summaryrefslogtreecommitdiff
path: root/crypto/openssl/ssl
diff options
context:
space:
mode:
Diffstat (limited to 'crypto/openssl/ssl')
-rw-r--r--crypto/openssl/ssl/Makefile.save831
-rw-r--r--crypto/openssl/ssl/Makefile.ssl47
-rw-r--r--crypto/openssl/ssl/bio_ssl.c33
-rw-r--r--crypto/openssl/ssl/s23_clnt.c16
-rw-r--r--crypto/openssl/ssl/s23_lib.c17
-rw-r--r--crypto/openssl/ssl/s23_pkt.c2
-rw-r--r--crypto/openssl/ssl/s23_srvr.c135
-rw-r--r--crypto/openssl/ssl/s2_clnt.c77
-rw-r--r--crypto/openssl/ssl/s2_enc.c9
-rw-r--r--crypto/openssl/ssl/s2_lib.c100
-rw-r--r--crypto/openssl/ssl/s2_meth.c10
-rw-r--r--crypto/openssl/ssl/s2_pkt.c10
-rw-r--r--crypto/openssl/ssl/s2_srvr.c23
-rw-r--r--crypto/openssl/ssl/s3_both.c164
-rw-r--r--crypto/openssl/ssl/s3_clnt.c45
-rw-r--r--crypto/openssl/ssl/s3_enc.c18
-rw-r--r--crypto/openssl/ssl/s3_lib.c434
-rw-r--r--crypto/openssl/ssl/s3_pkt.c761
-rw-r--r--crypto/openssl/ssl/s3_srvr.c187
-rw-r--r--crypto/openssl/ssl/ssl.h123
-rw-r--r--crypto/openssl/ssl/ssl2.h4
-rw-r--r--crypto/openssl/ssl/ssl3.h95
-rw-r--r--crypto/openssl/ssl/ssl_asn1.c32
-rw-r--r--crypto/openssl/ssl/ssl_cert.c60
-rw-r--r--crypto/openssl/ssl/ssl_ciph.c826
-rw-r--r--crypto/openssl/ssl/ssl_err.c22
-rw-r--r--crypto/openssl/ssl/ssl_lib.c178
-rw-r--r--crypto/openssl/ssl/ssl_locl.h152
-rw-r--r--crypto/openssl/ssl/ssl_sess.c89
-rw-r--r--crypto/openssl/ssl/ssl_stat.c8
-rw-r--r--crypto/openssl/ssl/ssl_task.c2
-rw-r--r--crypto/openssl/ssl/ssl_txt.c7
-rw-r--r--crypto/openssl/ssl/ssltest.c492
-rw-r--r--crypto/openssl/ssl/t1_enc.c6
-rw-r--r--crypto/openssl/ssl/t1_lib.c14
-rw-r--r--crypto/openssl/ssl/tls1.h6
36 files changed, 3695 insertions, 1340 deletions
diff --git a/crypto/openssl/ssl/Makefile.save b/crypto/openssl/ssl/Makefile.save
new file mode 100644
index 000000000000..04ed4b3b814a
--- /dev/null
+++ b/crypto/openssl/ssl/Makefile.save
@@ -0,0 +1,831 @@
+#
+# SSLeay/ssl/Makefile
+#
+
+DIR= ssl
+TOP= ..
+CC= cc
+INCLUDES= -I../crypto -I../include
+CFLAG=-g
+INSTALL_PREFIX=
+OPENSSLDIR= /usr/local/ssl
+INSTALLTOP=/usr/local/ssl
+MAKE= make -f Makefile.ssl
+MAKEDEPEND= $(TOP)/util/domd $(TOP)
+MAKEFILE= Makefile.ssl
+AR= ar r
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile README ssl-lib.com install.com
+TEST=ssltest.c
+APPS=
+
+LIB=$(TOP)/libssl.a
+LIBSRC= \
+ s2_meth.c s2_srvr.c s2_clnt.c s2_lib.c s2_enc.c s2_pkt.c \
+ s3_meth.c s3_srvr.c s3_clnt.c s3_lib.c s3_enc.c s3_pkt.c s3_both.c \
+ s23_meth.c s23_srvr.c s23_clnt.c s23_lib.c s23_pkt.c \
+ t1_meth.c t1_srvr.c t1_clnt.c t1_lib.c t1_enc.c \
+ ssl_lib.c ssl_err2.c ssl_cert.c ssl_sess.c \
+ ssl_ciph.c ssl_stat.c ssl_rsa.c \
+ ssl_asn1.c ssl_txt.c ssl_algs.c \
+ bio_ssl.c ssl_err.c
+LIBOBJ= \
+ s2_meth.o s2_srvr.o s2_clnt.o s2_lib.o s2_enc.o s2_pkt.o \
+ s3_meth.o s3_srvr.o s3_clnt.o s3_lib.o s3_enc.o s3_pkt.o s3_both.o \
+ s23_meth.o s23_srvr.o s23_clnt.o s23_lib.o s23_pkt.o \
+ t1_meth.o t1_srvr.o t1_clnt.o t1_lib.o t1_enc.o \
+ ssl_lib.o ssl_err2.o ssl_cert.o ssl_sess.o \
+ ssl_ciph.o ssl_stat.o ssl_rsa.o \
+ ssl_asn1.o ssl_txt.o ssl_algs.o \
+ bio_ssl.o ssl_err.o
+
+SRC= $(LIBSRC)
+
+EXHEADER= ssl.h ssl2.h ssl3.h ssl23.h tls1.h
+HEADER= $(EXHEADER) ssl_locl.h
+
+ALL= $(GENERAL) $(SRC) $(HEADER)
+
+top:
+ (cd ..; $(MAKE) DIRS=$(DIR) all)
+
+all: lib
+
+lib: $(LIBOBJ)
+ $(AR) $(LIB) $(LIBOBJ)
+ $(RANLIB) $(LIB)
+ @touch lib
+
+files:
+ $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+
+links:
+ @$(TOP)/util/point.sh Makefile.ssl Makefile
+ @$(PERL) $(TOP)/util/mklink.pl ../include/openssl $(EXHEADER)
+ @$(PERL) $(TOP)/util/mklink.pl ../test $(TEST)
+ @$(PERL) $(TOP)/util/mklink.pl ../apps $(APPS)
+
+install:
+ @for i in $(EXHEADER) ; \
+ do \
+ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+ done;
+
+tags:
+ ctags $(SRC)
+
+tests:
+
+lint:
+ lint -DLINT $(INCLUDES) $(SRC)>fluff
+
+depend:
+ $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+
+dclean:
+ $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+ mv -f Makefile.new $(MAKEFILE)
+
+clean:
+ rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
+
+bio_ssl.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+bio_ssl.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+bio_ssl.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+bio_ssl.o: ../include/openssl/crypto.h ../include/openssl/des.h
+bio_ssl.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+bio_ssl.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+bio_ssl.o: ../include/openssl/evp.h ../include/openssl/idea.h
+bio_ssl.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+bio_ssl.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+bio_ssl.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+bio_ssl.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+bio_ssl.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+bio_ssl.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+bio_ssl.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+bio_ssl.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+bio_ssl.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+bio_ssl.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+bio_ssl.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+bio_ssl.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+bio_ssl.o: ../include/openssl/x509_vfy.h
+s23_clnt.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s23_clnt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s23_clnt.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s23_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s23_clnt.o: ../include/openssl/des.h ../include/openssl/dh.h
+s23_clnt.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s23_clnt.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s23_clnt.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s23_clnt.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s23_clnt.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s23_clnt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s23_clnt.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s23_clnt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s23_clnt.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+s23_clnt.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+s23_clnt.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+s23_clnt.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s23_clnt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s23_clnt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s23_clnt.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+s23_clnt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+s23_lib.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s23_lib.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s23_lib.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s23_lib.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s23_lib.o: ../include/openssl/des.h ../include/openssl/dh.h
+s23_lib.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s23_lib.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s23_lib.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s23_lib.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s23_lib.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s23_lib.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s23_lib.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s23_lib.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s23_lib.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+s23_lib.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+s23_lib.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s23_lib.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s23_lib.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s23_lib.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s23_lib.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s23_lib.o: ../include/openssl/x509_vfy.h ssl_locl.h
+s23_meth.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s23_meth.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s23_meth.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s23_meth.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s23_meth.o: ../include/openssl/des.h ../include/openssl/dh.h
+s23_meth.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s23_meth.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s23_meth.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s23_meth.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s23_meth.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s23_meth.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s23_meth.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s23_meth.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s23_meth.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+s23_meth.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+s23_meth.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s23_meth.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s23_meth.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s23_meth.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s23_meth.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s23_meth.o: ../include/openssl/x509_vfy.h ssl_locl.h
+s23_pkt.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s23_pkt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s23_pkt.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s23_pkt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s23_pkt.o: ../include/openssl/des.h ../include/openssl/dh.h
+s23_pkt.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s23_pkt.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s23_pkt.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s23_pkt.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s23_pkt.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s23_pkt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s23_pkt.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s23_pkt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s23_pkt.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+s23_pkt.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+s23_pkt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s23_pkt.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s23_pkt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s23_pkt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s23_pkt.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s23_pkt.o: ../include/openssl/x509_vfy.h ssl_locl.h
+s23_srvr.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s23_srvr.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s23_srvr.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s23_srvr.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s23_srvr.o: ../include/openssl/des.h ../include/openssl/dh.h
+s23_srvr.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s23_srvr.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s23_srvr.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s23_srvr.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s23_srvr.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s23_srvr.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s23_srvr.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s23_srvr.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s23_srvr.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+s23_srvr.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+s23_srvr.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+s23_srvr.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s23_srvr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s23_srvr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s23_srvr.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+s23_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+s2_clnt.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s2_clnt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s2_clnt.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s2_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s2_clnt.o: ../include/openssl/des.h ../include/openssl/dh.h
+s2_clnt.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s2_clnt.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s2_clnt.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s2_clnt.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s2_clnt.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s2_clnt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s2_clnt.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s2_clnt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s2_clnt.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+s2_clnt.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+s2_clnt.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+s2_clnt.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s2_clnt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s2_clnt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s2_clnt.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+s2_clnt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+s2_enc.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s2_enc.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s2_enc.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s2_enc.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s2_enc.o: ../include/openssl/des.h ../include/openssl/dh.h
+s2_enc.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s2_enc.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s2_enc.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s2_enc.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s2_enc.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s2_enc.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s2_enc.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s2_enc.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s2_enc.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+s2_enc.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+s2_enc.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s2_enc.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s2_enc.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s2_enc.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s2_enc.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s2_enc.o: ../include/openssl/x509_vfy.h ssl_locl.h
+s2_lib.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s2_lib.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s2_lib.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s2_lib.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s2_lib.o: ../include/openssl/des.h ../include/openssl/dh.h
+s2_lib.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s2_lib.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s2_lib.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s2_lib.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s2_lib.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s2_lib.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s2_lib.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s2_lib.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s2_lib.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+s2_lib.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+s2_lib.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s2_lib.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s2_lib.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s2_lib.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s2_lib.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s2_lib.o: ../include/openssl/x509_vfy.h ssl_locl.h
+s2_meth.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s2_meth.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s2_meth.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s2_meth.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s2_meth.o: ../include/openssl/des.h ../include/openssl/dh.h
+s2_meth.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s2_meth.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s2_meth.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s2_meth.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s2_meth.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s2_meth.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s2_meth.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s2_meth.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s2_meth.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+s2_meth.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+s2_meth.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s2_meth.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s2_meth.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s2_meth.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s2_meth.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s2_meth.o: ../include/openssl/x509_vfy.h ssl_locl.h
+s2_pkt.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s2_pkt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s2_pkt.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s2_pkt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s2_pkt.o: ../include/openssl/des.h ../include/openssl/dh.h
+s2_pkt.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s2_pkt.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s2_pkt.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s2_pkt.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s2_pkt.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s2_pkt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s2_pkt.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s2_pkt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s2_pkt.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+s2_pkt.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+s2_pkt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s2_pkt.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s2_pkt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s2_pkt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s2_pkt.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s2_pkt.o: ../include/openssl/x509_vfy.h ssl_locl.h
+s2_srvr.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s2_srvr.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s2_srvr.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s2_srvr.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s2_srvr.o: ../include/openssl/des.h ../include/openssl/dh.h
+s2_srvr.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s2_srvr.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s2_srvr.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s2_srvr.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s2_srvr.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s2_srvr.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s2_srvr.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s2_srvr.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s2_srvr.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+s2_srvr.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+s2_srvr.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+s2_srvr.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s2_srvr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s2_srvr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s2_srvr.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+s2_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+s3_both.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s3_both.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s3_both.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s3_both.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s3_both.o: ../include/openssl/des.h ../include/openssl/dh.h
+s3_both.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s3_both.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s3_both.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s3_both.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s3_both.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s3_both.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s3_both.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s3_both.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s3_both.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+s3_both.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+s3_both.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+s3_both.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s3_both.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s3_both.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s3_both.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+s3_both.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+s3_clnt.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s3_clnt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s3_clnt.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s3_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s3_clnt.o: ../include/openssl/des.h ../include/openssl/dh.h
+s3_clnt.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s3_clnt.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s3_clnt.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s3_clnt.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s3_clnt.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s3_clnt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s3_clnt.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s3_clnt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s3_clnt.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+s3_clnt.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+s3_clnt.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+s3_clnt.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s3_clnt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s3_clnt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s3_clnt.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+s3_clnt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+s3_enc.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s3_enc.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s3_enc.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s3_enc.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s3_enc.o: ../include/openssl/des.h ../include/openssl/dh.h
+s3_enc.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s3_enc.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s3_enc.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s3_enc.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s3_enc.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s3_enc.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s3_enc.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s3_enc.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s3_enc.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+s3_enc.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+s3_enc.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s3_enc.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s3_enc.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s3_enc.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s3_enc.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s3_enc.o: ../include/openssl/x509_vfy.h ssl_locl.h
+s3_lib.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s3_lib.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s3_lib.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s3_lib.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s3_lib.o: ../include/openssl/des.h ../include/openssl/dh.h
+s3_lib.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s3_lib.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s3_lib.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s3_lib.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s3_lib.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s3_lib.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s3_lib.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s3_lib.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s3_lib.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+s3_lib.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+s3_lib.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s3_lib.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s3_lib.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s3_lib.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s3_lib.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s3_lib.o: ../include/openssl/x509_vfy.h ssl_locl.h
+s3_meth.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s3_meth.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s3_meth.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s3_meth.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s3_meth.o: ../include/openssl/des.h ../include/openssl/dh.h
+s3_meth.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s3_meth.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s3_meth.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s3_meth.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s3_meth.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s3_meth.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s3_meth.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s3_meth.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s3_meth.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+s3_meth.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+s3_meth.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s3_meth.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s3_meth.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s3_meth.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s3_meth.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s3_meth.o: ../include/openssl/x509_vfy.h ssl_locl.h
+s3_pkt.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s3_pkt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s3_pkt.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s3_pkt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s3_pkt.o: ../include/openssl/des.h ../include/openssl/dh.h
+s3_pkt.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s3_pkt.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s3_pkt.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s3_pkt.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s3_pkt.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s3_pkt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s3_pkt.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s3_pkt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s3_pkt.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+s3_pkt.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+s3_pkt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s3_pkt.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s3_pkt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s3_pkt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s3_pkt.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+s3_pkt.o: ../include/openssl/x509_vfy.h ssl_locl.h
+s3_srvr.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s3_srvr.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s3_srvr.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s3_srvr.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s3_srvr.o: ../include/openssl/des.h ../include/openssl/dh.h
+s3_srvr.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s3_srvr.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+s3_srvr.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s3_srvr.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s3_srvr.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s3_srvr.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s3_srvr.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s3_srvr.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s3_srvr.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+s3_srvr.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+s3_srvr.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+s3_srvr.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s3_srvr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s3_srvr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s3_srvr.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+s3_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+ssl_algs.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+ssl_algs.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+ssl_algs.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+ssl_algs.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+ssl_algs.o: ../include/openssl/des.h ../include/openssl/dh.h
+ssl_algs.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+ssl_algs.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+ssl_algs.o: ../include/openssl/evp.h ../include/openssl/idea.h
+ssl_algs.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+ssl_algs.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+ssl_algs.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ssl_algs.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+ssl_algs.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_algs.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+ssl_algs.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+ssl_algs.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+ssl_algs.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+ssl_algs.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+ssl_algs.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssl_algs.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl_algs.o: ../include/openssl/x509_vfy.h ssl_locl.h
+ssl_asn1.o: ../include/openssl/asn1.h ../include/openssl/asn1_mac.h
+ssl_asn1.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+ssl_asn1.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+ssl_asn1.o: ../include/openssl/cast.h ../include/openssl/comp.h
+ssl_asn1.o: ../include/openssl/crypto.h ../include/openssl/des.h
+ssl_asn1.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+ssl_asn1.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+ssl_asn1.o: ../include/openssl/err.h ../include/openssl/evp.h
+ssl_asn1.o: ../include/openssl/idea.h ../include/openssl/lhash.h
+ssl_asn1.o: ../include/openssl/md2.h ../include/openssl/md5.h
+ssl_asn1.o: ../include/openssl/mdc2.h ../include/openssl/objects.h
+ssl_asn1.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+ssl_asn1.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+ssl_asn1.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+ssl_asn1.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+ssl_asn1.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+ssl_asn1.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+ssl_asn1.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+ssl_asn1.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+ssl_asn1.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+ssl_asn1.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+ssl_cert.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+ssl_cert.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+ssl_cert.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+ssl_cert.o: ../include/openssl/comp.h ../include/openssl/conf.h
+ssl_cert.o: ../include/openssl/crypto.h ../include/openssl/des.h
+ssl_cert.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+ssl_cert.o: ../include/openssl/e_os.h ../include/openssl/e_os.h
+ssl_cert.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+ssl_cert.o: ../include/openssl/evp.h ../include/openssl/idea.h
+ssl_cert.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+ssl_cert.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+ssl_cert.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ssl_cert.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+ssl_cert.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_cert.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+ssl_cert.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+ssl_cert.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+ssl_cert.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+ssl_cert.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+ssl_cert.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssl_cert.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl_cert.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h
+ssl_cert.o: ssl_locl.h
+ssl_ciph.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+ssl_ciph.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+ssl_ciph.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+ssl_ciph.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+ssl_ciph.o: ../include/openssl/des.h ../include/openssl/dh.h
+ssl_ciph.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+ssl_ciph.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+ssl_ciph.o: ../include/openssl/evp.h ../include/openssl/idea.h
+ssl_ciph.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+ssl_ciph.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+ssl_ciph.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ssl_ciph.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+ssl_ciph.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_ciph.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+ssl_ciph.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+ssl_ciph.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+ssl_ciph.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+ssl_ciph.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+ssl_ciph.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssl_ciph.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl_ciph.o: ../include/openssl/x509_vfy.h ssl_locl.h
+ssl_err.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+ssl_err.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+ssl_err.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+ssl_err.o: ../include/openssl/crypto.h ../include/openssl/des.h
+ssl_err.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+ssl_err.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+ssl_err.o: ../include/openssl/evp.h ../include/openssl/idea.h
+ssl_err.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+ssl_err.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+ssl_err.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ssl_err.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+ssl_err.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_err.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+ssl_err.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+ssl_err.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+ssl_err.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+ssl_err.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+ssl_err.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssl_err.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl_err.o: ../include/openssl/x509_vfy.h
+ssl_err2.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+ssl_err2.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+ssl_err2.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+ssl_err2.o: ../include/openssl/crypto.h ../include/openssl/des.h
+ssl_err2.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+ssl_err2.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+ssl_err2.o: ../include/openssl/evp.h ../include/openssl/idea.h
+ssl_err2.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+ssl_err2.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+ssl_err2.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ssl_err2.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+ssl_err2.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_err2.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+ssl_err2.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+ssl_err2.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+ssl_err2.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+ssl_err2.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+ssl_err2.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssl_err2.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl_err2.o: ../include/openssl/x509_vfy.h
+ssl_lib.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+ssl_lib.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+ssl_lib.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+ssl_lib.o: ../include/openssl/comp.h ../include/openssl/conf.h
+ssl_lib.o: ../include/openssl/crypto.h ../include/openssl/des.h
+ssl_lib.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+ssl_lib.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+ssl_lib.o: ../include/openssl/err.h ../include/openssl/evp.h
+ssl_lib.o: ../include/openssl/idea.h ../include/openssl/lhash.h
+ssl_lib.o: ../include/openssl/md2.h ../include/openssl/md5.h
+ssl_lib.o: ../include/openssl/mdc2.h ../include/openssl/objects.h
+ssl_lib.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+ssl_lib.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+ssl_lib.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+ssl_lib.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+ssl_lib.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+ssl_lib.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+ssl_lib.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+ssl_lib.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+ssl_lib.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+ssl_lib.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+ssl_lib.o: ../include/openssl/x509v3.h ssl_locl.h
+ssl_rsa.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+ssl_rsa.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+ssl_rsa.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+ssl_rsa.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+ssl_rsa.o: ../include/openssl/des.h ../include/openssl/dh.h
+ssl_rsa.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+ssl_rsa.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+ssl_rsa.o: ../include/openssl/evp.h ../include/openssl/idea.h
+ssl_rsa.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+ssl_rsa.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+ssl_rsa.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ssl_rsa.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+ssl_rsa.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_rsa.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+ssl_rsa.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+ssl_rsa.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+ssl_rsa.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+ssl_rsa.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+ssl_rsa.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssl_rsa.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl_rsa.o: ../include/openssl/x509_vfy.h ssl_locl.h
+ssl_sess.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+ssl_sess.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+ssl_sess.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+ssl_sess.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+ssl_sess.o: ../include/openssl/des.h ../include/openssl/dh.h
+ssl_sess.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+ssl_sess.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+ssl_sess.o: ../include/openssl/evp.h ../include/openssl/idea.h
+ssl_sess.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+ssl_sess.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+ssl_sess.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ssl_sess.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+ssl_sess.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_sess.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+ssl_sess.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+ssl_sess.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+ssl_sess.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+ssl_sess.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+ssl_sess.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+ssl_sess.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+ssl_sess.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+ssl_stat.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+ssl_stat.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+ssl_stat.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+ssl_stat.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+ssl_stat.o: ../include/openssl/des.h ../include/openssl/dh.h
+ssl_stat.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+ssl_stat.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+ssl_stat.o: ../include/openssl/evp.h ../include/openssl/idea.h
+ssl_stat.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+ssl_stat.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+ssl_stat.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ssl_stat.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+ssl_stat.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_stat.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+ssl_stat.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+ssl_stat.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+ssl_stat.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+ssl_stat.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+ssl_stat.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssl_stat.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl_stat.o: ../include/openssl/x509_vfy.h ssl_locl.h
+ssl_txt.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+ssl_txt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+ssl_txt.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+ssl_txt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+ssl_txt.o: ../include/openssl/des.h ../include/openssl/dh.h
+ssl_txt.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+ssl_txt.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+ssl_txt.o: ../include/openssl/evp.h ../include/openssl/idea.h
+ssl_txt.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+ssl_txt.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+ssl_txt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ssl_txt.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+ssl_txt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ssl_txt.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+ssl_txt.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+ssl_txt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+ssl_txt.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+ssl_txt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+ssl_txt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ssl_txt.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+ssl_txt.o: ../include/openssl/x509_vfy.h ssl_locl.h
+t1_clnt.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+t1_clnt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+t1_clnt.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+t1_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+t1_clnt.o: ../include/openssl/des.h ../include/openssl/dh.h
+t1_clnt.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+t1_clnt.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+t1_clnt.o: ../include/openssl/evp.h ../include/openssl/idea.h
+t1_clnt.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+t1_clnt.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+t1_clnt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+t1_clnt.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+t1_clnt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+t1_clnt.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+t1_clnt.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+t1_clnt.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+t1_clnt.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+t1_clnt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+t1_clnt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+t1_clnt.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+t1_clnt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+t1_enc.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+t1_enc.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+t1_enc.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+t1_enc.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+t1_enc.o: ../include/openssl/des.h ../include/openssl/dh.h
+t1_enc.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+t1_enc.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+t1_enc.o: ../include/openssl/evp.h ../include/openssl/hmac.h
+t1_enc.o: ../include/openssl/idea.h ../include/openssl/lhash.h
+t1_enc.o: ../include/openssl/md2.h ../include/openssl/md5.h
+t1_enc.o: ../include/openssl/mdc2.h ../include/openssl/objects.h
+t1_enc.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+t1_enc.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+t1_enc.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+t1_enc.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+t1_enc.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+t1_enc.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+t1_enc.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+t1_enc.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+t1_enc.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+t1_enc.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+t1_lib.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+t1_lib.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+t1_lib.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+t1_lib.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+t1_lib.o: ../include/openssl/des.h ../include/openssl/dh.h
+t1_lib.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+t1_lib.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+t1_lib.o: ../include/openssl/evp.h ../include/openssl/idea.h
+t1_lib.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+t1_lib.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+t1_lib.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+t1_lib.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+t1_lib.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+t1_lib.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+t1_lib.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+t1_lib.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+t1_lib.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+t1_lib.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+t1_lib.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+t1_lib.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+t1_lib.o: ../include/openssl/x509_vfy.h ssl_locl.h
+t1_meth.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+t1_meth.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+t1_meth.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+t1_meth.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+t1_meth.o: ../include/openssl/des.h ../include/openssl/dh.h
+t1_meth.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+t1_meth.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+t1_meth.o: ../include/openssl/evp.h ../include/openssl/idea.h
+t1_meth.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+t1_meth.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+t1_meth.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+t1_meth.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+t1_meth.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+t1_meth.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+t1_meth.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+t1_meth.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+t1_meth.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+t1_meth.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+t1_meth.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+t1_meth.o: ../include/openssl/tls1.h ../include/openssl/x509.h
+t1_meth.o: ../include/openssl/x509_vfy.h ssl_locl.h
+t1_srvr.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+t1_srvr.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+t1_srvr.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+t1_srvr.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+t1_srvr.o: ../include/openssl/des.h ../include/openssl/dh.h
+t1_srvr.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+t1_srvr.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+t1_srvr.o: ../include/openssl/evp.h ../include/openssl/idea.h
+t1_srvr.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+t1_srvr.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+t1_srvr.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+t1_srvr.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+t1_srvr.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+t1_srvr.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+t1_srvr.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+t1_srvr.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+t1_srvr.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+t1_srvr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+t1_srvr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+t1_srvr.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+t1_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
diff --git a/crypto/openssl/ssl/Makefile.ssl b/crypto/openssl/ssl/Makefile.ssl
index 7f9c6ead8a8e..04ed4b3b814a 100644
--- a/crypto/openssl/ssl/Makefile.ssl
+++ b/crypto/openssl/ssl/Makefile.ssl
@@ -537,9 +537,10 @@ ssl_asn1.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
ssl_cert.o: ../include/openssl/asn1.h ../include/openssl/bio.h
ssl_cert.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
ssl_cert.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-ssl_cert.o: ../include/openssl/comp.h ../include/openssl/crypto.h
-ssl_cert.o: ../include/openssl/des.h ../include/openssl/dh.h
-ssl_cert.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+ssl_cert.o: ../include/openssl/comp.h ../include/openssl/conf.h
+ssl_cert.o: ../include/openssl/crypto.h ../include/openssl/des.h
+ssl_cert.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+ssl_cert.o: ../include/openssl/e_os.h ../include/openssl/e_os.h
ssl_cert.o: ../include/openssl/e_os2.h ../include/openssl/err.h
ssl_cert.o: ../include/openssl/evp.h ../include/openssl/idea.h
ssl_cert.o: ../include/openssl/lhash.h ../include/openssl/md2.h
@@ -554,7 +555,8 @@ ssl_cert.o: ../include/openssl/sha.h ../include/openssl/ssl.h
ssl_cert.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
ssl_cert.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
ssl_cert.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-ssl_cert.o: ../include/openssl/x509_vfy.h ssl_locl.h
+ssl_cert.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h
+ssl_cert.o: ssl_locl.h
ssl_ciph.o: ../include/openssl/asn1.h ../include/openssl/bio.h
ssl_ciph.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
ssl_ciph.o: ../include/openssl/buffer.h ../include/openssl/cast.h
@@ -619,24 +621,25 @@ ssl_err2.o: ../include/openssl/x509_vfy.h
ssl_lib.o: ../include/openssl/asn1.h ../include/openssl/bio.h
ssl_lib.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
ssl_lib.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-ssl_lib.o: ../include/openssl/comp.h ../include/openssl/crypto.h
-ssl_lib.o: ../include/openssl/des.h ../include/openssl/dh.h
-ssl_lib.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-ssl_lib.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-ssl_lib.o: ../include/openssl/evp.h ../include/openssl/idea.h
-ssl_lib.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-ssl_lib.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
-ssl_lib.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-ssl_lib.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-ssl_lib.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-ssl_lib.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-ssl_lib.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-ssl_lib.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-ssl_lib.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-ssl_lib.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-ssl_lib.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-ssl_lib.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-ssl_lib.o: ../include/openssl/x509_vfy.h ssl_locl.h
+ssl_lib.o: ../include/openssl/comp.h ../include/openssl/conf.h
+ssl_lib.o: ../include/openssl/crypto.h ../include/openssl/des.h
+ssl_lib.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+ssl_lib.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+ssl_lib.o: ../include/openssl/err.h ../include/openssl/evp.h
+ssl_lib.o: ../include/openssl/idea.h ../include/openssl/lhash.h
+ssl_lib.o: ../include/openssl/md2.h ../include/openssl/md5.h
+ssl_lib.o: ../include/openssl/mdc2.h ../include/openssl/objects.h
+ssl_lib.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+ssl_lib.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+ssl_lib.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+ssl_lib.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+ssl_lib.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+ssl_lib.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+ssl_lib.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+ssl_lib.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+ssl_lib.o: ../include/openssl/stack.h ../include/openssl/tls1.h
+ssl_lib.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+ssl_lib.o: ../include/openssl/x509v3.h ssl_locl.h
ssl_rsa.o: ../include/openssl/asn1.h ../include/openssl/bio.h
ssl_rsa.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
ssl_rsa.o: ../include/openssl/buffer.h ../include/openssl/cast.h
diff --git a/crypto/openssl/ssl/bio_ssl.c b/crypto/openssl/ssl/bio_ssl.c
index f62cde4e5d51..d73c41adcdc2 100644
--- a/crypto/openssl/ssl/bio_ssl.c
+++ b/crypto/openssl/ssl/bio_ssl.c
@@ -71,6 +71,7 @@ static int ssl_puts(BIO *h,char *str);
static long ssl_ctrl(BIO *h,int cmd,long arg1,char *arg2);
static int ssl_new(BIO *h);
static int ssl_free(BIO *data);
+static long ssl_callback_ctrl(BIO *h,int cmd,void (*fp)());
typedef struct bio_ssl_st
{
SSL *ssl; /* The ssl handle :-) */
@@ -92,6 +93,7 @@ static BIO_METHOD methods_sslp=
ssl_ctrl,
ssl_new,
ssl_free,
+ ssl_callback_ctrl,
};
BIO_METHOD *BIO_f_ssl(void)
@@ -444,7 +446,14 @@ static long ssl_ctrl(BIO *b, int cmd, long num, char *ptr)
ret=BIO_ctrl(ssl->rbio,cmd,num,ptr);
break;
case BIO_CTRL_SET_CALLBACK:
- SSL_set_info_callback(ssl,(void (*)())ptr);
+ {
+#if 0 /* FIXME: Should this be used? -- Richard Levitte */
+ BIOerr(SSL_F_SSL_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+ ret = -1;
+#else
+ ret=0;
+#endif
+ }
break;
case BIO_CTRL_GET_CALLBACK:
{
@@ -461,6 +470,28 @@ static long ssl_ctrl(BIO *b, int cmd, long num, char *ptr)
return(ret);
}
+static long ssl_callback_ctrl(BIO *b, int cmd, void (*fp)())
+ {
+ SSL *ssl;
+ BIO_SSL *bs;
+ long ret=1;
+
+ bs=(BIO_SSL *)b->ptr;
+ ssl=bs->ssl;
+ switch (cmd)
+ {
+ case BIO_CTRL_SET_CALLBACK:
+ {
+ SSL_set_info_callback(ssl,fp);
+ }
+ break;
+ default:
+ ret=BIO_callback_ctrl(ssl->rbio,cmd,fp);
+ break;
+ }
+ return(ret);
+ }
+
static int ssl_puts(BIO *bp, char *str)
{
int n,ret;
diff --git a/crypto/openssl/ssl/s23_clnt.c b/crypto/openssl/ssl/s23_clnt.c
index 299d2ae5d28e..aaedf6a9bbcb 100644
--- a/crypto/openssl/ssl/s23_clnt.c
+++ b/crypto/openssl/ssl/s23_clnt.c
@@ -68,8 +68,10 @@ static int ssl23_client_hello(SSL *s);
static int ssl23_get_server_hello(SSL *s);
static SSL_METHOD *ssl23_get_client_method(int ver)
{
+#ifndef NO_SSL2
if (ver == SSL2_VERSION)
return(SSLv2_client_method());
+#endif
if (ver == SSL3_VERSION)
return(SSLv3_client_method());
else if (ver == TLS1_VERSION)
@@ -102,7 +104,7 @@ int ssl23_connect(SSL *s)
int ret= -1;
int new_state,state;
- RAND_seed(&Time,sizeof(Time));
+ RAND_add(&Time,sizeof(Time),0);
ERR_clear_error();
clear_sys_error();
@@ -222,7 +224,7 @@ static int ssl23_client_hello(SSL *s)
#endif
p=s->s3->client_random;
- RAND_bytes(p,SSL3_RANDOM_SIZE);
+ RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE);
/* Do the message type and length last */
d= &(buf[2]);
@@ -283,7 +285,7 @@ static int ssl23_client_hello(SSL *s)
i=ch_len;
s2n(i,d);
memset(&(s->s3->client_random[0]),0,SSL3_RANDOM_SIZE);
- RAND_bytes(&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i);
+ RAND_pseudo_bytes(&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i);
memcpy(p,&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i);
p+=i;
@@ -307,7 +309,7 @@ static int ssl23_get_server_hello(SSL *s)
{
char buf[8];
unsigned char *p;
- int i,ch_len;
+ int i;
int n;
n=ssl23_read_bytes(s,7);
@@ -320,9 +322,14 @@ static int ssl23_get_server_hello(SSL *s)
if ((p[0] & 0x80) && (p[2] == SSL2_MT_SERVER_HELLO) &&
(p[5] == 0x00) && (p[6] == 0x02))
{
+#ifdef NO_SSL2
+ SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
+ goto err;
+#else
/* we are talking sslv2 */
/* we need to clean up the SSLv3 setup and put in the
* sslv2 stuff. */
+ int ch_len;
if (s->options & SSL_OP_NO_SSLv2)
{
@@ -375,6 +382,7 @@ static int ssl23_get_server_hello(SSL *s)
s->method=SSLv2_client_method();
s->handshake_func=s->method->ssl_connect;
+#endif
}
else if ((p[0] == SSL3_RT_HANDSHAKE) &&
(p[1] == SSL3_VERSION_MAJOR) &&
diff --git a/crypto/openssl/ssl/s23_lib.c b/crypto/openssl/ssl/s23_lib.c
index 822a3958372d..dded7a19c5a5 100644
--- a/crypto/openssl/ssl/s23_lib.c
+++ b/crypto/openssl/ssl/s23_lib.c
@@ -67,7 +67,7 @@ static int ssl23_write(SSL *s, const void *buf, int len);
static long ssl23_default_timeout(void );
static int ssl23_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p);
static SSL_CIPHER *ssl23_get_cipher_by_char(const unsigned char *p);
-char *SSL23_version_str="SSLv2/3 compatibility" OPENSSL_VERSION_PTEXT;
+const char *SSL23_version_str="SSLv2/3 compatibility" OPENSSL_VERSION_PTEXT;
static SSL_METHOD SSLv23_data= {
TLS1_VERSION,
@@ -92,6 +92,9 @@ static SSL_METHOD SSLv23_data= {
ssl_bad_method,
ssl23_default_timeout,
&ssl3_undef_enc_method,
+ ssl_undefined_function,
+ ssl3_callback_ctrl,
+ ssl3_ctx_callback_ctrl,
};
static long ssl23_default_timeout(void)
@@ -106,7 +109,11 @@ SSL_METHOD *sslv23_base_method(void)
static int ssl23_num_ciphers(void)
{
- return(ssl3_num_ciphers()+ssl2_num_ciphers());
+ return(ssl3_num_ciphers()
+#ifndef NO_SSL2
+ + ssl2_num_ciphers()
+#endif
+ );
}
static SSL_CIPHER *ssl23_get_cipher(unsigned int u)
@@ -116,7 +123,11 @@ static SSL_CIPHER *ssl23_get_cipher(unsigned int u)
if (u < uu)
return(ssl3_get_cipher(u));
else
+#ifndef NO_SSL2
return(ssl2_get_cipher(u-uu));
+#else
+ return(NULL);
+#endif
}
/* This function needs to check if the ciphers required are actually
@@ -132,8 +143,10 @@ static SSL_CIPHER *ssl23_get_cipher_by_char(const unsigned char *p)
((unsigned long)p[1]<<8L)|(unsigned long)p[2];
c.id=id;
cp=ssl3_get_cipher_by_char(p);
+#ifndef NO_SSL2
if (cp == NULL)
cp=ssl2_get_cipher_by_char(p);
+#endif
return(cp);
}
diff --git a/crypto/openssl/ssl/s23_pkt.c b/crypto/openssl/ssl/s23_pkt.c
index 8370ea508c7e..f45e1ce3d806 100644
--- a/crypto/openssl/ssl/s23_pkt.c
+++ b/crypto/openssl/ssl/s23_pkt.c
@@ -89,7 +89,7 @@ int ssl23_write_bytes(SSL *s)
}
}
-/* only return when we have read 'n' bytes */
+/* return regularly only when we have read (at least) 'n' bytes */
int ssl23_read_bytes(SSL *s, int n)
{
unsigned char *p;
diff --git a/crypto/openssl/ssl/s23_srvr.c b/crypto/openssl/ssl/s23_srvr.c
index e4122f2d78df..6a3bbb10b953 100644
--- a/crypto/openssl/ssl/s23_srvr.c
+++ b/crypto/openssl/ssl/s23_srvr.c
@@ -67,8 +67,10 @@ static SSL_METHOD *ssl23_get_server_method(int ver);
int ssl23_get_client_hello(SSL *s);
static SSL_METHOD *ssl23_get_server_method(int ver)
{
+#ifndef NO_SSL2
if (ver == SSL2_VERSION)
return(SSLv2_server_method());
+#endif
if (ver == SSL3_VERSION)
return(SSLv3_server_method());
else if (ver == TLS1_VERSION)
@@ -101,7 +103,7 @@ int ssl23_accept(SSL *s)
int ret= -1;
int new_state,state;
- RAND_seed(&Time,sizeof(Time));
+ RAND_add(&Time,sizeof(Time),0);
ERR_clear_error();
clear_sys_error();
@@ -186,23 +188,39 @@ end:
int ssl23_get_client_hello(SSL *s)
{
- char buf_space[8];
+ char buf_space[11]; /* Request this many bytes in initial read.
