diff --git a/lib/modules/SSL.pmod/cipher.pike b/lib/modules/SSL.pmod/cipher.pike
index 192893ba1f0b599a5c12d182150972c80e0df498..fe23f56e1505d9bbec3b1c210d66a35da2c1b6a0 100644
--- a/lib/modules/SSL.pmod/cipher.pike
+++ b/lib/modules/SSL.pmod/cipher.pike
@@ -1,4 +1,4 @@
-/* $Id: cipher.pike,v 1.11 1999/03/15 19:44:12 nisse Exp $
+/* $Id: cipher.pike,v 1.12 1999/05/22 23:08:58 mast Exp $
*
*/
@@ -279,17 +279,32 @@ array lookup(int suite)
switch(algorithms[1])
{
- case CIPHER_rc4:
+ case CIPHER_rc4_40:
res->bulk_cipher_algorithm = Crypto.rc4;
res->cipher_type = CIPHER_stream;
- res->is_exportable = 0;
+ res->is_exportable = 1;
res->key_material = 16;
res->iv_size = 0;
break;
- case CIPHER_rc4_40:
- res->bulk_cipher_algorithm = Crypto.rc4;
+ case CIPHER_des40:
+ res->bulk_cipher_algorithm = des;
+ res->cipher_type = CIPHER_block;
+ res->is_exportable = 1;
+ res->key_material = 8;
+ res->iv_size = 8;
+ break;
+ case CIPHER_null:
+ res->bulk_cipher_algorithm = 0;
res->cipher_type = CIPHER_stream;
res->is_exportable = 1;
+ res->key_material = 0;
+ res->iv_size = 0;
+ break;
+#ifndef WEAK_CRYPTO_40BIT
+ case CIPHER_rc4:
+ res->bulk_cipher_algorithm = Crypto.rc4;
+ res->cipher_type = CIPHER_stream;
+ res->is_exportable = 0;
res->key_material = 16;
res->iv_size = 0;
break;
@@ -307,13 +322,6 @@ array lookup(int suite)
res->key_material = 24;
res->iv_size = 8;
break;
- case CIPHER_des40:
- res->bulk_cipher_algorithm = des;
- res->cipher_type = CIPHER_block;
- res->is_exportable = 1;
- res->key_material = 8;
- res->iv_size = 8;
- break;
case CIPHER_idea:
res->bulk_cipher_algorithm = Crypto.idea_cbc;
res->cipher_type = CIPHER_block;
@@ -321,13 +329,7 @@ array lookup(int suite)
res->key_material = 16;
res->iv_size = 8;
break;
- case CIPHER_null:
- res->bulk_cipher_algorithm = 0;
- res->cipher_type = CIPHER_stream;
- res->is_exportable = 1;
- res->key_material = 0;
- res->iv_size = 0;
- break;
+#endif /* !WEAK_CRYPTO_40BIT (magic comment) */
default:
return 0;
}
diff --git a/lib/modules/SSL.pmod/constants.pike b/lib/modules/SSL.pmod/constants.pike
index 9fc8614659d2e7edc80a0296ace72ccabf8c481b..c32c546f0b466d5e94ea20b7c73cb4fdd9576c4e 100644
--- a/lib/modules/SSL.pmod/constants.pike
+++ b/lib/modules/SSL.pmod/constants.pike
@@ -1,4 +1,4 @@
-/* $Id: constants.pike,v 1.6 1999/03/09 14:41:44 nisse Exp $
+/* $Id: constants.pike,v 1.7 1999/05/22 23:08:59 mast Exp $
*
*/
@@ -21,23 +21,28 @@ constant CIPHER_block = 1;
constant CIPHER_types = (< CIPHER_stream, CIPHER_block >);
constant CIPHER_null = 0;
-constant CIPHER_rc4 = 1;
constant CIPHER_rc4_40 = 2;
constant CIPHER_rc2 = 3;
+constant CIPHER_des40 = 6;
+#ifndef WEAK_CRYPTO_40BIT
+constant CIPHER_rc4 = 1;
constant CIPHER_des = 4;
constant CIPHER_3des = 5;
-constant CIPHER_des40 = 6;
constant CIPHER_fortezza = 7;
constant CIPHER_idea = 8;
+#endif /* !WEAK_CRYPTO_40BIT (magic comment) */
constant CIPHER_algorithms = (< CIPHER_null,
