From 06ab81f9f7b055a4456798cb9ef3266160438a08 Mon Sep 17 00:00:00 2001 From: Ben Laurie Date: Sun, 21 Feb 1999 20:03:24 +0000 Subject: [PATCH] Add support for new TLS export ciphersuites. --- CHANGES | 6 ++++ ssl/s23_srvr.c | 2 +- ssl/s2_clnt.c | 2 +- ssl/s2_lib.c | 16 ++++----- ssl/s2_srvr.c | 2 +- ssl/s3_clnt.c | 10 +++--- ssl/s3_enc.c | 9 +++-- ssl/s3_lib.c | 91 +++++++++++++++++++++++++++++++++----------------- ssl/s3_srvr.c | 26 +++++++-------- ssl/ssl.h | 15 +++++---- ssl/ssl_ciph.c | 38 +++++++++++---------- ssl/ssl_lib.c | 14 ++++---- ssl/ssl_locl.h | 21 +++++++++--- ssl/ssl_sess.c | 4 +-- ssl/t1_enc.c | 15 ++++----- ssl/tls1.h | 8 +++++ 16 files changed, 168 insertions(+), 111 deletions(-) diff --git a/CHANGES b/CHANGES index f46f964fce..000f671598 100644 --- a/CHANGES +++ b/CHANGES @@ -5,6 +5,12 @@ Changes between 0.9.1c and 0.9.2 + *) Add support for new TLS ciphersuites, TLS_RSA_EXPORT56_WITH_RC4_56_MD5, + TLS_RSA_EXPORT56_WITH_RC2_CBC_56_MD5 and + TLS_RSA_EXPORT56_WITH_DES_CBC_SHA, as specified in "56-bit Export Cipher + Suites For TLS", draft-ietf-tls-56-bit-ciphersuites-00.txt. + [Ben Laurie] + *) Add preliminary config info for new extension code. [Steve Henson] diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c index d1f49e5ac3..a4d0f1c90f 100644 --- a/ssl/s23_srvr.c +++ b/ssl/s23_srvr.c @@ -290,7 +290,7 @@ SSL *s; for (j=0; jalgorithms & SSL_EXP)) + if (!SSL_C_IS_EXPORT(c)) { if ((c->id>>24L) == 2L) ne2=1; diff --git a/ssl/s2_clnt.c b/ssl/s2_clnt.c index bbac33cf36..33112eeb3f 100644 --- a/ssl/s2_clnt.c +++ b/ssl/s2_clnt.c @@ -568,7 +568,7 @@ SSL *s; if (sess->cipher->algorithm2 & SSL2_CF_8_BYTE_ENC) enc=8; - else if (sess->cipher->algorithms & SSL_EXP) + else if (SSL_C_IS_EXPORT(sess->cipher)) enc=5; else enc=i; diff --git a/ssl/s2_lib.c b/ssl/s2_lib.c index 12b8458a58..282d8bd71e 100644 --- a/ssl/s2_lib.c +++ b/ssl/s2_lib.c @@ -78,7 +78,7 @@ SSL_CIPHER ssl2_ciphers[]={ 1, SSL2_TXT_NULL_WITH_MD5, SSL2_CK_NULL_WITH_MD5, - SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5|SSL_EXP|SSL_SSLV2, + SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5|SSL_EXP40|SSL_SSLV2, 0, SSL_ALL_CIPHERS, }, @@ -88,7 +88,7 @@ SSL_CIPHER ssl2_ciphers[]={ 1, SSL2_TXT_RC4_128_EXPORT40_WITH_MD5, SSL2_CK_RC4_128_EXPORT40_WITH_MD5, - SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_EXP|SSL_SSLV2, + SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_EXP40|SSL_SSLV2, SSL2_CF_5_BYTE_ENC, SSL_ALL_CIPHERS, }, @@ -97,7 +97,7 @@ SSL_CIPHER ssl2_ciphers[]={ 1, SSL2_TXT_RC4_128_WITH_MD5, SSL2_CK_RC4_128_WITH_MD5, - SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_NOT_EXP|SSL_SSLV2|SSL_MEDIUM, + SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|_SSL_NOT_EXP|SSL_SSLV2|SSL_MEDIUM, 0, SSL_ALL_CIPHERS, }, @@ -106,7 +106,7 @@ SSL_CIPHER ssl2_ciphers[]={ 1, SSL2_TXT_RC2_128_CBC_EXPORT40_WITH_MD5, SSL2_CK_RC2_128_CBC_EXPORT40_WITH_MD5, - SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_EXP|SSL_SSLV2, + SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_EXP40|SSL_SSLV2, SSL2_CF_5_BYTE_ENC, SSL_ALL_CIPHERS, }, @@ -115,7 +115,7 @@ SSL_CIPHER ssl2_ciphers[]={ 1, SSL2_TXT_RC2_128_CBC_WITH_MD5, SSL2_CK_RC2_128_CBC_WITH_MD5, - SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_NOT_EXP|SSL_SSLV2|SSL_MEDIUM, + SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|_SSL_NOT_EXP|SSL_SSLV2|SSL_MEDIUM, 