]>
Commit | Line | Data |
---|---|---|
d02b48c6 | 1 | /* ssl/s3_lib.c */ |
58964a49 | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
d02b48c6 RE |
3 | * All rights reserved. |
4 | * | |
5 | * This package is an SSL implementation written | |
6 | * by Eric Young (eay@cryptsoft.com). | |
7 | * The implementation was written so as to conform with Netscapes SSL. | |
8 | * | |
9 | * This library is free for commercial and non-commercial use as long as | |
10 | * the following conditions are aheared to. The following conditions | |
11 | * apply to all code found in this distribution, be it the RC4, RSA, | |
12 | * lhash, DES, etc., code; not just the SSL code. The SSL documentation | |
13 | * included with this distribution is covered by the same copyright terms | |
14 | * except that the holder is Tim Hudson (tjh@cryptsoft.com). | |
15 | * | |
16 | * Copyright remains Eric Young's, and as such any Copyright notices in | |
17 | * the code are not to be removed. | |
18 | * If this package is used in a product, Eric Young should be given attribution | |
19 | * as the author of the parts of the library used. | |
20 | * This can be in the form of a textual message at program startup or | |
21 | * in documentation (online or textual) provided with the package. | |
22 | * | |
23 | * Redistribution and use in source and binary forms, with or without | |
24 | * modification, are permitted provided that the following conditions | |
25 | * are met: | |
26 | * 1. Redistributions of source code must retain the copyright | |
27 | * notice, this list of conditions and the following disclaimer. | |
28 | * 2. Redistributions in binary form must reproduce the above copyright | |
29 | * notice, this list of conditions and the following disclaimer in the | |
30 | * documentation and/or other materials provided with the distribution. | |
31 | * 3. All advertising materials mentioning features or use of this software | |
32 | * must display the following acknowledgement: | |
33 | * "This product includes cryptographic software written by | |
34 | * Eric Young (eay@cryptsoft.com)" | |
35 | * The word 'cryptographic' can be left out if the rouines from the library | |
36 | * being used are not cryptographic related :-). | |
37 | * 4. If you include any Windows specific code (or a derivative thereof) from | |
38 | * the apps directory (application code) you must include an acknowledgement: | |
39 | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" | |
40 | * | |
41 | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND | |
42 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
43 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
44 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE | |
45 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
46 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |
47 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
48 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | |
49 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | |
50 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |
51 | * SUCH DAMAGE. | |
52 | * | |
53 | * The licence and distribution terms for any publically available version or | |
54 | * derivative of this code cannot be changed. i.e. this code cannot simply be | |
55 | * copied and put under another distribution licence | |
56 | * [including the GNU Public Licence.] | |
57 | */ | |
58 | ||
59 | #include <stdio.h> | |
d02f751c UM |
60 | #include <openssl/md5.h> |
61 | #include <openssl/sha.h> | |
ec577822 | 62 | #include <openssl/objects.h> |
d02b48c6 RE |
63 | #include "ssl_locl.h" |
64 | ||
e778802f | 65 | const char *ssl3_version_str="SSLv3" OPENSSL_VERSION_PTEXT; |
d02b48c6 RE |
66 | |
67 | #define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers)/sizeof(SSL_CIPHER)) | |
68 | ||
d02b48c6 | 69 | static long ssl3_default_timeout(void ); |
7d7d2cbc | 70 | |
7f0dae32 | 71 | OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ |
d02b48c6 RE |
72 | /* The RSA ciphers */ |
73 | /* Cipher 01 */ | |
74 | { | |
75 | 1, | |
76 | SSL3_TXT_RSA_NULL_MD5, | |
77 | SSL3_CK_RSA_NULL_MD5, | |
018e57c7 DSH |
78 | SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_MD5|SSL_SSLV3, |
79 | SSL_NOT_EXP, | |
80 | 0, | |
81 | 0, | |
d02b48c6 RE |
82 | 0, |
83 | SSL_ALL_CIPHERS, | |
018e57c7 | 84 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
85 | }, |
86 | /* Cipher 02 */ | |
87 | { | |
88 | 1, | |
89 | SSL3_TXT_RSA_NULL_SHA, | |
90 | SSL3_CK_RSA_NULL_SHA, | |
018e57c7 DSH |
91 | SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_SHA1|SSL_SSLV3, |
92 | SSL_NOT_EXP, | |
93 | 0, | |
94 | 0, | |
d02b48c6 RE |
95 | 0, |
96 | SSL_ALL_CIPHERS, | |
018e57c7 | 97 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
98 | }, |
99 | ||
100 | /* anon DH */ | |
101 | /* Cipher 17 */ | |
102 | { | |
103 | 1, | |
104 | SSL3_TXT_ADH_RC4_40_MD5, | |
105 | SSL3_CK_ADH_RC4_40_MD5, | |
018e57c7 DSH |
106 | SSL_kEDH |SSL_aNULL|SSL_RC4 |SSL_MD5 |SSL_SSLV3, |
107 | SSL_EXPORT|SSL_EXP40, | |
d02b48c6 | 108 | 0, |
018e57c7 DSH |
109 | 40, |
110 | 128, | |
d02b48c6 | 111 | SSL_ALL_CIPHERS, |
018e57c7 | 112 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
113 | }, |
114 | /* Cipher 18 */ | |
115 | { | |
116 | 1, | |
117 | SSL3_TXT_ADH_RC4_128_MD5, | |
