Add support for new TLS export ciphersuites.
diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
index d1f49e5..a4d0f1c 100644
--- a/ssl/s23_srvr.c
+++ b/ssl/s23_srvr.c
@@ -290,7 +290,7 @@
for (j=0; j<sk_num(sk); j++)
{
c=(SSL_CIPHER *)sk_value(sk,j);
- if (!(c->algorithms & SSL_EXP))
+ if (!SSL_C_IS_EXPORT(c))
{
if ((c->id>>24L) == 2L)
ne2=1;
diff --git a/ssl/s2_clnt.c b/ssl/s2_clnt.c
index bbac33c..33112ee 100644
--- a/ssl/s2_clnt.c
+++ b/ssl/s2_clnt.c
@@ -568,7 +568,7 @@
if (sess->cipher->algorithm2 & SSL2_CF_8_BYTE_ENC)
enc=8;
- else if (sess->cipher->algorithms & SSL_EXP)
+ else if (SSL_C_IS_EXPORT(sess->cipher))
enc=5;
else
enc=i;
diff --git a/ssl/s2_lib.c b/ssl/s2_lib.c
index 12b8458..282d8bd 100644
--- a/ssl/s2_lib.c
+++ b/ssl/s2_lib.c
@@ -78,7 +78,7 @@
1,
SSL2_TXT_NULL_WITH_MD5,
SSL2_CK_NULL_WITH_MD5,
- SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5|SSL_EXP|SSL_SSLV2,
+ SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5|SSL_EXP40|SSL_SSLV2,
0,
SSL_ALL_CIPHERS,
},
@@ -88,7 +88,7 @@
1,
SSL2_TXT_RC4_128_EXPORT40_WITH_MD5,
SSL2_CK_RC4_128_EXPORT40_WITH_MD5,
- SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_EXP|SSL_SSLV2,
+ SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_EXP40|SSL_SSLV2,
SSL2_CF_5_BYTE_ENC,
SSL_ALL_CIPHERS,
},
@@ -97,7 +97,7 @@
1,
SSL2_TXT_RC4_128_WITH_MD5,
SSL2_CK_RC4_128_WITH_MD5,
- SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_NOT_EXP|SSL_SSLV2|SSL_MEDIUM,
+ SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|_SSL_NOT_EXP|SSL_SSLV2|SSL_MEDIUM,
0,
SSL_ALL_CIPHERS,
},
@@ -106,7 +106,7 @@
1,
SSL2_TXT_RC2_128_CBC_EXPORT40_WITH_MD5,
SSL2_CK_RC2_128_CBC_EXPORT40_WITH_MD5,
- SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_EXP|SSL_SSLV2,
+ SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_EXP40|SSL_SSLV2,
SSL2_CF_5_BYTE_ENC,
SSL_ALL_CIPHERS,
},
@@ -115,7 +115,7 @@
1,
SSL2_TXT_RC2_128_CBC_WITH_MD5,
SSL2_CK_RC2_128_CBC_WITH_MD5,
- SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_NOT_EXP|SSL_SSLV2|SSL_MEDIUM,
+ SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|_SSL_NOT_EXP|SSL_SSLV2|SSL_MEDIUM,
0,
SSL_ALL_CIPHERS,
},
@@ -124,7 +124,7 @@
1,
SSL2_TXT_IDEA_128_CBC_WITH_MD5,
SSL2_CK_IDEA_128_CBC_WITH_MD5,
- SSL_kRSA|SSL_aRSA|SSL_IDEA|SSL_MD5|SSL_NOT_EXP|SSL_SSLV2|SSL_MEDIUM,
+ SSL_kRSA|SSL_aRSA|SSL_IDEA|SSL_MD5|_SSL_NOT_EXP|SSL_SSLV2|SSL_MEDIUM,
0,
SSL_ALL_CIPHERS,
},
@@ -133,7 +133,7 @@
1,
SSL2_TXT_DES_64_CBC_WITH_MD5,
SSL2_CK_DES_64_CBC_WITH_MD5,
- SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5|SSL_NOT_EXP|SSL_SSLV2|SSL_LOW,
+ SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5|_SSL_NOT_EXP|SSL_SSLV2|SSL_LOW,
0,
SSL_ALL_CIPHERS,
},
@@ -142,7 +142,7 @@
1,
SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5,
SSL2_CK_DES_192_EDE3_CBC_WITH_MD5,
- SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5|SSL_NOT_EXP|SSL_SSLV2|SSL_HIGH,
+ SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5|_SSL_NOT_EXP|SSL_SSLV2|SSL_HIGH,
0,
SSL_ALL_CIPHERS,
},
diff --git a/ssl/s2_srvr.c b/ssl/s2_srvr.c
index 814e38f..73c19af 100644
--- a/ssl/s2_srvr.c
+++ b/ssl/s2_srvr.c
@@ -401,7 +401,7 @@