0, SSL_ALL_CIPHERS, }, @@ -124,7 +124,7 @@ SSL_CIPHER ssl2_ciphers[]={ 1, SSL2_TXT_IDEA_128_CBC_WITH_MD5, SSL2_CK_IDEA_128_CBC_WITH_MD5, - SSL_kRSA|SSL_aRSA|SSL_IDEA|SSL_MD5|SSL_NOT_EXP|SSL_SSLV2|SSL_MEDIUM, + SSL_kRSA|SSL_aRSA|SSL_IDEA|SSL_MD5|_SSL_NOT_EXP|SSL_SSLV2|SSL_MEDIUM, 0, SSL_ALL_CIPHERS, }, @@ -133,7 +133,7 @@ SSL_CIPHER ssl2_ciphers[]={ 1, SSL2_TXT_DES_64_CBC_WITH_MD5, SSL2_CK_DES_64_CBC_WITH_MD5, - SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5|SSL_NOT_EXP|SSL_SSLV2|SSL_LOW, + SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5|_SSL_NOT_EXP|SSL_SSLV2|SSL_LOW, 0, SSL_ALL_CIPHERS, }, @@ -142,7 +142,7 @@ SSL_CIPHER ssl2_ciphers[]={ 1, SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5, SSL2_CK_DES_192_EDE3_CBC_WITH_MD5, - SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5|SSL_NOT_EXP|SSL_SSLV2|SSL_HIGH, + SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5|_SSL_NOT_EXP|SSL_SSLV2|SSL_HIGH, 0, SSL_ALL_CIPHERS, }, diff --git a/ssl/s2_srvr.c b/ssl/s2_srvr.c index 814e38f480..73c19af807 100644 --- a/ssl/s2_srvr.c +++ b/ssl/s2_srvr.c @@ -401,7 +401,7 @@ SSL *s; &(p[s->s2->tmp.clear]),&(p[s->s2->tmp.clear]), (s->s2->ssl2_rollback)?RSA_SSLV23_PADDING:RSA_PKCS1_PADDING); - export=(s->session->cipher->algorithms & SSL_EXP)?1:0; + export=SSL_C_IS_EXPORT(s->session->cipher); if (!ssl_cipher_get_evp(s->session,&c,&md,NULL)) { diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index b2649ed998..cb63a9f7ce 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -1689,12 +1689,13 @@ SSL *s; #endif #endif - if ((algs & SSL_EXP) && !has_bits(i,EVP_PKT_EXP)) + if (SSL_IS_EXPORT(algs) && !has_bits(i,EVP_PKT_EXP)) { #ifndef NO_RSA if (algs & SSL_kRSA) { - if ((rsa == NULL) || (RSA_size(rsa) > 512)) + if (rsa == NULL + || RSA_size(rsa) > SSL_EXPORT_PKEYLENGTH(algs)) { SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_RSA_KEY); goto f_err; @@ -1704,8 +1705,9 @@ SSL *s; #endif #ifndef NO_DH if (algs & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) - { - if ((dh == NULL) || (DH_size(dh) > 512)) + { + if (dh == NULL + || DH_size(dh) > SSL_EXPORT_PKEYLENGTH(algs)) { SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_DH_KEY); goto f_err; diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c index a655e12bec..d79d9272d6 100644 --- a/ssl/s3_enc.c +++ b/ssl/s3_enc.c @@ -141,7 +141,7 @@ int which; MD5_CTX md; int exp,n,i,j,k,cl; - exp=(s->s3->tmp.new_cipher->algorithms & SSL_EXPORT)?1:0; + exp=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); c=s->s3->tmp.new_sym_enc; m=s->s3->tmp.new_hash; if (s->s3->tmp.new_compression == NULL) @@ -213,7 +213,8 @@ int which; p=s->s3->tmp.key_block; i=EVP_MD_size(m); cl=EVP_CIPHER_key_length(c); - j=exp ? (cl < 5 ? cl : 5) : cl; + j=exp ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ? + cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl; /* Was j=(exp)?5:EVP_CIPHER_key_length(c); */ k=EVP_CIPHER_iv_length(c); if ( (which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || @@ -283,7 +284,7 @@ SSL *s; unsigned char *p; EVP_CIPHER *c; EVP_MD *hash; - int num,exp; + int num; SSL_COMP *comp; if (s->s3->tmp.key_block_length != 0) @@ -299,8 +300,6 @@ SSL *s; s->s3->tmp.new_hash=hash; s->s3->tmp.new_compression=comp; - exp=(s->session->cipher->algorithms & SSL_EXPORT)?1:0; - num=EVP_CIPHER_key_length(c)+EVP_MD_size(hash)+EVP_CIPHER_iv_length(c); num*=2; diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index c64b760a44..ffea4b5d72 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -77,7 +77,7 @@ SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_RSA_NULL_MD5, SSL3_CK_RSA_NULL_MD5, - SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_MD5|SSL_NOT_EXP|SSL_SSLV3, + SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_MD5|_SSL_NOT_EXP|SSL_SSLV3, 0, SSL_ALL_CIPHERS, }, @@ -86,7 +86,7 @@ SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_RSA_NULL_SHA, SSL3_CK_RSA_NULL_SHA, - SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3, + SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_SHA1|_SSL_NOT_EXP|SSL_SSLV3, 0, SSL_ALL_CIPHERS, }, @@ -97,7 +97,7 @@ SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_ADH_RC4_40_MD5, SSL3_CK_ADH_RC4_40_MD5, - SSL_kEDH |SSL_aNULL|SSL_RC4 |SSL_MD5 |SSL_EXP|SSL_SSLV3, + SSL_kEDH |SSL_aNULL|SSL_RC4 |SSL_MD5 |SSL_EXP40|SSL_SSLV3, 0, SSL_ALL_CIPHERS, }, @@ -106,7 +106,7 @@ SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_ADH_RC4_128_MD5, SSL3_CK_ADH_RC4_128_MD5, - SSL_kEDH |SSL_aNULL|SSL_RC4 |SSL_MD5|SSL_NOT_EXP|SSL_SSLV3, + SSL_kEDH |SSL_aNULL|SSL_RC4 |SSL_MD5|_SSL_NOT_EXP|SSL_SSLV3, 0, SSL_ALL_CIPHERS, }, @@ -115,7 +115,7 @@ SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_ADH_DES_40_CBC_SHA, SSL3_CK_ADH_DES_40_CBC_SHA, - SSL_kEDH |SSL_aNULL|SSL_DES|SSL_SHA1|SSL_EXP|SSL_SSLV3, + SSL_kEDH |SSL_aNULL|SSL_DES|SSL_SHA1|SSL_EXP40|SSL_SSLV3, 0, SSL_ALL_CIPHERS, }, @@ -124,7 +124,7 @@ SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_ADH_DES_64_CBC_SHA, SSL3_CK_ADH_DES_64_CBC_SHA, - SSL_kEDH |SSL_aNULL|SSL_DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3, + SSL_kEDH |SSL_aNULL|SSL_DES |SSL_SHA1|_SSL_NOT_EXP|SSL_SSLV3, 0, SSL_ALL_CIPHERS, }, @@ -133,7 +133,7 @@ SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_ADH_DES_192_CBC_SHA, SSL3_CK_ADH_DES_192_CBC_SHA, - SSL_kEDH |SSL_aNULL|SSL_3DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3, + SSL_kEDH |SSL_aNULL|SSL_3DES |SSL_SHA1|_SSL_NOT_EXP|SSL_SSLV3, 0, SSL_ALL_CIPHERS, }, @@ -144,7 +144,7 @@ SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_RSA_RC4_40_MD5, SSL3_CK_RSA_RC4_40_MD5, - SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_MD5 |SSL_EXP|SSL_SSLV3, + SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_MD5 |SSL_EXP40|SSL_SSLV3, 0, SSL_ALL_CIPHERS, }, @@ -153,7 +153,7 @@ SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_RSA_RC4_128_MD5, SSL3_CK_RSA_RC4_128_MD5, - SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_MD5|SSL_NOT_EXP|SSL_SSLV3|SSL_MEDIUM, + SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_MD5|_SSL_NOT_EXP|SSL_SSLV3|SSL_MEDIUM, 0, SSL_ALL_CIPHERS, }, @@ -162,7 +162,7 @@ SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_RSA_RC4_128_SHA, SSL3_CK_RSA_RC4_128_SHA, - SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_MEDIUM, + SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_SHA1|_SSL_NOT_EXP|SSL_SSLV3|SSL_MEDIUM, 0, SSL_ALL_CIPHERS, }, @@ -171,7 +171,7 @@ SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_RSA_RC2_40_MD5, SSL3_CK_RSA_RC2_40_MD5, - SSL_kRSA|SSL_aRSA|SSL_RC2 |SSL_MD5 |SSL_EXP|SSL_SSLV3, + SSL_kRSA|SSL_aRSA|SSL_RC2 |SSL_MD5 |SSL_EXP40|SSL_SSLV3, 0, SSL_ALL_CIPHERS, }, @@ -180,7 +180,7 @@ SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_RSA_IDEA_128_SHA, SSL3_CK_RSA_IDEA_128_SHA, - SSL_kRSA|SSL_aRSA|SSL_IDEA |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_MEDIUM, + SSL_kRSA|SSL_aRSA|SSL_IDEA |SSL_SHA1|_SSL_NOT_EXP|SSL_SSLV3|SSL_MEDIUM, 0, SSL_ALL_CIPHERS, }, @@ -189,7 +189,7 @@ SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_RSA_DES_40_CBC_SHA, SSL3_CK_RSA_DES_40_CBC_SHA, - SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_EXP|SSL_SSLV3, + SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_EXP40|SSL_SSLV3, 0, SSL_ALL_CIPHERS, }, @@ -198,7 +198,7 @@ SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_RSA_DES_64_CBC_SHA, SSL3_CK_RSA_DES_64_CBC_SHA, - SSL_kRSA|SSL_aRSA|SSL_DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_LOW, + SSL_kRSA|SSL_aRSA|SSL_DES |SSL_SHA1|_SSL_NOT_EXP|SSL_SSLV3|SSL_LOW, 0, SSL_ALL_CIPHERS, }, @@ -207,7 +207,7 @@ SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_RSA_DES_192_CBC3_SHA, SSL3_CK_RSA_DES_192_CBC3_SHA, - SSL_kRSA|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_HIGH, + SSL_kRSA|SSL_aRSA|SSL_3DES |SSL_SHA1|_SSL_NOT_EXP|SSL_SSLV3|SSL_HIGH, 0, SSL_ALL_CIPHERS, }, @@ -218,7 +218,7 @@ SSL_CIPHER ssl3_ciphers[]={ 0, SSL3_TXT_DH_DSS_DES_40_CBC_SHA, SSL3_CK_DH_DSS_DES_40_CBC_SHA, - SSL_kDHd |SSL_aDH|SSL_DES|SSL_SHA1|SSL_EXP|SSL_SSLV3, + SSL_kDHd |SSL_aDH|SSL_DES|SSL_SHA1|SSL_EXP40|SSL_SSLV3, 0, SSL_ALL_CIPHERS, }, @@ -227,7 +227,7 @@ SSL_CIPHER ssl3_ciphers[]={ 0, SSL3_TXT_DH_DSS_DES_64_CBC_SHA, SSL3_CK_DH_DSS_DES_64_CBC_SHA, - SSL_kDHd |SSL_aDH|SSL_DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_LOW, + SSL_kDHd |SSL_aDH|SSL_DES |SSL_SHA1|_SSL_NOT_EXP|SSL_SSLV3|SSL_LOW, 0, SSL_ALL_CIPHERS, }, @@ -236,7 +236,7 @@ SSL_CIPHER ssl3_ciphers[]={ 0, SSL3_TXT_DH_DSS_DES_192_CBC3_SHA, SSL3_CK_DH_DSS_DES_192_CBC3_SHA, - SSL_kDHd |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_HIGH, + SSL_kDHd |SSL_aDH|SSL_3DES |SSL_SHA1|_SSL_NOT_EXP|SSL_SSLV3|SSL_HIGH, 0, SSL_ALL_CIPHERS, }, @@ -245,7 +245,7 @@ SSL_CIPHER ssl3_ciphers[]={ 0, SSL3_TXT_DH_RSA_DES_40_CBC_SHA, SSL3_CK_DH_RSA_DES_40_CBC_SHA, - SSL_kDHr |SSL_aDH|SSL_DES|SSL_SHA1|SSL_EXP|SSL_SSLV3, + SSL_kDHr |SSL_aDH|SSL_DES|SSL_SHA1|SSL_EXP40|SSL_SSLV3, 0, SSL_ALL_CIPHERS, }, @@ -254,7 +254,7 @@ SSL_CIPHER ssl3_ciphers[]={ 0, SSL3_TXT_DH_RSA_DES_64_CBC_SHA, SSL3_CK_DH_RSA_DES_64_CBC_SHA, - SSL_kDHr |SSL_aDH|SSL_DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_LOW, + SSL_kDHr |SSL_aDH|SSL_DES |SSL_SHA1|_SSL_NOT_EXP|SSL_SSLV3|SSL_LOW, 0, SSL_ALL_CIPHERS, }, @@ -263,7 +263,7 @@ SSL_CIPHER ssl3_ciphers[]={ 0, SSL3_TXT_DH_RSA_DES_192_CBC3_SHA, SSL3_CK_DH_RSA_DES_192_CBC3_SHA, - SSL_kDHr |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_HIGH, + SSL_kDHr |SSL_aDH|SSL_3DES |SSL_SHA1|_SSL_NOT_EXP|SSL_SSLV3|SSL_HIGH, 0, SSL_ALL_CIPHERS, }, @@ -274,7 +274,7 @@ SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_EDH_DSS_DES_40_CBC_SHA, SSL3_CK_EDH_DSS_DES_40_CBC_SHA, - SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA1|SSL_EXP|SSL_SSLV3, + SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA1|SSL_EXP40|SSL_SSLV3, 