Changes between 0.9.4 and 0.9.5 [xx XXX 2000]
+ *) ..._ctrl functions now have corresponding ..._callback_ctrl functions
+ where the 'void *' argument is replaced by a function pointer argument.
+ Previously 'void *' was abused to point to functions, which works on
+ many platforms, but is not correct. As these functions are usually
+ called by macros defined in OpenSSL header files, most source code
+ should work without changes.
+
+ *) <openssl/opensslconf.h> (which is created by Configure) now contains
+ sections with information on -D... compiler switches used for
+ compiling the library so that applications can see them. To enable
+ one of these sections, a pre-processor symbol OPENSSL_..._DEFINES
+ must be defined. E.g.,
+ #define OPENSSL_ALGORITHM_DEFINES
+ #include <openssl/opensslconf.h>
+ defines all pertinent NO_<algo> symbols, such as NO_IDEA, NO_RSA, etc.
+
*) Bugfix: Tolerate fragmentation and interleaving in the SSL 3/TLS
record layer.
[Bodo Moeller]
To get OpenSSL to support MS SGC we have to permit a second client
hello message after we have sent server done. In addition we have to
- reset the MAC if we do get this second client hello and include the
- data just received.
+ reset the MAC if we do get this second client hello.
[Steve Henson]
*) Add a function 'd2i_AutoPrivateKey()' this will automatically decide
{
$no_asm=1;
$flags .= "-DNO_ASM ";
- $openssl_algorithm_defines .= "#define NO_ASM\n";
+ $openssl_other_defines .= "#define NO_ASM\n";
}
elsif (/^no-threads$/)
{ $no_threads=1; }
while (s->init_num < 4)
{
i=ssl3_read_bytes(s,SSL3_RT_HANDSHAKE,&p[s->init_num],
- 4-s->init_num);
+ 4 - s->init_num);
if (i <= 0)
{
s->rwstate=SSL_READING;
if (p[0] == SSL3_MT_HELLO_REQUEST)
/* The server may always send 'Hello Request' messages --
* we are doing a handshake anyway now, so ignore them
- * if their format is correct */
+ * if their format is correct. Does not count for
+ * 'Finished' MAC. */
if (p[1] == 0 && p[2] == 0 &&p[3] == 0)
skip_message = 1;
}
while (skip_message);
+ /* s->init_num == 4 */
+
if ((mt >= 0) && (*p != mt))
{
al=SSL_AD_UNEXPECTED_MESSAGE;
(stn == SSL3_ST_SR_CERT_B))
{
/* At this point we have got an MS SGC second client
- * hello. We need to restart the mac and mac the data
- * currently received.
+ * hello (maybe we should always allow the client to
+ * start a new handshake?). We need to restart the mac.
*/
ssl3_init_finished_mac(s);
- ssl3_finish_mac(s, p + s->init_num, i);
}
+
+ ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, 4);
s->s3->tmp.message_type= *(p++);
s->init_num += i;
n -= i;
}
+ ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, s->init_num);
*ok=1;
return s->init_num;
f_err:
return(i);
}
- if (type == SSL3_RT_HANDSHAKE)
- ssl3_finish_mac(s,&(buf[tot]),i);
-
if ((i == (int)n) ||
(type == SSL3_RT_APPLICATION_DATA &&
(s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE)))
/* move any remaining fragment bytes: */
for (i = 0; i < s->s3->handshake_fragment_len; i++)
s->s3->handshake_fragment[i] = *src++;
- ssl3_finish_mac(s, buf, n);
return n;
}
s->rstate=SSL_ST_READ_HEADER;
rr->off=0;
}
-
- if (type == SSL3_RT_HANDSHAKE)
- ssl3_finish_mac(s,buf,n);
return(n);
}
int ret;
ret=ssl3_write_bytes(s,type,&s->init_buf->data[s->init_off],
- s->init_num);
+ s->init_num);
+ if (ret < 0) return(-1);
+ if (type == SSL3_RT_HANDSHAKE)
+ /* should not be done for 'Hello Request's, but in that case
+ * we'll ignore the result anyway */
+ ssl3_finish_mac(s,&s->init_buf->data[s->init_off],ret);
+
if (ret == s->init_num)
return(1);
- if (ret < 0) return(-1);
s->init_off+=ret;
s->init_num-=ret;
return(0);
s->new_session=1;
/* s->state=SSL_ST_ACCEPT; */
- case SSL3_ST_SR_MS_SGC:
case SSL_ST_BEFORE:
case SSL_ST_ACCEPT:
case SSL_ST_BEFORE|SSL_ST_ACCEPT:
if (s->state != SSL_ST_RENEGOTIATE)
{
- if(s->state != SSL3_ST_SR_MS_SGC) ssl3_init_finished_mac(s);
+ ssl3_init_finished_mac(s);
s->state=SSL3_ST_SR_CLNT_HELLO_A;
s->ctx->stats.sess_accept++;
}
case SSL3_ST_SR_CERT_A:
case SSL3_ST_SR_CERT_B:
- /* Check for second client hello if MS SGC */
+ /* Check for second client hello (MS SGC) */
ret = ssl3_check_client_hello(s);
- if(ret <= 0) goto end;
- if(ret == 2) s->state = SSL3_ST_SR_MS_SGC;
+ if (ret <= 0)
+ goto end;
+ if (ret == 2)
+ s->state = SSL3_ST_SR_CLNT_HELLO_C;
else {
/* could be sent for a DH cert, even if we
* have not asked for it :-) */
#define SSL3_ST_SR_CLNT_HELLO_A (0x110|SSL_ST_ACCEPT)
#define SSL3_ST_SR_CLNT_HELLO_B (0x111|SSL_ST_ACCEPT)
#define SSL3_ST_SR_CLNT_HELLO_C (0x112|SSL_ST_ACCEPT)
-#define SSL3_ST_SR_MS_SGC (0x113|SSL_ST_ACCEPT)
/* write to client */
#define SSL3_ST_SW_HELLO_REQ_A (0x120|SSL_ST_ACCEPT)
#define SSL3_ST_SW_HELLO_REQ_B (0x121|SSL_ST_ACCEPT)
case SSL3_ST_SR_CLNT_HELLO_A: str="SSLv3 read client hello A"; break;
case SSL3_ST_SR_CLNT_HELLO_B: str="SSLv3 read client hello B"; break;
case SSL3_ST_SR_CLNT_HELLO_C: str="SSLv3 read client hello C"; break;
-case SSL3_ST_SR_MS_SGC: str="SSLv3 read second client hello (MS SGC)"; break;
case SSL3_ST_SW_HELLO_REQ_A: str="SSLv3 write hello request A"; break;
case SSL3_ST_SW_HELLO_REQ_B: str="SSLv3 write hello request B"; break;
case SSL3_ST_SW_HELLO_REQ_C: str="SSLv3 write hello request C"; break;
case SSL3_ST_SR_CLNT_HELLO_A: str="3RCH_A"; break;
case SSL3_ST_SR_CLNT_HELLO_B: str="3RCH_B"; break;
case SSL3_ST_SR_CLNT_HELLO_C: str="3RCH_C"; break;
-case SSL3_ST_SR_MS_SGC: str="3RMSSG"; break;
case SSL3_ST_SW_SRVR_HELLO_A: str="3WSH_A"; break;
case SSL3_ST_SW_SRVR_HELLO_B: str="3WSH_B"; break;
case SSL3_ST_SW_CERT_A: str="3WSC_A"; break;