118 | SSL3_CK_ADH_RC4_128_MD5, | |
018e57c7 DSH |
119 | SSL_kEDH |SSL_aNULL|SSL_RC4 |SSL_MD5 |SSL_SSLV3, |
120 | SSL_NOT_EXP, | |
d02b48c6 | 121 | 0, |
018e57c7 DSH |
122 | 128, |
123 | 128, | |
d02b48c6 | 124 | SSL_ALL_CIPHERS, |
018e57c7 | 125 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
126 | }, |
127 | /* Cipher 19 */ | |
128 | { | |
129 | 1, | |
130 | SSL3_TXT_ADH_DES_40_CBC_SHA, | |
131 | SSL3_CK_ADH_DES_40_CBC_SHA, | |
018e57c7 DSH |
132 | SSL_kEDH |SSL_aNULL|SSL_DES|SSL_SHA1|SSL_SSLV3, |
133 | SSL_EXPORT|SSL_EXP40, | |
d02b48c6 | 134 | 0, |
018e57c7 DSH |
135 | 40, |
136 | 128, | |
d02b48c6 | 137 | SSL_ALL_CIPHERS, |
018e57c7 | 138 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
139 | }, |
140 | /* Cipher 1A */ | |
141 | { | |
142 | 1, | |
143 | SSL3_TXT_ADH_DES_64_CBC_SHA, | |
144 | SSL3_CK_ADH_DES_64_CBC_SHA, | |
018e57c7 DSH |
145 | SSL_kEDH |SSL_aNULL|SSL_DES |SSL_SHA1|SSL_SSLV3, |
146 | SSL_NOT_EXP, | |
d02b48c6 | 147 | 0, |
018e57c7 DSH |
148 | 56, |
149 | 56, | |
d02b48c6 | 150 | SSL_ALL_CIPHERS, |
018e57c7 | 151 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
152 | }, |
153 | /* Cipher 1B */ | |
154 | { | |
155 | 1, | |
58964a49 RE |
156 | SSL3_TXT_ADH_DES_192_CBC_SHA, |
157 | SSL3_CK_ADH_DES_192_CBC_SHA, | |
018e57c7 DSH |
158 | SSL_kEDH |SSL_aNULL|SSL_3DES |SSL_SHA1|SSL_SSLV3, |
159 | SSL_NOT_EXP, | |
d02b48c6 | 160 | 0, |
018e57c7 DSH |
161 | 168, |
162 | 168, | |
d02b48c6 | 163 | SSL_ALL_CIPHERS, |
018e57c7 | 164 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
165 | }, |
166 | ||
167 | /* RSA again */ | |
168 | /* Cipher 03 */ | |
169 | { | |
170 | 1, | |
171 | SSL3_TXT_RSA_RC4_40_MD5, | |
172 | SSL3_CK_RSA_RC4_40_MD5, | |
018e57c7 DSH |
173 | SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_MD5 |SSL_SSLV3, |
174 | SSL_EXPORT|SSL_EXP40, | |
d02b48c6 | 175 | 0, |
018e57c7 DSH |
176 | 40, |
177 | 128, | |
d02b48c6 | 178 | SSL_ALL_CIPHERS, |
018e57c7 | 179 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
180 | }, |
181 | /* Cipher 04 */ | |
182 | { | |
183 | 1, | |
184 | SSL3_TXT_RSA_RC4_128_MD5, | |
185 | SSL3_CK_RSA_RC4_128_MD5, | |
018e57c7 DSH |
186 | SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_MD5|SSL_SSLV3, |
187 | SSL_NOT_EXP|SSL_MEDIUM, | |
d02b48c6 | 188 | 0, |
018e57c7 DSH |
189 | 128, |
190 | 128, | |
d02b48c6 | 191 | SSL_ALL_CIPHERS, |
018e57c7 | 192 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
193 | }, |
194 | /* Cipher 05 */ | |
195 | { | |
196 | 1, | |
197 | SSL3_TXT_RSA_RC4_128_SHA, | |
198 | SSL3_CK_RSA_RC4_128_SHA, | |
018e57c7 DSH |
199 | SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_SHA1|SSL_SSLV3, |
200 | SSL_NOT_EXP|SSL_MEDIUM, | |
d02b48c6 | 201 | 0, |
018e57c7 DSH |
202 | 128, |
203 | 128, | |
d02b48c6 | 204 | SSL_ALL_CIPHERS, |
018e57c7 | 205 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
206 | }, |
207 | /* Cipher 06 */ | |
208 | { | |
209 | 1, | |
210 | SSL3_TXT_RSA_RC2_40_MD5, | |
211 | SSL3_CK_RSA_RC2_40_MD5, | |
018e57c7 DSH |
212 | SSL_kRSA|SSL_aRSA|SSL_RC2 |SSL_MD5 |SSL_SSLV3, |
213 | SSL_EXPORT|SSL_EXP40, | |
d02b48c6 | 214 | 0, |
018e57c7 DSH |
215 | 40, |
216 | 128, | |
d02b48c6 | 217 | SSL_ALL_CIPHERS, |
018e57c7 | 218 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
219 | }, |
220 | /* Cipher 07 */ | |
221 | { | |
222 | 1, | |
223 | SSL3_TXT_RSA_IDEA_128_SHA, | |
224 | SSL3_CK_RSA_IDEA_128_SHA, | |
018e57c7 DSH |
225 | SSL_kRSA|SSL_aRSA|SSL_IDEA |SSL_SHA1|SSL_SSLV3, |
226 | SSL_NOT_EXP|SSL_MEDIUM, | |
d02b48c6 | 227 | 0, |
018e57c7 DSH |
228 | 128, |
229 | 128, | |
d02b48c6 | 230 | SSL_ALL_CIPHERS, |
018e57c7 | 231 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
232 | }, |
233 | /* Cipher 08 */ | |
234 | { | |
235 | 1, | |
236 | SSL3_TXT_RSA_DES_40_CBC_SHA, | |
237 | SSL3_CK_RSA_DES_40_CBC_SHA, | |
018e57c7 DSH |
238 | SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_SSLV3, |
239 | SSL_EXPORT|SSL_EXP40, | |
d02b48c6 | 240 | 0, |
018e57c7 DSH |
241 | 40, |
242 | 56, | |
d02b48c6 | 243 | SSL_ALL_CIPHERS, |
018e57c7 | 244 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
245 | }, |
246 | /* Cipher 09 */ | |
247 | { | |
248 | 1, | |
249 | SSL3_TXT_RSA_DES_64_CBC_SHA, | |
250 | SSL3_CK_RSA_DES_64_CBC_SHA, | |
018e57c7 DSH |
251 | SSL_kRSA|SSL_aRSA|SSL_DES |SSL_SHA1|SSL_SSLV3, |
252 | SSL_NOT_EXP|SSL_LOW, | |
d02b48c6 | 253 | 0, |
018e57c7 DSH |
254 | 56, |
255 | 56, | |
d02b48c6 | 256 | SSL_ALL_CIPHERS, |
018e57c7 | 257 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
258 | }, |
259 | /* Cipher 0A */ | |
260 | { | |
261 | 1, | |
262 | SSL3_TXT_RSA_DES_192_CBC3_SHA, | |
263 | SSL3_CK_RSA_DES_192_CBC3_SHA, | |
018e57c7 DSH |
264 | SSL_kRSA|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3, |
265 | SSL_NOT_EXP|SSL_HIGH, | |
d02b48c6 | 266 | 0, |
018e57c7 DSH |
267 | 168, |
268 | 168, | |
d02b48c6 | 269 | SSL_ALL_CIPHERS, |
018e57c7 | 270 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
271 | }, |
272 | ||
273 | /* The DH ciphers */ | |
274 | /* Cipher 0B */ | |
275 | { | |
276 | 0, | |
277 | SSL3_TXT_DH_DSS_DES_40_CBC_SHA, | |
278 | SSL3_CK_DH_DSS_DES_40_CBC_SHA, | |
018e57c7 DSH |
279 | SSL_kDHd |SSL_aDH|SSL_DES|SSL_SHA1|SSL_SSLV3, |
280 | SSL_EXPORT|SSL_EXP40, | |
d02b48c6 | 281 | 0, |
018e57c7 DSH |
