Skip to content

T
Third Party Openssl

OpenHarmony / Third Party Openssl
1 年多 前同步成功

通知 9
Star 18
Fork 1
T
Third Party Openssl
提交 52b8dad8 编写于 作者: B Bodo Möller
浏览文件
操作

Reorganize the data used for SSL ciphersuite pattern matching. 

This change resolves a number of problems and obviates multiple kludges.
A new feature is that you can now say "AES256" or "AES128" (not just
"AES", which enables both).

In some cases the ciphersuite list generated from a given string is
affected by this change.  I hope this is just in those cases where the
previous behaviour did not make sense.
上级 cc684e33
展开全部 隐藏空白更改
内联 并排
Showing with 1838 addition and 1368 deletion
CHANGES
浏览文件 @ 52b8dad8
......@@ -4,6 +4,28 @@
Changes between 0.9.8e and 0.9.9 [xx XXX xxxx]
*) Split the SSL/TLS algorithm mask (as used for ciphersuite string
processing) into multiple integers instead of setting
"SSL_MKEY_MASK" bits, "SSL_AUTH_MASK" bits, "SSL_ENC_MASK",
"SSL_MAC_MASK", and "SSL_SSL_MASK" bits all in a single integer.
(These masks as well as the individual bit definitions are hidden
away into the non-exported interface ssl/ssl_locl.h, so this
change to the definition of the SSL_CIPHER structure shouldn't
affect applications.) This give us more bits for each of these
categories, so there is no longer a need to coagulate AES128 and
AES256 into a single algorithm bit, and to coagulate Camellia128
and Camellia256 into a single algorithm bit, which has led to all
kinds of kludges.
Thus, among other things, the kludge introduced in 0.9.7m and
0.9.8e for masking out AES256 independently of AES128 or masking
out Camellia256 independently of AES256 is not needed here in 0.9.9.
With the change, we also introduce new ciphersuite aliases that
so far were missing: "AES128", "AES256", "CAMELLIA128", and
"CAMELLIA256".
[Bodo Moeller]
*) Add support for dsa-with-SHA224 and dsa-with-SHA256.
Use the leftmost N bytes of the signature input if the input is
larger than the prime q (with N being the size in bytes of q).
......@@ -430,6 +452,13 @@
Changes between 0.9.8d and 0.9.8e [XX xxx XXXX]
*) Since AES128 and AES256 (and similarly Camellia128 and
Camellia256) share a single mask bit in the logic of
ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a
kludge to work properly if AES128 is available and AES256 isn't
(or if Camellia128 is available and Camellia256 isn't).
[Victor Duchovni]
*) Fix the BIT STRING encoding generated by crypto/ec/ec_asn1.c
(within i2d_ECPrivateKey, i2d_ECPKParameters, i2d_ECParameters):
When a point or a seed is encoded in a BIT STRING, we need to
......@@ -1459,6 +1488,11 @@
Changes between 0.9.7l and 0.9.7m [xx XXX xxxx]
*) Since AES128 and AES256 share a single mask bit in the logic of
ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a
kludge to work properly if AES128 is available and AES256 isn't.
[Victor Duchovni]
*) Have SSL/TLS server implementation tolerate "mismatched" record
protocol version while receiving ClientHello even if the
ClientHello is fragmented. (The server can't insist on the
......
LICENSE
浏览文件 @ 52b8dad8
......@@ -12,7 +12,7 @@
---------------
/* ====================================================================
* Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
* Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
......
README
浏览文件 @ 52b8dad8
OpenSSL 0.9.9-dev XX xxx XXXX
Copyright (c) 1998-2005 The OpenSSL Project
Copyright (c) 1998-2007 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
All rights reserved.
......
crypto/opensslv.h
浏览文件 @ 52b8dad8
......@@ -83,7 +83,7 @@
* should only keep the versions that are binary compatible with the current.
*/
#define SHLIB_VERSION_HISTORY ""
#define SHLIB_VERSION_NUMBER "0.9.8"
#define SHLIB_VERSION_NUMBER "0.9.9"
#endif /* HEADER_OPENSSLV_H */
ssl/d1_clnt.c
浏览文件 @ 52b8dad8
......@@ -4,7 +4,7 @@
* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
*/
/* ====================================================================
* Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved.
* Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
......@@ -274,7 +274,7 @@ int dtls1_connect(SSL *s)
case SSL3_ST_CR_CERT_A:
case SSL3_ST_CR_CERT_B:
/* Check if it is anon DH */
if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL))
{
ret=ssl3_get_server_certificate(s);
if (ret <= 0) goto end;
......@@ -335,7 +335,6 @@ int dtls1_connect(SSL *s)
case SSL3_ST_CW_KEY_EXCH_B:
ret=dtls1_send_client_key_exchange(s);
if (ret <= 0) goto end;
l=s->s3->tmp.new_cipher->algorithms;
/* EAY EAY EAY need to check for DH fix cert
* sent back */
/* For TLS, cert_req is set to 2, so a cert chain
......@@ -684,7 +683,7 @@ int dtls1_send_client_key_exchange(SSL *s)
{
unsigned char *p,*d;
int n;
unsigned long l;
unsigned long alg_k;
#ifndef OPENSSL_NO_RSA
unsigned char *q;
EVP_PKEY *pkey=NULL;
......@@ -697,13 +696,13 @@ int dtls1_send_client_key_exchange(SSL *s)
{
d=(unsigned char *)s->init_buf->data;
p= &(d[DTLS1_HM_HEADER_LENGTH]);
l=s->s3->tmp.new_cipher->algorithms;
alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
/* Fool emacs indentation */
if (0) {}
#ifndef OPENSSL_NO_RSA
else if (l & SSL_kRSA)
else if (alg_k & SSL_kRSA)
{
RSA *rsa;
unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
......@@ -762,7 +761,7 @@ int dtls1_send_client_key_exchange(SSL *s)
}
#endif
#ifndef OPENSSL_NO_KRB5
else if (l & SSL_kKRB5)
else if (alg_k & SSL_kKRB5)
{
krb5_error_code krb5rc;
KSSL_CTX *kssl_ctx = s->kssl_ctx;
......@@ -781,7 +780,7 @@ int dtls1_send_client_key_exchange(SSL *s)
#ifdef KSSL_DEBUG
printf("ssl3_send_client_key_exchange(%lx & %lx)\n",
l, SSL_kKRB5);
alg_k, SSL_kKRB5);
#endif /* KSSL_DEBUG */
authp = NULL;
......@@ -894,7 +893,7 @@ int dtls1_send_client_key_exchange(SSL *s)
}
#endif
#ifndef OPENSSL_NO_DH
else if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
{
DH *dh_srvr,*dh_clnt;
......
ssl/d1_srvr.c
浏览文件 @ 52b8dad8
......@@ -4,7 +4,7 @@
* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
*/
/* ====================================================================
* Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved.
* Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
......@@ -148,6 +148,7 @@ int dtls1_accept(SSL *s)
unsigned long l,Time=(unsigned long)time(NULL);
void (*cb)(const SSL *ssl,int type,int val)=NULL;
long num1;
unsigned long alg_k;
int ret= -1;
int new_state,state,skip=0;
......@@ -237,11 +238,11 @@ int dtls1_accept(SSL *s)
s->state=SSL3_ST_SW_HELLO_REQ_A;
}
if ( (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE))
s->d1->send_cookie = 1;
else
s->d1->send_cookie = 0;
if ( (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE))
s->d1->send_cookie = 1;
else
s->d1->send_cookie = 0;
break;
case SSL3_ST_SW_HELLO_REQ_A:
......@@ -270,7 +271,7 @@ int dtls1_accept(SSL *s)
if (ret <= 0) goto end;
s->new_session = 2;
if ( s->d1->send_cookie)
if (s->d1->send_cookie)
s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A;
else
s->state = SSL3_ST_SW_SRVR_HELLO_A;
......@@ -303,7 +304,7 @@ int dtls1_accept(SSL *s)
case SSL3_ST_SW_CERT_A:
case SSL3_ST_SW_CERT_B:
/* Check if it is anon DH */
if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL))
{
ret=dtls1_send_server_certificate(s);
if (ret <= 0) goto end;
......@@ -316,13 +317,13 @@ int dtls1_accept(SSL *s)
case SSL3_ST_SW_KEY_EXCH_A:
case SSL3_ST_SW_KEY_EXCH_B:
l=s->s3->tmp.new_cipher->algorithms;
alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
/* clear this, it may get reset by
* send_server_key_exchange */
if ((s->options & SSL_OP_EPHEMERAL_RSA)
#ifndef OPENSSL_NO_KRB5
&& !(l & SSL_KRB5)
&& !(alg_k & SSL_kKRB5)
#endif /* OPENSSL_NO_KRB5 */
)
/* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
......@@ -336,8 +337,8 @@ int dtls1_accept(SSL *s)
/* only send if a DH key exchange or
* RSA but we have a sign only certificate */
if (s->s3->tmp.use_rsa_tmp
|| (l & SSL_DH)
|| ((l & SSL_kRSA)
|| (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
|| ((alg_k & SSL_kRSA)
&& (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
|| (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)
&& EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)
......@@ -367,12 +368,12 @@ int dtls1_accept(SSL *s)
/* never request cert in anonymous ciphersuites
* (see section "Certificate request" in SSL 3 drafts
* and in RFC 2246): */
((s->s3->tmp.new_cipher->algorithms & SSL_aNULL) &&
((s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
/* ... except when the application insists on verification
* (against the specs, but s3_clnt.c accepts this for SSL 3) */
!(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
/* never request cert in Kerberos ciphersuites */
(s->s3->tmp.new_cipher->algorithms & SSL_aKRB5))
/* never request cert in Kerberos ciphersuites */
(s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5))
{
/* no cert request */
skip=1;
......@@ -625,15 +626,15 @@ int dtls1_send_hello_verify_request(SSL *s)
*(p++) = s->version & 0xFF;
*(p++) = (unsigned char) s->d1->cookie_len;
if ( s->ctx->app_gen_cookie_cb != NULL &&
s->ctx->app_gen_cookie_cb(s, s->d1->cookie,
&(s->d1->cookie_len)) == 0)
{
SSLerr(SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST,ERR_R_INTERNAL_ERROR);
return 0;
}
/* else the cookie is assumed to have
* been initialized by the application */
if (s->ctx->app_gen_cookie_cb != NULL &&
s->ctx->app_gen_cookie_cb(s, s->d1->cookie,
&(s->d1->cookie_len)) == 0)
{
SSLerr(SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST,ERR_R_INTERNAL_ERROR);
return 0;
}
/* else the cookie is assumed to have
* been initialized by the application */
memcpy(p, s->d1->cookie, s->d1->cookie_len);
p += s->d1->cookie_len;
......@@ -784,7 +785,7 @@ int dtls1_send_server_key_exchange(SSL *s)
EVP_MD_CTX_init(&md_ctx);
if (s->state == SSL3_ST_SW_KEY_EXCH_A)
{
type=s->s3->tmp.new_cipher->algorithms & SSL_MKEY_MASK;
type=s->s3->tmp.new_cipher->algorithm_mkey;
cert=s->cert;
buf=s->init_buf;
......@@ -889,7 +890,7 @@ int dtls1_send_server_key_exchange(SSL *s)
n+=2+nr[i];
}
if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL))
{
if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher))
== NULL)
......@@ -1107,14 +1108,15 @@ int dtls1_send_server_certificate(SSL *s)
if (s->state == SSL3_ST_SW_CERT_A)
{
x=ssl_get_server_send_cert(s);
if (x == NULL &&
/* VRS: allow null cert if auth == KRB5 */
(s->s3->tmp.new_cipher->algorithms
& (SSL_MKEY_MASK|SSL_AUTH_MASK))
!= (SSL_aKRB5|SSL_kKRB5))
if (x == NULL)
{
SSLerr(SSL_F_DTLS1_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR);
return(0);
/* VRS: allow null cert if auth == KRB5 */
if ((s->s3->tmp.new_cipher->algorithm_mkey != SSL_kKRB5) ||
(s->s3->tmp.new_cipher->algorithm_auth != SSL_aKRB5))
{
SSLerr(SSL_F_DTLS1_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR);
return(0);
}
}
l=dtls1_output_cert_chain(s,x);
......
ssl/s2_lib.c
浏览文件 @ 52b8dad8
......@@ -55,6 +55,59 @@
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
/* ====================================================================
* Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* openssl-core@openssl.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
#include "ssl_locl.h"
#ifndef OPENSSL_NO_SSL2
......@@ -69,131 +122,158 @@ const char ssl2_version_str[]="SSLv2" OPENSSL_VERSION_PTEXT;
/* list of available SSLv2 ciphers (sorted by id) */
OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[]={
/* NULL_WITH_MD5 v3 */
#if 0
/* NULL_WITH_MD5 v3 */
{
1,
SSL2_TXT_NULL_WITH_MD5,
SSL2_CK_NULL_WITH_MD5,
SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5|SSL_SSLV2,
SSL_kRSA,
SSL_aRSA,
SSL_eNULL,
SSL_MD5,
SSL_SSLV2,
SSL_EXPORT|SSL_EXP40|SSL_STRONG_NONE,
0,
0,
0,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
#endif
/* RC4_128_WITH_MD5 */
{
1,
SSL2_TXT_RC4_128_WITH_MD5,
SSL2_CK_RC4_128_WITH_MD5,
SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_SSLV2,
SSL_kRSA,
SSL_aRSA,
SSL_RC4,
SSL_MD5,
SSL_SSLV2,
SSL_NOT_EXP|SSL_MEDIUM,
0,
128,
128,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* RC4_128_EXPORT40_WITH_MD5 */
{
1,
SSL2_TXT_RC4_128_EXPORT40_WITH_MD5,
SSL2_CK_RC4_128_EXPORT40_WITH_MD5,
SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_SSLV2,
SSL_kRSA,
SSL_aRSA,
SSL_RC4,
SSL_MD5,
SSL_SSLV2,
SSL_EXPORT|SSL_EXP40,
SSL2_CF_5_BYTE_ENC,
40,
128,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* RC2_128_CBC_WITH_MD5 */
{
1,
SSL2_TXT_RC2_128_CBC_WITH_MD5,
SSL2_CK_RC2_128_CBC_WITH_MD5,
SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_SSLV2,
SSL_kRSA,
SSL_aRSA,
SSL_RC2,
SSL_MD5,
SSL_SSLV2,
SSL_NOT_EXP|SSL_MEDIUM,
0,
128,
128,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* RC2_128_CBC_EXPORT40_WITH_MD5 */
{
1,
SSL2_TXT_RC2_128_CBC_EXPORT40_WITH_MD5,
SSL2_CK_RC2_128_CBC_EXPORT40_WITH_MD5,
SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_SSLV2,
SSL_kRSA,
SSL_aRSA,
SSL_RC2,
SSL_MD5,
SSL_SSLV2,
SSL_EXPORT|SSL_EXP40,
SSL2_CF_5_BYTE_ENC,
40,
128,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* IDEA_128_CBC_WITH_MD5 */
#ifndef OPENSSL_NO_IDEA
/* IDEA_128_CBC_WITH_MD5 */
{
1,
SSL2_TXT_IDEA_128_CBC_WITH_MD5,
SSL2_CK_IDEA_128_CBC_WITH_MD5,
SSL_kRSA|SSL_aRSA|SSL_IDEA|SSL_MD5|SSL_SSLV2,
SSL_kRSA,
SSL_aRSA,
SSL_IDEA,
SSL_MD5,
SSL_SSLV2,
SSL_NOT_EXP|SSL_MEDIUM,
0,
128,
128,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
#endif
/* DES_64_CBC_WITH_MD5 */
{
1,
SSL2_TXT_DES_64_CBC_WITH_MD5,
SSL2_CK_DES_64_CBC_WITH_MD5,
SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5|SSL_SSLV2,
SSL_kRSA,
SSL_aRSA,
SSL_DES,
SSL_MD5,
SSL_SSLV2,
SSL_NOT_EXP|SSL_LOW,
0,
56,
56,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* DES_192_EDE3_CBC_WITH_MD5 */
{
1,
SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5,
SSL2_CK_DES_192_EDE3_CBC_WITH_MD5,
SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5|SSL_SSLV2,
SSL_kRSA,
SSL_aRSA,
SSL_3DES,
SSL_MD5,
SSL_SSLV2,
SSL_NOT_EXP|SSL_HIGH,
0,
168,
168,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* RC4_64_WITH_MD5 */
#if 0
/* RC4_64_WITH_MD5 */
{
1,
SSL2_TXT_RC4_64_WITH_MD5,
SSL2_CK_RC4_64_WITH_MD5,
SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_SSLV2,
SSL_kRSA,
SSL_aRSA,
SSL_RC4,
SSL_MD5,
SSL_SSLV2,
SSL_NOT_EXP|SSL_LOW,
SSL2_CF_8_BYTE_ENC,
64,
64,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
#endif
/* NULL SSLeay (testing) */
#if 0
/* NULL SSLeay (testing) */
{
0,
SSL2_TXT_NULL,
......@@ -203,8 +283,6 @@ OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[]={
0,
0,
0,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
#endif
......
