr->next; | |
d02b48c6 RE |
382 | } |
383 | ||
018e57c7 DSH |
384 | /* |
385 | * Now we add the available ones from the cipher_aliases[] table. | |
386 | * They represent either an algorithm, that must be fully | |
387 | * supported (not match any bit in mask) or represent a cipher | |
388 | * strength value (will be added in any case because algorithms=0). | |
389 | */ | |
390 | for (i = 0; i < num_of_group_aliases; i++) | |
391 | { | |
392 | if ((i == 0) || /* always fetch "ALL" */ | |
393 | !(cipher_aliases[i].algorithms & mask)) | |
394 | { | |
395 | *ca_curr = (SSL_CIPHER *)(cipher_aliases + i); | |
396 | ca_curr++; | |
397 | } | |
398 | } | |
d02b48c6 | 399 | |
018e57c7 DSH |
400 | *ca_curr = NULL; /* end of list */ |
401 | } | |
d02b48c6 | 402 | |
018e57c7 DSH |
403 | static void ssl_cipher_apply_rule(unsigned long algorithms, unsigned long mask, |
404 | unsigned long algo_strength, unsigned long mask_strength, | |
405 | int rule, int strength_bits, CIPHER_ORDER *list, | |
406 | CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) | |
407 | { | |
408 | CIPHER_ORDER *head, *tail, *curr, *curr2, *tail2; | |
409 | SSL_CIPHER *cp; | |
410 | unsigned long ma, ma_s; | |
411 | ||
412 | #ifdef CIPHER_DEBUG | |
413 | printf("Applying rule %d with %08lx %08lx %08lx %08lx (%d)\n", | |
414 | rule, algorithms, mask, algo_strength, mask_strength, | |
415 | strength_bits); | |
416 | #endif | |
d02b48c6 | 417 | |
018e57c7 DSH |
418 | curr = head = *head_p; |
419 | curr2 = head; | |
420 | tail2 = tail = *tail_p; | |
d02b48c6 RE |
421 | for (;;) |
422 | { | |
018e57c7 DSH |
423 | if ((curr == NULL) || (curr == tail2)) break; |
424 | curr = curr2; | |
425 | curr2 = curr->next; | |
426 | ||
427 | cp = curr->cipher; | |
428 | ||
429 | /* | |
430 | * Selection criteria is either the number of strength_bits | |
431 | * or the algorithm used. | |
432 | */ | |
433 | if (strength_bits == -1) | |
434 | { | |
435 | ma = mask & cp->algorithms; | |
436 | ma_s = mask_strength & cp->algo_strength; | |
437 | ||
438 | #ifdef CIPHER_DEBUG | |
439 | printf("\nName: %s:\nAlgo = %08lx Algo_strength = %08lx\nMask = %08lx Mask_strength %08lx\n", cp->name, cp->algorithms, cp->algo_strength, mask, mask_strength); | |
440 | printf("ma = %08lx ma_s %08lx, ma&algo=%08lx, ma_s&algos=%08lx\n", ma, ma_s, ma&algorithms, ma_s&algo_strength); | |
441 | #endif | |
442 | /* | |
443 | * Select: if none of the mask bit was met from the | |
444 | * cipher or not all of the bits were met, the | |
445 | * selection does not apply. | |
446 | */ | |
447 | if (((ma == 0) && (ma_s == 0)) || | |
448 | ((ma & algorithms) != ma) || | |
449 | ((ma_s & algo_strength) != ma_s)) | |
450 | continue; /* does not apply */ | |
451 | } | |
452 | else if (strength_bits != cp->strength_bits) | |
453 | continue; /* does not apply */ | |
454 | ||
455 | #ifdef CIPHER_DEBUG | |
456 | printf("Action = %d\n", rule); | |
457 | #endif | |
458 | ||
459 | /* add the cipher if it has not been added yet. */ | |
460 | if (rule == CIPHER_ADD) | |
461 | { | |
462 | if (!curr->active) | |
463 | { | |
464 | ll_append_tail(&head, curr, &tail); | |
465 | curr->active = 1; | |
466 | } | |
467 | } | |
468 | /* Move the added cipher to this location */ | |
469 | else if (rule == CIPHER_ORD) | |
470 | { | |
471 | if (curr->active) | |
