Keep cipher lists sorted in the source instead of sorting them at
authorNils Larsch <nils@openssl.org>
Thu, 25 Aug 2005 07:43:04 +0000 (07:43 +0000)
committerNils Larsch <nils@openssl.org>
Thu, 25 Aug 2005 07:43:04 +0000 (07:43 +0000)
runtime, thus removing the need for a lock. Add a test to ssltest
to verify that the cipher lists are sorted.

CHANGES
ssl/s2_lib.c
ssl/s3_lib.c
ssl/ssltest.c
test/Makefile

diff --git a/CHANGES b/CHANGES
index 5310571ec036b58a7e3d345b5c9b9990ad21c030..02e1fc1da56c472ed470bb524d0c179580ed7c56 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,10 @@
 
  Changes between 0.9.8 and 0.9.8a  [XX xxx XXXX]
 
+  *) Keep cipherlists sorted in the source instead of sorting them at
+     runtime, thus removing the need for a lock.
+     [Nils Larsch]
+
   *) Avoid some small subgroup attacks in Diffie-Hellman.
      [Nick Mathewson and Ben Laurie]
 
index cec19673f59f24a170b8fba7c141c52c36acbda9..8dda67e8978e08ab43dea5eaeba7913cf080d2ff 100644 (file)
@@ -67,6 +67,7 @@ const char *ssl2_version_str="SSLv2" OPENSSL_VERSION_PTEXT;
 
 #define SSL2_NUM_CIPHERS (sizeof(ssl2_ciphers)/sizeof(SSL_CIPHER))
 
+/* list of available SSLv2 ciphers (sorted by id) */
 OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[]={
 /* NULL_WITH_MD5 v3 */
 #if 0
@@ -83,19 +84,6 @@ OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[]={
        SSL_ALL_STRENGTHS,
        },
 #endif
-/* RC4_128_EXPORT40_WITH_MD5 */
-       {
-       1,
-       SSL2_TXT_RC4_128_EXPORT40_WITH_MD5,
-       SSL2_CK_RC4_128_EXPORT40_WITH_MD5,
-       SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_SSLV2,
-       SSL_EXPORT|SSL_EXP40,
-       SSL2_CF_5_BYTE_ENC,
-       40,
-       128,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
-       },
 /* RC4_128_WITH_MD5 */
        {
        1,
@@ -109,12 +97,12 @@ OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[]={
        SSL_ALL_CIPHERS,
        SSL_ALL_STRENGTHS,
        },
-/* RC2_128_CBC_EXPORT40_WITH_MD5 */
+/* RC4_128_EXPORT40_WITH_MD5 */
        {
        1,
-       SSL2_TXT_RC2_128_CBC_EXPORT40_WITH_MD5,
-       SSL2_CK_RC2_128_CBC_EXPORT40_WITH_MD5,
-       SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_SSLV2,
+       SSL2_TXT_RC4_128_EXPORT40_WITH_MD5,
+       SSL2_CK_RC4_128_EXPORT40_WITH_MD5,
+       SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_SSLV2,
        SSL_EXPORT|SSL_EXP40,
        SSL2_CF_5_BYTE_ENC,
        40,
@@ -135,6 +123,19 @@ OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[]={
        SSL_ALL_CIPHERS,
        SSL_ALL_STRENGTHS,
        },
+/* RC2_128_CBC_EXPORT40_WITH_MD5 */
+       {
+       1,
+       SSL2_TXT_RC2_128_CBC_EXPORT40_WITH_MD5,
+       SSL2_CK_RC2_128_CBC_EXPORT40_WITH_MD5,
+       SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_SSLV2,
+       SSL_EXPORT|SSL_EXP40,
+       SSL2_CF_5_BYTE_ENC,
+       40,
+       128,
+       SSL_ALL_CIPHERS,
+       SSL_ALL_STRENGTHS,
+       },
 /* IDEA_128_CBC_WITH_MD5 */
 #ifndef OPENSSL_NO_IDEA
        {
@@ -338,42 +339,21 @@ long ssl2_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
  * available */
 SSL_CIPHER *ssl2_get_cipher_by_char(const unsigned char *p)
        {
-       static int init=1;
-       static SSL_CIPHER *sorted[SSL2_NUM_CIPHERS];
-       SSL_CIPHER c,*cp= &c,**cpp;
+       SSL_CIPHER c,*cp;
        unsigned long id;
        unsigned int i;
 