ssl/s3_clnt.c
浏览文件 @ 52b8dad8
......@@ -56,7 +56,7 @@
* [including the GNU Public Licence.]
*/
/* ====================================================================
* Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
* Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
......@@ -180,7 +180,7 @@ IMPLEMENT_ssl3_meth_func(SSLv3_client_method,
int ssl3_connect(SSL *s)
{
BUF_MEM *buf=NULL;
unsigned long Time=(unsigned long)time(NULL),l;
unsigned long Time=(unsigned long)time(NULL);
long num1;
void (*cb)(const SSL *ssl,int type,int val)=NULL;
int ret= -1;
......@@ -288,8 +288,8 @@ int ssl3_connect(SSL *s)
case SSL3_ST_CR_CERT_B:
/* Check if it is anon DH/ECDH */
/* or PSK */
if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL)
&& !(s->s3->tmp.new_cipher->algorithms & SSL_kPSK))
if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
!(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
{
ret=ssl3_get_server_certificate(s);
if (ret <= 0) goto end;
......@@ -350,7 +350,6 @@ int ssl3_connect(SSL *s)
case SSL3_ST_CW_KEY_EXCH_B:
ret=ssl3_send_client_key_exchange(s);
if (ret <= 0) goto end;
l=s->s3->tmp.new_cipher->algorithms;
/* EAY EAY EAY need to check for DH fix cert
* sent back */
/* For TLS, cert_req is set to 2, so a cert chain
......@@ -940,10 +939,10 @@ int ssl3_get_server_certificate(SSL *s)
i=ssl_verify_cert_chain(s,sk);
if ((s->verify_mode != SSL_VERIFY_NONE) && (!i)
#ifndef OPENSSL_NO_KRB5
&& (s->s3->tmp.new_cipher->algorithms & (SSL_MKEY_MASK|SSL_AUTH_MASK))
!= (SSL_aKRB5|SSL_kKRB5)
&& !((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) &&
(s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5))
#endif /* OPENSSL_NO_KRB5 */
)
)
{
al=ssl_verify_alarm_type(s->verify_result);
SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED);
......@@ -967,15 +966,15 @@ int ssl3_get_server_certificate(SSL *s)
pkey=X509_get_pubkey(x);
/* VRS: allow null cert if auth == KRB5 */
need_cert = ((s->s3->tmp.new_cipher->algorithms
& (SSL_MKEY_MASK|SSL_AUTH_MASK))
== (SSL_aKRB5|SSL_kKRB5))? 0: 1;
need_cert = ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) &&
(s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5))
? 0 : 1;
#ifdef KSSL_DEBUG
printf("pkey,x = %p, %p\n", pkey,x);
printf("ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x,pkey));
printf("cipher, alg, nc = %s, %lx, %d\n", s->s3->tmp.new_cipher->name,
s->s3->tmp.new_cipher->algorithms, need_cert);
printf("cipher, alg, nc = %s, %lx, %lx, %d\n", s->s3->tmp.new_cipher->name,
s->s3->tmp.new_cipher->algorithm_mkey, s->s3->tmp.new_cipher->algorithm_auth, need_cert);
#endif /* KSSL_DEBUG */
if (need_cert && ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey)))
......@@ -1047,7 +1046,7 @@ int ssl3_get_key_exchange(SSL *s)
EVP_MD_CTX md_ctx;
unsigned char *param,*p;
int al,i,j,param_len,ok;
long n,alg;
long n,alg_k,alg_a;
EVP_PKEY *pkey=NULL;
#ifndef OPENSSL_NO_RSA
RSA *rsa=NULL;
......@@ -1080,7 +1079,7 @@ int ssl3_get_key_exchange(SSL *s)
omitted if no identity hint is sent. Set
session->sess_cert anyway to avoid problems
later.*/
if (s->s3->tmp.new_cipher->algorithms & SSL_kPSK)
if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)
{
s->session->sess_cert=ssl_sess_cert_new();
if (s->ctx->psk_identity_hint)
......@@ -1123,12 +1122,13 @@ int ssl3_get_key_exchange(SSL *s)
}
param_len=0;
alg=s->s3->tmp.new_cipher->algorithms;
alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
alg_a=s->s3->tmp.new_cipher->algorithm_auth;
EVP_MD_CTX_init(&md_ctx);
#ifndef OPENSSL_NO_PSK
if (alg & SSL_kPSK)
{
if (alg_k & SSL_kPSK)
{
char tmp_id_hint[PSK_MAX_IDENTITY_LEN+1];
al=SSL_AD_HANDSHAKE_FAILURE;
......@@ -1164,7 +1164,7 @@ int ssl3_get_key_exchange(SSL *s)
{
SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
goto f_err;
}
}
p+=i;
n-=param_len;
......@@ -1172,7 +1172,7 @@ int ssl3_get_key_exchange(SSL *s)
else
#endif /* !OPENSSL_NO_PSK */
#ifndef OPENSSL_NO_RSA
if (alg & SSL_kRSA)
if (alg_k & SSL_kRSA)
{
if ((rsa=RSA_new()) == NULL)
{
......@@ -1211,7 +1211,7 @@ int ssl3_get_key_exchange(SSL *s)
n-=param_len;
/* this should be because we are using an export cipher */
if (alg & SSL_aRSA)
if (alg_a & SSL_aRSA)
pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
else
{
......@@ -1226,7 +1226,7 @@ int ssl3_get_key_exchange(SSL *s)
;
#endif
#ifndef OPENSSL_NO_DH
else if (alg & SSL_kEDH)
else if (alg_k & SSL_kEDH)
{
if ((dh=DH_new()) == NULL)
{
......@@ -1280,14 +1280,14 @@ int ssl3_get_key_exchange(SSL *s)
n-=param_len;
#ifndef OPENSSL_NO_RSA
if (alg & SSL_aRSA)
if (alg_a & SSL_aRSA)
pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
#else
if (0)
;
#endif
#ifndef OPENSSL_NO_DSA
else if (alg & SSL_aDSS)
else if (alg_a & SSL_aDSS)
pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509);
#endif
/* else anonymous DH, so no certificate or pkey. */
......@@ -1295,7 +1295,7 @@ int ssl3_get_key_exchange(SSL *s)
s->session->sess_cert->peer_dh_tmp=dh;
dh=NULL;
}
else if ((alg & SSL_kDHr) || (alg & SSL_kDHd))
else if ((alg_k & SSL_kDHr) || (alg_k & SSL_kDHd))
{
al=SSL_AD_ILLEGAL_PARAMETER;
SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER);
......@@ -1304,7 +1304,7 @@ int ssl3_get_key_exchange(SSL *s)
#endif /* !OPENSSL_NO_DH */
#ifndef OPENSSL_NO_ECDH
else if (alg & SSL_kEECDH)
else if (alg_k & SSL_kEECDH)
{
EC_GROUP *ngroup;
const EC_GROUP *group;
......@@ -1388,11 +1388,11 @@ int ssl3_get_key_exchange(SSL *s)
*/
if (0) ;
#ifndef OPENSSL_NO_RSA
else if (alg & SSL_aRSA)
else if (alg_a & SSL_aRSA)
pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
#endif
#ifndef OPENSSL_NO_ECDSA
else if (alg & SSL_aECDSA)
else if (alg_a & SSL_aECDSA)
pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
#endif
/* else anonymous ECDH, so no certificate or pkey. */
......@@ -1403,7 +1403,7 @@ int ssl3_get_key_exchange(SSL *s)
EC_POINT_free(srvr_ecpoint);
srvr_ecpoint = NULL;
}
else if (alg)
else if (alg_k)
{
al=SSL_AD_UNEXPECTED_MESSAGE;
SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
......@@ -1508,7 +1508,7 @@ int ssl3_get_key_exchange(SSL *s)
}
else
{
if (!(alg & SSL_aNULL) && !(alg & SSL_kPSK))
if (!(alg_a & SSL_aNULL) && !(alg_k & SSL_kPSK))