472 | { | |
473 | ll_append_tail(&head, curr, &tail); | |
474 | } | |
475 | } | |
476 | else if (rule == CIPHER_DEL) | |
477 | curr->active = 0; | |
478 | else if (rule == CIPHER_KILL) | |
479 | { | |
480 | if (head == curr) | |
481 | head = curr->next; | |
482 | else | |
483 | curr->prev->next = curr->next; | |
484 | if (tail == curr) | |
485 | tail = curr->prev; | |
486 | curr->active = 0; | |
487 | if (curr->next != NULL) | |
488 | curr->next->prev = curr->prev; | |
489 | if (curr->prev != NULL) | |
490 | curr->prev->next = curr->next; | |
491 | curr->next = NULL; | |
492 | curr->prev = NULL; | |
493 | } | |
494 | } | |
495 | ||
496 | *head_p = head; | |
497 | *tail_p = tail; | |
498 | } | |
499 | ||
500 | static int ssl_cipher_strength_sort(CIPHER_ORDER *list, CIPHER_ORDER **head_p, | |
501 | CIPHER_ORDER **tail_p) | |
502 | { | |
503 | int max_strength_bits, i, *number_uses; | |
504 | CIPHER_ORDER *curr; | |
505 | ||
506 | /* | |
507 | * This routine sorts the ciphers with descending strength. The sorting | |
508 | * must keep the pre-sorted sequence, so we apply the normal sorting | |
509 | * routine as '+' movement to the end of the list. | |
510 | */ | |
511 | max_strength_bits = 0; | |
512 | curr = *head_p; | |
513 | while (curr != NULL) | |
514 | { | |
515 | if (curr->active && | |
516 | (curr->cipher->strength_bits > max_strength_bits)) | |
517 | max_strength_bits = curr->cipher->strength_bits; | |
518 | curr = curr->next; | |
519 | } | |
520 | ||
521 | number_uses = Malloc((max_strength_bits + 1) * sizeof(int)); | |
522 | if (!number_uses) | |
523 | { | |
524 | SSLerr(SSL_F_SSL_CIPHER_STRENGTH_SORT,ERR_R_MALLOC_FAILURE); | |
525 | return(0); | |
526 | } | |
527 | memset(number_uses, 0, (max_strength_bits + 1) * sizeof(int)); | |
528 | ||
529 | /* | |
530 | * Now find the strength_bits values actually used | |
531 | */ | |
532 | curr = *head_p; | |
533 | while (curr != NULL) | |
534 | { | |
535 | if (curr->active) | |
536 | number_uses[curr->cipher->strength_bits]++; | |
537 | curr = curr->next; | |
538 | } | |
539 | #if 0 | |
540 | /* | |
541 | * Go through the list of used strength_bits values in descending | |
542 | * order, omit strength_bits "0". | |
543 | */ | |
544 | for (i = max_strength_bits; i > 0; i--) | |
545 | /* Do we really want this? If so "ALL:eNULL:@STRENGTH" puts eNULL | |
546 | * ciphers first??? | |
547 | */ | |
548 | ||
549 | #else | |
550 | for (i = max_strength_bits; i >= 0; i--) | |
551 | #endif | |
552 | if (number_uses[i] > 0) | |
553 | ssl_cipher_apply_rule(0, 0, 0, 0, CIPHER_ORD, i, | |
554 | list, head_p, tail_p); | |
555 | ||
556 | Free(number_uses); | |
557 | return(1); | |
558 | } | |
559 | ||
560 | static int ssl_cipher_process_rulestr(const char *rule_str, | |
561 | CIPHER_ORDER *list, CIPHER_ORDER **head_p, | |
562 | CIPHER_ORDER **tail_p, SSL_CIPHER **ca_list) | |
563 | { | |
564 | unsigned long algorithms, mask, algo_strength, mask_strength; | |
565 | const char *l, *start, *buf; | |
566 | int j, multi, found, rule, retval, ok, buflen; | |
567 | char ch; | |
58964a49 | 568 | |
018e57c7 DSH |
569 | retval = 1; |
570 | l = rule_str; | |
571 | for (;;) | |
572 | { | |
573 | ch = *l; | |
58964a49 | 574 | |
018e57c7 DSH |
575 | if (ch == '\0') |
576 | break; /* done */ | |
