]>
Commit | Line | Data |
---|---|---|
d02b48c6 | 1 | /* ssl/s3_lib.c */ |
58964a49 | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
d02b48c6 RE |
3 | * All rights reserved. |
4 | * | |
5 | * This package is an SSL implementation written | |
6 | * by Eric Young (eay@cryptsoft.com). | |
7 | * The implementation was written so as to conform with Netscapes SSL. | |
8 | * | |
9 | * This library is free for commercial and non-commercial use as long as | |
10 | * the following conditions are aheared to. The following conditions | |
11 | * apply to all code found in this distribution, be it the RC4, RSA, | |
12 | * lhash, DES, etc., code; not just the SSL code. The SSL documentation | |
13 | * included with this distribution is covered by the same copyright terms | |
14 | * except that the holder is Tim Hudson (tjh@cryptsoft.com). | |
15 | * | |
16 | * Copyright remains Eric Young's, and as such any Copyright notices in | |
17 | * the code are not to be removed. | |
18 | * If this package is used in a product, Eric Young should be given attribution | |
19 | * as the author of the parts of the library used. | |
20 | * This can be in the form of a textual message at program startup or | |
21 | * in documentation (online or textual) provided with the package. | |
22 | * | |
23 | * Redistribution and use in source and binary forms, with or without | |
24 | * modification, are permitted provided that the following conditions | |
25 | * are met: | |
26 | * 1. Redistributions of source code must retain the copyright | |
27 | * notice, this list of conditions and the following disclaimer. | |
28 | * 2. Redistributions in binary form must reproduce the above copyright | |
29 | * notice, this list of conditions and the following disclaimer in the | |
30 | * documentation and/or other materials provided with the distribution. | |
31 | * 3. All advertising materials mentioning features or use of this software | |
32 | * must display the following acknowledgement: | |
33 | * "This product includes cryptographic software written by | |
34 | * Eric Young (eay@cryptsoft.com)" | |
35 | * The word 'cryptographic' can be left out if the rouines from the library | |
36 | * being used are not cryptographic related :-). | |
37 | * 4. If you include any Windows specific code (or a derivative thereof) from | |
38 | * the apps directory (application code) you must include an acknowledgement: | |
39 | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" | |
40 | * | |
41 | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND | |
42 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
43 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
44 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE | |
45 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
46 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |
47 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
48 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | |
49 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | |
50 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |
51 | * SUCH DAMAGE. | |
52 | * | |
53 | * The licence and distribution terms for any publically available version or | |
54 | * derivative of this code cannot be changed. i.e. this code cannot simply be | |
55 | * copied and put under another distribution licence | |
56 | * [including the GNU Public Licence.] | |
57 | */ | |
58 | ||
59 | #include <stdio.h> | |
d02f751c UM |
60 | #include <openssl/md5.h> |
61 | #include <openssl/sha.h> | |
ec577822 | 62 | #include <openssl/objects.h> |
d02b48c6 RE |
63 | #include "ssl_locl.h" |
64 | ||
e778802f | 65 | const char *ssl3_version_str="SSLv3" OPENSSL_VERSION_PTEXT; |
d02b48c6 RE |
66 | |
67 | #define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers)/sizeof(SSL_CIPHER)) | |
68 | ||
d02b48c6 | 69 | static long ssl3_default_timeout(void ); |
7d7d2cbc | 70 | |
7f0dae32 | 71 | OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ |
d02b48c6 RE |
72 | /* The RSA ciphers */ |
73 | /* Cipher 01 */ | |
74 | { | |
75 | 1, | |
76 | SSL3_TXT_RSA_NULL_MD5, | |
77 | SSL3_CK_RSA_NULL_MD5, | |
018e57c7 DSH |
78 | SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_MD5|SSL_SSLV3, |
79 | SSL_NOT_EXP, | |
80 | 0, | |
81 | 0, | |
d02b48c6 RE |
82 | 0, |
83 | SSL_ALL_CIPHERS, | |
018e57c7 | 84 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
85 | }, |
86 | /* Cipher 02 */ | |
87 | { | |
88 | 1, | |
89 | SSL3_TXT_RSA_NULL_SHA, | |
90 | SSL3_CK_RSA_NULL_SHA, | |
018e57c7 DSH |
91 | SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_SHA1|SSL_SSLV3, |
92 | SSL_NOT_EXP, | |
93 | 0, | |
94 | 0, | |
d02b48c6 RE |
95 | 0, |
96 | SSL_ALL_CIPHERS, | |
018e57c7 | 97 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
98 | }, |
99 | ||
100 | /* anon DH */ | |
101 | /* Cipher 17 */ | |
102 | { | |
103 | 1, | |
104 | SSL3_TXT_ADH_RC4_40_MD5, | |
105 | SSL3_CK_ADH_RC4_40_MD5, | |
018e57c7 DSH |
106 | SSL_kEDH |SSL_aNULL|SSL_RC4 |SSL_MD5 |SSL_SSLV3, |
107 | SSL_EXPORT|SSL_EXP40, | |
d02b48c6 | 108 | 0, |
018e57c7 DSH |
109 | 40, |
110 | 128, | |
d02b48c6 | 111 | SSL_ALL_CIPHERS, |
018e57c7 | 112 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
113 | }, |
114 | /* Cipher 18 */ | |
115 | { | |
116 | 1, | |
117 | SSL3_TXT_ADH_RC4_128_MD5, | |
118 | SSL3_CK_ADH_RC4_128_MD5, | |
018e57c7 DSH |
119 | SSL_kEDH |SSL_aNULL|SSL_RC4 |SSL_MD5 |SSL_SSLV3, |
120 | SSL_NOT_EXP, | |
d02b48c6 | 121 | 0, |