- CIPHER_rc4,
CIPHER_rc4_40,
CIPHER_rc2,
+ CIPHER_des40,
+#ifndef WEAK_CRYPTO_40BIT
+ CIPHER_rc4,
CIPHER_des,
CIPHER_3des,
- CIPHER_des40,
CIPHER_fortezza,
- CIPHER_idea >);
+ CIPHER_idea,
+#endif /* !WEAK_CRYPTO_40BIT (magic comment) */
+ >);
constant HASH_md5 = 1;
constant HASH_sha = 2;
@@ -94,33 +99,35 @@ constant SSL_null_with_null_null = 0x0000;
constant SSL_rsa_with_null_md5 = 0x0001;
constant SSL_rsa_with_null_sha = 0x0002;
constant SSL_rsa_export_with_rc4_40_md5 = 0x0003;
+constant SSL_rsa_export_with_rc2_cbc_40_md5 = 0x0006;
+constant SSL_rsa_export_with_des40_cbc_sha = 0x0008;
+constant SSL_dh_dss_export_with_des40_cbc_sha = 0x000b;
+constant SSL_dh_rsa_export_with_des40_cbc_sha = 0x000e;
+constant SSL_dhe_dss_export_with_des40_cbc_sha = 0x0011;
+constant SSL_dhe_rsa_export_with_des40_cbc_sha = 0x0014;
+constant SSL_dh_anon_export_with_rc4_40_md5 = 0x0017;
+constant SSL_dh_anon_export_with_des40_cbc_sha = 0x0019;
+#ifndef WEAK_CRYPTO_40BIT
constant SSL_rsa_with_rc4_128_md5 = 0x0004;
constant SSL_rsa_with_rc4_128_sha = 0x0005;
-constant SSL_rsa_export_with_rc2_cbc_40_md5 = 0x0006;
constant SSL_rsa_with_idea_cbc_sha = 0x0007;
-constant SSL_rsa_export_with_des40_cbc_sha = 0x0008;
constant SSL_rsa_with_des_cbc_sha = 0x0009;
constant SSL_rsa_with_3des_ede_cbc_sha = 0x000a;
-constant SSL_dh_dss_export_with_des40_cbc_sha = 0x000b;
constant SSL_dh_dss_with_des_cbc_sha = 0x000c;
constant SSL_dh_dss_with_3des_ede_cbc_sha = 0x000d;
-constant SSL_dh_rsa_export_with_des40_cbc_sha = 0x000e;
constant SSL_dh_rsa_with_des_cbc_sha = 0x000f;
constant SSL_dh_rsa_with_3des_ede_cbc_sha = 0x0010;
-constant SSL_dhe_dss_export_with_des40_cbc_sha = 0x0011;
constant SSL_dhe_dss_with_des_cbc_sha = 0x0012;
constant SSL_dhe_dss_with_3des_ede_cbc_sha = 0x0013;
-constant SSL_dhe_rsa_export_with_des40_cbc_sha = 0x0014;
constant SSL_dhe_rsa_with_des_cbc_sha = 0x0015;
constant SSL_dhe_rsa_with_3des_ede_cbc_sha = 0x0016;
-constant SSL_dh_anon_export_with_rc4_40_md5 = 0x0017;
constant SSL_dh_anon_with_rc4_128_md5 = 0x0018;
-constant SSL_dh_anon_export_with_des40_cbc_sha = 0x0019;
constant SSL_dh_anon_with_des_cbc_sha = 0x001a;
constant SSL_dh_anon_with_3des_ede_cbc_sha = 0x001b;
constant SSL_fortezza_dms_with_null_sha = 0x001c;
constant SSL_fortezza_dms_with_fortezza_cbc_sha = 0x001d;
constant SSL_fortezza_dms_with_rc4_128_sha = 0x001e;
+#endif /* !WEAK_CRYPTO_40BIT (magic comment) */
#if 0
/* Methods for signing any server_key_exchange message */
@@ -136,15 +143,17 @@ constant CIPHER_SUITES =
SSL_rsa_with_null_md5 : ({ KE_rsa, 0, HASH_md5 }),
SSL_rsa_with_null_sha : ({ KE_rsa, 0, HASH_sha }),
SSL_rsa_export_with_rc4_40_md5 : ({ KE_rsa, CIPHER_rc4_40, HASH_md5 }),
- SSL_rsa_with_rc4_128_sha : ({ KE_rsa, CIPHER_rc4, HASH_sha }),
- SSL_rsa_with_rc4_128_md5 : ({ KE_rsa, CIPHER_rc4, HASH_md5 }),
- SSL_rsa_with_idea_cbc_sha : ({ KE_rsa, CIPHER_idea, HASH_sha }),