282 | 40, |
283 | 56, | |
d02b48c6 | 284 | SSL_ALL_CIPHERS, |
018e57c7 | 285 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
286 | }, |
287 | /* Cipher 0C */ | |
288 | { | |
289 | 0, | |
290 | SSL3_TXT_DH_DSS_DES_64_CBC_SHA, | |
291 | SSL3_CK_DH_DSS_DES_64_CBC_SHA, | |
018e57c7 DSH |
292 | SSL_kDHd |SSL_aDH|SSL_DES |SSL_SHA1|SSL_SSLV3, |
293 | SSL_NOT_EXP|SSL_LOW, | |
d02b48c6 | 294 | 0, |
018e57c7 DSH |
295 | 56, |
296 | 56, | |
d02b48c6 | 297 | SSL_ALL_CIPHERS, |
018e57c7 | 298 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
299 | }, |
300 | /* Cipher 0D */ | |
301 | { | |
302 | 0, | |
303 | SSL3_TXT_DH_DSS_DES_192_CBC3_SHA, | |
304 | SSL3_CK_DH_DSS_DES_192_CBC3_SHA, | |
018e57c7 DSH |
305 | SSL_kDHd |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3, |
306 | SSL_NOT_EXP|SSL_HIGH, | |
d02b48c6 | 307 | 0, |
018e57c7 DSH |
308 | 168, |
309 | 168, | |
d02b48c6 | 310 | SSL_ALL_CIPHERS, |
018e57c7 | 311 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
312 | }, |
313 | /* Cipher 0E */ | |
314 | { | |
315 | 0, | |
316 | SSL3_TXT_DH_RSA_DES_40_CBC_SHA, | |
317 | SSL3_CK_DH_RSA_DES_40_CBC_SHA, | |
018e57c7 DSH |
318 | SSL_kDHr |SSL_aDH|SSL_DES|SSL_SHA1|SSL_SSLV3, |
319 | SSL_EXPORT|SSL_EXP40, | |
d02b48c6 | 320 | 0, |
018e57c7 DSH |
321 | 40, |
322 | 56, | |
d02b48c6 | 323 | SSL_ALL_CIPHERS, |
018e57c7 | 324 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
325 | }, |
326 | /* Cipher 0F */ | |
327 | { | |
328 | 0, | |
329 | SSL3_TXT_DH_RSA_DES_64_CBC_SHA, | |
330 | SSL3_CK_DH_RSA_DES_64_CBC_SHA, | |
018e57c7 DSH |
331 | SSL_kDHr |SSL_aDH|SSL_DES |SSL_SHA1|SSL_SSLV3, |
332 | SSL_NOT_EXP|SSL_LOW, | |
d02b48c6 | 333 | 0, |
018e57c7 DSH |
334 | 56, |
335 | 56, | |
d02b48c6 | 336 | SSL_ALL_CIPHERS, |
018e57c7 | 337 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
338 | }, |
339 | /* Cipher 10 */ | |
340 | { | |
341 | 0, | |
342 | SSL3_TXT_DH_RSA_DES_192_CBC3_SHA, | |
343 | SSL3_CK_DH_RSA_DES_192_CBC3_SHA, | |
018e57c7 DSH |
344 | SSL_kDHr |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3, |
345 | SSL_NOT_EXP|SSL_HIGH, | |
d02b48c6 | 346 | 0, |
018e57c7 DSH |
347 | 168, |
348 | 168, | |
d02b48c6 | 349 | SSL_ALL_CIPHERS, |
018e57c7 | 350 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
351 | }, |
352 | ||
353 | /* The Ephemeral DH ciphers */ | |
354 | /* Cipher 11 */ | |
355 | { | |
356 | 1, | |
357 | SSL3_TXT_EDH_DSS_DES_40_CBC_SHA, | |
358 | SSL3_CK_EDH_DSS_DES_40_CBC_SHA, | |
018e57c7 DSH |
359 | SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA1|SSL_SSLV3, |
360 | SSL_EXPORT|SSL_EXP40, | |
d02b48c6 | 361 | 0, |
018e57c7 DSH |
362 | 40, |
363 | 56, | |
d02b48c6 | 364 | SSL_ALL_CIPHERS, |
018e57c7 | 365 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
366 | }, |
367 | /* Cipher 12 */ | |
368 | { | |
369 | 1, | |
370 | SSL3_TXT_EDH_DSS_DES_64_CBC_SHA, | |
371 | SSL3_CK_EDH_DSS_DES_64_CBC_SHA, | |
018e57c7 DSH |
372 | SSL_kEDH|SSL_aDSS|SSL_DES |SSL_SHA1|SSL_SSLV3, |
373 | SSL_NOT_EXP|SSL_LOW, | |
d02b48c6 | 374 | 0, |
018e57c7 DSH |
375 | 56, |
376 | 56, | |
d02b48c6 | 377 | SSL_ALL_CIPHERS, |
018e57c7 | 378 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
379 | }, |
380 | /* Cipher 13 */ | |
381 | { | |
382 | 1, | |
383 | SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA, | |
384 | SSL3_CK_EDH_DSS_DES_192_CBC3_SHA, | |
018e57c7 DSH |
385 | SSL_kEDH|SSL_aDSS|SSL_3DES |SSL_SHA1|SSL_SSLV3, |
386 | SSL_NOT_EXP|SSL_HIGH, | |
d02b48c6 | 387 | 0, |
018e57c7 DSH |
388 | 168, |
389 | 168, | |
d02b48c6 | 390 | SSL_ALL_CIPHERS, |
018e57c7 | 391 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
392 | }, |
393 | /* Cipher 14 */ | |
394 | { | |
395 | 1, | |
396 | SSL3_TXT_EDH_RSA_DES_40_CBC_SHA, | |
397 | SSL3_CK_EDH_RSA_DES_40_CBC_SHA, | |
018e57c7 DSH |
398 | SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_SSLV3, |
399 | SSL_EXPORT|SSL_EXP40, | |
d02b48c6 | 400 | 0, |
018e57c7 DSH |
401 | 40, |
402 | 56, | |
d02b48c6 | 403 | SSL_ALL_CIPHERS, |
018e57c7 | 404 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
405 | }, |
406 | /* Cipher 15 */ | |
407 | { | |
408 | 1, | |
409 | SSL3_TXT_EDH_RSA_DES_64_CBC_SHA, | |
410 | SSL3_CK_EDH_RSA_DES_64_CBC_SHA, | |
018e57c7 DSH |
411 | SSL_kEDH|SSL_aRSA|SSL_DES |SSL_SHA1|SSL_SSLV3, |
412 | SSL_NOT_EXP|SSL_LOW, | |
d02b48c6 | 413 | 0, |
018e57c7 DSH |
414 | 56, |
415 | 56, | |
d02b48c6 | 416 | SSL_ALL_CIPHERS, |
018e57c7 | 417 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
418 | }, |
419 | /* Cipher 16 */ | |
420 | { | |
421 | 1, | |
422 | SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA, | |
423 | SSL3_CK_EDH_RSA_DES_192_CBC3_SHA, | |
018e57c7 DSH |
424 | SSL_kEDH|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3, |
425 | SSL_NOT_EXP|SSL_HIGH, | |
d02b48c6 | 426 | 0, |
018e57c7 DSH |
427 | 168, |
428 | 168, | |
d02b48c6 | 429 | SSL_ALL_CIPHERS, |
018e57c7 | 430 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
431 | }, |
432 | ||
433 | /* Fortezza */ | |
434 | /* Cipher 1C */ | |
435 | { | |
436 | 0, | |
437 | SSL3_TXT_FZA_DMS_NULL_SHA, | |
438 | SSL3_CK_FZA_DMS_NULL_SHA, | |
018e57c7 DSH |
439 | SSL_kFZA|SSL_aFZA |SSL_eNULL |SSL_SHA1|SSL_SSLV3, |
440 | SSL_NOT_EXP, | |
441 | 0, | |
442 | 0, | |
d02b48c6 RE |
443 | 0, |
444 | SSL_ALL_CIPHERS, | |