018e57c7 DSH |
122 | 128, |
123 | 128, | |
d02b48c6 | 124 | SSL_ALL_CIPHERS, |
018e57c7 | 125 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
126 | }, |
127 | /* Cipher 19 */ | |
128 | { | |
129 | 1, | |
130 | SSL3_TXT_ADH_DES_40_CBC_SHA, | |
131 | SSL3_CK_ADH_DES_40_CBC_SHA, | |
018e57c7 DSH |
132 | SSL_kEDH |SSL_aNULL|SSL_DES|SSL_SHA1|SSL_SSLV3, |
133 | SSL_EXPORT|SSL_EXP40, | |
d02b48c6 | 134 | 0, |
018e57c7 DSH |
135 | 40, |
136 | 128, | |
d02b48c6 | 137 | SSL_ALL_CIPHERS, |
018e57c7 | 138 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
139 | }, |
140 | /* Cipher 1A */ | |
141 | { | |
142 | 1, | |
143 | SSL3_TXT_ADH_DES_64_CBC_SHA, | |
144 | SSL3_CK_ADH_DES_64_CBC_SHA, | |
018e57c7 DSH |
145 | SSL_kEDH |SSL_aNULL|SSL_DES |SSL_SHA1|SSL_SSLV3, |
146 | SSL_NOT_EXP, | |
d02b48c6 | 147 | 0, |
018e57c7 DSH |
148 | 56, |
149 | 56, | |
d02b48c6 | 150 | SSL_ALL_CIPHERS, |
018e57c7 | 151 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
152 | }, |
153 | /* Cipher 1B */ | |
154 | { | |
155 | 1, | |
58964a49 RE |
156 | SSL3_TXT_ADH_DES_192_CBC_SHA, |
157 | SSL3_CK_ADH_DES_192_CBC_SHA, | |
018e57c7 DSH |
158 | SSL_kEDH |SSL_aNULL|SSL_3DES |SSL_SHA1|SSL_SSLV3, |
159 | SSL_NOT_EXP, | |
d02b48c6 | 160 | 0, |
018e57c7 DSH |
161 | 168, |
162 | 168, | |
d02b48c6 | 163 | SSL_ALL_CIPHERS, |
018e57c7 | 164 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
165 | }, |
166 | ||
167 | /* RSA again */ | |
168 | /* Cipher 03 */ | |
169 | { | |
170 | 1, | |
171 | SSL3_TXT_RSA_RC4_40_MD5, | |
172 | SSL3_CK_RSA_RC4_40_MD5, | |
018e57c7 DSH |
173 | SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_MD5 |SSL_SSLV3, |
174 | SSL_EXPORT|SSL_EXP40, | |
d02b48c6 | 175 | 0, |
018e57c7 DSH |
176 | 40, |
177 | 128, | |
d02b48c6 | 178 | SSL_ALL_CIPHERS, |
018e57c7 | 179 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
180 | }, |
181 | /* Cipher 04 */ | |
182 | { | |
183 | 1, | |
184 | SSL3_TXT_RSA_RC4_128_MD5, | |
185 | SSL3_CK_RSA_RC4_128_MD5, | |
018e57c7 DSH |
186 | SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_MD5|SSL_SSLV3, |
187 | SSL_NOT_EXP|SSL_MEDIUM, | |
d02b48c6 | 188 | 0, |
018e57c7 DSH |
189 | 128, |
190 | 128, | |
d02b48c6 | 191 | SSL_ALL_CIPHERS, |
018e57c7 | 192 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
193 | }, |
194 | /* Cipher 05 */ | |
195 | { | |
196 | 1, | |
197 | SSL3_TXT_RSA_RC4_128_SHA, | |
198 | SSL3_CK_RSA_RC4_128_SHA, | |
018e57c7 DSH |
199 | SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_SHA1|SSL_SSLV3, |
200 | SSL_NOT_EXP|SSL_MEDIUM, | |
d02b48c6 | 201 | 0, |
018e57c7 DSH |
202 | 128, |
203 | 128, | |
d02b48c6 | 204 | SSL_ALL_CIPHERS, |
018e57c7 | 205 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
206 | }, |
207 | /* Cipher 06 */ | |
208 | { | |
209 | 1, | |
210 | SSL3_TXT_RSA_RC2_40_MD5, | |
211 | SSL3_CK_RSA_RC2_40_MD5, | |
018e57c7 DSH |
212 | SSL_kRSA|SSL_aRSA|SSL_RC2 |SSL_MD5 |SSL_SSLV3, |
213 | SSL_EXPORT|SSL_EXP40, | |
d02b48c6 | 214 | 0, |
018e57c7 DSH |
215 | 40, |
216 | 128, | |
d02b48c6 | 217 | SSL_ALL_CIPHERS, |
018e57c7 | 218 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
219 | }, |
220 | /* Cipher 07 */ | |
221 | { | |
222 | 1, | |
223 | SSL3_TXT_RSA_IDEA_128_SHA, | |
224 | SSL3_CK_RSA_IDEA_128_SHA, | |
018e57c7 DSH |
225 | SSL_kRSA|SSL_aRSA|SSL_IDEA |SSL_SHA1|SSL_SSLV3, |
226 | SSL_NOT_EXP|SSL_MEDIUM, | |
d02b48c6 | 227 | 0, |
018e57c7 DSH |
228 | 128, |
229 | 128, | |
d02b48c6 | 230 | SSL_ALL_CIPHERS, |
018e57c7 | 231 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
232 | }, |
233 | /* Cipher 08 */ | |
234 | { | |
235 | 1, | |
236 | SSL3_TXT_RSA_DES_40_CBC_SHA, | |
237 | SSL3_CK_RSA_DES_40_CBC_SHA, | |
018e57c7 DSH |
238 | SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_SSLV3, |
239 | SSL_EXPORT|SSL_EXP40, | |
d02b48c6 | 240 | 0, |
018e57c7 DSH |
241 | 40, |
242 | 56, | |
d02b48c6 | 243 | SSL_ALL_CIPHERS, |
018e57c7 | 244 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
245 | }, |
246 | /* Cipher 09 */ | |
247 | { | |
248 | 1, | |
249 | SSL3_TXT_RSA_DES_64_CBC_SHA, | |
250 | SSL3_CK_RSA_DES_64_CBC_SHA, | |
018e57c7 DSH |
251 | SSL_kRSA|SSL_aRSA|SSL_DES |SSL_SHA1|SSL_SSLV3, |
252 | SSL_NOT_EXP|SSL_LOW, | |
d02b48c6 | 253 | 0, |
018e57c7 DSH |
254 | 56, |
255 | 56, | |
d02b48c6 | 256 | SSL_ALL_CIPHERS, |
018e57c7 | 257 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
258 | }, |
259 | /* Cipher 0A */ | |
260 | { | |
261 | 1, | |
262 | SSL3_TXT_RSA_DES_192_CBC3_SHA, | |
263 | SSL3_CK_RSA_DES_192_CBC3_SHA, | |
018e57c7 DSH |
264 | SSL_kRSA|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3, |
265 | SSL_NOT_EXP|SSL_HIGH, | |
d02b48c6 | 266 | 0, |
018e57c7 DSH |
267 | 168, |
268 | 168, | |
d02b48c6 | 269 | SSL_ALL_CIPHERS, |
018e57c7 | 270 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
271 | }, |
272 | ||
273 | /* The DH ciphers */ | |
274 | /* Cipher 0B */ | |
275 | { | |
276 | 0, | |
277 | SSL3_TXT_DH_DSS_DES_40_CBC_SHA, | |
278 | SSL3_CK_DH_DSS_DES_40_CBC_SHA, | |
018e57c7 DSH |
279 | SSL_kDHd |SSL_aDH|SSL_DES|SSL_SHA1|SSL_SSLV3, |
280 | SSL_EXPORT|SSL_EXP40, | |
d02b48c6 | 281 | 0, |
018e57c7 DSH |
282 | 40, |
283 | 56, | |
d02b48c6 | 284 | SSL_ALL_CIPHERS, |
018e57c7 | 285 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
286 | }, |
287 | /* Cipher 0C */ | |
288 | { | |
289 | 0, | |
290 | SSL3_TXT_DH_DSS_DES_64_CBC_SHA, | |
291 | SSL3_CK_DH_DSS_DES_64_CBC_SHA, | |
018e57c7 DSH |
292 | SSL_kDHd |SSL_aDH|SSL_DES |SSL_SHA1|SSL_SSLV3, |