+ * We can detect SSL 3.0/TLS 1.0 Client Hellos
+ * ('type == 3') correctly only when the following
+ * is in a single record, which is not guaranteed by
+ * the protocol specification:
+ * Byte Content
+ * 0 type \
+ * 1/2 version > record header
+ * 3/4 length /
+ * 5 msg_type \
+ * 6-8 length > Client Hello message
+ * 9/10 client_version /
+ */
char *buf= &(buf_space[0]);
unsigned char *p,*d,*dd;
unsigned int i;
unsigned int csl,sil,cl;
- int n=0,j,tls1=0;
- int type=0,use_sslv2_strong=0;
+ int n=0,j;
+ int type=0;
int v[2];
+#ifndef NO_RSA
+ int use_sslv2_strong=0;
+#endif
- /* read the initial header */
- v[0]=v[1]=0;
if (s->state == SSL23_ST_SR_CLNT_HELLO_A)
{
+ /* read the initial header */
+ v[0]=v[1]=0;
+
if (!ssl3_setup_buffers(s)) goto err;
- n=ssl23_read_bytes(s,7);
- if (n != 7) return(n); /* n == -1 || n == 0 */
+ n=ssl23_read_bytes(s, sizeof buf_space);
+ if (n != sizeof buf_space) return(n); /* n == -1 || n == 0 */
p=s->packet;
@@ -210,7 +228,9 @@ int ssl23_get_client_hello(SSL *s)
if ((p[0] & 0x80) && (p[2] == SSL2_MT_CLIENT_HELLO))
{
- /* SSLv2 header */
+ /*
+ * SSLv2 header
+ */
if ((p[3] == 0x00) && (p[4] == 0x02))
{
v[0]=p[3]; v[1]=p[4];
@@ -226,11 +246,14 @@ int ssl23_get_client_hello(SSL *s)
{
if (!(s->options & SSL_OP_NO_TLSv1))
{
- tls1=1;
+ s->version=TLS1_VERSION;
+ /* type=2; */ /* done later to survive restarts */
s->state=SSL23_ST_SR_CLNT_HELLO_B;
}
else if (!(s->options & SSL_OP_NO_SSLv3))
{
+ s->version=SSL3_VERSION;
+ /* type=2; */
s->state=SSL23_ST_SR_CLNT_HELLO_B;
}
else if (!(s->options & SSL_OP_NO_SSLv2))
@@ -239,12 +262,26 @@ int ssl23_get_client_hello(SSL *s)
}
}
else if (!(s->options & SSL_OP_NO_SSLv3))
+ {
+ s->version=SSL3_VERSION;
+ /* type=2; */
s->state=SSL23_ST_SR_CLNT_HELLO_B;
+ }
else if (!(s->options & SSL_OP_NO_SSLv2))
type=1;
if (s->options & SSL_OP_NON_EXPORT_FIRST)
+ /* Not only utterly confusing, but broken
+ * ('fractured programming'?) -- the details
+ * of this block nearly make it work
+ * as intended in this environment, but on one
+ * of the fine points (w.r.t. restarts) it fails.
+ * The obvious fix would be even more devastating
+ * to program structure; if you want the functionality,
+ * throw this away and implement it in a way
+ * that makes sense */
{
+#if 0
STACK_OF(SSL_CIPHER) *sk;
SSL_CIPHER *c;
int ne2,ne3;
@@ -294,27 +331,51 @@ int ssl23_get_client_hello(SSL *s)
goto next_bit;
}
}
+#else
+ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_OPTION);
+ goto err;
+#endif
}
}
}
else if ((p[0] == SSL3_RT_HANDSHAKE) &&
(p[1] == SSL3_VERSION_MAJOR) &&
- (p[5] == SSL3_MT_CLIENT_HELLO))
+ (p[5] == SSL3_MT_CLIENT_HELLO) &&
+ ((p[3] == 0 && p[4] < 5 /* silly record length? */)
+ || (p[9] == p[1])))
{
- v[0]=p[1]; v[1]=p[2];
- /* true SSLv3 or tls1 */
- if (p[2] >= TLS1_VERSION_MINOR)
+ /*
+ * SSLv3 or tls1 header
+ */
+
+ v[0]=p[1]; /* major version */
+ /* We must look at client_version inside the Client Hello message
+ * to get the correct minor version: */
+ v[1]=p[10];
+ /* However if we have only a pathologically small fragment of the
+ * Client Hello message, we simply use the version from the
+ * record header -- this is incorrect but unlikely to fail in
+ * practice */
+ if (p[3] == 0 && p[4] < 6)
+ v[1]=p[2];
+ if (v[1] >= TLS1_VERSION_MINOR)
{
if (!(s->options & SSL_OP_NO_TLSv1))
{
+ s->version=TLS1_VERSION;
type=3;
- tls1=1;
}
else if (!(s->options & SSL_OP_NO_SSLv3))
+ {
+ s->version=SSL3_VERSION;
type=3;
+ }
}
else if (!(s->options & SSL_OP_NO_SSLv3))
+ {
+ s->version=SSL3_VERSION;
type=3;
+ }
}
else if ((strncmp("GET ", (char *)p,4) == 0) ||
(strncmp("POST ",(char *)p,5) == 0) ||
@@ -331,12 +392,16 @@ int ssl23_get_client_hello(SSL *s)
}
}
-next_bit:
if (s->state == SSL23_ST_SR_CLNT_HELLO_B)
{
- /* we have a SSLv3/TLSv1 in a SSLv2 header */
+ /* we have SSLv3/TLSv1 in an SSLv2 header
+ * (other cases skip this state) */
+
type=2;
p=s->packet;
+ v[0] = p[3]; /* == SSL3_VERSION_MAJOR */
+ v[1] = p[4];
+
n=((p[0]&0x7f)<<8)|p[1];
if (n > (1024*4))
{
@@ -361,14 +426,11 @@ next_bit:
goto err;
}
- *(d++)=SSL3_VERSION_MAJOR;
- if (tls1)
- *(d++)=TLS1_VERSION_MINOR;
- else
- *(d++)=SSL3_VERSION_MINOR;
+ *(d++) = SSL3_VERSION_MAJOR; /* == v[0] */
+ *(d++) = v[1];
/* lets populate the random area */
- /* get the chalenge_length */
+ /* get the challenge_length */
i=(cl > SSL3_RANDOM_SIZE)?SSL3_RANDOM_SIZE:cl;
memset(d,0,SSL3_RANDOM_SIZE);
memcpy(&(d[SSL3_RANDOM_SIZE-i]),&(p[csl+sil]),i);
@@ -402,8 +464,15 @@ next_bit:
s->s3->tmp.message_size=i;
}
+ /* imaginary new state (for program structure): */
+ /* s->state = SSL23_SR_CLNT_HELLO_C */
+
if (type == 1)
{
+#ifdef NO_SSL2
+ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
+ goto err;
+#else
/* we are talking sslv2 */
/* we need to clean up the SSLv3/TLSv1 setup and put in the
* sslv2 stuff. */
@@ -431,7 +500,7 @@ next_bit:
else
s->s2->ssl2_rollback=1;
- /* setup the 5 bytes we have read so we get them from
+ /* setup the n bytes we have read so we get them from
* the sslv2 buffer */
s->rstate=SSL_ST_READ_HEADER;
s->packet_length=n;
@@ -442,11 +511,12 @@ next_bit:
s->method=SSLv2_server_method();
s->handshake_func=s->method->ssl_accept;
+#endif
}
if ((type == 2) || (type == 3))
{
- /* we have SSLv3/TLSv1 */
+ /* we have SSLv3/TLSv1 (type 2: SSL2 style, type 3: SSL3/TLS style) */
if (!ssl_init_wbio_buffer(s,1)) goto err;
@@ -471,17 +541,13 @@ next_bit:
s->s3->rbuf.offset=0;
}
- if (tls1)
- {
- s->version=TLS1_VERSION;
- s->method=TLSv1_server_method();
- }
+ if (s->version == TLS1_VERSION)
+ s->method = TLSv1_server_method();
else
- {
- s->version=SSL3_VERSION;
- s->method=SSLv3_server_method();
- }
+ s->method = SSLv3_server_method();
+#if 0 /* ssl3_get_client_hello does this */
s->client_version=(v[0]<<8)|v[1];
+#endif
s->handshake_func=s->method->ssl_accept;
}
@@ -500,4 +566,3 @@ err:
if (buf != buf_space) Free(buf);
return(-1);
}
-
diff --git a/crypto/openssl/ssl/s2_clnt.c b/crypto/openssl/ssl/s2_clnt.c
index 1fe8bd627dbe..6ff6a5136294 100644
--- a/crypto/openssl/ssl/s2_clnt.c
+++ b/crypto/openssl/ssl/s2_clnt.c
@@ -56,12 +56,12 @@
* [including the GNU Public Licence.]
*/
-#ifndef NO_RSA
+#include "ssl_locl.h"
+#ifndef NO_SSL2
#include <stdio.h>
#include <openssl/rand.h>
#include <openssl/buffer.h>
#include <openssl/objects.h>
-#include "ssl_locl.h"
#include <openssl/evp.h>
static SSL_METHOD *ssl2_get_client_method(int ver);
@@ -108,7 +108,7 @@ int ssl2_connect(SSL *s)
void (*cb)()=NULL;
int new_state,state;
- RAND_seed(&l,sizeof(l));
+ RAND_add(&l,sizeof(l),0);
ERR_clear_error();
clear_sys_error();
@@ -245,7 +245,7 @@ int ssl2_connect(SSL *s)
/* ERR_clear_error();*/
/* If we want to cache session-ids in the client
- * and we sucessfully add the session-id to the
+ * and we successfully add the session-id to the
* cache, and there is a callback, then pass it out.
* 26/11/96 - eay - only add if not a re-used session.
*/
@@ -310,7 +310,13 @@ static int get_server_hello(SSL *s)
SSL_R_PEER_ERROR);
return(-1);
}
+#ifdef __APPLE_CC__
+ /* The Rhapsody 5.5 (a.k.a. MacOS X) compiler bug
+ * workaround. <appro@fy.chalmers.se> */
+ s->hit=(i=*(p++))?1:0;
+#else
s->hit=(*(p++))?1:0;
+#endif
s->s2->tmp.cert_type= *(p++);
n2s(p,i);
if (i < s->version) s->version=i;
@@ -362,7 +368,7 @@ static int get_server_hello(SSL *s)
*/
#endif
- /* we need to do this incase we were trying to reuse a
+ /* we need to do this in case we were trying to reuse a
* client session but others are already reusing it.
* If this was a new 'blank' session ID, the session-id
* length will still be 0 */
@@ -412,7 +418,7 @@ static int get_server_hello(SSL *s)
/* In theory we could have ciphers sent back that we
* don't want to use but that does not matter since we
- * will check against the list we origionally sent and
+ * will check against the list we originally sent and
* for performance reasons we should not bother to match
* the two lists up just to check. */
for (i=0; i<sk_SSL_CIPHER_num(cl); i++)
@@ -429,26 +435,28 @@ static int get_server_hello(SSL *s)
return(-1);
}
s->session->cipher=sk_SSL_CIPHER_value(cl,i);
- }
- if (s->session->peer != NULL)
- X509_free(s->session->peer);
-
-#if 0 /* What is all this meant to accomplish?? */
- /* hmmm, can we have the problem of the other session with this
- * cert, Free's it before we increment the reference count. */
- CRYPTO_w_lock(CRYPTO_LOCK_X509);
- s->session->peer=s->session->sess_cert->key->x509;
- /* Shouldn't do this: already locked */
- /*CRYPTO_add(&s->session->peer->references,1,CRYPTO_LOCK_X509);*/
- s->session->peer->references++;
- CRYPTO_w_unlock(CRYPTO_LOCK_X509);
-#else
- s->session->peer = s->session->sess_cert->peer_key->x509;
- /* peer_key->x509 has been set by ssl2_set_certificate. */
- CRYPTO_add(&s->session->peer->references, 1, CRYPTO_LOCK_X509);
-#endif
+ if (s->session->peer != NULL) /* can't happen*/
+ {
+ ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
+ SSLerr(SSL_F_GET_SERVER_HELLO, SSL_R_INTERNAL_ERROR);
+ return(-1);
+ }
+
+ s->session->peer = s->session->sess_cert->peer_key->x509;
+ /* peer_key->x509 has been set by ssl2_set_certificate. */
+ CRYPTO_add(&s->session->peer->references, 1, CRYPTO_LOCK_X509);
+ }
+
+ if (s->session->peer != s->session->sess_cert->peer_key->x509)
+ /* can't happen */
+ {
+ ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
+ SSLerr(SSL_F_GET_SERVER_HELLO, SSL_R_INTERNAL_ERROR);
+ return(-1);
+ }
+
s->s2->conn_id_length=s->s2->tmp.conn_id_length;
memcpy(s->s2->conn_id,p,s->s2->tmp.conn_id_length);
return(1);
@@ -509,7 +517,7 @@ static int client_hello(SSL *s)
s->s2->challenge_length=SSL2_CHALLENGE_LENGTH;
s2n(SSL2_CHALLENGE_LENGTH,p); /* challenge length */
/*challenge id data*/
- RAND_bytes(s->s2->challenge,SSL2_CHALLENGE_LENGTH);
+ RAND_pseudo_bytes(s->s2->challenge,SSL2_CHALLENGE_LENGTH);
memcpy(d,s->s2->challenge,SSL2_CHALLENGE_LENGTH);
d+=SSL2_CHALLENGE_LENGTH;
@@ -551,12 +559,19 @@ static int client_master_key(SSL *s)
/* make key_arg data */
i=EVP_CIPHER_iv_length(c);
sess->key_arg_length=i;
- if (i > 0) RAND_bytes(sess->key_arg,i);
+ if (i > 0) RAND_pseudo_bytes(sess->key_arg,i);
/* make a master key */
i=EVP_CIPHER_key_length(c);
sess->master_key_length=i;
- if (i > 0) RAND_bytes(sess->master_key,i);
+ if (i > 0)
+ {
+ if (RAND_bytes(sess->master_key,i) <= 0)
+ {
+ ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
+ return(-1);
+ }
+ }
if (sess->cipher->algorithm2 & SSL2_CF_8_BYTE_ENC)
enc=8;
@@ -753,7 +768,7 @@ static int client_certificate(SSL *s)
{
/* this is not good. If things have failed it
* means there so something wrong with the key.
- * We will contiune with a 0 length signature
+ * We will continue with a 0 length signature
*/
}
memset(&ctx,0,sizeof(ctx));
@@ -968,4 +983,10 @@ end:
EVP_PKEY_free(pkey);
return(i);
}
+#else /* !NO_SSL2 */
+
+# if PEDANTIC
+static void *dummy=&dummy;
+# endif
+
#endif
diff --git a/crypto/openssl/ssl/s2_enc.c b/crypto/openssl/ssl/s2_enc.c
index 09835008a99d..a9458e7fa720 100644
--- a/crypto/openssl/ssl/s2_enc.c
+++ b/crypto/openssl/ssl/s2_enc.c
@@ -56,8 +56,9 @@
* [including the GNU Public Licence.]
*/
-#include <stdio.h>
#include "ssl_locl.h"
+#ifndef NO_SSL2
+#include <stdio.h>
int ssl2_enc_init(SSL *s, int client)
{
@@ -177,4 +178,10 @@ void ssl2_mac(SSL *s, unsigned char *md, int send)
EVP_DigestFinal(&c,md,NULL);
/* some would say I should zero the md context */
}
+#else /* !NO_SSL2 */
+
+# if PEDANTIC
+static void *dummy=&dummy;
+# endif
+#endif
diff --git a/crypto/openssl/ssl/s2_lib.c b/crypto/openssl/ssl/s2_lib.c
index ff804d8e0d1b..5ddba23a0662 100644
--- a/crypto/openssl/ssl/s2_lib.c
+++ b/crypto/openssl/ssl/s2_lib.c
@@ -56,12 +56,12 @@
* [including the GNU Public Licence.]
*/
-#ifndef NO_RSA
+#include "ssl_locl.h"
+#ifndef NO_SSL2
#include <stdio.h>
#include <openssl/rsa.h>
#include <openssl/objects.h>
#include <openssl/md5.h>
-#include "ssl_locl.h"
static long ssl2_default_timeout(void );
const char *ssl2_version_str="SSLv2" OPENSSL_VERSION_PTEXT;
@@ -75,9 +75,12 @@ OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[]={
1,
SSL2_TXT_NULL_WITH_MD5,
SSL2_CK_NULL_WITH_MD5,
- SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5|SSL_EXP40|SSL_SSLV2,
+ SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5|SSL_SSLV2,
+ SSL_EXPORT|SSL_EXP40,
+ 0,
0,
SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
},
#endif
/* RC4_128_EXPORT40_WITH_MD5 */
@@ -85,63 +88,91 @@ OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[]={
1,
SSL2_TXT_RC4_128_EXPORT40_WITH_MD5,
SSL2_CK_RC4_128_EXPORT40_WITH_MD5,
- SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_EXP40|SSL_SSLV2,
+ SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_SSLV2,
+ SSL_EXPORT|SSL_EXP40,
SSL2_CF_5_BYTE_ENC,
+ 40,
+ 128,
SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
},
/* RC4_128_WITH_MD5 */
{
1,
SSL2_TXT_RC4_128_WITH_MD5,
SSL2_CK_RC4_128_WITH_MD5,
- SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_NOT_EXP|SSL_SSLV2|SSL_MEDIUM,
+ SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_SSLV2,
+ SSL_NOT_EXP|SSL_MEDIUM,
0,
+ 128,
+ 128,
SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
},
/* RC2_128_CBC_EXPORT40_WITH_MD5 */
{
1,
SSL2_TXT_RC2_128_CBC_EXPORT40_WITH_MD5,
SSL2_CK_RC2_128_CBC_EXPORT40_WITH_MD5,
- SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_EXP40|SSL_SSLV2,
+ SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_SSLV2,
+ SSL_EXPORT|SSL_EXP40,
SSL2_CF_5_BYTE_ENC,
+ 40,
+ 128,
SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
},
/* RC2_128_CBC_WITH_MD5 */
{
1,
SSL2_TXT_RC2_128_CBC_WITH_MD5,
SSL2_CK_RC2_128_CBC_WITH_MD5,
- SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_NOT_EXP|SSL_SSLV2|SSL_MEDIUM,
+ SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_SSLV2,
+ SSL_NOT_EXP|SSL_MEDIUM,
0,
+ 128,
+ 128,
SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
},
/* IDEA_128_CBC_WITH_MD5 */
{
1,
SSL2_TXT_IDEA_128_CBC_WITH_MD5,
SSL2_CK_IDEA_128_CBC_WITH_MD5,
- SSL_kRSA|SSL_aRSA|SSL_IDEA|SSL_MD5|SSL_NOT_EXP|SSL_SSLV2|SSL_MEDIUM,
+ SSL_kRSA|SSL_aRSA|SSL_IDEA|SSL_MD5|SSL_SSLV2,
+ SSL_NOT_EXP|SSL_MEDIUM,
0,
+ 128,
+ 128,
SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
},
/* DES_64_CBC_WITH_MD5 */
{
1,
SSL2_TXT_DES_64_CBC_WITH_MD5,
SSL2_CK_DES_64_CBC_WITH_MD5,
- SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5|SSL_NOT_EXP|SSL_SSLV2|SSL_LOW,
+ SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5|SSL_SSLV2,
+ SSL_NOT_EXP|SSL_LOW,
0,
+ 56,
+ 56,
SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
},
/* DES_192_EDE3_CBC_WITH_MD5 */
{
1,
SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5,
SSL2_CK_DES_192_EDE3_CBC_WITH_MD5,
- SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5|SSL_NOT_EXP|SSL_SSLV2|SSL_HIGH,
+ SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5|SSL_SSLV2,
+ SSL_NOT_EXP|SSL_HIGH,
0,
+ 168,
+ 168,
SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
},
/* RC4_64_WITH_MD5 */
#if 1
@@ -149,9 +180,13 @@ OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[]={
1,
SSL2_TXT_RC4_64_WITH_MD5,
SSL2_CK_RC4_64_WITH_MD5,
- SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_SSLV2|SSL_LOW,
+ SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_SSLV2,
+ SSL_NOT_EXP|SSL_LOW,
SSL2_CF_8_BYTE_ENC,
+ 64,
+ 64,
SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
},
#endif
/* NULL SSLeay (testing) */
@@ -161,7 +196,11 @@ OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[]={
SSL2_TXT_NULL,
SSL2_CK_NULL,
0,
+ 0,
+ 0,
+ 0,
SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
},
#endif
@@ -191,6 +230,9 @@ static SSL_METHOD SSLv2_data= {
ssl_bad_method,
ssl2_default_timeout,
&ssl3_undef_enc_method,
+ ssl_undefined_function,
+ ssl2_callback_ctrl, /* local */
+ ssl2_ctx_callback_ctrl, /* local */
};
static long ssl2_default_timeout(void)
@@ -223,14 +265,14 @@ int ssl2_pending(SSL *s)
int ssl2_new(SSL *s)
{
- SSL2_CTX *s2;
+ SSL2_STATE *s2;
- if ((s2=(SSL2_CTX *)Malloc(sizeof(SSL2_CTX))) == NULL) goto err;
- memset(s2,0,sizeof(SSL2_CTX));
+ if ((s2=Malloc(sizeof *s2)) == NULL) goto err;
+ memset(s2,0,sizeof *s2);
- if ((s2->rbuf=(unsigned char *)Malloc(
+ if ((s2->rbuf=Malloc(
SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+2)) == NULL) goto err;
- if ((s2->wbuf=(unsigned char *)Malloc(
+ if ((s2->wbuf=Malloc(
SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+2)) == NULL) goto err;
s->s2=s2;
@@ -248,7 +290,7 @@ err:
void ssl2_free(SSL *s)
{
- SSL2_CTX *s2;
+ SSL2_STATE *s2;
if(s == NULL)
return;
@@ -256,14 +298,14 @@ void ssl2_free(SSL *s)
s2=s->s2;
if (s2->rbuf != NULL) Free(s2->rbuf);
if (s2->wbuf != NULL) Free(s2->wbuf);
- memset(s2,0,sizeof(SSL2_CTX));
+ memset(s2,0,sizeof *s2);
Free(s2);
s->s2=NULL;
}
void ssl2_clear(SSL *s)
{
- SSL2_CTX *s2;
+ SSL2_STATE *s2;
unsigned char *rbuf,*wbuf;
s2=s->s2;
@@ -271,7 +313,7 @@ void ssl2_clear(SSL *s)
rbuf=s2->rbuf;
wbuf=s2->wbuf;
- memset(s2,0,sizeof(SSL2_CTX));
+ memset(s2,0,sizeof *s2);
s2->rbuf=rbuf;
s2->wbuf=wbuf;
@@ -296,11 +338,21 @@ long ssl2_ctrl(SSL *s, int cmd, long larg, char *parg)
return(ret);
}
+long ssl2_callback_ctrl(SSL *s, int cmd, void (*fp)())
+ {
+ return(0);
+ }
+
long ssl2_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, char *parg)
{
return(0);
}
+long ssl2_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)())
+ {
+ return(0);
+ }
+
/* This function needs to check if the ciphers required are actually
* available */
SSL_CIPHER *ssl2_get_cipher_by_char(const unsigned char *p)
@@ -372,7 +424,7 @@ void ssl2_generate_key_material(SSL *s)
MD5_Init(&ctx);
MD5_Update(&ctx,s->session->master_key,s->session->master_key_length);
- MD5_Update(&ctx,(unsigned char *)&c,1);
+ MD5_Update(&ctx,&c,1);
c++;
MD5_Update(&ctx,s->s2->challenge,s->s2->challenge_length);
MD5_Update(&ctx,s->s2->conn_id,s->s2->conn_id_length);
@@ -421,4 +473,10 @@ int ssl2_shutdown(SSL *s)
s->shutdown=(SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
return(1);
}
+#else /* !NO_SSL2 */
+
+# if PEDANTIC
+static void *dummy=&dummy;
+# endif
+
#endif
diff --git a/crypto/openssl/ssl/s2_meth.c b/crypto/openssl/ssl/s2_meth.c
index e2add164ddbe..deb9e1d6f36c 100644
--- a/crypto/openssl/ssl/s2_meth.c
+++ b/crypto/openssl/ssl/s2_meth.c
@@ -56,10 +56,10 @@
* [including the GNU Public Licence.]
*/
-#ifndef NO_RSA
+#include "ssl_locl.h"
+#ifndef NO_SSL2
#include <stdio.h>
#include <openssl/objects.h>
-#include "ssl_locl.h"
static SSL_METHOD *ssl2_get_method(int ver);
static SSL_METHOD *ssl2_get_method(int ver)
@@ -86,4 +86,10 @@ SSL_METHOD *SSLv2_method(void)
}
return(&SSLv2_data);
}
+#else /* !NO_SSL2 */
+
+# if PEDANTIC
+static void *dummy=&dummy;
+# endif
+
#endif
diff --git a/crypto/openssl/ssl/s2_pkt.c b/crypto/openssl/ssl/s2_pkt.c
index a1bb5bca4b80..56662f29facb 100644
--- a/crypto/openssl/ssl/s2_pkt.c
+++ b/crypto/openssl/ssl/s2_pkt.c
@@ -56,10 +56,11 @@
* [including the GNU Public Licence.]
*/
+#include "ssl_locl.h"
+#ifndef NO_SSL2
#include <stdio.h>
#include <errno.h>
#define USE_SOCKETS
-#include "ssl_locl.h"
static int read_n(SSL *s,unsigned int n,unsigned int max,unsigned int extend);
static int do_ssl_write(SSL *s, const unsigned char *buf, unsigned int len);
@@ -638,3 +639,10 @@ static int ssl_mt_error(int n)
}
return(ret);
}
+#else /* !NO_SSL2 */
+
+# if PEDANTIC
+static void *dummy=&dummy;
+# endif
+
+#endif
diff --git a/crypto/openssl/ssl/s2_srvr.c b/crypto/openssl/ssl/s2_srvr.c
index 9aeedef55f62..332e28445118 100644
--- a/crypto/openssl/ssl/s2_srvr.c
+++ b/crypto/openssl/ssl/s2_srvr.c
@@ -56,12 +56,12 @@
* [including the GNU Public Licence.]
*/
-#ifndef NO_RSA
+#include "ssl_locl.h"
+#ifndef NO_SSL2
#include <stdio.h>
#include <openssl/bio.h>
#include <openssl/rand.h>
#include <openssl/objects.h>
-#include "ssl_locl.h"
#include <openssl/evp.h>
static SSL_METHOD *ssl2_get_server_method(int ver);
@@ -109,7 +109,7 @@ int ssl2_accept(SSL *s)
void (*cb)()=NULL;
int new_state,state;
- RAND_seed(&l,sizeof(l));
+ RAND_add(&l,sizeof(l),0);
ERR_clear_error();
clear_sys_error();
@@ -415,7 +415,7 @@ static int get_client_master_key(SSL *s)
i=ek;
else
i=EVP_CIPHER_key_length(c);
- RAND_bytes(p,i);
+ RAND_pseudo_bytes(p,i);
}
#else
if (i < 0)
@@ -680,7 +680,7 @@ static int server_hello(SSL *s)
/* make and send conn_id */
s2n(SSL2_CONNECTION_ID_LENGTH,p); /* add conn_id length */
s->s2->conn_id_length=SSL2_CONNECTION_ID_LENGTH;
- RAND_bytes(s->s2->conn_id,(int)s->s2->conn_id_length);
+ RAND_pseudo_bytes(s->s2->conn_id,(int)s->s2->conn_id_length);
memcpy(d,s->s2->conn_id,SSL2_CONNECTION_ID_LENGTH);
d+=SSL2_CONNECTION_ID_LENGTH;
@@ -689,7 +689,7 @@ static int server_hello(SSL *s)
s->init_off=0;
}
/* SSL2_ST_SEND_SERVER_HELLO_B */
- /* If we are using TCP/IP, the performace is bad if we do 2
+ /* If we are using TCP/IP, the performance is bad if we do 2
* writes without a read between them. This occurs when
* Session-id reuse is used, so I will put in a buffering module
*/
@@ -798,7 +798,7 @@ static int request_certificate(SSL *s)
p=(unsigned char *)s->init_buf->data;
*(p++)=SSL2_MT_REQUEST_CERTIFICATE;
*(p++)=SSL2_AT_MD5_WITH_RSA_ENCRYPTION;
- RAND_bytes(ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH);
+ RAND_pseudo_bytes(ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH);
memcpy(p,ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH);
s->state=SSL2_ST_SEND_REQUEST_CERTIFICATE_B;
@@ -898,7 +898,7 @@ static int request_certificate(SSL *s)
EVP_VerifyUpdate(&ctx,ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH);
i=i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509,NULL);
- buf2=(unsigned char *)Malloc((unsigned int)i);
+ buf2=Malloc((unsigned int)i);
if (buf2 == NULL)
{
SSLerr(SSL_F_REQUEST_CERTIFICATE,ERR_R_MALLOC_FAILURE);
@@ -921,6 +921,7 @@ static int request_certificate(SSL *s)
X509_free(s->session->peer);
s->session->peer=x509;
CRYPTO_add(&x509->references,1,CRYPTO_LOCK_X509);
+ s->session->verify_result = s->verify_result;
ret=1;
goto end;
}
@@ -965,4 +966,10 @@ static int ssl_rsa_private_decrypt(CERT *c, int len, unsigned char *from,
SSLerr(SSL_F_SSL_RSA_PRIVATE_DECRYPT,ERR_R_RSA_LIB);
return(i);
}
+#else /* !NO_SSL2 */
+
+# if PEDANTIC
+static void *dummy=&dummy;
+# endif
+
#endif
diff --git a/crypto/openssl/ssl/s3_both.c b/crypto/openssl/ssl/s3_both.c
index f3f27715d571..03e0c38770b1 100644
--- a/crypto/openssl/ssl/s3_both.c
+++ b/crypto/openssl/ssl/s3_both.c
@@ -55,7 +55,61 @@
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+#include <string.h>
#include <stdio.h>
#include <openssl/buffer.h>
#include <openssl/rand.h>
@@ -64,8 +118,27 @@
#include <openssl/x509.h>
#include "ssl_locl.h"
-int ssl3_send_finished(SSL *s, int a, int b, unsigned char *sender,
- int slen)
+/* send s->init_buf in records of type 'type' */
+int ssl3_do_write(SSL *s, int type)
+ {
+ int ret;
+
+ ret=ssl3_write_bytes(s,type,&s->init_buf->data[s->init_off],
+ s->init_num);
+ if (ret < 0) return(-1);
+ if (type == SSL3_RT_HANDSHAKE)
+ /* should not be done for 'Hello Request's, but in that case
+ * we'll ignore the result anyway */
+ ssl3_finish_mac(s,(unsigned char *)&s->init_buf->data[s->init_off],ret);
+
+ if (ret == s->init_num)
+ return(1);
+ s->init_off+=ret;
+ s->init_num-=ret;
+ return(0);
+ }
+
+int ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen)
{
unsigned char *p,*d;
int i;
@@ -79,7 +152,9 @@ int ssl3_send_finished(SSL *s, int a, int b, unsigned char *sender,
i=s->method->ssl3_enc->final_finish_mac(s,
&(s->s3->finish_dgst1),
&(s->s3->finish_dgst2),
- sender,slen,p);
+ sender,slen,s->s3->tmp.finish_md);
+ s->s3->tmp.finish_md_len = i;
+ memcpy(p, s->s3->tmp.finish_md, i);
p+=i;
l=i;
@@ -109,7 +184,7 @@ int ssl3_get_finished(SSL *s, int a, int b)
unsigned char *p;
/* the mac has already been generated when we received the
- * change cipher spec message and is in s->s3->tmp.in_dgst[12]
+ * change cipher spec message and is in s->s3->tmp.peer_finish_md
*/
n=ssl3_get_message(s,
@@ -121,7 +196,7 @@ int ssl3_get_finished(SSL *s, int a, int b)
if (!ok) return((int)n);
- /* If this occurs if we has missed a message */
+ /* If this occurs, we have missed a message */
if (!s->s3->change_cipher_spec)
{
al=SSL_AD_UNEXPECTED_MESSAGE;
@@ -130,9 +205,8 @@ int ssl3_get_finished(SSL *s, int a, int b)
}
s->s3->change_cipher_spec=0;
- p=(unsigned char *)s->init_buf->data;
-
- i=s->method->ssl3_enc->finish_mac_length;
+ p = (unsigned char *)s->init_buf->data;
+ i = s->s3->tmp.peer_finish_md_len;
if (i != n)
{
@@ -141,7 +215,7 @@ int ssl3_get_finished(SSL *s, int a, int b)
goto f_err;
}
- if (memcmp( p, (char *)&(s->s3->tmp.finish_md[0]),i) != 0)
+ if (memcmp(p, s->s3->tmp.peer_finish_md, i) != 0)
{
al=SSL_AD_DECRYPT_ERROR;
SSLerr(SSL_F_SSL3_GET_FINISHED,SSL_R_DIGEST_CHECK_FAILED);
@@ -255,6 +329,11 @@ unsigned long ssl3_output_cert_chain(SSL *s, X509 *x)
return(l);
}
+/* Obtain handshake message of message type 'mt' (any if mt == -1),
+ * maximum acceptable body length 'max'.
+ * The first four bytes (msg_type and length) are read in state 'st1',
+ * the body is read in state 'stn'.
+ */
long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
{
unsigned char *p;
@@ -277,15 +356,38 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
p=(unsigned char *)s->init_buf->data;
- if (s->state == st1)
+ if (s->state == st1) /* s->init_num < 4 */
{
- i=ssl3_read_bytes(s,SSL3_RT_HANDSHAKE,&p[s->init_num],
- 4-s->init_num);
- if (i < (4-s->init_num))
+ int skip_message;
+
+ do
{
- *ok=0;
- return(ssl3_part_read(s,i));
+ while (s->init_num < 4)
+ {
+ i=ssl3_read_bytes(s,SSL3_RT_HANDSHAKE,&p[s->init_num],
+ 4 - s->init_num);
+ if (i <= 0)
+ {
+ s->rwstate=SSL_READING;
+ *ok = 0;
+ return i;
+ }
+ s->init_num+=i;
+ }
+
+ skip_message = 0;
+ if (!s->server)
+ if (p[0] == SSL3_MT_HELLO_REQUEST)
+ /* The server may always send 'Hello Request' messages --
+ * we are doing a handshake anyway now, so ignore them
+ * if their format is correct. Does not count for
+ * 'Finished' MAC. */
+ if (p[1] == 0 && p[2] == 0 &&p[3] == 0)
+ skip_message = 1;
}
+ while (skip_message);
+
+ /* s->init_num == 4 */
if ((mt >= 0) && (*p != mt))
{
@@ -293,6 +395,20 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
SSLerr(SSL_F_SSL3_GET_MESSAGE,SSL_R_UNEXPECTED_MESSAGE);
goto f_err;
}
+ if ((mt < 0) && (*p == SSL3_MT_CLIENT_HELLO) &&
+ (st1 == SSL3_ST_SR_CERT_A) &&
+ (stn == SSL3_ST_SR_CERT_B))
+ {
+ /* At this point we have got an MS SGC second client
+ * hello (maybe we should always allow the client to
+ * start a new handshake?). We need to restart the mac.