- SSL_rsa_with_des_cbc_sha : ({ KE_rsa, CIPHER_des, HASH_sha }),
- SSL_rsa_with_3des_ede_cbc_sha : ({ KE_rsa, CIPHER_3des, HASH_sha }),
SSL_dhe_dss_export_with_des40_cbc_sha :
({ KE_dhe_dss, CIPHER_des40, HASH_sha }),
- SSL_dhe_dss_with_des_cbc_sha : ({ KE_dhe_dss, CIPHER_des, HASH_sha }),
- SSL_dhe_dss_with_3des_ede_cbc_sha : ({ KE_dhe_dss, CIPHER_3des, HASH_sha })
+#ifndef WEAK_CRYPTO_40BIT
+ SSL_rsa_with_rc4_128_sha : ({ KE_rsa, CIPHER_rc4, HASH_sha }),
+ SSL_rsa_with_rc4_128_md5 : ({ KE_rsa, CIPHER_rc4, HASH_md5 }),
+ SSL_rsa_with_idea_cbc_sha : ({ KE_rsa, CIPHER_idea, HASH_sha }),
+ SSL_rsa_with_des_cbc_sha : ({ KE_rsa, CIPHER_des, HASH_sha }),
+ SSL_rsa_with_3des_ede_cbc_sha : ({ KE_rsa, CIPHER_3des, HASH_sha }),
+ SSL_dhe_dss_with_des_cbc_sha : ({ KE_dhe_dss, CIPHER_des, HASH_sha }),
+ SSL_dhe_dss_with_3des_ede_cbc_sha : ({ KE_dhe_dss, CIPHER_3des, HASH_sha }),
+#endif /* !WEAK_CRYPTO_40BIT (magic comment) */
]);
constant HANDSHAKE_hello_v2 = -1; /* Backwards compatibility */
diff --git a/lib/modules/SSL.pmod/context.pike b/lib/modules/SSL.pmod/context.pike
index c39db06b155467ec1862141761a947ec73626d0f..e8081f371928fa8117262bbbddfea4da39cb8f54 100644
--- a/lib/modules/SSL.pmod/context.pike
+++ b/lib/modules/SSL.pmod/context.pike
@@ -1,4 +1,4 @@
-/* $Id: context.pike,v 1.8 1999/03/09 14:55:40 nisse Exp $
+/* $Id: context.pike,v 1.9 1999/05/22 23:09:00 mast Exp $
*
* Keeps track of global data for an SSL server,
* such as preferred encryption algorithms and session cache.
@@ -37,16 +37,18 @@ void rsa_mode()
#ifdef SSL3_DEBUG
werror("SSL.context: rsa_mode()\n");
#endif
- preferred_suites =
- ({ SSL_rsa_with_idea_cbc_sha,
- SSL_rsa_with_rc4_128_sha,
- SSL_rsa_with_rc4_128_md5,
- SSL_rsa_with_3des_ede_cbc_sha,
- SSL_rsa_with_des_cbc_sha,
- SSL_rsa_export_with_rc4_40_md5,
- SSL_rsa_with_null_sha,
- SSL_rsa_with_null_md5
- });
+ preferred_suites = ({
+#ifndef WEAK_CRYPTO_40BIT
+ SSL_rsa_with_idea_cbc_sha,
+ SSL_rsa_with_rc4_128_sha,
+ SSL_rsa_with_rc4_128_md5,
+ SSL_rsa_with_3des_ede_cbc_sha,
+ SSL_rsa_with_des_cbc_sha,
+#endif /* !WEAK_CRYPTO_40BIT (magic comment) */
+ SSL_rsa_export_with_rc4_40_md5,
+ SSL_rsa_with_null_sha,
+ SSL_rsa_with_null_md5,
+ });
}
void dhe_dss_mode()
@@ -54,25 +56,13 @@ void dhe_dss_mode()
#ifdef SSL3_DEBUG
werror("SSL.context: dhe_dss_mode()\n");
#endif
- preferred_suites =
- ({ SSL_dhe_dss_with_3des_ede_cbc_sha,
- SSL_dhe_dss_with_des_cbc_sha,
- SSL_dhe_dss_export_with_des40_cbc_sha,
- });
-}
-
-void export_mode()
-{
-#ifdef SSL3_DEBUG
- werror("SSL.context: export_mode()\n");
-#endif
-
- preferred_suites &=
- ({ SSL_rsa_export_with_rc4_40_md5,
- SSL_rsa_with_null_sha,
- SSL_rsa_with_null_md5,
- SSL_dhe_dss_export_with_des40_cbc_sha
- });
+ preferred_suites = ({
+#ifndef WEAK_CRYPTO_40BIT
+ SSL_dhe_dss_with_3des_ede_cbc_sha,
+ SSL_dhe_dss_with_des_cbc_sha,
+#endif /* !WEAK_CRYPTO_40BIT (magic comment) */
+ SSL_dhe_dss_export_with_des40_cbc_sha,
+ });
}