&(p[s->s2->tmp.clear]),&(p[s->s2->tmp.clear]),
(s->s2->ssl2_rollback)?RSA_SSLV23_PADDING:RSA_PKCS1_PADDING);
- export=(s->session->cipher->algorithms & SSL_EXP)?1:0;
+ export=SSL_C_IS_EXPORT(s->session->cipher);
if (!ssl_cipher_get_evp(s->session,&c,&md,NULL))
{
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index b2649ed..cb63a9f 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1689,12 +1689,13 @@
#endif
#endif
- if ((algs & SSL_EXP) && !has_bits(i,EVP_PKT_EXP))
+ if (SSL_IS_EXPORT(algs) && !has_bits(i,EVP_PKT_EXP))
{
#ifndef NO_RSA
if (algs & SSL_kRSA)
{
- if ((rsa == NULL) || (RSA_size(rsa) > 512))
+ if (rsa == NULL
+ || RSA_size(rsa) > SSL_EXPORT_PKEYLENGTH(algs))
{
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_RSA_KEY);
goto f_err;
@@ -1704,8 +1705,9 @@
#endif
#ifndef NO_DH
if (algs & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
- {
- if ((dh == NULL) || (DH_size(dh) > 512))
+ {
+ if (dh == NULL
+ || DH_size(dh) > SSL_EXPORT_PKEYLENGTH(algs))
{
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_DH_KEY);
goto f_err;
diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
index a655e12..d79d927 100644
--- a/ssl/s3_enc.c
+++ b/ssl/s3_enc.c
@@ -141,7 +141,7 @@
MD5_CTX md;
int exp,n,i,j,k,cl;
- exp=(s->s3->tmp.new_cipher->algorithms & SSL_EXPORT)?1:0;
+ exp=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
c=s->s3->tmp.new_sym_enc;
m=s->s3->tmp.new_hash;
if (s->s3->tmp.new_compression == NULL)
@@ -213,7 +213,8 @@
p=s->s3->tmp.key_block;
i=EVP_MD_size(m);
cl=EVP_CIPHER_key_length(c);
- j=exp ? (cl < 5 ? cl : 5) : cl;
+ j=exp ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
+ cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
/* Was j=(exp)?5:EVP_CIPHER_key_length(c); */
k=EVP_CIPHER_iv_length(c);
if ( (which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
@@ -283,7 +284,7 @@
unsigned char *p;
EVP_CIPHER *c;
EVP_MD *hash;
- int num,exp;
+ int num;
SSL_COMP *comp;
if (s->s3->tmp.key_block_length != 0)
@@ -299,8 +300,6 @@
s->s3->tmp.new_hash=hash;
s->s3->tmp.new_compression=comp;
- exp=(s->session->cipher->algorithms & SSL_EXPORT)?1:0;
-
num=EVP_CIPHER_key_length(c)+EVP_MD_size(hash)+EVP_CIPHER_iv_length(c);
num*=2;
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index c64b760..ffea4b5 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -77,7 +77,7 @@
1,
SSL3_TXT_RSA_NULL_MD5,
SSL3_CK_RSA_NULL_MD5,
- SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_MD5|SSL_NOT_EXP|SSL_SSLV3,
+ SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_MD5|_SSL_NOT_EXP|SSL_SSLV3,
0,
SSL_ALL_CIPHERS,
},
@@ -86,7 +86,7 @@
1,
SSL3_TXT_RSA_NULL_SHA,
SSL3_CK_RSA_NULL_SHA,
- SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3,
+ SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_SHA1|_SSL_NOT_EXP|SSL_SSLV3,
0,
SSL_ALL_CIPHERS,
},
@@ -97,7 +97,7 @@
1,
SSL3_TXT_ADH_RC4_40_MD5,
SSL3_CK_ADH_RC4_40_MD5,
- SSL_kEDH |SSL_aNULL|SSL_RC4 |SSL_MD5 |SSL_EXP|SSL_SSLV3,
+ SSL_kEDH |SSL_aNULL|SSL_RC4 |SSL_MD5 |SSL_EXP40|SSL_SSLV3,
0,
SSL_ALL_CIPHERS,
},
@@ -106,7 +106,7 @@
1,
SSL3_TXT_ADH_RC4_128_MD5,
SSL3_CK_ADH_RC4_128_MD5,