+ * Don't increment {num,total}_renegotiations because
+ * we have not completed the handshake. */
+ ssl3_init_finished_mac(s);
+ }
+
+ ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, 4);
+
s->s3->tmp.message_type= *(p++);
n2l3(p,l);
@@ -316,17 +432,21 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
/* next state (stn) */
p=(unsigned char *)s->init_buf->data;
n=s->s3->tmp.message_size;
- if (n > 0)
+ while (n > 0)
{
i=ssl3_read_bytes(s,SSL3_RT_HANDSHAKE,&p[s->init_num],n);
- if (i != (int)n)
+ if (i <= 0)
{
- *ok=0;
- return(ssl3_part_read(s,i));
+ s->rwstate=SSL_READING;
+ *ok = 0;
+ return i;
}
+ s->init_num += i;
+ n -= i;
}
+ ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, s->init_num);
*ok=1;
- return(n);
+ return s->init_num;
f_err:
ssl3_send_alert(s,SSL3_AL_FATAL,al);
err:
@@ -447,7 +567,7 @@ int ssl3_setup_buffers(SSL *s)
extra=SSL3_RT_MAX_EXTRA;
else
extra=0;
- if ((p=(unsigned char *)Malloc(SSL3_RT_MAX_PACKET_SIZE+extra))
+ if ((p=Malloc(SSL3_RT_MAX_PACKET_SIZE+extra))
== NULL)
goto err;
s->s3->rbuf.buf=p;
@@ -455,7 +575,7 @@ int ssl3_setup_buffers(SSL *s)
if (s->s3->wbuf.buf == NULL)
{
- if ((p=(unsigned char *)Malloc(SSL3_RT_MAX_PACKET_SIZE))
+ if ((p=Malloc(SSL3_RT_MAX_PACKET_SIZE))
== NULL)
goto err;
s->s3->wbuf.buf=p;
diff --git a/crypto/openssl/ssl/s3_clnt.c b/crypto/openssl/ssl/s3_clnt.c
index d3e6b4d1e58f..0c8f551f7362 100644
--- a/crypto/openssl/ssl/s3_clnt.c
+++ b/crypto/openssl/ssl/s3_clnt.c
@@ -110,7 +110,7 @@ int ssl3_connect(SSL *s)
int ret= -1;
int new_state,state,skip=0;;
- RAND_seed(&Time,sizeof(Time));
+ RAND_add(&Time,sizeof(Time),0);
ERR_clear_error();
clear_sys_error();
@@ -325,8 +325,8 @@ int ssl3_connect(SSL *s)
case SSL3_ST_CW_FINISHED_B:
ret=ssl3_send_finished(s,
SSL3_ST_CW_FINISHED_A,SSL3_ST_CW_FINISHED_B,
- s->method->ssl3_enc->client_finished,
- s->method->ssl3_enc->client_finished_len);
+ s->method->ssl3_enc->client_finished_label,
+ s->method->ssl3_enc->client_finished_label_len);
if (ret <= 0) goto end;
s->state=SSL3_ST_CW_FLUSH;
@@ -466,7 +466,7 @@ static int ssl3_client_hello(SSL *s)
p=s->s3->client_random;
Time=time(NULL); /* Time */
l2n(Time,p);
- RAND_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
+ RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
/* Do the message type and length last */
d=p= &(buf[4]);
@@ -772,6 +772,8 @@ static int ssl3_get_server_certificate(SSL *s)
s->session->sess_cert=sc;
sc->cert_chain=sk;
+ /* Inconsistency alert: cert_chain does include the peer's
+ * certificate, which we don't include in s3_srvr.c */
x=sk_X509_value(sk,0);
sk=NULL;
@@ -1053,15 +1055,15 @@ static int ssl3_get_key_exchange(SSL *s)
q+=i;
j+=i;
}
- i=RSA_public_decrypt((int)n,p,p,pkey->pkey.rsa,
- RSA_PKCS1_PADDING);
- if (i <= 0)
+ i=RSA_verify(NID_md5_sha1, md_buf, j, p, n,
+ pkey->pkey.rsa);
+ if (i < 0)
{
al=SSL_AD_DECRYPT_ERROR;
SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);
goto f_err;
}
- if ((j != i) || (memcmp(p,md_buf,i) != 0))
+ if (i == 0)
{
/* bad signature */
al=SSL_AD_DECRYPT_ERROR;
@@ -1225,7 +1227,7 @@ fclose(out);
if ((xn=d2i_X509_NAME(NULL,&q,l)) == NULL)
{
- /* If netscape tollerance is on, ignore errors */
+ /* If netscape tolerance is on, ignore errors */
if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG)
goto cont;
else
@@ -1258,7 +1260,7 @@ cont:
ERR_clear_error();
}
- /* we should setup a certficate to return.... */
+ /* we should setup a certificate to return.... */
s->s3->tmp.cert_req=1;
s->s3->tmp.ctype_num=ctype_num;
if (s->s3->tmp.ca_names != NULL)
@@ -1341,7 +1343,8 @@ static int ssl3_send_client_key_exchange(SSL *s)
tmp_buf[0]=s->client_version>>8;
tmp_buf[1]=s->client_version&0xff;
- RAND_bytes(&(tmp_buf[2]),SSL_MAX_MASTER_KEY_LENGTH-2);
+ if (RAND_bytes(&(tmp_buf[2]),SSL_MAX_MASTER_KEY_LENGTH-2) <= 0)
+ goto err;
s->session->master_key_length=SSL_MAX_MASTER_KEY_LENGTH;
@@ -1460,7 +1463,7 @@ static int ssl3_send_client_verify(SSL *s)
unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
EVP_PKEY *pkey;
#ifndef NO_RSA
- int i=0;
+ unsigned u=0;
#endif
unsigned long n;
#ifndef NO_DSA
@@ -1481,17 +1484,15 @@ static int ssl3_send_client_verify(SSL *s)
{
s->method->ssl3_enc->cert_verify_mac(s,
&(s->s3->finish_dgst1),&(data[0]));
- i=RSA_private_encrypt(
- MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH,
- data,&(p[2]),pkey->pkey.rsa,
- RSA_PKCS1_PADDING);
- if (i <= 0)
+ if (RSA_sign(NID_md5_sha1, data,
+ MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH,
+ &(p[2]), &u, pkey->pkey.rsa) <= 0 )
{
SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_RSA_LIB);
goto err;
}
- s2n(i,p);
- n=i+2;
+ s2n(u,p);
+ n=u+2;
}
else
#endif
@@ -1689,13 +1690,13 @@ static int ssl3_check_cert_and_algorithm(SSL *s)
#endif
#endif
- if (SSL_IS_EXPORT(algs) && !has_bits(i,EVP_PKT_EXP))
+ if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i,EVP_PKT_EXP))
{
#ifndef NO_RSA
if (algs & SSL_kRSA)
{
if (rsa == NULL
- || RSA_size(rsa) > SSL_EXPORT_PKEYLENGTH(algs))
+ || RSA_size(rsa) > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher))
{
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_RSA_KEY);
goto f_err;
@@ -1707,7 +1708,7 @@ static int ssl3_check_cert_and_algorithm(SSL *s)
if (algs & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
{
if (dh == NULL
- || DH_size(dh) > SSL_EXPORT_PKEYLENGTH(algs))
+ || DH_size(dh) > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher))
{
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_DH_KEY);
goto f_err;
diff --git a/crypto/openssl/ssl/s3_enc.c b/crypto/openssl/ssl/s3_enc.c
index 15d4af6dfbae..df4acab3d028 100644
--- a/crypto/openssl/ssl/s3_enc.c
+++ b/crypto/openssl/ssl/s3_enc.c
@@ -78,12 +78,8 @@ static unsigned char ssl3_pad_2[48]={
0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,
0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c };
-#ifndef NO_PROTO
static int ssl3_handshake_mac(SSL *s, EVP_MD_CTX *in_ctx,
- unsigned char *sender, int len, unsigned char *p);
-#else
-static int ssl3_handshake_mac();
-#endif
+ const char *sender, int len, unsigned char *p);
static void ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
{
@@ -304,7 +300,7 @@ int ssl3_setup_key_block(SSL *s)
ssl3_cleanup_key_block(s);
- if ((p=(unsigned char *)Malloc(num)) == NULL)
+ if ((p=Malloc(num)) == NULL)
goto err;
s->s3->tmp.key_block_length=num;
@@ -416,7 +412,7 @@ int ssl3_cert_verify_mac(SSL *s, EVP_MD_CTX *ctx, unsigned char *p)
}
int ssl3_final_finish_mac(SSL *s, EVP_MD_CTX *ctx1, EVP_MD_CTX *ctx2,
- unsigned char *sender, int len, unsigned char *p)
+ const char *sender, int len, unsigned char *p)
{
int ret;
@@ -427,7 +423,7 @@ int ssl3_final_finish_mac(SSL *s, EVP_MD_CTX *ctx1, EVP_MD_CTX *ctx2,
}
static int ssl3_handshake_mac(SSL *s, EVP_MD_CTX *in_ctx,
- unsigned char *sender, int len, unsigned char *p)
+ const char *sender, int len, unsigned char *p)
{
unsigned int ret;
int npad,n;
@@ -447,7 +443,7 @@ static int ssl3_handshake_mac(SSL *s, EVP_MD_CTX *in_ctx,
EVP_DigestUpdate(&ctx,ssl3_pad_1,npad);
EVP_DigestFinal(&ctx,md_buf,&i);
- EVP_DigestInit(&ctx,EVP_MD_CTX_type(&ctx));
+ EVP_DigestInit(&ctx,EVP_MD_CTX_md(&ctx));
EVP_DigestUpdate(&ctx,s->session->master_key,
s->session->master_key_length);
EVP_DigestUpdate(&ctx,ssl3_pad_2,npad);
@@ -575,11 +571,11 @@ int ssl3_alert_code(int code)
case SSL_AD_ACCESS_DENIED: return(SSL3_AD_HANDSHAKE_FAILURE);
case SSL_AD_DECODE_ERROR: return(SSL3_AD_HANDSHAKE_FAILURE);
case SSL_AD_DECRYPT_ERROR: return(SSL3_AD_HANDSHAKE_FAILURE);
- case SSL_AD_EXPORT_RESTRICION: return(SSL3_AD_HANDSHAKE_FAILURE);
+ case SSL_AD_EXPORT_RESTRICTION: return(SSL3_AD_HANDSHAKE_FAILURE);
case SSL_AD_PROTOCOL_VERSION: return(SSL3_AD_HANDSHAKE_FAILURE);
case SSL_AD_INSUFFICIENT_SECURITY:return(SSL3_AD_HANDSHAKE_FAILURE);
case SSL_AD_INTERNAL_ERROR: return(SSL3_AD_HANDSHAKE_FAILURE);
- case SSL_AD_USER_CANCLED: return(SSL3_AD_HANDSHAKE_FAILURE);
+ case SSL_AD_USER_CANCELLED: return(SSL3_AD_HANDSHAKE_FAILURE);
case SSL_AD_NO_RENEGOTIATION: return(-1); /* Don't send it :-) */
default: return(-1);
}
diff --git a/crypto/openssl/ssl/s3_lib.c b/crypto/openssl/ssl/s3_lib.c
index aeff6b5c5bc6..7ada26cbb693 100644
--- a/crypto/openssl/ssl/s3_lib.c
+++ b/crypto/openssl/ssl/s3_lib.c
@@ -75,18 +75,26 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1,
SSL3_TXT_RSA_NULL_MD5,
SSL3_CK_RSA_NULL_MD5,
- SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_MD5|SSL_NOT_EXP|SSL_SSLV3,
+ SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_MD5|SSL_SSLV3,
+ SSL_NOT_EXP,
+ 0,
+ 0,
0,
SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
},
/* Cipher 02 */
{
1,
SSL3_TXT_RSA_NULL_SHA,
SSL3_CK_RSA_NULL_SHA,
- SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3,
+ SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_SHA1|SSL_SSLV3,
+ SSL_NOT_EXP,
+ 0,
+ 0,
0,
SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
},
/* anon DH */
@@ -95,45 +103,65 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1,
SSL3_TXT_ADH_RC4_40_MD5,
SSL3_CK_ADH_RC4_40_MD5,
- SSL_kEDH |SSL_aNULL|SSL_RC4 |SSL_MD5 |SSL_EXP40|SSL_SSLV3,
+ SSL_kEDH |SSL_aNULL|SSL_RC4 |SSL_MD5 |SSL_SSLV3,
+ SSL_EXPORT|SSL_EXP40,
0,
+ 40,
+ 128,
SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
},
/* Cipher 18 */
{
1,
SSL3_TXT_ADH_RC4_128_MD5,
SSL3_CK_ADH_RC4_128_MD5,
- SSL_kEDH |SSL_aNULL|SSL_RC4 |SSL_MD5|SSL_NOT_EXP|SSL_SSLV3,
+ SSL_kEDH |SSL_aNULL|SSL_RC4 |SSL_MD5 |SSL_SSLV3,
+ SSL_NOT_EXP,
0,
+ 128,
+ 128,
SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
},
/* Cipher 19 */
{
1,
SSL3_TXT_ADH_DES_40_CBC_SHA,
SSL3_CK_ADH_DES_40_CBC_SHA,
- SSL_kEDH |SSL_aNULL|SSL_DES|SSL_SHA1|SSL_EXP40|SSL_SSLV3,
+ SSL_kEDH |SSL_aNULL|SSL_DES|SSL_SHA1|SSL_SSLV3,
+ SSL_EXPORT|SSL_EXP40,
0,
+ 40,
+ 128,
SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
},
/* Cipher 1A */
{
1,
SSL3_TXT_ADH_DES_64_CBC_SHA,
SSL3_CK_ADH_DES_64_CBC_SHA,
- SSL_kEDH |SSL_aNULL|SSL_DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3,
+ SSL_kEDH |SSL_aNULL|SSL_DES |SSL_SHA1|SSL_SSLV3,
+ SSL_NOT_EXP,
0,
+ 56,
+ 56,
SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
},
/* Cipher 1B */
{
1,
SSL3_TXT_ADH_DES_192_CBC_SHA,
SSL3_CK_ADH_DES_192_CBC_SHA,
- SSL_kEDH |SSL_aNULL|SSL_3DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3,
+ SSL_kEDH |SSL_aNULL|SSL_3DES |SSL_SHA1|SSL_SSLV3,
+ SSL_NOT_EXP,
0,
+ 168,
+ 168,
SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
},
/* RSA again */
@@ -142,72 +170,104 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1,
SSL3_TXT_RSA_RC4_40_MD5,
SSL3_CK_RSA_RC4_40_MD5,
- SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_MD5 |SSL_EXP40|SSL_SSLV3,
+ SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_MD5 |SSL_SSLV3,
+ SSL_EXPORT|SSL_EXP40,
0,
+ 40,
+ 128,
SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
},
/* Cipher 04 */
{
1,
SSL3_TXT_RSA_RC4_128_MD5,
SSL3_CK_RSA_RC4_128_MD5,
- SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_MD5|SSL_NOT_EXP|SSL_SSLV3|SSL_MEDIUM,
+ SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_MD5|SSL_SSLV3,
+ SSL_NOT_EXP|SSL_MEDIUM,
0,
+ 128,
+ 128,
SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
},
/* Cipher 05 */
{
1,
SSL3_TXT_RSA_RC4_128_SHA,
SSL3_CK_RSA_RC4_128_SHA,
- SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_MEDIUM,
+ SSL_kRSA|SSL_aRSA|SSL_RC4 |SSL_SHA1|SSL_SSLV3,
+ SSL_NOT_EXP|SSL_MEDIUM,
0,
+ 128,
+ 128,
SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
},
/* Cipher 06 */
{
1,
SSL3_TXT_RSA_RC2_40_MD5,
SSL3_CK_RSA_RC2_40_MD5,
- SSL_kRSA|SSL_aRSA|SSL_RC2 |SSL_MD5 |SSL_EXP40|SSL_SSLV3,
+ SSL_kRSA|SSL_aRSA|SSL_RC2 |SSL_MD5 |SSL_SSLV3,
+ SSL_EXPORT|SSL_EXP40,
0,
+ 40,
+ 128,
SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
},
/* Cipher 07 */
{
1,
SSL3_TXT_RSA_IDEA_128_SHA,
SSL3_CK_RSA_IDEA_128_SHA,
- SSL_kRSA|SSL_aRSA|SSL_IDEA |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_MEDIUM,
+ SSL_kRSA|SSL_aRSA|SSL_IDEA |SSL_SHA1|SSL_SSLV3,
+ SSL_NOT_EXP|SSL_MEDIUM,
0,
+ 128,
+ 128,
SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
},
/* Cipher 08 */
{
1,
SSL3_TXT_RSA_DES_40_CBC_SHA,
SSL3_CK_RSA_DES_40_CBC_SHA,
- SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_EXP40|SSL_SSLV3,
+ SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_SSLV3,
+ SSL_EXPORT|SSL_EXP40,
0,
+ 40,
+ 56,
SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
},
/* Cipher 09 */
{
1,
SSL3_TXT_RSA_DES_64_CBC_SHA,
SSL3_CK_RSA_DES_64_CBC_SHA,
- SSL_kRSA|SSL_aRSA|SSL_DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_LOW,
+ SSL_kRSA|SSL_aRSA|SSL_DES |SSL_SHA1|SSL_SSLV3,
+ SSL_NOT_EXP|SSL_LOW,
0,
+ 56,
+ 56,
SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
},
/* Cipher 0A */
{
1,
SSL3_TXT_RSA_DES_192_CBC3_SHA,
SSL3_CK_RSA_DES_192_CBC3_SHA,
- SSL_kRSA|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_HIGH,
+ SSL_kRSA|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3,
+ SSL_NOT_EXP|SSL_HIGH,
0,
+ 168,
+ 168,
SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
},
/* The DH ciphers */
@@ -216,54 +276,78 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
0,
SSL3_TXT_DH_DSS_DES_40_CBC_SHA,
SSL3_CK_DH_DSS_DES_40_CBC_SHA,
- SSL_kDHd |SSL_aDH|SSL_DES|SSL_SHA1|SSL_EXP40|SSL_SSLV3,
+ SSL_kDHd |SSL_aDH|SSL_DES|SSL_SHA1|SSL_SSLV3,
+ SSL_EXPORT|SSL_EXP40,
0,
+ 40,
+ 56,
SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
},
/* Cipher 0C */
{
0,
SSL3_TXT_DH_DSS_DES_64_CBC_SHA,
SSL3_CK_DH_DSS_DES_64_CBC_SHA,
- SSL_kDHd |SSL_aDH|SSL_DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_LOW,
+ SSL_kDHd |SSL_aDH|SSL_DES |SSL_SHA1|SSL_SSLV3,
+ SSL_NOT_EXP|SSL_LOW,
0,
+ 56,
+ 56,
SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
},
/* Cipher 0D */
{
0,
SSL3_TXT_DH_DSS_DES_192_CBC3_SHA,
SSL3_CK_DH_DSS_DES_192_CBC3_SHA,
- SSL_kDHd |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_HIGH,
+ SSL_kDHd |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3,
+ SSL_NOT_EXP|SSL_HIGH,
0,
+ 168,
+ 168,
SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
},
/* Cipher 0E */
{
0,
SSL3_TXT_DH_RSA_DES_40_CBC_SHA,
SSL3_CK_DH_RSA_DES_40_CBC_SHA,
- SSL_kDHr |SSL_aDH|SSL_DES|SSL_SHA1|SSL_EXP40|SSL_SSLV3,
+ SSL_kDHr |SSL_aDH|SSL_DES|SSL_SHA1|SSL_SSLV3,
+ SSL_EXPORT|SSL_EXP40,
0,
+ 40,
+ 56,
SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
},
/* Cipher 0F */
{
0,
SSL3_TXT_DH_RSA_DES_64_CBC_SHA,
SSL3_CK_DH_RSA_DES_64_CBC_SHA,
- SSL_kDHr |SSL_aDH|SSL_DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_LOW,
+ SSL_kDHr |SSL_aDH|SSL_DES |SSL_SHA1|SSL_SSLV3,
+ SSL_NOT_EXP|SSL_LOW,
0,
+ 56,
+ 56,
SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
},
/* Cipher 10 */
{
0,
SSL3_TXT_DH_RSA_DES_192_CBC3_SHA,
SSL3_CK_DH_RSA_DES_192_CBC3_SHA,
- SSL_kDHr |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_HIGH,
+ SSL_kDHr |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3,
+ SSL_NOT_EXP|SSL_HIGH,
0,
+ 168,
+ 168,
SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
},
/* The Ephemeral DH ciphers */
@@ -272,54 +356,78 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1,
SSL3_TXT_EDH_DSS_DES_40_CBC_SHA,
SSL3_CK_EDH_DSS_DES_40_CBC_SHA,
- SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA1|SSL_EXP40|SSL_SSLV3,
+ SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA1|SSL_SSLV3,
+ SSL_EXPORT|SSL_EXP40,
0,
+ 40,
+ 56,
SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
},
/* Cipher 12 */
{
1,
SSL3_TXT_EDH_DSS_DES_64_CBC_SHA,
SSL3_CK_EDH_DSS_DES_64_CBC_SHA,
- SSL_kEDH|SSL_aDSS|SSL_DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_LOW,
+ SSL_kEDH|SSL_aDSS|SSL_DES |SSL_SHA1|SSL_SSLV3,
+ SSL_NOT_EXP|SSL_LOW,
0,
+ 56,
+ 56,
SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
},
/* Cipher 13 */
{
1,
SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA,
SSL3_CK_EDH_DSS_DES_192_CBC3_SHA,
- SSL_kEDH|SSL_aDSS|SSL_3DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_HIGH,
+ SSL_kEDH|SSL_aDSS|SSL_3DES |SSL_SHA1|SSL_SSLV3,
+ SSL_NOT_EXP|SSL_HIGH,
0,
+ 168,
+ 168,
SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
},
/* Cipher 14 */
{
1,
SSL3_TXT_EDH_RSA_DES_40_CBC_SHA,
SSL3_CK_EDH_RSA_DES_40_CBC_SHA,
- SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_EXP40|SSL_SSLV3,
+ SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1|SSL_SSLV3,
+ SSL_EXPORT|SSL_EXP40,
0,
+ 40,
+ 56,
SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
},
/* Cipher 15 */
{
1,
SSL3_TXT_EDH_RSA_DES_64_CBC_SHA,
SSL3_CK_EDH_RSA_DES_64_CBC_SHA,
- SSL_kEDH|SSL_aRSA|SSL_DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_LOW,
+ SSL_kEDH|SSL_aRSA|SSL_DES |SSL_SHA1|SSL_SSLV3,
+ SSL_NOT_EXP|SSL_LOW,
0,
+ 56,
+ 56,
SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
},
/* Cipher 16 */
{
1,
SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA,
SSL3_CK_EDH_RSA_DES_192_CBC3_SHA,
- SSL_kEDH|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3|SSL_HIGH,
+ SSL_kEDH|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3,
+ SSL_NOT_EXP|SSL_HIGH,
0,
+ 168,
+ 168,
SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
},
/* Fortezza */
@@ -328,9 +436,13 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
0,
SSL3_TXT_FZA_DMS_NULL_SHA,
SSL3_CK_FZA_DMS_NULL_SHA,
- SSL_kFZA|SSL_aFZA |SSL_eNULL |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3,
+ SSL_kFZA|SSL_aFZA |SSL_eNULL |SSL_SHA1|SSL_SSLV3,
+ SSL_NOT_EXP,
+ 0,
+ 0,
0,
SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
},
/* Cipher 1D */
@@ -338,9 +450,13 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
0,
SSL3_TXT_FZA_DMS_FZA_SHA,
SSL3_CK_FZA_DMS_FZA_SHA,
- SSL_kFZA|SSL_aFZA |SSL_eFZA |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3,
+ SSL_kFZA|SSL_aFZA |SSL_eFZA |SSL_SHA1|SSL_SSLV3,
+ SSL_NOT_EXP,
+ 0,
+ 0,
0,
SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
},
/* Cipher 1E */
@@ -348,9 +464,13 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
0,
SSL3_TXT_FZA_DMS_RC4_SHA,
SSL3_CK_FZA_DMS_RC4_SHA,
- SSL_kFZA|SSL_aFZA |SSL_RC4 |SSL_SHA1|SSL_NOT_EXP|SSL_SSLV3,
+ SSL_kFZA|SSL_aFZA |SSL_RC4 |SSL_SHA1|SSL_SSLV3,
+ SSL_NOT_EXP,
0,
+ 128,
+ 128,
SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
},
#if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES
@@ -360,54 +480,78 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1,
TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5,
TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5,
- SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_EXP56|SSL_TLSV1,
+ SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_TLSV1,
+ SSL_EXPORT|SSL_EXP56,
0,
- SSL_ALL_CIPHERS
+ 56,
+ 128,
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
},
/* Cipher 61 */
{
1,
TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5,
TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5,
- SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_EXP56|SSL_TLSV1,
+ SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_TLSV1,
+ SSL_EXPORT|SSL_EXP56,
0,
- SSL_ALL_CIPHERS
+ 56,
+ 128,
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
},
/* Cipher 62 */
{
1,
TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA,
TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA,
- SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA|SSL_EXP56|SSL_TLSV1,
+ SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA|SSL_TLSV1,
+ SSL_EXPORT|SSL_EXP56,
0,
- SSL_ALL_CIPHERS
+ 56,
+ 56,
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
},
/* Cipher 63 */
{
1,
TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
- SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA|SSL_EXP56|SSL_TLSV1,
+ SSL_kEDH|SSL_aDSS|SSL_DES|SSL_SHA|SSL_TLSV1,
+ SSL_EXPORT|SSL_EXP56,
0,
- SSL_ALL_CIPHERS
+ 56,
+ 56,
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
},
/* Cipher 64 */
{
1,
TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA,
TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA,
- SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_EXP56|SSL_TLSV1,
+ SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
+ SSL_EXPORT|SSL_EXP56,
0,
- SSL_ALL_CIPHERS
+ 56,
+ 128,
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
},
/* Cipher 65 */
{
1,
TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
- SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_EXP56|SSL_TLSV1,
+ SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1,
+ SSL_EXPORT|SSL_EXP56,
0,
- SSL_ALL_CIPHERS
+ 56,
+ 128,
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
},
/* Cipher 66 */
{
@@ -415,8 +559,12 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA,
TLS1_CK_DHE_DSS_WITH_RC4_128_SHA,
SSL_kEDH|SSL_aDSS|SSL_RC4|SSL_SHA|SSL_TLSV1,
+ SSL_NOT_EXP,
0,
- SSL_ALL_CIPHERS
+ 128,
+ 128,
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS
},
#endif
@@ -460,6 +608,9 @@ static SSL_METHOD SSLv3_data= {
ssl_bad_method,
ssl3_default_timeout,
&SSLv3_enc_data,
+ ssl_undefined_function,
+ ssl3_callback_ctrl,
+ ssl3_ctx_callback_ctrl,
};
static long ssl3_default_timeout(void)
@@ -495,19 +646,12 @@ int ssl3_pending(SSL *s)
int ssl3_new(SSL *s)
{
- SSL3_CTX *s3;
+ SSL3_STATE *s3;
- if ((s3=(SSL3_CTX *)Malloc(sizeof(SSL3_CTX))) == NULL) goto err;
- memset(s3,0,sizeof(SSL3_CTX));
+ if ((s3=Malloc(sizeof *s3)) == NULL) goto err;
+ memset(s3,0,sizeof *s3);
s->s3=s3;
- /*
- s->s3->tmp.ca_names=NULL;
- s->s3->tmp.key_block=NULL;
- s->s3->tmp.key_block_length=0;
- s->s3->rbuf.buf=NULL;
- s->s3->wbuf.buf=NULL;
- */
s->method->ssl_clear(s);
return(1);
@@ -533,7 +677,7 @@ void ssl3_free(SSL *s)
#endif
if (s->s3->tmp.ca_names != NULL)
sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
- memset(s->s3,0,sizeof(SSL3_CTX));
+ memset(s->s3,0,sizeof *s->s3);
Free(s->s3);
s->s3=NULL;
}
@@ -551,11 +695,15 @@ void ssl3_clear(SSL *s)
Free(s->s3->rrec.comp);
s->s3->rrec.comp=NULL;
}
+#ifndef NO_DH
+ if (s->s3->tmp.dh != NULL)
+ DH_free(s->s3->tmp.dh);
+#endif
rp=s->s3->rbuf.buf;
wp=s->s3->wbuf.buf;
- memset(s->s3,0,sizeof(SSL3_CTX));
+ memset(s->s3,0,sizeof *s->s3);
if (rp != NULL) s->s3->rbuf.buf=rp;
if (wp != NULL) s->s3->wbuf.buf=wp;
@@ -623,14 +771,16 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, char *parg)
case SSL_CTRL_SET_TMP_RSA:
{
RSA *rsa = (RSA *)parg;
- if (rsa == NULL) {
+ if (rsa == NULL)
+ {
SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER);
return(ret);
- }
- if ((rsa = RSAPrivateKey_dup(rsa)) == NULL) {
+ }
+ if ((rsa = RSAPrivateKey_dup(rsa)) == NULL)
+ {
SSLerr(SSL_F_SSL3_CTRL, ERR_R_RSA_LIB);
return(ret);
- }
+ }
if (s->cert->rsa_tmp != NULL)
RSA_free(s->cert->rsa_tmp);
s->cert->rsa_tmp = rsa;
@@ -638,26 +788,35 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, char *parg)
}
break;
case SSL_CTRL_SET_TMP_RSA_CB:
- s->cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))parg;
+ {
+ SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+ return(ret);
+ }
break;
#endif
#ifndef NO_DH
case SSL_CTRL_SET_TMP_DH:
{
DH *dh = (DH *)parg;
- if (dh == NULL) {
+ if (dh == NULL)
+ {
SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER);
return(ret);
- }
- if ((dh = DHparams_dup(dh)) == NULL) {
+ }
+ if ((dh = DHparams_dup(dh)) == NULL)
+ {
SSLerr(SSL_F_SSL3_CTRL, ERR_R_DH_LIB);
return(ret);
- }
- if (!DH_generate_key(dh)) {
- DH_free(dh);
- SSLerr(SSL_F_SSL3_CTRL, ERR_R_DH_LIB);
- return(ret);
- }
+ }
+ if (!(s->options & SSL_OP_SINGLE_DH_USE))
+ {
+ if (!DH_generate_key(dh))
+ {
+ DH_free(dh);
+ SSLerr(SSL_F_SSL3_CTRL, ERR_R_DH_LIB);
+ return(ret);
+ }
+ }
if (s->cert->dh_tmp != NULL)
DH_free(s->cert->dh_tmp);
s->cert->dh_tmp = dh;
@@ -665,7 +824,54 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, char *parg)
}
break;
case SSL_CTRL_SET_TMP_DH_CB:
- s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))parg;
+ {
+ SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+ return(ret);
+ }
+ break;
+#endif
+ default:
+ break;
+ }
+ return(ret);
+ }
+
+long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)())
+ {
+ int ret=0;
+
+#if !defined(NO_DSA) || !defined(NO_RSA)
+ if (
+#ifndef NO_RSA
+ cmd == SSL_CTRL_SET_TMP_RSA_CB ||
+#endif
+#ifndef NO_DSA
+ cmd == SSL_CTRL_SET_TMP_DH_CB ||
+#endif
+ 0)
+ {
+ if (!ssl_cert_inst(&s->cert))
+ {
+ SSLerr(SSL_F_SSL3_CALLBACK_CTRL, ERR_R_MALLOC_FAILURE);
+ return(0);
+ }
+ }
+#endif
+
+ switch (cmd)
+ {
+#ifndef NO_RSA
+ case SSL_CTRL_SET_TMP_RSA_CB:
+ {
+ s->cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp;
+ }
+ break;
+#endif
+#ifndef NO_DH
+ case SSL_CTRL_SET_TMP_DH_CB:
+ {
+ s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
+ }
break;
#endif
default:
@@ -721,34 +927,43 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, char *parg)
}
/* break; */
case SSL_CTRL_SET_TMP_RSA_CB:
- cert->rsa_tmp_cb=(RSA *(*)(SSL *, int, int))parg;
+ {
+ SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+ return(0);
+ }
break;
#endif
#ifndef NO_DH
case SSL_CTRL_SET_TMP_DH:
{
DH *new=NULL,*dh;
- int rret=0;
dh=(DH *)parg;
- if ( ((new=DHparams_dup(dh)) == NULL) ||
- (!DH_generate_key(new)))
+ if ((new=DHparams_dup(dh)) == NULL)
{
SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_DH_LIB);
- if (new != NULL) DH_free(new);
+ return 0;
}
- else
+ if (!(ctx->options & SSL_OP_SINGLE_DH_USE))
{
- if (cert->dh_tmp != NULL)
- DH_free(cert->dh_tmp);
- cert->dh_tmp=new;
- rret=1;
+ if (!DH_generate_key(new))
+ {
+ SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_DH_LIB);
+ DH_free(new);
+ return 0;
+ }
}
- return(rret);
+ if (cert->dh_tmp != NULL)
+ DH_free(cert->dh_tmp);
+ cert->dh_tmp=new;
+ return 1;
}
/*break; */
case SSL_CTRL_SET_TMP_DH_CB:
- cert->dh_tmp_cb=(DH *(*)(SSL *, int, int))parg;
+ {
+ SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+ return(0);
+ }
break;
#endif
/* A Thawte special :-) */
@@ -767,6 +982,34 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, char *parg)
return(1);
}
+long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)())
+ {
+ CERT *cert;
+
+ cert=ctx->cert;
+
+ switch (cmd)
+ {
+#ifndef NO_RSA
+ case SSL_CTRL_SET_TMP_RSA_CB:
+ {
+ cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp;
+ }
+ break;
+#endif
+#ifndef NO_DH
+ case SSL_CTRL_SET_TMP_DH_CB:
+ {
+ cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
+ }
+ break;
+#endif
+ default:
+ return(0);
+ }
+ return(1);
+ }
+
/* This function needs to check if the ciphers required are actually
* available */
SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p)
@@ -819,21 +1062,6 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p)
return(2);
}
-int ssl3_part_read(SSL *s, int i)
- {
- s->rwstate=SSL_READING;
-
- if (i < 0)
- {
- return(i);
- }
- else
- {
- s->init_num+=i;
- return(0);
- }
- }
-
SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *have,
STACK_OF(SSL_CIPHER) *pref)
{
@@ -865,7 +1093,7 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *have,
emask=cert->export_mask;
alg=c->algorithms&(SSL_MKEY_MASK|SSL_AUTH_MASK);
- if (SSL_IS_EXPORT(c->algorithms))
+ if (SSL_C_IS_EXPORT(c))
{
ok=((alg & emask) == alg)?1:0;
#ifdef CIPHER_DEBUG
@@ -1034,8 +1262,12 @@ int ssl3_read(SSL *s, void *buf, int len)
ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len);
if ((ret == -1) && (s->s3->in_read_app_data == 0))
{
- ERR_get_error(); /* clear the error */
- s->s3->in_read_app_data=0;
+ /* ssl3_read_bytes decided to call s->handshake_func, which
+ * called ssl3_read_bytes to read handshake data.
+ * However, ssl3_read_bytes actually found application data
+ * and thinks that application data makes sense here (signalled
+ * by resetting 'in_read_app_data', strangely); so disable
+ * handshake processing and try to read application data again. */
s->in_handshake++;
ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len);
s->in_handshake--;
@@ -1092,7 +1324,7 @@ int ssl3_renegotiate_check(SSL *s)
{
/*
if we are the server, and we have sent a 'RENEGOTIATE' message, we
-need to go to SSL_ST_ACCEPT.
+need to go to SSL_ST_ACCEPT.
*/
/* SSL_ST_ACCEPT */
s->state=SSL_ST_RENEGOTIATE;
diff --git a/crypto/openssl/ssl/s3_pkt.c b/crypto/openssl/ssl/s3_pkt.c
index 7893d03123df..eb965310d9b3 100644
--- a/crypto/openssl/ssl/s3_pkt.c
+++ b/crypto/openssl/ssl/s3_pkt.c
@@ -55,6 +55,59 @@
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
#include <stdio.h>
#include <errno.h>
@@ -71,104 +124,98 @@ static int ssl3_get_record(SSL *s);
static int do_compress(SSL *ssl);
static int do_uncompress(SSL *ssl);
static int do_change_cipher_spec(SSL *ssl);
+
+/* used only by ssl3_get_record */
static int ssl3_read_n(SSL *s, int n, int max, int extend)
{
+ /* If extend == 0, obtain new n-byte packet; if extend == 1, increase
+ * packet by another n bytes.
+ * The packet will be in the sub-array of s->s3->rbuf.buf specified
+ * by s->packet and s->packet_length.
+ * (If s->read_ahead is set, 'max' bytes may be stored in rbuf
+ * [plus s->packet_length bytes if extend == 1].)
+ */
int i,off,newb;
- /* if there is stuff still in the buffer from a previous read,
- * and there is more than we want, take some. */
+ if (!extend)
+ {
+ /* start with empty packet ... */
+ if (s->s3->rbuf.left == 0)
+ s->s3->rbuf.offset = 0;
+ s->packet = s->s3->rbuf.buf + s->s3->rbuf.offset;
+ s->packet_length = 0;
+ /* ... now we can act as if 'extend' was set */
+ }
+
+ /* if there is enough in the buffer from a previous read, take some */
if (s->s3->rbuf.left >= (int)n)
{
- if (extend)
- s->packet_length+=n;
- else
- {
- s->packet= &(s->s3->rbuf.buf[s->s3->rbuf.offset]);
- s->packet_length=n;
- }
+ s->packet_length+=n;
s->s3->rbuf.left-=n;
s->s3->rbuf.offset+=n;
return(n);
}
/* else we need to read more data */
- if (!s->read_ahead) max=n;
- if (max > SSL3_RT_MAX_PACKET_SIZE)
- max=SSL3_RT_MAX_PACKET_SIZE;
-
- /* First check if there is some left or we want to extend */
- off=0;
- if ( (s->s3->rbuf.left != 0) ||
- ((s->packet_length != 0) && extend))
- {
- newb=s->s3->rbuf.left;
- if (extend)
- {
- /* Copy bytes back to the front of the buffer
- * Take the bytes already pointed to by 'packet'
- * and take the extra ones on the end. */
- off=s->packet_length;
- if (s->packet != s->s3->rbuf.buf)
- memcpy(s->s3->rbuf.buf,s->packet,newb+off);
- }
- else if (s->s3->rbuf.offset != 0)
- { /* so the data is not at the start of the buffer */
- memcpy(s->s3->rbuf.buf,
- &(s->s3->rbuf.buf[s->s3->rbuf.offset]),newb);
- s->s3->rbuf.offset=0;
- }
+ if (!s->read_ahead)
+ max=n;
- s->s3->rbuf.left=0;
+ {
+ /* avoid buffer overflow */
+ int max_max = SSL3_RT_MAX_PACKET_SIZE - s->packet_length;
+ if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
+ max_max += SSL3_RT_MAX_EXTRA;
+ if (max > max_max)
+ max = max_max;
+ }
+ if (n > max) /* does not happen */
+ {
+ SSLerr(SSL_F_SSL3_READ_N,SSL_R_INTERNAL_ERROR);
+ return -1;
}
- else
- newb=0;
- /* So we now have 'newb' bytes at the front of
- * s->s3->rbuf.buf and need to read some more in on the end
- * We start reading into the buffer at 's->s3->rbuf.offset'
- */
- s->packet=s->s3->rbuf.buf;
+ off = s->packet_length;
+ newb = s->s3->rbuf.left;
+ /* Move any available bytes to front of buffer:
+ * 'off' bytes already pointed to by 'packet',
+ * 'newb' extra ones at the end */
+ if (s->packet != s->s3->rbuf.buf)
+ {
+ /* off > 0 */
+ memmove(s->s3->rbuf.buf, s->packet, off+newb);
+ s->packet = s->s3->rbuf.buf;
+ }
while (newb < n)
{
+ /* Now we have off+newb bytes at the front of s->s3->rbuf.buf and need
+ * to read in more until we have off+n (up to off+max if possible) */
+
clear_sys_error();
if (s->rbio != NULL)
{
s->rwstate=SSL_READING;
- i=BIO_read(s->rbio,
- (char *)&(s->s3->rbuf.buf[off+newb]),
- max-newb);
+ i=BIO_read(s->rbio, &(s->s3->rbuf.buf[off+newb]), max-newb);
}
else
{
SSLerr(SSL_F_SSL3_READ_N,SSL_R_READ_BIO_NOT_SET);
- i= -1;
+ i = -1;
}
if (i <= 0)
{
- s->s3->rbuf.left+=newb;
+ s->s3->rbuf.left = newb;
return(i);
}
newb+=i;
}
- /* record used data read */
- if (newb > n)
- {
- s->s3->rbuf.offset=n+off;
- s->s3->rbuf.left=newb-n;
- }
- else
- {
- s->s3->rbuf.offset=0;
- s->s3->rbuf.left=0;
- }
-
- if (extend)
- s->packet_length+=n;
- else
- s->packet_length+=n;
+ /* done reading, now the book-keeping */
+ s->s3->rbuf.offset = off + n;
+ s->s3->rbuf.left = newb - n;
+ s->packet_length += n;
+ s->rwstate=SSL_NOTHING;
return(n);
}
@@ -176,15 +223,15 @@ static int ssl3_read_n(SSL *s, int n, int max, int extend)
* It will return <= 0 if more data is needed, normally due to an error
* or non-blocking IO.
* When it finishes, one packet has been decoded and can be found in
- * ssl->s3->rrec.type - is the type of record
- * ssl->s3->rrec.data, - data
+ * ssl->s3->rrec.type - is the type of record
+ * ssl->s3->rrec.data, - data
* ssl->s3->rrec.length, - number of bytes
*/
+/* used only by ssl3_read_bytes */
static int ssl3_get_record(SSL *s)
{
int ssl_major,ssl_minor,al;
int n,i,ret= -1;
- SSL3_BUFFER *rb;
SSL3_RECORD *rr;
SSL_SESSION *sess;
unsigned char *p;
@@ -194,7 +241,6 @@ static int ssl3_get_record(SSL *s)
int clear=0,extra;
rr= &(s->s3->rrec);
- rb= &(s->s3->rbuf);
sess=s->session;
if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
@@ -253,27 +299,26 @@ again:
goto f_err;
}
- s->rstate=SSL_ST_READ_BODY;
+ /* now s->rstate == SSL_ST_READ_BODY */
}
- /* get and decode the data */
- if (s->rstate == SSL_ST_READ_BODY)
+ /* s->rstate == SSL_ST_READ_BODY, get and decode the data */
+
+ if (rr->length > (s->packet_length-SSL3_RT_HEADER_LENGTH))
{
- if (rr->length > (s->packet_length-SSL3_RT_HEADER_LENGTH))
- {
- i=rr->length;
- /*-(s->packet_length-SSL3_RT_HEADER_LENGTH); */
- n=ssl3_read_n(s,i,i,1);
- if (n <= 0) return(n); /* error or non-blocking io */
- }
- s->rstate=SSL_ST_READ_HEADER;
+ /* now s->packet_length == SSL3_RT_HEADER_LENGTH */
+ i=rr->length;
+ n=ssl3_read_n(s,i,i,1);
+ if (n <= 0) return(n); /* error or non-blocking io */
+ /* now n == rr->length,
+ * and s->packet_length == SSL3_RT_HEADER_LENGTH + rr->length */
}
- /* At this point, we have the data in s->packet and there should be
- * s->packet_length bytes, we must not 'overrun' this buffer :-)
- * One of the following functions will copy the data from the
- * s->packet buffer */
+ s->rstate=SSL_ST_READ_HEADER; /* set state for later operations */
+ /* At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length,
+ * and we have that many bytes in s->packet
+ */
rr->input= &(s->packet[SSL3_RT_HEADER_LENGTH]);
/* ok, we can now read from 's->packet' data into 'rr'
@@ -283,13 +328,10 @@ again:
* When the data is 'copied' into the rr->data buffer,
* rr->input will be pointed at the new buffer */
- /* Set the state for the following operations */
- s->rstate=SSL_ST_READ_HEADER;
-
/* We now have - encrypted [ MAC [ compressed [ plain ] ] ]
* rr->length bytes of encrypted compressed stuff. */
- /* check is not needed I belive */
+ /* check is not needed I believe */
if (rr->length > (unsigned int)SSL3_RT_MAX_ENCRYPTED_LENGTH+extra)
{
al=SSL_AD_RECORD_OVERFLOW;
@@ -326,7 +368,7 @@ printf("\n");
SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
goto f_err;
}
- /* check MAC for rr->input' */
+ /* check the MAC for rr->input (it's in mac_size bytes at the tail) */
if (rr->length < mac_size)
{
al=SSL_AD_DECODE_ERROR;
@@ -426,12 +468,12 @@ static int do_compress(SSL *ssl)
return(1);
}
-/* Call this to write data
+/* Call this to write data in records of type 'type'
* It will return <= 0 if not all data has been sent or non-blocking IO.