018e57c7 | 445 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
446 | }, |
447 | ||
448 | /* Cipher 1D */ | |
449 | { | |
450 | 0, | |
451 | SSL3_TXT_FZA_DMS_FZA_SHA, | |
452 | SSL3_CK_FZA_DMS_FZA_SHA, | |
018e57c7 DSH |
453 | SSL_kFZA|SSL_aFZA |SSL_eFZA |SSL_SHA1|SSL_SSLV3, |
454 | SSL_NOT_EXP, | |
455 | 0, | |
456 | 0, | |
d02b48c6 RE |
457 | 0, |
458 | SSL_ALL_CIPHERS, | |
018e57c7 | 459 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
460 | }, |
461 | ||
462 | /* Cipher 1E */ | |
463 | { | |
464 | 0, | |
465 | SSL3_TXT_FZA_DMS_RC4_SHA, | |
466 | SSL3_CK_FZA_DMS_RC4_SHA, | |
018e57c7 DSH |
467 | SSL_kFZA|SSL_aFZA |SSL_RC4 |SSL_SHA1|SSL_SSLV3, |
468 | SSL_NOT_EXP, | |
d02b48c6 | 469 | 0, |
018e57c7 DSH |
470 | 128, |
471 | 128, | |
d02b48c6 | 472 | SSL_ALL_CIPHERS, |
018e57c7 | 473 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
474 | }, |
475 | ||
bc348244 | 476 | #if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES |
06ab81f9 BL |
477 | /* New TLS Export CipherSuites */ |
478 | /* Cipher 60 */ | |
479 | { | |
480 | 1, | |
abed0b8a BL |
481 | TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5, |
482 | TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5, | |
018e57c7 DSH |
483 | SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_TLSV1, |
484 | SSL_EXPORT|SSL_EXP56, | |
06ab81f9 | 485 | 0, |
018e57c7 DSH |
486 | 56, |
487 | 128, | |
488 | SSL_ALL_CIPHERS, | |
489 | SSL_ALL_STRENGTHS, | |
06ab81f9 BL |
490 | }, |
491 | /* Cipher 61 */ | |
492 | { | |
493 | 1, | |
abed0b8a BL |
494 | TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5, |
495 | TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5, | |
018e57c7 DSH |
496 | SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_TLSV1, |
497 | SSL_EXPORT|SSL_EXP56, | |
06ab81f9 | 498 | 0, |
018e57c7 DSH |
499 | 56, |
500 | 128, | |
501 | SSL_ALL_CIPHERS, | |
502 | SSL_ALL_STRENGTHS, | |
06ab81f9 BL |
503 | }, |
504 | /* Cipher 62 */ | |
505 | { | |
506 | 1, | |
abed0b8a BL |
507 | TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA, |
508 | TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA, | |
018e57c7 DSH |
509 | SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA|SSL_TLSV1, |
510 | SSL_EXPORT|SSL_EXP56, | |
06ab81f9 | 511 | 0, |
018e57c7 DSH |
512 | 56, |
513 | 56, | |
514 | SSL_ALL_CIPHERS, | |
515 | SSL_ALL_STRENGTHS, | |
06ab81f9 | 516 | }, |
abed0b8a BL |
517 | /* Cipher 63 */ |
518 | { | |
519 | 1, | |
520 | TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA, | |
521 | TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA, | |
018e57c7 DSH |
522 | SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA|SSL_TLSV1, |
523 | SSL_EXPORT|SSL_EXP56, | |
abed0b8a | 524 | 0, |
018e57c7 DSH |
525 | 56, |
526 | 56, | |
527 | SSL_ALL_CIPHERS, | |
528 | SSL_ALL_STRENGTHS, | |
abed0b8a BL |
529 | }, |
530 | /* Cipher 64 */ | |
531 | { | |
532 | 1, | |
533 | TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA, | |
534 | TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA, | |
018e57c7 DSH |
535 | SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1, |
536 | SSL_EXPORT|SSL_EXP56, | |
abed0b8a | 537 | 0, |
018e57c7 DSH |
538 | 56, |
539 | 128, | |
540 | SSL_ALL_CIPHERS, | |
541 | SSL_ALL_STRENGTHS, | |
abed0b8a BL |
542 | }, |
543 | /* Cipher 65 */ | |
544 | { | |
545 | 1, | |
546 | TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA, | |
547 | TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA, | |
018e57c7 DSH |
548 | SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1, |
549 | SSL_EXPORT|SSL_EXP56, | |
abed0b8a | 550 | 0, |
018e57c7 DSH |
551 | 56, |
552 | 128, | |
553 | SSL_ALL_CIPHERS, | |
554 | SSL_ALL_STRENGTHS, | |
abed0b8a BL |
555 | }, |
556 | /* Cipher 66 */ | |
557 | { | |
558 | 1, | |
559 | TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA, | |
560 | TLS1_CK_DHE_DSS_WITH_RC4_128_SHA, | |
561 | SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1, | |
018e57c7 | 562 | SSL_NOT_EXP, |
abed0b8a | 563 | 0, |
018e57c7 DSH |
564 | 128, |
565 | 128, | |
566 | SSL_ALL_CIPHERS, | |
567 | SSL_ALL_STRENGTHS | |
abed0b8a | 568 | }, |
bc348244 | 569 | #endif |
06ab81f9 | 570 | |
d02b48c6 RE |
571 | /* end of list */ |
572 | }; | |
573 | ||
58964a49 RE |
574 | static SSL3_ENC_METHOD SSLv3_enc_data={ |
575 | ssl3_enc, | |
576 | ssl3_mac, | |
577 | ssl3_setup_key_block, | |
578 | ssl3_generate_master_secret, | |
579 | ssl3_change_cipher_state, | |
580 | ssl3_final_finish_mac, | |
581 | MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH, | |
582 | ssl3_cert_verify_mac, | |
583 | SSL3_MD_CLIENT_FINISHED_CONST,4, | |
584 | SSL3_MD_SERVER_FINISHED_CONST,4, | |
585 | ssl3_alert_code, | |
586 | }; | |
587 | ||
d02b48c6 | 588 | static SSL_METHOD SSLv3_data= { |
58964a49 | 589 | SSL3_VERSION, |
d02b48c6 RE |
590 | ssl3_new, |
591 | ssl3_clear, | |
592 | ssl3_free, | |
593 | ssl_undefined_function, | |
594 | ssl_undefined_function, | |
595 | ssl3_read, | |
596 | ssl3_peek, | |
597 | ssl3_write, | |
598 | ssl3_shutdown, | |
599 | ssl3_renegotiate, | |
dfeab068 | 600 | ssl3_renegotiate_check, |
d02b48c6 RE |
601 | ssl3_ctrl, |
602 | ssl3_ctx_ctrl, | |
603 | ssl3_get_cipher_by_char, | |
604 | ssl3_put_cipher_by_char, | |
605 | ssl3_pending, | |
606 | ssl3_num_ciphers, | |
