Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
OpenHarmony
Third Party Openssl
提交
8711efb4
T
Third Party Openssl
项目概览
OpenHarmony
/
Third Party Openssl
1 年多 前同步成功
通知
9
Star
18
Fork
1
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
T
Third Party Openssl
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
提交
8711efb4
编写于
4月 20, 2009
作者:
D
Dr. Stephen Henson
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
Updates from 1.0.0-stable branch.
上级
e5fa864f
变更
33
隐藏空白更改
内联
并排
Showing
33 changed file
with
97 addition
and
73 deletion
+97
-73
CHANGES.SSLeay
CHANGES.SSLeay
+1
-1
apps/cms.c
apps/cms.c
+1
-1
apps/s_server.c
apps/s_server.c
+1
-1
crypto/cryptlib.c
crypto/cryptlib.c
+1
-1
crypto/mem_dbg.c
crypto/mem_dbg.c
+1
-1
crypto/symhacks.h
crypto/symhacks.h
+1
-1
crypto/x509v3/v3_crld.c
crypto/x509v3/v3_crld.c
+1
-1
crypto/x509v3/v3_pci.c
crypto/x509v3/v3_pci.c
+2
-2
crypto/x509v3/v3err.c
crypto/x509v3/v3err.c
+3
-3
crypto/x509v3/x509v3.h
crypto/x509v3/x509v3.h
+3
-3
doc/crypto/BIO_s_mem.pod
doc/crypto/BIO_s_mem.pod
+1
-1
doc/ssleay.txt
doc/ssleay.txt
+13
-13
e_os.h
e_os.h
+4
-4
e_os2.h
e_os2.h
+1
-1
engines/ccgost/gost94_keyx.c
engines/ccgost/gost94_keyx.c
+1
-1
engines/ccgost/gost_sign.c
engines/ccgost/gost_sign.c
+1
-1
ssl/d1_both.c
ssl/d1_both.c
+13
-4
ssl/d1_clnt.c
ssl/d1_clnt.c
+3
-2
ssl/d1_lib.c
ssl/d1_lib.c
+4
-1
ssl/d1_pkt.c
ssl/d1_pkt.c
+10
-4
ssl/d1_srvr.c
ssl/d1_srvr.c
+2
-1
ssl/dtls1.h
ssl/dtls1.h
+1
-0
ssl/kssl.c
ssl/kssl.c
+0
-5
ssl/s3_clnt.c
ssl/s3_clnt.c
+1
-1
ssl/s3_enc.c
ssl/s3_enc.c
+1
-1
ssl/s3_pkt.c
ssl/s3_pkt.c
+5
-5
ssl/s3_srvr.c
ssl/s3_srvr.c
+1
-1
ssl/ssl.h
ssl/ssl.h
+2
-0
ssl/ssl_lib.c
ssl/ssl_lib.c
+2
-1
ssl/ssl_sess.c
ssl/ssl_sess.c
+5
-0
ssl/t1_enc.c
ssl/t1_enc.c
+2
-2
test/times
test/times
+8
-8
times/x86/des3s.cpp
times/x86/des3s.cpp
+1
-1
未找到文件。
CHANGES.SSLeay
浏览文件 @
8711efb4
...
...
@@ -148,7 +148,7 @@ eric (about to go bushwalking for the 4 day easter break :-)
This would tend to cause memory overwrites since SSLv3 has
a maximum packet size of 16k. If your program uses
buffers <= 16k, you would probably never see this problem.
- Fixed a
n
ew errors that were cause by malloc() not returning
- Fixed a
f
ew errors that were cause by malloc() not returning
0 initialised memory..
- SSL_OP_NETSCAPE_CA_DN_BUG was being switched on when using
SSL_CTX_set_options(ssl_ctx,SSL_OP_ALL); which was a bad thing
...
...
apps/cms.c
浏览文件 @
8711efb4
...
...
@@ -704,7 +704,7 @@ int MAIN(int argc, char **argv)
if
(
secret_key
&&
!
secret_keyid
)
{
BIO_printf
(
bio_err
,
"No sec
tre
key id
\n
"
);
BIO_printf
(
bio_err
,
"No sec
ret
key id
\n
"
);
goto
end
;
}
...
...
apps/s_server.c
浏览文件 @
8711efb4
...
...
@@ -671,7 +671,7 @@ static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
return
p
->
extension_error
;
if
(
ctx2
)
{
BIO_printf
(
p
->
biodebug
,
"Swiching server context.
\n
"
);
BIO_printf
(
p
->
biodebug
,
"Swi
t
ching server context.
\n
"
);
SSL_set_SSL_CTX
(
s
,
ctx2
);
}
}
...
...
crypto/cryptlib.c
浏览文件 @
8711efb4
...