d02b48c6 | 577 | if (ch == '-') |
018e57c7 | 578 | { rule = CIPHER_DEL; l++; } |
d02b48c6 | 579 | else if (ch == '+') |
018e57c7 | 580 | { rule = CIPHER_ORD; l++; } |
d02b48c6 | 581 | else if (ch == '!') |
018e57c7 DSH |
582 | { rule = CIPHER_KILL; l++; } |
583 | else if (ch == '@') | |
584 | { rule = CIPHER_SPECIAL; l++; } | |
585 | else | |
586 | { rule = CIPHER_ADD; } | |
d02b48c6 | 587 | |
58964a49 | 588 | if (ITEM_SEP(ch)) |
d02b48c6 RE |
589 | { |
590 | l++; | |
591 | continue; | |
592 | } | |
018e57c7 DSH |
593 | |
594 | algorithms = mask = algo_strength = mask_strength = 0; | |
d02b48c6 RE |
595 | |
596 | start=l; | |
597 | for (;;) | |
598 | { | |
018e57c7 DSH |
599 | ch = *l; |
600 | buf = l; | |
601 | buflen = 0; | |
ca570cfd | 602 | #ifndef CHARSET_EBCDIC |
d02b48c6 RE |
603 | while ( ((ch >= 'A') && (ch <= 'Z')) || |
604 | ((ch >= '0') && (ch <= '9')) || | |
605 | ((ch >= 'a') && (ch <= 'z')) || | |
606 | (ch == '-')) | |
ca570cfd UM |
607 | #else |
608 | while ( isalnum(ch) || (ch == '-')) | |
609 | #endif | |
d02b48c6 | 610 | { |
018e57c7 DSH |
611 | ch = *(++l); |
612 | buflen++; | |
d02b48c6 | 613 | } |
018e57c7 DSH |
614 | |
615 | if (buflen == 0) | |
616 | { | |
617 | /* | |
618 | * We hit something, we cannot deal with, | |
619 | * it is no command or seperator nor | |
620 | * alphanumeric, so we call this an error. | |
621 | */ | |
622 | SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, | |
623 | SSL_R_INVALID_COMMAND); | |
624 | retval = found = 0; | |
625 | l++; | |
626 | break; | |
627 | } | |
628 | ||
629 | if (rule == CIPHER_SPECIAL) | |
630 | { | |
631 | break; /* special treatment */ | |
632 | } | |
d02b48c6 RE |
633 | |
634 | /* check for multi-part specification */ | |
58964a49 RE |
635 | if (ch == '+') |
636 | { | |
637 | multi=1; | |
638 | l++; | |
639 | } | |
640 | else | |
641 | multi=0; | |
d02b48c6 | 642 | |
018e57c7 DSH |
643 | /* |
644 | * Now search for the name in the ca_list. Be carefule | |
645 | * with the strncmp, because the "buflen" limitation | |
646 | * will make the rule "ADH:SOME" and the cipher | |
647 | * "ADH-MY-CIPHER" look like a match for buflen=3. | |
648 | * So additionally check, whether the cipher name found | |
649 | * has the correct length. We can save a strlen() call, | |
650 | * just checking for the '\0' at the right place is | |
651 | * sufficient, we have to strncmp() anyway. | |
652 | */ | |
653 | j = found = 0; | |
654 | while (ca_list[j]) | |
655 | { | |
656 | if ((ca_list[j]->name[buflen] == '\0') && | |
657 | !strncmp(buf, ca_list[j]->name, buflen)) | |
658 | { | |
659 | found = 1; | |
660 | break; | |
661 | } | |
662 | else | |
663 | j++; | |
664 | } | |
665 | if (!found) | |
666 | break; /* ignore this entry */ | |
667 | ||
668 | algorithms |= ca_list[j]->algorithms; | |
669 | mask |= ca_list[j]->mask; | |
670 | algo_strength |= ca_list[j]->algo_strength; | |
671 | mask_strength |= ca_list[j]->mask_strength; | |
d02b48c6 | 672 | |
d02b48c6 RE |
673 | if (!multi) break; |
674 | } | |
018e57c7 DSH |
675 | |
676 | /* | |
677 | * Ok, we have the rule, now apply it | |
678 | */ | |
679 | if (rule == CIPHER_SPECIAL) | |
680 | { /* special command */ | |
681 | ok = 0; | |
682 | if (!strncmp(buf, "STRENGTH", buflen)) | |
683 | ok = ssl_cipher_strength_sort(list, | |
