From: Ben Laurie Date: Sun, 21 Feb 1999 21:58:59 +0000 (+0000) Subject: More stuff for new TLS ciphersuites. X-Git-Tag: OpenSSL_0_9_2b~127 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=60e31c3a4bbdbdb4259eaa3c48639f3e3915f380;p=oweals%2Fopenssl.git More stuff for new TLS ciphersuites. --- diff --git a/apps/s_server.c b/apps/s_server.c index c0546f6f9b..35b9718b63 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -75,7 +75,7 @@ #include "s_apps.h" #ifndef NOPROTO -static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int export); +static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int export,int keylength); static int sv_body(char *hostname, int s); static int www_body(char *hostname, int s); static void close_accept_socket(void ); @@ -1211,9 +1211,10 @@ err: return(ret); } -static RSA MS_CALLBACK *tmp_rsa_cb(s,export) +static RSA MS_CALLBACK *tmp_rsa_cb(s,export,keylength) SSL *s; int export; +int keylength; { static RSA *rsa_tmp=NULL; @@ -1221,11 +1222,11 @@ int export; { if (!s_quiet) { - BIO_printf(bio_err,"Generating temp (512 bit) RSA key..."); + BIO_printf(bio_err,"Generating temp (%d bit) RSA key...",keylength); BIO_flush(bio_err); } #ifndef NO_RSA - rsa_tmp=RSA_generate_key(512,RSA_F4,NULL,NULL); + rsa_tmp=RSA_generate_key(keylength,RSA_F4,NULL,NULL); #endif if (!s_quiet) { diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 4d79895e99..b6f5d82f21 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -752,15 +752,16 @@ STACK *have,*pref; else cert=s->ctx->default_cert; - ssl_set_cert_masks(cert); - mask=cert->mask; - emask=cert->export_mask; - sk_set_cmp_func(pref,ssl_cipher_ptr_id_cmp); for (i=0; imask; + emask=cert->export_mask; + alg=c->algorithms&(SSL_MKEY_MASK|SSL_AUTH_MASK); if (SSL_IS_EXPORT(alg)) { diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index 233de6ca90..6fe489eb18 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -945,7 +945,8 @@ SSL *s; if ((rsa == NULL) && (s->ctx->default_cert->rsa_tmp_cb != NULL)) { rsa=s->ctx->default_cert->rsa_tmp_cb(s, - !SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)); + !SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), + SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); CRYPTO_add(&rsa->references,1,CRYPTO_LOCK_RSA); cert->rsa_tmp=rsa; } @@ -967,7 +968,8 @@ SSL *s; dhp=cert->dh_tmp; if ((dhp == NULL) && (cert->dh_tmp_cb != NULL)) dhp=cert->dh_tmp_cb(s, - !SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)); + !SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), + SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); if (dhp == NULL) { al=SSL_AD_HANDSHAKE_FAILURE; diff --git a/ssl/ssl.h b/ssl/ssl.h index 7cbc2aaa8c..2a9cd7f5ab 100644 --- a/ssl/ssl.h +++ b/ssl/ssl.h @@ -1022,13 +1022,12 @@ int SSL_get_ex_data_X509_STORE_CTX_idx(void ); #define SSL_CTX_set_read_ahead(ctx,m) \ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_READ_AHEAD,0,NULL) -/* For the next 2, the callbacks are - * RSA *tmp_rsa_cb(SSL *ssl,int export) - * DH *tmp_dh_cb(SSL *ssl,int export) - */ + /* NB: the keylength is only applicable when export is true */ void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx, - RSA *(*cb)(SSL *ssl,int export)); -void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,DH *(*dh)(SSL *ssl,int export)); + RSA *(*cb)(SSL *ssl,int export, + int keylength)); +void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx, + DH *(*dh)(SSL *ssl,int export,int keylength)); #ifdef HEADER_COMP_H int SSL_COMP_add_compression_method(int id,COMP_METHOD *cm); diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 862a555efa..c4be734af4 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -1131,46 +1131,49 @@ int (*cb)(); X509_STORE_set_verify_cb_func(ctx->cert_store,cb); } -void ssl_set_cert_masks(c) +void ssl_set_cert_masks(c,cipher) CERT *c; +SSL_CIPHER *cipher; { CERT_PKEY *cpk; int rsa_enc,rsa_tmp,rsa_sign,dh_tmp,dh_rsa,dh_dsa,dsa_sign; int rsa_enc_export,dh_rsa_export,dh_dsa_export; - int rsa_tmp_export,dh_tmp_export; + int rsa_tmp_export,dh_tmp_export,kl; unsigned long mask,emask; if ((c == NULL) || (c->valid)) return; + kl=SSL_C_EXPORT_PKEYLENGTH(cipher); + #ifndef NO_RSA - rsa_tmp=((c->rsa_tmp != NULL) || (c->rsa_tmp_cb != NULL))?1:0; - rsa_tmp_export=((c->rsa_tmp_cb != NULL) || - (rsa_tmp && (RSA_size(c->rsa_tmp)*8 <= 512)))?1:0; + rsa_tmp=(c->rsa_tmp != NULL || c->rsa_tmp_cb != NULL); + rsa_tmp_export=(c->rsa_tmp_cb != NULL || + (rsa_tmp && RSA_size(c->rsa_tmp)*8 <= kl)); #else