293 | SSL_NOT_EXP|SSL_LOW, | |
d02b48c6 | 294 | 0, |
018e57c7 DSH |
295 | 56, |
296 | 56, | |
d02b48c6 | 297 | SSL_ALL_CIPHERS, |
018e57c7 | 298 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
299 | }, |
300 | /* Cipher 0D */ | |
301 | { | |
302 | 0, | |
303 | SSL3_TXT_DH_DSS_DES_192_CBC3_SHA, | |
304 | SSL3_CK_DH_DSS_DES_192_CBC3_SHA, | |
018e57c7 DSH |
305 | SSL_kDHd |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3, |
306 | SSL_NOT_EXP|SSL_HIGH, | |
d02b48c6 | 307 | 0, |
018e57c7 DSH |
308 | 168, |
309 | 168, | |
d02b48c6 | 310 | SSL_ALL_CIPHERS, |
018e57c7 | 311 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
312 | }, |
313 | /* Cipher 0E */ | |
314 | { | |
315 | 0, | |
316 | SSL3_TXT_DH_RSA_DES_40_CBC_SHA, | |
317 | SSL3_CK_DH_RSA_DES_40_CBC_SHA, | |
018e57c7 DSH |
318 | SSL_kDHr |SSL_aDH|SSL_DES|SSL_SHA1|SSL_SSLV3, |
319 | SSL_EXPORT|SSL_EXP40, | |
d02b48c6 | 320 | 0, |
018e57c7 DSH |
321 | 40, |
322 | 56, | |
d02b48c6 | 323 | SSL_ALL_CIPHERS, |
018e57c7 | 324 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
325 | }, |
326 | /* Cipher 0F */ | |
327 | { | |
328 | 0, | |
329 | SSL3_TXT_DH_RSA_DES_64_CBC_SHA, | |
330 | SSL3_CK_DH_RSA_DES_64_CBC_SHA, | |
018e57c7 DSH |
331 | SSL_kDHr |SSL_aDH|SSL_DES |SSL_SHA1|SSL_SSLV3, |
332 | SSL_NOT_EXP|SSL_LOW, | |
d02b48c6 | 333 | 0, |
018e57c7 DSH |
334 | 56, |
335 | 56, | |
d02b48c6 | 336 | SSL_ALL_CIPHERS, |
018e57c7 | 337 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
338 | }, |
339 | /* Cipher 10 */ | |
340 | { | |
341 | 0, | |
342 | SSL3_TXT_DH_RSA_DES_192_CBC3_SHA, | |
343 | SSL3_CK_DH_RSA_DES_192_CBC3_SHA, | |
018e57c7 DSH |
344 | SSL_kDHr |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3, |
345 | SSL_NOT_EXP|SSL_HIGH, | |
d02b48c6 | 346 | 0, |
018e57c7 DSH |
347 | 168, |
348 | 168, | |
d02b48c6 | 349 | SSL_ALL_CIPHERS, |
018e57c7 | 350 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
351 | }, |
352 | ||
353 | /* The Ephemeral DH ciphers */ | |
354 | /* Cipher 11 */ | |
355 | { | |
356 | 1, | |
357 | SSL3_TXT_EDH_DSS_DES_40_CBC_SHA, | |
358 | SSL3_CK_EDH_DSS_DES_40_CBC_SHA, | |
018e57c7 DSH |
359 | SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA1|SSL_SSLV3, |
360 | SSL_EXPORT|SSL_EXP40, | |
d02b48c6 | 361 | 0, |
018e57c7 DSH |
362 | 40, |
363 | 56, | |
d02b48c6 | 364 | SSL_ALL_CIPHERS, |
018e57c7 | 365 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
366 | }, |
367 | /* Cipher 12 */ | |
368 | { | |
369 | 1, | |
370 | SSL3_TXT_EDH_DSS_DES_64_CBC_SHA, | |
371 | SSL3_CK_EDH_DSS_DES_64_CBC_SHA, | |
018e57c7 DSH |
372 | SSL_kEDH|SSL_aDSS|SSL_DES |SSL_SHA1|SSL_SSLV3, |
373 | SSL_NOT_EXP|SSL_LOW, | |
d02b48c6 | 374 | 0, |
018e57c7 DSH |
375 | 56, |
376 | 56, | |
d02b48c6 | 377 | SSL_ALL_CIPHERS, |
018e57c7 | 378 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
379 | }, |
380 | /* Cipher 13 */ | |
381 | { | |
382 | 1, | |
383 | SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA, | |
384 | SSL3_CK_EDH_DSS_DES_192_CBC3_SHA, | |
018e57c7 DSH |
385 | SSL_kEDH|SSL_aDSS|SSL_3DES |SSL_SHA1|SSL_SSLV3, |
386 | SSL_NOT_EXP|SSL_HIGH, | |
d02b48c6 | 387 | 0, |
018e57c7 DSH |
388 | 168, |
389 | 168, | |
d02b48c6 | 390 | SSL_ALL_CIPHERS, |
018e57c7 | 391 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
392 | }, |
393 | /* Cipher 14 */ | |
394 | { | |
395 | 1, | |
396 | SSL3_TXT_EDH_RSA_DES_40_CBC_SHA, | |
397 | SSL3_CK_EDH_RSA_DES_40_CBC_SHA, | |
018e57c7 DSH |
398 | SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_SSLV3, |
399 | SSL_EXPORT|SSL_EXP40, | |
d02b48c6 | 400 | 0, |
018e57c7 DSH |
401 | 40, |
402 | 56, | |
d02b48c6 | 403 | SSL_ALL_CIPHERS, |
018e57c7 | 404 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
405 | }, |
406 | /* Cipher 15 */ | |
407 | { | |
408 | 1, | |
409 | SSL3_TXT_EDH_RSA_DES_64_CBC_SHA, | |
410 | SSL3_CK_EDH_RSA_DES_64_CBC_SHA, | |
018e57c7 DSH |
411 | SSL_kEDH|SSL_aRSA|SSL_DES |SSL_SHA1|SSL_SSLV3, |
412 | SSL_NOT_EXP|SSL_LOW, | |
d02b48c6 | 413 | 0, |
018e57c7 DSH |
414 | 56, |
415 | 56, | |
d02b48c6 | 416 | SSL_ALL_CIPHERS, |
018e57c7 | 417 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
418 | }, |
419 | /* Cipher 16 */ | |
420 | { | |
421 | 1, | |
422 | SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA, | |
423 | SSL3_CK_EDH_RSA_DES_192_CBC3_SHA, | |
018e57c7 DSH |
424 | SSL_kEDH|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3, |
425 | SSL_NOT_EXP|SSL_HIGH, | |
d02b48c6 | 426 | 0, |
018e57c7 DSH |
427 | 168, |
428 | 168, | |
d02b48c6 | 429 | SSL_ALL_CIPHERS, |
018e57c7 | 430 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
431 | }, |
432 | ||
433 | /* Fortezza */ | |
434 | /* Cipher 1C */ | |
435 | { | |
436 | 0, | |
437 | SSL3_TXT_FZA_DMS_NULL_SHA, | |
438 | SSL3_CK_FZA_DMS_NULL_SHA, | |
018e57c7 DSH |
439 | SSL_kFZA|SSL_aFZA |SSL_eNULL |SSL_SHA1|SSL_SSLV3, |
440 | SSL_NOT_EXP, | |
441 | 0, | |
442 | 0, | |
d02b48c6 RE |
443 | 0, |
444 | SSL_ALL_CIPHERS, | |
018e57c7 | 445 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
446 | }, |
447 | ||
448 | /* Cipher 1D */ | |
449 | { | |
450 | 0, | |
451 | SSL3_TXT_FZA_DMS_FZA_SHA, | |
452 | SSL3_CK_FZA_DMS_FZA_SHA, | |
018e57c7 DSH |
453 | SSL_kFZA|SSL_aFZA |SSL_eFZA |SSL_SHA1|SSL_SSLV3, |
454 | SSL_NOT_EXP, | |
455 | 0, | |
456 | 0, | |
d02b48c6 RE |
457 | 0, |
458 | SSL_ALL_CIPHERS, | |
018e57c7 | 459 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
460 | }, |
461 | ||
462 | /* Cipher 1E */ | |
463 | { | |
