Tree - source-git/openssl - CentOS Git server

source-git / openssl

Blame ssl/ssl_ciph.c

Blob History Raw

Packit Service	084de1	`/*`
Packit Service	084de1	`* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.`
Packit Service	084de1	`* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved`
Packit Service	084de1	`* Copyright 2005 Nokia. All rights reserved.`
Packit Service	084de1	`*`
Packit Service	084de1	`* Licensed under the OpenSSL license (the "License"). You may not use`
Packit Service	084de1	`* this file except in compliance with the License. You can obtain a copy`
Packit Service	084de1	`* in the file LICENSE in the source distribution or at`
Packit Service	084de1	`* https://www.openssl.org/source/license.html`
Packit Service	084de1	`*/`
Packit Service	084de1
Packit Service	084de1	`/* for secure_getenv */`
Packit Service	084de1	`#define _GNU_SOURCE`
Packit Service	084de1	`#include <stdio.h>`
Packit Service	084de1	`#include <ctype.h>`
Packit Service	084de1	`#include <openssl/objects.h>`
Packit Service	084de1	`#include <openssl/comp.h>`
Packit Service	084de1	`#include <openssl/engine.h>`
Packit Service	084de1	`#include <openssl/crypto.h>`
Packit Service	084de1	`#include <openssl/conf.h>`
Packit Service	084de1	`#include "internal/nelem.h"`
Packit Service	084de1	`#include "ssl_local.h"`
Packit Service	084de1	`#include "internal/thread_once.h"`
Packit Service	084de1	`#include "internal/cryptlib.h"`
Packit Service	084de1
Packit Service	084de1	`#define SSL_ENC_DES_IDX 0`
Packit Service	084de1	`#define SSL_ENC_3DES_IDX 1`
Packit Service	084de1	`#define SSL_ENC_RC4_IDX 2`
Packit Service	084de1	`#define SSL_ENC_RC2_IDX 3`
Packit Service	084de1	`#define SSL_ENC_IDEA_IDX 4`
Packit Service	084de1	`#define SSL_ENC_NULL_IDX 5`
Packit Service	084de1	`#define SSL_ENC_AES128_IDX 6`
Packit Service	084de1	`#define SSL_ENC_AES256_IDX 7`
Packit Service	084de1	`#define SSL_ENC_CAMELLIA128_IDX 8`
Packit Service	084de1	`#define SSL_ENC_CAMELLIA256_IDX 9`
Packit Service	084de1	`#define SSL_ENC_GOST89_IDX 10`
Packit Service	084de1	`#define SSL_ENC_SEED_IDX 11`
Packit Service	084de1	`#define SSL_ENC_AES128GCM_IDX 12`
Packit Service	084de1	`#define SSL_ENC_AES256GCM_IDX 13`
Packit Service	084de1	`#define SSL_ENC_AES128CCM_IDX 14`
Packit Service	084de1	`#define SSL_ENC_AES256CCM_IDX 15`
Packit Service	084de1	`#define SSL_ENC_AES128CCM8_IDX 16`
Packit Service	084de1	`#define SSL_ENC_AES256CCM8_IDX 17`
Packit Service	084de1	`#define SSL_ENC_GOST8912_IDX 18`
Packit Service	084de1	`#define SSL_ENC_CHACHA_IDX 19`
Packit Service	084de1	`#define SSL_ENC_ARIA128GCM_IDX 20`
Packit Service	084de1	`#define SSL_ENC_ARIA256GCM_IDX 21`
Packit Service	084de1	`#define SSL_ENC_NUM_IDX 22`
Packit Service	084de1
Packit Service	084de1	`/* NB: make sure indices in these tables match values above */`
Packit Service	084de1
Packit Service	084de1	`typedef struct {`
Packit Service	084de1	`uint32_t mask;`
Packit Service	084de1	`int nid;`
Packit Service	084de1	`} ssl_cipher_table;`
Packit Service	084de1
Packit Service	084de1	`/* Table of NIDs for each cipher */`
Packit Service	084de1	`static const ssl_cipher_table ssl_cipher_table_cipher[SSL_ENC_NUM_IDX] = {`
Packit Service	084de1	`{SSL_DES, NID_des_cbc}, /* SSL_ENC_DES_IDX 0 */`
Packit Service	084de1	`{SSL_3DES, NID_des_ede3_cbc}, /* SSL_ENC_3DES_IDX 1 */`
Packit Service	084de1	`{SSL_RC4, NID_rc4}, /* SSL_ENC_RC4_IDX 2 */`
Packit Service	084de1	`{SSL_RC2, NID_rc2_cbc}, /* SSL_ENC_RC2_IDX 3 */`
Packit Service	084de1	`{SSL_IDEA, NID_idea_cbc}, /* SSL_ENC_IDEA_IDX 4 */`
Packit Service	084de1	`{SSL_eNULL, NID_undef}, /* SSL_ENC_NULL_IDX 5 */`
Packit Service	084de1	`{SSL_AES128, NID_aes_128_cbc}, /* SSL_ENC_AES128_IDX 6 */`
Packit Service	084de1	`{SSL_AES256, NID_aes_256_cbc}, /* SSL_ENC_AES256_IDX 7 */`
Packit Service	084de1	`{SSL_CAMELLIA128, NID_camellia_128_cbc}, /* SSL_ENC_CAMELLIA128_IDX 8 */`
Packit Service	084de1	`{SSL_CAMELLIA256, NID_camellia_256_cbc}, /* SSL_ENC_CAMELLIA256_IDX 9 */`
Packit Service	084de1	`{SSL_eGOST2814789CNT, NID_gost89_cnt}, /* SSL_ENC_GOST89_IDX 10 */`
Packit Service	084de1	`{SSL_SEED, NID_seed_cbc}, /* SSL_ENC_SEED_IDX 11 */`
Packit Service	084de1	`{SSL_AES128GCM, NID_aes_128_gcm}, /* SSL_ENC_AES128GCM_IDX 12 */`
Packit Service	084de1	`{SSL_AES256GCM, NID_aes_256_gcm}, /* SSL_ENC_AES256GCM_IDX 13 */`
Packit Service	084de1	`{SSL_AES128CCM, NID_aes_128_ccm}, /* SSL_ENC_AES128CCM_IDX 14 */`
Packit Service	084de1	`{SSL_AES256CCM, NID_aes_256_ccm}, /* SSL_ENC_AES256CCM_IDX 15 */`
Packit Service	084de1	`{SSL_AES128CCM8, NID_aes_128_ccm}, /* SSL_ENC_AES128CCM8_IDX 16 */`
Packit Service	084de1	`{SSL_AES256CCM8, NID_aes_256_ccm}, /* SSL_ENC_AES256CCM8_IDX 17 */`
Packit Service	084de1	`{SSL_eGOST2814789CNT12, NID_gost89_cnt_12}, /* SSL_ENC_GOST8912_IDX 18 */`
Packit Service	084de1	`{SSL_CHACHA20POLY1305, NID_chacha20_poly1305}, /* SSL_ENC_CHACHA_IDX 19 */`
Packit Service	084de1	`{SSL_ARIA128GCM, NID_aria_128_gcm}, /* SSL_ENC_ARIA128GCM_IDX 20 */`
Packit Service	084de1	`{SSL_ARIA256GCM, NID_aria_256_gcm}, /* SSL_ENC_ARIA256GCM_IDX 21 */`
Packit Service	084de1	`};`
Packit Service	084de1
Packit Service	084de1	`static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX];`
Packit Service	084de1
Packit Service	084de1	`#define SSL_COMP_NULL_IDX 0`
Packit Service	084de1	`#define SSL_COMP_ZLIB_IDX 1`
Packit Service	084de1	`#define SSL_COMP_NUM_IDX 2`
Packit Service	084de1
Packit Service	084de1	`static STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;`
Packit Service	084de1
Packit Service	084de1	`#ifndef OPENSSL_NO_COMP`
Packit Service	084de1	`static CRYPTO_ONCE ssl_load_builtin_comp_once = CRYPTO_ONCE_STATIC_INIT;`
Packit Service	084de1	`#endif`
Packit Service	084de1
Packit Service	084de1	`/*`
Packit Service	084de1	`* Constant SSL_MAX_DIGEST equal to size of digests array should be defined`
Packit Service	084de1	`* in the ssl_local.h`
Packit Service	084de1	`*/`
Packit Service	084de1
Packit Service	084de1	`#define SSL_MD_NUM_IDX SSL_MAX_DIGEST`
Packit Service	084de1
Packit Service	084de1	`/* NB: make sure indices in this table matches values above */`
Packit Service	084de1	`static const ssl_cipher_table ssl_cipher_table_mac[SSL_MD_NUM_IDX] = {`
Packit Service	084de1	`{SSL_MD5, NID_md5}, /* SSL_MD_MD5_IDX 0 */`
Packit Service	084de1	`{SSL_SHA1, NID_sha1}, /* SSL_MD_SHA1_IDX 1 */`
Packit Service	084de1	`{SSL_GOST94, NID_id_GostR3411_94}, /* SSL_MD_GOST94_IDX 2 */`
Packit Service	084de1	`{SSL_GOST89MAC, NID_id_Gost28147_89_MAC}, /* SSL_MD_GOST89MAC_IDX 3 */`
Packit Service	084de1	`{SSL_SHA256, NID_sha256}, /* SSL_MD_SHA256_IDX 4 */`
Packit Service	084de1	`{SSL_SHA384, NID_sha384}, /* SSL_MD_SHA384_IDX 5 */`
Packit Service	084de1	`{SSL_GOST12_256, NID_id_GostR3411_2012_256}, /* SSL_MD_GOST12_256_IDX 6 */`
Packit Service	084de1	`{SSL_GOST89MAC12, NID_gost_mac_12}, /* SSL_MD_GOST89MAC12_IDX 7 */`
Packit Service	084de1	`{SSL_GOST12_512, NID_id_GostR3411_2012_512}, /* SSL_MD_GOST12_512_IDX 8 */`
Packit Service	084de1	`{0, NID_md5_sha1}, /* SSL_MD_MD5_SHA1_IDX 9 */`
Packit Service	084de1	`{0, NID_sha224}, /* SSL_MD_SHA224_IDX 10 */`
Packit Service	084de1	`{0, NID_sha512} /* SSL_MD_SHA512_IDX 11 */`
Packit Service	084de1	`};`
Packit Service	084de1
Packit Service	084de1	`static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX] = {`
Packit Service	084de1	`NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL`
Packit Service	084de1	`};`
Packit Service	084de1
Packit Service	084de1	`/* INDENT-OFF */`
Packit Service	084de1	`static const ssl_cipher_table ssl_cipher_table_kx[] = {`
Packit Service	084de1	`{SSL_kRSA, NID_kx_rsa},`
Packit Service	084de1	`{SSL_kECDHE, NID_kx_ecdhe},`
Packit Service	084de1	`{SSL_kDHE, NID_kx_dhe},`
Packit Service	084de1	`{SSL_kECDHEPSK, NID_kx_ecdhe_psk},`
Packit Service	084de1	`{SSL_kDHEPSK, NID_kx_dhe_psk},`
Packit Service	084de1	`{SSL_kRSAPSK, NID_kx_rsa_psk},`
Packit Service	084de1	`{SSL_kPSK, NID_kx_psk},`
Packit Service	084de1	`{SSL_kSRP, NID_kx_srp},`
Packit Service	084de1	`{SSL_kGOST, NID_kx_gost},`
Packit Service	084de1	`{SSL_kANY, NID_kx_any}`
Packit Service	084de1	`};`
Packit Service	084de1
Packit Service	084de1	`static const ssl_cipher_table ssl_cipher_table_auth[] = {`
Packit Service	084de1	`{SSL_aRSA, NID_auth_rsa},`
Packit Service	084de1	`{SSL_aECDSA, NID_auth_ecdsa},`
Packit Service	084de1	`{SSL_aPSK, NID_auth_psk},`
Packit Service	084de1	`{SSL_aDSS, NID_auth_dss},`
Packit Service	084de1	`{SSL_aGOST01, NID_auth_gost01},`
Packit Service	084de1	`{SSL_aGOST12, NID_auth_gost12},`
Packit Service	084de1	`{SSL_aSRP, NID_auth_srp},`
Packit Service	084de1	`{SSL_aNULL, NID_auth_null},`
Packit Service	084de1	`{SSL_aANY, NID_auth_any}`
Packit Service	084de1	`};`
Packit Service	084de1	`/* INDENT-ON */`
Packit Service	084de1
Packit Service	084de1	`/* Utility function for table lookup */`
Packit Service	084de1	`static int ssl_cipher_info_find(const ssl_cipher_table * table,`
Packit Service	084de1	`size_t table_cnt, uint32_t mask)`
Packit Service	084de1	`{`
Packit Service	084de1	`size_t i;`
Packit Service	084de1	`for (i = 0; i < table_cnt; i++, table++) {`
Packit Service	084de1	`if (table->mask == mask)`
Packit Service	084de1	`return (int)i;`
Packit Service	084de1	`}`
Packit Service	084de1	`return -1;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`#define ssl_cipher_info_lookup(table, x) \`
Packit Service	084de1	`ssl_cipher_info_find(table, OSSL_NELEM(table), x)`
Packit Service	084de1
Packit Service	084de1	`/*`
Packit Service	084de1	`* PKEY_TYPE for GOST89MAC is known in advance, but, because implementation`
Packit Service	084de1	`* is engine-provided, we'll fill it only if corresponding EVP_PKEY_METHOD is`
Packit Service	084de1	`* found`
Packit Service	084de1	`*/`
Packit Service	084de1	`static int ssl_mac_pkey_id[SSL_MD_NUM_IDX] = {`
Packit Service	084de1	`/* MD5, SHA, GOST94, MAC89 */`
Packit Service	084de1	`EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_HMAC, NID_undef,`
Packit Service	084de1	`/* SHA256, SHA384, GOST2012_256, MAC89-12 */`
Packit Service	084de1	`EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_HMAC, NID_undef,`
Packit Service	084de1	`/* GOST2012_512 */`
Packit Service	084de1	`EVP_PKEY_HMAC,`
Packit Service	084de1	`/* MD5/SHA1, SHA224, SHA512 */`
Packit Service	084de1	`NID_undef, NID_undef, NID_undef`
Packit Service	084de1	`};`
Packit Service	084de1
Packit Service	084de1	`static size_t ssl_mac_secret_size[SSL_MD_NUM_IDX];`
Packit Service	084de1
Packit Service	084de1	`#define CIPHER_ADD 1`
Packit Service	084de1	`#define CIPHER_KILL 2`
Packit Service	084de1	`#define CIPHER_DEL 3`
Packit Service	084de1	`#define CIPHER_ORD 4`
Packit Service	084de1	`#define CIPHER_SPECIAL 5`
Packit Service	084de1	`/*`
Packit Service	084de1	`* Bump the ciphers to the top of the list.`
Packit Service	084de1	`* This rule isn't currently supported by the public cipherstring API.`
Packit Service	084de1	`*/`
Packit Service	084de1	`#define CIPHER_BUMP 6`
Packit Service	084de1
Packit Service	084de1	`typedef struct cipher_order_st {`
Packit Service	084de1	`const SSL_CIPHER *cipher;`
Packit Service	084de1	`int active;`
Packit Service	084de1	`int dead;`
Packit Service	084de1	`struct cipher_order_st next, prev;`
Packit Service	084de1	`} CIPHER_ORDER;`
Packit Service	084de1
Packit Service	084de1	`static const SSL_CIPHER cipher_aliases[] = {`
Packit Service	084de1	`/* "ALL" doesn't include eNULL (must be specifically enabled) */`
Packit Service	084de1	`{0, SSL_TXT_ALL, NULL, 0, 0, 0, ~SSL_eNULL},`
Packit Service	084de1	`/* "COMPLEMENTOFALL" */`
Packit Service	084de1	`{0, SSL_TXT_CMPALL, NULL, 0, 0, 0, SSL_eNULL},`
Packit Service	084de1
Packit Service	084de1	`/*`
Packit Service	084de1	`* "COMPLEMENTOFDEFAULT" (does not include ciphersuites not found in`
Packit Service	084de1	`* ALL!)`
Packit Service	084de1	`*/`
Packit Service	084de1	`{0, SSL_TXT_CMPDEF, NULL, 0, 0, 0, 0, 0, 0, 0, 0, 0, SSL_NOT_DEFAULT},`
Packit Service	084de1
Packit Service	084de1	`/*`
Packit Service	084de1	`* key exchange aliases (some of those using only a single bit here`
Packit Service	084de1	`* combine multiple key exchange algs according to the RFCs, e.g. kDHE`
Packit Service	084de1	`* combines DHE_DSS and DHE_RSA)`
Packit Service	084de1	`*/`
Packit Service	084de1	`{0, SSL_TXT_kRSA, NULL, 0, SSL_kRSA},`
Packit Service	084de1
Packit Service	084de1	`{0, SSL_TXT_kEDH, NULL, 0, SSL_kDHE},`
Packit Service	084de1	`{0, SSL_TXT_kDHE, NULL, 0, SSL_kDHE},`
Packit Service	084de1	`{0, SSL_TXT_DH, NULL, 0, SSL_kDHE},`
Packit Service	084de1
Packit Service	084de1	`{0, SSL_TXT_kEECDH, NULL, 0, SSL_kECDHE},`
Packit Service	084de1	`{0, SSL_TXT_kECDHE, NULL, 0, SSL_kECDHE},`
Packit Service	084de1	`{0, SSL_TXT_ECDH, NULL, 0, SSL_kECDHE},`
Packit Service	084de1
Packit Service	084de1	`{0, SSL_TXT_kPSK, NULL, 0, SSL_kPSK},`
Packit Service	084de1	`{0, SSL_TXT_kRSAPSK, NULL, 0, SSL_kRSAPSK},`
Packit Service	084de1	`{0, SSL_TXT_kECDHEPSK, NULL, 0, SSL_kECDHEPSK},`
Packit Service	084de1	`{0, SSL_TXT_kDHEPSK, NULL, 0, SSL_kDHEPSK},`
Packit Service	084de1	`{0, SSL_TXT_kSRP, NULL, 0, SSL_kSRP},`
Packit Service	084de1	`{0, SSL_TXT_kGOST, NULL, 0, SSL_kGOST},`
Packit Service	084de1
Packit Service	084de1	`/* server authentication aliases */`
Packit Service	084de1	`{0, SSL_TXT_aRSA, NULL, 0, 0, SSL_aRSA},`