607 | ssl3_get_cipher, | |
608 | ssl_bad_method, | |
609 | ssl3_default_timeout, | |
58964a49 | 610 | &SSLv3_enc_data, |
d02b48c6 RE |
611 | }; |
612 | ||
a9188d4e RL |
613 | union rsa_fn_to_char_u |
614 | { | |
615 | char *char_p; | |
616 | RSA *(*fn_p)(SSL *, int, int); | |
617 | }; | |
618 | ||
619 | union dh_fn_to_char_u | |
620 | { | |
621 | char *char_p; | |
622 | DH *(*fn_p)(SSL *, int, int); | |
623 | }; | |
624 | ||
6b691a5c | 625 | static long ssl3_default_timeout(void) |
d02b48c6 RE |
626 | { |
627 | /* 2 hours, the 24 hours mentioned in the SSLv3 spec | |
628 | * is way too long for http, the cache would over fill */ | |
629 | return(60*60*2); | |
630 | } | |
631 | ||
6b691a5c | 632 | SSL_METHOD *sslv3_base_method(void) |
d02b48c6 RE |
633 | { |
634 | return(&SSLv3_data); | |
635 | } | |
636 | ||
6b691a5c | 637 | int ssl3_num_ciphers(void) |
d02b48c6 RE |
638 | { |
639 | return(SSL3_NUM_CIPHERS); | |
640 | } | |
641 | ||
6b691a5c | 642 | SSL_CIPHER *ssl3_get_cipher(unsigned int u) |
d02b48c6 RE |
643 | { |
644 | if (u < SSL3_NUM_CIPHERS) | |
645 | return(&(ssl3_ciphers[SSL3_NUM_CIPHERS-1-u])); | |
646 | else | |
647 | return(NULL); | |
648 | } | |
649 | ||
650 | /* The problem is that it may not be the correct record type */ | |
6b691a5c | 651 | int ssl3_pending(SSL *s) |
d02b48c6 RE |
652 | { |
653 | return(s->s3->rrec.length); | |
654 | } | |
655 | ||
6b691a5c | 656 | int ssl3_new(SSL *s) |
d02b48c6 RE |
657 | { |
658 | SSL3_CTX *s3; | |
659 | ||
660 | if ((s3=(SSL3_CTX *)Malloc(sizeof(SSL3_CTX))) == NULL) goto err; | |
58964a49 | 661 | memset(s3,0,sizeof(SSL3_CTX)); |
d02b48c6 RE |
662 | |
663 | s->s3=s3; | |
58964a49 | 664 | /* |
d02b48c6 RE |
665 | s->s3->tmp.ca_names=NULL; |
666 | s->s3->tmp.key_block=NULL; | |
58964a49 | 667 | s->s3->tmp.key_block_length=0; |
d02b48c6 RE |
668 | s->s3->rbuf.buf=NULL; |
669 | s->s3->wbuf.buf=NULL; | |
58964a49 | 670 | */ |
d02b48c6 | 671 | |
58964a49 | 672 | s->method->ssl_clear(s); |
d02b48c6 RE |
673 | return(1); |
674 | err: | |
675 | return(0); | |
676 | } | |
677 | ||
6b691a5c | 678 | void ssl3_free(SSL *s) |
d02b48c6 | 679 | { |
e03ddfae BL |
680 | if(s == NULL) |
681 | return; | |
682 | ||
d02b48c6 RE |
683 | ssl3_cleanup_key_block(s); |
684 | if (s->s3->rbuf.buf != NULL) | |
685 | Free(s->s3->rbuf.buf); | |
686 | if (s->s3->wbuf.buf != NULL) | |
687 | Free(s->s3->wbuf.buf); | |
dfeab068 RE |
688 | if (s->s3->rrec.comp != NULL) |
689 | Free(s->s3->rrec.comp); | |
d02b48c6 RE |
690 | #ifndef NO_DH |
691 | if (s->s3->tmp.dh != NULL) | |
692 | DH_free(s->s3->tmp.dh); | |
693 | #endif | |
694 | if (s->s3->tmp.ca_names != NULL) | |
f73e07cf | 695 | sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free); |
d02b48c6 RE |
696 | memset(s->s3,0,sizeof(SSL3_CTX)); |
697 | Free(s->s3); | |
698 | s->s3=NULL; | |
699 | } | |
700 | ||
6b691a5c | 701 | void ssl3_clear(SSL *s) |
d02b48c6 RE |
702 | { |
703 | unsigned char *rp,*wp; | |
704 | ||
705 | ssl3_cleanup_key_block(s); | |
706 | if (s->s3->tmp.ca_names != NULL) | |
f73e07cf | 707 | sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free); |
d02b48c6 | 708 | |
413c4f45 MC |
709 | if (s->s3->rrec.comp != NULL) |
710 | { | |
711 | Free(s->s3->rrec.comp); | |
712 | s->s3->rrec.comp=NULL; | |
713 | } | |
714 | ||
d02b48c6 RE |
715 | rp=s->s3->rbuf.buf; |
716 | wp=s->s3->wbuf.buf; | |
717 | ||
718 | memset(s->s3,0,sizeof(SSL3_CTX)); | |
58964a49 RE |
719 | if (rp != NULL) s->s3->rbuf.buf=rp; |
720 | if (wp != NULL) s->s3->wbuf.buf=wp; | |
dfeab068 | 721 | |
413c4f45 | 722 | ssl_free_wbio_buffer(s); |
dfeab068 | 723 | |
d02b48c6 | 724 | s->packet_length=0; |
58964a49 RE |
725 | s->s3->renegotiate=0; |
726 | s->s3->total_renegotiations=0; | |
727 | s->s3->num_renegotiations=0; | |
728 | s->s3->in_read_app_data=0; | |
729 | s->version=SSL3_VERSION; | |
d02b48c6 RE |
730 | } |
731 | ||
6b691a5c | 732 | long ssl3_ctrl(SSL *s, int cmd, long larg, char *parg) |
d02b48c6 | 733 | { |
58964a49 RE |
734 | int ret=0; |
735 | ||
15d21c2d RE |
736 | #if !defined(NO_DSA) || !defined(NO_RSA) |
737 | if ( | |
738 | #ifndef NO_RSA | |
739 | cmd == SSL_CTRL_SET_TMP_RSA || | |
740 | cmd == SSL_CTRL_SET_TMP_RSA_CB || | |
741 | #endif | |
742 | #ifndef NO_DSA | |
743 | cmd == SSL_CTRL_SET_TMP_DH || | |
744 | cmd == SSL_CTRL_SET_TMP_DH_CB || | |
745 | #endif | |
746 | 0) | |
747 | { | |
ca8e5b9b | 748 | if (!ssl_cert_inst(&s->cert)) |
15d21c2d RE |
749 | { |
750 | SSLerr(SSL_F_SSL3_CTRL, ERR_R_MALLOC_FAILURE); | |
751 | return(0); | |
752 | } | |
753 | } | |
754 | #endif | |
755 | ||
58964a49 RE |
756 | switch (cmd) |
757 | { | |
758 | case SSL_CTRL_GET_SESSION_REUSED: | |
759 | ret=s->hit; | |
760 | break; | |
761 | case SSL_CTRL_GET_CLIENT_CERT_REQUEST: | |
762 | break; | |
763 | case SSL_CTRL_GET_NUM_RENEGOTIATIONS: | |
764 | ret=s->s3->num_renegotiations; | |
765 | break; | |
766 | case SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS: | |
767 | ret=s->s3->num_renegotiations; | |
768 | s->s3->num_renegotiations=0; | |
769 | break; | |
770 | case SSL_CTRL_GET_TOTAL_RENEGOTIATIONS: | |
771 | ret=s->s3->total_renegotiations; | |
772 | break; | |
dfeab068 | 773 | case SSL_CTRL_GET_FLAGS: |
651d0aff | 774 | ret=(int)(s->s3->flags); |
dfeab068 | 775 | break; |
15d21c2d RE |
776 | #ifndef NO_RSA |