464 | 0, | |
465 | SSL3_TXT_FZA_DMS_RC4_SHA, | |
466 | SSL3_CK_FZA_DMS_RC4_SHA, | |
018e57c7 DSH |
467 | SSL_kFZA|SSL_aFZA |SSL_RC4 |SSL_SHA1|SSL_SSLV3, |
468 | SSL_NOT_EXP, | |
d02b48c6 | 469 | 0, |
018e57c7 DSH |
470 | 128, |
471 | 128, | |
d02b48c6 | 472 | SSL_ALL_CIPHERS, |
018e57c7 | 473 | SSL_ALL_STRENGTHS, |
d02b48c6 RE |
474 | }, |
475 | ||
bc348244 | 476 | #if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES |
06ab81f9 BL |
477 | /* New TLS Export CipherSuites */ |
478 | /* Cipher 60 */ | |
479 | { | |
480 | 1, | |
abed0b8a BL |
481 | TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5, |
482 | TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5, | |
018e57c7 DSH |
483 | SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_TLSV1, |
484 | SSL_EXPORT|SSL_EXP56, | |
06ab81f9 | 485 | 0, |
018e57c7 DSH |
486 | 56, |
487 | 128, | |
488 | SSL_ALL_CIPHERS, | |
489 | SSL_ALL_STRENGTHS, | |
06ab81f9 BL |
490 | }, |
491 | /* Cipher 61 */ | |
492 | { | |
493 | 1, | |
abed0b8a BL |
494 | TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5, |
495 | TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5, | |
018e57c7 DSH |
496 | SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_TLSV1, |
497 | SSL_EXPORT|SSL_EXP56, | |
06ab81f9 | 498 | 0, |
018e57c7 DSH |
499 | 56, |
500 | 128, | |
501 | SSL_ALL_CIPHERS, | |
502 | SSL_ALL_STRENGTHS, | |
06ab81f9 BL |
503 | }, |
504 | /* Cipher 62 */ | |
505 | { | |
506 | 1, | |
abed0b8a BL |
507 | TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA, |
508 | TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA, | |
018e57c7 DSH |
509 | SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA|SSL_TLSV1, |
510 | SSL_EXPORT|SSL_EXP56, | |
06ab81f9 | 511 | 0, |
018e57c7 DSH |
512 | 56, |
513 | 56, | |
514 | SSL_ALL_CIPHERS, | |
515 | SSL_ALL_STRENGTHS, | |
06ab81f9 | 516 | }, |
abed0b8a BL |
517 | /* Cipher 63 */ |
518 | { | |
519 | 1, | |
520 | TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA, | |
521 | TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA, | |
018e57c7 DSH |
522 | SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA|SSL_TLSV1, |
523 | SSL_EXPORT|SSL_EXP56, | |
abed0b8a | 524 | 0, |
018e57c7 DSH |
525 | 56, |
526 | 56, | |
527 | SSL_ALL_CIPHERS, | |
528 | SSL_ALL_STRENGTHS, | |
abed0b8a BL |
529 | }, |
530 | /* Cipher 64 */ | |
531 | { | |
532 | 1, | |
533 | TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA, | |
534 | TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA, | |
018e57c7 DSH |
535 | SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1, |
536 | SSL_EXPORT|SSL_EXP56, | |
abed0b8a | 537 | 0, |
018e57c7 DSH |
538 | 56, |
539 | 128, | |
540 | SSL_ALL_CIPHERS, | |
541 | SSL_ALL_STRENGTHS, | |
abed0b8a BL |
542 | }, |
543 | /* Cipher 65 */ | |
544 | { | |
545 | 1, | |
546 | TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA, | |
547 | TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA, | |
018e57c7 DSH |
548 | SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1, |
549 | SSL_EXPORT|SSL_EXP56, | |
abed0b8a | 550 | 0, |
018e57c7 DSH |
551 | 56, |
552 | 128, | |
553 | SSL_ALL_CIPHERS, | |
554 | SSL_ALL_STRENGTHS, | |
abed0b8a BL |
555 | }, |
556 | /* Cipher 66 */ | |
557 | { | |
558 | 1, | |
559 | TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA, | |
560 | TLS1_CK_DHE_DSS_WITH_RC4_128_SHA, | |
561 | SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1, | |
018e57c7 | 562 | SSL_NOT_EXP, |
abed0b8a | 563 | 0, |
018e57c7 DSH |
564 | 128, |
565 | 128, | |
566 | SSL_ALL_CIPHERS, | |
567 | SSL_ALL_STRENGTHS | |
abed0b8a | 568 | }, |
bc348244 | 569 | #endif |
06ab81f9 | 570 | |
d02b48c6 RE |
571 | /* end of list */ |
572 | }; | |
573 | ||
58964a49 RE |
574 | static SSL3_ENC_METHOD SSLv3_enc_data={ |
575 | ssl3_enc, | |
576 | ssl3_mac, | |
577 | ssl3_setup_key_block, | |
578 | ssl3_generate_master_secret, | |
579 | ssl3_change_cipher_state, | |
580 | ssl3_final_finish_mac, | |
581 | MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH, | |
582 | ssl3_cert_verify_mac, | |
583 | SSL3_MD_CLIENT_FINISHED_CONST,4, | |
584 | SSL3_MD_SERVER_FINISHED_CONST,4, | |
585 | ssl3_alert_code, | |
586 | }; | |
587 | ||
d02b48c6 | 588 | static SSL_METHOD SSLv3_data= { |
58964a49 | 589 | SSL3_VERSION, |
d02b48c6 RE |
590 | ssl3_new, |
591 | ssl3_clear, | |
592 | ssl3_free, | |
593 | ssl_undefined_function, | |
594 | ssl_undefined_function, | |
595 | ssl3_read, | |
596 | ssl3_peek, | |
597 | ssl3_write, | |
598 | ssl3_shutdown, | |
599 | ssl3_renegotiate, | |
dfeab068 | 600 | ssl3_renegotiate_check, |
d02b48c6 RE |
601 | ssl3_ctrl, |
602 | ssl3_ctx_ctrl, | |
603 | ssl3_get_cipher_by_char, | |
604 | ssl3_put_cipher_by_char, | |
605 | ssl3_pending, | |
606 | ssl3_num_ciphers, | |
607 | ssl3_get_cipher, | |
608 | ssl_bad_method, | |
609 | ssl3_default_timeout, | |
58964a49 | 610 | &SSLv3_enc_data, |
d3442bc7 RL |
611 | ssl_undefined_function, |
612 | ssl3_callback_ctrl, | |
613 | ssl3_ctx_callback_ctrl, | |
a9188d4e RL |
614 | }; |
615 | ||
6b691a5c | 616 | static long ssl3_default_timeout(void) |
d02b48c6 RE |
617 | { |
618 | /* 2 hours, the 24 hours mentioned in the SSLv3 spec | |
619 | * is way too long for http, the cache would over fill */ | |
620 | return(60*60*2); | |
621 | } | |
622 | ||
6b691a5c | 623 | SSL_METHOD *sslv3_base_method(void) |
d02b48c6 RE |
624 | { |
625 | return(&SSLv3_data); | |
626 | } | |
627 | ||