rsa_tmp=rsa_tmp_export=0; #endif #ifndef NO_DH - dh_tmp=((c->dh_tmp != NULL) || (c->dh_tmp_cb != NULL))?1:0; - dh_tmp_export=((c->dh_tmp_cb != NULL) || - (dh_tmp && (DH_size(c->dh_tmp)*8 <= 512)))?1:0; + dh_tmp=(c->dh_tmp != NULL || c->dh_tmp_cb != NULL); + dh_tmp_export=(c->dh_tmp_cb != NULL || + (dh_tmp && DH_size(c->dh_tmp)*8 <= kl)); #else dh_tmp=dh_tmp_export=0; #endif cpk= &(c->pkeys[SSL_PKEY_RSA_ENC]); - rsa_enc= ((cpk->x509 != NULL) && (cpk->privatekey != NULL))?1:0; - rsa_enc_export=(rsa_enc && (EVP_PKEY_size(cpk->privatekey)*8 <= 512))?1:0; + rsa_enc= (cpk->x509 != NULL && cpk->privatekey != NULL); + rsa_enc_export=(rsa_enc && EVP_PKEY_size(cpk->privatekey)*8 <= kl); cpk= &(c->pkeys[SSL_PKEY_RSA_SIGN]); - rsa_sign=((cpk->x509 != NULL) && (cpk->privatekey != NULL))?1:0; + rsa_sign=(cpk->x509 != NULL && cpk->privatekey != NULL); cpk= &(c->pkeys[SSL_PKEY_DSA_SIGN]); - dsa_sign=((cpk->x509 != NULL) && (cpk->privatekey != NULL))?1:0; + dsa_sign=(cpk->x509 != NULL && cpk->privatekey != NULL); cpk= &(c->pkeys[SSL_PKEY_DH_RSA]); - dh_rsa= ((cpk->x509 != NULL) && (cpk->privatekey != NULL))?1:0; - dh_rsa_export=(dh_rsa && (EVP_PKEY_size(cpk->privatekey)*8 <= 512))?1:0; + dh_rsa= (cpk->x509 != NULL && cpk->privatekey != NULL); + dh_rsa_export=(dh_rsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl); cpk= &(c->pkeys[SSL_PKEY_DH_DSA]); /* FIX THIS EAY EAY EAY */ - dh_dsa= ((cpk->x509 != NULL) && (cpk->privatekey != NULL))?1:0; - dh_dsa_export=(dh_dsa && (EVP_PKEY_size(cpk->privatekey)*8 <= 512))?1:0; + dh_dsa= (cpk->x509 != NULL && cpk->privatekey != NULL); + dh_dsa_export=(dh_dsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl); mask=0; emask=0; @@ -1236,13 +1239,13 @@ SSL *s; { unsigned long alg,mask,kalg; CERT *c; - int i,_export; + int i,export; c=s->cert; - ssl_set_cert_masks(c); + ssl_set_cert_masks(c,s->s3->tmp.new_cipher); alg=s->s3->tmp.new_cipher->algorithms; - _export=SSL_IS_EXPORT(alg); - mask=_export?c->export_mask:c->mask; + export=SSL_IS_EXPORT(alg); + mask=export?c->export_mask:c->mask; kalg=alg&(SSL_MKEY_MASK|SSL_AUTH_MASK); if (kalg & SSL_kDHr) @@ -1888,10 +1891,12 @@ SSL *s; return(s->rwstate); } -void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,RSA *(*cb)(SSL *ssl,int export)) +void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,RSA *(*cb)(SSL *ssl,int export, + int keylength)) { SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_RSA_CB,0,(char *)cb); } -void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,DH *(*dh)(SSL *ssl,int export)) +void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,DH *(*dh)(SSL *ssl,int export, + int keylength)) { SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_DH_CB,0,(char *)dh); } #if defined(_WINDLL) && defined(WIN16) diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 0cb5288c32..e4d783aa13 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -275,8 +275,8 @@ typedef struct cert_st RSA *rsa_tmp; DH *dh_tmp; - RSA *(*rsa_tmp_cb)(); - DH *(*dh_tmp_cb)(); + RSA *(*rsa_tmp_cb)(SSL *ssl,int export,int keysize); + DH *(*dh_tmp_cb)(SSL *ssl,int export,int keysize); CERT_PKEY pkeys[SSL_PKEY_NUM]; STACK *cert_chain; @@ -366,7 +366,7 @@ int ssl_undefined_function(SSL *s); X509 *ssl_get_server_send_cert(SSL *); EVP_PKEY *ssl_get_sign_pkey(SSL *,SSL_CIPHER *); int ssl_cert_type(X509 *x,EVP_PKEY *pkey); -void ssl_set_cert_masks(CERT *c); +void ssl_set_cert_masks(CERT *c,SSL_CIPHER *cipher); STACK *ssl_get_ciphers_by_id(SSL *s); int ssl_verify_alarm_type(long type); diff --git a/ssl/ssltest.c b/ssl/ssltest.c index 4662770e38..720abfa01e 100644 --- a/ssl/ssltest.c +++ b/ssl/ssltest.c @@ -75,7 +75,7 @@ #ifndef NOPROTO int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx); -static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int export); +static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int export,int keylength); #ifndef NO_DSA static DH *get_dh512(void); #endif @@ -730,18 +730,19 @@ static DH *get_dh512() } #endif -static RSA MS_CALLBACK *tmp_rsa_cb(s,export) +static RSA MS_CALLBACK *tmp_rsa_cb(s,export,keylength) SSL *s; int export; +int keylength; { static RSA *rsa_tmp=NULL; if (rsa_tmp == NULL) { - BIO_printf(bio_err,"Generating temp (512 bit) RSA key..."); + BIO_printf(bio_err,"Generating temp (%d bit) RSA key...",keylength); BIO_flush(bio_err); #ifndef NO_RSA - rsa_tmp=RSA_generate_key(512,RSA_F4,NULL,NULL); + rsa_tmp=RSA_generate_key(keylength,RSA_F4,NULL,NULL); #endif BIO_printf(bio_err,"\n"); BIO_flush(bio_err);