Index: stable/9/crypto/openssl/crypto/bio/b_print.c =================================================================== --- stable/9/crypto/openssl/crypto/bio/b_print.c (revision 296461) +++ stable/9/crypto/openssl/crypto/bio/b_print.c (revision 296462) @@ -1,816 +1,866 @@ /* crypto/bio/b_print.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ /* disable assert() unless BIO_DEBUG has been defined */ #ifndef BIO_DEBUG # ifndef NDEBUG # define NDEBUG # endif #endif /* * Stolen from tjh's ssl/ssl_trc.c stuff. */ #include #include #include #include #include #include "cryptlib.h" #ifndef NO_SYS_TYPES_H # include #endif #include /* To get BN_LLONG properly defined */ #include #if defined(BN_LLONG) || defined(SIXTY_FOUR_BIT) # ifndef HAVE_LONG_LONG # define HAVE_LONG_LONG 1 # endif #endif /***************************************************************************/ /* * Copyright Patrick Powell 1995 * This code is based on code written by Patrick Powell * It may be used for any purpose as long as this notice remains intact * on all source code distributions. */ /*- * This code contains numerious changes and enhancements which were * made by lots of contributors over the last years to Patrick Powell's * original code: * * o Patrick Powell (1995) * o Brandon Long (1996, for Mutt) * o Thomas Roessler (1998, for Mutt) * o Michael Elkins (1998, for Mutt) * o Andrew Tridgell (1998, for Samba) * o Luke Mewburn (1999, for LukemFTP) * o Ralf S. Engelschall (1999, for Pth) * o ... (for OpenSSL) */ #ifdef HAVE_LONG_DOUBLE # define LDOUBLE long double #else # define LDOUBLE double #endif #if HAVE_LONG_LONG # if defined(OPENSSL_SYS_WIN32) && !defined(__GNUC__) # define LLONG __int64 # else # define LLONG long long # endif #else -# define LLONG long -#endif - -static void fmtstr(char **, char **, size_t *, size_t *, - const char *, int, int, int); -static void fmtint(char **, char **, size_t *, size_t *, - LLONG, int, int, int, int); -static void fmtfp(char **, char **, size_t *, size_t *, - LDOUBLE, int, int, int); -static void doapr_outch(char **, char **, size_t *, size_t *, int); -static void _dopr(char **sbuffer, char **buffer, - size_t *maxlen, size_t *retlen, int *truncated, - const char *format, va_list args); - +# define LLONG long +#endif + +static int fmtstr(char **, char **, size_t *, size_t *, + const char *, int, int, int); +static int fmtint(char **, char **, size_t *, size_t *, + LLONG, int, int, int, int); +static int fmtfp(char **, char **, size_t *, size_t *, + LDOUBLE, int, int, int); +static int doapr_outch(char **, char **, size_t *, size_t *, int); +static int _dopr(char **sbuffer, char **buffer, + size_t *maxlen, size_t *retlen, int *truncated, + const char *format, va_list args); + /* format read states */ #define DP_S_DEFAULT 0 #define DP_S_FLAGS 1 #define DP_S_MIN 2 #define DP_S_DOT 3 #define DP_S_MAX 4 #define DP_S_MOD 5 #define DP_S_CONV 6 #define DP_S_DONE 7 /* format flags - Bits */ #define DP_F_MINUS (1 << 0) #define DP_F_PLUS (1 << 1) #define DP_F_SPACE (1 << 2) #define DP_F_NUM (1 << 3) #define DP_F_ZERO (1 << 4) #define DP_F_UP (1 << 5) #define DP_F_UNSIGNED (1 << 6) /* conversion flags */ #define DP_C_SHORT 1 #define DP_C_LONG 2 #define DP_C_LDOUBLE 3 #define DP_C_LLONG 4 /* some handy macros */ -#define char_to_int(p) (p - '0') -#define OSSL_MAX(p,q) ((p >= q) ? p : q) - -static void -_dopr(char **sbuffer, - char **buffer, - size_t *maxlen, +#define char_to_int(p) (p - '0') +#define OSSL_MAX(p,q) ((p >= q) ? p : q) + +static int +_dopr(char **sbuffer, + char **buffer, + size_t *maxlen, size_t *retlen, int *truncated, const char *format, va_list args) { char ch; LLONG value; LDOUBLE fvalue; char *strvalue; int min; int max; int state; int flags; int cflags; size_t currlen; state = DP_S_DEFAULT; flags = currlen = cflags = min = 0; max = -1; ch = *format++; while (state != DP_S_DONE) { if (ch == '\0' || (buffer == NULL && currlen >= *maxlen)) state = DP_S_DONE; switch (state) { case DP_S_DEFAULT: - if (ch == '%') - state = DP_S_FLAGS; - else - doapr_outch(sbuffer, buffer, &currlen, maxlen, ch); - ch = *format++; - break; - case DP_S_FLAGS: + if (ch == '%') + state = DP_S_FLAGS; + else + if(!doapr_outch(sbuffer, buffer, &currlen, maxlen, ch)) + return 0; + ch = *format++; + break; + case DP_S_FLAGS: switch (ch) { case '-': flags |= DP_F_MINUS; ch = *format++; break; case '+': flags |= DP_F_PLUS; ch = *format++; break; case ' ': flags |= DP_F_SPACE; ch = *format++; break; case '#': flags |= DP_F_NUM; ch = *format++; break; case '0': flags |= DP_F_ZERO; ch = *format++; break; default: state = DP_S_MIN; break; } break; case DP_S_MIN: if (isdigit((unsigned char)ch)) { min = 10 * min + char_to_int(ch); ch = *format++; } else if (ch == '*') { min = va_arg(args, int); ch = *format++; state = DP_S_DOT; } else state = DP_S_DOT; break; case DP_S_DOT: if (ch == '.') { state = DP_S_MAX; ch = *format++; } else state = DP_S_MOD; break; case DP_S_MAX: if (isdigit((unsigned char)ch)) { if (max < 0) max = 0; max = 10 * max + char_to_int(ch); ch = *format++; } else if (ch == '*') { max = va_arg(args, int); ch = *format++; state = DP_S_MOD; } else state = DP_S_MOD; break; case DP_S_MOD: switch (ch) { case 'h': cflags = DP_C_SHORT; ch = *format++; break; case 'l': if (*format == 'l') { cflags = DP_C_LLONG; format++; } else cflags = DP_C_LONG; ch = *format++; break; case 'q': cflags = DP_C_LLONG; ch = *format++; break; case 'L': cflags = DP_C_LDOUBLE; ch = *format++; break; default: break; } state = DP_S_CONV; break; case DP_S_CONV: switch (ch) { case 'd': case 'i': switch (cflags) { case DP_C_SHORT: value = (short int)va_arg(args, int); break; case DP_C_LONG: value = va_arg(args, long int); break; case DP_C_LLONG: value = va_arg(args, LLONG); break; default: - value = va_arg(args, int); - break; - } - fmtint(sbuffer, buffer, &currlen, maxlen, - value, 10, min, max, flags); - break; - case 'X': - flags |= DP_F_UP; + value = va_arg(args, int); + break; + } + if (!fmtint(sbuffer, buffer, &currlen, maxlen, value, 10, min, + max, flags)) + return 0; + break; + case 'X': + flags |= DP_F_UP; /* FALLTHROUGH */ case 'x': case 'o': case 'u': flags |= DP_F_UNSIGNED; switch (cflags) { case DP_C_SHORT: value = (unsigned short int)va_arg(args, unsigned int); break; case DP_C_LONG: value = (LLONG) va_arg(args, unsigned long int); break; case DP_C_LLONG: value = va_arg(args, unsigned LLONG); break; default: - value = (LLONG) va_arg(args, unsigned int); - break; - } - fmtint(sbuffer, buffer, &currlen, maxlen, value, - ch == 'o' ? 8 : (ch == 'u' ? 10 : 16), - min, max, flags); - break; - case 'f': - if (cflags == DP_C_LDOUBLE) - fvalue = va_arg(args, LDOUBLE); - else - fvalue = va_arg(args, double); - fmtfp(sbuffer, buffer, &currlen, maxlen, - fvalue, min, max, flags); - break; - case 'E': - flags |= DP_F_UP; + value = (LLONG) va_arg(args, unsigned int); + break; + } + if (!fmtint(sbuffer, buffer, &currlen, maxlen, value, + ch == 'o' ? 8 : (ch == 'u' ? 10 : 16), + min, max, flags)) + return 0; + break; + case 'f': + if (cflags == DP_C_LDOUBLE) + fvalue = va_arg(args, LDOUBLE); + else + fvalue = va_arg(args, double); + if (!fmtfp(sbuffer, buffer, &currlen, maxlen, fvalue, min, max, + flags)) + return 0; + break; + case 'E': + flags |= DP_F_UP; case 'e': if (cflags == DP_C_LDOUBLE) fvalue = va_arg(args, LDOUBLE); else fvalue = va_arg(args, double); break; case 'G': flags |= DP_F_UP; case 'g': if (cflags == DP_C_LDOUBLE) fvalue = va_arg(args, LDOUBLE); else - fvalue = va_arg(args, double); - break; - case 'c': - doapr_outch(sbuffer, buffer, &currlen, maxlen, - va_arg(args, int)); - break; - case 's': - strvalue = va_arg(args, char *); + fvalue = va_arg(args, double); + break; + case 'c': + if(!doapr_outch(sbuffer, buffer, &currlen, maxlen, + va_arg(args, int))) + return 0; + break; + case 's': + strvalue = va_arg(args, char *); if (max < 0) { if (buffer) max = INT_MAX; - else - max = *maxlen; - } - fmtstr(sbuffer, buffer, &currlen, maxlen, strvalue, - flags, min, max); - break; - case 'p': - value = (long)va_arg(args, void *); - fmtint(sbuffer, buffer, &currlen, maxlen, - value, 16, min, max, flags | DP_F_NUM); - break; - case 'n': /* XXX */ - if (cflags == DP_C_SHORT) { + else + max = *maxlen; + } + if (!fmtstr(sbuffer, buffer, &currlen, maxlen, strvalue, + flags, min, max)) + return 0; + break; + case 'p': + value = (long)va_arg(args, void *); + if (!fmtint(sbuffer, buffer, &currlen, maxlen, + value, 16, min, max, flags | DP_F_NUM)) + return 0; + break; + case 'n': /* XXX */ + if (cflags == DP_C_SHORT) { short int *num; num = va_arg(args, short int *); *num = currlen; } else if (cflags == DP_C_LONG) { /* XXX */ long int *num; num = va_arg(args, long int *); *num = (long int)currlen; } else if (cflags == DP_C_LLONG) { /* XXX */ LLONG *num; num = va_arg(args, LLONG *); *num = (LLONG) currlen; } else { int *num; num = va_arg(args, int *); *num = currlen; - } - break; - case '%': - doapr_outch(sbuffer, buffer, &currlen, maxlen, ch); - break; - case 'w': - /* not supported yet, treat as next char */ + } + break; + case '%': + if(!doapr_outch(sbuffer, buffer, &currlen, maxlen, ch)) + return 0; + break; + case 'w': + /* not supported yet, treat as next char */ ch = *format++; break; default: /* unknown, skip */ break; } ch = *format++; state = DP_S_DEFAULT; flags = cflags = min = 0; max = -1; break; case DP_S_DONE: break; default: break; } } - *truncated = (currlen > *maxlen - 1); - if (*truncated) - currlen = *maxlen - 1; - doapr_outch(sbuffer, buffer, &currlen, maxlen, '\0'); - *retlen = currlen - 1; - return; -} - -static void -fmtstr(char **sbuffer, - char **buffer, - size_t *currlen, - size_t *maxlen, const char *value, int flags, int min, int max) -{ - int padlen, strln; - int cnt = 0; - - if (value == 0) - value = ""; - for (strln = 0; value[strln]; ++strln) ; - padlen = min - strln; - if (padlen < 0) - padlen = 0; - if (flags & DP_F_MINUS) - padlen = -padlen; - - while ((padlen > 0) && (cnt < max)) { - doapr_outch(sbuffer, buffer, currlen, maxlen, ' '); - --padlen; - ++cnt; - } - while (*value && (cnt < max)) { - doapr_outch(sbuffer, buffer, currlen, maxlen, *value++); - ++cnt; - } - while ((padlen < 0) && (cnt < max)) { - doapr_outch(sbuffer, buffer, currlen, maxlen, ' '); - ++padlen; - ++cnt; - } -} - -static void -fmtint(char **sbuffer, - char **buffer, - size_t *currlen, + *truncated = (currlen > *maxlen - 1); + if (*truncated) + currlen = *maxlen - 1; + if(!doapr_outch(sbuffer, buffer, &currlen, maxlen, '\0')) + return 0; + *retlen = currlen - 1; + return 1; +} + +static int +fmtstr(char **sbuffer, + char **buffer, + size_t *currlen, + size_t *maxlen, const char *value, int flags, int min, int max) +{ + int padlen; + size_t strln; + int cnt = 0; + + if (value == 0) + value = ""; + + strln = strlen(value); + if (strln > INT_MAX) + strln = INT_MAX; + + padlen = min - strln; + if (min < 0 || padlen < 0) + padlen = 0; + if (flags & DP_F_MINUS) + padlen = -padlen; + + while ((padlen > 0) && (cnt < max)) { + if(!doapr_outch(sbuffer, buffer, currlen, maxlen, ' ')) + return 0; + --padlen; + ++cnt; + } + while (*value && (cnt < max)) { + if(!doapr_outch(sbuffer, buffer, currlen, maxlen, *value++)) + return 0; + ++cnt; + } + while ((padlen < 0) && (cnt < max)) { + if(!doapr_outch(sbuffer, buffer, currlen, maxlen, ' ')) + return 0; + ++padlen; + ++cnt; + } + return 1; +} + +static int +fmtint(char **sbuffer, + char **buffer, + size_t *currlen, size_t *maxlen, LLONG value, int base, int min, int max, int flags) { int signvalue = 0; const char *prefix = ""; unsigned LLONG uvalue; char convert[DECIMAL_SIZE(value) + 3]; int place = 0; int spadlen = 0; int zpadlen = 0; int caps = 0; if (max < 0) max = 0; uvalue = value; if (!(flags & DP_F_UNSIGNED)) { if (value < 0) { signvalue = '-'; uvalue = -value; } else if (flags & DP_F_PLUS) signvalue = '+'; else if (flags & DP_F_SPACE) signvalue = ' '; } if (flags & DP_F_NUM) { if (base == 8) prefix = "0"; if (base == 16) prefix = "0x"; } if (flags & DP_F_UP) caps = 1; do { convert[place++] = (caps ? "0123456789ABCDEF" : "0123456789abcdef") [uvalue % (unsigned)base]; uvalue = (uvalue / (unsigned)base); } while (uvalue && (place < (int)sizeof(convert))); if (place == sizeof(convert)) place--; convert[place] = 0; zpadlen = max - place; spadlen = min - OSSL_MAX(max, place) - (signvalue ? 1 : 0) - strlen(prefix); if (zpadlen < 0) zpadlen = 0; if (spadlen < 0) spadlen = 0; if (flags & DP_F_ZERO) { zpadlen = OSSL_MAX(zpadlen, spadlen); spadlen = 0; } if (flags & DP_F_MINUS) spadlen = -spadlen; - - /* spaces */ - while (spadlen > 0) { - doapr_outch(sbuffer, buffer, currlen, maxlen, ' '); - --spadlen; - } - - /* sign */ - if (signvalue) - doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue); - - /* prefix */ - while (*prefix) { - doapr_outch(sbuffer, buffer, currlen, maxlen, *prefix); - prefix++; - } - - /* zeros */ - if (zpadlen > 0) { - while (zpadlen > 0) { - doapr_outch(sbuffer, buffer, currlen, maxlen, '0'); - --zpadlen; - } - } - /* digits */ - while (place > 0) - doapr_outch(sbuffer, buffer, currlen, maxlen, convert[--place]); - - /* left justified spaces */ - while (spadlen < 0) { - doapr_outch(sbuffer, buffer, currlen, maxlen, ' '); - ++spadlen; - } - return; -} - -static LDOUBLE abs_val(LDOUBLE value) + + /* spaces */ + while (spadlen > 0) { + if(!doapr_outch(sbuffer, buffer, currlen, maxlen, ' ')) + return 0; + --spadlen; + } + + /* sign */ + if (signvalue) + if(!doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue)) + return 0; + + /* prefix */ + while (*prefix) { + if(!doapr_outch(sbuffer, buffer, currlen, maxlen, *prefix)) + return 0; + prefix++; + } + + /* zeros */ + if (zpadlen > 0) { + while (zpadlen > 0) { + if(!doapr_outch(sbuffer, buffer, currlen, maxlen, '0')) + return 0; + --zpadlen; + } + } + /* digits */ + while (place > 0) { + if (!doapr_outch(sbuffer, buffer, currlen, maxlen, convert[--place])) + return 0; + } + + /* left justified spaces */ + while (spadlen < 0) { + if (!doapr_outch(sbuffer, buffer, currlen, maxlen, ' ')) + return 0; + ++spadlen; + } + return 1; +} + +static LDOUBLE abs_val(LDOUBLE value) { LDOUBLE result = value; if (value < 0) result = -value; return result; } static LDOUBLE pow_10(int in_exp) { LDOUBLE result = 1; while (in_exp) { result *= 10; in_exp--; } return result; } static long roundv(LDOUBLE value) { long intpart; intpart = (long)value; value = value - intpart; if (value >= 0.5) intpart++; - return intpart; -} - -static void -fmtfp(char **sbuffer, - char **buffer, - size_t *currlen, + return intpart; +} + +static int +fmtfp(char **sbuffer, + char **buffer, + size_t *currlen, size_t *maxlen, LDOUBLE fvalue, int min, int max, int flags) { int signvalue = 0; LDOUBLE ufvalue; char iconvert[20]; char fconvert[20]; int iplace = 0; int fplace = 0; int padlen = 0; int zpadlen = 0; int caps = 0; long intpart; long fracpart; long max10; if (max < 0) max = 6; ufvalue = abs_val(fvalue); if (fvalue < 0) signvalue = '-'; else if (flags & DP_F_PLUS) signvalue = '+'; else if (flags & DP_F_SPACE) signvalue = ' '; intpart = (long)ufvalue; /* * sorry, we only support 9 digits past the decimal because of our * conversion method */ if (max > 9) max = 9; /* * we "cheat" by converting the fractional part to integer by multiplying * by a factor of 10 */ max10 = roundv(pow_10(max)); fracpart = roundv(pow_10(max) * (ufvalue - intpart)); if (fracpart >= max10) { intpart++; fracpart -= max10; } /* convert integer part */ do { iconvert[iplace++] = (caps ? "0123456789ABCDEF" : "0123456789abcdef")[intpart % 10]; intpart = (intpart / 10); } while (intpart && (iplace < (int)sizeof(iconvert))); if (iplace == sizeof iconvert) iplace--; iconvert[iplace] = 0; /* convert fractional part */ do { fconvert[fplace++] = (caps ? "0123456789ABCDEF" : "0123456789abcdef")[fracpart % 10]; fracpart = (fracpart / 10); } while (fplace < max); if (fplace == sizeof fconvert) fplace--; fconvert[fplace] = 0; /* -1 for decimal point, another -1 if we are printing a sign */ padlen = min - iplace - max - 1 - ((signvalue) ? 1 : 0); zpadlen = max - fplace; if (zpadlen < 0) zpadlen = 0; if (padlen < 0) padlen = 0; if (flags & DP_F_MINUS) padlen = -padlen; - - if ((flags & DP_F_ZERO) && (padlen > 0)) { - if (signvalue) { - doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue); - --padlen; - signvalue = 0; - } - while (padlen > 0) { - doapr_outch(sbuffer, buffer, currlen, maxlen, '0'); - --padlen; - } - } - while (padlen > 0) { - doapr_outch(sbuffer, buffer, currlen, maxlen, ' '); - --padlen; - } - if (signvalue) - doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue); - - while (iplace > 0) - doapr_outch(sbuffer, buffer, currlen, maxlen, iconvert[--iplace]); - - /* - * Decimal point. This should probably use locale to find the correct - * char to print out. - */ - if (max > 0 || (flags & DP_F_NUM)) { - doapr_outch(sbuffer, buffer, currlen, maxlen, '.'); - - while (fplace > 0) - doapr_outch(sbuffer, buffer, currlen, maxlen, fconvert[--fplace]); - } - while (zpadlen > 0) { - doapr_outch(sbuffer, buffer, currlen, maxlen, '0'); - --zpadlen; - } - - while (padlen < 0) { - doapr_outch(sbuffer, buffer, currlen, maxlen, ' '); - ++padlen; - } -} - -static void -doapr_outch(char **sbuffer, - char **buffer, size_t *currlen, size_t *maxlen, int c) -{ - /* If we haven't at least one buffer, someone has doe a big booboo */ - assert(*sbuffer != NULL || buffer != NULL); - - if (buffer) { - while (*currlen >= *maxlen) { - if (*buffer == NULL) { - if (*maxlen == 0) - *maxlen = 1024; - *buffer = OPENSSL_malloc(*maxlen); - if (*currlen > 0) { - assert(*sbuffer != NULL); - memcpy(*buffer, *sbuffer, *currlen); - } - *sbuffer = NULL; - } else { - *maxlen += 1024; - *buffer = OPENSSL_realloc(*buffer, *maxlen); - } - } - /* What to do if *buffer is NULL? */ - assert(*sbuffer != NULL || *buffer != NULL); - } - - if (*currlen < *maxlen) { - if (*sbuffer) + + if ((flags & DP_F_ZERO) && (padlen > 0)) { + if (signvalue) { + if (!doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue)) + return 0; + --padlen; + signvalue = 0; + } + while (padlen > 0) { + if (!doapr_outch(sbuffer, buffer, currlen, maxlen, '0')) + return 0; + --padlen; + } + } + while (padlen > 0) { + if (!doapr_outch(sbuffer, buffer, currlen, maxlen, ' ')) + return 0; + --padlen; + } + if (signvalue && !doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue)) + return 0; + + while (iplace > 0) { + if (!doapr_outch(sbuffer, buffer, currlen, maxlen, iconvert[--iplace])) + return 0; + } + + /* + * Decimal point. This should probably use locale to find the correct + * char to print out. + */ + if (max > 0 || (flags & DP_F_NUM)) { + if (!doapr_outch(sbuffer, buffer, currlen, maxlen, '.')) + return 0; + + while (fplace > 0) { + if(!doapr_outch(sbuffer, buffer, currlen, maxlen, + fconvert[--fplace])) + return 0; + } + } + while (zpadlen > 0) { + if (!doapr_outch(sbuffer, buffer, currlen, maxlen, '0')) + return 0; + --zpadlen; + } + + while (padlen < 0) { + if (!doapr_outch(sbuffer, buffer, currlen, maxlen, ' ')) + return 0; + ++padlen; + } + return 1; +} + +#define BUFFER_INC 1024 + +static int +doapr_outch(char **sbuffer, + char **buffer, size_t *currlen, size_t *maxlen, int c) +{ + /* If we haven't at least one buffer, someone has doe a big booboo */ + assert(*sbuffer != NULL || buffer != NULL); + + /* |currlen| must always be <= |*maxlen| */ + assert(*currlen <= *maxlen); + + if (buffer && *currlen == *maxlen) { + if (*maxlen > INT_MAX - BUFFER_INC) + return 0; + + *maxlen += BUFFER_INC; + if (*buffer == NULL) { + *buffer = OPENSSL_malloc(*maxlen); + if (*buffer == NULL) + return 0; + if (*currlen > 0) { + assert(*sbuffer != NULL); + memcpy(*buffer, *sbuffer, *currlen); + } + *sbuffer = NULL; + } else { + char *tmpbuf; + tmpbuf = OPENSSL_realloc(*buffer, *maxlen); + if (tmpbuf == NULL) + return 0; + *buffer = tmpbuf; + } + } + + if (*currlen < *maxlen) { + if (*sbuffer) (*sbuffer)[(*currlen)++] = (char)c; else - (*buffer)[(*currlen)++] = (char)c; - } + (*buffer)[(*currlen)++] = (char)c; + } + + return 1; +} + +/***************************************************************************/ - return; -} - -/***************************************************************************/ - int BIO_printf(BIO *bio, const char *format, ...) { va_list args; int ret; va_start(args, format); ret = BIO_vprintf(bio, format, args); va_end(args); return (ret); } int BIO_vprintf(BIO *bio, const char *format, va_list args) { int ret; size_t retlen; char hugebuf[1024 * 2]; /* Was previously 10k, which is unreasonable * in small-stack environments, like threads * or DOS programs. */ char *hugebufp = hugebuf; size_t hugebufsize = sizeof(hugebuf); char *dynbuf = NULL; int ignored; - - dynbuf = NULL; - CRYPTO_push_info("doapr()"); - _dopr(&hugebufp, &dynbuf, &hugebufsize, &retlen, &ignored, format, args); - if (dynbuf) { - ret = BIO_write(bio, dynbuf, (int)retlen); - OPENSSL_free(dynbuf); + + dynbuf = NULL; + CRYPTO_push_info("doapr()"); + if (!_dopr(&hugebufp, &dynbuf, &hugebufsize, &retlen, &ignored, format, + args)) { + OPENSSL_free(dynbuf); + return -1; + } + if (dynbuf) { + ret = BIO_write(bio, dynbuf, (int)retlen); + OPENSSL_free(dynbuf); } else { ret = BIO_write(bio, hugebuf, (int)retlen); } CRYPTO_pop_info(); return (ret); } /* * As snprintf is not available everywhere, we provide our own * implementation. This function has nothing to do with BIOs, but it's * closely related to BIO_printf, and we need *some* name prefix ... (XXX the * function should be renamed, but to what?) */ int BIO_snprintf(char *buf, size_t n, const char *format, ...) { va_list args; int ret; va_start(args, format); ret = BIO_vsnprintf(buf, n, format, args); va_end(args); return (ret); } int BIO_vsnprintf(char *buf, size_t n, const char *format, va_list args) { - size_t retlen; - int truncated; - - _dopr(&buf, NULL, &n, &retlen, &truncated, format, args); - - if (truncated) - /* + size_t retlen; + int truncated; + + if(!