Skip to content

O
openssl

btwise / openssl

通知 1
Star 0
Fork 0
O
openssl

体验新版 GitCode,发现更多精彩内容 >>

提交 f9b3bff6 编写于 作者: R Richard Levitte
浏览文件
操作

First tentative impementation of Kerberos 5 cryptos and keys for SSL/TLS. ... 

First tentative impementation of Kerberos 5 cryptos and keys for SSL/TLS.  Implemented by Vern Staats <staatsvr@asc.hpc.mil>, further hacked and distributed by Jeffrey Altman <jaltnab@columbia.edu>
上级 fc2e05c2
展开全部 隐藏空白更改
内联 并排
Showing with 1873 addition and 811 deletion
Configure
浏览文件 @ f9b3bff6
......@@ -10,7 +10,7 @@ use strict;
# see INSTALL for instructions.
my $usage="Usage: Configure [no-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [no-threads] [no-asm] [no-dso] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] os/compiler[:flags]\n";
my $usage="Usage: Configure [no-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [no-threads] [no-asm] [no-dso] [no-krb5] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx=vvv] os/compiler[:flags]\n";
# Options:
#
......@@ -23,6 +23,16 @@ my $usage="Usage: Configure [no-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-
# default). This needn't be set in advance, you can
# just as well use "make INSTALL_PREFIX=/whatever install".
#
# --with-krb5-dir Declare where Kerberos 5 lives. The libraries are expected
# to live in the subdirectory lib/ and the header files in
# include/.
# --with-krb5-lib Declare where the Kerberos 5 libraries live.
# (Default: KRB5_DIR/lib)
# --with-krb5-include Declare where the Kerberos 5 header files live.
# (Default: KRB5_DIR/include)
# --with-krb5-flavor Declare what flavor of Kerberos 5 is used. Currently
# supported values are "MIT" and "Heimdal".
#
# no-hw-xxx do not compile support for specific crypto hardware.
# Generic OpenSSL-style methods relating to this support
# are always compiled but return NULL if the hardware
......@@ -35,6 +45,7 @@ my $usage="Usage: Configure [no-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-
# no-asm do not use assembler
# no-dso do not compile in any native shared-library methods. This
# will ensure that all methods just return NULL.
# no-krb5 do not compile in any KRB5 library or code.
# 386 generate 80386 code
# no-<cipher> build without specified algorithm (rsa, idea, rc5, ...)
# -<xxx> +<xxx> compiler options are passed through
......@@ -423,6 +434,7 @@ my $openssldir="";
my $install_prefix="";
my $no_threads=0;
my $no_shared=1;
my $no_krb5=0;
my $threads=0;
my $no_asm=0;
my $no_dso=0;
......@@ -465,6 +477,7 @@ my $libs;
my $target;
my $options;
my $symlink;
my %withargs=();
my @argvcopy=@ARGV;
my $argvstring="";
......@@ -509,6 +522,8 @@ PROCESS_ARGS:
}
elsif (/^no-dso$/)
{ $no_dso=1; }
elsif (/^no-krb5$/)
{ $no_krb5=1; }
elsif (/^no-threads$/)
{ $no_threads=1; }
elsif (/^threads$/)
......@@ -589,6 +604,10 @@ PROCESS_ARGS:
{
$install_prefix=$1;
}
elsif (/^--with-krb5-(dir|lib|include|flavor)=(.*)$/)
{
$withargs{"krb5-".$1}=$2;
}
else
{
print STDERR $usage;
......@@ -653,6 +672,38 @@ print "IsWindows=$IsWindows\n";
split(/\s*:\s*/,$table{$target} . ":" x 30 , -1);
$cflags="$flags$cflags" if ($flags ne "");
# Kerberos settings. The flavor must be provided from outside, either through
# the script "config" or manually.
if ($no_krb5
|| !defined($withargs{"krb5-flavor"})
|| $withargs{"krb5-flavor"} eq "")
{
$cflags="-DNO_KRB5 $cflags";
}
else
{
if ($withargs{"krb5-flavor"} =~ /^[Hh]eimdal$/)
{
$withargs{"krb5-dir"} = "/usr/heimdal"
if $withargs{"krb5-dir"} eq "";
$withargs{"krb5-lib"} = "-L".$withargs{"krb5-dir"}.
"/lib -lgssapi -lkrb5 -lcom_err"
if $withargs{"krb5-lib"} eq "";
$cflags="-DKRB5_HEIMDAL $cflags";
}
if ($withargs{"krb5-flavor"} =~ /^[Mm][Ii][Tt]$/)
{
$withargs{"krb5-dir"} = "/usr/kerberos"
if $withargs{"krb5-dir"} eq "";
$withargs{"krb5-lib"} = "-L".$withargs{"krb5-dir"}.
"/lib -lgssapi_krb5 -lkrb5 -lcom_err -lk5crypto"
if $withargs{"krb5-lib"} eq "";
$cflags="-DKRB5_MIT $cflags";
}
$withargs{"krb5-include"} = "-I".$withargs{"krb5-dir"}."/include"
if $withargs{"krb5-include"} eq "" && $withargs{"krb5-dir"} ne "";
}
# The DSO code currently always implements all functions so that no
# applications will have to worry about that from a compilation point
# of view. However, the "method"s may return zero unless that platform
......@@ -845,6 +896,8 @@ while (<IN>)
s/^PROCESSOR=.*/PROCESSOR= $processor/;
s/^RANLIB=.*/RANLIB= $ranlib/;
s/^PERL=.*/PERL= $perl/;
s/^KRB5_INCLUDES=.*/KRB5_INCLUDES=$withargs{"krb5-include"}/;
s/^LIBKRB5=.*/LIBKRB5=$withargs{"krb5-lib"}/;
s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/;
s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/;
s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared);
......@@ -878,6 +931,10 @@ print "RMD160_OBJ_ASM=$rmd160_obj\n";
print "PROCESSOR =$processor\n";
print "RANLIB =$ranlib\n";
print "PERL =$perl\n";
print "KRB5_INCLUDES =",$withargs{"krb5-include"},"\n"
if $withargs{"krb5-include"} ne "";
print "LIBKRB5 =",$withargs{"krb5-lib"},"\n"
if $withargs{"krb5-lib"} ne "";
my $des_ptr=0;
my $des_risc1=0;
......