-       if (init)
-               {
-               CRYPTO_w_lock(CRYPTO_LOCK_SSL);
-
-               if (init)
-                       {
-                       for (i=0; i<SSL2_NUM_CIPHERS; i++)
-                               sorted[i]= &(ssl2_ciphers[i]);
-
-                       qsort((char *)sorted,
-                               SSL2_NUM_CIPHERS,sizeof(SSL_CIPHER *),
-                               FP_ICC ssl_cipher_ptr_id_cmp);
-
-                       init=0;
-                       }
-                       
-               CRYPTO_w_unlock(CRYPTO_LOCK_SSL);
-               }
-
        id=0x02000000L|((unsigned long)p[0]<<16L)|
                ((unsigned long)p[1]<<8L)|(unsigned long)p[2];
        c.id=id;
-       cpp=(SSL_CIPHER **)OBJ_bsearch((char *)&cp,
-               (char *)sorted,
-               SSL2_NUM_CIPHERS,sizeof(SSL_CIPHER *),
-               FP_ICC ssl_cipher_ptr_id_cmp);
-       if ((cpp == NULL) || !(*cpp)->valid)
-               return(NULL);
+       cp = (SSL_CIPHER *)OBJ_bsearch((char *)&c,
+               (char *)ssl2_ciphers,
+               SSL2_NUM_CIPHERS,sizeof(SSL_CIPHER),
+               FP_ICC ssl_cipher_id_cmp);
+       if ((cp == NULL) || (cp->valid == 0))
+               return NULL;
        else
-               return(*cpp);
+               return cp;
        }
 
 int ssl2_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p)
index b531986f059d885bdf44ed7a807b7fbacaa69fdc..7363329aa51d9fe4a21e233a2ce65ede9cfc1595 100644 (file)
@@ -136,6 +136,7 @@ const char *ssl3_version_str="SSLv3" OPENSSL_VERSION_PTEXT;
 
 #define SSL3_NUM_CIPHERS       (sizeof(ssl3_ciphers)/sizeof(SSL_CIPHER))
 