/* aNULL or kPSK do not need public keys */
{
SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
......@@ -1584,8 +1584,7 @@ int ssl3_get_certificate_request(SSL *s)
/* TLS does not like anon-DH with client cert */
if (s->version > SSL3_VERSION)
{
l=s->s3->tmp.new_cipher->algorithms;
if (l & SSL_aNULL)
if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
{
ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER);
......@@ -1724,7 +1723,7 @@ int ssl3_send_client_key_exchange(SSL *s)
{
unsigned char *p,*d;
int n;
unsigned long l;
unsigned long alg_k;
#ifndef OPENSSL_NO_RSA
unsigned char *q;
EVP_PKEY *pkey=NULL;
......@@ -1746,12 +1745,12 @@ int ssl3_send_client_key_exchange(SSL *s)
d=(unsigned char *)s->init_buf->data;
p= &(d[4]);
l=s->s3->tmp.new_cipher->algorithms;
alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
/* Fool emacs indentation */
if (0) {}
#ifndef OPENSSL_NO_RSA
else if (l & SSL_kRSA)
else if (alg_k & SSL_kRSA)
{
RSA *rsa;
unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
......@@ -1810,7 +1809,7 @@ int ssl3_send_client_key_exchange(SSL *s)
}
#endif
#ifndef OPENSSL_NO_KRB5
else if (l & SSL_kKRB5)
else if (alg_k & SSL_kKRB5)
{
krb5_error_code krb5rc;
KSSL_CTX *kssl_ctx = s->kssl_ctx;
......@@ -1829,7 +1828,7 @@ int ssl3_send_client_key_exchange(SSL *s)
#ifdef KSSL_DEBUG
printf("ssl3_send_client_key_exchange(%lx & %lx)\n",
l, SSL_kKRB5);
l, SSL_kKRB5);
#endif /* KSSL_DEBUG */
authp = NULL;
......@@ -1935,7 +1934,7 @@ int ssl3_send_client_key_exchange(SSL *s)
n+=outl + 2;
s->session->master_key_length=
s->method->ssl3_enc->generate_master_secret(s,
s->method->ssl3_enc->generate_master_secret(s,
s->session->master_key,
tmp_buf, sizeof tmp_buf);
......@@ -1944,7 +1943,7 @@ int ssl3_send_client_key_exchange(SSL *s)
}
#endif
#ifndef OPENSSL_NO_DH
else if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
{
DH *dh_srvr,*dh_clnt;
......@@ -2001,7 +2000,7 @@ int ssl3_send_client_key_exchange(SSL *s)
#endif
#ifndef OPENSSL_NO_ECDH
else if ((l & SSL_kECDH) || (l & SSL_kEECDH))
else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe))
{
const EC_GROUP *srvr_group = NULL;
EC_KEY *tkey;
......@@ -2013,7 +2012,7 @@ int ssl3_send_client_key_exchange(SSL *s)
* computation as part of client certificate?
* If so, set ecdh_clnt_cert to 1.
*/
if ((l & SSL_kECDH) && (s->cert != NULL))
if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->cert != NULL))
{
/* XXX: For now, we do not support client
* authentication using ECDH certificates.
......@@ -2186,7 +2185,7 @@ int ssl3_send_client_key_exchange(SSL *s)
}
#endif /* !OPENSSL_NO_ECDH */
#ifndef OPENSSL_NO_PSK
else if (l & SSL_kPSK)
else if (alg_k & SSL_kPSK)
{
char identity[PSK_MAX_IDENTITY_LEN];
unsigned char *t = NULL;
......@@ -2259,7 +2258,7 @@ int ssl3_send_client_key_exchange(SSL *s)
psk_err = 0;
psk_err:
OPENSSL_cleanse(identity, PSK_MAX_IDENTITY_LEN);
OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms));
OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms));
if (psk_err != 0)
{
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
......@@ -2468,7 +2467,7 @@ int ssl3_send_client_certificate(SSL *s)
int ssl3_check_cert_and_algorithm(SSL *s)
{
int i,idx;
long algs;
long alg_k,alg_a;
EVP_PKEY *pkey=NULL;
SESS_CERT *sc;
#ifndef OPENSSL_NO_RSA
......@@ -2485,10 +2484,11 @@ int ssl3_check_cert_and_algorithm(SSL *s)
goto err;
}
algs=s->s3->tmp.new_cipher->algorithms;
alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
alg_a=s->s3->tmp.new_cipher->algorithm_auth;
/* we don't have a certificate */
if (algs & (SSL_aDH|SSL_aNULL|SSL_aKRB5|SSL_kPSK))
if ((alg_a & (SSL_aDH|SSL_aNULL|SSL_aKRB5)) || (alg_k & SSL_kPSK))
return(1);
#ifndef OPENSSL_NO_RSA
......@@ -2508,7 +2508,7 @@ int ssl3_check_cert_and_algorithm(SSL *s)
s->s3->tmp.new_cipher) == 0)
{ /* check failed */
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_BAD_ECC_CERT);
goto f_err;
goto f_err;
}
else
{
......@@ -2522,20 +2522,20 @@ int ssl3_check_cert_and_algorithm(SSL *s)
/* Check that we have a certificate if we require one */
if ((algs & SSL_aRSA) && !has_bits(i,EVP_PK_RSA|EVP_PKT_SIGN))
if ((alg_a & SSL_aRSA) && !has_bits(i,EVP_PK_RSA|EVP_PKT_SIGN))
{
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_SIGNING_CERT);
goto f_err;
}
#ifndef OPENSSL_NO_DSA
else if ((algs & SSL_aDSS) && !has_bits(i,EVP_PK_DSA|EVP_PKT_SIGN))
else if ((alg_a & SSL_aDSS) && !has_bits(i,EVP_PK_DSA|EVP_PKT_SIGN))
{
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DSA_SIGNING_CERT);
goto f_err;
}
#endif
#ifndef OPENSSL_NO_RSA
if ((algs & SSL_kRSA) &&
if ((alg_k & SSL_kRSA) &&
!(has_bits(i,EVP_PK_RSA|EVP_PKT_ENC) || (rsa != NULL)))
{
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_ENCRYPTING_CERT);
......@@ -2543,19 +2543,19 @@ int ssl3_check_cert_and_algorithm(SSL *s)
}
#endif
#ifndef OPENSSL_NO_DH
if ((algs & SSL_kEDH) &&
if ((alg_k & SSL_kEDH) &&
!(has_bits(i,EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL)))
{
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_KEY);
goto f_err;
}
else if ((algs & SSL_kDHr) && !has_bits(i,EVP_PK_DH|EVP_PKS_RSA))
else if ((alg_k & SSL_kDHr) && !has_bits(i,EVP_PK_DH|EVP_PKS_RSA))
{
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_RSA_CERT);
goto f_err;
}
#ifndef OPENSSL_NO_DSA
else if ((algs & SSL_kDHd) && !has_bits(i,EVP_PK_DH|EVP_PKS_DSA))
else if ((alg_k & SSL_kDHd) && !has_bits(i,EVP_PK_DH|EVP_PKS_DSA))
{
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_DSA_CERT);
goto f_err;
......@@ -2566,7 +2566,7 @@ int ssl3_check_cert_and_algorithm(SSL *s)
if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i,EVP_PKT_EXP))
{
#ifndef OPENSSL_NO_RSA
if (algs & SSL_kRSA)
if (alg_k & SSL_kRSA)
{
if (rsa == NULL
|| RSA_size(rsa)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher))
......@@ -2578,7 +2578,7 @@ int ssl3_check_cert_and_algorithm(SSL *s)
else
#endif
#ifndef OPENSSL_NO_DH
if (algs & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
{
if (dh == NULL
|| DH_size(dh)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher))
......
ssl/s3_enc.c
浏览文件 @ 52b8dad8
......@@ -56,7 +56,7 @@
* [including the GNU Public Licence.]