Makefile.org
浏览文件 @ f9b3bff6
......@@ -149,6 +149,10 @@ RMD160_ASM_OBJ= asm/rm86-out.o
#RMD160_ASM_OBJ= asm/rm86-out.o # a.out, FreeBSD
#RMD160_ASM_OBJ= asm/rm86bsdi.o # bsdi
# KRB5 stuff
KRB5_INCLUDES=
LIBKRB5=
# When we're prepared to use shared libraries in the programs we link here
# we might set SHLIB_MARK to '$(SHARED_LIBS)'.
SHLIB_MARK=
......@@ -204,7 +208,7 @@ sub_all:
do \
if [ -d "$$i" ]; then \
(cd $$i && echo "making all in $$i..." && \
$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' all ) || exit 1; \
$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' all ) || exit 1; \
else \
$(MAKE) $$i; \
fi; \
......@@ -373,7 +377,7 @@ links:
@for i in $(DIRS); do \
if [ -d "$$i" ]; then \
(cd $$i && echo "making links in $$i..." && \
$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PERL='${PERL}' links ) || exit 1; \
$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PERL='${PERL}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' links ) || exit 1; \
fi; \
done;
......@@ -396,7 +400,7 @@ test: tests
tests: rehash
@(cd test && echo "testing..." && \
$(MAKE) CC='${CC}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SDIRS='${SDIRS}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' TESTS='${TESTS}' tests );
$(MAKE) CC='${CC}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SDIRS='${SDIRS}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' tests );
@apps/openssl version -a
report:
......
apps/Makefile.ssl
浏览文件 @ f9b3bff6
此差异已折叠。
apps/s_client.c
浏览文件 @ f9b3bff6
......@@ -420,6 +420,12 @@ bad:
con=SSL_new(ctx);
#ifndef NO_KRB5
if (con && (con->kssl_ctx = kssl_ctx_new()) != NULL)
{
kssl_ctx_setstring(con->kssl_ctx, KSSL_SERVER, host);
}
#endif /* NO_KRB5 */
/* SSL_set_cipher_list(con,"RC4-MD5"); */
re_start:
......
apps/s_server.c
浏览文件 @ f9b3bff6
......@@ -821,6 +821,13 @@ static int sv_body(char *hostname, int s, unsigned char *context)
if (con == NULL) {
con=SSL_new(ctx);
#ifndef NO_KRB5
if ((con->kssl_ctx = kssl_ctx_new()) != NULL)
{
kssl_ctx_setstring(con->kssl_ctx, KSSL_SERVICE, KRB5SVC);
kssl_ctx_setstring(con->kssl_ctx, KSSL_KEYTAB, KRB5KEYTAB);
}
#endif /* NO_KRB5 */
if(context)
SSL_set_session_id_context(con, context,
strlen((char *)context));
......
config
浏览文件 @ f9b3bff6
......@@ -536,6 +536,27 @@ do
fi
done
# Discover Kerberos 5 (since it's still a prototype, we don't
# do any guesses yet, that's why this section is commented away.
#if [ -d /usr/kerberos ]; then
# krb5_dir=/usr/kerberos
# if [ \( -f $krb5_dir/lib/libgssapi_krb5.a -o -f $krb5_dir/lib/libgssapi_krb5.so* \)\
# -a \( -f $krb5_dir/lib/libkrb5.a -o -f $krb5_dir/lib/libkrb5.so* \)\
# -a \( -f $krb5_dir/lib/libcom_err.a -o -f $krb5_dir/lib/libcom_err.so* \)\
# -a \( -f $krb5_dir/lib/libk5crypto.a -o -f $krb5_dir/lib/libk5crypto.so* \)\
# -a \( -f $krb5_dir/include/krb5.h \) ]; then
# options="$options --with-krb5-flavor=MIT"
# fi
#elif [ -d /usr/heimdal ]; then
# krb5_dir=/usr/heimdal
# if [ \( -f $krb5_dir/lib/libgssapi.a -o -f $krb5_dir/lib/libgssapi.so* \)\
# -a \( -f $krb5_dir/lib/libkrb5.a -o -f $krb5_dir/lib/libkrb5.so* \)\
# -a \( -f $krb5_dir/lib/libcom_err.a -o -f $krb5_dir/lib/libcom_err.so* \)\
# -a \( -f $krb5_dir/include/krb5.h \) ]; then
# options="$options --with-krb5-flavor=Heimdal"
# fi
#fi
if [ -z "$OUT" ]; then
OUT="$CC"
fi
......
crypto/evp/e_des3.c
浏览文件 @ f9b3bff6
......@@ -93,6 +93,17 @@ static int des_ede_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
static int des_ede_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
const unsigned char *in, unsigned int inl)
{
#ifdef KSSL_DEBUG
{
int i;
char *cp;
printf("des_ede_cbc_cipher(ctx=%lx, buflen=%d)\n", ctx, ctx->buf_len);
printf("\t iv= ");
for(i=0;i<8;i++)
printf("%02X",ctx->iv[i]);
printf("\n");
}
#endif /* KSSL_DEBUG */
des_ede3_cbc_encrypt(in, out, (long)inl,
ctx->c.des_ede.ks1, ctx->c.des_ede.ks2, ctx->c.des_ede.ks3,
(des_cblock *)ctx->iv, ctx->encrypt);
......@@ -145,6 +156,16 @@ static int des_ede3_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
const unsigned char *iv, int enc)
{
des_cblock *deskey = (des_cblock *)key;
#ifdef KSSL_DEBUG
{
int i;
printf("des_ede3_init_key(ctx=%lx)\n", ctx);
printf("\tKEY= ");
for(i=0;i<24;i++) printf("%02X",key[i]); printf("\n");
printf("\t IV= ");
for(i=0;i<8;i++) printf("%02X",iv[i]); printf("\n");
}
#endif /* KSSL_DEBUG */
des_set_key_unchecked(&deskey[0],ctx->c.des_ede.ks1);
des_set_key_unchecked(&deskey[1],ctx->c.des_ede.ks2);
......