Packit Service	084de1	`{0, SSL_TXT_aDSS, NULL, 0, 0, SSL_aDSS},`
Packit Service	084de1	`{0, SSL_TXT_DSS, NULL, 0, 0, SSL_aDSS},`
Packit Service	084de1	`{0, SSL_TXT_aNULL, NULL, 0, 0, SSL_aNULL},`
Packit Service	084de1	`{0, SSL_TXT_aECDSA, NULL, 0, 0, SSL_aECDSA},`
Packit Service	084de1	`{0, SSL_TXT_ECDSA, NULL, 0, 0, SSL_aECDSA},`
Packit Service	084de1	`{0, SSL_TXT_aPSK, NULL, 0, 0, SSL_aPSK},`
Packit Service	084de1	`{0, SSL_TXT_aGOST01, NULL, 0, 0, SSL_aGOST01},`
Packit Service	084de1	`{0, SSL_TXT_aGOST12, NULL, 0, 0, SSL_aGOST12},`
Packit Service	084de1	`{0, SSL_TXT_aGOST, NULL, 0, 0, SSL_aGOST01 \| SSL_aGOST12},`
Packit Service	084de1	`{0, SSL_TXT_aSRP, NULL, 0, 0, SSL_aSRP},`
Packit Service	084de1
Packit Service	084de1	`/* aliases combining key exchange and server authentication */`
Packit Service	084de1	`{0, SSL_TXT_EDH, NULL, 0, SSL_kDHE, ~SSL_aNULL},`
Packit Service	084de1	`{0, SSL_TXT_DHE, NULL, 0, SSL_kDHE, ~SSL_aNULL},`
Packit Service	084de1	`{0, SSL_TXT_EECDH, NULL, 0, SSL_kECDHE, ~SSL_aNULL},`
Packit Service	084de1	`{0, SSL_TXT_ECDHE, NULL, 0, SSL_kECDHE, ~SSL_aNULL},`
Packit Service	084de1	`{0, SSL_TXT_NULL, NULL, 0, 0, 0, SSL_eNULL},`
Packit Service	084de1	`{0, SSL_TXT_RSA, NULL, 0, SSL_kRSA, SSL_aRSA},`
Packit Service	084de1	`{0, SSL_TXT_ADH, NULL, 0, SSL_kDHE, SSL_aNULL},`
Packit Service	084de1	`{0, SSL_TXT_AECDH, NULL, 0, SSL_kECDHE, SSL_aNULL},`
Packit Service	084de1	`{0, SSL_TXT_PSK, NULL, 0, SSL_PSK},`
Packit Service	084de1	`{0, SSL_TXT_SRP, NULL, 0, SSL_kSRP},`
Packit Service	084de1
Packit Service	084de1	`/* symmetric encryption aliases */`
Packit Service	084de1	`{0, SSL_TXT_3DES, NULL, 0, 0, 0, SSL_3DES},`
Packit Service	084de1	`{0, SSL_TXT_RC4, NULL, 0, 0, 0, SSL_RC4},`
Packit Service	084de1	`{0, SSL_TXT_RC2, NULL, 0, 0, 0, SSL_RC2},`
Packit Service	084de1	`{0, SSL_TXT_IDEA, NULL, 0, 0, 0, SSL_IDEA},`
Packit Service	084de1	`{0, SSL_TXT_SEED, NULL, 0, 0, 0, SSL_SEED},`
Packit Service	084de1	`{0, SSL_TXT_eNULL, NULL, 0, 0, 0, SSL_eNULL},`
Packit Service	084de1	`{0, SSL_TXT_GOST, NULL, 0, 0, 0, SSL_eGOST2814789CNT \| SSL_eGOST2814789CNT12},`
Packit Service	084de1	`{0, SSL_TXT_AES128, NULL, 0, 0, 0,`
Packit Service	084de1	`SSL_AES128 \| SSL_AES128GCM \| SSL_AES128CCM \| SSL_AES128CCM8},`
Packit Service	084de1	`{0, SSL_TXT_AES256, NULL, 0, 0, 0,`
Packit Service	084de1	`SSL_AES256 \| SSL_AES256GCM \| SSL_AES256CCM \| SSL_AES256CCM8},`
Packit Service	084de1	`{0, SSL_TXT_AES, NULL, 0, 0, 0, SSL_AES},`
Packit Service	084de1	`{0, SSL_TXT_AES_GCM, NULL, 0, 0, 0, SSL_AES128GCM \| SSL_AES256GCM},`
Packit Service	084de1	`{0, SSL_TXT_AES_CCM, NULL, 0, 0, 0,`
Packit Service	084de1	`SSL_AES128CCM \| SSL_AES256CCM \| SSL_AES128CCM8 \| SSL_AES256CCM8},`
Packit Service	084de1	`{0, SSL_TXT_AES_CCM_8, NULL, 0, 0, 0, SSL_AES128CCM8 \| SSL_AES256CCM8},`
Packit Service	084de1	`{0, SSL_TXT_CAMELLIA128, NULL, 0, 0, 0, SSL_CAMELLIA128},`
Packit Service	084de1	`{0, SSL_TXT_CAMELLIA256, NULL, 0, 0, 0, SSL_CAMELLIA256},`
Packit Service	084de1	`{0, SSL_TXT_CAMELLIA, NULL, 0, 0, 0, SSL_CAMELLIA},`
Packit Service	084de1	`{0, SSL_TXT_CHACHA20, NULL, 0, 0, 0, SSL_CHACHA20},`
Packit Service	084de1
Packit Service	084de1	`{0, SSL_TXT_ARIA, NULL, 0, 0, 0, SSL_ARIA},`
Packit Service	084de1	`{0, SSL_TXT_ARIA_GCM, NULL, 0, 0, 0, SSL_ARIA128GCM \| SSL_ARIA256GCM},`
Packit Service	084de1	`{0, SSL_TXT_ARIA128, NULL, 0, 0, 0, SSL_ARIA128GCM},`
Packit Service	084de1	`{0, SSL_TXT_ARIA256, NULL, 0, 0, 0, SSL_ARIA256GCM},`
Packit Service	084de1
Packit Service	084de1	`/* MAC aliases */`
Packit Service	084de1	`{0, SSL_TXT_MD5, NULL, 0, 0, 0, 0, SSL_MD5},`
Packit Service	084de1	`{0, SSL_TXT_SHA1, NULL, 0, 0, 0, 0, SSL_SHA1},`
Packit Service	084de1	`{0, SSL_TXT_SHA, NULL, 0, 0, 0, 0, SSL_SHA1},`
Packit Service	084de1	`{0, SSL_TXT_GOST94, NULL, 0, 0, 0, 0, SSL_GOST94},`
Packit Service	084de1	`{0, SSL_TXT_GOST89MAC, NULL, 0, 0, 0, 0, SSL_GOST89MAC \| SSL_GOST89MAC12},`
Packit Service	084de1	`{0, SSL_TXT_SHA256, NULL, 0, 0, 0, 0, SSL_SHA256},`
Packit Service	084de1	`{0, SSL_TXT_SHA384, NULL, 0, 0, 0, 0, SSL_SHA384},`
Packit Service	084de1	`{0, SSL_TXT_GOST12, NULL, 0, 0, 0, 0, SSL_GOST12_256},`
Packit Service	084de1
Packit Service	084de1	`/* protocol version aliases */`
Packit Service	084de1	`{0, SSL_TXT_SSLV3, NULL, 0, 0, 0, 0, 0, SSL3_VERSION},`
Packit Service	084de1	`{0, SSL_TXT_TLSV1, NULL, 0, 0, 0, 0, 0, TLS1_VERSION},`
Packit Service	084de1	`{0, "TLSv1.0", NULL, 0, 0, 0, 0, 0, TLS1_VERSION},`
Packit Service	084de1	`{0, SSL_TXT_TLSV1_2, NULL, 0, 0, 0, 0, 0, TLS1_2_VERSION},`
Packit Service	084de1
Packit Service	084de1	`/* strength classes */`
Packit Service	084de1	`{0, SSL_TXT_LOW, NULL, 0, 0, 0, 0, 0, 0, 0, 0, 0, SSL_LOW},`
Packit Service	084de1	`{0, SSL_TXT_MEDIUM, NULL, 0, 0, 0, 0, 0, 0, 0, 0, 0, SSL_MEDIUM},`
Packit Service	084de1	`{0, SSL_TXT_HIGH, NULL, 0, 0, 0, 0, 0, 0, 0, 0, 0, SSL_HIGH},`
Packit Service	084de1	`/* FIPS 140-2 approved ciphersuite */`
Packit Service	084de1	`{0, SSL_TXT_FIPS, NULL, 0, 0, 0, ~SSL_eNULL, 0, 0, 0, 0, 0, SSL_FIPS},`
Packit Service	084de1
Packit Service	084de1	`/* "EDH-" aliases to "DHE-" labels (for backward compatibility) */`
Packit Service	084de1	`{0, SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA, NULL, 0,`
Packit Service	084de1	`SSL_kDHE, SSL_aDSS, SSL_3DES, SSL_SHA1, 0, 0, 0, 0, SSL_HIGH \| SSL_FIPS},`
Packit Service	084de1	`{0, SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA, NULL, 0,`
Packit Service	084de1	`SSL_kDHE, SSL_aRSA, SSL_3DES, SSL_SHA1, 0, 0, 0, 0, SSL_HIGH \| SSL_FIPS},`
Packit Service	084de1
Packit Service	084de1	`};`
Packit Service	084de1
Packit Service	084de1	`/*`
Packit Service	084de1	`* Search for public key algorithm with given name and return its pkey_id if`
Packit Service	084de1	`* it is available. Otherwise return 0`
Packit Service	084de1	`*/`
Packit Service	084de1	`#ifdef OPENSSL_NO_ENGINE`
Packit Service	084de1
Packit Service	084de1	`static int get_optional_pkey_id(const char *pkey_name)`
Packit Service	084de1	`{`
Packit Service	084de1	`const EVP_PKEY_ASN1_METHOD *ameth;`
Packit Service	084de1	`int pkey_id = 0;`
Packit Service	084de1	`ameth = EVP_PKEY_asn1_find_str(NULL, pkey_name, -1);`
Packit Service	084de1	`if (ameth && EVP_PKEY_asn1_get0_info(&pkey_id, NULL, NULL, NULL, NULL,`
Packit Service	084de1	`ameth) > 0)`
Packit Service	084de1	`return pkey_id;`
Packit Service	084de1	`return 0;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`#else`
Packit Service	084de1
Packit Service	084de1	`static int get_optional_pkey_id(const char *pkey_name)`
Packit Service	084de1	`{`
Packit Service	084de1	`const EVP_PKEY_ASN1_METHOD *ameth;`
Packit Service	084de1	`ENGINE *tmpeng = NULL;`
Packit Service	084de1	`int pkey_id = 0;`
Packit Service	084de1	`ameth = EVP_PKEY_asn1_find_str(&tmpeng, pkey_name, -1);`
Packit Service	084de1	`if (ameth) {`
Packit Service	084de1	`if (EVP_PKEY_asn1_get0_info(&pkey_id, NULL, NULL, NULL, NULL,`
Packit Service	084de1	`ameth) <= 0)`
Packit Service	084de1	`pkey_id = 0;`
Packit Service	084de1	`}`
Packit Service	084de1	`ENGINE_finish(tmpeng);`
Packit Service	084de1	`return pkey_id;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`#endif`
Packit Service	084de1
Packit Service	084de1	`/* masks of disabled algorithms */`
Packit Service	084de1	`static uint32_t disabled_enc_mask;`
Packit Service	084de1	`static uint32_t disabled_mac_mask;`
Packit Service	084de1	`static uint32_t disabled_mkey_mask;`
Packit Service	084de1	`static uint32_t disabled_auth_mask;`
Packit Service	084de1
Packit Service	084de1	`int ssl_load_ciphers(void)`
Packit Service	084de1	`{`
Packit Service	084de1	`size_t i;`
Packit Service	084de1	`const ssl_cipher_table *t;`
Packit Service	084de1
Packit Service	084de1	`disabled_enc_mask = 0;`
Packit Service	084de1	`ssl_sort_cipher_list();`
Packit Service	084de1	`for (i = 0, t = ssl_cipher_table_cipher; i < SSL_ENC_NUM_IDX; i++, t++) {`
Packit Service	084de1	`if (t->nid == NID_undef) {`
Packit Service	084de1	`ssl_cipher_methods[i] = NULL;`
Packit Service	084de1	`} else {`
Packit Service	084de1	`const EVP_CIPHER *cipher = EVP_get_cipherbynid(t->nid);`
Packit Service	084de1	`ssl_cipher_methods[i] = cipher;`
Packit Service	084de1	`if (cipher == NULL)`
Packit Service	084de1	`disabled_enc_mask \|= t->mask;`
Packit Service	084de1	`}`
Packit Service	084de1	`}`
Packit Service	084de1	`disabled_mac_mask = 0;`
Packit Service	084de1	`for (i = 0, t = ssl_cipher_table_mac; i < SSL_MD_NUM_IDX; i++, t++) {`
Packit Service	084de1	`const EVP_MD *md = EVP_get_digestbynid(t->nid);`
Packit Service	084de1	`ssl_digest_methods[i] = md;`
Packit Service	084de1	`if (md == NULL) {`
Packit Service	084de1	`disabled_mac_mask \|= t->mask;`
Packit Service	084de1	`} else {`
Packit Service	084de1	`int tmpsize = EVP_MD_size(md);`
Packit Service	084de1	`if (!ossl_assert(tmpsize >= 0))`
Packit Service	084de1	`return 0;`
Packit Service	084de1	`ssl_mac_secret_size[i] = tmpsize;`
Packit Service	084de1	`}`
Packit Service	084de1	`}`
Packit Service	084de1	`/* Make sure we can access MD5 and SHA1 */`
Packit Service	084de1	`if (!FIPS_mode() && !ossl_assert(ssl_digest_methods[SSL_MD_MD5_IDX] != NULL))`
Packit Service	084de1	`return 0;`
Packit Service	084de1	`if (!ossl_assert(ssl_digest_methods[SSL_MD_SHA1_IDX] != NULL))`
Packit Service	084de1	`return 0;`
Packit Service	084de1
Packit Service	084de1	`disabled_mkey_mask = 0;`
Packit Service	084de1	`disabled_auth_mask = 0;`
Packit Service	084de1
Packit Service	084de1	`#ifdef OPENSSL_NO_RSA`
Packit Service	084de1	`disabled_mkey_mask \|= SSL_kRSA \| SSL_kRSAPSK;`
Packit Service	084de1	`disabled_auth_mask \|= SSL_aRSA;`
Packit Service	084de1	`#endif`
Packit Service	084de1	`#ifdef OPENSSL_NO_DSA`
Packit Service	084de1	`disabled_auth_mask \|= SSL_aDSS;`
Packit Service	084de1	`#endif`
Packit Service	084de1	`#ifdef OPENSSL_NO_DH`
Packit Service	084de1	`disabled_mkey_mask \|= SSL_kDHE \| SSL_kDHEPSK;`
Packit Service	084de1	`#endif`
Packit Service	084de1	`#ifdef OPENSSL_NO_EC`
Packit Service	084de1	`disabled_mkey_mask \|= SSL_kECDHE \| SSL_kECDHEPSK;`
Packit Service	084de1	`disabled_auth_mask \|= SSL_aECDSA;`
Packit Service	084de1	`#endif`
Packit Service	084de1	`#ifdef OPENSSL_NO_PSK`
Packit Service	084de1	`disabled_mkey_mask \|= SSL_PSK;`
Packit Service	084de1	`disabled_auth_mask \|= SSL_aPSK;`
Packit Service	084de1	`#endif`
Packit Service	084de1	`#ifdef OPENSSL_NO_SRP`
Packit Service	084de1	`disabled_mkey_mask \|= SSL_kSRP;`
Packit Service	084de1	`#endif`
Packit Service	084de1
Packit Service	084de1	`/*`
Packit Service	084de1	`* Check for presence of GOST 34.10 algorithms, and if they are not`
Packit Service	084de1	`* present, disable appropriate auth and key exchange`
Packit Service	084de1	`*/`
Packit Service	084de1	`ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX] = get_optional_pkey_id("gost-mac");`
Packit Service	084de1	`if (ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX])`
Packit Service	084de1	`ssl_mac_secret_size[SSL_MD_GOST89MAC_IDX] = 32;`
Packit Service	084de1	`else`
Packit Service	084de1	`disabled_mac_mask \|= SSL_GOST89MAC;`
Packit Service	084de1
Packit Service	084de1	`ssl_mac_pkey_id[SSL_MD_GOST89MAC12_IDX] =`
Packit Service	084de1	`get_optional_pkey_id("gost-mac-12");`
Packit Service	084de1	`if (ssl_mac_pkey_id[SSL_MD_GOST89MAC12_IDX])`
Packit Service	084de1	`ssl_mac_secret_size[SSL_MD_GOST89MAC12_IDX] = 32;`
Packit Service	084de1	`else`
Packit Service	084de1	`disabled_mac_mask \|= SSL_GOST89MAC12;`
Packit Service	084de1
Packit Service	084de1	`if (!get_optional_pkey_id("gost2001"))`
Packit Service	084de1	`disabled_auth_mask \|= SSL_aGOST01 \| SSL_aGOST12;`
Packit Service	084de1	`if (!get_optional_pkey_id("gost2012_256"))`
Packit Service	084de1	`disabled_auth_mask \|= SSL_aGOST12;`
Packit Service	084de1	`if (!get_optional_pkey_id("gost2012_512"))`
Packit Service	084de1	`disabled_auth_mask \|= SSL_aGOST12;`
Packit Service	084de1	`/*`
Packit Service	084de1	`* Disable GOST key exchange if no GOST signature algs are available *`
Packit Service	084de1	`*/`
Packit Service	084de1	`if ((disabled_auth_mask & (SSL_aGOST01 \| SSL_aGOST12)) ==`
Packit Service	084de1	`(SSL_aGOST01 \| SSL_aGOST12))`
Packit Service	084de1	`disabled_mkey_mask \|= SSL_kGOST;`
Packit Service	084de1
Packit Service	084de1	`return 1;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`#ifndef OPENSSL_NO_COMP`
Packit Service	084de1
Packit Service	084de1	`static int sk_comp_cmp(const SSL_COMP const a, const SSL_COMP const b)`
Packit Service	084de1	`{`
Packit Service	084de1	`return ((a)->id - (b)->id);`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`DEFINE_RUN_ONCE_STATIC(do_load_builtin_compressions)`
Packit Service	084de1	`{`
Packit Service	084de1	`SSL_COMP *comp = NULL;`
Packit Service	084de1	`COMP_METHOD *method = COMP_zlib();`
Packit Service	084de1
Packit Service	084de1	`CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_DISABLE);`
Packit Service	084de1	`ssl_comp_methods = sk_SSL_COMP_new(sk_comp_cmp);`
Packit Service	084de1
Packit Service	084de1	`if (COMP_get_type(method) != NID_undef && ssl_comp_methods != NULL) {`
Packit Service	084de1	`comp = OPENSSL_malloc(sizeof(*comp));`
Packit Service	084de1	`if (comp != NULL) {`
Packit Service	084de1	`comp->method = method;`
Packit Service	084de1	`comp->id = SSL_COMP_ZLIB_IDX;`
