From 413c4f45ed0508d2242638696b7665f499d68265 Mon Sep 17 00:00:00 2001 From: "Mark J. Cox" Date: Tue, 16 Feb 1999 09:22:21 +0000 Subject: [PATCH] Updates to the new SSL compression code [Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)] Fix so that the version number in the master secret, when passed via RSA, checks that if TLS was proposed, but we roll back to SSLv3 (because the server will not accept higher), that the version number is 0x03,0x01, not 0x03,0x00 [Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)] Submitted by: Reviewed by: PR: --- CHANGES | 9 + ssl/s23_clnt.c | 12 +- ssl/s23_pkt.c | 2 +- ssl/s23_srvr.c | 9 +- ssl/s2_clnt.c | 16 +- ssl/s2_enc.c | 2 +- ssl/s2_srvr.c | 11 +- ssl/s3_clnt.c | 73 ++++--- ssl/s3_enc.c | 21 ++- ssl/s3_lib.c | 25 ++- ssl/s3_pkt.c | 4 +- ssl/s3_srvr.c | 101 +++++++--- ssl/ssl.err | 257 ++++++++++++------------- ssl/ssl.h | 503 ++++++++++++++++++++++++++++--------------------- ssl/ssl3.h | 3 +- ssl/ssl_algs.c | 3 +- ssl/ssl_ciph.c | 90 ++++++++- ssl/ssl_err.c | 5 + ssl/ssl_lib.c | 210 +++++++++++++++++---- ssl/ssl_locl.h | 17 +- ssl/ssl_rsa.c | 4 +- ssl/ssl_sess.c | 48 ++++- ssl/ssl_txt.c | 17 ++ ssl/ssltest.c | 2 +- ssl/t1_enc.c | 21 ++- 25 files changed, 964 insertions(+), 501 deletions(-) diff --git a/CHANGES b/CHANGES index 043c7552a7..470435fe82 100644 --- a/CHANGES +++ b/CHANGES @@ -5,6 +5,15 @@ Changes between 0.9.1c and 0.9.2 + *) Updates to the new SSL compression code + [Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)] + + *) Fix so that the version number in the master secret, when passed + via RSA, checks that if TLS was proposed, but we roll back to SSLv3 + (because the server will not accept higher), that the version number + is 0x03,0x01, not 0x03,0x00 + [Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)] + *) Run extensive memory leak checks on SSL apps. Fixed *lots* of memory leaks in ssl/ relating to new X509_get_pubkey() behaviour. Also fixes in apps/ and an unrellated leak in crypto/dsa/dsa_vrf.c diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c index 1b4c06838b..c0948fd2da 100644 --- a/ssl/s23_clnt.c +++ b/ssl/s23_clnt.c @@ -136,6 +136,13 @@ SSL *s; case SSL_ST_BEFORE|SSL_ST_CONNECT: case SSL_ST_OK|SSL_ST_CONNECT: + if (s->session != NULL) + { + SSLerr(SSL_F_SSL23_CONNECT,SSL_R_SSL23_DOING_SESSION_ID_REUSE); + ret= -1; + goto end; + } + s->server=0; if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); /* s->version=TLS1_VERSION; */ @@ -161,7 +168,7 @@ SSL *s; ssl3_init_finished_mac(s); s->state=SSL23_ST_CW_CLNT_HELLO_A; - s->ctx->sess_connect++; + s->ctx->stats.sess_connect++; s->init_num=0; break; @@ -238,16 +245,19 @@ SSL *s; { *(d++)=TLS1_VERSION_MAJOR; *(d++)=TLS1_VERSION_MINOR; + s->client_version=TLS1_VERSION; } else if (!(s->options & SSL_OP_NO_SSLv3)) { *(d++)=SSL3_VERSION_MAJOR; *(d++)=SSL3_VERSION_MINOR; + s->client_version=SSL3_VERSION; } else if (!(s->options & SSL_OP_NO_SSLv2)) { *(d++)=SSL2_VERSION_MAJOR; *(d++)=SSL2_VERSION_MINOR; + s->client_version=SSL2_VERSION; } else { diff --git a/ssl/s23_pkt.c b/ssl/s23_pkt.c index c25c312772..99f909d50f 100644 --- a/ssl/s23_pkt.c +++ b/ssl/s23_pkt.c @@ -76,7 +76,7 @@ SSL *s; { s->rwstate=SSL_WRITING; i=BIO_write(s->wbio,&(buf[tot]),num); - if (i < 0) + if (i <= 0) { s->init_off=tot; s->init_num=num; diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c index 6c8afeb857..d1f49e5ac3 100644 --- a/ssl/s23_srvr.c +++ b/ssl/s23_srvr.c @@ -134,6 +134,7 @@ SSL *s; case SSL_ST_BEFORE|SSL_ST_ACCEPT: case SSL_ST_OK|SSL_ST_ACCEPT: + s->server=1; if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); /* s->version=SSL3_VERSION; */ @@ -157,7 +158,7 @@ SSL *s; ssl3_init_finished_mac(s); s->state=SSL23_ST_SR_CLNT_HELLO_A; - s->ctx->sess_accept++; + s->ctx->stats.sess_accept++; s->init_num=0; break; @@ -203,8 +204,10 @@ SSL *s; unsigned int csl,sil,cl; int n=0,j,tls1=0; int type=0,use_sslv2_strong=0; + int v[2]; /* read the initial header */ + v[0]=v[1]=0; if (s->state == SSL23_ST_SR_CLNT_HELLO_A) { if (!ssl3_setup_buffers(s)) goto err; @@ -221,12 +224,14 @@ SSL *s; /* SSLv2 header */ if ((p[3] == 0x00) && (p[4] == 0x02)) { + v[0]=p[3]; v[1]=p[4]; /* SSLv2 */ if (!