777 | case SSL_CTRL_NEED_TMP_RSA: | |
778 | if ((s->cert != NULL) && (s->cert->rsa_tmp == NULL) && | |
779 | ((s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) || | |
780 | (EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey) > (512/8)))) | |
781 | ret = 1; | |
782 | break; | |
783 | case SSL_CTRL_SET_TMP_RSA: | |
784 | { | |
785 | RSA *rsa = (RSA *)parg; | |
786 | if (rsa == NULL) { | |
787 | SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER); | |
788 | return(ret); | |
789 | } | |
790 | if ((rsa = RSAPrivateKey_dup(rsa)) == NULL) { | |
791 | SSLerr(SSL_F_SSL3_CTRL, ERR_R_RSA_LIB); | |
792 | return(ret); | |
793 | } | |
794 | if (s->cert->rsa_tmp != NULL) | |
795 | RSA_free(s->cert->rsa_tmp); | |
796 | s->cert->rsa_tmp = rsa; | |
797 | ret = 1; | |
798 | } | |
799 | break; | |
800 | case SSL_CTRL_SET_TMP_RSA_CB: | |
a9188d4e RL |
801 | { |
802 | union rsa_fn_to_char_u rsa_tmp_cb; | |
803 | ||
804 | rsa_tmp_cb.char_p = parg; | |
805 | s->cert->rsa_tmp_cb = rsa_tmp_cb.fn_p; | |
806 | } | |
15d21c2d RE |
807 | break; |
808 | #endif | |
809 | #ifndef NO_DH | |
810 | case SSL_CTRL_SET_TMP_DH: | |
811 | { | |
812 | DH *dh = (DH *)parg; | |
813 | if (dh == NULL) { | |
814 | SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER); | |
815 | return(ret); | |
816 | } | |
817 | if ((dh = DHparams_dup(dh)) == NULL) { | |
818 | SSLerr(SSL_F_SSL3_CTRL, ERR_R_DH_LIB); | |
819 | return(ret); | |
820 | } | |
821 | if (!DH_generate_key(dh)) { | |
822 | DH_free(dh); | |
823 | SSLerr(SSL_F_SSL3_CTRL, ERR_R_DH_LIB); | |
824 | return(ret); | |
825 | } | |
826 | if (s->cert->dh_tmp != NULL) | |
827 | DH_free(s->cert->dh_tmp); | |
828 | s->cert->dh_tmp = dh; | |
829 | ret = 1; | |
830 | } | |
831 | break; | |
832 | case SSL_CTRL_SET_TMP_DH_CB: | |
a9188d4e RL |
833 | { |
834 | union dh_fn_to_char_u dh_tmp_cb; | |
835 | ||
836 | dh_tmp_cb.char_p = parg; | |
837 | s->cert->dh_tmp_cb = dh_tmp_cb.fn_p; | |
838 | } | |
15d21c2d RE |
839 | break; |
840 | #endif | |
58964a49 RE |
841 | default: |
842 | break; | |
843 | } | |
844 | return(ret); | |
d02b48c6 RE |
845 | } |
846 | ||
6b691a5c | 847 | long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, char *parg) |
d02b48c6 RE |
848 | { |
849 | CERT *cert; | |
850 | ||
ca8e5b9b | 851 | cert=ctx->cert; |
d02b48c6 RE |
852 | |
853 | switch (cmd) | |
854 | { | |
855 | #ifndef NO_RSA | |
856 | case SSL_CTRL_NEED_TMP_RSA: | |
857 | if ( (cert->rsa_tmp == NULL) && | |
858 | ((cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) || | |
859 | (EVP_PKEY_size(cert->pkeys[SSL_PKEY_RSA_ENC].privatekey) > (512/8))) | |
860 | ) | |
861 | return(1); | |
862 | else | |
863 | return(0); | |
dfeab068 | 864 | /* break; */ |
d02b48c6 RE |
865 | case SSL_CTRL_SET_TMP_RSA: |
866 | { | |
867 | RSA *rsa; | |
868 | int i; | |
869 | ||
870 | rsa=(RSA *)parg; | |
871 | i=1; | |
872 | if (rsa == NULL) | |
873 | i=0; | |
874 | else | |
875 | { | |
876 | if ((rsa=RSAPrivateKey_dup(rsa)) == NULL) | |
877 | i=0; | |
878 | } | |
879 | if (!i) | |
880 | { | |
881 | SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_RSA_LIB); | |
882 | return(0); | |
883 | } | |
884 | else | |
885 | { | |
886 | if (cert->rsa_tmp != NULL) | |
887 | RSA_free(cert->rsa_tmp); | |
888 | cert->rsa_tmp=rsa; | |
889 | return(1); | |
890 | } | |
891 | } | |
dfeab068 | 892 | /* break; */ |
d02b48c6 | 893 | case SSL_CTRL_SET_TMP_RSA_CB: |
a9188d4e RL |
894 | { |
895 | union rsa_fn_to_char_u rsa_tmp_cb; | |
896 | ||
897 | rsa_tmp_cb.char_p = parg; | |
898 | cert->rsa_tmp_cb = rsa_tmp_cb.fn_p; | |
899 | } | |
d02b48c6 RE |
900 | break; |
901 | #endif | |
902 | #ifndef NO_DH | |
903 | case SSL_CTRL_SET_TMP_DH: | |
904 | { | |
905 | DH *new=NULL,*dh; | |
dfeab068 | 906 | int rret=0; |
d02b48c6 RE |
907 | |
908 | dh=(DH *)parg; | |
909 | if ( ((new=DHparams_dup(dh)) == NULL) || | |
910 | (!DH_generate_key(new))) | |
911 | { | |
912 | SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_DH_LIB); | |
913 | if (new != NULL) DH_free(new); | |
d02b48c6 RE |
914 | } |
915 | else | |
916 | { | |
917 | if (cert->dh_tmp != NULL) | |
918 | DH_free(cert->dh_tmp); | |
919 | cert->dh_tmp=new; | |
dfeab068 | 920 | rret=1; |
d02b48c6 | 921 | } |
dfeab068 | 922 | return(rret); |
d02b48c6 | 923 | } |
dfeab068 | 924 | /*break; */ |
d02b48c6 | 925 | case SSL_CTRL_SET_TMP_DH_CB: |
a9188d4e RL |
926 | { |
927 | union dh_fn_to_char_u dh_tmp_cb; | |
928 | ||
929 | dh_tmp_cb.char_p = parg; | |
930 | cert->dh_tmp_cb = dh_tmp_cb.fn_p; | |
931 | } | |
d02b48c6 RE |
932 | break; |
933 | #endif | |
651d0aff | 934 | /* A Thawte special :-) */ |
dfeab068 RE |
935 | case SSL_CTRL_EXTRA_CHAIN_CERT: |
936 | if (ctx->extra_certs == NULL) | |
937 | { | |
f73e07cf | 938 | if ((ctx->extra_certs=sk_X509_new_null()) == NULL) |
dfeab068 RE |
939 | return(0); |
940 | } | |
f73e07cf | 941 | sk_X509_push(ctx->extra_certs,(X509 *)parg); |
dfeab068 RE |
942 | break; |
943 | ||
d02b48c6 RE |
944 | default: |
945 | return(0); | |
946 | } | |
947 | return(1); | |
948 | } | |
949 | ||
950 | /* This function needs to check if the ciphers required are actually | |
951 | * available */ | |
6b691a5c | 952 | SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p) |
d02b48c6 RE |
953 | { |
954 | static int init=1; | |