*/
/* ====================================================================
* Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
* Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
......@@ -430,11 +430,11 @@ int ssl3_setup_key_block(SSL *s)
if (s->session->cipher != NULL)
{
if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_eNULL)
if (s->session->cipher->algorithm_enc == SSL_eNULL)
s->s3->need_empty_fragments = 0;
#ifndef OPENSSL_NO_RC4
if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4)
if (s->session->cipher->algorithm_enc == SSL_RC4)
s->s3->need_empty_fragments = 0;
#endif
}
......
ssl/s3_lib.c
浏览文件 @ 52b8dad8
此差异已折叠。
ssl/s3_srvr.c
浏览文件 @ 52b8dad8
......@@ -56,7 +56,7 @@
* [including the GNU Public Licence.]
*/
/* ====================================================================
* Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
* Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
......@@ -186,7 +186,7 @@ IMPLEMENT_ssl3_meth_func(SSLv3_server_method,
int ssl3_accept(SSL *s)
{
BUF_MEM *buf;
unsigned long l,Time=(unsigned long)time(NULL);
unsigned long alg_k,Time=(unsigned long)time(NULL);
void (*cb)(const SSL *ssl,int type,int val)=NULL;
long num1;
int ret= -1;
......@@ -325,9 +325,9 @@ int ssl3_accept(SSL *s)
case SSL3_ST_SW_CERT_B:
/* Check if it is anon DH or anon ECDH, */
/* normal PSK or KRB5 */
if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL)
&& !(s->s3->tmp.new_cipher->algorithms & SSL_kPSK)
&& !(s->s3->tmp.new_cipher->algorithms & SSL_aKRB5))
if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
&& !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)
&& !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5))
{
ret=ssl3_send_server_certificate(s);
if (ret <= 0) goto end;
......@@ -340,13 +340,13 @@ int ssl3_accept(SSL *s)
case SSL3_ST_SW_KEY_EXCH_A:
case SSL3_ST_SW_KEY_EXCH_B:
l=s->s3->tmp.new_cipher->algorithms;
alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
/* clear this, it may get reset by
* send_server_key_exchange */
if ((s->options & SSL_OP_EPHEMERAL_RSA)
#ifndef OPENSSL_NO_KRB5
&& !(l & SSL_KRB5)
&& !(alg_k & SSL_kKRB5)
#endif /* OPENSSL_NO_KRB5 */
)
/* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
......@@ -373,11 +373,11 @@ int ssl3_accept(SSL *s)
/* PSK: send ServerKeyExchange if PSK identity
* hint if provided */
#ifndef OPENSSL_NO_PSK
|| ((l & SSL_kPSK) && s->ctx->psk_identity_hint)
|| ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint)
#endif
|| (l & SSL_DH)
|| (l & SSL_kEECDH)
|| ((l & SSL_kRSA)
|| (alg_k & (SSL_kDHr|SSL_kDHd|SSL_kEDH))
|| (alg_k & SSL_kEECDH)
|| ((alg_k & SSL_kRSA)
&& (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
|| (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)
&& EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)
......@@ -407,15 +407,15 @@ int ssl3_accept(SSL *s)
/* never request cert in anonymous ciphersuites
* (see section "Certificate request" in SSL 3 drafts
* and in RFC 2246): */
((s->s3->tmp.new_cipher->algorithms & SSL_aNULL) &&
((s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
/* ... except when the application insists on verification
* (against the specs, but s3_clnt.c accepts this for SSL 3) */
!(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
/* never request cert in Kerberos ciphersuites */
(s->s3->tmp.new_cipher->algorithms & SSL_aKRB5)
/* never request cert in Kerberos ciphersuites */
(s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)
/* With normal PSK Certificates and
* Certificate Requests are omitted */
|| (s->s3->tmp.new_cipher->algorithms & SSL_kPSK))
|| (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
{
/* no cert request */
skip=1;
......@@ -1025,7 +1025,7 @@ int ssl3_get_client_hello(SSL *s)
for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
{
c=sk_SSL_CIPHER_value(sk,i);
if (c->algorithms & SSL_eNULL)
if (c->algorithm_enc & SSL_eNULL)
nc=c;
if (SSL_C_IS_EXPORT(c))
ec=c;
......@@ -1209,7 +1209,7 @@ int ssl3_send_server_key_exchange(SSL *s)
EVP_MD_CTX_init(&md_ctx);
if (s->state == SSL3_ST_SW_KEY_EXCH_A)
{
type=s->s3->tmp.new_cipher->algorithms & SSL_MKEY_MASK;
type=s->s3->tmp.new_cipher->algorithm_mkey;
cert=s->cert;
buf=s->init_buf;
......@@ -1450,8 +1450,8 @@ int ssl3_send_server_key_exchange(SSL *s)
n+=2+nr[i];
}
if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL)
&& !(s->s3->tmp.new_cipher->algorithms & SSL_kPSK))
if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
&& !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
{
if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher))
== NULL)
......@@ -1712,7 +1712,7 @@ int ssl3_get_client_key_exchange(SSL *s)
{
int i,al,ok;
long n;
unsigned long l;
unsigned long alg_k;
unsigned char *p;
#ifndef OPENSSL_NO_RSA
RSA *rsa=NULL;
......@@ -1723,7 +1723,7 @@ int ssl3_get_client_key_exchange(SSL *s)
DH *dh_srvr;
#endif
#ifndef OPENSSL_NO_KRB5
KSSL_ERR kssl_err;
KSSL_ERR kssl_err;
#endif /* OPENSSL_NO_KRB5 */
#ifndef OPENSSL_NO_ECDH
......@@ -1743,10 +1743,10 @@ int ssl3_get_client_key_exchange(SSL *s)
if (!ok) return((int)n);
p=(unsigned char *)s->init_msg;
l=s->s3->tmp.new_cipher->algorithms;
alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
#ifndef OPENSSL_NO_RSA
if (l & SSL_kRSA)
if (alg_k & SSL_kRSA)
{
/* FIX THIS UP EAY EAY EAY EAY */
if (s->s3->tmp.use_rsa_tmp)
......@@ -1852,7 +1852,7 @@ int ssl3_get_client_key_exchange(SSL *s)
else
#endif
#ifndef OPENSSL_NO_DH
if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
{
n2s(p,i);
if (n != i+2)
......@@ -1915,25 +1915,25 @@ int ssl3_get_client_key_exchange(SSL *s)
else
#endif
#ifndef OPENSSL_NO_KRB5
if (l & SSL_kKRB5)
{
krb5_error_code krb5rc;
if (alg_k & SSL_kKRB5)
{
krb5_error_code krb5rc;
krb5_data enc_ticket;
krb5_data authenticator;
krb5_data enc_pms;
KSSL_CTX *kssl_ctx = s->kssl_ctx;
KSSL_CTX *kssl_ctx = s->kssl_ctx;
EVP_CIPHER_CTX ciph_ctx;
EVP_CIPHER *enc = NULL;
unsigned char iv[EVP_MAX_IV_LENGTH];
unsigned char pms[SSL_MAX_MASTER_KEY_LENGTH
+ EVP_MAX_BLOCK_LENGTH];
int padl, outl;
+ EVP_MAX_BLOCK_LENGTH];
int padl, outl;
krb5_timestamp authtime = 0;
krb5_ticket_times ttimes;
EVP_CIPHER_CTX_init(&ciph_ctx);
if (!kssl_ctx) kssl_ctx = kssl_ctx_new();
if (!kssl_ctx) kssl_ctx = kssl_ctx_new();
n2s(p,i);
enc_ticket.length = i;
......@@ -1984,19 +1984,19 @@ int ssl3_get_client_key_exchange(SSL *s)
goto err;
}
if ((krb5rc = kssl_sget_tkt(kssl_ctx, &enc_ticket, &ttimes,
if ((krb5rc = kssl_sget_tkt(kssl_ctx, &enc_ticket, &ttimes,
&kssl_err)) != 0)
{
{
#ifdef KSSL_DEBUG
printf("kssl_sget_tkt rtn %d [%d]\n",
krb5rc, kssl_err.reason);
if (kssl_err.text)
printf("kssl_err text= %s\n", kssl_err.text);
printf("kssl_sget_tkt rtn %d [%d]\n",
krb5rc, kssl_err.reason);
if (kssl_err.text)
printf("kssl_err text= %s\n", kssl_err.text);
#endif /* KSSL_DEBUG */
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
kssl_err.reason);
goto err;
}
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
kssl_err.reason);
goto err;