(s->options & SSL_OP_NO_SSLv2)) type=1; } else if (p[3] == SSL3_VERSION_MAJOR) { + v[0]=p[3]; v[1]=p[4]; /* SSLv3/TLSv1 */ if (p[4] >= TLS1_VERSION_MINOR) { @@ -307,6 +312,7 @@ SSL *s; (p[1] == SSL3_VERSION_MAJOR) && (p[5] == SSL3_MT_CLIENT_HELLO)) { + v[0]=p[1]; v[1]=p[2]; /* true SSLv3 or tls1 */ if (p[2] >= TLS1_VERSION_MINOR) { @@ -486,6 +492,7 @@ next_bit: s->version=SSL3_VERSION; s->method=SSLv3_server_method(); } + s->client_version=(v[0]<<8)|v[1]; s->handshake_func=s->method->ssl_accept; } diff --git a/ssl/s2_clnt.c b/ssl/s2_clnt.c index 9c8037b48b..bbac33cf36 100644 --- a/ssl/s2_clnt.c +++ b/ssl/s2_clnt.c @@ -146,6 +146,7 @@ SSL *s; case SSL_ST_BEFORE|SSL_ST_CONNECT: case SSL_ST_OK|SSL_ST_CONNECT: + s->server=0; if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); s->version=SSL2_VERSION; @@ -166,7 +167,7 @@ SSL *s; s->init_buf=buf; s->init_num=0; s->state=SSL2_ST_SEND_CLIENT_HELLO_A; - s->ctx->sess_connect++; + s->ctx->stats.sess_connect++; s->handshake_func=ssl2_connect; BREAK; @@ -249,8 +250,11 @@ SSL *s; break; case SSL_ST_OK: - BUF_MEM_free(s->init_buf); - s->init_buf=NULL; + if (s->init_buf != NULL) + { + BUF_MEM_free(s->init_buf); + s->init_buf=NULL; + } s->init_num=0; /* ERR_clear_error();*/ @@ -261,11 +265,11 @@ SSL *s; */ ssl_update_cache(s,SSL_SESS_CACHE_CLIENT); - if (s->hit) s->ctx->sess_hit++; + if (s->hit) s->ctx->stats.sess_hit++; ret=1; /* s->server=0; */ - s->ctx->sess_connect_good++; + s->ctx->stats.sess_connect_good++; if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1); @@ -538,7 +542,7 @@ SSL *s; if (s->state == SSL2_ST_SEND_CLIENT_MASTER_KEY_A) { - if (!ssl_cipher_get_evp(s->session->cipher,&c,&md)) + if (!ssl_cipher_get_evp(s->session,&c,&md,NULL)) { ssl2_return_error(s,SSL2_PE_NO_CIPHER); SSLerr(SSL_F_CLIENT_MASTER_KEY,SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS); diff --git a/ssl/s2_enc.c b/ssl/s2_enc.c index b43056fa14..63ebf28748 100644 --- a/ssl/s2_enc.c +++ b/ssl/s2_enc.c @@ -69,7 +69,7 @@ int client; EVP_MD *md; int num; - if (!ssl_cipher_get_evp(s->session->cipher,&c,&md)) + if (!ssl_cipher_get_evp(s->session,&c,&md,NULL)) { ssl2_return_error(s,SSL2_PE_NO_CIPHER); SSLerr(SSL_F_SSL2_ENC_INIT,SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS); diff --git a/ssl/s2_srvr.c b/ssl/s2_srvr.c index 8580ac6a8d..814e38f480 100644 --- a/ssl/s2_srvr.c +++ b/ssl/s2_srvr.c @@ -155,6 +155,7 @@ SSL *s; case SSL_ST_BEFORE|SSL_ST_ACCEPT: case SSL_ST_OK|SSL_ST_ACCEPT: + s->server=1; if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); s->version=SSL2_VERSION; @@ -168,7 +169,7 @@ SSL *s; { ret= -1; goto end; } s->init_buf=buf; s->init_num=0; - s->ctx->sess_accept++; + s->ctx->stats.sess_accept++; s->handshake_func=ssl2_accept; s->state=SSL2_ST_GET_CLIENT_HELLO_A; BREAK; @@ -295,13 +296,14 @@ SSL *s; case SSL_ST_OK: BUF_MEM_free(s->init_buf); + ssl_free_wbio_buffer(s); s->init_buf=NULL; s->init_num=0; /* ERR_clear_error();*/ ssl_update_cache(s,SSL_SESS_CACHE_SERVER); - s->ctx->sess_accept_good++; + s->ctx->stats.sess_accept_good++; /* s->server=1; */ ret=1; @@ -336,9 +338,6 @@ static int get_client_master_key(s) SSL *s; { int export,i,n,keya,ek; -#if 0 - int error=0; -#endif unsigned char *p; SSL_CIPHER *cp; EVP_CIPHER *c; @@ -404,7 +403,7 @@ SSL *s; export=(s->session->cipher->algorithms & SSL_EXP)?1:0; - if (!ssl_cipher_get_evp(s->session->cipher,&c,&md)) + if (!ssl_cipher_get_evp(s->session,&c,&md,NULL)) { ssl2_return_error(s,SSL2_PE_NO_CIPHER); SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS); diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index 363118835c..b2649ed998 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -134,7 +134,6 @@ SSL *s; long num1; void (*cb)()=NULL; int ret= -1; - BIO *under; int new_state,state,skip=0;; RAND_seed(&Time,sizeof(Time)); @@ -158,13 +157,14 @@ SSL *s; case SSL_ST_RENEGOTIATE: s->new_session=1; s->state=SSL_ST_CONNECT; - s->ctx->sess_connect_renegotiate++; + s->ctx->stats.sess_connect_renegotiate++; /* break */ case SSL_ST_BEFORE: case SSL_ST_CONNECT: case SSL_ST_BEFORE|SSL_ST_CONNECT: case SSL_ST_OK|SSL_ST_CONNECT: + s->server=0; if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); if ((s->version & 0xff00 ) != 0x0300) @@ -197,7 +197,7 @@ SSL *s; ssl3_init_finished_mac(s); s->state=SSL3_ST_CW_CLNT_HELLO_A; - s->ctx->sess_connect++; + s->ctx->stats.sess_connect++; s->init_num=0; break; @@ -326,6 +326,11 @@ SSL *s; s->init_num=0; s->session->cipher=s->s3->tmp.new_cipher; + if (s->s3->tmp.new_compression == NULL) + s->session->compress_meth=0; + else + s->session->compress_meth= + s->s3->tmp.new_compression->id; if (!s->method->ssl3_enc->setup_key_block(s)) { ret= -1; @@ -401,33 +406,28 @@ SSL *s; /* clean a few things up */ ssl3_cleanup_key_block(s); - BUF_MEM_free(s->init_buf); - s->init_buf=NULL; - - if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER)) + if (s->init_buf != NULL) { - /* remove buffering */ - under=BIO_pop(s->wbio); - if (under != NULL) - s->wbio=under; - else - abort(); /* ok */ - - BIO_free(s->bbio); - s->bbio=NULL; + BUF_MEM_free(s->init_buf); + s->init_buf=NULL; } - /* else do it later */ + + /* If we are not 'joining' the last two packets, + * remove the buffering now */ + if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER)) + ssl_free_wbio_buffer(s); + /* else do it later in ssl3_write */ s->init_num=0; s->new_session=0; ssl_update_cache(s,SSL_SESS_CACHE_CLIENT); - if (s->hit) s->ctx->sess_hit++; + if (s->hit) s->ctx->stats.sess_hit++; ret=1; /* s->server=0; */ s->handshake_func=ssl3_connect; - s->ctx->sess_connect_good++; + s->ctx->stats.sess_connect_good++; if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1); @@ -473,8 +473,9 @@ SSL *s; { unsigned char *buf; unsigned char *p,*d; - int i; + int i,j; unsigned long Time,l; + SSL_COMP *comp; buf=(unsigned char *)s->init_buf->data; if (s->state == SSL3_ST_CW_CLNT_HELLO_A) @@ -498,6 +499,7 @@ SSL *s; *(p++)=s->version>>8; *(p++)=s->version&0xff; + s->client_version=s->version; /* Random stuff */ memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE); @@ -525,10 +527,18 @@ SSL *s; s2n(i,p); p+=i; - /* hardwire in the NULL compression algorithm. */ /* COMPRESSION */ - *(p++)=1; - *(p++)=0; + if (s->ctx->comp_methods == NULL) + j=0; + else + j=sk_num(s->ctx->comp_methods); + *(p++)=1+j; + for (i=0; ictx->comp_methods,i); + *(p++)=comp->id; + } + *(p++)=0; /* Add the NULL method */ l=(p-d); d=buf; @@ -556,6 +566,7 @@ SSL *s; int i,al,ok; unsigned int j; long n; + SSL_COMP *comp; n=ssl3_get_message(s, SSL3_ST_CR_SRVR_HELLO_A, @@ -649,12 +660,21 @@ SSL *s; /* lets get the compression algorithm */ /* COMPRESSION */ j= *(p++); - if (j != 0) + if (j == 0) + comp=NULL; + else + comp=ssl3_comp_find(s->ctx->comp_methods,j); + + if ((j != 0) && (comp == NULL)) { al=SSL_AD_ILLEGAL_PARAMETER; SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); goto f_err; } + else + { + s->s3->tmp.new_compression=comp; + } if (p != (d+n)) { @@ -996,6 +1016,7 @@ SSL *s; /* else anonymous DH, so no certificate or pkey. */ s->session->cert->dh_tmp=dh; + dh=NULL; } else if ((alg & SSL_kDHr) || (alg & SSL_kDHd)) { @@ -1326,8 +1347,8 @@ SSL *s; rsa=pkey->pkey.rsa; } - tmp_buf[0]=s->version>>8; - tmp_buf[1]=s->version&0xff; + tmp_buf[0]=s->client_version>>8; + tmp_buf[1]=s->client_version&0xff; RAND_bytes(&(tmp_buf[2]),SSL_MAX_MASTER_KEY_LENGTH-2); s->session->master_key_length=SSL_MAX_MASTER_KEY_LENGTH; diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c index c5c9a3be42..a655e12bec 100644 --- a/ssl/s3_enc.c +++ b/ssl/s3_enc.c @@ -144,7 +144,10 @@ int which; exp=(s->s3->tmp.new_cipher->algorithms & SSL_EXPORT)?1:0; c=s->s3->tmp.new_sym_enc; m=s->s3->tmp.new_hash; - comp=s->s3->tmp.new_compression; + if (s->s3->tmp.new_compression == NULL) + comp=NULL; + else + comp=s->s3->tmp.new_compression->method; key_block=s->s3->tmp.key_block; if (which & SSL3_CC_READ) @@ -169,8 +172,9 @@ int which; SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR); goto err2; } - s->s3->rrec.comp=(unsigned char *) - Malloc(SSL3_RT_MAX_PLAIN_LENGTH); + if (s->s3->rrec.comp == NULL) + s->s3->rrec.comp=(unsigned char *) + Malloc(SSL3_RT_MAX_PLAIN_LENGTH); if (s->s3->rrec.comp == NULL) goto err; } @@ -280,11 +284,12 @@ SSL *s; EVP_CIPHER *c; EVP_MD *hash; int num,exp; + SSL_COMP *comp; if (s->s3->tmp.key_block_length != 0) return(1); - if (!ssl_cipher_get_evp(s->session->cipher,&c,&hash)) + if (!ssl_cipher_get_evp(s->session,&c,&hash,&comp)) { SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILABLE); return(0); @@ -292,11 +297,7 @@ SSL *s; s->s3->tmp.new_sym_enc=c; s->s3->tmp.new_hash=hash; -#ifdef ZLIB - s->s3->tmp.new_compression=COMP_zlib(); -#endif -/* s->s3->tmp.new_compression=COMP_rle(); */ -/* s->session->compress_meth= xxxxx */ + s->s3->tmp.new_compression=comp; exp=(s->session->cipher->algorithms & SSL_EXPORT)?1:0; @@ -454,7 +455,7 @@ unsigned char *p; unsigned char md_buf[EVP_MAX_MD_SIZE]; EVP_MD_CTX