6b691a5c | 628 | int ssl3_num_ciphers(void) |
d02b48c6 RE |
629 | { |
630 | return(SSL3_NUM_CIPHERS); | |
631 | } | |
632 | ||
6b691a5c | 633 | SSL_CIPHER *ssl3_get_cipher(unsigned int u) |
d02b48c6 RE |
634 | { |
635 | if (u < SSL3_NUM_CIPHERS) | |
636 | return(&(ssl3_ciphers[SSL3_NUM_CIPHERS-1-u])); | |
637 | else | |
638 | return(NULL); | |
639 | } | |
640 | ||
641 | /* The problem is that it may not be the correct record type */ | |
6b691a5c | 642 | int ssl3_pending(SSL *s) |
d02b48c6 RE |
643 | { |
644 | return(s->s3->rrec.length); | |
645 | } | |
646 | ||
6b691a5c | 647 | int ssl3_new(SSL *s) |
d02b48c6 | 648 | { |
b35e9050 | 649 | SSL3_STATE *s3; |
d02b48c6 | 650 | |
b35e9050 BM |
651 | if ((s3=Malloc(sizeof *s3)) == NULL) goto err; |
652 | memset(s3,0,sizeof *s3); | |
d02b48c6 RE |
653 | |
654 | s->s3=s3; | |
d02b48c6 | 655 | |
58964a49 | 656 | s->method->ssl_clear(s); |
d02b48c6 RE |
657 | return(1); |
658 | err: | |
659 | return(0); | |
660 | } | |
661 | ||
6b691a5c | 662 | void ssl3_free(SSL *s) |
d02b48c6 | 663 | { |
e03ddfae BL |
664 | if(s == NULL) |
665 | return; | |
666 | ||
d02b48c6 RE |
667 | ssl3_cleanup_key_block(s); |
668 | if (s->s3->rbuf.buf != NULL) | |
669 | Free(s->s3->rbuf.buf); | |
670 | if (s->s3->wbuf.buf != NULL) | |
671 | Free(s->s3->wbuf.buf); | |
dfeab068 RE |
672 | if (s->s3->rrec.comp != NULL) |
673 | Free(s->s3->rrec.comp); | |
d02b48c6 RE |
674 | #ifndef NO_DH |
675 | if (s->s3->tmp.dh != NULL) | |
676 | DH_free(s->s3->tmp.dh); | |
677 | #endif | |
678 | if (s->s3->tmp.ca_names != NULL) | |
f73e07cf | 679 | sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free); |
b35e9050 | 680 | memset(s->s3,0,sizeof *s->s3); |
d02b48c6 RE |
681 | Free(s->s3); |
682 | s->s3=NULL; | |
683 | } | |
684 | ||
6b691a5c | 685 | void ssl3_clear(SSL *s) |
d02b48c6 RE |
686 | { |
687 | unsigned char *rp,*wp; | |
688 | ||
689 | ssl3_cleanup_key_block(s); | |
690 | if (s->s3->tmp.ca_names != NULL) | |
f73e07cf | 691 | sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free); |
d02b48c6 | 692 | |
413c4f45 MC |
693 | if (s->s3->rrec.comp != NULL) |
694 | { | |
695 | Free(s->s3->rrec.comp); | |
696 | s->s3->rrec.comp=NULL; | |
697 | } | |
698 | ||
d02b48c6 RE |
699 | rp=s->s3->rbuf.buf; |
700 | wp=s->s3->wbuf.buf; | |
701 | ||
b35e9050 | 702 | memset(s->s3,0,sizeof *s->s3); |
58964a49 RE |
703 | if (rp != NULL) s->s3->rbuf.buf=rp; |
704 | if (wp != NULL) s->s3->wbuf.buf=wp; | |
dfeab068 | 705 | |
413c4f45 | 706 | ssl_free_wbio_buffer(s); |
dfeab068 | 707 | |
d02b48c6 | 708 | s->packet_length=0; |
58964a49 RE |
709 | s->s3->renegotiate=0; |
710 | s->s3->total_renegotiations=0; | |
711 | s->s3->num_renegotiations=0; | |
712 | s->s3->in_read_app_data=0; | |
713 | s->version=SSL3_VERSION; | |
d02b48c6 RE |
714 | } |
715 | ||
6b691a5c | 716 | long ssl3_ctrl(SSL *s, int cmd, long larg, char *parg) |
d02b48c6 | 717 | { |
58964a49 RE |
718 | int ret=0; |
719 | ||
15d21c2d RE |
720 | #if !defined(NO_DSA) || !defined(NO_RSA) |
721 | if ( | |
722 | #ifndef NO_RSA | |
723 | cmd == SSL_CTRL_SET_TMP_RSA || | |
724 | cmd == SSL_CTRL_SET_TMP_RSA_CB || | |
725 | #endif | |
726 | #ifndef NO_DSA | |
727 | cmd == SSL_CTRL_SET_TMP_DH || | |
728 | cmd == SSL_CTRL_SET_TMP_DH_CB || | |
729 | #endif | |
730 | 0) | |
731 | { | |
ca8e5b9b | 732 | if (!ssl_cert_inst(&s->cert)) |
15d21c2d RE |
733 | { |
734 | SSLerr(SSL_F_SSL3_CTRL, ERR_R_MALLOC_FAILURE); | |
735 | return(0); | |
736 | } | |
737 | } | |
738 | #endif | |
739 | ||
58964a49 RE |
740 | switch (cmd) |
741 | { | |
742 | case SSL_CTRL_GET_SESSION_REUSED: | |
743 | ret=s->hit; | |
744 | break; | |
745 | case SSL_CTRL_GET_CLIENT_CERT_REQUEST: | |
746 | break; | |
747 | case SSL_CTRL_GET_NUM_RENEGOTIATIONS: | |
748 | ret=s->s3->num_renegotiations; | |
749 | break; | |
750 | case SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS: | |
751 | ret=s->s3->num_renegotiations; | |
752 | s->s3->num_renegotiations=0; | |
753 | break; | |
754 | case SSL_CTRL_GET_TOTAL_RENEGOTIATIONS: | |
755 | ret=s->s3->total_renegotiations; | |
756 | break; | |
dfeab068 | 757 | case SSL_CTRL_GET_FLAGS: |
651d0aff | 758 | ret=(int)(s->s3->flags); |
dfeab068 | 759 | break; |
15d21c2d RE |
760 | #ifndef NO_RSA |
761 | case SSL_CTRL_NEED_TMP_RSA: | |
762 | if ((s->cert != NULL) && (s->cert->rsa_tmp == NULL) && | |
763 | ((s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) || | |
764 | (EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey) > (512/8)))) | |
765 | ret = 1; | |
766 | break; | |
767 | case SSL_CTRL_SET_TMP_RSA: | |
768 | { | |
769 | RSA *rsa = (RSA *)parg; | |
770 | if (rsa == NULL) { | |
771 | SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER); | |
772 | return(ret); | |
773 | } | |
774 | if ((rsa = RSAPrivateKey_dup(rsa)) == NULL) { | |
775 | SSLerr(SSL_F_SSL3_CTRL, ERR_R_RSA_LIB); | |
776 | return(ret); | |
777 | } | |
778 | if (s->cert->rsa_tmp != NULL) | |
779 | RSA_free(s->cert->rsa_tmp); | |
780 | s->cert->rsa_tmp = rsa; | |
781 | ret = 1; | |
782 | } | |
783 | break; | |
784 | case SSL_CTRL_SET_TMP_RSA_CB: | |
a9188d4e | 785 | { |
d3442bc7 RL |
786 | SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); |
787 | return(ret); | |
a9188d4e | 788 | } |
15d21c2d RE |
789 | break; |
790 | #endif | |
791 | #ifndef NO_DH | |
792 | case SSL_CTRL_SET_TMP_DH: | |
793 | { | |
794 | DH *dh = (DH *)parg; | |
795 | if (dh == NULL) { | |
796 | SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER); | |