+/* list of available SSLv3 ciphers (sorted by id) */
 OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 /* The RSA ciphers */
 /* Cipher 01 */
@@ -164,75 +165,6 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL_ALL_CIPHERS,
        SSL_ALL_STRENGTHS,
        },
-
-/* anon DH */
-/* Cipher 17 */
-       {
-       1,
-       SSL3_TXT_ADH_RC4_40_MD5,
-       SSL3_CK_ADH_RC4_40_MD5,
-       SSL_kEDH |SSL_aNULL|SSL_RC4  |SSL_MD5 |SSL_SSLV3,
-       SSL_EXPORT|SSL_EXP40,
-       0,
-       40,
-       128,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
-       },
-/* Cipher 18 */
-       {
-       1,
-       SSL3_TXT_ADH_RC4_128_MD5,
-       SSL3_CK_ADH_RC4_128_MD5,
-       SSL_kEDH |SSL_aNULL|SSL_RC4  |SSL_MD5 |SSL_SSLV3,
-       SSL_NOT_EXP|SSL_MEDIUM,
-       0,
-       128,
-       128,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
-       },
-/* Cipher 19 */
-       {
-       1,
-       SSL3_TXT_ADH_DES_40_CBC_SHA,
-       SSL3_CK_ADH_DES_40_CBC_SHA,
-       SSL_kEDH |SSL_aNULL|SSL_DES|SSL_SHA1|SSL_SSLV3,
-       SSL_EXPORT|SSL_EXP40,
-       0,
-       40,
-       128,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
-       },
-/* Cipher 1A */
-       {
-       1,
-       SSL3_TXT_ADH_DES_64_CBC_SHA,
-       SSL3_CK_ADH_DES_64_CBC_SHA,
-       SSL_kEDH |SSL_aNULL|SSL_DES  |SSL_SHA1|SSL_SSLV3,
-       SSL_NOT_EXP|SSL_LOW,
-       0,
-       56,
-       56,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
-       },
-/* Cipher 1B */
-       {
-       1,
-       SSL3_TXT_ADH_DES_192_CBC_SHA,
-       SSL3_CK_ADH_DES_192_CBC_SHA,
-       SSL_kEDH |SSL_aNULL|SSL_3DES |SSL_SHA1|SSL_SSLV3,
-       SSL_NOT_EXP|SSL_HIGH,
-       0,
-       168,
-       168,
-       SSL_ALL_CIPHERS,
-       SSL_ALL_STRENGTHS,
-       },
-
-/* RSA again */
 /* Cipher 03 */
        {
        1,
@@ -339,8 +271,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL_ALL_CIPHERS,
        SSL_ALL_STRENGTHS,
        },
-
-/*  The DH ciphers */
+/* The DH ciphers */
 /* Cipher 0B */
        {
        0,
@@ -499,6 +430,71 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL_ALL_CIPHERS,
        SSL_ALL_STRENGTHS,
        },
+/* Cipher 17 */
+       {
+       1,
+       SSL3_TXT_ADH_RC4_40_MD5,
+       SSL3_CK_ADH_RC4_40_MD5,
+       SSL_kEDH |SSL_aNULL|SSL_RC4  |SSL_MD5 |SSL_SSLV3,
+       SSL_EXPORT|SSL_EXP40,
+       0,
+       40,
+       128,
+       SSL_ALL_CIPHERS,
+       SSL_ALL_STRENGTHS,
+       },
+/* Cipher 18 */
+       {
+       1,
+       SSL3_TXT_ADH_RC4_128_MD5,
+       SSL3_CK_ADH_RC4_128_MD5,
+       SSL_kEDH |SSL_aNULL|SSL_RC4  |SSL_MD5 |SSL_SSLV3,
+       SSL_NOT_EXP|SSL_MEDIUM,
+       0,
+       128,
+       128,
+       SSL_ALL_CIPHERS,
+       SSL_ALL_STRENGTHS,
+       },
+/* Cipher 19 */
+       {
+       1,
+       SSL3_TXT_ADH_DES_40_CBC_SHA,
+       SSL3_CK_ADH_DES_40_CBC_SHA,
+       SSL_kEDH |SSL_aNULL|SSL_DES|SSL_SHA1|SSL_SSLV3,
+       SSL_EXPORT|SSL_EXP40,
+       0,
+       40,
+       128,
+       SSL_ALL_CIPHERS,
+       SSL_ALL_STRENGTHS,
+       },
+/* Cipher 1A */
+       {
+       1,
+       SSL3_TXT_ADH_DES_64_CBC_SHA,
+       SSL3_CK_ADH_DES_64_CBC_SHA,
+       SSL_kEDH |SSL_aNULL|SSL_DES  |SSL_SHA1|SSL_SSLV3,
+       SSL_NOT_EXP|SSL_LOW,
+       0,
+       56,
+       56,
+       SSL_ALL_CIPHERS,
+       SSL_ALL_STRENGTHS,
+       },
+/* Cipher 1B */
+       {
+       1,
+       SSL3_TXT_ADH_DES_192_CBC_SHA,
+       SSL3_CK_ADH_DES_192_CBC_SHA,
+       SSL_kEDH |SSL_aNULL|SSL_3DES |SSL_SHA1|SSL_SSLV3,
+       SSL_NOT_EXP|SSL_HIGH,
+       0,
+       168,
+       168,
+       SSL_ALL_CIPHERS,
+       SSL_ALL_STRENGTHS,
+       },
 
 /* Fortezza */
 /* Cipher 1C */
@@ -746,262 +742,165 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL_ALL_STRENGTHS,
        },
 #endif /* OPENSSL_NO_KRB5 */
+/* New AES ciphersuites */
 
+/* Cipher 2F */
+       {
+       1,
+       TLS1_TXT_RSA_WITH_AES_128_SHA,
+       TLS1_CK_RSA_WITH_AES_128_SHA,
+       SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1,
+       SSL_NOT_EXP|SSL_MEDIUM,
+       0,
+       128,
+       128,
+       SSL_ALL_CIPHERS,
+       SSL_ALL_STRENGTHS,
+       },
+/* Cipher 30 */
+       {
+       0,
+       TLS1_TXT_DH_DSS_WITH_AES_128_SHA,
+       TLS1_CK_DH_DSS_WITH_AES_128_SHA,
+       SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
+       SSL_NOT_EXP|SSL_MEDIUM,
+       0,
+       128,
+       128,
+       SSL_ALL_CIPHERS,
+       SSL_ALL_STRENGTHS,
+       },
+/* Cipher 31 */
+       {
+       0,
+       TLS1_TXT_DH_RSA_WITH_AES_128_SHA,
+       TLS1_CK_DH_RSA_WITH_AES_128_SHA,
+       SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
+       SSL_NOT_EXP|SSL_MEDIUM,
+       0,
+       128,
+       128,
+       SSL_ALL_CIPHERS,
+       SSL_ALL_STRENGTHS,
+       },
+/* Cipher 32 */
+       {
+       1,
+       TLS1_TXT_DHE_DSS_WITH_AES_128_SHA,
+       TLS1_CK_DHE_DSS_WITH_AES_128_SHA,
+       SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1,
+       SSL_NOT_EXP|SSL_MEDIUM,
+       0,
+       128,
+       128,
+       SSL_ALL_CIPHERS,
+       SSL_ALL_STRENGTHS,
+       },
+/* Cipher 33 */
+       {
+       1,
+       TLS1_TXT_DHE_RSA_WITH_AES_128_SHA,
+       TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
+       SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
+       SSL_NOT_EXP|SSL_MEDIUM,
+       0,
+       128,
+       128,
+       SSL_ALL_CIPHERS,
+       SSL_ALL_STRENGTHS,
+       },
+/* Cipher 34 */
+       {
+       1,
+       TLS1_TXT_ADH_WITH_AES_128_SHA,
+       TLS1_CK_ADH_WITH_AES_128_SHA,
+       SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
+       SSL_NOT_EXP|SSL_MEDIUM,
+       0,
+       128,
+       128,
+       SSL_ALL_CIPHERS,
+       SSL_ALL_STRENGTHS,
+       },
 