ctx; - memcpy(&ctx,in_ctx,sizeof(EVP_MD_CTX)); + EVP_MD_CTX_copy(&ctx,in_ctx); n=EVP_MD_CTX_size(&ctx); npad=(48/n)*n; diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 495c1c334f..c64b760a44 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -486,6 +486,12 @@ SSL *s; if (s->s3->tmp.ca_names != NULL) sk_pop_free(s->s3->tmp.ca_names,X509_NAME_free); + if (s->s3->rrec.comp != NULL) + { + Free(s->s3->rrec.comp); + s->s3->rrec.comp=NULL; + } + rp=s->s3->rbuf.buf; wp=s->s3->wbuf.buf; @@ -493,11 +499,7 @@ SSL *s; if (rp != NULL) s->s3->rbuf.buf=rp; if (wp != NULL) s->s3->wbuf.buf=wp; - if (s->s3->rrec.comp != NULL) - { - Free(s->s3->rrec.comp); - s->s3->rrec.comp=NULL; - } + ssl_free_wbio_buffer(s); s->packet_length=0; s->s3->renegotiate=0; @@ -844,7 +846,6 @@ const char *buf; int len; { int ret,n; - BIO *under; #if 0 if (s->shutdown & SSL_SEND_SHUTDOWN) @@ -878,15 +879,12 @@ int len; if (n <= 0) return(n); s->rwstate=SSL_NOTHING; - /* We have flushed the buffer */ - under=BIO_pop(s->wbio); - s->wbio=under; - BIO_free(s->bbio); - s->bbio=NULL; + /* We have flushed the buffer, so remove it */ + ssl_free_wbio_buffer(s); + s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER; + ret=s->s3->delay_buf_pop_ret; s->s3->delay_buf_pop_ret=0; - - s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER; } else { @@ -987,4 +985,3 @@ need to go to SSL_ST_ACCEPT. return(ret); } - diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c index b7edc8faf3..f5350bf1b7 100644 --- a/ssl/s3_pkt.c +++ b/ssl/s3_pkt.c @@ -872,7 +872,9 @@ start: if (((s->state&SSL_ST_MASK) == SSL_ST_OK) && !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) { - s->state=SSL_ST_BEFORE; + s->state=SSL_ST_BEFORE|(s->server) + ?SSL_ST_ACCEPT + :SSL_ST_CONNECT; s->new_session=1; } n=s->handshake_func(s); diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index a827a58d49..a4c0744488 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -135,7 +135,6 @@ SSL *s; long num1; int ret= -1; CERT *ct; - BIO *under; int new_state,state,skip=0; RAND_seed(&Time,sizeof(Time)); @@ -178,6 +177,7 @@ SSL *s; case SSL_ST_BEFORE|SSL_ST_ACCEPT: case SSL_ST_OK|SSL_ST_ACCEPT: + s->server=1; if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); if ((s->version>>8) != 3) @@ -217,11 +217,11 @@ SSL *s; { s->state=SSL3_ST_SR_CLNT_HELLO_A; ssl3_init_finished_mac(s); - s->ctx->sess_accept++; + s->ctx->stats.sess_accept++; } else { - s->ctx->sess_accept_renegotiate++; + s->ctx->stats.sess_accept_renegotiate++; s->state=SSL3_ST_SW_HELLO_REQ_A; } break; @@ -240,15 +240,6 @@ SSL *s; break; case SSL3_ST_SW_HELLO_REQ_C: - /* remove buffering on output */ - under=BIO_pop(s->wbio); - if (under != NULL) - s->wbio=under; - else - abort(); /* ok */ - BIO_free(s->bbio); - s->bbio=NULL; - s->state=SSL_ST_OK; ret=1; goto end; @@ -480,20 +471,14 @@ SSL *s; s->init_buf=NULL; /* remove buffering on output */ - under=BIO_pop(s->wbio); - if (under != NULL) - s->wbio=under; - else - abort(); /* ok */ - BIO_free(s->bbio); - s->bbio=NULL; + ssl_free_wbio_buffer(s); s->new_session=0; s->init_num=0; ssl_update_cache(s,SSL_SESS_CACHE_SERVER); - s->ctx->sess_accept_good++; + s->ctx->stats.sess_accept_good++; /* s->server=1; */ s->handshake_func=ssl3_accept; ret=1; @@ -567,8 +552,9 @@ SSL *s; int i,j,ok,al,ret= -1; long n; unsigned long id; - unsigned char *p,*d; + unsigned char *p,*d,*q; SSL_CIPHER *c; + SSL_COMP *comp=NULL; STACK *ciphers=NULL; /* We do this so that we will respond with our native type. @@ -595,6 +581,7 @@ SSL *s; /* The version number has already been checked in ssl3_get_message. * I a native TLSv1/SSLv3 method, the match must be correct except * perhaps for the first message */ +/* s->client_version=(((int)p[0])<<8)|(int)p[1]; */ p+=2; /* load the client random */ @@ -653,9 +640,16 @@ SSL *s; j=0; id=s->session->cipher->id; +#ifdef CIPHER_DEBUG + printf("client sent %d ciphers\n",sk_num(ciphers)); +#endif for (i=0; iid == id) { j=1; @@ -683,8 +677,11 @@ SSL *s; /* compression */ i= *(p++); + q=p; for (j=0; j= i) @@ -695,6 +692,35 @@ SSL *s; goto f_err; } + /* Worst case, we will use the NULL compression, but if we have other + * options, we will now look for them. We have i-1 compression + * algorithms from the client, starting at q. */ + s->s3->tmp.new_compression=NULL; + if (s->ctx->comp_methods != NULL) + { /* See if we have a match */ + int m,nn,o,v,done=0; + + nn=sk_num(s->ctx->comp_methods); + for (m=0; mctx->comp_methods,m); + v=comp->id; + for (o=0; os3->tmp.new_compression=comp; + else + comp=NULL; + } + /* TLS does not mind if there is extra stuff */ if (s->version == SSL3_VERSION) { @@ -708,13 +734,12 @@ SSL *s; } } - /* do nothing with compression */ - /* Given s->session->ciphers and ssl_get_ciphers_by_id(s), we must * pick a cipher */ if (!s->hit) { + s->session->compress_meth=(comp == NULL)?0:comp->id; if (s->session->ciphers != NULL) sk_free(s->session->ciphers); s->session->ciphers=ciphers; @@ -835,7 +860,10 @@ SSL *s; p+=i; /* put the compression method */ - *(p++)=0; + if (s->s3->tmp.new_compression == NULL) + *(p++)=0; + else + *(p++)=s->s3->tmp.new_compression->id; /* do the header */ l=(p-d); @@ -1266,13 +1294,26 @@ SSL *s; #if 1 /* If a bad decrypt, use a random master key */ if ((i != SSL_MAX_MASTER_KEY_LENGTH) || - ((p[0] != (s->version>>8)) || - (p[1] != (s->version & 0xff)))) + ((p[0] != (s->client_version>>8)) || + (p[1] != (s->client_version & 0xff)))) { - p[0]=(s->version>>8); - p[1]=(s->version & 0xff); - RAND_bytes(&(p[2]),SSL_MAX_MASTER_KEY_LENGTH-2); - i=SSL_MAX_MASTER_KEY_LENGTH; + int bad=1; + + if ((i == SSL_MAX_MASTER_KEY_LENGTH) && + (p[0] == (s->version>>8)) && + (p[1] == 0)) + { + if (s->options & SSL_OP_TLS_ROLLBACK_BUG) + bad=0; + } + if (bad) + { + p[0]=(s->version>>8); + p[1]=(s->version & 0xff); + RAND_bytes(&(p[2]),SSL_MAX_MASTER_KEY_LENGTH-2); + i=SSL_MAX_MASTER_KEY_LENGTH; + } + /* else, an SSLeay bug, ssl only server, tls client */ } #else if (i != SSL_MAX_MASTER_KEY_LENGTH) diff --git a/ssl/ssl.err b/ssl/ssl.err index 10ca9c5342..84256f905a 100644 --- a/ssl/ssl.err +++ b/ssl/ssl.err @@ -65,52 +65,55 @@ #define SSL_F_SSL_BYTES_TO_CIPHER_LIST 161 #define SSL_F_SSL_CERT_NEW 162 #define SSL_F_SSL_CHECK_PRIVATE_KEY 163 -#define SSL_F_SSL_CREATE_CIPHER_LIST 164 -#define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY 165 -#define SSL_F_SSL_CTX_NEW 166 -#define SSL_F_SSL_CTX_SET_SSL_VERSION 167 -#define SSL_F_SSL_CTX_USE_CERTIFICATE 168 -#define SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1 169 -#define SSL_F_SSL_CTX_USE_CERTIFICATE_FILE 170 -#define SSL_F_SSL_CTX_USE_PRIVATEKEY 171 -#define SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1 172 -#define SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE 173 -#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY 174 -#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1 175 -#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE 176 -#define SSL_F_SSL_DO_HANDSHAKE 177 -#define SSL_F_SSL_GET_NEW_SESSION 178 -#define SSL_F_SSL_GET_SERVER_SEND_CERT 179 -#define SSL_F_SSL_GET_SIGN_PKEY 180 -#define SSL_F_SSL_INIT_WBIO_BUFFER 181 -#define SSL_F_SSL_LOAD_CLIENT_CA_FILE 182 -#define SSL_F_SSL_NEW 183 -#define SSL_F_SSL_RSA_PRIVATE_DECRYPT 184 -#define SSL_F_SSL_RSA_PUBLIC_ENCRYPT 185 -#define SSL_F_SSL_SESSION_NEW 186 -#define SSL_F_SSL_SESSION_PRINT_FP 187 -#define SSL_F_SSL_SET_CERT 188 -#define SSL_F_SSL_SET_FD 189 -#define SSL_F_SSL_SET_PKEY 190 -#define SSL_F_SSL_SET_RFD 191 -#define SSL_F_SSL_SET_SESSION 192 -#define SSL_F_SSL_SET_WFD 193 -#define SSL_F_SSL_UNDEFINED_FUNCTION 194 -#define SSL_F_SSL_USE_CERTIFICATE 195 -#define SSL_F_SSL_USE_CERTIFICATE_ASN1 196 -#define SSL_F_SSL_USE_CERTIFICATE_FILE 197 -#define SSL_F_SSL_USE_PRIVATEKEY 198 -#define SSL_F_SSL_USE_PRIVATEKEY_ASN1 199 -#define SSL_F_SSL_USE_PRIVATEKEY_FILE 200 -#define SSL_F_SSL_USE_RSAPRIVATEKEY 201 -#define SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1 202 -#define SSL_F_SSL_USE_RSAPRIVATEKEY_FILE 203 -#define SSL_F_SSL_VERIFY_CERT_CHAIN 204 -#define SSL_F_SSL_WRITE 205 -#define SSL_F_TLS1_CHANGE_CIPHER_STATE 206 -#define SSL_F_TLS1_ENC 207 -#define SSL_F_TLS1_SETUP_KEY_BLOCK 208 -#define SSL_F_WRITE_PENDING 209 +#define SSL_F_SSL_CLEAR 164 +#define SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD 165 +#define SSL_F_SSL_CREATE_CIPHER_LIST 166 +#define SSL_F_SSL_CTX_ADD_COMPRESSION 167 +#define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY 168 +#define SSL_F_SSL_CTX_NEW 169 +#define SSL_F_SSL_CTX_SET_SSL_VERSION 170 +#define SSL_F_SSL_CTX_USE_CERTIFICATE 171 +#define SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1 172 +#define SSL_F_SSL_CTX_USE_CERTIFICATE_FILE 173 +#define SSL_F_SSL_CTX_USE_PRIVATEKEY 174 +#define SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1 