- SSL_kEDH |SSL_aNULL|SSL_RC4 |SSL_MD5|SSL_NOT_EXP|SSL_SSLV3,
+ SSL_kEDH |SSL_aNULL|SSL_RC4 |SSL_MD5|_SSL_NOT_EXP|SSL_SSLV3,
0,
SSL_ALL_CIPHERS,
},
@@ -115,7 +115,7 @@
1,
SSL3_TXT_ADH_DES_40_CBC_SHA,
SSL3_CK_ADH_DES_40_CBC_SHA,
- SSL_kEDH |SSL_aNULL|SSL_DES|SSL_SHA1|SSL_EXP|SSL_SSLV3,
+ SSL_kEDH |SSL_aNULL|SSL_DES|SSL_SHA1|SSL_EXP40|SSL_SSLV3,
0,
SSL_ALL_CIPHERS,
},
@@ -124,7 +124,7 @@
1,
SSL3_TXT_ADH_DES_64_CBC_SHA,
SSL3_CK_ADH_DES_64_CBC_SHA,
- SSL_kEDH |SSL_aNULL|SSL_DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3,
+ SSL_kEDH |SSL_aNULL|SSL_DES |SSL_SHA1|_SSL_NOT_EXP|SSL_SSLV3,
0,
SSL_ALL_CIPHERS,
},
@@ -133,7 +133,7 @@
1,
SSL3_TXT_ADH_DES_192_CBC_SHA,
SSL3_CK_ADH_DES_192_CBC_SHA,
- SSL_kEDH |SSL_aNULL|SSL_3DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3,
+ SSL_kEDH |SSL_aNULL|SSL_3DES |SSL_SHA1|_SSL_NOT_EXP|SSL_SSLV3,
0,
SSL_ALL_CIPHERS,
},
@@ -144,7 +144,7 @@
1,
SSL3_TXT_RSA_RC4_40_MD5,
SSL3_CK_RSA_RC4_40_MD5,
- SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_MD5 |SSL_EXP|SSL_SSLV3,
+ SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_MD5 |SSL_EXP40|SSL_SSLV3,
0,
SSL_ALL_CIPHERS,
},
@@ -153,7 +153,7 @@
1,
SSL3_TXT_RSA_RC4_128_MD5,
SSL3_CK_RSA_RC4_128_MD5,
- SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_MD5|SSL_NOT_EXP|SSL_SSLV3|SSL_MEDIUM,
+ SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_MD5|_SSL_NOT_EXP|SSL_SSLV3|SSL_MEDIUM,
0,
SSL_ALL_CIPHERS,
},
@@ -162,7 +162,7 @@
1,
SSL3_TXT_RSA_RC4_128_SHA,
SSL3_CK_RSA_RC4_128_SHA,
- SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_MEDIUM,
+ SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_SHA1|_SSL_NOT_EXP|SSL_SSLV3|SSL_MEDIUM,
0,
SSL_ALL_CIPHERS,
},
@@ -171,7 +171,7 @@
1,
SSL3_TXT_RSA_RC2_40_MD5,
SSL3_CK_RSA_RC2_40_MD5,
- SSL_kRSA|SSL_aRSA|SSL_RC2 |SSL_MD5 |SSL_EXP|SSL_SSLV3,
+ SSL_kRSA|SSL_aRSA|SSL_RC2 |SSL_MD5 |SSL_EXP40|SSL_SSLV3,
0,
SSL_ALL_CIPHERS,
},
@@ -180,7 +180,7 @@
1,
SSL3_TXT_RSA_IDEA_128_SHA,
SSL3_CK_RSA_IDEA_128_SHA,
- SSL_kRSA|SSL_aRSA|SSL_IDEA |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_MEDIUM,
+ SSL_kRSA|SSL_aRSA|SSL_IDEA |SSL_SHA1|_SSL_NOT_EXP|SSL_SSLV3|SSL_MEDIUM,
0,
SSL_ALL_CIPHERS,
},
@@ -189,7 +189,7 @@
1,
SSL3_TXT_RSA_DES_40_CBC_SHA,
SSL3_CK_RSA_DES_40_CBC_SHA,
- SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_EXP|SSL_SSLV3,
+ SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_EXP40|SSL_SSLV3,
0,
SSL_ALL_CIPHERS,
},
@@ -198,7 +198,7 @@
1,
SSL3_TXT_RSA_DES_64_CBC_SHA,
SSL3_CK_RSA_DES_64_CBC_SHA,
- SSL_kRSA|SSL_aRSA|SSL_DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_LOW,
+ SSL_kRSA|SSL_aRSA|SSL_DES |SSL_SHA1|_SSL_NOT_EXP|SSL_SSLV3|SSL_LOW,
0,
SSL_ALL_CIPHERS,
},
@@ -207,7 +207,7 @@
1,
SSL3_TXT_RSA_DES_192_CBC3_SHA,
SSL3_CK_RSA_DES_192_CBC3_SHA,
- SSL_kRSA|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_HIGH,
+ SSL_kRSA|SSL_aRSA|SSL_3DES |SSL_SHA1|_SSL_NOT_EXP|SSL_SSLV3|SSL_HIGH,
0,
SSL_ALL_CIPHERS,
},
@@ -218,7 +218,7 @@
0,
SSL3_TXT_DH_DSS_DES_40_CBC_SHA,
SSL3_CK_DH_DSS_DES_40_CBC_SHA,
- SSL_kDHd |SSL_aDH|SSL_DES|SSL_SHA1|SSL_EXP|SSL_SSLV3,
+ SSL_kDHd |SSL_aDH|SSL_DES|SSL_SHA1|SSL_EXP40|SSL_SSLV3,
0,