ssl/Makefile.ssl
浏览文件 @ f9b3bff6
此差异已折叠。
ssl/kssl.c
浏览文件 @ f9b3bff6
此差异已折叠。
ssl/kssl.h
浏览文件 @ f9b3bff6
......@@ -73,6 +73,15 @@
extern "C" {
#endif
/*
** Depending on which KRB5 implementation used, some types from
** the other may be missing. Resolve that here and now
*/
#ifdef KRB5_HEIMDAL
typedef unsigned char krb5_octet;
#define FAR
#endif
/* Uncomment this to debug kssl problems or
** to trace usage of the Kerberos session key
**
......@@ -106,6 +115,7 @@ typedef struct kssl_ctx_st
char *service_host; /* C input, REQUIRED */
char *client_princ; /* S output from krb5 ticket */
char *keytab_file; /* S NULL (/etc/krb5.keytab) */
char *cred_cache; /* C NULL (default) */
krb5_enctype enctype;
int length;
krb5_octet FAR *key;
......@@ -121,6 +131,7 @@ typedef struct kssl_ctx_st
#define KSSL_NOMEM 2
/* Private (internal to OpenSSL) */
void print_krb5_data(char *label, krb5_data *kdata);
void print_krb5_authdata(char *label, krb5_authdata **adata);
void print_krb5_keyblock(char *label, krb5_keyblock *keyblk);
......@@ -129,20 +140,20 @@ char *kstring(char *string);
char *knumber(int len, krb5_octet *contents);
void kssl_err_set(KSSL_ERR *kssl_err, int reason, char *text);
/* Public (for use by applications that use OpenSSL with Kerberos 5 support */
krb5_error_code kssl_ctx_setstring(KSSL_CTX *kssl_ctx, int which, char *text);
KSSL_CTX *kssl_ctx_new(void);
KSSL_CTX *kssl_ctx_free(KSSL_CTX *kssl_ctx);
void kssl_ctx_show(KSSL_CTX *kssl_ctx);
krb5_error_code kssl_ctx_setkey(KSSL_CTX *kssl_ctx, krb5_keyblock *session);
krb5_error_code kssl_ctx_setstring(KSSL_CTX *kssl_ctx, int which, char *text);
krb5_error_code kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which,
krb5_data *realm, krb5_data *entity);
krb5_error_code kssl_cget_tkt(KSSL_CTX *kssl_ctx, krb5_data *ap_req,
KSSL_ERR *kssl_err);
krb5_error_code kssl_sget_tkt(KSSL_CTX *kssl_ctx, char *msg, int msglen,
KSSL_ERR *kssl_err);
krb5_error_code kssl_ctx_setkey(KSSL_CTX *kssl_ctx, krb5_keyblock *session);
void kssl_err_set(KSSL_ERR *kssl_err, int reason, char *text);
void kssl_krb5_free_data_contents(krb5_context context, krb5_data *data);
#ifdef __cplusplus
}
......
ssl/s3_clnt.c
浏览文件 @ f9b3bff6
......@@ -65,6 +65,10 @@
#include <openssl/evp.h>
#include "ssl_locl.h"
#ifndef NO_KRB5
#include "kssl.h"
#endif
static SSL_METHOD *ssl3_get_client_method(int ver);
static int ssl3_client_hello(SSL *s);
static int ssl3_get_server_hello(SSL *s);
......@@ -687,6 +691,7 @@ static int ssl3_get_server_certificate(SSL *s)
STACK_OF(X509) *sk=NULL;
SESS_CERT *sc;
EVP_PKEY *pkey=NULL;
int need_cert = 1; /* VRS: 0=> will allow null cert if auth == KRB5 */
n=ssl3_get_message(s,
SSL3_ST_CR_CERT_A,
......@@ -782,10 +787,23 @@ static int ssl3_get_server_certificate(SSL *s)
* certificate, which we don't include in s3_srvr.c */
x=sk_X509_value(sk,0);
sk=NULL;
/* VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end */
pkey=X509_get_pubkey(x);
if ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey))
/* VRS: allow null cert if auth == KRB5 */
need_cert =
((s->s3->tmp.new_cipher->algorithms & (SSL_MKEY_MASK|SSL_AUTH_MASK))
== (SSL_aKRB5|SSL_kKRB5))? 0: 1;
#ifdef KSSL_DEBUG
printf("pkey,x = %p, %p\n", pkey,x);
printf("ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x,pkey));
printf("cipher, alg, nc = %s, %lx, %d\n", s->s3->tmp.new_cipher->name,
s->s3->tmp.new_cipher->algorithms, need_cert);
#endif /* KSSL_DEBUG */
if (need_cert && ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey)))
{
x=NULL;
al=SSL3_AL_FATAL;
......@@ -794,7 +812,7 @@ static int ssl3_get_server_certificate(SSL *s)
}
i=ssl_cert_type(x,pkey);
if (i < 0)
if (need_cert && i < 0)
{
x=NULL;
al=SSL3_AL_FATAL;
......@@ -802,19 +820,31 @@ static int ssl3_get_server_certificate(SSL *s)
goto f_err;
}
sc->peer_cert_type=i;
CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
if (sc->peer_pkeys[i].x509 != NULL) /* Why would this ever happen?
* We just created sc a couple of
* lines ago. */
X509_free(sc->peer_pkeys[i].x509);
sc->peer_pkeys[i].x509=x;
sc->peer_key= &(sc->peer_pkeys[i]);
if (s->session->peer != NULL)
X509_free(s->session->peer);
CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
s->session->peer=x;
if (need_cert)
{
sc->peer_cert_type=i;
CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
/* Why would the following ever happen?
* We just created sc a couple of lines ago. */
if (sc->peer_pkeys[i].x509 != NULL)
X509_free(sc->peer_pkeys[i].x509);
sc->peer_pkeys[i].x509=x;
sc->peer_key= &(sc->peer_pkeys[i]);
if (s->session->peer != NULL)
X509_free(s->session->peer);
CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
s->session->peer=x;
}
else
{
sc->peer_cert_type=i;
sc->peer_key= NULL;
if (s->session->peer != NULL)
X509_free(s->session->peer);
s->session->peer=NULL;
}
s->session->verify_result = s->verify_result;
x=NULL;
......@@ -1322,6 +1352,9 @@ static int ssl3_send_client_key_exchange(SSL *s)
unsigned char *q;
EVP_PKEY *pkey=NULL;
#endif
#ifndef NO_KRB5
KSSL_ERR kssl_err;
#endif /* NO_KRB5 */
if (s->state == SSL3_ST_CW_KEY_EXCH_A)
{
......@@ -1330,8 +1363,10 @@ static int ssl3_send_client_key_exchange(SSL *s)
l=s->s3->tmp.new_cipher->algorithms;
/* Fool emacs indentation */
if (0) {}
#ifndef NO_RSA
if (l & SSL_kRSA)
else if (l & SSL_kRSA)
{
RSA *rsa;
unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
......@@ -1388,10 +1423,75 @@ static int ssl3_send_client_key_exchange(SSL *s)
tmp_buf,SSL_MAX_MASTER_KEY_LENGTH);
memset(tmp_buf,0,SSL_MAX_MASTER_KEY_LENGTH);
}
else
#endif
#ifndef NO_KRB5
else if (l & SSL_kKRB5)
{
krb5_error_code krb5rc;
KSSL_CTX *kssl_ctx = s->kssl_ctx;
krb5_data krb5_ap_req;
#ifdef KSSL_DEBUG
printf("ssl3_send_client_key_exchange(%lx & %lx)\n",
l, SSL_kKRB5);