*/
-int ssl3_write_bytes(SSL *s, int type, const void *_buf, int len)
+int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
{
- const unsigned char *buf=_buf;
+ const unsigned char *buf=buf_;
unsigned int tot,n,nw;
int i;
@@ -457,7 +499,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *_buf, int len)
nw=SSL3_RT_MAX_PLAIN_LENGTH;
else
nw=n;
-
+
i=do_ssl3_write(s,type,&(buf[tot]),nw);
if (i <= 0)
{
@@ -465,9 +507,6 @@ int ssl3_write_bytes(SSL *s, int type, const void *_buf, int len)
return(i);
}
- if (type == SSL3_RT_HANDSHAKE)
- ssl3_finish_mac(s,&(buf[tot]),i);
-
if ((i == (int)n) ||
(type == SSL3_RT_APPLICATION_DATA &&
(s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE)))
@@ -503,8 +542,8 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
/* if it went, fall through and send more stuff */
}
- if (len <= 0) return(len);
-
+ if (len == 0) return(len);
+
wr= &(s->s3->wrec);
wb= &(s->s3->wbuf);
sess=s->session;
@@ -527,11 +566,11 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
*(p++)=(s->version>>8);
*(p++)=s->version&0xff;
-
+
/* record where we are to write out packet length */
plen=p;
p+=2;
-
+
/* lets setup the record stuff. */
wr->data=p;
wr->length=(int)len;
@@ -638,19 +677,75 @@ static int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
}
}
+/* Return up to 'len' payload bytes received in 'type' records.
+ * 'type' is one of the following:
+ *
+ * - SSL3_RT_HANDSHAKE (when ssl3_get_message calls us)
+ * - SSL3_RT_APPLICATION_DATA (when ssl3_read calls us)
+ * - 0 (during a shutdown, no data has to be returned)
+ *
+ * If we don't have stored data to work from, read a SSL/TLS record first
+ * (possibly multiple records if we still don't have anything to return).
+ *
+ * This function must handle any surprises the peer may have for us, such as
+ * Alert records (e.g. close_notify), ChangeCipherSpec records (not really
+ * a surprise, but handled as if it were), or renegotiation requests.
+ * Also if record payloads contain fragments too small to process, we store
+ * them until there is enough for the respective protocol (the record protocol
+ * may use arbitrary fragmentation and even interleaving):
+ * Change cipher spec protocol
+ * just 1 byte needed, no need for keeping anything stored
+ * Alert protocol
+ * 2 bytes needed (AlertLevel, AlertDescription)
+ * Handshake protocol
+ * 4 bytes needed (HandshakeType, uint24 length) -- we just have
+ * to detect unexpected Client Hello and Hello Request messages
+ * here, anything else is handled by higher layers
+ * Application data protocol
+ * none of our business
+ */
int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len)
{
- int al,i,j,n,ret;
+ int al,i,j,ret;
+ unsigned int n;
SSL3_RECORD *rr;
void (*cb)()=NULL;
- BIO *bio;
- if (s->s3->rbuf.buf == NULL) /* Not initialize yet */
+ if (s->s3->rbuf.buf == NULL) /* Not initialized yet */
if (!ssl3_setup_buffers(s))
return(-1);
+ if ((type != SSL3_RT_APPLICATION_DATA) && (type != SSL3_RT_HANDSHAKE) && type)
+ {
+ SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_INTERNAL_ERROR);
+ return -1;
+ }
+
+ if ((type == SSL3_RT_HANDSHAKE) && (s->s3->handshake_fragment_len > 0))
+ /* (partially) satisfy request from storage */
+ {
+ unsigned char *src = s->s3->handshake_fragment;
+ unsigned char *dst = buf;
+ unsigned int k;
+
+ n = 0;
+ while ((len > 0) && (s->s3->handshake_fragment_len > 0))
+ {
+ *dst++ = *src++;
+ len--; s->s3->handshake_fragment_len--;
+ n++;
+ }
+ /* move any remaining fragment bytes: */
+ for (k = 0; k < s->s3->handshake_fragment_len; k++)
+ s->s3->handshake_fragment[k] = *src++;
+ return n;
+ }
+
+ /* Now s->s3->handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE. */
+
if (!s->in_handshake && SSL_in_init(s))
{
+ /* type == SSL3_RT_APPLICATION_DATA */
i=s->handshake_func(s);
if (i < 0) return(i);
if (i == 0)
@@ -662,11 +757,11 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len)
start:
s->rwstate=SSL_NOTHING;
- /* s->s3->rrec.type - is the type of record
- * s->s3->rrec.data, - data
- * s->s3->rrec.off, - ofset into 'data' for next read
- * s->s3->rrec.length, - number of bytes. */
- rr= &(s->s3->rrec);
+ /* s->s3->rrec.type - is the type of record
+ * s->s3->rrec.data, - data
+ * s->s3->rrec.off, - offset into 'data' for next read
+ * s->s3->rrec.length, - number of bytes. */
+ rr = &(s->s3->rrec);
/* get new packet */
if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY))
@@ -677,7 +772,9 @@ start:
/* we now have a packet which can be read and processed */
- if (s->s3->change_cipher_spec && (rr->type != SSL3_RT_HANDSHAKE))
+ if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
+ * reset by ssl3_get_finished */
+ && (rr->type != SSL3_RT_HANDSHAKE))
{
al=SSL_AD_UNEXPECTED_MESSAGE;
SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_DATA_BETWEEN_CCS_AND_FINISHED);
@@ -692,16 +789,98 @@ start:
return(0);
}
- /* Check for an incoming 'Client Request' message */
- if ((rr->type == SSL3_RT_HANDSHAKE) && (rr->length == 4) &&
- (rr->data[0] == SSL3_MT_CLIENT_REQUEST) &&
+
+ if (type == rr->type) /* SSL3_RT_APPLICATION_DATA or SSL3_RT_HANDSHAKE */
+ {
+ /* make sure that we are not getting application data when we
+ * are doing a handshake for the first time */
+ if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) &&
+ (s->enc_read_ctx == NULL))
+ {
+ al=SSL_AD_UNEXPECTED_MESSAGE;
+ SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_APP_DATA_IN_HANDSHAKE);
+ goto f_err;
+ }
+
+ if (len <= 0) return(len);
+
+ if ((unsigned int)len > rr->length)
+ n = rr->length;
+ else
+ n = (unsigned int)len;
+
+ memcpy(buf,&(rr->data[rr->off]),n);
+ rr->length-=n;
+ rr->off+=n;
+ if (rr->length == 0)
+ {
+ s->rstate=SSL_ST_READ_HEADER;
+ rr->off=0;
+ }
+ return(n);
+ }
+
+
+ /* If we get here, then type != rr->type; if we have a handshake
+ * message, then it was unexpected (Hello Request or Client Hello). */
+
+ /* In case of record types for which we have 'fragment' storage,
+ * fill that so that we can process the data at a fixed place.
+ */
+ {
+ unsigned int dest_maxlen = 0;
+ unsigned char *dest = NULL;
+ unsigned int *dest_len = NULL;
+
+ if (rr->type == SSL3_RT_HANDSHAKE)
+ {
+ dest_maxlen = sizeof s->s3->handshake_fragment;
+ dest = s->s3->handshake_fragment;
+ dest_len = &s->s3->handshake_fragment_len;
+ }
+ else if (rr->type == SSL3_RT_ALERT)
+ {
+ dest_maxlen = sizeof s->s3->alert_fragment;
+ dest = s->s3->alert_fragment;
+ dest_len = &s->s3->alert_fragment_len;
+ }
+
+ if (dest_maxlen > 0)
+ {
+ n = dest_maxlen - *dest_len; /* available space in 'dest' */
+ if (rr->length < n)
+ n = rr->length; /* available bytes */
+
+ /* now move 'n' bytes: */
+ while (n-- > 0)
+ {
+ dest[(*dest_len)++] = rr->data[rr->off++];
+ rr->length--;
+ }
+
+ if (*dest_len < dest_maxlen)
+ goto start; /* fragment was too small */
+ }
+ }
+
+ /* s->s3->handshake_fragment_len == 4 iff rr->type == SSL3_RT_HANDSHAKE;
+ * s->s3->alert_fragment_len == 2 iff rr->type == SSL3_RT_ALERT.
+ * (Possibly rr is 'empty' now, i.e. rr->length may be 0.) */
+
+ /* If we are a client, check for an incoming 'Hello Request': */
+ if ((!s->server) &&
+ (s->s3->handshake_fragment_len >= 4) &&
+ (s->s3->handshake_fragment[0] == SSL3_MT_HELLO_REQUEST) &&
(s->session != NULL) && (s->session->cipher != NULL))
{
- if ((rr->data[1] != 0) || (rr->data[2] != 0) ||
- (rr->data[3] != 0))
+ s->s3->handshake_fragment_len = 0;
+
+ if ((s->s3->handshake_fragment[1] != 0) ||
+ (s->s3->handshake_fragment[2] != 0) ||
+ (s->s3->handshake_fragment[3] != 0))
{
al=SSL_AD_DECODE_ERROR;
- SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_CLIENT_REQUEST);
+ SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_HELLO_REQUEST);
goto err;
}
@@ -712,220 +891,209 @@ start:
ssl3_renegotiate(s);
if (ssl3_renegotiate_check(s))
{
- n=s->handshake_func(s);
- if (n < 0) return(n);
- if (n == 0)
+ i=s->handshake_func(s);
+ if (i < 0) return(i);
+ if (i == 0)
{
SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
return(-1);
}
+
+ if (s->s3->rbuf.left == 0) /* no read-ahead left? */
+ {
+ BIO *bio;
+ /* In the case where we try to read application data
+ * the first time, but we trigger an SSL handshake, we
+ * return -1 with the retry option set. I do this
+ * otherwise renegotiation can cause nasty problems
+ * in the blocking world */ /* ? */
+ s->rwstate=SSL_READING;
+ bio=SSL_get_rbio(s);
+ BIO_clear_retry_flags(bio);
+ BIO_set_retry_read(bio);
+ return(-1);
+ }
}
}
- rr->length=0;
-/* ZZZ */ goto start;
+ /* we either finished a handshake or ignored the request,
+ * now try again to obtain the (application) data we were asked for */
+ goto start;
}
- /* if it is not the type we want, or we have shutdown and want
- * the peer shutdown */
- if ((rr->type != type) || (s->shutdown & SSL_SENT_SHUTDOWN))
+ if (s->s3->alert_fragment_len >= 2)
{
- if (rr->type == SSL3_RT_ALERT)
- {
- if ((rr->length != 2) || (rr->off != 0))
- {
- al=SSL_AD_DECODE_ERROR;
- SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_ALERT_RECORD);
- goto f_err;
- }
+ int alert_level = s->s3->alert_fragment[0];
+ int alert_descr = s->s3->alert_fragment[1];
- i=rr->data[0];
- n=rr->data[1];
+ s->s3->alert_fragment_len = 0;
- /* clear from buffer */
- rr->length=0;
-
- if (s->info_callback != NULL)
- cb=s->info_callback;
- else if (s->ctx->info_callback != NULL)
- cb=s->ctx->info_callback;
+ if (s->info_callback != NULL)
+ cb=s->info_callback;
+ else if (s->ctx->info_callback != NULL)
+ cb=s->ctx->info_callback;
- if (cb != NULL)
- {
- j=(i<<8)|n;
- cb(s,SSL_CB_READ_ALERT,j);
- }
+ if (cb != NULL)
+ {
+ j = (alert_level << 8) | alert_descr;
+ cb(s, SSL_CB_READ_ALERT, j);
+ }
- if (i == 1)
- {
- s->s3->warn_alert=n;
- if (n == SSL_AD_CLOSE_NOTIFY)
- {
- s->shutdown|=SSL_RECEIVED_SHUTDOWN;
- return(0);
- }
- }
- else if (i == 2)
+ if (alert_level == 1) /* warning */
+ {
+ s->s3->warn_alert = alert_descr;
+ if (alert_descr == SSL_AD_CLOSE_NOTIFY)
{
- char tmp[16];
-
- s->rwstate=SSL_NOTHING;
- s->s3->fatal_alert=n;
- SSLerr(SSL_F_SSL3_READ_BYTES,
- SSL_AD_REASON_OFFSET+n);
- sprintf(tmp,"%d",n);
- ERR_add_error_data(2,"SSL alert number ",tmp);
- s->shutdown|=SSL_RECEIVED_SHUTDOWN;
- SSL_CTX_remove_session(s->ctx,s->session);
+ s->shutdown |= SSL_RECEIVED_SHUTDOWN;
return(0);
}
- else
- {
- al=SSL_AD_ILLEGAL_PARAMETER;
- SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNKNOWN_ALERT_TYPE);
- goto f_err;
- }
-
- rr->length=0;
- goto start;
}
-
- if (s->shutdown & SSL_SENT_SHUTDOWN)
+ else if (alert_level == 2) /* fatal */
{
+ char tmp[16];
+
s->rwstate=SSL_NOTHING;
- rr->length=0;
+ s->s3->fatal_alert = alert_descr;
+ SSLerr(SSL_F_SSL3_READ_BYTES, SSL_AD_REASON_OFFSET + alert_descr);
+ sprintf(tmp,"%d",alert_descr);
+ ERR_add_error_data(2,"SSL alert number ",tmp);
+ s->shutdown|=SSL_RECEIVED_SHUTDOWN;
+ SSL_CTX_remove_session(s->ctx,s->session);
return(0);
}
-
- if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC)
+ else
{
- if ( (rr->length != 1) || (rr->off != 0) ||
- (rr->data[0] != SSL3_MT_CCS))
- {
- i=SSL_AD_ILLEGAL_PARAMETER;
- SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC);
- goto err;
- }
+ al=SSL_AD_ILLEGAL_PARAMETER;
+ SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNKNOWN_ALERT_TYPE);
+ goto f_err;
+ }
- rr->length=0;
- s->s3->change_cipher_spec=1;
- if (!do_change_cipher_spec(s))
- goto err;
- else
- goto start;
+ goto start;
+ }
+
+ if (s->shutdown & SSL_SENT_SHUTDOWN) /* but we have not received a shutdown */
+ {
+ s->rwstate=SSL_NOTHING;
+ rr->length=0;
+ return(0);
+ }
+
+ if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC)
+ {
+ /* 'Change Cipher Spec' is just a single byte, so we know
+ * exactly what the record payload has to look like */
+ if ( (rr->length != 1) || (rr->off != 0) ||
+ (rr->data[0] != SSL3_MT_CCS))
+ {
+ i=SSL_AD_ILLEGAL_PARAMETER;
+ SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC);
+ goto err;
}
- /* else we have a handshake */
- if ((rr->type == SSL3_RT_HANDSHAKE) &&
- !s->in_handshake)
+ rr->length=0;
+ s->s3->change_cipher_spec=1;
+ if (!do_change_cipher_spec(s))
+ goto err;
+ else
+ goto start;
+ }
+
+ /* Unexpected handshake message (Client Hello, or protocol violation) */
+ if ((s->s3->handshake_fragment_len >= 4) && !s->in_handshake)
+ {
+ if (((s->state&SSL_ST_MASK) == SSL_ST_OK) &&
+ !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS))
{
- if (((s->state&SSL_ST_MASK) == SSL_ST_OK) &&
- !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS))
- {
- s->state=SSL_ST_BEFORE|(s->server)
- ?SSL_ST_ACCEPT
- :SSL_ST_CONNECT;
- s->new_session=1;
- }
- n=s->handshake_func(s);
- if (n < 0) return(n);
- if (n == 0)
- {
- SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
- return(-1);
- }
+#if 0 /* worked only because C operator preferences are not as expected (and
+ * because this is not really needed for clients except for detecting
+ * protocol violations): */
+ s->state=SSL_ST_BEFORE|(s->server)
+ ?SSL_ST_ACCEPT
+ :SSL_ST_CONNECT;
+#else
+ s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
+#endif
+ s->new_session=1;
+ }
+ i=s->handshake_func(s);
+ if (i < 0) return(i);
+ if (i == 0)
+ {
+ SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
+ return(-1);
+ }
+ if (s->s3->rbuf.left == 0) /* no read-ahead left? */
+ {
+ BIO *bio;
/* In the case where we try to read application data
* the first time, but we trigger an SSL handshake, we
* return -1 with the retry option set. I do this
* otherwise renegotiation can cause nasty problems
- * in the non-blocking world */
-
+ * in the blocking world */ /* ? */
s->rwstate=SSL_READING;
bio=SSL_get_rbio(s);
BIO_clear_retry_flags(bio);
BIO_set_retry_read(bio);
return(-1);
}
+ goto start;
+ }
- switch (rr->type)
- {
- default:
+ switch (rr->type)
+ {
+ default:
#ifndef NO_TLS
- /* TLS just ignores unknown message types */
- if (s->version == TLS1_VERSION)
- {
- goto start;
- }
+ /* TLS just ignores unknown message types */
+ if (s->version == TLS1_VERSION)
+ {
+ goto start;
+ }
#endif
- case SSL3_RT_CHANGE_CIPHER_SPEC:
- case SSL3_RT_ALERT:
- case SSL3_RT_HANDSHAKE:
+ al=SSL_AD_UNEXPECTED_MESSAGE;
+ SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
+ goto f_err;
+ case SSL3_RT_CHANGE_CIPHER_SPEC:
+ case SSL3_RT_ALERT:
+ case SSL3_RT_HANDSHAKE:
+ /* we already handled all of these, with the possible exception
+ * of SSL3_RT_HANDSHAKE when s->in_handshake is set, but that
+ * should not happen when type != rr->type */
+ al=SSL_AD_UNEXPECTED_MESSAGE;
+ SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_INTERNAL_ERROR);
+ goto f_err;
+ case SSL3_RT_APPLICATION_DATA:
+ /* At this point, we were expecting handshake data,
+ * but have application data. If the library was
+ * running inside ssl3_read() (i.e. in_read_app_data
+ * is set) and it makes sense to read application data
+ * at this point (session renegotiation not yet started),
+ * we will indulge it.
+ */
+ if (s->s3->in_read_app_data &&
+ (s->s3->total_renegotiations != 0) &&
+ ((
+ (s->state & SSL_ST_CONNECT) &&
+ (s->state >= SSL3_ST_CW_CLNT_HELLO_A) &&
+ (s->state <= SSL3_ST_CR_SRVR_HELLO_A)
+ ) || (
+ (s->state & SSL_ST_ACCEPT) &&
+ (s->state <= SSL3_ST_SW_HELLO_REQ_A) &&
+ (s->state >= SSL3_ST_SR_CLNT_HELLO_A)
+ )
+ ))
+ {
+ s->s3->in_read_app_data=0;
+ return(-1);
+ }
+ else
+ {
al=SSL_AD_UNEXPECTED_MESSAGE;
SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
goto f_err;
- case SSL3_RT_APPLICATION_DATA:
- /* At this point, we were expecting something else,
- * but have application data. What we do is set the
- * error, and return -1. On the way out, if the
- * library was running inside ssl3_read() and it makes
- * sense to read application data at this point, we
- * will indulge it. This will mostly happen during
- * session renegotiation.
- */
- if (s->s3->in_read_app_data &&
- (s->s3->total_renegotiations != 0) &&
- ((
- (s->state & SSL_ST_CONNECT) &&
- (s->state >= SSL3_ST_CW_CLNT_HELLO_A) &&
- (s->state <= SSL3_ST_CR_SRVR_HELLO_A)
- ) || (
- (s->state & SSL_ST_ACCEPT) &&
- (s->state <= SSL3_ST_SW_HELLO_REQ_A) &&
- (s->state >= SSL3_ST_SR_CLNT_HELLO_A)
- )
- ))
- {
- s->s3->in_read_app_data=0;
- return(-1);
- }
- else
- {
- al=SSL_AD_UNEXPECTED_MESSAGE;
- SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
- goto f_err;
- }
}
}
+ /* not reached */
- /* make sure that we are not getting application data when we
- * are doing a handshake for the first time */
- if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) &&
- (s->enc_read_ctx == NULL))
- {
- al=SSL_AD_UNEXPECTED_MESSAGE;
- SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_APP_DATA_IN_HANDSHAKE);
- goto f_err;
- }
-
- if (len <= 0) return(len);
-
- if ((unsigned int)len > rr->length)
- n=rr->length;
- else
- n=len;
-
- memcpy(buf,&(rr->data[rr->off]),(unsigned int)n);
- rr->length-=n;
- rr->off+=n;
- if (rr->length <= 0)
- {
- s->rstate=SSL_ST_READ_HEADER;
- rr->off=0;
- }
-
- if (type == SSL3_RT_HANDSHAKE)
- ssl3_finish_mac(s,buf,n);
- return(n);
f_err:
ssl3_send_alert(s,SSL3_AL_FATAL,al);
err:
@@ -935,7 +1103,7 @@ err:
static int do_change_cipher_spec(SSL *s)
{
int i;
- unsigned char *sender;
+ const char *sender;
int slen;
if (s->state & SSL_ST_ACCEPT)
@@ -957,37 +1125,23 @@ static int do_change_cipher_spec(SSL *s)
* the finished message */
if (s->state & SSL_ST_CONNECT)
{
- sender=s->method->ssl3_enc->server_finished;
- slen=s->method->ssl3_enc->server_finished_len;
+ sender=s->method->ssl3_enc->server_finished_label;
+ slen=s->method->ssl3_enc->server_finished_label_len;
}
else
{
- sender=s->method->ssl3_enc->client_finished;
- slen=s->method->ssl3_enc->client_finished_len;
+ sender=s->method->ssl3_enc->client_finished_label;
+ slen=s->method->ssl3_enc->client_finished_label_len;
}
- s->method->ssl3_enc->final_finish_mac(s,
+ s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
&(s->s3->finish_dgst1),
&(s->s3->finish_dgst2),
- sender,slen,&(s->s3->tmp.finish_md[0]));
+ sender,slen,s->s3->tmp.peer_finish_md);
return(1);
}
-int ssl3_do_write(SSL *s, int type)
- {
- int ret;
-
- ret=ssl3_write_bytes(s,type,&s->init_buf->data[s->init_off],
- s->init_num);
- if (ret == s->init_num)
- return(1);
- if (ret < 0) return(-1);
- s->init_off+=ret;
- s->init_num-=ret;
- return(0);
- }
-
void ssl3_send_alert(SSL *s, int level, int desc)
{
/* Map tls/ssl alert value to correct one */
@@ -1029,7 +1183,7 @@ int ssl3_dispatch_alert(SSL *s)
cb=s->info_callback;
else if (s->ctx->info_callback != NULL)
cb=s->ctx->info_callback;
-
+
if (cb != NULL)
{
j=(s->s3->send_alert[0]<<8)|s->s3->send_alert[1];
@@ -1038,4 +1192,3 @@ int ssl3_dispatch_alert(SSL *s)
}
return(i);
}
-
diff --git a/crypto/openssl/ssl/s3_srvr.c b/crypto/openssl/ssl/s3_srvr.c
index e003d8835746..e23ca20bd310 100644
--- a/crypto/openssl/ssl/s3_srvr.c
+++ b/crypto/openssl/ssl/s3_srvr.c
@@ -57,6 +57,8 @@
*/
#define REUSE_CIPHER_BUG
+#define NETSCAPE_HANG_BUG
+
#include <stdio.h>
#include <openssl/buffer.h>
@@ -70,13 +72,14 @@
static SSL_METHOD *ssl3_get_server_method(int ver);
static int ssl3_get_client_hello(SSL *s);
+static int ssl3_check_client_hello(SSL *s);
static int ssl3_send_server_hello(SSL *s);
static int ssl3_send_server_key_exchange(SSL *s);
static int ssl3_send_certificate_request(SSL *s);
static int ssl3_send_server_done(SSL *s);
-static int ssl3_get_cert_verify(SSL *s);
static int ssl3_get_client_key_exchange(SSL *s);
static int ssl3_get_client_certificate(SSL *s);
+static int ssl3_get_cert_verify(SSL *s);
static int ssl3_send_hello_request(SSL *s);
static SSL_METHOD *ssl3_get_server_method(int ver)
@@ -112,7 +115,7 @@ int ssl3_accept(SSL *s)
int ret= -1;
int new_state,state,skip=0;
- RAND_seed(&Time,sizeof(Time));
+ RAND_add(&Time,sizeof(Time),0);
ERR_clear_error();
clear_sys_error();
@@ -151,7 +154,6 @@ int ssl3_accept(SSL *s)
if ((s->version>>8) != 3)
abort();
- /* s->version=SSL3_VERSION; */
s->type=SSL_ST_ACCEPT;
if (s->init_buf == NULL)
@@ -184,8 +186,8 @@ int ssl3_accept(SSL *s)
if (s->state != SSL_ST_RENEGOTIATE)
{
- s->state=SSL3_ST_SR_CLNT_HELLO_A;
ssl3_init_finished_mac(s);
+ s->state=SSL3_ST_SR_CLNT_HELLO_A;
s->ctx->stats.sess_accept++;
}
else
@@ -268,8 +270,8 @@ int ssl3_accept(SSL *s)
|| (l & (SSL_DH|SSL_kFZA))
|| ((l & SSL_kRSA)
&& (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
- || (SSL_IS_EXPORT(l)
- && EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_EXPORT_PKEYLENGTH(l)
+ || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)
+ && EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)
)
)
)
@@ -287,9 +289,19 @@ int ssl3_accept(SSL *s)
case SSL3_ST_SW_CERT_REQ_A:
case SSL3_ST_SW_CERT_REQ_B:
- if (!(s->verify_mode & SSL_VERIFY_PEER) ||
+ if (/* don't request cert unless asked for it: */
+ !(s->verify_mode & SSL_VERIFY_PEER) ||
+ /* if SSL_VERIFY_CLIENT_ONCE is set,
+ * don't request cert during re-negotiation: */
((s->session->peer != NULL) &&
- (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)))
+ (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
+ /* never request cert in anonymous ciphersuites
+ * (see section "Certificate request" in SSL 3 drafts
+ * and in RFC 2246): */
+ ((s->s3->tmp.new_cipher->algorithms & SSL_aNULL) &&
+ /* ... except when the application insists on verification
+ * (against the specs, but s3_clnt.c accepts this for SSL 3) */
+ !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)))
{
/* no cert request */
skip=1;
@@ -301,7 +313,12 @@ int ssl3_accept(SSL *s)
s->s3->tmp.cert_request=1;
ret=ssl3_send_certificate_request(s);
if (ret <= 0) goto end;
+#ifndef NETSCAPE_HANG_BUG
s->state=SSL3_ST_SW_SRVR_DONE_A;
+#else
+ s->state=SSL3_ST_SW_FLUSH;
+ s->s3->tmp.next_state=SSL3_ST_SR_CERT_A;
+#endif
s->init_num=0;
}
break;
@@ -331,12 +348,20 @@ int ssl3_accept(SSL *s)
case SSL3_ST_SR_CERT_A:
case SSL3_ST_SR_CERT_B:
- /* could be sent for a DH cert, even if we
- * have not asked for it :-) */
- ret=ssl3_get_client_certificate(s);
- if (ret <= 0) goto end;
- s->init_num=0;
- s->state=SSL3_ST_SR_KEY_EXCH_A;
+ /* Check for second client hello (MS SGC) */
+ ret = ssl3_check_client_hello(s);
+ if (ret <= 0)
+ goto end;
+ if (ret == 2)
+ s->state = SSL3_ST_SR_CLNT_HELLO_C;
+ else {
+ /* could be sent for a DH cert, even if we
+ * have not asked for it :-) */
+ ret=ssl3_get_client_certificate(s);
+ if (ret <= 0) goto end;
+ s->init_num=0;
+ s->state=SSL3_ST_SR_KEY_EXCH_A;
+ }
break;
case SSL3_ST_SR_KEY_EXCH_A:
@@ -350,10 +375,10 @@ int ssl3_accept(SSL *s)
* a client cert, it can be verified */
s->method->ssl3_enc->cert_verify_mac(s,
&(s->s3->finish_dgst1),
- &(s->s3->tmp.finish_md[0]));
+ &(s->s3->tmp.cert_verify_md[0]));
s->method->ssl3_enc->cert_verify_mac(s,
&(s->s3->finish_dgst2),
- &(s->s3->tmp.finish_md[MD5_DIGEST_LENGTH]));
+ &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]));
break;
@@ -407,8 +432,8 @@ int ssl3_accept(SSL *s)
case SSL3_ST_SW_FINISHED_B:
ret=ssl3_send_finished(s,
SSL3_ST_SW_FINISHED_A,SSL3_ST_SW_FINISHED_B,
- s->method->ssl3_enc->server_finished,
- s->method->ssl3_enc->server_finished_len);
+ s->method->ssl3_enc->server_finished_label,
+ s->method->ssl3_enc->server_finished_label_len);
if (ret <= 0) goto end;
s->state=SSL3_ST_SW_FLUSH;
if (s->hit)
@@ -485,7 +510,7 @@ static int ssl3_send_hello_request(SSL *s)
if (s->state == SSL3_ST_SW_HELLO_REQ_A)
{
p=(unsigned char *)s->init_buf->data;
- *(p++)=SSL3_MT_CLIENT_REQUEST;
+ *(p++)=SSL3_MT_HELLO_REQUEST;
*(p++)=0;
*(p++)=0;
*(p++)=0;
@@ -500,6 +525,37 @@ static int ssl3_send_hello_request(SSL *s)
return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
}
+static int ssl3_check_client_hello(SSL *s)
+ {
+ int ok;
+ long n;
+
+ n=ssl3_get_message(s,
+ SSL3_ST_SR_CERT_A,
+ SSL3_ST_SR_CERT_B,
+ -1,
+ SSL3_RT_MAX_PLAIN_LENGTH,
+ &ok);
+ if (!ok) return((int)n);
+ s->s3->tmp.reuse_message = 1;
+ if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO)
+ {
+ /* Throw away what we have done so far in the current handshake,
+ * which will now be aborted. (A full SSL_clear would be too much.)
+ * I hope that tmp.dh is the only thing that may need to be cleared
+ * when a handshake is not completed ... */
+#ifndef NO_DH
+ if (s->s3->tmp.dh != NULL)
+ {
+ DH_free(s->s3->tmp.dh);
+ s->s3->tmp.dh = NULL;
+ }
+#endif
+ return 2;
+ }
+ return 1;
+}
+
static int ssl3_get_client_hello(SSL *s)
{
int i,j,ok,al,ret= -1;
@@ -531,10 +587,9 @@ static int ssl3_get_client_hello(SSL *s)
if (!ok) return((int)n);
d=p=(unsigned char *)s->init_buf->data;
- /* The version number has already been checked in ssl3_get_message.
- * I a native TLSv1/SSLv3 method, the match must be correct except
- * perhaps for the first message */
-/* s->client_version=(((int)p[0])<<8)|(int)p[1]; */
+ /* use version from inside client hello, not from record header
+ * (may differ: see RFC 2246, Appendix E, second paragraph) */
+ s->client_version=(((int)p[0])<<8)|(int)p[1];
p+=2;
/* load the client random */
@@ -754,7 +809,7 @@ static int ssl3_get_client_hello(SSL *s)
* compression - basically ignored right now
* ssl version is set - sslv3
* s->session - The ssl session has been setup.
- * s->hit - sesson reuse flag
+ * s->hit - session reuse flag
* s->tmp.new_cipher - the new cipher to use.
*/
@@ -782,7 +837,7 @@ static int ssl3_send_server_hello(SSL *s)
p=s->s3->server_random;
Time=time(NULL); /* Time */
l2n(Time,p);
- RAND_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
+ RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
/* Do the message type and length last */
d=p= &(buf[4]);
@@ -866,9 +921,10 @@ static int ssl3_send_server_key_exchange(SSL *s)
int j,num;
RSA *rsa;
unsigned char md_buf[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
+ unsigned int u;
#endif
#ifndef NO_DH
- DH *dh,*dhp;
+ DH *dh=NULL,*dhp;
#endif
EVP_PKEY *pkey;
unsigned char *p,*d;
@@ -899,6 +955,12 @@ static int ssl3_send_server_key_exchange(SSL *s)
rsa=s->cert->rsa_tmp_cb(s,
SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
+ if(rsa == NULL)
+ {
+ al=SSL_AD_HANDSHAKE_FAILURE;
+ SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_ERROR_GENERATING_TMP_RSA_KEY);
+ goto f_err;
+ }
CRYPTO_add(&rsa->references,1,CRYPTO_LOCK_RSA);
cert->rsa_tmp=rsa;
}
@@ -928,6 +990,14 @@ static int ssl3_send_server_key_exchange(SSL *s)
SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY);
goto f_err;
}
+
+ if (s->s3->tmp.dh != NULL)
+ {
+ DH_free(dh);
+ SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_INTERNAL_ERROR);
+ goto err;
+ }
+
if ((dh=DHparams_dup(dhp)) == NULL)
{
SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
@@ -1027,15 +1097,14 @@ static int ssl3_send_server_key_exchange(SSL *s)
q+=i;
j+=i;
}
- i=RSA_private_encrypt(j,md_buf,&(p[2]),
- pkey->pkey.rsa,RSA_PKCS1_PADDING);
- if (i <= 0)
+ if (RSA_sign(NID_md5_sha1, md_buf, j,
+ &(p[2]), &u, pkey->pkey.rsa) <= 0)
{
SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_RSA);
goto err;
}
- s2n(i,p);
- n+=i+2;
+ s2n(u,p);
+ n+=u+2;
}
else
#endif
@@ -1075,7 +1144,7 @@ static int ssl3_send_server_key_exchange(SSL *s)
s->init_off=0;
}
- /* SSL3_ST_SW_KEY_EXCH_B */
+ s->state = SSL3_ST_SW_KEY_EXCH_B;
return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
f_err:
ssl3_send_alert(s,SSL3_AL_FATAL,al);
@@ -1152,6 +1221,17 @@ static int ssl3_send_certificate_request(SSL *s)
s->init_num=n+4;
s->init_off=0;
+#ifdef NETSCAPE_HANG_BUG
+ p=(unsigned char *)s->init_buf->data + s->init_num;
+
+ /* do the header */
+ *(p++)=SSL3_MT_SERVER_DONE;
+ *(p++)=0;
+ *(p++)=0;
+ *(p++)=0;
+ s->init_num += 4;
+#endif
+
}
/* SSL3_ST_SW_CERT_REQ_B */
@@ -1239,31 +1319,6 @@ static int ssl3_get_client_key_exchange(SSL *s)
i=RSA_private_decrypt((int)n,p,p,rsa,RSA_PKCS1_PADDING);
-#if 1
- /* If a bad decrypt, use a random master key */
- if ((i != SSL_MAX_MASTER_KEY_LENGTH) ||
- ((p[0] != (s->client_version>>8)) ||
- (p[1] != (s->client_version & 0xff))))
- {
- int bad=1;
-
- if ((i == SSL_MAX_MASTER_KEY_LENGTH) &&
- (p[0] == (s->version>>8)) &&
- (p[1] == 0))
- {
- if (s->options & SSL_OP_TLS_ROLLBACK_BUG)
- bad=0;
- }
- if (bad)
- {
- p[0]=(s->version>>8);
- p[1]=(s->version & 0xff);
- RAND_bytes(&(p[2]),SSL_MAX_MASTER_KEY_LENGTH-2);
- i=SSL_MAX_MASTER_KEY_LENGTH;
- }
- /* else, an SSLeay bug, ssl only server, tls client */
- }
-#else
if (i != SSL_MAX_MASTER_KEY_LENGTH)
{
al=SSL_AD_DECODE_ERROR;
@@ -1271,13 +1326,12 @@ static int ssl3_get_client_key_exchange(SSL *s)
goto f_err;
}
- if ((p[0] != (s->version>>8)) || (p[1] != (s->version & 0xff)))
+ if ((p[0] != (s->client_version>>8)) || (p[1] != (s->client_version & 0xff)))
{
al=SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
goto f_err;
}
-#endif
s->session->master_key_length=
s->method->ssl3_enc->generate_master_secret(s,
@@ -1450,16 +1504,16 @@ static int ssl3_get_cert_verify(SSL *s)
#ifndef NO_RSA
if (pkey->type == EVP_PKEY_RSA)
{
- i=RSA_public_decrypt(i,p,p,pkey->pkey.rsa,RSA_PKCS1_PADDING);
+ i=RSA_verify(NID_md5_sha1, s->s3->tmp.cert_verify_md,
+ MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH, p, i,
+ pkey->pkey.rsa);
if (i < 0)
{
al=SSL_AD_DECRYPT_ERROR;
SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_DECRYPT);
goto f_err;
}
- if ((i != (MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH)) ||
- memcmp(&(s->s3->tmp.finish_md[0]),p,
- MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH))
+ if (i == 0)
{
al=SSL_AD_DECRYPT_ERROR;
SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_BAD_RSA_SIGNATURE);
@@ -1472,7 +1526,7 @@ static int ssl3_get_cert_verify(SSL *s)
if (pkey->type == EVP_PKEY_DSA)
{
j=DSA_verify(pkey->save_type,
- &(s->s3->tmp.finish_md[MD5_DIGEST_LENGTH]),
+ &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]),
SHA_DIGEST_LENGTH,p,i,pkey->pkey.dsa);
if (j <= 0)
{
@@ -1532,7 +1586,7 @@ static int ssl3_get_client_certificate(SSL *s)
al=SSL_AD_HANDSHAKE_FAILURE;
goto f_err;
}
- /* If tls asked for a client cert we must return a 0 list */
+ /* If tls asked for a client cert, the client must return a 0 list */
if ((s->version > SSL3_VERSION) && s->s3->tmp.cert_request)
{
SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST);
@@ -1628,6 +1682,7 @@ static int ssl3_get_client_certificate(SSL *s)
if (s->session->peer != NULL) /* This should not be needed */
X509_free(s->session->peer);
s->session->peer=sk_X509_shift(sk);
+ s->session->verify_result = s->verify_result;
/* With the current implementation, sess_cert will always be NULL
* when we arrive here. */
@@ -1643,6 +1698,8 @@ static int ssl3_get_client_certificate(SSL *s)
if (s->session->sess_cert->cert_chain != NULL)
sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free);
s->session->sess_cert->cert_chain=sk;
+ /* Inconsistency alert: cert_chain does *not* include the
+ * peer's own certificate, while we do include it in s3_clnt.c */
sk=NULL;
diff --git a/crypto/openssl/ssl/ssl.h b/crypto/openssl/ssl/ssl.h
index fbe4f667fa13..bb846f491c46 100644
--- a/crypto/openssl/ssl/ssl.h
+++ b/crypto/openssl/ssl/ssl.h
@@ -123,8 +123,9 @@ extern "C" {
#define SSL_TXT_MD5 "MD5"
#define SSL_TXT_SHA1 "SHA1"
#define SSL_TXT_SHA "SHA"
-#define SSL_TXT_EXP40 "EXP"
+#define SSL_TXT_EXP "EXP"
#define SSL_TXT_EXPORT "EXPORT"
+#define SSL_TXT_EXP40 "EXPORT40"
#define SSL_TXT_EXP56 "EXPORT56"
#define SSL_TXT_SSLV2 "SSLv2"
#define SSL_TXT_SSLV3 "SSLv3"
@@ -133,12 +134,7 @@ extern "C" {
/* 'DEFAULT' at the start of the cipher list insert the following string
* in addition to this being the default cipher string */
-#ifndef NO_RSA
-#define SSL_DEFAULT_CIPHER_LIST "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
-#else
-#define SSL_ALLOW_ADH
-#define SSL_DEFAULT_CIPHER_LIST "HIGH:MEDIUM:LOW:ADH+3DES:ADH+RC4:ADH+DES:+EXP"
-#endif
+#define SSL_DEFAULT_CIPHER_LIST "ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH"
/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
#define SSL_SENT_SHUTDOWN 1
@@ -151,6 +147,10 @@ extern "C" {
#include <openssl/pem.h>
#include <openssl/x509.h>
+#if (defined(NO_RSA) || defined(NO_MD5)) && !defined(NO_SSL2)
+#define NO_SSL2
+#endif
+
#define SSL_FILETYPE_ASN1 X509_FILETYPE_ASN1
#define SSL_FILETYPE_PEM X509_FILETYPE_PEM
@@ -166,8 +166,12 @@ typedef struct ssl_cipher_st
const char *name; /* text name */
unsigned long id; /* id, 4 bytes, first is version */
unsigned long algorithms; /* what ciphers are used */
+ unsigned long algo_strength; /* strength and export flags */
unsigned long algorithm2; /* Extra flags */
+ int strength_bits; /* Number of bits really used */
+ int alg_bits; /* Number of bits for algorithm */
unsigned long mask; /* used for matching */
+ unsigned long mask_strength; /* also used for matching */
} SSL_CIPHER;
DECLARE_STACK_OF(SSL_CIPHER)
@@ -201,6 +205,8 @@ typedef struct ssl_method_st
long (*get_timeout)(void);
struct ssl3_enc_method *ssl3_enc; /* Extra SSLv3/TLS stuff */
int (*ssl_version)();
+ long (*ssl_callback_ctrl)(SSL *s, int cb_id, void (*fp)());
+ long (*ssl_ctx_callback_ctrl)(SSL_CTX *s, int cb_id, void (*fp)());
} SSL_METHOD;
/* Lets make this into an ASN.1 type structure as follows
@@ -215,7 +221,8 @@ typedef struct ssl_method_st
* Timeout [ 2 ] EXPLICIT INTEGER, -- optional Timeout ins seconds
* Peer [ 3 ] EXPLICIT X509, -- optional Peer Certificate
* Session_ID_context [ 4 ] EXPLICIT OCTET_STRING, -- the Session ID context
- * Compression [5] IMPLICIT ASN1_OBJECT -- compression OID XXXXX
+ * Verify_result [ 5 ] EXPLICIT INTEGER -- X509_V_... code for `Peer'
+ * Compression [6] IMPLICIT ASN1_OBJECT -- compression OID XXXXX
* }
* Look in ssl/ssl_asn1.c for more details
* I'm using EXPLICIT tags so I can read the damn things using asn1parse :-).