Packit Service	084de1	`comp->name = COMP_get_name(method);`
Packit Service	084de1	`sk_SSL_COMP_push(ssl_comp_methods, comp);`
Packit Service	084de1	`sk_SSL_COMP_sort(ssl_comp_methods);`
Packit Service	084de1	`}`
Packit Service	084de1	`}`
Packit Service	084de1	`CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ENABLE);`
Packit Service	084de1	`return 1;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`static int load_builtin_compressions(void)`
Packit Service	084de1	`{`
Packit Service	084de1	`return RUN_ONCE(&ssl_load_builtin_comp_once, do_load_builtin_compressions);`
Packit Service	084de1	`}`
Packit Service	084de1	`#endif`
Packit Service	084de1
Packit Service	084de1	`int ssl_cipher_get_evp(const SSL_SESSION s, const EVP_CIPHER *enc,`
Packit Service	084de1	`const EVP_MD *md, int mac_pkey_type,`
Packit Service	084de1	`size_t mac_secret_size, SSL_COMP *comp, int use_etm)`
Packit Service	084de1	`{`
Packit Service	084de1	`int i;`
Packit Service	084de1	`const SSL_CIPHER *c;`
Packit Service	084de1
Packit Service	084de1	`c = s->cipher;`
Packit Service	084de1	`if (c == NULL)`
Packit Service	084de1	`return 0;`
Packit Service	084de1	`if (comp != NULL) {`
Packit Service	084de1	`SSL_COMP ctmp;`
Packit Service	084de1	`#ifndef OPENSSL_NO_COMP`
Packit Service	084de1	`if (!load_builtin_compressions()) {`
Packit Service	084de1	`/*`
Packit Service	084de1	`* Currently don't care, since a failure only means that`
Packit Service	084de1	`* ssl_comp_methods is NULL, which is perfectly OK`
Packit Service	084de1	`*/`
Packit Service	084de1	`}`
Packit Service	084de1	`#endif`
Packit Service	084de1	`*comp = NULL;`
Packit Service	084de1	`ctmp.id = s->compress_meth;`
Packit Service	084de1	`if (ssl_comp_methods != NULL) {`
Packit Service	084de1	`i = sk_SSL_COMP_find(ssl_comp_methods, &ctmp);`
Packit Service	084de1	`*comp = sk_SSL_COMP_value(ssl_comp_methods, i);`
Packit Service	084de1	`}`
Packit Service	084de1	`/* If were only interested in comp then return success */`
Packit Service	084de1	`if ((enc == NULL) && (md == NULL))`
Packit Service	084de1	`return 1;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`if ((enc == NULL) \|\| (md == NULL))`
Packit Service	084de1	`return 0;`
Packit Service	084de1
Packit Service	084de1	`i = ssl_cipher_info_lookup(ssl_cipher_table_cipher, c->algorithm_enc);`
Packit Service	084de1
Packit Service	084de1	`if (i == -1) {`
Packit Service	084de1	`*enc = NULL;`
Packit Service	084de1	`} else {`
Packit Service	084de1	`if (i == SSL_ENC_NULL_IDX)`
Packit Service	084de1	`*enc = EVP_enc_null();`
Packit Service	084de1	`else`
Packit Service	084de1	`*enc = ssl_cipher_methods[i];`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`i = ssl_cipher_info_lookup(ssl_cipher_table_mac, c->algorithm_mac);`
Packit Service	084de1	`if (i == -1) {`
Packit Service	084de1	`*md = NULL;`
Packit Service	084de1	`if (mac_pkey_type != NULL)`
Packit Service	084de1	`*mac_pkey_type = NID_undef;`
Packit Service	084de1	`if (mac_secret_size != NULL)`
Packit Service	084de1	`*mac_secret_size = 0;`
Packit Service	084de1	`if (c->algorithm_mac == SSL_AEAD)`
Packit Service	084de1	`mac_pkey_type = NULL;`
Packit Service	084de1	`} else {`
Packit Service	084de1	`*md = ssl_digest_methods[i];`
Packit Service	084de1	`if (mac_pkey_type != NULL)`
Packit Service	084de1	`*mac_pkey_type = ssl_mac_pkey_id[i];`
Packit Service	084de1	`if (mac_secret_size != NULL)`
Packit Service	084de1	`*mac_secret_size = ssl_mac_secret_size[i];`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`if ((*enc != NULL) &&`
Packit Service	084de1	`(md != NULL \|\| (EVP_CIPHER_flags(enc) & EVP_CIPH_FLAG_AEAD_CIPHER))`
Packit Service	084de1	`&& (!mac_pkey_type \|\| *mac_pkey_type != NID_undef)) {`
Packit Service	084de1	`const EVP_CIPHER *evp;`
Packit Service	084de1
Packit Service	084de1	`if (use_etm)`
Packit Service	084de1	`return 1;`
Packit Service	084de1
Packit Service	084de1	`if (s->ssl_version >> 8 != TLS1_VERSION_MAJOR \|\|`
Packit Service	084de1	`s->ssl_version < TLS1_VERSION)`
Packit Service	084de1	`return 1;`
Packit Service	084de1
Packit Service	084de1	`if (FIPS_mode())`
Packit Service	084de1	`return 1;`
Packit Service	084de1
Packit Service	084de1	`if (c->algorithm_enc == SSL_RC4 &&`
Packit Service	084de1	`c->algorithm_mac == SSL_MD5 &&`
Packit Service	084de1	`(evp = EVP_get_cipherbyname("RC4-HMAC-MD5")))`
Packit Service	084de1	`enc = evp, md = NULL;`
Packit Service	084de1	`else if (c->algorithm_enc == SSL_AES128 &&`
Packit Service	084de1	`c->algorithm_mac == SSL_SHA1 &&`
Packit Service	084de1	`(evp = EVP_get_cipherbyname("AES-128-CBC-HMAC-SHA1")))`
Packit Service	084de1	`enc = evp, md = NULL;`
Packit Service	084de1	`else if (c->algorithm_enc == SSL_AES256 &&`
Packit Service	084de1	`c->algorithm_mac == SSL_SHA1 &&`
Packit Service	084de1	`(evp = EVP_get_cipherbyname("AES-256-CBC-HMAC-SHA1")))`
Packit Service	084de1	`enc = evp, md = NULL;`
Packit Service	084de1	`else if (c->algorithm_enc == SSL_AES128 &&`
Packit Service	084de1	`c->algorithm_mac == SSL_SHA256 &&`
Packit Service	084de1	`(evp = EVP_get_cipherbyname("AES-128-CBC-HMAC-SHA256")))`
Packit Service	084de1	`enc = evp, md = NULL;`
Packit Service	084de1	`else if (c->algorithm_enc == SSL_AES256 &&`
Packit Service	084de1	`c->algorithm_mac == SSL_SHA256 &&`
Packit Service	084de1	`(evp = EVP_get_cipherbyname("AES-256-CBC-HMAC-SHA256")))`
Packit Service	084de1	`enc = evp, md = NULL;`
Packit Service	084de1	`return 1;`
Packit Service	084de1	`} else {`
Packit Service	084de1	`return 0;`
Packit Service	084de1	`}`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`const EVP_MD *ssl_md(int idx)`
Packit Service	084de1	`{`
Packit Service	084de1	`idx &= SSL_HANDSHAKE_MAC_MASK;`
Packit Service	084de1	`if (idx < 0 \|\| idx >= SSL_MD_NUM_IDX)`
Packit Service	084de1	`return NULL;`
Packit Service	084de1	`return ssl_digest_methods[idx];`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`const EVP_MD ssl_handshake_md(SSL s)`
Packit Service	084de1	`{`
Packit Service	084de1	`return ssl_md(ssl_get_algorithm2(s));`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`const EVP_MD ssl_prf_md(SSL s)`
Packit Service	084de1	`{`
Packit Service	084de1	`return ssl_md(ssl_get_algorithm2(s) >> TLS1_PRF_DGST_SHIFT);`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`#define ITEM_SEP(a) \`
Packit Service	084de1	`(((a) == ':') \|\| ((a) == ' ') \|\| ((a) == ';') \|\| ((a) == ','))`
Packit Service	084de1
Packit Service	084de1	`static void ll_append_tail(CIPHER_ORDER *head, CIPHER_ORDER curr,`
Packit Service	084de1	`CIPHER_ORDER **tail)`
Packit Service	084de1	`{`
Packit Service	084de1	`if (curr == *tail)`
Packit Service	084de1	`return;`
Packit Service	084de1	`if (curr == *head)`
Packit Service	084de1	`*head = curr->next;`
Packit Service	084de1	`if (curr->prev != NULL)`
Packit Service	084de1	`curr->prev->next = curr->next;`
Packit Service	084de1	`if (curr->next != NULL)`
Packit Service	084de1	`curr->next->prev = curr->prev;`
Packit Service	084de1	`(*tail)->next = curr;`
Packit Service	084de1	`curr->prev = *tail;`
Packit Service	084de1	`curr->next = NULL;`
Packit Service	084de1	`*tail = curr;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`static void ll_append_head(CIPHER_ORDER *head, CIPHER_ORDER curr,`
Packit Service	084de1	`CIPHER_ORDER **tail)`
Packit Service	084de1	`{`
Packit Service	084de1	`if (curr == *head)`
Packit Service	084de1	`return;`
Packit Service	084de1	`if (curr == *tail)`
Packit Service	084de1	`*tail = curr->prev;`
Packit Service	084de1	`if (curr->next != NULL)`
Packit Service	084de1	`curr->next->prev = curr->prev;`
Packit Service	084de1	`if (curr->prev != NULL)`
Packit Service	084de1	`curr->prev->next = curr->next;`
Packit Service	084de1	`(*head)->prev = curr;`
Packit Service	084de1	`curr->next = *head;`
Packit Service	084de1	`curr->prev = NULL;`
Packit Service	084de1	`*head = curr;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,`
Packit Service	084de1	`int num_of_ciphers,`
Packit Service	084de1	`uint32_t disabled_mkey,`
Packit Service	084de1	`uint32_t disabled_auth,`
Packit Service	084de1	`uint32_t disabled_enc,`
Packit Service	084de1	`uint32_t disabled_mac,`
Packit Service	084de1	`CIPHER_ORDER *co_list,`
Packit Service	084de1	`CIPHER_ORDER **head_p,`
Packit Service	084de1	`CIPHER_ORDER **tail_p)`
Packit Service	084de1	`{`
Packit Service	084de1	`int i, co_list_num;`
Packit Service	084de1	`const SSL_CIPHER *c;`
Packit Service	084de1
Packit Service	084de1	`/*`
Packit Service	084de1	`* We have num_of_ciphers descriptions compiled in, depending on the`
Packit Service	084de1	`* method selected (SSLv3, TLSv1 etc).`
Packit Service	084de1	`* These will later be sorted in a linked list with at most num`
Packit Service	084de1	`* entries.`
Packit Service	084de1	`*/`
Packit Service	084de1
Packit Service	084de1	`/* Get the initial list of ciphers */`
Packit Service	084de1	`co_list_num = 0; /* actual count of ciphers */`
Packit Service	084de1	`for (i = 0; i < num_of_ciphers; i++) {`
Packit Service	084de1	`c = ssl_method->get_cipher(i);`
Packit Service	084de1	`/* drop those that use any of that is not available */`
Packit Service	084de1	`if (c == NULL \|\| !c->valid)`
Packit Service	084de1	`continue;`
Packit Service	084de1	`if (FIPS_mode() && !(c->algo_strength & SSL_FIPS))`
Packit Service	084de1	`continue;`
Packit Service	084de1	`if ((c->algorithm_mkey & disabled_mkey) \|\|`
Packit Service	084de1	`(c->algorithm_auth & disabled_auth) \|\|`
Packit Service	084de1	`(c->algorithm_enc & disabled_enc) \|\|`
Packit Service	084de1	`(c->algorithm_mac & disabled_mac))`
Packit Service	084de1	`continue;`
Packit Service	084de1	`if (((ssl_method->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS) == 0) &&`
Packit Service	084de1	`c->min_tls == 0)`
Packit Service	084de1	`continue;`
Packit Service	084de1	`if (((ssl_method->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS) != 0) &&`
Packit Service	084de1	`c->min_dtls == 0)`
Packit Service	084de1	`continue;`
Packit Service	084de1
Packit Service	084de1	`co_list[co_list_num].cipher = c;`
Packit Service	084de1	`co_list[co_list_num].next = NULL;`
Packit Service	084de1	`co_list[co_list_num].prev = NULL;`
Packit Service	084de1	`co_list[co_list_num].active = 0;`
Packit Service	084de1	`co_list_num++;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`/*`
Packit Service	084de1	`* Prepare linked list from list entries`
Packit Service	084de1	`*/`
Packit Service	084de1	`if (co_list_num > 0) {`
Packit Service	084de1	`co_list[0].prev = NULL;`
Packit Service	084de1
Packit Service	084de1	`if (co_list_num > 1) {`
Packit Service	084de1	`co_list[0].next = &co_list[1];`
Packit Service	084de1
Packit Service	084de1	`for (i = 1; i < co_list_num - 1; i++) {`
Packit Service	084de1	`co_list[i].prev = &co_list[i - 1];`
Packit Service	084de1	`co_list[i].next = &co_list[i + 1];`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`co_list[co_list_num - 1].prev = &co_list[co_list_num - 2];`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`co_list[co_list_num - 1].next = NULL;`
Packit Service	084de1
Packit Service	084de1	`*head_p = &co_list[0];`
Packit Service	084de1	`*tail_p = &co_list[co_list_num - 1];`
Packit Service	084de1	`}`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`static void ssl_cipher_collect_aliases(const SSL_CIPHER **ca_list,`
Packit Service	084de1	`int num_of_group_aliases,`
Packit Service	084de1	`uint32_t disabled_mkey,`
Packit Service	084de1	`uint32_t disabled_auth,`
Packit Service	084de1	`uint32_t disabled_enc,`
Packit Service	084de1	`uint32_t disabled_mac,`
Packit Service	084de1	`CIPHER_ORDER *head)`
Packit Service	084de1	`{`
Packit Service	084de1	`CIPHER_ORDER *ciph_curr;`
Packit Service	084de1	`const SSL_CIPHER **ca_curr;`
Packit Service	084de1	`int i;`
Packit Service	084de1	`uint32_t mask_mkey = ~disabled_mkey;`
Packit Service	084de1	`uint32_t mask_auth = ~disabled_auth;`
Packit Service	084de1	`uint32_t mask_enc = ~disabled_enc;`
Packit Service	084de1	`uint32_t mask_mac = ~disabled_mac;`
Packit Service	084de1
Packit Service	084de1	`/*`
Packit Service	084de1	`* First, add the real ciphers as already collected`
Packit Service	084de1	`*/`
Packit Service	084de1	`ciph_curr = head;`
Packit Service	084de1	`ca_curr = ca_list;`
Packit Service	084de1	`while (ciph_curr != NULL) {`
Packit Service	084de1	`*ca_curr = ciph_curr->cipher;`
Packit Service	084de1	`ca_curr++;`
Packit Service	084de1	`ciph_curr = ciph_curr->next;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`/*`
Packit Service	084de1	`* Now we add the available ones from the cipher_aliases[] table.`
Packit Service	084de1	`* They represent either one or more algorithms, some of which`
Packit Service	084de1	`* in any affected category must be supported (set in enabled_mask),`
Packit Service	084de1	`* or represent a cipher strength value (will be added in any case because algorithms=0).`
Packit Service	084de1	`*/`
Packit Service	084de1	`for (i = 0; i < num_of_group_aliases; i++) {`
Packit Service	084de1	`uint32_t algorithm_mkey = cipher_aliases[i].algorithm_mkey;`
Packit Service	084de1	`uint32_t algorithm_auth = cipher_aliases[i].algorithm_auth;`
Packit Service	084de1	`uint32_t algorithm_enc = cipher_aliases[i].algorithm_enc;`
Packit Service	084de1	`uint32_t algorithm_mac = cipher_aliases[i].algorithm_mac;`