-#if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES
-       /* New TLS Export CipherSuites */
-       /* Cipher 60 */
-           {
-           1,
-           TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5,
-           TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5,
-           SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_TLSV1,
-           SSL_EXPORT|SSL_EXP56,
-           0,
-           56,
-           128,
-           SSL_ALL_CIPHERS,
-           SSL_ALL_STRENGTHS,
-           },
-       /* Cipher 61 */
-           {
-           1,
-           TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5,
-           TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5,
-           SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_TLSV1,
-           SSL_EXPORT|SSL_EXP56,
-           0,
-           56,
-           128,
-           SSL_ALL_CIPHERS,
-           SSL_ALL_STRENGTHS,
-           },
-       /* Cipher 62 */
-           {
-           1,
-           TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA,
-           TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA,
-           SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA|SSL_TLSV1,
-           SSL_EXPORT|SSL_EXP56,
-           0,
-           56,
-           56,
-           SSL_ALL_CIPHERS,
-           SSL_ALL_STRENGTHS,
-           },
-       /* Cipher 63 */
-           {
-           1,
-           TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
-           TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
-           SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA|SSL_TLSV1,
-           SSL_EXPORT|SSL_EXP56,
-           0,
-           56,
-           56,
-           SSL_ALL_CIPHERS,
-           SSL_ALL_STRENGTHS,
-           },
-       /* Cipher 64 */
-           {
-           1,
-           TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA,
-           TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA,
-           SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
-           SSL_EXPORT|SSL_EXP56,
-           0,
-           56,
-           128,
-           SSL_ALL_CIPHERS,
-           SSL_ALL_STRENGTHS,
-           },
-       /* Cipher 65 */
-           {
-           1,
-           TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
-           TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
-           SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1,
-           SSL_EXPORT|SSL_EXP56,
-           0,
-           56,
-           128,
-           SSL_ALL_CIPHERS,
-           SSL_ALL_STRENGTHS,
-           },
-       /* Cipher 66 */
-           {
-           1,
-           TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA,
-           TLS1_CK_DHE_DSS_WITH_RC4_128_SHA,
-           SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1,
-           SSL_NOT_EXP|SSL_MEDIUM,
-           0,
-           128,
-           128,
-           SSL_ALL_CIPHERS,
-           SSL_ALL_STRENGTHS
-           },
-#endif
-       /* New AES ciphersuites */
-
-       /* Cipher 2F */
-           {
-           1,
-           TLS1_TXT_RSA_WITH_AES_128_SHA,
-           TLS1_CK_RSA_WITH_AES_128_SHA,
-           SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1,
-           SSL_NOT_EXP|SSL_MEDIUM,
-           0,
-           128,
-           128,
-           SSL_ALL_CIPHERS,
-           SSL_ALL_STRENGTHS,
-           },
-       /* Cipher 30 */
-           {
-           0,
-           TLS1_TXT_DH_DSS_WITH_AES_128_SHA,
-           TLS1_CK_DH_DSS_WITH_AES_128_SHA,
-           SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
-           SSL_NOT_EXP|SSL_MEDIUM,
-           0,
-           128,
-           128,
-           SSL_ALL_CIPHERS,
-           SSL_ALL_STRENGTHS,
-           },
-       /* Cipher 31 */
-           {
-           0,
-           TLS1_TXT_DH_RSA_WITH_AES_128_SHA,
-           TLS1_CK_DH_RSA_WITH_AES_128_SHA,
-           SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
-           SSL_NOT_EXP|SSL_MEDIUM,
-           0,
-           128,
-           128,
-           SSL_ALL_CIPHERS,
-           SSL_ALL_STRENGTHS,
-           },
-       /* Cipher 32 */
-           {
-           1,
-           TLS1_TXT_DHE_DSS_WITH_AES_128_SHA,
-           TLS1_CK_DHE_DSS_WITH_AES_128_SHA,
-           SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1,
-           SSL_NOT_EXP|SSL_MEDIUM,
-           0,
-           128,
-           128,
-           SSL_ALL_CIPHERS,
-           SSL_ALL_STRENGTHS,
-           },
-       /* Cipher 33 */
-           {
-           1,
-           TLS1_TXT_DHE_RSA_WITH_AES_128_SHA,
-           TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
-           SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
-           SSL_NOT_EXP|SSL_MEDIUM,