array(int) preferred_compressors =
diff --git a/lib/modules/SSL.pmod/handshake.pike b/lib/modules/SSL.pmod/handshake.pike
index 6d984e62a7c705a5ed43169959dd8c8e6a71483a..113b04c225f226bdd9a1049a037cd842b8cc6728 100644
--- a/lib/modules/SSL.pmod/handshake.pike
+++ b/lib/modules/SSL.pmod/handshake.pike
@@ -1,4 +1,4 @@
-/* $Id: handshake.pike,v 1.14 1999/03/15 19:48:59 nisse Exp $
+/* $Id: handshake.pike,v 1.15 1999/05/22 23:09:01 mast Exp $
*
*/
@@ -90,9 +90,14 @@ object server_key_exchange_packet()
switch (session->ke_method)
{
case KE_rsa:
+#ifdef WEAK_CRYPTO_40BIT
+ temp_key = context->short_rsa;
+#endif /* WEAK_CRYPTO_40BIT (magic comment) */
+#ifndef WEAK_CRYPTO_40BIT
temp_key = (session->cipher_spec->is_exportable
? context->short_rsa
: context->long_rsa);
+#endif /* !WEAK_CRYPTO_40BIT (magic comment) */
if (temp_key)
{
/* Send a ServerKeyExchange message. */
diff --git a/lib/modules/SSL.pmod/session.pike b/lib/modules/SSL.pmod/session.pike
index 6172babb20fb533461633b4912d44daf285f998a..2a5fdfaf3f9a84c50d230e2f3a6eb2cd1c5758b8 100644
--- a/lib/modules/SSL.pmod/session.pike
+++ b/lib/modules/SSL.pmod/session.pike
@@ -1,4 +1,4 @@
-/* $Id: session.pike,v 1.9 1999/03/19 14:12:14 nisse Exp $
+/* $Id: session.pike,v 1.10 1999/05/22 23:09:02 mast Exp $
*
*/
@@ -40,11 +40,17 @@ void set_compression_method(int compr)
string generate_key_block(string client_random, string server_random)
{
- int required = 2 * (cipher_spec->is_exportable
- ? (5 + cipher_spec->hash_size)
- : ( cipher_spec->key_material +
- cipher_spec->hash_size +
- cipher_spec->iv_size));
+ int required = 2 * (
+#ifndef WEAK_CRYPTO_40BIT
+ cipher_spec->is_exportable ?
+#endif /* !WEAK_CRYPTO_40BIT (magic comment) */
+ (5 + cipher_spec->hash_size)
+#ifndef WEAK_CRYPTO_40BIT
+ : ( cipher_spec->key_material +
+ cipher_spec->hash_size +
+ cipher_spec->iv_size)
+#endif /* !WEAK_CRYPTO_40BIT (magic comment) */
+ );
object sha = mac_sha();
object md5 = mac_md5();
int i = 0;
@@ -80,7 +86,9 @@ array generate_keys(string client_random, string server_random)
/* server_write_MAC_secret */
keys[1] = key_data->get_fix_string(cipher_spec->hash_size);
+#ifndef WEAK_CRYPTO_40BIT
if (cipher_spec->is_exportable)
+#endif /* !WEAK_CRYPTO_40BIT (magic comment) */
{
object md5 = mac_md5()->hash_raw;
@@ -95,7 +103,9 @@ array generate_keys(string client_random, string server_random)
keys[4] = md5(client_random + server_random)[..cipher_spec->iv_size-1];
keys[5] = md5(server_random + client_random)[..cipher_spec->iv_size-1];
}
- } else {
+ }
+#ifndef WEAK_CRYPTO_40BIT
+ else {
keys[2] = key_data->get_fix_string(cipher_spec->key_material);
keys[3] = key_data->get_fix_string(cipher_spec->key_material);
if (cipher_spec->iv_size)
@@ -104,6 +114,7 @@ array generate_keys(string client_random, string server_random)
keys[5] = key_data->get_fix_string(cipher_spec->iv_size);
}
}
+#endif /* !WEAK_CRYPTO_40BIT (magic comment) */
return keys;
}