SSL_ALL_CIPHERS,
},
@@ -227,7 +227,7 @@
0,
SSL3_TXT_DH_DSS_DES_64_CBC_SHA,
SSL3_CK_DH_DSS_DES_64_CBC_SHA,
- SSL_kDHd |SSL_aDH|SSL_DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_LOW,
+ SSL_kDHd |SSL_aDH|SSL_DES |SSL_SHA1|_SSL_NOT_EXP|SSL_SSLV3|SSL_LOW,
0,
SSL_ALL_CIPHERS,
},
@@ -236,7 +236,7 @@
0,
SSL3_TXT_DH_DSS_DES_192_CBC3_SHA,
SSL3_CK_DH_DSS_DES_192_CBC3_SHA,
- SSL_kDHd |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_HIGH,
+ SSL_kDHd |SSL_aDH|SSL_3DES |SSL_SHA1|_SSL_NOT_EXP|SSL_SSLV3|SSL_HIGH,
0,
SSL_ALL_CIPHERS,
},
@@ -245,7 +245,7 @@
0,
SSL3_TXT_DH_RSA_DES_40_CBC_SHA,
SSL3_CK_DH_RSA_DES_40_CBC_SHA,
- SSL_kDHr |SSL_aDH|SSL_DES|SSL_SHA1|SSL_EXP|SSL_SSLV3,
+ SSL_kDHr |SSL_aDH|SSL_DES|SSL_SHA1|SSL_EXP40|SSL_SSLV3,
0,
SSL_ALL_CIPHERS,
},
@@ -254,7 +254,7 @@
0,
SSL3_TXT_DH_RSA_DES_64_CBC_SHA,
SSL3_CK_DH_RSA_DES_64_CBC_SHA,
- SSL_kDHr |SSL_aDH|SSL_DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_LOW,
+ SSL_kDHr |SSL_aDH|SSL_DES |SSL_SHA1|_SSL_NOT_EXP|SSL_SSLV3|SSL_LOW,
0,
SSL_ALL_CIPHERS,
},
@@ -263,7 +263,7 @@
0,
SSL3_TXT_DH_RSA_DES_192_CBC3_SHA,
SSL3_CK_DH_RSA_DES_192_CBC3_SHA,
- SSL_kDHr |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_HIGH,
+ SSL_kDHr |SSL_aDH|SSL_3DES |SSL_SHA1|_SSL_NOT_EXP|SSL_SSLV3|SSL_HIGH,
0,
SSL_ALL_CIPHERS,
},
@@ -274,7 +274,7 @@
1,
SSL3_TXT_EDH_DSS_DES_40_CBC_SHA,
SSL3_CK_EDH_DSS_DES_40_CBC_SHA,
- SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA1|SSL_EXP|SSL_SSLV3,
+ SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA1|SSL_EXP40|SSL_SSLV3,
0,
SSL_ALL_CIPHERS,
},
@@ -283,7 +283,7 @@
1,
SSL3_TXT_EDH_DSS_DES_64_CBC_SHA,
SSL3_CK_EDH_DSS_DES_64_CBC_SHA,
- SSL_kEDH|SSL_aDSS|SSL_DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_LOW,
+ SSL_kEDH|SSL_aDSS|SSL_DES |SSL_SHA1|_SSL_NOT_EXP|SSL_SSLV3|SSL_LOW,
0,
SSL_ALL_CIPHERS,
},
@@ -292,7 +292,7 @@
1,
SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA,
SSL3_CK_EDH_DSS_DES_192_CBC3_SHA,
- SSL_kEDH|SSL_aDSS|SSL_3DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_HIGH,
+ SSL_kEDH|SSL_aDSS|SSL_3DES |SSL_SHA1|_SSL_NOT_EXP|SSL_SSLV3|SSL_HIGH,
0,
SSL_ALL_CIPHERS,
},
@@ -301,7 +301,7 @@
1,
SSL3_TXT_EDH_RSA_DES_40_CBC_SHA,
SSL3_CK_EDH_RSA_DES_40_CBC_SHA,
- SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_EXP|SSL_SSLV3,
+ SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_EXP40|SSL_SSLV3,
0,
SSL_ALL_CIPHERS,
},
@@ -310,7 +310,7 @@
1,
SSL3_TXT_EDH_RSA_DES_64_CBC_SHA,
SSL3_CK_EDH_RSA_DES_64_CBC_SHA,
- SSL_kEDH|SSL_aRSA|SSL_DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_LOW,
+ SSL_kEDH|SSL_aRSA|SSL_DES |SSL_SHA1|_SSL_NOT_EXP|SSL_SSLV3|SSL_LOW,
0,
SSL_ALL_CIPHERS,
},
@@ -319,7 +319,7 @@
1,
SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA,
SSL3_CK_EDH_RSA_DES_192_CBC3_SHA,
- SSL_kEDH|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_HIGH,
+ SSL_kEDH|SSL_aRSA|SSL_3DES |SSL_SHA1|_SSL_NOT_EXP|SSL_SSLV3|SSL_HIGH,
0,
SSL_ALL_CIPHERS,
},
@@ -330,7 +330,7 @@
0,
SSL3_TXT_FZA_DMS_NULL_SHA,
SSL3_CK_FZA_DMS_NULL_SHA,
- SSL_kFZA|SSL_aFZA |SSL_eNULL |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3,
+ SSL_kFZA|SSL_aFZA |SSL_eNULL |SSL_SHA1|_SSL_NOT_EXP|SSL_SSLV3,