#endif /* KSSL_DEBUG */
/*
** Tried to send random tmp_buf[] as PMS in Kerberos ticket
** by passing krb5_mk_req_extended(ctx,authctx,opts, tmp_buf, ...)
** but: I can't retrieve the PMS on the other side! There is
** some indication in the krb5 source that this is only used
** to generate a checksum. OTOH, the Tung book shows data
** ("GET widget01.txt") being passed in krb5_mk_req_extended()
** by way of krb5_sendauth(). I don't get it.
** Until Kerberos goes 3DES, the big PMS secret would only be
** encrypted in 1-DES anyway. So losing the PMS shouldn't be
** a big deal.
*/
krb5rc = kssl_cget_tkt(kssl_ctx, &krb5_ap_req,
&kssl_err);
#ifdef KSSL_DEBUG
{
printf("kssl_cget_tkt rtn %d\n", krb5rc);
kssl_ctx_show(kssl_ctx);
if (krb5rc && kssl_err.text)
printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text);
}
#endif /* KSSL_DEBUG */
if (krb5rc)
{
ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, kssl_err.reason);
goto err;
}
/* Send ticket (copy to *p, set n = length)
*/
n = krb5_ap_req.length;
memcpy(p, krb5_ap_req.data, krb5_ap_req.length);
if (krb5_ap_req.data)
kssl_krb5_free_data_contents(NULL,&krb5_ap_req);
/* 19991013 VRS - 3DES is kind of bogus here,
** at least until Kerberos supports 3DES. The only
** real secret is the 8-byte Kerberos session key;
** the other key material ((s->) client_random, server_random)
** could be sniffed. Mixing in these nonces should help
** protect against replay attacks, however.
**
** Alternate code for Kerberos Purists:
**
** memcpy(s->session->master_key, kssl_ctx->key, kssl_ctx->length);
** s->session->master_key_length = kssl_ctx->length;
*/
s->session->master_key_length=
s->method->ssl3_enc->generate_master_secret(s,
s->session->master_key, kssl_ctx->key,kssl_ctx->length);
}
#endif
#ifndef NO_DH
if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
else if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
{
DH *dh_srvr,*dh_clnt;
......@@ -1445,8 +1545,8 @@ static int ssl3_send_client_key_exchange(SSL *s)
/* perhaps clean things up a bit EAY EAY EAY EAY*/
}
else
#endif
else
{
ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_INTERNAL_ERROR);
......@@ -1641,7 +1741,7 @@ static int ssl3_check_cert_and_algorithm(SSL *s)
algs=s->s3->tmp.new_cipher->algorithms;
/* we don't have a certificate */
if (algs & (SSL_aDH|SSL_aNULL))
if (algs & (SSL_aDH|SSL_aNULL|SSL_aKRB5))
return(1);
#ifndef NO_RSA
......
ssl/s3_lib.c
浏览文件 @ f9b3bff6
......@@ -473,6 +473,95 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
SSL_ALL_STRENGTHS,
},
#ifndef NO_KRB5
/* The Kerberos ciphers
** 20000107 VRS: And the first shall be last,
** in hopes of avoiding the lynx ssl renegotiation problem.
*/
/* Cipher 21 VRS */
{
1,
SSL3_TXT_KRB5_DES_40_CBC_SHA,
SSL3_CK_KRB5_DES_40_CBC_SHA,
SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_SHA1 |SSL_SSLV3,
SSL_EXPORT|SSL_EXP40,
0,
40,
56,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 22 VRS */
{
1,
SSL3_TXT_KRB5_DES_40_CBC_MD5,
SSL3_CK_KRB5_DES_40_CBC_MD5,
SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_MD5 |SSL_SSLV3,
SSL_EXPORT|SSL_EXP40,
0,
40,
56,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 23 VRS */
{
1,
SSL3_TXT_KRB5_DES_64_CBC_SHA,
SSL3_CK_KRB5_DES_64_CBC_SHA,
SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_SHA1 |SSL_SSLV3,
SSL_NOT_EXP|SSL_LOW,
0,
56,
56,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 24 VRS */
{
1,
SSL3_TXT_KRB5_DES_64_CBC_MD5,
SSL3_CK_KRB5_DES_64_CBC_MD5,
SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_MD5 |SSL_SSLV3,
SSL_NOT_EXP|SSL_LOW,
0,
56,
56,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 25 VRS */
{
1,
SSL3_TXT_KRB5_DES_192_CBC3_SHA,
SSL3_CK_KRB5_DES_192_CBC3_SHA,
SSL_kKRB5|SSL_aKRB5| SSL_3DES|SSL_SHA1 |SSL_SSLV3,
SSL_NOT_EXP|SSL_HIGH,
0,
112,
168,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 26 VRS */
{
1,
SSL3_TXT_KRB5_DES_192_CBC3_MD5,
SSL3_CK_KRB5_DES_192_CBC3_MD5,
SSL_kKRB5|SSL_aKRB5| SSL_3DES|SSL_MD5 |SSL_SSLV3,
SSL_NOT_EXP|SSL_HIGH,
0,
112,
168,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
#endif /* NO_KRB5 */
#if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES
/* New TLS Export CipherSuites */
/* Cipher 60 */
......@@ -1076,10 +1165,10 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *have,
sk_SSL_CIPHER_set_cmp_func(pref,ssl_cipher_ptr_id_cmp);
#ifdef CIPHER_DEBUG
printf("Have:\n");
for(i=0 ; i < sk_num(pref) ; ++i)
printf("Have %d from %p:\n", sk_SSL_CIPHER_num(pref), pref);
for(i=0 ; i < sk_SSL_CIPHER_num(pref) ; ++i)
{
c=(SSL_CIPHER *)sk_value(pref,i);
c=sk_SSL_CIPHER_value(pref,i);
printf("%p:%s\n",c,c->name);
}
#endif
......@@ -1092,6 +1181,10 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *have,
mask=cert->mask;
emask=cert->export_mask;
#ifdef KSSL_DEBUG
printf("ssl3_choose_cipher %d alg= %lx\n", i,c->algorithms);
#endif /* KSSL_DEBUG */
alg=c->algorithms&(SSL_MKEY_MASK|SSL_AUTH_MASK);
if (SSL_C_IS_EXPORT(c))
{
......