797 | return(ret); | |
798 | } | |
799 | if ((dh = DHparams_dup(dh)) == NULL) { | |
800 | SSLerr(SSL_F_SSL3_CTRL, ERR_R_DH_LIB); | |
801 | return(ret); | |
802 | } | |
803 | if (!DH_generate_key(dh)) { | |
804 | DH_free(dh); | |
805 | SSLerr(SSL_F_SSL3_CTRL, ERR_R_DH_LIB); | |
806 | return(ret); | |
807 | } | |
808 | if (s->cert->dh_tmp != NULL) | |
809 | DH_free(s->cert->dh_tmp); | |
810 | s->cert->dh_tmp = dh; | |
811 | ret = 1; | |
812 | } | |
813 | break; | |
814 | case SSL_CTRL_SET_TMP_DH_CB: | |
a9188d4e | 815 | { |
d3442bc7 RL |
816 | SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); |
817 | return(ret); | |
818 | } | |
819 | break; | |
820 | #endif | |
821 | default: | |
822 | break; | |
823 | } | |
824 | return(ret); | |
825 | } | |
a9188d4e | 826 | |
d3442bc7 RL |
827 | long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)()) |
828 | { | |
829 | int ret=0; | |
830 | ||
831 | #if !defined(NO_DSA) || !defined(NO_RSA) | |
832 | if ( | |
833 | #ifndef NO_RSA | |
834 | cmd == SSL_CTRL_SET_TMP_RSA_CB || | |
835 | #endif | |
836 | #ifndef NO_DSA | |
837 | cmd == SSL_CTRL_SET_TMP_DH_CB || | |
838 | #endif | |
839 | 0) | |
840 | { | |
841 | if (!ssl_cert_inst(&s->cert)) | |
842 | { | |
843 | SSLerr(SSL_F_SSL3_CTRL, ERR_R_MALLOC_FAILURE); | |
844 | return(0); | |
845 | } | |
846 | } | |
847 | #endif | |
848 | ||
849 | switch (cmd) | |
850 | { | |
851 | #ifndef NO_RSA | |
852 | case SSL_CTRL_SET_TMP_RSA_CB: | |
853 | { | |
854 | s->cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp; | |
855 | } | |
856 | break; | |
857 | #endif | |
858 | #ifndef NO_DH | |
859 | case SSL_CTRL_SET_TMP_DH_CB: | |
860 | { | |
861 | s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; | |
a9188d4e | 862 | } |
15d21c2d RE |
863 | break; |
864 | #endif | |
58964a49 RE |
865 | default: |
866 | break; | |
867 | } | |
868 | return(ret); | |
d02b48c6 RE |
869 | } |
870 | ||
6b691a5c | 871 | long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, char *parg) |
d02b48c6 RE |
872 | { |
873 | CERT *cert; | |
874 | ||
ca8e5b9b | 875 | cert=ctx->cert; |
d02b48c6 RE |
876 | |
877 | switch (cmd) | |
878 | { | |
879 | #ifndef NO_RSA | |
880 | case SSL_CTRL_NEED_TMP_RSA: | |
881 | if ( (cert->rsa_tmp == NULL) && | |
882 | ((cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) || | |
883 | (EVP_PKEY_size(cert->pkeys[SSL_PKEY_RSA_ENC].privatekey) > (512/8))) | |
884 | ) | |
885 | return(1); | |
886 | else | |
887 | return(0); | |
dfeab068 | 888 | /* break; */ |
d02b48c6 RE |
889 | case SSL_CTRL_SET_TMP_RSA: |
890 | { | |
891 | RSA *rsa; | |
892 | int i; | |
893 | ||
894 | rsa=(RSA *)parg; | |
895 | i=1; | |
896 | if (rsa == NULL) | |
897 | i=0; | |
898 | else | |
899 | { | |
900 | if ((rsa=RSAPrivateKey_dup(rsa)) == NULL) | |
901 | i=0; | |
902 | } | |
903 | if (!i) | |
904 | { | |
905 | SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_RSA_LIB); | |
906 | return(0); | |
907 | } | |
908 | else | |
909 | { | |
910 | if (cert->rsa_tmp != NULL) | |
911 | RSA_free(cert->rsa_tmp); | |
912 | cert->rsa_tmp=rsa; | |
913 | return(1); | |
914 | } | |
915 | } | |
dfeab068 | 916 | /* break; */ |
d02b48c6 | 917 | case SSL_CTRL_SET_TMP_RSA_CB: |
a9188d4e | 918 | { |
d3442bc7 RL |
919 | SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); |
920 | return(0); | |
a9188d4e | 921 | } |
d02b48c6 RE |
922 | break; |
923 | #endif | |
924 | #ifndef NO_DH | |
925 | case SSL_CTRL_SET_TMP_DH: | |
926 | { | |
927 | DH *new=NULL,*dh; | |
dfeab068 | 928 | int rret=0; |
d02b48c6 RE |
929 | |
930 | dh=(DH *)parg; | |
931 | if ( ((new=DHparams_dup(dh)) == NULL) || | |
932 | (!DH_generate_key(new))) | |
933 | { | |
934 | SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_DH_LIB); | |
935 | if (new != NULL) DH_free(new); | |
d02b48c6 RE |
936 | } |
937 | else | |
938 | { | |
939 | if (cert->dh_tmp != NULL) | |
940 | DH_free(cert->dh_tmp); | |
941 | cert->dh_tmp=new; | |
dfeab068 | 942 | rret=1; |
d02b48c6 | 943 | } |
dfeab068 | 944 | return(rret); |
d02b48c6 | 945 | } |
dfeab068 | 946 | /*break; */ |
d02b48c6 | 947 | case SSL_CTRL_SET_TMP_DH_CB: |
a9188d4e | 948 | { |
d3442bc7 RL |
949 | SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); |
950 | return(0); | |
a9188d4e | 951 | } |
d02b48c6 RE |
952 | break; |
953 | #endif | |
651d0aff | 954 | /* A Thawte special :-) */ |
dfeab068 RE |
955 | case SSL_CTRL_EXTRA_CHAIN_CERT: |
956 | if (ctx->extra_certs == NULL) | |
957 | { | |
f73e07cf | 958 | if ((ctx->extra_certs=sk_X509_new_null()) == NULL) |
dfeab068 RE |
959 | return(0); |
960 | } | |
f73e07cf | 961 | sk_X509_push(ctx->extra_certs,(X509 *)parg); |
dfeab068 RE |
962 | break; |
963 | ||
d02b48c6 RE |
964 | default: |
965 | return(0); | |
966 | } | |
967 | return(1); | |
968 | } | |
969 | ||
d3442bc7 RL |
970 | long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)()) |
971 | { | |
972 | CERT *cert; | |
973 | ||
974 | cert=ctx->cert; | |
975 | ||
976 | switch (cmd) | |
977 | { | |
978 | #ifndef NO_RSA | |
979 | case SSL_CTRL_SET_TMP_RSA_CB: | |
980 | { | |
981 | cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp; | |
982 | } | |
983 | break; | |
984 | #endif | |
985 | #ifndef NO_DH | |
986 | case SSL_CTRL_SET_TMP_DH_CB: | |
987 | { | |
988 | cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; | |
989 | } | |
990 | break; | |
991 | #endif | |
992 | default: | |
993 | return(0); | |
994 | } | |
995 | return(1); | |
996 | } | |
997 | ||
d02b48c6 RE |