_dopr(&buf, NULL, &n, &retlen, &truncated, format, args)) + return -1; + + if (truncated) + /* * In case of truncation, return -1 like traditional snprintf. * (Current drafts for ISO/IEC 9899 say snprintf should return the * number of characters that would have been written, had the buffer * been large enough.) */ return -1; else return (retlen <= INT_MAX) ? (int)retlen : -1; } Index: stable/9/crypto/openssl/crypto/bn/bn.h =================================================================== --- stable/9/crypto/openssl/crypto/bn/bn.h (revision 296461) +++ stable/9/crypto/openssl/crypto/bn/bn.h (revision 296462) @@ -1,917 +1,927 @@ /* crypto/bn/bn.h */ /* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ /* ==================================================================== * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. * * Portions of the attached software ("Contribution") are developed by * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. * * The Contribution is licensed pursuant to the Eric Young open source * license provided above. * * The binary polynomial arithmetic software is originally written by * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories. * */ -#ifndef HEADER_BN_H -# define HEADER_BN_H - -# include -# ifndef OPENSSL_NO_FP_API -# include /* FILE */ +#ifndef HEADER_BN_H +# define HEADER_BN_H + +# include +# include +# ifndef OPENSSL_NO_FP_API +# include /* FILE */ # endif # include #ifdef __cplusplus extern "C" { #endif /* * These preprocessor symbols control various aspects of the bignum headers * and library code. They're not defined by any "normal" configuration, as * they are intended for development and testing purposes. NB: defining all * three can be useful for debugging application code as well as openssl * itself. BN_DEBUG - turn on various debugging alterations to the bignum * code BN_DEBUG_RAND - uses random poisoning of unused words to trip up * mismanagement of bignum internals. You must also define BN_DEBUG. */ /* #define BN_DEBUG */ /* #define BN_DEBUG_RAND */ # define BN_MUL_COMBA # define BN_SQR_COMBA # define BN_RECURSION /* * This next option uses the C libraries (2 word)/(1 word) function. If it is * not defined, I use my C version (which is slower). The reason for this * flag is that when the particular C compiler library routine is used, and * the library is linked with a different compiler, the library is missing. * This mostly happens when the library is built with gcc and then linked * using normal cc. This would be a common occurrence because gcc normally * produces code that is 2 times faster than system compilers for the big * number stuff. For machines with only one compiler (or shared libraries), * this should be on. Again this in only really a problem on machines using * "long long's", are 32bit, and are not using my assembler code. */ # if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS) || \ defined(OPENSSL_SYS_WIN32) || defined(linux) # ifndef BN_DIV2W # define BN_DIV2W # endif # endif /* * assuming long is 64bit - this is the DEC Alpha unsigned long long is only * 64 bits :-(, don't define BN_LLONG for the DEC Alpha */ # ifdef SIXTY_FOUR_BIT_LONG # define BN_ULLONG unsigned long long # define BN_ULONG unsigned long # define BN_LONG long # define BN_BITS 128 # define BN_BYTES 8 # define BN_BITS2 64 # define BN_BITS4 32 # define BN_MASK (0xffffffffffffffffffffffffffffffffLL) # define BN_MASK2 (0xffffffffffffffffL) # define BN_MASK2l (0xffffffffL) # define BN_MASK2h (0xffffffff00000000L) # define BN_MASK2h1 (0xffffffff80000000L) # define BN_TBIT (0x8000000000000000L) # define BN_DEC_CONV (10000000000000000000UL) # define BN_DEC_FMT1 "%lu" # define BN_DEC_FMT2 "%019lu" # define BN_DEC_NUM 19 # endif /* * This is where the long long data type is 64 bits, but long is 32. For * machines where there are 64bit registers, this is the mode to use. IRIX, * on R4000 and above should use this mode, along with the relevant assembler * code :-). Do NOT define BN_LLONG. */ # ifdef SIXTY_FOUR_BIT # undef BN_LLONG # undef BN_ULLONG # define BN_ULONG unsigned long long # define BN_LONG long long # define BN_BITS 128 # define BN_BYTES 8 # define BN_BITS2 64 # define BN_BITS4 32 # define BN_MASK2 (0xffffffffffffffffLL) # define BN_MASK2l (0xffffffffL) # define BN_MASK2h (0xffffffff00000000LL) # define BN_MASK2h1 (0xffffffff80000000LL) # define BN_TBIT (0x8000000000000000LL) # define BN_DEC_CONV (10000000000000000000ULL) # define BN_DEC_FMT1 "%llu" # define BN_DEC_FMT2 "%019llu" # define BN_DEC_NUM 19 # endif # ifdef THIRTY_TWO_BIT # ifdef BN_LLONG # if defined(OPENSSL_SYS_WIN32) && !defined(__GNUC__) # define BN_ULLONG unsigned __int64 # else # define BN_ULLONG unsigned long long # endif # endif # define BN_ULONG unsigned long # define BN_LONG long # define BN_BITS 64 # define BN_BYTES 4 # define BN_BITS2 32 # define BN_BITS4 16 # ifdef OPENSSL_SYS_WIN32 /* VC++ doesn't like the LL suffix */ # define BN_MASK (0xffffffffffffffffL) # else # define BN_MASK (0xffffffffffffffffLL) # endif # define BN_MASK2 (0xffffffffL) # define BN_MASK2l (0xffff) # define BN_MASK2h1 (0xffff8000L) # define BN_MASK2h (0xffff0000L) # define BN_TBIT (0x80000000L) # define BN_DEC_CONV (1000000000L) # define BN_DEC_FMT1 "%lu" # define BN_DEC_FMT2 "%09lu" # define BN_DEC_NUM 9 # endif # ifdef SIXTEEN_BIT # ifndef BN_DIV2W # define BN_DIV2W # endif # define BN_ULLONG unsigned long # define BN_ULONG unsigned short # define BN_LONG short # define BN_BITS 32 # define BN_BYTES 2 # define BN_BITS2 16 # define BN_BITS4 8 # define BN_MASK (0xffffffff) # define BN_MASK2 (0xffff) # define BN_MASK2l (0xff) # define BN_MASK2h1 (0xff80) # define BN_MASK2h (0xff00) # define BN_TBIT (0x8000) # define BN_DEC_CONV (100000) # define BN_DEC_FMT1 "%u" # define BN_DEC_FMT2 "%05u" # define BN_DEC_NUM 5 # endif # ifdef EIGHT_BIT # ifndef BN_DIV2W # define BN_DIV2W # endif # define BN_ULLONG unsigned short # define BN_ULONG unsigned char # define BN_LONG char # define BN_BITS 16 # define BN_BYTES 1 # define BN_BITS2 8 # define BN_BITS4 4 # define BN_MASK (0xffff) # define BN_MASK2 (0xff) # define BN_MASK2l (0xf) # define BN_MASK2h1 (0xf8) # define BN_MASK2h (0xf0) # define BN_TBIT (0x80) # define BN_DEC_CONV (100) # define BN_DEC_FMT1 "%u" # define BN_DEC_FMT2 "%02u" # define BN_DEC_NUM 2 # endif # define BN_DEFAULT_BITS 1280 # define BN_FLG_MALLOCED 0x01 # define BN_FLG_STATIC_DATA 0x02 /* * avoid leaking exponent information through timing, * BN_mod_exp_mont() will call BN_mod_exp_mont_consttime, * BN_div() will call BN_div_no_branch, * BN_mod_inverse() will call BN_mod_inverse_no_branch. */ # define BN_FLG_CONSTTIME 0x04 # ifdef OPENSSL_NO_DEPRECATED /* deprecated name for the flag */ # define BN_FLG_EXP_CONSTTIME BN_FLG_CONSTTIME /* * avoid leaking exponent information through timings * (BN_mod_exp_mont() will call BN_mod_exp_mont_consttime) */ # endif # ifndef OPENSSL_NO_DEPRECATED # define BN_FLG_FREE 0x8000 /* used for debuging */ # endif # define BN_set_flags(b,n) ((b)->flags|=(n)) # define BN_get_flags(b,n) ((b)->flags&(n)) /* * get a clone of a BIGNUM with changed flags, for *temporary* use only (the * two BIGNUMs cannot not be used in parallel!) */ # define BN_with_flags(dest,b,n) ((dest)->d=(b)->d, \ (dest)->top=(b)->top, \ (dest)->dmax=(b)->dmax, \ (dest)->neg=(b)->neg, \ (dest)->flags=(((dest)->flags & BN_FLG_MALLOCED) \ | ((b)->flags & ~BN_FLG_MALLOCED) \ | BN_FLG_STATIC_DATA \ | (n))) /* Already declared in ossl_typ.h */ # if 0 typedef struct bignum_st BIGNUM; /* Used for temp variables (declaration hidden in bn_lcl.h) */ typedef struct bignum_ctx BN_CTX; typedef struct bn_blinding_st BN_BLINDING; typedef struct bn_mont_ctx_st BN_MONT_CTX; typedef struct bn_recp_ctx_st BN_RECP_CTX; typedef struct bn_gencb_st BN_GENCB; # endif struct bignum_st { BN_ULONG *d; /* Pointer to an array of 'BN_BITS2' bit * chunks. */ int top; /* Index of last used d +1. */ /* The next are internal book keeping for bn_expand. */ int dmax; /* Size of the d array. */ int neg; /* one if the number is negative */ int flags; }; /* Used for montgomery multiplication */ struct bn_mont_ctx_st { int ri; /* number of bits in R */ BIGNUM RR; /* used to convert to montgomery form */ BIGNUM N; /* The modulus */ BIGNUM Ni; /* R*(1/R mod N) - N*Ni = 1 (Ni is only * stored for bignum algorithm) */ # if 0 /* OpenSSL 0.9.9 preview: */ BN_ULONG n0[2]; /* least significant word(s) of Ni */ # else BN_ULONG n0; /* least significant word of Ni */ # endif int flags; }; /* * Used for reciprocal division/mod functions It cannot be shared between * threads */ struct bn_recp_ctx_st { BIGNUM N; /* the divisor */ BIGNUM Nr; /* the reciprocal */ int num_bits; int shift; int flags; }; /* Used for slow "generation" functions. */ struct bn_gencb_st { unsigned int ver; /* To handle binary (in)compatibility */ void *arg; /* callback-specific data */ union { /* if(ver==1) - handles old style callbacks */ void (*cb_1) (int, int, void *); /* if(ver==2) - new callback style */ int (*cb_2) (int, int, BN_GENCB *); } cb; }; /* Wrapper function to make using BN_GENCB easier, */ int BN_GENCB_call(BN_GENCB *cb, int a, int b); /* Macro to populate a BN_GENCB structure with an "old"-style callback */ # define BN_GENCB_set_old(gencb, callback, cb_arg) { \ BN_GENCB *tmp_gencb = (gencb); \ tmp_gencb->ver = 1; \ tmp_gencb->arg = (cb_arg); \ tmp_gencb->cb.cb_1 = (callback); } /* Macro to populate a BN_GENCB structure with a "new"-style callback */ # define BN_GENCB_set(gencb, callback, cb_arg) { \ BN_GENCB *tmp_gencb = (gencb); \ tmp_gencb->ver = 2; \ tmp_gencb->arg = (cb_arg); \ tmp_gencb->cb.cb_2 = (callback); } # define BN_prime_checks 0 /* default: select number of iterations based * on the size of the number */ /* * number of Miller-Rabin iterations for an error rate of less than 2^-80 for * random 'b'-bit input, b >= 100 (taken from table 4.4 in the Handbook of * Applied Cryptography [Menezes, van Oorschot, Vanstone; CRC Press 1996]; * original paper: Damgaard, Landrock, Pomerance: Average case error * estimates for the strong probable prime test. -- Math. Comp. 61 (1993) * 177-194) */ # define BN_prime_checks_for_size(b) ((b) >= 1300 ? 2 : \ (b) >= 850 ? 3 : \ (b) >= 650 ? 4 : \ (b) >= 550 ? 5 : \ (b) >= 450 ? 6 : \ (b) >= 400 ? 7 : \ (b) >= 350 ? 8 : \ (b) >= 300 ? 9 : \ (b) >= 250 ? 12 : \ (b) >= 200 ? 15 : \ (b) >= 150 ? 18 : \ /* b >= 100 */ 27) # define BN_num_bytes(a) ((BN_num_bits(a)+7)/8) /* Note that BN_abs_is_word didn't work reliably for w == 0 until 0.9.8 */ # define BN_abs_is_word(a,w) ((((a)->top == 1) && ((a)->d[0] == (BN_ULONG)(w))) || \ (((w) == 0) && ((a)->top == 0))) # define BN_is_zero(a) ((a)->top == 0) # define BN_is_one(a) (BN_abs_is_word((a),1) && !(a)->neg) # define BN_is_word(a,w) (BN_abs_is_word((a),(w)) && (!(w) || !(a)->neg)) # define BN_is_odd(a) (((a)->top > 0) && ((a)->d[0] & 1)) # define BN_one(a) (BN_set_word((a),1)) # define BN_zero_ex(a) \ do { \ BIGNUM *_tmp_bn = (a); \ _tmp_bn->top = 0; \ _tmp_bn->neg = 0; \ } while(0) # ifdef OPENSSL_NO_DEPRECATED # define BN_zero(a) BN_zero_ex(a) # else # define BN_zero(a) (BN_set_word((a),0)) # endif const BIGNUM *BN_value_one(void); char *BN_options(void); BN_CTX *BN_CTX_new(void); # ifndef OPENSSL_NO_DEPRECATED void BN_CTX_init(BN_CTX *c); # endif void BN_CTX_free(BN_CTX *c); void BN_CTX_start(BN_CTX *ctx); BIGNUM *BN_CTX_get(BN_CTX *ctx); void BN_CTX_end(BN_CTX *ctx); int BN_rand(BIGNUM *rnd, int bits, int top, int bottom); int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom); int BN_rand_range(BIGNUM *rnd, const BIGNUM *range); int BN_pseudo_rand_range(BIGNUM *rnd, const BIGNUM *range); int BN_num_bits(const BIGNUM *a); int BN_num_bits_word(BN_ULONG); BIGNUM *BN_new(void); void BN_init(BIGNUM *); void BN_clear_free(BIGNUM *a); BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b); void BN_swap(BIGNUM *a, BIGNUM *b); BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret); int BN_bn2bin(const BIGNUM *a, unsigned char *to); BIGNUM *BN_mpi2bn(const unsigned char *s, int len, BIGNUM *ret); int BN_bn2mpi(const BIGNUM *a, unsigned char *to); int BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b); int BN_usub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b); int BN_uadd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b); int BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b); int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); int BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx); /** BN_set_negative sets sign of a BIGNUM * \param b pointer to the BIGNUM object * \param n 0 if the BIGNUM b should be positive and a value != 0 otherwise */ void BN_set_negative(BIGNUM *b, int n); /** BN_is_negative returns 1 if the BIGNUM is negative * \param a pointer to the BIGNUM object * \return 1 if a < 0 and 0 otherwise */ # define BN_is_negative(a) ((a)->neg != 0) int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d, BN_CTX *ctx); # define BN_mod(rem,m,d,ctx) BN_div(NULL,(rem),(m),(d),(ctx)) int BN_nnmod(BIGNUM *r, const BIGNUM *m, const BIGNUM *d, BN_CTX *ctx); int BN_mod_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m, BN_CTX *ctx); int BN_mod_add_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m); int BN_mod_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m, BN_CTX *ctx); int BN_mod_sub_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m); int BN_mod_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m, BN_CTX *ctx); int BN_mod_sqr(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx); int BN_mod_lshift1(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx); int BN_mod_lshift1_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *m); int BN_mod_lshift(BIGNUM *r, const BIGNUM *a, int n, const BIGNUM *m, BN_CTX *ctx); int BN_mod_lshift_quick(BIGNUM *r, const BIGNUM *a, int n, const BIGNUM *m); BN_ULONG BN_mod_word(const BIGNUM *a, BN_ULONG w); BN_ULONG BN_div_word(BIGNUM *a, BN_ULONG w); int BN_mul_word(BIGNUM *a, BN_ULONG w); int BN_add_word(BIGNUM *a, BN_ULONG w); int BN_sub_word(BIGNUM *a, BN_ULONG w); int BN_set_word(BIGNUM *a, BN_ULONG w); BN_ULONG BN_get_word(const BIGNUM *a); int BN_cmp(const BIGNUM *a, const BIGNUM *b); void BN_free(BIGNUM *a); int BN_is_bit_set(const BIGNUM *a, int n); int BN_lshift(BIGNUM *r, const BIGNUM *a, int n); int BN_lshift1(BIGNUM *r, const BIGNUM *a); int BN_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx); int BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx); int BN_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont); int BN_mod_exp_mont_word(BIGNUM *r, BN_ULONG a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); int BN_mod_exp2_mont(BIGNUM *r, const BIGNUM *a1, const BIGNUM *p1, const BIGNUM *a2, const BIGNUM *p2, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); int BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx); int BN_mask_bits(BIGNUM *a, int n); # ifndef OPENSSL_NO_FP_API int BN_print_fp(FILE *fp, const BIGNUM *a); # endif # ifdef HEADER_BIO_H int BN_print(BIO *fp, const BIGNUM *a); # else int BN_print(void *fp, const BIGNUM *a); # endif int BN_reciprocal(BIGNUM *r, const BIGNUM *m, int len, BN_CTX *ctx); int BN_rshift(BIGNUM *r, const BIGNUM *a, int n); int BN_rshift1(BIGNUM *r, const BIGNUM *a); void BN_clear(BIGNUM *a); BIGNUM *BN_dup(const BIGNUM *a); int BN_ucmp(const BIGNUM *a, const BIGNUM *b); int BN_set_bit(BIGNUM *a, int n); int BN_clear_bit(BIGNUM *a, int n); char *BN_bn2hex(const BIGNUM *a); char *BN_bn2dec(const BIGNUM *a); int BN_hex2bn(BIGNUM **a, const char *str); int BN_dec2bn(BIGNUM **a, const char *str); int BN_gcd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); int BN_kronecker(const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); /* returns * -2 for * error */ BIGNUM *BN_mod_inverse(BIGNUM *ret, const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx); BIGNUM *BN_mod_sqrt(BIGNUM *ret, const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx); void BN_consttime_swap(BN_ULONG swap, BIGNUM *a, BIGNUM *b, int nwords); /* Deprecated versions */ # ifndef OPENSSL_NO_DEPRECATED BIGNUM *BN_generate_prime(BIGNUM *ret, int bits, int safe, const BIGNUM *add, const BIGNUM *rem, void (*callback) (int, int, void *), void *cb_arg); int BN_is_prime(const BIGNUM *p, int nchecks, void (*callback) (int, int, void *), BN_CTX *ctx, void *cb_arg); int BN_is_prime_fasttest(const BIGNUM *p, int nchecks, void (*callback) (int, int, void *), BN_CTX *ctx, void *cb_arg, int do_trial_division); # endif /* !defined(OPENSSL_NO_DEPRECATED) */ /* Newer versions */ int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe, const BIGNUM *add, const BIGNUM *rem, BN_GENCB *cb); int BN_is_prime_ex(const BIGNUM *p, int nchecks, BN_CTX *ctx, BN_GENCB *cb); int BN_is_prime_fasttest_ex(const BIGNUM *p, int nchecks, BN_CTX *ctx, int do_trial_division, BN_GENCB *cb); int BN_X931_generate_Xpq(BIGNUM *Xp, BIGNUM *Xq, int nbits, BN_CTX *ctx); int BN_X931_derive_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2, const BIGNUM *Xp, const BIGNUM *Xp1, const BIGNUM *Xp2, const BIGNUM *e, BN_CTX *ctx, BN_GENCB *cb); int BN_X931_generate_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2, BIGNUM *Xp1, BIGNUM *Xp2, const BIGNUM *Xp, const BIGNUM *e, BN_CTX *ctx, BN_GENCB *cb); BN_MONT_CTX *BN_MONT_CTX_new(void); void BN_MONT_CTX_init(BN_MONT_CTX *ctx); int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_MONT_CTX *mont, BN_CTX *ctx); # define BN_to_montgomery(r,a,mont,ctx) BN_mod_mul_montgomery(\ (r),(a),&((mont)->RR),(mont),(ctx)) int BN_from_montgomery(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont, BN_CTX *ctx); void BN_MONT_CTX_free(BN_MONT_CTX *mont); int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx); BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to, BN_MONT_CTX *from); BN_MONT_CTX *BN_MONT_CTX_set_locked(BN_MONT_CTX **pmont, int lock, const BIGNUM *mod, BN_CTX *ctx); /* BN_BLINDING flags */ # define BN_BLINDING_NO_UPDATE 0x00000001 # define BN_BLINDING_NO_RECREATE 0x00000002 BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod); void BN_BLINDING_free(BN_BLINDING *b); int BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx); int BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx); int BN_BLINDING_invert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx); int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, BN_CTX *); int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, BN_CTX *); unsigned long BN_BLINDING_get_thread_id(const BN_BLINDING *); void BN_BLINDING_set_thread_id(BN_BLINDING *, unsigned long); unsigned long BN_BLINDING_get_flags(const BN_BLINDING *); void BN_BLINDING_set_flags(BN_BLINDING *, unsigned long); BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b, const BIGNUM *e, BIGNUM *m, BN_CTX *ctx, int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx), BN_MONT_CTX *m_ctx); # ifndef OPENSSL_NO_DEPRECATED void BN_set_params(int mul, int high, int low, int mont); int BN_get_params(int which); /* 0, mul, 1 high, 2 low, 3 mont */ # endif void BN_RECP_CTX_init(BN_RECP_CTX *recp); BN_RECP_CTX *BN_RECP_CTX_new(void); void BN_RECP_CTX_free(BN_RECP_CTX *recp); int BN_RECP_CTX_set(BN_RECP_CTX *recp, const BIGNUM *rdiv, BN_CTX *ctx); int BN_mod_mul_reciprocal(BIGNUM *r, const BIGNUM *x, const BIGNUM *y, BN_RECP_CTX *recp, BN_CTX *ctx); int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx); int BN_div_recp(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, BN_RECP_CTX *recp, BN_CTX *ctx); /* * Functions for arithmetic over binary polynomials represented by BIGNUMs. * The BIGNUM::neg property of BIGNUMs representing binary polynomials is * ignored. Note that input arguments are not const so that their bit arrays * can be expanded to the appropriate size if needed. */ /* * r = a + b */ int BN_GF2m_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b); # define BN_GF2m_sub(r, a, b) BN_GF2m_add(r, a, b) /* * r=a mod p */ int BN_GF2m_mod(BIGNUM *r, const BIGNUM *a, const BIGNUM *p); /* r = (a * b) mod p */ int BN_GF2m_mod_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *p, BN_CTX *ctx); /* r = (a * a) mod p */ int BN_GF2m_mod_sqr(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx); /* r = (1 / b) mod p */ int BN_GF2m_mod_inv(BIGNUM *r, const BIGNUM *b, const BIGNUM *p, BN_CTX *ctx); /* r = (a / b) mod p */ int BN_GF2m_mod_div(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *p, BN_CTX *ctx); /* r = (a ^ b) mod p */ int BN_GF2m_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *p, BN_CTX *ctx); /* r = sqrt(a) mod p */ int BN_GF2m_mod_sqrt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx); /* r^2 + r = a mod p */ int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx); # define BN_GF2m_cmp(a, b) BN_ucmp((a), (b)) /*- * Some functions allow for representation of the irreducible polynomials * as an unsigned int[], say p. The irreducible f(t) is then of the form: * t^p[0] + t^p[1] + ... + t^p[k] * where m = p[0] > p[1] > ... > p[k] = 0. */ /* r = a mod p */ int BN_GF2m_mod_arr(BIGNUM *r, const BIGNUM *a, const unsigned int p[]); /* r = (a * b) mod p */ int BN_GF2m_mod_mul_arr(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const unsigned int p[], BN_CTX *ctx); /* r = (a * a) mod p */ int BN_GF2m_mod_sqr_arr(BIGNUM *r, const BIGNUM *a, const unsigned int p[], BN_CTX *ctx); /* r = (1 / b) mod p */ int BN_GF2m_mod_inv_arr(BIGNUM *r, const BIGNUM *b, const unsigned int p[], BN_CTX *ctx); /* r = (a / b) mod p */ int BN_GF2m_mod_div_arr(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const unsigned int p[], BN_CTX *ctx); /* r = (a ^ b) mod p */ int BN_GF2m_mod_exp_arr(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const unsigned int p[], BN_CTX *ctx); /* r = sqrt(a) mod p */ int BN_GF2m_mod_sqrt_arr(BIGNUM *r, const BIGNUM *a, const unsigned int p[], BN_CTX *ctx); /* r^2 + r = a mod p */ int BN_GF2m_mod_solve_quad_arr(BIGNUM *r, const BIGNUM *a, const unsigned int p[], BN_CTX *ctx); int BN_GF2m_poly2arr(const BIGNUM *a, unsigned int p[], int max); int BN_GF2m_arr2poly(const unsigned int p[], BIGNUM *a); /* * faster mod functions for the 'NIST primes' 0 <= a < p^2 */ int BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx); int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx); int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx); int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx); int BN_nist_mod_521(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx); const BIGNUM *BN_get0_nist_prime_192(void); const BIGNUM *BN_get0_nist_prime_224(void); const BIGNUM *BN_get0_nist_prime_256(void); const BIGNUM *BN_get0_nist_prime_384(void); const BIGNUM *BN_get0_nist_prime_521(void); - -/* library internal functions */ - -# define bn_expand(a,bits) ((((((bits+BN_BITS2-1))/BN_BITS2)) <= (a)->dmax)?\ - (a):bn_expand2((a),(bits+BN_BITS2-1)/BN_BITS2)) -# define bn_wexpand(a,words) (((words) <= (a)->dmax)?(a):bn_expand2((a),(words))) -BIGNUM *bn_expand2(BIGNUM *a, int words); -# ifndef OPENSSL_NO_DEPRECATED + +/* library internal functions */ + +# define bn_expand(a,bits) \ + ( \ + bits > (INT_MAX - BN_BITS2 + 1) ? \ + NULL \ + : \ + (((bits+BN_BITS2-1)/BN_BITS2) <= (a)->dmax) ? \ + (a) \ + : \ + bn_expand2((a),(bits+BN_BITS2-1)/BN_BITS2) \ + ) + +# define bn_wexpand(a,words) (((words) <= (a)->dmax)?