author | Joel Sing <jsing@cvs.openbsd.org> | 2014-04-14 13:10:36 +0000 |
---|---|---|
committer | Joel Sing <jsing@cvs.openbsd.org> | 2014-04-14 13:10:36 +0000 |
commit | e520a2b754f378d4aabb09cb96197a6ddaf681dd (patch) | |
tree | 81be403f0fa168f762ccf801b25667a92f2a14dd /lib/libssl/ssl_ciph.c | |
parent | 5522cd38d5534e249994bc116649fca9d7221856 (diff) |
First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.
Diffstat (limited to 'lib/libssl/ssl_ciph.c')
-rw-r--r-- | lib/libssl/ssl_ciph.c | 1393 |
1 files changed, 680 insertions, 713 deletions
diff --git a/lib/libssl/ssl_ciph.c b/lib/libssl/ssl_ciph.c
index 0aba8e048c5..f37c70cf915 100644
--- a/lib/libssl/ssl_ciph.c
+++ b/lib/libssl/ssl_ciph.c
@@ -167,15 +167,15 @@
 #define SSL_ENC_NUM_IDX 14
-static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX]={
- NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL
- };
+static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX] = {
+ NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
+};
 #define SSL_COMP_NULL_IDX 0
 #define SSL_COMP_ZLIB_IDX 1
 #define SSL_COMP_NUM_IDX 2
-static STACK_OF(SSL_COMP) *ssl_comp_methods=NULL;
+static STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
 #define SSL_MD_MD5_IDX 0
 #define SSL_MD_SHA1_IDX 1
@@ -187,27 +187,27 @@ static STACK_OF(SSL_COMP) *ssl_comp_methods=NULL;
 * defined in the
 * ssl_locl.h */
 #define SSL_MD_NUM_IDX SSL_MAX_DIGEST
-static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX]={
- NULL,NULL,NULL,NULL,NULL,NULL
- };
+static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX] = {
+ NULL, NULL, NULL, NULL, NULL, NULL
+};
 /* PKEY_TYPE for GOST89MAC is known in advance, but, because
 * implementation is engine-provided, we'll fill it only if
 * corresponding EVP_PKEY_METHOD is found */
-static int ssl_mac_pkey_id[SSL_MD_NUM_IDX]={
- EVP_PKEY_HMAC,EVP_PKEY_HMAC,EVP_PKEY_HMAC,NID_undef,
- EVP_PKEY_HMAC,EVP_PKEY_HMAC
- };
+static int ssl_mac_pkey_id[SSL_MD_NUM_IDX] = {
+ EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_HMAC, NID_undef,
+ EVP_PKEY_HMAC, EVP_PKEY_HMAC
+};
-static int ssl_mac_secret_size[SSL_MD_NUM_IDX]={
- 0,0,0,0,0,0
- };
+static int ssl_mac_secret_size[SSL_MD_NUM_IDX] = {
+ 0, 0, 0, 0, 0, 0
+};
-static int ssl_handshake_digest_flag[SSL_MD_NUM_IDX]={
- SSL_HANDSHAKE_MAC_MD5,SSL_HANDSHAKE_MAC_SHA,
+static int ssl_handshake_digest_flag[SSL_MD_NUM_IDX] = {
+ SSL_HANDSHAKE_MAC_MD5, SSL_HANDSHAKE_MAC_SHA,
 SSL_HANDSHAKE_MAC_GOST94, 0, SSL_HANDSHAKE_MAC_SHA256, SSL_HANDSHAKE_MAC_SHA384
- };
+};
 #define CIPHER_ADD 1
 #define CIPHER_KILL 2
@@ -215,376 +215,371 @@ static int ssl_handshake_digest_flag[SSL_MD_NUM_IDX]={ #define CIPHER_ORD 4 #define CIPHER_SPECIAL 5 -typedef struct cipher_order_st - { +typedef struct cipher_order_st { const SSL_CIPHER *cipher; int active; int dead; - struct cipher_order_st *next,*prev; - } CIPHER_ORDER; + struct cipher_order_st *next, *prev; +} CIPHER_ORDER; -static const SSL_CIPHER cipher_aliases[]={ +static const SSL_CIPHER cipher_aliases[] = { /* "ALL" doesn't include eNULL (must be specifically enabled) */ - {0,SSL_TXT_ALL,0, 0,0,~SSL_eNULL,0,0,0,0,0,0}, + {0, SSL_TXT_ALL, 0, 0, 0,~SSL_eNULL, 0, 0, 0, 0, 0, 0}, /* "COMPLEMENTOFALL" */ - {0,SSL_TXT_CMPALL,0, 0,0,SSL_eNULL,0,0,0,0,0,0}, + {0, SSL_TXT_CMPALL, 0, 0, 0, SSL_eNULL, 0, 0, 0, 0, 0, 0}, /* "COMPLEMENTOFDEFAULT" (does *not* include ciphersuites not found in ALL!) */ - {0,SSL_TXT_CMPDEF,0, SSL_kEDH|SSL_kEECDH,SSL_aNULL,~SSL_eNULL,0,0,0,0,0,0}, + {0, SSL_TXT_CMPDEF, 0, SSL_kEDH|SSL_kEECDH, SSL_aNULL,~SSL_eNULL, 0, 0, 0, 0, 0, 0}, /* key exchange aliases * (some of those using only a single bit here combine * multiple key exchange algs according to the RFCs, * e.g. kEDH combines DHE_DSS and DHE_RSA) */ - {0,SSL_TXT_kRSA,0, SSL_kRSA, 0,0,0,0,0,0,0,0}, + {0, SSL_TXT_kRSA, 0, SSL_kRSA, 0, 0, 0, 0, 0, 0, 0, 0}, {0,SSL_TXT_kDHr,0, SSL_kDHr, 0,0,0,0,0,0,0,0}, /* no such ciphersuites supported! */ {0,SSL_TXT_kDHd,0, SSL_kDHd, 0,0,0,0,0,0,0,0}, /* no such ciphersuites supported! */ {0,SSL_TXT_kDH,0, SSL_kDHr|SSL_kDHd,0,0,0,0,0,0,0,0}, /* no such ciphersuites supported! 
*/ - {0,SSL_TXT_kEDH,0, SSL_kEDH, 0,0,0,0,0,0,0,0}, - {0,SSL_TXT_DH,0, SSL_kDHr|SSL_kDHd|SSL_kEDH,0,0,0,0,0,0,0,0}, + {0, SSL_TXT_kEDH, 0, SSL_kEDH, 0, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_DH, 0, SSL_kDHr|SSL_kDHd|SSL_kEDH, 0, 0, 0, 0, 0, 0, 0, 0}, - {0,SSL_TXT_kKRB5,0, SSL_kKRB5, 0,0,0,0,0,0,0,0}, + {0, SSL_TXT_kKRB5, 0, SSL_kKRB5, 0, 0, 0, 0, 0, 0, 0, 0}, - {0,SSL_TXT_kECDHr,0, SSL_kECDHr,0,0,0,0,0,0,0,0}, - {0,SSL_TXT_kECDHe,0, SSL_kECDHe,0,0,0,0,0,0,0,0}, - {0,SSL_TXT_kECDH,0, SSL_kECDHr|SSL_kECDHe,0,0,0,0,0,0,0,0}, - {0,SSL_TXT_kEECDH,0, SSL_kEECDH,0,0,0,0,0,0,0,0}, - {0,SSL_TXT_ECDH,0, SSL_kECDHr|SSL_kECDHe|SSL_kEECDH,0,0,0,0,0,0,0,0}, + {0, SSL_TXT_kECDHr, 0, SSL_kECDHr, 0, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_kECDHe, 0, SSL_kECDHe, 0, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_kECDH, 0, SSL_kECDHr|SSL_kECDHe, 0, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_kEECDH, 0, SSL_kEECDH, 0, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_ECDH, 0, SSL_kECDHr|SSL_kECDHe|SSL_kEECDH, 0, 0, 0, 0, 0, 0, 0, 0}, - {0,SSL_TXT_kPSK,0, SSL_kPSK, 0,0,0,0,0,0,0,0}, - {0,SSL_TXT_kSRP,0, SSL_kSRP, 0,0,0,0,0,0,0,0}, - {0,SSL_TXT_kGOST,0, SSL_kGOST,0,0,0,0,0,0,0,0}, + {0, SSL_TXT_kPSK, 0, SSL_kPSK, 0, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_kSRP, 0, SSL_kSRP, 0, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_kGOST, 0, SSL_kGOST, 0, 0, 0, 0, 0, 0, 0, 0}, /* server authentication aliases */ - {0,SSL_TXT_aRSA,0, 0,SSL_aRSA, 0,0,0,0,0,0,0}, - {0,SSL_TXT_aDSS,0, 0,SSL_aDSS, 0,0,0,0,0,0,0}, - {0,SSL_TXT_DSS,0, 0,SSL_aDSS, 0,0,0,0,0,0,0}, - {0,SSL_TXT_aKRB5,0, 0,SSL_aKRB5, 0,0,0,0,0,0,0}, - {0,SSL_TXT_aNULL,0, 0,SSL_aNULL, 0,0,0,0,0,0,0}, + {0, SSL_TXT_aRSA, 0, 0, SSL_aRSA, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_aDSS, 0, 0, SSL_aDSS, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_DSS, 0, 0, SSL_aDSS, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_aKRB5, 0, 0, SSL_aKRB5, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_aNULL, 0, 0, SSL_aNULL, 0, 0, 0, 0, 0, 0, 0}, {0,SSL_TXT_aDH,0, 0,SSL_aDH, 0,0,0,0,0,0,0}, /* no such ciphersuites supported! 
*/ - {0,SSL_TXT_aECDH,0, 0,SSL_aECDH, 0,0,0,0,0,0,0}, - {0,SSL_TXT_aECDSA,0, 0,SSL_aECDSA,0,0,0,0,0,0,0}, - {0,SSL_TXT_ECDSA,0, 0,SSL_aECDSA, 0,0,0,0,0,0,0}, - {0,SSL_TXT_aPSK,0, 0,SSL_aPSK, 0,0,0,0,0,0,0}, - {0,SSL_TXT_aGOST94,0,0,SSL_aGOST94,0,0,0,0,0,0,0}, - {0,SSL_TXT_aGOST01,0,0,SSL_aGOST01,0,0,0,0,0,0,0}, - {0,SSL_TXT_aGOST,0,0,SSL_aGOST94|SSL_aGOST01,0,0,0,0,0,0,0}, + {0, SSL_TXT_aECDH, 0, 0, SSL_aECDH, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_aECDSA, 0, 0, SSL_aECDSA, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_ECDSA, 0, 0, SSL_aECDSA, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_aPSK, 0, 0, SSL_aPSK, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_aGOST94, 0, 0, SSL_aGOST94, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_aGOST01, 0, 0, SSL_aGOST01, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_aGOST, 0, 0, SSL_aGOST94|SSL_aGOST01, 0, 0, 0, 0, 0, 0, 0}, /* aliases combining key exchange and server authentication */ - {0,SSL_TXT_EDH,0, SSL_kEDH,~SSL_aNULL,0,0,0,0,0,0,0}, - {0,SSL_TXT_EECDH,0, SSL_kEECDH,~SSL_aNULL,0,0,0,0,0,0,0}, - {0,SSL_TXT_NULL,0, 0,0,SSL_eNULL, 0,0,0,0,0,0}, - {0,SSL_TXT_KRB5,0, SSL_kKRB5,SSL_aKRB5,0,0,0,0,0,0,0}, - {0,SSL_TXT_RSA,0, SSL_kRSA,SSL_aRSA,0,0,0,0,0,0,0}, - {0,SSL_TXT_ADH,0, SSL_kEDH,SSL_aNULL,0,0,0,0,0,0,0}, - {0,SSL_TXT_AECDH,0, SSL_kEECDH,SSL_aNULL,0,0,0,0,0,0,0}, - {0,SSL_TXT_PSK,0, SSL_kPSK,SSL_aPSK,0,0,0,0,0,0,0}, - {0,SSL_TXT_SRP,0, SSL_kSRP,0,0,0,0,0,0,0,0}, + {0, SSL_TXT_EDH, 0, SSL_kEDH,~SSL_aNULL, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_EECDH, 0, SSL_kEECDH,~SSL_aNULL, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_NULL, 0, 0, 0, SSL_eNULL, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_KRB5, 0, SSL_kKRB5, SSL_aKRB5, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_RSA, 0, SSL_kRSA, SSL_aRSA, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_ADH, 0, SSL_kEDH, SSL_aNULL, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_AECDH, 0, SSL_kEECDH, SSL_aNULL, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_PSK, 0, SSL_kPSK, SSL_aPSK, 0, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_SRP, 0, SSL_kSRP, 0, 0, 0, 0, 0, 0, 0, 0}, /* symmetric encryption aliases */ - 
{0,SSL_TXT_DES,0, 0,0,SSL_DES, 0,0,0,0,0,0}, - {0,SSL_TXT_3DES,0, 0,0,SSL_3DES, 0,0,0,0,0,0}, - {0,SSL_TXT_RC4,0, 0,0,SSL_RC4, 0,0,0,0,0,0}, - {0,SSL_TXT_RC2,0, 0,0,SSL_RC2, 0,0,0,0,0,0}, - {0,SSL_TXT_IDEA,0, 0,0,SSL_IDEA, 0,0,0,0,0,0}, - {0,SSL_TXT_SEED,0, 0,0,SSL_SEED, 0,0,0,0,0,0}, - {0,SSL_TXT_eNULL,0, 0,0,SSL_eNULL, 0,0,0,0,0,0}, - {0,SSL_TXT_AES128,0, 0,0,SSL_AES128|SSL_AES128GCM,0,0,0,0,0,0}, - {0,SSL_TXT_AES256,0, 0,0,SSL_AES256|SSL_AES256GCM,0,0,0,0,0,0}, - {0,SSL_TXT_AES,0, 0,0,SSL_AES,0,0,0,0,0,0}, - {0,SSL_TXT_AES_GCM,0, 0,0,SSL_AES128GCM|SSL_AES256GCM,0,0,0,0,0,0}, - {0,SSL_TXT_CAMELLIA128,0,0,0,SSL_CAMELLIA128,0,0,0,0,0,0}, - {0,SSL_TXT_CAMELLIA256,0,0,0,SSL_CAMELLIA256,0,0,0,0,0,0}, - {0,SSL_TXT_CAMELLIA ,0,0,0,SSL_CAMELLIA128|SSL_CAMELLIA256,0,0,0,0,0,0}, - - /* MAC aliases */ - {0,SSL_TXT_MD5,0, 0,0,0,SSL_MD5, 0,0,0,0,0}, - {0,SSL_TXT_SHA1,0, 0,0,0,SSL_SHA1, 0,0,0,0,0}, - {0,SSL_TXT_SHA,0, 0,0,0,SSL_SHA1, 0,0,0,0,0}, - {0,SSL_TXT_GOST94,0, 0,0,0,SSL_GOST94, 0,0,0,0,0}, - {0,SSL_TXT_GOST89MAC,0, 0,0,0,SSL_GOST89MAC, 0,0,0,0,0}, - {0,SSL_TXT_SHA256,0, 0,0,0,SSL_SHA256, 0,0,0,0,0}, - {0,SSL_TXT_SHA384,0, 0,0,0,SSL_SHA384, 0,0,0,0,0}, + {0, SSL_TXT_DES, 0, 0, 0, SSL_DES, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_3DES, 0, 0, 0, SSL_3DES, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_RC4, 0, 0, 0, SSL_RC4, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_RC2, 0, 0, 0, SSL_RC2, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_IDEA, 0, 0, 0, SSL_IDEA, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_SEED, 0, 0, 0, SSL_SEED, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_eNULL, 0, 0, 0, SSL_eNULL, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_AES128, 0, 0, 0, SSL_AES128|SSL_AES128GCM, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_AES256, 0, 0, 0, SSL_AES256|SSL_AES256GCM, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_AES, 0, 0, 0, SSL_AES, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_AES_GCM, 0, 0, 0, SSL_AES128GCM|SSL_AES256GCM, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_CAMELLIA128, 0, 0, 0, SSL_CAMELLIA128, 0, 0, 0, 0, 0, 0}, + {0, SSL_TXT_CAMELLIA256, 0, 0, 0, SSL_CAMELLIA256, 0, 0, 0, 0, 0, 0}, 
+ {0, SSL_TXT_CAMELLIA , 0, 0, 0, SSL_CAMELLIA128|SSL_CAMELLIA256, 0, 0, 0, 0, 0, 0}, + + /* MAC aliases */ + {0, SSL_TXT_MD5, 0, 0, 0, 0, SSL_MD5, 0, 0, 0, 0, 0}, + {0, SSL_TXT_SHA1, 0, 0, 0, 0, SSL_SHA1, 0, 0, 0, 0, 0}, + {0, SSL_TXT_SHA, 0, 0, 0, 0, SSL_SHA1, 0, 0, 0, 0, 0}, + {0, SSL_TXT_GOST94, 0, 0, 0, 0, SSL_GOST94, 0, 0, 0, 0, 0}, + {0, SSL_TXT_GOST89MAC, 0, 0, 0, 0, SSL_GOST89MAC, 0, 0, 0, 0, 0}, + {0, SSL_TXT_SHA256, 0, 0, 0, 0, SSL_SHA256, 0, 0, 0, 0, 0}, + {0, SSL_TXT_SHA384, 0, 0, 0, 0, SSL_SHA384, 0, 0, 0, 0, 0}, /* protocol version aliases */ - {0,SSL_TXT_SSLV2,0, 0,0,0,0,SSL_SSLV2, 0,0,0,0}, - {0,SSL_TXT_SSLV3,0, 0,0,0,0,SSL_SSLV3, 0,0,0,0}, - {0,SSL_TXT_TLSV1,0, 0,0,0,0,SSL_TLSV1, 0,0,0,0}, - {0,SSL_TXT_TLSV1_2,0, 0,0,0,0,SSL_TLSV1_2, 0,0,0,0}, + {0, SSL_TXT_SSLV2, 0, 0, 0, 0, 0, SSL_SSLV2, 0, 0, 0, 0}, + {0, SSL_TXT_SSLV3, 0, 0, 0, 0, 0, SSL_SSLV3, 0, 0, 0, 0}, + {0, SSL_TXT_TLSV1, 0, 0, 0, 0, 0, SSL_TLSV1, 0, 0, 0, 0}, + {0, SSL_TXT_TLSV1_2, 0, 0, 0, 0, 0, SSL_TLSV1_2, 0, 0, 0, 0}, /* export flag */ - {0,SSL_TXT_EXP,0, 0,0,0,0,0,SSL_EXPORT,0,0,0}, - {0,SSL_TXT_EXPORT,0, 0,0,0,0,0,SSL_EXPORT,0,0,0}, + {0, SSL_TXT_EXP, 0, 0, 0, 0, 0, 0, SSL_EXPORT, 0, 0, 0}, + {0, SSL_TXT_EXPORT, 0, 0, 0, 0, 0, 0, SSL_EXPORT, 0, 0, 0}, /* strength classes */ - {0,SSL_TXT_EXP40,0, 0,0,0,0,0,SSL_EXP40, 0,0,0}, - {0,SSL_TXT_EXP56,0, 0,0,0,0,0,SSL_EXP56, 0,0,0}, - {0,SSL_TXT_LOW,0, 0,0,0,0,0,SSL_LOW, 0,0,0}, - {0,SSL_TXT_MEDIUM,0, 0,0,0,0,0,SSL_MEDIUM,0,0,0}, - {0,SSL_TXT_HIGH,0, 0,0,0,0,0,SSL_HIGH, 0,0,0}, + {0, SSL_TXT_EXP40, 0, 0, 0, 0, 0, 0, SSL_EXP40, 0, 0, 0}, + {0, SSL_TXT_EXP56, 0, 0, 0, 0, 0, 0, SSL_EXP56, 0, 0, 0}, + {0, SSL_TXT_LOW, 0, 0, 0, 0, 0, 0, SSL_LOW, 0, 0, 0}, + {0, SSL_TXT_MEDIUM, 0, 0, 0, 0, 0, 0, SSL_MEDIUM, 0, 0, 0}, + {0, SSL_TXT_HIGH, 0, 0, 0, 0, 0, 0, SSL_HIGH, 0, 0, 0}, /* FIPS 140-2 approved ciphersuite */ - {0,SSL_TXT_FIPS,0, 0,0,~SSL_eNULL,0,0,SSL_FIPS, 0,0,0}, - }; + {0, SSL_TXT_FIPS, 0, 0, 0,~SSL_eNULL, 0, 0, SSL_FIPS, 0, 0, 0}, +}; /* 
Search for public key algorithm with given name and * return its pkey_id if it is available. Otherwise return 0 */ #ifdef OPENSSL_NO_ENGINE -static int get_optional_pkey_id(const char *pkey_name) - { +static int +get_optional_pkey_id(const char *pkey_name) +{ const EVP_PKEY_ASN1_METHOD *ameth; - int pkey_id=0; - ameth = EVP_PKEY_asn1_find_str(NULL,pkey_name,-1); - if (ameth) - { - EVP_PKEY_asn1_get0_info(&pkey_id, NULL,NULL,NULL,NULL,ameth); - } - return pkey_id; + int pkey_id = 0; + ameth = EVP_PKEY_asn1_find_str(NULL, pkey_name, -1); + if (ameth) { + EVP_PKEY_asn1_get0_info(&pkey_id, NULL, NULL, NULL, NULL, ameth); } + return pkey_id; +} #else -static int get_optional_pkey_id(const char *pkey_name) - { +static int +get_optional_pkey_id(const char *pkey_name) +{ const EVP_PKEY_ASN1_METHOD *ameth; ENGINE *tmpeng = NULL; - int pkey_id=0; - ameth = EVP_PKEY_asn1_find_str(&tmpeng,pkey_name,-1); - if (ameth) - { - EVP_PKEY_asn1_get0_info(&pkey_id, NULL,NULL,NULL,NULL,ameth); - } - if (tmpeng) ENGINE_finish(tmpeng); - return pkey_id; + int pkey_id = 0; + ameth = EVP_PKEY_asn1_find_str(&tmpeng, pkey_name, -1); + if (ameth) { + EVP_PKEY_asn1_get0_info(&pkey_id, NULL, NULL, NULL, NULL, ameth); } + if (tmpeng) + ENGINE_finish(tmpeng); + return pkey_id; +} #endif -void ssl_load_ciphers(void) - { - ssl_cipher_methods[SSL_ENC_DES_IDX]= - EVP_get_cipherbyname(SN_des_cbc); +void +ssl_load_ciphers(void) +{ + ssl_cipher_methods[SSL_ENC_DES_IDX]= + EVP_get_cipherbyname(SN_des_cbc); ssl_cipher_methods[SSL_ENC_3DES_IDX]= - EVP_get_cipherbyname(SN_des_ede3_cbc); + EVP_get_cipherbyname(SN_des_ede3_cbc); ssl_cipher_methods[SSL_ENC_RC4_IDX]= - EVP_get_cipherbyname(SN_rc4); - ssl_cipher_methods[SSL_ENC_RC2_IDX]= - EVP_get_cipherbyname(SN_rc2_cbc); + EVP_get_cipherbyname(SN_rc4); + ssl_cipher_methods[SSL_ENC_RC2_IDX]= + EVP_get_cipherbyname(SN_rc2_cbc); #ifndef OPENSSL_NO_IDEA - ssl_cipher_methods[SSL_ENC_IDEA_IDX]= - EVP_get_cipherbyname(SN_idea_cbc); + 
ssl_cipher_methods[SSL_ENC_IDEA_IDX]= + EVP_get_cipherbyname(SN_idea_cbc); #else - ssl_cipher_methods[SSL_ENC_IDEA_IDX]= NULL; + ssl_cipher_methods[SSL_ENC_IDEA_IDX] = NULL; #endif ssl_cipher_methods[SSL_ENC_AES128_IDX]= - EVP_get_cipherbyname(SN_aes_128_cbc); + EVP_get_cipherbyname(SN_aes_128_cbc); ssl_cipher_methods[SSL_ENC_AES256_IDX]= - EVP_get_cipherbyname(SN_aes_256_cbc); + EVP_get_cipherbyname(SN_aes_256_cbc); ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX]= - EVP_get_cipherbyname(SN_camellia_128_cbc); + EVP_get_cipherbyname(SN_camellia_128_cbc); ssl_cipher_methods[SSL_ENC_CAMELLIA256_IDX]= - EVP_get_cipherbyname(SN_camellia_256_cbc); + EVP_get_cipherbyname(SN_camellia_256_cbc); ssl_cipher_methods[SSL_ENC_GOST89_IDX]= - EVP_get_cipherbyname(SN_gost89_cnt); + EVP_get_cipherbyname(SN_gost89_cnt); ssl_cipher_methods[SSL_ENC_SEED_IDX]= - EVP_get_cipherbyname(SN_seed_cbc); + EVP_get_cipherbyname(SN_seed_cbc); ssl_cipher_methods[SSL_ENC_AES128GCM_IDX]= - EVP_get_cipherbyname(SN_aes_128_gcm); + EVP_get_cipherbyname(SN_aes_128_gcm); ssl_cipher_methods[SSL_ENC_AES256GCM_IDX]= - EVP_get_cipherbyname(SN_aes_256_gcm); + EVP_get_cipherbyname(SN_aes_256_gcm); ssl_digest_methods[SSL_MD_MD5_IDX]= - EVP_get_digestbyname(SN_md5); + EVP_get_digestbyname(SN_md5); ssl_mac_secret_size[SSL_MD_MD5_IDX]= - EVP_MD_size(ssl_digest_methods[SSL_MD_MD5_IDX]); + EVP_MD_size(ssl_digest_methods[SSL_MD_MD5_IDX]); OPENSSL_assert(ssl_mac_secret_size[SSL_MD_MD5_IDX] >= 0); ssl_digest_methods[SSL_MD_SHA1_IDX]= - EVP_get_digestbyname(SN_sha1); + EVP_get_digestbyname(SN_sha1); ssl_mac_secret_size[SSL_MD_SHA1_IDX]= - EVP_MD_size(ssl_digest_methods[SSL_MD_SHA1_IDX]); + EVP_MD_size(ssl_digest_methods[SSL_MD_SHA1_IDX]); OPENSSL_assert(ssl_mac_secret_size[SSL_MD_SHA1_IDX] >= 0); ssl_digest_methods[SSL_MD_GOST94_IDX]= - EVP_get_digestbyname(SN_id_GostR3411_94); - if (ssl_digest_methods[SSL_MD_GOST94_IDX]) - { + EVP_get_digestbyname(SN_id_GostR3411_94); + if (ssl_digest_methods[SSL_MD_GOST94_IDX]) { 
ssl_mac_secret_size[SSL_MD_GOST94_IDX]= - EVP_MD_size(ssl_digest_methods[SSL_MD_GOST94_IDX]); + EVP_MD_size(ssl_digest_methods[SSL_MD_GOST94_IDX]); OPENSSL_assert(ssl_mac_secret_size[SSL_MD_GOST94_IDX] >= 0); - } + } ssl_digest_methods[SSL_MD_GOST89MAC_IDX]= - EVP_get_digestbyname(SN_id_Gost28147_89_MAC); - ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX] = get_optional_pkey_id("gost-mac"); - if (ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX]) { - ssl_mac_secret_size[SSL_MD_GOST89MAC_IDX]=32; - } + EVP_get_digestbyname(SN_id_Gost28147_89_MAC); + ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX] = get_optional_pkey_id("gost-mac"); + if (ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX]) { + ssl_mac_secret_size[SSL_MD_GOST89MAC_IDX] = 32; + } ssl_digest_methods[SSL_MD_SHA256_IDX]= - EVP_get_digestbyname(SN_sha256); + EVP_get_digestbyname(SN_sha256); ssl_mac_secret_size[SSL_MD_SHA256_IDX]= - EVP_MD_size(ssl_digest_methods[SSL_MD_SHA256_IDX]); + EVP_MD_size(ssl_digest_methods[SSL_MD_SHA256_IDX]); ssl_digest_methods[SSL_MD_SHA384_IDX]= - EVP_get_digestbyname(SN_sha384); + EVP_get_digestbyname(SN_sha384); ssl_mac_secret_size[SSL_MD_SHA384_IDX]= - EVP_MD_size(ssl_digest_methods[SSL_MD_SHA384_IDX]); - } + EVP_MD_size(ssl_digest_methods[SSL_MD_SHA384_IDX]); +} #ifndef OPENSSL_NO_COMP -static int sk_comp_cmp(const SSL_COMP * const *a, - const SSL_COMP * const *b) - { - return((*a)->id-(*b)->id); - } +static int +sk_comp_cmp(const SSL_COMP * const *a, + const SSL_COMP * const *b) +{ + return ((*a)->id - (*b)->id); +} -static void load_builtin_compressions(void) - { +static void +load_builtin_compressions(void) +{ int got_write_lock = 0; CRYPTO_r_lock(CRYPTO_LOCK_SSL); - if (ssl_comp_methods == NULL) - { + if (ssl_comp_methods == NULL) { CRYPTO_r_unlock(CRYPTO_LOCK_SSL); CRYPTO_w_lock(CRYPTO_LOCK_SSL); got_write_lock = 1; - - if (ssl_comp_methods == NULL) - { + + if (ssl_comp_methods == NULL) { SSL_COMP *comp = NULL; MemCheck_off(); - ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp); - if (ssl_comp_methods != NULL) - { - 
comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP)); - if (comp != NULL) - { - comp->method=COMP_zlib(); + ssl_comp_methods = sk_SSL_COMP_new(sk_comp_cmp); + if (ssl_comp_methods != NULL) { + comp = (SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP)); + if (comp != NULL) { + comp->method = COMP_zlib(); if (comp->method && comp->method->type == NID_undef) - OPENSSL_free(comp); - else - { - comp->id=SSL_COMP_ZLIB_IDX; - comp->name=comp->method->name; - sk_SSL_COMP_push(ssl_comp_methods,comp); - } + OPENSSL_free(comp); + else { + comp->id = SSL_COMP_ZLIB_IDX; + comp->name = comp->method->name; + sk_SSL_COMP_push(ssl_comp_methods, comp); } - sk_SSL_COMP_sort(ssl_comp_methods); } - MemCheck_on(); + sk_SSL_COMP_sort(ssl_comp_methods); } + MemCheck_on(); } - + } + if (got_write_lock) CRYPTO_w_unlock(CRYPTO_LOCK_SSL); else CRYPTO_r_unlock(CRYPTO_LOCK_SSL); - } +} #endif -int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, - const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size,SSL_COMP **comp) - { +int +ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, + const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size, SSL_COMP **comp) +{ int i; const SSL_CIPHER *c; - c=s->cipher; - if (c == NULL) return(0); - if (comp != NULL) - { + c = s->cipher; + if (c == NULL) + return (0); + if (comp != NULL) { SSL_COMP ctmp; #ifndef OPENSSL_NO_COMP load_builtin_compressions(); #endif - *comp=NULL; - ctmp.id=s->compress_meth; - if (ssl_comp_methods != NULL) - { - i=sk_SSL_COMP_find(ssl_comp_methods,&ctmp); + *comp = NULL; + ctmp.id = s->compress_meth; + if (ssl_comp_methods != NULL) { + i = sk_SSL_COMP_find(ssl_comp_methods, &ctmp); if (i >= 0) - *comp=sk_SSL_COMP_value(ssl_comp_methods,i); + *comp = sk_SSL_COMP_value(ssl_comp_methods, i); else - *comp=NULL; - } + *comp = NULL; } + } - if ((enc == NULL) || (md == NULL)) return(0); + if ((enc == NULL) + || (md == NULL)) return (0); - switch (c->algorithm_enc) - { + switch (c->algorithm_enc) { case SSL_DES: - 
i=SSL_ENC_DES_IDX; + i = SSL_ENC_DES_IDX; break; case SSL_3DES: - i=SSL_ENC_3DES_IDX; + i = SSL_ENC_3DES_IDX; break; case SSL_RC4: - i=SSL_ENC_RC4_IDX; + i = SSL_ENC_RC4_IDX; break; case SSL_RC2: - i=SSL_ENC_RC2_IDX; + i = SSL_ENC_RC2_IDX; break; case SSL_IDEA: - i=SSL_ENC_IDEA_IDX; + i = SSL_ENC_IDEA_IDX; break; case SSL_eNULL: - i=SSL_ENC_NULL_IDX; + i = SSL_ENC_NULL_IDX; break; case SSL_AES128: - i=SSL_ENC_AES128_IDX; + i = SSL_ENC_AES128_IDX; break; case SSL_AES256: - i=SSL_ENC_AES256_IDX; + i = SSL_ENC_AES256_IDX; break; case SSL_CAMELLIA128: - i=SSL_ENC_CAMELLIA128_IDX; + i = SSL_ENC_CAMELLIA128_IDX; break; case SSL_CAMELLIA256: - i=SSL_ENC_CAMELLIA256_IDX; + i = SSL_ENC_CAMELLIA256_IDX; break; case SSL_eGOST2814789CNT: - i=SSL_ENC_GOST89_IDX; + i = SSL_ENC_GOST89_IDX; break; case SSL_SEED: - i=SSL_ENC_SEED_IDX; + i = SSL_ENC_SEED_IDX; break; case SSL_AES128GCM: - i=SSL_ENC_AES128GCM_IDX; + i = SSL_ENC_AES128GCM_IDX; break; case SSL_AES256GCM: - i=SSL_ENC_AES256GCM_IDX; + i = SSL_ENC_AES256GCM_IDX; break; default: - i= -1; + i = -1; break; - } + } if ((i < 0) || (i > SSL_ENC_NUM_IDX)) - *enc=NULL; - else - { + *enc = NULL; + else { if (i == SSL_ENC_NULL_IDX) - *enc=EVP_enc_null(); + *enc = EVP_enc_null(); else - *enc=ssl_cipher_methods[i]; - } + *enc = ssl_cipher_methods[i]; + } - switch (c->algorithm_mac) - { + switch (c->algorithm_mac) { case SSL_MD5: - i=SSL_MD_MD5_IDX; + i = SSL_MD_MD5_IDX; break; case SSL_SHA1: - i=SSL_MD_SHA1_IDX; + i = SSL_MD_SHA1_IDX; break; case SSL_SHA256: - i=SSL_MD_SHA256_IDX; + i = SSL_MD_SHA256_IDX; break; case SSL_SHA384: - i=SSL_MD_SHA384_IDX; + i = SSL_MD_SHA384_IDX; break; case SSL_GOST94: i = SSL_MD_GOST94_IDX; 
@@ -593,63 +588,63 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, i = SSL_MD_GOST89MAC_IDX; break; default: - i= -1; + i = -1; break; - } - if ((i < 0) || (i > SSL_MD_NUM_IDX)) - { - *md=NULL; - if (mac_pkey_type!=NULL) *mac_pkey_type = NID_undef; - if (mac_secret_size!=NULL) *mac_secret_size = 0; + } + if ((i < 0) || (i > SSL_MD_NUM_IDX)) { + *md = NULL; + + if (mac_pkey_type != NULL) + *mac_pkey_type = NID_undef; + if (mac_secret_size != NULL) + *mac_secret_size = 0; if (c->algorithm_mac == SSL_AEAD) mac_pkey_type = NULL; - } - else - { - *md=ssl_digest_methods[i]; - if (mac_pkey_type!=NULL) *mac_pkey_type = ssl_mac_pkey_id[i]; - if (mac_secret_size!=NULL) *mac_secret_size = ssl_mac_secret_size[i]; + } else { + *md = ssl_digest_methods[i]; + if (mac_pkey_type != NULL) + *mac_pkey_type = ssl_mac_pkey_id[i]; + if (mac_secret_size != NULL) + *mac_secret_size = ssl_mac_secret_size[i]; } if ((*enc != NULL) && - (*md != NULL || (EVP_CIPHER_flags(*enc)&EVP_CIPH_FLAG_AEAD_CIPHER)) && - (!mac_pkey_type||*mac_pkey_type != NID_undef)) - { + (*md != NULL || (EVP_CIPHER_flags(*enc)&EVP_CIPH_FLAG_AEAD_CIPHER)) && + (!mac_pkey_type || *mac_pkey_type != NID_undef)) { const EVP_CIPHER *evp; - if (s->ssl_version>>8 != TLS1_VERSION_MAJOR || - s->ssl_version < TLS1_VERSION) - return 1; + if (s->ssl_version >> 8 != TLS1_VERSION_MAJOR || + s->ssl_version < TLS1_VERSION) + return 1; #ifdef OPENSSL_FIPS if (FIPS_mode()) return 1; #endif - if (c->algorithm_enc == SSL_RC4 && - c->algorithm_mac == SSL_MD5 && - (evp=EVP_get_cipherbyname("RC4-HMAC-MD5"))) - *enc = evp, *md = NULL; + if (c->algorithm_enc == SSL_RC4 && + c->algorithm_mac == SSL_MD5 && + (evp = EVP_get_cipherbyname("RC4-HMAC-MD5"))) + *enc = evp, *md = NULL; else if (c->algorithm_enc == SSL_AES128 && - c->algorithm_mac == SSL_SHA1 && - (evp=EVP_get_cipherbyname("AES-128-CBC-HMAC-SHA1"))) - *enc = evp, *md = NULL; + c->algorithm_mac == SSL_SHA1 && + (evp = EVP_get_cipherbyname("AES-128-CBC-HMAC-SHA1"))) 
+ *enc = evp, *md = NULL; else if (c->algorithm_enc == SSL_AES256 && - c->algorithm_mac == SSL_SHA1 && - (evp=EVP_get_cipherbyname("AES-256-CBC-HMAC-SHA1"))) - *enc = evp, *md = NULL; - return(1); - } - else - return(0); - } + c->algorithm_mac == SSL_SHA1 && + (evp = EVP_get_cipherbyname("AES-256-CBC-HMAC-SHA1"))) + *enc = evp, *md = NULL; + return (1); + } else + return (0); +} -int ssl_get_handshake_digest(int idx, long *mask, const EVP_MD **md) +int +ssl_get_handshake_digest(int idx, long *mask, const EVP_MD **md) { - if (idx <0||idx>=SSL_MD_NUM_IDX) - { + if (idx < 0 || idx >= SSL_MD_NUM_IDX) { return 0; - } + } *mask = ssl_handshake_digest_flag[idx]; if (*mask) *md = ssl_digest_methods[idx]; 
@@ -661,40 +656,45 @@ int ssl_get_handshake_digest(int idx, long *mask, const EVP_MD **md) #define ITEM_SEP(a) \ (((a) == ':') || ((a) == ' ') || ((a) == ';') || ((a) == ',')) -static void ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr, - CIPHER_ORDER **tail) - { - if (curr == *tail) return; +static void +ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr, + CIPHER_ORDER **tail) +{ + if (curr == *tail) + return; if (curr == *head) - *head=curr->next; + *head = curr->next; if (curr->prev != NULL) - curr->prev->next=curr->next; + curr->prev->next = curr->next; if (curr->next != NULL) - curr->next->prev=curr->prev; - (*tail)->next=curr; + curr->next->prev = curr->prev; + (*tail)->next = curr; curr->prev= *tail; - curr->next=NULL; - *tail=curr; - } + curr->next = NULL; + *tail = curr; +} -static void ll_append_head(CIPHER_ORDER **head, CIPHER_ORDER *curr, - CIPHER_ORDER **tail) - { - if (curr == *head) return; +static void +ll_append_head(CIPHER_ORDER **head, CIPHER_ORDER *curr, + CIPHER_ORDER **tail) +{ + if (curr == *head) + return; if (curr == *tail) - *tail=curr->prev; + *tail = curr->prev; if (curr->next != NULL) - curr->next->prev=curr->prev; + curr->next->prev = curr->prev; if (curr->prev != NULL) - curr->prev->next=curr->next; - (*head)->prev=curr; + curr->prev->next = curr->next; + (*head)->prev = curr; curr->next= *head; - curr->prev=NULL; - *head=curr; - } + curr->prev = NULL; + *head = curr; +} -static void ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, unsigned long *enc, unsigned long *mac, unsigned long *ssl) - { +static void +ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, unsigned long *enc, unsigned long *mac, unsigned long *ssl) +{ *mkey = 0; *auth = 0; *enc = 0; 
@@ -743,44 +743,45 @@ static void ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, un /* Disable GOST key exchange if no GOST signature algs are available * */ if ((*auth & (SSL_aGOST94|SSL_aGOST01)) == (SSL_aGOST94|SSL_aGOST01)) { *mkey |= SSL_kGOST; - } + } #ifdef SSL_FORBID_ENULL *enc |= SSL_eNULL; #endif - - - - *enc |= (ssl_cipher_methods[SSL_ENC_DES_IDX ] == NULL) ? SSL_DES :0; - *enc |= (ssl_cipher_methods[SSL_ENC_3DES_IDX] == NULL) ? SSL_3DES:0; - *enc |= (ssl_cipher_methods[SSL_ENC_RC4_IDX ] == NULL) ? SSL_RC4 :0; - *enc |= (ssl_cipher_methods[SSL_ENC_RC2_IDX ] == NULL) ? SSL_RC2 :0; - *enc |= (ssl_cipher_methods[SSL_ENC_IDEA_IDX] == NULL) ? SSL_IDEA:0; - *enc |= (ssl_cipher_methods[SSL_ENC_AES128_IDX] == NULL) ? SSL_AES128:0; - *enc |= (ssl_cipher_methods[SSL_ENC_AES256_IDX] == NULL) ? SSL_AES256:0; - *enc |= (ssl_cipher_methods[SSL_ENC_AES128GCM_IDX] == NULL) ? SSL_AES128GCM:0; - *enc |= (ssl_cipher_methods[SSL_ENC_AES256GCM_IDX] == NULL) ? SSL_AES256GCM:0; - *enc |= (ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX] == NULL) ? SSL_CAMELLIA128:0; - *enc |= (ssl_cipher_methods[SSL_ENC_CAMELLIA256_IDX] == NULL) ? SSL_CAMELLIA256:0; - *enc |= (ssl_cipher_methods[SSL_ENC_GOST89_IDX] == NULL) ? SSL_eGOST2814789CNT:0; - *enc |= (ssl_cipher_methods[SSL_ENC_SEED_IDX] == NULL) ? SSL_SEED:0; - - *mac |= (ssl_digest_methods[SSL_MD_MD5_IDX ] == NULL) ? SSL_MD5 :0; - *mac |= (ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL) ? SSL_SHA1:0; - *mac |= (ssl_digest_methods[SSL_MD_SHA256_IDX] == NULL) ? SSL_SHA256:0; - *mac |= (ssl_digest_methods[SSL_MD_SHA384_IDX] == NULL) ? SSL_SHA384:0; - *mac |= (ssl_digest_methods[SSL_MD_GOST94_IDX] == NULL) ? SSL_GOST94:0; - *mac |= (ssl_digest_methods[SSL_MD_GOST89MAC_IDX] == NULL || ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX]==NID_undef)? 
SSL_GOST89MAC:0; - } -static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method, - int num_of_ciphers, - unsigned long disabled_mkey, unsigned long disabled_auth, - unsigned long disabled_enc, unsigned long disabled_mac, - unsigned long disabled_ssl, - CIPHER_ORDER *co_list, - CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) - { + + *enc |= (ssl_cipher_methods[SSL_ENC_DES_IDX ] == NULL) ? SSL_DES : 0; + *enc |= (ssl_cipher_methods[SSL_ENC_3DES_IDX] == NULL) ? SSL_3DES : 0; + *enc |= (ssl_cipher_methods[SSL_ENC_RC4_IDX ] == NULL) ? SSL_RC4 : 0; + *enc |= (ssl_cipher_methods[SSL_ENC_RC2_IDX ] == NULL) ? SSL_RC2 : 0; + *enc |= (ssl_cipher_methods[SSL_ENC_IDEA_IDX] == NULL) ? SSL_IDEA : 0; + *enc |= (ssl_cipher_methods[SSL_ENC_AES128_IDX] == NULL) ? SSL_AES128 : 0; + *enc |= (ssl_cipher_methods[SSL_ENC_AES256_IDX] == NULL) ? SSL_AES256 : 0; + *enc |= (ssl_cipher_methods[SSL_ENC_AES128GCM_IDX] == NULL) ? SSL_AES128GCM : 0; + *enc |= (ssl_cipher_methods[SSL_ENC_AES256GCM_IDX] == NULL) ? SSL_AES256GCM : 0; + *enc |= (ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX] == NULL) ? SSL_CAMELLIA128 : 0; + *enc |= (ssl_cipher_methods[SSL_ENC_CAMELLIA256_IDX] == NULL) ? SSL_CAMELLIA256 : 0; + *enc |= (ssl_cipher_methods[SSL_ENC_GOST89_IDX] == NULL) ? SSL_eGOST2814789CNT : 0; + *enc |= (ssl_cipher_methods[SSL_ENC_SEED_IDX] == NULL) ? SSL_SEED : 0; + + *mac |= (ssl_digest_methods[SSL_MD_MD5_IDX ] == NULL) ? SSL_MD5 : 0; + *mac |= (ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL) ? SSL_SHA1 : 0; + *mac |= (ssl_digest_methods[SSL_MD_SHA256_IDX] == NULL) ? SSL_SHA256 : 0; + *mac |= (ssl_digest_methods[SSL_MD_SHA384_IDX] == NULL) ? SSL_SHA384 : 0; + *mac |= (ssl_digest_methods[SSL_MD_GOST94_IDX] == NULL) ? SSL_GOST94 : 0; + *mac |= (ssl_digest_methods[SSL_MD_GOST89MAC_IDX] == NULL || ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX]==NID_undef) ? 
SSL_GOST89MAC : 0; + +} + +static void +ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method, + int num_of_ciphers, +unsigned long disabled_mkey, unsigned long disabled_auth, + unsigned long disabled_enc, unsigned long disabled_mac, +unsigned long disabled_ssl, + CIPHER_ORDER *co_list, +CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) +{ int i, co_list_num; const SSL_CIPHER *c; 
@@ -793,68 +794,64 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method, /* Get the initial list of ciphers */ co_list_num = 0; /* actual count of ciphers */ - for (i = 0; i < num_of_ciphers; i++) - { + for (i = 0; i < num_of_ciphers; i++) { c = ssl_method->get_cipher(i); /* drop those that use any of that is not available */ if ((c != NULL) && c->valid && #ifdef OPENSSL_FIPS - (!FIPS_mode() || (c->algo_strength & SSL_FIPS)) && + (!FIPS_mode() || (c->algo_strength & SSL_FIPS)) && #endif - !(c->algorithm_mkey & disabled_mkey) && - !(c->algorithm_auth & disabled_auth) && - !(c->algorithm_enc & disabled_enc) && - !(c->algorithm_mac & disabled_mac) && - !(c->algorithm_ssl & disabled_ssl)) - { + !(c->algorithm_mkey & disabled_mkey) && + !(c->algorithm_auth & disabled_auth) && + !(c->algorithm_enc & disabled_enc) && + !(c->algorithm_mac & disabled_mac) && + !(c->algorithm_ssl & disabled_ssl)) { co_list[co_list_num].cipher = c; co_list[co_list_num].next = NULL; co_list[co_list_num].prev = NULL; co_list[co_list_num].active = 0; co_list_num++; #ifdef KSSL_DEBUG - printf("\t%d: %s %lx %lx %lx\n",i,c->name,c->id,c->algorithm_mkey,c->algorithm_auth); + printf("\t%d: %s %lx %lx %lx\n", i, c->name, c->id, c->algorithm_mkey, c->algorithm_auth); #endif /* KSSL_DEBUG */ /* if (!sk_push(ca_list,(char *)c)) goto err; */ - } } + } /* * Prepare linked list from list entries */ - if (co_list_num > 0) - { + if (co_list_num > 0) { co_list[0].prev = NULL; - if (co_list_num > 1) - { + if (co_list_num > 1) { co_list[0].next = &co_list[1]; - - for (i = 1; i < co_list_num - 1; i++) - { + + for (i = 1; i < co_list_num - 1; i++) { co_list[i].prev = &co_list[i - 1]; co_list[i].next = &co_list[i + 1]; - } + } co_list[co_list_num - 1].prev = &co_list[co_list_num - 2]; - } - + } + co_list[co_list_num - 1].next = NULL; *head_p = &co_list[0]; *tail_p = &co_list[co_list_num - 1]; - } } +} -static void ssl_cipher_collect_aliases(const SSL_CIPHER **ca_list, - int num_of_group_aliases, - 
unsigned long disabled_mkey, unsigned long disabled_auth, - unsigned long disabled_enc, unsigned long disabled_mac, - unsigned long disabled_ssl, - CIPHER_ORDER *head) - { +static void +ssl_cipher_collect_aliases(const SSL_CIPHER **ca_list, + int num_of_group_aliases, +unsigned long disabled_mkey, unsigned long disabled_auth, + unsigned long disabled_enc, unsigned long disabled_mac, +unsigned long disabled_ssl, + CIPHER_ORDER *head) +{ CIPHER_ORDER *ciph_curr; const SSL_CIPHER **ca_curr; int i; @@ -869,12 +866,11 @@ static void ssl_cipher_collect_aliases(const SSL_CIPHER **ca_list, */ ciph_curr = head; ca_curr = ca_list; - while (ciph_curr != NULL) - { + while (ciph_curr != NULL) { *ca_curr = ciph_curr->cipher; ca_curr++; ciph_curr = ciph_curr->next; - } + } /* * Now we add the available ones from the cipher_aliases[] table. @@ -882,8 +878,7 @@ static void ssl_cipher_collect_aliases(const SSL_CIPHER **ca_list, * in any affected category must be supported (set in enabled_mask), * or represent a cipher strength value (will be added in any case because algorithms=0). */ - for (i = 0; i < num_of_group_aliases; i++) - { + for (i = 0; i < num_of_group_aliases; i++) { unsigned long algorithm_mkey = cipher_aliases[i].algorithm_mkey; unsigned long algorithm_auth = cipher_aliases[i].algorithm_auth; unsigned long algorithm_enc = cipher_aliases[i].algorithm_enc; 
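Review bot: The parameter-list continuation lines of ssl_cipher_collect_aliases at the end of this hunk look mis-indented after the reformat: the rendered markers `+unsigned long disabled_mkey, unsigned long disabled_auth,` and `+unsigned long disabled_ssl,` have no whitespace after the `+`, while the lines between them (`+ unsigned long disabled_enc, ...`) keep a continuation indent. The page collapses whitespace, so this is inferred from the marker position rather than seen directly; if it holds, the same column-0 continuations appear in the new headers of ssl_cipher_apply_rule, ssl_cipher_process_rulestr and ssl_create_cipher_list. Every continuation line should carry the same indent, e.g. `    unsigned long disabled_mkey, unsigned long disabled_auth,`. The commented-out `/* if (!sk_push(ca_list,(char *)c)) goto err; */` in ssl_cipher_collect_ciphers survived the pass as well; it is dead code and could be dropped in a follow-up rather than re-indented.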
@@ -893,45 +888,46 @@ static void ssl_cipher_collect_aliases(const SSL_CIPHER **ca_list, if (algorithm_mkey) if ((algorithm_mkey & mask_mkey) == 0) continue; - + if (algorithm_auth) if ((algorithm_auth & mask_auth) == 0) continue; - + if (algorithm_enc) if ((algorithm_enc & mask_enc) == 0) continue; - + if (algorithm_mac) if ((algorithm_mac & mask_mac) == 0) continue; - + if (algorithm_ssl) if ((algorithm_ssl & mask_ssl) == 0) continue; - + *ca_curr = (SSL_CIPHER *)(cipher_aliases + i); ca_curr++; - } + } *ca_curr = NULL; /* end of list */ - } +} -static void ssl_cipher_apply_rule(unsigned long cipher_id, - unsigned long alg_mkey, unsigned long alg_auth, - unsigned long alg_enc, unsigned long alg_mac, - unsigned long alg_ssl, - unsigned long algo_strength, - int rule, int strength_bits, - CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) - { +static void +ssl_cipher_apply_rule(unsigned long cipher_id, + unsigned long alg_mkey, unsigned long alg_auth, +unsigned long alg_enc, unsigned long alg_mac, + unsigned long alg_ssl, +unsigned long algo_strength, + int rule, int strength_bits, +CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) +{ CIPHER_ORDER *head, *tail, *curr, *curr2, *last; const SSL_CIPHER *cp; int reverse = 0; #ifdef CIPHER_DEBUG printf("Applying rule %d with %08lx/%08lx/%08lx/%08lx/%08lx %08lx (%d)\n", - rule, alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, algo_strength, strength_bits); + rule, alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, algo_strength, strength_bits); #endif if (rule == CIPHER_DEL) @@ -940,21 +936,18 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id, head = *head_p; tail = *tail_p; - if (reverse) - { + if (reverse) { curr = tail; last = head; - } - else - { + } else { curr = head; last = tail; - } + } curr2 = curr; - for (;;) - { - if ((curr == NULL) || (curr == last)) break; + for (;;) { + if ((curr == NULL) + || (curr == last)) break; curr = curr2; curr2 = reverse ? curr->prev : curr->next; 
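Review bot: The loop guard in ssl_cipher_apply_rule came out of the reformat as `if ((curr == NULL)` / `|| (curr == last)) break;`, with the condition split across two lines and the `break` left on the closing line, which reads as if the `||` started a separate statement. KNF keeps a short condition on one line and the body on its own, so `if ((curr == NULL) || (curr == last))` followed by `break;` on the next line would match the surrounding style. The same split appears in ssl3_comp_find later in this commit (`if ((n == 0)` / `|| (sk == NULL)) return (NULL);`). The body of ssl_cipher_apply_rule continues past this hunk.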
@@ -964,13 +957,10 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id, * Selection criteria is either the value of strength_bits * or the algorithms used. */ - if (strength_bits >= 0) - { + if (strength_bits >= 0) { if (strength_bits != cp->strength_bits) continue; - } - else - { + } else { #ifdef CIPHER_DEBUG printf("\nName: %s:\nAlgo = %08lx/%08lx/%08lx/%08lx/%08lx Algo_strength = %08lx\n", cp->name, cp->algorithm_mkey, cp->algorithm_auth, cp->algorithm_enc, cp->algorithm_mac, cp->algorithm_ssl, cp->algo_strength); #endif @@ -989,45 +979,36 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id, continue; if ((algo_strength & SSL_STRONG_MASK) && !(algo_strength & SSL_STRONG_MASK & cp->algo_strength)) continue; - } + } #ifdef CIPHER_DEBUG printf("Action = %d\n", rule); #endif /* add the cipher if it has not been added yet. */ - if (rule == CIPHER_ADD) - { + if (rule == CIPHER_ADD) { /* reverse == 0 */ - if (!curr->active) - { + if (!curr->active) { ll_append_tail(&head, curr, &tail); curr->active = 1; - } } + } /* Move the added cipher to this location */ - else if (rule == CIPHER_ORD) - { + else if (rule == CIPHER_ORD) { /* reverse == 0 */ - if (curr->active) - { + if (curr->active) { ll_append_tail(&head, curr, &tail); - } } - else if (rule == CIPHER_DEL) - { + } else if (rule == CIPHER_DEL) { /* reverse == 1 */ - if (curr->active) - { + if (curr->active) { /* most recently deleted ciphersuites get best positions * for any future CIPHER_ADD (note that the CIPHER_DEL loop * works in reverse to maintain the order) */ ll_append_head(&head, curr, &tail); curr->active = 0; - } } - else if (rule == CIPHER_KILL) - { + } else if (rule == CIPHER_KILL) { /* reverse == 0 */ if (head == curr) head = curr->next; 
@@ -1042,16 +1023,17 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id, curr->prev->next = curr->next; curr->next = NULL; curr->prev = NULL; - } } + } *head_p = head; *tail_p = tail; - } +} -static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p, - CIPHER_ORDER **tail_p) - { +static int +ssl_cipher_strength_sort(CIPHER_ORDER **head_p, + CIPHER_ORDER **tail_p) +{ int max_strength_bits, i, *number_uses; CIPHER_ORDER *curr; @@ -1062,32 +1044,29 @@ static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p, */ max_strength_bits = 0; curr = *head_p; - while (curr != NULL) - { + while (curr != NULL) { if (curr->active && - (curr->cipher->strength_bits > max_strength_bits)) - max_strength_bits = curr->cipher->strength_bits; + (curr->cipher->strength_bits > max_strength_bits)) + max_strength_bits = curr->cipher->strength_bits; curr = curr->next; - } + } number_uses = OPENSSL_malloc((max_strength_bits + 1) * sizeof(int)); - if (!number_uses) - { - SSLerr(SSL_F_SSL_CIPHER_STRENGTH_SORT,ERR_R_MALLOC_FAILURE); - return(0); - } + if (!number_uses) { + SSLerr(SSL_F_SSL_CIPHER_STRENGTH_SORT, ERR_R_MALLOC_FAILURE); + return (0); + } memset(number_uses, 0, (max_strength_bits + 1) * sizeof(int)); /* * Now find the strength_bits values actually used */ curr = *head_p; - while (curr != NULL) - { + while (curr != NULL) { if (curr->active) number_uses[curr->cipher->strength_bits]++; curr = curr->next; - } + } /* * Go through the list of used strength_bits values in descending * order. 
@@ -1097,13 +1076,14 @@ static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p, ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ORD, i, head_p, tail_p); OPENSSL_free(number_uses); - return(1); - } + return (1); +} -static int ssl_cipher_process_rulestr(const char *rule_str, - CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p, - const SSL_CIPHER **ca_list) - { +static int +ssl_cipher_process_rulestr(const char *rule_str, + CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p, +const SSL_CIPHER **ca_list) +{ unsigned long alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, algo_strength; const char *l, *buf; int j, multi, found, rule, retval, ok, buflen; @@ -1112,28 +1092,32 @@ static int ssl_cipher_process_rulestr(const char *rule_str, retval = 1; l = rule_str; - for (;;) - { + for (;;) { ch = *l; if (ch == '\0') - break; /* done */ + break; + /* done */ if (ch == '-') - { rule = CIPHER_DEL; l++; } - else if (ch == '+') - { rule = CIPHER_ORD; l++; } - else if (ch == '!') - { rule = CIPHER_KILL; l++; } - else if (ch == '@') - { rule = CIPHER_SPECIAL; l++; } - else - { rule = CIPHER_ADD; } + { rule = CIPHER_DEL; + l++; + } else if (ch == '+') + { rule = CIPHER_ORD; + l++; + } else if (ch == '!') + { rule = CIPHER_KILL; + l++; + } else if (ch == '@') + { rule = CIPHER_SPECIAL; + l++; + } else + { rule = CIPHER_ADD; + } - if (ITEM_SEP(ch)) - { + if (ITEM_SEP(ch)) { l++; continue; - } + } alg_mkey = 0; alg_auth = 0; 
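Review bot: In ssl_cipher_process_rulestr the prefix-character chain was reformatted as `{ rule = CIPHER_DEL;` / `l++;` / `} else if (ch == '+')`, leaving each opening brace separated from its `if` and glued to the first statement, and the `/* done */` comment was pushed onto its own line after the `break;` it annotated. Writing each arm as `if (ch == '-') {` / `rule = CIPHER_DEL;` / `l++;` (and `} else {` / `rule = CIPHER_ADD;` for the default) restores the K&R shape the rest of the pass uses, and `break; /* done */` keeps the comment with its statement. The outer `for (;;)` body of this function continues past the end of the hunk.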
@@ -1142,52 +1126,47 @@ static int ssl_cipher_process_rulestr(const char *rule_str, alg_ssl = 0; algo_strength = 0; - for (;;) - { + for (;;) { ch = *l; buf = l; buflen = 0; #ifndef CHARSET_EBCDIC - while ( ((ch >= 'A') && (ch <= 'Z')) || - ((ch >= '0') && (ch <= '9')) || - ((ch >= 'a') && (ch <= 'z')) || - (ch == '-') || (ch == '.')) + while (((ch >= 'A') && (ch <= 'Z')) || + ((ch >= '0') && (ch <= '9')) || + ((ch >= 'a') && (ch <= 'z')) || + (ch == '-') || (ch == '.')) #else - while ( isalnum(ch) || (ch == '-') || (ch == '.')) + while (isalnum(ch) || (ch == '-') || (ch == '.')) #endif - { - ch = *(++l); - buflen++; - } + { + ch = *(++l); + buflen++; + } - if (buflen == 0) - { + if (buflen == 0) { /* * We hit something we cannot deal with, * it is no command or separator nor * alphanumeric, so we call this an error. */ SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, - SSL_R_INVALID_COMMAND); + SSL_R_INVALID_COMMAND); retval = found = 0; l++; break; - } + } - if (rule == CIPHER_SPECIAL) - { + if (rule == CIPHER_SPECIAL) { found = 0; /* unused -- avoid compiler warning */ break; /* special treatment */ - } + } /* check for multi-part specification */ - if (ch == '+') - { - multi=1; + if (ch == '+') { + multi = 1; l++; - } - else - multi=0; + } else + multi = 0; /* * Now search for the cipher alias in the ca_list. Be careful 
@@ -1202,126 +1181,121 @@ static int ssl_cipher_process_rulestr(const char *rule_str, */ j = found = 0; cipher_id = 0; - while (ca_list[j]) - { + while (ca_list[j]) { if (!strncmp(buf, ca_list[j]->name, buflen) && - (ca_list[j]->name[buflen] == '\0')) - { + (ca_list[j]->name[buflen] == '\0')) { found = 1; break; - } - else + } else j++; - } + } if (!found) break; /* ignore this entry */ - if (ca_list[j]->algorithm_mkey) - { - if (alg_mkey) - { + if (ca_list[j]->algorithm_mkey) { + if (alg_mkey) { alg_mkey &= ca_list[j]->algorithm_mkey; - if (!alg_mkey) { found = 0; break; } + if (!alg_mkey) { + found = 0; + break; } - else + } else alg_mkey = ca_list[j]->algorithm_mkey; - } + } - if (ca_list[j]->algorithm_auth) - { - if (alg_auth) - { + if (ca_list[j]->algorithm_auth) { + if (alg_auth) { alg_auth &= ca_list[j]->algorithm_auth; - if (!alg_auth) { found = 0; break; } + if (!alg_auth) { + found = 0; + break; } - else + } else alg_auth = ca_list[j]->algorithm_auth; - } - - if (ca_list[j]->algorithm_enc) - { - if (alg_enc) - { + } + + if (ca_list[j]->algorithm_enc) { + if (alg_enc) { alg_enc &= ca_list[j]->algorithm_enc; - if (!alg_enc) { found = 0; break; } + if (!alg_enc) { + found = 0; + break; } - else + } else alg_enc = ca_list[j]->algorithm_enc; - } - - if (ca_list[j]->algorithm_mac) - { - if (alg_mac) - { + } + + if (ca_list[j]->algorithm_mac) { + if (alg_mac) { alg_mac &= ca_list[j]->algorithm_mac; - if (!alg_mac) { found = 0; break; } + if (!alg_mac) { + found = 0; + break; } - else + } else alg_mac = ca_list[j]->algorithm_mac; - } - - if (ca_list[j]->algo_strength & SSL_EXP_MASK) - { - if (algo_strength & SSL_EXP_MASK) - { + } + + if (ca_list[j]->algo_strength & SSL_EXP_MASK) { + if (algo_strength & SSL_EXP_MASK) { algo_strength &= (ca_list[j]->algo_strength & SSL_EXP_MASK) | ~SSL_EXP_MASK; - if (!(algo_strength & SSL_EXP_MASK)) { found = 0; break; } + if (!(algo_strength & SSL_EXP_MASK)) { + found = 0; + break; } - else + } else algo_strength |= 
ca_list[j]->algo_strength & SSL_EXP_MASK; - } + } - if (ca_list[j]->algo_strength & SSL_STRONG_MASK) - { - if (algo_strength & SSL_STRONG_MASK) - { + if (ca_list[j]->algo_strength & SSL_STRONG_MASK) { + if (algo_strength & SSL_STRONG_MASK) { algo_strength &= (ca_list[j]->algo_strength & SSL_STRONG_MASK) | ~SSL_STRONG_MASK; - if (!(algo_strength & SSL_STRONG_MASK)) { found = 0; break; } + if (!(algo_strength & SSL_STRONG_MASK)) { + found = 0; + break; } - else + } else algo_strength |= ca_list[j]->algo_strength & SSL_STRONG_MASK; - } - - if (ca_list[j]->valid) - { + } + + if (ca_list[j]->valid) { /* explicit ciphersuite found; its protocol version * does not become part of the search pattern!*/ cipher_id = ca_list[j]->id; - } - else - { + } else { /* not an explicit ciphersuite; only in this case, the * protocol version is considered part of the search pattern */ - if (ca_list[j]->algorithm_ssl) - { - if (alg_ssl) - { + if (ca_list[j]->algorithm_ssl) { + if (alg_ssl) { alg_ssl &= ca_list[j]->algorithm_ssl; - if (!alg_ssl) { found = 0; break; } + if (!alg_ssl) { + found = 0; + break; } - else + } else alg_ssl = ca_list[j]->algorithm_ssl; - } } - - if (!multi) break; } + if (!multi) + break; + } + /* * Ok, we have the rule, now apply it */ if (rule == CIPHER_SPECIAL) - { /* special command */ + { /* special command */ ok = 0; if ((buflen == 8) && !strncmp(buf, "STRENGTH", 8)) - ok = ssl_cipher_strength_sort(head_p, tail_p); + ok = ssl_cipher_strength_sort(head_p, tail_p); else SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, - SSL_R_INVALID_COMMAND); + SSL_R_INVALID_COMMAND); if (ok == 0) retval = 0; /* 
@@ -1331,30 +1305,27 @@ static int ssl_cipher_process_rulestr(const char *rule_str, * end or ':' is found. */ while ((*l != '\0') && !ITEM_SEP(*l)) - l++; - } - else if (found) - { + l++; + } else if (found) { ssl_cipher_apply_rule(cipher_id, - alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, algo_strength, - rule, -1, head_p, tail_p); - } - else - { + alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, algo_strength, + rule, -1, head_p, tail_p); + } else { while ((*l != '\0') && !ITEM_SEP(*l)) - l++; - } + l++; + } if (*l == '\0') break; /* done */ } - return(retval); - } + return (retval); +} -STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, - STACK_OF(SSL_CIPHER) **cipher_list, - STACK_OF(SSL_CIPHER) **cipher_list_by_id, - const char *rule_str) - { +STACK_OF(SSL_CIPHER) +*ssl_create_cipher_list(const SSL_METHOD *ssl_method, +STACK_OF(SSL_CIPHER) **cipher_list, + STACK_OF(SSL_CIPHER) **cipher_list_by_id, +const char *rule_str) +{ int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases; unsigned long disabled_mkey, disabled_auth, disabled_enc, disabled_mac, disabled_ssl; STACK_OF(SSL_CIPHER) *cipherstack, *tmp_cipher_list; @@ -1384,15 +1355,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, printf("ssl_create_cipher_list() for %d ciphers\n", num_of_ciphers); #endif /* KSSL_DEBUG */ co_list = (CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * num_of_ciphers); - if (co_list == NULL) - { - SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE); + if (co_list == NULL) { + SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE); return(NULL); /* Failure */ - } + } ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers, - disabled_mkey, disabled_auth, disabled_enc, disabled_mac, disabled_ssl, - co_list, &head, &tail); + disabled_mkey, disabled_auth, disabled_enc, disabled_mac, disabled_ssl, + co_list, &head, &tail); /* Now arrange all ciphers by preference: */ 
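Review bot: The new header `STACK_OF(SSL_CIPHER)` / `*ssl_create_cipher_list(const SSL_METHOD *ssl_method,` puts the pointer declarator on the function-name line; in KNF the whole return type, including the `*`, stays on its own line and the name starts at column 0, i.e. `STACK_OF(SSL_CIPHER) *` / `ssl_create_cipher_list(const SSL_METHOD *ssl_method,`. The same `*name` split appears later in this commit at SSL_CIPHER_description, SSL_CIPHER_get_version, SSL_CIPHER_get_name, ssl3_comp_find, SSL_COMP_get_compression_methods and SSL_COMP_get_name. Since the commit message says the pass was verified by stripping whitespace and comparing md5, this is exactly the kind of layout drift that check cannot detect.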
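Review bot: `return(NULL); /* Failure */` in the co_list allocation-failure path of ssl_create_cipher_list keeps the old no-space form, while the same pass rewrote `return(0)` to `return (0)` in ssl_cipher_strength_sort and `return(NULL)` to `return (NULL)` in the later hunks of this very function. The ca_list failure path and the literal-returning getters (`return("(NONE)")`, `return("Buffer too small")`, `return("OPENSSL_malloc Error")`) are in the same half-converted state. Whichever form is intended, one consistent spelling across the file is easier to keep in KNF; `return (NULL); /* Failure */` matches the lines already converted.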
@@ -1419,19 +1389,18 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, ssl_cipher_apply_rule(0, 0, SSL_aECDH, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); /* ssl_cipher_apply_rule(0, 0, SSL_aDH, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); */ ssl_cipher_apply_rule(0, SSL_kRSA, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); - ssl_cipher_apply_rule(0, SSL_kPSK, 0,0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); - ssl_cipher_apply_rule(0, SSL_kKRB5, 0,0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); + ssl_cipher_apply_rule(0, SSL_kPSK, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); + ssl_cipher_apply_rule(0, SSL_kKRB5, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); /* RC4 is sort-of broken -- move the the end */ ssl_cipher_apply_rule(0, 0, 0, SSL_RC4, 0, 0, 0, CIPHER_ORD, -1, &head, &tail); /* Now sort by symmetric encryption strength. The above ordering remains * in force within each class */ - if (!ssl_cipher_strength_sort(&head, &tail)) - { + if (!ssl_cipher_strength_sort(&head, &tail)) { OPENSSL_free(co_list); return NULL; - } + } /* Now disable everything (maintaining the ordering!) */ ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail); 
@@ -1448,15 +1417,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, num_of_group_aliases = sizeof(cipher_aliases) / sizeof(SSL_CIPHER); num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1; ca_list = OPENSSL_malloc(sizeof(SSL_CIPHER *) * num_of_alias_max); - if (ca_list == NULL) - { + if (ca_list == NULL) { OPENSSL_free(co_list); - SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE); + SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE); return(NULL); /* Failure */ - } + } ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, - disabled_mkey, disabled_auth, disabled_enc, - disabled_mac, disabled_ssl, head); + disabled_mkey, disabled_auth, disabled_enc, + disabled_mac, disabled_ssl, head); /* * If the rule_string begins with DEFAULT, apply the default rule @@ -1464,14 +1432,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, */ ok = 1; rule_p = rule_str; - if (strncmp(rule_str,"DEFAULT",7) == 0) - { + if (strncmp(rule_str, "DEFAULT", 7) == 0) { ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST, - &head, &tail, ca_list); + &head, &tail, ca_list); rule_p += 7; if (*rule_p == ':') rule_p++; - } + } if (ok && (strlen(rule_p) > 0)) ok = ssl_cipher_process_rulestr(rule_p, &head, &tail, ca_list); 
@@ -1479,65 +1446,63 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, OPENSSL_free((void *)ca_list); /* Not needed anymore */ if (!ok) - { /* Rule processing failure */ + { /* Rule processing failure */ OPENSSL_free(co_list); - return(NULL); - } - + return (NULL); + } + /* * Allocate new "cipherstack" for the result, return with error * if we cannot get one. */ - if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) - { + if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) { OPENSSL_free(co_list); - return(NULL); - } + return (NULL); + } /* * The cipher selection for the list is done. The ciphers are added * to the resulting precedence to the STACK_OF(SSL_CIPHER). */ - for (curr = head; curr != NULL; curr = curr->next) - { + for (curr = head; curr != NULL; curr = curr->next) { #ifdef OPENSSL_FIPS if (curr->active && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS)) #else if (curr->active) #endif - { + { sk_SSL_CIPHER_push(cipherstack, curr->cipher); #ifdef CIPHER_DEBUG - printf("<%s>\n",curr->cipher->name); + printf("<%s>\n", curr->cipher->name); #endif - } } + } OPENSSL_free(co_list); /* Not needed any longer */ tmp_cipher_list = sk_SSL_CIPHER_dup(cipherstack); - if (tmp_cipher_list == NULL) - { + if (tmp_cipher_list == NULL) { sk_SSL_CIPHER_free(cipherstack); return NULL; - } + } if (*cipher_list != NULL) sk_SSL_CIPHER_free(*cipher_list); *cipher_list = cipherstack; if (*cipher_list_by_id != NULL) sk_SSL_CIPHER_free(*cipher_list_by_id); *cipher_list_by_id = tmp_cipher_list; - (void)sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id,ssl_cipher_ptr_id_cmp); + (void)sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id, ssl_cipher_ptr_id_cmp); sk_SSL_CIPHER_sort(*cipher_list_by_id); - return(cipherstack); - } + return (cipherstack); +} -char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) - { - int is_export,pkl,kl; - const char *ver,*exp_str; - const char *kx,*au,*enc,*mac; - unsigned long 
alg_mkey,alg_auth,alg_enc,alg_mac,alg_ssl,alg2; +char +*SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) +{ + int is_export, pkl, kl; + const char *ver, *exp_str; + const char *kx, *au, *enc, *mac; + unsigned long alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, alg2; #ifdef KSSL_DEBUG static const char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s AL=%lx/%lx/%lx/%lx/%lx\n"; #else @@ -1550,13 +1515,13 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) alg_mac = cipher->algorithm_mac; alg_ssl = cipher->algorithm_ssl; - alg2=cipher->algorithm2; + alg2 = cipher->algorithm2; + + is_export = SSL_C_IS_EXPORT(cipher); + pkl = SSL_C_EXPORT_PKEYLENGTH(cipher); + kl = SSL_C_EXPORT_KEYLENGTH(cipher); + exp_str = is_export?" export":""; - is_export=SSL_C_IS_EXPORT(cipher); - pkl=SSL_C_EXPORT_PKEYLENGTH(cipher); - kl=SSL_C_EXPORT_KEYLENGTH(cipher); - exp_str=is_export?" export":""; - if (alg_ssl & SSL_SSLV2) ver="SSLv2"; else if (alg_ssl & SSL_SSLV3) @@ -1566,10 +1531,9 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) else ver="unknown"; - switch (alg_mkey) - { + switch (alg_mkey) { case SSL_kRSA: - kx=is_export?(pkl == 512 ? "RSA(512)" : "RSA(1024)"):"RSA"; + kx = is_export?(pkl == 512 ? "RSA(512)" : "RSA(1024)"):"RSA"; break; case SSL_kDHr: kx="DH/RSA"; @@ -1577,11 +1541,11 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) case SSL_kDHd: kx="DH/DSS"; break; - case SSL_kKRB5: + case SSL_kKRB5: kx="KRB5"; break; case SSL_kEDH: - kx=is_export?(pkl == 512 ? "DH(512)" : "DH(1024)"):"DH"; + kx = is_export?(pkl == 512 ? "DH(512)" : "DH(1024)"):"DH"; break; case SSL_kECDHr: kx="ECDH/RSA"; @@ -1600,10 +1564,9 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) break; default: kx="unknown"; - } + } - switch (alg_auth) - { + switch (alg_auth) { case SSL_aRSA: au="RSA"; break; 
@@ -1613,10 +1576,10 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) case SSL_aDH: au="DH"; break; - case SSL_aKRB5: + case SSL_aKRB5: au="KRB5"; break; - case SSL_aECDH: + case SSL_aECDH: au="ECDH"; break; case SSL_aNULL: @@ -1631,22 +1594,21 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) default: au="unknown"; break; - } + } - switch (alg_enc) - { + switch (alg_enc) { case SSL_DES: - enc=(is_export && kl == 5)?"DES(40)":"DES(56)"; + enc = (is_export && kl == 5)?"DES(40)":"DES(56)"; break; case SSL_3DES: enc="3DES(168)"; break; case SSL_RC4: - enc=is_export?(kl == 5 ? "RC4(40)" : "RC4(56)") - :((alg2&SSL2_CF_8_BYTE_ENC)?"RC4(64)":"RC4(128)"); + enc = is_export?(kl == 5 ? "RC4(40)" : "RC4(56)") + :((alg2&SSL2_CF_8_BYTE_ENC)?"RC4(64)":"RC4(128)"); break; case SSL_RC2: - enc=is_export?(kl == 5 ? "RC2(40)" : "RC2(56)"):"RC2(128)"; + enc = is_export?(kl == 5 ? "RC2(40)" : "RC2(56)"):"RC2(128)"; break; case SSL_IDEA: enc="IDEA(128)"; @@ -1678,10 +1640,9 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) default: enc="unknown"; break; - } + } - switch (alg_mac) - { + switch (alg_mac) { case SSL_MD5: mac="MD5"; break; 
@@ -1700,108 +1661,119 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) default: mac="unknown"; break; - } + } - if (buf == NULL) - { - len=128; - buf=OPENSSL_malloc(len); - if (buf == NULL) return("OPENSSL_malloc Error"); - } - else if (len < 128) - return("Buffer too small"); + if (buf == NULL) { + len = 128; + buf = OPENSSL_malloc(len); + if (buf == NULL) + return("OPENSSL_malloc Error"); + } else if (len < 128) + return("Buffer too small"); #ifdef KSSL_DEBUG - BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp_str,alg_mkey,alg_auth,alg_enc,alg_mac,alg_ssl); + BIO_snprintf(buf, len, format, cipher->name, ver, kx, au, enc, mac, exp_str, alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl); #else - BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp_str); + BIO_snprintf(buf, len, format, cipher->name, ver, kx, au, enc, mac, exp_str); #endif /* KSSL_DEBUG */ - return(buf); - } + return (buf); +} -char *SSL_CIPHER_get_version(const SSL_CIPHER *c) - { +char +*SSL_CIPHER_get_version(const SSL_CIPHER *c) +{ int i; - if (c == NULL) return("(NONE)"); - i=(int)(c->id>>24L); + if (c == NULL) + return("(NONE)"); + i = (int)(c->id >> 24L); if (i == 3) return("TLSv1/SSLv3"); else if (i == 2) return("SSLv2"); else return("unknown"); - } +} /* return the actual cipher being used */ -const char *SSL_CIPHER_get_name(const SSL_CIPHER *c) - { +const char +*SSL_CIPHER_get_name(const SSL_CIPHER *c) +{ if (c != NULL) - return(c->name); + return (c->name); return("(NONE)"); - } +} /* number of bits for symmetric cipher */ -int SSL_CIPHER_get_bits(const SSL_CIPHER *c, int *alg_bits) - { - int ret=0; +int +SSL_CIPHER_get_bits(const SSL_CIPHER *c, int *alg_bits) +{ + int ret = 0; - if (c != NULL) - { - if (alg_bits != NULL) *alg_bits = c->alg_bits; + if (c != NULL) { + if (alg_bits != NULL) + *alg_bits = c->alg_bits; ret = c->strength_bits; - } - return(ret); } + return (ret); +} -unsigned long SSL_CIPHER_get_id(const SSL_CIPHER *c) - { 
+unsigned long +SSL_CIPHER_get_id(const SSL_CIPHER *c) +{ return c->id; - } +} -SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n) - { +SSL_COMP +*ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n) +{ SSL_COMP *ctmp; - int i,nn; + int i, nn; - if ((n == 0) || (sk == NULL)) return(NULL); - nn=sk_SSL_COMP_num(sk); - for (i=0; i<nn; i++) - { - ctmp=sk_SSL_COMP_value(sk,i); + if ((n == 0) + || (sk == NULL)) return (NULL); + nn = sk_SSL_COMP_num(sk); + for (i = 0; i < nn; i++) { + ctmp = sk_SSL_COMP_value(sk, i); if (ctmp->id == n) - return(ctmp); - } - return(NULL); + return (ctmp); } + return (NULL); +} #ifdef OPENSSL_NO_COMP -void *SSL_COMP_get_compression_methods(void) - { +void +*SSL_COMP_get_compression_methods(void) +{ return NULL; - } -int SSL_COMP_add_compression_method(int id, void *cm) - { +} + +int +SSL_COMP_add_compression_method(int id, void *cm) +{ return 1; - } +} -const char *SSL_COMP_get_name(const void *comp) - { +const char +*SSL_COMP_get_name(const void *comp) +{ return NULL; - } +} #else -STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void) - { +STACK_OF(SSL_COMP) +*SSL_COMP_get_compression_methods(void) +{ load_builtin_compressions(); - return(ssl_comp_methods); - } + return (ssl_comp_methods); +} -int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm) - { +int +SSL_COMP_add_compression_method(int id, COMP_METHOD *cm) +{ SSL_COMP *comp; - if (cm == NULL || cm->type == NID_undef) - return 1; + if (cm == NULL || cm->type == NID_undef) + return 1; /* According to draft-ietf-tls-compression-04.txt, the compression number ranges should be the following: 
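Review bot: SSL_CIPHER_get_id dereferences `c` unconditionally (`return c->id;`) while the neighbouring getters in this hunk, SSL_CIPHER_get_version, SSL_CIPHER_get_name and SSL_CIPHER_get_bits, each guard `c == NULL` and return a fallback; nothing on the page says whether a NULL cipher is a valid argument here. If the asymmetry is intentional, a one-line comment above the function such as `/* c must be non-NULL; there is no "(NONE)" fallback as in the other getters. */` would stop a caller assuming the same tolerance. SSL_CIPHER_description in the same hunk likewise lacks a note that when `buf == NULL` the returned pointer comes from OPENSSL_malloc and is owned by the caller, whereas the two error strings it can return are static literals that must not be freed.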
@@ -1809,45 +1781,40 @@ int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm) 0 to 63: methods defined by the IETF 64 to 192: external party methods assigned by IANA 193 to 255: reserved for private use */ - if (id < 193 || id > 255) - { - SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE); + if (id < 193 || id > 255) { + SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD, SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE); return 0; - } + } MemCheck_off(); - comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP)); - comp->id=id; - comp->method=cm; + comp = (SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP)); + comp->id = id; + comp->method = cm; load_builtin_compressions(); if (ssl_comp_methods - && sk_SSL_COMP_find(ssl_comp_methods,comp) >= 0) - { + && sk_SSL_COMP_find(ssl_comp_methods, comp) >= 0) { OPENSSL_free(comp); MemCheck_on(); - SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,SSL_R_DUPLICATE_COMPRESSION_ID); - return(1); - } - else if ((ssl_comp_methods == NULL) - || !sk_SSL_COMP_push(ssl_comp_methods,comp)) - { + SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD, SSL_R_DUPLICATE_COMPRESSION_ID); + return (1); + } else if ((ssl_comp_methods == NULL) + || !sk_SSL_COMP_push(ssl_comp_methods, comp)) { OPENSSL_free(comp); MemCheck_on(); - SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,ERR_R_MALLOC_FAILURE); - return(1); - } - else - { + SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD, ERR_R_MALLOC_FAILURE); + return (1); + } else { MemCheck_on(); - return(0); - } + return (0); } +} -const char *SSL_COMP_get_name(const COMP_METHOD *comp) - { +const char +*SSL_COMP_get_name(const COMP_METHOD *comp) +{ if (comp) return comp->name; return NULL; - } +} #endif |
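Review bot: In SSL_COMP_add_compression_method the result of `comp = (SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));` is written through (`comp->id = id;`) without a NULL check, so an allocation failure dereferences NULL after MemCheck_off() has already been called; the two later failure paths in this hunk do check their results and restore MemCheck_on() before returning. A guard right after the allocation that raises ERR_R_MALLOC_FAILURE through SSLerr and returns 1, as the other failure paths here do, closes the gap. Note also that the function signals failure with `return (1)` and success with `return (0)`, which is worth a comment on the definition since callers can easily read it the other way round.
```c
	MemCheck_off();
	comp = (SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
	if (comp == NULL) {
		MemCheck_on();
		SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD, ERR_R_MALLOC_FAILURE);
		return (1);
	}
	comp->id = id;
	comp->method = cm;
	/* … unchanged: load_builtin_compressions() and the duplicate/push handling … */
```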