-           0,
-           128,
-           128,
-           SSL_ALL_CIPHERS,
-           SSL_ALL_STRENGTHS,
-           },
-       /* Cipher 34 */
-           {
-           1,
-           TLS1_TXT_ADH_WITH_AES_128_SHA,
-           TLS1_CK_ADH_WITH_AES_128_SHA,
-           SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
-           SSL_NOT_EXP|SSL_MEDIUM,
-           0,
-           128,
-           128,
-           SSL_ALL_CIPHERS,
-           SSL_ALL_STRENGTHS,
-           },
-
-       /* Cipher 35 */
-           {
-           1,
-           TLS1_TXT_RSA_WITH_AES_256_SHA,
-           TLS1_CK_RSA_WITH_AES_256_SHA,
-           SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1,
-           SSL_NOT_EXP|SSL_HIGH,
-           0,
-           256,
-           256,
-           SSL_ALL_CIPHERS,
-           SSL_ALL_STRENGTHS,
-           },
-       /* Cipher 36 */
-           {
-           0,
-           TLS1_TXT_DH_DSS_WITH_AES_256_SHA,
-           TLS1_CK_DH_DSS_WITH_AES_256_SHA,
-           SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
-           SSL_NOT_EXP|SSL_HIGH,
-           0,
-           256,
-           256,
-           SSL_ALL_CIPHERS,
-           SSL_ALL_STRENGTHS,
-           },
-       /* Cipher 37 */
-           {
-           0,
-           TLS1_TXT_DH_RSA_WITH_AES_256_SHA,
-           TLS1_CK_DH_RSA_WITH_AES_256_SHA,
-           SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
-           SSL_NOT_EXP|SSL_HIGH,
-           0,
-           256,
-           256,
-           SSL_ALL_CIPHERS,
-           SSL_ALL_STRENGTHS,
-           },
-       /* Cipher 38 */
-           {
-           1,
-           TLS1_TXT_DHE_DSS_WITH_AES_256_SHA,
-           TLS1_CK_DHE_DSS_WITH_AES_256_SHA,
-           SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1,
-           SSL_NOT_EXP|SSL_HIGH,
-           0,
-           256,
-           256,
-           SSL_ALL_CIPHERS,
-           SSL_ALL_STRENGTHS,
-           },
-       /* Cipher 39 */
-           {
-           1,
-           TLS1_TXT_DHE_RSA_WITH_AES_256_SHA,
-           TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
-           SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
-           SSL_NOT_EXP|SSL_HIGH,
-           0,
-           256,
-           256,
-           SSL_ALL_CIPHERS,
-           SSL_ALL_STRENGTHS,
-           },
+/* Cipher 35 */
+       {
+       1,
+       TLS1_TXT_RSA_WITH_AES_256_SHA,
+       TLS1_CK_RSA_WITH_AES_256_SHA,
+       SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1,
+       SSL_NOT_EXP|SSL_HIGH,
+       0,
+       256,
+       256,
+       SSL_ALL_CIPHERS,
+       SSL_ALL_STRENGTHS,
+       },
+/* Cipher 36 */
+       {
+       0,
+       TLS1_TXT_DH_DSS_WITH_AES_256_SHA,
+       TLS1_CK_DH_DSS_WITH_AES_256_SHA,
+       SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
+       SSL_NOT_EXP|SSL_HIGH,
+       0,
+       256,
+       256,
+       SSL_ALL_CIPHERS,
+       SSL_ALL_STRENGTHS,
+       },
+/* Cipher 37 */
+       {
+       0,
+       TLS1_TXT_DH_RSA_WITH_AES_256_SHA,
+       TLS1_CK_DH_RSA_WITH_AES_256_SHA,
+       SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
+       SSL_NOT_EXP|SSL_HIGH,
+       0,
+       256,
+       256,
+       SSL_ALL_CIPHERS,
+       SSL_ALL_STRENGTHS,
+       },
+/* Cipher 38 */
+       {
+       1,
+       TLS1_TXT_DHE_DSS_WITH_AES_256_SHA,
+       TLS1_CK_DHE_DSS_WITH_AES_256_SHA,
+       SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1,
+       SSL_NOT_EXP|SSL_HIGH,
+       0,
+       256,
+       256,
+       SSL_ALL_CIPHERS,
+       SSL_ALL_STRENGTHS,
+       },
+/* Cipher 39 */
+       {
+       1,
+       TLS1_TXT_DHE_RSA_WITH_AES_256_SHA,
+       TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
+       SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
+       SSL_NOT_EXP|SSL_HIGH,
+       0,
+       256,
+       256,
+       SSL_ALL_CIPHERS,
+       SSL_ALL_STRENGTHS,
+       },
        /* Cipher 3A */
-           {
-           1,
-           TLS1_TXT_ADH_WITH_AES_256_SHA,
-           TLS1_CK_ADH_WITH_AES_256_SHA,
-           SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
-           SSL_NOT_EXP|SSL_HIGH,
-           0,
-           256,
-           256,
-           SSL_ALL_CIPHERS,
-           SSL_ALL_STRENGTHS,
-           },
-
+       {
+       1,
+       TLS1_TXT_ADH_WITH_AES_256_SHA,
+       TLS1_CK_ADH_WITH_AES_256_SHA,
+       SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
+       SSL_NOT_EXP|SSL_HIGH,
+       0,
+       256,
+       256,
+       SSL_ALL_CIPHERS,
+       SSL_ALL_STRENGTHS,
+       },
 #ifndef OPENSSL_NO_ECDH
        /* Cipher 47 */
            {
@@ -1087,36 +986,6 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
             SSL_ALL_STRENGTHS,
             },
 