0,
SSL_ALL_CIPHERS,
},
@@ -340,7 +340,7 @@
0,
SSL3_TXT_FZA_DMS_FZA_SHA,
SSL3_CK_FZA_DMS_FZA_SHA,
- SSL_kFZA|SSL_aFZA |SSL_eFZA |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3,
+ SSL_kFZA|SSL_aFZA |SSL_eFZA |SSL_SHA1|_SSL_NOT_EXP|SSL_SSLV3,
0,
SSL_ALL_CIPHERS,
},
@@ -350,11 +350,40 @@
0,
SSL3_TXT_FZA_DMS_RC4_SHA,
SSL3_CK_FZA_DMS_RC4_SHA,
- SSL_kFZA|SSL_aFZA |SSL_RC4 |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3,
+ SSL_kFZA|SSL_aFZA |SSL_RC4 |SSL_SHA1|_SSL_NOT_EXP|SSL_SSLV3,
0,
SSL_ALL_CIPHERS,
},
+ /* New TLS Export CipherSuites */
+ /* Cipher 60 */
+ {
+ 1,
+ TLS1_TXT_RSA_EXPORT56_WITH_RC4_56_MD5,
+ TLS1_CK_RSA_EXPORT56_WITH_RC4_56_MD5,
+ SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_EXP56|SSL_TLSV1,
+ 0,
+ SSL_ALL_CIPHERS
+ },
+ /* Cipher 61 */
+ {
+ 1,
+ TLS1_TXT_RSA_EXPORT56_WITH_RC2_CBC_56_MD5,
+ TLS1_CK_RSA_EXPORT56_WITH_RC2_CBC_56_MD5,
+ SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_EXP56|SSL_TLSV1,
+ 0,
+ SSL_ALL_CIPHERS
+ },
+ /* Cipher 62 */
+ {
+ 1,
+ TLS1_TXT_RSA_EXPORT56_WITH_DES_CBC_SHA,
+ TLS1_CK_RSA_EXPORT56_WITH_DES_CBC_SHA,
+ SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA|SSL_EXP56|SSL_TLSV1,
+ 0,
+ SSL_ALL_CIPHERS
+ },
+
/* end of list */
};
@@ -733,7 +762,7 @@
{
c=(SSL_CIPHER *)sk_value(have,i);
alg=c->algorithms&(SSL_MKEY_MASK|SSL_AUTH_MASK);
- if (alg & SSL_EXPORT)
+ if (SSL_IS_EXPORT(alg))
{
ok=((alg & emask) == alg)?1:0;
#ifdef CIPHER_DEBUG
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index a4c0744..233de6c 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -309,16 +309,16 @@
/* only send if a DH key exchange, fortezza or
* RSA but we have a sign only certificate */
- if ( s->s3->tmp.use_rsa_tmp ||
- (l & (SSL_DH|SSL_kFZA)) ||
- ((l & SSL_kRSA) &&
- ((ct->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL)||
- ((l & SSL_EXPORT) &&
- (EVP_PKEY_size(ct->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > 512)
- )
- )
+ if (s->s3->tmp.use_rsa_tmp
+ || (l & (SSL_DH|SSL_kFZA))
+ || ((l & SSL_kRSA)
+ && (ct->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
+ || (SSL_IS_EXPORT(l)
+ && EVP_PKEY_size(ct->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_EXPORT_PKEYLENGTH(l)
+ )
+ )
+ )
)
- )
{
ret=ssl3_send_server_key_exchange(s);
if (ret <= 0) goto end;
@@ -777,7 +777,7 @@
c=(SSL_CIPHER *)sk_value(sk,i);
if (c->algorithms & SSL_eNULL)
nc=c;
- if (c->algorithms & SSL_EXP)
+ if (SSL_C_IS_EXPORT(c))
ec=c;
}
if (nc != NULL)
@@ -945,8 +945,7 @@
if ((rsa == NULL) && (s->ctx->default_cert->rsa_tmp_cb != NULL))
{
rsa=s->ctx->default_cert->rsa_tmp_cb(s,
- !(s->s3->tmp.new_cipher->algorithms
- &SSL_NOT_EXP));
+ !SSL_C_IS_EXPORT(s->s3->tmp.new_cipher));
CRYPTO_add(&rsa->references,1,CRYPTO_LOCK_RSA);
cert->rsa_tmp=rsa;
}
@@ -968,8 +967,7 @@
dhp=cert->dh_tmp;
if ((dhp == NULL) && (cert->dh_tmp_cb != NULL))
dhp=cert->dh_tmp_cb(s,
- !(s->s3->tmp.new_cipher->algorithms
- &SSL_NOT_EXP));
+ !SSL_C_IS_EXPORT(s->s3->tmp.new_cipher));
if (dhp == NULL)
{
al=SSL_AD_HANDSHAKE_FAILURE;
diff --git a/ssl/ssl.h b/ssl/ssl.h
index e6a1327..4947e28 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -132,8 +132,9 @@