}
/* Note: no authenticator is not considered an error,
** but will return authtime == 0.
......@@ -2005,29 +2005,29 @@ int ssl3_get_client_key_exchange(SSL *s)
&authtime, &kssl_err)) != 0)
{
#ifdef KSSL_DEBUG
printf("kssl_check_authent rtn %d [%d]\n",
krb5rc, kssl_err.reason);
if (kssl_err.text)
printf("kssl_err text= %s\n", kssl_err.text);
printf("kssl_check_authent rtn %d [%d]\n",
krb5rc, kssl_err.reason);
if (kssl_err.text)
printf("kssl_err text= %s\n", kssl_err.text);
#endif /* KSSL_DEBUG */
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
kssl_err.reason);
goto err;
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
kssl_err.reason);
goto err;
}
if ((krb5rc = kssl_validate_times(authtime, &ttimes)) != 0)
{
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, krb5rc);
goto err;
goto err;
}
#ifdef KSSL_DEBUG
kssl_ctx_show(kssl_ctx);
kssl_ctx_show(kssl_ctx);
#endif /* KSSL_DEBUG */
enc = kssl_map_enc(kssl_ctx->enctype);
if (enc == NULL)
goto err;
if (enc == NULL)
goto err;
memset(iv, 0, sizeof iv); /* per RFC 1510 */
......@@ -2075,7 +2075,7 @@ int ssl3_get_client_key_exchange(SSL *s)
*/
if (!((s->options & SSL_OP_TLS_ROLLBACK_BUG) &&
(p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff))))
{
{
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
SSL_AD_DECODE_ERROR);
goto err;
......@@ -2084,32 +2084,32 @@ int ssl3_get_client_key_exchange(SSL *s)
EVP_CIPHER_CTX_cleanup(&ciph_ctx);
s->session->master_key_length=
s->method->ssl3_enc->generate_master_secret(s,
s->session->master_key, pms, outl);
s->session->master_key_length=
s->method->ssl3_enc->generate_master_secret(s,
s->session->master_key, pms, outl);
if (kssl_ctx->client_princ)
{
size_t len = strlen(kssl_ctx->client_princ);
if ( len < SSL_MAX_KRB5_PRINCIPAL_LENGTH )
{
s->session->krb5_client_princ_len = len;
memcpy(s->session->krb5_client_princ,kssl_ctx->client_princ,len);
}
}
if (kssl_ctx->client_princ)
{
size_t len = strlen(kssl_ctx->client_princ);
if ( len < SSL_MAX_KRB5_PRINCIPAL_LENGTH )
{
s->session->krb5_client_princ_len = len;
memcpy(s->session->krb5_client_princ,kssl_ctx->client_princ,len);
}
}
/* Was doing kssl_ctx_free() here,
/* Was doing kssl_ctx_free() here,
** but it caused problems for apache.
** kssl_ctx = kssl_ctx_free(kssl_ctx);
** if (s->kssl_ctx) s->kssl_ctx = NULL;
*/
}
** kssl_ctx = kssl_ctx_free(kssl_ctx);
** if (s->kssl_ctx) s->kssl_ctx = NULL;
*/
}
else
#endif /* OPENSSL_NO_KRB5 */
#ifndef OPENSSL_NO_ECDH
if ((l & SSL_kECDH) || (l & SSL_kEECDH))
if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe))
{
int ret = 1;
int field_size = 0;
......@@ -2117,18 +2117,18 @@ int ssl3_get_client_key_exchange(SSL *s)
const EC_GROUP *group;
const BIGNUM *priv_key;
/* initialize structures for server's ECDH key pair */
/* initialize structures for server's ECDH key pair */
if ((srvr_ecdh = EC_KEY_new()) == NULL)
{
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
ERR_R_MALLOC_FAILURE);
goto err;
goto err;
}
/* Let's get server private key and group information */
if (l & SSL_kECDH)
if (alg_k & (SSL_kECDHr|SSL_kECDHe))
{
/* use the certificate */
/* use the certificate */
tkey = s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec;
}
else
......@@ -2158,20 +2158,20 @@ int ssl3_get_client_key_exchange(SSL *s)
goto err;
}
if (n == 0L)
{
if (n == 0L)
{
/* Client Publickey was in Client Certificate */
if (l & SSL_kEECDH)
if (alg_k & SSL_kEECDH)
{
al=SSL_AD_HANDSHAKE_FAILURE;
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_MISSING_TMP_ECDH_KEY);
goto f_err;
}
if (((clnt_pub_pkey=X509_get_pubkey(s->session->peer))
if (((clnt_pub_pkey=X509_get_pubkey(s->session->peer))
== NULL) ||
(clnt_pub_pkey->type != EVP_PKEY_EC))
{
{
/* XXX: For now, we do not support client
* authentication using ECDH certificates
* so this branch (n == 0L) of the code is
......@@ -2183,11 +2183,11 @@ int ssl3_get_client_key_exchange(SSL *s)
* the two ECDH shares are for the same
* group.
*/
al=SSL_AD_HANDSHAKE_FAILURE;
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
al=SSL_AD_HANDSHAKE_FAILURE;
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
SSL_R_UNABLE_TO_DECODE_ECDH_CERTS);
goto f_err;
}
goto f_err;
}
if (EC_POINT_copy(clnt_ecpoint,
EC_KEY_get0_public_key(clnt_pub_pkey->pkey.ec)) == 0)
......@@ -2196,10 +2196,10 @@ int ssl3_get_client_key_exchange(SSL *s)
ERR_R_EC_LIB);
goto err;
}
ret = 2; /* Skip certificate verify processing */
}
else
{
ret = 2; /* Skip certificate verify processing */
}
else
{
/* Get client's public key from encoded point
* in the ClientKeyExchange message.
*/
......@@ -2210,21 +2210,21 @@ int ssl3_get_client_key_exchange(SSL *s)
goto err;
}
/* Get encoded point length */
i = *p;
/* Get encoded point length */
i = *p;
p += 1;
if (EC_POINT_oct2point(group,
if (EC_POINT_oct2point(group,
clnt_ecpoint, p, i, bn_ctx) == 0)
{
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
ERR_R_EC_LIB);
goto err;
}
/* p is pointing to somewhere in the buffer
* currently, so set it to the start
*/
p=(unsigned char *)s->init_buf->data;
}
/* p is pointing to somewhere in the buffer
* currently, so set it to the start
*/
p=(unsigned char *)s->init_buf->data;
}
/* Compute the shared pre-master secret */
field_size = EC_GROUP_get_degree(group);
......@@ -2235,12 +2235,12 @@ int ssl3_get_client_key_exchange(SSL *s)
goto err;
}
i = ECDH_compute_key(p, (field_size+7)/8, clnt_ecpoint, srvr_ecdh, NULL);
if (i <= 0)
{
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
if (i <= 0)
{
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
ERR_R_ECDH_LIB);
goto err;
}
goto err;
}
EVP_PKEY_free(clnt_pub_pkey);
EC_POINT_free(clnt_ecpoint);
......@@ -2249,16 +2249,16 @@ int ssl3_get_client_key_exchange(SSL *s)
BN_CTX_free(bn_ctx);
/* Compute the master secret */
s->session->master_key_length = s->method->ssl3_enc-> \
s->session->master_key_length = s->method->ssl3_enc-> \
generate_master_secret(s, s->session->master_key, p, i);
OPENSSL_cleanse(p, i);
return (ret);
OPENSSL_cleanse(p, i);
return (ret);
}
else
#endif
#ifndef OPENSSL_NO_PSK
if (l & SSL_kPSK)
if (alg_k & SSL_kPSK)
{
unsigned char *t = NULL;
unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2+4];
......@@ -2347,8 +2347,8 @@ int ssl3_get_client_key_exchange(SSL *s)
psk_err = 0;
psk_err:
OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms));
if (psk_err != 0)
goto f_err;
if (psk_err != 0)
goto f_err;
}
else
#endif
......@@ -2694,14 +2694,15 @@ int ssl3_send_server_certificate(SSL *s)
if (s->state == SSL3_ST_SW_CERT_A)
{
x=ssl_get_server_send_cert(s);
if (x == NULL &&
/* VRS: allow null cert if auth == KRB5 */
(s->s3->tmp.new_cipher->algorithms
& (SSL_MKEY_MASK|SSL_AUTH_MASK))
!= (SSL_aKRB5|SSL_kKRB5))
{
SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR);
return(0);
if (x == NULL)
{
/* VRS: allow null cert if auth == KRB5 */
if ((s->s3->tmp.new_cipher->algorithm_auth != SSL_aKRB5) ||
(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5))
{
SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR);
return(0);
}
}
l=ssl3_output_cert_chain(s,x);
......