-       /* Cipher 5B */
-       /* XXX NOTE: The ECC/TLS draft has a bug and reuses 4B for this */
-           {
-            1,
-            TLS1_TXT_ECDH_ECDSA_EXPORT_WITH_RC4_40_SHA,
-            TLS1_CK_ECDH_ECDSA_EXPORT_WITH_RC4_40_SHA,
-            SSL_kECDH|SSL_aECDSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
-            SSL_EXPORT|SSL_EXP40,
-            0,
-            40,
-            128,
-            SSL_ALL_CIPHERS,
-            SSL_ALL_STRENGTHS,
-            },
-
-       /* Cipher 5C */
-       /* XXX NOTE: The ECC/TLS draft has a bug and reuses 4C for this */
-           {
-            1,
-            TLS1_TXT_ECDH_ECDSA_EXPORT_WITH_RC4_56_SHA,
-            TLS1_CK_ECDH_ECDSA_EXPORT_WITH_RC4_56_SHA,
-            SSL_kECDH|SSL_aECDSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
-            SSL_EXPORT|SSL_EXP56,
-            0,
-            56,
-            128,
-            SSL_ALL_CIPHERS,
-            SSL_ALL_STRENGTHS,
-            },
-
        /* Cipher 4D */
            {
             1,
@@ -1312,7 +1181,134 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
             SSL_ALL_CIPHERS,
             SSL_ALL_STRENGTHS,
             },
+       /* Cipher 5B */
+       /* XXX NOTE: The ECC/TLS draft has a bug and reuses 4B for this */
+           {
+            1,
+            TLS1_TXT_ECDH_ECDSA_EXPORT_WITH_RC4_40_SHA,
+            TLS1_CK_ECDH_ECDSA_EXPORT_WITH_RC4_40_SHA,
+            SSL_kECDH|SSL_aECDSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
+            SSL_EXPORT|SSL_EXP40,
+            0,
+            40,
+            128,
+            SSL_ALL_CIPHERS,
+            SSL_ALL_STRENGTHS,
+            },
+
+       /* Cipher 5C */
+       /* XXX NOTE: The ECC/TLS draft has a bug and reuses 4C for this */
+           {
+            1,
+            TLS1_TXT_ECDH_ECDSA_EXPORT_WITH_RC4_56_SHA,
+            TLS1_CK_ECDH_ECDSA_EXPORT_WITH_RC4_56_SHA,
+            SSL_kECDH|SSL_aECDSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
+            SSL_EXPORT|SSL_EXP56,
+            0,
+            56,
+            128,
+            SSL_ALL_CIPHERS,
+            SSL_ALL_STRENGTHS,
+            },
+
+#endif /* OPENSSL_NO_ECDH */
+
+#if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES
+       /* New TLS Export CipherSuites */
+       /* Cipher 60 */
+           {
+           1,
+           TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5,
+           TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5,
+           SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_TLSV1,
+           SSL_EXPORT|SSL_EXP56,
+           0,
+           56,
+           128,
+           SSL_ALL_CIPHERS,
+           SSL_ALL_STRENGTHS,
+           },
+       /* Cipher 61 */
+           {
+           1,
+           TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5,
+           TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5,
+           SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_TLSV1,
+           SSL_EXPORT|SSL_EXP56,
+           0,
+           56,
+           128,
+           SSL_ALL_CIPHERS,
+           SSL_ALL_STRENGTHS,
+           },
+       /* Cipher 62 */
+           {
+           1,
+           TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA,
+           TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA,
+           SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA|SSL_TLSV1,
+           SSL_EXPORT|SSL_EXP56,
+           0,
+           56,
+           56,
+           SSL_ALL_CIPHERS,
+           SSL_ALL_STRENGTHS,
+           },
+       /* Cipher 63 */
+           {
+           1,
+           TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
+           TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
+           SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA|SSL_TLSV1,
+           SSL_EXPORT|SSL_EXP56,
+           0,
+           56,
+           56,
+           SSL_ALL_CIPHERS,
+           SSL_ALL_STRENGTHS,
+           },
+       /* Cipher 64 */
+           {
+           1,
+           TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA,
+           TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA,
+           SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
+           SSL_EXPORT|SSL_EXP56,
+           0,
+           56,
+           128,
+           SSL_ALL_CIPHERS,
+           SSL_ALL_STRENGTHS,
+           },
+       /* Cipher 65 */
+           {
+           1,
+           TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
+           TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
+           SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1,
+           SSL_EXPORT|SSL_EXP56,
+           0,
+           56,
+           128,
+           SSL_ALL_CIPHERS,
+           SSL_ALL_STRENGTHS,
+           },
+       /* Cipher 66 */
+           {
+           1,
+           TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA,
+           TLS1_CK_DHE_DSS_WITH_RC4_128_SHA,
+           SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1,
+           SSL_NOT_EXP|SSL_MEDIUM,
+           0,
+           128,
+           128,
+           SSL_ALL_CIPHERS,
+           SSL_ALL_STRENGTHS
+           },
+#endif
 