Packit Service	084de1
Packit Service	084de1	`if (algorithm_mkey)`
Packit Service	084de1	`if ((algorithm_mkey & mask_mkey) == 0)`
Packit Service	084de1	`continue;`
Packit Service	084de1
Packit Service	084de1	`if (algorithm_auth)`
Packit Service	084de1	`if ((algorithm_auth & mask_auth) == 0)`
Packit Service	084de1	`continue;`
Packit Service	084de1
Packit Service	084de1	`if (algorithm_enc)`
Packit Service	084de1	`if ((algorithm_enc & mask_enc) == 0)`
Packit Service	084de1	`continue;`
Packit Service	084de1
Packit Service	084de1	`if (algorithm_mac)`
Packit Service	084de1	`if ((algorithm_mac & mask_mac) == 0)`
Packit Service	084de1	`continue;`
Packit Service	084de1
Packit Service	084de1	`ca_curr = (SSL_CIPHER )(cipher_aliases + i);`
Packit Service	084de1	`ca_curr++;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`ca_curr = NULL; / end of list */`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,`
Packit Service	084de1	`uint32_t alg_auth, uint32_t alg_enc,`
Packit Service	084de1	`uint32_t alg_mac, int min_tls,`
Packit Service	084de1	`uint32_t algo_strength, int rule,`
Packit Service	084de1	`int32_t strength_bits, CIPHER_ORDER **head_p,`
Packit Service	084de1	`CIPHER_ORDER **tail_p)`
Packit Service	084de1	`{`
Packit Service	084de1	`CIPHER_ORDER head, tail, curr, next, *last;`
Packit Service	084de1	`const SSL_CIPHER *cp;`
Packit Service	084de1	`int reverse = 0;`
Packit Service	084de1
Packit Service	084de1	`#ifdef CIPHER_DEBUG`
Packit Service	084de1	`fprintf(stderr,`
Packit Service	084de1	`"Applying rule %d with %08x/%08x/%08x/%08x/%08x %08x (%d)\n",`
Packit Service	084de1	`rule, alg_mkey, alg_auth, alg_enc, alg_mac, min_tls,`
Packit Service	084de1	`algo_strength, strength_bits);`
Packit Service	084de1	`#endif`
Packit Service	084de1
Packit Service	084de1	`if (rule == CIPHER_DEL \|\| rule == CIPHER_BUMP)`
Packit Service	084de1	`reverse = 1; /* needed to maintain sorting between currently`
Packit Service	084de1	`* deleted ciphers */`
Packit Service	084de1
Packit Service	084de1	`head = *head_p;`
Packit Service	084de1	`tail = *tail_p;`
Packit Service	084de1
Packit Service	084de1	`if (reverse) {`
Packit Service	084de1	`next = tail;`
Packit Service	084de1	`last = head;`
Packit Service	084de1	`} else {`
Packit Service	084de1	`next = head;`
Packit Service	084de1	`last = tail;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`curr = NULL;`
Packit Service	084de1	`for (;;) {`
Packit Service	084de1	`if (curr == last)`
Packit Service	084de1	`break;`
Packit Service	084de1
Packit Service	084de1	`curr = next;`
Packit Service	084de1
Packit Service	084de1	`if (curr == NULL)`
Packit Service	084de1	`break;`
Packit Service	084de1
Packit Service	084de1	`next = reverse ? curr->prev : curr->next;`
Packit Service	084de1
Packit Service	084de1	`cp = curr->cipher;`
Packit Service	084de1
Packit Service	084de1	`/*`
Packit Service	084de1	`* Selection criteria is either the value of strength_bits`
Packit Service	084de1	`* or the algorithms used.`
Packit Service	084de1	`*/`
Packit Service	084de1	`if (strength_bits >= 0) {`
Packit Service	084de1	`if (strength_bits != cp->strength_bits)`
Packit Service	084de1	`continue;`
Packit Service	084de1	`} else {`
Packit Service	084de1	`#ifdef CIPHER_DEBUG`
Packit Service	084de1	`fprintf(stderr,`
Packit Service	084de1	`"\nName: %s:\nAlgo = %08x/%08x/%08x/%08x/%08x Algo_strength = %08x\n",`
Packit Service	084de1	`cp->name, cp->algorithm_mkey, cp->algorithm_auth,`
Packit Service	084de1	`cp->algorithm_enc, cp->algorithm_mac, cp->min_tls,`
Packit Service	084de1	`cp->algo_strength);`
Packit Service	084de1	`#endif`
Packit Service	084de1	`if (cipher_id != 0 && (cipher_id != cp->id))`
Packit Service	084de1	`continue;`
Packit Service	084de1	`if (alg_mkey && !(alg_mkey & cp->algorithm_mkey))`
Packit Service	084de1	`continue;`
Packit Service	084de1	`if (alg_auth && !(alg_auth & cp->algorithm_auth))`
Packit Service	084de1	`continue;`
Packit Service	084de1	`if (alg_enc && !(alg_enc & cp->algorithm_enc))`
Packit Service	084de1	`continue;`
Packit Service	084de1	`if (alg_mac && !(alg_mac & cp->algorithm_mac))`
Packit Service	084de1	`continue;`
Packit Service	084de1	`if (min_tls && (min_tls != cp->min_tls))`
Packit Service	084de1	`continue;`
Packit Service	084de1	`if ((algo_strength & SSL_STRONG_MASK)`
Packit Service	084de1	`&& !(algo_strength & SSL_STRONG_MASK & cp->algo_strength))`
Packit Service	084de1	`continue;`
Packit Service	084de1	`if ((algo_strength & SSL_DEFAULT_MASK)`
Packit Service	084de1	`&& !(algo_strength & SSL_DEFAULT_MASK & cp->algo_strength))`
Packit Service	084de1	`continue;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`#ifdef CIPHER_DEBUG`
Packit Service	084de1	`fprintf(stderr, "Action = %d\n", rule);`
Packit Service	084de1	`#endif`
Packit Service	084de1
Packit Service	084de1	`/* add the cipher if it has not been added yet. */`
Packit Service	084de1	`if (rule == CIPHER_ADD) {`
Packit Service	084de1	`/* reverse == 0 */`
Packit Service	084de1	`if (!curr->active) {`
Packit Service	084de1	`ll_append_tail(&head, curr, &tail);`
Packit Service	084de1	`curr->active = 1;`
Packit Service	084de1	`}`
Packit Service	084de1	`}`
Packit Service	084de1	`/* Move the added cipher to this location */`
Packit Service	084de1	`else if (rule == CIPHER_ORD) {`
Packit Service	084de1	`/* reverse == 0 */`
Packit Service	084de1	`if (curr->active) {`
Packit Service	084de1	`ll_append_tail(&head, curr, &tail);`
Packit Service	084de1	`}`
Packit Service	084de1	`} else if (rule == CIPHER_DEL) {`
Packit Service	084de1	`/* reverse == 1 */`
Packit Service	084de1	`if (curr->active) {`
Packit Service	084de1	`/*`
Packit Service	084de1	`* most recently deleted ciphersuites get best positions for`
Packit Service	084de1	`* any future CIPHER_ADD (note that the CIPHER_DEL loop works`
Packit Service	084de1	`* in reverse to maintain the order)`
Packit Service	084de1	`*/`
Packit Service	084de1	`ll_append_head(&head, curr, &tail);`
Packit Service	084de1	`curr->active = 0;`
Packit Service	084de1	`}`
Packit Service	084de1	`} else if (rule == CIPHER_BUMP) {`
Packit Service	084de1	`if (curr->active)`
Packit Service	084de1	`ll_append_head(&head, curr, &tail);`
Packit Service	084de1	`} else if (rule == CIPHER_KILL) {`
Packit Service	084de1	`/* reverse == 0 */`
Packit Service	084de1	`if (head == curr)`
Packit Service	084de1	`head = curr->next;`
Packit Service	084de1	`else`
Packit Service	084de1	`curr->prev->next = curr->next;`
Packit Service	084de1	`if (tail == curr)`
Packit Service	084de1	`tail = curr->prev;`
Packit Service	084de1	`curr->active = 0;`
Packit Service	084de1	`if (curr->next != NULL)`
Packit Service	084de1	`curr->next->prev = curr->prev;`
Packit Service	084de1	`if (curr->prev != NULL)`
Packit Service	084de1	`curr->prev->next = curr->next;`
Packit Service	084de1	`curr->next = NULL;`
Packit Service	084de1	`curr->prev = NULL;`
Packit Service	084de1	`}`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`*head_p = head;`
Packit Service	084de1	`*tail_p = tail;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p,`
Packit Service	084de1	`CIPHER_ORDER **tail_p)`
Packit Service	084de1	`{`
Packit Service	084de1	`int32_t max_strength_bits;`
Packit Service	084de1	`int i, *number_uses;`
Packit Service	084de1	`CIPHER_ORDER *curr;`
Packit Service	084de1
Packit Service	084de1	`/*`
Packit Service	084de1	`* This routine sorts the ciphers with descending strength. The sorting`
Packit Service	084de1	`* must keep the pre-sorted sequence, so we apply the normal sorting`
Packit Service	084de1	`* routine as '+' movement to the end of the list.`
Packit Service	084de1	`*/`
Packit Service	084de1	`max_strength_bits = 0;`
Packit Service	084de1	`curr = *head_p;`
Packit Service	084de1	`while (curr != NULL) {`
Packit Service	084de1	`if (curr->active && (curr->cipher->strength_bits > max_strength_bits))`
Packit Service	084de1	`max_strength_bits = curr->cipher->strength_bits;`
Packit Service	084de1	`curr = curr->next;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`number_uses = OPENSSL_zalloc(sizeof(int) * (max_strength_bits + 1));`
Packit Service	084de1	`if (number_uses == NULL) {`
Packit Service	084de1	`SSLerr(SSL_F_SSL_CIPHER_STRENGTH_SORT, ERR_R_MALLOC_FAILURE);`
Packit Service	084de1	`return 0;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`/*`
Packit Service	084de1	`* Now find the strength_bits values actually used`
Packit Service	084de1	`*/`
Packit Service	084de1	`curr = *head_p;`
Packit Service	084de1	`while (curr != NULL) {`
Packit Service	084de1	`if (curr->active)`
Packit Service	084de1	`number_uses[curr->cipher->strength_bits]++;`
Packit Service	084de1	`curr = curr->next;`
Packit Service	084de1	`}`
Packit Service	084de1	`/*`
Packit Service	084de1	`* Go through the list of used strength_bits values in descending`
Packit Service	084de1	`* order.`
Packit Service	084de1	`*/`
Packit Service	084de1	`for (i = max_strength_bits; i >= 0; i--)`
Packit Service	084de1	`if (number_uses[i] > 0)`
Packit Service	084de1	`ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ORD, i, head_p,`
Packit Service	084de1	`tail_p);`
Packit Service	084de1
Packit Service	084de1	`OPENSSL_free(number_uses);`
Packit Service	084de1	`return 1;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`static int ssl_cipher_process_rulestr(const char *rule_str,`
Packit Service	084de1	`CIPHER_ORDER **head_p,`
Packit Service	084de1	`CIPHER_ORDER **tail_p,`
Packit Service	084de1	`const SSL_CIPHER *ca_list, CERT c)`
Packit Service	084de1	`{`
Packit Service	084de1	`uint32_t alg_mkey, alg_auth, alg_enc, alg_mac, algo_strength;`
Packit Service	084de1	`int min_tls;`
Packit Service	084de1	`const char l, buf;`
Packit Service	084de1	`int j, multi, found, rule, retval, ok, buflen;`
Packit Service	084de1	`uint32_t cipher_id = 0;`
Packit Service	084de1	`char ch;`
Packit Service	084de1
Packit Service	084de1	`retval = 1;`
Packit Service	084de1	`l = rule_str;`
Packit Service	084de1	`for ( ; ; ) {`
Packit Service	084de1	`ch = *l;`
Packit Service	084de1
Packit Service	084de1	`if (ch == '\0')`
Packit Service	084de1	`break; /* done */`
Packit Service	084de1	`if (ch == '-') {`
Packit Service	084de1	`rule = CIPHER_DEL;`
Packit Service	084de1	`l++;`
Packit Service	084de1	`} else if (ch == '+') {`
Packit Service	084de1	`rule = CIPHER_ORD;`
Packit Service	084de1	`l++;`
Packit Service	084de1	`} else if (ch == '!') {`
Packit Service	084de1	`rule = CIPHER_KILL;`
Packit Service	084de1	`l++;`
Packit Service	084de1	`} else if (ch == '@') {`
Packit Service	084de1	`rule = CIPHER_SPECIAL;`
Packit Service	084de1	`l++;`
Packit Service	084de1	`} else {`
Packit Service	084de1	`rule = CIPHER_ADD;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`if (ITEM_SEP(ch)) {`
Packit Service	084de1	`l++;`
Packit Service	084de1	`continue;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`alg_mkey = 0;`
Packit Service	084de1	`alg_auth = 0;`
Packit Service	084de1	`alg_enc = 0;`
Packit Service	084de1	`alg_mac = 0;`
Packit Service	084de1	`min_tls = 0;`
Packit Service	084de1	`algo_strength = 0;`
Packit Service	084de1
Packit Service	084de1	`for (;;) {`
Packit Service	084de1	`ch = *l;`
Packit Service	084de1	`buf = l;`
Packit Service	084de1	`buflen = 0;`
Packit Service	084de1	`#ifndef CHARSET_EBCDIC`
Packit Service	084de1	`while (((ch >= 'A') && (ch <= 'Z')) \|\|`
Packit Service	084de1	`((ch >= '0') && (ch <= '9')) \|\|`
Packit Service	084de1	`((ch >= 'a') && (ch <= 'z')) \|\|`
Packit Service	084de1	`(ch == '-') \|\| (ch == '.') \|\| (ch == '='))`
Packit Service	084de1	`#else`
Packit Service	084de1	`while (isalnum((unsigned char)ch) \|\| (ch == '-') \|\| (ch == '.')`
Packit Service	084de1	`\|\| (ch == '='))`
Packit Service	084de1	`#endif`
Packit Service	084de1	`{`
Packit Service	084de1	`ch = *(++l);`
Packit Service	084de1	`buflen++;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`if (buflen == 0) {`
Packit Service	084de1	`/*`
Packit Service	084de1	`* We hit something we cannot deal with,`
Packit Service	084de1	`* it is no command or separator nor`
Packit Service	084de1	`* alphanumeric, so we call this an error.`
Packit Service	084de1	`*/`
Packit Service	084de1	`SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, SSL_R_INVALID_COMMAND);`
Packit Service	084de1	`retval = found = 0;`
Packit Service	084de1	`l++;`
Packit Service	084de1	`break;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`if (rule == CIPHER_SPECIAL) {`
Packit Service	084de1	`found = 0; /* unused -- avoid compiler warning */`
Packit Service	084de1	`break; /* special treatment */`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`/* check for multi-part specification */`
Packit Service	084de1	`if (ch == '+') {`
Packit Service	084de1	`multi = 1;`
Packit Service	084de1	`l++;`
Packit Service	084de1	`} else {`
Packit Service	084de1	`multi = 0;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`/*`
Packit Service	084de1	`* Now search for the cipher alias in the ca_list. Be careful`
Packit Service	084de1	`* with the strncmp, because the "buflen" limitation`
Packit Service	084de1	`* will make the rule "ADH:SOME" and the cipher`
Packit Service	084de1	`* "ADH-MY-CIPHER" look like a match for buflen=3.`
Packit Service	084de1	`* So additionally check whether the cipher name found`
Packit Service	084de1	`* has the correct length. We can save a strlen() call:`