#define SSL_TXT_MD5 "MD5"
#define SSL_TXT_SHA1 "SHA1"
#define SSL_TXT_SHA "SHA"
-#define SSL_TXT_EXP "EXP"
+#define SSL_TXT_EXP40 "EXP"
#define SSL_TXT_EXPORT "EXPORT"
+#define SSL_TXT_EXP56 "EXP56"
#define SSL_TXT_SSLV2 "SSLv2"
#define SSL_TXT_SSLV3 "SSLv3"
#define SSL_TXT_TLSV1 "TLSv1"
@@ -988,18 +989,18 @@
void SSL_set_verify_result(SSL *ssl,long v);
long SSL_get_verify_result(SSL *ssl);
-int SSL_set_ex_data(SSL *ssl,int idx,char *data);
-char *SSL_get_ex_data(SSL *ssl,int idx);
+int SSL_set_ex_data(SSL *ssl,int idx,void *data);
+void *SSL_get_ex_data(SSL *ssl,int idx);
int SSL_get_ex_new_index(long argl, char *argp, int (*new_func)(),
int (*dup_func)(), void (*free_func)());
-int SSL_SESSION_set_ex_data(SSL_SESSION *ss,int idx,char *data);
-char *SSL_SESSION_get_ex_data(SSL_SESSION *ss,int idx);
+int SSL_SESSION_set_ex_data(SSL_SESSION *ss,int idx,void *data);
+void *SSL_SESSION_get_ex_data(SSL_SESSION *ss,int idx);
int SSL_SESSION_get_ex_new_index(long argl, char *argp, int (*new_func)(),
int (*dup_func)(), void (*free_func)());
-int SSL_CTX_set_ex_data(SSL_CTX *ssl,int idx,char *data);
-char *SSL_CTX_get_ex_data(SSL_CTX *ssl,int idx);
+int SSL_CTX_set_ex_data(SSL_CTX *ssl,int idx,void *data);
+void *SSL_CTX_get_ex_data(SSL_CTX *ssl,int idx);
int SSL_CTX_get_ex_new_index(long argl, char *argp, int (*new_func)(),
int (*dup_func)(), void (*free_func)());
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 30501cb..2bea76c 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -144,14 +144,15 @@
{0,SSL_TXT_ADH, 0,SSL_ADH, 0,SSL_AUTH_MASK|SSL_MKEY_MASK},
{0,SSL_TXT_FZA, 0,SSL_FZA, 0,SSL_AUTH_MASK|SSL_MKEY_MASK|SSL_ENC_MASK},
- {0,SSL_TXT_EXP, 0,SSL_EXP, 0,SSL_EXP_MASK},
- {0,SSL_TXT_EXPORT,0,SSL_EXPORT,0,SSL_EXP_MASK},
- {0,SSL_TXT_SSLV2,0,SSL_SSLV2,0,SSL_SSL_MASK},
- {0,SSL_TXT_SSLV3,0,SSL_SSLV3,0,SSL_SSL_MASK},
- {0,SSL_TXT_TLSV1,0,SSL_SSLV3,0,SSL_SSL_MASK},
- {0,SSL_TXT_LOW, 0,SSL_LOW,0,SSL_STRONG_MASK},
+ {0,SSL_TXT_EXP40, 0,SSL_EXP40, 0,_SSL_EXP_MASK},
+ {0,SSL_TXT_EXPORT,0,SSL_EXP40, 0,_SSL_EXP_MASK},
+ {0,SSL_TXT_EXP56, 0,SSL_EXP56, 0,_SSL_EXP_MASK},
+ {0,SSL_TXT_SSLV2, 0,SSL_SSLV2, 0,SSL_SSL_MASK},
+ {0,SSL_TXT_SSLV3, 0,SSL_SSLV3, 0,SSL_SSL_MASK},
+ {0,SSL_TXT_TLSV1, 0,SSL_TLSV1, 0,SSL_SSL_MASK},
+ {0,SSL_TXT_LOW, 0,SSL_LOW, 0,SSL_STRONG_MASK},
{0,SSL_TXT_MEDIUM,0,SSL_MEDIUM,0,SSL_STRONG_MASK},
- {0,SSL_TXT_HIGH, 0,SSL_HIGH,0,SSL_STRONG_MASK},
+ {0,SSL_TXT_HIGH, 0,SSL_HIGH, 0,SSL_STRONG_MASK},
};
static int init_ciphers=1;
@@ -615,7 +616,7 @@
char *buf;
int len;
{
- int export;
+ int _export,pkl,kl;
char *ver,*exp;
char *kx,*au,*enc,*mac;
unsigned long alg,alg2;
@@ -624,8 +625,10 @@
alg=cipher->algorithms;
alg2=cipher->algorithm2;
- export=(alg&SSL_EXP)?1:0;
- exp=(export)?" export":"";
+ _export=SSL_IS_EXPORT(alg);
+ pkl=SSL_EXPORT_PKEYLENGTH(alg);
+ kl=SSL_EXPORT_KEYLENGTH(alg);
+ exp=_export?" export":"";
if (alg & SSL_SSLV2)
ver="SSLv2";
@@ -637,7 +640,7 @@
switch (alg&SSL_MKEY_MASK)
{
case SSL_kRSA:
- kx=(export)?"RSA(512)":"RSA";
+ kx=_export?(pkl == 512 ? "RSA(512)" : "RSA(1024)"):"RSA";
break;