...
@@ -205,7 +205,7 @@ int CRYPTO_get_new_lockid(char *name)
#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_WIN16)
/* A hack to make Visual C++ 5.0 work correctly when linking as
* a DLL using /MT. Without this, the application cannot use
* an
d
floating point printf's.
* an
y
floating point printf's.
* It also seems to be needed for Visual C 1.5 (win16) */
SSLeay_MSVC5_hack
=
(
double
)
name
[
0
]
*
(
double
)
name
[
1
];
#endif
...
...
crypto/mem_dbg.c
浏览文件 @
8711efb4
...
...
@@ -787,7 +787,7 @@ void CRYPTO_mem_leaks(BIO *b)
* XXX This should be in CRYPTO_mem_leaks_cb,
* and CRYPTO_mem_leaks should be implemented by
* using CRYPTO_mem_leaks_cb.
* (Also the
ir
should be a variant of lh_doall_arg
* (Also the
re
should be a variant of lh_doall_arg
* that takes a function pointer instead of a void *;
* this would obviate the ugly and illegal
* void_fn_to_char kludge in CRYPTO_mem_leaks_cb.
...
...
crypto/symhacks.h
浏览文件 @
8711efb4
...
...
@@ -382,7 +382,7 @@
#endif
/* defined OPENSSL_SYS_VMS */
/* Case insensit
e
ve linking causes problems.... */
/* Case insensit
i
ve linking causes problems.... */
#if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_OS2)
#undef ERR_load_CRYPTO_strings
#define ERR_load_CRYPTO_strings ERR_load_CRYPTOlib_strings
...
...
crypto/x509v3/v3_crld.c
浏览文件 @
8711efb4
...
...
@@ -152,7 +152,7 @@ static int set_dist_point_name(DIST_POINT_NAME **pdp, X509V3_CTX *ctx,
sk_X509_NAME_ENTRY_num
(
rnm
)
-
1
)
->
set
)
{
X509V3err
(
X509V3_F_SET_DIST_POINT_NAME
,
X509V3_R_INVAID_MULTIPLE_RDNS
);
X509V3_R_INVA
L
ID_MULTIPLE_RDNS
);
goto
err
;
}
}
...
...
crypto/x509v3/v3_pci.c
浏览文件 @
8711efb4
...
...
@@ -82,7 +82,7 @@ static int process_pci_value(CONF_VALUE *val,
{
if
(
*
language
)
{
X509V3err
(
X509V3_F_PROCESS_PCI_VALUE
,
X509V3_R_POLICY_LANGUAGE_ALREAD
T
Y_DEFINED
);
X509V3err
(
X509V3_F_PROCESS_PCI_VALUE
,
X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED
);
X509V3_conf_err
(
val
);
return
0
;
}
...
...
@@ -97,7 +97,7 @@ static int process_pci_value(CONF_VALUE *val,
{
if
(
*
pathlen
)
{
X509V3err
(
X509V3_F_PROCESS_PCI_VALUE
,
X509V3_R_POLICY_PATH_LENGTH_ALREAD
T
Y_DEFINED
);
X509V3err
(
X509V3_F_PROCESS_PCI_VALUE
,
X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED
);
X509V3_conf_err
(
val
);
return
0
;
}
...
...
crypto/x509v3/v3err.c
浏览文件 @
8711efb4
...
...
@@ -159,7 +159,7 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
{
ERR_REASON
(
X509V3_R_ILLEGAL_EMPTY_EXTENSION
),
"illegal empty extension"
},
{
ERR_REASON
(
X509V3_R_ILLEGAL_HEX_DIGIT
)
,
"illegal hex digit"
},
{
ERR_REASON
(
X509V3_R_INCORRECT_POLICY_SYNTAX_TAG
),
"incorrect policy syntax tag"
},
{
ERR_REASON
(
X509V3_R_INVA
ID_MULTIPLE_RDNS
),
"inva
id multiple rdns"
},
{
ERR_REASON
(
X509V3_R_INVA
LID_MULTIPLE_RDNS
),
"inval
id multiple rdns"
},
{
ERR_REASON
(
X509V3_R_INVALID_ASNUMBER
)
,
"invalid asnumber"
},
{
ERR_REASON
(
X509V3_R_INVALID_ASRANGE
)
,
"invalid asrange"
},
{
ERR_REASON
(
X509V3_R_INVALID_BOOLEAN_STRING
),
"invalid boolean string"
},
...
...