955 | static SSL_CIPHER *sorted[SSL3_NUM_CIPHERS]; | |
956 | SSL_CIPHER c,*cp= &c,**cpp; | |
957 | unsigned long id; | |
958 | int i; | |
959 | ||
960 | if (init) | |
961 | { | |
5cc146f3 | 962 | CRYPTO_w_lock(CRYPTO_LOCK_SSL); |
d02b48c6 RE |
963 | |
964 | for (i=0; i<SSL3_NUM_CIPHERS; i++) | |
965 | sorted[i]= &(ssl3_ciphers[i]); | |
966 | ||
967 | qsort( (char *)sorted, | |
968 | SSL3_NUM_CIPHERS,sizeof(SSL_CIPHER *), | |
969 | FP_ICC ssl_cipher_ptr_id_cmp); | |
5cc146f3 BM |
970 | |
971 | CRYPTO_w_unlock(CRYPTO_LOCK_SSL); | |
972 | ||
973 | init=0; | |
d02b48c6 RE |
974 | } |
975 | ||
976 | id=0x03000000L|((unsigned long)p[0]<<8L)|(unsigned long)p[1]; | |
977 | c.id=id; | |
978 | cpp=(SSL_CIPHER **)OBJ_bsearch((char *)&cp, | |
979 | (char *)sorted, | |
980 | SSL3_NUM_CIPHERS,sizeof(SSL_CIPHER *), | |
981 | (int (*)())ssl_cipher_ptr_id_cmp); | |
982 | if ((cpp == NULL) || !(*cpp)->valid) | |
983 | return(NULL); | |
984 | else | |
985 | return(*cpp); | |
986 | } | |
987 | ||
6b691a5c | 988 | int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p) |
d02b48c6 RE |
989 | { |
990 | long l; | |
991 | ||
992 | if (p != NULL) | |
993 | { | |
994 | l=c->id; | |
995 | if ((l & 0xff000000) != 0x03000000) return(0); | |
996 | p[0]=((unsigned char)(l>> 8L))&0xFF; | |
997 | p[1]=((unsigned char)(l ))&0xFF; | |
998 | } | |
999 | return(2); | |
1000 | } | |
1001 | ||
6b691a5c | 1002 | int ssl3_part_read(SSL *s, int i) |
d02b48c6 RE |
1003 | { |
1004 | s->rwstate=SSL_READING; | |
1005 | ||
1006 | if (i < 0) | |
1007 | { | |
1008 | return(i); | |
1009 | } | |
1010 | else | |
1011 | { | |
1012 | s->init_num+=i; | |
1013 | return(0); | |
1014 | } | |
1015 | } | |
1016 | ||
6b691a5c UM |
1017 | SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *have, |
1018 | STACK_OF(SSL_CIPHER) *pref) | |
d02b48c6 RE |
1019 | { |
1020 | SSL_CIPHER *c,*ret=NULL; | |
1021 | int i,j,ok; | |
1022 | CERT *cert; | |
1023 | unsigned long alg,mask,emask; | |
1024 | ||
ca8e5b9b BM |
1025 | /* Let's see which ciphers we can support */ |
1026 | cert=s->cert; | |
d02b48c6 | 1027 | |
f73e07cf | 1028 | sk_SSL_CIPHER_set_cmp_func(pref,ssl_cipher_ptr_id_cmp); |
d02b48c6 | 1029 | |
f415fa32 BL |
1030 | #ifdef CIPHER_DEBUG |
1031 | printf("Have:\n"); | |
1032 | for(i=0 ; i < sk_num(pref) ; ++i) | |
1033 | { | |
1034 | c=(SSL_CIPHER *)sk_value(pref,i); | |
1035 | printf("%p:%s\n",c,c->name); | |
1036 | } | |
1037 | #endif | |
1038 | ||
f73e07cf | 1039 | for (i=0; i<sk_SSL_CIPHER_num(have); i++) |
d02b48c6 | 1040 | { |
f73e07cf | 1041 | c=sk_SSL_CIPHER_value(have,i); |
60e31c3a | 1042 | |
ca8e5b9b | 1043 | ssl_set_cert_masks(cert,c); |
60e31c3a BL |
1044 | mask=cert->mask; |
1045 | emask=cert->export_mask; | |
1046 | ||
d02b48c6 | 1047 | alg=c->algorithms&(SSL_MKEY_MASK|SSL_AUTH_MASK); |
018e57c7 | 1048 | if (SSL_C_IS_EXPORT(c)) |
d02b48c6 RE |
1049 | { |
1050 | ok=((alg & emask) == alg)?1:0; | |
1051 | #ifdef CIPHER_DEBUG | |
f415fa32 BL |
1052 | printf("%d:[%08lX:%08lX]%p:%s (export)\n",ok,alg,emask, |
1053 | c,c->name); | |
d02b48c6 RE |
1054 | #endif |
1055 | } | |
1056 | else | |
1057 | { | |
1058 | ok=((alg & mask) == alg)?1:0; | |
1059 | #ifdef CIPHER_DEBUG | |
f415fa32 BL |
1060 | printf("%d:[%08lX:%08lX]%p:%s\n",ok,alg,mask,c, |
1061 | c->name); | |
d02b48c6 RE |
1062 | #endif |
1063 | } | |
1064 | ||
1065 | if (!ok) continue; | |
1066 | ||
f73e07cf | 1067 | j=sk_SSL_CIPHER_find(pref,c); |
d02b48c6 RE |
1068 | if (j >= 0) |
1069 | { | |
f73e07cf | 1070 | ret=sk_SSL_CIPHER_value(pref,j); |
d02b48c6 RE |
1071 | break; |
1072 | } | |
1073 | } | |
1074 | return(ret); | |
1075 | } | |
1076 | ||
6b691a5c | 1077 | int ssl3_get_req_cert_type(SSL *s, unsigned char *p) |
d02b48c6 RE |
1078 | { |
1079 | int ret=0; | |
1080 | unsigned long alg; | |
1081 | ||
1082 | alg=s->s3->tmp.new_cipher->algorithms; | |
1083 | ||
1084 | #ifndef NO_DH | |
1085 | if (alg & (SSL_kDHr|SSL_kEDH)) | |
1086 | { | |
dfeab068 | 1087 | # ifndef NO_RSA |
d02b48c6 | 1088 | p[ret++]=SSL3_CT_RSA_FIXED_DH; |
dfeab068 RE |
1089 | # endif |
1090 | # ifndef NO_DSA | |
d02b48c6 | 1091 | p[ret++]=SSL3_CT_DSS_FIXED_DH; |
dfeab068 | 1092 | # endif |
d02b48c6 | 1093 | } |
58964a49 RE |
1094 | if ((s->version == SSL3_VERSION) && |
1095 | (alg & (SSL_kEDH|SSL_kDHd|SSL_kDHr))) | |
d02b48c6 | 1096 | { |
dfeab068 | 1097 | # ifndef NO_RSA |
d02b48c6 | 1098 | p[ret++]=SSL3_CT_RSA_EPHEMERAL_DH; |
dfeab068 RE |
1099 | # endif |
1100 | # ifndef NO_DSA | |
d02b48c6 | 1101 | p[ret++]=SSL3_CT_DSS_EPHEMERAL_DH; |
dfeab068 | 1102 | # endif |
d02b48c6 RE |
1103 | } |
1104 | #endif /* !NO_DH */ | |
1105 | #ifndef NO_RSA | |
1106 | p[ret++]=SSL3_CT_RSA_SIGN; | |
1107 | #endif | |
dfeab068 | 1108 | #ifndef NO_DSA |
58964a49 | 1109 | p[ret++]=SSL3_CT_DSS_SIGN; |
dfeab068 | 1110 | #endif |
d02b48c6 RE |
1111 | return(ret); |
1112 | } | |
1113 | ||
6b691a5c | 1114 | int ssl3_shutdown(SSL *s) |
d02b48c6 RE |
1115 | { |
1116 | ||
1117 | /* Don't do anything much if we have not done the handshake or | |
1118 | * we don't want to send messages :-) */ | |
1119 | if ((s->quiet_shutdown) || (s->state == SSL_ST_BEFORE)) | |
1120 | { | |
1121 | s->shutdown=(SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); | |
1122 | return(1); | |
1123 | } | |
1124 | ||
1125 | if (!(s->shutdown & SSL_SENT_SHUTDOWN)) | |