ssl/ssl.h
浏览文件 @ 52b8dad8
......@@ -56,60 +56,7 @@
* [including the GNU Public Licence.]
*/
/* ====================================================================
* Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* openssl-core@openssl.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
/* ====================================================================
* Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
* Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
......@@ -273,10 +220,15 @@ extern "C" {
#define SSL_MAX_KEY_ARG_LENGTH 8
#define SSL_MAX_MASTER_KEY_LENGTH 48
/* These are used to specify which ciphers to use and not to use */
#define SSL_TXT_EXP40 "EXPORT40"
#define SSL_TXT_EXP56 "EXPORT56"
#define SSL_TXT_LOW "LOW"
#define SSL_TXT_MEDIUM "MEDIUM"
#define SSL_TXT_HIGH "HIGH"
#define SSL_TXT_kFZA "kFZA" /* unused! */
#define SSL_TXT_aFZA "aFZA" /* unused! */
#define SSL_TXT_eFZA "eFZA" /* unused! */
......@@ -289,6 +241,7 @@ extern "C" {
#define SSL_TXT_kRSA "kRSA"
#define SSL_TXT_kDHr "kDHr" /* no such ciphersuites supported! */
#define SSL_TXT_kDHd "kDHd" /* no such ciphersuites supported! */
#define SSL_TXT_kDH "kDH" /* no such ciphersuites supported! */
#define SSL_TXT_kEDH "kEDH"
#define SSL_TXT_kKRB5 "kKRB5"
#define SSL_TXT_kECDHr "kECDHr"
......@@ -314,25 +267,31 @@ extern "C" {
#define SSL_TXT_EECDH "EECDH" /* same as "kEECDH:-AECDH" */
#define SSL_TXT_AECDH "AECDH"
#define SSL_TXT_ECDSA "ECDSA"
#define SSL_TXT_KRB5 "KRB5"
#define SSL_TXT_PSK "PSK"
#define SSL_TXT_DES "DES"
#define SSL_TXT_3DES "3DES"
#define SSL_TXT_RC4 "RC4"
#define SSL_TXT_RC2 "RC2"
#define SSL_TXT_IDEA "IDEA"
#define SSL_TXT_AES128 "AES128"
#define SSL_TXT_AES256 "AES256"
#define SSL_TXT_AES "AES"
#define SSL_TXT_CAMELLIA128 "CAMELLIA128"
#define SSL_TXT_CAMELLIA256 "CAMELLIA256"
#define SSL_TXT_CAMELLIA "CAMELLIA"
#define SSL_TXT_MD5 "MD5"
#define SSL_TXT_SHA1 "SHA1"
#define SSL_TXT_SHA "SHA"
#define SSL_TXT_EXP "EXP"
#define SSL_TXT_EXPORT "EXPORT"
#define SSL_TXT_EXP40 "EXPORT40"
#define SSL_TXT_EXP56 "EXPORT56"
#define SSL_TXT_SHA "SHA" /* same as "SHA1" */
#define SSL_TXT_SSLV2 "SSLv2"
#define SSL_TXT_SSLV3 "SSLv3"
#define SSL_TXT_TLSV1 "TLSv1"
#define SSL_TXT_KRB5 "KRB5"
#define SSL_TXT_PSK "PSK"
#define SSL_TXT_EXP "EXP"
#define SSL_TXT_EXPORT "EXPORT"
#define SSL_TXT_ALL "ALL"
......@@ -389,13 +348,18 @@ typedef struct ssl_cipher_st
int valid;
const char *name; /* text name */
unsigned long id; /* id, 4 bytes, first is version */
unsigned long algorithms; /* what ciphers are used */
/* changed in 0.9.9: these four used to be portions of a single value 'algorithms' */
unsigned long algorithm_mkey; /* key exchange algorithm */
unsigned long algorithm_auth; /* server authentication */
unsigned long algorithm_enc; /* symmetric encryption */
unsigned long algorithm_mac; /* symmetric authentication */
unsigned long algorithm_ssl; /* (major) protocol version */
unsigned long algo_strength; /* strength and export flags */
unsigned long algorithm2; /* Extra flags */
int strength_bits; /* Number of bits really used */
int alg_bits; /* Number of bits for algorithm */
unsigned long mask; /* used for matching */
unsigned long mask_strength; /* also used for matching */
} SSL_CIPHER;
DECLARE_STACK_OF(SSL_CIPHER)
......
ssl/ssl_cert.c
浏览文件 @ 52b8dad8
......@@ -56,7 +56,7 @@
* [including the GNU Public Licence.]
*/
/* ====================================================================
* Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
* Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
......@@ -197,8 +197,10 @@ CERT *ssl_cert_dup(CERT *cert)
* if you find that more readable */
ret->valid = cert->valid;
ret->mask = cert->mask;
ret->export_mask = cert->export_mask;
ret->mask_k = cert->mask_k;
ret->mask_a = cert->mask_a;
ret->export_mask_k = cert->export_mask_k;
ret->export_mask_a = cert->export_mask_a;
#ifndef OPENSSL_NO_RSA
if (cert->rsa_tmp != NULL)
......
ssl/ssl_ciph.c
浏览文件 @ 52b8dad8
此差异已折叠。
ssl/ssl_lib.c
浏览文件 @ 52b8dad8
此差异已折叠。
ssl/ssl_locl.h
浏览文件 @ 52b8dad8
......@@ -56,7 +56,7 @@
* [including the GNU Public Licence.]
*/
/* ====================================================================
* Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
* Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
......@@ -275,62 +275,56 @@
* that the different entities within are mutually exclusive:
* ONLY ONE BIT PER MASK CAN BE SET AT A TIME.