0, SSL_ALL_CIPHERS, }, @@ -283,7 +283,7 @@ SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_EDH_DSS_DES_64_CBC_SHA, SSL3_CK_EDH_DSS_DES_64_CBC_SHA, - SSL_kEDH|SSL_aDSS|SSL_DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_LOW, + SSL_kEDH|SSL_aDSS|SSL_DES |SSL_SHA1|_SSL_NOT_EXP|SSL_SSLV3|SSL_LOW, 0, SSL_ALL_CIPHERS, }, @@ -292,7 +292,7 @@ SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA, SSL3_CK_EDH_DSS_DES_192_CBC3_SHA, - SSL_kEDH|SSL_aDSS|SSL_3DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_HIGH, + SSL_kEDH|SSL_aDSS|SSL_3DES |SSL_SHA1|_SSL_NOT_EXP|SSL_SSLV3|SSL_HIGH, 0, SSL_ALL_CIPHERS, }, @@ -301,7 +301,7 @@ SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_EDH_RSA_DES_40_CBC_SHA, SSL3_CK_EDH_RSA_DES_40_CBC_SHA, - SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_EXP|SSL_SSLV3, + SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_EXP40|SSL_SSLV3, 0, SSL_ALL_CIPHERS, }, @@ -310,7 +310,7 @@ SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_EDH_RSA_DES_64_CBC_SHA, SSL3_CK_EDH_RSA_DES_64_CBC_SHA, - SSL_kEDH|SSL_aRSA|SSL_DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_LOW, + SSL_kEDH|SSL_aRSA|SSL_DES |SSL_SHA1|_SSL_NOT_EXP|SSL_SSLV3|SSL_LOW, 0, SSL_ALL_CIPHERS, }, @@ -319,7 +319,7 @@ SSL_CIPHER ssl3_ciphers[]={ 1, SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA, SSL3_CK_EDH_RSA_DES_192_CBC3_SHA, - SSL_kEDH|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_HIGH, + SSL_kEDH|SSL_aRSA|SSL_3DES |SSL_SHA1|_SSL_NOT_EXP|SSL_SSLV3|SSL_HIGH, 0, SSL_ALL_CIPHERS, }, @@ -330,7 +330,7 @@ SSL_CIPHER ssl3_ciphers[]={ 0, SSL3_TXT_FZA_DMS_NULL_SHA, SSL3_CK_FZA_DMS_NULL_SHA, - SSL_kFZA|SSL_aFZA |SSL_eNULL |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3, + SSL_kFZA|SSL_aFZA |SSL_eNULL |SSL_SHA1|_SSL_NOT_EXP|SSL_SSLV3, 0, SSL_ALL_CIPHERS, }, @@ -340,7 +340,7 @@ SSL_CIPHER ssl3_ciphers[]={ 0, SSL3_TXT_FZA_DMS_FZA_SHA, SSL3_CK_FZA_DMS_FZA_SHA, - SSL_kFZA|SSL_aFZA |SSL_eFZA |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3, + SSL_kFZA|SSL_aFZA |SSL_eFZA |SSL_SHA1|_SSL_NOT_EXP|SSL_SSLV3, 0, SSL_ALL_CIPHERS, }, @@ -350,11 +350,40 @@ SSL_CIPHER ssl3_ciphers[]={ 0, SSL3_TXT_FZA_DMS_RC4_SHA, SSL3_CK_FZA_DMS_RC4_SHA, - SSL_kFZA|SSL_aFZA |SSL_RC4 |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3, + SSL_kFZA|SSL_aFZA |SSL_RC4 |SSL_SHA1|_SSL_NOT_EXP|SSL_SSLV3, 0, SSL_ALL_CIPHERS, }, + /* New TLS Export CipherSuites */ + /* Cipher 60 */ + { + 1, + TLS1_TXT_RSA_EXPORT56_WITH_RC4_56_MD5, + TLS1_CK_RSA_EXPORT56_WITH_RC4_56_MD5, + SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_EXP56|SSL_TLSV1, + 0, + SSL_ALL_CIPHERS + }, + /* Cipher 61 */ + { + 1, + TLS1_TXT_RSA_EXPORT56_WITH_RC2_CBC_56_MD5, + TLS1_CK_RSA_EXPORT56_WITH_RC2_CBC_56_MD5, + SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_EXP56|SSL_TLSV1, + 0, + SSL_ALL_CIPHERS + }, + /* Cipher 62 */ + { + 1, + TLS1_TXT_RSA_EXPORT56_WITH_DES_CBC_SHA, + TLS1_CK_RSA_EXPORT56_WITH_DES_CBC_SHA, + SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA|SSL_EXP56|SSL_TLSV1, + 0, + SSL_ALL_CIPHERS + }, + /* end of list */ }; @@ -733,7 +762,7 @@ STACK *have,*pref; { c=(SSL_CIPHER *)sk_value(have,i); alg=c->algorithms&(SSL_MKEY_MASK|SSL_AUTH_MASK); - if (alg & SSL_EXPORT) + if (SSL_IS_EXPORT(alg)) { ok=((alg & emask) == alg)?1:0; #ifdef