175 +#define SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE 176 +#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY 177 +#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1 178 +#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE 179 +#define SSL_F_SSL_DO_HANDSHAKE 180 +#define SSL_F_SSL_GET_NEW_SESSION 181 +#define SSL_F_SSL_GET_SERVER_SEND_CERT 182 +#define SSL_F_SSL_GET_SIGN_PKEY 183 +#define SSL_F_SSL_INIT_WBIO_BUFFER 184 +#define SSL_F_SSL_LOAD_CLIENT_CA_FILE 185 +#define SSL_F_SSL_NEW 186 +#define SSL_F_SSL_RSA_PRIVATE_DECRYPT 187 +#define SSL_F_SSL_RSA_PUBLIC_ENCRYPT 188 +#define SSL_F_SSL_SESSION_NEW 189 +#define SSL_F_SSL_SESSION_PRINT_FP 190 +#define SSL_F_SSL_SET_CERT 191 +#define SSL_F_SSL_SET_FD 192 +#define SSL_F_SSL_SET_PKEY 193 +#define SSL_F_SSL_SET_RFD 194 +#define SSL_F_SSL_SET_SESSION 195 +#define SSL_F_SSL_SET_WFD 196 +#define SSL_F_SSL_UNDEFINED_FUNCTION 197 +#define SSL_F_SSL_USE_CERTIFICATE 198 +#define SSL_F_SSL_USE_CERTIFICATE_ASN1 199 +#define SSL_F_SSL_USE_CERTIFICATE_FILE 200 +#define SSL_F_SSL_USE_PRIVATEKEY 201 +#define SSL_F_SSL_USE_PRIVATEKEY_ASN1 202 +#define SSL_F_SSL_USE_PRIVATEKEY_FILE 203 +#define SSL_F_SSL_USE_RSAPRIVATEKEY 204 +#define SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1 205 +#define SSL_F_SSL_USE_RSAPRIVATEKEY_FILE 206 +#define SSL_F_SSL_VERIFY_CERT_CHAIN 207 +#define SSL_F_SSL_WRITE 208 +#define SSL_F_TLS1_CHANGE_CIPHER_STATE 209 +#define SSL_F_TLS1_ENC 210 +#define SSL_F_TLS1_SETUP_KEY_BLOCK 211 +#define SSL_F_WRITE_PENDING 212 /* Reason codes. */ #define SSL_R_APP_DATA_IN_HANDSHAKE 100 @@ -201,39 +204,41 @@ #define SSL_R_NO_CIPHER_MATCH 185 #define SSL_R_NO_CLIENT_CERT_RECEIVED 186 #define SSL_R_NO_COMPRESSION_SPECIFIED 187 -#define SSL_R_NO_PRIVATEKEY 188 -#define SSL_R_NO_PRIVATE_KEY_ASSIGNED 189 -#define SSL_R_NO_PROTOCOLS_AVAILABLE 190 -#define SSL_R_NO_PUBLICKEY 191 -#define SSL_R_NO_SHARED_CIPHER 192 -#define SSL_R_NO_VERIFY_CALLBACK 193 -#define SSL_R_NULL_SSL_CTX 194 -#define SSL_R_NULL_SSL_METHOD_PASSED 195 -#define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 196 -#define SSL_R_PACKET_LENGTH_TOO_LONG 197 -#define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE 198 -#define SSL_R_PEER_ERROR 199 -#define SSL_R_PEER_ERROR_CERTIFICATE 200 -#define SSL_R_PEER_ERROR_NO_CERTIFICATE 201 -#define SSL_R_PEER_ERROR_NO_CIPHER 202 -#define SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 203 -#define SSL_R_PRE_MAC_LENGTH_TOO_LONG 204 -#define SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS 205 -#define SSL_R_PROTOCOL_IS_SHUTDOWN 206 -#define SSL_R_PUBLIC_KEY_ENCRYPT_ERROR 207 -#define SSL_R_PUBLIC_KEY_IS_NOT_RSA 208 -#define SSL_R_PUBLIC_KEY_NOT_RSA 209 -#define SSL_R_READ_BIO_NOT_SET 210 -#define SSL_R_READ_WRONG_PACKET_TYPE 211 -#define SSL_R_RECORD_LENGTH_MISMATCH 212 -#define SSL_R_RECORD_TOO_LARGE 213 -#define SSL_R_REQUIRED_CIPHER_MISSING 214 -#define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO 215 -#define SSL_R_REUSE_CERT_TYPE_NOT_ZERO 216 -#define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO 217 -#define SSL_R_SHORT_READ 218 -#define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 219 -#define SSL_R_SSL3_SESSION_ID_TOO_SHORT 220 +#define SSL_R_NO_METHOD_SPECIFIED 188 +#define SSL_R_NO_PRIVATEKEY 189 +#define SSL_R_NO_PRIVATE_KEY_ASSIGNED 190 +#define SSL_R_NO_PROTOCOLS_AVAILABLE 191 +#define SSL_R_NO_PUBLICKEY 192 +#define SSL_R_NO_SHARED_CIPHER 193 +#define SSL_R_NO_VERIFY_CALLBACK 194 +#define SSL_R_NULL_SSL_CTX 195 +#define SSL_R_NULL_SSL_METHOD_PASSED 196 +#define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 197 +#define SSL_R_PACKET_LENGTH_TOO_LONG 198 +#define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE 199 +#define SSL_R_PEER_ERROR 200 +#define SSL_R_PEER_ERROR_CERTIFICATE 201 +#define SSL_R_PEER_ERROR_NO_CERTIFICATE 202 +#define SSL_R_PEER_ERROR_NO_CIPHER 203 +#define SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 204 +#define SSL_R_PRE_MAC_LENGTH_TOO_LONG 205 +#define SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS 206 +#define SSL_R_PROTOCOL_IS_SHUTDOWN 207 +#define SSL_R_PUBLIC_KEY_ENCRYPT_ERROR 208 +#define SSL_R_PUBLIC_KEY_IS_NOT_RSA 209 +#define SSL_R_PUBLIC_KEY_NOT_RSA 210 +#define SSL_R_READ_BIO_NOT_SET 211 +#define SSL_R_READ_WRONG_PACKET_TYPE 212 +#define SSL_R_RECORD_LENGTH_MISMATCH 213 +#define