@@ -249,6 +256,9 @@ typedef struct ssl_session_st
* (the latter is not enough as sess_cert is not retained
* in the external representation of sessions, see ssl_asn1.c). */
X509 *peer;
+ /* when app_verify_callback accepts a session where the peer's certificate
+ * is not ok, we must remember the error for session reuse: */
+ long verify_result; /* only for servers */
int references;
long timeout;
@@ -291,6 +301,7 @@ typedef struct ssl_session_st
#define SSL_OP_PKCS1_CHECK_1 0x08000000L
#define SSL_OP_PKCS1_CHECK_2 0x10000000L
#define SSL_OP_NETSCAPE_CA_DN_BUG 0x20000000L
+/* SSL_OP_NON_EXPORT_FIRST looks utterly broken .. */
#define SSL_OP_NON_EXPORT_FIRST 0x40000000L
#define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x80000000L
#define SSL_OP_ALL 0x000FFFFFL
@@ -355,9 +366,9 @@ struct ssl_ctx_st
STACK_OF(SSL_CIPHER) *cipher_list_by_id;
struct x509_store_st /* X509_STORE */ *cert_store;
- struct lhash_st /* LHASH */ *sessions; /* a set of SSL_SESSION's */
+ struct lhash_st /* LHASH */ *sessions; /* a set of SSL_SESSIONs */
/* Most session-ids that will be cached, default is
- * SSL_SESSION_CACHE_SIZE_DEFAULT. 0 is unlimited. */
+ * SSL_SESSION_CACHE_MAX_SIZE_DEFAULT. 0 is unlimited. */
unsigned long session_cache_size;
struct ssl_session_st *session_cache_head;
struct ssl_session_st *session_cache_tail;
@@ -380,9 +391,8 @@ struct ssl_ctx_st
* SSL_SESSION_free() when it has finished using it. Otherwise,
* on 0, it means the callback has finished with it.
* If remove_session_cb is not null, it will be called when
- * a session-id is removed from the cache. Again, a return
- * of 0 mens that SSLeay should not SSL_SESSION_free() since
- * the application is doing something with it. */
+ * a session-id is removed from the cache. After the call,
+ * OpenSSL will SSL_SESSION_free() it. */
int (*new_session_cb)(struct ssl_st *ssl,SSL_SESSION *sess);
void (*remove_session_cb)(struct ssl_ctx_st *ctx,SSL_SESSION *sess);
SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl,
@@ -424,6 +434,9 @@ struct ssl_ctx_st
/**/ unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
/**/ int (*default_verify_callback)(int ok,X509_STORE_CTX *ctx);
+ int purpose; /* Purpose setting */
+ int trust; /* Trust setting */
+
/* Default password callback. */
/**/ pem_password_cb *default_passwd_callback;
@@ -433,7 +446,7 @@ struct ssl_ctx_st
/* get client cert callback */
/**/ int (*client_cert_cb)(/* SSL *ssl, X509 **x509, EVP_PKEY **pkey */);
- /* what we put in client requests */
+ /* what we put in client cert requests */
STACK_OF(X509_NAME) *client_CA;
/**/ int quiet_shutdown;
@@ -458,6 +471,7 @@ struct ssl_ctx_st
* defined, this will still get called. */
#define SSL_SESS_CACHE_NO_INTERNAL_LOOKUP 0x0100
+ struct lhash_st *SSL_CTX_sessions(SSL_CTX *ctx);
#define SSL_CTX_sess_number(ctx) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_NUMBER,0,NULL)
#define SSL_CTX_sess_connect(ctx) \
@@ -564,17 +578,21 @@ struct ssl_st
unsigned char *packet;
unsigned int packet_length;
- struct ssl2_ctx_st *s2; /* SSLv2 variables */
- struct ssl3_ctx_st *s3; /* SSLv3 variables */
+ struct ssl2_state_st *s2; /* SSLv2 variables */
+ struct ssl3_state_st *s3; /* SSLv3 variables */
- int read_ahead; /* Read as many input bytes as possible */
+ int read_ahead; /* Read as many input bytes as possible
+ * (for non-blocking reads) */
int hit; /* reusing a previous session */
+ int purpose; /* Purpose setting */
+ int trust; /* Trust setting */
+
/* crypto */
STACK_OF(SSL_CIPHER) *cipher_list;
STACK_OF(SSL_CIPHER) *cipher_list_by_id;
- /* These are the ones being used, the ones is SSL_SESSION are
+ /* These are the ones being used, the ones in SSL_SESSION are
* the ones to be 'copied' into these ones */
EVP_CIPHER_CTX *enc_read_ctx; /* cryptographic state */
@@ -634,7 +652,7 @@ struct ssl_st
unsigned long mode; /* API behaviour */
int first_packet;
int client_version; /* what was passed, used for
- * SSLv3/TLS rolback check */
+ * SSLv3/TLS rollback check */
};
#include <openssl/ssl2.h>
@@ -642,7 +660,7 @@ struct ssl_st
#include <openssl/tls1.h> /* This is mostly sslv3 with a few tweaks */
#include <openssl/ssl23.h>
-/* compatablity */
+/* compatibility */
#define SSL_set_app_data(s,arg) (SSL_set_ex_data(s,0,(char *)arg))
#define SSL_get_app_data(s) (SSL_get_ex_data(s,0))
#define SSL_SESSION_set_app_data(s,a) (SSL_SESSION_set_ex_data(s,0,(char *)a))
@@ -651,7 +669,7 @@ struct ssl_st
#define SSL_CTX_set_app_data(ctx,arg) (SSL_CTX_set_ex_data(ctx,0,(char *)arg))
/* The following are the possible values for ssl->state are are
- * used to indicate where we are upto in the SSL connection establishment.
+ * used to indicate where we are up to in the SSL connection establishment.
* The macros that follow are about the only things you should need to use
* and even then, only when using non-blocking IO.
* It can also be useful to work out where you were when the connection
@@ -693,6 +711,13 @@ struct ssl_st
#define SSL_ST_READ_BODY 0xF1
#define SSL_ST_READ_DONE 0xF2
+/* Obtain latest Finished message
+ * -- that we sent (SSL_get_finished)
+ * -- that we expected from peer (SSL_get_peer_finished).
+ * Returns length (0 == no Finished so far), copies up to 'count' bytes. */
+size_t SSL_get_finished(SSL *s, void *buf, size_t count);
+size_t SSL_get_peer_finished(SSL *s, void *buf, size_t count);
+
/* use either SSL_VERIFY_NONE or SSL_VERIFY_PEER, the last 2 options
* are 'ored' with SSL_VERIFY_PEER if they are desired */
#define SSL_VERIFY_NONE 0x00
@@ -700,9 +725,10 @@ struct ssl_st
#define SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02
#define SSL_VERIFY_CLIENT_ONCE 0x04
+#define OpenSSL_add_ssl_algorithms() SSL_library_init()
#define SSLeay_add_ssl_algorithms() SSL_library_init()
-/* this is for backward compatablility */
+/* this is for backward compatibility */
#if 0 /* NEW_SSLEAY */
#define SSL_CTX_set_default_verify(a,b,c) SSL_CTX_set_verify(a,b,c)
#define SSL_set_pref_cipher(c,n) SSL_set_cipher_list(c,n)
@@ -710,7 +736,7 @@ struct ssl_st
#define SSL_remove_session(a,b) SSL_CTX_remove_session((a),(b))
#define SSL_flush_sessions(a,b) SSL_CTX_flush_sessions((a),(b))
#endif
-/* More backward compatablity */
+/* More backward compatibility */
#define SSL_get_cipher(s) \
SSL_CIPHER_get_name(SSL_get_current_cipher(s))
#define SSL_get_cipher_bits(s,np) \
@@ -762,11 +788,11 @@ struct ssl_st
#define SSL_AD_ACCESS_DENIED TLS1_AD_ACCESS_DENIED /* fatal */
#define SSL_AD_DECODE_ERROR TLS1_AD_DECODE_ERROR /* fatal */
#define SSL_AD_DECRYPT_ERROR TLS1_AD_DECRYPT_ERROR
-#define SSL_AD_EXPORT_RESTRICION TLS1_AD_EXPORT_RESTRICION/* fatal */
+#define SSL_AD_EXPORT_RESTRICTION TLS1_AD_EXPORT_RESTRICTION/* fatal */
#define SSL_AD_PROTOCOL_VERSION TLS1_AD_PROTOCOL_VERSION /* fatal */
#define SSL_AD_INSUFFICIENT_SECURITY TLS1_AD_INSUFFICIENT_SECURITY/* fatal */
#define SSL_AD_INTERNAL_ERROR TLS1_AD_INTERNAL_ERROR /* fatal */
-#define SSL_AD_USER_CANCLED TLS1_AD_USER_CANCLED
+#define SSL_AD_USER_CANCELLED TLS1_AD_USER_CANCELLED
#define SSL_AD_NO_RENEGOTIATION TLS1_AD_NO_RENEGOTIATION
#define SSL_ERROR_NONE 0
@@ -867,7 +893,7 @@ void BIO_ssl_shutdown(BIO *ssl_bio);
#endif
-int SSL_CTX_set_cipher_list(SSL_CTX *,char *str);
+int SSL_CTX_set_cipher_list(SSL_CTX *,const char *str);
SSL_CTX *SSL_CTX_new(SSL_METHOD *meth);
void SSL_CTX_free(SSL_CTX *);
long SSL_CTX_set_timeout(SSL_CTX *ctx,long t);
@@ -899,7 +925,7 @@ void SSL_set_bio(SSL *s, BIO *rbio,BIO *wbio);
BIO * SSL_get_rbio(SSL *s);
BIO * SSL_get_wbio(SSL *s);
#endif
-int SSL_set_cipher_list(SSL *s, char *str);
+int SSL_set_cipher_list(SSL *s, const char *str);
void SSL_set_read_ahead(SSL *s, int yes);
int SSL_get_verify_mode(SSL *s);
int SSL_get_verify_depth(SSL *s);
@@ -998,6 +1024,12 @@ int SSL_CTX_set_session_id_context(SSL_CTX *ctx,const unsigned char *sid_ctx,
SSL * SSL_new(SSL_CTX *ctx);
int SSL_set_session_id_context(SSL *ssl,const unsigned char *sid_ctx,
unsigned int sid_ctx_len);
+
+int SSL_CTX_set_purpose(SSL_CTX *s, int purpose);
+int SSL_set_purpose(SSL *s, int purpose);
+int SSL_CTX_set_trust(SSL_CTX *s, int trust);
+int SSL_set_trust(SSL *s, int trust);
+
void SSL_free(SSL *ssl);
int SSL_accept(SSL *ssl);
int SSL_connect(SSL *ssl);
@@ -1005,10 +1037,12 @@ int SSL_read(SSL *ssl,char *buf,int num);
int SSL_peek(SSL *ssl,char *buf,int num);
int SSL_write(SSL *ssl,const char *buf,int num);
long SSL_ctrl(SSL *ssl,int cmd, long larg, char *parg);
+long SSL_callback_ctrl(SSL *, int, void (*)());
long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd, long larg, char *parg);
+long SSL_CTX_callback_ctrl(SSL_CTX *, int, void (*)());
int SSL_get_error(SSL *s,int ret_code);
-char * SSL_get_version(SSL *s);
+const char *SSL_get_version(SSL *s);
/* This sets the 'default' SSL version that SSL_new() will create */
int SSL_CTX_set_ssl_version(SSL_CTX *ctx,SSL_METHOD *meth);
@@ -1074,7 +1108,9 @@ int SSL_version(SSL *ssl);
int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx);
int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
const char *CApath);
+#define SSL_get0_session SSL_get_session /* just peek at pointer */
SSL_SESSION *SSL_get_session(SSL *ssl);
+SSL_SESSION *SSL_get1_session(SSL *ssl); /* obtain a reference count */
SSL_CTX *SSL_get_SSL_CTX(SSL *ssl);
void SSL_set_info_callback(SSL *ssl,void (*cb)());
void (*SSL_get_info_callback(SSL *ssl))();
@@ -1085,18 +1121,18 @@ long SSL_get_verify_result(SSL *ssl);
int SSL_set_ex_data(SSL *ssl,int idx,void *data);
void *SSL_get_ex_data(SSL *ssl,int idx);
-int SSL_get_ex_new_index(long argl, char *argp, int (*new_func)(),
- int (*dup_func)(), void (*free_func)());
+int SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+ CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
int SSL_SESSION_set_ex_data(SSL_SESSION *ss,int idx,void *data);
void *SSL_SESSION_get_ex_data(SSL_SESSION *ss,int idx);
-int SSL_SESSION_get_ex_new_index(long argl, char *argp, int (*new_func)(),
- int (*dup_func)(), void (*free_func)());
+int SSL_SESSION_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+ CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
int SSL_CTX_set_ex_data(SSL_CTX *ssl,int idx,void *data);
void *SSL_CTX_get_ex_data(SSL_CTX *ssl,int idx);
-int SSL_CTX_get_ex_new_index(long argl, char *argp, int (*new_func)(),
- int (*dup_func)(), void (*free_func)());
+int SSL_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+ CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
int SSL_get_ex_data_X509_STORE_CTX_idx(void );
@@ -1178,6 +1214,7 @@ int SSL_COMP_add_compression_method(int id,char *cm);
#define SSL_F_SSL2_SET_CERTIFICATE 126
#define SSL_F_SSL2_WRITE 127
#define SSL_F_SSL3_ACCEPT 128
+#define SSL_F_SSL3_CALLBACK_CTRL 233
#define SSL_F_SSL3_CHANGE_CIPHER_STATE 129
#define SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM 130
#define SSL_F_SSL3_CLIENT_HELLO 131
@@ -1219,13 +1256,18 @@ int SSL_COMP_add_compression_method(int id,char *cm);
#define SSL_F_SSL_CERT_INSTANTIATE 214
#define SSL_F_SSL_CERT_NEW 162
#define SSL_F_SSL_CHECK_PRIVATE_KEY 163
+#define SSL_F_SSL_CIPHER_PROCESS_RULESTR 230
+#define SSL_F_SSL_CIPHER_STRENGTH_SORT 231
#define SSL_F_SSL_CLEAR 164
#define SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD 165
#define SSL_F_SSL_CREATE_CIPHER_LIST 166
+#define SSL_F_SSL_CTRL 232
#define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY 168
#define SSL_F_SSL_CTX_NEW 169
+#define SSL_F_SSL_CTX_SET_PURPOSE 226
#define SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT 219
#define SSL_F_SSL_CTX_SET_SSL_VERSION 170
+#define SSL_F_SSL_CTX_SET_TRUST 229
#define SSL_F_SSL_CTX_USE_CERTIFICATE 171
#define SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1 172
#define SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE 220
@@ -1253,9 +1295,11 @@ int SSL_COMP_add_compression_method(int id,char *cm);
#define SSL_F_SSL_SET_CERT 191
#define SSL_F_SSL_SET_FD 192
#define SSL_F_SSL_SET_PKEY 193
+#define SSL_F_SSL_SET_PURPOSE 227
#define SSL_F_SSL_SET_RFD 194
#define SSL_F_SSL_SET_SESSION 195
#define SSL_F_SSL_SET_SESSION_ID_CONTEXT 218
+#define SSL_F_SSL_SET_TRUST 228
#define SSL_F_SSL_SET_WFD 196
#define SSL_F_SSL_SHUTDOWN 224
#define SSL_F_SSL_UNDEFINED_FUNCTION 197
@@ -1282,7 +1326,6 @@ int SSL_COMP_add_compression_method(int id,char *cm);
#define SSL_R_BAD_AUTHENTICATION_TYPE 102
#define SSL_R_BAD_CHANGE_CIPHER_SPEC 103
#define SSL_R_BAD_CHECKSUM 104
-#define SSL_R_BAD_CLIENT_REQUEST 105
#define SSL_R_BAD_DATA_RETURNED_BY_CALLBACK 106
#define SSL_R_BAD_DECOMPRESSION 107
#define SSL_R_BAD_DH_G_LENGTH 108
@@ -1290,6 +1333,7 @@ int SSL_COMP_add_compression_method(int id,char *cm);
#define SSL_R_BAD_DH_P_LENGTH 110
#define SSL_R_BAD_DIGEST_LENGTH 111
#define SSL_R_BAD_DSA_SIGNATURE 112
+#define SSL_R_BAD_HELLO_REQUEST 105
#define SSL_R_BAD_LENGTH 271
#define SSL_R_BAD_MAC_DECODE 113
#define SSL_R_BAD_MESSAGE_TYPE 114
@@ -1329,6 +1373,7 @@ int SSL_COMP_add_compression_method(int id,char *cm);
#define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG 148
#define SSL_R_DIGEST_CHECK_FAILED 149
#define SSL_R_ENCRYPTED_LENGTH_TOO_LONG 150
+#define SSL_R_ERROR_GENERATING_TMP_RSA_KEY 1092
#define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST 151
#define SSL_R_EXCESSIVE_MESSAGE_SIZE 152
#define SSL_R_EXTRA_DATA_IN_MESSAGE 153
@@ -1337,6 +1382,9 @@ int SSL_COMP_add_compression_method(int id,char *cm);
#define SSL_R_HTTP_REQUEST 156
#define SSL_R_INTERNAL_ERROR 157
#define SSL_R_INVALID_CHALLENGE_LENGTH 158
+#define SSL_R_INVALID_COMMAND 280
+#define SSL_R_INVALID_PURPOSE 278
+#define SSL_R_INVALID_TRUST 279
#define SSL_R_LENGTH_MISMATCH 159
#define SSL_R_LENGTH_TOO_SHORT 160
#define SSL_R_LIBRARY_BUG 274
@@ -1429,14 +1477,14 @@ int SSL_COMP_add_compression_method(int id,char *cm);
#define SSL_R_TLSV1_ALERT_DECODE_ERROR 1050
#define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED 1021
#define SSL_R_TLSV1_ALERT_DECRYPT_ERROR 1051
-#define SSL_R_TLSV1_ALERT_EXPORT_RESTRICION 1060
+#define SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION 1060
#define SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY 1071
#define SSL_R_TLSV1_ALERT_INTERNAL_ERROR 1080
#define SSL_R_TLSV1_ALERT_NO_RENEGOTIATION 1100
#define SSL_R_TLSV1_ALERT_PROTOCOL_VERSION 1070
#define SSL_R_TLSV1_ALERT_RECORD_OVERFLOW 1022
#define SSL_R_TLSV1_ALERT_UNKNOWN_CA 1048
-#define SSL_R_TLSV1_ALERT_USER_CANCLED 1090
+#define SSL_R_TLSV1_ALERT_USER_CANCELLED 1090
#define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER 232
#define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233
#define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 234
@@ -1464,6 +1512,7 @@ int SSL_COMP_add_compression_method(int id,char *cm);
#define SSL_R_UNKNOWN_STATE 255
#define SSL_R_UNSUPPORTED_CIPHER 256
#define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 257
+#define SSL_R_UNSUPPORTED_OPTION 1091
#define SSL_R_UNSUPPORTED_PROTOCOL 258
#define SSL_R_UNSUPPORTED_SSL_VERSION 259
#define SSL_R_WRITE_BIO_NOT_SET 260
diff --git a/crypto/openssl/ssl/ssl2.h b/crypto/openssl/ssl/ssl2.h
index d7f24ac1b4e8..01d41c88c57f 100644
--- a/crypto/openssl/ssl/ssl2.h
+++ b/crypto/openssl/ssl/ssl2.h
@@ -151,7 +151,7 @@ extern "C" {
#define CERT char
#endif
-typedef struct ssl2_ctx_st
+typedef struct ssl2_state_st
{
int three_byte_header;
int clear_text; /* clear text */
@@ -214,7 +214,7 @@ typedef struct ssl2_ctx_st
unsigned int clen;
unsigned int rlen;
} tmp;
- } SSL2_CTX;
+ } SSL2_STATE;
/* SSLv2 */
/* client */
diff --git a/crypto/openssl/ssl/ssl3.h b/crypto/openssl/ssl/ssl3.h
index 2a9714fc19b5..f616763830e3 100644
--- a/crypto/openssl/ssl/ssl3.h
+++ b/crypto/openssl/ssl/ssl3.h
@@ -158,24 +158,8 @@ extern "C" {
#define SSL3_RT_MAX_PACKET_SIZE (SSL3_RT_MAX_ENCRYPTED_LENGTH+SSL3_RT_HEADER_LENGTH)
#define SSL3_RT_MAX_DATA_SIZE (1024*1024)
-/* the states that a SSL3_RECORD can be in
- * For SSL_read it goes
- * rbuf->ENCODED -> read
- * ENCODED -> we need to decode everything - call decode_record
- */
-
-#define SSL3_RS_BLANK 1
-#define SSL3_RS_DATA
-
-#define SSL3_RS_ENCODED 2
-#define SSL3_RS_READ_MORE 3
-#define SSL3_RS_WRITE_MORE
-#define SSL3_RS_PLAIN 3
-#define SSL3_RS_PART_READ 4
-#define SSL3_RS_PART_WRITE 5
-
-#define SSL3_MD_CLIENT_FINISHED_CONST {0x43,0x4C,0x4E,0x54}
-#define SSL3_MD_SERVER_FINISHED_CONST {0x53,0x52,0x56,0x52}
+#define SSL3_MD_CLIENT_FINISHED_CONST "\x43\x4C\x4E\x54"
+#define SSL3_MD_SERVER_FINISHED_CONST "\x53\x52\x56\x52"
#define SSL3_VERSION 0x0300
#define SSL3_VERSION_MAJOR 0x03
@@ -204,22 +188,20 @@ extern "C" {
typedef struct ssl3_record_st
{
-/*r */ int type; /* type of record */
-/* */ /*int state;*/ /* any data in it? */
-/*rw*/ unsigned int length; /* How many bytes available */
-/*r */ unsigned int off; /* read/write offset into 'buf' */
-/*rw*/ unsigned char *data; /* pointer to the record data */
-/*rw*/ unsigned char *input; /* where the decode bytes are */
-/*r */ unsigned char *comp; /* only used with decompression - malloc()ed */
+/*r */ int type; /* type of record */
+/*rw*/ unsigned int length; /* How many bytes available */
+/*r */ unsigned int off; /* read/write offset into 'buf' */
+/*rw*/ unsigned char *data; /* pointer to the record data */
+/*rw*/ unsigned char *input; /* where the decode bytes are */
+/*r */ unsigned char *comp; /* only used with decompression - malloc()ed */
} SSL3_RECORD;
typedef struct ssl3_buffer_st
{
-/*r */ int total; /* used in non-blocking writes */
-/*r */ int wanted; /* how many more bytes we need */
-/*rw*/ int left; /* how many bytes left */
-/*rw*/ int offset; /* where to 'copy from' */
-/*rw*/ unsigned char *buf; /* SSL3_RT_MAX_PACKET_SIZE bytes */
+ unsigned char *buf; /* SSL3_RT_MAX_PACKET_SIZE bytes (more if
+ * SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER is set) */
+ int offset; /* where to 'copy from' */
+ int left; /* how many bytes left */
} SSL3_BUFFER;
#define SSL3_CT_RSA_SIGN 1
@@ -236,34 +218,7 @@ typedef struct ssl3_buffer_st
#define SSL3_FLAGS_POP_BUFFER 0x0004
#define TLS1_FLAGS_TLS_PADDING_BUG 0x0008
-#if 0
-#define AD_CLOSE_NOTIFY 0
-#define AD_UNEXPECTED_MESSAGE 1
-#define AD_BAD_RECORD_MAC 2
-#define AD_DECRYPTION_FAILED 3
-#define AD_RECORD_OVERFLOW 4
-#define AD_DECOMPRESSION_FAILURE 5 /* fatal */
-#define AD_HANDSHAKE_FAILURE 6 /* fatal */
-#define AD_NO_CERTIFICATE 7 /* Not under TLS */
-#define AD_BAD_CERTIFICATE 8
-#define AD_UNSUPPORTED_CERTIFICATE 9
-#define AD_CERTIFICATE_REVOKED 10
-#define AD_CERTIFICATE_EXPIRED 11
-#define AD_CERTIFICATE_UNKNOWN 12
-#define AD_ILLEGAL_PARAMETER 13 /* fatal */
-#define AD_UNKNOWN_CA 14 /* fatal */
-#define AD_ACCESS_DENIED 15 /* fatal */
-#define AD_DECODE_ERROR 16 /* fatal */
-#define AD_DECRYPT_ERROR 17
-#define AD_EXPORT_RESTRICION 18 /* fatal */
-#define AD_PROTOCOL_VERSION 19 /* fatal */
-#define AD_INSUFFICIENT_SECURITY 20 /* fatal */
-#define AD_INTERNAL_ERROR 21 /* fatal */
-#define AD_USER_CANCLED 22
-#define AD_NO_RENEGOTIATION 23
-#endif
-
-typedef struct ssl3_ctx_st
+typedef struct ssl3_state_st
{
long flags;
int delay_buf_pop_ret;
@@ -278,10 +233,16 @@ typedef struct ssl3_ctx_st
SSL3_BUFFER rbuf; /* read IO goes into here */
SSL3_BUFFER wbuf; /* write IO goes into here */
+
SSL3_RECORD rrec; /* each decoded record goes in here */
SSL3_RECORD wrec; /* goes out from here */
- /* Used by ssl3_read_n to point
- * to input data packet */
+
+ /* storage for Alert/Handshake protocol data received but not
+ * yet processed by ssl3_read_bytes: */
+ unsigned char alert_fragment[2];
+ unsigned int alert_fragment_len;
+ unsigned char handshake_fragment[4];
+ unsigned int handshake_fragment_len;
/* partial write - check the numbers match */
unsigned int wnum; /* number of bytes sent so far */
@@ -300,7 +261,7 @@ typedef struct ssl3_ctx_st
int warn_alert;
int fatal_alert;
- /* we alow one fatal and one warning alert to be outstanding,
+ /* we allow one fatal and one warning alert to be outstanding,
* send close alert via the warning alert */
int alert_dispatch;
unsigned char send_alert[2];
@@ -314,8 +275,14 @@ typedef struct ssl3_ctx_st
int in_read_app_data;
struct {
- /* Actually only needs to be 16+20 for SSLv3 and 12 for TLS */
+ /* actually only needs to be 16+20 */
+ unsigned char cert_verify_md[EVP_MAX_MD_SIZE*2];
+
+ /* actually only need to be 16+20 for SSLv3 and 12 for TLS */
unsigned char finish_md[EVP_MAX_MD_SIZE*2];
+ int finish_md_len;
+ unsigned char peer_finish_md[EVP_MAX_MD_SIZE*2];
+ int peer_finish_md_len;
unsigned long message_size;
int message_type;
@@ -351,7 +318,7 @@ typedef struct ssl3_ctx_st
int cert_request;
} tmp;
- } SSL3_CTX;
+ } SSL3_STATE;
/* SSLv3 */
/*client */
@@ -429,7 +396,7 @@ typedef struct ssl3_ctx_st
#define SSL3_ST_SW_FINISHED_A (0x1E0|SSL_ST_ACCEPT)
#define SSL3_ST_SW_FINISHED_B (0x1E1|SSL_ST_ACCEPT)
-#define SSL3_MT_CLIENT_REQUEST 0
+#define SSL3_MT_HELLO_REQUEST 0
#define SSL3_MT_CLIENT_HELLO 1
#define SSL3_MT_SERVER_HELLO 2
#define SSL3_MT_CERTIFICATE 11
diff --git a/crypto/openssl/ssl/ssl_asn1.c b/crypto/openssl/ssl/ssl_asn1.c
index 0f6a0884e4af..e77cdddfd3f8 100644
--- a/crypto/openssl/ssl/ssl_asn1.c
+++ b/crypto/openssl/ssl/ssl_asn1.c
@@ -60,6 +60,7 @@
#include <stdlib.h>
#include <openssl/asn1_mac.h>
#include <openssl/objects.h>
+#include <openssl/x509.h>
#include "ssl_locl.h"
typedef struct ssl_session_asn1_st
@@ -73,14 +74,15 @@ typedef struct ssl_session_asn1_st
ASN1_OCTET_STRING key_arg;
ASN1_INTEGER time;
ASN1_INTEGER timeout;
+ ASN1_INTEGER verify_result;
} SSL_SESSION_ASN1;
int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
{
#define LSIZE2 (sizeof(long)*2)
- int v1=0,v2=0,v3=0,v4=0;
+ int v1=0,v2=0,v3=0,v4=0,v5=0;
unsigned char buf[4],ibuf1[LSIZE2],ibuf2[LSIZE2];
- unsigned char ibuf3[LSIZE2],ibuf4[LSIZE2];
+ unsigned char ibuf3[LSIZE2],ibuf4[LSIZE2],ibuf5[LSIZE2];
long l;
SSL_SESSION_ASN1 a;
M_ASN1_I2D_vars(in);
@@ -89,7 +91,7 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
return(0);
/* Note that I cheat in the following 2 assignments. I know
- * that if the ASN1_INTERGER passed to ASN1_INTEGER_set
+ * that if the ASN1_INTEGER passed to ASN1_INTEGER_set
* is > sizeof(long)+1, the buffer will not be re-Malloc()ed.
* This is a bit evil but makes things simple, no dynamic allocation
* to clean up :-) */
@@ -156,6 +158,14 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
ASN1_INTEGER_set(&(a.timeout),in->timeout);
}
+ if (in->verify_result != X509_V_OK)
+ {
+ a.verify_result.length=LSIZE2;
+ a.verify_result.type=V_ASN1_INTEGER;
+ a.verify_result.data=ibuf5;
+ ASN1_INTEGER_set(&a.verify_result,in->verify_result);
+ }
+
M_ASN1_I2D_len(&(a.version), i2d_ASN1_INTEGER);
M_ASN1_I2D_len(&(a.ssl_version), i2d_ASN1_INTEGER);
M_ASN1_I2D_len(&(a.cipher), i2d_ASN1_OCTET_STRING);
@@ -170,6 +180,8 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
if (in->peer != NULL)
M_ASN1_I2D_len_EXP_opt(in->peer,i2d_X509,3,v3);
M_ASN1_I2D_len_EXP_opt(&a.session_id_context,i2d_ASN1_OCTET_STRING,4,v4);
+ if (in->verify_result != X509_V_OK)
+ M_ASN1_I2D_len_EXP_opt(&(a.verify_result),i2d_ASN1_INTEGER,5,v5);
M_ASN1_I2D_seq_total();
@@ -188,7 +200,8 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
M_ASN1_I2D_put_EXP_opt(in->peer,i2d_X509,3,v3);
M_ASN1_I2D_put_EXP_opt(&a.session_id_context,i2d_ASN1_OCTET_STRING,4,
v4);
-
+ if (in->verify_result != X509_V_OK)
+ M_ASN1_I2D_put_EXP_opt(&a.verify_result,i2d_ASN1_INTEGER,5,v5);
M_ASN1_I2D_finish();
}
@@ -322,6 +335,15 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp,
else
ret->sid_ctx_length=0;
+ ai.length=0;
+ M_ASN1_D2I_get_EXP_opt(aip,d2i_ASN1_INTEGER,5);
+ if (ai.data != NULL)
+ {
+ ret->verify_result=ASN1_INTEGER_get(aip);
+ Free(ai.data); ai.data=NULL; ai.length=0;
+ }
+ else
+ ret->verify_result=X509_V_OK;
+
M_ASN1_D2I_Finish(a,SSL_SESSION_free,SSL_F_D2I_SSL_SESSION);
}
-
diff --git a/crypto/openssl/ssl/ssl_cert.c b/crypto/openssl/ssl/ssl_cert.c
index 6d2511f76c27..0596b7c5b865 100644
--- a/crypto/openssl/ssl/ssl_cert.c
+++ b/crypto/openssl/ssl/ssl_cert.c
@@ -105,17 +105,26 @@
*/
#include <stdio.h>
-#include <sys/types.h>
-#if !defined(WIN32) && !defined(VSM) && !defined(NeXT)
+
+#include "openssl/e_os.h"
+
+#ifndef NO_SYS_TYPES_H
+# include <sys/types.h>
+#endif
+
+#if !defined(WIN32) && !defined(VSM) && !defined(NeXT) && !defined(MAC_OS_pre_X)
#include <dirent.h>
#endif
+
#ifdef NeXT
#include <sys/dir.h>
#define dirent direct
#endif
+
#include <openssl/objects.h>
#include <openssl/bio.h>
#include <openssl/pem.h>
+#include <openssl/x509v3.h>
#include "ssl_locl.h"
int SSL_get_ex_data_X509_STORE_CTX_idx(void)
@@ -182,16 +191,33 @@ CERT *ssl_cert_dup(CERT *cert)
#ifndef NO_DH
if (cert->dh_tmp != NULL)
{
- /* DH parameters don't have a reference count (and cannot
- * reasonably be shared anyway, as the secret exponent may
- * be created just when it is needed -- earlier library
- * versions did not pay attention to this) */
+ /* DH parameters don't have a reference count */
ret->dh_tmp = DHparams_dup(cert->dh_tmp);
if (ret->dh_tmp == NULL)
{
- SSLerr(SSL_F_SSL_CERT_NEW, ERR_R_DH_LIB);
+ SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_DH_LIB);
goto err;
}
+ if (cert->dh_tmp->priv_key)
+ {
+ BIGNUM *b = BN_dup(cert->dh_tmp->priv_key);
+ if (!b)
+ {
+ SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_BN_LIB);
+ goto err;
+ }
+ ret->dh_tmp->priv_key = b;
+ }
+ if (cert->dh_tmp->pub_key)
+ {
+ BIGNUM *b = BN_dup(cert->dh_tmp->pub_key);
+ if (!b)
+ {
+ SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_BN_LIB);
+ goto err;
+ }
+ ret->dh_tmp->pub_key = b;
+ }
}
ret->dh_tmp_cb = cert->dh_tmp_cb;
#endif
@@ -422,8 +448,16 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk)
X509_STORE_CTX_init(&ctx,s->ctx->cert_store,x,sk);
if (SSL_get_verify_depth(s) >= 0)
X509_STORE_CTX_set_depth(&ctx, SSL_get_verify_depth(s));
- X509_STORE_CTX_set_ex_data(&ctx,SSL_get_ex_data_X509_STORE_CTX_idx(),
- (char *)s);
+ X509_STORE_CTX_set_ex_data(&ctx,SSL_get_ex_data_X509_STORE_CTX_idx(),s);
+ /* We need to set the verify purpose. The purpose can be determined by
+ * the context: if its a server it will verify SSL client certificates
+ * or vice versa.
