From: Dr. Stephen Henson Date: Fri, 30 Sep 2005 23:35:33 +0000 (+0000) Subject: Make OPENSSL_NO_COMP compile again. X-Git-Tag: OpenSSL_0_9_8k^2~1788 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=09b6c2ef15139aa6ef2cee11676070939dd37817;p=oweals%2Fopenssl.git Make OPENSSL_NO_COMP compile again. --- diff --git a/FAQ b/FAQ index 82d8a6f887..8fb4da5daa 100644 --- a/FAQ +++ b/FAQ @@ -31,6 +31,7 @@ OpenSSL - Frequently Asked Questions * Why does my browser give a warning about a mismatched hostname? * How do I install a CA certificate into a browser? * Why is OpenSSL x509 DN output not conformant to RFC2253? +* What is a "128 bit certificate"? Can I create one with OpenSSL? [BUILD] Questions about building and testing OpenSSL 
@@ -386,6 +387,43 @@ interface, the "-nameopt" option could be introduded. See the manual page of the "openssl x509" commandline tool for details. The old behaviour has however been left as default for the sake of compatibility. +* What is a "128 bit certificate"? Can I create one with OpenSSL? + +The term "128 bit certificate" is a highly misleading marketing term. It does +*not* refer to the size of the public key in the certificate! A certificate +containing a 128 bit RSA key would have negligible security. + +There were various other names such as "magic certificates", "SGC +certificates", "step up certificates" etc. + +You can't generally create such a certificate using OpenSSL but there is no +need to any more. Nowadays web browsers using unrestricted strong encryption +are generally available. + +When there were tight export restrictions on the export of strong encryption +software from the US only weak encryption algorithms could be freely exported +(initially 40 bit and then 56 bit). It was widely recognised that this was +inadequate. A relaxation the rules allowed the use of strong encryption but +only to an authorised server. + +Two slighly different techniques were developed to support this, one used by +Netscape was called "step up", the other used by MSIE was called "Server Gated +Cryptography" (SGC). When a browser initially connected to a server it would +check to see if the certificate contained certain extensions and was issued by +an authorised authority. If these test succeeded it would reconnect using +strong encryption. + +Only certain (initially one) certificate authorities could issue the +certificates and they generally cost more than ordinary certificates. + +Although OpenSSL can create certificates containing the appropriate extensions +the certificate would not come from a permitted authority and so would not +be recognized. 
+ +The export laws were later changed to allow almost unrestricted use of strong +encryption so these certificates are now obsolete. + + [BUILD] ======================================================================= * Why does the linker complain about undefined symbols? diff --git a/apps/s_client.c b/apps/s_client.c index 6478ae321a..96ae832ca1 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -1096,7 +1096,9 @@ static void print_stuff(BIO *bio, SSL *s, int full) SSL_CIPHER *c; X509_NAME *xn; int j,i; +#ifndef OPENSSL_NO_COMP const COMP_METHOD *comp, *expansion; +#endif if (full) { @@ -1199,12 +1201,14 @@ static void print_stuff(BIO *bio, SSL *s, int full) EVP_PKEY_bits(pktmp)); EVP_PKEY_free(pktmp); } +#ifndef OPENSSL_NO_COMP comp=SSL_get_current_compression(s); expansion=SSL_get_current_expansion(s); BIO_printf(bio,"Compression: %s\n", comp ? SSL_COMP_get_name(comp) : "NONE"); BIO_printf(bio,"Expansion: %s\n", expansion ? SSL_COMP_get_name(expansion) : "NONE"); +#endif SSL_SESSION_print(bio,SSL_get_session(s)); BIO_printf(bio,"---\n"); if (peer != NULL) diff --git a/crypto/asn1/x_crl.c b/crypto/asn1/x_crl.c index 0f72711452..382aed5a6d 100644 --- a/crypto/asn1/x_crl.c +++ b/crypto/asn1/x_crl.c @@ -102,6 +102,23 @@ ASN1_SEQUENCE_enc(X509_CRL_INFO, enc, crl_inf_cb) = { ASN1_EXP_SEQUENCE_OF_OPT(X509_CRL_INFO, extensions, X509_EXTENSION, 0) } ASN1_SEQUENCE_END_enc(X509_CRL_INFO, X509_CRL_INFO) +static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, + void *exarg) +{ + X509_CRL *a = (X509_CRL_INFO *)*pval; + +#ifndef OPENSSL_NO_SHA + switch(operation) { + /* Hash CRL here for rapid comparison in X509_digest_cmp() + */ + case ASN1_OP_D2I_POST: + X509_CRL_digest(crl->digest, crl); + break; + } +#endif + return 1; +} + ASN1_SEQUENCE_ref(X509_CRL, 0, CRYPTO_LOCK_X509_CRL) = { ASN1_SIMPLE(X509_CRL, crl, X509_CRL_INFO), ASN1_SIMPLE(X509_CRL, sig_alg, X509_ALGOR), diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c index 7b38da0b7c..f985afdb3e 100644 
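Review bot: The new `crl_cb` in crypto/asn1/x_crl.c cannot compile as written: the local is declared `X509_CRL *a` but initialised through an `(X509_CRL_INFO *)` cast, and the body then reads an undeclared `crl` in `X509_CRL_digest(crl->digest, crl)`, so `a` is unused and `crl` is undefined. The callback is also never registered: `ASN1_SEQUENCE_ref(X509_CRL, 0, CRYPTO_LOCK_X509_CRL)` directly below it is unchanged context, and its second argument looks like the callback slot that would have to name `crl_cb` for the `ASN1_OP_D2I_POST` hook to run. The two-argument `X509_CRL_digest` call does not appear to match the public signature (CRL, digest type, output buffer, length) either, which is worth confirming against x509.h. None of this relates to the OPENSSL_NO_COMP subject of the commit; it reads as unrelated work in progress that should be dropped from this change or finished separately, starting with `X509_CRL *crl = (X509_CRL *)*pval;`.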
--- a/ssl/d1_clnt.c +++ b/ssl/d1_clnt.c @@ -371,11 +371,15 @@ int dtls1_connect(SSL *s) s->init_num=0; s->session->cipher=s->s3->tmp.new_cipher; +#ifdef OPENSSL_NO_COMP + s->session->compress_meth=0; +#else if (s->s3->tmp.new_compression == NULL) s->session->compress_meth=0; else s->session->compress_meth= s->s3->tmp.new_compression->id; +#endif if (!s->method->ssl3_enc->setup_key_block(s)) { ret= -1; diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c index 4847a866b5..2b0578ff7f 100644 --- a/ssl/d1_srvr.c +++ b/ssl/d1_srvr.c @@ -706,10 +706,14 @@ int dtls1_send_server_hello(SSL *s) p+=i; /* put the compression method */ +#ifdef OPENSSL_NO_COMP + *(p++)=0; +#else if (s->s3->tmp.new_compression == NULL) *(p++)=0; else *(p++)=s->s3->tmp.new_compression->id; +#endif /* do the header */ l=(p-d); diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index 34d0f345a5..cc9df9186d 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -369,11 +369,15 @@ int ssl3_connect(SSL *s) s->init_num=0; s->session->cipher=s->s3->tmp.new_cipher; +#ifdef OPENSSL_NO_COMP + s->session->compress_meth=0; +#else if (s->s3->tmp.new_compression == NULL) s->session->compress_meth=0; else s->session->compress_meth= s->s3->tmp.new_compression->id; +#endif if (!s->method->ssl3_enc->setup_key_block(s)) { ret= -1; @@ -517,9 +521,12 @@ int ssl3_client_hello(SSL *s) { unsigned char *buf; unsigned char *p,*d; - int i,j; + int i; unsigned long Time,l; +#ifndef OPENSSL_NO_COMP + int j; SSL_COMP *comp; +#endif buf=(unsigned char *)s->init_buf->data; if (s->state == SSL3_ST_CW_CLNT_HELLO_A) @@ -578,6 +585,9 @@ int ssl3_client_hello(SSL *s) p+=i; /* COMPRESSION */ +#ifdef OPENSSL_NO_COMP + *(p++)=1; +#else if (s->ctx->comp_methods == NULL) j=0; else @@ -588,6 +598,7 @@ int ssl3_client_hello(SSL *s) comp=sk_SSL_COMP_value(s->ctx->comp_methods,i); *(p++)=comp->id; } +#endif *(p++)=0; /* Add the NULL method */ l=(p-d); 
@@ -615,7 +626,9 @@ int ssl3_get_server_hello(SSL *s) int i,al,ok; unsigned int j; long n; +#ifndef OPENSSL_NO_COMP SSL_COMP *comp; +#endif n=s->method->ssl_get_message(s, SSL3_ST_CR_SRVR_HELLO_A, @@ -746,6 +759,14 @@ int ssl3_get_server_hello(SSL *s) /* lets get the compression algorithm */ /* COMPRESSION */ +#ifdef OPENSSL_NO_COMP + if (*(p++) != 0) + { + al=SSL_AD_ILLEGAL_PARAMETER; + SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); + goto f_err; + } +#else j= *(p++); if (j == 0) comp=NULL; @@ -762,6 +783,7 @@ int ssl3_get_server_hello(SSL *s) { s->s3->tmp.new_compression=comp; } +#endif if (p != (d+n)) { diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c index 6d92050bb1..d83d42e583 100644 --- a/ssl/s3_enc.c +++ b/ssl/s3_enc.c @@ -196,7 +196,9 @@ int ssl3_change_cipher_state(SSL *s, int which) unsigned char *ms,*key,*iv,*er1,*er2; EVP_CIPHER_CTX *dd; const EVP_CIPHER *c; +#ifndef OPENSSL_NO_COMP COMP_METHOD *comp; +#endif const EVP_MD *m; EVP_MD_CTX md; int is_exp,n,i,j,k,cl; @@ -205,10 +207,12 @@ int ssl3_change_cipher_state(SSL *s, int which) is_exp=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); c=s->s3->tmp.new_sym_enc; m=s->s3->tmp.new_hash; +#ifndef OPENSSL_NO_COMP if (s->s3->tmp.new_compression == NULL) comp=NULL; else comp=s->s3->tmp.new_compression->method; +#endif key_block=s->s3->tmp.key_block; if (which & SSL3_CC_READ) @@ -219,6 +223,7 @@ int ssl3_change_cipher_state(SSL *s, int which) goto err; dd= s->enc_read_ctx; s->read_hash=m; +#ifndef OPENSSL_NO_COMP /* COMPRESS */ if (s->expand != NULL) { @@ -239,6 +244,7 @@ int ssl3_change_cipher_state(SSL *s, int which) if (s->s3->rrec.comp == NULL) goto err; } +#endif memset(&(s->s3->read_sequence[0]),0,8); mac_secret= &(s->s3->read_mac_secret[0]); } @@ -250,6 +256,7 @@ int ssl3_change_cipher_state(SSL *s, int which) goto err; dd= s->enc_write_ctx; s->write_hash=m; +#ifndef OPENSSL_NO_COMP /* COMPRESS */ if (s->compress != NULL) { 
@@ -265,6 +272,7 @@ int ssl3_change_cipher_state(SSL *s, int which) goto err2; } } +#endif memset(&(s->s3->write_sequence[0]),0,8); mac_secret= &(s->s3->write_mac_secret[0]); } @@ -350,7 +358,9 @@ int ssl3_setup_key_block(SSL *s) const EVP_MD *hash; int num; int ret = 0; +#ifdef OPENSSL_NO_COMP SSL_COMP *comp; +#endif if (s->s3->tmp.key_block_length != 0) return(1); @@ -363,7 +373,11 @@ int ssl3_setup_key_block(SSL *s) s->s3->tmp.new_sym_enc=c; s->s3->tmp.new_hash=hash; +#ifdef OPENSSL_NO_COMP + s->s3->tmp.new_compression=NULL; +#else s->s3->tmp.new_compression=comp; +#endif num=EVP_CIPHER_key_length(c)+EVP_MD_size(hash)+EVP_CIPHER_iv_length(c); num*=2; diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c index f90bb77666..d0f54e297b 100644 --- a/ssl/s3_pkt.c +++ b/ssl/s3_pkt.c @@ -476,6 +476,7 @@ err: int ssl3_do_uncompress(SSL *ssl) { +#ifndef OPENSSL_NO_COMP int i; SSL3_RECORD *rr; @@ -487,12 +488,13 @@ int ssl3_do_uncompress(SSL *ssl) else rr->length=i; rr->data=rr->comp; - +#endif return(1); } int ssl3_do_compress(SSL *ssl) { +#ifndef OPENSSL_NO_COMP int i; SSL3_RECORD *wr; @@ -506,6 +508,7 @@ int ssl3_do_compress(SSL *ssl) wr->length=i; wr->input=wr->data; +#endif return(1); } diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index 3e11cc4e84..775bac3489 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -666,7 +666,9 @@ int ssl3_get_client_hello(SSL *s) unsigned long id; unsigned char *p,*d,*q; SSL_CIPHER *c; +#ifndef OPENSSL_NO_COMP SSL_COMP *comp=NULL; +#endif STACK_OF(SSL_CIPHER) *ciphers=NULL; /* We do this so that we will respond with our native type. @@ -897,6 +899,7 @@ int ssl3_get_client_hello(SSL *s) * options, we will now look for them. We have i-1 compression * algorithms from the client, starting at q. */ s->s3->tmp.new_compression=NULL; +#ifndef OPENSSL_NO_COMP if (s->ctx->comp_methods != NULL) { /* See if we have a match */ int m,nn,o,v,done=0; 
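Review bot: In the `@@ -350,7 +358,9 @@` hunk of ssl/s3_enc.c the guard around the declaration in `ssl3_setup_key_block` is inverted: `#ifdef OPENSSL_NO_COMP` keeps `SSL_COMP *comp;` only when compression is disabled, yet the `#else` branch of the following hunk, `s->s3->tmp.new_compression=comp;`, uses `comp` exactly when OPENSSL_NO_COMP is not defined, so the default build gets an undeclared identifier while the NO_COMP build gets an unused variable. Every other declaration guard in this commit uses `#ifndef OPENSSL_NO_COMP`, and this one should read the same way; if `comp` is also filled in by `ssl_cipher_get_evp` regardless of the macro (that call is outside the hunk), the declaration can simply stay unconditional as `SSL_COMP *comp;`. The rest of `ssl3_setup_key_block` lies outside the hunk.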
@@ -921,6 +924,7 @@ int ssl3_get_client_hello(SSL *s) else comp=NULL; } +#endif /* TLS does not mind if there is extra stuff */ #if 0 /* SSL 3.0 does not mind either, so we should disable this test @@ -944,7 +948,11 @@ int ssl3_get_client_hello(SSL *s) if (!s->hit) { +#ifdef OPENSSL_NO_COMP + s->session->compress_meth=0; +#else s->session->compress_meth=(comp == NULL)?0:comp->id; +#endif if (s->session->ciphers != NULL) sk_SSL_CIPHER_free(s->session->ciphers); s->session->ciphers=ciphers; @@ -1070,10 +1078,14 @@ int ssl3_send_server_hello(SSL *s) p+=i; /* put the compression method */ +#ifdef OPENSSL_NO_COMP + *(p++)=0; +#else if (s->s3->tmp.new_compression == NULL) *(p++)=0; else *(p++)=s->s3->tmp.new_compression->id; +#endif /* do the header */ l=(p-d); diff --git a/ssl/ssl3.h b/ssl/ssl3.h index 0684f05306..f0fbf8275b 100644 --- a/ssl/ssl3.h +++ b/ssl/ssl3.h @@ -253,7 +253,11 @@ extern "C" { #endif #define SSL3_RT_MAX_PLAIN_LENGTH 16384 +#ifdef OPENSSL_NO_COMP +#define SSL3_RT_MAX_COMPRESSED_LENGTH SSL3_RT_MAX_PLAIN_LENGTH +#else #define SSL3_RT_MAX_COMPRESSED_LENGTH (1024+SSL3_RT_MAX_PLAIN_LENGTH) +#endif #define SSL3_RT_MAX_ENCRYPTED_LENGTH (1024+SSL3_RT_MAX_COMPRESSED_LENGTH) #define SSL3_RT_MAX_PACKET_SIZE (SSL3_RT_MAX_ENCRYPTED_LENGTH+SSL3_RT_HEADER_LENGTH) #define SSL3_RT_MAX_DATA_SIZE (1024*1024) diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index 8c2e1c305e..cdd7a9ae74 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -192,6 +192,9 @@ void ssl_load_ciphers(void) EVP_get_digestbyname(SN_sha1); } + +#ifndef OPENSSL_NO_COMP + static int sk_comp_cmp(const SSL_COMP * const *a, const SSL_COMP * const *b) { @@ -231,6 +234,7 @@ static void load_builtin_compressions(void) } CRYPTO_w_unlock(CRYPTO_LOCK_SSL); } +#endif int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, const EVP_MD **md, SSL_COMP **comp) 
@@ -243,8 +247,9 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, if (comp != NULL) { SSL_COMP ctmp; - +#ifndef OPENSSL_NO_COMP load_builtin_compressions(); +#endif *comp=NULL; ctmp.id=s->compress_meth; @@ -1131,6 +1136,21 @@ SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n) return(NULL); } +#ifdef OPENSSL_NO_COMP +void *SSL_COMP_get_compression_methods(void) + { + return NULL; + } +int SSL_COMP_add_compression_method(int id, void *cm) + { + return 1; + } + +const char *SSL_COMP_get_name(const void *comp) + { + return NULL; + } +#else STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void) { load_builtin_compressions(); @@ -1191,3 +1211,4 @@ const char *SSL_COMP_get_name(const COMP_METHOD *comp) return NULL; } +#endif diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 9e18e776b9..6fb9364bea 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -2246,6 +2246,7 @@ void ssl_clear_cipher_ctx(SSL *s) OPENSSL_free(s->enc_write_ctx); s->enc_write_ctx=NULL; } +#ifndef OPENSSL_NO_COMP if (s->expand != NULL) { COMP_CTX_free(s->expand); @@ -2256,6 +2257,7 @@ void ssl_clear_cipher_ctx(SSL *s) COMP_CTX_free(s->compress); s->compress=NULL; } +#endif } /* Fix this function so that it takes an optional type parameter */ @@ -2282,6 +2284,16 @@ SSL_CIPHER *SSL_get_current_cipher(const SSL *s) return(s->session->cipher); return(NULL); } +#ifdef OPENSSL_NO_COMP +const void *SSL_get_current_compression(SSL *s) + { + return NULL; + } +const void *SSL_get_current_expansion(SSL *s) + { + return NULL; + } +#else const COMP_METHOD *SSL_get_current_compression(SSL *s) { @@ -2296,6 +2308,7 @@ const COMP_METHOD *SSL_get_current_expansion(SSL *s) return(s->expand->meth); return(NULL); } +#endif int ssl_init_wbio_buffer(SSL *s,int push) { diff --git a/ssl/ssl_txt.c b/ssl/ssl_txt.c index 39cf55cbfd..4eb0867155 100644 --- a/ssl/ssl_txt.c +++ b/ssl/ssl_txt.c 
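Review bot: The OPENSSL_NO_COMP stubs added in ssl/ssl_ciph.c (`void *SSL_COMP_get_compression_methods(void)`, `int SSL_COMP_add_compression_method(int id, void *cm)`, `const char *SSL_COMP_get_name(const void *comp)`) and in ssl/ssl_lib.c (`const void *SSL_get_current_compression(SSL *s)`, `const void *SSL_get_current_expansion(SSL *s)`) change the return and parameter types from `STACK_OF(SSL_COMP) *` / `COMP_METHOD *` to `void *`, but this commit does not touch ssl/ssl.h, where these functions are declared. Unless ssl.h already carries matching `#ifdef OPENSSL_NO_COMP` prototypes, these definitions conflict with the declared types and the NO_COMP build still fails; if it does, a one-line comment above the `#ifdef OPENSSL_NO_COMP` block, `/* Stub signatures must match the OPENSSL_NO_COMP prototypes in ssl.h */`, would make the coupling visible to the next editor. The stub `SSL_COMP_add_compression_method` returning 1 reads as the error code of the real function, which is the right answer when compression is compiled out, and would also deserve a comment saying so.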
@@ -151,6 +151,7 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x) if (BIO_printf(bp,"%02X",x->krb5_client_princ[i]) <= 0) goto err; } #endif /* OPENSSL_NO_KRB5 */ +#ifndef OPENSSL_NO_COMP if (x->compress_meth != 0) { SSL_COMP *comp = NULL; @@ -165,6 +166,7 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x) if (BIO_printf(bp,"\n Compression: %d (%s)", comp->id,comp->method->name) <= 0) goto err; } } +#endif if (x->time != 0L) { if (BIO_printf(bp, "\n Start Time: %ld",x->time) <= 0) goto err; diff --git a/ssl/ssltest.c b/ssl/ssltest.c index 3818bf3edd..4f7ec37f87 100644 --- a/ssl/ssltest.c +++ b/ssl/ssltest.c @@ -420,7 +420,9 @@ int main(int argc, char *argv[]) int print_time = 0; clock_t s_time = 0, c_time = 0; int comp = 0; +#ifndef OPENSSL_NO_COMP COMP_METHOD *cm = NULL; +#endif STACK_OF(SSL_COMP) *ssl_comp_methods = NULL; int test_cipherlist = 0; @@ -652,6 +654,7 @@ bad: SSL_library_init(); SSL_load_error_strings(); +#ifndef OPENSSL_NO_COMP if (comp == COMP_ZLIB) cm = COMP_zlib(); if (comp == COMP_RLE) cm = COMP_rle(); if (cm != NULL) @@ -675,6 +678,7 @@ bad: ERR_print_errors_fp(stderr); } } +#endif ssl_comp_methods = SSL_COMP_get_compression_methods(); fprintf(stderr, "Available compression methods:\n"); { diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index cfcfedaa5d..c544c76495 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c @@ -231,7 +231,9 @@ int tls1_change_cipher_state(SSL *s, int which) int client_write; EVP_CIPHER_CTX *dd; const EVP_CIPHER *c; +#ifndef OPENSSL_NO_COMP const SSL_COMP *comp; +#endif const EVP_MD *m; int is_export,n,i,j,k,exp_label_len,cl; int reuse_dd = 0; @@ -239,7 +241,9 @@ int tls1_change_cipher_state(SSL *s, int which) is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); c=s->s3->tmp.new_sym_enc; m=s->s3->tmp.new_hash; +#ifndef OPENSSL_NO_COMP comp=s->s3->tmp.new_compression; +#endif key_block=s->s3->tmp.key_block; #ifdef KSSL_DEBUG 
@@ -265,6 +269,7 @@ int tls1_change_cipher_state(SSL *s, int which) goto err; dd= s->enc_read_ctx; s->read_hash=m; +#ifndef OPENSSL_NO_COMP if (s->expand != NULL) { COMP_CTX_free(s->expand); @@ -284,6 +289,7 @@ int tls1_change_cipher_state(SSL *s, int which) if (s->s3->rrec.comp == NULL) goto err; } +#endif /* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */ if (s->version != DTLS1_VERSION) memset(&(s->s3->read_sequence[0]),0,8); @@ -301,6 +307,7 @@ int tls1_change_cipher_state(SSL *s, int which) goto err; dd= s->enc_write_ctx; s->write_hash=m; +#ifndef OPENSSL_NO_COMP if (s->compress != NULL) { COMP_CTX_free(s->compress); @@ -315,6 +322,7 @@ int tls1_change_cipher_state(SSL *s, int which) goto err2; } } +#endif /* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */ if (s->version != DTLS1_VERSION) memset(&(s->s3->write_sequence[0]),0,8);