@@ -193,9 +193,9 @@ static ERR_STRING_DATA X509V3_str_reasons[]=
{
ERR_REASON
(
X509V3_R_ODD_NUMBER_OF_DIGITS
),
"odd number of digits"
},
{
ERR_REASON
(
X509V3_R_OPERATION_NOT_DEFINED
),
"operation not defined"
},
{
ERR_REASON
(
X509V3_R_OTHERNAME_ERROR
)
,
"othername error"
},
{
ERR_REASON
(
X509V3_R_POLICY_LANGUAGE_ALREAD
TY_DEFINED
),
"policy language alreadt
y defined"
},
{
ERR_REASON
(
X509V3_R_POLICY_LANGUAGE_ALREAD
Y_DEFINED
),
"policy language alread
y defined"
},
{
ERR_REASON
(
X509V3_R_POLICY_PATH_LENGTH
)
,
"policy path length"
},
{
ERR_REASON
(
X509V3_R_POLICY_PATH_LENGTH_ALREAD
TY_DEFINED
),
"policy path length alreadt
y defined"
},
{
ERR_REASON
(
X509V3_R_POLICY_PATH_LENGTH_ALREAD
Y_DEFINED
),
"policy path length alread
y defined"
},
{
ERR_REASON
(
X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED
),
"policy syntax not currently supported"
},
{
ERR_REASON
(
X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY
),
"policy when proxy language requires no policy"
},
{
ERR_REASON
(
X509V3_R_SECTION_NOT_FOUND
)
,
"section not found"
},
...
...
crypto/x509v3/x509v3.h
浏览文件 @
8711efb4
...
...
@@ -951,7 +951,7 @@ void ERR_load_X509V3_strings(void);
#define X509V3_R_ILLEGAL_EMPTY_EXTENSION 151
#define X509V3_R_ILLEGAL_HEX_DIGIT 113
#define X509V3_R_INCORRECT_POLICY_SYNTAX_TAG 152
#define X509V3_R_INVAID_MULTIPLE_RDNS 161
#define X509V3_R_INVA
L
ID_MULTIPLE_RDNS 161
#define X509V3_R_INVALID_ASNUMBER 162
#define X509V3_R_INVALID_ASRANGE 163
#define X509V3_R_INVALID_BOOLEAN_STRING 104
...
...
@@ -985,9 +985,9 @@ void ERR_load_X509V3_strings(void);
#define X509V3_R_ODD_NUMBER_OF_DIGITS 112
#define X509V3_R_OPERATION_NOT_DEFINED 148
#define X509V3_R_OTHERNAME_ERROR 147
#define X509V3_R_POLICY_LANGUAGE_ALREAD
T
Y_DEFINED 155
#define X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED 155
#define X509V3_R_POLICY_PATH_LENGTH 156
#define X509V3_R_POLICY_PATH_LENGTH_ALREAD
T
Y_DEFINED 157
#define X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED 157
#define X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED 158
#define X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY 159
#define X509V3_R_SECTION_NOT_FOUND 150
...
...
doc/crypto/BIO_s_mem.pod
浏览文件 @
8711efb4
...
...
@@ -74,7 +74,7 @@ Writes to memory BIOs will always succeed if memory is available: that is
their size can grow indefinitely.
Every read from a read write memory BIO will remove the data just read with
an internal copy operation, if a BIO contains a lot
s
of data and it is
an internal copy operation, if a BIO contains a lot of data and it is
read in small chunks the operation can be very slow. The use of a read only
memory BIO avoids this problem. If the BIO must be read write then adding
a buffering BIO to the chain will speed up the process.
...
...
doc/ssleay.txt
浏览文件 @
8711efb4
...
...
@@ -20,7 +20,7 @@ don't do that.
==== readme ========================================================
This is the old 0.6.6 docuementation. Most of the cipher stuff is still
relevent but I'm working (very slowly) on new docu
em
tation.
relevent but I'm working (very slowly) on new docu
men
tation.
The current version can be found online at
http://www.cryptsoft.com/ssleay/doc
...
...
@@ -548,8 +548,8 @@ application, ssleay. This one program is composed of many programs that
can all be compiled independantly.
ssleay has 3 modes of operation.
1) If the ssleay binar
a
y has the name of one of its component programs, it
executes that program and then exits. This can be achieve by using hard or
1) If the ssleay binary has the name of one of its component programs, it
executes that program and then exits. This can be achieve
d
by using hard or
symbolic links, or failing that, just renaming the binary.
2) If the first argument to ssleay is the name of one of the component
programs, that program runs that program and then exits.
...
...
@@ -1185,7 +1185,7 @@ typedef struct bio_st
example is for BIO_s_sock(). A socket needs to be
assigned to the BIO before it can be used.
- 'shutdown', this flag indicates if the underlying
com
unication prima
tive being used should be closed/freed
com
munication primi
tive being used should be closed/freed
when the BIO is closed.
- 'flags' is used to hold extra state. It is primarily used
to hold information about why a non-blocking operation
...
...