ssl/s3_srvr.c
浏览文件 @ f9b3bff6
......@@ -70,6 +70,10 @@
#include <openssl/x509.h>
#include "ssl_locl.h"
#ifndef NO_KRB5
#include "kssl.h"
#endif /* NO_KRB5 */
static SSL_METHOD *ssl3_get_server_method(int ver);
static int ssl3_get_client_hello(SSL *s);
static int ssl3_check_client_hello(SSL *s);
......@@ -262,7 +266,11 @@ int ssl3_accept(SSL *s)
/* clear this, it may get reset by
* send_server_key_exchange */
if (s->options & SSL_OP_EPHEMERAL_RSA)
if ((s->options & SSL_OP_EPHEMERAL_RSA)
#ifndef NO_KRB5
&& !(l & SSL_KRB5)
#endif /* NO_KRB5 */
)
s->s3->tmp.use_rsa_tmp=1;
else
s->s3->tmp.use_rsa_tmp=0;
......@@ -1257,6 +1265,9 @@ static int ssl3_get_client_key_exchange(SSL *s)
BIGNUM *pub=NULL;
DH *dh_srvr;
#endif
#ifndef NO_KRB5
KSSL_ERR kssl_err;
#endif /* NO_KRB5 */
n=ssl3_get_message(s,
SSL3_ST_SR_KEY_EXCH_A,
......@@ -1417,6 +1428,53 @@ static int ssl3_get_client_key_exchange(SSL *s)
}
else
#endif
#ifndef NO_KRB5
if (l & SSL_kKRB5)
{
krb5_error_code krb5rc;
KSSL_CTX *kssl_ctx = s->kssl_ctx;
if (!kssl_ctx) kssl_ctx = kssl_ctx_new();
if ((krb5rc = kssl_sget_tkt(kssl_ctx,
s->init_buf->data, s->init_buf->length,
&kssl_err)) != 0)
{
#ifdef KSSL_DEBUG
printf("kssl_sget_tkt rtn %d [%d]\n",
krb5rc, kssl_err.reason);
if (kssl_err.text)
printf("kssl_err text= %s\n", kssl_err.text);
#endif /* KSSL_DEBUG */
SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
kssl_err.reason);
goto err;
}
#ifdef KSSL_DEBUG
kssl_ctx_show(kssl_ctx);
#endif /* KSSL_DEBUG */
/* 19991013 VRS - 3DES is kind of bogus here,
** at least until Kerberos supports 3DES. The only
** real secret is the 8-byte Kerberos session key;
** the other key material (client_random, server_random)
** could be sniffed. Nonces may help against replays though.
**
** Alternate code for Kerberos Purists:
**
** memcpy(s->session->master_key, kssl_ctx->key, kssl_ctx->length);
** s->session->master_key_length = kssl_ctx->length;
*/
s->session->master_key_length=
s->method->ssl3_enc->generate_master_secret(s,
s->session->master_key, kssl_ctx->key, kssl_ctx->length);
/* Was doing kssl_ctx_free() here, but it caused problems for apache.
** kssl_ctx = kssl_ctx_free(kssl_ctx);
** if (s->kssl_ctx) s->kssl_ctx = NULL;
*/
}
else
#endif /* NO_KRB5 */
{
al=SSL_AD_HANDSHAKE_FAILURE;
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_UNKNOWN_CIPHER_TYPE);
......@@ -1737,7 +1795,11 @@ int ssl3_send_server_certificate(SSL *s)
if (s->state == SSL3_ST_SW_CERT_A)
{
x=ssl_get_server_send_cert(s);
if (x == NULL)
if (x == NULL &&
/* VRS: allow null cert if auth == KRB5 */
(s->s3->tmp.new_cipher->algorithms
& (SSL_MKEY_MASK|SSL_AUTH_MASK))
!= (SSL_aKRB5|SSL_kKRB5))
{
SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,SSL_R_INTERNAL_ERROR);
return(0);
......
ssl/ssl.h
浏览文件 @ f9b3bff6
......@@ -68,6 +68,9 @@
#ifndef NO_X509
#include <openssl/x509.h>
#endif
#ifndef NO_KRB5
#include <openssl/kssl.h>
#endif
#include <openssl/safestack.h>
#ifdef __cplusplus
......@@ -92,6 +95,15 @@ extern "C" {
#define SSL_TXT_DES_192_EDE3_CBC_WITH_MD5 SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5
#define SSL_TXT_DES_192_EDE3_CBC_WITH_SHA SSL2_TXT_DES_192_EDE3_CBC_WITH_SHA
/* VRS Additional Kerberos5 entries
*/
#define SSL_TXT_KRB5_DES_40_CBC_SHA SSL3_TXT_KRB5_DES_40_CBC_SHA
#define SSL_TXT_KRB5_DES_40_CBC_MD5 SSL3_TXT_KRB5_DES_40_CBC_MD5
#define SSL_TXT_KRB5_DES_64_CBC_SHA SSL3_TXT_KRB5_DES_64_CBC_SHA
#define SSL_TXT_KRB5_DES_64_CBC_MD5 SSL3_TXT_KRB5_DES_64_CBC_MD5
#define SSL_TXT_KRB5_DES_192_CBC3_SHA SSL3_TXT_KRB5_DES_192_CBC3_SHA
#define SSL_TXT_KRB5_DES_192_CBC3_MD5 SSL3_TXT_KRB5_DES_192_CBC3_MD5
#define SSL_MAX_SSL_SESSION_ID_LENGTH 32
#define SSL_MAX_SID_CTX_LENGTH 32
......@@ -112,6 +124,10 @@ extern "C" {
#define SSL_TXT_eNULL "eNULL"
#define SSL_TXT_NULL "NULL"
#define SSL_TXT_kKRB5 "kKRB5"
#define SSL_TXT_aKRB5 "aKRB5"
#define SSL_TXT_KRB5 "KRB5"
#define SSL_TXT_kRSA "kRSA"
#define SSL_TXT_kDHr "kDHr"
#define SSL_TXT_kDHd "kDHd"
......@@ -655,6 +671,10 @@ struct ssl_st
int error; /* error bytes to be written */
int error_code; /* actual code */
#ifndef NO_KRB5
KSSL_CTX *kssl_ctx; /* Kerberos 5 context */
#endif /* NO_KRB5 */
SSL_CTX *ctx;
/* set this flag to 1 and a sleep(1) is put into all SSL_read()
* and SSL_write() calls, good for nbio debuging :-) */
......