+ */
+
+ if(s->server) i = X509_PURPOSE_SSL_CLIENT;
+ else i = X509_PURPOSE_SSL_SERVER;
+
+ X509_STORE_CTX_purpose_inherit(&ctx, i, s->purpose, s->trust);
if (s->ctx->app_verify_callback != NULL)
i=s->ctx->app_verify_callback(&ctx); /* should pass app_verify_arg */
@@ -534,7 +568,7 @@ int SSL_CTX_add_client_CA(SSL_CTX *ctx,X509 *x)
return(add_client_CA(&(ctx->client_CA),x));
}
-static int name_cmp(X509_NAME **a,X509_NAME **b)
+static int xname_cmp(X509_NAME **a,X509_NAME **b)
{
return(X509_NAME_cmp(*a,*b));
}
@@ -556,7 +590,7 @@ STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file)
STACK_OF(X509_NAME) *ret,*sk;
ret=sk_X509_NAME_new(NULL);
- sk=sk_X509_NAME_new(name_cmp);
+ sk=sk_X509_NAME_new(xname_cmp);
in=BIO_new(BIO_s_file_internal());
@@ -617,7 +651,7 @@ int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
int ret=1;
int (*oldcmp)(X509_NAME **a, X509_NAME **b);
- oldcmp=sk_X509_NAME_set_cmp_func(stack,name_cmp);
+ oldcmp=sk_X509_NAME_set_cmp_func(stack,xname_cmp);
in=BIO_new(BIO_s_file_internal());
@@ -671,6 +705,7 @@ err:
#ifndef WIN32
#ifndef VMS /* XXXX This may be fixed in the future */
+#ifndef MAC_OS_pre_X
int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
const char *dir)
@@ -714,3 +749,4 @@ err:
#endif
#endif
+#endif
diff --git a/crypto/openssl/ssl/ssl_ciph.c b/crypto/openssl/ssl/ssl_ciph.c
index 4c2989c47a30..7436a50ad14d 100644
--- a/crypto/openssl/ssl/ssl_ciph.c
+++ b/crypto/openssl/ssl/ssl_ciph.c
@@ -83,24 +83,11 @@ static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX]={
NULL,NULL,
};
-typedef struct cipher_sort_st
- {
- SSL_CIPHER *cipher;
- int pref;
- } CIPHER_SORT;
-
#define CIPHER_ADD 1
#define CIPHER_KILL 2
#define CIPHER_DEL 3
#define CIPHER_ORD 4
-
-typedef struct cipher_choice_st
- {
- int type;
- unsigned long algorithms;
- unsigned long mask;
- long top;
- } CIPHER_CHOICE;
+#define CIPHER_SPECIAL 5
typedef struct cipher_order_st
{
@@ -110,59 +97,55 @@ typedef struct cipher_order_st
struct cipher_order_st *next,*prev;
} CIPHER_ORDER;
-static SSL_CIPHER cipher_aliases[]={
+static const SSL_CIPHER cipher_aliases[]={
/* Don't include eNULL unless specifically enabled */
- {0,SSL_TXT_ALL, 0,SSL_ALL & ~SSL_eNULL, 0,SSL_ALL}, /* must be first */
- {0,SSL_TXT_kRSA,0,SSL_kRSA, 0,SSL_MKEY_MASK},
- {0,SSL_TXT_kDHr,0,SSL_kDHr, 0,SSL_MKEY_MASK},
- {0,SSL_TXT_kDHd,0,SSL_kDHd, 0,SSL_MKEY_MASK},
- {0,SSL_TXT_kEDH,0,SSL_kEDH, 0,SSL_MKEY_MASK},
- {0,SSL_TXT_kFZA,0,SSL_kFZA, 0,SSL_MKEY_MASK},
- {0,SSL_TXT_DH, 0,SSL_DH, 0,SSL_MKEY_MASK},
- {0,SSL_TXT_EDH, 0,SSL_EDH, 0,SSL_MKEY_MASK|SSL_AUTH_MASK},
-
- {0,SSL_TXT_aRSA,0,SSL_aRSA, 0,SSL_AUTH_MASK},
- {0,SSL_TXT_aDSS,0,SSL_aDSS, 0,SSL_AUTH_MASK},
- {0,SSL_TXT_aFZA,0,SSL_aFZA, 0,SSL_AUTH_MASK},
- {0,SSL_TXT_aNULL,0,SSL_aNULL,0,SSL_AUTH_MASK},
- {0,SSL_TXT_aDH, 0,SSL_aDH, 0,SSL_AUTH_MASK},
- {0,SSL_TXT_DSS, 0,SSL_DSS, 0,SSL_AUTH_MASK},
-
- {0,SSL_TXT_DES, 0,SSL_DES, 0,SSL_ENC_MASK},
- {0,SSL_TXT_3DES,0,SSL_3DES, 0,SSL_ENC_MASK},
- {0,SSL_TXT_RC4, 0,SSL_RC4, 0,SSL_ENC_MASK},
- {0,SSL_TXT_RC2, 0,SSL_RC2, 0,SSL_ENC_MASK},
- {0,SSL_TXT_IDEA,0,SSL_IDEA, 0,SSL_ENC_MASK},
- {0,SSL_TXT_eNULL,0,SSL_eNULL,0,SSL_ENC_MASK},
- {0,SSL_TXT_eFZA,0,SSL_eFZA, 0,SSL_ENC_MASK},
-
- {0,SSL_TXT_MD5, 0,SSL_MD5, 0,SSL_MAC_MASK},
- {0,SSL_TXT_SHA1,0,SSL_SHA1, 0,SSL_MAC_MASK},
- {0,SSL_TXT_SHA, 0,SSL_SHA, 0,SSL_MAC_MASK},
-
- {0,SSL_TXT_NULL,0,SSL_NULL, 0,SSL_ENC_MASK},
- {0,SSL_TXT_RSA, 0,SSL_RSA, 0,SSL_AUTH_MASK|SSL_MKEY_MASK},
- {0,SSL_TXT_ADH, 0,SSL_ADH, 0,SSL_AUTH_MASK|SSL_MKEY_MASK},
- {0,SSL_TXT_FZA, 0,SSL_FZA, 0,SSL_AUTH_MASK|SSL_MKEY_MASK|SSL_ENC_MASK},
-
- {0,SSL_TXT_EXP40, 0,SSL_EXP40, 0,SSL_EXP_MASK},
- {0,SSL_TXT_EXPORT,0,SSL_EXP40, 0,SSL_EXP_MASK},
- {0,SSL_TXT_EXP56, 0,SSL_EXP56, 0,SSL_EXP_MASK},
- {0,SSL_TXT_SSLV2, 0,SSL_SSLV2, 0,SSL_SSL_MASK},
- {0,SSL_TXT_SSLV3, 0,SSL_SSLV3, 0,SSL_SSL_MASK},
- {0,SSL_TXT_TLSV1, 0,SSL_TLSV1, 0,SSL_SSL_MASK},
- {0,SSL_TXT_LOW, 0,SSL_LOW, 0,SSL_STRONG_MASK},
- {0,SSL_TXT_MEDIUM,0,SSL_MEDIUM,0,SSL_STRONG_MASK},
- {0,SSL_TXT_HIGH, 0,SSL_HIGH, 0,SSL_STRONG_MASK},
+ {0,SSL_TXT_ALL, 0,SSL_ALL & ~SSL_eNULL, SSL_ALL ,0,0,0,SSL_ALL,SSL_ALL}, /* must be first */
+ {0,SSL_TXT_kRSA,0,SSL_kRSA, 0,0,0,0,SSL_MKEY_MASK,0},
+ {0,SSL_TXT_kDHr,0,SSL_kDHr, 0,0,0,0,SSL_MKEY_MASK,0},
+ {0,SSL_TXT_kDHd,0,SSL_kDHd, 0,0,0,0,SSL_MKEY_MASK,0},
+ {0,SSL_TXT_kEDH,0,SSL_kEDH, 0,0,0,0,SSL_MKEY_MASK,0},
+ {0,SSL_TXT_kFZA,0,SSL_kFZA, 0,0,0,0,SSL_MKEY_MASK,0},
+ {0,SSL_TXT_DH, 0,SSL_DH, 0,0,0,0,SSL_MKEY_MASK,0},
+ {0,SSL_TXT_EDH, 0,SSL_EDH, 0,0,0,0,SSL_MKEY_MASK|SSL_AUTH_MASK,0},
+
+ {0,SSL_TXT_aRSA,0,SSL_aRSA, 0,0,0,0,SSL_AUTH_MASK,0},
+ {0,SSL_TXT_aDSS,0,SSL_aDSS, 0,0,0,0,SSL_AUTH_MASK,0},
+ {0,SSL_TXT_aFZA,0,SSL_aFZA, 0,0,0,0,SSL_AUTH_MASK,0},
+ {0,SSL_TXT_aNULL,0,SSL_aNULL,0,0,0,0,SSL_AUTH_MASK,0},
+ {0,SSL_TXT_aDH, 0,SSL_aDH, 0,0,0,0,SSL_AUTH_MASK,0},
+ {0,SSL_TXT_DSS, 0,SSL_DSS, 0,0,0,0,SSL_AUTH_MASK,0},
+
+ {0,SSL_TXT_DES, 0,SSL_DES, 0,0,0,0,SSL_ENC_MASK,0},
+ {0,SSL_TXT_3DES,0,SSL_3DES, 0,0,0,0,SSL_ENC_MASK,0},
+ {0,SSL_TXT_RC4, 0,SSL_RC4, 0,0,0,0,SSL_ENC_MASK,0},
+ {0,SSL_TXT_RC2, 0,SSL_RC2, 0,0,0,0,SSL_ENC_MASK,0},
+ {0,SSL_TXT_IDEA,0,SSL_IDEA, 0,0,0,0,SSL_ENC_MASK,0},
+ {0,SSL_TXT_eNULL,0,SSL_eNULL,0,0,0,0,SSL_ENC_MASK,0},
+ {0,SSL_TXT_eFZA,0,SSL_eFZA, 0,0,0,0,SSL_ENC_MASK,0},
+
+ {0,SSL_TXT_MD5, 0,SSL_MD5, 0,0,0,0,SSL_MAC_MASK,0},
+ {0,SSL_TXT_SHA1,0,SSL_SHA1, 0,0,0,0,SSL_MAC_MASK,0},
+ {0,SSL_TXT_SHA, 0,SSL_SHA, 0,0,0,0,SSL_MAC_MASK,0},
+
+ {0,SSL_TXT_NULL,0,SSL_NULL, 0,0,0,0,SSL_ENC_MASK,0},
+ {0,SSL_TXT_RSA, 0,SSL_RSA, 0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0},
+ {0,SSL_TXT_ADH, 0,SSL_ADH, 0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0},
+ {0,SSL_TXT_FZA, 0,SSL_FZA, 0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK|SSL_ENC_MASK,0},
+
+ {0,SSL_TXT_SSLV2, 0,SSL_SSLV2, 0,0,0,0,SSL_SSL_MASK,0},
+ {0,SSL_TXT_SSLV3, 0,SSL_SSLV3, 0,0,0,0,SSL_SSL_MASK,0},
+ {0,SSL_TXT_TLSV1, 0,SSL_TLSV1, 0,0,0,0,SSL_SSL_MASK,0},
+
+ {0,SSL_TXT_EXP ,0, 0,SSL_EXPORT, 0,0,0,0,SSL_EXP_MASK},
+ {0,SSL_TXT_EXPORT,0, 0,SSL_EXPORT, 0,0,0,0,SSL_EXP_MASK},
+ {0,SSL_TXT_EXP40, 0, 0, SSL_EXP40, 0,0,0,0,SSL_STRONG_MASK},
+ {0,SSL_TXT_EXP56, 0, 0, SSL_EXP56, 0,0,0,0,SSL_STRONG_MASK},
+ {0,SSL_TXT_LOW, 0, 0, SSL_LOW, 0,0,0,0,SSL_STRONG_MASK},
+ {0,SSL_TXT_MEDIUM,0, 0,SSL_MEDIUM, 0,0,0,0,SSL_STRONG_MASK},
+ {0,SSL_TXT_HIGH, 0, 0, SSL_HIGH, 0,0,0,0,SSL_STRONG_MASK},
};
static int init_ciphers=1;
-static void load_ciphers();
-
-static int cmp_by_name(SSL_CIPHER **a, SSL_CIPHER **b)
- {
- return(strcmp((*a)->name,(*b)->name));
- }
static void load_ciphers(void)
{
@@ -294,170 +277,320 @@ static void ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr,
*tail=curr;
}
-STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_METHOD *ssl_method,
- STACK_OF(SSL_CIPHER) **cipher_list,
- STACK_OF(SSL_CIPHER) **cipher_list_by_id,
- char *str)
+static unsigned long ssl_cipher_get_disabled(void)
{
- SSL_CIPHER *c;
- char *l;
- STACK_OF(SSL_CIPHER) *ret=NULL,*ok=NULL;
-#define CL_BUF 40
- char buf[CL_BUF];
- char *tmp_str=NULL;
- unsigned long mask,algorithms,ma;
- char *start;
- int i,j,k,num=0,ch,multi;
- unsigned long al;
- STACK *ca_list=NULL;
- int current_x,num_x;
- CIPHER_CHOICE *ops=NULL;
- CIPHER_ORDER *list=NULL,*head=NULL,*tail=NULL,*curr,*tail2,*curr2;
- int list_num;
- int type;
- SSL_CIPHER c_tmp,*cp;
-
- if (str == NULL) return(NULL);
-
- if (strncmp(str,"DEFAULT",7) == 0)
- {
- i=strlen(str)+2+strlen(SSL_DEFAULT_CIPHER_LIST);
- if ((tmp_str=Malloc(i)) == NULL)
- {
- SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
- goto err;
- }
- strcpy(tmp_str,SSL_DEFAULT_CIPHER_LIST);
- strcat(tmp_str,":");
- strcat(tmp_str,&(str[7]));
- str=tmp_str;
- }
- if (init_ciphers) load_ciphers();
-
- num=ssl_method->num_ciphers();
-
- if ((ret=sk_SSL_CIPHER_new(NULL)) == NULL) goto err;
- if ((ca_list=(STACK *)sk_new(cmp_by_name)) == NULL) goto err;
+ unsigned long mask;
- mask =SSL_kFZA;
+ mask = SSL_kFZA;
#ifdef NO_RSA
- mask|=SSL_aRSA|SSL_kRSA;
+ mask |= SSL_aRSA|SSL_kRSA;
#endif
#ifdef NO_DSA
- mask|=SSL_aDSS;
+ mask |= SSL_aDSS;
#endif
#ifdef NO_DH
- mask|=SSL_kDHr|SSL_kDHd|SSL_kEDH|SSL_aDH;
+ mask |= SSL_kDHr|SSL_kDHd|SSL_kEDH|SSL_aDH;
#endif
#ifdef SSL_FORBID_ENULL
- mask|=SSL_eNULL;
+ mask |= SSL_eNULL;
#endif
- mask|=(ssl_cipher_methods[SSL_ENC_DES_IDX ] == NULL)?SSL_DES :0;
- mask|=(ssl_cipher_methods[SSL_ENC_3DES_IDX] == NULL)?SSL_3DES:0;
- mask|=(ssl_cipher_methods[SSL_ENC_RC4_IDX ] == NULL)?SSL_RC4 :0;
- mask|=(ssl_cipher_methods[SSL_ENC_RC2_IDX ] == NULL)?SSL_RC2 :0;
- mask|=(ssl_cipher_methods[SSL_ENC_IDEA_IDX] == NULL)?SSL_IDEA:0;
- mask|=(ssl_cipher_methods[SSL_ENC_eFZA_IDX] == NULL)?SSL_eFZA:0;
+ mask |= (ssl_cipher_methods[SSL_ENC_DES_IDX ] == NULL) ? SSL_DES :0;
+ mask |= (ssl_cipher_methods[SSL_ENC_3DES_IDX] == NULL) ? SSL_3DES:0;
+ mask |= (ssl_cipher_methods[SSL_ENC_RC4_IDX ] == NULL) ? SSL_RC4 :0;
+ mask |= (ssl_cipher_methods[SSL_ENC_RC2_IDX ] == NULL) ? SSL_RC2 :0;
+ mask |= (ssl_cipher_methods[SSL_ENC_IDEA_IDX] == NULL) ? SSL_IDEA:0;
+ mask |= (ssl_cipher_methods[SSL_ENC_eFZA_IDX] == NULL) ? SSL_eFZA:0;
+
+ mask |= (ssl_digest_methods[SSL_MD_MD5_IDX ] == NULL) ? SSL_MD5 :0;
+ mask |= (ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL) ? SSL_SHA1:0;
- mask|=(ssl_digest_methods[SSL_MD_MD5_IDX ] == NULL)?SSL_MD5 :0;
- mask|=(ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL)?SSL_SHA1:0;
+ return(mask);
+ }
+
+static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
+ int num_of_ciphers, unsigned long mask, CIPHER_ORDER *list,
+ CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
+ {
+ int i, list_num;
+ SSL_CIPHER *c;
- if ((list=(CIPHER_ORDER *)Malloc(sizeof(CIPHER_ORDER)*num)) == NULL)
- goto err;
+ /*
+ * We have num_of_ciphers descriptions compiled in, depending on the
+ * method selected (SSLv2 and/or SSLv3, TLSv1 etc).
+ * These will later be sorted in a linked list with at most num
+ * entries.
+ */
/* Get the initial list of ciphers */
- list_num=0;
- for (i=0; i<num; i++)
+ list_num = 0; /* actual count of ciphers */
+ for (i = 0; i < num_of_ciphers; i++)
{
- c=ssl_method->get_cipher((unsigned int)i);
+ c = ssl_method->get_cipher(i);
/* drop those that use any of that is not available */
if ((c != NULL) && c->valid && !(c->algorithms & mask))
{
- list[list_num].cipher=c;
- list[list_num].next=NULL;
- list[list_num].prev=NULL;
- list[list_num].active=0;
+ list[list_num].cipher = c;
+ list[list_num].next = NULL;
+ list[list_num].prev = NULL;
+ list[list_num].active = 0;
list_num++;
+ /*
if (!sk_push(ca_list,(char *)c)) goto err;
+ */
}
}
-
- for (i=1; i<list_num-1; i++)
+
+ /*
+ * Prepare linked list from list entries
+ */
+ for (i = 1; i < list_num - 1; i++)
{
- list[i].prev= &(list[i-1]);
- list[i].next= &(list[i+1]);
+ list[i].prev = &(list[i-1]);
+ list[i].next = &(list[i+1]);
}
if (list_num > 0)
{
- head= &(list[0]);
- head->prev=NULL;
- head->next= &(list[1]);
- tail= &(list[list_num-1]);
- tail->prev= &(list[list_num-2]);
- tail->next=NULL;
+ (*head_p) = &(list[0]);
+ (*head_p)->prev = NULL;
+ (*head_p)->next = &(list[1]);
+ (*tail_p) = &(list[list_num - 1]);
+ (*tail_p)->prev = &(list[list_num - 2]);
+ (*tail_p)->next = NULL;
}
+ }
- /* special case */
- cipher_aliases[0].algorithms &= ~mask;
+static void ssl_cipher_collect_aliases(SSL_CIPHER **ca_list,
+ int num_of_group_aliases, unsigned long mask,
+ CIPHER_ORDER *head)
+ {
+ CIPHER_ORDER *ciph_curr;
+ SSL_CIPHER **ca_curr;
+ int i;
- /* get the aliases */
- k=sizeof(cipher_aliases)/sizeof(SSL_CIPHER);
- for (j=0; j<k; j++)
+ /*
+ * First, add the real ciphers as already collected
+ */
+ ciph_curr = head;
+ ca_curr = ca_list;
+ while (ciph_curr != NULL)
{
- al=cipher_aliases[j].algorithms;
- /* Drop those that are not relevent */
- if ((al & mask) == al) continue;
- if (!sk_push(ca_list,(char *)&(cipher_aliases[j]))) goto err;
+ *ca_curr = ciph_curr->cipher;
+ ca_curr++;
+ ciph_curr = ciph_curr->next;
}
- /* ca_list now holds a 'stack' of SSL_CIPHERS, some real, some
- * 'aliases' */
+ /*
+ * Now we add the available ones from the cipher_aliases[] table.
+ * They represent either an algorithm, that must be fully
+ * supported (not match any bit in mask) or represent a cipher
+ * strength value (will be added in any case because algorithms=0).
+ */
+ for (i = 0; i < num_of_group_aliases; i++)
+ {
+ if ((i == 0) || /* always fetch "ALL" */
+ !(cipher_aliases[i].algorithms & mask))
+ {
+ *ca_curr = (SSL_CIPHER *)(cipher_aliases + i);
+ ca_curr++;
+ }
+ }
- /* how many parameters are there? */
- num=1;
- for (l=str; *l; l++)
- if (ITEM_SEP(*l))
- num++;
- ops=(CIPHER_CHOICE *)Malloc(sizeof(CIPHER_CHOICE)*num);
- if (ops == NULL) goto err;
- memset(ops,0,sizeof(CIPHER_CHOICE)*num);
+ *ca_curr = NULL; /* end of list */
+ }
+
+static void ssl_cipher_apply_rule(unsigned long algorithms, unsigned long mask,
+ unsigned long algo_strength, unsigned long mask_strength,
+ int rule, int strength_bits, CIPHER_ORDER *list,
+ CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
+ {
+ CIPHER_ORDER *head, *tail, *curr, *curr2, *tail2;
+ SSL_CIPHER *cp;
+ unsigned long ma, ma_s;
- /* we now parse the input string and create our operations */
- l=str;
- i=0;
- current_x=0;
+#ifdef CIPHER_DEBUG
+ printf("Applying rule %d with %08lx %08lx %08lx %08lx (%d)\n",
+ rule, algorithms, mask, algo_strength, mask_strength,
+ strength_bits);
+#endif
+ curr = head = *head_p;
+ curr2 = head;
+ tail2 = tail = *tail_p;
for (;;)
{
- ch= *l;
+ if ((curr == NULL) || (curr == tail2)) break;
+ curr = curr2;
+ curr2 = curr->next;
+
+ cp = curr->cipher;
+
+ /*
+ * Selection criteria is either the number of strength_bits
+ * or the algorithm used.
+ */
+ if (strength_bits == -1)
+ {
+ ma = mask & cp->algorithms;
+ ma_s = mask_strength & cp->algo_strength;
+
+#ifdef CIPHER_DEBUG
+ printf("\nName: %s:\nAlgo = %08lx Algo_strength = %08lx\nMask = %08lx Mask_strength %08lx\n", cp->name, cp->algorithms, cp->algo_strength, mask, mask_strength);
+ printf("ma = %08lx ma_s %08lx, ma&algo=%08lx, ma_s&algos=%08lx\n", ma, ma_s, ma&algorithms, ma_s&algo_strength);
+#endif
+ /*
+ * Select: if none of the mask bit was met from the
+ * cipher or not all of the bits were met, the
+ * selection does not apply.
+ */
+ if (((ma == 0) && (ma_s == 0)) ||
+ ((ma & algorithms) != ma) ||
+ ((ma_s & algo_strength) != ma_s))
+ continue; /* does not apply */
+ }
+ else if (strength_bits != cp->strength_bits)
+ continue; /* does not apply */
+
+#ifdef CIPHER_DEBUG
+ printf("Action = %d\n", rule);
+#endif
+
+ /* add the cipher if it has not been added yet. */
+ if (rule == CIPHER_ADD)
+ {
+ if (!curr->active)
+ {
+ ll_append_tail(&head, curr, &tail);
+ curr->active = 1;
+ }
+ }
+ /* Move the added cipher to this location */
+ else if (rule == CIPHER_ORD)
+ {
+ if (curr->active)
+ {
+ ll_append_tail(&head, curr, &tail);
+ }
+ }
+ else if (rule == CIPHER_DEL)
+ curr->active = 0;
+ else if (rule == CIPHER_KILL)
+ {
+ if (head == curr)
+ head = curr->next;
+ else
+ curr->prev->next = curr->next;
+ if (tail == curr)
+ tail = curr->prev;
+ curr->active = 0;
+ if (curr->next != NULL)
+ curr->next->prev = curr->prev;
+ if (curr->prev != NULL)
+ curr->prev->next = curr->next;
+ curr->next = NULL;
+ curr->prev = NULL;
+ }
+ }
+
+ *head_p = head;
+ *tail_p = tail;
+ }
+
+static int ssl_cipher_strength_sort(CIPHER_ORDER *list, CIPHER_ORDER **head_p,
+ CIPHER_ORDER **tail_p)
+ {
+ int max_strength_bits, i, *number_uses;
+ CIPHER_ORDER *curr;
+
+ /*
+ * This routine sorts the ciphers with descending strength. The sorting
+ * must keep the pre-sorted sequence, so we apply the normal sorting
+ * routine as '+' movement to the end of the list.
+ */
+ max_strength_bits = 0;
+ curr = *head_p;
+ while (curr != NULL)
+ {
+ if (curr->active &&
+ (curr->cipher->strength_bits > max_strength_bits))
+ max_strength_bits = curr->cipher->strength_bits;
+ curr = curr->next;
+ }
+
+ number_uses = Malloc((max_strength_bits + 1) * sizeof(int));
+ if (!number_uses)
+ {
+ SSLerr(SSL_F_SSL_CIPHER_STRENGTH_SORT,ERR_R_MALLOC_FAILURE);
+ return(0);
+ }
+ memset(number_uses, 0, (max_strength_bits + 1) * sizeof(int));
+
+ /*
+ * Now find the strength_bits values actually used
+ */
+ curr = *head_p;
+ while (curr != NULL)
+ {
+ if (curr->active)
+ number_uses[curr->cipher->strength_bits]++;
+ curr = curr->next;
+ }
+ /*
+ * Go through the list of used strength_bits values in descending
+ * order.
+ */
+ for (i = max_strength_bits; i >= 0; i--)
+ if (number_uses[i] > 0)
+ ssl_cipher_apply_rule(0, 0, 0, 0, CIPHER_ORD, i,
+ list, head_p, tail_p);
+
+ Free(number_uses);
+ return(1);
+ }
+
+static int ssl_cipher_process_rulestr(const char *rule_str,
+ CIPHER_ORDER *list, CIPHER_ORDER **head_p,
+ CIPHER_ORDER **tail_p, SSL_CIPHER **ca_list)
+ {
+ unsigned long algorithms, mask, algo_strength, mask_strength;
+ const char *l, *start, *buf;
+ int j, multi, found, rule, retval, ok, buflen;
+ char ch;
- if (ch == '\0') break;
+ retval = 1;
+ l = rule_str;
+ for (;;)
+ {
+ ch = *l;
+ if (ch == '\0')
+ break; /* done */
if (ch == '-')
- { j=CIPHER_DEL; l++; }
+ { rule = CIPHER_DEL; l++; }
else if (ch == '+')
- { j=CIPHER_ORD; l++; }
+ { rule = CIPHER_ORD; l++; }
else if (ch == '!')
- { j=CIPHER_KILL; l++; }
- else
- { j=CIPHER_ADD; }
+ { rule = CIPHER_KILL; l++; }
+ else if (ch == '@')
+ { rule = CIPHER_SPECIAL; l++; }
+ else
+ { rule = CIPHER_ADD; }
if (ITEM_SEP(ch))
{
l++;
continue;
}
- ops[current_x].type=j;
- ops[current_x].algorithms=0;
- ops[current_x].mask=0;
+
+ algorithms = mask = algo_strength = mask_strength = 0;
start=l;
for (;;)
{
- ch= *l;
- i=0;
+ ch = *l;
+ buf = l;
+ buflen = 0;
#ifndef CHARSET_EBCDIC
while ( ((ch >= 'A') && (ch <= 'Z')) ||
((ch >= '0') && (ch <= '9')) ||
@@ -467,12 +600,29 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_METHOD *ssl_method,
while ( isalnum(ch) || (ch == '-'))
#endif
{
- buf[i]=ch;
- ch= *(++l);
- i++;
- if (i >= (CL_BUF-2)) break;
+ ch = *(++l);
+ buflen++;
}
- buf[i]='\0';
+
+ if (buflen == 0)
+ {
+ /*
+ * We hit something we cannot deal with,
+ * it is no command or separator nor
+ * alphanumeric, so we call this an error.
+ */
+ SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
+ SSL_R_INVALID_COMMAND);
+ retval = found = 0;
+ l++;
+ break;
+ }
+
+ if (rule == CIPHER_SPECIAL)
+ {
+ found = 0; /* unused -- avoid compiler warning */
+ break; /* special treatment */
+ }
/* check for multi-part specification */
if (ch == '+')
@@ -483,133 +633,237 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_METHOD *ssl_method,
else
multi=0;
- c_tmp.name=buf;
- j=sk_find(ca_list,(char *)&c_tmp);
- if (j < 0)
- goto end_loop;
+ /*
+ * Now search for the cipher alias in the ca_list. Be careful
+ * with the strncmp, because the "buflen" limitation
+ * will make the rule "ADH:SOME" and the cipher
+ * "ADH-MY-CIPHER" look like a match for buflen=3.
+ * So additionally check whether the cipher name found
+ * has the correct length. We can save a strlen() call:
+ * just checking for the '\0' at the right place is
+ * sufficient, we have to strncmp() anyway.
+ */
+ j = found = 0;
+ while (ca_list[j])
+ {
+ if ((ca_list[j]->name[buflen] == '\0') &&
+ !strncmp(buf, ca_list[j]->name, buflen))
+ {
+ found = 1;
+ break;
+ }
+ else
+ j++;
+ }
+ if (!found)
+ break; /* ignore this entry */
+
+ algorithms |= ca_list[j]->algorithms;
+ mask |= ca_list[j]->mask;
+ algo_strength |= ca_list[j]->algo_strength;
+ mask_strength |= ca_list[j]->mask_strength;
- cp=(SSL_CIPHER *)sk_value(ca_list,j);
- ops[current_x].algorithms|=cp->algorithms;
- /* We add the SSL_SSL_MASK so we can match the
- * SSLv2 and SSLv3 versions of RC4-MD5 */
- ops[current_x].mask|=cp->mask;
if (!multi) break;
}
- current_x++;
- if (ch == '\0') break;
-end_loop:
- /* Make sure we scan until the next valid start point */
- while ((*l != '\0') && ITEM_SEP(*l))
- l++;
+
+ /*
+ * Ok, we have the rule, now apply it
+ */
+ if (rule == CIPHER_SPECIAL)
+ { /* special command */
+ ok = 0;
+ if ((buflen == 8) &&
+ !strncmp(buf, "STRENGTH", 8))
+ ok = ssl_cipher_strength_sort(list,
+ head_p, tail_p);
+ else
+ SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
+ SSL_R_INVALID_COMMAND);
+ if (ok == 0)
+ retval = 0;
+ /*
+ * We do not support any "multi" options
+ * together with "@", so throw away the
+ * rest of the command, if any left, until
+ * end or ':' is found.
+ */
+ while ((*l != '\0') && ITEM_SEP(*l))
+ l++;
+ }
+ else if (found)
+ {
+ ssl_cipher_apply_rule(algorithms, mask,
+ algo_strength, mask_strength, rule, -1,
+ list, head_p, tail_p);
+ }
+ else
+ {
+ while ((*l != '\0') && ITEM_SEP(*l))
+ l++;
+ }
+ if (*l == '\0') break; /* done */
}
- num_x=current_x;
- current_x=0;
+ return(retval);
+ }
+
+STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
+ STACK_OF(SSL_CIPHER) **cipher_list,
+ STACK_OF(SSL_CIPHER) **cipher_list_by_id,
+ const char *rule_str)
+ {
+ int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases;
+ unsigned long disabled_mask;
+ STACK_OF(SSL_CIPHER) *cipherstack;
+ const char *rule_p;
+ CIPHER_ORDER *list = NULL, *head = NULL, *tail = NULL, *curr;
+ SSL_CIPHER **ca_list = NULL;
+
+ /*
+ * Return with error if nothing to do.
+ */
+ if (rule_str == NULL) return(NULL);
+
+ if (init_ciphers) load_ciphers();
+
+ /*
+ * To reduce the work to do we only want to process the compiled
+ * in algorithms, so we first get the mask of disabled ciphers.
+ */
+ disabled_mask = ssl_cipher_get_disabled();
+
+ /*
+ * Now we have to collect the available ciphers from the compiled
+ * in ciphers. We cannot get more than the number compiled in, so
+ * it is used for allocation.
+ */
+ num_of_ciphers = ssl_method->num_ciphers();
+ list = (CIPHER_ORDER *)Malloc(sizeof(CIPHER_ORDER) * num_of_ciphers);
+ if (list == NULL)
+ {
+ SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
+ return(NULL); /* Failure */
+ }
- /* We will now process the list of ciphers, once for each category, to
- * decide what we should do with it. */
- for (j=0; j<num_x; j++)
+ ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers, disabled_mask,
+ list, &head, &tail);
+
+ /*
+ * We also need cipher aliases for selecting based on the rule_str.
+ * There might be two types of entries in the rule_str: 1) names
+ * of ciphers themselves 2) aliases for groups of ciphers.
+ * For 1) we need the available ciphers and for 2) the cipher
+ * groups of cipher_aliases added together in one list (otherwise
+ * we would be happy with just the cipher_aliases table).
+ */
+ num_of_group_aliases = sizeof(cipher_aliases) / sizeof(SSL_CIPHER);
+ num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
+ ca_list =
+ (SSL_CIPHER **)Malloc(sizeof(SSL_CIPHER *) * num_of_alias_max);
+ if (ca_list == NULL)
+ {
+ Free(list);
+ SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
+ return(NULL); /* Failure */
+ }
+ ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, disabled_mask,
+ head);
+
+ /*
+ * If the rule_string begins with DEFAULT, apply the default rule
+ * before using the (possibly available) additional rules.
+ */
+ ok = 1;
+ rule_p = rule_str;
+ if (strncmp(rule_str,"DEFAULT",7) == 0)
{
- algorithms=ops[j].algorithms;
- type=ops[j].type;
- mask=ops[j].mask;
+ ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST,
+ list, &head, &tail, ca_list);
+ rule_p += 7;
+ if (*rule_p == ':')
+ rule_p++;
+ }
- curr=head;
- curr2=head;
- tail2=tail;
- for (;;)
- {
- if ((curr == NULL) || (curr == tail2)) break;
- curr=curr2;
- curr2=curr->next;
+ if (ok && (strlen(rule_p) > 0))
+ ok = ssl_cipher_process_rulestr(rule_p, list, &head, &tail,
+ ca_list);
- cp=curr->cipher;
- ma=mask & cp->algorithms;
- if ((ma == 0) || ((ma & algorithms) != ma))
- {
- /* does not apply */
- continue;
- }
+ Free(ca_list); /* Not needed anymore */
- /* add the cipher if it has not been added yet. */
- if (type == CIPHER_ADD)
- {
- if (!curr->active)
- {
- ll_append_tail(&head,curr,&tail);
- curr->active=1;
- }
- }
- /* Move the added cipher to this location */
- else if (type == CIPHER_ORD)
- {
- if (curr->active)
- {
- ll_append_tail(&head,curr,&tail);
- }
- }
- else if (type == CIPHER_DEL)
- curr->active=0;
- if (type == CIPHER_KILL)
- {
- if (head == curr)
- head=curr->next;
- else
- curr->prev->next=curr->next;
- if (tail == curr)
- tail=curr->prev;
- curr->active=0;
- if (curr->next != NULL)
- curr->next->prev=curr->prev;
- if (curr->prev != NULL)
- curr->prev->next=curr->next;
- curr->next=NULL;
- curr->prev=NULL;
- }
- }
+ if (!ok)
+ { /* Rule processing failure */
+ Free(list);
+ return(NULL);
+ }
+ /*
+ * Allocate new "cipherstack" for the result, return with error
+ * if we cannot get one.
+ */
+ if ((cipherstack = sk_SSL_CIPHER_new(NULL)) == NULL)
+ {
+ Free(list);
+ return(NULL);
}
- for (curr=head; curr != NULL; curr=curr->next)
+ /*
+ * The cipher selection for the list is done. The ciphers are added
+ * to the resulting precedence to the STACK_OF(SSL_CIPHER).
+ */
+ for (curr = head; curr != NULL; curr = curr->next)
{
if (curr->active)
{
- sk_SSL_CIPHER_push(ret,curr->cipher);
+ sk_SSL_CIPHER_push(cipherstack, curr->cipher);
#ifdef CIPHER_DEBUG
printf("<%s>\n",curr->cipher->name);
#endif
}
}
-
+ Free(list); /* Not needed any longer */
+
+ /*
+ * The following passage is a little bit odd. If pointer variables
+ * were supplied to hold STACK_OF(SSL_CIPHER) return information,
+ * the old memory pointed to is free()ed. Then, however, the
+ * cipher_list entry will be assigned just a copy of the returned
+ * cipher stack. For cipher_list_by_id a copy of the cipher stack
+ * will be created. See next comment...
+ */
if (cipher_list != NULL)
{
if (*cipher_list != NULL)
sk_SSL_CIPHER_free(*cipher_list);
- *cipher_list=ret;
+ *cipher_list = cipherstack;
}
if (cipher_list_by_id != NULL)
{
if (*cipher_list_by_id != NULL)
sk_SSL_CIPHER_free(*cipher_list_by_id);
- *cipher_list_by_id=sk_SSL_CIPHER_dup(ret);
+ *cipher_list_by_id = sk_SSL_CIPHER_dup(cipherstack);
}
+ /*
+ * Now it is getting really strange. If something failed during
+ * the previous pointer assignment or if one of the pointers was
+ * not requested, the error condition is met. That might be
+ * discussable. The strange thing is however that in this case
+ * the memory "ret" pointed to is "free()ed" and hence the pointer
+ * cipher_list becomes wild. The memory reserved for
+ * cipher_list_by_id however is not "free()ed" and stays intact.
+ */
if ( (cipher_list_by_id == NULL) ||
(*cipher_list_by_id == NULL) ||
(cipher_list == NULL) ||
(*cipher_list == NULL))
- goto err;
+ {
+ sk_SSL_CIPHER_free(cipherstack);
+ return(NULL);
+ }
+
sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id,ssl_cipher_ptr_id_cmp);
- ok=ret;
- ret=NULL;
-err:
- if (tmp_str) Free(tmp_str);
- if (ops != NULL) Free(ops);
- if (ret != NULL) sk_SSL_CIPHER_free(ret);
- if (ca_list != NULL) sk_free(ca_list);
- if (list != NULL) Free(list);
- return(ok);
+ return(cipherstack);
}
char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
@@ -617,15 +871,16 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
int is_export,pkl,kl;
char *ver,*exp;
char *kx,*au,*enc,*mac;
- unsigned long alg,alg2;
+ unsigned long alg,alg2,alg_s;
static char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s\n";
alg=cipher->algorithms;
+ alg_s=cipher->algo_strength;
alg2=cipher->algorithm2;
- is_export=SSL_IS_EXPORT(alg);
- pkl=SSL_EXPORT_PKEYLENGTH(alg);
- kl=SSL_EXPORT_KEYLENGTH(alg);
+ is_export=SSL_C_IS_EXPORT(cipher);
+ pkl=SSL_C_EXPORT_PKEYLENGTH(cipher);
+ kl=SSL_C_EXPORT_KEYLENGTH(cipher);
exp=is_export?" export":"";
if (alg & SSL_SSLV2)
@@ -752,37 +1007,16 @@ const char *SSL_CIPHER_get_name(SSL_CIPHER *c)
return("(NONE)");
}
-/* number of bits for symetric cipher */
+/* number of bits for symmetric cipher */
int SSL_CIPHER_get_bits(SSL_CIPHER *c, int *alg_bits)
{
- int ret=0,a=0;
- const EVP_CIPHER *enc;
- const EVP_MD *md;
- SSL_SESSION ss;
+ int ret=0;
if (c != NULL)
{
- ss.cipher=c;
- if (!ssl_cipher_get_evp(&ss,&enc,&md,NULL))
- return(0);
-
- a=EVP_CIPHER_key_length(enc)*8;
-
- if (SSL_C_IS_EXPORT(c))
- {
- ret=SSL_C_EXPORT_KEYLENGTH(c)*8;
- }
- else
- {
- if (c->algorithm2 & SSL2_CF_8_BYTE_ENC)
- ret=64;
- else
- ret=a;
- }
+ if (alg_bits != NULL) *alg_bits = c->alg_bits;
+ ret = c->strength_bits;
}
-
- if (alg_bits != NULL) *alg_bits=a;
-
return(ret);
}
diff --git a/crypto/openssl/ssl/ssl_err.c b/crypto/openssl/ssl/ssl_err.c
index 3ddc805b5370..642c3f93e7bc 100644
--- a/crypto/openssl/ssl/ssl_err.c
+++ b/crypto/openssl/ssl/ssl_err.c
@@ -54,7 +54,8 @@
*/
/* NOTE: this file was auto generated by the mkerr.pl script: any changes
- * made to it will be overwritten when the script next updates this file.