Packit Service	084de1	`* just checking for the '\0' at the right place is`
Packit Service	084de1	`* sufficient, we have to strncmp() anyway. (We cannot`
Packit Service	084de1	`* use strcmp(), because buf is not '\0' terminated.)`
Packit Service	084de1	`*/`
Packit Service	084de1	`j = found = 0;`
Packit Service	084de1	`cipher_id = 0;`
Packit Service	084de1	`while (ca_list[j]) {`
Packit Service	084de1	`if (strncmp(buf, ca_list[j]->name, buflen) == 0`
Packit Service	084de1	`&& (ca_list[j]->name[buflen] == '\0')) {`
Packit Service	084de1	`found = 1;`
Packit Service	084de1	`break;`
Packit Service	084de1	`} else`
Packit Service	084de1	`j++;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`if (!found)`
Packit Service	084de1	`break; /* ignore this entry */`
Packit Service	084de1
Packit Service	084de1	`if (ca_list[j]->algorithm_mkey) {`
Packit Service	084de1	`if (alg_mkey) {`
Packit Service	084de1	`alg_mkey &= ca_list[j]->algorithm_mkey;`
Packit Service	084de1	`if (!alg_mkey) {`
Packit Service	084de1	`found = 0;`
Packit Service	084de1	`break;`
Packit Service	084de1	`}`
Packit Service	084de1	`} else {`
Packit Service	084de1	`alg_mkey = ca_list[j]->algorithm_mkey;`
Packit Service	084de1	`}`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`if (ca_list[j]->algorithm_auth) {`
Packit Service	084de1	`if (alg_auth) {`
Packit Service	084de1	`alg_auth &= ca_list[j]->algorithm_auth;`
Packit Service	084de1	`if (!alg_auth) {`
Packit Service	084de1	`found = 0;`
Packit Service	084de1	`break;`
Packit Service	084de1	`}`
Packit Service	084de1	`} else {`
Packit Service	084de1	`alg_auth = ca_list[j]->algorithm_auth;`
Packit Service	084de1	`}`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`if (ca_list[j]->algorithm_enc) {`
Packit Service	084de1	`if (alg_enc) {`
Packit Service	084de1	`alg_enc &= ca_list[j]->algorithm_enc;`
Packit Service	084de1	`if (!alg_enc) {`
Packit Service	084de1	`found = 0;`
Packit Service	084de1	`break;`
Packit Service	084de1	`}`
Packit Service	084de1	`} else {`
Packit Service	084de1	`alg_enc = ca_list[j]->algorithm_enc;`
Packit Service	084de1	`}`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`if (ca_list[j]->algorithm_mac) {`
Packit Service	084de1	`if (alg_mac) {`
Packit Service	084de1	`alg_mac &= ca_list[j]->algorithm_mac;`
Packit Service	084de1	`if (!alg_mac) {`
Packit Service	084de1	`found = 0;`
Packit Service	084de1	`break;`
Packit Service	084de1	`}`
Packit Service	084de1	`} else {`
Packit Service	084de1	`alg_mac = ca_list[j]->algorithm_mac;`
Packit Service	084de1	`}`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`if (ca_list[j]->algo_strength & SSL_STRONG_MASK) {`
Packit Service	084de1	`if (algo_strength & SSL_STRONG_MASK) {`
Packit Service	084de1	`algo_strength &=`
Packit Service	084de1	`(ca_list[j]->algo_strength & SSL_STRONG_MASK) \|`
Packit Service	084de1	`~SSL_STRONG_MASK;`
Packit Service	084de1	`if (!(algo_strength & SSL_STRONG_MASK)) {`
Packit Service	084de1	`found = 0;`
Packit Service	084de1	`break;`
Packit Service	084de1	`}`
Packit Service	084de1	`} else {`
Packit Service	084de1	`algo_strength = ca_list[j]->algo_strength & SSL_STRONG_MASK;`
Packit Service	084de1	`}`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`if (ca_list[j]->algo_strength & SSL_DEFAULT_MASK) {`
Packit Service	084de1	`if (algo_strength & SSL_DEFAULT_MASK) {`
Packit Service	084de1	`algo_strength &=`
Packit Service	084de1	`(ca_list[j]->algo_strength & SSL_DEFAULT_MASK) \|`
Packit Service	084de1	`~SSL_DEFAULT_MASK;`
Packit Service	084de1	`if (!(algo_strength & SSL_DEFAULT_MASK)) {`
Packit Service	084de1	`found = 0;`
Packit Service	084de1	`break;`
Packit Service	084de1	`}`
Packit Service	084de1	`} else {`
Packit Service	084de1	`algo_strength \|=`
Packit Service	084de1	`ca_list[j]->algo_strength & SSL_DEFAULT_MASK;`
Packit Service	084de1	`}`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`if (ca_list[j]->valid) {`
Packit Service	084de1	`/*`
Packit Service	084de1	`* explicit ciphersuite found; its protocol version does not`
Packit Service	084de1	`* become part of the search pattern!`
Packit Service	084de1	`*/`
Packit Service	084de1
Packit Service	084de1	`cipher_id = ca_list[j]->id;`
Packit Service	084de1	`} else {`
Packit Service	084de1	`/*`
Packit Service	084de1	`* not an explicit ciphersuite; only in this case, the`
Packit Service	084de1	`* protocol version is considered part of the search pattern`
Packit Service	084de1	`*/`
Packit Service	084de1
Packit Service	084de1	`if (ca_list[j]->min_tls) {`
Packit Service	084de1	`if (min_tls != 0 && min_tls != ca_list[j]->min_tls) {`
Packit Service	084de1	`found = 0;`
Packit Service	084de1	`break;`
Packit Service	084de1	`} else {`
Packit Service	084de1	`min_tls = ca_list[j]->min_tls;`
Packit Service	084de1	`}`
Packit Service	084de1	`}`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`if (!multi)`
Packit Service	084de1	`break;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`/*`
Packit Service	084de1	`* Ok, we have the rule, now apply it`
Packit Service	084de1	`*/`
Packit Service	084de1	`if (rule == CIPHER_SPECIAL) { /* special command */`
Packit Service	084de1	`ok = 0;`
Packit Service	084de1	`if ((buflen == 8) && strncmp(buf, "STRENGTH", 8) == 0) {`
Packit Service	084de1	`ok = ssl_cipher_strength_sort(head_p, tail_p);`
Packit Service	084de1	`} else if (buflen == 10 && strncmp(buf, "SECLEVEL=", 9) == 0) {`
Packit Service	084de1	`int level = buf[9] - '0';`
Packit Service	084de1	`if (level < 0 \|\| level > 5) {`
Packit Service	084de1	`SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,`
Packit Service	084de1	`SSL_R_INVALID_COMMAND);`
Packit Service	084de1	`} else {`
Packit Service	084de1	`c->sec_level = level;`
Packit Service	084de1	`ok = 1;`
Packit Service	084de1	`}`
Packit Service	084de1	`} else {`
Packit Service	084de1	`SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, SSL_R_INVALID_COMMAND);`
Packit Service	084de1	`}`
Packit Service	084de1	`if (ok == 0)`
Packit Service	084de1	`retval = 0;`
Packit Service	084de1	`/*`
Packit Service	084de1	`* We do not support any "multi" options`
Packit Service	084de1	`* together with "@", so throw away the`
Packit Service	084de1	`* rest of the command, if any left, until`
Packit Service	084de1	`* end or ':' is found.`
Packit Service	084de1	`*/`
Packit Service	084de1	`while ((l != '\0') && !ITEM_SEP(l))`
Packit Service	084de1	`l++;`
Packit Service	084de1	`} else if (found) {`
Packit Service	084de1	`ssl_cipher_apply_rule(cipher_id,`
Packit Service	084de1	`alg_mkey, alg_auth, alg_enc, alg_mac,`
Packit Service	084de1	`min_tls, algo_strength, rule, -1, head_p,`
Packit Service	084de1	`tail_p);`
Packit Service	084de1	`} else {`
Packit Service	084de1	`while ((l != '\0') && !ITEM_SEP(l))`
Packit Service	084de1	`l++;`
Packit Service	084de1	`}`
Packit Service	084de1	`if (*l == '\0')`
Packit Service	084de1	`break; /* done */`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`return retval;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`#ifndef OPENSSL_NO_EC`
Packit Service	084de1	`static int check_suiteb_cipher_list(const SSL_METHOD meth, CERT c,`
Packit Service	084de1	`const char **prule_str)`
Packit Service	084de1	`{`
Packit Service	084de1	`unsigned int suiteb_flags = 0, suiteb_comb2 = 0;`
Packit Service	084de1	`if (strncmp(*prule_str, "SUITEB128ONLY", 13) == 0) {`
Packit Service	084de1	`suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS_ONLY;`
Packit Service	084de1	`} else if (strncmp(*prule_str, "SUITEB128C2", 11) == 0) {`
Packit Service	084de1	`suiteb_comb2 = 1;`
Packit Service	084de1	`suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS;`
Packit Service	084de1	`} else if (strncmp(*prule_str, "SUITEB128", 9) == 0) {`
Packit Service	084de1	`suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS;`
Packit Service	084de1	`} else if (strncmp(*prule_str, "SUITEB192", 9) == 0) {`
Packit Service	084de1	`suiteb_flags = SSL_CERT_FLAG_SUITEB_192_LOS;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`if (suiteb_flags) {`
Packit Service	084de1	`c->cert_flags &= ~SSL_CERT_FLAG_SUITEB_128_LOS;`
Packit Service	084de1	`c->cert_flags \|= suiteb_flags;`
Packit Service	084de1	`} else {`
Packit Service	084de1	`suiteb_flags = c->cert_flags & SSL_CERT_FLAG_SUITEB_128_LOS;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`if (!suiteb_flags)`
Packit Service	084de1	`return 1;`
Packit Service	084de1	`/* Check version: if TLS 1.2 ciphers allowed we can use Suite B */`
Packit Service	084de1
Packit Service	084de1	`if (!(meth->ssl3_enc->enc_flags & SSL_ENC_FLAG_TLS1_2_CIPHERS)) {`
Packit Service	084de1	`SSLerr(SSL_F_CHECK_SUITEB_CIPHER_LIST,`
Packit Service	084de1	`SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE);`
Packit Service	084de1	`return 0;`
Packit Service	084de1	`}`
Packit Service	084de1	`# ifndef OPENSSL_NO_EC`
Packit Service	084de1	`switch (suiteb_flags) {`
Packit Service	084de1	`case SSL_CERT_FLAG_SUITEB_128_LOS:`
Packit Service	084de1	`if (suiteb_comb2)`
Packit Service	084de1	`*prule_str = "ECDHE-ECDSA-AES256-GCM-SHA384";`
Packit Service	084de1	`else`
Packit Service	084de1	`*prule_str =`
Packit Service	084de1	`"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384";`
Packit Service	084de1	`break;`
Packit Service	084de1	`case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:`
Packit Service	084de1	`*prule_str = "ECDHE-ECDSA-AES128-GCM-SHA256";`
Packit Service	084de1	`break;`
Packit Service	084de1	`case SSL_CERT_FLAG_SUITEB_192_LOS:`
Packit Service	084de1	`*prule_str = "ECDHE-ECDSA-AES256-GCM-SHA384";`
Packit Service	084de1	`break;`
Packit Service	084de1	`}`
Packit Service	084de1	`return 1;`
Packit Service	084de1	`# else`
Packit Service	084de1	`SSLerr(SSL_F_CHECK_SUITEB_CIPHER_LIST, SSL_R_ECDH_REQUIRED_FOR_SUITEB_MODE);`
Packit Service	084de1	`return 0;`
Packit Service	084de1	`# endif`
Packit Service	084de1	`}`
Packit Service	084de1	`#endif`
Packit Service	084de1
Packit Service	084de1	`static int ciphersuite_cb(const char elem, int len, void arg)`
Packit Service	084de1	`{`
Packit Service	084de1	`STACK_OF(SSL_CIPHER) ciphersuites = (STACK_OF(SSL_CIPHER) )arg;`
Packit Service	084de1	`const SSL_CIPHER *cipher;`
Packit Service	084de1	`/* Arbitrary sized temp buffer for the cipher name. Should be big enough */`
Packit Service	084de1	`char name[80];`
Packit Service	084de1
Packit Service	084de1	`if (len > (int)(sizeof(name) - 1)) {`
Packit Service	084de1	`SSLerr(SSL_F_CIPHERSUITE_CB, SSL_R_NO_CIPHER_MATCH);`
Packit Service	084de1	`return 0;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`memcpy(name, elem, len);`
Packit Service	084de1	`name[len] = '\0';`
Packit Service	084de1
Packit Service	084de1	`cipher = ssl3_get_cipher_by_std_name(name);`
Packit Service	084de1	`if (cipher == NULL) {`
Packit Service	084de1	`SSLerr(SSL_F_CIPHERSUITE_CB, SSL_R_NO_CIPHER_MATCH);`
Packit Service	084de1	`return 0;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`if (!sk_SSL_CIPHER_push(ciphersuites, cipher)) {`
Packit Service	084de1	`SSLerr(SSL_F_CIPHERSUITE_CB, ERR_R_INTERNAL_ERROR);`
Packit Service	084de1	`return 0;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`return 1;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`static __owur int set_ciphersuites(STACK_OF(SSL_CIPHER) *currciphers, const char str)`
Packit Service	084de1	`{`
Packit Service	084de1	`STACK_OF(SSL_CIPHER) *newciphers = sk_SSL_CIPHER_new_null();`
Packit Service	084de1
Packit Service	084de1	`if (newciphers == NULL)`
Packit Service	084de1	`return 0;`
Packit Service	084de1
Packit Service	084de1	`/* Parse the list. We explicitly allow an empty list */`
Packit Service	084de1	`if (*str != '\0'`
Packit Service	084de1	`&& !CONF_parse_list(str, ':', 1, ciphersuite_cb, newciphers)) {`
Packit Service	084de1	`sk_SSL_CIPHER_free(newciphers);`
Packit Service	084de1	`return 0;`
Packit Service	084de1	`}`
Packit Service	084de1	`sk_SSL_CIPHER_free(*currciphers);`
Packit Service	084de1	`*currciphers = newciphers;`
Packit Service	084de1
Packit Service	084de1	`return 1;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`static int update_cipher_list_by_id(STACK_OF(SSL_CIPHER) **cipher_list_by_id,`
Packit Service	084de1	`STACK_OF(SSL_CIPHER) *cipherstack)`
Packit Service	084de1	`{`
Packit Service	084de1	`STACK_OF(SSL_CIPHER) *tmp_cipher_list = sk_SSL_CIPHER_dup(cipherstack);`
Packit Service	084de1
Packit Service	084de1	`if (tmp_cipher_list == NULL) {`
Packit Service	084de1	`return 0;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`sk_SSL_CIPHER_free(*cipher_list_by_id);`
Packit Service	084de1	`*cipher_list_by_id = tmp_cipher_list;`
Packit Service	084de1
Packit Service	084de1	`(void)sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id, ssl_cipher_ptr_id_cmp);`
Packit Service	084de1	`sk_SSL_CIPHER_sort(*cipher_list_by_id);`
Packit Service	084de1
Packit Service	084de1	`return 1;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`static int update_cipher_list(STACK_OF(SSL_CIPHER) **cipher_list,`
Packit Service	084de1	`STACK_OF(SSL_CIPHER) **cipher_list_by_id,`
Packit Service	084de1	`STACK_OF(SSL_CIPHER) *tls13_ciphersuites)`
Packit Service	084de1	`{`
Packit Service	084de1	`int i;`
Packit Service	084de1	`STACK_OF(SSL_CIPHER) tmp_cipher_list = sk_SSL_CIPHER_dup(cipher_list);`
Packit Service	084de1