+#ifndef OPENSSL_NO_ECDH
        /* Cipher 77 XXX: ECC ciphersuites offering forward secrecy
         * are not yet specified in the ECC/TLS draft but our code
         * allows them to be implemented very easily. To add such
@@ -1349,7 +1345,6 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
             SSL_ALL_CIPHERS,
             SSL_ALL_STRENGTHS,
             },
-
 #endif /* !OPENSSL_NO_ECDH */
 
 /* end of list */
@@ -1891,41 +1886,20 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
  * available */
 SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p)
        {
-       static int init=1;
-       static SSL_CIPHER *sorted[SSL3_NUM_CIPHERS];
-       SSL_CIPHER c,*cp= &c,**cpp;
+       SSL_CIPHER c,*cp;
        unsigned long id;
        unsigned int i;
 
-       if (init)
-               {
-               CRYPTO_w_lock(CRYPTO_LOCK_SSL);
-
-               if (init)
-                       {
-                       for (i=0; i<SSL3_NUM_CIPHERS; i++)
-                               sorted[i]= &(ssl3_ciphers[i]);
-
-                       qsort(sorted,
-                               SSL3_NUM_CIPHERS,sizeof(SSL_CIPHER *),
-                               FP_ICC ssl_cipher_ptr_id_cmp);
-
-                       init=0;
-                       }
-               
-               CRYPTO_w_unlock(CRYPTO_LOCK_SSL);
-               }
-
        id=0x03000000L|((unsigned long)p[0]<<8L)|(unsigned long)p[1];
        c.id=id;
-       cpp=(SSL_CIPHER **)OBJ_bsearch((char *)&cp,
-               (char *)sorted,
-               SSL3_NUM_CIPHERS,sizeof(SSL_CIPHER *),
-               FP_ICC ssl_cipher_ptr_id_cmp);
-       if ((cpp == NULL) || !(*cpp)->valid)
-               return(NULL);
+       cp = (SSL_CIPHER *)OBJ_bsearch((char *)&c,
+               (char *)ssl3_ciphers,
+               SSL3_NUM_CIPHERS,sizeof(SSL_CIPHER),
+               FP_ICC ssl_cipher_id_cmp);
+       if (cp == NULL || cp->valid == 0)
+               return NULL;
        else
-               return(*cpp);
+               return cp;
        }
 