(a):bn_expand2((a),(words))) +BIGNUM *bn_expand2(BIGNUM *a, int words); +# ifndef OPENSSL_NO_DEPRECATED BIGNUM *bn_dup_expand(const BIGNUM *a, int words); /* unused */ # endif /*- * Bignum consistency macros * There is one "API" macro, bn_fix_top(), for stripping leading zeroes from * bignum data after direct manipulations on the data. There is also an * "internal" macro, bn_check_top(), for verifying that there are no leading * zeroes. Unfortunately, some auditing is required due to the fact that * bn_fix_top() has become an overabused duct-tape because bignum data is * occasionally passed around in an inconsistent state. So the following * changes have been made to sort this out; * - bn_fix_top()s implementation has been moved to bn_correct_top() * - if BN_DEBUG isn't defined, bn_fix_top() maps to bn_correct_top(), and * bn_check_top() is as before. * - if BN_DEBUG *is* defined; * - bn_check_top() tries to pollute unused words even if the bignum 'top' is * consistent. (ed: only if BN_DEBUG_RAND is defined) * - bn_fix_top() maps to bn_check_top() rather than "fixing" anything. * The idea is to have debug builds flag up inconsistent bignums when they * occur. If that occurs in a bn_fix_top(), we examine the code in question; if * the use of bn_fix_top() was appropriate (ie. it follows directly after code * that manipulates the bignum) it is converted to bn_correct_top(), and if it * was not appropriate, we convert it permanently to bn_check_top() and track * down the cause of the bug. Eventually, no internal code should be using the * bn_fix_top() macro. External applications and libraries should try this with * their own code too, both in terms of building against the openssl headers * with BN_DEBUG defined *and* linking with a version of OpenSSL built with it * defined. This not only improves external code, it provides more test * coverage for openssl's own code. */ # ifdef BN_DEBUG /* We only need assert() when debugging */ # include # ifdef BN_DEBUG_RAND /* To avoid "make update" cvs wars due to BN_DEBUG, use some tricks */ # ifndef RAND_pseudo_bytes int RAND_pseudo_bytes(unsigned char *buf, int num); # define BN_DEBUG_TRIX # endif # define bn_pollute(a) \ do { \ const BIGNUM *_bnum1 = (a); \ if(_bnum1->top < _bnum1->dmax) { \ unsigned char _tmp_char; \ /* We cast away const without the compiler knowing, any \ * *genuinely* constant variables that aren't mutable \ * wouldn't be constructed with top!=dmax. */ \ BN_ULONG *_not_const; \ memcpy(&_not_const, &_bnum1->d, sizeof(BN_ULONG*)); \ RAND_pseudo_bytes(&_tmp_char, 1); \ memset((unsigned char *)(_not_const + _bnum1->top), _tmp_char, \ (_bnum1->dmax - _bnum1->top) * sizeof(BN_ULONG)); \ } \ } while(0) # ifdef BN_DEBUG_TRIX # undef RAND_pseudo_bytes # endif # else # define bn_pollute(a) # endif # define bn_check_top(a) \ do { \ const BIGNUM *_bnum2 = (a); \ if (_bnum2 != NULL) { \ assert((_bnum2->top == 0) || \ (_bnum2->d[_bnum2->top - 1] != 0)); \ bn_pollute(_bnum2); \ } \ } while(0) # define bn_fix_top(a) bn_check_top(a) # define bn_check_size(bn, bits) bn_wcheck_size(bn, ((bits+BN_BITS2-1))/BN_BITS2) # define bn_wcheck_size(bn, words) \ do { \ const BIGNUM *_bnum2 = (bn); \ assert(words <= (_bnum2)->dmax && words >= (_bnum2)->top); \ } while(0) # else /* !BN_DEBUG */ # define bn_pollute(a) # define bn_check_top(a) # define bn_fix_top(a) bn_correct_top(a) # define bn_check_size(bn, bits) # define bn_wcheck_size(bn, words) # endif # define bn_correct_top(a) \ { \ BN_ULONG *ftl; \ if ((a)->top > 0) \ { \ for (ftl= &((a)->d[(a)->top-1]); (a)->top > 0; (a)->top--) \ if (*(ftl--)) break; \ } \ bn_pollute(a); \ } BN_ULONG bn_mul_add_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w); BN_ULONG bn_mul_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w); void bn_sqr_words(BN_ULONG *rp, const BN_ULONG *ap, int num); BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d); BN_ULONG bn_add_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, int num); BN_ULONG bn_sub_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, int num); /* Primes from RFC 2409 */ BIGNUM *get_rfc2409_prime_768(BIGNUM *bn); BIGNUM *get_rfc2409_prime_1024(BIGNUM *bn); /* Primes from RFC 3526 */ BIGNUM *get_rfc3526_prime_1536(BIGNUM *bn); BIGNUM *get_rfc3526_prime_2048(BIGNUM *bn); BIGNUM *get_rfc3526_prime_3072(BIGNUM *bn); BIGNUM *get_rfc3526_prime_4096(BIGNUM *bn); BIGNUM *get_rfc3526_prime_6144(BIGNUM *bn); BIGNUM *get_rfc3526_prime_8192(BIGNUM *bn); int BN_bntest_rand(BIGNUM *rnd, int bits, int top, int bottom); /* BEGIN ERROR CODES */ /* * The following lines are auto generated by the script mkerr.pl. Any changes * made after this point may be overwritten when the script is next run. */ void ERR_load_BN_strings(void); /* Error codes for the BN functions. */ /* Function codes. */ # define BN_F_BNRAND 127 # define BN_F_BN_BLINDING_CONVERT_EX 100 # define BN_F_BN_BLINDING_CREATE_PARAM 128 # define BN_F_BN_BLINDING_INVERT_EX 101 # define BN_F_BN_BLINDING_NEW 102 # define BN_F_BN_BLINDING_UPDATE 103 # define BN_F_BN_BN2DEC 104 # define BN_F_BN_BN2HEX 105 # define BN_F_BN_CTX_GET 116 # define BN_F_BN_CTX_NEW 106 # define BN_F_BN_CTX_START 129 # define BN_F_BN_DIV 107 # define BN_F_BN_DIV_NO_BRANCH 138 # define BN_F_BN_DIV_RECP 130 # define BN_F_BN_EXP 123 # define BN_F_BN_EXPAND2 108 # define BN_F_BN_EXPAND_INTERNAL 120 # define BN_F_BN_GF2M_MOD 131 # define BN_F_BN_GF2M_MOD_EXP 132 # define BN_F_BN_GF2M_MOD_MUL 133 # define BN_F_BN_GF2M_MOD_SOLVE_QUAD 134 # define BN_F_BN_GF2M_MOD_SOLVE_QUAD_ARR 135 # define BN_F_BN_GF2M_MOD_SQR 136 # define BN_F_BN_GF2M_MOD_SQRT 137 # define BN_F_BN_LSHIFT 145 # define BN_F_BN_MOD_EXP2_MONT 118 # define BN_F_BN_MOD_EXP_MONT 109 # define BN_F_BN_MOD_EXP_MONT_CONSTTIME 124 # define BN_F_BN_MOD_EXP_MONT_WORD 117 # define BN_F_BN_MOD_EXP_RECP 125 # define BN_F_BN_MOD_EXP_SIMPLE 126 # define BN_F_BN_MOD_INVERSE 110 # define BN_F_BN_MOD_INVERSE_NO_BRANCH 139 # define BN_F_BN_MOD_LSHIFT_QUICK 119 # define BN_F_BN_MOD_MUL_RECIPROCAL 111 # define BN_F_BN_MOD_SQRT 121 # define BN_F_BN_MPI2BN 112 # define BN_F_BN_NEW 113 # define BN_F_BN_RAND 114 # define BN_F_BN_RAND_RANGE 122 # define BN_F_BN_RSHIFT 146 # define BN_F_BN_USUB 115 /* Reason codes. */ # define BN_R_ARG2_LT_ARG3 100 # define BN_R_BAD_RECIPROCAL 101 # define BN_R_BIGNUM_TOO_LONG 114 # define BN_R_BITS_TOO_SMALL 118 # define BN_R_CALLED_WITH_EVEN_MODULUS 102 # define BN_R_DIV_BY_ZERO 103 # define BN_R_ENCODING_ERROR 104 # define BN_R_EXPAND_ON_STATIC_BIGNUM_DATA 105 # define BN_R_INPUT_NOT_REDUCED 110 # define BN_R_INVALID_LENGTH 106 # define BN_R_INVALID_RANGE 115 # define BN_R_INVALID_SHIFT 119 # define BN_R_NOT_A_SQUARE 111 # define BN_R_NOT_INITIALIZED 107 # define BN_R_NO_INVERSE 108 # define BN_R_NO_SOLUTION 116 # define BN_R_P_IS_NOT_PRIME 112 # define BN_R_TOO_MANY_ITERATIONS 113 # define BN_R_TOO_MANY_TEMPORARY_VARIABLES 109 #ifdef __cplusplus } #endif #endif Index: stable/9/crypto/openssl/crypto/bn/bn_exp.c =================================================================== --- stable/9/crypto/openssl/crypto/bn/bn_exp.c (revision 296461) +++ stable/9/crypto/openssl/crypto/bn/bn_exp.c (revision 296462) @@ -1,1007 +1,1046 @@ /* crypto/bn/bn_exp.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ /* ==================================================================== * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * openssl-core@openssl.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.openssl.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * - */ - -#include "cryptlib.h" -#include "bn_lcl.h" - -/* maximum precomputation table size for *variable* sliding windows */ + */ + +#include "cryptlib.h" +#include "constant_time_locl.h" +#include "bn_lcl.h" + +/* maximum precomputation table size for *variable* sliding windows */ #define TABLE_SIZE 32 /* this one works - simple but works */ int BN_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) { int i, bits, ret = 0; BIGNUM *v, *rr; if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0) { /* BN_FLG_CONSTTIME only supported by BN_mod_exp_mont() */ BNerr(BN_F_BN_EXP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return -1; } BN_CTX_start(ctx); if ((r == a) || (r == p)) rr = BN_CTX_get(ctx); else rr = r; v = BN_CTX_get(ctx); if (rr == NULL || v == NULL) goto err; if (BN_copy(v, a) == NULL) goto err; bits = BN_num_bits(p); if (BN_is_odd(p)) { if (BN_copy(rr, a) == NULL) goto err; } else { if (!BN_one(rr)) goto err; } for (i = 1; i < bits; i++) { if (!BN_sqr(v, v, ctx)) goto err; if (BN_is_bit_set(p, i)) { if (!BN_mul(rr, rr, v, ctx)) goto err; } } ret = 1; err: if (r != rr) BN_copy(r, rr); BN_CTX_end(ctx); bn_check_top(r); return (ret); } int BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx) { int ret; bn_check_top(a); bn_check_top(p); bn_check_top(m); /*- * For even modulus m = 2^k*m_odd, it might make sense to compute * a^p mod m_odd and a^p mod 2^k separately (with Montgomery * exponentiation for the odd part), using appropriate exponent * reductions, and combine the results using the CRT. * * For now, we use Montgomery only if the modulus is odd; otherwise, * exponentiation using the reciprocal-based quick remaindering * algorithm is used. * * (Timing obtained with expspeed.c [computations a^p mod m * where a, p, m are of the same length: 256, 512, 1024, 2048, * 4096, 8192 bits], compared to the running time of the * standard algorithm: * * BN_mod_exp_mont 33 .. 40 % [AMD K6-2, Linux, debug configuration] * 55 .. 77 % [UltraSparc processor, but * debug-solaris-sparcv8-gcc conf.] * * BN_mod_exp_recp 50 .. 70 % [AMD K6-2, Linux, debug configuration] * 62 .. 118 % [UltraSparc, debug-solaris-sparcv8-gcc] * * On the Sparc, BN_mod_exp_recp was faster than BN_mod_exp_mont * at 2048 and more bits, but at 512 and 1024 bits, it was * slower even than the standard algorithm! * * "Real" timings [linux-elf, solaris-sparcv9-gcc configurations] * should be obtained when the new Montgomery reduction code * has been integrated into OpenSSL.) */ #define MONT_MUL_MOD #define MONT_EXP_WORD #define RECP_MUL_MOD #ifdef MONT_MUL_MOD /* * I have finally been able to take out this pre-condition of the top bit * being set. It was caused by an error in BN_div with negatives. There * was also another problem when for a^b%m a >= m. eay 07-May-97 */ /* if ((m->d[m->top-1]&BN_TBIT) && BN_is_odd(m)) */ if (BN_is_odd(m)) { # ifdef MONT_EXP_WORD if (a->top == 1 && !a->neg && (BN_get_flags(p, BN_FLG_CONSTTIME) == 0)) { BN_ULONG A = a->d[0]; ret = BN_mod_exp_mont_word(r, A, p, m, ctx, NULL); } else # endif ret = BN_mod_exp_mont(r, a, p, m, ctx, NULL); } else #endif #ifdef RECP_MUL_MOD { ret = BN_mod_exp_recp(r, a, p, m, ctx); } #else { ret = BN_mod_exp_simple(r, a, p, m, ctx); } #endif bn_check_top(r); return (ret); } int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx) { int i, j, bits, ret = 0, wstart, wend, window, wvalue; int start = 1; BIGNUM *aa; /* Table of variables obtained from 'ctx' */ BIGNUM *val[TABLE_SIZE]; BN_RECP_CTX recp; if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0) { /* BN_FLG_CONSTTIME only supported by BN_mod_exp_mont() */ BNerr(BN_F_BN_MOD_EXP_RECP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return -1; } bits = BN_num_bits(p); if (bits == 0) { ret = BN_one(r); return ret; } BN_CTX_start(ctx); aa = BN_CTX_get(ctx); val[0] = BN_CTX_get(ctx); if (!aa || !val[0]) goto err; BN_RECP_CTX_init(&recp); if (m->neg) { /* ignore sign of 'm' */ if (!BN_copy(aa, m)) goto err; aa->neg = 0; if (BN_RECP_CTX_set(&recp, aa, ctx) <= 0) goto err; } else { if (BN_RECP_CTX_set(&recp, m, ctx) <= 0) goto err; } if (!BN_nnmod(val[0], a, m, ctx)) goto err; /* 1 */ if (BN_is_zero(val[0])) { BN_zero(r); ret = 1; goto err; } window = BN_window_bits_for_exponent_size(bits); if (window > 1) { if (!BN_mod_mul_reciprocal(aa, val[0], val[0], &recp, ctx)) goto err; /* 2 */ j = 1 << (window - 1); for (i = 1; i < j; i++) { if (((val[i] = BN_CTX_get(ctx)) == NULL) || !BN_mod_mul_reciprocal(val[i], val[i - 1], aa, &recp, ctx)) goto err; } } start = 1; /* This is used to avoid multiplication etc * when there is only the value '1' in the * buffer. */ wvalue = 0; /* The 'value' of the window */ wstart = bits - 1; /* The top bit of the window */ wend = 0; /* The bottom bit of the window */ if (!BN_one(r)) goto err; for (;;) { if (BN_is_bit_set(p, wstart) == 0) { if (!start) if (!BN_mod_mul_reciprocal(r, r, r, &recp, ctx)) goto err; if (wstart == 0) break; wstart--; continue; } /* * We now have wstart on a 'set' bit, we now need to work out how bit * a window to do. To do this we need to scan forward until the last * set bit before the end of the window */ j = wstart; wvalue = 1; wend = 0; for (i = 1; i < window; i++) { if (wstart - i < 0) break; if (BN_is_bit_set(p, wstart - i)) { wvalue <<= (i - wend); wvalue |= 1; wend = i; } } /* wend is the size of the current window */ j = wend + 1; /* add the 'bytes above' */ if (!start) for (i = 0; i < j; i++) { if (!BN_mod_mul_reciprocal(r, r, r, &recp, ctx)) goto err; } /* wvalue will be an odd number < 2^window */ if (!BN_mod_mul_reciprocal(r, r, val[wvalue >> 1], &recp, ctx)) goto err; /* move the 'window' down further */ wstart -= wend + 1; wvalue = 0; start = 0; if (wstart < 0) break; } ret = 1; err: BN_CTX_end(ctx); BN_RECP_CTX_free(&recp); bn_check_top(r); return (ret); } int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont) { int i, j, bits, ret = 0, wstart, wend, window, wvalue; int start = 1; BIGNUM *d, *r; const BIGNUM *aa; /* Table of variables obtained from 'ctx' */ BIGNUM *val[TABLE_SIZE]; BN_MONT_CTX *mont = NULL; if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0) { return BN_mod_exp_mont_consttime(rr, a, p, m, ctx, in_mont); } bn_check_top(a); bn_check_top(p); bn_check_top(m); if (!BN_is_odd(m)) { BNerr(BN_F_BN_MOD_EXP_MONT, BN_R_CALLED_WITH_EVEN_MODULUS); return (0); } bits = BN_num_bits(p); if (bits == 0) { ret = BN_one(rr); return ret; } BN_CTX_start(ctx); d = BN_CTX_get(ctx); r = BN_CTX_get(ctx); val[0] = BN_CTX_get(ctx); if (!d || !r || !val[0]) goto err; /* * If this is not done, things will break in the montgomery part */ if (in_mont != NULL) mont = in_mont; else { if ((mont = BN_MONT_CTX_new()) == NULL) goto err; if (!BN_MONT_CTX_set(mont, m, ctx)) goto err; } if (a->neg || BN_ucmp(a, m) >= 0) { if (!BN_nnmod(val[0], a, m, ctx)) goto err; aa = val[0]; } else aa = a; if (BN_is_zero(aa)) { BN_zero(rr); ret = 1; goto err; } if (!BN_to_montgomery(val[0], aa, mont, ctx)) goto err; /* 1 */ window = BN_window_bits_for_exponent_size(bits); if (window > 1) { if (!BN_mod_mul_montgomery(d, val[0], val[0], mont, ctx)) goto err; /* 2 */ j = 1 << (window - 1); for (i = 1; i < j; i++) { if (((val[i] = BN_CTX_get(ctx)) == NULL) || !BN_mod_mul_montgomery(val[i], val[i - 1], d, mont, ctx)) goto err; } } start = 1; /* This is used to avoid multiplication etc * when there is only the value '1' in the * buffer. */ wvalue = 0; /* The 'value' of the window */ wstart = bits - 1; /* The top bit of the window */ wend = 0; /* The bottom bit of the window */ if (!BN_to_montgomery(r, BN_value_one(), mont, ctx)) goto err; for (;;) { if (BN_is_bit_set(p, wstart) == 0) { if (!start) { if (!BN_mod_mul_montgomery(r, r, r, mont, ctx)) goto err; } if (wstart == 0) break; wstart--; continue; } /* * We now have wstart on a 'set' bit, we now need to work out how bit * a window to do. To do this we need to scan forward until the last * set bit before the end of the window */ j = wstart; wvalue = 1; wend = 0; for (i = 1; i < window; i++) { if (wstart - i < 0) break; if (BN_is_bit_set(p, wstart - i)) { wvalue <<= (i - wend); wvalue |= 1; wend = i; } } /* wend is the size of the current window */ j = wend + 1; /* add the 'bytes above' */ if (!start) for (i = 0; i < j; i++) { if (!BN_mod_mul_montgomery(r, r, r, mont, ctx)) goto err; } /* wvalue will be an odd number < 2^window */ if (!BN_mod_mul_montgomery(r, r, val[wvalue >> 1], mont, ctx)) goto err; /* move the 'window' down further */ wstart -= wend + 1; wvalue = 0; start = 0; if (wstart < 0) break; } if (!BN_from_montgomery(rr, r, mont, ctx)) goto err; ret = 1; err: if ((in_mont == NULL) && (mont != NULL)) BN_MONT_CTX_free(mont); BN_CTX_end(ctx); bn_check_top(rr); return (ret); } /* * BN_mod_exp_mont_consttime() stores the precomputed powers in a specific * layout so that accessing any of these table values shows the same access * pattern as far as cache lines are concerned. The following functions are * used to transfer a BIGNUM from/to that table. */ - -static int MOD_EXP_CTIME_COPY_TO_PREBUF(BIGNUM *b, int top, - unsigned char *buf, int idx, - int width) -{ - size_t i, j; - - if (bn_wexpand(b, top) == NULL) - return 0; + +static int MOD_EXP_CTIME_COPY_TO_PREBUF(BIGNUM *b, int top, + unsigned char *buf, int idx, + int window) +{ + int i, j; + int width = 1 << window; + BN_ULONG *table = (BN_ULONG *)buf; + + if (bn_wexpand(b, top) == NULL) + return 0; while (b->top < top) { - b->d[b->top++] = 0; - } - - for (i = 0, j = idx; i < top * sizeof b->d[0]; i++, j += width) { - buf[j] = ((unsigned char *)b->d)[i]; - } - - bn_correct_top(b); + b->d[b->top++] = 0; + } + + for (i = 0, j = idx; i < top; i++, j += width) { + table[j] = b->d[i]; + } + + bn_correct_top(b); return 1; } - -static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top, - unsigned char *buf, int idx, - int width) -{ - size_t i, j; - - if (bn_wexpand(b, top) == NULL) - return 0; - - for (i = 0, j = idx; i < top * sizeof b->d[0]; i++, j += width) { - ((unsigned char *)b->d)[i] = buf[j]; - } - - b->top = top; + +static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top, + unsigned char *buf, int idx, + int window) +{ + int i, j; + int width = 1 << window; + volatile BN_ULONG *table = (volatile BN_ULONG *)buf; + + if (bn_wexpand(b, top) == NULL) + return 0; + + if (window <= 3) { + for (i = 0; i < top; i++, table += width) { + BN_ULONG acc = 0; + + for (j = 0; j < width; j++) { + acc |= table[j] & + ((BN_ULONG)0 - (constant_time_eq_int(j,idx)&1)); + } + + b->d[i] = acc; + } + } else { + int xstride = 1 << (window - 2); + BN_ULONG y0, y1, y2, y3; + + i = idx >> (window - 2); /* equivalent of idx / xstride */ + idx &= xstride - 1; /* equivalent of idx % xstride */ + + y0 = (BN_ULONG)0 - (constant_time_eq_int(i,0)&1); + y1 = (BN_ULONG)0 - (constant_time_eq_int(i,1)&1); + y2 = (BN_ULONG)0 - (constant_time_eq_int(i,2)&1); + y3 = (BN_ULONG)0 - (constant_time_eq_int(i,3)&1); + + for (i = 0; i < top; i++, table += width) { + BN_ULONG acc = 0; + + for (j = 0; j < xstride; j++) { + acc |= ( (table[j + 0 * xstride] & y0) | + (table[j + 1 * xstride] & y1) | + (table[j + 2 * xstride] & y2) | + (table[j + 3 * xstride] & y3) ) + & ((BN_ULONG)0 - (constant_time_eq_int(j,idx)&1)); + } + + b->d[i] = acc; + } + } + + b->top = top; bn_correct_top(b); return 1; } /* * Given a pointer value, compute the next address that is a cache line * multiple. */ #define MOD_EXP_CTIME_ALIGN(x_) \ ((unsigned char*)(x_) + (MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH - (((BN_ULONG)(x_)) & (MOD_EXP_CTIME_MIN_CACHE_LINE_MASK)))) /* * This variant of BN_mod_exp_mont() uses fixed windows and the special * precomputation memory layout to limit data-dependency to a minimum to * protect secret exponents (cf. the hyper-threading timing attacks pointed * out by Colin Percival, * http://www.daemong-consideredperthreading-considered-harmful/) */ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont) { int i, bits, ret = 0, idx, window, wvalue; int top; BIGNUM *r; const BIGNUM *aa; BN_MONT_CTX *mont = NULL; int numPowers; unsigned char *powerbufFree = NULL; int powerbufLen = 0; unsigned char *powerbuf = NULL; BIGNUM *computeTemp = NULL, *am = NULL; bn_check_top(a); bn_check_top(p); bn_check_top(m); top = m->top; if (!(m->d[0] & 1)) { BNerr(BN_F_BN_MOD_EXP_MONT_CONSTTIME, BN_R_CALLED_WITH_EVEN_MODULUS); return (0); } bits = BN_num_bits(p); if (bits == 0) { ret = BN_one(rr); return ret; } /* Initialize BIGNUM context and allocate intermediate result */ BN_CTX_start(ctx); r = BN_CTX_get(ctx); if (r == NULL) goto err; /* * Allocate a montgomery context if it was not supplied by the caller. If * this is not done, things will break in the montgomery part. */ if (in_mont != NULL) mont = in_mont; else { if ((mont = BN_MONT_CTX_new()) == NULL) goto err; if (!BN_MONT_CTX_set(mont, m, ctx)) goto err; } /* Get the window size to use with size of p. */ window = BN_window_bits_for_ctime_exponent_size(bits); /* * Allocate a buffer large enough to hold all of the pre-computed powers * of a. */ numPowers = 1 << window; powerbufLen = sizeof(m->d[0]) * top * numPowers; if ((powerbufFree = (unsigned char *)OPENSSL_malloc(powerbufLen + MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH)) == NULL) goto err; powerbuf = MOD_EXP_CTIME_ALIGN(powerbufFree); memset(powerbuf, 0, powerbufLen); /* * Initialize the intermediate result. Do this early to save double * conversion, once each for a^0 and intermediate result. - */ - if (!BN_to_montgomery(r, BN_value_one(), mont, ctx)) - goto err; - if (!MOD_EXP_CTIME_COPY_TO_PREBUF(r, top, powerbuf, 0, numPowers)) - goto err; - - /* Initialize computeTemp as a^1 with montgomery precalcs */ + */ + if (!BN_to_montgomery(r, BN_value_one(), mont, ctx)) + goto err; + if (!MOD_EXP_CTIME_COPY_TO_PREBUF(r, top, powerbuf, 0, window)) + goto err; + + /* Initialize computeTemp as a^1 with montgomery precalcs */ computeTemp = BN_CTX_get(ctx); am = BN_CTX_get(ctx); if (computeTemp == NULL || am == NULL) goto err; if (a->neg || BN_ucmp(a, m) >= 0) { if (!BN_mod(am, a, m, ctx)) goto err; aa = am; } else aa = a; if (!BN_to_montgomery(am, aa, mont, ctx)) - goto err; - if (!BN_copy(computeTemp, am)) - goto err; - if (!MOD_EXP_CTIME_COPY_TO_PREBUF(am, top, powerbuf, 1, numPowers)) - goto err; - - /* + goto err; + if (!BN_copy(computeTemp, am)) + goto err; + if (!MOD_EXP_CTIME_COPY_TO_PREBUF(am, top, powerbuf, 1, window)) + goto err; + + /* * If the window size is greater than 1, then calculate * val[i=2..2^winsize-1]. Powers are computed as a*a^(i-1) (even powers * could instead be computed as (a^(i/2))^2 to use the slight performance * advantage of sqr over mul). */ if (window > 1) { for (i = 2; i < numPowers; i++) { /* Calculate a^i = a^(i-1) * a */ - if (!BN_mod_mul_montgomery - (computeTemp, am, computeTemp, mont, ctx)) - goto err; - if (!MOD_EXP_CTIME_COPY_TO_PREBUF - (computeTemp, top, powerbuf, i, numPowers)) - goto err; - } - } + if (!BN_mod_mul_montgomery + (computeTemp, am, computeTemp, mont, ctx)) + goto err; + if (!MOD_EXP_CTIME_COPY_TO_PREBUF(computeTemp, top, powerbuf, i, + window)) + goto err; + } + } /* * Adjust the number of bits up to a multiple of the window size. If the * exponent length is not a multiple of the window size, then this pads * the most significant bits with zeros to normalize the scanning loop to * there's no special cases. * NOTE: Making the window size a power of * two less than the native * word size ensures that the padded bits * won't go past the last * word in the internal BIGNUM structure. Going * past the end will * still produce the correct result, but causes a * different branch * to be taken in the BN_is_bit_set function. */ bits = ((bits + window - 1) / window) * window; idx = bits - 1; /* The top bit of the window */ /* * Scan the exponent one window at a time starting from the most * significant bits. */ while (idx >= 0) { wvalue = 0; /* The 'value' of the window */ /* Scan the window, squaring the result as we go */ for (i = 0; i < window; i++, idx--) { if (!BN_mod_mul_montgomery(r, r, r, mont, ctx)) goto err; wvalue = (wvalue << 1) + BN_is_bit_set(p, idx); } /* * Fetch the appropriate pre-computed value from the pre-buf */ if (!MOD_EXP_CTIME_COPY_FROM_PREBUF (computeTemp, top, powerbuf, wvalue, numPowers)) goto err; /* Multiply the result into the intermediate result */ if (!BN_mod_mul_montgomery(r, r, computeTemp, mont, ctx)) goto err; } /* Convert the final result from montgomery to standard format */ if (!BN_from_montgomery(rr, r, mont, ctx)) goto err; ret = 1; err: if ((in_mont == NULL) && (mont != NULL)) BN_MONT_CTX_free(mont); if (powerbuf != NULL) { OPENSSL_cleanse(powerbuf, powerbufLen); OPENSSL_free(powerbufFree); } if (am != NULL) BN_clear(am); if (computeTemp != NULL) BN_clear(computeTemp); BN_CTX_end(ctx); return (ret); } int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont) { BN_MONT_CTX *mont = NULL; int b, bits, ret = 0; int r_is_one; BN_ULONG w, next_w; BIGNUM *d, *r, *t; BIGNUM *swap_tmp; #define BN_MOD_MUL_WORD(r, w, m) \ (BN_mul_word(r, (w)) && \ (/* BN_ucmp(r, (m)) < 0 ? 