CIPHER_DEBUG diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index a4c0744488..233de6ca90 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -309,16 +309,16 @@ SSL *s; /* only send if a DH key exchange, fortezza or * RSA but we have a sign only certificate */ - if ( s->s3->tmp.use_rsa_tmp || - (l & (SSL_DH|SSL_kFZA)) || - ((l & SSL_kRSA) && - ((ct->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL)|| - ((l & SSL_EXPORT) && - (EVP_PKEY_size(ct->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > 512) - ) - ) + if (s->s3->tmp.use_rsa_tmp + || (l & (SSL_DH|SSL_kFZA)) + || ((l & SSL_kRSA) + && (ct->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL + || (SSL_IS_EXPORT(l) + && EVP_PKEY_size(ct->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_EXPORT_PKEYLENGTH(l) + ) + ) + ) ) - ) { ret=ssl3_send_server_key_exchange(s); if (ret <= 0) goto end; @@ -777,7 +777,7 @@ SSL *s; c=(SSL_CIPHER *)sk_value(sk,i); if (c->algorithms & SSL_eNULL) nc=c; - if (c->algorithms & SSL_EXP) + if (SSL_C_IS_EXPORT(c)) ec=c; } if (nc != NULL) @@ -945,8 +945,7 @@ SSL *s; if ((rsa == NULL) && (s->ctx->default_cert->rsa_tmp_cb != NULL)) { rsa=s->ctx->default_cert->rsa_tmp_cb(s, - !(s->s3->tmp.new_cipher->algorithms - &SSL_NOT_EXP)); + !SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)); CRYPTO_add(&rsa->references,1,CRYPTO_LOCK_RSA); cert->rsa_tmp=rsa; } @@ -968,8 +967,7 @@ SSL *s; dhp=cert->dh_tmp; if ((dhp == NULL) && (cert->dh_tmp_cb != NULL)) dhp=cert->dh_tmp_cb(s, - !(s->s3->tmp.new_cipher->algorithms - &SSL_NOT_EXP)); + !SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)); if (dhp == NULL) { al=SSL_AD_HANDSHAKE_FAILURE; diff --git a/ssl/ssl.h b/ssl/ssl.h index e6a1327ce3..4947e28eed 100644 --- a/ssl/ssl.h +++ b/ssl/ssl.h @@ -132,8 +132,9 @@ extern "C" { #define SSL_TXT_MD5 "MD5" #define SSL_TXT_SHA1 "SHA1" #define SSL_TXT_SHA "SHA" -#define SSL_TXT_EXP "EXP" +#define SSL_TXT_EXP40 "EXP" #define SSL_TXT_EXPORT "EXPORT" +#define SSL_TXT_EXP56 "EXP56" #define SSL_TXT_SSLV2 "SSLv2" #define SSL_TXT_SSLV3 "SSLv3" #define SSL_TXT_TLSV1 "TLSv1" @@ -988,18 +989,18 @@ int SSL_state(SSL *ssl); void SSL_set_verify_result(SSL *ssl,long v); long SSL_get_verify_result(SSL *ssl); -int SSL_set_ex_data(SSL *ssl,int idx,char *data); -char *SSL_get_ex_data(SSL *ssl,int idx); +int SSL_set_ex_data(SSL *ssl,int idx,void *data); +void *SSL_get_ex_data(SSL *ssl,int idx); int SSL_get_ex_new_index(long argl, char *argp, int (*new_func)(), int (*dup_func)(), void (*free_func)()); -int SSL_SESSION_set_ex_data(SSL_SESSION *ss,int idx,char *data); -char *SSL_SESSION_get_ex_data(SSL_SESSION *ss,int idx); +int SSL_SESSION_set_ex_data(SSL_SESSION *ss,int idx,void *data); +void *SSL_SESSION_get_ex_data(SSL_SESSION *ss,int idx); int SSL_SESSION_get_ex_new_index(long argl, char *argp, int (*new_func)(), int (*dup_func)(), void (*free_func)()); -int SSL_CTX_set_ex_data(SSL_CTX *ssl,int idx,char *data); -char *SSL_CTX_get_ex_data(SSL_CTX *ssl,int idx); +int SSL_CTX_set_ex_data(SSL_CTX *ssl,int idx,void *data); +void *SSL_CTX_get_ex_data(SSL_CTX *ssl,int idx); int SSL_CTX_get_ex_new_index(long argl, char *argp, int (*new_func)(), int (*dup_func)(), void (*free_func)()); diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index 30501cb700..2bea76cffe 