1126 | { | |
1127 | s->shutdown|=SSL_SENT_SHUTDOWN; | |
1128 | #if 1 | |
58964a49 | 1129 | ssl3_send_alert(s,SSL3_AL_WARNING,SSL_AD_CLOSE_NOTIFY); |
d02b48c6 RE |
1130 | #endif |
1131 | /* our shutdown alert has been sent now, and if it still needs | |
1132 | * to be written, s->s3->alert_dispatch will be true */ | |
1133 | } | |
1134 | else if (s->s3->alert_dispatch) | |
1135 | { | |
1136 | /* resend it if not sent */ | |
1137 | #if 1 | |
1138 | ssl3_dispatch_alert(s); | |
1139 | #endif | |
1140 | } | |
1141 | else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) | |
1142 | { | |
1143 | /* If we are waiting for a close from our peer, we are closed */ | |
1144 | ssl3_read_bytes(s,0,NULL,0); | |
1145 | } | |
1146 | ||
1147 | if ((s->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) && | |
1148 | !s->s3->alert_dispatch) | |
1149 | return(1); | |
1150 | else | |
1151 | return(0); | |
1152 | } | |
1153 | ||
61f5b6f3 | 1154 | int ssl3_write(SSL *s, const void *buf, int len) |
d02b48c6 RE |
1155 | { |
1156 | int ret,n; | |
d02b48c6 RE |
1157 | |
1158 | #if 0 | |
1159 | if (s->shutdown & SSL_SEND_SHUTDOWN) | |
1160 | { | |
1161 | s->rwstate=SSL_NOTHING; | |
1162 | return(0); | |
1163 | } | |
1164 | #endif | |
58964a49 RE |
1165 | clear_sys_error(); |
1166 | if (s->s3->renegotiate) ssl3_renegotiate_check(s); | |
d02b48c6 RE |
1167 | |
1168 | /* This is an experimental flag that sends the | |
1169 | * last handshake message in the same packet as the first | |
1170 | * use data - used to see if it helps the TCP protocol during | |
1171 | * session-id reuse */ | |
1172 | /* The second test is because the buffer may have been removed */ | |
1173 | if ((s->s3->flags & SSL3_FLAGS_POP_BUFFER) && (s->wbio == s->bbio)) | |
1174 | { | |
1175 | /* First time through, we write into the buffer */ | |
1176 | if (s->s3->delay_buf_pop_ret == 0) | |
1177 | { | |
1178 | ret=ssl3_write_bytes(s,SSL3_RT_APPLICATION_DATA, | |
e778802f | 1179 | buf,len); |
d02b48c6 RE |
1180 | if (ret <= 0) return(ret); |
1181 | ||
1182 | s->s3->delay_buf_pop_ret=ret; | |
1183 | } | |
1184 | ||
1185 | s->rwstate=SSL_WRITING; | |
1186 | n=BIO_flush(s->wbio); | |
1187 | if (n <= 0) return(n); | |
1188 | s->rwstate=SSL_NOTHING; | |
1189 | ||
413c4f45 MC |
1190 | /* We have flushed the buffer, so remove it */ |
1191 | ssl_free_wbio_buffer(s); | |
1192 | s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER; | |
1193 | ||
d02b48c6 RE |
1194 | ret=s->s3->delay_buf_pop_ret; |
1195 | s->s3->delay_buf_pop_ret=0; | |
d02b48c6 RE |
1196 | } |
1197 | else | |
1198 | { | |
1199 | ret=ssl3_write_bytes(s,SSL3_RT_APPLICATION_DATA, | |
e778802f | 1200 | buf,len); |
d02b48c6 RE |
1201 | if (ret <= 0) return(ret); |
1202 | } | |
58964a49 | 1203 | |
d02b48c6 RE |
1204 | return(ret); |
1205 | } | |
1206 | ||
61f5b6f3 | 1207 | int ssl3_read(SSL *s, void *buf, int len) |
d02b48c6 | 1208 | { |
58964a49 RE |
1209 | int ret; |
1210 | ||
1211 | clear_sys_error(); | |
1212 | if (s->s3->renegotiate) ssl3_renegotiate_check(s); | |
1213 | s->s3->in_read_app_data=1; | |
1214 | ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len); | |
1215 | if ((ret == -1) && (s->s3->in_read_app_data == 0)) | |
1216 | { | |
1217 | ERR_get_error(); /* clear the error */ | |
1218 | s->s3->in_read_app_data=0; | |
1219 | s->in_handshake++; | |
1220 | ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len); | |
1221 | s->in_handshake--; | |
1222 | } | |
1223 | else | |
1224 | s->s3->in_read_app_data=0; | |
1225 | ||
1226 | return(ret); | |
d02b48c6 RE |
1227 | } |
1228 | ||
6b691a5c | 1229 | int ssl3_peek(SSL *s, char *buf, int len) |
d02b48c6 RE |
1230 | { |
1231 | SSL3_RECORD *rr; | |
1232 | int n; | |
1233 | ||
1234 | rr= &(s->s3->rrec); | |
1235 | if ((rr->length == 0) || (rr->type != SSL3_RT_APPLICATION_DATA)) | |
58964a49 RE |
1236 | { |
1237 | n=ssl3_read(s,buf,1); | |
1238 | if (n <= 0) return(n); | |
1239 | rr->length++; | |
1240 | rr->off--; | |
1241 | } | |
d02b48c6 RE |
1242 | |
1243 | if ((unsigned int)len > rr->length) | |
1244 | n=rr->length; | |
1245 | else | |
1246 | n=len; | |
1247 | memcpy(buf,&(rr->data[rr->off]),(unsigned int)n); | |
1248 | return(n); | |
1249 | } | |
1250 | ||
6b691a5c | 1251 | int ssl3_renegotiate(SSL *s) |
d02b48c6 RE |
1252 | { |
1253 | if (s->handshake_func == NULL) | |
1254 | return(1); | |
1255 | ||
1256 | if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) | |
1257 | return(0); | |
1258 | ||
58964a49 | 1259 | s->s3->renegotiate=1; |
d02b48c6 RE |
1260 | return(1); |
1261 | } | |
1262 | ||
6b691a5c | 1263 | int ssl3_renegotiate_check(SSL *s) |
58964a49 RE |
1264 | { |
1265 | int ret=0; | |
1266 | ||
1267 | if (s->s3->renegotiate) | |
1268 | { | |
1269 | if ( (s->s3->rbuf.left == 0) && | |
1270 | (s->s3->wbuf.left == 0) && | |
1271 | !SSL_in_init(s)) | |
1272 | { | |
1273 | /* | |
1274 | if we are the server, and we have sent a 'RENEGOTIATE' message, we | |
de808df4 | 1275 | need to go to SSL_ST_ACCEPT. |
58964a49 RE |
1276 | */ |
1277 | /* SSL_ST_ACCEPT */ | |
1278 | s->state=SSL_ST_RENEGOTIATE; | |
1279 | s->s3->renegotiate=0; | |
1280 | s->s3->num_renegotiations++; | |
1281 | s->s3->total_renegotiations++; | |
1282 | ret=1; | |
1283 | } | |
1284 | } | |
1285 | return(ret); | |
1286 | } | |
1287 |