ssl/ssl3.h
浏览文件 @ f9b3bff6
......@@ -105,6 +105,22 @@ extern "C" {
#define SSL3_CK_FZA_DMS_FZA_SHA 0x0300001D
#define SSL3_CK_FZA_DMS_RC4_SHA 0x0300001E
/* VRS Additional Kerberos5 entries
*/
#define SSL3_CK_KRB5_DES_40_CBC_SHA 0x03000021
#define SSL3_CK_KRB5_DES_40_CBC_MD5 0x03000022
#define SSL3_CK_KRB5_DES_64_CBC_SHA 0x03000023
#define SSL3_CK_KRB5_DES_64_CBC_MD5 0x03000024
#define SSL3_CK_KRB5_DES_192_CBC3_SHA 0x03000025
#define SSL3_CK_KRB5_DES_192_CBC3_MD5 0x03000026
#define SSL3_TXT_KRB5_DES_40_CBC_SHA "EXP-KRB5-DES-CBC-SHA"
#define SSL3_TXT_KRB5_DES_40_CBC_MD5 "EXP-KRB5-DES-CBC-MD5"
#define SSL3_TXT_KRB5_DES_64_CBC_SHA "KRB5-DES-CBC-SHA"
#define SSL3_TXT_KRB5_DES_64_CBC_MD5 "KRB5-DES-CBC-MD5"
#define SSL3_TXT_KRB5_DES_192_CBC3_SHA "KRB5-DES-CBC3-SHA"
#define SSL3_TXT_KRB5_DES_192_CBC3_MD5 "KRB5-DES-CBC3-MD5"
#define SSL3_TXT_RSA_NULL_MD5 "NULL-MD5"
#define SSL3_TXT_RSA_NULL_SHA "NULL-SHA"
#define SSL3_TXT_RSA_RC4_40_MD5 "EXP-RC4-MD5"
......
ssl/ssl_ciph.c
浏览文件 @ f9b3bff6
......@@ -100,6 +100,7 @@ typedef struct cipher_order_st
static const SSL_CIPHER cipher_aliases[]={
/* Don't include eNULL unless specifically enabled */
{0,SSL_TXT_ALL, 0,SSL_ALL & ~SSL_eNULL, SSL_ALL ,0,0,0,SSL_ALL,SSL_ALL}, /* must be first */
{0,SSL_TXT_kKRB5,0,SSL_kKRB5,0,0,0,0,SSL_MKEY_MASK,0}, /* VRS Kerberos5 */
{0,SSL_TXT_kRSA,0,SSL_kRSA, 0,0,0,0,SSL_MKEY_MASK,0},
{0,SSL_TXT_kDHr,0,SSL_kDHr, 0,0,0,0,SSL_MKEY_MASK,0},
{0,SSL_TXT_kDHd,0,SSL_kDHd, 0,0,0,0,SSL_MKEY_MASK,0},
......@@ -108,6 +109,7 @@ static const SSL_CIPHER cipher_aliases[]={
{0,SSL_TXT_DH, 0,SSL_DH, 0,0,0,0,SSL_MKEY_MASK,0},
{0,SSL_TXT_EDH, 0,SSL_EDH, 0,0,0,0,SSL_MKEY_MASK|SSL_AUTH_MASK,0},
{0,SSL_TXT_aKRB5,0,SSL_aKRB5,0,0,0,0,SSL_AUTH_MASK,0}, /* VRS Kerberos5 */
{0,SSL_TXT_aRSA,0,SSL_aRSA, 0,0,0,0,SSL_AUTH_MASK,0},
{0,SSL_TXT_aDSS,0,SSL_aDSS, 0,0,0,0,SSL_AUTH_MASK,0},
{0,SSL_TXT_aFZA,0,SSL_aFZA, 0,0,0,0,SSL_AUTH_MASK,0},
......@@ -128,6 +130,7 @@ static const SSL_CIPHER cipher_aliases[]={
{0,SSL_TXT_SHA, 0,SSL_SHA, 0,0,0,0,SSL_MAC_MASK,0},
{0,SSL_TXT_NULL,0,SSL_NULL, 0,0,0,0,SSL_ENC_MASK,0},
{0,SSL_TXT_KRB5,0,SSL_KRB5, 0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0},
{0,SSL_TXT_RSA, 0,SSL_RSA, 0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0},
{0,SSL_TXT_ADH, 0,SSL_ADH, 0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0},
{0,SSL_TXT_FZA, 0,SSL_FZA, 0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK|SSL_ENC_MASK,0},
......@@ -291,6 +294,9 @@ static unsigned long ssl_cipher_get_disabled(void)
#ifdef NO_DH
mask |= SSL_kDHr|SSL_kDHd|SSL_kEDH|SSL_aDH;
#endif
#ifdef NO_KRB5
mask |= SSL_kKRB5|SSL_aKRB5;
#endif
#ifdef SSL_FORBID_ENULL
mask |= SSL_eNULL;
......@@ -336,6 +342,9 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
list[list_num].prev = NULL;
list[list_num].active = 0;
list_num++;
#ifdef KSSL_DEBUG
printf("\t%d: %s %lx %lx\n",i,c->name,c->id,c->algorithms);
#endif /* KSSL_DEBUG */
/*
if (!sk_push(ca_list,(char *)c)) goto err;
*/
......@@ -738,6 +747,9 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
* it is used for allocation.
*/
num_of_ciphers = ssl_method->num_ciphers();
#ifdef KSSL_DEBUG
printf("ssl_create_cipher_list() for %d ciphers\n", num_of_ciphers);
#endif /* KSSL_DEBUG */
list = (CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * num_of_ciphers);
if (list == NULL)
{
......@@ -872,8 +884,12 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
char *ver,*exp;
char *kx,*au,*enc,*mac;
unsigned long alg,alg2,alg_s;
#ifdef KSSL_DEBUG
static char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s AL=%lx\n";
#else
static char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s\n";
#endif /* KSSL_DEBUG */
alg=cipher->algorithms;
alg_s=cipher->algo_strength;
alg2=cipher->algorithm2;
......@@ -901,6 +917,10 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
case SSL_kDHd:
kx="DH/DSS";
break;
case SSL_kKRB5: /* VRS */
case SSL_KRB5: /* VRS */
kx="KRB5";
break;
case SSL_kFZA:
kx="Fortezza";
break;
......@@ -922,6 +942,10 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
case SSL_aDH:
au="DH";
break;
case SSL_aKRB5: /* VRS */
case SSL_KRB5: /* VRS */
au="KRB5";
break;
case SSL_aFZA:
case SSL_aNULL:
au="None";
......@@ -982,7 +1006,11 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
else if (len < 128)
return("Buffer too small");
#ifdef KSSL_DEBUG
BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp,alg);
#else
BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp);
#endif /* KSSL_DEBUG */
return(buf);
}
......
ssl/ssl_lib.c
浏览文件 @ f9b3bff6
......@@ -191,6 +191,10 @@ SSL *SSL_new(SSL_CTX *ctx)
if (s == NULL) goto err;
memset(s,0,sizeof(SSL));
#ifndef NO_KRB5
s->kssl_ctx = kssl_ctx_new();
#endif /* NO_KRB5 */
if (ctx->cert != NULL)
{
/* Earlier library versions used to copy the pointer to
......@@ -1383,6 +1387,11 @@ void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher)
mask|=SSL_aNULL;
emask|=SSL_aNULL;
#ifndef NO_KRB5
mask|=SSL_kKRB5|SSL_aKRB5;
emask|=SSL_kKRB5|SSL_aKRB5;
#endif
c->mask=mask;
c->export_mask=emask;
c->valid=1;
......@@ -1415,6 +1424,11 @@ X509 *ssl_get_server_send_cert(SSL *s)
else
i=SSL_PKEY_RSA_ENC;
}
else if (kalg & SSL_aKRB5)
{
/* VRS something else here? */
return(NULL);
}
else /* if (kalg & SSL_aNULL) */
{
SSLerr(SSL_F_SSL_GET_SERVER_SEND_CERT,SSL_R_INTERNAL_ERROR);
......
ssl/ssl_locl.h
浏览文件 @ f9b3bff6
......@@ -168,48 +168,51 @@
* that the different entities within are mutually exclusive:
* ONLY ONE BIT PER MASK CAN BE SET AT A TIME.