Packit Service	084de1	`if (tmp_cipher_list == NULL)`
Packit Service	084de1	`return 0;`
Packit Service	084de1
Packit Service	084de1	`/*`
Packit Service	084de1	`* Delete any existing TLSv1.3 ciphersuites. These are always first in the`
Packit Service	084de1	`* list.`
Packit Service	084de1	`*/`
Packit Service	084de1	`while (sk_SSL_CIPHER_num(tmp_cipher_list) > 0`
Packit Service	084de1	`&& sk_SSL_CIPHER_value(tmp_cipher_list, 0)->min_tls`
Packit Service	084de1	`== TLS1_3_VERSION)`
Packit Service	084de1	`sk_SSL_CIPHER_delete(tmp_cipher_list, 0);`
Packit Service	084de1
Packit Service	084de1	`/* Insert the new TLSv1.3 ciphersuites */`
Packit Service	084de1	`for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++)`
Packit Service	084de1	`sk_SSL_CIPHER_insert(tmp_cipher_list,`
Packit Service	084de1	`sk_SSL_CIPHER_value(tls13_ciphersuites, i), i);`
Packit Service	084de1
Packit Service	084de1	`if (!update_cipher_list_by_id(cipher_list_by_id, tmp_cipher_list))`
Packit Service	084de1	`return 0;`
Packit Service	084de1
Packit Service	084de1	`sk_SSL_CIPHER_free(*cipher_list);`
Packit Service	084de1	`*cipher_list = tmp_cipher_list;`
Packit Service	084de1
Packit Service	084de1	`return 1;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`int SSL_CTX_set_ciphersuites(SSL_CTX ctx, const char str)`
Packit Service	084de1	`{`
Packit Service	084de1	`int ret = set_ciphersuites(&(ctx->tls13_ciphersuites), str);`
Packit Service	084de1
Packit Service	084de1	`if (ret && ctx->cipher_list != NULL)`
Packit Service	084de1	`return update_cipher_list(&ctx->cipher_list, &ctx->cipher_list_by_id,`
Packit Service	084de1	`ctx->tls13_ciphersuites);`
Packit Service	084de1
Packit Service	084de1	`return ret;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`int SSL_set_ciphersuites(SSL s, const char str)`
Packit Service	084de1	`{`
Packit Service	084de1	`STACK_OF(SSL_CIPHER) *cipher_list;`
Packit Service	084de1	`int ret = set_ciphersuites(&(s->tls13_ciphersuites), str);`
Packit Service	084de1
Packit Service	084de1	`if (s->cipher_list == NULL) {`
Packit Service	084de1	`if ((cipher_list = SSL_get_ciphers(s)) != NULL)`
Packit Service	084de1	`s->cipher_list = sk_SSL_CIPHER_dup(cipher_list);`
Packit Service	084de1	`}`
Packit Service	084de1	`if (ret && s->cipher_list != NULL)`
Packit Service	084de1	`return update_cipher_list(&s->cipher_list, &s->cipher_list_by_id,`
Packit Service	084de1	`s->tls13_ciphersuites);`
Packit Service	084de1
Packit Service	084de1	`return ret;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`#ifdef SYSTEM_CIPHERS_FILE`
Packit Service	084de1	`static char load_system_str(const char suffix)`
Packit Service	084de1	`{`
Packit Service	084de1	`FILE *fp;`
Packit Service	084de1	`char buf[1024];`
Packit Service	084de1	`char *new_rules;`
Packit Service	084de1	`const char *ciphers_path;`
Packit Service	084de1	`unsigned len, slen;`
Packit Service	084de1
Packit Service	084de1	`if ((ciphers_path = secure_getenv("OPENSSL_SYSTEM_CIPHERS_OVERRIDE")) == NULL)`
Packit Service	084de1	`ciphers_path = SYSTEM_CIPHERS_FILE;`
Packit Service	084de1	`fp = fopen(ciphers_path, "r");`
Packit Service	084de1	`if (fp == NULL \|\| fgets(buf, sizeof(buf), fp) == NULL) {`
Packit Service	084de1	`/* cannot open or file is empty */`
Packit Service	084de1	`snprintf(buf, sizeof(buf), "%s", SSL_DEFAULT_CIPHER_LIST);`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`if (fp)`
Packit Service	084de1	`fclose(fp);`
Packit Service	084de1
Packit Service	084de1	`slen = strlen(suffix);`
Packit Service	084de1	`len = strlen(buf);`
Packit Service	084de1
Packit Service	084de1	`if (buf[len - 1] == '\n') {`
Packit Service	084de1	`len--;`
Packit Service	084de1	`buf[len] = 0;`
Packit Service	084de1	`}`
Packit Service	084de1	`if (buf[len - 1] == '\r') {`
Packit Service	084de1	`len--;`
Packit Service	084de1	`buf[len] = 0;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`new_rules = OPENSSL_malloc(len + slen + 1);`
Packit Service	084de1	`if (new_rules == 0)`
Packit Service	084de1	`return NULL;`
Packit Service	084de1
Packit Service	084de1	`memcpy(new_rules, buf, len);`
Packit Service	084de1	`if (slen > 0) {`
Packit Service	084de1	`memcpy(&new_rules[len], suffix, slen);`
Packit Service	084de1	`len += slen;`
Packit Service	084de1	`}`
Packit Service	084de1	`new_rules[len] = 0;`
Packit Service	084de1
Packit Service	084de1	`return new_rules;`
Packit Service	084de1	`}`
Packit Service	084de1	`#endif`
Packit Service	084de1
Packit Service	084de1	`STACK_OF(SSL_CIPHER) ssl_create_cipher_list(const SSL_METHOD ssl_method,`
Packit Service	084de1	`STACK_OF(SSL_CIPHER) *tls13_ciphersuites,`
Packit Service	084de1	`STACK_OF(SSL_CIPHER) **cipher_list,`
Packit Service	084de1	`STACK_OF(SSL_CIPHER) **cipher_list_by_id,`
Packit Service	084de1	`const char *rule_str,`
Packit Service	084de1	`CERT *c)`
Packit Service	084de1	`{`
Packit Service	084de1	`int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases, i;`
Packit Service	084de1	`uint32_t disabled_mkey, disabled_auth, disabled_enc, disabled_mac;`
Packit Service	084de1	`STACK_OF(SSL_CIPHER) *cipherstack;`
Packit Service	084de1	`const char *rule_p;`
Packit Service	084de1	`CIPHER_ORDER co_list = NULL, head = NULL, tail = NULL, curr;`
Packit Service	084de1	`const SSL_CIPHER **ca_list = NULL;`
Packit Service	084de1	`#ifdef SYSTEM_CIPHERS_FILE`
Packit Service	084de1	`char *new_rules = NULL;`
Packit Service	084de1
Packit Service	084de1	`if (rule_str != NULL && strncmp(rule_str, "PROFILE=SYSTEM", 14) == 0) {`
Packit Service	084de1	`char *p = rule_str + 14;`
Packit Service	084de1
Packit Service	084de1	`new_rules = load_system_str(p);`
Packit Service	084de1	`rule_str = new_rules;`
Packit Service	084de1	`}`
Packit Service	084de1	`#endif`
Packit Service	084de1
Packit Service	084de1	`/*`
Packit Service	084de1	`* Return with error if nothing to do.`
Packit Service	084de1	`*/`
Packit Service	084de1	`if (rule_str == NULL \|\| cipher_list == NULL \|\| cipher_list_by_id == NULL)`
Packit Service	084de1	`goto err;`
Packit Service	084de1	`#ifndef OPENSSL_NO_EC`
Packit Service	084de1	`if (!check_suiteb_cipher_list(ssl_method, c, &rule_str))`
Packit Service	084de1	`goto err;`
Packit Service	084de1	`#endif`
Packit Service	084de1
Packit Service	084de1	`/*`
Packit Service	084de1	`* To reduce the work to do we only want to process the compiled`
Packit Service	084de1	`* in algorithms, so we first get the mask of disabled ciphers.`
Packit Service	084de1	`*/`
Packit Service	084de1
Packit Service	084de1	`disabled_mkey = disabled_mkey_mask;`
Packit Service	084de1	`disabled_auth = disabled_auth_mask;`
Packit Service	084de1	`disabled_enc = disabled_enc_mask;`
Packit Service	084de1	`disabled_mac = disabled_mac_mask;`
Packit Service	084de1
Packit Service	084de1	`/*`
Packit Service	084de1	`* Now we have to collect the available ciphers from the compiled`
Packit Service	084de1	`* in ciphers. We cannot get more than the number compiled in, so`
Packit Service	084de1	`* it is used for allocation.`
Packit Service	084de1	`*/`
Packit Service	084de1	`num_of_ciphers = ssl_method->num_ciphers();`
Packit Service	084de1
Packit Service	084de1	`co_list = OPENSSL_malloc(sizeof(co_list) num_of_ciphers);`
Packit Service	084de1	`if (co_list == NULL) {`
Packit Service	084de1	`SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE);`
Packit Service	084de1	`goto err;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,`
Packit Service	084de1	`disabled_mkey, disabled_auth, disabled_enc,`
Packit Service	084de1	`disabled_mac, co_list, &head, &tail);`
Packit Service	084de1
Packit Service	084de1	`/* Now arrange all ciphers by preference. */`
Packit Service	084de1
Packit Service	084de1	`/*`
Packit Service	084de1	`* Everything else being equal, prefer ephemeral ECDH over other key`
Packit Service	084de1	`* exchange mechanisms.`
Packit Service	084de1	`* For consistency, prefer ECDSA over RSA (though this only matters if the`
Packit Service	084de1	`* server has both certificates, and is using the DEFAULT, or a client`
Packit Service	084de1	`* preference).`
Packit Service	084de1	`*/`
Packit Service	084de1	`ssl_cipher_apply_rule(0, SSL_kECDHE, SSL_aECDSA, 0, 0, 0, 0, CIPHER_ADD,`
Packit Service	084de1	`-1, &head, &tail);`
Packit Service	084de1	`ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head,`
Packit Service	084de1	`&tail);`
Packit Service	084de1	`ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head,`
Packit Service	084de1	`&tail);`
Packit Service	084de1
Packit Service	084de1	`/* Within each strength group, we prefer GCM over CHACHA... */`
Packit Service	084de1	`ssl_cipher_apply_rule(0, 0, 0, SSL_AESGCM, 0, 0, 0, CIPHER_ADD, -1,`
Packit Service	084de1	`&head, &tail);`
Packit Service	084de1	`ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20, 0, 0, 0, CIPHER_ADD, -1,`
Packit Service	084de1	`&head, &tail);`
Packit Service	084de1
Packit Service	084de1	`/*`
Packit Service	084de1	`* ...and generally, our preferred cipher is AES.`
Packit Service	084de1	`* Note that AEADs will be bumped to take preference after sorting by`
Packit Service	084de1	`* strength.`
Packit Service	084de1	`*/`
Packit Service	084de1	`ssl_cipher_apply_rule(0, 0, 0, SSL_AES ^ SSL_AESGCM, 0, 0, 0, CIPHER_ADD,`
Packit Service	084de1	`-1, &head, &tail);`
Packit Service	084de1
Packit Service	084de1	`/* Temporarily enable everything else for sorting */`
Packit Service	084de1	`ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);`
Packit Service	084de1
Packit Service	084de1	`/* Low priority for MD5 */`
Packit Service	084de1	`ssl_cipher_apply_rule(0, 0, 0, 0, SSL_MD5, 0, 0, CIPHER_ORD, -1, &head,`
Packit Service	084de1	`&tail);`
Packit Service	084de1
Packit Service	084de1	`/*`
Packit Service	084de1	`* Move anonymous ciphers to the end. Usually, these will remain`
Packit Service	084de1	`* disabled. (For applications that allow them, they aren't too bad, but`
Packit Service	084de1	`* we prefer authenticated ciphers.)`
Packit Service	084de1	`*/`
Packit Service	084de1	`ssl_cipher_apply_rule(0, 0, SSL_aNULL, 0, 0, 0, 0, CIPHER_ORD, -1, &head,`
Packit Service	084de1	`&tail);`
Packit Service	084de1
Packit Service	084de1	`ssl_cipher_apply_rule(0, SSL_kRSA, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head,`
Packit Service	084de1	`&tail);`
Packit Service	084de1	`ssl_cipher_apply_rule(0, SSL_kPSK, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head,`
Packit Service	084de1	`&tail);`
Packit Service	084de1
Packit Service	084de1	`/* RC4 is sort-of broken -- move to the end */`
Packit Service	084de1	`ssl_cipher_apply_rule(0, 0, 0, SSL_RC4, 0, 0, 0, CIPHER_ORD, -1, &head,`
Packit Service	084de1	`&tail);`
Packit Service	084de1
Packit Service	084de1	`/*`
Packit Service	084de1	`* Now sort by symmetric encryption strength. The above ordering remains`
Packit Service	084de1	`* in force within each class`
Packit Service	084de1	`*/`
Packit Service	084de1	`if (!ssl_cipher_strength_sort(&head, &tail)) {`
Packit Service	084de1	`goto err;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`/*`
Packit Service	084de1	`* Partially overrule strength sort to prefer TLS 1.2 ciphers/PRFs.`
Packit Service	084de1	`* TODO(openssl-team): is there an easier way to accomplish all this?`
Packit Service	084de1	`*/`
Packit Service	084de1	`ssl_cipher_apply_rule(0, 0, 0, 0, 0, TLS1_2_VERSION, 0, CIPHER_BUMP, -1,`
Packit Service	084de1	`&head, &tail);`
Packit Service	084de1
Packit Service	084de1	`/*`
Packit Service	084de1	`* Irrespective of strength, enforce the following order:`
Packit Service	084de1	`* (EC)DHE + AEAD > (EC)DHE > rest of AEAD > rest.`
Packit Service	084de1	`* Within each group, ciphers remain sorted by strength and previous`
Packit Service	084de1	`* preference, i.e.,`
Packit Service	084de1	`* 1) ECDHE > DHE`
Packit Service	084de1	`* 2) GCM > CHACHA`
Packit Service	084de1	`* 3) AES > rest`
Packit Service	084de1	`* 4) TLS 1.2 > legacy`
Packit Service	084de1	`*`
Packit Service	084de1	`* Because we now bump ciphers to the top of the list, we proceed in`
Packit Service	084de1	`* reverse order of preference.`
Packit Service	084de1	`*/`
Packit Service	084de1	`ssl_cipher_apply_rule(0, 0, 0, 0, SSL_AEAD, 0, 0, CIPHER_BUMP, -1,`
Packit Service	084de1	`&head, &tail);`
Packit Service	084de1	`ssl_cipher_apply_rule(0, SSL_kDHE \| SSL_kECDHE, 0, 0, 0, 0, 0,`
Packit Service	084de1	`CIPHER_BUMP, -1, &head, &tail);`
Packit Service	084de1	`ssl_cipher_apply_rule(0, SSL_kDHE \| SSL_kECDHE, 0, 0, SSL_AEAD, 0, 0,`
Packit Service	084de1	`CIPHER_BUMP, -1, &head, &tail);`
Packit Service	084de1
Packit Service	084de1	`/* Now disable everything (maintaining the ordering!) */`
Packit Service	084de1	`ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail);`
Packit Service	084de1
Packit Service	084de1	`/*`
Packit Service	084de1	`* We also need cipher aliases for selecting based on the rule_str.`
Packit Service	084de1	`* There might be two types of entries in the rule_str: 1) names`
Packit Service	084de1	`* of ciphers themselves 2) aliases for groups of ciphers.`
Packit Service	084de1	`* For 1) we need the available ciphers and for 2) the cipher`
Packit Service	084de1	`* groups of cipher_aliases added together in one list (otherwise`
Packit Service	084de1	`* we would be happy with just the cipher_aliases table).`
Packit Service	084de1	`*/`