1 :*/ \ (BN_mod(t, r, m, ctx) && (swap_tmp = r, r = t, t = swap_tmp, 1)))) /* * BN_MOD_MUL_WORD is only used with 'w' large, so the BN_ucmp test is * probably more overhead than always using BN_mod (which uses BN_copy if * a similar test returns true). */ /* * We can use BN_mod and do not need BN_nnmod because our accumulator is * never negative (the result of BN_mod does not depend on the sign of * the modulus). */ #define BN_TO_MONTGOMERY_WORD(r, w, mont) \ (BN_set_word(r, (w)) && BN_to_montgomery(r, r, (mont), ctx)) if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0) { /* BN_FLG_CONSTTIME only supported by BN_mod_exp_mont() */ BNerr(BN_F_BN_MOD_EXP_MONT_WORD, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return -1; } bn_check_top(p); bn_check_top(m); if (!BN_is_odd(m)) { BNerr(BN_F_BN_MOD_EXP_MONT_WORD, BN_R_CALLED_WITH_EVEN_MODULUS); return (0); } if (m->top == 1) a %= m->d[0]; /* make sure that 'a' is reduced */ bits = BN_num_bits(p); if (bits == 0) { /* x**0 mod 1 is still zero. */ if (BN_is_one(m)) { ret = 1; BN_zero(rr); } else ret = BN_one(rr); return ret; } if (a == 0) { BN_zero(rr); ret = 1; return ret; } BN_CTX_start(ctx); d = BN_CTX_get(ctx); r = BN_CTX_get(ctx); t = BN_CTX_get(ctx); if (d == NULL || r == NULL || t == NULL) goto err; if (in_mont != NULL) mont = in_mont; else { if ((mont = BN_MONT_CTX_new()) == NULL) goto err; if (!BN_MONT_CTX_set(mont, m, ctx)) goto err; } r_is_one = 1; /* except for Montgomery factor */ /* bits-1 >= 0 */ /* The result is accumulated in the product r*w. */ w = a; /* bit 'bits-1' of 'p' is always set */ for (b = bits - 2; b >= 0; b--) { /* First, square r*w. */ next_w = w * w; if ((next_w / w) != w) { /* overflow */ if (r_is_one) { if (!BN_TO_MONTGOMERY_WORD(r, w, mont)) goto err; r_is_one = 0; } else { if (!BN_MOD_MUL_WORD(r, w, m)) goto err; } next_w = 1; } w = next_w; if (!r_is_one) { if (!BN_mod_mul_montgomery(r, r, r, mont, ctx)) goto err; } /* Second, multiply r*w by 'a' if exponent bit is set. */ if (BN_is_bit_set(p, b)) { next_w = w * a; if ((next_w / a) != w) { /* overflow */ if (r_is_one) { if (!BN_TO_MONTGOMERY_WORD(r, w, mont)) goto err; r_is_one = 0; } else { if (!BN_MOD_MUL_WORD(r, w, m)) goto err; } next_w = a; } w = next_w; } } /* Finally, set r:=r*w. */ if (w != 1) { if (r_is_one) { if (!BN_TO_MONTGOMERY_WORD(r, w, mont)) goto err; r_is_one = 0; } else { if (!BN_MOD_MUL_WORD(r, w, m)) goto err; } } if (r_is_one) { /* can happen only if a == 1 */ if (!BN_one(rr)) goto err; } else { if (!BN_from_montgomery(rr, r, mont, ctx)) goto err; } ret = 1; err: if ((in_mont == NULL) && (mont != NULL)) BN_MONT_CTX_free(mont); BN_CTX_end(ctx); bn_check_top(rr); return (ret); } /* The old fallback, simple version :-) */ int BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx) { int i, j, bits, ret = 0, wstart, wend, window, wvalue; int start = 1; BIGNUM *d; /* Table of variables obtained from 'ctx' */ BIGNUM *val[TABLE_SIZE]; if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0) { /* BN_FLG_CONSTTIME only supported by BN_mod_exp_mont() */ BNerr(BN_F_BN_MOD_EXP_SIMPLE, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return -1; } bits = BN_num_bits(p); if (bits == 0) { ret = BN_one(r); return ret; } BN_CTX_start(ctx); d = BN_CTX_get(ctx); val[0] = BN_CTX_get(ctx); if (!d || !val[0]) goto err; if (!BN_nnmod(val[0], a, m, ctx)) goto err; /* 1 */ if (BN_is_zero(val[0])) { BN_zero(r); ret = 1; goto err; } window = BN_window_bits_for_exponent_size(bits); if (window > 1) { if (!BN_mod_mul(d, val[0], val[0], m, ctx)) goto err; /* 2 */ j = 1 << (window - 1); for (i = 1; i < j; i++) { if (((val[i] = BN_CTX_get(ctx)) == NULL) || !BN_mod_mul(val[i], val[i - 1], d, m, ctx)) goto err; } } start = 1; /* This is used to avoid multiplication etc * when there is only the value '1' in the * buffer. */ wvalue = 0; /* The 'value' of the window */ wstart = bits - 1; /* The top bit of the window */ wend = 0; /* The bottom bit of the window */ if (!BN_one(r)) goto err; for (;;) { if (BN_is_bit_set(p, wstart) == 0) { if (!start) if (!BN_mod_mul(r, r, r, m, ctx)) goto err; if (wstart == 0) break; wstart--; continue; } /* * We now have wstart on a 'set' bit, we now need to work out how bit * a window to do. To do this we need to scan forward until the last * set bit before the end of the window */ j = wstart; wvalue = 1; wend = 0; for (i = 1; i < window; i++) { if (wstart - i < 0) break; if (BN_is_bit_set(p, wstart - i)) { wvalue <<= (i - wend); wvalue |= 1; wend = i; } } /* wend is the size of the current window */ j = wend + 1; /* add the 'bytes above' */ if (!start) for (i = 0; i < j; i++) { if (!BN_mod_mul(r, r, r, m, ctx)) goto err; } /* wvalue will be an odd number < 2^window */ if (!BN_mod_mul(r, r, val[wvalue >> 1], m, ctx)) goto err; /* move the 'window' down further */ wstart -= wend + 1; wvalue = 0; start = 0; if (wstart < 0) break; } ret = 1; err: BN_CTX_end(ctx); bn_check_top(r); return (ret); } Index: stable/9/crypto/openssl/crypto/bn/bn_print.c =================================================================== --- stable/9/crypto/openssl/crypto/bn/bn_print.c (revision 296461) +++ stable/9/crypto/openssl/crypto/bn/bn_print.c (revision 296462) @@ -1,352 +1,361 @@ /* crypto/bn/bn_print.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ + +#include +#include +#include +#include "cryptlib.h" +#include +#include "bn_lcl.h" -#include -#include -#include "cryptlib.h" -#include -#include "bn_lcl.h" - static const char Hex[] = "0123456789ABCDEF"; /* Must 'OPENSSL_free' the returned data */ char *BN_bn2hex(const BIGNUM *a) { int i, j, v, z = 0; char *buf; char *p; if (a->neg && BN_is_zero(a)) { /* "-0" == 3 bytes including NULL terminator */ buf = OPENSSL_malloc(3); } else { buf = OPENSSL_malloc(a->top * BN_BYTES * 2 + 2); } if (buf == NULL) { BNerr(BN_F_BN_BN2HEX, ERR_R_MALLOC_FAILURE); goto err; } p = buf; if (a->neg) *(p++) = '-'; if (BN_is_zero(a)) *(p++) = '0'; for (i = a->top - 1; i >= 0; i--) { for (j = BN_BITS2 - 8; j >= 0; j -= 8) { /* strip leading zeros */ v = ((int)(a->d[i] >> (long)j)) & 0xff; if (z || (v != 0)) { *(p++) = Hex[v >> 4]; *(p++) = Hex[v & 0x0f]; z = 1; } } } *p = '\0'; err: return (buf); } /* Must 'OPENSSL_free' the returned data */ char *BN_bn2dec(const BIGNUM *a) { int i = 0, num, ok = 0; char *buf = NULL; char *p; BIGNUM *t = NULL; BN_ULONG *bn_data = NULL, *lp; /*- * get an upper bound for the length of the decimal integer * num <= (BN_num_bits(a) + 1) * log(2) * <= 3 * BN_num_bits(a) * 0.1001 + log(2) + 1 (rounding error) * <= BN_num_bits(a)/10 + BN_num_bits/1000 + 1 + 1 */ i = BN_num_bits(a) * 3; num = (i / 10 + i / 1000 + 1) + 1; bn_data = (BN_ULONG *)OPENSSL_malloc((num / BN_DEC_NUM + 1) * sizeof(BN_ULONG)); buf = (char *)OPENSSL_malloc(num + 3); if ((buf == NULL) || (bn_data == NULL)) { BNerr(BN_F_BN_BN2DEC, ERR_R_MALLOC_FAILURE); goto err; } if ((t = BN_dup(a)) == NULL) goto err; #define BUF_REMAIN (num+3 - (size_t)(p - buf)) p = buf; lp = bn_data; if (BN_is_zero(t)) { *(p++) = '0'; *(p++) = '\0'; } else { if (BN_is_negative(t)) *p++ = '-'; i = 0; while (!BN_is_zero(t)) { *lp = BN_div_word(t, BN_DEC_CONV); lp++; } lp--; /* * We now have a series of blocks, BN_DEC_NUM chars in length, where * the last one needs truncation. The blocks need to be reversed in * order. */ BIO_snprintf(p, BUF_REMAIN, BN_DEC_FMT1, *lp); while (*p) p++; while (lp != bn_data) { lp--; BIO_snprintf(p, BUF_REMAIN, BN_DEC_FMT2, *lp); while (*p) p++; } } ok = 1; err: if (bn_data != NULL) OPENSSL_free(bn_data); if (t != NULL) BN_free(t); if (!ok && buf) { OPENSSL_free(buf); buf = NULL; } return (buf); } int BN_hex2bn(BIGNUM **bn, const char *a) { BIGNUM *ret = NULL; BN_ULONG l = 0; int neg = 0, h, m, i, j, k, c; int num; if ((a == NULL) || (*a == '\0')) return (0); if (*a == '-') { neg = 1; - a++; - } + a++; + } + + for (i = 0; i <= (INT_MAX/4) && isxdigit((unsigned char)a[i]); i++) + continue; + + if (i > INT_MAX/4) + goto err; + + num = i + neg; + if (bn == NULL) + return (num); - for (i = 0; isxdigit((unsigned char)a[i]); i++) ; - - num = i + neg; - if (bn == NULL) - return (num); - /* a is the start of the hex digits, and it is 'i' long */ if (*bn == NULL) { if ((ret = BN_new()) == NULL) return (0); } else { ret = *bn; - BN_zero(ret); - } - - /* i is the number of hex digests; */ - if (bn_expand(ret, i * 4) == NULL) - goto err; - + BN_zero(ret); + } + + /* i is the number of hex digits */ + if (bn_expand(ret, i * 4) == NULL) + goto err; + j = i; /* least significant 'hex' */ m = 0; h = 0; while (j > 0) { m = ((BN_BYTES * 2) <= j) ? (BN_BYTES * 2) : j; l = 0; for (;;) { c = a[j - m]; if ((c >= '0') && (c <= '9')) k = c - '0'; else if ((c >= 'a') && (c <= 'f')) k = c - 'a' + 10; else if ((c >= 'A') && (c <= 'F')) k = c - 'A' + 10; else k = 0; /* paranoia */ l = (l << 4) | k; if (--m <= 0) { ret->d[h++] = l; break; } } j -= (BN_BYTES * 2); } ret->top = h; bn_correct_top(ret); ret->neg = neg; *bn = ret; bn_check_top(ret); return (num); err: if (*bn == NULL) BN_free(ret); return (0); } int BN_dec2bn(BIGNUM **bn, const char *a) { BIGNUM *ret = NULL; BN_ULONG l = 0; int neg = 0, i, j; int num; if ((a == NULL) || (*a == '\0')) return (0); if (*a == '-') { neg = 1; - a++; - } + a++; + } + + for (i = 0; i <= (INT_MAX/4) && isdigit((unsigned char)a[i]); i++) + continue; + + if (i > INT_MAX/4) + goto err; + + num = i + neg; + if (bn == NULL) + return (num); - for (i = 0; isdigit((unsigned char)a[i]); i++) ; - - num = i + neg; - if (bn == NULL) - return (num); - /* * a is the start of the digits, and it is 'i' long. We chop it into * BN_DEC_NUM digits at a time */ if (*bn == NULL) { if ((ret = BN_new()) == NULL) return (0); } else { ret = *bn; - BN_zero(ret); - } - - /* i is the number of digests, a bit of an over expand; */ - if (bn_expand(ret, i * 4) == NULL) - goto err; - + BN_zero(ret); + } + + /* i is the number of digits, a bit of an over expand */ + if (bn_expand(ret, i * 4) == NULL) + goto err; + j = BN_DEC_NUM - (i % BN_DEC_NUM); if (j == BN_DEC_NUM) j = 0; l = 0; while (*a) { l *= 10; l += *a - '0'; a++; if (++j == BN_DEC_NUM) { BN_mul_word(ret, BN_DEC_CONV); BN_add_word(ret, l); l = 0; j = 0; } } ret->neg = neg; bn_correct_top(ret); *bn = ret; bn_check_top(ret); return (num); err: if (*bn == NULL) BN_free(ret); return (0); } #ifndef OPENSSL_NO_BIO # ifndef OPENSSL_NO_FP_API int BN_print_fp(FILE *fp, const BIGNUM *a) { BIO *b; int ret; if ((b = BIO_new(BIO_s_file())) == NULL) return (0); BIO_set_fp(b, fp, BIO_NOCLOSE); ret = BN_print(b, a); BIO_free(b); return (ret); } # endif int BN_print(BIO *bp, const BIGNUM *a) { int i, j, v, z = 0; int ret = 0; if ((a->neg) && (BIO_write(bp, "-", 1) != 1)) goto end; if (BN_is_zero(a) && (BIO_write(bp, "0", 1) != 1)) goto end; for (i = a->top - 1; i >= 0; i--) { for (j = BN_BITS2 - 4; j >= 0; j -= 4) { /* strip leading zeros */ v = ((int)(a->d[i] >> (long)j)) & 0x0f; if (z || (v != 0)) { if (BIO_write(bp, &(Hex[v]), 1) != 1) goto end; z = 1; } } } ret = 1; end: return (ret); } #endif Index: stable/9/crypto/openssl/doc/apps/ciphers.pod =================================================================== --- stable/9/crypto/openssl/doc/apps/ciphers.pod (revision 296461) +++ stable/9/crypto/openssl/doc/apps/ciphers.pod (revision 296462) @@ -1,434 +1,434 @@ =pod =head1 NAME ciphers - SSL cipher display and cipher list tool. =head1 SYNOPSIS B B [B<-v>] [B<-ssl2>] [B<-ssl3>] [B<-tls1>] [B] =head1 DESCRIPTION The B command converts OpenSSL cipher lists into ordered SSL cipher preference lists. It can be used as a test tool to determine the appropriate cipherlist. =head1 COMMAND OPTIONS =over 4 =item B<-v> verbose option. List ciphers with a complete description of protocol version (SSLv2 or SSLv3; the latter includes TLS), key exchange, authentication, encryption and mac algorithms used along with any key size restrictions and whether the algorithm is classed as an "export" cipher. Note that without the B<-v> option, ciphers may seem to appear twice in a cipher list; this is when similar ciphers are available for SSL v2 and for SSL v3/TLS v1. =item B<-ssl3> only include SSL v3 ciphers. =item B<-ssl2> only include SSL v2 ciphers. =item B<-tls1> only include TLS v1 ciphers. =item B<-h>, B<-?> print a brief usage message. =item B a cipher list to convert to a cipher preference list. If it is not included then the default cipher list will be used. The format is described below. =back =head1 CIPHER LIST FORMAT The cipher list consists of one or more I separated by colons. Commas or spaces are also acceptable separators but colons are normally used. The actual cipher string can take several different forms. It can consist of a single cipher suite such as B. It can represent a list of cipher suites containing a certain algorithm, or cipher suites of a certain type. For example B represents all ciphers suites using the digest algorithm SHA1 and B represents all SSL v3 algorithms. Lists of cipher suites can be combined in a single cipher string using the B<+> character. This is used as a logical B operation. For example B represents all cipher suites containing the SHA1 B the DES algorithms. Each cipher string can be optionally preceded by the characters B, B<-> or B<+>. If B is used then the ciphers are permanently deleted from the list. The ciphers deleted can never reappear in the list even if they are explicitly stated. If B<-> is used then the ciphers are deleted from the list, but some or all of the ciphers can be added again by later options. If B<+> is used then the ciphers are moved to the end of the list. This option doesn't add any new ciphers it just moves matching existing ones. If none of these characters is present then the string is just interpreted as a list of ciphers to be appended to the current preference list. If the list includes any ciphers already present they will be ignored: that is they will not moved to the end of the list. Additionally the cipher string B<@STRENGTH> can be used at any point to sort the current cipher list in order of encryption algorithm key length. =head1 CIPHER STRINGS The following is a list of all permitted cipher strings and their meanings. =over 4 =item B the default cipher list. This is determined at compile time and is normally B. This must be the first cipher string specified. =item B the ciphers included in B, but not enabled by default. Currently this is B. Note that this rule does not cover B, which is not included by B (use B if necessary). =item B all ciphers suites except the B ciphers which must be explicitly enabled. =item B the cipher suites not enabled by B, currently being B. =item B "high" encryption cipher suites. This currently means those with key lengths larger than 128 bits, and some cipher suites with 128-bit keys. =item B "medium" encryption cipher suites, currently some of those using 128 bit encryption. =item B "low" encryption cipher suites, currently those using 64 or 56 bit encryption algorithms but excluding export cipher suites. =item B, B export encryption algorithms. Including 40 and 56 bits algorithms. =item B 40 bit export encryption algorithms =item B 56 bit export encryption algorithms. In OpenSSL 0.9.8c and later the set of 56 bit export ciphers is empty unless OpenSSL has been explicitly configured with support for experimental ciphers. =item B, B the "NULL" ciphers that is those offering no encryption. Because these offer no encryption at all and are a security risk they are disabled unless explicitly included. =item B the cipher suites offering no authentication. This is currently the anonymous DH algorithms. These cipher suites are vulnerable to a "man in the middle" attack and so their use is normally discouraged. =item B, B cipher suites using RSA key exchange. =item B cipher suites using ephemeral DH key agreement. =item B, B cipher suites using DH key agreement and DH certificates signed by CAs with RSA and DSS keys respectively. Not implemented. =item B cipher suites using RSA authentication, i.e. the certificates carry RSA keys. =item B, B cipher suites using DSS authentication, i.e. the certificates carry DSS keys. =item B cipher suites effectively using DH authentication, i.e. the certificates carry DH keys. Not implemented. =item B, B, B, B ciphers suites using FORTEZZA key exchange, authentication, encryption or all FORTEZZA algorithms. Not implemented. =item B, B, B TLS v1.0, SSL v3.0 or SSL v2.0 cipher suites respectively. =item B cipher suites using DH, including anonymous DH. =item B anonymous DH cipher suites. =item B cipher suites using AES. =item B cipher suites using Camellia. =item B<3DES> cipher suites using triple DES. =item B cipher suites using DES (not triple DES). =item B cipher suites using RC4. =item B cipher suites using RC2. =item B cipher suites using IDEA. =item B cipher suites using SEED. =item B cipher suites using MD5. =item B, B cipher suites using SHA1. =back =head1 CIPHER SUITE NAMES The following lists give the SSL or TLS cipher suites names from the relevant specification and their OpenSSL equivalents. It should be noted, that several cipher suite names do not include the authentication used, e.g. DES-CBC3-SHA. In these cases, RSA authentication is used. =head2 SSL v3.0 cipher suites. SSL_RSA_WITH_NULL_MD5 NULL-MD5 SSL_RSA_WITH_NULL_SHA NULL-SHA SSL_RSA_EXPORT_WITH_RC4_40_MD5 EXP-RC4-MD5 SSL_RSA_WITH_RC4_128_MD5 RC4-MD5 SSL_RSA_WITH_RC4_128_SHA RC4-SHA SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 EXP-RC2-CBC-MD5 SSL_RSA_WITH_IDEA_CBC_SHA IDEA-CBC-SHA SSL_RSA_EXPORT_WITH_DES40_CBC_SHA EXP-DES-CBC-SHA SSL_RSA_WITH_DES_CBC_SHA DES-CBC-SHA SSL_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA Not implemented. SSL_DH_DSS_WITH_DES_CBC_SHA Not implemented. SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA Not implemented. SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA Not implemented. SSL_DH_RSA_WITH_DES_CBC_SHA Not implemented. SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA Not implemented. SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA EXP-EDH-DSS-DES-CBC-SHA SSL_DHE_DSS_WITH_DES_CBC_SHA EDH-DSS-CBC-SHA SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA EDH-DSS-DES-CBC3-SHA SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA EXP-EDH-RSA-DES-CBC-SHA SSL_DHE_RSA_WITH_DES_CBC_SHA EDH-RSA-DES-CBC-SHA SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH-RSA-DES-CBC3-SHA SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 EXP-ADH-RC4-MD5 SSL_DH_anon_WITH_RC4_128_MD5 ADH-RC4-MD5 SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA EXP-ADH-DES-CBC-SHA SSL_DH_anon_WITH_DES_CBC_SHA ADH-DES-CBC-SHA SSL_DH_anon_WITH_3DES_EDE_CBC_SHA ADH-DES-CBC3-SHA SSL_FORTEZZA_KEA_WITH_NULL_SHA Not implemented. SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA Not implemented. SSL_FORTEZZA_KEA_WITH_RC4_128_SHA Not implemented. =head2 TLS v1.0 cipher suites. TLS_RSA_WITH_NULL_MD5 NULL-MD5 TLS_RSA_WITH_NULL_SHA NULL-SHA TLS_RSA_EXPORT_WITH_RC4_40_MD5 EXP-RC4-MD5 TLS_RSA_WITH_RC4_128_MD5 RC4-MD5 TLS_RSA_WITH_RC4_128_SHA RC4-SHA TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 EXP-RC2-CBC-MD5 TLS_RSA_WITH_IDEA_CBC_SHA IDEA-CBC-SHA TLS_RSA_EXPORT_WITH_DES40_CBC_SHA EXP-DES-CBC-SHA TLS_RSA_WITH_DES_CBC_SHA DES-CBC-SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA Not implemented. TLS_DH_DSS_WITH_DES_CBC_SHA Not implemented. TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA Not implemented. TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA Not implemented. TLS_DH_RSA_WITH_DES_CBC_SHA Not implemented. TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA Not implemented. TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA EXP-EDH-DSS-DES-CBC-SHA TLS_DHE_DSS_WITH_DES_CBC_SHA EDH-DSS-CBC-SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA EDH-DSS-DES-CBC3-SHA TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA EXP-EDH-RSA-DES-CBC-SHA TLS_DHE_RSA_WITH_DES_CBC_SHA EDH-RSA-DES-CBC-SHA TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH-RSA-DES-CBC3-SHA TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 EXP-ADH-RC4-MD5 TLS_DH_anon_WITH_RC4_128_MD5 ADH-RC4-MD5 TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA EXP-ADH-DES-CBC-SHA TLS_DH_anon_WITH_DES_CBC_SHA ADH-DES-CBC-SHA TLS_DH_anon_WITH_3DES_EDE_CBC_SHA ADH-DES-CBC3-SHA =head2 AES ciphersuites from RFC3268, extending TLS v1.0 TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA TLS_DH_DSS_WITH_AES_128_CBC_SHA Not implemented. TLS_DH_DSS_WITH_AES_256_CBC_SHA Not implemented. TLS_DH_RSA_WITH_AES_128_CBC_SHA Not implemented. TLS_DH_RSA_WITH_AES_256_CBC_SHA Not implemented. TLS_DHE_DSS_WITH_AES_128_CBC_SHA DHE-DSS-AES128-SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA DHE-DSS-AES256-SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA DHE-RSA-AES128-SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA DHE-RSA-AES256-SHA TLS_DH_anon_WITH_AES_128_CBC_SHA ADH-AES128-SHA TLS_DH_anon_WITH_AES_256_CBC_SHA ADH-AES256-SHA =head2 Camellia ciphersuites from RFC4132, extending TLS v1.0 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA CAMELLIA128-SHA TLS_RSA_WITH_CAMELLIA_256_CBC_SHA CAMELLIA256-SHA TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA Not implemented. TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA Not implemented. TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA Not implemented. TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA Not implemented. TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA DHE-DSS-CAMELLIA128-SHA TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA DHE-DSS-CAMELLIA256-SHA TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA DHE-RSA-CAMELLIA128-SHA TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA DHE-RSA-CAMELLIA256-SHA TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA ADH-CAMELLIA128-SHA TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA ADH-CAMELLIA256-SHA =head2 SEED ciphersuites from RFC4162, extending TLS v1.0 TLS_RSA_WITH_SEED_CBC_SHA SEED-SHA TLS_DH_DSS_WITH_SEED_CBC_SHA Not implemented. TLS_DH_RSA_WITH_SEED_CBC_SHA Not implemented. TLS_DHE_DSS_WITH_SEED_CBC_SHA DHE-DSS-SEED-SHA TLS_DHE_RSA_WITH_SEED_CBC_SHA DHE-RSA-SEED-SHA TLS_DH_anon_WITH_SEED_CBC_SHA ADH-SEED-SHA =head2 Additional Export 1024 and other cipher suites Note: these ciphers can also be used in SSL v3. TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA EXP1024-DES-CBC-SHA TLS_RSA_EXPORT1024_WITH_RC4_56_SHA EXP1024-RC4-SHA TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA EXP1024-DHE-DSS-DES-CBC-SHA TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA EXP1024-DHE-DSS-RC4-SHA TLS_DHE_DSS_WITH_RC4_128_SHA DHE-DSS-RC4-SHA -=head2 SSL v2.0 cipher suites. - - SSL_CK_RC4_128_WITH_MD5 RC4-MD5 - SSL_CK_RC4_128_EXPORT40_WITH_MD5 EXP-RC4-MD5 - SSL_CK_RC2_128_CBC_WITH_MD5 RC2-MD5 - SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 EXP-RC2-MD5 - SSL_CK_IDEA_128_CBC_WITH_MD5 IDEA-CBC-MD5 - SSL_CK_DES_64_CBC_WITH_MD5 DES-CBC-MD5 - SSL_CK_DES_192_EDE3_CBC_WITH_MD5 DES-CBC3-MD5 - -=head1 NOTES +=head2 SSL v2.0 cipher suites. + + SSL_CK_RC4_128_WITH_MD5 RC4-MD5 + SSL_CK_RC4_128_EXPORT40_WITH_MD5 Not implemented. + SSL_CK_RC2_128_CBC_WITH_MD5 RC2-CBC-MD5 + SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 Not implemented. + SSL_CK_IDEA_128_CBC_WITH_MD5 IDEA-CBC-MD5 + SSL_CK_DES_64_CBC_WITH_MD5 Not implemented. + SSL_CK_DES_192_EDE3_CBC_WITH_MD5 DES-CBC3-MD5 + +=head1 NOTES The non-ephemeral DH modes are currently unimplemented in OpenSSL because there is no support for DH certificates. Some compiled versions of OpenSSL may not include all the ciphers listed here because some ciphers were excluded at compile time. =head1 EXAMPLES Verbose listing of all OpenSSL ciphers including NULL ciphers: openssl ciphers -v 'ALL:eNULL' Include all ciphers except NULL and anonymous DH then sort by strength: openssl ciphers -v 'ALL:!ADH:@STRENGTH' Include only 3DES ciphers and then place RSA ciphers last: openssl ciphers -v '3DES:+RSA' Include all RC4 ciphers but leave out those without authentication: openssl ciphers -v 'RC4:!COMPLEMENTOFDEFAULT' Include all chiphers with RSA authentication but leave out ciphers without encryption. openssl ciphers -v 'RSA:!COMPLEMENTOFALL' =head1 SEE ALSO L, L, L =head1 HISTORY The B and B selection options were added in version 0.9.7. =cut Index: stable/9/crypto/openssl/ssl/s2_lib.c =================================================================== --- stable/9/crypto/openssl/ssl/s2_lib.c (revision 296461) +++ stable/9/crypto/openssl/ssl/s2_lib.c (revision 296462) @@ -1,488 +1,500 @@ /* ssl/s2_lib.