*/
#define SSL_MKEY_MASK 0x0000001FL
#define SSL_MKEY_MASK 0x0000003FL
#define SSL_kRSA 0x00000001L /* RSA key exchange */
#define SSL_kDHr 0x00000002L /* DH cert RSA CA cert */
#define SSL_kDHd 0x00000004L /* DH cert DSA CA cert */
#define SSL_kFZA 0x00000008L
#define SSL_kEDH 0x00000010L /* tmp DH key no DH cert */
#define SSL_kKRB5 0x00000020L /* Kerberos5 key exchange */
#define SSL_EDH (SSL_kEDH|(SSL_AUTH_MASK^SSL_aNULL))
#define SSL_AUTH_MASK 0x000003e0L
#define SSL_aRSA 0x00000020L /* Authenticate with RSA */
#define SSL_aDSS 0x00000040L /* Authenticate with DSS */
#define SSL_AUTH_MASK 0x00000FC0L
#define SSL_aRSA 0x00000040L /* Authenticate with RSA */
#define SSL_aDSS 0x00000080L /* Authenticate with DSS */
#define SSL_DSS SSL_aDSS
#define SSL_aFZA 0x00000080L
#define SSL_aNULL 0x00000100L /* no Authenticate, ADH */
#define SSL_aDH 0x00000200L /* no Authenticate, ADH */
#define SSL_aFZA 0x00000100L
#define SSL_aNULL 0x00000200L /* no Authenticate, ADH */
#define SSL_aDH 0x00000400L /* no Authenticate, ADH */
#define SSL_aKRB5 0x00000800L /* Authenticate with KRB5 */
#define SSL_NULL (SSL_eNULL)
#define SSL_ADH (SSL_kEDH|SSL_aNULL)
#define SSL_RSA (SSL_kRSA|SSL_aRSA)
#define SSL_DH (SSL_kDHr|SSL_kDHd|SSL_kEDH)
#define SSL_FZA (SSL_aFZA|SSL_kFZA|SSL_eFZA)
#define SSL_ENC_MASK 0x0001Fc00L
#define SSL_DES 0x00000400L
#define SSL_3DES 0x00000800L
#define SSL_RC4 0x00001000L
#define SSL_RC2 0x00002000L
#define SSL_IDEA 0x00004000L
#define SSL_eFZA 0x00008000L
#define SSL_eNULL 0x00010000L
#define SSL_MAC_MASK 0x00060000L
#define SSL_MD5 0x00020000L
#define SSL_SHA1 0x00040000L
#define SSL_KRB5 (SSL_kKRB5|SSL_aKRB5)
#define SSL_ENC_MASK 0x0007F000L
#define SSL_DES 0x00001000L
#define SSL_3DES 0x00002000L
#define SSL_RC4 0x00004000L
#define SSL_RC2 0x00008000L
#define SSL_IDEA 0x00010000L
#define SSL_eFZA 0x00020000L
#define SSL_eNULL 0x00040000L
#define SSL_MAC_MASK 0x00180000L
#define SSL_MD5 0x00080000L
#define SSL_SHA1 0x00100000L
#define SSL_SHA (SSL_SHA1)
#define SSL_SSL_MASK 0x00180000L
#define SSL_SSLV2 0x00080000L
#define SSL_SSLV3 0x00100000L
#define SSL_SSL_MASK 0x00600000L
#define SSL_SSLV2 0x00200000L
#define SSL_SSLV3 0x00400000L
#define SSL_TLSV1 SSL_SSLV3 /* for now */
/* we have used 001fffff - 11 bits left to go */
/* we have used 007fffff - 9 bits left to go */
/*
* Export and cipher strength information. For each cipher we have to decide
......
ssl/ssltest.c
浏览文件 @ f9b3bff6
......@@ -74,6 +74,7 @@
#include <openssl/err.h>
#include <openssl/rand.h>
#ifdef WINDOWS
#include <winsock.h>
#include "../crypto/bio/bss_file.c"
#endif
......@@ -517,6 +518,19 @@ bad:
c_ssl=SSL_new(c_ctx);
s_ssl=SSL_new(s_ctx);
#ifndef NO_KRB5
if (c_ssl && c_ssl->kssl_ctx)
{
char localhost[257];
if (gethostname(localhost, 256) == 0)
{
kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER,
localhost);
}
}
#endif /* NO_KRB5 */
for (i=0; i<number; i++)
{
if (!reuse) SSL_set_session(c_ssl,NULL);
......