@@ -1799,7 +1799,7 @@ int BN_set_word(BIGNUM *a, unsigned long w);
unsigned long BN_get_word(BIGNUM *a);
Returns 'a' in an unsigned long. Not remarkably, often 'a' will
be biger than a word, in which case 0xffffffffL is returned.
be big
g
er than a word, in which case 0xffffffffL is returned.
Word Operations
These functions are much more efficient that the normal bignum arithmetic
...
...
@@ -2058,7 +2058,7 @@ Now you will notice that macros like
PEM_ASN1_write((int (*)())i2d_X509,PEM_STRING_X509,fp, \
(char *)x, NULL,NULL,0,NULL)
Don't do encryption normally. If you want to PEM encrypt your X509 structure,
either just call PEM_ASN1_write directly or just define you own
either just call PEM_ASN1_write directly or just define you
r
own
macro variant. As you can see, this macro just sets all encryption related
parameters to NULL.
...
...
@@ -5566,7 +5566,7 @@ These 2 functions create and destroy SSL_CTX structures
The SSL_CTX has a session_cache_mode which is by default,
in SSL_SESS_CACHE_SERVER mode. What this means is that the library
will automatically add new session-id's to the cache
apon sucs
essful
will automatically add new session-id's to the cache
upon succ
essful
SSL_accept() calls.
If SSL_SESS_CACHE_CLIENT is set, then client certificates are also added
to the cache.
...
...
@@ -5580,12 +5580,12 @@ SSL_SESS_NO_CACHE_BOTH - Either SSL_accept() or SSL_connect().
If SSL_SESS_CACHE_NO_AUTO_CLEAR is set, old timed out sessions are
not automatically removed each 255, SSL_connect()s or SSL_accept()s.
By default,
a
pon every 255 successful SSL_connect() or SSL_accept()s,
By default,
u
pon every 255 successful SSL_connect() or SSL_accept()s,
the cache is flush. Please note that this could be expensive on
a heavily loaded SSL server, in which case, turn this off and
clear the cache of old entries 'manually' (with one of the functions
listed below) every few hours. Perhaps I should up this number, it is hard
to say. Remember, the '255' new calls is just a mechani
ms
to get called
to say. Remember, the '255' new calls is just a mechani
sm
to get called
every now and then, in theory at most 255 new session-id's will have been
added but if 100 are added every minute, you would still have
500 in the cache before any would start being flushed (assuming a 3 minute
...
...
@@ -5628,10 +5628,10 @@ if copy is 1. Otherwise, the reference count is not modified.
void SSL_CTX_sess_set_get_cb(ctx,cb) sets the callback and
int (*cb)()SSL_CTX_sess_get_get_cb(ctx) returns the callback.
These callbacks are basically in
d
ended to be used by processes to
These callbacks are basically in
t
ended to be used by processes to
send their session-id's to other processes. I currently have not implemented
non-blocking semantics for these callbacks, it is upto the appication
to make the callbacks effi
ec
ent if they require blocking (perhaps
non-blocking semantics for these callbacks, it is upto the app
l
ication
to make the callbacks effi
ci
ent if they require blocking (perhaps
by 'saving' them and then 'posting them' when control returns from
the SSL_accept().
...
...
@@ -6589,7 +6589,7 @@ This information can be used to recall the functions when the 'error'
condition has dissapeared.
After the connection has been made, information can be retrived about the
SSL session and the session-id values that have been decided
a
pon.
SSL session and the session-id values that have been decided
u
pon.
The 'peer' certificate can be retrieved.
The session-id values include
...
...
e_os.h
浏览文件 @
8711efb4
...
...
@@ -112,7 +112,7 @@ extern "C" {
/********************************************************************
The Microsoft section
********************************************************************/
/* The following is used becaue of the small stack in some
/* The following is used becau
s
e of the small stack in some
* Microsoft operating systems */
#if defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYSNAME_WIN32)
# define MS_STATIC static
...
...
@@ -275,14 +275,14 @@ extern "C" {
# if !defined(OPENSSL_NO_SOCK) && defined(_WIN32_WINNT)
/*
* Just like defining _WIN32_WINNT including winsock2.h implies
* certain "discipline" for maintaing [broad] binary compatibility.
* certain "discipline" for maintain
in
g [broad] binary compatibility.
* As long as structures are invariant among Winsock versions,
* it's sufficient to check for specific Winsock2 API availability
* at run-time [DSO_global_lookup is recommended]...
*/
# include <winsock2.h>
# include <ws2tcpip.h>
/* yes, they have to be #included prior <windows.h> */
/* yes, they have to be #included prior
to
<windows.h> */
# endif
# include <windows.h>
# include <stdio.h>
...
...