684 | head_p, tail_p); | |
685 | else | |
686 | SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, | |
687 | SSL_R_INVALID_COMMAND); | |
688 | if (ok == 0) | |
689 | retval = 0; | |
690 | /* | |
691 | * We do not support any "multi" options | |
692 | * together with "@", so through away the | |
693 | * rest of the command, if any left, until | |
694 | * end or ':' is found. | |
695 | */ | |
696 | while ((*l != '\0') && ITEM_SEP(*l)) | |
697 | l++; | |
698 | } | |
699 | else if (found) | |
700 | { | |
701 | ssl_cipher_apply_rule(algorithms, mask, | |
702 | algo_strength, mask_strength, rule, -1, | |
703 | list, head_p, tail_p); | |
704 | } | |
705 | else | |
706 | { | |
707 | while ((*l != '\0') && ITEM_SEP(*l)) | |
708 | l++; | |
709 | } | |
710 | if (*l == '\0') break; /* done */ | |
d02b48c6 RE |
711 | } |
712 | ||
018e57c7 DSH |
713 | return(retval); |
714 | } | |
715 | ||
716 | STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, | |
717 | STACK_OF(SSL_CIPHER) **cipher_list, | |
718 | STACK_OF(SSL_CIPHER) **cipher_list_by_id, | |
719 | const char *rule_str) | |
720 | { | |
721 | int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases; | |
722 | unsigned long disabled_mask; | |
723 | STACK_OF(SSL_CIPHER) *cipherstack; | |
724 | const char *rule_p; | |
725 | CIPHER_ORDER *list = NULL, *head = NULL, *tail = NULL, *curr; | |
726 | SSL_CIPHER **ca_list = NULL; | |
727 | ||
728 | /* | |
729 | * Return with error if nothing to do. | |
730 | */ | |
731 | if (rule_str == NULL) return(NULL); | |
732 | ||
733 | if (init_ciphers) load_ciphers(); | |
d02b48c6 | 734 | |
018e57c7 DSH |
735 | /* |
736 | * To reduce the work to do we only want to process the compiled | |
737 | * in algorithms, so we first get the mask of disabled ciphers. | |
738 | */ | |
739 | disabled_mask = ssl_cipher_get_disabled(); | |
740 | ||
741 | /* | |
742 | * Now we have to collect the available ciphers from the compiled | |
743 | * in ciphers. We cannot get more than the number compiled in, so | |
744 | * it is used for allocation. | |
745 | */ | |
746 | num_of_ciphers = ssl_method->num_ciphers(); | |
747 | list = (CIPHER_ORDER *)Malloc(sizeof(CIPHER_ORDER) * num_of_ciphers); | |
748 | if (list == NULL) | |
d02b48c6 | 749 | { |
018e57c7 DSH |
750 | SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE); |
751 | return(NULL); /* Failure */ | |
752 | } | |
58964a49 | 753 | |
018e57c7 DSH |
754 | ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers, disabled_mask, |
755 | list, &head, &tail); | |
756 | ||
757 | /* | |
758 | * We also need cipher aliases for selecting based on the rule_str. | |
759 | * There might be two types of entries in the rule_str: 1) names | |
760 | * of ciphers themselves 2) aliases for groups of ciphers. | |
761 | * For 1) we need the available ciphers and for 2) the cipher | |
762 | * groups of cipher_aliases added togehter in one list (otherwise | |
763 | * we would be happy with just the cipher_aliases table). | |
764 | */ | |
765 | num_of_group_aliases = sizeof(cipher_aliases) / sizeof(SSL_CIPHER); | |
766 | num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1; | |
767 | ca_list = | |
768 | (SSL_CIPHER **)Malloc(sizeof(SSL_CIPHER *) * num_of_alias_max); | |
769 | if (ca_list == NULL) | |
770 | { | |
771 | Free(list); | |