ssl/t1_enc.c
浏览文件 @ f9b3bff6
......@@ -148,6 +148,17 @@ static void tls1_generate_key_block(SSL *s, unsigned char *km,
tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(p-buf),
s->session->master_key,s->session->master_key_length,
km,tmp,num);
#ifdef KSSL_DEBUG
printf("tls1_generate_key_block() ==> %d byte master_key =\n\t",
s->session->master_key_length);
{
int i;
for (i=0; i < s->session->master_key_length; i++)
{
printf("%02X", s->session->master_key[i]);
}
printf("\n"); }
#endif /* KSSL_DEBUG */
}
int tls1_change_cipher_state(SSL *s, int which)
......@@ -174,6 +185,21 @@ int tls1_change_cipher_state(SSL *s, int which)
comp=s->s3->tmp.new_compression;
key_block=s->s3->tmp.key_block;
#ifdef KSSL_DEBUG
printf("tls1_change_cipher_state(which= %d) w/\n", which);
printf("\talg= %ld, comp= %p\n", s->s3->tmp.new_cipher->algorithms,
comp);
printf("\tevp_cipher == %p ==? &d_cbc_ede_cipher3\n", c);
printf("\tevp_cipher: nid, blksz= %d, %d, keylen=%d, ivlen=%d\n",
c->nid,c->block_size,c->key_len,c->iv_len);
printf("\tkey_block: len= %d, data= ", s->s3->tmp.key_block_length);
{
int i;
for (i=0; i<s->s3->tmp.key_block_length; i++)
printf("%02x", key_block[i]); printf("\n");
}
#endif /* KSSL_DEBUG */
if (which & SSL3_CC_READ)
{
if ((s->enc_read_ctx == NULL) &&
......@@ -309,6 +335,16 @@ printf("which = %04X\nmac key=",which);
}
s->session->key_arg_length=0;
#ifdef KSSL_DEBUG
{
int i;
printf("EVP_CipherInit(dd,c,key=,iv=,which)\n");
printf("\tkey= "); for (i=0; i<c->key_len; i++) printf("%02x", key[i]);
printf("\n");
printf("\t iv= "); for (i=0; i<c->iv_len; i++) printf("%02x", iv[i]);
printf("\n");
}
#endif /* KSSL_DEBUG */
EVP_CipherInit(dd,c,key,iv,(which & SSL3_CC_WRITE));
#ifdef TLS_DEBUG
......@@ -338,6 +374,10 @@ int tls1_setup_key_block(SSL *s)
int num;
SSL_COMP *comp;
#ifdef KSSL_DEBUG
printf ("tls1_setup_key_block()\n");
#endif /* KSSL_DEBUG */
if (s->s3->tmp.key_block_length != 0)
return(1);
......@@ -417,6 +457,10 @@ int tls1_enc(SSL *s, int send)
enc=EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
}
#ifdef KSSL_DEBUG
printf("tls1_enc(%d)\n", send);
#endif /* KSSL_DEBUG */
if ((s->session == NULL) || (ds == NULL) ||
(enc == NULL))
{
......@@ -447,8 +491,35 @@ int tls1_enc(SSL *s, int send)
rec->length+=i;
}
#ifdef KSSL_DEBUG
{
unsigned long i;
printf("EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n",
ds,rec->data,rec->input,l);
printf("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%d %d], %d iv_len\n",
ds->buf_len, ds->cipher->key_len,
DES_KEY_SZ, DES_SCHEDULE_SZ,
ds->cipher->iv_len);
printf("\t\tIV: ");
for (i=0; i<ds->cipher->iv_len; i++) printf("%02X", ds->iv[i]);
printf("\n");
printf("\trec->input=");
for (i=0; i<l; i++) printf(" %02x", rec->input[i]);
printf("\n");
}
#endif /* KSSL_DEBUG */
EVP_Cipher(ds,rec->data,rec->input,l);
#ifdef KSSL_DEBUG
{
unsigned long i;
printf("\trec->data=");
for (i=0; i<l; i++)
printf(" %02x", rec->data[i]); printf("\n");
}
#endif /* KSSL_DEBUG */
if ((bs != 1) && !send)
{
ii=i=rec->data[l-1];
......@@ -586,6 +657,10 @@ int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
unsigned char buf[SSL3_RANDOM_SIZE*2+TLS_MD_MASTER_SECRET_CONST_SIZE];
unsigned char buff[SSL_MAX_MASTER_KEY_LENGTH];
#ifdef KSSL_DEBUG
printf ("tls1_generate_master_secret(%p,%p, %p, %d)\n", s,out, p,len);
#endif /* KSSL_DEBUG */
/* Setup the stuff to munge */
memcpy(buf,TLS_MD_MASTER_SECRET_CONST,
TLS_MD_MASTER_SECRET_CONST_SIZE);
......@@ -596,6 +671,9 @@ int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
tls1_PRF(s->ctx->md5,s->ctx->sha1,
buf,TLS_MD_MASTER_SECRET_CONST_SIZE+SSL3_RANDOM_SIZE*2,p,len,
s->session->master_key,buff,SSL3_MASTER_SECRET_SIZE);
#ifdef KSSL_DEBUG
printf ("tls1_generate_master_secret() complete\n");
#endif /* KSSL_DEBUG */
return(SSL3_MASTER_SECRET_SIZE);
}
......
test/Makefile.ssl
浏览文件 @ f9b3bff6
......@@ -5,7 +5,7 @@
DIR= test
TOP= ..
CC= cc
INCLUDES= -I../include
INCLUDES= -I../include $(KRB5_INCLUDES)
CFLAG= -g
INSTALL_PREFIX=
OPENSSLDIR= /usr/local/ssl
......@@ -328,7 +328,7 @@ $(METHTEST): $(METHTEST).o $(DLIBCRYPTO)
$(CC) -o $(METHTEST) $(CFLAGS) $(METHTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
$(SSLTEST): $(SSLTEST).o $(DLIBSSL) $(DLIBCRYPTO)
$(CC) -o $(SSLTEST) $(CFLAGS) $(SSLTEST).o $(PEX_LIBS) $(LIBSSL) $(LIBCRYPTO) $(EX_LIBS)
$(CC) -o $(SSLTEST) $(CFLAGS) $(SSLTEST).o $(PEX_LIBS) $(LIBSSL) $(LIBKRB5) $(LIBCRYPTO) $(EX_LIBS)
$(ENGINETEST): $(ENGINETEST).o $(DLIBCRYPTO)
$(CC) -o $(ENGINETEST) $(CFLAGS) $(ENGINETEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)
......@@ -445,19 +445,19 @@ ssltest.o: ../include/openssl/des.h ../include/openssl/dh.h
ssltest.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
ssltest.o: ../include/openssl/e_os2.h ../include/openssl/err.h
ssltest.o: ../include/openssl/evp.h ../include/openssl/idea.h
ssltest.o: ../include/openssl/lhash.h ../include/openssl/md2.h
ssltest.o: ../include/openssl/md4.h ../include/openssl/md5.h
ssltest.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
ssltest.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
ssltest.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
ssltest.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
ssltest.o: ../include/openssl/rand.h ../include/openssl/rc2.h
ssltest.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
ssltest.o: ../include/openssl/rd_fst.h ../include/openssl/rijndael.h
ssltest.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
ssltest.o: ../include/openssl/safestack.h ../include/openssl/sha.h
ssltest.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
ssltest.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
ssltest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
ssltest.o: ../include/openssl/tls1.h ../include/openssl/x509.h
ssltest.o: ../include/openssl/x509_vfy.h
ssltest.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
ssltest.o: ../include/openssl/md2.h ../include/openssl/md4.h
ssltest.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
ssltest.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
ssltest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
ssltest.o: ../include/openssl/pem.h ../include/openssl/pem2.h
ssltest.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
ssltest.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
ssltest.o: ../include/openssl/rc5.h ../include/openssl/rd_fst.h
ssltest.o: ../include/openssl/rijndael.h ../include/openssl/ripemd.h
ssltest.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
ssltest.o: ../include/openssl/sha.h ../include/openssl/ssl.h
ssltest.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
ssltest.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
ssltest.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
ssltest.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册