@@ -372,7 +372,7 @@ static unsigned int _strlen31(const char *str)
# define DEFAULT_HOME "C:"
# endif
#else
/* The non-microsoft world
world
*/
#else
/* The non-microsoft world */
# ifdef OPENSSL_SYS_VMS
# define VMS 1
...
...
e_os2.h
浏览文件 @
8711efb4
...
...
@@ -262,7 +262,7 @@ extern "C" {
#define OPENSSL_EXTERN OPENSSL_IMPORT
/* Macros to allow global variables to be reached through function calls when
required (if a shared library version requ
v
res it, for example.
required (if a shared library version requ
i
res it, for example.
The way it's done allows definitions like this:
// in foobar.c
...
...
engines/ccgost/gost94_keyx.c
浏览文件 @
8711efb4
...
...
@@ -25,7 +25,7 @@
/* Computes Diffie-Hellman key and stores it into buffer in
* little-endian byte order as expected by both versions of GOST 94
* algori
g
thm
* algorithm
*/
static
int
compute_pair_key_le
(
unsigned
char
*
pair_key
,
BIGNUM
*
pub_key
,
DH
*
dh
)
{
...
...
engines/ccgost/gost_sign.c
浏览文件 @
8711efb4
...
...
@@ -3,7 +3,7 @@
* Copyright (c) 2005-2006 Cryptocom LTD *
* This file is distributed under the same license as OpenSSL *
* *
* Implementation of GOST R 34.10-94 signature algorit
gthm
*
* Implementation of GOST R 34.10-94 signature algorit
hm
*
* for OpenSSL *
* Requires OpenSSL 0.9.9 for compilation *
**********************************************************************/
...
...
ssl/d1_both.c
浏览文件 @
8711efb4
...
...
@@ -300,7 +300,7 @@ int dtls1_do_write(SSL *s, int type)
const
struct
hm_header_st
*
msg_hdr
=
&
s
->
d1
->
w_msg_hdr
;
int
xlen
;
if
(
frag_off
==
0
)
if
(
frag_off
==
0
&&
s
->
version
!=
DTLS1_BAD_VER
)
{
/* reconstruct message header is if it
* is being sent in single fragment */
...
...
@@ -407,8 +407,10 @@ long dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
s2n
(
msg_hdr
->
seq
,
p
);
l2n3
(
0
,
p
);
l2n3
(
msg_len
,
p
);
p
-=
DTLS1_HM_HEADER_LENGTH
;
msg_len
+=
DTLS1_HM_HEADER_LENGTH
;
if
(
s
->
version
!=
DTLS1_BAD_VER
)
{
p
-=
DTLS1_HM_HEADER_LENGTH
;
msg_len
+=
DTLS1_HM_HEADER_LENGTH
;
}
ssl3_finish_mac
(
s
,
p
,
msg_len
);
if
(
s
->
msg_callback
)
...
...
@@ -775,6 +777,13 @@ int dtls1_send_change_cipher_spec(SSL *s, int a, int b)
*
p
++=
SSL3_MT_CCS
;
s
->
d1
->
handshake_write_seq
=
s
->
d1
->
next_handshake_write_seq
;
s
->
init_num
=
DTLS1_CCS_HEADER_LENGTH
;
if
(
s
->
version
==
DTLS1_BAD_VER
)
{
s
->
d1
->
next_handshake_write_seq
++
;
s2n
(
s
->
d1
->
handshake_write_seq
,
p
);
s
->
init_num
+=
2
;
}
s
->
init_off
=
0
;
dtls1_set_message_header_int
(
s
,
SSL3_MT_CCS
,
0
,
...
...
@@ -989,7 +998,7 @@ dtls1_buffer_message(SSL *s, int is_ccs)
if
(
is_ccs
)
{
OPENSSL_assert
(
s
->
d1
->
w_msg_hdr
.
msg_len
+
DTLS1_CCS_HEADER_LENGTH
==
(
unsigned
int
)
s
->
init_num
);
((
s
->
version
==
DTLS1_VERSION
)
?
DTLS1_CCS_HEADER_LENGTH
:
3
)
==
(
unsigned
int
)
s
->
init_num
);
}
else
{
...
...
ssl/d1_clnt.c
浏览文件 @
8711efb4
...
...
@@ -130,7 +130,7 @@ static int dtls1_get_hello_verify(SSL *s);
static
const
SSL_METHOD
*
dtls1_get_client_method
(
int
ver
)
{
if
(
ver
==
DTLS1_VERSION
)
if
(
ver
==
DTLS1_VERSION
||
ver
==
DTLS1_BAD_VER
)
return
(
DTLSv1_client_method
());
else
return
(
NULL
);
...
...