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
*/
#include <stdio.h>
@@ -94,6 +95,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
{ERR_PACK(0,SSL_F_SSL2_SET_CERTIFICATE,0), "SSL2_SET_CERTIFICATE"},
{ERR_PACK(0,SSL_F_SSL2_WRITE,0), "SSL2_WRITE"},
{ERR_PACK(0,SSL_F_SSL3_ACCEPT,0), "SSL3_ACCEPT"},
+{ERR_PACK(0,SSL_F_SSL3_CALLBACK_CTRL,0), "SSL3_CALLBACK_CTRL"},
{ERR_PACK(0,SSL_F_SSL3_CHANGE_CIPHER_STATE,0), "SSL3_CHANGE_CIPHER_STATE"},
{ERR_PACK(0,SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,0), "SSL3_CHECK_CERT_AND_ALGORITHM"},
{ERR_PACK(0,SSL_F_SSL3_CLIENT_HELLO,0), "SSL3_CLIENT_HELLO"},
@@ -135,13 +137,18 @@ static ERR_STRING_DATA SSL_str_functs[]=
{ERR_PACK(0,SSL_F_SSL_CERT_INSTANTIATE,0), "SSL_CERT_INSTANTIATE"},
{ERR_PACK(0,SSL_F_SSL_CERT_NEW,0), "SSL_CERT_NEW"},
{ERR_PACK(0,SSL_F_SSL_CHECK_PRIVATE_KEY,0), "SSL_check_private_key"},
+{ERR_PACK(0,SSL_F_SSL_CIPHER_PROCESS_RULESTR,0), "SSL_CIPHER_PROCESS_RULESTR"},
+{ERR_PACK(0,SSL_F_SSL_CIPHER_STRENGTH_SORT,0), "SSL_CIPHER_STRENGTH_SORT"},
{ERR_PACK(0,SSL_F_SSL_CLEAR,0), "SSL_clear"},
{ERR_PACK(0,SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,0), "SSL_COMP_add_compression_method"},
{ERR_PACK(0,SSL_F_SSL_CREATE_CIPHER_LIST,0), "SSL_CREATE_CIPHER_LIST"},
+{ERR_PACK(0,SSL_F_SSL_CTRL,0), "SSL_ctrl"},
{ERR_PACK(0,SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,0), "SSL_CTX_check_private_key"},
{ERR_PACK(0,SSL_F_SSL_CTX_NEW,0), "SSL_CTX_new"},
+{ERR_PACK(0,SSL_F_SSL_CTX_SET_PURPOSE,0), "SSL_CTX_set_purpose"},
{ERR_PACK(0,SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT,0), "SSL_CTX_set_session_id_context"},
{ERR_PACK(0,SSL_F_SSL_CTX_SET_SSL_VERSION,0), "SSL_CTX_set_ssl_version"},
+{ERR_PACK(0,SSL_F_SSL_CTX_SET_TRUST,0), "SSL_CTX_set_trust"},
{ERR_PACK(0,SSL_F_SSL_CTX_USE_CERTIFICATE,0), "SSL_CTX_use_certificate"},
{ERR_PACK(0,SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1,0), "SSL_CTX_use_certificate_ASN1"},
{ERR_PACK(0,SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,0), "SSL_CTX_use_certificate_chain_file"},
@@ -169,9 +176,11 @@ static ERR_STRING_DATA SSL_str_functs[]=
{ERR_PACK(0,SSL_F_SSL_SET_CERT,0), "SSL_SET_CERT"},
{ERR_PACK(0,SSL_F_SSL_SET_FD,0), "SSL_set_fd"},
{ERR_PACK(0,SSL_F_SSL_SET_PKEY,0), "SSL_SET_PKEY"},
+{ERR_PACK(0,SSL_F_SSL_SET_PURPOSE,0), "SSL_set_purpose"},
{ERR_PACK(0,SSL_F_SSL_SET_RFD,0), "SSL_set_rfd"},
{ERR_PACK(0,SSL_F_SSL_SET_SESSION,0), "SSL_set_session"},
{ERR_PACK(0,SSL_F_SSL_SET_SESSION_ID_CONTEXT,0), "SSL_set_session_id_context"},
+{ERR_PACK(0,SSL_F_SSL_SET_TRUST,0), "SSL_set_trust"},
{ERR_PACK(0,SSL_F_SSL_SET_WFD,0), "SSL_set_wfd"},
{ERR_PACK(0,SSL_F_SSL_SHUTDOWN,0), "SSL_shutdown"},
{ERR_PACK(0,SSL_F_SSL_UNDEFINED_FUNCTION,0), "SSL_UNDEFINED_FUNCTION"},
@@ -201,7 +210,6 @@ static ERR_STRING_DATA SSL_str_reasons[]=
{SSL_R_BAD_AUTHENTICATION_TYPE ,"bad authentication type"},
{SSL_R_BAD_CHANGE_CIPHER_SPEC ,"bad change cipher spec"},
{SSL_R_BAD_CHECKSUM ,"bad checksum"},
-{SSL_R_BAD_CLIENT_REQUEST ,"bad client request"},
{SSL_R_BAD_DATA_RETURNED_BY_CALLBACK ,"bad data returned by callback"},
{SSL_R_BAD_DECOMPRESSION ,"bad decompression"},
{SSL_R_BAD_DH_G_LENGTH ,"bad dh g length"},
@@ -209,6 +217,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
{SSL_R_BAD_DH_P_LENGTH ,"bad dh p length"},
{SSL_R_BAD_DIGEST_LENGTH ,"bad digest length"},
{SSL_R_BAD_DSA_SIGNATURE ,"bad dsa signature"},
+{SSL_R_BAD_HELLO_REQUEST ,"bad hello request"},
{SSL_R_BAD_LENGTH ,"bad length"},
{SSL_R_BAD_MAC_DECODE ,"bad mac decode"},
{SSL_R_BAD_MESSAGE_TYPE ,"bad message type"},
@@ -248,6 +257,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
{SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG ,"dh public value length is wrong"},
{SSL_R_DIGEST_CHECK_FAILED ,"digest check failed"},
{SSL_R_ENCRYPTED_LENGTH_TOO_LONG ,"encrypted length too long"},
+{SSL_R_ERROR_GENERATING_TMP_RSA_KEY ,"error generating tmp rsa key"},
{SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST ,"error in received cipher list"},
{SSL_R_EXCESSIVE_MESSAGE_SIZE ,"excessive message size"},
{SSL_R_EXTRA_DATA_IN_MESSAGE ,"extra data in message"},
@@ -256,6 +266,9 @@ static ERR_STRING_DATA SSL_str_reasons[]=
{SSL_R_HTTP_REQUEST ,"http request"},
{SSL_R_INTERNAL_ERROR ,"internal error"},
{SSL_R_INVALID_CHALLENGE_LENGTH ,"invalid challenge length"},
+{SSL_R_INVALID_COMMAND ,"invalid command"},
+{SSL_R_INVALID_PURPOSE ,"invalid purpose"},
+{SSL_R_INVALID_TRUST ,"invalid trust"},
{SSL_R_LENGTH_MISMATCH ,"length mismatch"},
{SSL_R_LENGTH_TOO_SHORT ,"length too short"},
{SSL_R_LIBRARY_BUG ,"library bug"},
@@ -348,14 +361,14 @@ static ERR_STRING_DATA SSL_str_reasons[]=
{SSL_R_TLSV1_ALERT_DECODE_ERROR ,"tlsv1 alert decode error"},
{SSL_R_TLSV1_ALERT_DECRYPTION_FAILED ,"tlsv1 alert decryption failed"},
{SSL_R_TLSV1_ALERT_DECRYPT_ERROR ,"tlsv1 alert decrypt error"},
-{SSL_R_TLSV1_ALERT_EXPORT_RESTRICION ,"tlsv1 alert export restricion"},
+{SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION ,"tlsv1 alert export restriction"},
{SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY ,"tlsv1 alert insufficient security"},
{SSL_R_TLSV1_ALERT_INTERNAL_ERROR ,"tlsv1 alert internal error"},
{SSL_R_TLSV1_ALERT_NO_RENEGOTIATION ,"tlsv1 alert no renegotiation"},
{SSL_R_TLSV1_ALERT_PROTOCOL_VERSION ,"tlsv1 alert protocol version"},
{SSL_R_TLSV1_ALERT_RECORD_OVERFLOW ,"tlsv1 alert record overflow"},
{SSL_R_TLSV1_ALERT_UNKNOWN_CA ,"tlsv1 alert unknown ca"},
-{SSL_R_TLSV1_ALERT_USER_CANCLED ,"tlsv1 alert user cancled"},
+{SSL_R_TLSV1_ALERT_USER_CANCELLED ,"tlsv1 alert user cancelled"},
{SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER,"tls client cert req with anon cipher"},
{SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST,"tls peer did not respond with certificate list"},
{SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG,"tls rsa encrypted value length is wrong"},
@@ -383,6 +396,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
{SSL_R_UNKNOWN_STATE ,"unknown state"},
{SSL_R_UNSUPPORTED_CIPHER ,"unsupported cipher"},
{SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM ,"unsupported compression algorithm"},
+{SSL_R_UNSUPPORTED_OPTION ,"unsupported option"},
{SSL_R_UNSUPPORTED_PROTOCOL ,"unsupported protocol"},
{SSL_R_UNSUPPORTED_SSL_VERSION ,"unsupported ssl version"},
{SSL_R_WRITE_BIO_NOT_SET ,"write bio not set"},
diff --git a/crypto/openssl/ssl/ssl_lib.c b/crypto/openssl/ssl/ssl_lib.c
index e192fc4cac3a..c515c41b4e75 100644
--- a/crypto/openssl/ssl/ssl_lib.c
+++ b/crypto/openssl/ssl/ssl_lib.c
@@ -61,22 +61,24 @@
#include <stdio.h>
#include <openssl/objects.h>
#include <openssl/lhash.h>
+#include <openssl/x509v3.h>
#include "ssl_locl.h"
-char *SSL_version_str=OPENSSL_VERSION_TEXT;
+const char *SSL_version_str=OPENSSL_VERSION_TEXT;
-static STACK *ssl_meth=NULL;
-static STACK *ssl_ctx_meth=NULL;
+static STACK_OF(CRYPTO_EX_DATA_FUNCS) *ssl_meth=NULL;
+static STACK_OF(CRYPTO_EX_DATA_FUNCS) *ssl_ctx_meth=NULL;
static int ssl_meth_num=0;
static int ssl_ctx_meth_num=0;
OPENSSL_GLOBAL SSL3_ENC_METHOD ssl3_undef_enc_method={
+ /* evil casts, but these functions are only called if there's a library bug */
+ (int (*)(SSL *,int))ssl_undefined_function,
+ (int (*)(SSL *, unsigned char *, int))ssl_undefined_function,
ssl_undefined_function,
- ssl_undefined_function,
- ssl_undefined_function,
- ssl_undefined_function,
- ssl_undefined_function,
- ssl_undefined_function,
+ (int (*)(SSL *, unsigned char *, unsigned char *, int))ssl_undefined_function,
+ (int (*)(SSL*, int))ssl_undefined_function,
+ (int (*)(SSL *, EVP_MD_CTX *, EVP_MD_CTX *, const char*, int, unsigned char *))ssl_undefined_function
};
int SSL_clear(SSL *s)
@@ -93,10 +95,17 @@ int SSL_clear(SSL *s)
s->hit=0;
s->shutdown=0;
-#if 0
+#if 0 /* Disabled since version 1.10 of this file (early return not
+ * needed because SSL_clear is not called when doing renegotiation) */
/* This is set if we are doing dynamic renegotiation so keep
* the old cipher. It is sort of a SSL_clear_lite :-) */
if (s->new_session) return(1);
+#else
+ if (s->new_session)
+ {
+ SSLerr(SSL_F_SSL_CLEAR,SSL_R_INTERNAL_ERROR);
+ return 0;
+ }
#endif
state=s->state; /* Keep to check if we throw away the session-id */
@@ -201,6 +210,8 @@ SSL *SSL_new(SSL_CTX *ctx)
s->verify_mode=ctx->verify_mode;
s->verify_depth=ctx->verify_depth;
s->verify_callback=ctx->default_verify_callback;
+ s->purpose = ctx->purpose;
+ s->trust = ctx->trust;
CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
s->ctx=ctx;
@@ -218,7 +229,7 @@ SSL *SSL_new(SSL_CTX *ctx)
s->mode=ctx->mode;
SSL_clear(s);
- CRYPTO_new_ex_data(ssl_meth,(char *)s,&s->ex_data);
+ CRYPTO_new_ex_data(ssl_meth,s,&s->ex_data);
return(s);
err:
@@ -262,6 +273,46 @@ int SSL_set_session_id_context(SSL *ssl,const unsigned char *sid_ctx,
return 1;
}
+int SSL_CTX_set_purpose(SSL_CTX *s, int purpose)
+{
+ if(X509_PURPOSE_get_by_id(purpose) == -1) {
+ SSLerr(SSL_F_SSL_CTX_SET_PURPOSE, SSL_R_INVALID_PURPOSE);
+ return 0;
+ }
+ s->purpose = purpose;
+ return 1;
+}
+
+int SSL_set_purpose(SSL *s, int purpose)
+{
+ if(X509_PURPOSE_get_by_id(purpose) == -1) {
+ SSLerr(SSL_F_SSL_SET_PURPOSE, SSL_R_INVALID_PURPOSE);
+ return 0;
+ }
+ s->purpose = purpose;
+ return 1;
+}
+
+int SSL_CTX_set_trust(SSL_CTX *s, int trust)
+{
+ if(X509_TRUST_get_by_id(trust) == -1) {
+ SSLerr(SSL_F_SSL_CTX_SET_TRUST, SSL_R_INVALID_TRUST);
+ return 0;
+ }
+ s->trust = trust;
+ return 1;
+}
+
+int SSL_set_trust(SSL *s, int trust)
+{
+ if(X509_TRUST_get_by_id(trust) == -1) {
+ SSLerr(SSL_F_SSL_SET_TRUST, SSL_R_INVALID_TRUST);
+ return 0;
+ }
+ s->trust = trust;
+ return 1;
+}
+
void SSL_free(SSL *s)
{
int i;
@@ -324,7 +375,7 @@ void SSL_free(SSL *s)
if (s->method != NULL) s->method->ssl_free(s);
- Free((char *)s);
+ Free(s);
}
void SSL_set_bio(SSL *s,BIO *rbio,BIO *wbio)
@@ -433,6 +484,38 @@ err:
}
#endif
+
+/* return length of latest Finished message we sent, copy to 'buf' */
+size_t SSL_get_finished(SSL *s, void *buf, size_t count)
+ {
+ size_t ret = 0;
+
+ if (s->s3 != NULL)
+ {
+ ret = s->s3->tmp.finish_md_len;
+ if (count > ret)
+ count = ret;
+ memcpy(buf, s->s3->tmp.finish_md, count);
+ }
+ return ret;
+ }
+
+/* return length of latest Finished message we expected, copy to 'buf' */
+size_t SSL_get_peer_finished(SSL *s, void *buf, size_t count)
+ {
+ size_t ret = 0;
+
+ if (s->s3 != NULL)
+ {
+ ret = s->s3->tmp.peer_finish_md_len;
+ if (count > ret)
+ count = ret;
+ memcpy(buf, s->s3->tmp.peer_finish_md, count);
+ }
+ return ret;
+ }
+
+
int SSL_get_verify_mode(SSL *s)
{
return(s->verify_mode);
@@ -516,6 +599,9 @@ STACK_OF(X509) *SSL_get_peer_cert_chain(SSL *s)
else
r=s->session->sess_cert->cert_chain;
+ /* If we are a client, cert_chain includes the peer's own
+ * certificate; if we are a server, it does not. */
+
return(r);
}
@@ -706,6 +792,20 @@ long SSL_ctrl(SSL *s,int cmd,long larg,char *parg)
}
}
+long SSL_callback_ctrl(SSL *s, int cmd, void (*fp)())
+ {
+ switch(cmd)
+ {
+ default:
+ return(s->method->ssl_callback_ctrl(s,cmd,fp));
+ }
+ }
+
+struct lhash_st *SSL_CTX_sessions(SSL_CTX *ctx)
+ {
+ return ctx->sessions;
+ }
+
long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd,long larg,char *parg)
{
long l;
@@ -765,6 +865,15 @@ long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd,long larg,char *parg)
}
}
+long SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)())
+ {
+ switch(cmd)
+ {
+ default:
+ return(ctx->method->ssl_ctx_callback_ctrl(ctx,cmd,fp));
+ }
+ }
+
int ssl_cipher_id_cmp(SSL_CIPHER *a,SSL_CIPHER *b)
{
long l;
@@ -834,8 +943,8 @@ const char *SSL_get_cipher_list(SSL *s,int n)
return(c->name);
}
-/** specify the ciphers to be used by defaut by the SSL_CTX */
-int SSL_CTX_set_cipher_list(SSL_CTX *ctx,char *str)
+/** specify the ciphers to be used by default by the SSL_CTX */
+int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str)
{
STACK_OF(SSL_CIPHER) *sk;
@@ -846,7 +955,7 @@ int SSL_CTX_set_cipher_list(SSL_CTX *ctx,char *str)
}
/** specify the ciphers to be used by the SSL */
-int SSL_set_cipher_list(SSL *s,char *str)
+int SSL_set_cipher_list(SSL *s,const char *str)
{
STACK_OF(SSL_CIPHER) *sk;
@@ -1127,7 +1236,7 @@ void SSL_CTX_free(SSL_CTX *a)
sk_X509_pop_free(a->extra_certs,X509_free);
if (a->comp_methods != NULL)
sk_SSL_COMP_pop_free(a->comp_methods,SSL_COMP_free);
- Free((char *)a);
+ Free(a);
}
void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb)
@@ -1254,10 +1363,8 @@ void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher)
emask|=SSL_aDSS;
}
-#ifdef SSL_ALLOW_ADH
mask|=SSL_aNULL;
emask|=SSL_aNULL;
-#endif
c->mask=mask;
c->export_mask=emask;
@@ -1274,7 +1381,7 @@ X509 *ssl_get_server_send_cert(SSL *s)
c=s->cert;
ssl_set_cert_masks(c, s->s3->tmp.new_cipher);
alg=s->s3->tmp.new_cipher->algorithms;
- is_export=SSL_IS_EXPORT(alg);
+ is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
mask=is_export?c->export_mask:c->mask;
kalg=alg&(SSL_MKEY_MASK|SSL_AUTH_MASK);
@@ -1527,7 +1634,7 @@ SSL_METHOD *ssl_bad_method(int ver)
return(NULL);
}
-char *SSL_get_version(SSL *s)
+const char *SSL_get_version(SSL *s)
{
if (s->version == TLS1_VERSION)
return("TLSv1");
@@ -1831,8 +1938,8 @@ long SSL_get_verify_result(SSL *ssl)
return(ssl->verify_result);
}
-int SSL_get_ex_new_index(long argl,char *argp,int (*new_func)(),
- int (*dup_func)(),void (*free_func)())
+int SSL_get_ex_new_index(long argl,void *argp,CRYPTO_EX_new *new_func,
+ CRYPTO_EX_dup *dup_func,CRYPTO_EX_free *free_func)
{
ssl_meth_num++;
return(CRYPTO_get_ex_new_index(ssl_meth_num-1,
@@ -1849,8 +1956,8 @@ void *SSL_get_ex_data(SSL *s,int idx)
return(CRYPTO_get_ex_data(&s->ex_data,idx));
}
-int SSL_CTX_get_ex_new_index(long argl,char *argp,int (*new_func)(),
- int (*dup_func)(),void (*free_func)())
+int SSL_CTX_get_ex_new_index(long argl,void *argp,CRYPTO_EX_new *new_func,
+ CRYPTO_EX_dup *dup_func,CRYPTO_EX_free *free_func)
{
ssl_ctx_meth_num++;
return(CRYPTO_get_ex_new_index(ssl_ctx_meth_num-1,
@@ -1899,13 +2006,16 @@ int SSL_want(SSL *s)
void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,RSA *(*cb)(SSL *ssl,
int is_export,
int keylength))
- { SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_RSA_CB,0,(char *)cb); }
-#endif
+ {
+ SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_RSA_CB,(void (*)())cb);
+ }
-#ifndef NO_RSA
-void SSL_set_tmp_rsa_callback(SSL *ssl,RSA *(*cb)(SSL *ssl,int is_export,
- int keylength))
- { SSL_ctrl(ssl,SSL_CTRL_SET_TMP_RSA_CB,0,(char *)cb); }
+void SSL_set_tmp_rsa_callback(SSL *ssl,RSA *(*cb)(SSL *ssl,
+ int is_export,
+ int keylength))
+ {
+ SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_RSA_CB,(void (*)())cb);
+ }
#endif
#ifdef DOXYGEN
@@ -1932,11 +2042,15 @@ RSA *cb(SSL *ssl,int is_export,int keylength)
#ifndef NO_DH
void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,DH *(*dh)(SSL *ssl,int is_export,
int keylength))
- { SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_DH_CB,0,(char *)dh); }
+ {
+ SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_DH_CB,(void (*)())dh);
+ }
void SSL_set_tmp_dh_callback(SSL *ssl,DH *(*dh)(SSL *ssl,int is_export,
- int keylength))
- { SSL_ctrl(ssl,SSL_CTRL_SET_TMP_DH_CB,0,(char *)dh); }
+ int keylength))
+ {
+ SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_DH_CB,(void (*)())dh);
+ }
#endif
#if defined(_WINDLL) && defined(WIN16)
diff --git a/crypto/openssl/ssl/ssl_locl.h b/crypto/openssl/ssl/ssl_locl.h
index 0bfd57db3267..9a52bab254ab 100644
--- a/crypto/openssl/ssl/ssl_locl.h
+++ b/crypto/openssl/ssl/ssl_locl.h
@@ -155,6 +155,19 @@
#define DEC32(a) ((a)=((a)-1)&0xffffffffL)
#define MAX_MAC_SIZE 20 /* up from 16 for SSLv3 */
+/*
+ * Define the Bitmasks for SSL_CIPHER.algorithms.
+ * This bits are used packed as dense as possible. If new methods/ciphers
+ * etc will be added, the bits a likely to change, so this information
+ * is for internal library use only, even though SSL_CIPHER.algorithms
+ * can be publicly accessed.
+ * Use the according functions for cipher management instead.
+ *
+ * The bit mask handling in the selection and sorting scheme in
+ * ssl_create_cipher_list() has only limited capabilities, reflecting
+ * that the different entities within are mutually exclusive:
+ * ONLY ONE BIT PER MASK CAN BE SET AT A TIME.
+ */
#define SSL_MKEY_MASK 0x0000001FL
#define SSL_kRSA 0x00000001L /* RSA key exchange */
#define SSL_kDHr 0x00000002L /* DH cert RSA CA cert */
@@ -191,36 +204,75 @@
#define SSL_SHA1 0x00040000L
#define SSL_SHA (SSL_SHA1)
-#define SSL_EXP_MASK 0x00300000L
-#define SSL_EXP40 0x00100000L
-#define SSL_NOT_EXP 0x00200000L
-#define SSL_EXP56 0x00300000L
-#define SSL_IS_EXPORT(a) ((a)&SSL_EXP40)
-#define SSL_IS_EXPORT56(a) (((a)&SSL_EXP_MASK) == SSL_EXP56)
-#define SSL_IS_EXPORT40(a) (((a)&SSL_EXP_MASK) == SSL_EXP40)
-#define SSL_C_IS_EXPORT(c) SSL_IS_EXPORT((c)->algorithms)
-#define SSL_C_IS_EXPORT56(c) SSL_IS_EXPORT56((c)->algorithms)
-#define SSL_C_IS_EXPORT40(c) SSL_IS_EXPORT40((c)->algorithms)
-#define SSL_EXPORT_KEYLENGTH(a) (SSL_IS_EXPORT40(a) ? 5 : \
+#define SSL_SSL_MASK 0x00180000L
+#define SSL_SSLV2 0x00080000L
+#define SSL_SSLV3 0x00100000L
+#define SSL_TLSV1 SSL_SSLV3 /* for now */
+
+/* we have used 001fffff - 11 bits left to go */
+
+/*
+ * Export and cipher strength information. For each cipher we have to decide
+ * whether it is exportable or not. This information is likely to change
+ * over time, since the export control rules are no static technical issue.
+ *
+ * Independent of the export flag the cipher strength is sorted into classes.
+ * SSL_EXP40 was denoting the 40bit US export limit of past times, which now
+ * is at 56bit (SSL_EXP56). If the exportable cipher class is going to change
+ * again (eg. to 64bit) the use of "SSL_EXP*" becomes blurred even more,
+ * since SSL_EXP64 could be similar to SSL_LOW.
+ * For this reason SSL_MICRO and SSL_MINI macros are included to widen the
+ * namespace of SSL_LOW-SSL_HIGH to lower values. As development of speed
+ * and ciphers goes, another extension to SSL_SUPER and/or SSL_ULTRA would
+ * be possible.
+ */
+#define SSL_EXP_MASK 0x00000003L
+#define SSL_NOT_EXP 0x00000001L
+#define SSL_EXPORT 0x00000002L
+
+#define SSL_STRONG_MASK 0x0000007cL
+#define SSL_EXP40 0x00000004L
+#define SSL_MICRO (SSL_EXP40)
+#define SSL_EXP56 0x00000008L
+#define SSL_MINI (SSL_EXP56)
+#define SSL_LOW 0x00000010L
+#define SSL_MEDIUM 0x00000020L
+#define SSL_HIGH 0x00000040L
+
+/* we have used 0000007f - 25 bits left to go */
+
+/*
+ * Macros to check the export status and cipher strength for export ciphers.
+ * Even though the macros for EXPORT and EXPORT40/56 have similar names,
+ * their meaning is different:
+ * *_EXPORT macros check the 'exportable' status.
+ * *_EXPORT40/56 macros are used to check whether a certain cipher strength
+ * is given.
+ * Since the SSL_IS_EXPORT* and SSL_EXPORT* macros depend on the correct
+ * algorithm structure element to be passed (algorithms, algo_strength) and no
+ * typechecking can be done as they are all of type unsigned long, their
+ * direct usage is discouraged.
+ * Use the SSL_C_* macros instead.
+ */
+#define SSL_IS_EXPORT(a) ((a)&SSL_EXPORT)
+#define SSL_IS_EXPORT56(a) ((a)&SSL_EXP56)
+#define SSL_IS_EXPORT40(a) ((a)&SSL_EXP40)
+#define SSL_C_IS_EXPORT(c) SSL_IS_EXPORT((c)->algo_strength)
+#define SSL_C_IS_EXPORT56(c) SSL_IS_EXPORT56((c)->algo_strength)
+#define SSL_C_IS_EXPORT40(c) SSL_IS_EXPORT40((c)->algo_strength)
+
+#define SSL_EXPORT_KEYLENGTH(a,s) (SSL_IS_EXPORT40(s) ? 5 : \
((a)&SSL_ENC_MASK) == SSL_DES ? 8 : 7)
#define SSL_EXPORT_PKEYLENGTH(a) (SSL_IS_EXPORT40(a) ? 512 : 1024)
-#define SSL_C_EXPORT_KEYLENGTH(c) SSL_EXPORT_KEYLENGTH((c)->algorithms)
-#define SSL_C_EXPORT_PKEYLENGTH(c) SSL_EXPORT_PKEYLENGTH((c)->algorithms)
-
-#define SSL_SSL_MASK 0x00c00000L
-#define SSL_SSLV2 0x00400000L
-#define SSL_SSLV3 0x00800000L
-#define SSL_TLSV1 SSL_SSLV3 /* for now */
+#define SSL_C_EXPORT_KEYLENGTH(c) SSL_EXPORT_KEYLENGTH((c)->algorithms, \
+ (c)->algo_strength)
+#define SSL_C_EXPORT_PKEYLENGTH(c) SSL_EXPORT_PKEYLENGTH((c)->algo_strength)
-#define SSL_STRONG_MASK 0x07000000L
-#define SSL_LOW 0x01000000L
-#define SSL_MEDIUM 0x02000000L
-#define SSL_HIGH 0x04000000L
-/* we have used 0fffffff - 4 bits left to go */
#define SSL_ALL 0xffffffffL
#define SSL_ALL_CIPHERS (SSL_MKEY_MASK|SSL_AUTH_MASK|SSL_ENC_MASK|\
- SSL_MAC_MASK|SSL_EXP_MASK)
+ SSL_MAC_MASK)
+#define SSL_ALL_STRENGTHS (SSL_EXP_MASK|SSL_STRONG_MASK)
/* Mostly for SSLv3 */
#define SSL_PKEY_RSA_ENC 0
@@ -254,9 +306,9 @@ typedef struct cert_st
{
/* Current active set */
CERT_PKEY *key; /* ALWAYS points to an element of the pkeys array
- * Probably it would make more sense to store
- * an index, not a pointer. */
-
+ * Probably it would make more sense to store
+ * an index, not a pointer. */
+
/* The following masks are for the key and auth
* algorithms that are supported by the certs below */
int valid;
@@ -319,28 +371,28 @@ typedef struct sess_cert_st
/* This is for the SSLv3/TLSv1.0 differences in crypto/hash stuff
* It is a bit of a mess of functions, but hell, think of it as
- * an opaque strucute :-) */
+ * an opaque structure :-) */
typedef struct ssl3_enc_method
{
- int (*enc)();
- int (*mac)();
- int (*setup_key_block)();
- int (*generate_master_secret)();
- int (*change_cipher_state)();
- int (*final_finish_mac)();
+ int (*enc)(SSL *, int);
+ int (*mac)(SSL *, unsigned char *, int);
+ int (*setup_key_block)(SSL *);
+ int (*generate_master_secret)(SSL *, unsigned char *, unsigned char *, int);
+ int (*change_cipher_state)(SSL *, int);
+ int (*final_finish_mac)(SSL *, EVP_MD_CTX *, EVP_MD_CTX *, const char *, int, unsigned char *);
int finish_mac_length;
- int (*cert_verify_mac)();
- unsigned char client_finished[20];
- int client_finished_len;
- unsigned char server_finished[20];
- int server_finished_len;
- int (*alert_value)();
+ int (*cert_verify_mac)(SSL *, EVP_MD_CTX *, unsigned char *);
+ const char *client_finished_label;
+ int client_finished_label_len;
+ const char *server_finished_label;
+ int server_finished_label_len;
+ int (*alert_value)(int);
} SSL3_ENC_METHOD;
/* Used for holding the relevant compression methods loaded into SSL_CTX */
typedef struct ssl3_comp_st
{
- int comp_id; /* The identifer byte for this compression type */
+ int comp_id; /* The identifier byte for this compression type */
char *name; /* Text name used for the compression type */
COMP_METHOD *method; /* The method :-) */
} SSL3_COMP;
@@ -376,10 +428,10 @@ int ssl_cipher_ptr_id_cmp(SSL_CIPHER **ap,SSL_CIPHER **bp);
STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,
STACK_OF(SSL_CIPHER) **skp);
int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p);
-STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_METHOD *meth,
+STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *meth,
STACK_OF(SSL_CIPHER) **pref,
STACK_OF(SSL_CIPHER) **sorted,
- char *str);
+ const char *rule_str);
void ssl_update_cache(SSL *s, int mode);
int ssl_cipher_get_evp(SSL_SESSION *s,const EVP_CIPHER **enc,const EVP_MD **md,
SSL_COMP **comp);
@@ -416,6 +468,8 @@ int ssl2_shutdown(SSL *s);
void ssl2_clear(SSL *s);
long ssl2_ctrl(SSL *s,int cmd, long larg, char *parg);
long ssl2_ctx_ctrl(SSL_CTX *s,int cmd, long larg, char *parg);
+long ssl2_callback_ctrl(SSL *s,int cmd, void (*fp)());
+long ssl2_ctx_callback_ctrl(SSL_CTX *s,int cmd, void (*fp)());
int ssl2_pending(SSL *s);
SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p);
@@ -433,17 +487,16 @@ int ssl3_generate_master_secret(SSL *s, unsigned char *out,
unsigned char *p, int len);
int ssl3_get_req_cert_type(SSL *s,unsigned char *p);
long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok);
-int ssl3_send_finished(SSL *s, int a, int b, unsigned char *sender,int slen);
+int ssl3_send_finished(SSL *s, int a, int b, const char *sender,int slen);
int ssl3_num_ciphers(void);
SSL_CIPHER *ssl3_get_cipher(unsigned int u);
int ssl3_renegotiate(SSL *ssl);
int ssl3_renegotiate_check(SSL *ssl);
int ssl3_dispatch_alert(SSL *s);
int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len);
-int ssl3_part_read(SSL *s, int i);
int ssl3_write_bytes(SSL *s, int type, const void *buf, int len);
-int ssl3_final_finish_mac(SSL *s, EVP_MD_CTX *ctx1,EVP_MD_CTX *ctx2,
- unsigned char *sender, int slen,unsigned char *p);
+int ssl3_final_finish_mac(SSL *s, EVP_MD_CTX *ctx1, EVP_MD_CTX *ctx2,
+ const char *sender, int slen,unsigned char *p);
int ssl3_cert_verify_mac(SSL *s, EVP_MD_CTX *in, unsigned char *p);
void ssl3_finish_mac(SSL *s, const unsigned char *buf, int len);
int ssl3_enc(SSL *s, int send_data);
@@ -463,6 +516,8 @@ int ssl3_shutdown(SSL *s);
void ssl3_clear(SSL *s);
long ssl3_ctrl(SSL *s,int cmd, long larg, char *parg);
long ssl3_ctx_ctrl(SSL_CTX *s,int cmd, long larg, char *parg);
+long ssl3_callback_ctrl(SSL *s,int cmd, void (*fp)());
+long ssl3_ctx_callback_ctrl(SSL_CTX *s,int cmd, void (*fp)());
int ssl3_pending(SSL *s);
int ssl23_accept(SSL *s);
@@ -474,6 +529,7 @@ int tls1_new(SSL *s);
void tls1_free(SSL *s);
void tls1_clear(SSL *s);
long tls1_ctrl(SSL *s,int cmd, long larg, char *parg);
+long tls1_callback_ctrl(SSL *s,int cmd, void (*fp)());
SSL_METHOD *tlsv1_base_method(void );
int ssl_init_wbio_buffer(SSL *s, int push);
@@ -483,7 +539,7 @@ int tls1_change_cipher_state(SSL *s, int which);
int tls1_setup_key_block(SSL *s);
int tls1_enc(SSL *s, int snd);
int tls1_final_finish_mac(SSL *s, EVP_MD_CTX *in1_ctx, EVP_MD_CTX *in2_ctx,
- unsigned char *str, int slen, unsigned char *p);
+ const char *str, int slen, unsigned char *p);
int tls1_cert_verify_mac(SSL *s, EVP_MD_CTX *in, unsigned char *p);
int tls1_mac(SSL *ssl, unsigned char *md, int snd);
int tls1_generate_master_secret(SSL *s, unsigned char *out,
diff --git a/crypto/openssl/ssl/ssl_sess.c b/crypto/openssl/ssl/ssl_sess.c
index 681499f08aa6..9e01f7275321 100644
--- a/crypto/openssl/ssl/ssl_sess.c
+++ b/crypto/openssl/ssl/ssl_sess.c
@@ -65,15 +65,31 @@ static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
static void SSL_SESSION_list_add(SSL_CTX *ctx,SSL_SESSION *s);
static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck);
static int ssl_session_num=0;
-static STACK *ssl_session_meth=NULL;
+static STACK_OF(CRYPTO_EX_DATA_FUNCS) *ssl_session_meth=NULL;
SSL_SESSION *SSL_get_session(SSL *ssl)
+/* aka SSL_get0_session; gets 0 objects, just returns a copy of the pointer */
{
return(ssl->session);
}
-int SSL_SESSION_get_ex_new_index(long argl, char *argp, int (*new_func)(),
- int (*dup_func)(), void (*free_func)())
+SSL_SESSION *SSL_get1_session(SSL *ssl)
+/* variant of SSL_get_session: caller really gets something */
+ {
+ SSL_SESSION *sess;
+ /* Need to lock this all up rather than just use CRYPTO_add so that
+ * somebody doesn't free ssl->session between when we check it's
+ * non-null and when we up the reference count. */
+ CRYPTO_r_lock(CRYPTO_LOCK_SSL_SESSION);
+ sess = ssl->session;
+ if(sess)
+ sess->references++;
+ CRYPTO_r_unlock(CRYPTO_LOCK_SSL_SESSION);
+ return(sess);
+ }
+
+int SSL_SESSION_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+ CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
{
ssl_session_num++;
return(CRYPTO_get_ex_new_index(ssl_session_num-1,
@@ -103,13 +119,14 @@ SSL_SESSION *SSL_SESSION_new(void)
}
memset(ss,0,sizeof(SSL_SESSION));
+ ss->verify_result = 1; /* avoid 0 (= X509_V_OK) just in case */
ss->references=1;
ss->timeout=60*5+4; /* 5 minute timeout by default */
ss->time=time(NULL);
ss->prev=NULL;
ss->next=NULL;
ss->compress_meth=0;
- CRYPTO_new_ex_data(ssl_session_meth,(char *)ss,&ss->ex_data);
+ CRYPTO_new_ex_data(ssl_session_meth,ss,&ss->ex_data);
return(ss);
}
@@ -161,15 +178,20 @@ int ssl_get_new_session(SSL *s, int session)
{
SSL_SESSION *r;
- RAND_bytes(ss->session_id,ss->session_id_length);
+ RAND_pseudo_bytes(ss->session_id,ss->session_id_length);
CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
- r=(SSL_SESSION *)lh_retrieve(s->ctx->sessions,
- (char *)ss);
+ r=(SSL_SESSION *)lh_retrieve(s->ctx->sessions, ss);
CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
if (r == NULL) break;
/* else - woops a session_id match */
- /* XXX should also check external cache!
- * (But the probability of a collision is negligible, anyway...) */
+ /* XXX We should also check the external cache --
+ * but the probability of a collision is negligible, and
+ * we could not prevent the concurrent creation of sessions
+ * with identical IDs since we currently don't have means
+ * to atomically check whether a session ID already exists
+ * and make a reservation for it if it does not
+ * (this problem applies to the internal cache as well).
+ */
}
}
else
@@ -181,6 +203,7 @@ int ssl_get_new_session(SSL *s, int session)
ss->sid_ctx_length=s->sid_ctx_length;
s->session=ss;
ss->ssl_version=s->version;
+ ss->verify_result = X509_V_OK;
return(1);
}
@@ -192,7 +215,6 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len)
SSL_SESSION *ret=NULL,data;
int fatal = 0;
- /* conn_init();*/
data.ssl_version=s->version;
data.session_id_length=len;
if (len > SSL_MAX_SSL_SESSION_ID_LENGTH)
@@ -202,7 +224,7 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len)
if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP))
{
CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
- ret=(SSL_SESSION *)lh_retrieve(s->ctx->sessions,(char *)&data);
+ ret=(SSL_SESSION *)lh_retrieve(s->ctx->sessions,&data);
if (ret != NULL)
/* don't allow other threads to steal it: */
CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION);
@@ -311,6 +333,7 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len)
if (s->session != NULL)
SSL_SESSION_free(s->session);
s->session=ret;
+ s->verify_result = s->session->verify_result;
return(1);
err:
@@ -327,27 +350,47 @@ int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c)
int ret=0;
SSL_SESSION *s;
- /* conn_init(); */
+ /* add just 1 reference count for the SSL_CTX's session cache
+ * even though it has two ways of access: each session is in a
+ * doubly linked list and an lhash */
CRYPTO_add(&c->references,1,CRYPTO_LOCK_SSL_SESSION);
+ /* if session c is in already in cache, we take back the increment later */
CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
- s=(SSL_SESSION *)lh_insert(ctx->sessions,(char *)c);
+ s=(SSL_SESSION *)lh_insert(ctx->sessions,c);
- /* Put on the end of the queue unless it is already in the cache */
+ /* s != NULL iff we already had a session with the given PID.
+ * In this case, s == c should hold (then we did not really modify
+ * ctx->sessions), or we're in trouble. */
+ if (s != NULL && s != c)
+ {
+ /* We *are* in trouble ... */
+ SSL_SESSION_list_remove(ctx,s);
+ SSL_SESSION_free(s);
+ /* ... so pretend the other session did not exist in cache
+ * (we cannot handle two SSL_SESSION structures with identical
+ * session ID in the same cache, which could happen e.g. when
+ * two threads concurrently obtain the same session from an external
+ * cache) */
+ s = NULL;
+ }
+
+ /* Put at the head of the queue unless it is already in the cache */
if (s == NULL)
SSL_SESSION_list_add(ctx,c);
- /* If the same session if is being 're-added', Free the old
- * one when the last person stops using it.
- * This will also work if it is alread in the cache.
