10Sstevel@tonic-gate /* ssl/s3_lib.c */
20Sstevel@tonic-gate /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
30Sstevel@tonic-gate * All rights reserved.
40Sstevel@tonic-gate *
50Sstevel@tonic-gate * This package is an SSL implementation written
60Sstevel@tonic-gate * by Eric Young (eay@cryptsoft.com).
70Sstevel@tonic-gate * The implementation was written so as to conform with Netscapes SSL.
80Sstevel@tonic-gate *
90Sstevel@tonic-gate * This library is free for commercial and non-commercial use as long as
100Sstevel@tonic-gate * the following conditions are aheared to. The following conditions
110Sstevel@tonic-gate * apply to all code found in this distribution, be it the RC4, RSA,
120Sstevel@tonic-gate * lhash, DES, etc., code; not just the SSL code. The SSL documentation
130Sstevel@tonic-gate * included with this distribution is covered by the same copyright terms
140Sstevel@tonic-gate * except that the holder is Tim Hudson (tjh@cryptsoft.com).
150Sstevel@tonic-gate *
160Sstevel@tonic-gate * Copyright remains Eric Young's, and as such any Copyright notices in
170Sstevel@tonic-gate * the code are not to be removed.
180Sstevel@tonic-gate * If this package is used in a product, Eric Young should be given attribution
190Sstevel@tonic-gate * as the author of the parts of the library used.
200Sstevel@tonic-gate * This can be in the form of a textual message at program startup or
210Sstevel@tonic-gate * in documentation (online or textual) provided with the package.
220Sstevel@tonic-gate *
230Sstevel@tonic-gate * Redistribution and use in source and binary forms, with or without
240Sstevel@tonic-gate * modification, are permitted provided that the following conditions
250Sstevel@tonic-gate * are met:
260Sstevel@tonic-gate * 1. Redistributions of source code must retain the copyright
270Sstevel@tonic-gate * notice, this list of conditions and the following disclaimer.
280Sstevel@tonic-gate * 2. Redistributions in binary form must reproduce the above copyright
290Sstevel@tonic-gate * notice, this list of conditions and the following disclaimer in the
300Sstevel@tonic-gate * documentation and/or other materials provided with the distribution.
310Sstevel@tonic-gate * 3. All advertising materials mentioning features or use of this software
320Sstevel@tonic-gate * must display the following acknowledgement:
330Sstevel@tonic-gate * "This product includes cryptographic software written by
340Sstevel@tonic-gate * Eric Young (eay@cryptsoft.com)"
350Sstevel@tonic-gate * The word 'cryptographic' can be left out if the rouines from the library
360Sstevel@tonic-gate * being used are not cryptographic related :-).
370Sstevel@tonic-gate * 4. If you include any Windows specific code (or a derivative thereof) from
380Sstevel@tonic-gate * the apps directory (application code) you must include an acknowledgement:
390Sstevel@tonic-gate * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
400Sstevel@tonic-gate *
410Sstevel@tonic-gate * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
420Sstevel@tonic-gate * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
430Sstevel@tonic-gate * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
440Sstevel@tonic-gate * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
450Sstevel@tonic-gate * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
460Sstevel@tonic-gate * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
470Sstevel@tonic-gate * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
480Sstevel@tonic-gate * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
490Sstevel@tonic-gate * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
500Sstevel@tonic-gate * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
510Sstevel@tonic-gate * SUCH DAMAGE.
520Sstevel@tonic-gate *
530Sstevel@tonic-gate * The licence and distribution terms for any publically available version or
540Sstevel@tonic-gate * derivative of this code cannot be changed. i.e. this code cannot simply be
550Sstevel@tonic-gate * copied and put under another distribution licence
560Sstevel@tonic-gate * [including the GNU Public Licence.]
570Sstevel@tonic-gate */
580Sstevel@tonic-gate /* ====================================================================
590Sstevel@tonic-gate * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
600Sstevel@tonic-gate *
610Sstevel@tonic-gate * Redistribution and use in source and binary forms, with or without
620Sstevel@tonic-gate * modification, are permitted provided that the following conditions
630Sstevel@tonic-gate * are met:
640Sstevel@tonic-gate *
650Sstevel@tonic-gate * 1. Redistributions of source code must retain the above copyright
660Sstevel@tonic-gate * notice, this list of conditions and the following disclaimer.
670Sstevel@tonic-gate *
680Sstevel@tonic-gate * 2. Redistributions in binary form must reproduce the above copyright
690Sstevel@tonic-gate * notice, this list of conditions and the following disclaimer in
700Sstevel@tonic-gate * the documentation and/or other materials provided with the
710Sstevel@tonic-gate * distribution.
720Sstevel@tonic-gate *
730Sstevel@tonic-gate * 3. All advertising materials mentioning features or use of this
740Sstevel@tonic-gate * software must display the following acknowledgment:
750Sstevel@tonic-gate * "This product includes software developed by the OpenSSL Project
760Sstevel@tonic-gate * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
770Sstevel@tonic-gate *
780Sstevel@tonic-gate * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
790Sstevel@tonic-gate * endorse or promote products derived from this software without
800Sstevel@tonic-gate * prior written permission. For written permission, please contact
810Sstevel@tonic-gate * openssl-core@openssl.org.
820Sstevel@tonic-gate *
830Sstevel@tonic-gate * 5. Products derived from this software may not be called "OpenSSL"
840Sstevel@tonic-gate * nor may "OpenSSL" appear in their names without prior written
850Sstevel@tonic-gate * permission of the OpenSSL Project.
860Sstevel@tonic-gate *
870Sstevel@tonic-gate * 6. Redistributions of any form whatsoever must retain the following
880Sstevel@tonic-gate * acknowledgment:
890Sstevel@tonic-gate * "This product includes software developed by the OpenSSL Project
900Sstevel@tonic-gate * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
910Sstevel@tonic-gate *
920Sstevel@tonic-gate * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
930Sstevel@tonic-gate * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
940Sstevel@tonic-gate * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
950Sstevel@tonic-gate * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
960Sstevel@tonic-gate * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
970Sstevel@tonic-gate * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
980Sstevel@tonic-gate * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
990Sstevel@tonic-gate * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1000Sstevel@tonic-gate * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
1010Sstevel@tonic-gate * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
1020Sstevel@tonic-gate * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
1030Sstevel@tonic-gate * OF THE POSSIBILITY OF SUCH DAMAGE.
1040Sstevel@tonic-gate * ====================================================================
1050Sstevel@tonic-gate *
1060Sstevel@tonic-gate * This product includes cryptographic software written by Eric Young
1070Sstevel@tonic-gate * (eay@cryptsoft.com). This product includes software written by Tim
1080Sstevel@tonic-gate * Hudson (tjh@cryptsoft.com).
1090Sstevel@tonic-gate *
1100Sstevel@tonic-gate */
111*2139Sjp161948 /* ====================================================================
112*2139Sjp161948 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113*2139Sjp161948 *
114*2139Sjp161948 * Portions of the attached software ("Contribution") are developed by
115*2139Sjp161948 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
116*2139Sjp161948 *
117*2139Sjp161948 * The Contribution is licensed pursuant to the OpenSSL open source
118*2139Sjp161948 * license provided above.
119*2139Sjp161948 *
120*2139Sjp161948 * ECC cipher suite support in OpenSSL originally written by
121*2139Sjp161948 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
122*2139Sjp161948 *
123*2139Sjp161948 */
1240Sstevel@tonic-gate
1250Sstevel@tonic-gate #include <stdio.h>
1260Sstevel@tonic-gate #include <openssl/objects.h>
1270Sstevel@tonic-gate #include "ssl_locl.h"
1280Sstevel@tonic-gate #include "kssl_lcl.h"
1290Sstevel@tonic-gate #include <openssl/md5.h>
130*2139Sjp161948 #ifndef OPENSSL_NO_DH
131*2139Sjp161948 #include <openssl/dh.h>
132*2139Sjp161948 #endif
133*2139Sjp161948 #include <openssl/pq_compat.h>
1340Sstevel@tonic-gate
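/*
 * Version string reported for the SSLv3 protocol implementation.
 * OPENSSL_VERSION_PTEXT (supplied by the library headers included above)
 * is appended as a string-literal continuation, so the two pieces are
 * concatenated at compile time.  Not static: presumably referenced by
 * name from elsewhere in the library, so its linkage is kept unchanged.
 */
const char *ssl3_version_str="SSLv3" OPENSSL_VERSION_PTEXT;

/*
 * Element count of the ssl3_ciphers[] table defined below.  Computed from
 * the array's own element (sizeof ssl3_ciphers[0]) rather than from the
 * type name, so the expression stays correct if the element type of the
 * table is ever changed.  It is only meaningful where ssl3_ciphers is
 * visible as an array object, not through a pointer or parameter.
 *
 * NOTE(review): the table lists NULL-encryption (SSL_eNULL), anonymous
 * (SSL_aNULL), export-grade (SSL_EXPORT|SSL_EXP40) and single-DES
 * (SSL_LOW) suites alongside the strong ones.  Presence in this table is
 * not the same as being offered on the wire: the leading 0/1 field of
 * each entry appears to gate whether an entry is usable (confirm against
 * the SSL_CIPHER definition), and the configured cipher list narrows it
 * further, so deployments should still restrict the cipher list explicitly.
 */
#define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers)/sizeof(ssl3_ciphers[0]))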
1380Sstevel@tonic-gate
139*2139Sjp161948 /* list of available SSLv3 ciphers (sorted by id) */
1400Sstevel@tonic-gate OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1410Sstevel@tonic-gate /* The RSA ciphers */
1420Sstevel@tonic-gate /* Cipher 01 */
1430Sstevel@tonic-gate {
1440Sstevel@tonic-gate 1,
1450Sstevel@tonic-gate SSL3_TXT_RSA_NULL_MD5,
1460Sstevel@tonic-gate SSL3_CK_RSA_NULL_MD5,
1470Sstevel@tonic-gate SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_MD5|SSL_SSLV3,
1480Sstevel@tonic-gate SSL_NOT_EXP|SSL_STRONG_NONE,
1490Sstevel@tonic-gate 0,
1500Sstevel@tonic-gate 0,
1510Sstevel@tonic-gate 0,
1520Sstevel@tonic-gate SSL_ALL_CIPHERS,
1530Sstevel@tonic-gate SSL_ALL_STRENGTHS,
1540Sstevel@tonic-gate },
1550Sstevel@tonic-gate /* Cipher 02 */
1560Sstevel@tonic-gate {
1570Sstevel@tonic-gate 1,
1580Sstevel@tonic-gate SSL3_TXT_RSA_NULL_SHA,
1590Sstevel@tonic-gate SSL3_CK_RSA_NULL_SHA,
1600Sstevel@tonic-gate SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_SHA1|SSL_SSLV3,
1610Sstevel@tonic-gate SSL_NOT_EXP|SSL_STRONG_NONE,
1620Sstevel@tonic-gate 0,
1630Sstevel@tonic-gate 0,
1640Sstevel@tonic-gate 0,
1650Sstevel@tonic-gate SSL_ALL_CIPHERS,
1660Sstevel@tonic-gate SSL_ALL_STRENGTHS,
1670Sstevel@tonic-gate },
1680Sstevel@tonic-gate /* Cipher 03 */
1690Sstevel@tonic-gate {
1700Sstevel@tonic-gate 1,
1710Sstevel@tonic-gate SSL3_TXT_RSA_RC4_40_MD5,
1720Sstevel@tonic-gate SSL3_CK_RSA_RC4_40_MD5,
1730Sstevel@tonic-gate SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_MD5 |SSL_SSLV3,
1740Sstevel@tonic-gate SSL_EXPORT|SSL_EXP40,
1750Sstevel@tonic-gate 0,
1760Sstevel@tonic-gate 40,
1770Sstevel@tonic-gate 128,
1780Sstevel@tonic-gate SSL_ALL_CIPHERS,
1790Sstevel@tonic-gate SSL_ALL_STRENGTHS,
1800Sstevel@tonic-gate },
1810Sstevel@tonic-gate /* Cipher 04 */
1820Sstevel@tonic-gate {
1830Sstevel@tonic-gate 1,
1840Sstevel@tonic-gate SSL3_TXT_RSA_RC4_128_MD5,
1850Sstevel@tonic-gate SSL3_CK_RSA_RC4_128_MD5,
1860Sstevel@tonic-gate SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_MD5|SSL_SSLV3,
1870Sstevel@tonic-gate SSL_NOT_EXP|SSL_MEDIUM,
1880Sstevel@tonic-gate 0,
1890Sstevel@tonic-gate 128,
1900Sstevel@tonic-gate 128,
1910Sstevel@tonic-gate SSL_ALL_CIPHERS,
1920Sstevel@tonic-gate SSL_ALL_STRENGTHS,
1930Sstevel@tonic-gate },
1940Sstevel@tonic-gate /* Cipher 05 */
1950Sstevel@tonic-gate {
1960Sstevel@tonic-gate 1,
1970Sstevel@tonic-gate SSL3_TXT_RSA_RC4_128_SHA,
1980Sstevel@tonic-gate SSL3_CK_RSA_RC4_128_SHA,
1990Sstevel@tonic-gate SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_SHA1|SSL_SSLV3,
2000Sstevel@tonic-gate SSL_NOT_EXP|SSL_MEDIUM,
2010Sstevel@tonic-gate 0,
2020Sstevel@tonic-gate 128,
2030Sstevel@tonic-gate 128,
2040Sstevel@tonic-gate SSL_ALL_CIPHERS,
2050Sstevel@tonic-gate SSL_ALL_STRENGTHS,
2060Sstevel@tonic-gate },
2070Sstevel@tonic-gate /* Cipher 06 */
2080Sstevel@tonic-gate {
2090Sstevel@tonic-gate 1,
2100Sstevel@tonic-gate SSL3_TXT_RSA_RC2_40_MD5,
2110Sstevel@tonic-gate SSL3_CK_RSA_RC2_40_MD5,
2120Sstevel@tonic-gate SSL_kRSA|SSL_aRSA|SSL_RC2 |SSL_MD5 |SSL_SSLV3,
2130Sstevel@tonic-gate SSL_EXPORT|SSL_EXP40,
2140Sstevel@tonic-gate 0,
2150Sstevel@tonic-gate 40,
2160Sstevel@tonic-gate 128,
2170Sstevel@tonic-gate SSL_ALL_CIPHERS,
2180Sstevel@tonic-gate SSL_ALL_STRENGTHS,
2190Sstevel@tonic-gate },
2200Sstevel@tonic-gate /* Cipher 07 */
2210Sstevel@tonic-gate #ifndef OPENSSL_NO_IDEA
2220Sstevel@tonic-gate {
2230Sstevel@tonic-gate 1,
2240Sstevel@tonic-gate SSL3_TXT_RSA_IDEA_128_SHA,
2250Sstevel@tonic-gate SSL3_CK_RSA_IDEA_128_SHA,
2260Sstevel@tonic-gate SSL_kRSA|SSL_aRSA|SSL_IDEA |SSL_SHA1|SSL_SSLV3,
2270Sstevel@tonic-gate SSL_NOT_EXP|SSL_MEDIUM,
2280Sstevel@tonic-gate 0,
2290Sstevel@tonic-gate 128,
2300Sstevel@tonic-gate 128,
2310Sstevel@tonic-gate SSL_ALL_CIPHERS,
2320Sstevel@tonic-gate SSL_ALL_STRENGTHS,
2330Sstevel@tonic-gate },
2340Sstevel@tonic-gate #endif
2350Sstevel@tonic-gate /* Cipher 08 */
2360Sstevel@tonic-gate {
2370Sstevel@tonic-gate 1,
2380Sstevel@tonic-gate SSL3_TXT_RSA_DES_40_CBC_SHA,
2390Sstevel@tonic-gate SSL3_CK_RSA_DES_40_CBC_SHA,
2400Sstevel@tonic-gate SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_SSLV3,
2410Sstevel@tonic-gate SSL_EXPORT|SSL_EXP40,
2420Sstevel@tonic-gate 0,
2430Sstevel@tonic-gate 40,
2440Sstevel@tonic-gate 56,
2450Sstevel@tonic-gate SSL_ALL_CIPHERS,
2460Sstevel@tonic-gate SSL_ALL_STRENGTHS,
2470Sstevel@tonic-gate },
2480Sstevel@tonic-gate /* Cipher 09 */
2490Sstevel@tonic-gate {
2500Sstevel@tonic-gate 1,
2510Sstevel@tonic-gate SSL3_TXT_RSA_DES_64_CBC_SHA,
2520Sstevel@tonic-gate SSL3_CK_RSA_DES_64_CBC_SHA,
2530Sstevel@tonic-gate SSL_kRSA|SSL_aRSA|SSL_DES |SSL_SHA1|SSL_SSLV3,
2540Sstevel@tonic-gate SSL_NOT_EXP|SSL_LOW,
2550Sstevel@tonic-gate 0,
2560Sstevel@tonic-gate 56,
2570Sstevel@tonic-gate 56,
2580Sstevel@tonic-gate SSL_ALL_CIPHERS,
2590Sstevel@tonic-gate SSL_ALL_STRENGTHS,
2600Sstevel@tonic-gate },
2610Sstevel@tonic-gate /* Cipher 0A */
2620Sstevel@tonic-gate {
2630Sstevel@tonic-gate 1,
2640Sstevel@tonic-gate SSL3_TXT_RSA_DES_192_CBC3_SHA,
2650Sstevel@tonic-gate SSL3_CK_RSA_DES_192_CBC3_SHA,
2660Sstevel@tonic-gate SSL_kRSA|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3,
2670Sstevel@tonic-gate SSL_NOT_EXP|SSL_HIGH,
2680Sstevel@tonic-gate 0,
2690Sstevel@tonic-gate 168,
2700Sstevel@tonic-gate 168,
2710Sstevel@tonic-gate SSL_ALL_CIPHERS,
2720Sstevel@tonic-gate SSL_ALL_STRENGTHS,
2730Sstevel@tonic-gate },
274*2139Sjp161948 /* The DH ciphers */
2750Sstevel@tonic-gate /* Cipher 0B */
2760Sstevel@tonic-gate {
2770Sstevel@tonic-gate 0,
2780Sstevel@tonic-gate SSL3_TXT_DH_DSS_DES_40_CBC_SHA,
2790Sstevel@tonic-gate SSL3_CK_DH_DSS_DES_40_CBC_SHA,
2800Sstevel@tonic-gate SSL_kDHd |SSL_aDH|SSL_DES|SSL_SHA1|SSL_SSLV3,
2810Sstevel@tonic-gate SSL_EXPORT|SSL_EXP40,
2820Sstevel@tonic-gate 0,
2830Sstevel@tonic-gate 40,
2840Sstevel@tonic-gate 56,
2850Sstevel@tonic-gate SSL_ALL_CIPHERS,
2860Sstevel@tonic-gate SSL_ALL_STRENGTHS,
2870Sstevel@tonic-gate },
2880Sstevel@tonic-gate /* Cipher 0C */
2890Sstevel@tonic-gate {
2900Sstevel@tonic-gate 0,
2910Sstevel@tonic-gate SSL3_TXT_DH_DSS_DES_64_CBC_SHA,
2920Sstevel@tonic-gate SSL3_CK_DH_DSS_DES_64_CBC_SHA,
2930Sstevel@tonic-gate SSL_kDHd |SSL_aDH|SSL_DES |SSL_SHA1|SSL_SSLV3,
2940Sstevel@tonic-gate SSL_NOT_EXP|SSL_LOW,
2950Sstevel@tonic-gate 0,
2960Sstevel@tonic-gate 56,
2970Sstevel@tonic-gate 56,
2980Sstevel@tonic-gate SSL_ALL_CIPHERS,
2990Sstevel@tonic-gate SSL_ALL_STRENGTHS,
3000Sstevel@tonic-gate },
3010Sstevel@tonic-gate /* Cipher 0D */
3020Sstevel@tonic-gate {
3030Sstevel@tonic-gate 0,
3040Sstevel@tonic-gate SSL3_TXT_DH_DSS_DES_192_CBC3_SHA,
3050Sstevel@tonic-gate SSL3_CK_DH_DSS_DES_192_CBC3_SHA,
3060Sstevel@tonic-gate SSL_kDHd |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3,
3070Sstevel@tonic-gate SSL_NOT_EXP|SSL_HIGH,
3080Sstevel@tonic-gate 0,
3090Sstevel@tonic-gate 168,
3100Sstevel@tonic-gate 168,
3110Sstevel@tonic-gate SSL_ALL_CIPHERS,
3120Sstevel@tonic-gate SSL_ALL_STRENGTHS,
3130Sstevel@tonic-gate },
3140Sstevel@tonic-gate /* Cipher 0E */
3150Sstevel@tonic-gate {
3160Sstevel@tonic-gate 0,
3170Sstevel@tonic-gate SSL3_TXT_DH_RSA_DES_40_CBC_SHA,
3180Sstevel@tonic-gate SSL3_CK_DH_RSA_DES_40_CBC_SHA,
3190Sstevel@tonic-gate SSL_kDHr |SSL_aDH|SSL_DES|SSL_SHA1|SSL_SSLV3,
3200Sstevel@tonic-gate SSL_EXPORT|SSL_EXP40,
3210Sstevel@tonic-gate 0,
3220Sstevel@tonic-gate 40,
3230Sstevel@tonic-gate 56,
3240Sstevel@tonic-gate SSL_ALL_CIPHERS,
3250Sstevel@tonic-gate SSL_ALL_STRENGTHS,
3260Sstevel@tonic-gate },
3270Sstevel@tonic-gate /* Cipher 0F */
3280Sstevel@tonic-gate {
3290Sstevel@tonic-gate 0,
3300Sstevel@tonic-gate SSL3_TXT_DH_RSA_DES_64_CBC_SHA,
3310Sstevel@tonic-gate SSL3_CK_DH_RSA_DES_64_CBC_SHA,
3320Sstevel@tonic-gate SSL_kDHr |SSL_aDH|SSL_DES |SSL_SHA1|SSL_SSLV3,
3330Sstevel@tonic-gate SSL_NOT_EXP|SSL_LOW,
3340Sstevel@tonic-gate 0,
3350Sstevel@tonic-gate 56,
3360Sstevel@tonic-gate 56,
3370Sstevel@tonic-gate SSL_ALL_CIPHERS,
3380Sstevel@tonic-gate SSL_ALL_STRENGTHS,
3390Sstevel@tonic-gate },
3400Sstevel@tonic-gate /* Cipher 10 */
3410Sstevel@tonic-gate {
3420Sstevel@tonic-gate 0,
3430Sstevel@tonic-gate SSL3_TXT_DH_RSA_DES_192_CBC3_SHA,
3440Sstevel@tonic-gate SSL3_CK_DH_RSA_DES_192_CBC3_SHA,
3450Sstevel@tonic-gate SSL_kDHr |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3,
3460Sstevel@tonic-gate SSL_NOT_EXP|SSL_HIGH,
3470Sstevel@tonic-gate 0,
3480Sstevel@tonic-gate 168,
3490Sstevel@tonic-gate 168,
3500Sstevel@tonic-gate SSL_ALL_CIPHERS,
3510Sstevel@tonic-gate SSL_ALL_STRENGTHS,
3520Sstevel@tonic-gate },
3530Sstevel@tonic-gate
3540Sstevel@tonic-gate /* The Ephemeral DH ciphers */
3550Sstevel@tonic-gate /* Cipher 11 */
3560Sstevel@tonic-gate {
3570Sstevel@tonic-gate 1,
3580Sstevel@tonic-gate SSL3_TXT_EDH_DSS_DES_40_CBC_SHA,
3590Sstevel@tonic-gate SSL3_CK_EDH_DSS_DES_40_CBC_SHA,
3600Sstevel@tonic-gate SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA1|SSL_SSLV3,
3610Sstevel@tonic-gate SSL_EXPORT|SSL_EXP40,
3620Sstevel@tonic-gate 0,
3630Sstevel@tonic-gate 40,
3640Sstevel@tonic-gate 56,
3650Sstevel@tonic-gate SSL_ALL_CIPHERS,
3660Sstevel@tonic-gate SSL_ALL_STRENGTHS,
3670Sstevel@tonic-gate },
3680Sstevel@tonic-gate /* Cipher 12 */
3690Sstevel@tonic-gate {
3700Sstevel@tonic-gate 1,
3710Sstevel@tonic-gate SSL3_TXT_EDH_DSS_DES_64_CBC_SHA,
3720Sstevel@tonic-gate SSL3_CK_EDH_DSS_DES_64_CBC_SHA,
3730Sstevel@tonic-gate SSL_kEDH|SSL_aDSS|SSL_DES |SSL_SHA1|SSL_SSLV3,
3740Sstevel@tonic-gate SSL_NOT_EXP|SSL_LOW,
3750Sstevel@tonic-gate 0,
3760Sstevel@tonic-gate 56,
3770Sstevel@tonic-gate 56,
3780Sstevel@tonic-gate SSL_ALL_CIPHERS,
3790Sstevel@tonic-gate SSL_ALL_STRENGTHS,
3800Sstevel@tonic-gate },
3810Sstevel@tonic-gate /* Cipher 13 */
3820Sstevel@tonic-gate {
3830Sstevel@tonic-gate 1,
3840Sstevel@tonic-gate SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA,
3850Sstevel@tonic-gate SSL3_CK_EDH_DSS_DES_192_CBC3_SHA,
3860Sstevel@tonic-gate SSL_kEDH|SSL_aDSS|SSL_3DES |SSL_SHA1|SSL_SSLV3,
3870Sstevel@tonic-gate SSL_NOT_EXP|SSL_HIGH,
3880Sstevel@tonic-gate 0,
3890Sstevel@tonic-gate 168,
3900Sstevel@tonic-gate 168,
3910Sstevel@tonic-gate SSL_ALL_CIPHERS,
3920Sstevel@tonic-gate SSL_ALL_STRENGTHS,
3930Sstevel@tonic-gate },
3940Sstevel@tonic-gate /* Cipher 14 */
3950Sstevel@tonic-gate {
3960Sstevel@tonic-gate 1,
3970Sstevel@tonic-gate SSL3_TXT_EDH_RSA_DES_40_CBC_SHA,
3980Sstevel@tonic-gate SSL3_CK_EDH_RSA_DES_40_CBC_SHA,
3990Sstevel@tonic-gate SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_SSLV3,
4000Sstevel@tonic-gate SSL_EXPORT|SSL_EXP40,
4010Sstevel@tonic-gate 0,
4020Sstevel@tonic-gate 40,
4030Sstevel@tonic-gate 56,
4040Sstevel@tonic-gate SSL_ALL_CIPHERS,
4050Sstevel@tonic-gate SSL_ALL_STRENGTHS,
4060Sstevel@tonic-gate },
4070Sstevel@tonic-gate /* Cipher 15 */
4080Sstevel@tonic-gate {
4090Sstevel@tonic-gate 1,
4100Sstevel@tonic-gate SSL3_TXT_EDH_RSA_DES_64_CBC_SHA,
4110Sstevel@tonic-gate SSL3_CK_EDH_RSA_DES_64_CBC_SHA,
4120Sstevel@tonic-gate SSL_kEDH|SSL_aRSA|SSL_DES |SSL_SHA1|SSL_SSLV3,
4130Sstevel@tonic-gate SSL_NOT_EXP|SSL_LOW,
4140Sstevel@tonic-gate 0,
4150Sstevel@tonic-gate 56,
4160Sstevel@tonic-gate 56,
4170Sstevel@tonic-gate SSL_ALL_CIPHERS,
4180Sstevel@tonic-gate SSL_ALL_STRENGTHS,
4190Sstevel@tonic-gate },
4200Sstevel@tonic-gate /* Cipher 16 */
4210Sstevel@tonic-gate {
4220Sstevel@tonic-gate 1,
4230Sstevel@tonic-gate SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA,
4240Sstevel@tonic-gate SSL3_CK_EDH_RSA_DES_192_CBC3_SHA,
4250Sstevel@tonic-gate SSL_kEDH|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3,
4260Sstevel@tonic-gate SSL_NOT_EXP|SSL_HIGH,
4270Sstevel@tonic-gate 0,
4280Sstevel@tonic-gate 168,
4290Sstevel@tonic-gate 168,
4300Sstevel@tonic-gate SSL_ALL_CIPHERS,
4310Sstevel@tonic-gate SSL_ALL_STRENGTHS,
4320Sstevel@tonic-gate },
433*2139Sjp161948 /* Cipher 17 */
434*2139Sjp161948 {
435*2139Sjp161948 1,
436*2139Sjp161948 SSL3_TXT_ADH_RC4_40_MD5,
437*2139Sjp161948 SSL3_CK_ADH_RC4_40_MD5,
438*2139Sjp161948 SSL_kEDH |SSL_aNULL|SSL_RC4 |SSL_MD5 |SSL_SSLV3,
439*2139Sjp161948 SSL_EXPORT|SSL_EXP40,
440*2139Sjp161948 0,
441*2139Sjp161948 40,
442*2139Sjp161948 128,
443*2139Sjp161948 SSL_ALL_CIPHERS,
444*2139Sjp161948 SSL_ALL_STRENGTHS,
445*2139Sjp161948 },
446*2139Sjp161948 /* Cipher 18 */
447*2139Sjp161948 {
448*2139Sjp161948 1,
449*2139Sjp161948 SSL3_TXT_ADH_RC4_128_MD5,
450*2139Sjp161948 SSL3_CK_ADH_RC4_128_MD5,
451*2139Sjp161948 SSL_kEDH |SSL_aNULL|SSL_RC4 |SSL_MD5 |SSL_SSLV3,
452*2139Sjp161948 SSL_NOT_EXP|SSL_MEDIUM,
453*2139Sjp161948 0,
454*2139Sjp161948 128,
455*2139Sjp161948 128,
456*2139Sjp161948 SSL_ALL_CIPHERS,
457*2139Sjp161948 SSL_ALL_STRENGTHS,
458*2139Sjp161948 },
459*2139Sjp161948 /* Cipher 19 */
460*2139Sjp161948 {
461*2139Sjp161948 1,
462*2139Sjp161948 SSL3_TXT_ADH_DES_40_CBC_SHA,
463*2139Sjp161948 SSL3_CK_ADH_DES_40_CBC_SHA,
464*2139Sjp161948 SSL_kEDH |SSL_aNULL|SSL_DES|SSL_SHA1|SSL_SSLV3,
465*2139Sjp161948 SSL_EXPORT|SSL_EXP40,
466*2139Sjp161948 0,
467*2139Sjp161948 40,
468*2139Sjp161948 128,
469*2139Sjp161948 SSL_ALL_CIPHERS,
470*2139Sjp161948 SSL_ALL_STRENGTHS,
471*2139Sjp161948 },
472*2139Sjp161948 /* Cipher 1A */
473*2139Sjp161948 {
474*2139Sjp161948 1,
475*2139Sjp161948 SSL3_TXT_ADH_DES_64_CBC_SHA,
476*2139Sjp161948 SSL3_CK_ADH_DES_64_CBC_SHA,
477*2139Sjp161948 SSL_kEDH |SSL_aNULL|SSL_DES |SSL_SHA1|SSL_SSLV3,
478*2139Sjp161948 SSL_NOT_EXP|SSL_LOW,
479*2139Sjp161948 0,
480*2139Sjp161948 56,
481*2139Sjp161948 56,
482*2139Sjp161948 SSL_ALL_CIPHERS,
483*2139Sjp161948 SSL_ALL_STRENGTHS,
484*2139Sjp161948 },
485*2139Sjp161948 /* Cipher 1B */
486*2139Sjp161948 {
487*2139Sjp161948 1,
488*2139Sjp161948 SSL3_TXT_ADH_DES_192_CBC_SHA,
489*2139Sjp161948 SSL3_CK_ADH_DES_192_CBC_SHA,
490*2139Sjp161948 SSL_kEDH |SSL_aNULL|SSL_3DES |SSL_SHA1|SSL_SSLV3,
491*2139Sjp161948 SSL_NOT_EXP|SSL_HIGH,
492*2139Sjp161948 0,
493*2139Sjp161948 168,
494*2139Sjp161948 168,
495*2139Sjp161948 SSL_ALL_CIPHERS,
496*2139Sjp161948 SSL_ALL_STRENGTHS,
497*2139Sjp161948 },
4980Sstevel@tonic-gate
4990Sstevel@tonic-gate /* Fortezza */
5000Sstevel@tonic-gate /* Cipher 1C */
5010Sstevel@tonic-gate {
5020Sstevel@tonic-gate 0,
5030Sstevel@tonic-gate SSL3_TXT_FZA_DMS_NULL_SHA,
5040Sstevel@tonic-gate SSL3_CK_FZA_DMS_NULL_SHA,
5050Sstevel@tonic-gate SSL_kFZA|SSL_aFZA |SSL_eNULL |SSL_SHA1|SSL_SSLV3,
5060Sstevel@tonic-gate SSL_NOT_EXP|SSL_STRONG_NONE,
5070Sstevel@tonic-gate 0,
5080Sstevel@tonic-gate 0,
5090Sstevel@tonic-gate 0,
5100Sstevel@tonic-gate SSL_ALL_CIPHERS,
5110Sstevel@tonic-gate SSL_ALL_STRENGTHS,
5120Sstevel@tonic-gate },
5130Sstevel@tonic-gate
5140Sstevel@tonic-gate /* Cipher 1D */
5150Sstevel@tonic-gate {
5160Sstevel@tonic-gate 0,
5170Sstevel@tonic-gate SSL3_TXT_FZA_DMS_FZA_SHA,
5180Sstevel@tonic-gate SSL3_CK_FZA_DMS_FZA_SHA,
5190Sstevel@tonic-gate SSL_kFZA|SSL_aFZA |SSL_eFZA |SSL_SHA1|SSL_SSLV3,
5200Sstevel@tonic-gate SSL_NOT_EXP|SSL_STRONG_NONE,
5210Sstevel@tonic-gate 0,
5220Sstevel@tonic-gate 0,
5230Sstevel@tonic-gate 0,
5240Sstevel@tonic-gate SSL_ALL_CIPHERS,
5250Sstevel@tonic-gate SSL_ALL_STRENGTHS,
5260Sstevel@tonic-gate },
5270Sstevel@tonic-gate
5280Sstevel@tonic-gate #if 0
5290Sstevel@tonic-gate /* Cipher 1E */
5300Sstevel@tonic-gate {
5310Sstevel@tonic-gate 0,
5320Sstevel@tonic-gate SSL3_TXT_FZA_DMS_RC4_SHA,
5330Sstevel@tonic-gate SSL3_CK_FZA_DMS_RC4_SHA,
5340Sstevel@tonic-gate SSL_kFZA|SSL_aFZA |SSL_RC4 |SSL_SHA1|SSL_SSLV3,
5350Sstevel@tonic-gate SSL_NOT_EXP|SSL_MEDIUM,
5360Sstevel@tonic-gate 0,
5370Sstevel@tonic-gate 128,
5380Sstevel@tonic-gate 128,
5390Sstevel@tonic-gate SSL_ALL_CIPHERS,
5400Sstevel@tonic-gate SSL_ALL_STRENGTHS,
5410Sstevel@tonic-gate },
5420Sstevel@tonic-gate #endif
5430Sstevel@tonic-gate
5440Sstevel@tonic-gate #ifndef OPENSSL_NO_KRB5
5450Sstevel@tonic-gate /* The Kerberos ciphers
5460Sstevel@tonic-gate ** 20000107 VRS: And the first shall be last,
5470Sstevel@tonic-gate ** in hopes of avoiding the lynx ssl renegotiation problem.
5480Sstevel@tonic-gate */
5490Sstevel@tonic-gate /* Cipher 1E VRS */
5500Sstevel@tonic-gate {
5510Sstevel@tonic-gate 1,
5520Sstevel@tonic-gate SSL3_TXT_KRB5_DES_64_CBC_SHA,
5530Sstevel@tonic-gate SSL3_CK_KRB5_DES_64_CBC_SHA,
5540Sstevel@tonic-gate SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_SHA1 |SSL_SSLV3,
5550Sstevel@tonic-gate SSL_NOT_EXP|SSL_LOW,
5560Sstevel@tonic-gate 0,
5570Sstevel@tonic-gate 56,
5580Sstevel@tonic-gate 56,
5590Sstevel@tonic-gate SSL_ALL_CIPHERS,
5600Sstevel@tonic-gate SSL_ALL_STRENGTHS,
5610Sstevel@tonic-gate },
5620Sstevel@tonic-gate
5630Sstevel@tonic-gate /* Cipher 1F VRS */
5640Sstevel@tonic-gate {
5650Sstevel@tonic-gate 1,
5660Sstevel@tonic-gate SSL3_TXT_KRB5_DES_192_CBC3_SHA,
5670Sstevel@tonic-gate SSL3_CK_KRB5_DES_192_CBC3_SHA,
5680Sstevel@tonic-gate SSL_kKRB5|SSL_aKRB5| SSL_3DES|SSL_SHA1 |SSL_SSLV3,
5690Sstevel@tonic-gate SSL_NOT_EXP|SSL_HIGH,
5700Sstevel@tonic-gate 0,
5710Sstevel@tonic-gate 112,
5720Sstevel@tonic-gate 168,
5730Sstevel@tonic-gate SSL_ALL_CIPHERS,
5740Sstevel@tonic-gate SSL_ALL_STRENGTHS,
5750Sstevel@tonic-gate },
5760Sstevel@tonic-gate
5770Sstevel@tonic-gate /* Cipher 20 VRS */
5780Sstevel@tonic-gate {
5790Sstevel@tonic-gate 1,
5800Sstevel@tonic-gate SSL3_TXT_KRB5_RC4_128_SHA,
5810Sstevel@tonic-gate SSL3_CK_KRB5_RC4_128_SHA,
5820Sstevel@tonic-gate SSL_kKRB5|SSL_aKRB5| SSL_RC4|SSL_SHA1 |SSL_SSLV3,
5830Sstevel@tonic-gate SSL_NOT_EXP|SSL_MEDIUM,
5840Sstevel@tonic-gate 0,
5850Sstevel@tonic-gate 128,
5860Sstevel@tonic-gate 128,
5870Sstevel@tonic-gate SSL_ALL_CIPHERS,
5880Sstevel@tonic-gate SSL_ALL_STRENGTHS,
5890Sstevel@tonic-gate },
5900Sstevel@tonic-gate
5910Sstevel@tonic-gate /* Cipher 21 VRS */
5920Sstevel@tonic-gate {
5930Sstevel@tonic-gate 1,
5940Sstevel@tonic-gate SSL3_TXT_KRB5_IDEA_128_CBC_SHA,
5950Sstevel@tonic-gate SSL3_CK_KRB5_IDEA_128_CBC_SHA,
5960Sstevel@tonic-gate SSL_kKRB5|SSL_aKRB5| SSL_IDEA|SSL_SHA1 |SSL_SSLV3,
5970Sstevel@tonic-gate SSL_NOT_EXP|SSL_MEDIUM,
5980Sstevel@tonic-gate 0,
5990Sstevel@tonic-gate 128,
6000Sstevel@tonic-gate 128,
6010Sstevel@tonic-gate SSL_ALL_CIPHERS,
6020Sstevel@tonic-gate SSL_ALL_STRENGTHS,
6030Sstevel@tonic-gate },
6040Sstevel@tonic-gate
6050Sstevel@tonic-gate /* Cipher 22 VRS */
6060Sstevel@tonic-gate {
6070Sstevel@tonic-gate 1,
6080Sstevel@tonic-gate SSL3_TXT_KRB5_DES_64_CBC_MD5,
6090Sstevel@tonic-gate SSL3_CK_KRB5_DES_64_CBC_MD5,
6100Sstevel@tonic-gate SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_MD5 |SSL_SSLV3,
6110Sstevel@tonic-gate SSL_NOT_EXP|SSL_LOW,
6120Sstevel@tonic-gate 0,
6130Sstevel@tonic-gate 56,
6140Sstevel@tonic-gate 56,
6150Sstevel@tonic-gate SSL_ALL_CIPHERS,
6160Sstevel@tonic-gate SSL_ALL_STRENGTHS,
6170Sstevel@tonic-gate },
6180Sstevel@tonic-gate
6190Sstevel@tonic-gate /* Cipher 23 VRS */
6200Sstevel@tonic-gate {
6210Sstevel@tonic-gate 1,
6220Sstevel@tonic-gate SSL3_TXT_KRB5_DES_192_CBC3_MD5,
6230Sstevel@tonic-gate SSL3_CK_KRB5_DES_192_CBC3_MD5,
6240Sstevel@tonic-gate SSL_kKRB5|SSL_aKRB5| SSL_3DES|SSL_MD5 |SSL_SSLV3,
6250Sstevel@tonic-gate SSL_NOT_EXP|SSL_HIGH,
6260Sstevel@tonic-gate 0,
6270Sstevel@tonic-gate 112,
6280Sstevel@tonic-gate 168,
6290Sstevel@tonic-gate SSL_ALL_CIPHERS,
6300Sstevel@tonic-gate SSL_ALL_STRENGTHS,
6310Sstevel@tonic-gate },
6320Sstevel@tonic-gate
6330Sstevel@tonic-gate /* Cipher 24 VRS */
6340Sstevel@tonic-gate {
6350Sstevel@tonic-gate 1,
6360Sstevel@tonic-gate SSL3_TXT_KRB5_RC4_128_MD5,
6370Sstevel@tonic-gate SSL3_CK_KRB5_RC4_128_MD5,
6380Sstevel@tonic-gate SSL_kKRB5|SSL_aKRB5| SSL_RC4|SSL_MD5 |SSL_SSLV3,
6390Sstevel@tonic-gate SSL_NOT_EXP|SSL_MEDIUM,
6400Sstevel@tonic-gate 0,
6410Sstevel@tonic-gate 128,
6420Sstevel@tonic-gate 128,
6430Sstevel@tonic-gate SSL_ALL_CIPHERS,
6440Sstevel@tonic-gate SSL_ALL_STRENGTHS,
6450Sstevel@tonic-gate },
6460Sstevel@tonic-gate
6470Sstevel@tonic-gate /* Cipher 25 VRS */
6480Sstevel@tonic-gate {
6490Sstevel@tonic-gate 1,
6500Sstevel@tonic-gate SSL3_TXT_KRB5_IDEA_128_CBC_MD5,
6510Sstevel@tonic-gate SSL3_CK_KRB5_IDEA_128_CBC_MD5,
6520Sstevel@tonic-gate SSL_kKRB5|SSL_aKRB5| SSL_IDEA|SSL_MD5 |SSL_SSLV3,
6530Sstevel@tonic-gate SSL_NOT_EXP|SSL_MEDIUM,
6540Sstevel@tonic-gate 0,
6550Sstevel@tonic-gate 128,
6560Sstevel@tonic-gate 128,
6570Sstevel@tonic-gate SSL_ALL_CIPHERS,
6580Sstevel@tonic-gate SSL_ALL_STRENGTHS,
6590Sstevel@tonic-gate },
6600Sstevel@tonic-gate
6610Sstevel@tonic-gate /* Cipher 26 VRS */
6620Sstevel@tonic-gate {
6630Sstevel@tonic-gate 1,
6640Sstevel@tonic-gate SSL3_TXT_KRB5_DES_40_CBC_SHA,
6650Sstevel@tonic-gate SSL3_CK_KRB5_DES_40_CBC_SHA,
6660Sstevel@tonic-gate SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_SHA1 |SSL_SSLV3,
6670Sstevel@tonic-gate SSL_EXPORT|SSL_EXP40,
6680Sstevel@tonic-gate 0,
6690Sstevel@tonic-gate 40,
6700Sstevel@tonic-gate 56,
6710Sstevel@tonic-gate SSL_ALL_CIPHERS,
6720Sstevel@tonic-gate SSL_ALL_STRENGTHS,
6730Sstevel@tonic-gate },
6740Sstevel@tonic-gate
6750Sstevel@tonic-gate /* Cipher 27 VRS */
6760Sstevel@tonic-gate {
6770Sstevel@tonic-gate 1,
6780Sstevel@tonic-gate SSL3_TXT_KRB5_RC2_40_CBC_SHA,
6790Sstevel@tonic-gate SSL3_CK_KRB5_RC2_40_CBC_SHA,
6800Sstevel@tonic-gate SSL_kKRB5|SSL_aKRB5| SSL_RC2|SSL_SHA1 |SSL_SSLV3,
6810Sstevel@tonic-gate SSL_EXPORT|SSL_EXP40,
6820Sstevel@tonic-gate 0,
6830Sstevel@tonic-gate 40,
6840Sstevel@tonic-gate 128,
6850Sstevel@tonic-gate SSL_ALL_CIPHERS,
6860Sstevel@tonic-gate SSL_ALL_STRENGTHS,
6870Sstevel@tonic-gate },
6880Sstevel@tonic-gate
6890Sstevel@tonic-gate /* Cipher 28 VRS */
6900Sstevel@tonic-gate {
6910Sstevel@tonic-gate 1,
6920Sstevel@tonic-gate SSL3_TXT_KRB5_RC4_40_SHA,
6930Sstevel@tonic-gate SSL3_CK_KRB5_RC4_40_SHA,
6940Sstevel@tonic-gate SSL_kKRB5|SSL_aKRB5| SSL_RC4|SSL_SHA1 |SSL_SSLV3,
6950Sstevel@tonic-gate SSL_EXPORT|SSL_EXP40,
6960Sstevel@tonic-gate 0,
6970Sstevel@tonic-gate 128,
6980Sstevel@tonic-gate 128,
6990Sstevel@tonic-gate SSL_ALL_CIPHERS,
7000Sstevel@tonic-gate SSL_ALL_STRENGTHS,
7010Sstevel@tonic-gate },
7020Sstevel@tonic-gate
7030Sstevel@tonic-gate /* Cipher 29 VRS */
7040Sstevel@tonic-gate {
7050Sstevel@tonic-gate 1,
7060Sstevel@tonic-gate SSL3_TXT_KRB5_DES_40_CBC_MD5,
7070Sstevel@tonic-gate SSL3_CK_KRB5_DES_40_CBC_MD5,
7080Sstevel@tonic-gate SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_MD5 |SSL_SSLV3,
7090Sstevel@tonic-gate SSL_EXPORT|SSL_EXP40,
7100Sstevel@tonic-gate 0,
7110Sstevel@tonic-gate 40,
7120Sstevel@tonic-gate 56,
7130Sstevel@tonic-gate SSL_ALL_CIPHERS,
7140Sstevel@tonic-gate SSL_ALL_STRENGTHS,
7150Sstevel@tonic-gate },
7160Sstevel@tonic-gate
7170Sstevel@tonic-gate /* Cipher 2A VRS */
7180Sstevel@tonic-gate {
7190Sstevel@tonic-gate 1,
7200Sstevel@tonic-gate SSL3_TXT_KRB5_RC2_40_CBC_MD5,
7210Sstevel@tonic-gate SSL3_CK_KRB5_RC2_40_CBC_MD5,
7220Sstevel@tonic-gate SSL_kKRB5|SSL_aKRB5| SSL_RC2|SSL_MD5 |SSL_SSLV3,
7230Sstevel@tonic-gate SSL_EXPORT|SSL_EXP40,
7240Sstevel@tonic-gate 0,
7250Sstevel@tonic-gate 40,
7260Sstevel@tonic-gate 128,
7270Sstevel@tonic-gate SSL_ALL_CIPHERS,
7280Sstevel@tonic-gate SSL_ALL_STRENGTHS,
7290Sstevel@tonic-gate },
7300Sstevel@tonic-gate
7310Sstevel@tonic-gate /* Cipher 2B VRS */
7320Sstevel@tonic-gate {
7330Sstevel@tonic-gate 1,
7340Sstevel@tonic-gate SSL3_TXT_KRB5_RC4_40_MD5,
7350Sstevel@tonic-gate SSL3_CK_KRB5_RC4_40_MD5,
7360Sstevel@tonic-gate SSL_kKRB5|SSL_aKRB5| SSL_RC4|SSL_MD5 |SSL_SSLV3,
7370Sstevel@tonic-gate SSL_EXPORT|SSL_EXP40,
7380Sstevel@tonic-gate 0,
7390Sstevel@tonic-gate 128,
7400Sstevel@tonic-gate 128,
7410Sstevel@tonic-gate SSL_ALL_CIPHERS,
7420Sstevel@tonic-gate SSL_ALL_STRENGTHS,
7430Sstevel@tonic-gate },
7440Sstevel@tonic-gate #endif /* OPENSSL_NO_KRB5 */
745*2139Sjp161948 /* New AES ciphersuites */
7460Sstevel@tonic-gate
747*2139Sjp161948 /* Cipher 2F */
748*2139Sjp161948 {
749*2139Sjp161948 1,
750*2139Sjp161948 TLS1_TXT_RSA_WITH_AES_128_SHA,
751*2139Sjp161948 TLS1_CK_RSA_WITH_AES_128_SHA,
752*2139Sjp161948 SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1,
753*2139Sjp161948 SSL_NOT_EXP|SSL_HIGH,
754*2139Sjp161948 0,
755*2139Sjp161948 128,
756*2139Sjp161948 128,
757*2139Sjp161948 SSL_ALL_CIPHERS,
758*2139Sjp161948 SSL_ALL_STRENGTHS,
759*2139Sjp161948 },
760*2139Sjp161948 /* Cipher 30 */
761*2139Sjp161948 {
762*2139Sjp161948 0,
763*2139Sjp161948 TLS1_TXT_DH_DSS_WITH_AES_128_SHA,
764*2139Sjp161948 TLS1_CK_DH_DSS_WITH_AES_128_SHA,
765*2139Sjp161948 SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
766*2139Sjp161948 SSL_NOT_EXP|SSL_HIGH,
767*2139Sjp161948 0,
768*2139Sjp161948 128,
769*2139Sjp161948 128,
770*2139Sjp161948 SSL_ALL_CIPHERS,
771*2139Sjp161948 SSL_ALL_STRENGTHS,
772*2139Sjp161948 },
773*2139Sjp161948 /* Cipher 31 */
774*2139Sjp161948 {
775*2139Sjp161948 0,
776*2139Sjp161948 TLS1_TXT_DH_RSA_WITH_AES_128_SHA,
777*2139Sjp161948 TLS1_CK_DH_RSA_WITH_AES_128_SHA,
778*2139Sjp161948 SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
779*2139Sjp161948 SSL_NOT_EXP|SSL_HIGH,
780*2139Sjp161948 0,
781*2139Sjp161948 128,
782*2139Sjp161948 128,
783*2139Sjp161948 SSL_ALL_CIPHERS,
784*2139Sjp161948 SSL_ALL_STRENGTHS,
785*2139Sjp161948 },
786*2139Sjp161948 /* Cipher 32 */
787*2139Sjp161948 {
788*2139Sjp161948 1,
789*2139Sjp161948 TLS1_TXT_DHE_DSS_WITH_AES_128_SHA,
790*2139Sjp161948 TLS1_CK_DHE_DSS_WITH_AES_128_SHA,
791*2139Sjp161948 SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1,
792*2139Sjp161948 SSL_NOT_EXP|SSL_HIGH,
793*2139Sjp161948 0,
794*2139Sjp161948 128,
795*2139Sjp161948 128,
796*2139Sjp161948 SSL_ALL_CIPHERS,
797*2139Sjp161948 SSL_ALL_STRENGTHS,
798*2139Sjp161948 },
799*2139Sjp161948 /* Cipher 33 */
800*2139Sjp161948 {
801*2139Sjp161948 1,
802*2139Sjp161948 TLS1_TXT_DHE_RSA_WITH_AES_128_SHA,
803*2139Sjp161948 TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
804*2139Sjp161948 SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
805*2139Sjp161948 SSL_NOT_EXP|SSL_HIGH,
806*2139Sjp161948 0,
807*2139Sjp161948 128,
808*2139Sjp161948 128,
809*2139Sjp161948 SSL_ALL_CIPHERS,
810*2139Sjp161948 SSL_ALL_STRENGTHS,
811*2139Sjp161948 },
812*2139Sjp161948 /* Cipher 34 */
813*2139Sjp161948 {
814*2139Sjp161948 1,
815*2139Sjp161948 TLS1_TXT_ADH_WITH_AES_128_SHA,
816*2139Sjp161948 TLS1_CK_ADH_WITH_AES_128_SHA,
817*2139Sjp161948 SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
818*2139Sjp161948 SSL_NOT_EXP|SSL_HIGH,
819*2139Sjp161948 0,
820*2139Sjp161948 128,
821*2139Sjp161948 128,
822*2139Sjp161948 SSL_ALL_CIPHERS,
823*2139Sjp161948 SSL_ALL_STRENGTHS,
824*2139Sjp161948 },
825*2139Sjp161948
826*2139Sjp161948 /* Cipher 35 */
827*2139Sjp161948 {
828*2139Sjp161948 1,
829*2139Sjp161948 TLS1_TXT_RSA_WITH_AES_256_SHA,
830*2139Sjp161948 TLS1_CK_RSA_WITH_AES_256_SHA,
831*2139Sjp161948 SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1,
832*2139Sjp161948 SSL_NOT_EXP|SSL_HIGH,
833*2139Sjp161948 0,
834*2139Sjp161948 256,
835*2139Sjp161948 256,
836*2139Sjp161948 SSL_ALL_CIPHERS,
837*2139Sjp161948 SSL_ALL_STRENGTHS,
838*2139Sjp161948 },
839*2139Sjp161948 /* Cipher 36 */
840*2139Sjp161948 {
841*2139Sjp161948 0,
842*2139Sjp161948 TLS1_TXT_DH_DSS_WITH_AES_256_SHA,
843*2139Sjp161948 TLS1_CK_DH_DSS_WITH_AES_256_SHA,
844*2139Sjp161948 SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
845*2139Sjp161948 SSL_NOT_EXP|SSL_HIGH,
846*2139Sjp161948 0,
847*2139Sjp161948 256,
848*2139Sjp161948 256,
849*2139Sjp161948 SSL_ALL_CIPHERS,
850*2139Sjp161948 SSL_ALL_STRENGTHS,
851*2139Sjp161948 },
852*2139Sjp161948 /* Cipher 37 */
853*2139Sjp161948 {
854*2139Sjp161948 0,
855*2139Sjp161948 TLS1_TXT_DH_RSA_WITH_AES_256_SHA,
856*2139Sjp161948 TLS1_CK_DH_RSA_WITH_AES_256_SHA,
857*2139Sjp161948 SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
858*2139Sjp161948 SSL_NOT_EXP|SSL_HIGH,
859*2139Sjp161948 0,
860*2139Sjp161948 256,
861*2139Sjp161948 256,
862*2139Sjp161948 SSL_ALL_CIPHERS,
863*2139Sjp161948 SSL_ALL_STRENGTHS,
864*2139Sjp161948 },
865*2139Sjp161948 /* Cipher 38 */
866*2139Sjp161948 {
867*2139Sjp161948 1,
868*2139Sjp161948 TLS1_TXT_DHE_DSS_WITH_AES_256_SHA,
869*2139Sjp161948 TLS1_CK_DHE_DSS_WITH_AES_256_SHA,
870*2139Sjp161948 SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1,
871*2139Sjp161948 SSL_NOT_EXP|SSL_HIGH,
872*2139Sjp161948 0,
873*2139Sjp161948 256,
874*2139Sjp161948 256,
875*2139Sjp161948 SSL_ALL_CIPHERS,
876*2139Sjp161948 SSL_ALL_STRENGTHS,
877*2139Sjp161948 },
878*2139Sjp161948 /* Cipher 39 */
879*2139Sjp161948 {
880*2139Sjp161948 1,
881*2139Sjp161948 TLS1_TXT_DHE_RSA_WITH_AES_256_SHA,
882*2139Sjp161948 TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
883*2139Sjp161948 SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
884*2139Sjp161948 SSL_NOT_EXP|SSL_HIGH,
885*2139Sjp161948 0,
886*2139Sjp161948 256,
887*2139Sjp161948 256,
888*2139Sjp161948 SSL_ALL_CIPHERS,
889*2139Sjp161948 SSL_ALL_STRENGTHS,
890*2139Sjp161948 },
891*2139Sjp161948 /* Cipher 3A */
892*2139Sjp161948 {
893*2139Sjp161948 1,
894*2139Sjp161948 TLS1_TXT_ADH_WITH_AES_256_SHA,
895*2139Sjp161948 TLS1_CK_ADH_WITH_AES_256_SHA,
896*2139Sjp161948 SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
897*2139Sjp161948 SSL_NOT_EXP|SSL_HIGH,
898*2139Sjp161948 0,
899*2139Sjp161948 256,
900*2139Sjp161948 256,
901*2139Sjp161948 SSL_ALL_CIPHERS,
902*2139Sjp161948 SSL_ALL_STRENGTHS,
903*2139Sjp161948 },
904*2139Sjp161948 #ifndef OPENSSL_NO_ECDH
905*2139Sjp161948 /* Cipher 47 */
906*2139Sjp161948 {
907*2139Sjp161948 1,
908*2139Sjp161948 TLS1_TXT_ECDH_ECDSA_WITH_NULL_SHA,
909*2139Sjp161948 TLS1_CK_ECDH_ECDSA_WITH_NULL_SHA,
910*2139Sjp161948 SSL_kECDH|SSL_aECDSA|SSL_eNULL|SSL_SHA|SSL_TLSV1,
911*2139Sjp161948 SSL_NOT_EXP,
912*2139Sjp161948 0,
913*2139Sjp161948 0,
914*2139Sjp161948 0,
915*2139Sjp161948 SSL_ALL_CIPHERS,
916*2139Sjp161948 SSL_ALL_STRENGTHS,
917*2139Sjp161948 },
918*2139Sjp161948
919*2139Sjp161948 /* Cipher 48 */
920*2139Sjp161948 {
921*2139Sjp161948 1,
922*2139Sjp161948 TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA,
923*2139Sjp161948 TLS1_CK_ECDH_ECDSA_WITH_RC4_128_SHA,
924*2139Sjp161948 SSL_kECDH|SSL_aECDSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
925*2139Sjp161948 SSL_NOT_EXP,
926*2139Sjp161948 0,
927*2139Sjp161948 128,
928*2139Sjp161948 128,
929*2139Sjp161948 SSL_ALL_CIPHERS,
930*2139Sjp161948 SSL_ALL_STRENGTHS,
931*2139Sjp161948 },
932*2139Sjp161948
933*2139Sjp161948 /* Cipher 49 */
934*2139Sjp161948 {
935*2139Sjp161948 1,
936*2139Sjp161948 TLS1_TXT_ECDH_ECDSA_WITH_DES_CBC_SHA,
937*2139Sjp161948 TLS1_CK_ECDH_ECDSA_WITH_DES_CBC_SHA,
938*2139Sjp161948 SSL_kECDH|SSL_aECDSA|SSL_DES|SSL_SHA|SSL_TLSV1,
939*2139Sjp161948 SSL_NOT_EXP|SSL_LOW,
940*2139Sjp161948 0,
941*2139Sjp161948 56,
942*2139Sjp161948 56,
943*2139Sjp161948 SSL_ALL_CIPHERS,
944*2139Sjp161948 SSL_ALL_STRENGTHS,
945*2139Sjp161948 },
946*2139Sjp161948
947*2139Sjp161948 /* Cipher 4A */
948*2139Sjp161948 {
949*2139Sjp161948 1,
950*2139Sjp161948 TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA,
951*2139Sjp161948 TLS1_CK_ECDH_ECDSA_WITH_DES_192_CBC3_SHA,
952*2139Sjp161948 SSL_kECDH|SSL_aECDSA|SSL_3DES|SSL_SHA|SSL_TLSV1,
953*2139Sjp161948 SSL_NOT_EXP|SSL_HIGH,
954*2139Sjp161948 0,
955*2139Sjp161948 168,
956*2139Sjp161948 168,
957*2139Sjp161948 SSL_ALL_CIPHERS,
958*2139Sjp161948 SSL_ALL_STRENGTHS,
959*2139Sjp161948 },
960*2139Sjp161948
961*2139Sjp161948 /* Cipher 4B */
962*2139Sjp161948 {
963*2139Sjp161948 1,
964*2139Sjp161948 TLS1_TXT_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
965*2139Sjp161948 TLS1_CK_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
966*2139Sjp161948 SSL_kECDH|SSL_aECDSA|SSL_AES|SSL_SHA|SSL_TLSV1,
967*2139Sjp161948 SSL_NOT_EXP|SSL_HIGH,
968*2139Sjp161948 0,
969*2139Sjp161948 128,
970*2139Sjp161948 128,
971*2139Sjp161948 SSL_ALL_CIPHERS,
972*2139Sjp161948 SSL_ALL_STRENGTHS,
973*2139Sjp161948 },
974*2139Sjp161948
975*2139Sjp161948 /* Cipher 4C */
976*2139Sjp161948 {
977*2139Sjp161948 1,
978*2139Sjp161948 TLS1_TXT_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
979*2139Sjp161948 TLS1_CK_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
980*2139Sjp161948 SSL_kECDH|SSL_aECDSA|SSL_AES|SSL_SHA|SSL_TLSV1,
981*2139Sjp161948 SSL_NOT_EXP|SSL_HIGH,
982*2139Sjp161948 0,
983*2139Sjp161948 256,
984*2139Sjp161948 256,
985*2139Sjp161948 SSL_ALL_CIPHERS,
986*2139Sjp161948 SSL_ALL_STRENGTHS,
987*2139Sjp161948 },
988*2139Sjp161948
989*2139Sjp161948 /* Cipher 4D */
990*2139Sjp161948 {
991*2139Sjp161948 1,
992*2139Sjp161948 TLS1_TXT_ECDH_RSA_WITH_NULL_SHA,
993*2139Sjp161948 TLS1_CK_ECDH_RSA_WITH_NULL_SHA,
994*2139Sjp161948 SSL_kECDH|SSL_aRSA|SSL_eNULL|SSL_SHA|SSL_TLSV1,
995*2139Sjp161948 SSL_NOT_EXP,
996*2139Sjp161948 0,
997*2139Sjp161948 0,
998*2139Sjp161948 0,
999*2139Sjp161948 SSL_ALL_CIPHERS,
1000*2139Sjp161948 SSL_ALL_STRENGTHS,
1001*2139Sjp161948 },
1002*2139Sjp161948
1003*2139Sjp161948 /* Cipher 4E */
1004*2139Sjp161948 {
1005*2139Sjp161948 1,
1006*2139Sjp161948 TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA,
1007*2139Sjp161948 TLS1_CK_ECDH_RSA_WITH_RC4_128_SHA,
1008*2139Sjp161948 SSL_kECDH|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
1009*2139Sjp161948 SSL_NOT_EXP,
1010*2139Sjp161948 0,
1011*2139Sjp161948 128,
1012*2139Sjp161948 128,
1013*2139Sjp161948 SSL_ALL_CIPHERS,
1014*2139Sjp161948 SSL_ALL_STRENGTHS,
1015*2139Sjp161948 },
1016*2139Sjp161948
1017*2139Sjp161948 /* Cipher 4F */
1018*2139Sjp161948 {
1019*2139Sjp161948 1,
1020*2139Sjp161948 TLS1_TXT_ECDH_RSA_WITH_DES_CBC_SHA,
1021*2139Sjp161948 TLS1_CK_ECDH_RSA_WITH_DES_CBC_SHA,
1022*2139Sjp161948 SSL_kECDH|SSL_aRSA|SSL_DES|SSL_SHA|SSL_TLSV1,
1023*2139Sjp161948 SSL_NOT_EXP|SSL_LOW,
1024*2139Sjp161948 0,
1025*2139Sjp161948 56,
1026*2139Sjp161948 56,
1027*2139Sjp161948 SSL_ALL_CIPHERS,
1028*2139Sjp161948 SSL_ALL_STRENGTHS,
1029*2139Sjp161948 },
1030*2139Sjp161948
1031*2139Sjp161948 /* Cipher 50 */
1032*2139Sjp161948 {
1033*2139Sjp161948 1,
1034*2139Sjp161948 TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA,
1035*2139Sjp161948 TLS1_CK_ECDH_RSA_WITH_DES_192_CBC3_SHA,
1036*2139Sjp161948 SSL_kECDH|SSL_aRSA|SSL_3DES|SSL_SHA|SSL_TLSV1,
1037*2139Sjp161948 SSL_NOT_EXP|SSL_HIGH,
1038*2139Sjp161948 0,
1039*2139Sjp161948 168,
1040*2139Sjp161948 168,
1041*2139Sjp161948 SSL_ALL_CIPHERS,
1042*2139Sjp161948 SSL_ALL_STRENGTHS,
1043*2139Sjp161948 },
1044*2139Sjp161948
1045*2139Sjp161948 /* Cipher 51 */
1046*2139Sjp161948 {
1047*2139Sjp161948 1,
1048*2139Sjp161948 TLS1_TXT_ECDH_RSA_WITH_AES_128_CBC_SHA,
1049*2139Sjp161948 TLS1_CK_ECDH_RSA_WITH_AES_128_CBC_SHA,
1050*2139Sjp161948 SSL_kECDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
1051*2139Sjp161948 SSL_NOT_EXP|SSL_HIGH,
1052*2139Sjp161948 0,
1053*2139Sjp161948 128,
1054*2139Sjp161948 128,
1055*2139Sjp161948 SSL_ALL_CIPHERS,
1056*2139Sjp161948 SSL_ALL_STRENGTHS,
1057*2139Sjp161948 },
1058*2139Sjp161948
1059*2139Sjp161948 /* Cipher 52 */
1060*2139Sjp161948 {
1061*2139Sjp161948 1,
1062*2139Sjp161948 TLS1_TXT_ECDH_RSA_WITH_AES_256_CBC_SHA,
1063*2139Sjp161948 TLS1_CK_ECDH_RSA_WITH_AES_256_CBC_SHA,
1064*2139Sjp161948 SSL_kECDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
1065*2139Sjp161948 SSL_NOT_EXP|SSL_HIGH,
1066*2139Sjp161948 0,
1067*2139Sjp161948 256,
1068*2139Sjp161948 256,
1069*2139Sjp161948 SSL_ALL_CIPHERS,
1070*2139Sjp161948 SSL_ALL_STRENGTHS,
1071*2139Sjp161948 },
1072*2139Sjp161948
1073*2139Sjp161948 /* Cipher 53 */
1074*2139Sjp161948 {
1075*2139Sjp161948 1,
1076*2139Sjp161948 TLS1_TXT_ECDH_RSA_EXPORT_WITH_RC4_40_SHA,
1077*2139Sjp161948 TLS1_CK_ECDH_RSA_EXPORT_WITH_RC4_40_SHA,
1078*2139Sjp161948 SSL_kECDH|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
1079*2139Sjp161948 SSL_EXPORT|SSL_EXP40,
1080*2139Sjp161948 0,
1081*2139Sjp161948 40,
1082*2139Sjp161948 128,
1083*2139Sjp161948 SSL_ALL_CIPHERS,
1084*2139Sjp161948 SSL_ALL_STRENGTHS,
1085*2139Sjp161948 },
1086*2139Sjp161948
1087*2139Sjp161948 /* Cipher 54 */
1088*2139Sjp161948 {
1089*2139Sjp161948 1,
1090*2139Sjp161948 TLS1_TXT_ECDH_RSA_EXPORT_WITH_RC4_56_SHA,
1091*2139Sjp161948 TLS1_CK_ECDH_RSA_EXPORT_WITH_RC4_56_SHA,
1092*2139Sjp161948 SSL_kECDH|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
1093*2139Sjp161948 SSL_EXPORT|SSL_EXP56,
1094*2139Sjp161948 0,
1095*2139Sjp161948 56,
1096*2139Sjp161948 128,
1097*2139Sjp161948 SSL_ALL_CIPHERS,
1098*2139Sjp161948 SSL_ALL_STRENGTHS,
1099*2139Sjp161948 },
1100*2139Sjp161948
1101*2139Sjp161948 /* Cipher 55 */
1102*2139Sjp161948 {
1103*2139Sjp161948 1,
1104*2139Sjp161948 TLS1_TXT_ECDH_anon_WITH_NULL_SHA,
1105*2139Sjp161948 TLS1_CK_ECDH_anon_WITH_NULL_SHA,
1106*2139Sjp161948 SSL_kECDHE|SSL_aNULL|SSL_eNULL|SSL_SHA|SSL_TLSV1,
1107*2139Sjp161948 SSL_NOT_EXP,
1108*2139Sjp161948 0,
1109*2139Sjp161948 0,
1110*2139Sjp161948 0,
1111*2139Sjp161948 SSL_ALL_CIPHERS,
1112*2139Sjp161948 SSL_ALL_STRENGTHS,
1113*2139Sjp161948 },
1114*2139Sjp161948
1115*2139Sjp161948 /* Cipher 56 */
1116*2139Sjp161948 {
1117*2139Sjp161948 1,
1118*2139Sjp161948 TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA,
1119*2139Sjp161948 TLS1_CK_ECDH_anon_WITH_RC4_128_SHA,
1120*2139Sjp161948 SSL_kECDHE|SSL_aNULL|SSL_RC4|SSL_SHA|SSL_TLSV1,
1121*2139Sjp161948 SSL_NOT_EXP,
1122*2139Sjp161948 0,
1123*2139Sjp161948 128,
1124*2139Sjp161948 128,
1125*2139Sjp161948 SSL_ALL_CIPHERS,
1126*2139Sjp161948 SSL_ALL_STRENGTHS,
1127*2139Sjp161948 },
1128*2139Sjp161948
1129*2139Sjp161948 /* Cipher 57 */
1130*2139Sjp161948 {
1131*2139Sjp161948 1,
1132*2139Sjp161948 TLS1_TXT_ECDH_anon_WITH_DES_CBC_SHA,
1133*2139Sjp161948 TLS1_CK_ECDH_anon_WITH_DES_CBC_SHA,
1134*2139Sjp161948 SSL_kECDHE|SSL_aNULL|SSL_DES|SSL_SHA|SSL_TLSV1,
1135*2139Sjp161948 SSL_NOT_EXP|SSL_LOW,
1136*2139Sjp161948 0,
1137*2139Sjp161948 56,
1138*2139Sjp161948 56,
1139*2139Sjp161948 SSL_ALL_CIPHERS,
1140*2139Sjp161948 SSL_ALL_STRENGTHS,
1141*2139Sjp161948 },
1142*2139Sjp161948
1143*2139Sjp161948 /* Cipher 58 */
1144*2139Sjp161948 {
1145*2139Sjp161948 1,
1146*2139Sjp161948 TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA,
1147*2139Sjp161948 TLS1_CK_ECDH_anon_WITH_DES_192_CBC3_SHA,
1148*2139Sjp161948 SSL_kECDHE|SSL_aNULL|SSL_3DES|SSL_SHA|SSL_TLSV1,
1149*2139Sjp161948 SSL_NOT_EXP|SSL_HIGH,
1150*2139Sjp161948 0,
1151*2139Sjp161948 168,
1152*2139Sjp161948 168,
1153*2139Sjp161948 SSL_ALL_CIPHERS,
1154*2139Sjp161948 SSL_ALL_STRENGTHS,
1155*2139Sjp161948 },
1156*2139Sjp161948
1157*2139Sjp161948 /* Cipher 59 */
1158*2139Sjp161948 {
1159*2139Sjp161948 1,
1160*2139Sjp161948 TLS1_TXT_ECDH_anon_EXPORT_WITH_DES_40_CBC_SHA,
1161*2139Sjp161948 TLS1_CK_ECDH_anon_EXPORT_WITH_DES_40_CBC_SHA,
1162*2139Sjp161948 SSL_kECDHE|SSL_aNULL|SSL_DES|SSL_SHA|SSL_TLSV1,
1163*2139Sjp161948 SSL_EXPORT|SSL_EXP40,
1164*2139Sjp161948 0,
1165*2139Sjp161948 40,
1166*2139Sjp161948 56,
1167*2139Sjp161948 SSL_ALL_CIPHERS,
1168*2139Sjp161948 SSL_ALL_STRENGTHS,
1169*2139Sjp161948 },
1170*2139Sjp161948
1171*2139Sjp161948 /* Cipher 5A */
1172*2139Sjp161948 {
1173*2139Sjp161948 1,
1174*2139Sjp161948 TLS1_TXT_ECDH_anon_EXPORT_WITH_RC4_40_SHA,
1175*2139Sjp161948 TLS1_CK_ECDH_anon_EXPORT_WITH_RC4_40_SHA,
1176*2139Sjp161948 SSL_kECDHE|SSL_aNULL|SSL_RC4|SSL_SHA|SSL_TLSV1,
1177*2139Sjp161948 SSL_EXPORT|SSL_EXP40,
1178*2139Sjp161948 0,
1179*2139Sjp161948 40,
1180*2139Sjp161948 128,
1181*2139Sjp161948 SSL_ALL_CIPHERS,
1182*2139Sjp161948 SSL_ALL_STRENGTHS,
1183*2139Sjp161948 },
1184*2139Sjp161948 /* Cipher 5B */
1185*2139Sjp161948 /* XXX NOTE: The ECC/TLS draft has a bug and reuses 4B for this */
1186*2139Sjp161948 {
1187*2139Sjp161948 1,
1188*2139Sjp161948 TLS1_TXT_ECDH_ECDSA_EXPORT_WITH_RC4_40_SHA,
1189*2139Sjp161948 TLS1_CK_ECDH_ECDSA_EXPORT_WITH_RC4_40_SHA,
1190*2139Sjp161948 SSL_kECDH|SSL_aECDSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
1191*2139Sjp161948 SSL_EXPORT|SSL_EXP40,
1192*2139Sjp161948 0,
1193*2139Sjp161948 40,
1194*2139Sjp161948 128,
1195*2139Sjp161948 SSL_ALL_CIPHERS,
1196*2139Sjp161948 SSL_ALL_STRENGTHS,
1197*2139Sjp161948 },
1198*2139Sjp161948
1199*2139Sjp161948 /* Cipher 5C */
1200*2139Sjp161948 /* XXX NOTE: The ECC/TLS draft has a bug and reuses 4C for this */
1201*2139Sjp161948 {
1202*2139Sjp161948 1,
1203*2139Sjp161948 TLS1_TXT_ECDH_ECDSA_EXPORT_WITH_RC4_56_SHA,
1204*2139Sjp161948 TLS1_CK_ECDH_ECDSA_EXPORT_WITH_RC4_56_SHA,
1205*2139Sjp161948 SSL_kECDH|SSL_aECDSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
1206*2139Sjp161948 SSL_EXPORT|SSL_EXP56,
1207*2139Sjp161948 0,
1208*2139Sjp161948 56,
1209*2139Sjp161948 128,
1210*2139Sjp161948 SSL_ALL_CIPHERS,
1211*2139Sjp161948 SSL_ALL_STRENGTHS,
1212*2139Sjp161948 },
1213*2139Sjp161948
1214*2139Sjp161948 #endif /* OPENSSL_NO_ECDH */
12150Sstevel@tonic-gate
12160Sstevel@tonic-gate #if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES
12170Sstevel@tonic-gate /* New TLS Export CipherSuites */
12180Sstevel@tonic-gate /* Cipher 60 */
12190Sstevel@tonic-gate {
12200Sstevel@tonic-gate 1,
12210Sstevel@tonic-gate TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5,
12220Sstevel@tonic-gate TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5,
12230Sstevel@tonic-gate SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_TLSV1,
12240Sstevel@tonic-gate SSL_EXPORT|SSL_EXP56,
12250Sstevel@tonic-gate 0,
12260Sstevel@tonic-gate 56,
12270Sstevel@tonic-gate 128,
12280Sstevel@tonic-gate SSL_ALL_CIPHERS,
12290Sstevel@tonic-gate SSL_ALL_STRENGTHS,
12300Sstevel@tonic-gate },
12310Sstevel@tonic-gate /* Cipher 61 */
12320Sstevel@tonic-gate {
12330Sstevel@tonic-gate 1,
12340Sstevel@tonic-gate TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5,
12350Sstevel@tonic-gate TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5,
12360Sstevel@tonic-gate SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_TLSV1,
12370Sstevel@tonic-gate SSL_EXPORT|SSL_EXP56,
12380Sstevel@tonic-gate 0,
12390Sstevel@tonic-gate 56,
12400Sstevel@tonic-gate 128,
12410Sstevel@tonic-gate SSL_ALL_CIPHERS,
12420Sstevel@tonic-gate SSL_ALL_STRENGTHS,
12430Sstevel@tonic-gate },
12440Sstevel@tonic-gate /* Cipher 62 */
12450Sstevel@tonic-gate {
12460Sstevel@tonic-gate 1,
12470Sstevel@tonic-gate TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA,
12480Sstevel@tonic-gate TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA,
12490Sstevel@tonic-gate SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA|SSL_TLSV1,
12500Sstevel@tonic-gate SSL_EXPORT|SSL_EXP56,
12510Sstevel@tonic-gate 0,
12520Sstevel@tonic-gate 56,
12530Sstevel@tonic-gate 56,
12540Sstevel@tonic-gate SSL_ALL_CIPHERS,
12550Sstevel@tonic-gate SSL_ALL_STRENGTHS,
12560Sstevel@tonic-gate },
12570Sstevel@tonic-gate /* Cipher 63 */
12580Sstevel@tonic-gate {
12590Sstevel@tonic-gate 1,
12600Sstevel@tonic-gate TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
12610Sstevel@tonic-gate TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
12620Sstevel@tonic-gate SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA|SSL_TLSV1,
12630Sstevel@tonic-gate SSL_EXPORT|SSL_EXP56,
12640Sstevel@tonic-gate 0,
12650Sstevel@tonic-gate 56,
12660Sstevel@tonic-gate 56,
12670Sstevel@tonic-gate SSL_ALL_CIPHERS,
12680Sstevel@tonic-gate SSL_ALL_STRENGTHS,
12690Sstevel@tonic-gate },
12700Sstevel@tonic-gate /* Cipher 64 */
12710Sstevel@tonic-gate {
12720Sstevel@tonic-gate 1,
12730Sstevel@tonic-gate TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA,
12740Sstevel@tonic-gate TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA,
12750Sstevel@tonic-gate SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
12760Sstevel@tonic-gate SSL_EXPORT|SSL_EXP56,
12770Sstevel@tonic-gate 0,
12780Sstevel@tonic-gate 56,
12790Sstevel@tonic-gate 128,
12800Sstevel@tonic-gate SSL_ALL_CIPHERS,
12810Sstevel@tonic-gate SSL_ALL_STRENGTHS,
12820Sstevel@tonic-gate },
12830Sstevel@tonic-gate /* Cipher 65 */
12840Sstevel@tonic-gate {
12850Sstevel@tonic-gate 1,
12860Sstevel@tonic-gate TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
12870Sstevel@tonic-gate TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
12880Sstevel@tonic-gate SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1,
12890Sstevel@tonic-gate SSL_EXPORT|SSL_EXP56,
12900Sstevel@tonic-gate 0,
12910Sstevel@tonic-gate 56,
12920Sstevel@tonic-gate 128,
12930Sstevel@tonic-gate SSL_ALL_CIPHERS,
12940Sstevel@tonic-gate SSL_ALL_STRENGTHS,
12950Sstevel@tonic-gate },
12960Sstevel@tonic-gate /* Cipher 66 */
12970Sstevel@tonic-gate {
12980Sstevel@tonic-gate 1,
12990Sstevel@tonic-gate TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA,
13000Sstevel@tonic-gate TLS1_CK_DHE_DSS_WITH_RC4_128_SHA,
13010Sstevel@tonic-gate SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1,
13020Sstevel@tonic-gate SSL_NOT_EXP|SSL_MEDIUM,
13030Sstevel@tonic-gate 0,
13040Sstevel@tonic-gate 128,
13050Sstevel@tonic-gate 128,
13060Sstevel@tonic-gate SSL_ALL_CIPHERS,
13070Sstevel@tonic-gate SSL_ALL_STRENGTHS
13080Sstevel@tonic-gate },
13090Sstevel@tonic-gate #endif
13100Sstevel@tonic-gate
1311*2139Sjp161948 #ifndef OPENSSL_NO_ECDH
1312*2139Sjp161948 /* Cipher 77 XXX: ECC ciphersuites offering forward secrecy
1313*2139Sjp161948 * are not yet specified in the ECC/TLS draft but our code
1314*2139Sjp161948 * allows them to be implemented very easily. To add such
1315*2139Sjp161948 * a cipher suite, one needs to add two constant definitions
1316*2139Sjp161948 * to tls1.h and a new structure in this file as shown below. We
1317*2139Sjp161948 * illustrate the process for the made-up cipher
1318*2139Sjp161948 * ECDHE-ECDSA-AES128-SHA.
1319*2139Sjp161948 */
13200Sstevel@tonic-gate {
1321*2139Sjp161948 1,
1322*2139Sjp161948 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
1323*2139Sjp161948 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
1324*2139Sjp161948 SSL_kECDHE|SSL_aECDSA|SSL_AES|SSL_SHA|SSL_TLSV1,
1325*2139Sjp161948 SSL_NOT_EXP|SSL_HIGH,
1326*2139Sjp161948 0,
1327*2139Sjp161948 128,
1328*2139Sjp161948 128,
1329*2139Sjp161948 SSL_ALL_CIPHERS,
1330*2139Sjp161948 SSL_ALL_STRENGTHS,
1331*2139Sjp161948 },
13320Sstevel@tonic-gate
1333*2139Sjp161948 /* Cipher 78 XXX: Another made-up ECC cipher suite that
1334*2139Sjp161948 * offers forward secrecy (ECDHE-RSA-AES128-SHA).
1335*2139Sjp161948 */
13360Sstevel@tonic-gate {
1337*2139Sjp161948 1,
1338*2139Sjp161948 TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,
1339*2139Sjp161948 TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
1340*2139Sjp161948 SSL_kECDHE|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
1341*2139Sjp161948 SSL_NOT_EXP|SSL_HIGH,
1342*2139Sjp161948 0,
1343*2139Sjp161948 128,
1344*2139Sjp161948 128,
1345*2139Sjp161948 SSL_ALL_CIPHERS,
1346*2139Sjp161948 SSL_ALL_STRENGTHS,
1347*2139Sjp161948 },
1348*2139Sjp161948 #endif /* !OPENSSL_NO_ECDH */
13490Sstevel@tonic-gate
13500Sstevel@tonic-gate /* end of list */
13510Sstevel@tonic-gate };
13520Sstevel@tonic-gate
/*
 * SSLv3 crypto hooks used by the record and handshake layers.  This is a
 * positional initializer: the order must match the field order of the
 * SSL3_ENC_METHOD declaration, so any new field has to be appended there
 * first and then here.
 */
SSL3_ENC_METHOD SSLv3_enc_data={
	ssl3_enc,                            /* record encrypt / decrypt */
	ssl3_mac,                            /* record MAC */
	ssl3_setup_key_block,                /* derive the key block from the master secret */
	ssl3_generate_master_secret,
	ssl3_change_cipher_state,            /* install pending read/write keys */
	ssl3_final_finish_mac,               /* Finished message MAC */
	MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH, /* size of that MAC: SSLv3 Finished is MD5 || SHA-1 */
	ssl3_cert_verify_mac,                /* CertificateVerify MAC */
	SSL3_MD_CLIENT_FINISHED_CONST,4,     /* client Finished label and its length (4 bytes) */
	SSL3_MD_SERVER_FINISHED_CONST,4,     /* server Finished label and its length (4 bytes) */
	ssl3_alert_code,                     /* SSL_AD_* -> SSLv3 wire alert value */
};
13660Sstevel@tonic-gate
/*
 * Default session lifetime for SSLv3 sessions, in seconds.
 *
 * Two hours rather than the 24 hours suggested by the SSLv3 spec: HTTP
 * clients create many short-lived sessions, and a day-long lifetime would
 * let the session cache fill up.
 */
long ssl3_default_timeout(void)
{
    const long seconds_per_hour = 60 * 60;

    return 2 * seconds_per_hour;
}
13730Sstevel@tonic-gate
/*
 * Instantiate the SSL_METHOD accessor for the protocol-neutral SSLv3 base
 * method.  The macro body is defined outside this file; from the arguments
 * it presumably wires the accept and connect entry points to
 * ssl_undefined_function and the method lookup to ssl_bad_method, so this
 * method is not usable for a handshake on its own -- the concrete SSLv3
 * client and server methods provide the real implementations.
 */
IMPLEMENT_ssl3_meth_func(sslv3_base_method,
			ssl_undefined_function,
			ssl_undefined_function,
			ssl_bad_method)
13780Sstevel@tonic-gate
/*
 * Number of entries in the SSLv3/TLSv1 cipher suite table ssl3_ciphers[].
 * Paired with ssl3_get_cipher() so callers can enumerate the table.
 */
int ssl3_num_ciphers(void)
{
    return SSL3_NUM_CIPHERS;
}
13830Sstevel@tonic-gate
/*
 * Return the u-th cipher suite of ssl3_ciphers[], or NULL when u is out of
 * range.
 *
 * The table is walked backwards: index 0 yields the last table entry, so the
 * suites listed at the bottom of ssl3_ciphers[] are enumerated first.
 * Because u is unsigned, a single comparison also rejects "negative" values.
 */
SSL_CIPHER *ssl3_get_cipher(unsigned int u)
{
    unsigned int last = SSL3_NUM_CIPHERS - 1;

    if (u >= SSL3_NUM_CIPHERS)
        return NULL;

    return &ssl3_ciphers[last - u];
}
13910Sstevel@tonic-gate
/*
 * Number of application-data bytes already read into the current record
 * and not yet handed to the caller.
 *
 * Returns 0 while a record body is still being read, and 0 when the
 * buffered record is not application data (alerts, handshake and
 * change-cipher-spec records are not counted).
 */
int ssl3_pending(const SSL *s)
{
    if (s->rstate == SSL_ST_READ_BODY)
        return 0;

    if (s->s3->rrec.type != SSL3_RT_APPLICATION_DATA)
        return 0;

    return s->s3->rrec.length;
}
13990Sstevel@tonic-gate
/*
 * Allocate and attach the SSLv3 per-connection state to s.
 *
 * Returns 1 on success and 0 when the allocation fails, in which case
 * s->s3 is left untouched.
 */
int ssl3_new(SSL *s)
{
    SSL3_STATE *s3 = OPENSSL_malloc(sizeof *s3);

    if (s3 == NULL)
        return 0;

    /* Start from all-zero so every pointer field is NULL and the
     * NULL checks in ssl3_free()/ssl3_clear() are meaningful. */
    memset(s3, 0, sizeof *s3);
    EVP_MD_CTX_init(&s3->finish_dgst1);
    EVP_MD_CTX_init(&s3->finish_dgst2);
    /* Read/write record sequence numbers. */
    pq_64bit_init(&s3->rrec.seq_num);
    pq_64bit_init(&s3->wrec.seq_num);

    s->s3 = s3;

    /* Let the method reset the connection to its initial state. */
    s->method->ssl_clear(s);
    return 1;
}
14180Sstevel@tonic-gate
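/*
 * Release the SSLv3 per-connection state attached to s.
 *
 * Safe to call with a NULL s, with an s whose SSLv3 state was never
 * allocated (ssl3_new() returns 0 without assigning s->s3), and after a
 * previous ssl3_free() (which leaves s->s3 NULL).  The original code
 * dereferenced s->s3 unconditionally in those cases.
 */
void ssl3_free(SSL *s)
{
    SSL3_STATE *s3;

    if (s == NULL || s->s3 == NULL)
        return;
    s3 = s->s3;

    ssl3_cleanup_key_block(s);
    if (s3->rbuf.buf != NULL)
        OPENSSL_free(s3->rbuf.buf);
    if (s3->wbuf.buf != NULL)
        OPENSSL_free(s3->wbuf.buf);
    if (s3->rrec.comp != NULL)
        OPENSSL_free(s3->rrec.comp);
#ifndef OPENSSL_NO_DH
    if (s3->tmp.dh != NULL)
        DH_free(s3->tmp.dh);
#endif
#ifndef OPENSSL_NO_ECDH
    if (s3->tmp.ecdh != NULL)
        EC_KEY_free(s3->tmp.ecdh);
#endif

    if (s3->tmp.ca_names != NULL)
        sk_X509_NAME_pop_free(s3->tmp.ca_names, X509_NAME_free);
    EVP_MD_CTX_cleanup(&s3->finish_dgst1);
    EVP_MD_CTX_cleanup(&s3->finish_dgst2);
    pq_64bit_free(&s3->rrec.seq_num);
    pq_64bit_free(&s3->wrec.seq_num);

    /* The state block holds key-derivation material and handshake
     * digests; scrub it before returning the memory so secrets do not
     * linger on the heap. */
    OPENSSL_cleanse(s3, sizeof *s3);
    OPENSSL_free(s3);
    s->s3 = NULL;
}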
14510Sstevel@tonic-gate
/*
 * Reset the SSLv3 state of s so the connection can be reused for a fresh
 * handshake.
 *
 * Everything in s->s3 is released and zeroed except the read and write
 * record buffers, which are kept (pointer and length) to avoid
 * reallocating them.  Also resets the connection-level packet length and
 * pins the version back to SSL3_VERSION.
 */
void ssl3_clear(SSL *s)
{
    SSL3_STATE *s3 = s->s3;
    unsigned char *saved_rbuf, *saved_wbuf;
    size_t saved_rlen, saved_wlen;

    ssl3_cleanup_key_block(s);
    if (s3->tmp.ca_names != NULL)
        sk_X509_NAME_pop_free(s3->tmp.ca_names, X509_NAME_free);

    if (s3->rrec.comp != NULL) {
        OPENSSL_free(s3->rrec.comp);
        s3->rrec.comp = NULL;
    }
#ifndef OPENSSL_NO_DH
    if (s3->tmp.dh != NULL)
        DH_free(s3->tmp.dh);
#endif
#ifndef OPENSSL_NO_ECDH
    if (s3->tmp.ecdh != NULL)
        EC_KEY_free(s3->tmp.ecdh);
#endif

    /* The record buffers survive the reset: stash them before wiping. */
    saved_rbuf = s3->rbuf.buf;
    saved_wbuf = s3->wbuf.buf;
    saved_rlen = s3->rbuf.len;
    saved_wlen = s3->wbuf.len;

    EVP_MD_CTX_cleanup(&s3->finish_dgst1);
    EVP_MD_CTX_cleanup(&s3->finish_dgst2);

    memset(s3, 0, sizeof *s3);
    s3->rbuf.buf = saved_rbuf;
    s3->wbuf.buf = saved_wbuf;
    s3->rbuf.len = saved_rlen;
    s3->wbuf.len = saved_wlen;

    ssl_free_wbio_buffer(s);

    s->packet_length = 0;
    s3->renegotiate = 0;
    s3->total_renegotiations = 0;
    s3->num_renegotiations = 0;
    s3->in_read_app_data = 0;
    s->version = SSL3_VERSION;
}
14980Sstevel@tonic-gate
ssl3_ctrl(SSL * s,int cmd,long larg,void * parg)14990Sstevel@tonic-gate long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
15000Sstevel@tonic-gate {
15010Sstevel@tonic-gate int ret=0;
15020Sstevel@tonic-gate
15030Sstevel@tonic-gate #if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_RSA)
15040Sstevel@tonic-gate if (
15050Sstevel@tonic-gate #ifndef OPENSSL_NO_RSA
15060Sstevel@tonic-gate cmd == SSL_CTRL_SET_TMP_RSA ||
15070Sstevel@tonic-gate cmd == SSL_CTRL_SET_TMP_RSA_CB ||
15080Sstevel@tonic-gate #endif
15090Sstevel@tonic-gate #ifndef OPENSSL_NO_DSA
15100Sstevel@tonic-gate cmd == SSL_CTRL_SET_TMP_DH ||
15110Sstevel@tonic-gate cmd == SSL_CTRL_SET_TMP_DH_CB ||
15120Sstevel@tonic-gate #endif
15130Sstevel@tonic-gate 0)
15140Sstevel@tonic-gate {
15150Sstevel@tonic-gate if (!ssl_cert_inst(&s->cert))
15160Sstevel@tonic-gate {
15170Sstevel@tonic-gate SSLerr(SSL_F_SSL3_CTRL, ERR_R_MALLOC_FAILURE);
15180Sstevel@tonic-gate return(0);
15190Sstevel@tonic-gate }
15200Sstevel@tonic-gate }
15210Sstevel@tonic-gate #endif
15220Sstevel@tonic-gate
15230Sstevel@tonic-gate switch (cmd)
15240Sstevel@tonic-gate {
15250Sstevel@tonic-gate case SSL_CTRL_GET_SESSION_REUSED:
15260Sstevel@tonic-gate ret=s->hit;
15270Sstevel@tonic-gate break;
15280Sstevel@tonic-gate case SSL_CTRL_GET_CLIENT_CERT_REQUEST:
15290Sstevel@tonic-gate break;
15300Sstevel@tonic-gate case SSL_CTRL_GET_NUM_RENEGOTIATIONS:
15310Sstevel@tonic-gate ret=s->s3->num_renegotiations;
15320Sstevel@tonic-gate break;
15330Sstevel@tonic-gate case SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS:
15340Sstevel@tonic-gate ret=s->s3->num_renegotiations;
15350Sstevel@tonic-gate s->s3->num_renegotiations=0;
15360Sstevel@tonic-gate break;
15370Sstevel@tonic-gate case SSL_CTRL_GET_TOTAL_RENEGOTIATIONS:
15380Sstevel@tonic-gate ret=s->s3->total_renegotiations;
15390Sstevel@tonic-gate break;
15400Sstevel@tonic-gate case SSL_CTRL_GET_FLAGS:
15410Sstevel@tonic-gate ret=(int)(s->s3->flags);
15420Sstevel@tonic-gate break;
15430Sstevel@tonic-gate #ifndef OPENSSL_NO_RSA
15440Sstevel@tonic-gate case SSL_CTRL_NEED_TMP_RSA:
15450Sstevel@tonic-gate if ((s->cert != NULL) && (s->cert->rsa_tmp == NULL) &&
15460Sstevel@tonic-gate ((s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) ||
15470Sstevel@tonic-gate (EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey) > (512/8))))
15480Sstevel@tonic-gate ret = 1;
15490Sstevel@tonic-gate break;
15500Sstevel@tonic-gate case SSL_CTRL_SET_TMP_RSA:
15510Sstevel@tonic-gate {
15520Sstevel@tonic-gate RSA *rsa = (RSA *)parg;
15530Sstevel@tonic-gate if (rsa == NULL)
15540Sstevel@tonic-gate {
15550Sstevel@tonic-gate SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER);
15560Sstevel@tonic-gate return(ret);
15570Sstevel@tonic-gate }
15580Sstevel@tonic-gate if ((rsa = RSAPrivateKey_dup(rsa)) == NULL)
15590Sstevel@tonic-gate {
15600Sstevel@tonic-gate SSLerr(SSL_F_SSL3_CTRL, ERR_R_RSA_LIB);
15610Sstevel@tonic-gate return(ret);
15620Sstevel@tonic-gate }
15630Sstevel@tonic-gate if (s->cert->rsa_tmp != NULL)
15640Sstevel@tonic-gate RSA_free(s->cert->rsa_tmp);
15650Sstevel@tonic-gate s->cert->rsa_tmp = rsa;
15660Sstevel@tonic-gate ret = 1;
15670Sstevel@tonic-gate }
15680Sstevel@tonic-gate break;
15690Sstevel@tonic-gate case SSL_CTRL_SET_TMP_RSA_CB:
15700Sstevel@tonic-gate {
15710Sstevel@tonic-gate SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
15720Sstevel@tonic-gate return(ret);
15730Sstevel@tonic-gate }
15740Sstevel@tonic-gate break;
15750Sstevel@tonic-gate #endif
15760Sstevel@tonic-gate #ifndef OPENSSL_NO_DH
15770Sstevel@tonic-gate case SSL_CTRL_SET_TMP_DH:
15780Sstevel@tonic-gate {
15790Sstevel@tonic-gate DH *dh = (DH *)parg;
15800Sstevel@tonic-gate if (dh == NULL)
15810Sstevel@tonic-gate {
15820Sstevel@tonic-gate SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER);
15830Sstevel@tonic-gate return(ret);
15840Sstevel@tonic-gate }
15850Sstevel@tonic-gate if ((dh = DHparams_dup(dh)) == NULL)
15860Sstevel@tonic-gate {
15870Sstevel@tonic-gate SSLerr(SSL_F_SSL3_CTRL, ERR_R_DH_LIB);
15880Sstevel@tonic-gate return(ret);
15890Sstevel@tonic-gate }
15900Sstevel@tonic-gate if (!(s->options & SSL_OP_SINGLE_DH_USE))
15910Sstevel@tonic-gate {
15920Sstevel@tonic-gate if (!DH_generate_key(dh))
15930Sstevel@tonic-gate {
15940Sstevel@tonic-gate DH_free(dh);
15950Sstevel@tonic-gate SSLerr(SSL_F_SSL3_CTRL, ERR_R_DH_LIB);
15960Sstevel@tonic-gate return(ret);
15970Sstevel@tonic-gate }
15980Sstevel@tonic-gate }
15990Sstevel@tonic-gate if (s->cert->dh_tmp != NULL)
16000Sstevel@tonic-gate DH_free(s->cert->dh_tmp);
16010Sstevel@tonic-gate s->cert->dh_tmp = dh;
16020Sstevel@tonic-gate ret = 1;
16030Sstevel@tonic-gate }
16040Sstevel@tonic-gate break;
16050Sstevel@tonic-gate case SSL_CTRL_SET_TMP_DH_CB:
16060Sstevel@tonic-gate {
16070Sstevel@tonic-gate SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
16080Sstevel@tonic-gate return(ret);
16090Sstevel@tonic-gate }
16100Sstevel@tonic-gate break;
16110Sstevel@tonic-gate #endif
1612*2139Sjp161948 #ifndef OPENSSL_NO_ECDH
1613*2139Sjp161948 case SSL_CTRL_SET_TMP_ECDH:
1614*2139Sjp161948 {
1615*2139Sjp161948 EC_KEY *ecdh = NULL;
1616*2139Sjp161948
1617*2139Sjp161948 if (parg == NULL)
1618*2139Sjp161948 {
1619*2139Sjp161948 SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER);
1620*2139Sjp161948 return(ret);
1621*2139Sjp161948 }
1622*2139Sjp161948 if (!EC_KEY_up_ref((EC_KEY *)parg))
1623*2139Sjp161948 {
1624*2139Sjp161948 SSLerr(SSL_F_SSL3_CTRL,ERR_R_ECDH_LIB);
1625*2139Sjp161948 return(ret);
1626*2139Sjp161948 }
1627*2139Sjp161948 ecdh = (EC_KEY *)parg;
1628*2139Sjp161948 if (!(s->options & SSL_OP_SINGLE_ECDH_USE))
1629*2139Sjp161948 {
1630*2139Sjp161948 if (!EC_KEY_generate_key(ecdh))
1631*2139Sjp161948 {
1632*2139Sjp161948 EC_KEY_free(ecdh);
1633*2139Sjp161948 SSLerr(SSL_F_SSL3_CTRL,ERR_R_ECDH_LIB);
1634*2139Sjp161948 return(ret);
1635*2139Sjp161948 }
1636*2139Sjp161948 }
1637*2139Sjp161948 if (s->cert->ecdh_tmp != NULL)
1638*2139Sjp161948 EC_KEY_free(s->cert->ecdh_tmp);
1639*2139Sjp161948 s->cert->ecdh_tmp = ecdh;
1640*2139Sjp161948 ret = 1;
1641*2139Sjp161948 }
1642*2139Sjp161948 break;
1643*2139Sjp161948 case SSL_CTRL_SET_TMP_ECDH_CB:
1644*2139Sjp161948 {
1645*2139Sjp161948 SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
1646*2139Sjp161948 return(ret);
1647*2139Sjp161948 }
1648*2139Sjp161948 break;
1649*2139Sjp161948 #endif /* !OPENSSL_NO_ECDH */
16500Sstevel@tonic-gate default:
16510Sstevel@tonic-gate break;
16520Sstevel@tonic-gate }
16530Sstevel@tonic-gate return(ret);
16540Sstevel@tonic-gate }
16550Sstevel@tonic-gate
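/*
 * Per-connection callback installer for the SSLv3/TLS method: stores the
 * temporary-key callback selected by 'cmd' in the connection's CERT.
 *
 * s   - connection whose CERT receives the callback; s->cert may still be
 *       NULL and is allocated on demand through ssl_cert_inst() for every
 *       command that writes through it.
 * cmd - SSL_CTRL_SET_TMP_RSA_CB, SSL_CTRL_SET_TMP_DH_CB or
 *       SSL_CTRL_SET_TMP_ECDH_CB; any other command is ignored.
 * fp  - callback, cast to the signature the selected slot expects.
 *
 * Returns 0 in every case (the original contract; callers do not use the
 * value).  A failed CERT allocation raises ERR_R_MALLOC_FAILURE and leaves
 * the callback slots untouched.
 */
long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void))
{
    int needs_cert = 0;

    /*
     * Every command handled in the switch below dereferences s->cert, so
     * each of them must be listed here, and each guard must use the same
     * OPENSSL_NO_* macro that compiles the matching case.  Previously the
     * DH entry was keyed on OPENSSL_NO_DSA and the ECDH command was not
     * listed at all, so a build with DSA disabled (or any build receiving
     * SSL_CTRL_SET_TMP_ECDH_CB before a certificate was loaded) could reach
     * the switch with s->cert == NULL and dereference it.
     */
#ifndef OPENSSL_NO_RSA
    if (cmd == SSL_CTRL_SET_TMP_RSA_CB)
        needs_cert = 1;
#endif
#ifndef OPENSSL_NO_DH
    if (cmd == SSL_CTRL_SET_TMP_DH_CB)
        needs_cert = 1;
#endif
#ifndef OPENSSL_NO_ECDH
    if (cmd == SSL_CTRL_SET_TMP_ECDH_CB)
        needs_cert = 1;
#endif

    if (needs_cert && !ssl_cert_inst(&s->cert)) {
        SSLerr(SSL_F_SSL3_CALLBACK_CTRL, ERR_R_MALLOC_FAILURE);
        return 0;
    }

    switch (cmd) {
#ifndef OPENSSL_NO_RSA
    case SSL_CTRL_SET_TMP_RSA_CB:
        s->cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp;
        break;
#endif
#ifndef OPENSSL_NO_DH
    case SSL_CTRL_SET_TMP_DH_CB:
        s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
        break;
#endif
#ifndef OPENSSL_NO_ECDH
    case SSL_CTRL_SET_TMP_ECDH_CB:
        s->cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp;
        break;
#endif
    default:
        /* Unknown commands are silently ignored, as before. */
        break;
    }
    return 0;
}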
17060Sstevel@tonic-gate
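/*
 * SSL_CTX-level control handler for the SSLv3/TLS method.
 *
 * ctx  - context whose CERT (ctx->cert) is queried or updated.
 * cmd  - one of the SSL_CTRL_* commands handled below.
 * larg - not used by any command handled here.
 * parg - command-specific object: RSA *, DH *, EC_KEY * or X509 *.
 *
 * Ownership: the temporary RSA/DH/ECDH keys are duplicated before being
 * stored, so the caller keeps ownership of parg for those commands.  For
 * SSL_CTRL_EXTRA_CHAIN_CERT the X509 pointer itself is pushed onto
 * ctx->extra_certs (not duplicated), and only when 1 is returned.
 *
 * Returns 1 on success and 0 on failure or for an unknown command.  For
 * the SSL_CTRL_NEED_TMP_RSA query, 1 means a temporary RSA key is needed
 * and none is installed.
 */
long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
{
    CERT *cert = ctx->cert;

    (void)larg;

    switch (cmd) {
#ifndef OPENSSL_NO_RSA
    case SSL_CTRL_NEED_TMP_RSA:
        /*
         * A temporary key is needed when none is installed and the static
         * RSA key is either absent or larger than 64 bytes (512 bits).
         */
        if (cert->rsa_tmp == NULL
            && (cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
                || EVP_PKEY_size(cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)
                   > (512 / 8)))
            return 1;
        return 0;

    case SSL_CTRL_SET_TMP_RSA:
        {
            /* A NULL parg is reported the same way as a failed dup. */
            RSA *rsa = (parg != NULL) ? RSAPrivateKey_dup((RSA *)parg) : NULL;

            if (rsa == NULL) {
                SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_RSA_LIB);
                return 0;
            }
            if (cert->rsa_tmp != NULL)
                RSA_free(cert->rsa_tmp);
            cert->rsa_tmp = rsa;
            return 1;
        }

    case SSL_CTRL_SET_TMP_RSA_CB:
        /* Callbacks go through ssl3_ctx_callback_ctrl(), never this entry. */
        SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
        return 0;
#endif
#ifndef OPENSSL_NO_DH
    case SSL_CTRL_SET_TMP_DH:
        {
            DH *dh;

            /* Reject NULL explicitly, matching the per-connection handler. */
            if (parg == NULL) {
                SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_PASSED_NULL_PARAMETER);
                return 0;
            }
            if ((dh = DHparams_dup((DH *)parg)) == NULL) {
                SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_DH_LIB);
                return 0;
            }
            /*
             * Without SSL_OP_SINGLE_DH_USE a single key pair is generated
             * here and reused; with it, key generation is deferred.
             */
            if (!(ctx->options & SSL_OP_SINGLE_DH_USE) && !DH_generate_key(dh)) {
                SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_DH_LIB);
                DH_free(dh);
                return 0;
            }
            if (cert->dh_tmp != NULL)
                DH_free(cert->dh_tmp);
            cert->dh_tmp = dh;
            return 1;
        }

    case SSL_CTRL_SET_TMP_DH_CB:
        SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
        return 0;
#endif
#ifndef OPENSSL_NO_ECDH
    case SSL_CTRL_SET_TMP_ECDH:
        {
            EC_KEY *ecdh;

            if (parg == NULL) {
                SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_ECDH_LIB);
                return 0;
            }
            if ((ecdh = EC_KEY_dup((EC_KEY *)parg)) == NULL) {
                SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_EC_LIB);
                return 0;
            }
            /* Same reuse-vs-deferred policy as the DH case. */
            if (!(ctx->options & SSL_OP_SINGLE_ECDH_USE)
                && !EC_KEY_generate_key(ecdh)) {
                EC_KEY_free(ecdh);
                SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_ECDH_LIB);
                return 0;
            }
            if (cert->ecdh_tmp != NULL)
                EC_KEY_free(cert->ecdh_tmp);
            cert->ecdh_tmp = ecdh;
            return 1;
        }

    case SSL_CTRL_SET_TMP_ECDH_CB:
        SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
        return 0;
#endif /* !OPENSSL_NO_ECDH */

    /* A Thawte special :-) */
    case SSL_CTRL_EXTRA_CHAIN_CERT:
        if (ctx->extra_certs == NULL
            && (ctx->extra_certs = sk_X509_new_null()) == NULL)
            return 0;
        /*
         * A failed push used to be ignored while 1 was still returned, so
         * the caller believed the certificate had been added to the chain.
         */
        if (!sk_X509_push(ctx->extra_certs, (X509 *)parg))
            return 0;
        return 1;

    default:
        return 0;
    }
}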
18490Sstevel@tonic-gate
/*
 * Install a temporary-key callback in the SSL_CTX's CERT.
 *
 * ctx - context whose CERT receives the callback.
 * cmd - SSL_CTRL_SET_TMP_RSA_CB, SSL_CTRL_SET_TMP_DH_CB or
 *       SSL_CTRL_SET_TMP_ECDH_CB.
 * fp  - callback, cast to the signature of the selected slot.
 *
 * Returns 1 when a slot was set, 0 for any other command.
 */
long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
{
    CERT *cert = ctx->cert;

    switch (cmd) {
#ifndef OPENSSL_NO_RSA
    case SSL_CTRL_SET_TMP_RSA_CB:
        cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp;
        return 1;
#endif
#ifndef OPENSSL_NO_DH
    case SSL_CTRL_SET_TMP_DH_CB:
        cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
        return 1;
#endif
#ifndef OPENSSL_NO_ECDH
    case SSL_CTRL_SET_TMP_ECDH_CB:
        cert->ecdh_tmp_cb = (EC_KEY *(*)(SSL *, int, int))fp;
        return 1;
#endif
    default:
        return 0;
    }
}
18840Sstevel@tonic-gate
/*
 * Look up the cipher whose two-byte SSLv3/TLS wire identifier is p[0],p[1].
 *
 * p - points at the two identifier bytes (must not be NULL).
 *
 * Returns a pointer into the static ssl3_ciphers table, or NULL when the
 * identifier is unknown or the table entry has valid == 0, i.e. the cipher
 * is listed but not actually available in this build.
 */
SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p)
{
    SSL_CIPHER key;
    SSL_CIPHER *found;

    /* Only the id field is consulted by the comparison callback. */
    key.id = 0x03000000L | ((unsigned long)p[0] << 8L) | (unsigned long)p[1];
    found = (SSL_CIPHER *)OBJ_bsearch((char *)&key, (char *)ssl3_ciphers,
                                      SSL3_NUM_CIPHERS, sizeof(SSL_CIPHER),
                                      FP_ICC ssl_cipher_id_cmp);
    if (found != NULL && found->valid != 0)
        return found;
    return NULL;
}
19030Sstevel@tonic-gate
/*
 * Encode a cipher's SSLv3/TLS wire identifier into two bytes.
 *
 * c - cipher to encode.
 * p - destination for the two bytes, or NULL to query the length only.
 *
 * Returns 2 (the encoded length) on success or when p is NULL; returns 0
 * without writing when c->id is not in the 0x0300xxxx SSLv3/TLS space.
 */
int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p)
{
    long id;

    if (p == NULL)
        return 2;

    id = c->id;
    if ((id & 0xff000000) != 0x03000000)
        return 0;

    p[0] = ((unsigned char)(id >> 8L)) & 0xFF;
    p[1] = ((unsigned char)(id)) & 0xFF;
    return 2;
}
19170Sstevel@tonic-gate
/*
 * Pick the cipher suite to use for this connection.
 *
 * s    - server connection; its CERT decides which key-exchange and
 *        authentication algorithms are usable.
 * clnt - cipher list offered by the client.
 * srvr - cipher list configured on the server.
 *
 * One list is walked in order ("prio") and the other is searched for each
 * candidate ("allow"); SSL_OP_CIPHER_SERVER_PREFERENCE selects which is
 * which.  Candidates are skipped when the CERT masks (export masks for
 * export ciphers) do not cover the cipher's key-exchange/auth bits, or,
 * for Kerberos suites, when no keytab is available.
 *
 * Returns the first acceptable cipher present in both lists, or NULL.
 * The stacks are deliberately left without a compare function: setting
 * one would reorder them by id, and the original ordering is what we want.
 */
SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
                               STACK_OF(SSL_CIPHER) *srvr)
{
    SSL_CIPHER *c;
    SSL_CIPHER *chosen = NULL;
    STACK_OF(SSL_CIPHER) *prio;
    STACK_OF(SSL_CIPHER) *allow;
    CERT *cert = s->cert;
    unsigned long alg, mask, emask;
    int i, j, ok;

#ifdef CIPHER_DEBUG
    printf("Server has %d from %p:\n", sk_SSL_CIPHER_num(srvr), srvr);
    for (i = 0; i < sk_SSL_CIPHER_num(srvr); ++i) {
        c = sk_SSL_CIPHER_value(srvr, i);
        printf("%p:%s\n", c, c->name);
    }
    printf("Client sent %d from %p:\n", sk_SSL_CIPHER_num(clnt), clnt);
    for (i = 0; i < sk_SSL_CIPHER_num(clnt); ++i) {
        c = sk_SSL_CIPHER_value(clnt, i);
        printf("%p:%s\n", c, c->name);
    }
#endif

    if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
        prio = srvr;
        allow = clnt;
    } else {
        prio = clnt;
        allow = srvr;
    }

    for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) {
        c = sk_SSL_CIPHER_value(prio, i);

        /* Recompute what the certificate can support for this cipher. */
        ssl_set_cert_masks(cert, c);
        mask = cert->mask;
        emask = cert->export_mask;

#ifdef KSSL_DEBUG
        printf("ssl3_choose_cipher %d alg= %lx\n", i, c->algorithms);
#endif /* KSSL_DEBUG */

        alg = c->algorithms & (SSL_MKEY_MASK | SSL_AUTH_MASK);
#ifndef OPENSSL_NO_KRB5
        if ((alg & SSL_KRB5) && !kssl_keytab_is_available(s->kssl_ctx))
            continue;
#endif /* OPENSSL_NO_KRB5 */

        if (SSL_C_IS_EXPORT(c)) {
            ok = ((alg & emask) == alg) ? 1 : 0;
#ifdef CIPHER_DEBUG
            printf("%d:[%08lX:%08lX]%p:%s (export)\n", ok, alg, emask,
                   c, c->name);
#endif
        } else {
            ok = ((alg & mask) == alg) ? 1 : 0;
#ifdef CIPHER_DEBUG
            printf("%d:[%08lX:%08lX]%p:%s\n", ok, alg, mask, c,
                   c->name);
#endif
        }
        if (!ok)
            continue;

        j = sk_SSL_CIPHER_find(allow, c);
        if (j >= 0) {
            chosen = sk_SSL_CIPHER_value(allow, j);
            break;
        }
    }
    return chosen;
}
20130Sstevel@tonic-gate
/*
 * Fill in the list of client certificate types to advertise in a
 * CertificateRequest, based on the negotiated cipher's algorithms and the
 * protocol version.
 *
 * s - connection; s->s3->tmp.new_cipher must already be set.
 * p - output buffer for the type bytes; the caller must provide room for
 *     every type this build can emit (no bound is passed in).
 *
 * Returns the number of bytes written to p.
 */
int ssl3_get_req_cert_type(SSL *s, unsigned char *p)
{
    unsigned char *out = p;
    unsigned long alg = s->s3->tmp.new_cipher->algorithms;

#ifndef OPENSSL_NO_DH
    if (alg & (SSL_kDHr | SSL_kEDH)) {
# ifndef OPENSSL_NO_RSA
        *out++ = SSL3_CT_RSA_FIXED_DH;
# endif
# ifndef OPENSSL_NO_DSA
        *out++ = SSL3_CT_DSS_FIXED_DH;
# endif
    }
    /* The ephemeral-DH types only exist in SSLv3. */
    if (s->version == SSL3_VERSION && (alg & (SSL_kEDH | SSL_kDHd | SSL_kDHr))) {
# ifndef OPENSSL_NO_RSA
        *out++ = SSL3_CT_RSA_EPHEMERAL_DH;
# endif
# ifndef OPENSSL_NO_DSA
        *out++ = SSL3_CT_DSS_EPHEMERAL_DH;
# endif
    }
#endif /* !OPENSSL_NO_DH */
#ifndef OPENSSL_NO_RSA
    *out++ = SSL3_CT_RSA_SIGN;
#endif
#ifndef OPENSSL_NO_DSA
    *out++ = SSL3_CT_DSS_SIGN;
#endif
#ifndef OPENSSL_NO_ECDH
    /*
     * Fixed ECDH certificates are only requested for SSL_kECDH (not
     * SSL_kECDHE), and only from TLS 1.0 on.
     */
    if ((alg & SSL_kECDH) && s->version >= TLS1_VERSION) {
        *out++ = TLS_CT_RSA_FIXED_ECDH;
        *out++ = TLS_CT_ECDSA_FIXED_ECDH;
    }
#endif
#ifndef OPENSSL_NO_ECDSA
    /*
     * ECDSA certificates can be used with RSA cipher suites too, so there
     * is no SSL_kECDH/SSL_kECDHE check here.
     */
    if (s->version >= TLS1_VERSION)
        *out++ = TLS_CT_ECDSA_SIGN;
#endif
    return (int)(out - p);
}
20700Sstevel@tonic-gate
/*
 * Drive the SSLv3/TLS close_notify exchange one step further.
 *
 * s - connection to shut down.
 *
 * Before the handshake, or with quiet shutdown enabled, both shutdown
 * flags are simply set.  Otherwise: send our close_notify if it has not
 * been sent yet; resend a still-pending alert; or, once ours is out, read
 * so that the peer's close_notify can be received.  Return values of the
 * dispatch and read calls are not inspected here.
 *
 * Returns 1 when both sides have shut down and no alert is still pending,
 * otherwise 0.
 */
int ssl3_shutdown(SSL *s)
{
    const int both_sides = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN;

    /* Nothing to exchange if there is no session to close cleanly. */
    if (s->quiet_shutdown || s->state == SSL_ST_BEFORE) {
        s->shutdown = both_sides;
        return 1;
    }

    if (!(s->shutdown & SSL_SENT_SHUTDOWN)) {
        s->shutdown |= SSL_SENT_SHUTDOWN;
        /* If the alert still needs writing, s->s3->alert_dispatch stays set. */
        ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY);
    } else if (s->s3->alert_dispatch) {
        /* Our alert is queued but not yet written: try again. */
        s->method->ssl_dispatch_alert(s);
    } else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) {
        /* Waiting for the peer's close_notify; a read lets it arrive. */
        s->method->ssl_read_bytes(s, 0, NULL, 0, 0);
    }

    if (s->shutdown == both_sides && !s->s3->alert_dispatch)
        return 1;
    return 0;
}
21100Sstevel@tonic-gate
/*
 * Write application data on an SSLv3/TLS connection.
 *
 * s   - connection.
 * buf - data to send.
 * len - number of bytes in buf.
 *
 * Normally this is a direct call to the method's ssl_write_bytes().  When
 * SSL3_FLAGS_POP_BUFFER is set and the write BIO is still the buffering
 * BIO (s->wbio == s->bbio), the first write goes into the buffer together
 * with the last handshake message, the buffer is flushed, then removed;
 * s->s3->delay_buf_pop_ret remembers the write result across a flush
 * that has to be retried.
 *
 * Returns the number of bytes written (> 0), or the <= 0 result of the
 * failing write or flush.
 */
int ssl3_write(SSL *s, const void *buf, int len)
{
    int written;
    int flushed;

    clear_sys_error();
    if (s->s3->renegotiate)
        ssl3_renegotiate_check(s);

    /* Plain path: the buffer is gone or the experimental flag is off. */
    if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER) || s->wbio != s->bbio)
        return s->method->ssl_write_bytes(s, SSL3_RT_APPLICATION_DATA,
                                          buf, len);

    /* First pass writes into the buffer; a retried flush skips this. */
    if (s->s3->delay_buf_pop_ret == 0) {
        written = ssl3_write_bytes(s, SSL3_RT_APPLICATION_DATA, buf, len);
        if (written <= 0)
            return written;
        s->s3->delay_buf_pop_ret = written;
    }

    s->rwstate = SSL_WRITING;
    flushed = BIO_flush(s->wbio);
    if (flushed <= 0)
        return flushed;
    s->rwstate = SSL_NOTHING;

    /* Flushed, so the buffering BIO is no longer needed. */
    ssl_free_wbio_buffer(s);
    s->s3->flags &= ~SSL3_FLAGS_POP_BUFFER;

    written = s->s3->delay_buf_pop_ret;
    s->s3->delay_buf_pop_ret = 0;
    return written;
}
21630Sstevel@tonic-gate
/*
 * Shared body of ssl3_read() and ssl3_peek().
 *
 * s    - connection.
 * buf  - destination buffer.
 * len  - capacity of buf.
 * peek - non-zero to leave the data in the record layer.
 *
 * s->s3->in_read_app_data is set to 1 around the read.  If the read
 * returns -1 with in_read_app_data changed to 2, the record layer went
 * into the handshake function and found application data there instead;
 * handshake processing is then disabled (s->in_handshake) and the read is
 * retried once.
 *
 * Returns whatever the method's ssl_read_bytes() returned.
 */
static int ssl3_read_internal(SSL *s, void *buf, int len, int peek)
{
    int n;

    clear_sys_error();
    if (s->s3->renegotiate)
        ssl3_renegotiate_check(s);

    s->s3->in_read_app_data = 1;
    n = s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, buf, len, peek);

    if (n != -1 || s->s3->in_read_app_data != 2) {
        s->s3->in_read_app_data = 0;
        return n;
    }

    /* Application data showed up during handshake processing: retry. */
    s->in_handshake++;
    n = s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, buf, len, peek);
    s->in_handshake--;
    return n;
}
21880Sstevel@tonic-gate
/*
 * Read application data, consuming it from the record layer.
 * Returns the result of ssl3_read_internal() with peek == 0.
 */
int ssl3_read(SSL *s, void *buf, int len)
{
    const int consume = 0;

    return ssl3_read_internal(s, buf, len, consume);
}
21930Sstevel@tonic-gate
/*
 * Read application data without consuming it from the record layer.
 * Returns the result of ssl3_read_internal() with peek == 1.
 */
int ssl3_peek(SSL *s, void *buf, int len)
{
    const int peek_only = 1;

    return ssl3_read_internal(s, buf, len, peek_only);
}
21980Sstevel@tonic-gate
/*
 * Request a renegotiation; the handshake itself starts later, when
 * ssl3_renegotiate_check() finds the connection idle.
 *
 * s - connection.
 *
 * Returns 1 when the request was recorded (or when there is no handshake
 * function, in which case nothing is recorded), 0 when renegotiation is
 * blocked by SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS.
 */
int ssl3_renegotiate(SSL *s)
{
    if (s->handshake_func == NULL)
        return 1;

    if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
        return 0;

    s->s3->renegotiate = 1;
    return 1;
}
22100Sstevel@tonic-gate
/*
 * Start a pending renegotiation once the connection is idle.
 *
 * s - connection.
 *
 * A renegotiation requested via ssl3_renegotiate() is only started when
 * both record buffers are empty and no handshake is in progress; then the
 * state moves to SSL_ST_RENEGOTIATE and the renegotiation counters are
 * bumped.
 *
 * Returns 1 when the renegotiation was started, 0 otherwise.
 */
int ssl3_renegotiate_check(SSL *s)
{
    if (!s->s3->renegotiate)
        return 0;

    /* Not idle yet: leave the request pending. */
    if (s->s3->rbuf.left != 0 || s->s3->wbuf.left != 0 || SSL_in_init(s))
        return 0;

    /* SSL_ST_ACCEPT is reached from here when we are the server. */
    s->state = SSL_ST_RENEGOTIATE;
    s->s3->renegotiate = 0;
    s->s3->num_renegotiations++;
    s->s3->total_renegotiations++;
    return 1;
}
22350Sstevel@tonic-gate
2236