@@ -181,7 +181,8 @@ int dtls1_connect(SSL *s)
s
->
server
=
0
;
if
(
cb
!=
NULL
)
cb
(
s
,
SSL_CB_HANDSHAKE_START
,
1
);
if
((
s
->
version
&
0xff00
)
!=
(
DTLS1_VERSION
&
0xff00
))
if
((
s
->
version
&
0xff00
)
!=
(
DTLS1_VERSION
&
0xff00
)
&&
(
s
->
version
&
0xff00
)
!=
(
DTLS1_BAD_VER
&
0xff00
))
{
SSLerr
(
SSL_F_DTLS1_CONNECT
,
ERR_R_INTERNAL_ERROR
);
ret
=
-
1
;
...
...
ssl/d1_lib.c
浏览文件 @
8711efb4
...
...
@@ -176,7 +176,10 @@ void dtls1_free(SSL *s)
void
dtls1_clear
(
SSL
*
s
)
{
ssl3_clear
(
s
);
s
->
version
=
DTLS1_VERSION
;
if
(
s
->
options
&
SSL_OP_CISCO_ANYCONNECT
)
s
->
version
=
DTLS1_BAD_VER
;
else
s
->
version
=
DTLS1_VERSION
;
}
/*
...
...
ssl/d1_pkt.c
浏览文件 @
8711efb4
...
...
@@ -591,7 +591,7 @@ again:
}
}
if
((
version
&
0xff00
)
!=
(
DTLS1_VERSION
&
0xff00
))
if
((
version
&
0xff00
)
!=
(
s
->
version
&
0xff00
))
{
SSLerr
(
SSL_F_DTLS1_GET_RECORD
,
SSL_R_WRONG_VERSION_NUMBER
);
goto
err
;
...
...
@@ -1067,13 +1067,17 @@ start:
if
(
rr
->
type
==
SSL3_RT_CHANGE_CIPHER_SPEC
)
{
struct
ccs_header_st
ccs_hdr
;
int
ccs_hdr_len
=
DTLS1_CCS_HEADER_LENGTH
;
dtls1_get_ccs_header
(
rr
->
data
,
&
ccs_hdr
);
if
(
s
->
version
==
DTLS1_BAD_VER
)
ccs_hdr_len
=
3
;
/* 'Change Cipher Spec' is just a single byte, so we know
* exactly what the record payload has to look like */
/* XDTLS: check that epoch is consistent */
if
(
(
rr
->
length
!=
DTLS1_CCS_HEADER_LENGTH
)
||
if
(
(
rr
->
length
!=
ccs_hdr_len
)
||
(
rr
->
off
!=
0
)
||
(
rr
->
data
[
0
]
!=
SSL3_MT_CCS
))
{
i
=
SSL_AD_ILLEGAL_PARAMETER
;
...
...
@@ -1094,6 +1098,9 @@ start:
/* do this whenever CCS is processed */
dtls1_reset_seq_numbers
(
s
,
SSL3_CC_READ
);
if
(
s
->
version
==
DTLS1_BAD_VER
)
s
->
d1
->
handshake_read_seq
++
;
goto
start
;
}
...
...
@@ -1401,7 +1408,7 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len,
#if 0
/* 'create_empty_fragment' is true only when this function calls itself */
if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done
&& SSL_version(s) != DTLS1_VERSION
)
&& SSL_version(s) != DTLS1_VERSION && SSL_version(s) != DTLS1_BAD_VER
)
{
/* countermeasure against known-IV weakness in CBC ciphersuites
* (see http://www.openssl.org/~bodo/tls-cbc.txt)
...
...
@@ -1428,7 +1435,6 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len,
s->s3->empty_fragment_done = 1;
}
#endif
p
=
wb
->
buf
+
prefix_len
;
/* write the header */
...
...
ssl/d1_srvr.c
浏览文件 @
8711efb4
...
...
@@ -292,7 +292,8 @@ int dtls1_accept(SSL *s)
s
->
s3
->
tmp
.
next_state
=
SSL3_ST_SR_CLNT_HELLO_A
;
/* HelloVerifyRequest resets Finished MAC */
ssl3_init_finished_mac
(
s
);
if
(
s
->
version
!=
DTLS1_BAD_VER
)
ssl3_init_finished_mac
(
s
);
break
;
case
SSL3_ST_SW_SRVR_HELLO_A
:
...
...
ssl/dtls1.h
浏览文件 @
8711efb4
...
...
@@ -68,6 +68,7 @@ extern "C" {
#endif
#define DTLS1_VERSION 0xFEFF
#define DTLS1_BAD_VER 0x0100
#if 0
/* this alert description is not specified anywhere... */
...
...
ssl/kssl.c
浏览文件 @
8711efb4
...
...