case SSL_kDHr:
kx="DH/RSA";
@@ -649,7 +652,7 @@
kx="Fortezza";
break;
case SSL_kEDH:
- kx=(export)?"DH(512)":"DH";
+ kx=_export?(pkl == 512 ? "DH(512)" : "DH(1024)"):"DH";
break;
default:
kx="unknown";
@@ -678,16 +681,17 @@
switch (alg&SSL_ENC_MASK)
{
case SSL_DES:
- enc=export?"DES(40)":"DES(56)";
+ enc=(_export && kl == 5)?"DES(40)":"DES(56)";
break;
case SSL_3DES:
enc="3DES(168)";
break;
case SSL_RC4:
- enc=export?"RC4(40)":((alg2&SSL2_CF_8_BYTE_ENC)?"RC4(64)":"RC4(128)");
+ enc=_export?(kl == 5 ? "RC4(40)" : "RC4(56)")
+ :((alg2&SSL2_CF_8_BYTE_ENC)?"RC4(64)":"RC4(128)");
break;
case SSL_RC2:
- enc=export?"RC2(40)":"RC2(128)";
+ enc=_export?(kl == 5 ? "RC2(40)" : "RC2(56)"):"RC2(128)";
break;
case SSL_IDEA:
enc="IDEA(128)";
@@ -770,9 +774,9 @@
a=EVP_CIPHER_key_length(enc)*8;
- if (c->algorithms & SSL_EXP)
+ if (SSL_C_IS_EXPORT(c))
{
- ret=40;
+ ret=SSL_C_EXPORT_KEYLENGTH(c)*8;
}
else
{
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 2019a40..862a555 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1236,13 +1236,13 @@
{
unsigned long alg,mask,kalg;
CERT *c;
- int i,export;
+ int i,_export;
c=s->cert;
ssl_set_cert_masks(c);
alg=s->s3->tmp.new_cipher->algorithms;
- export=(alg & SSL_EXPORT)?1:0;
- mask=(export)?c->export_mask:c->mask;
+ _export=SSL_IS_EXPORT(alg);
+ mask=_export?c->export_mask:c->mask;
kalg=alg&(SSL_MKEY_MASK|SSL_AUTH_MASK);
if (kalg & SSL_kDHr)
@@ -1822,12 +1822,12 @@
int SSL_set_ex_data(s,idx,arg)
SSL *s;
int idx;
-char *arg;
+void *arg;
{
return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
}
-char *SSL_get_ex_data(s,idx)
+void *SSL_get_ex_data(s,idx)
SSL *s;
int idx;
{
@@ -1849,12 +1849,12 @@
int SSL_CTX_set_ex_data(s,idx,arg)
SSL_CTX *s;
int idx;
-char *arg;
+void *arg;
{
return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
}
-char *SSL_CTX_get_ex_data(s,idx)
+void *SSL_CTX_get_ex_data(s,idx)
SSL_CTX *s;
int idx;
{
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 1a90751..8c39d69 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -191,14 +191,25 @@
#define SSL_SHA1 0x00040000L
#define SSL_SHA (SSL_SHA1)
-#define SSL_EXP_MASK 0x00300000L
-#define SSL_EXP 0x00100000L
-#define SSL_NOT_EXP 0x00200000L
-#define SSL_EXPORT SSL_EXP
+#define _SSL_EXP_MASK 0x00300000L
+#define SSL_EXP40 0x00100000L
+#define _SSL_NOT_EXP 0x00200000L
+#define SSL_EXP56 0x00300000L
+#define SSL_IS_EXPORT(a) ((a)&SSL_EXP40)
+#define SSL_IS_EXPORT56(a) (((a)&_SSL_EXP_MASK) == SSL_EXP56)
+#define SSL_IS_EXPORT40(a) (((a)&_SSL_EXP_MASK) == SSL_EXP40)
+#define SSL_C_IS_EXPORT(c) SSL_IS_EXPORT((c)->algorithms)
+#define SSL_C_IS_EXPORT56(c) SSL_IS_EXPORT56((c)->algorithms)
+#define SSL_C_IS_EXPORT40(c) SSL_IS_EXPORT40((c)->algorithms)
+#define SSL_EXPORT_KEYLENGTH(a) (SSL_IS_EXPORT40(a) ? 5 : 7)
+#define SSL_EXPORT_PKEYLENGTH(a) (SSL_IS_EXPORT40(a) ? 512 : 1024)
+#define SSL_C_EXPORT_KEYLENGTH(c) SSL_EXPORT_KEYLENGTH((c)->algorithms)
+#define SSL_C_EXPORT_PKEYLENGTH(c) SSL_EXPORT_PKEYLENGTH((c)->algorithms)
#define SSL_SSL_MASK 0x00c00000L
#define SSL_SSLV2 0x00400000L
#define SSL_SSLV3 0x00800000L
+#define SSL_TLSV1 SSL_SSLV3 /* for now */