772 | SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE); | |
773 | return(NULL); /* Failure */ | |
774 | } | |
775 | ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, disabled_mask, | |
776 | head); | |
777 | ||
778 | /* | |
779 | * If the rule_string begins with DEFAULT, apply the default rule | |
780 | * before using the (possibly available) additional rules. | |
781 | */ | |
782 | ok = 1; | |
783 | rule_p = rule_str; | |
784 | if (strncmp(rule_str,"DEFAULT",7) == 0) | |
785 | { | |
786 | ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST, | |
787 | list, &head, &tail, ca_list); | |
788 | rule_p += 7; | |
789 | if (*rule_p == ':') | |
790 | rule_p++; | |
791 | } | |
58964a49 | 792 | |
018e57c7 DSH |
793 | if (ok && (strlen(rule_p) > 0)) |
794 | ok = ssl_cipher_process_rulestr(rule_p, list, &head, &tail, | |
795 | ca_list); | |
d02b48c6 | 796 | |
018e57c7 DSH |
797 | Free(ca_list); /* Not needed anymore */ |
798 | ||
799 | if (!ok) | |
800 | { /* Rule processing failure */ | |
801 | Free(list); | |
802 | return(NULL); | |
803 | } | |
804 | /* | |
805 | * Allocate new "cipherstack" for the result, return with error | |
806 | * if we cannot get one. | |
807 | */ | |
808 | if ((cipherstack = sk_SSL_CIPHER_new(NULL)) == NULL) | |
809 | { | |
810 | Free(list); | |
811 | return(NULL); | |
d02b48c6 RE |
812 | } |
813 | ||
018e57c7 DSH |
814 | /* |
815 | * The cipher selection for the list is done. The ciphers are added | |
816 | * to the resulting precedence to the STACK_OF(SSL_CIPHER). | |
817 | */ | |
818 | for (curr = head; curr != NULL; curr = curr->next) | |
d02b48c6 | 819 | { |
58964a49 | 820 | if (curr->active) |
d02b48c6 | 821 | { |
018e57c7 | 822 | sk_SSL_CIPHER_push(cipherstack, curr->cipher); |
d02b48c6 | 823 | #ifdef CIPHER_DEBUG |
58964a49 | 824 | printf("<%s>\n",curr->cipher->name); |
d02b48c6 | 825 | #endif |
d02b48c6 RE |
826 | } |
827 | } | |
018e57c7 DSH |
828 | Free(list); /* Not needed any longer */ |
829 | ||
830 | /* | |
831 | * The following passage is a little bit odd. If pointer variables | |
832 | * were supplied to hold STACK_OF(SSL_CIPHER) return information, | |
833 | * the old memory pointed to is free()ed. Then, however, the | |
834 | * cipher_list entry will be assigned just a copy of the returned | |
835 | * cipher stack. For cipher_list_by_id a copy of the cipher stack | |
836 | * will be created. See next comment... | |
837 | */ | |
d02b48c6 RE |
838 | if (cipher_list != NULL) |
839 | { | |
840 | if (*cipher_list != NULL) | |
f73e07cf | 841 | sk_SSL_CIPHER_free(*cipher_list); |
018e57c7 | 842 | *cipher_list = cipherstack; |
d02b48c6 RE |
843 | } |
844 | ||
845 | if (cipher_list_by_id != NULL) | |
846 | { | |
847 | if (*cipher_list_by_id != NULL) | |
f73e07cf | 848 | sk_SSL_CIPHER_free(*cipher_list_by_id); |
018e57c7 | 849 | *cipher_list_by_id = sk_SSL_CIPHER_dup(cipherstack); |
d02b48c6 RE |
850 | } |
851 | ||
018e57c7 DSH |
852 | /* |
853 | * Now it is getting really strange. If something failed during | |
854 | * the previous pointer assignement or if one of the pointers was | |
855 | * not requested, the error condition is met. That might be | |
856 | * discussable. The strange thing is however that in this case | |
857 | * the memory "ret" pointed to is "free()ed" and hence the pointer | |