@@ -68,11 +68,6 @@
#include <openssl/opensslconf.h>
#define _XOPEN_SOURCE 500
/* glibc2 needs this to declare strptime() */
#include <time.h>
#if 0 /* Experimental */
#undef _XOPEN_SOURCE /* To avoid clashes with anything else... */
#endif
#include <string.h>
#define KRB5_PRIVATE 1
...
...
ssl/s3_clnt.c
浏览文件 @
8711efb4
...
...
@@ -737,7 +737,7 @@ int ssl3_get_server_hello(SSL *s)
if
(
!
ok
)
return
((
int
)
n
);
if
(
SSL_version
(
s
)
==
DTLS1_VERSION
)
if
(
SSL_version
(
s
)
==
DTLS1_VERSION
||
SSL_version
(
s
)
==
DTLS1_BAD_VER
)
{
if
(
s
->
s3
->
tmp
.
message_type
==
DTLS1_MT_HELLO_VERIFY_REQUEST
)
{
...
...
ssl/s3_enc.c
浏览文件 @
8711efb4
...
...
@@ -655,7 +655,7 @@ static int ssl3_handshake_mac(SSL *s, int md_nid,
if
(
!
ssl3_digest_cached_records
(
s
))
return
0
;
/* Search for d
jgest of specified type
in the handshake_dgst
/* Search for d
igest of specified type
in the handshake_dgst
* array*/
for
(
i
=
0
;
i
<
SSL_MAX_DIGEST
;
i
++
)
{
...
...
ssl/s3_pkt.c
浏览文件 @
8711efb4
...
...
@@ -177,8 +177,8 @@ int ssl3_read_n(SSL *s, int n, int max, int extend)
}
/* extend reads should not span multiple packets for DTLS */
if
(
SSL_version
(
s
)
==
DTLS1_VERSION
&&
extend
)
if
(
(
SSL_version
(
s
)
==
DTLS1_VERSION
||
SSL_version
(
s
)
==
DTLS1_BAD_VER
)
&&
extend
)
{
if
(
left
>
0
&&
n
>
left
)
n
=
left
;
...
...
@@ -836,9 +836,9 @@ int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
return
(
s
->
s3
->
wpend_ret
);
}
else
if
(
i
<=
0
)
{
if
(
s
->
version
==
DTLS1_VERSION
)
{
/* For DTLS, just drop it. That's kind of the wh
ole
if
(
s
->
version
==
DTLS1_VERSION
||
s
->
version
==
DTLS1_BAD_VER
)
{
/* For DTLS, just drop it. That's kind of the wh
ole
point in using a datagram service */
wb
->
left
=
0
;
}
...
...
ssl/s3_srvr.c
浏览文件 @
8711efb4
...
...
@@ -1920,7 +1920,7 @@ int ssl3_get_client_key_exchange(SSL *s)
}
/* TLS and [incidentally] DTLS{0xFEFF} */
if
(
s
->
version
>
SSL3_VERSION
)
if
(
s
->
version
>
SSL3_VERSION
&&
s
->
version
!=
DTLS1_BAD_VER
)
{
n2s
(
p
,
i
);
if
(
n
!=
i
+
2
)
...
...
ssl/ssl.h
浏览文件 @
8711efb4
...
...
@@ -542,6 +542,8 @@ typedef struct ssl_session_st
#define SSL_OP_COOKIE_EXCHANGE 0x00002000L
/* Don't use RFC4507 ticket extension */
#define SSL_OP_NO_TICKET 0x00004000L
/* Use Cisco's "speshul" version of DTLS_BAD_VER (as client) */
#define SSL_OP_CISCO_ANYCONNECT 0x00008000L
/* As server, disallow session resumption on renegotiation */
#define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0x00010000L
...
...
ssl/ssl_lib.c
浏览文件 @
8711efb4
...
...
@@ -1038,7 +1038,8 @@ long SSL_ctrl(SSL *s,int cmd,long larg,void *parg)
s
->
max_cert_list
=
larg
;
return
(
l
);
case
SSL_CTRL_SET_MTU
:
if
(
SSL_version
(
s
)
==
DTLS1_VERSION
)
if
(
SSL_version
(
s
)
==
DTLS1_VERSION
||
SSL_version
(
s
)
==
DTLS1_BAD_VER
)
{
s
->
d1
->
mtu
=
larg
;
return
larg
;
...
...
ssl/ssl_sess.c
浏览文件 @
8711efb4
...
...
@@ -300,6 +300,11 @@ int ssl_get_new_session(SSL *s, int session)
ss
->
ssl_version
=
TLS1_VERSION
;
ss
->
session_id_length
=
SSL3_SSL_SESSION_ID_LENGTH
;
}
else
if
(
s
->
version
==
DTLS1_BAD_VER
)
{
ss
->
ssl_version
=
DTLS1_BAD_VER
;
ss
->
session_id_length
=
SSL3_SSL_SESSION_ID_LENGTH
;
}
else
if
(
s
->
version
==
DTLS1_VERSION
)
{
ss
->
ssl_version
=
DTLS1_VERSION
;
...