998 | /* This function needs to check if the ciphers required are actually |
999 | * available */ | |
6b691a5c | 1000 | SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p) |
d02b48c6 RE |
1001 | { |
1002 | static int init=1; | |
1003 | static SSL_CIPHER *sorted[SSL3_NUM_CIPHERS]; | |
1004 | SSL_CIPHER c,*cp= &c,**cpp; | |
1005 | unsigned long id; | |
1006 | int i; | |
1007 | ||
1008 | if (init) | |
1009 | { | |
5cc146f3 | 1010 | CRYPTO_w_lock(CRYPTO_LOCK_SSL); |
d02b48c6 RE |
1011 | |
1012 | for (i=0; i<SSL3_NUM_CIPHERS; i++) | |
1013 | sorted[i]= &(ssl3_ciphers[i]); | |
1014 | ||
1015 | qsort( (char *)sorted, | |
1016 | SSL3_NUM_CIPHERS,sizeof(SSL_CIPHER *), | |
1017 | FP_ICC ssl_cipher_ptr_id_cmp); | |
5cc146f3 BM |
1018 | |
1019 | CRYPTO_w_unlock(CRYPTO_LOCK_SSL); | |
1020 | ||
1021 | init=0; | |
d02b48c6 RE |
1022 | } |
1023 | ||
1024 | id=0x03000000L|((unsigned long)p[0]<<8L)|(unsigned long)p[1]; | |
1025 | c.id=id; | |
1026 | cpp=(SSL_CIPHER **)OBJ_bsearch((char *)&cp, | |
1027 | (char *)sorted, | |
1028 | SSL3_NUM_CIPHERS,sizeof(SSL_CIPHER *), | |
1029 | (int (*)())ssl_cipher_ptr_id_cmp); | |
1030 | if ((cpp == NULL) || !(*cpp)->valid) | |
1031 | return(NULL); | |
1032 | else | |
1033 | return(*cpp); | |
1034 | } | |
1035 | ||
6b691a5c | 1036 | int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p) |
d02b48c6 RE |
1037 | { |
1038 | long l; | |
1039 | ||
1040 | if (p != NULL) | |
1041 | { | |
1042 | l=c->id; | |
1043 | if ((l & 0xff000000) != 0x03000000) return(0); | |
1044 | p[0]=((unsigned char)(l>> 8L))&0xFF; | |
1045 | p[1]=((unsigned char)(l ))&0xFF; | |
1046 | } | |
1047 | return(2); | |
1048 | } | |
1049 | ||
6b691a5c UM |
1050 | SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *have, |
1051 | STACK_OF(SSL_CIPHER) *pref) | |
d02b48c6 RE |
1052 | { |
1053 | SSL_CIPHER *c,*ret=NULL; | |
1054 | int i,j,ok; | |
1055 | CERT *cert; | |
1056 | unsigned long alg,mask,emask; | |
1057 | ||
ca8e5b9b BM |
1058 | /* Let's see which ciphers we can support */ |
1059 | cert=s->cert; | |
d02b48c6 | 1060 | |
f73e07cf | 1061 | sk_SSL_CIPHER_set_cmp_func(pref,ssl_cipher_ptr_id_cmp); |
d02b48c6 | 1062 | |
f415fa32 BL |
1063 | #ifdef CIPHER_DEBUG |
1064 | printf("Have:\n"); | |
1065 | for(i=0 ; i < sk_num(pref) ; ++i) | |
1066 | { | |
1067 | c=(SSL_CIPHER *)sk_value(pref,i); | |
1068 | printf("%p:%s\n",c,c->name); | |
1069 | } | |
1070 | #endif | |
1071 | ||
f73e07cf | 1072 | for (i=0; i<sk_SSL_CIPHER_num(have); i++) |
d02b48c6 | 1073 | { |
f73e07cf | 1074 | c=sk_SSL_CIPHER_value(have,i); |
60e31c3a | 1075 | |
ca8e5b9b | 1076 | ssl_set_cert_masks(cert,c); |
60e31c3a BL |
1077 | mask=cert->mask; |
1078 | emask=cert->export_mask; | |
1079 | ||
d02b48c6 | 1080 | alg=c->algorithms&(SSL_MKEY_MASK|SSL_AUTH_MASK); |
018e57c7 | 1081 | if (SSL_C_IS_EXPORT(c)) |
d02b48c6 RE |
1082 | { |
1083 | ok=((alg & emask) == alg)?1:0; | |
1084 | #ifdef CIPHER_DEBUG | |
f415fa32 BL |
1085 | printf("%d:[%08lX:%08lX]%p:%s (export)\n",ok,alg,emask, |
1086 | c,c->name); | |
d02b48c6 RE |
1087 | #endif |
1088 | } | |
1089 | else | |
1090 | { | |
1091 | ok=((alg & mask) == alg)?1:0; | |
1092 | #ifdef CIPHER_DEBUG | |
f415fa32 BL |
1093 | printf("%d:[%08lX:%08lX]%p:%s\n",ok,alg,mask,c, |
1094 | c->name); | |
d02b48c6 RE |
1095 | #endif |
1096 | } | |
1097 | ||
1098 | if (!ok) continue; | |
1099 | ||
f73e07cf | 1100 | j=sk_SSL_CIPHER_find(pref,c); |
d02b48c6 RE |
1101 | if (j >= 0) |
1102 | { | |
f73e07cf | 1103 | ret=sk_SSL_CIPHER_value(pref,j); |
d02b48c6 RE |
1104 | break; |
1105 | } | |
1106 | } | |
1107 | return(ret); | |
1108 | } | |
1109 | ||
6b691a5c | 1110 | int ssl3_get_req_cert_type(SSL *s, unsigned char *p) |
d02b48c6 RE |
1111 | { |
1112 | int ret=0; | |
1113 | unsigned long alg; | |
1114 | ||
1115 | alg=s->s3->tmp.new_cipher->algorithms; | |
1116 | ||
1117 | #ifndef NO_DH | |
1118 | if (alg & (SSL_kDHr|SSL_kEDH)) | |
1119 | { | |
dfeab068 | 1120 | # ifndef NO_RSA |
d02b48c6 | 1121 | p[ret++]=SSL3_CT_RSA_FIXED_DH; |
dfeab068 RE |
1122 | # endif |
1123 | # ifndef NO_DSA | |
d02b48c6 | 1124 | p[ret++]=SSL3_CT_DSS_FIXED_DH; |
dfeab068 | 1125 | # endif |
d02b48c6 | 1126 | } |
58964a49 RE |
1127 | if ((s->version == SSL3_VERSION) && |
1128 | (alg & (SSL_kEDH|SSL_kDHd|SSL_kDHr))) | |
d02b48c6 | 1129 | { |
dfeab068 | 1130 | # ifndef NO_RSA |
d02b48c6 | 1131 | p[ret++]=SSL3_CT_RSA_EPHEMERAL_DH; |
dfeab068 RE |
1132 | # endif |
1133 | # ifndef NO_DSA | |
d02b48c6 | 1134 | p[ret++]=SSL3_CT_DSS_EPHEMERAL_DH; |
dfeab068 | 1135 | # endif |
d02b48c6 RE |
1136 | } |
1137 | #endif /* !NO_DH */ | |
1138 | #ifndef NO_RSA | |
1139 | p[ret++]=SSL3_CT_RSA_SIGN; | |
1140 | #endif | |
dfeab068 | 1141 | #ifndef NO_DSA |
58964a49 | 1142 | p[ret++]=SSL3_CT_DSS_SIGN; |
dfeab068 | 1143 | #endif |
d02b48c6 RE |
1144 | return(ret); |
1145 | } | |
1146 | ||
6b691a5c | 1147 | int ssl3_shutdown(SSL *s) |
d02b48c6 RE |
1148 | { |
1149 | ||
1150 | /* Don't do anything much if we have not done the handshake or | |
1151 | * we don't want to send messages :-) */ | |
1152 | if ((s->quiet_shutdown) || (s->state == SSL_ST_BEFORE)) | |
1153 | { | |
1154 | s->shutdown=(SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); | |
1155 | return(1); | |
1156 | } | |
1157 | ||
1158 | if (!(s->shutdown & SSL_SENT_SHUTDOWN)) | |
1159 | { | |
1160 | s->shutdown|=SSL_SENT_SHUTDOWN; | |
1161 | #if 1 | |
58964a49 | 1162 | ssl3_send_alert(s,SSL3_AL_WARNING,SSL_AD_CLOSE_NOTIFY); |
d02b48c6 RE |
1163 | #endif |