858 | * cipher_list becomes wild. The memory reserved for | |
859 | * cipher_list_by_id however is not "free()ed" and stays intact. | |
860 | */ | |
d02b48c6 RE |
861 | if ( (cipher_list_by_id == NULL) || |
862 | (*cipher_list_by_id == NULL) || | |
863 | (cipher_list == NULL) || | |
864 | (*cipher_list == NULL)) | |
018e57c7 DSH |
865 | { |
866 | sk_SSL_CIPHER_free(cipherstack); | |
867 | return(NULL); | |
868 | } | |
869 | ||
f73e07cf | 870 | sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id,ssl_cipher_ptr_id_cmp); |
d02b48c6 | 871 | |
018e57c7 | 872 | return(cipherstack); |
d02b48c6 RE |
873 | } |
874 | ||
6b691a5c | 875 | char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len) |
d02b48c6 | 876 | { |
b1c4fe36 | 877 | int is_export,pkl,kl; |
d02b48c6 RE |
878 | char *ver,*exp; |
879 | char *kx,*au,*enc,*mac; | |
018e57c7 | 880 | unsigned long alg,alg2,alg_s; |
d02b48c6 RE |
881 | static char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s\n"; |
882 | ||
883 | alg=cipher->algorithms; | |
018e57c7 | 884 | alg_s=cipher->algo_strength; |
d02b48c6 RE |
885 | alg2=cipher->algorithm2; |
886 | ||
018e57c7 DSH |
887 | is_export=SSL_C_IS_EXPORT(cipher); |
888 | pkl=SSL_C_EXPORT_PKEYLENGTH(cipher); | |
889 | kl=SSL_C_EXPORT_KEYLENGTH(cipher); | |
b1c4fe36 | 890 | exp=is_export?" export":""; |
d02b48c6 RE |
891 | |
892 | if (alg & SSL_SSLV2) | |
893 | ver="SSLv2"; | |
894 | else if (alg & SSL_SSLV3) | |
895 | ver="SSLv3"; | |
896 | else | |
897 | ver="unknown"; | |
898 | ||
899 | switch (alg&SSL_MKEY_MASK) | |
900 | { | |
901 | case SSL_kRSA: | |
b1c4fe36 | 902 | kx=is_export?(pkl == 512 ? "RSA(512)" : "RSA(1024)"):"RSA"; |
d02b48c6 RE |
903 | break; |
904 | case SSL_kDHr: | |
905 | kx="DH/RSA"; | |
906 | break; | |
907 | case SSL_kDHd: | |
908 | kx="DH/DSS"; | |
909 | break; | |
910 | case SSL_kFZA: | |
911 | kx="Fortezza"; | |
912 | break; | |
913 | case SSL_kEDH: | |
b1c4fe36 | 914 | kx=is_export?(pkl == 512 ? "DH(512)" : "DH(1024)"):"DH"; |
d02b48c6 RE |
915 | break; |
916 | default: | |
917 | kx="unknown"; | |
918 | } | |
919 | ||
920 | switch (alg&SSL_AUTH_MASK) | |
921 | { | |
922 | case SSL_aRSA: | |
923 | au="RSA"; | |
924 | break; | |
925 | case SSL_aDSS: | |
926 | au="DSS"; | |
927 | break; | |
928 | case SSL_aDH: | |
929 | au="DH"; | |
930 | break; | |
931 | case SSL_aFZA: | |
932 | case SSL_aNULL: | |
933 | au="None"; | |
934 | break; | |
935 | default: | |
936 | au="unknown"; | |
937 | break; | |
938 | } | |
939 | ||
940 | switch (alg&SSL_ENC_MASK) | |
941 | { | |
942 | case SSL_DES: | |
b1c4fe36 | 943 | enc=(is_export && kl == 5)?"DES(40)":"DES(56)"; |
d02b48c6 RE |
944 | break; |
945 | case SSL_3DES: | |
946 | enc="3DES(168)"; | |
947 | break; | |
948 | case SSL_RC4: | |
b1c4fe36 | 949 | enc=is_export?(kl == 5 ? "RC4(40)" : "RC4(56)") |
06ab81f9 | 950 | :((alg2&SSL2_CF_8_BYTE_ENC)?"RC4(64)":"RC4(128)"); |
d02b48c6 RE |
951 | break; |
952 | case SSL_RC2: | |
b1c4fe36 | 953 | enc=is_export?(kl == 5 ? "RC2(40)" : "RC2(56)"):"RC2(128)"; |
d02b48c6 RE |
954 | break; |
955 | case SSL_IDEA: | |
956 | enc="IDEA(128)"; | |
957 | break; | |
958 | case SSL_eFZA: | |
959 | enc="Fortezza"; | |
960 | break; | |
961 | case SSL_eNULL: | |
962 | enc="None"; | |
963 | break; | |
964 | default: | |
965 | enc="unknown"; | |