Packit Service	084de1	`num_of_group_aliases = OSSL_NELEM(cipher_aliases);`
Packit Service	084de1	`num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;`
Packit Service	084de1	`ca_list = OPENSSL_malloc(sizeof(ca_list) num_of_alias_max);`
Packit Service	084de1	`if (ca_list == NULL) {`
Packit Service	084de1	`SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE);`
Packit Service	084de1	`goto err;`
Packit Service	084de1	`}`
Packit Service	084de1	`ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,`
Packit Service	084de1	`disabled_mkey, disabled_auth, disabled_enc,`
Packit Service	084de1	`disabled_mac, head);`
Packit Service	084de1
Packit Service	084de1	`/*`
Packit Service	084de1	`* If the rule_string begins with DEFAULT, apply the default rule`
Packit Service	084de1	`* before using the (possibly available) additional rules.`
Packit Service	084de1	`*/`
Packit Service	084de1	`ok = 1;`
Packit Service	084de1	`rule_p = rule_str;`
Packit Service	084de1	`if (strncmp(rule_str, "DEFAULT", 7) == 0) {`
Packit Service	084de1	`ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST,`
Packit Service	084de1	`&head, &tail, ca_list, c);`
Packit Service	084de1	`rule_p += 7;`
Packit Service	084de1	`if (*rule_p == ':')`
Packit Service	084de1	`rule_p++;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`if (ok && (strlen(rule_p) > 0))`
Packit Service	084de1	`ok = ssl_cipher_process_rulestr(rule_p, &head, &tail, ca_list, c);`
Packit Service	084de1
Packit Service	084de1	`OPENSSL_free(ca_list); /* Not needed anymore */`
Packit Service	084de1
Packit Service	084de1	`if (!ok) { /* Rule processing failure */`
Packit Service	084de1	`goto err;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`/*`
Packit Service	084de1	`* Allocate new "cipherstack" for the result, return with error`
Packit Service	084de1	`* if we cannot get one.`
Packit Service	084de1	`*/`
Packit Service	084de1	`if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {`
Packit Service	084de1	`goto err;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`#ifdef SYSTEM_CIPHERS_FILE`
Packit Service	084de1	`OPENSSL_free(new_rules); /* Not needed anymore */`
Packit Service	084de1	`#endif`
Packit Service	084de1
Packit Service	084de1	`/* Add TLSv1.3 ciphers first - we always prefer those if possible */`
Packit Service	084de1	`for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {`
Packit Service	084de1	`if (!sk_SSL_CIPHER_push(cipherstack,`
Packit Service	084de1	`sk_SSL_CIPHER_value(tls13_ciphersuites, i))) {`
Packit Service	084de1	`OPENSSL_free(co_list);`
Packit Service	084de1	`sk_SSL_CIPHER_free(cipherstack);`
Packit Service	084de1	`return NULL;`
Packit Service	084de1	`}`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`/*`
Packit Service	084de1	`* The cipher selection for the list is done. The ciphers are added`
Packit Service	084de1	`* to the resulting precedence to the STACK_OF(SSL_CIPHER).`
Packit Service	084de1	`*/`
Packit Service	084de1	`for (curr = head; curr != NULL; curr = curr->next) {`
Packit Service	084de1	`if (curr->active`
Packit Service	084de1	`&& (!FIPS_mode() \|\| curr->cipher->algo_strength & SSL_FIPS)) {`
Packit Service	084de1	`if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) {`
Packit Service	084de1	`OPENSSL_free(co_list);`
Packit Service	084de1	`sk_SSL_CIPHER_free(cipherstack);`
Packit Service	084de1	`return NULL;`
Packit Service	084de1	`}`
Packit Service	084de1	`#ifdef CIPHER_DEBUG`
Packit Service	084de1	`fprintf(stderr, "<%s>\n", curr->cipher->name);`
Packit Service	084de1	`#endif`
Packit Service	084de1	`}`
Packit Service	084de1	`}`
Packit Service	084de1	`OPENSSL_free(co_list); /* Not needed any longer */`
Packit Service	084de1
Packit Service	084de1	`if (!update_cipher_list_by_id(cipher_list_by_id, cipherstack)) {`
Packit Service	084de1	`sk_SSL_CIPHER_free(cipherstack);`
Packit Service	084de1	`return NULL;`
Packit Service	084de1	`}`
Packit Service	084de1	`sk_SSL_CIPHER_free(*cipher_list);`
Packit Service	084de1	`*cipher_list = cipherstack;`
Packit Service	084de1
Packit Service	084de1	`return cipherstack;`
Packit Service	084de1
Packit Service	084de1	`err:`
Packit Service	084de1	`OPENSSL_free(co_list);`
Packit Service	084de1	`#ifdef SYSTEM_CIPHERS_FILE`
Packit Service	084de1	`OPENSSL_free(new_rules);`
Packit Service	084de1	`#endif`
Packit Service	084de1	`return NULL;`
Packit Service	084de1
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`char SSL_CIPHER_description(const SSL_CIPHER cipher, char *buf, int len)`
Packit Service	084de1	`{`
Packit Service	084de1	`const char *ver;`
Packit Service	084de1	`const char kx, au, enc, mac;`
Packit Service	084de1	`uint32_t alg_mkey, alg_auth, alg_enc, alg_mac;`
Packit Service	084de1	`static const char *format = "%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s\n";`
Packit Service	084de1
Packit Service	084de1	`if (buf == NULL) {`
Packit Service	084de1	`len = 128;`
Packit Service	084de1	`if ((buf = OPENSSL_malloc(len)) == NULL) {`
Packit Service	084de1	`SSLerr(SSL_F_SSL_CIPHER_DESCRIPTION, ERR_R_MALLOC_FAILURE);`
Packit Service	084de1	`return NULL;`
Packit Service	084de1	`}`
Packit Service	084de1	`} else if (len < 128) {`
Packit Service	084de1	`return NULL;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`alg_mkey = cipher->algorithm_mkey;`
Packit Service	084de1	`alg_auth = cipher->algorithm_auth;`
Packit Service	084de1	`alg_enc = cipher->algorithm_enc;`
Packit Service	084de1	`alg_mac = cipher->algorithm_mac;`
Packit Service	084de1
Packit Service	084de1	`ver = ssl_protocol_to_string(cipher->min_tls);`
Packit Service	084de1
Packit Service	084de1	`switch (alg_mkey) {`
Packit Service	084de1	`case SSL_kRSA:`
Packit Service	084de1	`kx = "RSA";`
Packit Service	084de1	`break;`
Packit Service	084de1	`case SSL_kDHE:`
Packit Service	084de1	`kx = "DH";`
Packit Service	084de1	`break;`
Packit Service	084de1	`case SSL_kECDHE:`
Packit Service	084de1	`kx = "ECDH";`
Packit Service	084de1	`break;`
Packit Service	084de1	`case SSL_kPSK:`
Packit Service	084de1	`kx = "PSK";`
Packit Service	084de1	`break;`
Packit Service	084de1	`case SSL_kRSAPSK:`
Packit Service	084de1	`kx = "RSAPSK";`
Packit Service	084de1	`break;`
Packit Service	084de1	`case SSL_kECDHEPSK:`
Packit Service	084de1	`kx = "ECDHEPSK";`
Packit Service	084de1	`break;`
Packit Service	084de1	`case SSL_kDHEPSK:`
Packit Service	084de1	`kx = "DHEPSK";`
Packit Service	084de1	`break;`
Packit Service	084de1	`case SSL_kSRP:`
Packit Service	084de1	`kx = "SRP";`
Packit Service	084de1	`break;`
Packit Service	084de1	`case SSL_kGOST:`
Packit Service	084de1	`kx = "GOST";`
Packit Service	084de1	`break;`
Packit Service	084de1	`case SSL_kANY:`
Packit Service	084de1	`kx = "any";`
Packit Service	084de1	`break;`
Packit Service	084de1	`default:`
Packit Service	084de1	`kx = "unknown";`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`switch (alg_auth) {`
Packit Service	084de1	`case SSL_aRSA:`
Packit Service	084de1	`au = "RSA";`
Packit Service	084de1	`break;`
Packit Service	084de1	`case SSL_aDSS:`
Packit Service	084de1	`au = "DSS";`
Packit Service	084de1	`break;`
Packit Service	084de1	`case SSL_aNULL:`
Packit Service	084de1	`au = "None";`
Packit Service	084de1	`break;`
Packit Service	084de1	`case SSL_aECDSA:`
Packit Service	084de1	`au = "ECDSA";`
Packit Service	084de1	`break;`
Packit Service	084de1	`case SSL_aPSK:`
Packit Service	084de1	`au = "PSK";`
Packit Service	084de1	`break;`
Packit Service	084de1	`case SSL_aSRP:`
Packit Service	084de1	`au = "SRP";`
Packit Service	084de1	`break;`
Packit Service	084de1	`case SSL_aGOST01:`
Packit Service	084de1	`au = "GOST01";`
Packit Service	084de1	`break;`
Packit Service	084de1	`/* New GOST ciphersuites have both SSL_aGOST12 and SSL_aGOST01 bits */`
Packit Service	084de1	`case (SSL_aGOST12 \| SSL_aGOST01):`
Packit Service	084de1	`au = "GOST12";`
Packit Service	084de1	`break;`
Packit Service	084de1	`case SSL_aANY:`
Packit Service	084de1	`au = "any";`
Packit Service	084de1	`break;`
Packit Service	084de1	`default:`
Packit Service	084de1	`au = "unknown";`
Packit Service	084de1	`break;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`switch (alg_enc) {`
Packit Service	084de1	`case SSL_DES:`
Packit Service	084de1	`enc = "DES(56)";`
Packit Service	084de1	`break;`
Packit Service	084de1	`case SSL_3DES:`
Packit Service	084de1	`enc = "3DES(168)";`
Packit Service	084de1	`break;`
Packit Service	084de1	`case SSL_RC4:`
Packit Service	084de1	`enc = "RC4(128)";`
Packit Service	084de1	`break;`
Packit Service	084de1	`case SSL_RC2:`
Packit Service	084de1	`enc = "RC2(128)";`
Packit Service	084de1	`break;`
Packit Service	084de1	`case SSL_IDEA:`
Packit Service	084de1	`enc = "IDEA(128)";`
Packit Service	084de1	`break;`
Packit Service	084de1	`case SSL_eNULL:`
Packit Service	084de1	`enc = "None";`
Packit Service	084de1	`break;`
Packit Service	084de1	`case SSL_AES128:`
Packit Service	084de1	`enc = "AES(128)";`
Packit Service	084de1	`break;`
Packit Service	084de1	`case SSL_AES256:`
Packit Service	084de1	`enc = "AES(256)";`
Packit Service	084de1	`break;`
Packit Service	084de1	`case SSL_AES128GCM:`
Packit Service	084de1	`enc = "AESGCM(128)";`
Packit Service	084de1	`break;`
Packit Service	084de1	`case SSL_AES256GCM:`
Packit Service	084de1	`enc = "AESGCM(256)";`
Packit Service	084de1	`break;`
Packit Service	084de1	`case SSL_AES128CCM:`
Packit Service	084de1	`enc = "AESCCM(128)";`
Packit Service	084de1	`break;`
Packit Service	084de1	`case SSL_AES256CCM:`
Packit Service	084de1	`enc = "AESCCM(256)";`
Packit Service	084de1	`break;`
Packit Service	084de1	`case SSL_AES128CCM8:`
Packit Service	084de1	`enc = "AESCCM8(128)";`
Packit Service	084de1	`break;`
Packit Service	084de1	`case SSL_AES256CCM8:`
Packit Service	084de1	`enc = "AESCCM8(256)";`
Packit Service	084de1	`break;`
Packit Service	084de1	`case SSL_CAMELLIA128:`
Packit Service	084de1	`enc = "Camellia(128)";`
Packit Service	084de1	`break;`
Packit Service	084de1	`case SSL_CAMELLIA256:`
Packit Service	084de1	`enc = "Camellia(256)";`
Packit Service	084de1	`break;`
Packit Service	084de1	`case SSL_ARIA128GCM:`
Packit Service	084de1	`enc = "ARIAGCM(128)";`
Packit Service	084de1	`break;`
Packit Service	084de1	`case SSL_ARIA256GCM:`
Packit Service	084de1	`enc = "ARIAGCM(256)";`
Packit Service	084de1	`break;`
Packit Service	084de1	`case SSL_SEED:`
Packit Service	084de1	`enc = "SEED(128)";`
Packit Service	084de1	`break;`
Packit Service	084de1	`case SSL_eGOST2814789CNT:`
Packit Service	084de1	`case SSL_eGOST2814789CNT12:`
Packit Service	084de1	`enc = "GOST89(256)";`
Packit Service	084de1	`break;`
Packit Service	084de1	`case SSL_CHACHA20POLY1305:`
Packit Service	084de1	`enc = "CHACHA20/POLY1305(256)";`
Packit Service	084de1	`break;`
Packit Service	084de1	`default:`
Packit Service	084de1	`enc = "unknown";`
Packit Service	084de1	`break;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`switch (alg_mac) {`
Packit Service	084de1	`case SSL_MD5:`
Packit Service	084de1	`mac = "MD5";`
Packit Service	084de1	`break;`
Packit Service	084de1	`case SSL_SHA1:`
Packit Service	084de1	`mac = "SHA1";`
Packit Service	084de1	`break;`
Packit Service	084de1	`case SSL_SHA256:`
Packit Service	084de1	`mac = "SHA256";`
Packit Service	084de1	`break;`
Packit Service	084de1	`case SSL_SHA384:`
Packit Service	084de1	`mac = "SHA384";`
Packit Service	084de1	`break;`
Packit Service	084de1	`case SSL_AEAD:`
Packit Service	084de1	`mac = "AEAD";`
Packit Service	084de1	`break;`
Packit Service	084de1	`case SSL_GOST89MAC:`
Packit Service	084de1	`case SSL_GOST89MAC12:`
Packit Service	084de1	`mac = "GOST89";`
Packit Service	084de1	`break;`
Packit Service	084de1	`case SSL_GOST94:`
Packit Service	084de1	`mac = "GOST94";`
Packit Service	084de1	`break;`
Packit Service	084de1	`case SSL_GOST12_256:`
Packit Service	084de1	`case SSL_GOST12_512:`
Packit Service	084de1	`mac = "GOST2012";`
Packit Service	084de1	`break;`
Packit Service	084de1	`default:`
Packit Service	084de1	`mac = "unknown";`
Packit Service	084de1	`break;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`BIO_snprintf(buf, len, format, cipher->name, ver, kx, au, enc, mac);`
Packit Service	084de1
Packit Service	084de1	`return buf;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`const char SSL_CIPHER_get_version(const SSL_CIPHER c)`
Packit Service	084de1	`{`
Packit Service	084de1	`if (c == NULL)`
Packit Service	084de1	`return "(NONE)";`
Packit Service	084de1
Packit Service	084de1	`/*`
Packit Service	084de1	`* Backwards-compatibility crutch. In almost all contexts we report TLS`
Packit Service	084de1	`* 1.0 as "TLSv1", but for ciphers we report "TLSv1.0".`
Packit Service	084de1	`*/`
Packit Service	084de1	`if (c->min_tls == TLS1_VERSION)`
Packit Service	084de1	`return "TLSv1.0";`
Packit Service	084de1	`return ssl_protocol_to_string(c->min_tls);`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`/* return the actual cipher being used */`
Packit Service	084de1	`const char SSL_CIPHER_get_name(const SSL_CIPHER c)`
Packit Service	084de1	`{`
Packit Service	084de1	`if (c != NULL)`
Packit Service	084de1	`return c->name;`
Packit Service	084de1	`return "(NONE)";`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`/* return the actual cipher being used in RFC standard name */`
Packit Service	084de1	`const char SSL_CIPHER_standard_name(const SSL_CIPHER c)`
Packit Service	084de1	`{`