*/
#define SSL_MKEY_MASK 0x200000FFL
/* Bits for algorithm_mkey (key exchange algorithm) */
#define SSL_kRSA 0x00000001L /* RSA key exchange */
#define SSL_kDHr 0x00000002L /* DH cert, RSA CA cert */ /* no such ciphersuites supported! */
#define SSL_kDHd 0x00000004L /* DH cert, DSA CA cert */ /* no such ciphersuite supported! */
#define SSL_kEDH 0x00000008L /* tmp DH key no DH cert */
#define SSL_EDH (SSL_kEDH|(SSL_AUTH_MASK^SSL_aNULL))
#define SSL_kKRB5 0x00000010L /* Kerberos5 key exchange */
#define SSL_kECDHr 0x00000020L /* ECDH cert, RSA CA cert */
#define SSL_kECDHe 0x00000040L /* ECDH cert, ECDSA CA cert */
#define SSL_kECDH (SSL_kECDHr|SSL_kECDHe)
#define SSL_kEECDH 0x00000080L /* ephemeral ECDH */
#define SSL_EECDH (SSL_kEECDH|(SSL_AUTH_MASK^SSL_aNULL))
#define SSL_kPSK 0x20000000L /* PSK */
#define SSL_AUTH_MASK 0x10007f00L
#define SSL_aRSA 0x00000100L /* RSA auth */
#define SSL_aDSS 0x00000200L /* DSS auth */
#define SSL_DSS SSL_aDSS
#define SSL_aNULL 0x00000400L /* no auth (i.e. use ADH or AECDH) */
#define SSL_aDH 0x00000800L /* Fixed DH auth (kDHd or kDHr) */ /* no such ciphersuites supported! */
#define SSL_aECDH 0x00001000L /* Fixed ECDH auth (kECDHe or kECDHr) */
#define SSL_aKRB5 0x00002000L /* KRB5 auth */
#define SSL_aECDSA 0x00004000L /* ECDSA auth*/
#define SSL_ECDSA SSL_aECDSA
#define SSL_aPSK 0x10000000L /* PSK auth */
#define SSL_NULL (SSL_eNULL)
#define SSL_RSA (SSL_kRSA|SSL_aRSA)
#define SSL_DH (SSL_kDHr|SSL_kDHd|SSL_kEDH)
#define SSL_ADH (SSL_kEDH|SSL_aNULL)
#define SSL_ECDH (SSL_kECDH|SSL_kEECDH)
#define SSL_AECDH (SSL_kEECDH|SSL_aNULL)
#define SSL_KRB5 (SSL_kKRB5|SSL_aKRB5)
#define SSL_PSK (SSL_kPSK|SSL_aPSK)
#define SSL_ENC_MASK 0x0C3F8000L
#define SSL_DES 0x00008000L
#define SSL_3DES 0x00010000L
#define SSL_RC4 0x00020000L
#define SSL_RC2 0x00040000L
#define SSL_IDEA 0x00080000L
#define SSL_eNULL 0x00200000L
#define SSL_AES 0x04000000L
#define SSL_CAMELLIA 0x08000000L
#define SSL_MAC_MASK 0x00c00000L
#define SSL_MD5 0x00400000L
#define SSL_SHA1 0x00800000L
#define SSL_SHA (SSL_SHA1)
#define SSL_SSL_MASK 0x03000000L
#define SSL_SSLV2 0x01000000L
#define SSL_SSLV3 0x02000000L
#define SSL_kPSK 0x00000100L /* PSK */
/* Bits for algorithm_auth (server authentication) */
#define SSL_aRSA 0x00000001L /* RSA auth */
#define SSL_aDSS 0x00000002L /* DSS auth */
#define SSL_aNULL 0x00000004L /* no auth (i.e. use ADH or AECDH) */
#define SSL_aDH 0x00000008L /* Fixed DH auth (kDHd or kDHr) */ /* no such ciphersuites supported! */
#define SSL_aECDH 0x00000010L /* Fixed ECDH auth (kECDHe or kECDHr) */
#define SSL_aKRB5 0x00000020L /* KRB5 auth */
#define SSL_aECDSA 0x00000040L /* ECDSA auth*/
#define SSL_aPSK 0x00000080L /* PSK auth */
/* Bits for algorithm_enc (symmetric encryption) */
#define SSL_DES 0x00000001L
#define SSL_3DES 0x00000002L
#define SSL_RC4 0x00000004L
#define SSL_RC2 0x00000008L
#define SSL_IDEA 0x00000010L
#define SSL_eNULL 0x00000020L
#define SSL_AES128 0x00000040L
#define SSL_AES256 0x00000080L
#define SSL_CAMELLIA128 0x00000100L
#define SSL_CAMELLIA256 0x00000200L
#define SSL_AES (SSL_AES128|SSL_AES256)
#define SSL_CAMELLIA (SSL_CAMELLIA128|SSL_CAMELLIA256)
/* Bits for algorithm_mac (symmetric authentication) */
#define SSL_MD5 0x00000001L
#define SSL_SHA1 0x00000002L
/* Bits for algorithm_ssl (protocol version) */
#define SSL_SSLV2 0x00000001L
#define SSL_SSLV3 0x00000002L
#define SSL_TLSV1 SSL_SSLV3 /* for now */
/* we have used 3fffffff - 2 bits left to go. */
/*
* Export and cipher strength information. For each cipher we have to decide
......@@ -348,10 +342,11 @@
* be possible.
*/
#define SSL_EXP_MASK 0x00000003L
#define SSL_STRONG_MASK 0x000000fcL
#define SSL_NOT_EXP 0x00000001L
#define SSL_EXPORT 0x00000002L
#define SSL_STRONG_MASK 0x000000fcL
#define SSL_STRONG_NONE 0x00000004L
#define SSL_EXP40 0x00000008L
#define SSL_MICRO (SSL_EXP40)
......@@ -384,17 +379,14 @@
#define SSL_C_IS_EXPORT40(c) SSL_IS_EXPORT40((c)->algo_strength)
#define SSL_EXPORT_KEYLENGTH(a,s) (SSL_IS_EXPORT40(s) ? 5 : \
((a)&SSL_ENC_MASK) == SSL_DES ? 8 : 7)
(a) == SSL_DES ? 8 : 7)
#define SSL_EXPORT_PKEYLENGTH(a) (SSL_IS_EXPORT40(a) ? 512 : 1024)
#define SSL_C_EXPORT_KEYLENGTH(c) SSL_EXPORT_KEYLENGTH((c)->algorithms, \
#define SSL_C_EXPORT_KEYLENGTH(c) SSL_EXPORT_KEYLENGTH((c)->algorithm_enc, \
(c)->algo_strength)
#define SSL_C_EXPORT_PKEYLENGTH(c) SSL_EXPORT_PKEYLENGTH((c)->algo_strength)
#define SSL_ALL 0xffffffffL
#define SSL_ALL_CIPHERS (SSL_MKEY_MASK|SSL_AUTH_MASK|SSL_ENC_MASK|\
SSL_MAC_MASK)
#define SSL_ALL_STRENGTHS (SSL_EXP_MASK|SSL_STRONG_MASK)
/* Mostly for SSLv3 */
#define SSL_PKEY_RSA_ENC 0
......@@ -444,8 +436,10 @@ typedef struct cert_st
/* The following masks are for the key and auth
* algorithms that are supported by the certs below */
int valid;
unsigned long mask;
unsigned long export_mask;
unsigned long mask_k;
unsigned long mask_a;
unsigned long export_mask_k;
unsigned long export_mask_a;
#ifndef OPENSSL_NO_RSA
RSA *rsa_tmp;
RSA *(*rsa_tmp_cb)(SSL *ssl,int is_export,int keysize);
......
ssl/t1_enc.c
浏览文件 @ 52b8dad8
......@@ -56,7 +56,7 @@
* [including the GNU Public Licence.]
*/
/* ====================================================================
* Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
* Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
......@@ -274,8 +274,10 @@ int tls1_change_cipher_state(SSL *s, int which)
#ifdef KSSL_DEBUG
printf("tls1_change_cipher_state(which= %d) w/\n", which);
printf("\talg= %ld, comp= %p\n", s->s3->tmp.new_cipher->algorithms,
comp);
printf("\talg= %ld/%ld, comp= %p\n",
s->s3->tmp.new_cipher->algorithm_mkey,
s->s3->tmp.new_cipher->algorithm_auth,
comp);
printf("\tevp_cipher == %p ==? &d_cbc_ede_cipher3\n", c);
printf("\tevp_cipher: nid, blksz= %d, %d, keylen=%d, ivlen=%d\n",
c->nid,c->block_size,c->key_len,c->iv_len);
......@@ -531,11 +533,11 @@ printf("\nkey block\n");
if (s->session->cipher != NULL)
{
if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_eNULL)
if (s->session->cipher->algorithm_enc == SSL_eNULL)
s->s3->need_empty_fragments = 0;
#ifndef OPENSSL_NO_RC4
if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4)
if (s->session->cipher->algorithm_enc == SSL_RC4)
s->s3->need_empty_fragments = 0;
#endif
}
......
ssl/t1_lib.c
浏览文件 @ 52b8dad8
此差异已折叠。
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册