966 | break; | |
967 | } | |
968 | ||
969 | switch (alg&SSL_MAC_MASK) | |
970 | { | |
971 | case SSL_MD5: | |
972 | mac="MD5"; | |
973 | break; | |
d02b48c6 RE |
974 | case SSL_SHA1: |
975 | mac="SHA1"; | |
976 | break; | |
977 | default: | |
978 | mac="unknown"; | |
979 | break; | |
980 | } | |
981 | ||
982 | if (buf == NULL) | |
983 | { | |
984 | buf=Malloc(128); | |
985 | if (buf == NULL) return("Malloc Error"); | |
986 | } | |
987 | else if (len < 128) | |
988 | return("Buffer too small"); | |
989 | ||
990 | sprintf(buf,format,cipher->name,ver,kx,au,enc,mac,exp); | |
991 | return(buf); | |
992 | } | |
993 | ||
6b691a5c | 994 | char *SSL_CIPHER_get_version(SSL_CIPHER *c) |
d02b48c6 RE |
995 | { |
996 | int i; | |
997 | ||
58964a49 | 998 | if (c == NULL) return("(NONE)"); |
d02b48c6 RE |
999 | i=(int)(c->id>>24L); |
1000 | if (i == 3) | |
58964a49 | 1001 | return("TLSv1/SSLv3"); |
d02b48c6 RE |
1002 | else if (i == 2) |
1003 | return("SSLv2"); | |
1004 | else | |
1005 | return("unknown"); | |
1006 | } | |
1007 | ||
1008 | /* return the actual cipher being used */ | |
6b691a5c | 1009 | const char *SSL_CIPHER_get_name(SSL_CIPHER *c) |
d02b48c6 RE |
1010 | { |
1011 | if (c != NULL) | |
1012 | return(c->name); | |
1013 | return("(NONE)"); | |
1014 | } | |
1015 | ||
1016 | /* number of bits for symetric cipher */ | |
6b691a5c | 1017 | int SSL_CIPHER_get_bits(SSL_CIPHER *c, int *alg_bits) |
d02b48c6 | 1018 | { |
018e57c7 | 1019 | int ret=0; |
d02b48c6 RE |
1020 | |
1021 | if (c != NULL) | |
1022 | { | |
018e57c7 DSH |
1023 | if (alg_bits != NULL) *alg_bits = c->alg_bits; |
1024 | ret = c->strength_bits; | |
d02b48c6 | 1025 | } |
d02b48c6 RE |
1026 | return(ret); |
1027 | } | |
1028 | ||
6b691a5c | 1029 | SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n) |
413c4f45 MC |
1030 | { |
1031 | SSL_COMP *ctmp; | |
1032 | int i,nn; | |
1033 | ||
1034 | if ((n == 0) || (sk == NULL)) return(NULL); | |
f73e07cf | 1035 | nn=sk_SSL_COMP_num(sk); |
413c4f45 MC |
1036 | for (i=0; i<nn; i++) |
1037 | { | |
f73e07cf | 1038 | ctmp=sk_SSL_COMP_value(sk,i); |
413c4f45 MC |
1039 | if (ctmp->id == n) |
1040 | return(ctmp); | |
1041 | } | |
1042 | return(NULL); | |
1043 | } | |
1044 | ||
28db3401 | 1045 | static int sk_comp_cmp(SSL_COMP **a,SSL_COMP **b) |
413c4f45 MC |
1046 | { |
1047 | return((*a)->id-(*b)->id); | |
1048 | } | |
1049 | ||
6b691a5c | 1050 | STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void) |
413c4f45 MC |
1051 | { |
1052 | return(ssl_comp_methods); | |
1053 | } | |
1054 | ||
6b691a5c | 1055 | int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm) |
413c4f45 MC |
1056 | { |
1057 | SSL_COMP *comp; | |
f73e07cf | 1058 | STACK_OF(SSL_COMP) *sk; |
413c4f45 MC |
1059 | |
1060 | comp=(SSL_COMP *)Malloc(sizeof(SSL_COMP)); | |
1061 | comp->id=id; | |
1062 | comp->method=cm; | |
1063 | if (ssl_comp_methods == NULL) | |
f73e07cf | 1064 | sk=ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp); |
413c4f45 MC |
1065 | else |
1066 | sk=ssl_comp_methods; | |
f73e07cf | 1067 | if ((sk == NULL) || !sk_SSL_COMP_push(sk,comp)) |
413c4f45 MC |
1068 | { |
1069 | SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,ERR_R_MALLOC_FAILURE); | |
1070 | return(0); | |
1071 | } | |
1072 | else | |
1073 | return(1); | |
1074 | } | |
1075 |