#define SSL_STRONG_MASK 0x07000000L
#define SSL_LOW 0x01000000L
@@ -208,7 +219,7 @@
/* we have used 0fffffff - 4 bits left to go */
#define SSL_ALL 0xffffffffL
#define SSL_ALL_CIPHERS (SSL_MKEY_MASK|SSL_AUTH_MASK|SSL_ENC_MASK|\
- SSL_MAC_MASK|SSL_EXP_MASK)
+ SSL_MAC_MASK|_SSL_EXP_MASK)
/* Mostly for SSLv3 */
#define SSL_PKEY_RSA_ENC 0
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index adaab35..2403b06 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -94,12 +94,12 @@
int SSL_SESSION_set_ex_data(s,idx,arg)
SSL_SESSION *s;
int idx;
-char *arg;
+void *arg;
{
return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
}
-char *SSL_SESSION_get_ex_data(s,idx)
+void *SSL_SESSION_get_ex_data(s,idx)
SSL_SESSION *s;
int idx;
{
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index f228295..0f5cbd3 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -178,9 +178,9 @@
EVP_CIPHER *c;
SSL_COMP *comp;
EVP_MD *m;
- int exp,n,i,j,k,exp_label_len,cl;
+ int _exp,n,i,j,k,exp_label_len,cl;
- exp=(s->s3->tmp.new_cipher->algorithms & SSL_EXPORT)?1:0;
+ _exp=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
c=s->s3->tmp.new_sym_enc;
m=s->s3->tmp.new_hash;
comp=s->s3->tmp.new_compression;
@@ -247,7 +247,8 @@
p=s->s3->tmp.key_block;
i=EVP_MD_size(m);
cl=EVP_CIPHER_key_length(c);
- j=exp ? (cl < 5 ? cl : 5) : cl;
+ j=_exp ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
+ cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
/* Was j=(exp)?5:EVP_CIPHER_key_length(c); */
k=EVP_CIPHER_iv_length(c);
er1= &(s->s3->client_random[0]);
@@ -284,7 +285,7 @@
printf("which = %04X\nmac key=",which);
{ int z; for (z=0; z<i; z++) printf("%02X%c",ms[z],((z+1)%16)?' ':'\n'); }
#endif
- if (exp)
+ if (_exp)
{
/* In here I set both the read and write key/iv to the
* same value since only the correct one will be used :-).
@@ -297,7 +298,7 @@
memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE);
p+=SSL3_RANDOM_SIZE;
tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(p-buf),key,j,
- tmp1,tmp2,EVP_CIPHER_key_length(c));
+ tmp1,tmp2,EVP_CIPHER_key_length(c));
key=tmp1;
if (k > 0)
@@ -347,7 +348,7 @@
unsigned char *p1,*p2;
EVP_CIPHER *c;
EVP_MD *hash;
- int num,exp;
+ int num;
SSL_COMP *comp;
if (s->s3->tmp.key_block_length != 0)
@@ -362,8 +363,6 @@
s->s3->tmp.new_sym_enc=c;
s->s3->tmp.new_hash=hash;
- exp=(s->session->cipher->algorithms & SSL_EXPORT)?1:0;
-
num=EVP_CIPHER_key_length(c)+EVP_MD_size(hash)+EVP_CIPHER_iv_length(c);
num*=2;
diff --git a/ssl/tls1.h b/ssl/tls1.h
index 6097861..8d47ae5 100644
--- a/ssl/tls1.h
+++ b/ssl/tls1.h
@@ -82,6 +82,14 @@
#define TLS1_AD_USER_CANCLED 90
#define TLS1_AD_NO_RENEGOTIATION 100
+#define TLS1_CK_RSA_EXPORT56_WITH_RC4_56_MD5 0x03000060
+#define TLS1_CK_RSA_EXPORT56_WITH_RC2_CBC_56_MD5 0x03000061
+#define TLS1_CK_RSA_EXPORT56_WITH_DES_CBC_SHA 0x03000062
+
+#define TLS1_TXT_RSA_EXPORT56_WITH_RC4_56_MD5 "EXP56-RC4-MD5"
+#define TLS1_TXT_RSA_EXPORT56_WITH_RC2_CBC_56_MD5 "EXP56-RC2-CBC-MD5"
+#define TLS1_TXT_RSA_EXPORT56_WITH_DES_CBC_SHA "EXP56-DES-CBC-SHA"
+
#define TLS_CT_RSA_SIGN 1
#define TLS_CT_DSS_SIGN 2
#define TLS_CT_RSA_FIXED_DH 3