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ #include "ssl_locl.h" #ifndef OPENSSL_NO_SSL2 # include # include # include # include const char ssl2_version_str[] = "SSLv2" OPENSSL_VERSION_PTEXT; # define SSL2_NUM_CIPHERS (sizeof(ssl2_ciphers)/sizeof(SSL_CIPHER)) /* list of available SSLv2 ciphers (sorted by id) */ OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[] = { /* NULL_WITH_MD5 v3 */ # if 0 { 1, SSL2_TXT_NULL_WITH_MD5, SSL2_CK_NULL_WITH_MD5, SSL_kRSA | SSL_aRSA | SSL_eNULL | SSL_MD5 | SSL_SSLV2, SSL_EXPORT | SSL_EXP40 | SSL_STRONG_NONE, 0, 0, 0, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, # endif /* RC4_128_WITH_MD5 */ { 1, SSL2_TXT_RC4_128_WITH_MD5, SSL2_CK_RC4_128_WITH_MD5, SSL_kRSA | SSL_aRSA | SSL_RC4 | SSL_MD5 | SSL_SSLV2, SSL_NOT_EXP | SSL_MEDIUM, 0, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, -/* RC4_128_EXPORT40_WITH_MD5 */ - { - 1, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + +# if 0 +/* RC4_128_EXPORT40_WITH_MD5 */ + { + 1, SSL2_TXT_RC4_128_EXPORT40_WITH_MD5, SSL2_CK_RC4_128_EXPORT40_WITH_MD5, SSL_kRSA | SSL_aRSA | SSL_RC4 | SSL_MD5 | SSL_SSLV2, SSL_EXPORT | SSL_EXP40, SSL2_CF_5_BYTE_ENC, 40, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, -/* RC2_128_CBC_WITH_MD5 */ - { - 1, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, +# endif + +/* RC2_128_CBC_WITH_MD5 */ + { + 1, SSL2_TXT_RC2_128_CBC_WITH_MD5, SSL2_CK_RC2_128_CBC_WITH_MD5, SSL_kRSA | SSL_aRSA | SSL_RC2 | SSL_MD5 | SSL_SSLV2, SSL_NOT_EXP | SSL_MEDIUM, 0, 128, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, -/* RC2_128_CBC_EXPORT40_WITH_MD5 */ - { - 1, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + +# if 0 +/* RC2_128_CBC_EXPORT40_WITH_MD5 */ + { + 1, SSL2_TXT_RC2_128_CBC_EXPORT40_WITH_MD5, SSL2_CK_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_kRSA | SSL_aRSA | SSL_RC2 | SSL_MD5 | SSL_SSLV2, SSL_EXPORT | SSL_EXP40, SSL2_CF_5_BYTE_ENC, 40, 128, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, -/* IDEA_128_CBC_WITH_MD5 */ -# ifndef OPENSSL_NO_IDEA - { + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, +# endif + +/* IDEA_128_CBC_WITH_MD5 */ +# ifndef OPENSSL_NO_IDEA + { 1, SSL2_TXT_IDEA_128_CBC_WITH_MD5, SSL2_CK_IDEA_128_CBC_WITH_MD5, SSL_kRSA | SSL_aRSA | SSL_IDEA | SSL_MD5 | SSL_SSLV2, SSL_NOT_EXP | SSL_MEDIUM, 0, 128, 128, SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, -# endif -/* DES_64_CBC_WITH_MD5 */ - { - 1, + SSL_ALL_STRENGTHS, + }, +# endif + +# if 0 +/* DES_64_CBC_WITH_MD5 */ + { + 1, SSL2_TXT_DES_64_CBC_WITH_MD5, SSL2_CK_DES_64_CBC_WITH_MD5, SSL_kRSA | SSL_aRSA | SSL_DES | SSL_MD5 | SSL_SSLV2, SSL_NOT_EXP | SSL_LOW, 0, 56, 56, - SSL_ALL_CIPHERS, - SSL_ALL_STRENGTHS, - }, -/* DES_192_EDE3_CBC_WITH_MD5 */ - { - 1, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, +# endif + +/* DES_192_EDE3_CBC_WITH_MD5 */ + { + 1, SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5, SSL2_CK_DES_192_EDE3_CBC_WITH_MD5, SSL_kRSA | SSL_aRSA | SSL_3DES | SSL_MD5 | SSL_SSLV2, SSL_NOT_EXP | SSL_HIGH, 0, 168, 168, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, /* RC4_64_WITH_MD5 */ # if 0 { 1, SSL2_TXT_RC4_64_WITH_MD5, SSL2_CK_RC4_64_WITH_MD5, SSL_kRSA | SSL_aRSA | SSL_RC4 | SSL_MD5 | SSL_SSLV2, SSL_NOT_EXP | SSL_LOW, SSL2_CF_8_BYTE_ENC, 64, 64, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, # endif /* NULL SSLeay (testing) */ # if 0 { 0, SSL2_TXT_NULL, SSL2_CK_NULL, 0, SSL_STRONG_NONE, 0, 0, 0, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, # endif /* end of list :-) */ }; long ssl2_default_timeout(void) { return (300); } IMPLEMENT_ssl2_meth_func(sslv2_base_method, ssl_undefined_function, ssl_undefined_function, ssl_bad_method) int ssl2_num_ciphers(void) { return (SSL2_NUM_CIPHERS); } SSL_CIPHER *ssl2_get_cipher(unsigned int u) { if (u < SSL2_NUM_CIPHERS) return (&(ssl2_ciphers[SSL2_NUM_CIPHERS - 1 - u])); else return (NULL); } int ssl2_pending(const SSL *s) { return SSL_in_init(s) ? 0 : s->s2->ract_data_length; } int ssl2_new(SSL *s) { SSL2_STATE *s2; if ((s2 = OPENSSL_malloc(sizeof *s2)) == NULL) goto err; memset(s2, 0, sizeof *s2); # if SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER + 3 > SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER + 2 # error "assertion failed" # endif if ((s2->rbuf = OPENSSL_malloc(SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER + 2)) == NULL) goto err; /* * wbuf needs one byte more because when using two-byte headers, we leave * the first byte unused in do_ssl_write (s2_pkt.c) */ if ((s2->wbuf = OPENSSL_malloc(SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER + 3)) == NULL) goto err; s->s2 = s2; ssl2_clear(s); return (1); err: if (s2 != NULL) { if (s2->wbuf != NULL) OPENSSL_free(s2->wbuf); if (s2->rbuf != NULL) OPENSSL_free(s2->rbuf); OPENSSL_free(s2); } return (0); } void ssl2_free(SSL *s) { SSL2_STATE *s2; if (s == NULL) return; s2 = s->s2; if (s2->rbuf != NULL) OPENSSL_free(s2->rbuf); if (s2->wbuf != NULL) OPENSSL_free(s2->wbuf); OPENSSL_cleanse(s2, sizeof *s2); OPENSSL_free(s2); s->s2 = NULL; } void ssl2_clear(SSL *s) { SSL2_STATE *s2; unsigned char *rbuf, *wbuf; s2 = s->s2; rbuf = s2->rbuf; wbuf = s2->wbuf; memset(s2, 0, sizeof *s2); s2->rbuf = rbuf; s2->wbuf = wbuf; s2->clear_text = 1; s->packet = s2->rbuf; s->version = SSL2_VERSION; s->packet_length = 0; } long ssl2_ctrl(SSL *s, int cmd, long larg, void *parg) { int ret = 0; switch (cmd) { case SSL_CTRL_GET_SESSION_REUSED: ret = s->hit; break; case SSL_CTRL_CHECK_PROTO_VERSION: return ssl3_ctrl(s, SSL_CTRL_CHECK_PROTO_VERSION, larg, parg); default: break; } return (ret); } long ssl2_callback_ctrl(SSL *s, int cmd, void (*fp) (void)) { return (0); } long ssl2_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) { return (0); } long ssl2_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void)) { return (0); } /* * This function needs to check if the ciphers required are actually * available */ SSL_CIPHER *ssl2_get_cipher_by_char(const unsigned char *p) { SSL_CIPHER c, *cp; unsigned long id; id = 0x02000000L | ((unsigned long)p[0] << 16L) | ((unsigned long)p[1] << 8L) | (unsigned long)p[2]; c.id = id; cp = (SSL_CIPHER *)OBJ_bsearch((char *)&c, (char *)ssl2_ciphers, SSL2_NUM_CIPHERS, sizeof(SSL_CIPHER), FP_ICC ssl_cipher_id_cmp); if ((cp == NULL) || (cp->valid == 0)) return NULL; else return cp; } int ssl2_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p) { long l; if (p != NULL) { l = c->id; if ((l & 0xff000000) != 0x02000000 && l != SSL3_CK_FALLBACK_SCSV) return (0); p[0] = ((unsigned char)(l >> 16L)) & 0xFF; p[1] = ((unsigned char)(l >> 8L)) & 0xFF; p[2] = ((unsigned char)(l)) & 0xFF; } return (3); } int ssl2_generate_key_material(SSL *s) { unsigned int i; EVP_MD_CTX ctx; unsigned char *km; unsigned char c = '0'; const EVP_MD *md5; md5 = EVP_md5(); # ifdef CHARSET_EBCDIC c = os_toascii['0']; /* Must be an ASCII '0', not EBCDIC '0', see * SSLv2 docu */ # endif EVP_MD_CTX_init(&ctx); km = s->s2->key_material; if (s->session->master_key_length < 0 || s->session->master_key_length > (int)sizeof(s->session->master_key)) { SSLerr(SSL_F_SSL2_GENERATE_KEY_MATERIAL, ERR_R_INTERNAL_ERROR); return 0; } for (i = 0; i < s->s2->key_material_length; i += EVP_MD_size(md5)) { if (((km - s->s2->key_material) + EVP_MD_size(md5)) > (int)sizeof(s->s2->key_material)) { /* * EVP_DigestFinal_ex() below would write beyond buffer */ SSLerr(SSL_F_SSL2_GENERATE_KEY_MATERIAL, ERR_R_INTERNAL_ERROR); return 0; } EVP_DigestInit_ex(&ctx, md5, NULL); OPENSSL_assert(s->session->master_key_length >= 0 && s->session->master_key_length <= (int)sizeof(s->session->master_key)); EVP_DigestUpdate(&ctx, s->session->master_key, s->session->master_key_length); EVP_DigestUpdate(&ctx, &c, 1); c++; EVP_DigestUpdate(&ctx, s->s2->challenge, s->s2->challenge_length); EVP_DigestUpdate(&ctx, s->s2->conn_id, s->s2->conn_id_length); EVP_DigestFinal_ex(&ctx, km, NULL); km += EVP_MD_size(md5); } EVP_MD_CTX_cleanup(&ctx); return 1; } void ssl2_return_error(SSL *s, int err) { if (!s->error) { s->error = 3; s->error_code = err; ssl2_write_error(s); } } void ssl2_write_error(SSL *s) { unsigned char buf[3]; int i, error; buf[0] = SSL2_MT_ERROR; buf[1] = (s->error_code >> 8) & 0xff; buf[2] = (s->error_code) & 0xff; /* state=s->rwstate;*/ error = s->error; /* number of bytes left to write */ s->error = 0; OPENSSL_assert(error >= 0 && error <= (int)sizeof(buf)); i = ssl2_write(s, &(buf[3 - error]), error); /* if (i == error) s->rwstate=state; */ if (i < 0) s->error = error; else { s->error = error - i; if (s->error == 0) if (s->msg_callback) { /* ERROR */ s->msg_callback(1, s->version, 0, buf, 3, s, s->msg_callback_arg); } } } int ssl2_shutdown(SSL *s) { s->shutdown = (SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN); return (1); } #else /* !OPENSSL_NO_SSL2 */ # if PEDANTIC static void *dummy = &dummy; # endif #endif Index: stable/9/crypto/openssl/ssl/ssl_lib.c =================================================================== --- stable/9/crypto/openssl/ssl/ssl_lib.c (revision 296461) +++ stable/9/crypto/openssl/ssl/ssl_lib.c (revision 296462) @@ -1,2772 +1,2779 @@ /* * ! \file ssl/ssl_lib.c \brief Version independent SSL functions. */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ /* ==================================================================== * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * openssl-core@openssl.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.openssl.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ /* ==================================================================== * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. * ECC cipher suite support in OpenSSL originally developed by * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. */ #ifdef REF_CHECK # include #endif #include #include "ssl_locl.h" #include "kssl_lcl.h" #include #include #include #include #include #ifndef OPENSSL_NO_DH # include #endif #ifndef OPENSSL_NO_ENGINE # include #endif const char *SSL_version_str = OPENSSL_VERSION_TEXT; SSL3_ENC_METHOD ssl3_undef_enc_method = { /* * evil casts, but these functions are only called if there's a library * bug */ (int (*)(SSL *, int))ssl_undefined_function, (int (*)(SSL *, unsigned char *, int))ssl_undefined_function, ssl_undefined_function, (int (*)(SSL *, unsigned char *, unsigned char *, int)) ssl_undefined_function, (int (*)(SSL *, int))ssl_undefined_function, (int (*) (SSL *, EVP_MD_CTX *, EVP_MD_CTX *, const char *, int, unsigned char *))ssl_undefined_function, 0, /* finish_mac_length */ (int (*)(SSL *, EVP_MD_CTX *, unsigned char *))ssl_undefined_function, NULL, /* client_finished_label */ 0, /* client_finished_label_len */ NULL, /* server_finished_label */ 0, /* server_finished_label_len */ (int (*)(int))ssl_undefined_function }; int SSL_clear(SSL *s) { if (s->method == NULL) { SSLerr(SSL_F_SSL_CLEAR, SSL_R_NO_METHOD_SPECIFIED); return (0); } if (ssl_clear_bad_session(s)) { SSL_SESSION_free(s->session); s->session = NULL; } s->error = 0; s->hit = 0; s->shutdown = 0; #if 0 /* * Disabled since version 1.10 of this file (early return not * needed because SSL_clear is not called when doing renegotiation) */ /* * This is set if we are doing dynamic renegotiation so keep * the old cipher. It is sort of a SSL_clear_lite :-) */ if (s->new_session) return (1); #else if (s->new_session) { SSLerr(SSL_F_SSL_CLEAR, ERR_R_INTERNAL_ERROR); return 0; } #endif s->type = 0; s->state = SSL_ST_BEFORE | ((s->server) ? SSL_ST_ACCEPT : SSL_ST_CONNECT); s->version = s->method->version; s->client_version = s->version; s->rwstate = SSL_NOTHING; s->rstate = SSL_ST_READ_HEADER; #if 0 s->read_ahead = s->ctx->read_ahead; #endif if (s->init_buf != NULL) { BUF_MEM_free(s->init_buf); s->init_buf = NULL; } ssl_clear_cipher_ctx(s); s->first_packet = 0; #if 1 /* * Check to see if we were changed into a different method, if so, revert * back if we are not doing session-id reuse. */ if (!s->in_handshake && (s->session == NULL) && (s->method != s->ctx->method)) { s->method->ssl_free(s); s->method = s->ctx->method; if (!s->method->ssl_new(s)) return (0); } else #endif s->method->ssl_clear(s); return (1); } /** Used to change an SSL_CTXs default SSL method type */ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, SSL_METHOD *meth) { STACK_OF(SSL_CIPHER) *sk; ctx->method = meth; sk = ssl_create_cipher_list(ctx->method, &(ctx->cipher_list), &(ctx->cipher_list_by_id), SSL_DEFAULT_CIPHER_LIST); if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) { SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); return (0); } return (1); } SSL *SSL_new(SSL_CTX *ctx) { SSL *s; if (ctx == NULL) { SSLerr(SSL_F_SSL_NEW, SSL_R_NULL_SSL_CTX); return (NULL); } if (ctx->method == NULL) { SSLerr(SSL_F_SSL_NEW, SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION); return (NULL); } s = (SSL *)OPENSSL_malloc(sizeof(SSL)); if (s == NULL) goto err; memset(s, 0, sizeof(SSL)); #ifndef OPENSSL_NO_KRB5 s->kssl_ctx = kssl_ctx_new(); #endif /* OPENSSL_NO_KRB5 */ s->options = ctx->options; s->mode = ctx->mode; s->max_cert_list = ctx->max_cert_list; if (ctx->cert != NULL) { /* * Earlier library versions used to copy the pointer to the CERT, not * its contents; only when setting new parameters for the per-SSL * copy, ssl_cert_new would be called (and the direct reference to * the per-SSL_CTX settings would be lost, but those still were * indirectly accessed for various purposes, and for that reason they * used to be known as s->ctx->default_cert). Now we don't look at the * SSL_CTX's CERT after having duplicated it once. */ s->cert = ssl_cert_dup(ctx->cert); if (s->cert == NULL) goto err; } else s->cert = NULL; /* Cannot really happen (see SSL_CTX_new) */ s->read_ahead = ctx->read_ahead; s->msg_callback = ctx->msg_callback; s->msg_callback_arg = ctx->msg_callback_arg; s->verify_mode = ctx->verify_mode; #if 0 s->verify_depth = ctx->verify_depth; #endif s->sid_ctx_length = ctx->sid_ctx_length; OPENSSL_assert(s->sid_ctx_length <= sizeof s->sid_ctx); memcpy(&s->sid_ctx, &ctx->sid_ctx, sizeof(s->sid_ctx)); s->verify_callback = ctx->default_verify_callback; s->generate_session_id = ctx->generate_session_id; s->param = X509_VERIFY_PARAM_new(); if (!s->param) goto err; X509_VERIFY_PARAM_inherit(s->param, ctx->param); #if 0 s->purpose = ctx->purpose; s->trust = ctx->trust; #endif s->quiet_shutdown = ctx->quiet_shutdown; CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX); s->ctx = ctx; #ifndef OPENSSL_NO_TLSEXT s->tlsext_debug_cb = 0; s->tlsext_debug_arg = NULL; s->tlsext_ticket_expected = 0; s->tlsext_status_type = -1; s->tlsext_status_expected = 0; s->tlsext_ocsp_ids = NULL; s->tlsext_ocsp_exts = NULL; s->tlsext_ocsp_resp = NULL; s->tlsext_ocsp_resplen = -1; CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX); s->initial_ctx = ctx; #endif s->verify_result = X509_V_OK; s->method = ctx->method; if (!s->method->ssl_new(s)) goto err; s->references = 1; s->server = (ctx->method->ssl_accept == ssl_undefined_function) ? 0 : 1; SSL_clear(s); CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data); return (s); err: if (s != NULL) { if (s->cert != NULL) ssl_cert_free(s->cert); if (s->ctx != NULL) SSL_CTX_free(s->ctx); /* decrement reference count */ OPENSSL_free(s); } SSLerr(SSL_F_SSL_NEW, ERR_R_MALLOC_FAILURE); return (NULL); } int SSL_CTX_set_session_id_context(SSL_CTX *ctx, const unsigned char *sid_ctx, unsigned int sid_ctx_len) { if (sid_ctx_len > sizeof ctx->sid_ctx) { SSLerr(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT, SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG); return 0; } ctx->sid_ctx_length = sid_ctx_len; memcpy(ctx->sid_ctx, sid_ctx, sid_ctx_len); return 1; } int SSL_set_session_id_context(SSL *ssl, const unsigned char *sid_ctx, unsigned int sid_ctx_len) { if (sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) { SSLerr(SSL_F_SSL_SET_SESSION_ID_CONTEXT, SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG); return 0; } ssl->sid_ctx_length = sid_ctx_len; memcpy(ssl->sid_ctx, sid_ctx, sid_ctx_len); return 1; } int SSL_CTX_set_generate_session_id(SSL_CTX *ctx, GEN_SESSION_CB cb) { CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); ctx->generate_session_id = cb; CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); return 1; } int SSL_set_generate_session_id(SSL *ssl, GEN_SESSION_CB cb) { CRYPTO_w_lock(CRYPTO_LOCK_SSL); ssl->generate_session_id = cb; CRYPTO_w_unlock(CRYPTO_LOCK_SSL); return 1; } int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id, unsigned int id_len) { /* * A quick examination of SSL_SESSION_hash and SSL_SESSION_cmp shows how * we can "construct" a session to give us the desired check - ie. to * find if there's a session in the hash table that would conflict with * any new session built out of this id/id_len and the ssl_version in use * by this SSL. */ SSL_SESSION r, *p; if (id_len > sizeof r.session_id) return 0; r.ssl_version = ssl->version; r.session_id_length = id_len; memcpy(r.session_id, id, id_len); /* * NB: SSLv2 always uses a fixed 16-byte session ID, so even if a * callback is calling us to check the uniqueness of a shorter ID, it * must be compared as a padded-out ID because that is what it will be * converted to when the callback has finished choosing it. */ if ((r.ssl_version == SSL2_VERSION) && (id_len < SSL2_SSL_SESSION_ID_LENGTH)) { memset(r.session_id + id_len, 0, SSL2_SSL_SESSION_ID_LENGTH - id_len); r.session_id_length = SSL2_SSL_SESSION_ID_LENGTH; } CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX); p = (SSL_SESSION *)lh_retrieve(ssl->ctx->sessions, &r); CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); return (p != NULL); } int SSL_CTX_set_purpose(SSL_CTX *s, int purpose) { return X509_VERIFY_PARAM_set_purpose(s->param, purpose); } int SSL_set_purpose(SSL *s, int purpose) { return X509_VERIFY_PARAM_set_purpose(s->param, purpose); } int SSL_CTX_set_trust(SSL_CTX *s, int trust) { return X509_VERIFY_PARAM_set_trust(s->param, trust); } int SSL_set_trust(SSL *s, int trust) { return X509_VERIFY_PARAM_set_trust(s->param, trust); } void SSL_free(SSL *s) { int i; if (s == NULL) return; i = CRYPTO_add(&s->references, -1, CRYPTO_LOCK_SSL); #ifdef REF_PRINT REF_PRINT("SSL", s); #endif if (i > 0) return; #ifdef REF_CHECK if (i < 0) { fprintf(stderr, "SSL_free, bad reference count\n"); abort(); /* ok */ } #endif if (s->param) X509_VERIFY_PARAM_free(s->param); CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data); if (s->bbio != NULL) { /* If the buffering BIO is in place, pop it off */ if (s->bbio == s->wbio) { s->wbio = BIO_pop(s->wbio); } BIO_free(s->bbio); s->bbio = NULL; } if (s->rbio != NULL) BIO_free_all(s->rbio); if ((s->wbio != NULL) && (s->wbio != s->rbio)) BIO_free_all(s->wbio); if (s->init_buf != NULL) BUF_MEM_free(s->init_buf); /* add extra stuff */ if (s->cipher_list != NULL) sk_SSL_CIPHER_free(s->cipher_list); if (s->cipher_list_by_id != NULL) sk_SSL_CIPHER_free(s->cipher_list_by_id); /* Make the next call work :-) */ if (s->session != NULL) { ssl_clear_bad_session(s); SSL_SESSION_free(s->session); } ssl_clear_cipher_ctx(s); if (s->cert != NULL) ssl_cert_free(s->cert); /* Free up if allocated */ #ifndef OPENSSL_NO_TLSEXT if (s->tlsext_hostname) OPENSSL_free(s->tlsext_hostname); if (s->initial_ctx) SSL_CTX_free(s->initial_ctx); if (s->tlsext_ocsp_exts) sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, X509_EXTENSION_free); if (s->tlsext_ocsp_ids) sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free); if (s->tlsext_ocsp_resp) OPENSSL_free(s->tlsext_ocsp_resp); #endif if (s->client_CA != NULL) sk_X509_NAME_pop_free(s->client_CA, X509_NAME_free); if (s->method != NULL) s->method->ssl_free(s); if (s->ctx) SSL_CTX_free(s->ctx); #ifndef OPENSSL_NO_KRB5 if (s->kssl_ctx != NULL) kssl_ctx_free(s->kssl_ctx); #endif /* OPENSSL_NO_KRB5 */ OPENSSL_free(s); } void SSL_set_bio(SSL *s, BIO *rbio, BIO *wbio) { /* * If the output buffering BIO is still in place, remove it */ if (s->bbio != NULL) { if (s->wbio == s->bbio) { s->wbio = s->wbio->next_bio; s->bbio->next_bio = NULL; } } if ((s->rbio != NULL) && (s->rbio != rbio)) BIO_free_all(s->rbio); if ((s->wbio != NULL) && (s->wbio != wbio) && (s->rbio != s->wbio)) BIO_free_all(s->wbio); s->rbio = rbio; s->wbio = wbio; } BIO *SSL_get_rbio(const SSL *s) { return (s->rbio); } BIO *SSL_get_wbio(const SSL *s) { return (s->wbio); } int SSL_get_fd(const SSL *s) { return (SSL_get_rfd(s)); } int SSL_get_rfd(const SSL *s) { int ret = -1; BIO *b, *r; b = SSL_get_rbio(s); r = BIO_find_type(b, BIO_TYPE_DESCRIPTOR); if (r != NULL) BIO_get_fd(r, &ret); return (ret); } int SSL_get_wfd(const SSL *s) { int ret = -1; BIO *b, *r; b = SSL_get_wbio(s); r = BIO_find_type(b, BIO_TYPE_DESCRIPTOR); if (r != NULL) BIO_get_fd(r, &ret); return (ret); } #ifndef OPENSSL_NO_SOCK int SSL_set_fd(SSL *s, int fd) { int ret = 0; BIO *bio = NULL; bio = BIO_new(BIO_s_socket()); if (bio == NULL) { SSLerr(SSL_F_SSL_SET_FD, ERR_R_BUF_LIB); goto err; } BIO_set_fd(bio, fd, BIO_NOCLOSE); SSL_set_bio(s, bio, bio); ret = 1; err: return (ret); } int SSL_set_wfd(SSL *s, int fd) { int ret = 0; BIO *bio = NULL; if ((s->rbio == NULL) || (BIO_method_type(s->rbio) != BIO_TYPE_SOCKET) || ((int)BIO_get_fd(s->rbio, NULL) != fd)) { bio = BIO_new(BIO_s_socket()); if (bio == NULL) { SSLerr(SSL_F_SSL_SET_WFD, ERR_R_BUF_LIB); goto err; } BIO_set_fd(bio, fd, BIO_NOCLOSE); SSL_set_bio(s, SSL_get_rbio(s), bio); } else SSL_set_bio(s, SSL_get_rbio(s), SSL_get_rbio(s)); ret = 1; err: return (ret); } int SSL_set_rfd(SSL *s, int fd) { int ret = 0; BIO *bio = NULL; if ((s->wbio == NULL) || (BIO_method_type(s->wbio) != BIO_TYPE_SOCKET) || ((int)BIO_get_fd(s->wbio, NULL) != fd)) { bio = BIO_new(BIO_s_socket()); if (bio == NULL) { SSLerr(SSL_F_SSL_SET_RFD, ERR_R_BUF_LIB); goto err; } BIO_set_fd(bio, fd, BIO_NOCLOSE); SSL_set_bio(s, bio, SSL_get_wbio(s)); } else SSL_set_bio(s, SSL_get_wbio(s), SSL_get_wbio(s)); ret = 1; err: return (ret); } #endif /* return length of latest Finished message we sent, copy to 'buf' */ size_t SSL_get_finished(const SSL *s, void *buf, size_t count) { size_t ret = 0; if (s->s3 != NULL) { ret = s->s3->tmp.finish_md_len; if (count > ret) count = ret; memcpy(buf, s->s3->tmp.finish_md, count); } return ret; } /* return length of latest Finished message we expected, copy to 'buf' */ size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count) { size_t ret = 0; if (s->s3 != NULL) { ret = s->s3->tmp.peer_finish_md_len; if (count > ret) count = ret; memcpy(buf, s->s3->tmp.peer_finish_md, count); } return ret; } int SSL_get_verify_mode(const SSL *s) { return (s->verify_mode); } int SSL_get_verify_depth(const SSL *s) { return X509_VERIFY_PARAM_get_depth(s->param); } int (*SSL_get_verify_callback(const SSL *s)) (int, X509_STORE_CTX *) { return (s->verify_callback); } int SSL_CTX_get_verify_mode(const SSL_CTX *ctx) { return (ctx->verify_mode); } int SSL_CTX_get_verify_depth(const SSL_CTX *ctx) { return X509_VERIFY_PARAM_get_depth(ctx->param); } int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx)) (int, X509_STORE_CTX *) { return (ctx->default_verify_callback); } void SSL_set_verify(SSL *s, int mode, int (*callback) (int ok, X509_STORE_CTX *ctx)) { s->verify_mode = mode; if (callback != NULL) s->verify_callback = callback; } void SSL_set_verify_depth(SSL *s, int depth) { X509_VERIFY_PARAM_set_depth(s->param, depth); } void SSL_set_read_ahead(SSL *s, int yes) { s->read_ahead = yes; } int SSL_get_read_ahead(const SSL *s) { return (s->read_ahead); } int SSL_pending(const SSL *s) { /* * SSL_pending cannot work properly if read-ahead is enabled * (SSL_[CTX_]ctrl(..., SSL_CTRL_SET_READ_AHEAD, 1, NULL)), and it is * impossible to fix since SSL_pending cannot report errors that may be * observed while scanning the new data. (Note that SSL_pending() is * often used as a boolean value, so we'd better not return -1.) */ return (s->method->ssl_pending(s)); } X509 *SSL_get_peer_certificate(const SSL *s) { X509 *r; if ((s == NULL) || (s->session == NULL)) r = NULL; else r = s->session->peer; if (r == NULL) return (r); CRYPTO_add(&r->references, 1, CRYPTO_LOCK_X509); return (r); } STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s) { STACK_OF(X509) *r; if ((s == NULL) || (s->session == NULL) || (s->session->sess_cert == NULL)) r = NULL; else r = s->session->sess_cert->cert_chain; /* * If we are a client, cert_chain includes the peer's own certificate; if * we are a server, it does not. */ return (r); } /* * Now in theory, since the calling process own 't' it should be safe to * modify. We need to be able to read f without being hassled */ void SSL_copy_session_id(SSL *t, const SSL *f) { CERT *tmp; /* Do we need to to SSL locking? */ SSL_set_session(t, SSL_get_session(f)); /* * what if we are setup as SSLv2 but want to talk SSLv3 or vice-versa */ if (t->method != f->method) { t->method->ssl_free(t); /* cleanup current */ t->method = f->method; /* change method */ t->method->ssl_new(t); /* setup new */ } tmp = t->cert; if (f->cert != NULL) { CRYPTO_add(&f->cert->references, 1, CRYPTO_LOCK_SSL_CERT); t->cert = f->cert; } else t->cert = NULL; if (tmp != NULL) ssl_cert_free(tmp); SSL_set_session_id_context(t, f->sid_ctx, f->sid_ctx_length); } /* Fix this so it checks all the valid key/cert options */ int SSL_CTX_check_private_key(const SSL_CTX *ctx) { if ((ctx == NULL) || (ctx->cert == NULL) || (ctx->cert->key->x509 == NULL)) { SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY, SSL_R_NO_CERTIFICATE_ASSIGNED); return (0); } if (ctx->cert->key->privatekey == NULL) { SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY, SSL_R_NO_PRIVATE_KEY_ASSIGNED); return (0); } return (X509_check_private_key (ctx->cert->key->x509, ctx->cert->key->privatekey)); } /* Fix this function so that it takes an optional type parameter */ int SSL_check_private_key(const SSL *ssl) { if (ssl == NULL) { SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY, ERR_R_PASSED_NULL_PARAMETER); return (0); } if (ssl->cert == NULL) { SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY, SSL_R_NO_CERTIFICATE_ASSIGNED); return 0; } if (ssl->cert->key->x509 == NULL) { SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY, SSL_R_NO_CERTIFICATE_ASSIGNED); return (0); } if (ssl->cert->key->privatekey == NULL) { SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY, SSL_R_NO_PRIVATE_KEY_ASSIGNED); return (0); } return (X509_check_private_key(ssl->cert->key->x509, ssl->cert->key->privatekey)); } int SSL_accept(SSL *s) { if (s->handshake_func == 0) /* Not properly initialized yet */ SSL_set_accept_state(s); return (s->method->ssl_accept(s)); } int SSL_connect(SSL *s) { if (s->handshake_func == 0) /* Not properly initialized yet */ SSL_set_connect_state(s); return (s->method->ssl_connect(s)); } long SSL_get_default_timeout(const SSL *s) { return (s->method->get_timeout()); } int SSL_read(SSL *s, void *buf, int num) { if (s->handshake_func == 0) { SSLerr(SSL_F_SSL_READ, SSL_R_UNINITIALIZED); return -1; } if (s->shutdown & SSL_RECEIVED_SHUTDOWN) { s->rwstate = SSL_NOTHING; return (0); } return (s->method->ssl_read(s, buf, num)); } int SSL_peek(SSL *s, void *buf, int num) { if (s->handshake_func == 0) { SSLerr(SSL_F_SSL_PEEK, SSL_R_UNINITIALIZED); return -1; } if (s->shutdown & SSL_RECEIVED_SHUTDOWN) { return (0); } return (s->method->ssl_peek(s, buf, num)); } int SSL_write(SSL *s, const void *buf, int num) { if (s->handshake_func == 0) { SSLerr(SSL_F_SSL_WRITE, SSL_R_UNINITIALIZED); return -1; } if (s->shutdown & SSL_SENT_SHUTDOWN) { s->rwstate = SSL_NOTHING; SSLerr(SSL_F_SSL_WRITE, SSL_R_PROTOCOL_IS_SHUTDOWN); return (-1); } return (s->method->ssl_write(s, buf, num)); } int SSL_shutdown(SSL *s) { /* * Note that this function behaves differently from what one might * expect. Return values are 0 for no success (yet), 1 for success; but * calling it once is usually not enough, even if blocking I/O is used * (see ssl3_shutdown). */ if (s->handshake_func == 0) { SSLerr(SSL_F_SSL_SHUTDOWN, SSL_R_UNINITIALIZED); return -1; } if ((s != NULL) && !SSL_in_init(s)) return (s->method->ssl_shutdown(s)); else return (1); } int SSL_renegotiate(SSL *s) { if (s->new_session == 0) { s->new_session = 1; } return (s->method->ssl_renegotiate(s)); } int SSL_renegotiate_pending(SSL *s) { /* * becomes true when negotiation is requested; false again once a * handshake has finished */ return (s->new_session != 0); } long SSL_ctrl(SSL *s, int cmd, long larg, void *parg) { long l; switch (cmd) { case SSL_CTRL_GET_READ_AHEAD: return (s->read_ahead); case SSL_CTRL_SET_READ_AHEAD: l = s->read_ahead; s->read_ahead = larg; return (l); case SSL_CTRL_SET_MSG_CALLBACK_ARG: s->msg_callback_arg = parg; return 1; case SSL_CTRL_OPTIONS: return (s->options |= larg); case SSL_CTRL_CLEAR_OPTIONS: return (s->options &= ~larg); case SSL_CTRL_MODE: return (s->mode |= larg); case SSL_CTRL_CLEAR_MODE: return (s->mode &= ~larg); case SSL_CTRL_GET_MAX_CERT_LIST: return (s->max_cert_list); case SSL_CTRL_SET_MAX_CERT_LIST: l = s->max_cert_list; s->max_cert_list = larg; return (l); case SSL_CTRL_SET_MTU: #ifndef OPENSSL_NO_DTLS1 if (larg < (long)dtls1_min_mtu()) return 0; #endif if (SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER) { s->d1->mtu = larg; return larg; } return 0; case SSL_CTRL_GET_RI_SUPPORT: if (s->s3) return s->s3->send_connection_binding; else return 0; default: return (s->method->ssl_ctrl(s, cmd, larg, parg)); } } long SSL_callback_ctrl(SSL *s, int cmd, void (*fp) (void)) { switch (cmd) { case SSL_CTRL_SET_MSG_CALLBACK: s->msg_callback = (void (*) (int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))(fp); return 1; default: return (s->method->ssl_callback_ctrl(s, cmd, fp)); } } struct lhash_st *SSL_CTX_sessions(SSL_CTX *ctx) { return ctx->sessions; } long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) { long l; switch (cmd) { case SSL_CTRL_GET_READ_AHEAD: return (ctx->read_ahead); case SSL_CTRL_SET_READ_AHEAD: l = ctx->read_ahead; ctx->read_ahead = larg; return (l); case SSL_CTRL_SET_MSG_CALLBACK_ARG: ctx->msg_callback_arg = parg; return 1; case SSL_CTRL_GET_MAX_CERT_LIST: return (ctx->max_cert_list); case SSL_CTRL_SET_MAX_CERT_LIST: l = ctx->max_cert_list; ctx->max_cert_list = larg; return (l); case SSL_CTRL_SET_SESS_CACHE_SIZE: l = ctx->session_cache_size; ctx->session_cache_size = larg; return (l); case SSL_CTRL_GET_SESS_CACHE_SIZE: return (ctx->session_cache_size); case SSL_CTRL_SET_SESS_CACHE_MODE: l = ctx->session_cache_mode; ctx->session_cache_mode = larg; return (l); case SSL_CTRL_GET_SESS_CACHE_MODE: return (ctx->session_cache_mode); case SSL_CTRL_SESS_NUMBER: return (ctx->sessions->num_items); case SSL_CTRL_SESS_CONNECT: return (ctx->stats.sess_connect); case SSL_CTRL_SESS_CONNECT_GOOD: return (ctx->stats.sess_connect_good); case SSL_CTRL_SESS_CONNECT_RENEGOTIATE: return (ctx->stats.sess_connect_renegotiate); case SSL_CTRL_SESS_ACCEPT: return (ctx->stats.sess_accept); case SSL_CTRL_SESS_ACCEPT_GOOD: return (ctx->stats.sess_accept_good); case SSL_CTRL_SESS_ACCEPT_RENEGOTIATE: return (ctx->stats.sess_accept_renegotiate); case SSL_CTRL_SESS_HIT: return (ctx->stats.sess_hit); case SSL_CTRL_SESS_CB_HIT: return (ctx->stats.sess_cb_hit); case SSL_CTRL_SESS_MISSES: return (ctx->stats.sess_miss); case SSL_CTRL_SESS_TIMEOUTS: return (ctx->stats.sess_timeout); case SSL_CTRL_SESS_CACHE_FULL: return (ctx->stats.sess_cache_full); case SSL_CTRL_OPTIONS: return (ctx->options |= larg); case SSL_CTRL_CLEAR_OPTIONS: return (ctx->options &= ~larg); case SSL_CTRL_MODE: return (ctx->mode |= larg); case SSL_CTRL_CLEAR_MODE: return (ctx->mode &= ~larg); default: return (ctx->method->ssl_ctx_ctrl(ctx, cmd, larg, parg)); } } long SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void)) { switch (cmd) { case SSL_CTRL_SET_MSG_CALLBACK: ctx->msg_callback = (void (*) (int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))(fp); return 1; default: return (ctx->method->ssl_ctx_callback_ctrl(ctx, cmd, fp)); } } int ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b) { long l; l = a->id - b->id; if (l == 0L) return (0); else return ((l > 0) ? 1 : -1); } int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap, const SSL_CIPHER *const *bp) { long l; l = (*ap)->id - (*bp)->id; if (l == 0L) return (0); else return ((l > 0) ? 1 : -1); } /** return a STACK of the ciphers available for the SSL and in order of * preference */ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s) { if (s != NULL) { if (s->cipher_list != NULL) { return (s->cipher_list); } else if ((s->ctx != NULL) && (s->ctx->cipher_list != NULL)) { return (s->ctx->cipher_list); } } return (NULL); } /** return a STACK of the ciphers available for the SSL and in order of * algorithm id */ STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s) { if (s != NULL) { if (s->cipher_list_by_id != NULL) { return (s->cipher_list_by_id); } else if ((s->ctx != NULL) && (s->ctx->cipher_list_by_id != NULL)) { return (s->ctx->cipher_list_by_id); } } return (NULL); } /** The old interface to get the same thing as SSL_get_ciphers() */ const char *SSL_get_cipher_list(const SSL *s, int n) { SSL_CIPHER *c; STACK_OF(SSL_CIPHER) *sk; if (s == NULL) return (NULL); sk = SSL_get_ciphers(s); if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= n)) return (NULL); c = sk_SSL_CIPHER_value(sk, n); if (c == NULL) return (NULL); return (c->name); } /** specify the ciphers to be used by default by the SSL_CTX */ int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) { STACK_OF(SSL_CIPHER) *sk; sk = ssl_create_cipher_list(ctx->method, &ctx->cipher_list, &ctx->cipher_list_by_id, str); /* * ssl_create_cipher_list may return an empty stack if it was unable to * find a cipher matching the given rule string (for example if the rule * string specifies a cipher which has been disabled). This is not an * error as far as ssl_create_cipher_list is concerned, and hence * ctx->cipher_list and ctx->cipher_list_by_id has been updated. */ if (sk == NULL) return 0; else if (sk_SSL_CIPHER_num(sk) == 0) { SSLerr(SSL_F_SSL_CTX_SET_CIPHER_LIST, SSL_R_NO_CIPHER_MATCH); return 0; } return 1; } /** specify the ciphers to be used by the SSL */ int SSL_set_cipher_list(SSL *s, const char *str) { STACK_OF(SSL_CIPHER) *sk; sk = ssl_create_cipher_list(s->ctx->method, &s->cipher_list, &s->cipher_list_by_id, str); /* see comment in SSL_CTX_set_cipher_list */ if (sk == NULL) return 0; else if (sk_SSL_CIPHER_num(sk) == 0) { SSLerr(SSL_F_SSL_SET_CIPHER_LIST, SSL_R_NO_CIPHER_MATCH); return 0; } return 1; } /* works well for SSLv2, not so good for SSLv3 */ char *SSL_get_shared_ciphers(const SSL *s, char *buf, int len) { char *p; STACK_OF(SSL_CIPHER) *sk; SSL_CIPHER *c; int i; if ((s->session == NULL) || (s->session->ciphers == NULL) || (len < 2)) return (NULL); p = buf; sk = s->session->ciphers; if (sk_SSL_CIPHER_num(sk) == 0) return NULL; for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) { int n; c = sk_SSL_CIPHER_value(sk, i); n = strlen(c->name); if (n + 1 > len) { if (p != buf) --p; *p = '\0'; return buf; } strcpy(p, c->name); p += n; *(p++) = ':'; len -= n + 1; } p[-1] = '\0'; return (buf); } int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, unsigned char *p, int (*put_cb) (const SSL_CIPHER *, unsigned char *)) { int i, j = 0; SSL_CIPHER *c; unsigned char *q; #ifndef OPENSSL_NO_KRB5 int nokrb5 = !kssl_tgt_is_available(s->kssl_ctx); #endif /* OPENSSL_NO_KRB5 */ if (sk == NULL) return (0); q = p; if (put_cb == NULL) put_cb = s->method->put_cipher_by_char; for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) { c = sk_SSL_CIPHER_value(sk, i); #ifndef OPENSSL_NO_KRB5 if ((c->algorithms & SSL_KRB5) && nokrb5) continue; #endif /* OPENSSL_NO_KRB5 */ j = put_cb(c, p); p += j; } /* * If p == q, no ciphers; caller indicates an error. Otherwise, add * applicable SCSVs. */ if (p != q) { if (!s->new_session) { static SSL_CIPHER scsv = { 0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, }; j = put_cb(&scsv, p); p += j; #ifdef OPENSSL_RI_DEBUG fprintf(stderr, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV sent by client\n"); #endif } if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV) { static SSL_CIPHER scsv = { 0, NULL, SSL3_CK_FALLBACK_SCSV, 0, 0, 0, 0, 0, 0, 0, }; j = put_cb(&scsv, p); p += j; } } return (p - q); } STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, unsigned char *p, int num, STACK_OF(SSL_CIPHER) **skp) { SSL_CIPHER *c; STACK_OF(SSL_CIPHER) *sk; int i, n; if (s->s3) s->s3->send_connection_binding = 0; n = ssl_put_cipher_by_char(s, NULL, NULL); if (n == 0 || (num % n) != 0) { SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST); return (NULL); } if ((skp == NULL) || (*skp == NULL)) sk = sk_SSL_CIPHER_new_null(); /* change perhaps later */ else { sk = *skp; sk_SSL_CIPHER_zero(sk); } for (i = 0; i < num; i += n) { /* Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV */ if (s->s3 && (n != 3 || !p[0]) && (p[n - 2] == ((SSL3_CK_SCSV >> 8) & 0xff)) && (p[n - 1] == (SSL3_CK_SCSV & 0xff))) { /* SCSV fatal if renegotiating */ if (s->new_session) { SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING); ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); goto err; } s->s3->send_connection_binding = 1; p += n; #ifdef OPENSSL_RI_DEBUG fprintf(stderr, "SCSV received by server\n"); #endif continue; } /* Check for TLS_FALLBACK_SCSV */ if ((n != 3 || !p[0]) && (p[n - 2] == ((SSL3_CK_FALLBACK_SCSV >> 8) & 0xff)) && (p[n - 1] == (SSL3_CK_FALLBACK_SCSV & 0xff))) { /* * The SCSV indicates that the client previously tried a higher * version. Fail if the current version is an unexpected * downgrade. */ if (!SSL_ctrl(s, SSL_CTRL_CHECK_PROTO_VERSION, 0, NULL)) { SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, SSL_R_INAPPROPRIATE_FALLBACK); if (s->s3) ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INAPPROPRIATE_FALLBACK); goto err; } p += n; continue; } c = ssl_get_cipher_by_char(s, p); p += n; if (c != NULL) { if (!sk_SSL_CIPHER_push(sk, c)) { SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE); goto err; } } } if (skp != NULL) *skp = sk; return (sk); err: if ((skp == NULL) || (*skp == NULL)) sk_SSL_CIPHER_free(sk); return (NULL); } #ifndef OPENSSL_NO_TLSEXT /** return a servername extension value if provided in Client Hello, or NULL. * So far, only host_name types are defined (RFC 3546). */ const char *SSL_get_servername(const SSL *s, const int type) { if (type != TLSEXT_NAMETYPE_host_name) return NULL; return s->session && !s->tlsext_hostname ? s->session->tlsext_hostname : s->tlsext_hostname; } int SSL_get_servername_type(const SSL *s) { if (s->session && (!s->tlsext_hostname ? s->session-> tlsext_hostname : s->tlsext_hostname)) return TLSEXT_NAMETYPE_host_name; return -1; } #endif unsigned long SSL_SESSION_hash(const SSL_SESSION *a) { unsigned long l; l = (unsigned long) ((unsigned int)a->session_id[0]) | ((unsigned int)a->session_id[1] << 8L) | ((unsigned long)a->session_id[2] << 16L) | ((unsigned long)a->session_id[3] << 24L); return (l); } /* * NB: If this function (or indeed the hash function which uses a sort of * coarser function than this one) is changed, ensure * SSL_CTX_has_matching_session_id() is checked accordingly. It relies on * being able to construct an SSL_SESSION that will collide with any existing * session with a matching session ID. */ int SSL_SESSION_cmp(const SSL_SESSION *a, const SSL_SESSION *b) { if (a->ssl_version != b->ssl_version) return (1); if (a->session_id_length != b->session_id_length) return (1); return (memcmp(a->session_id, b->session_id, a->session_id_length)); } /* * These wrapper functions should remain rather than redeclaring * SSL_SESSION_hash and SSL_SESSION_cmp for void* types and casting each * variable. The reason is that the functions aren't static, they're exposed * via ssl.h. */ static IMPLEMENT_LHASH_HASH_FN(SSL_SESSION_hash, SSL_SESSION *) static IMPLEMENT_LHASH_COMP_FN(SSL_SESSION_cmp, SSL_SESSION *) SSL_CTX *SSL_CTX_new(SSL_METHOD *meth) { SSL_CTX *ret = NULL; if (meth == NULL) { SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_NULL_SSL_METHOD_PASSED); return (NULL); } #ifdef OPENSSL_FIPS if (FIPS_mode() && (meth->version < TLS1_VERSION)) { SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE); return NULL; } #endif if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) { SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_X509_VERIFICATION_SETUP_PROBLEMS); goto err; } ret = (SSL_CTX *)OPENSSL_malloc(sizeof(SSL_CTX)); if (ret == NULL) goto err; memset(ret, 0, sizeof(SSL_CTX)); ret->method = meth; ret->cert_store = NULL; ret->session_cache_mode = SSL_SESS_CACHE_SERVER; ret->session_cache_size = SSL_SESSION_CACHE_MAX_SIZE_DEFAULT; ret->session_cache_head = NULL; ret->session_cache_tail = NULL; /* We take the system default */ ret->session_timeout = meth->get_timeout(); ret->new_session_cb = 0; ret->remove_session_cb = 0; ret->get_session_cb = 0; ret->generate_session_id = 0; memset((char *)&ret->stats, 0, sizeof(ret->stats)); ret->references = 1; ret->quiet_shutdown = 0; /* ret->cipher=NULL;*/ /*- ret->s2->challenge=NULL; ret->master_key=NULL; ret->key_arg=NULL; ret->s2->conn_id=NULL; */ ret->info_callback = NULL; ret->app_verify_callback = 0; ret->app_verify_arg = NULL; ret->max_cert_list = SSL_MAX_CERT_LIST_DEFAULT; ret->read_ahead = 0; ret->msg_callback = 0; ret->msg_callback_arg = NULL; ret->verify_mode = SSL_VERIFY_NONE; #if 0 ret->verify_depth = -1; /* Don't impose a limit (but x509_lu.c does) */ #endif ret->sid_ctx_length = 0; ret->default_verify_callback = NULL; if ((ret->cert = ssl_cert_new()) == NULL) goto err; ret->default_passwd_callback = 0; ret->default_passwd_callback_userdata = NULL; ret->client_cert_cb = 0; ret->app_gen_cookie_cb = 0; ret->app_verify_cookie_cb = 0; ret->sessions = lh_new(LHASH_HASH_FN(SSL_SESSION_hash), LHASH_COMP_FN(SSL_SESSION_cmp)); if (ret->sessions == NULL) goto err; ret->cert_store = X509_STORE_new(); if (ret->cert_store == NULL) goto err; ssl_create_cipher_list(ret->method, &ret->cipher_list, &ret->cipher_list_by_id, meth->version == SSL2_VERSION ? "SSLv2" : SSL_DEFAULT_CIPHER_LIST); if (ret->cipher_list == NULL || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) { SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS); goto err2; } ret->param = X509_VERIFY_PARAM_new(); if (!ret->param) goto err; if ((ret->rsa_md5 = EVP_get_digestbyname("ssl2-md5")) == NULL) { SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES); goto err2; } if ((ret->md5 = EVP_get_digestbyname("ssl3-md5")) == NULL) { SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES); goto err2; } if ((ret->sha1 = EVP_get_digestbyname("ssl3-sha1")) == NULL) { SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES); goto err2; } if ((ret->client_CA = sk_X509_NAME_new_null()) == NULL) goto err; CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data); ret->extra_certs = NULL; /* No compression for DTLS */ if (meth->version != DTLS1_VERSION) ret->comp_methods = SSL_COMP_get_compression_methods(); #ifndef OPENSSL_NO_TLSEXT ret->tlsext_servername_callback = 0; ret->tlsext_servername_arg = NULL; /* Setup RFC4507 