 int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p)
index 8c04e7434d3fcf59c7bc8fa5630a63beea5e9024..c77dc86673b48c12d7b2fd4d102f263d74391034 100644 (file)
@@ -224,6 +224,7 @@ static const char rnd_seed[] = "string to make the random number generator think
 
 int doit_biopair(SSL *s_ssl,SSL *c_ssl,long bytes,clock_t *s_time,clock_t *c_time);
 int doit(SSL *s_ssl,SSL *c_ssl,long bytes);
+static int do_test_cipherlist(void);
 static void sv_usage(void)
        {
        fprintf(stderr,"usage: ssltest [args ...]\n");
@@ -272,6 +273,7 @@ static void sv_usage(void)
                       "                 Use \"openssl ecparam -list_curves\" for all names\n"  \
                       "                 (default is sect163r2).\n");
 #endif
+       fprintf(stderr," -test_cipherlist - verifies the order of the ssl cipher lists\n");
        }
 
 static void print_details(SSL *c_ssl, const char *prefix)
@@ -381,6 +383,7 @@ static void lock_dbg_cb(int mode, int type, const char *file, int line)
                }
        }
 
+
 int main(int argc, char *argv[])
        {
        char *CApath=NULL,*CAfile=NULL;
@@ -419,6 +422,7 @@ int main(int argc, char *argv[])
        int comp = 0;
        COMP_METHOD *cm = NULL;
        STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
+       int test_cipherlist = 0;
 
        verbose = 0;
        debug = 0;
@@ -594,6 +598,10 @@ int main(int argc, char *argv[])
                        {
                        app_verify_arg.allow_proxy_certs = 1;
                        }
+               else if (strcmp(*argv,"-test_cipherlist") == 0)
+                       {
+                       test_cipherlist = 1;
+                       }
                else
                        {
                        fprintf(stderr,"unknown option %s\n",*argv);
@@ -610,6 +618,15 @@ bad:
                goto end;
                }
 
+       if (test_cipherlist == 1)
+               {
+               /* ensure that the cipher list are correctly sorted and exit */
+               if (do_test_cipherlist() == 0)
+                       EXIT(1);
+               ret = 0;
+               goto end;
+               }
+
        if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force)
                {
                fprintf(stderr, "This case cannot work.  Use -f to perform "
@@ -2213,4 +2230,57 @@ static DH *get_dh1024dsa()
        dh->length = 160;
        return(dh);
        }
+
+static int do_test_cipherlist(void)
+       {
+       int i = 0;
+       const SSL_METHOD *meth;
+       SSL_CIPHER *ci, *tci = NULL;
+
+       fprintf(stderr, "testing SSLv2 cipher list order: ");
+       meth = SSLv2_method();
+       while ((ci = meth->get_cipher(i++)) != NULL)
+               {
+               if (tci != NULL)
+                       if (ci->id >= tci->id)
+                               {
+                               fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
+                               return 0;
+                               }
+               tci = ci;
+               }
+       fprintf(stderr, "ok\n");
+
+       fprintf(stderr, "testing SSLv3 cipher list order: ");
+       meth = SSLv3_method();
+       tci = NULL;
+       while ((ci = meth->get_cipher(i++)) != NULL)
+               {
+               if (tci != NULL)
+                       if (ci->id >= tci->id)
+                               {
+                               fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
+                               return 0;
+                               }
+               tci = ci;
+               }
+       fprintf(stderr, "ok\n");
+
+       fprintf(stderr, "testing TLSv1 cipher list order: ");
+       meth = TLSv1_method();
+       tci = NULL;
+       while ((ci = meth->get_cipher(i++)) != NULL)
+               {
+               if (tci != NULL)
+                       if (ci->id >= tci->id)
+                               {
+                               fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
+                               return 0;
+                               }
+               tci = ci;
+               }
+       fprintf(stderr, "ok\n");
+
+       return 1;
+       }
 #endif
index f74856956306af9c8f7515758a0d3c32b10c8a21..c7c9abcc431a446ad8244527b19d3be71604e357 100644 (file)
@@ -265,6 +265,7 @@ test_engine:
 test_ssl: keyU.ss certU.ss certCA.ss certP1.ss keyP1.ss certP2.ss keyP2.ss \
                intP1.ss intP2.ss
        @echo "test SSL protocol"
+       ../util/shlib_wrap.sh ./$(SSLTEST) -test_cipherlist
        @sh ./testssl keyU.ss certU.ss certCA.ss
        @sh ./testsslproxy keyP1.ss certP1.ss intP1.ss
        @sh ./testsslproxy keyP2.ss certP2.ss intP2.ss