1164 | /* our shutdown alert has been sent now, and if it still needs | |
1165 | * to be written, s->s3->alert_dispatch will be true */ | |
1166 | } | |
1167 | else if (s->s3->alert_dispatch) | |
1168 | { | |
1169 | /* resend it if not sent */ | |
1170 | #if 1 | |
1171 | ssl3_dispatch_alert(s); | |
1172 | #endif | |
1173 | } | |
1174 | else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) | |
1175 | { | |
1176 | /* If we are waiting for a close from our peer, we are closed */ | |
1177 | ssl3_read_bytes(s,0,NULL,0); | |
1178 | } | |
1179 | ||
1180 | if ((s->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) && | |
1181 | !s->s3->alert_dispatch) | |
1182 | return(1); | |
1183 | else | |
1184 | return(0); | |
1185 | } | |
1186 | ||
61f5b6f3 | 1187 | int ssl3_write(SSL *s, const void *buf, int len) |
d02b48c6 RE |
1188 | { |
1189 | int ret,n; | |
d02b48c6 RE |
1190 | |
1191 | #if 0 | |
1192 | if (s->shutdown & SSL_SEND_SHUTDOWN) | |
1193 | { | |
1194 | s->rwstate=SSL_NOTHING; | |
1195 | return(0); | |
1196 | } | |
1197 | #endif | |
58964a49 RE |
1198 | clear_sys_error(); |
1199 | if (s->s3->renegotiate) ssl3_renegotiate_check(s); | |
d02b48c6 RE |
1200 | |
1201 | /* This is an experimental flag that sends the | |
1202 | * last handshake message in the same packet as the first | |
1203 | * use data - used to see if it helps the TCP protocol during | |
1204 | * session-id reuse */ | |
1205 | /* The second test is because the buffer may have been removed */ | |
1206 | if ((s->s3->flags & SSL3_FLAGS_POP_BUFFER) && (s->wbio == s->bbio)) | |
1207 | { | |
1208 | /* First time through, we write into the buffer */ | |
1209 | if (s->s3->delay_buf_pop_ret == 0) | |
1210 | { | |
1211 | ret=ssl3_write_bytes(s,SSL3_RT_APPLICATION_DATA, | |
e778802f | 1212 | buf,len); |
d02b48c6 RE |
1213 | if (ret <= 0) return(ret); |
1214 | ||
1215 | s->s3->delay_buf_pop_ret=ret; | |
1216 | } | |
1217 | ||
1218 | s->rwstate=SSL_WRITING; | |
1219 | n=BIO_flush(s->wbio); | |
1220 | if (n <= 0) return(n); | |
1221 | s->rwstate=SSL_NOTHING; | |
1222 | ||
413c4f45 MC |
1223 | /* We have flushed the buffer, so remove it */ |
1224 | ssl_free_wbio_buffer(s); | |
1225 | s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER; | |
1226 | ||
d02b48c6 RE |
1227 | ret=s->s3->delay_buf_pop_ret; |
1228 | s->s3->delay_buf_pop_ret=0; | |
d02b48c6 RE |
1229 | } |
1230 | else | |
1231 | { | |
1232 | ret=ssl3_write_bytes(s,SSL3_RT_APPLICATION_DATA, | |
e778802f | 1233 | buf,len); |
d02b48c6 RE |
1234 | if (ret <= 0) return(ret); |
1235 | } | |
58964a49 | 1236 | |
d02b48c6 RE |
1237 | return(ret); |
1238 | } | |
1239 | ||
61f5b6f3 | 1240 | int ssl3_read(SSL *s, void *buf, int len) |
d02b48c6 | 1241 | { |
58964a49 RE |
1242 | int ret; |
1243 | ||
1244 | clear_sys_error(); | |
1245 | if (s->s3->renegotiate) ssl3_renegotiate_check(s); | |
1246 | s->s3->in_read_app_data=1; | |
1247 | ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len); | |
1248 | if ((ret == -1) && (s->s3->in_read_app_data == 0)) | |
1249 | { | |
b35e9050 BM |
1250 | /* ssl3_read_bytes decided to call s->handshake_func, which |
1251 | * called ssl3_read_bytes to read handshake data. | |
1252 | * However, ssl3_read_bytes actually found application data | |
1253 | * and thinks that application data makes sense here (signalled | |
1254 | * by resetting 'in_read_app_data', strangely); so disable | |
1255 | * handshake processing and try to read application data again. */ | |
58964a49 RE |
1256 | s->in_handshake++; |
1257 | ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len); | |
1258 | s->in_handshake--; | |
1259 | } | |
1260 | else | |
1261 | s->s3->in_read_app_data=0; | |
1262 | ||
1263 | return(ret); | |
d02b48c6 RE |
1264 | } |
1265 | ||
6b691a5c | 1266 | int ssl3_peek(SSL *s, char *buf, int len) |
d02b48c6 RE |
1267 | { |
1268 | SSL3_RECORD *rr; | |
1269 | int n; | |
1270 | ||
1271 | rr= &(s->s3->rrec); | |
1272 | if ((rr->length == 0) || (rr->type != SSL3_RT_APPLICATION_DATA)) | |
58964a49 RE |
1273 | { |
1274 | n=ssl3_read(s,buf,1); | |
1275 | if (n <= 0) return(n); | |
1276 | rr->length++; | |
1277 | rr->off--; | |
1278 | } | |
d02b48c6 RE |
1279 | |
1280 | if ((unsigned int)len > rr->length) | |
1281 | n=rr->length; | |
1282 | else | |
1283 | n=len; | |
1284 | memcpy(buf,&(rr->data[rr->off]),(unsigned int)n); | |
1285 | return(n); | |
1286 | } | |
1287 | ||
6b691a5c | 1288 | int ssl3_renegotiate(SSL *s) |
d02b48c6 RE |
1289 | { |
1290 | if (s->handshake_func == NULL) | |
1291 | return(1); | |
1292 | ||
1293 | if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) | |
1294 | return(0); | |
1295 | ||
58964a49 | 1296 | s->s3->renegotiate=1; |
d02b48c6 RE |
1297 | return(1); |
1298 | } | |
1299 | ||
6b691a5c | 1300 | int ssl3_renegotiate_check(SSL *s) |
58964a49 RE |
1301 | { |
1302 | int ret=0; | |
1303 | ||
1304 | if (s->s3->renegotiate) | |
1305 | { | |
1306 | if ( (s->s3->rbuf.left == 0) && | |
1307 | (s->s3->wbuf.left == 0) && | |
1308 | !SSL_in_init(s)) | |
1309 | { | |
1310 | /* | |
1311 | if we are the server, and we have sent a 'RENEGOTIATE' message, we | |
de808df4 | 1312 | need to go to SSL_ST_ACCEPT. |
58964a49 RE |
1313 | */ |
1314 | /* SSL_ST_ACCEPT */ | |
1315 | s->state=SSL_ST_RENEGOTIATE; | |
1316 | s->s3->renegotiate=0; | |
1317 | s->s3->num_renegotiations++; | |
1318 | s->s3->total_renegotiations++; | |
1319 | ret=1; | |
1320 | } | |
1321 | } | |
1322 | return(ret); | |
1323 | } | |
1324 |