ticket keys */ if ((RAND_pseudo_bytes(ret->tlsext_tick_key_name, 16) <= 0) || (RAND_bytes(ret->tlsext_tick_hmac_key, 16) <= 0) || (RAND_bytes(ret->tlsext_tick_aes_key, 16) <= 0)) ret->options |= SSL_OP_NO_TICKET; ret->tlsext_status_cb = 0; ret->tlsext_status_arg = NULL; #endif #ifndef OPENSSL_NO_ENGINE ret->client_cert_engine = NULL; # ifdef OPENSSL_SSL_CLIENT_ENGINE_AUTO # define eng_strx(x) #x # define eng_str(x) eng_strx(x) /* Use specific client engine automatically... ignore errors */ { ENGINE *eng; eng = ENGINE_by_id(eng_str(OPENSSL_SSL_CLIENT_ENGINE_AUTO)); if (!eng) { ERR_clear_error(); ENGINE_load_builtin_engines(); eng = ENGINE_by_id(eng_str(OPENSSL_SSL_CLIENT_ENGINE_AUTO)); } if (!eng || !SSL_CTX_set_client_cert_engine(ret, eng)) ERR_clear_error(); } # endif #endif /* * Default is to connect to non-RI servers. When RI is more widely * deployed might change this. - */ - ret->options |= SSL_OP_LEGACY_SERVER_CONNECT; - - return (ret); - err: - SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE); + */ + ret->options |= SSL_OP_LEGACY_SERVER_CONNECT; + + /* + * Disable SSLv2 by default, callers that want to enable SSLv2 will have to + * explicitly clear this option via either of SSL_CTX_clear_options() or + * SSL_clear_options(). + */ + ret->options |= SSL_OP_NO_SSLv2; + + return (ret); + err: + SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE); err2: if (ret != NULL) SSL_CTX_free(ret); return (NULL); } #if 0 static void SSL_COMP_free(SSL_COMP *comp) { OPENSSL_free(comp); } #endif void SSL_CTX_free(SSL_CTX *a) { int i; if (a == NULL) return; i = CRYPTO_add(&a->references, -1, CRYPTO_LOCK_SSL_CTX); #ifdef REF_PRINT REF_PRINT("SSL_CTX", a); #endif if (i > 0) return; #ifdef REF_CHECK if (i < 0) { fprintf(stderr, "SSL_CTX_free, bad reference count\n"); abort(); /* ok */ } #endif if (a->param) X509_VERIFY_PARAM_free(a->param); /* * Free internal session cache. However: the remove_cb() may reference * the ex_data of SSL_CTX, thus the ex_data store can only be removed * after the sessions were flushed. * As the ex_data handling routines might also touch the session cache, * the most secure solution seems to be: empty (flush) the cache, then * free ex_data, then finally free the cache. * (See ticket [openssl.org #212].) */ if (a->sessions != NULL) SSL_CTX_flush_sessions(a, 0); CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_CTX, a, &a->ex_data); if (a->sessions != NULL) lh_free(a->sessions); if (a->cert_store != NULL) X509_STORE_free(a->cert_store); if (a->cipher_list != NULL) sk_SSL_CIPHER_free(a->cipher_list); if (a->cipher_list_by_id != NULL) sk_SSL_CIPHER_free(a->cipher_list_by_id); if (a->cert != NULL) ssl_cert_free(a->cert); if (a->client_CA != NULL) sk_X509_NAME_pop_free(a->client_CA, X509_NAME_free); if (a->extra_certs != NULL) sk_X509_pop_free(a->extra_certs, X509_free); #if 0 /* This should never be done, since it * removes a global database */ if (a->comp_methods != NULL) sk_SSL_COMP_pop_free(a->comp_methods, SSL_COMP_free); #else a->comp_methods = NULL; #endif #ifndef OPENSSL_NO_ENGINE if (a->client_cert_engine) ENGINE_finish(a->client_cert_engine); #endif OPENSSL_free(a); } void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb) { ctx->default_passwd_callback = cb; } void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u) { ctx->default_passwd_callback_userdata = u; } void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb) (X509_STORE_CTX *, void *), void *arg) { ctx->app_verify_callback = cb; ctx->app_verify_arg = arg; } void SSL_CTX_set_verify(SSL_CTX *ctx, int mode, int (*cb) (int, X509_STORE_CTX *)) { ctx->verify_mode = mode; ctx->default_verify_callback = cb; } void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth) { X509_VERIFY_PARAM_set_depth(ctx->param, depth); } void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher) { CERT_PKEY *cpk; int rsa_enc, rsa_tmp, rsa_sign, dh_tmp, dh_rsa, dh_dsa, dsa_sign; int rsa_enc_export, dh_rsa_export, dh_dsa_export; int rsa_tmp_export, dh_tmp_export, kl; unsigned long mask, emask; int have_ecc_cert, ecdh_ok, ecdsa_ok, ecc_pkey_size; #ifndef OPENSSL_NO_ECDH int have_ecdh_tmp; #endif X509 *x = NULL; EVP_PKEY *ecc_pkey = NULL; int signature_nid = 0; if (c == NULL) return; kl = SSL_C_EXPORT_PKEYLENGTH(cipher); #ifndef OPENSSL_NO_RSA rsa_tmp = (c->rsa_tmp != NULL || c->rsa_tmp_cb != NULL); rsa_tmp_export = (c->rsa_tmp_cb != NULL || (rsa_tmp && RSA_size(c->rsa_tmp) * 8 <= kl)); #else rsa_tmp = rsa_tmp_export = 0; #endif #ifndef OPENSSL_NO_DH dh_tmp = (c->dh_tmp != NULL || c->dh_tmp_cb != NULL); dh_tmp_export = (c->dh_tmp_cb != NULL || (dh_tmp && DH_size(c->dh_tmp) * 8 <= kl)); #else dh_tmp = dh_tmp_export = 0; #endif #ifndef OPENSSL_NO_ECDH have_ecdh_tmp = (c->ecdh_tmp != NULL || c->ecdh_tmp_cb != NULL); #endif cpk = &(c->pkeys[SSL_PKEY_RSA_ENC]); rsa_enc = (cpk->x509 != NULL && cpk->privatekey != NULL); rsa_enc_export = (rsa_enc && EVP_PKEY_size(cpk->privatekey) * 8 <= kl); cpk = &(c->pkeys[SSL_PKEY_RSA_SIGN]); rsa_sign = (cpk->x509 != NULL && cpk->privatekey != NULL); cpk = &(c->pkeys[SSL_PKEY_DSA_SIGN]); dsa_sign = (cpk->x509 != NULL && cpk->privatekey != NULL); cpk = &(c->pkeys[SSL_PKEY_DH_RSA]); dh_rsa = (cpk->x509 != NULL && cpk->privatekey != NULL); dh_rsa_export = (dh_rsa && EVP_PKEY_size(cpk->privatekey) * 8 <= kl); cpk = &(c->pkeys[SSL_PKEY_DH_DSA]); /* FIX THIS EAY EAY EAY */ dh_dsa = (cpk->x509 != NULL && cpk->privatekey != NULL); dh_dsa_export = (dh_dsa && EVP_PKEY_size(cpk->privatekey) * 8 <= kl); cpk = &(c->pkeys[SSL_PKEY_ECC]); have_ecc_cert = (cpk->x509 != NULL && cpk->privatekey != NULL); mask = 0; emask = 0; #ifdef CIPHER_DEBUG printf("rt=%d rte=%d dht=%d re=%d ree=%d rs=%d ds=%d dhr=%d dhd=%d\n", rsa_tmp, rsa_tmp_export, dh_tmp, rsa_enc, rsa_enc_export, rsa_sign, dsa_sign, dh_rsa, dh_dsa); #endif if (rsa_enc || (rsa_tmp && rsa_sign)) mask |= SSL_kRSA; if (rsa_enc_export || (rsa_tmp_export && (rsa_sign || rsa_enc))) emask |= SSL_kRSA; #if 0 /* The match needs to be both kEDH and aRSA or aDSA, so don't worry */ if ((dh_tmp || dh_rsa || dh_dsa) && (rsa_enc || rsa_sign || dsa_sign)) mask |= SSL_kEDH; if ((dh_tmp_export || dh_rsa_export || dh_dsa_export) && (rsa_enc || rsa_sign || dsa_sign)) emask |= SSL_kEDH; #endif if (dh_tmp_export) emask |= SSL_kEDH; if (dh_tmp) mask |= SSL_kEDH; if (dh_rsa) mask |= SSL_kDHr; if (dh_rsa_export) emask |= SSL_kDHr; if (dh_dsa) mask |= SSL_kDHd; if (dh_dsa_export) emask |= SSL_kDHd; if (rsa_enc || rsa_sign) { mask |= SSL_aRSA; emask |= SSL_aRSA; } if (dsa_sign) { mask |= SSL_aDSS; emask |= SSL_aDSS; } mask |= SSL_aNULL; emask |= SSL_aNULL; #ifndef OPENSSL_NO_KRB5 mask |= SSL_kKRB5 | SSL_aKRB5; emask |= SSL_kKRB5 | SSL_aKRB5; #endif /* * An ECC certificate may be usable for ECDH and/or ECDSA cipher suites * depending on the key usage extension. */ if (have_ecc_cert) { /* This call populates extension flags (ex_flags) */ x = (c->pkeys[SSL_PKEY_ECC]).x509; X509_check_purpose(x, -1, 0); ecdh_ok = (x->ex_flags & EXFLAG_KUSAGE) ? (x->ex_kusage & X509v3_KU_KEY_AGREEMENT) : 1; ecdsa_ok = (x->ex_flags & EXFLAG_KUSAGE) ? (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) : 1; ecc_pkey = X509_get_pubkey(x); ecc_pkey_size = (ecc_pkey != NULL) ? EVP_PKEY_bits(ecc_pkey) : 0; EVP_PKEY_free(ecc_pkey); if ((x->sig_alg) && (x->sig_alg->algorithm)) signature_nid = OBJ_obj2nid(x->sig_alg->algorithm); #ifndef OPENSSL_NO_ECDH if (ecdh_ok) { if ((signature_nid == NID_md5WithRSAEncryption) || (signature_nid == NID_md4WithRSAEncryption) || (signature_nid == NID_md2WithRSAEncryption)) { mask |= SSL_kECDH | SSL_aRSA; if (ecc_pkey_size <= 163) emask |= SSL_kECDH | SSL_aRSA; } if (signature_nid == NID_ecdsa_with_SHA1) { mask |= SSL_kECDH | SSL_aECDSA; if (ecc_pkey_size <= 163) emask |= SSL_kECDH | SSL_aECDSA; } } #endif #ifndef OPENSSL_NO_ECDSA if (ecdsa_ok) { mask |= SSL_aECDSA; emask |= SSL_aECDSA; } #endif } #ifndef OPENSSL_NO_ECDH if (have_ecdh_tmp) { mask |= SSL_kECDHE; emask |= SSL_kECDHE; } #endif c->mask = mask; c->export_mask = emask; c->valid = 1; } /* This handy macro borrowed from crypto/x509v3/v3_purp.c */ #define ku_reject(x, usage) \ (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage))) int check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs) { unsigned long alg = cs->algorithms; EVP_PKEY *pkey = NULL; int keysize = 0; int signature_nid = 0; if (SSL_C_IS_EXPORT(cs)) { /* ECDH key length in export ciphers must be <= 163 bits */ pkey = X509_get_pubkey(x); if (pkey == NULL) return 0; keysize = EVP_PKEY_bits(pkey); EVP_PKEY_free(pkey); if (keysize > 163) return 0; } /* This call populates the ex_flags field correctly */ X509_check_purpose(x, -1, 0); if ((x->sig_alg) && (x->sig_alg->algorithm)) signature_nid = OBJ_obj2nid(x->sig_alg->algorithm); if (alg & SSL_kECDH) { /* key usage, if present, must allow key agreement */ if (ku_reject(x, X509v3_KU_KEY_AGREEMENT)) { return 0; } if (alg & SSL_aECDSA) { /* signature alg must be ECDSA */ if (signature_nid != NID_ecdsa_with_SHA1) { return 0; } } if (alg & SSL_aRSA) { /* signature alg must be RSA */ if ((signature_nid != NID_md5WithRSAEncryption) && (signature_nid != NID_md4WithRSAEncryption) && (signature_nid != NID_md2WithRSAEncryption)) { return 0; } } } else if (alg & SSL_aECDSA) { /* key usage, if present, must allow signing */ if (ku_reject(x, X509v3_KU_DIGITAL_SIGNATURE)) { return 0; } } return 1; /* all checks are ok */ } /* THIS NEEDS CLEANING UP */ CERT_PKEY *ssl_get_server_send_pkey(const SSL *s) { unsigned long alg, kalg; CERT *c; int i; c = s->cert; ssl_set_cert_masks(c, s->s3->tmp.new_cipher); alg = s->s3->tmp.new_cipher->algorithms; kalg = alg & (SSL_MKEY_MASK | SSL_AUTH_MASK); if (kalg & SSL_kECDH) { /* * we don't need to look at SSL_kECDHE since no certificate is * needed for anon ECDH and for authenticated ECDHE, the check for * the auth algorithm will set i correctly NOTE: For ECDH-RSA, we * need an ECC not an RSA cert but for ECDHE-RSA we need an RSA cert. * Placing the checks for SSL_kECDH before RSA checks ensures the * correct cert is chosen. */ i = SSL_PKEY_ECC; } else if (kalg & SSL_aECDSA) { i = SSL_PKEY_ECC; } else if (kalg & SSL_kDHr) i = SSL_PKEY_DH_RSA; else if (kalg & SSL_kDHd) i = SSL_PKEY_DH_DSA; else if (kalg & SSL_aDSS) i = SSL_PKEY_DSA_SIGN; else if (kalg & SSL_aRSA) { if (c->pkeys[SSL_PKEY_RSA_ENC].x509 == NULL) i = SSL_PKEY_RSA_SIGN; else i = SSL_PKEY_RSA_ENC; } else if (kalg & SSL_aKRB5) { /* VRS something else here? */ return (NULL); } else { /* if (kalg & SSL_aNULL) */ SSLerr(SSL_F_SSL_GET_SERVER_SEND_PKEY, ERR_R_INTERNAL_ERROR); return (NULL); } return c->pkeys + i; } X509 *ssl_get_server_send_cert(const SSL *s) { CERT_PKEY *cpk; cpk = ssl_get_server_send_pkey(s); if (!cpk) return NULL; return cpk->x509; } EVP_PKEY *ssl_get_sign_pkey(SSL *s, SSL_CIPHER *cipher) { unsigned long alg; CERT *c; alg = cipher->algorithms; c = s->cert; if ((alg & SSL_aDSS) && (c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL)) return (c->pkeys[SSL_PKEY_DSA_SIGN].privatekey); else if (alg & SSL_aRSA) { if (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey != NULL) return (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey); else if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey != NULL) return (c->pkeys[SSL_PKEY_RSA_ENC].privatekey); else return (NULL); } else if ((alg & SSL_aECDSA) && (c->pkeys[SSL_PKEY_ECC].privatekey != NULL)) return (c->pkeys[SSL_PKEY_ECC].privatekey); else { /* if (alg & SSL_aNULL) */ SSLerr(SSL_F_SSL_GET_SIGN_PKEY, ERR_R_INTERNAL_ERROR); return (NULL); } } void ssl_update_cache(SSL *s, int mode) { int i; /* * If the session_id_length is 0, we are not supposed to cache it, and it * would be rather hard to do anyway :-) */ if (s->session->session_id_length == 0) return; i = s->ctx->session_cache_mode; if ((i & mode) && (!s->hit) && ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE) || SSL_CTX_add_session(s->ctx, s->session)) && (s->ctx->new_session_cb != NULL)) { CRYPTO_add(&s->session->references, 1, CRYPTO_LOCK_SSL_SESSION); if (!s->ctx->new_session_cb(s, s->session)) SSL_SESSION_free(s->session); } /* auto flush every 255 connections */ if ((!(i & SSL_SESS_CACHE_NO_AUTO_CLEAR)) && ((i & mode) == mode)) { if ((((mode & SSL_SESS_CACHE_CLIENT) ? s->ctx->stats.sess_connect_good : s->ctx->stats.sess_accept_good) & 0xff) == 0xff) { SSL_CTX_flush_sessions(s->ctx, (unsigned long)time(NULL)); } } } SSL_METHOD *SSL_get_ssl_method(SSL *s) { return (s->method); } int SSL_set_ssl_method(SSL *s, SSL_METHOD *meth) { int conn = -1; int ret = 1; if (s->method != meth) { if (s->handshake_func != NULL) conn = (s->handshake_func == s->method->ssl_connect); if (s->method->version == meth->version) s->method = meth; else { s->method->ssl_free(s); s->method = meth; ret = s->method->ssl_new(s); } if (conn == 1) s->handshake_func = meth->ssl_connect; else if (conn == 0) s->handshake_func = meth->ssl_accept; } return (ret); } int SSL_get_error(const SSL *s, int i) { int reason; unsigned long l; BIO *bio; if (i > 0) return (SSL_ERROR_NONE); /* * Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake etc, * where we do encode the error */ if ((l = ERR_peek_error()) != 0) { if (ERR_GET_LIB(l) == ERR_LIB_SYS) return (SSL_ERROR_SYSCALL); else return (SSL_ERROR_SSL); } if ((i < 0) && SSL_want_read(s)) { bio = SSL_get_rbio(s); if (BIO_should_read(bio)) return (SSL_ERROR_WANT_READ); else if (BIO_should_write(bio)) /* * This one doesn't make too much sense ... We never try to write * to the rbio, and an application program where rbio and wbio * are separate couldn't even know what it should wait for. * However if we ever set s->rwstate incorrectly (so that we have * SSL_want_read(s) instead of SSL_want_write(s)) and rbio and * wbio *are* the same, this test works around that bug; so it * might be safer to keep it. */ return (SSL_ERROR_WANT_WRITE); else if (BIO_should_io_special(bio)) { reason = BIO_get_retry_reason(bio); if (reason == BIO_RR_CONNECT) return (SSL_ERROR_WANT_CONNECT); else if (reason == BIO_RR_ACCEPT) return (SSL_ERROR_WANT_ACCEPT); else return (SSL_ERROR_SYSCALL); /* unknown */ } } if ((i < 0) && SSL_want_write(s)) { bio = SSL_get_wbio(s); if (BIO_should_write(bio)) return (SSL_ERROR_WANT_WRITE); else if (BIO_should_read(bio)) /* * See above (SSL_want_read(s) with BIO_should_write(bio)) */ return (SSL_ERROR_WANT_READ); else if (BIO_should_io_special(bio)) { reason = BIO_get_retry_reason(bio); if (reason == BIO_RR_CONNECT) return (SSL_ERROR_WANT_CONNECT); else if (reason == BIO_RR_ACCEPT) return (SSL_ERROR_WANT_ACCEPT); else return (SSL_ERROR_SYSCALL); } } if ((i < 0) && SSL_want_x509_lookup(s)) { return (SSL_ERROR_WANT_X509_LOOKUP); } if (i == 0) { if (s->version == SSL2_VERSION) { /* assume it is the socket being closed */ return (SSL_ERROR_ZERO_RETURN); } else { if ((s->shutdown & SSL_RECEIVED_SHUTDOWN) && (s->s3->warn_alert == SSL_AD_CLOSE_NOTIFY)) return (SSL_ERROR_ZERO_RETURN); } } return (SSL_ERROR_SYSCALL); } int SSL_do_handshake(SSL *s) { int ret = 1; if (s->handshake_func == NULL) { SSLerr(SSL_F_SSL_DO_HANDSHAKE, SSL_R_CONNECTION_TYPE_NOT_SET); return (-1); } s->method->ssl_renegotiate_check(s); if (SSL_in_init(s) || SSL_in_before(s)) { ret = s->handshake_func(s); } return (ret); } /* * For the next 2 functions, SSL_clear() sets shutdown and so one of these * calls will reset it */ void SSL_set_accept_state(SSL *s) { s->server = 1; s->shutdown = 0; s->state = SSL_ST_ACCEPT | SSL_ST_BEFORE; s->handshake_func = s->method->ssl_accept; /* clear the current cipher */ ssl_clear_cipher_ctx(s); } void SSL_set_connect_state(SSL *s) { s->server = 0; s->shutdown = 0; s->state = SSL_ST_CONNECT | SSL_ST_BEFORE; s->handshake_func = s->method->ssl_connect; /* clear the current cipher */ ssl_clear_cipher_ctx(s); } int ssl_undefined_function(SSL *s) { SSLerr(SSL_F_SSL_UNDEFINED_FUNCTION, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return (0); } int ssl_undefined_void_function(void) { SSLerr(SSL_F_SSL_UNDEFINED_VOID_FUNCTION, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return (0); } int ssl_undefined_const_function(const SSL *s) { SSLerr(SSL_F_SSL_UNDEFINED_CONST_FUNCTION, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return (0); } SSL_METHOD *ssl_bad_method(int ver) { SSLerr(SSL_F_SSL_BAD_METHOD, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return (NULL); } const char *SSL_get_version(const SSL *s) { if (s->version == TLS1_VERSION) return ("TLSv1"); else if (s->version == SSL3_VERSION) return ("SSLv3"); else if (s->version == SSL2_VERSION) return ("SSLv2"); else return ("unknown"); } SSL *SSL_dup(SSL *s) { STACK_OF(X509_NAME) *sk; X509_NAME *xn; SSL *ret; int i; if ((ret = SSL_new(SSL_get_SSL_CTX(s))) == NULL) return (NULL); ret->version = s->version; ret->type = s->type; ret->method = s->method; if (s->session != NULL) { /* This copies session-id, SSL_METHOD, sid_ctx, and 'cert' */ SSL_copy_session_id(ret, s); } else { /* * No session has been established yet, so we have to expect that * s->cert or ret->cert will be changed later -- they should not both * point to the same object, and thus we can't use * SSL_copy_session_id. */ ret->method->ssl_free(ret); ret->method = s->method; ret->method->ssl_new(ret); if (s->cert != NULL) { if (ret->cert != NULL) { ssl_cert_free(ret->cert); } ret->cert = ssl_cert_dup(s->cert); if (ret->cert == NULL) goto err; } SSL_set_session_id_context(ret, s->sid_ctx, s->sid_ctx_length); } ret->options = s->options; ret->mode = s->mode; SSL_set_max_cert_list(ret, SSL_get_max_cert_list(s)); SSL_set_read_ahead(ret, SSL_get_read_ahead(s)); ret->msg_callback = s->msg_callback; ret->msg_callback_arg = s->msg_callback_arg; SSL_set_verify(ret, SSL_get_verify_mode(s), SSL_get_verify_callback(s)); SSL_set_verify_depth(ret, SSL_get_verify_depth(s)); ret->generate_session_id = s->generate_session_id; SSL_set_info_callback(ret, SSL_get_info_callback(s)); ret->debug = s->debug; /* copy app data, a little dangerous perhaps */ if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL, &ret->ex_data, &s->ex_data)) goto err; /* setup rbio, and wbio */ if (s->rbio != NULL) { if (!BIO_dup_state(s->rbio, (char *)&ret->rbio)) goto err; } if (s->wbio != NULL) { if (s->wbio != s->rbio) { if (!BIO_dup_state(s->wbio, (char *)&ret->wbio)) goto err; } else ret->wbio = ret->rbio; } ret->rwstate = s->rwstate; ret->in_handshake = s->in_handshake; ret->handshake_func = s->handshake_func; ret->server = s->server; ret->new_session = s->new_session; ret->quiet_shutdown = s->quiet_shutdown; ret->shutdown = s->shutdown; ret->state = s->state; /* SSL_dup does not really work at any state, * though */ ret->rstate = s->rstate; ret->init_num = 0; /* would have to copy ret->init_buf, * ret->init_msg, ret->init_num, * ret->init_off */ ret->hit = s->hit; X509_VERIFY_PARAM_inherit(ret->param, s->param); /* dup the cipher_list and cipher_list_by_id stacks */ if (s->cipher_list != NULL) { if ((ret->cipher_list = sk_SSL_CIPHER_dup(s->cipher_list)) == NULL) goto err; } if (s->cipher_list_by_id != NULL) if ((ret->cipher_list_by_id = sk_SSL_CIPHER_dup(s->cipher_list_by_id)) == NULL) goto err; /* Dup the client_CA list */ if (s->client_CA != NULL) { if ((sk = sk_X509_NAME_dup(s->client_CA)) == NULL) goto err; ret->client_CA = sk; for (i = 0; i < sk_X509_NAME_num(sk); i++) { xn = sk_X509_NAME_value(sk, i); if (sk_X509_NAME_set(sk, i, X509_NAME_dup(xn)) == NULL) { X509_NAME_free(xn); goto err; } } } if (0) { err: if (ret != NULL) SSL_free(ret); ret = NULL; } return (ret); } void ssl_clear_cipher_ctx(SSL *s) { if (s->enc_read_ctx != NULL) { EVP_CIPHER_CTX_cleanup(s->enc_read_ctx); OPENSSL_free(s->enc_read_ctx); s->enc_read_ctx = NULL; } if (s->enc_write_ctx != NULL) { EVP_CIPHER_CTX_cleanup(s->enc_write_ctx); OPENSSL_free(s->enc_write_ctx); s->enc_write_ctx = NULL; } #ifndef OPENSSL_NO_COMP if (s->expand != NULL) { COMP_CTX_free(s->expand); s->expand = NULL; } if (s->compress != NULL) { COMP_CTX_free(s->compress); s->compress = NULL; } #endif } /* Fix this function so that it takes an optional type parameter */ X509 *SSL_get_certificate(const SSL *s) { if (s->cert != NULL) return (s->cert->key->x509); else return (NULL); } /* Fix this function so that it takes an optional type parameter */ EVP_PKEY *SSL_get_privatekey(SSL *s) { if (s->cert != NULL) return (s->cert->key->privatekey); else return (NULL); } SSL_CIPHER *SSL_get_current_cipher(const SSL *s) { if ((s->session != NULL) && (s->session->cipher != NULL)) return (s->session->cipher); return (NULL); } #ifdef OPENSSL_NO_COMP const void *SSL_get_current_compression(SSL *s) { return NULL; } const void *SSL_get_current_expansion(SSL *s) { return NULL; } #else const COMP_METHOD *SSL_get_current_compression(SSL *s) { if (s->compress != NULL) return (s->compress->meth); return (NULL); } const COMP_METHOD *SSL_get_current_expansion(SSL *s) { if (s->expand != NULL) return (s->expand->meth); return (NULL); } #endif int ssl_init_wbio_buffer(SSL *s, int push) { BIO *bbio; if (s->bbio == NULL) { bbio = BIO_new(BIO_f_buffer()); if (bbio == NULL) return (0); s->bbio = bbio; } else { bbio = s->bbio; if (s->bbio == s->wbio) s->wbio = BIO_pop(s->wbio); } (void)BIO_reset(bbio); /* if (!BIO_set_write_buffer_size(bbio,16*1024)) */ if (!BIO_set_read_buffer_size(bbio, 1)) { SSLerr(SSL_F_SSL_INIT_WBIO_BUFFER, ERR_R_BUF_LIB); return (0); } if (push) { if (s->wbio != bbio) s->wbio = BIO_push(bbio, s->wbio); } else { if (s->wbio == bbio) s->wbio = BIO_pop(bbio); } return (1); } void ssl_free_wbio_buffer(SSL *s) { if (s->bbio == NULL) return; if (s->bbio == s->wbio) { /* remove buffering */ s->wbio = BIO_pop(s->wbio); #ifdef REF_CHECK /* not the usual REF_CHECK, but this avoids * adding one more preprocessor symbol */ assert(s->wbio != NULL); #endif } BIO_free(s->bbio); s->bbio = NULL; } void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx, int mode) { ctx->quiet_shutdown = mode; } int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx) { return (ctx->quiet_shutdown); } void SSL_set_quiet_shutdown(SSL *s, int mode) { s->quiet_shutdown = mode; } int SSL_get_quiet_shutdown(const SSL *s) { return (s->quiet_shutdown); } void SSL_set_shutdown(SSL *s, int mode) { s->shutdown = mode; } int SSL_get_shutdown(const SSL *s) { return (s->shutdown); } int SSL_version(const SSL *s) { return (s->version); } SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl) { return (ssl->ctx); } SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx) { if (ssl->ctx == ctx) return ssl->ctx; #ifndef OPENSSL_NO_TLSEXT if (ctx == NULL) ctx = ssl->initial_ctx; #endif if (ssl->cert != NULL) ssl_cert_free(ssl->cert); ssl->cert = ssl_cert_dup(ctx->cert); CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX); if (ssl->ctx != NULL) SSL_CTX_free(ssl->ctx); /* decrement reference count */ ssl->ctx = ctx; return (ssl->ctx); } #ifndef OPENSSL_NO_STDIO int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx) { return (X509_STORE_set_default_paths(ctx->cert_store)); } int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, const char *CApath) { return (X509_STORE_load_locations(ctx->cert_store, CAfile, CApath)); } #endif void SSL_set_info_callback(SSL *ssl, void (*cb) (const SSL *ssl, int type, int val)) { ssl->info_callback = cb; } /* * One compiler (Diab DCC) doesn't like argument names in returned function * pointer. */ void (*SSL_get_info_callback(const SSL *ssl)) (const SSL * /* ssl */ , int /* type */ , int /* val */ ) { return ssl->info_callback; } int SSL_state(const SSL *ssl) { return (ssl->state); } void SSL_set_verify_result(SSL *ssl, long arg) { ssl->verify_result = arg; } long SSL_get_verify_result(const SSL *ssl) { return (ssl->verify_result); } int SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) { return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL, argl, argp, new_func, dup_func, free_func); } int SSL_set_ex_data(SSL *s, int idx, void *arg) { return (CRYPTO_set_ex_data(&s->ex_data, idx, arg)); } void *SSL_get_ex_data(const SSL *s, int idx) { return (CRYPTO_get_ex_data(&s->ex_data, idx)); } int SSL_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) { return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_CTX, argl, argp, new_func, dup_func, free_func); } int SSL_CTX_set_ex_data(SSL_CTX *s, int idx, void *arg) { return (CRYPTO_set_ex_data(&s->ex_data, idx, arg)); } void *SSL_CTX_get_ex_data(const SSL_CTX *s, int idx) { return (CRYPTO_get_ex_data(&s->ex_data, idx)); } int ssl_ok(SSL *s) { return (1); } X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx) { return (ctx->cert_store); } void SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *store) { if (ctx->cert_store != NULL) X509_STORE_free(ctx->cert_store); ctx->cert_store = store; } int SSL_want(const SSL *s) { return (s->rwstate); } /** * \brief Set the callback for generating temporary RSA keys. * \param ctx the SSL context. * \param cb the callback */ #ifndef OPENSSL_NO_RSA void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx, RSA *(*cb) (SSL *ssl, int is_export, int keylength)) { SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_RSA_CB, (void (*)(void))cb); } void SSL_set_tmp_rsa_callback(SSL *ssl, RSA *(*cb) (SSL *ssl, int is_export, int keylength)) { SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_RSA_CB, (void (*)(void))cb); } #endif #ifdef DOXYGEN /** * \brief The RSA temporary key callback function. * \param ssl the SSL session. * \param is_export \c TRUE if the temp RSA key is for an export ciphersuite. * \param keylength if \c is_export is \c TRUE, then \c keylength is the size * of the required key in bits. * \return the temporary RSA key. * \sa SSL_CTX_set_tmp_rsa_callback, SSL_set_tmp_rsa_callback */ RSA *cb(SSL *ssl, int is_export, int keylength) { } #endif /** * \brief Set the callback for generating temporary DH keys. * \param ctx the SSL context. * \param dh the callback */ #ifndef OPENSSL_NO_DH void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx, DH *(*dh) (SSL *ssl, int is_export, int keylength)) { SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh); } void SSL_set_tmp_dh_callback(SSL *ssl, DH *(*dh) (SSL *ssl, int is_export, int keylength)) { SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh); } #endif #ifndef OPENSSL_NO_ECDH void SSL_CTX_set_tmp_ecdh_callback(SSL_CTX *ctx, EC_KEY *(*ecdh) (SSL *ssl, int is_export, int keylength)) { SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_ECDH_CB, (void (*)(void))ecdh); } void SSL_set_tmp_ecdh_callback(SSL *ssl, EC_KEY *(*ecdh) (SSL *ssl, int is_export, int keylength)) { SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_ECDH_CB, (void (*)(void))ecdh); } #endif void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb) (int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg)) { SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb); } void SSL_set_msg_callback(SSL *ssl, void (*cb) (int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg)) { SSL_callback_ctrl(ssl, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb); } #if defined(_WINDLL) && defined(OPENSSL_SYS_WIN16) # include "../crypto/bio/bss_file.c" #endif IMPLEMENT_STACK_OF(SSL_CIPHER) IMPLEMENT_STACK_OF(SSL_COMP) Index: stable/9/secure/usr.bin/openssl/man/ciphers.1 =================================================================== --- stable/9/secure/usr.bin/openssl/man/ciphers.1 (revision 296461) +++ stable/9/secure/usr.bin/openssl/man/ciphers.1 (revision 296462) @@ -1,531 +1,531 @@ .\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. Capital omega is used to do unbreakable dashes and .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is turned on, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .nr rF 0 .if \n(.g .if rF .nr rF 1 .if (\n(rF:(\n(.g==0)) \{ . if \nF \{ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{ . nr % 0 . nr F 2 . \} . \} .\} .rr rF .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. . \" fudge factors for nroff and troff .if n \{\ . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] \fP .\} .if t \{\ . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff .if n \{\ . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} .if t \{\ . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . \" troff and (daisy-wheel) nroff accents .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' .ds 8 \h'\*(#H'\(*b\h'-\*(#H' .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] .ds ae a\h'-(\w'a'u*4/10)'e .ds Ae A\h'-(\w'A'u*4/10)'E . \" corrections for vroff .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' . \" for low resolution devices (crt and lpr) .if \n(.H>23 .if \n(.V>19 \ \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} .rm #[ #] #H #V #F C .\" ======================================================================== .\" .IX Title "CIPHERS 1" .TH CIPHERS 1 "2015-12-03" "0.9.8zh" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" ciphers \- SSL cipher display and cipher list tool. .SH "SYNOPSIS" .IX Header "SYNOPSIS" \&\fBopenssl\fR \fBciphers\fR [\fB\-v\fR] [\fB\-ssl2\fR] [\fB\-ssl3\fR] [\fB\-tls1\fR] [\fBcipherlist\fR] .SH "DESCRIPTION" .IX Header "DESCRIPTION" The \fBcipherlist\fR command converts OpenSSL cipher lists into ordered \&\s-1SSL\s0 cipher preference lists. It can be used as a test tool to determine the appropriate cipherlist. .SH "COMMAND OPTIONS" .IX Header "COMMAND OPTIONS" .IP "\fB\-v\fR" 4 .IX Item "-v" verbose option. List ciphers with a complete description of protocol version (SSLv2 or SSLv3; the latter includes \s-1TLS\s0), key exchange, authentication, encryption and mac algorithms used along with any key size restrictions and whether the algorithm is classed as an \*(L"export\*(R" cipher. Note that without the \fB\-v\fR option, ciphers may seem to appear twice in a cipher list; this is when similar ciphers are available for \&\s-1SSL\s0 v2 and for \s-1SSL\s0 v3/TLS v1. .IP "\fB\-ssl3\fR" 4 .IX Item "-ssl3" only include \s-1SSL\s0 v3 ciphers. .IP "\fB\-ssl2\fR" 4 .IX Item "-ssl2" only include \s-1SSL\s0 v2 ciphers. .IP "\fB\-tls1\fR" 4 .IX Item "-tls1" only include \s-1TLS\s0 v1 ciphers. .IP "\fB\-h\fR, \fB\-?\fR" 4 .IX Item "-h, -?" print a brief usage message. .IP "\fBcipherlist\fR" 4 .IX Item "cipherlist" a cipher list to convert to a cipher preference list. If it is not included then the default cipher list will be used. The format is described below. .SH "CIPHER LIST FORMAT" .IX Header "CIPHER LIST FORMAT" The cipher list consists of one or more \fIcipher strings\fR separated by colons. Commas or spaces are also acceptable separators but colons are normally used. .PP The actual cipher string can take several different forms. .PP It can consist of a single cipher suite such as \fB\s-1RC4\-SHA\s0\fR. .PP It can represent a list of cipher suites containing a certain algorithm, or cipher suites of a certain type. For example \fB\s-1SHA1\s0\fR represents all ciphers suites using the digest algorithm \s-1SHA1\s0 and \fBSSLv3\fR represents all \s-1SSL\s0 v3 algorithms. .PP Lists of cipher suites can be combined in a single cipher string using the \&\fB+\fR character. This is used as a logical \fBand\fR operation. For example \&\fB\s-1SHA1+DES\s0\fR represents all cipher suites containing the \s-1SHA1 \s0\fBand\fR the \s-1DES\s0 algorithms. .PP Each cipher string can be optionally preceded by the characters \fB!\fR, \&\fB\-\fR or \fB+\fR. .PP If \fB!\fR is used then the ciphers are permanently deleted from the list. The ciphers deleted can never reappear in the list even if they are explicitly stated. .PP If \fB\-\fR is used then the ciphers are deleted from the list, but some or all of the ciphers can be added again by later options. .PP If \fB+\fR is used then the ciphers are moved to the end of the list. This option doesn't add any new ciphers it just moves matching existing ones. .PP If none of these characters is present then the string is just interpreted as a list of ciphers to be appended to the current preference list. If the list includes any ciphers already present they will be ignored: that is they will not moved to the end of the list. .PP Additionally the cipher string \fB\f(CB@STRENGTH\fB\fR can be used at any point to sort the current cipher list in order of encryption algorithm key length. .SH "CIPHER STRINGS" .IX Header "CIPHER STRINGS" The following is a list of all permitted cipher strings and their meanings. .IP "\fB\s-1DEFAULT\s0\fR" 4 .IX Item "DEFAULT" the default cipher list. This is determined at compile time and is normally \&\fB\s-1ALL:\s0!EXPORT:!aNULL:!eNULL:!SSLv2:@STRENGTH\fR. This must be the first cipher string specified. .IP "\fB\s-1COMPLEMENTOFDEFAULT\s0\fR" 4 .IX Item "COMPLEMENTOFDEFAULT" the ciphers included in \fB\s-1ALL\s0\fR, but not enabled by default. Currently this is \fB\s-1ADH\s0\fR. Note that this rule does not cover \fBeNULL\fR, which is not included by \fB\s-1ALL\s0\fR (use \fB\s-1COMPLEMENTOFALL\s0\fR if necessary). .IP "\fB\s-1ALL\s0\fR" 4 .IX Item "ALL" all ciphers suites except the \fBeNULL\fR ciphers which must be explicitly enabled. .IP "\fB\s-1COMPLEMENTOFALL\s0\fR" 4 .IX Item "COMPLEMENTOFALL" the cipher suites not enabled by \fB\s-1ALL\s0\fR, currently being \fBeNULL\fR. .IP "\fB\s-1HIGH\s0\fR" 4 .IX Item "HIGH" \&\*(L"high\*(R" encryption cipher suites. This currently means those with key lengths larger than 128 bits, and some cipher suites with 128\-bit keys. .IP "\fB\s-1MEDIUM\s0\fR" 4 .IX Item "MEDIUM" \&\*(L"medium\*(R" encryption cipher suites, currently some of those using 128 bit encryption. .IP "\fB\s-1LOW\s0\fR" 4 .IX Item "LOW" \&\*(L"low\*(R" encryption cipher suites, currently those using 64 or 56 bit encryption algorithms but excluding export cipher suites. .IP "\fB\s-1EXP\s0\fR, \fB\s-1EXPORT\s0\fR" 4 .IX Item "EXP, EXPORT" export encryption algorithms. Including 40 and 56 bits algorithms. .IP "\fB\s-1EXPORT40\s0\fR" 4 .IX Item "EXPORT40" 40 bit export encryption algorithms .IP "\fB\s-1EXPORT56\s0\fR" 4 .IX Item "EXPORT56" 56 bit export encryption algorithms. In OpenSSL 0.9.8c and later the set of 56 bit export ciphers is empty unless OpenSSL has been explicitly configured with support for experimental ciphers. .IP "\fBeNULL\fR, \fB\s-1NULL\s0\fR" 4 .IX Item "eNULL, NULL" the \*(L"\s-1NULL\*(R"\s0 ciphers that is those offering no encryption. Because these offer no encryption at all and are a security risk they are disabled unless explicitly included. .IP "\fBaNULL\fR" 4 .IX Item "aNULL" the cipher suites offering no authentication. This is currently the anonymous \&\s-1DH\s0 algorithms. These cipher suites are vulnerable to a \*(L"man in the middle\*(R" attack and so their use is normally discouraged. .IP "\fBkRSA\fR, \fB\s-1RSA\s0\fR" 4 .IX Item "kRSA, RSA" cipher suites using \s-1RSA\s0 key exchange. .IP "\fBkEDH\fR" 4 .IX Item "kEDH" cipher suites using ephemeral \s-1DH\s0 key agreement. .IP "\fBkDHr\fR, \fBkDHd\fR" 4 .IX Item "kDHr, kDHd" cipher suites using \s-1DH\s0 key agreement and \s-1DH\s0 certificates signed by CAs with \s-1RSA\s0 and \s-1DSS\s0 keys respectively. Not implemented. .IP "\fBaRSA\fR" 4 .IX Item "aRSA" cipher suites using \s-1RSA\s0 authentication, i.e. the certificates carry \s-1RSA\s0 keys. .IP "\fBaDSS\fR, \fB\s-1DSS\s0\fR" 4 .IX Item "aDSS, DSS" cipher suites using \s-1DSS\s0 authentication, i.e. the certificates carry \s-1DSS\s0 keys. .IP "\fBaDH\fR" 4 .IX Item "aDH" cipher suites effectively using \s-1DH\s0 authentication, i.e. the certificates carry \&\s-1DH\s0 keys. Not implemented. .IP "\fBkFZA\fR, \fBaFZA\fR, \fBeFZA\fR, \fB\s-1FZA\s0\fR" 4 .IX Item "kFZA, aFZA, eFZA, FZA" ciphers suites using \s-1FORTEZZA\s0 key exchange, authentication, encryption or all \&\s-1FORTEZZA\s0 algorithms. Not implemented. .IP "\fBTLSv1\fR, \fBSSLv3\fR, \fBSSLv2\fR" 4 .IX Item "TLSv1, SSLv3, SSLv2" \&\s-1TLS\s0 v1.0, \s-1SSL\s0 v3.0 or \s-1SSL\s0 v2.0 cipher suites respectively. .IP "\fB\s-1DH\s0\fR" 4 .IX Item "DH" cipher suites using \s-1DH,\s0 including anonymous \s-1DH.\s0 .IP "\fB\s-1ADH\s0\fR" 4 .IX Item "ADH" anonymous \s-1DH\s0 cipher suites. .IP "\fB\s-1AES\s0\fR" 4 .IX Item "AES" cipher suites using \s-1AES.\s0 .IP "\fB\s-1CAMELLIA\s0\fR" 4 .IX Item "CAMELLIA" cipher suites using Camellia. .IP "\fB3DES\fR" 4 .IX Item "3DES" cipher suites using triple \s-1DES.\s0 .IP "\fB\s-1DES\s0\fR" 4 .IX Item "DES" cipher suites using \s-1DES \s0(not triple \s-1DES\s0). .IP "\fB\s-1RC4\s0\fR" 4 .IX Item "RC4" cipher suites using \s-1RC4.\s0 .IP "\fB\s-1RC2\s0\fR" 4 .IX Item "RC2" cipher suites using \s-1RC2.\s0 .IP "\fB\s-1IDEA\s0\fR" 4 .IX Item "IDEA" cipher suites using \s-1IDEA.\s0 .IP "\fB\s-1SEED\s0\fR" 4 .IX Item "SEED" cipher suites using \s-1SEED.\s0 .IP "\fB\s-1MD5\s0\fR" 4 .IX Item "MD5" cipher suites using \s-1MD5.\s0 .IP "\fB\s-1SHA1\s0\fR, \fB\s-1SHA\s0\fR" 4 .IX Item "SHA1, SHA" cipher suites using \s-1SHA1.\s0 .SH "CIPHER SUITE NAMES" .IX Header "CIPHER SUITE NAMES" The following lists give the \s-1SSL\s0 or \s-1TLS\s0 cipher suites names from the relevant specification and their OpenSSL equivalents. It should be noted, that several cipher suite names do not include the authentication used, e.g. \s-1DES\-CBC3\-SHA.\s0 In these cases, \s-1RSA\s0 authentication is used. .SS "\s-1SSL\s0 v3.0 cipher suites." .IX Subsection "SSL v3.0 cipher suites." .Vb 10 \& SSL_RSA_WITH_NULL_MD5 NULL\-MD5 \& SSL_RSA_WITH_NULL_SHA NULL\-SHA \& SSL_RSA_EXPORT_WITH_RC4_40_MD5 EXP\-RC4\-MD5 \& SSL_RSA_WITH_RC4_128_MD5 RC4\-MD5 \& SSL_RSA_WITH_RC4_128_SHA RC4\-SHA \& SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 EXP\-RC2\-CBC\-MD5 \& SSL_RSA_WITH_IDEA_CBC_SHA IDEA\-CBC\-SHA \& SSL_RSA_EXPORT_WITH_DES40_CBC_SHA EXP\-DES\-CBC\-SHA \& SSL_RSA_WITH_DES_CBC_SHA DES\-CBC\-SHA \& SSL_RSA_WITH_3DES_EDE_CBC_SHA DES\-CBC3\-SHA \& \& SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA Not implemented. \& SSL_DH_DSS_WITH_DES_CBC_SHA Not implemented. \& SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA Not implemented. \& SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA Not implemented. \& SSL_DH_RSA_WITH_DES_CBC_SHA Not implemented. \& SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA Not implemented. \& SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA EXP\-EDH\-DSS\-DES\-CBC\-SHA \& SSL_DHE_DSS_WITH_DES_CBC_SHA EDH\-DSS\-CBC\-SHA \& SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA EDH\-DSS\-DES\-CBC3\-SHA \& SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA EXP\-EDH\-RSA\-DES\-CBC\-SHA \& SSL_DHE_RSA_WITH_DES_CBC_SHA EDH\-RSA\-DES\-CBC\-SHA \& SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH\-RSA\-DES\-CBC3\-SHA \& \& SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 EXP\-ADH\-RC4\-MD5 \& SSL_DH_anon_WITH_RC4_128_MD5 ADH\-RC4\-MD5 \& SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA EXP\-ADH\-DES\-CBC\-SHA \& SSL_DH_anon_WITH_DES_CBC_SHA ADH\-DES\-CBC\-SHA \& SSL_DH_anon_WITH_3DES_EDE_CBC_SHA ADH\-DES\-CBC3\-SHA \& \& SSL_FORTEZZA_KEA_WITH_NULL_SHA Not implemented. \& SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA Not implemented. \& SSL_FORTEZZA_KEA_WITH_RC4_128_SHA Not implemented. .Ve .SS "\s-1TLS\s0 v1.0 cipher suites." .IX Subsection "TLS v1.0 cipher suites." .Vb 10 \& TLS_RSA_WITH_NULL_MD5 NULL\-MD5 \& TLS_RSA_WITH_NULL_SHA NULL\-SHA \& TLS_RSA_EXPORT_WITH_RC4_40_MD5 EXP\-RC4\-MD5 \& TLS_RSA_WITH_RC4_128_MD5 RC4\-MD5 \& TLS_RSA_WITH_RC4_128_SHA RC4\-SHA \& TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 EXP\-RC2\-CBC\-MD5 \& TLS_RSA_WITH_IDEA_CBC_SHA IDEA\-CBC\-SHA \& TLS_RSA_EXPORT_WITH_DES40_CBC_SHA EXP\-DES\-CBC\-SHA \& TLS_RSA_WITH_DES_CBC_SHA DES\-CBC\-SHA \& TLS_RSA_WITH_3DES_EDE_CBC_SHA DES\-CBC3\-SHA \& \& TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA Not implemented. \& TLS_DH_DSS_WITH_DES_CBC_SHA Not implemented. \& TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA Not implemented. \& TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA Not implemented. \& TLS_DH_RSA_WITH_DES_CBC_SHA Not implemented. \& TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA Not implemented. \& TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA EXP\-EDH\-DSS\-DES\-CBC\-SHA \& TLS_DHE_DSS_WITH_DES_CBC_SHA EDH\-DSS\-CBC\-SHA \& TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA EDH\-DSS\-DES\-CBC3\-SHA \& TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA EXP\-EDH\-RSA\-DES\-CBC\-SHA \& TLS_DHE_RSA_WITH_DES_CBC_SHA EDH\-RSA\-DES\-CBC\-SHA \& TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH\-RSA\-DES\-CBC3\-SHA \& \& TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 EXP\-ADH\-RC4\-MD5 \& TLS_DH_anon_WITH_RC4_128_MD5 ADH\-RC4\-MD5 \& TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA EXP\-ADH\-DES\-CBC\-SHA \& TLS_DH_anon_WITH_DES_CBC_SHA ADH\-DES\-CBC\-SHA \& TLS_DH_anon_WITH_3DES_EDE_CBC_SHA ADH\-DES\-CBC3\-SHA .Ve .SS "\s-1AES\s0 ciphersuites from \s-1RFC3268,\s0 extending \s-1TLS\s0 v1.0" .IX Subsection "AES ciphersuites from RFC3268, extending TLS v1.0" .Vb 2 \& TLS_RSA_WITH_AES_128_CBC_SHA AES128\-SHA \& TLS_RSA_WITH_AES_256_CBC_SHA AES256\-SHA \& \& TLS_DH_DSS_WITH_AES_128_CBC_SHA Not implemented. \& TLS_DH_DSS_WITH_AES_256_CBC_SHA Not implemented. \& TLS_DH_RSA_WITH_AES_128_CBC_SHA Not implemented. \& TLS_DH_RSA_WITH_AES_256_CBC_SHA Not implemented. \& \& TLS_DHE_DSS_WITH_AES_128_CBC_SHA DHE\-DSS\-AES128\-SHA \& TLS_DHE_DSS_WITH_AES_256_CBC_SHA DHE\-DSS\-AES256\-SHA \& TLS_DHE_RSA_WITH_AES_128_CBC_SHA DHE\-RSA\-AES128\-SHA \& TLS_DHE_RSA_WITH_AES_256_CBC_SHA DHE\-RSA\-AES256\-SHA \& \& TLS_DH_anon_WITH_AES_128_CBC_SHA ADH\-AES128\-SHA \& TLS_DH_anon_WITH_AES_256_CBC_SHA ADH\-AES256\-SHA .Ve .SS "Camellia ciphersuites from \s-1RFC4132,\s0 extending \s-1TLS\s0 v1.0" .IX Subsection "Camellia ciphersuites from RFC4132, extending TLS v1.0" .Vb 2 \& TLS_RSA_WITH_CAMELLIA_128_CBC_SHA CAMELLIA128\-SHA \& TLS_RSA_WITH_CAMELLIA_256_CBC_SHA CAMELLIA256\-SHA \& \& TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA Not implemented. \& TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA Not implemented. \& TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA Not implemented. \& TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA Not implemented. \& \& TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA DHE\-DSS\-CAMELLIA128\-SHA \& TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA DHE\-DSS\-CAMELLIA256\-SHA \& TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA DHE\-RSA\-CAMELLIA128\-SHA \& TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA DHE\-RSA\-CAMELLIA256\-SHA \& \& TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA ADH\-CAMELLIA128\-SHA \& TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA ADH\-CAMELLIA256\-SHA .Ve .SS "\s-1SEED\s0 ciphersuites from \s-1RFC4162,\s0 extending \s-1TLS\s0 v1.0" .IX Subsection "SEED ciphersuites from RFC4162, extending TLS v1.0" .Vb 1 \& TLS_RSA_WITH_SEED_CBC_SHA SEED\-SHA \& \& TLS_DH_DSS_WITH_SEED_CBC_SHA Not implemented. \& TLS_DH_RSA_WITH_SEED_CBC_SHA Not implemented. \& \& TLS_DHE_DSS_WITH_SEED_CBC_SHA DHE\-DSS\-SEED\-SHA \& TLS_DHE_RSA_WITH_SEED_CBC_SHA DHE\-RSA\-SEED\-SHA \& \& TLS_DH_anon_WITH_SEED_CBC_SHA ADH\-SEED\-SHA .Ve .SS "Additional Export 1024 and other cipher suites" .IX Subsection "Additional Export 1024 and other cipher suites" Note: these ciphers can also be used in \s-1SSL\s0 v3. .PP .Vb 5 \& TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA EXP1024\-DES\-CBC\-SHA \& TLS_RSA_EXPORT1024_WITH_RC4_56_SHA EXP1024\-RC4\-SHA \& TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA EXP1024\-DHE\-DSS\-DES\-CBC\-SHA \& TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA EXP1024\-DHE\-DSS\-RC4\-SHA \& TLS_DHE_DSS_WITH_RC4_128_SHA DHE\-DSS\-RC4\-SHA .Ve .SS "\s-1SSL\s0 v2.0 cipher suites." -.IX Subsection "SSL v2.0 cipher suites." -.Vb 7 -\& SSL_CK_RC4_128_WITH_MD5 RC4\-MD5 -\& SSL_CK_RC4_128_EXPORT40_WITH_MD5 EXP\-RC4\-MD5 -\& SSL_CK_RC2_128_CBC_WITH_MD5 RC2\-MD5 -\& SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 EXP\-RC2\-MD5 -\& SSL_CK_IDEA_128_CBC_WITH_MD5 IDEA\-CBC\-MD5 -\& SSL_CK_DES_64_CBC_WITH_MD5 DES\-CBC\-MD5 -\& SSL_CK_DES_192_EDE3_CBC_WITH_MD5 DES\-CBC3\-MD5 -.Ve -.SH "NOTES" +.IX Subsection "SSL v2.0 cipher suites." +.Vb 7 +\& SSL_CK_RC4_128_WITH_MD5 RC4\-MD5 +\& SSL_CK_RC4_128_EXPORT40_WITH_MD5 Not implemented. +\& SSL_CK_RC2_128_CBC_WITH_MD5 RC2\-CBC\-MD5 +\& SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 Not implemented. +\& SSL_CK_IDEA_128_CBC_WITH_MD5 IDEA\-CBC\-MD5 +\& SSL_CK_DES_64_CBC_WITH_MD5 Not implemented. +\& SSL_CK_DES_192_EDE3_CBC_WITH_MD5 DES\-CBC3\-MD5 +.Ve +.SH "NOTES" .IX Header "NOTES" The non-ephemeral \s-1DH\s0 modes are currently unimplemented in OpenSSL because there is no support for \s-1DH\s0 certificates. .PP Some compiled versions of OpenSSL may not include all the ciphers listed here because some ciphers were excluded at compile time. .SH "EXAMPLES" .IX Header "EXAMPLES" Verbose listing of all OpenSSL ciphers including \s-1NULL\s0 ciphers: .PP .Vb 1 \& openssl ciphers \-v \*(AqALL:eNULL\*(Aq .Ve .PP Include all ciphers except \s-1NULL\s0 and anonymous \s-1DH\s0 then sort by strength: .PP .Vb 1 \& openssl ciphers \-v \*(AqALL:!ADH:@STRENGTH\*(Aq .Ve .PP Include only 3DES ciphers and then place \s-1RSA\s0 ciphers last: .PP .Vb 1 \& openssl ciphers \-v \*(Aq3DES:+RSA\*(Aq .Ve .PP Include all \s-1RC4\s0 ciphers but leave out those without authentication: .PP .Vb 1 \& openssl ciphers \-v \*(AqRC4:!COMPLEMENTOFDEFAULT\*(Aq .Ve .PP Include all chiphers with \s-1RSA\s0 authentication but leave out ciphers without encryption. .PP .Vb 1 \& openssl ciphers \-v \*(AqRSA:!COMPLEMENTOFALL\*(Aq .Ve .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIs_client\fR\|(1), \fIs_server\fR\|(1), \fIssl\fR\|(3) .SH "HISTORY" .IX Header "HISTORY" The \fB\s-1COMPLENTOFALL\s0\fR and \fB\s-1COMPLEMENTOFDEFAULT\s0\fR selection options were added in version 0.9.7.