...
ssl/t1_enc.c
浏览文件 @
8711efb4
...
...
@@ -882,7 +882,7 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
mac_ctx
=
&
hmac
;
}
if
(
ssl
->
version
==
DTLS1_VERSION
)
if
(
ssl
->
version
==
DTLS1_VERSION
||
ssl
->
version
==
DTLS1_BAD_VER
)
{
unsigned
char
dtlsseq
[
8
],
*
p
=
dtlsseq
;
...
...
@@ -911,7 +911,7 @@ printf("rec=");
{
unsigned
int
z
;
for
(
z
=
0
;
z
<
rec
->
length
;
z
++
)
printf
(
"%02X "
,
buf
[
z
]);
printf
(
"
\n
"
);
}
#endif
if
(
ssl
->
version
!=
DTLS1_VERSION
)
if
(
ssl
->
version
!=
DTLS1_VERSION
&&
ssl
->
version
!=
DTLS1_BAD_VER
)
{
for
(
i
=
7
;
i
>=
0
;
i
--
)
{
...
...
test/times
浏览文件 @
8711efb4
More number for the questions about SSL overheads....
The following numbers were generated on a
pentium pro 200, running l
inux.
The following numbers were generated on a
Pentium pro 200, running L
inux.
They give an indication of the SSL protocol and encryption overheads.
The program that generated them is an unreleased version of ssl/ssltest.c
...
...
@@ -11,7 +11,7 @@ interface.
How do I read this? The protocol and cipher are reasonable obvious.
The next number is the number of connections being made. The next is the
number of bytes exchanged be
wt
een the client and server side of the protocol.
number of bytes exchanged be
tw
een the client and server side of the protocol.
This is the number of bytes that the client sends to the server, and then
the server sends back. Because this is all happening in one process,
the data is being encrypted, decrypted, encrypted and then decrypted again.
...
...
@@ -55,10 +55,10 @@ SSLv3 DES-CBC3-SHA 1000 x 102400 336.61s 323.82s
What does this all mean? Well for a server, with no session-id reuse, with
a transfer size of 10240 bytes, using RC4-MD5 and a 512bit server key,
a
pentium pro 200 running l
inux can handle the SSLv3 protocol overheads of
a
Pentium pro 200 running L
inux can handle the SSLv3 protocol overheads of
about 49 connections a second. Reality will be quite different :-).
Remeber the first number is 1000 full ssl handshakes, the second is
Reme
m
ber the first number is 1000 full ssl handshakes, the second is
1 full and 999 with session-id reuse. The RSA overheads for each exchange
would be one public and one private operation, but the protocol/MAC/cipher
cost would be quite similar in both the client and server.
...
...
@@ -72,21 +72,21 @@ eric (adding numbers to speculation)
killer in SSL. Often delays in the TCP protocol will make session-id
reuse look slower that new sessions, but this would not be the case on
a loaded server.
- The TCP round trip latencies, while slowing ind
er
vidual connections,
- The TCP round trip latencies, while slowing ind
i
vidual connections,
would have minimal impact on throughput.
- Instead of sending one 102400 byte buffer, one 8k buffer is sent until
- the required number of bytes are processed.
- The SSLv3 connections were actually SSLv2 compat
a
ble SSLv3 headers.
- The SSLv3 connections were actually SSLv2 compat
i
ble SSLv3 headers.
- A 512bit server key was being used except where noted.
- No server key verification was being performed on the client side of the
protocol. This would slow things down very little.
- The library being used is SSLeay 0.8.x.
- The normal me
sa
uring system was commands of the form
- The normal me
as
uring system was commands of the form
time ./ssltest -num 1000 -bytes 102400 -cipher DES-CBC-SHA -reuse
This modified version of ssltest should be in the next public release of
SSLeay.
The general cipher performace number for this platform are
The general cipher performa
n
ce number for this platform are
SSLeay 0.8.2a 04-Sep-1997
built on Fri Sep 5 17:37:05 EST 1997
...
...
times/x86/des3s.cpp
浏览文件 @
8711efb4
...
...
@@ -60,7 +60,7 @@ void main(int argc,char *argv[])
des_encrypt3
(
&
data
[
0
],
key1
,
key2
,
key3
);
}
printf
(
"des %d %d (%d)
\n
"
,
printf
(
"des
3
%d %d (%d)
\n
"
,
e1
-
s1
,
e2
-
s2
,((
e2
-
s2
)
-
(
e1
-
s1
)));
}
}
...
...
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录