Packit Service	084de1	`if (c != NULL)`
Packit Service	084de1	`return c->stdname;`
Packit Service	084de1	`return "(NONE)";`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`/* return the OpenSSL name based on given RFC standard name */`
Packit Service	084de1	`const char OPENSSL_cipher_name(const char stdname)`
Packit Service	084de1	`{`
Packit Service	084de1	`const SSL_CIPHER *c;`
Packit Service	084de1
Packit Service	084de1	`if (stdname == NULL)`
Packit Service	084de1	`return "(NONE)";`
Packit Service	084de1	`c = ssl3_get_cipher_by_std_name(stdname);`
Packit Service	084de1	`return SSL_CIPHER_get_name(c);`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`/* number of bits for symmetric cipher */`
Packit Service	084de1	`int SSL_CIPHER_get_bits(const SSL_CIPHER c, int alg_bits)`
Packit Service	084de1	`{`
Packit Service	084de1	`int ret = 0;`
Packit Service	084de1
Packit Service	084de1	`if (c != NULL) {`
Packit Service	084de1	`if (alg_bits != NULL)`
Packit Service	084de1	`*alg_bits = (int)c->alg_bits;`
Packit Service	084de1	`ret = (int)c->strength_bits;`
Packit Service	084de1	`}`
Packit Service	084de1	`return ret;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *c)`
Packit Service	084de1	`{`
Packit Service	084de1	`return c->id;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`uint16_t SSL_CIPHER_get_protocol_id(const SSL_CIPHER *c)`
Packit Service	084de1	`{`
Packit Service	084de1	`return c->id & 0xFFFF;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`SSL_COMP ssl3_comp_find(STACK_OF(SSL_COMP) sk, int n)`
Packit Service	084de1	`{`
Packit Service	084de1	`SSL_COMP *ctmp;`
Packit Service	084de1	`int i, nn;`
Packit Service	084de1
Packit Service	084de1	`if ((n == 0) \|\| (sk == NULL))`
Packit Service	084de1	`return NULL;`
Packit Service	084de1	`nn = sk_SSL_COMP_num(sk);`
Packit Service	084de1	`for (i = 0; i < nn; i++) {`
Packit Service	084de1	`ctmp = sk_SSL_COMP_value(sk, i);`
Packit Service	084de1	`if (ctmp->id == n)`
Packit Service	084de1	`return ctmp;`
Packit Service	084de1	`}`
Packit Service	084de1	`return NULL;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`#ifdef OPENSSL_NO_COMP`
Packit Service	084de1	`STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void)`
Packit Service	084de1	`{`
Packit Service	084de1	`return NULL;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`STACK_OF(SSL_COMP) *SSL_COMP_set0_compression_methods(STACK_OF(SSL_COMP)`
Packit Service	084de1	`*meths)`
Packit Service	084de1	`{`
Packit Service	084de1	`return meths;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm)`
Packit Service	084de1	`{`
Packit Service	084de1	`return 1;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`#else`
Packit Service	084de1	`STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void)`
Packit Service	084de1	`{`
Packit Service	084de1	`load_builtin_compressions();`
Packit Service	084de1	`return ssl_comp_methods;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`STACK_OF(SSL_COMP) *SSL_COMP_set0_compression_methods(STACK_OF(SSL_COMP)`
Packit Service	084de1	`*meths)`
Packit Service	084de1	`{`
Packit Service	084de1	`STACK_OF(SSL_COMP) *old_meths = ssl_comp_methods;`
Packit Service	084de1	`ssl_comp_methods = meths;`
Packit Service	084de1	`return old_meths;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`static void cmeth_free(SSL_COMP *cm)`
Packit Service	084de1	`{`
Packit Service	084de1	`OPENSSL_free(cm);`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`void ssl_comp_free_compression_methods_int(void)`
Packit Service	084de1	`{`
Packit Service	084de1	`STACK_OF(SSL_COMP) *old_meths = ssl_comp_methods;`
Packit Service	084de1	`ssl_comp_methods = NULL;`
Packit Service	084de1	`sk_SSL_COMP_pop_free(old_meths, cmeth_free);`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm)`
Packit Service	084de1	`{`
Packit Service	084de1	`SSL_COMP *comp;`
Packit Service	084de1
Packit Service	084de1	`if (cm == NULL \|\| COMP_get_type(cm) == NID_undef)`
Packit Service	084de1	`return 1;`
Packit Service	084de1
Packit Service	084de1	`/*-`
Packit Service	084de1	`* According to draft-ietf-tls-compression-04.txt, the`
Packit Service	084de1	`* compression number ranges should be the following:`
Packit Service	084de1	`*`
Packit Service	084de1	`* 0 to 63: methods defined by the IETF`
Packit Service	084de1	`* 64 to 192: external party methods assigned by IANA`
Packit Service	084de1	`* 193 to 255: reserved for private use`
Packit Service	084de1	`*/`
Packit Service	084de1	`if (id < 193 \|\| id > 255) {`
Packit Service	084de1	`SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,`
Packit Service	084de1	`SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE);`
Packit Service	084de1	`return 1;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_DISABLE);`
Packit Service	084de1	`comp = OPENSSL_malloc(sizeof(*comp));`
Packit Service	084de1	`if (comp == NULL) {`
Packit Service	084de1	`CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ENABLE);`
Packit Service	084de1	`SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD, ERR_R_MALLOC_FAILURE);`
Packit Service	084de1	`return 1;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`comp->id = id;`
Packit Service	084de1	`comp->method = cm;`
Packit Service	084de1	`load_builtin_compressions();`
Packit Service	084de1	`if (ssl_comp_methods && sk_SSL_COMP_find(ssl_comp_methods, comp) >= 0) {`
Packit Service	084de1	`OPENSSL_free(comp);`
Packit Service	084de1	`CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ENABLE);`
Packit Service	084de1	`SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,`
Packit Service	084de1	`SSL_R_DUPLICATE_COMPRESSION_ID);`
Packit Service	084de1	`return 1;`
Packit Service	084de1	`}`
Packit Service	084de1	`if (ssl_comp_methods == NULL \|\| !sk_SSL_COMP_push(ssl_comp_methods, comp)) {`
Packit Service	084de1	`OPENSSL_free(comp);`
Packit Service	084de1	`CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ENABLE);`
Packit Service	084de1	`SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD, ERR_R_MALLOC_FAILURE);`
Packit Service	084de1	`return 1;`
Packit Service	084de1	`}`
Packit Service	084de1	`CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ENABLE);`
Packit Service	084de1	`return 0;`
Packit Service	084de1	`}`
Packit Service	084de1	`#endif`
Packit Service	084de1
Packit Service	084de1	`const char SSL_COMP_get_name(const COMP_METHOD comp)`
Packit Service	084de1	`{`
Packit Service	084de1	`#ifndef OPENSSL_NO_COMP`
Packit Service	084de1	`return comp ? COMP_get_name(comp) : NULL;`
Packit Service	084de1	`#else`
Packit Service	084de1	`return NULL;`
Packit Service	084de1	`#endif`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`const char SSL_COMP_get0_name(const SSL_COMP comp)`
Packit Service	084de1	`{`
Packit Service	084de1	`#ifndef OPENSSL_NO_COMP`
Packit Service	084de1	`return comp->name;`
Packit Service	084de1	`#else`
Packit Service	084de1	`return NULL;`
Packit Service	084de1	`#endif`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`int SSL_COMP_get_id(const SSL_COMP *comp)`
Packit Service	084de1	`{`
Packit Service	084de1	`#ifndef OPENSSL_NO_COMP`
Packit Service	084de1	`return comp->id;`
Packit Service	084de1	`#else`
Packit Service	084de1	`return -1;`
Packit Service	084de1	`#endif`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`const SSL_CIPHER ssl_get_cipher_by_char(SSL ssl, const unsigned char *ptr,`
Packit Service	084de1	`int all)`
Packit Service	084de1	`{`
Packit Service	084de1	`const SSL_CIPHER *c = ssl->method->get_cipher_by_char(ptr);`
Packit Service	084de1
Packit Service	084de1	`if (c == NULL \|\| (!all && c->valid == 0))`
Packit Service	084de1	`return NULL;`
Packit Service	084de1	`return c;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`const SSL_CIPHER SSL_CIPHER_find(SSL ssl, const unsigned char *ptr)`
Packit Service	084de1	`{`
Packit Service	084de1	`return ssl->method->get_cipher_by_char(ptr);`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`int SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *c)`
Packit Service	084de1	`{`
Packit Service	084de1	`int i;`
Packit Service	084de1	`if (c == NULL)`
Packit Service	084de1	`return NID_undef;`
Packit Service	084de1	`i = ssl_cipher_info_lookup(ssl_cipher_table_cipher, c->algorithm_enc);`
Packit Service	084de1	`if (i == -1)`
Packit Service	084de1	`return NID_undef;`
Packit Service	084de1	`return ssl_cipher_table_cipher[i].nid;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`int SSL_CIPHER_get_digest_nid(const SSL_CIPHER *c)`
Packit Service	084de1	`{`
Packit Service	084de1	`int i = ssl_cipher_info_lookup(ssl_cipher_table_mac, c->algorithm_mac);`
Packit Service	084de1
Packit Service	084de1	`if (i == -1)`
Packit Service	084de1	`return NID_undef;`
Packit Service	084de1	`return ssl_cipher_table_mac[i].nid;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *c)`
Packit Service	084de1	`{`
Packit Service	084de1	`int i = ssl_cipher_info_lookup(ssl_cipher_table_kx, c->algorithm_mkey);`
Packit Service	084de1
Packit Service	084de1	`if (i == -1)`
Packit Service	084de1	`return NID_undef;`
Packit Service	084de1	`return ssl_cipher_table_kx[i].nid;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`int SSL_CIPHER_get_auth_nid(const SSL_CIPHER *c)`
Packit Service	084de1	`{`
Packit Service	084de1	`int i = ssl_cipher_info_lookup(ssl_cipher_table_auth, c->algorithm_auth);`
Packit Service	084de1
Packit Service	084de1	`if (i == -1)`
Packit Service	084de1	`return NID_undef;`
Packit Service	084de1	`return ssl_cipher_table_auth[i].nid;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`const EVP_MD SSL_CIPHER_get_handshake_digest(const SSL_CIPHER c)`
Packit Service	084de1	`{`
Packit Service	084de1	`int idx = c->algorithm2 & SSL_HANDSHAKE_MAC_MASK;`
Packit Service	084de1
Packit Service	084de1	`if (idx < 0 \|\| idx >= SSL_MD_NUM_IDX)`
Packit Service	084de1	`return NULL;`
Packit Service	084de1	`return ssl_digest_methods[idx];`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`int SSL_CIPHER_is_aead(const SSL_CIPHER *c)`
Packit Service	084de1	`{`
Packit Service	084de1	`return (c->algorithm_mac & SSL_AEAD) ? 1 : 0;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`int ssl_cipher_get_overhead(const SSL_CIPHER c, size_t mac_overhead,`
Packit Service	084de1	`size_t int_overhead, size_t blocksize,`
Packit Service	084de1	`size_t *ext_overhead)`
Packit Service	084de1	`{`
Packit Service	084de1	`size_t mac = 0, in = 0, blk = 0, out = 0;`
Packit Service	084de1
Packit Service	084de1	`/* Some hard-coded numbers for the CCM/Poly1305 MAC overhead`
Packit Service	084de1	`* because there are no handy #defines for those. */`
Packit Service	084de1	`if (c->algorithm_enc & (SSL_AESGCM \| SSL_ARIAGCM)) {`
Packit Service	084de1	`out = EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;`
Packit Service	084de1	`} else if (c->algorithm_enc & (SSL_AES128CCM \| SSL_AES256CCM)) {`
Packit Service	084de1	`out = EVP_CCM_TLS_EXPLICIT_IV_LEN + 16;`
Packit Service	084de1	`} else if (c->algorithm_enc & (SSL_AES128CCM8 \| SSL_AES256CCM8)) {`
Packit Service	084de1	`out = EVP_CCM_TLS_EXPLICIT_IV_LEN + 8;`
Packit Service	084de1	`} else if (c->algorithm_enc & SSL_CHACHA20POLY1305) {`
Packit Service	084de1	`out = 16;`
Packit Service	084de1	`} else if (c->algorithm_mac & SSL_AEAD) {`
Packit Service	084de1	`/* We're supposed to have handled all the AEAD modes above */`
Packit Service	084de1	`return 0;`
Packit Service	084de1	`} else {`
Packit Service	084de1	`/* Non-AEAD modes. Calculate MAC/cipher overhead separately */`
Packit Service	084de1	`int digest_nid = SSL_CIPHER_get_digest_nid(c);`
Packit Service	084de1	`const EVP_MD *e_md = EVP_get_digestbynid(digest_nid);`
Packit Service	084de1
Packit Service	084de1	`if (e_md == NULL)`
Packit Service	084de1	`return 0;`
Packit Service	084de1
Packit Service	084de1	`mac = EVP_MD_size(e_md);`
Packit Service	084de1	`if (c->algorithm_enc != SSL_eNULL) {`
Packit Service	084de1	`int cipher_nid = SSL_CIPHER_get_cipher_nid(c);`
Packit Service	084de1	`const EVP_CIPHER *e_ciph = EVP_get_cipherbynid(cipher_nid);`
Packit Service	084de1
Packit Service	084de1	`/* If it wasn't AEAD or SSL_eNULL, we expect it to be a`
Packit Service	084de1	`known CBC cipher. */`
Packit Service	084de1	`if (e_ciph == NULL \|\|`
Packit Service	084de1	`EVP_CIPHER_mode(e_ciph) != EVP_CIPH_CBC_MODE)`
Packit Service	084de1	`return 0;`
Packit Service	084de1
Packit Service	084de1	`in = 1; /* padding length byte */`
Packit Service	084de1	`out = EVP_CIPHER_iv_length(e_ciph);`
Packit Service	084de1	`blk = EVP_CIPHER_block_size(e_ciph);`
Packit Service	084de1	`}`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`*mac_overhead = mac;`
Packit Service	084de1	`*int_overhead = in;`
Packit Service	084de1	`*blocksize = blk;`
Packit Service	084de1	`*ext_overhead = out;`
Packit Service	084de1
Packit Service	084de1	`return 1;`
Packit Service	084de1	`}`
Packit Service	084de1
Packit Service	084de1	`int ssl_cert_is_disabled(size_t idx)`
Packit Service	084de1	`{`
Packit Service	084de1	`const SSL_CERT_LOOKUP *cl = ssl_cert_lookup_by_idx(idx);`
Packit Service	084de1
Packit Service	084de1	`if (cl == NULL \|\| (cl->amask & disabled_auth_mask) != 0)`
Packit Service	084de1	`return 1;`
Packit Service	084de1	`return 0;`
Packit Service	084de1	`}`

source-git / openssl

Source Code

Blame ssl/ssl_ciph.c