- * The references will go up and then down :-) */
if (s != NULL)
{
- SSL_SESSION_free(s);
+ /* existing cache entry -- decrement previously incremented reference
+ * count because it already takes into account the cache */
+
+ SSL_SESSION_free(s); /* s == c */
ret=0;
}
else
{
+ /* new cache entry -- remove old ones if cache has become too large */
+
ret=1;
if (SSL_CTX_sess_get_cache_size(ctx) > 0)
@@ -380,7 +423,7 @@ static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck)
if ((c != NULL) && (c->session_id_length != 0))
{
if(lck) CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
- r=(SSL_SESSION *)lh_delete(ctx->sessions,(char *)c);
+ r=(SSL_SESSION *)lh_delete(ctx->sessions,c);
if (r != NULL)
{
ret=1;
@@ -422,7 +465,7 @@ void SSL_SESSION_free(SSL_SESSION *ss)
}
#endif
- CRYPTO_free_ex_data(ssl_session_meth,(char *)ss,&ss->ex_data);
+ CRYPTO_free_ex_data(ssl_session_meth,ss,&ss->ex_data);
memset(ss->key_arg,0,SSL_MAX_KEY_ARG_LENGTH);
memset(ss->master_key,0,SSL_MAX_MASTER_KEY_LENGTH);
@@ -541,7 +584,7 @@ static void timeout(SSL_SESSION *s, TIMEOUT_PARAM *p)
{
/* The reason we don't call SSL_CTX_remove_session() is to
* save on locking overhead */
- lh_delete(p->cache,(char *)s);
+ lh_delete(p->cache,s);
SSL_SESSION_list_remove(p->ctx,s);
s->not_resumable=1;
if (p->ctx->remove_session_cb != NULL)
@@ -562,7 +605,7 @@ void SSL_CTX_flush_sessions(SSL_CTX *s, long t)
CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
i=tp.cache->down_load;
tp.cache->down_load=0;
- lh_doall_arg(tp.cache,(void (*)())timeout,(char *)&tp);
+ lh_doall_arg(tp.cache,(void (*)())timeout,&tp);
tp.cache->down_load=i;
CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
}
diff --git a/crypto/openssl/ssl/ssl_stat.c b/crypto/openssl/ssl/ssl_stat.c
index 3eca4ee6017a..8e12461f3b8c 100644
--- a/crypto/openssl/ssl/ssl_stat.c
+++ b/crypto/openssl/ssl/ssl_stat.c
@@ -183,7 +183,7 @@ case SSL3_ST_SR_CERT_VRFY_B: str="SSLv3 read certificate verify B"; break;
#endif
#if !defined(NO_SSL2) && !defined(NO_SSL3)
-/* SSLv2/v3 compatablitity states */
+/* SSLv2/v3 compatibility states */
/* client */
case SSL23_ST_CW_CLNT_HELLO_A: str="SSLv2/v3 write client hello A"; break;
case SSL23_ST_CW_CLNT_HELLO_B: str="SSLv2/v3 write client hello B"; break;
@@ -331,7 +331,7 @@ case SSL3_ST_SR_CERT_VRFY_B: str="3RCV_B"; break;
#endif
#if !defined(NO_SSL2) && !defined(NO_SSL3)
-/* SSLv2/v3 compatablitity states */
+/* SSLv2/v3 compatibility states */
/* client */
case SSL23_ST_CW_CLNT_HELLO_A: str="23WCHA"; break;
case SSL23_ST_CW_CLNT_HELLO_B: str="23WCHB"; break;
@@ -402,7 +402,7 @@ char *SSL_alert_desc_string_long(int value)
str="close notify";
break;
case SSL3_AD_UNEXPECTED_MESSAGE:
- str="unexected_message";
+ str="unexpected_message";
break;
case SSL3_AD_BAD_RECORD_MAC:
str="bad record mac";
@@ -429,7 +429,7 @@ char *SSL_alert_desc_string_long(int value)
str="certificate expired";
break;
case SSL3_AD_CERTIFICATE_UNKNOWN:
- str="certifcate unknown";
+ str="certificate unknown";
break;
case SSL3_AD_ILLEGAL_PARAMETER:
str="illegal parameter";
diff --git a/crypto/openssl/ssl/ssl_task.c b/crypto/openssl/ssl/ssl_task.c
index 321e35c83ba6..cac701a798b4 100644
--- a/crypto/openssl/ssl/ssl_task.c
+++ b/crypto/openssl/ssl/ssl_task.c
@@ -226,7 +226,7 @@ int main ( int argc, char **argv )
printf("cipher list: %s\n", cipher ? cipher : "{undefined}" );
SSL_load_error_strings();
- SSLeay_add_all_algorithms();
+ OpenSSL_add_all_algorithms();
/* DRM, this was the original, but there is no such thing as SSLv2()
s_ctx=SSL_CTX_new(SSLv2());
diff --git a/crypto/openssl/ssl/ssl_txt.c b/crypto/openssl/ssl/ssl_txt.c
index ca67a98d896a..c07d95757676 100644
--- a/crypto/openssl/ssl/ssl_txt.c
+++ b/crypto/openssl/ssl/ssl_txt.c
@@ -112,7 +112,7 @@ int SSL_SESSION_print(BIO *bp, SSL_SESSION *x)
sprintf(str,"%02X",x->session_id[i]);
if (BIO_puts(bp,str) <= 0) goto err;
}
- if (BIO_puts(bp,"\nSession-ID-ctx: ") <= 0) goto err;
+ if (BIO_puts(bp,"\n Session-ID-ctx: ") <= 0) goto err;
for (i=0; i<x->sid_ctx_length; i++)
{
sprintf(str,"%02X",x->sid_ctx[i]);
@@ -163,6 +163,11 @@ int SSL_SESSION_print(BIO *bp, SSL_SESSION *x)
if (BIO_puts(bp,str) <= 0) goto err;
}
if (BIO_puts(bp,"\n") <= 0) goto err;
+
+ if (BIO_puts(bp, " Verify return code: ") <= 0) goto err;
+ sprintf(str, "%ld (%s)\n", x->verify_result,
+ X509_verify_cert_error_string(x->verify_result));
+ if (BIO_puts(bp,str) <= 0) goto err;
return(1);
err:
diff --git a/crypto/openssl/ssl/ssltest.c b/crypto/openssl/ssl/ssltest.c
index 90570f4bee7d..dde35794f54a 100644
--- a/crypto/openssl/ssl/ssltest.c
+++ b/crypto/openssl/ssl/ssltest.c
@@ -56,27 +56,27 @@
* [including the GNU Public Licence.]
*/
+#include <assert.h>
+#include <errno.h>
+#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
-#include <errno.h>
-#include <limits.h>
+#include <time.h>
#include "openssl/e_os.h"
#include <openssl/bio.h>
#include <openssl/crypto.h>
+#include <openssl/evp.h>
#include <openssl/x509.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
+#include <openssl/rand.h>
#ifdef WINDOWS
#include "../crypto/bio/bss_file.c"
#endif
-#if defined(NO_RSA) && !defined(NO_SSL2)
-#define NO_SSL2
-#endif
-
#ifdef VMS
# define TEST_SERVER_CERT "SYS$DISK:[-.APPS]SERVER.PEM"
# define TEST_CLIENT_CERT "SYS$DISK:[-.APPS]CLIENT.PEM"
@@ -85,19 +85,22 @@
# define TEST_CLIENT_CERT "../apps/client.pem"
#endif
-int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
+static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
#ifndef NO_RSA
static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export,int keylength);
#endif
#ifndef NO_DH
static DH *get_dh512(void);
+static DH *get_dh1024(void);
+static DH *get_dh1024dsa(void);
#endif
-BIO *bio_err=NULL;
-BIO *bio_stdout=NULL;
+
+static BIO *bio_err=NULL;
+static BIO *bio_stdout=NULL;
static char *cipher=NULL;
-int verbose=0;
-int debug=0;
+static int verbose=0;
+static int debug=0;
#if 0
/* Not used yet. */
#ifdef FIONBIO
@@ -105,8 +108,9 @@ static int s_nbio=0;
#endif
#endif
+static const char rnd_seed[] = "string to make the random number generator think it has entropy";
-int doit_biopair(SSL *s_ssl,SSL *c_ssl,long bytes);
+int doit_biopair(SSL *s_ssl,SSL *c_ssl,long bytes,clock_t *s_time,clock_t *c_time);
int doit(SSL *s_ssl,SSL *c_ssl,long bytes);
static void sv_usage(void)
{
@@ -119,8 +123,10 @@ static void sv_usage(void)
fprintf(stderr," -reuse - use session-id reuse\n");
fprintf(stderr," -num <val> - number of connections to perform\n");
fprintf(stderr," -bytes <val> - number of bytes to swap between client/server\n");
-#if !defined NO_DH && !defined NO_DSA
- fprintf(stderr," -dhe1024 - generate 1024 bit key for DHE\n");
+#ifndef NO_DH
+ fprintf(stderr," -dhe1024 - use 1024 bit key (safe prime) for DHE\n");
+ fprintf(stderr," -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n");
+ fprintf(stderr," -no_dhe - disable DHE\n");
#endif
#ifndef NO_SSL2
fprintf(stderr," -ssl2 - use SSLv2\n");
@@ -133,12 +139,58 @@ static void sv_usage(void)
#endif
fprintf(stderr," -CApath arg - PEM format directory of CA's\n");
fprintf(stderr," -CAfile arg - PEM format file of CA's\n");
- fprintf(stderr," -cert arg - Certificate file\n");
- fprintf(stderr," -s_cert arg - Just the server certificate file\n");
- fprintf(stderr," -c_cert arg - Just the client certificate file\n");
+ fprintf(stderr," -cert arg - Server certificate file\n");
+ fprintf(stderr," -key arg - Server key file (default: same as -cert)\n");
+ fprintf(stderr," -c_cert arg - Client certificate file\n");
+ fprintf(stderr," -c_key arg - Client key file (default: same as -c_cert)\n");
fprintf(stderr," -cipher arg - The cipher list\n");
fprintf(stderr," -bio_pair - Use BIO pairs\n");
fprintf(stderr," -f - Test even cases that can't work\n");
+ fprintf(stderr," -time - measure processor time used by client and server\n");
+ }
+
+static void print_details(SSL *c_ssl, const char *prefix)
+ {
+ SSL_CIPHER *ciph;
+ X509 *cert;
+
+ ciph=SSL_get_current_cipher(c_ssl);
+ BIO_printf(bio_stdout,"%s%s, cipher %s %s",
+ prefix,
+ SSL_get_version(c_ssl),
+ SSL_CIPHER_get_version(ciph),
+ SSL_CIPHER_get_name(ciph));
+ cert=SSL_get_peer_certificate(c_ssl);
+ if (cert != NULL)
+ {
+ EVP_PKEY *pkey = X509_get_pubkey(cert);
+ if (pkey != NULL)
+ {
+ if (0)
+ ;
+#ifndef NO_RSA
+ else if (pkey->type == EVP_PKEY_RSA && pkey->pkey.rsa != NULL
+ && pkey->pkey.rsa->n != NULL)
+ {
+ BIO_printf(bio_stdout, ", %d bit RSA",
+ BN_num_bits(pkey->pkey.rsa->n));
+ }
+#endif
+#ifndef NO_DSA
+ else if (pkey->type == EVP_PKEY_DSA && pkey->pkey.dsa != NULL
+ && pkey->pkey.dsa->p != NULL)
+ {
+ BIO_printf(bio_stdout, ", %d bit DSA",
+ BN_num_bits(pkey->pkey.dsa->p));
+ }
+#endif
+ EVP_PKEY_free(pkey);
+ }
+ X509_free(cert);
+ }
+ /* The SSL API does not allow us to look at temporary RSA/DH keys,
+ * otherwise we should print their lengths too */
+ BIO_printf(bio_stdout,"\n");
}
int main(int argc, char *argv[])
@@ -151,24 +203,34 @@ int main(int argc, char *argv[])
int client_auth=0;
int server_auth=0,i;
char *server_cert=TEST_SERVER_CERT;
+ char *server_key=NULL;
char *client_cert=TEST_CLIENT_CERT;
+ char *client_key=NULL;
SSL_CTX *s_ctx=NULL;
SSL_CTX *c_ctx=NULL;
SSL_METHOD *meth=NULL;
SSL *c_ssl,*s_ssl;
int number=1,reuse=0;
long bytes=1L;
- SSL_CIPHER *ciph;
- int dhe1024 = 0;
#ifndef NO_DH
DH *dh;
+ int dhe1024 = 0, dhe1024dsa = 0;
#endif
+ int no_dhe = 0;
+ int print_time = 0;
+ clock_t s_time = 0, c_time = 0;
+
+ verbose = 0;
+ debug = 0;
+ cipher = 0;
+
+ CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
+
+ RAND_seed(rnd_seed, sizeof rnd_seed);
bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE);
- CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
-
argc--;
argv++;
@@ -184,8 +246,14 @@ int main(int argc, char *argv[])
debug=1;
else if (strcmp(*argv,"-reuse") == 0)
reuse=1;
+#ifndef NO_DH
else if (strcmp(*argv,"-dhe1024") == 0)
dhe1024=1;
+ else if (strcmp(*argv,"-dhe1024dsa") == 0)
+ dhe1024dsa=1;
+#endif
+ else if (strcmp(*argv,"-no_dhe") == 0)
+ no_dhe=1;
else if (strcmp(*argv,"-ssl2") == 0)
ssl2=1;
else if (strcmp(*argv,"-tls1") == 0)
@@ -217,11 +285,26 @@ int main(int argc, char *argv[])
if (--argc < 1) goto bad;
server_cert= *(++argv);
}
+ else if (strcmp(*argv,"-key") == 0)
+ {
+ if (--argc < 1) goto bad;
+ server_key= *(++argv);
+ }
+ else if (strcmp(*argv,"-s_key") == 0)
+ {
+ if (--argc < 1) goto bad;
+ server_key= *(++argv);
+ }
else if (strcmp(*argv,"-c_cert") == 0)
{
if (--argc < 1) goto bad;
client_cert= *(++argv);
}
+ else if (strcmp(*argv,"-c_key") == 0)
+ {
+ if (--argc < 1) goto bad;
+ client_key= *(++argv);
+ }
else if (strcmp(*argv,"-cipher") == 0)
{
if (--argc < 1) goto bad;
@@ -245,6 +328,10 @@ int main(int argc, char *argv[])
{
force = 1;
}
+ else if (strcmp(*argv,"-time") == 0)
+ {
+ print_time = 1;
+ }
else
{
fprintf(stderr,"unknown option %s\n",*argv);
@@ -263,15 +350,24 @@ bad:
if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force)
{
- fprintf(stderr, "This case cannot work. Use -f switch to perform "
- "the test anyway\n"
- "(and -d to see what happens, "
- "and -bio_pair to really make it happen :-)\n"
- "or add one of -ssl2, -ssl3, -tls1, -reuse to "
- "avoid protocol mismatch.\n");
+ fprintf(stderr, "This case cannot work. Use -f to perform "
+ "the test anyway (and\n-d to see what happens), "
+ "or add one of -ssl2, -ssl3, -tls1, -reuse\n"
+ "to avoid protocol mismatch.\n");
exit(1);
}
+ if (print_time)
+ {
+ if (!bio_pair)
+ {
+ fprintf(stderr, "Using BIO pair (-bio_pair)\n");
+ bio_pair = 1;
+ }
+ if (number < 50 && !force)
+ fprintf(stderr, "Warning: For accurate timings, use more connections (e.g. -num 1000)\n");
+ }
+
/* if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */
SSL_library_init();
@@ -311,31 +407,23 @@ bad:
}
#ifndef NO_DH
-# ifndef NO_DSA
- if (dhe1024)
+ if (!no_dhe)
{
- DSA *dsa;
-
- if (verbose)
+ if (dhe1024dsa)
{
- fprintf(stdout, "Creating 1024 bit DHE parameters ...");
- fflush(stdout);
+ /* use SSL_OP_SINGLE_DH_USE to avoid small subgroup attacks */
+ SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
+ dh=get_dh1024dsa();
}
-
- dsa = DSA_generate_parameters(1024, NULL, 0, NULL, NULL, 0, NULL);
- dh = DSA_dup_DH(dsa);
- DSA_free(dsa);
- /* important: SSL_OP_SINGLE_DH_USE to avoid small subgroup attacks */
- SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
-
- if (verbose)
- fprintf(stdout, " done\n");
+ else if (dhe1024)
+ dh=get_dh1024();
+ else
+ dh=get_dh512();
+ SSL_CTX_set_tmp_dh(s_ctx,dh);
+ DH_free(dh);
}
- else
-# endif
- dh=get_dh512();
- SSL_CTX_set_tmp_dh(s_ctx,dh);
- DH_free(dh);
+#else
+ (void)no_dhe;
#endif
#ifndef NO_RSA
@@ -346,8 +434,8 @@ bad:
{
ERR_print_errors(bio_err);
}
- else if (!SSL_CTX_use_PrivateKey_file(s_ctx,server_cert,
- SSL_FILETYPE_PEM))
+ else if (!SSL_CTX_use_PrivateKey_file(s_ctx,
+ (server_key?server_key:server_cert), SSL_FILETYPE_PEM))
{
ERR_print_errors(bio_err);
goto end;
@@ -357,7 +445,8 @@ bad:
{
SSL_CTX_use_certificate_file(c_ctx,client_cert,
SSL_FILETYPE_PEM);
- SSL_CTX_use_PrivateKey_file(c_ctx,client_cert,
+ SSL_CTX_use_PrivateKey_file(c_ctx,
+ (client_key?client_key:client_cert),
SSL_FILETYPE_PEM);
}
@@ -373,17 +462,22 @@ bad:
if (client_auth)
{
- fprintf(stderr,"client authentication\n");
+ BIO_printf(bio_err,"client authentication\n");
SSL_CTX_set_verify(s_ctx,
SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
verify_callback);
}
if (server_auth)
{
- fprintf(stderr,"server authentication\n");
+ BIO_printf(bio_err,"server authentication\n");
SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER,
verify_callback);
}
+
+ {
+ int session_id_context = 0;
+ SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context, sizeof session_id_context);
+ }
c_ssl=SSL_new(c_ctx);
s_ssl=SSL_new(s_ctx);
@@ -392,21 +486,38 @@ bad:
{
if (!reuse) SSL_set_session(c_ssl,NULL);
if (bio_pair)
- ret=doit_biopair(s_ssl,c_ssl,bytes);
+ ret=doit_biopair(s_ssl,c_ssl,bytes,&s_time,&c_time);
else
ret=doit(s_ssl,c_ssl,bytes);
}
if (!verbose)
{
- ciph=SSL_get_current_cipher(c_ssl);
- fprintf(stdout,"Protocol %s, cipher %s, %s\n",
- SSL_get_version(c_ssl),
- SSL_CIPHER_get_version(ciph),
- SSL_CIPHER_get_name(ciph));
+ print_details(c_ssl, "");
}
if ((number > 1) || (bytes > 1L))
- printf("%d handshakes of %ld bytes done\n",number,bytes);
+ BIO_printf(bio_stdout, "%d handshakes of %ld bytes done\n",number,bytes);
+ if (print_time)
+ {
+#ifdef CLOCKS_PER_SEC
+ /* "To determine the time in seconds, the value returned
+ * by the clock function should be divided by the value
+ * of the macro CLOCKS_PER_SEC."
+ * -- ISO/IEC 9899 */
+ BIO_printf(bio_stdout, "Approximate total server time: %6.2f s\n"
+ "Approximate total client time: %6.2f s\n",
+ (double)s_time/CLOCKS_PER_SEC,
+ (double)c_time/CLOCKS_PER_SEC);
+#else
+ /* "`CLOCKS_PER_SEC' undeclared (first use this function)"
+ * -- cc on NeXTstep/OpenStep */
+ BIO_printf(bio_stdout,
+ "Approximate total server time: %6.2f units\n"
+ "Approximate total client time: %6.2f units\n",
+ (double)s_time,
+ (double)c_time);
+#endif
+ }
SSL_free(s_ssl);
SSL_free(c_ssl);
@@ -421,15 +532,16 @@ end:
ERR_remove_state(0);
EVP_cleanup();
CRYPTO_mem_leaks(bio_err);
+ if (bio_err != NULL) BIO_free(bio_err);
EXIT(ret);
}
-int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count)
+int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
+ clock_t *s_time, clock_t *c_time)
{
long cw_num = count, cr_num = count, sw_num = count, sr_num = count;
BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL;
BIO *server = NULL, *server_io = NULL, *client = NULL, *client_io = NULL;
- SSL_CIPHER *ciph;
int ret = 1;
size_t bufsiz = 256; /* small buffer for testing */
@@ -485,7 +597,7 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count)
* BIO_ctrl_pending(bio) number of bytes we can read now
* BIO_ctrl_get_read_request(bio) number of bytes needed to fulfil
* other side's read attempt
- * BIO_ctrl_get_write_gurantee(bio) number of bytes we can write now
+ * BIO_ctrl_get_write_guarantee(bio) number of bytes we can write now
*
* ..._read_request is never more than ..._write_guarantee;
* it depends on the application which one you should use.
@@ -502,6 +614,7 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count)
MS_STATIC char cbuf[1024*8];
int i, r;
+ clock_t c_clock = clock();
if (debug)
if (SSL_in_init(c_ssl))
@@ -517,7 +630,7 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count)
else
i = (int)cw_num;
r = BIO_write(c_ssl_bio, cbuf, i);
- if (r == -1)
+ if (r < 0)
{
if (!BIO_should_retry(c_ssl_bio))
{
@@ -568,6 +681,16 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count)
cr_num -= r;
}
}
+
+ /* c_time and s_time increments will typically be very small
+ * (depending on machine speed and clock tick intervals),
+ * but sampling over a large number of connections should
+ * result in fairly accurate figures. We cannot guarantee
+ * a lot, however -- if each connection lasts for exactly
+ * one clock tick, it will be counted only for the client
+ * or only for the server or even not at all.
+ */
+ *c_time += (clock() - c_clock);
}
{
@@ -575,6 +698,7 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count)
MS_STATIC char sbuf[1024*8];
int i, r;
+ clock_t s_clock = clock();
if (debug)
if (SSL_in_init(s_ssl))
@@ -590,7 +714,7 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count)
else
i = (int)sw_num;
r = BIO_write(s_ssl_bio, sbuf, i);
- if (r == -1)
+ if (r < 0)
{
if (!BIO_should_retry(s_ssl_bio))
{
@@ -638,50 +762,47 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count)
sr_num -= r;
}
}
+
+ *s_time += (clock() - s_clock);
}
{
/* "I/O" BETWEEN CLIENT AND SERVER. */
-#define RELAYBUFSIZ 200
- static char buf[RELAYBUFSIZ];
-
- /* RELAYBUF is arbitrary. When writing data over some real
- * network, use a buffer of the same size as in the BIO_pipe
- * and make that size large (for reading from the network
- * small buffers usually won't hurt).
- * Here sizes differ for testing. */
-
size_t r1, r2;
- size_t num;
- int r;
+ BIO *io1 = server_io, *io2 = client_io;
+ /* we use the non-copying interface for io1
+ * and the standard BIO_write/BIO_read interface for io2
+ */
+
static int prev_progress = 1;
int progress = 0;
- /* client to server */
+ /* io1 to io2 */
do
{
- r1 = BIO_ctrl_pending(client_io);
- r2 = BIO_ctrl_get_write_guarantee(server_io);
+ size_t num;
+ int r;
+
+ r1 = BIO_ctrl_pending(io1);
+ r2 = BIO_ctrl_get_write_guarantee(io2);
num = r1;
if (r2 < num)
num = r2;
if (num)
{
- if (sizeof buf < num)
- num = sizeof buf;
+ char *dataptr;
+
if (INT_MAX < num) /* yeah, right */
num = INT_MAX;
- r = BIO_read(client_io, buf, (int)num);
- if (r != (int)num) /* can't happen */
- {
- fprintf(stderr, "ERROR: BIO_read could not read "
- "BIO_ctrl_pending() bytes");
- goto err;
- }
- r = BIO_write(server_io, buf, (int)num);
+ r = BIO_nread(io1, &dataptr, (int)num);
+ assert(r > 0);
+ assert(r <= (int)num);
+ /* possibly r < num (non-contiguous data) */
+ num = r;
+ r = BIO_write(io2, dataptr, (int)num);
if (r != (int)num) /* can't happen */
{
fprintf(stderr, "ERROR: BIO_write could not write "
@@ -691,48 +812,58 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count)
progress = 1;
if (debug)
- printf("C->S relaying: %d bytes\n", (int)num);
+ printf((io1 == client_io) ?
+ "C->S relaying: %d bytes\n" :
+ "S->C relaying: %d bytes\n",
+ (int)num);
}
}
while (r1 && r2);
- /* server to client */
- do
- {
- r1 = BIO_ctrl_pending(server_io);
- r2 = BIO_ctrl_get_write_guarantee(client_io);
-
+ /* io2 to io1 */
+ {
+ size_t num;
+ int r;
+
+ r1 = BIO_ctrl_pending(io2);
+ r2 = BIO_ctrl_get_read_request(io1);
+ /* here we could use ..._get_write_guarantee instead of
+ * ..._get_read_request, but by using the latter
+ * we test restartability of the SSL implementation
+ * more thoroughly */
num = r1;
if (r2 < num)
num = r2;
if (num)
{
- if (sizeof buf < num)
- num = sizeof buf;
+ char *dataptr;
+
if (INT_MAX < num)
num = INT_MAX;
+
+ if (num > 1)
+ --num; /* test restartability even more thoroughly */
- r = BIO_read(server_io, buf, (int)num);
+ r = BIO_nwrite(io1, &dataptr, (int)num);
+ assert(r > 0);
+ assert(r <= (int)num);
+ num = r;
+ r = BIO_read(io2, dataptr, (int)num);
if (r != (int)num) /* can't happen */
{
fprintf(stderr, "ERROR: BIO_read could not read "
"BIO_ctrl_pending() bytes");
goto err;
}
- r = BIO_write(client_io, buf, (int)num);
- if (r != (int)num) /* can't happen */
- {
- fprintf(stderr, "ERROR: BIO_write could not write "
- "BIO_ctrl_get_write_guarantee() bytes");
- goto err;
- }
progress = 1;
-
+
if (debug)
- printf("S->C relaying: %d bytes\n", (int)num);
+ printf((io2 == client_io) ?
+ "C->S relaying: %d bytes\n" :
+ "S->C relaying: %d bytes\n",
+ (int)num);
}
- }
- while (r1 && r2);
+ } /* no loop, BIO_ctrl_get_read_request now returns 0 anyway */
if (!progress && !prev_progress)
if (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0)
@@ -758,13 +889,9 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count)
}
while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0);
- ciph = SSL_get_current_cipher(c_ssl);
if (verbose)
- fprintf(stdout,"DONE via BIO pair, protocol %s, cipher %s, %s\n",
- SSL_get_version(c_ssl),
- SSL_CIPHER_get_version(ciph),
- SSL_CIPHER_get_name(ciph));
- end:
+ print_details(c_ssl, "DONE via BIO pair: ");
+end:
ret = 0;
err:
@@ -808,7 +935,6 @@ int doit(SSL *s_ssl, SSL *c_ssl, long count)
int done=0;
int c_write,s_write;
int do_server=0,do_client=0;
- SSL_CIPHER *ciph;
c_to_s=BIO_new(BIO_s_mem());
s_to_c=BIO_new(BIO_s_mem());
@@ -1058,12 +1184,8 @@ int doit(SSL *s_ssl, SSL *c_ssl, long count)
if ((done & S_DONE) && (done & C_DONE)) break;
}
- ciph=SSL_get_current_cipher(c_ssl);
if (verbose)
- fprintf(stdout,"DONE, protocol %s, cipher %s, %s\n",
- SSL_get_version(c_ssl),
- SSL_CIPHER_get_version(ciph),
- SSL_CIPHER_get_name(ciph));
+ print_details(c_ssl, "DONE: ");
ret=0;
err:
/* We have to set the BIO's to NULL otherwise they will be
@@ -1091,7 +1213,7 @@ err:
return(ret);
}
-int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
+static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
{
char *s,buf[256];
@@ -1119,32 +1241,6 @@ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
return(ok);
}
-#ifndef NO_DH
-static unsigned char dh512_p[]={
- 0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75,
- 0x6F,0x4C,0xCA,0x92,0xDD,0x4B,0xE5,0x33,0xB8,0x04,0xFB,0x0F,
- 0xED,0x94,0xEF,0x9C,0x8A,0x44,0x03,0xED,0x57,0x46,0x50,0xD3,
- 0x69,0x99,0xDB,0x29,0xD7,0x76,0x27,0x6B,0xA2,0xD3,0xD4,0x12,
- 0xE2,0x18,0xF4,0xDD,0x1E,0x08,0x4C,0xF6,0xD8,0x00,0x3E,0x7C,
- 0x47,0x74,0xE8,0x33,
- };
-static unsigned char dh512_g[]={
- 0x02,
- };
-
-static DH *get_dh512(void)
- {
- DH *dh=NULL;
-
- if ((dh=DH_new()) == NULL) return(NULL);
- dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
- dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
- if ((dh->p == NULL) || (dh->g == NULL))
- return(NULL);
- return(dh);
- }
-#endif
-
#ifndef NO_RSA
static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength)
{
@@ -1161,3 +1257,101 @@ static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength)
return(rsa_tmp);
}
#endif
+
+#ifndef NO_DH
+/* These DH parameters have been generated as follows:
+ * $ openssl dhparam -C -noout 512
+ * $ openssl dhparam -C -noout 1024
+ * $ openssl dhparam -C -noout -dsaparam 1024
+ * (The third function has been renamed to avoid name conflicts.)
+ */
+DH *get_dh512()
+ {
+ static unsigned char dh512_p[]={
+ 0xCB,0xC8,0xE1,0x86,0xD0,0x1F,0x94,0x17,0xA6,0x99,0xF0,0xC6,
+ 0x1F,0x0D,0xAC,0xB6,0x25,0x3E,0x06,0x39,0xCA,0x72,0x04,0xB0,
+ 0x6E,0xDA,0xC0,0x61,0xE6,0x7A,0x77,0x25,0xE8,0x3B,0xB9,0x5F,
+ 0x9A,0xB6,0xB5,0xFE,0x99,0x0B,0xA1,0x93,0x4E,0x35,0x33,0xB8,
+ 0xE1,0xF1,0x13,0x4F,0x59,0x1A,0xD2,0x57,0xC0,0x26,0x21,0x33,
+ 0x02,0xC5,0xAE,0x23,
+ };
+ static unsigned char dh512_g[]={
+ 0x02,
+ };
+ DH *dh;
+
+ if ((dh=DH_new()) == NULL) return(NULL);
+ dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
+ dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
+ if ((dh->p == NULL) || (dh->g == NULL))
+ { DH_free(dh); return(NULL); }
+ return(dh);
+ }
+
+DH *get_dh1024()
+ {
+ static unsigned char dh1024_p[]={
+ 0xF8,0x81,0x89,0x7D,0x14,0x24,0xC5,0xD1,0xE6,0xF7,0xBF,0x3A,
+ 0xE4,0x90,0xF4,0xFC,0x73,0xFB,0x34,0xB5,0xFA,0x4C,0x56,0xA2,
+ 0xEA,0xA7,0xE9,0xC0,0xC0,0xCE,0x89,0xE1,0xFA,0x63,0x3F,0xB0,
+ 0x6B,0x32,0x66,0xF1,0xD1,0x7B,0xB0,0x00,0x8F,0xCA,0x87,0xC2,
+ 0xAE,0x98,0x89,0x26,0x17,0xC2,0x05,0xD2,0xEC,0x08,0xD0,0x8C,
+ 0xFF,0x17,0x52,0x8C,0xC5,0x07,0x93,0x03,0xB1,0xF6,0x2F,0xB8,
+ 0x1C,0x52,0x47,0x27,0x1B,0xDB,0xD1,0x8D,0x9D,0x69,0x1D,0x52,
+ 0x4B,0x32,0x81,0xAA,0x7F,0x00,0xC8,0xDC,0xE6,0xD9,0xCC,0xC1,
+ 0x11,0x2D,0x37,0x34,0x6C,0xEA,0x02,0x97,0x4B,0x0E,0xBB,0xB1,
+ 0x71,0x33,0x09,0x15,0xFD,0xDD,0x23,0x87,0x07,0x5E,0x89,0xAB,
+ 0x6B,0x7C,0x5F,0xEC,0xA6,0x24,0xDC,0x53,
+ };
+ static unsigned char dh1024_g[]={
+ 0x02,
+ };
+ DH *dh;
+
+ if ((dh=DH_new()) == NULL) return(NULL);
+ dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
+ dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
+ if ((dh->p == NULL) || (dh->g == NULL))
+ { DH_free(dh); return(NULL); }
+ return(dh);
+ }
+
+DH *get_dh1024dsa()
+ {
+ static unsigned char dh1024_p[]={
+ 0xC8,0x00,0xF7,0x08,0x07,0x89,0x4D,0x90,0x53,0xF3,0xD5,0x00,
+ 0x21,0x1B,0xF7,0x31,0xA6,0xA2,0xDA,0x23,0x9A,0xC7,0x87,0x19,
+ 0x3B,0x47,0xB6,0x8C,0x04,0x6F,0xFF,0xC6,0x9B,0xB8,0x65,0xD2,
+ 0xC2,0x5F,0x31,0x83,0x4A,0xA7,0x5F,0x2F,0x88,0x38,0xB6,0x55,
+ 0xCF,0xD9,0x87,0x6D,0x6F,0x9F,0xDA,0xAC,0xA6,0x48,0xAF,0xFC,
+ 0x33,0x84,0x37,0x5B,0x82,0x4A,0x31,0x5D,0xE7,0xBD,0x52,0x97,
+ 0xA1,0x77,0xBF,0x10,0x9E,0x37,0xEA,0x64,0xFA,0xCA,0x28,0x8D,
+ 0x9D,0x3B,0xD2,0x6E,0x09,0x5C,0x68,0xC7,0x45,0x90,0xFD,0xBB,
+ 0x70,0xC9,0x3A,0xBB,0xDF,0xD4,0x21,0x0F,0xC4,0x6A,0x3C,0xF6,
+ 0x61,0xCF,0x3F,0xD6,0x13,0xF1,0x5F,0xBC,0xCF,0xBC,0x26,0x9E,
+ 0xBC,0x0B,0xBD,0xAB,0x5D,0xC9,0x54,0x39,
+ };
+ static unsigned char dh1024_g[]={
+ 0x3B,0x40,0x86,0xE7,0xF3,0x6C,0xDE,0x67,0x1C,0xCC,0x80,0x05,
+ 0x5A,0xDF,0xFE,0xBD,0x20,0x27,0x74,0x6C,0x24,0xC9,0x03,0xF3,
+ 0xE1,0x8D,0xC3,0x7D,0x98,0x27,0x40,0x08,0xB8,0x8C,0x6A,0xE9,
+ 0xBB,0x1A,0x3A,0xD6,0x86,0x83,0x5E,0x72,0x41,0xCE,0x85,0x3C,
+ 0xD2,0xB3,0xFC,0x13,0xCE,0x37,0x81,0x9E,0x4C,0x1C,0x7B,0x65,
+ 0xD3,0xE6,0xA6,0x00,0xF5,0x5A,0x95,0x43,0x5E,0x81,0xCF,0x60,
+ 0xA2,0x23,0xFC,0x36,0xA7,0x5D,0x7A,0x4C,0x06,0x91,0x6E,0xF6,
+ 0x57,0xEE,0x36,0xCB,0x06,0xEA,0xF5,0x3D,0x95,0x49,0xCB,0xA7,
+ 0xDD,0x81,0xDF,0x80,0x09,0x4A,0x97,0x4D,0xA8,0x22,0x72,0xA1,
+ 0x7F,0xC4,0x70,0x56,0x70,0xE8,0x20,0x10,0x18,0x8F,0x2E,0x60,
+ 0x07,0xE7,0x68,0x1A,0x82,0x5D,0x32,0xA2,
+ };
+ DH *dh;
+
+ if ((dh=DH_new()) == NULL) return(NULL);
+ dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
+ dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
+ if ((dh->p == NULL) || (dh->g == NULL))
+ { DH_free(dh); return(NULL); }
+ dh->length = 160;
+ return(dh);
+ }
+#endif
diff --git a/crypto/openssl/ssl/t1_enc.c b/crypto/openssl/ssl/t1_enc.c
index 914b7434987f..279e45db5dd5 100644
--- a/crypto/openssl/ssl/t1_enc.c
+++ b/crypto/openssl/ssl/t1_enc.c
@@ -494,7 +494,7 @@ int tls1_cert_verify_mac(SSL *s, EVP_MD_CTX *in_ctx, unsigned char *out)
}
int tls1_final_finish_mac(SSL *s, EVP_MD_CTX *in1_ctx, EVP_MD_CTX *in2_ctx,
- unsigned char *str, int slen, unsigned char *out)
+ const char *str, int slen, unsigned char *out)
{
unsigned int i;
EVP_MD_CTX ctx;
@@ -621,11 +621,11 @@ int tls1_alert_code(int code)
case SSL_AD_ACCESS_DENIED: return(TLS1_AD_ACCESS_DENIED);
case SSL_AD_DECODE_ERROR: return(TLS1_AD_DECODE_ERROR);
case SSL_AD_DECRYPT_ERROR: return(TLS1_AD_DECRYPT_ERROR);
- case SSL_AD_EXPORT_RESTRICION: return(TLS1_AD_EXPORT_RESTRICION);
+ case SSL_AD_EXPORT_RESTRICTION: return(TLS1_AD_EXPORT_RESTRICTION);
case SSL_AD_PROTOCOL_VERSION: return(TLS1_AD_PROTOCOL_VERSION);
case SSL_AD_INSUFFICIENT_SECURITY:return(TLS1_AD_INSUFFICIENT_SECURITY);
case SSL_AD_INTERNAL_ERROR: return(TLS1_AD_INTERNAL_ERROR);
- case SSL_AD_USER_CANCLED: return(TLS1_AD_USER_CANCLED);
+ case SSL_AD_USER_CANCELLED: return(TLS1_AD_USER_CANCELLED);
case SSL_AD_NO_RENEGOTIATION: return(TLS1_AD_NO_RENEGOTIATION);
default: return(-1);
}
diff --git a/crypto/openssl/ssl/t1_lib.c b/crypto/openssl/ssl/t1_lib.c
index ddf5c15799ef..ca6c03d5af18 100644
--- a/crypto/openssl/ssl/t1_lib.c
+++ b/crypto/openssl/ssl/t1_lib.c
@@ -60,13 +60,9 @@
#include <openssl/objects.h>
#include "ssl_locl.h"
-char *tls1_version_str="TLSv1" OPENSSL_VERSION_PTEXT;
+const char *tls1_version_str="TLSv1" OPENSSL_VERSION_PTEXT;
-#ifndef NO_PROTO
static long tls1_default_timeout(void);
-#else
-static long tls1_default_timeout();
-#endif
static SSL3_ENC_METHOD TLSv1_enc_data={
tls1_enc,
@@ -105,6 +101,9 @@ static SSL_METHOD TLSv1_data= {
ssl_bad_method,
tls1_default_timeout,
&TLSv1_enc_data,
+ ssl_undefined_function,
+ ssl3_callback_ctrl,
+ ssl3_ctx_callback_ctrl,
};
static long tls1_default_timeout(void)
@@ -142,4 +141,9 @@ long tls1_ctrl(SSL *s, int cmd, long larg, char *parg)
{
return(0);
}
+
+long tls1_callback_ctrl(SSL *s, int cmd, void *(*fp)())
+ {
+ return(0);
+ }
#endif
diff --git a/crypto/openssl/ssl/tls1.h b/crypto/openssl/ssl/tls1.h
index a931efa936a0..6e2b06d34f71 100644
--- a/crypto/openssl/ssl/tls1.h
+++ b/crypto/openssl/ssl/tls1.h
@@ -65,7 +65,7 @@
extern "C" {
#endif
-#define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES 0
+#define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES 1
#define TLS1_VERSION 0x0301
#define TLS1_VERSION_MAJOR 0x03
@@ -77,11 +77,11 @@ extern "C" {
#define TLS1_AD_ACCESS_DENIED 49 /* fatal */
#define TLS1_AD_DECODE_ERROR 50 /* fatal */
#define TLS1_AD_DECRYPT_ERROR 51
-#define TLS1_AD_EXPORT_RESTRICION 60 /* fatal */
+#define TLS1_AD_EXPORT_RESTRICTION 60 /* fatal */
#define TLS1_AD_PROTOCOL_VERSION 70 /* fatal */
#define TLS1_AD_INSUFFICIENT_SECURITY 71 /* fatal */
#define TLS1_AD_INTERNAL_ERROR 80 /* fatal */
-#define TLS1_AD_USER_CANCLED 90
+#define TLS1_AD_USER_CANCELLED 90
#define TLS1_AD_NO_RENEGOTIATION 100
#define TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5 0x03000060
generated by cgit v1.2.3 (git 2.25.1) at 2024-09-23 16:25:33 +0000