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -144,14 +144,15 @@ static SSL_CIPHER cipher_aliases[]={ {0,SSL_TXT_ADH, 0,SSL_ADH, 0,SSL_AUTH_MASK|SSL_MKEY_MASK}, {0,SSL_TXT_FZA, 0,SSL_FZA, 0,SSL_AUTH_MASK|SSL_MKEY_MASK|SSL_ENC_MASK}, - {0,SSL_TXT_EXP, 0,SSL_EXP, 0,SSL_EXP_MASK}, - {0,SSL_TXT_EXPORT,0,SSL_EXPORT,0,SSL_EXP_MASK}, - {0,SSL_TXT_SSLV2,0,SSL_SSLV2,0,SSL_SSL_MASK}, - {0,SSL_TXT_SSLV3,0,SSL_SSLV3,0,SSL_SSL_MASK}, - {0,SSL_TXT_TLSV1,0,SSL_SSLV3,0,SSL_SSL_MASK}, - {0,SSL_TXT_LOW, 0,SSL_LOW,0,SSL_STRONG_MASK}, + {0,SSL_TXT_EXP40, 0,SSL_EXP40, 0,_SSL_EXP_MASK}, + {0,SSL_TXT_EXPORT,0,SSL_EXP40, 0,_SSL_EXP_MASK}, + {0,SSL_TXT_EXP56, 0,SSL_EXP56, 0,_SSL_EXP_MASK}, + {0,SSL_TXT_SSLV2, 0,SSL_SSLV2, 0,SSL_SSL_MASK}, + {0,SSL_TXT_SSLV3, 0,SSL_SSLV3, 0,SSL_SSL_MASK}, + {0,SSL_TXT_TLSV1, 0,SSL_TLSV1, 0,SSL_SSL_MASK}, + {0,SSL_TXT_LOW, 0,SSL_LOW, 0,SSL_STRONG_MASK}, {0,SSL_TXT_MEDIUM,0,SSL_MEDIUM,0,SSL_STRONG_MASK}, - {0,SSL_TXT_HIGH, 0,SSL_HIGH,0,SSL_STRONG_MASK}, + {0,SSL_TXT_HIGH, 0,SSL_HIGH, 0,SSL_STRONG_MASK}, }; static int init_ciphers=1; @@ -615,7 +616,7 @@ SSL_CIPHER *cipher; char *buf; int len; { - int export; + int _export,pkl,kl; char *ver,*exp; char *kx,*au,*enc,*mac; unsigned long alg,alg2; @@ -624,8 +625,10 @@ int len; alg=cipher->algorithms; alg2=cipher->algorithm2; - export=(alg&SSL_EXP)?1:0; - exp=(export)?" export":""; + _export=SSL_IS_EXPORT(alg); + pkl=SSL_EXPORT_PKEYLENGTH(alg); + kl=SSL_EXPORT_KEYLENGTH(alg); + exp=_export?" export":""; if (alg & SSL_SSLV2) ver="SSLv2"; @@ -637,7 +640,7 @@ int len; switch (alg&SSL_MKEY_MASK) { case SSL_kRSA: - kx=(export)?"RSA(512)":"RSA"; + kx=_export?(pkl == 512 ? "RSA(512)" : "RSA(1024)"):"RSA"; break; case SSL_kDHr: kx="DH/RSA"; @@ -649,7 +652,7 @@ int len; kx="Fortezza"; break; case SSL_kEDH: - kx=(export)?"DH(512)":"DH"; + kx=_export?(pkl == 512 ? "DH(512)" : "DH(1024)"):"DH"; break; default: kx="unknown"; @@ -678,16 +681,17 @@ int len; switch (alg&SSL_ENC_MASK) { case SSL_DES: - enc=export?"DES(40)":"DES(56)"; + enc=(_export && kl == 5)?"DES(40)":"DES(56)"; break; case SSL_3DES: enc="3DES(168)"; break; case SSL_RC4: - enc=export?"RC4(40)":((alg2&SSL2_CF_8_BYTE_ENC)?"RC4(64)":"RC4(128)"); + enc=_export?(kl == 5 ? "RC4(40)" : "RC4(56)") + :((alg2&SSL2_CF_8_BYTE_ENC)?"RC4(64)":"RC4(128)"); break; case SSL_RC2: - enc=export?"RC2(40)":"RC2(128)"; + enc=_export?(kl == 5 ? "RC2(40)" : "RC2(56)"):"RC2(128)"; break; case SSL_IDEA: enc="IDEA(128)"; @@ -770,9 +774,9 @@ int *alg_bits; a=EVP_CIPHER_key_length(enc)*8; - if (c->algorithms & SSL_EXP) + if (SSL_C_IS_EXPORT(c)) { - ret=40; + ret=SSL_C_EXPORT_KEYLENGTH(c)*8; } else { diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 2019a400ff..862a555efa 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -1236,13 +1236,13 @@ SSL *s; { unsigned long alg,mask,kalg; CERT *c; - int i,export; + int i,_export; c=s->cert; ssl_set_cert_masks(c); alg=s->s3->tmp.new_cipher->algorithms; - export=(alg & SSL_EXPORT)?1:0; - mask=(export)?c->export_mask:c->mask; + _export=SSL_IS_EXPORT(alg); + mask=_export?c->export_mask:c->mask; kalg=alg&(SSL_MKEY_MASK|SSL_AUTH_MASK); if (kalg & SSL_kDHr) @@ -1822,12 +1822,12 @@ void (*free_func)(); int SSL_set_ex_data(s,idx,arg) SSL *s; int idx; -char *arg; +void *arg; { return(CRYPTO_set_ex_data(&s->ex_data,idx,arg)); } -char *SSL_get_ex_data(s,idx) +void *SSL_get_ex_data(s,idx) SSL *s; int idx; { @@ -1849,12 +1849,12 @@ void (*free_func)(); int SSL_CTX_set_ex_data(s,idx,arg) SSL_CTX *s; int idx; -char *arg; +void *arg; { return(CRYPTO_set_ex_data(&s->ex_data,idx,arg)); } -char *SSL_CTX_get_ex_data(s,idx) +void *SSL_CTX_get_ex_data(s,idx) SSL_CTX *s; int idx; { diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 1a907514d9..8c39d69712 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -191,14 +191,25 @@ #define SSL_SHA1 0x00040000L #define SSL_SHA (SSL_SHA1) -#define SSL_EXP_MASK 0x00300000L -#define SSL_EXP 0x00100000L -#define SSL_NOT_EXP 0x00200000L -#define SSL_EXPORT SSL_EXP +#define _SSL_EXP_MASK 0x00300000L +#define SSL_EXP40 0x00100000L +#define _SSL_NOT_EXP 0x00200000L +#define SSL_EXP56 0x00300000L +#define SSL_IS_EXPORT(a) ((a)&SSL_EXP40) +#define SSL_IS_EXPORT56(a) (((a)&_SSL_EXP_MASK) == SSL_EXP56) +#define SSL_IS_EXPORT40(a) (((a)&_SSL_EXP_MASK) == SSL_EXP40) +#define SSL_C_IS_EXPORT(c) SSL_IS_EXPORT((c)->algorithms) +#define SSL_C_IS_EXPORT56(c) SSL_IS_EXPORT56((c)->algorithms) +#define SSL_C_IS_EXPORT40(c) SSL_IS_EXPORT40((c)->algorithms) +#define SSL_EXPORT_KEYLENGTH(a) (SSL_IS_EXPORT40(a) ? 5 : 7) +#define SSL_EXPORT_PKEYLENGTH(a) (SSL_IS_EXPORT40(a) ? 512 : 1024) +#define SSL_C_EXPORT_KEYLENGTH(c) SSL_EXPORT_KEYLENGTH((c)->algorithms) +#define SSL_C_EXPORT_PKEYLENGTH(c) SSL_EXPORT_PKEYLENGTH((c)->algorithms) #define SSL_SSL_MASK 0x00c00000L #define SSL_SSLV2 0x00400000L #define SSL_SSLV3 0x00800000L +#define SSL_TLSV1 SSL_SSLV3 /* for now */ #define SSL_STRONG_MASK 0x07000000L #define SSL_LOW 0x01000000L @@ -208,7 +219,7 @@ /* we have used 0fffffff - 4 bits left to go */ #define SSL_ALL 0xffffffffL #define SSL_ALL_CIPHERS (SSL_MKEY_MASK|SSL_AUTH_MASK|SSL_ENC_MASK|\ - SSL_MAC_MASK|SSL_EXP_MASK) + SSL_MAC_MASK|_SSL_EXP_MASK) /* Mostly for SSLv3 */ #define SSL_PKEY_RSA_ENC 0 diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index adaab3545f..2403b066cb 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -94,12 +94,12 @@ void (*free_func)(); int SSL_SESSION_set_ex_data(s,idx,arg) SSL_SESSION *s; int idx; -char *arg; +void *arg; { return(CRYPTO_set_ex_data(&s->ex_data,idx,arg)); } -char *SSL_SESSION_get_ex_data(s,idx) +void *SSL_SESSION_get_ex_data(s,idx) SSL_SESSION *s; int idx; { diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index f228295bba..0f5cbd326a 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c @@ -178,9 +178,9 @@ int which; EVP_CIPHER *c; SSL_COMP *comp; EVP_MD *m; - int exp,n,i,j,k,exp_label_len,cl; + int _exp,n,i,j,k,exp_label_len,cl; - exp=(s->s3->tmp.new_cipher->algorithms & SSL_EXPORT)?1:0; + _exp=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); c=s->s3->tmp.new_sym_enc; m=s->s3->tmp.new_hash; comp=s->s3->tmp.new_compression; @@ -247,7 +247,8 @@ int which; p=s->s3->tmp.key_block; i=EVP_MD_size(m); cl=EVP_CIPHER_key_length(c); - j=exp ? (cl < 5 ? cl : 5) : cl; + j=_exp ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ? + cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl; /* Was j=(exp)?5:EVP_CIPHER_key_length(c); */ k=EVP_CIPHER_iv_length(c); er1= &(s->s3->client_random[0]); @@ -284,7 +285,7 @@ int which; printf("which = %04X\nmac key=",which); { int z; for (z=0; z