SSL_R_RECORD_TOO_LARGE 214 +#define SSL_R_REQUIRED_CIPHER_MISSING 215 +#define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO 216 +#define SSL_R_REUSE_CERT_TYPE_NOT_ZERO 217 +#define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO 218 +#define SSL_R_SHORT_READ 219 +#define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 220 +#define SSL_R_SSL23_DOING_SESSION_ID_REUSE 221 +#define SSL_R_SSL3_SESSION_ID_TOO_SHORT 222 #define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE 1042 #define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC 1020 #define SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED 1045 @@ -243,17 +248,17 @@ #define SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE 1040 #define SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER 1047 #define SSL_R_SSLV3_ALERT_NO_CERTIFICATE 1041 -#define SSL_R_SSLV3_ALERT_PEER_ERROR_CERTIFICATE 221 -#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CERTIFICATE 222 -#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CIPHER 223 -#define SSL_R_SSLV3_ALERT_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 224 +#define SSL_R_SSLV3_ALERT_PEER_ERROR_CERTIFICATE 223 +#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CERTIFICATE 224 +#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CIPHER 225 +#define SSL_R_SSLV3_ALERT_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 226 #define SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE 1010 -#define SSL_R_SSLV3_ALERT_UNKNOWN_REMOTE_ERROR_TYPE 225 +#define SSL_R_SSLV3_ALERT_UNKNOWN_REMOTE_ERROR_TYPE 227 #define SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE 1043 -#define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION 226 -#define SSL_R_SSL_HANDSHAKE_FAILURE 227 -#define SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS 228 -#define SSL_R_SSL_SESSION_ID_IS_DIFFERENT 229 +#define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION 228 +#define SSL_R_SSL_HANDSHAKE_FAILURE 229 +#define SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS 230 +#define SSL_R_SSL_SESSION_ID_IS_DIFFERENT 231 #define SSL_R_TLSV1_ALERT_ACCESS_DENIED 1049 #define SSL_R_TLSV1_ALERT_DECODE_ERROR 1050 #define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED 1021 @@ -266,41 +271,41 @@ #define SSL_R_TLSV1_ALERT_RECORD_OVERFLOW 1022 #define SSL_R_TLSV1_ALERT_UNKNOWN_CA 1048 #define SSL_R_TLSV1_ALERT_USER_CANCLED 1090 -#define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER 230 -#define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 231 -#define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 232 -#define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 233 -#define SSL_R_UNABLE_TO_DECODE_DH_CERTS 234 -#define SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY 235 -#define SSL_R_UNABLE_TO_FIND_DH_PARAMETERS 236 -#define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS 237 -#define SSL_R_UNABLE_TO_FIND_SSL_METHOD 238 -#define SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES 239 -#define SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES 240 -#define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES 241 -#define SSL_R_UNEXPECTED_MESSAGE 242 -#define SSL_R_UNEXPECTED_RECORD 243 -#define SSL_R_UNKNOWN_ALERT_TYPE 244 -#define SSL_R_UNKNOWN_CERTIFICATE_TYPE 245 -#define SSL_R_UNKNOWN_CIPHER_RETURNED 246 -#define SSL_R_UNKNOWN_CIPHER_TYPE 247 -#define SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE 248 -#define SSL_R_UNKNOWN_PKEY_TYPE 249 -#define SSL_R_UNKNOWN_PROTOCOL 250 -#define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE 251 -#define SSL_R_UNKNOWN_SSL_VERSION 252 -#define SSL_R_UNKNOWN_STATE 253 -#define SSL_R_UNSUPPORTED_CIPHER 254 -#define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 255 -#define SSL_R_UNSUPPORTED_PROTOCOL 256 -#define SSL_R_UNSUPPORTED_SSL_VERSION 257 -#define SSL_R_WRITE_BIO_NOT_SET 258 -#define SSL_R_WRONG_CIPHER_RETURNED 259 -#define SSL_R_WRONG_MESSAGE_TYPE 260 -#define SSL_R_WRONG_NUMBER_OF_KEY_BITS 261 -#define SSL_R_WRONG_SIGNATURE_LENGTH 262 -#define SSL_R_WRONG_SIGNATURE_SIZE 263 -#define SSL_R_WRONG_SSL_VERSION 264 -#define SSL_R_WRONG_VERSION_NUMBER 265 -#define SSL_R_X509_LIB 266 -#define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS 267 +#define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER 232 +#define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233 +#define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 234 +#define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 235 +#define SSL_R_UNABLE_TO_DECODE_DH_CERTS 236 +#define SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY 237 +#define SSL_R_UNABLE_TO_FIND_DH_PARAMETERS 238 +#define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS 239 +#define SSL_R_UNABLE_TO_FIND_SSL_METHOD 240 +#define SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES 241 +#define SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES 242 +#define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES 243 +#define SSL_R_UNEXPECTED_MESSAGE 244 +#define SSL_R_UNEXPECTED_RECORD 245 +#define SSL_R_UNKNOWN_ALERT_TYPE 246 +#define SSL_R_UNKNOWN_CERTIFICATE_TYPE 247 +#define SSL_R_UNKNOWN_CIPHER_RETURNED 248 +#define SSL_R_UNKNOWN_CIPHER_TYPE 249 +#define SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE 250 +#define SSL_R_UNKNOWN_PKEY_TYPE 251 +#define SSL_R_UNKNOWN_PROTOCOL 252 +#define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE 253 +#define SSL_R_UNKNOWN_SSL_VERSION 254 +#define SSL_R_UNKNOWN_STATE 255 +#define SSL_R_UNSUPPORTED_CIPHER 256 +#define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 257 +#define SSL_R_UNSUPPORTED_PROTOCOL 258 +#define SSL_R_UNSUPPORTED_SSL_VERSION 259 +#define SSL_R_WRITE_BIO_NOT_SET 260 +#define SSL_R_WRONG_CIPHER_RETURNED 261 +#define SSL_R_WRONG_MESSAGE_TYPE 262 +#define SSL_R_WRONG_NUMBER_OF_KEY_BITS 263 +#define SSL_R_WRONG_SIGNATURE_LENGTH 264 +#define SSL_R_WRONG_SIGNATURE_SIZE 265 +#define SSL_R_WRONG_SSL_VERSION 266 +#define SSL_R_WRONG_VERSION_NUMBER 267 +#define SSL_R_X509_LIB 268 +#define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS 269 diff --git a/ssl/ssl.h b/ssl/ssl.h index 92b7695e61..689122db02 100644 --- a/ssl/ssl.h +++ b/ssl/ssl.h @@ -1,3 +1,15 @@ +#define SSL_CTX_sess_set_new_cb(ctx,cb) ((ctx)->new_session_cb=(cb)) +#define SSL_CTX_sess_get_new_cb(ctx) ((ctx)->new_session_cb) +#define SSL_CTX_sess_set_remove_cb(ctx,cb) ((ctx)->remove_session_cb=(cb)) +#define SSL_CTX_sess_get_remove_cb(ctx) ((ctx)->remove_session_cb) +#define SSL_CTX_sess_set_get_cb(ctx,cb) ((ctx)->get_session_cb=(cb)) +#define SSL_CTX_sess_get_get_cb(ctx) ((ctx)->get_session_cb) +#define SSL_CTX_set_info_callback(ctx,cb) ((ctx)->info_callback=(cb)) +#define SSL_CTX_get_info_callback(ctx) ((ctx)->info_callback) + +#define SSL_CTX_set_client_cert_cb(ctx,cb) ((ctx)->client_cert_cb=(cb)) +#define SSL_CTX_get_client_cert_cb(ctx) ((ctx)->client_cert_cb) + /* ssl/ssl.h */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. @@ -193,6 +205,7 @@ typedef struct ssl_method_st struct ssl_method_st *(*get_ssl_method)(int version); long (*get_timeout)(void); struct ssl3_enc_method *ssl3_enc; /* Extra SSLv3/TLS stuff */ + int (*ssl_version)(); } SSL_METHOD; /* Lets make this into an ASN.1 type structure as follows @@ -238,11 +251,7 @@ typedef struct ssl_session_st long timeout; long time; -#ifdef HEADER_COMP_H - COMP_CTX *compress_meth; -#else - char *compress_meth; -#endif + int compress_meth; /* Need to lookup the method */ SSL_CIPHER *cipher; unsigned long cipher_id; /* when ASN.1 loaded, this @@ -267,6 +276,7 @@ typedef struct ssl_session_st #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x00000080L #define SSL_OP_TLS_D5_BUG 0x00000100L #define SSL_OP_TLS_BLOCK_PADDING_BUG 0x00000200L +#define SSL_OP_TLS_ROLLBACK_BUG 0x00000400L /* If set, only use tmp_dh parameters once */ #define SSL_OP_SINGLE_DH_USE 0x00100000L @@ -282,22 +292,32 @@ typedef struct ssl_session_st #define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x80000000L #define SSL_OP_ALL 0x000FFFFFL -#define SSL_CTX_set_options(ctx,op) ((ctx)->options|=(op)) -#define SSL_set_options(ssl,op) ((ssl)->options|=(op)) +#define SSL_CTX_set_options(ctx,op) \ + SSL_CTX_ctrl(ctx,SSL_CTRL_OPTIONS,op,NULL) +#define SSL_CTX_get_options(ctx) \ + SSL_CTX_ctrl(ctx,SSL_CTRL_OPTIONS,0,NULL) +#define SSL_set_options(ssl,op) \ + SSL_ctrl(ctx,SSL_CTRL_OPTIONS,0,NULL) +#define SSL_get_options(ssl) \ + SSL_ctrl(ctx,SSL_CTRL_OPTIONS,0,NULL) #define SSL_OP_NO_SSLv2 0x01000000L #define SSL_OP_NO_SSLv3 0x02000000L #define SSL_OP_NO_TLSv1 0x04000000L -/* Normally you will only use these if your application wants to use - * the certificate store in other places, perhaps PKCS7 */ -#define SSL_CTX_get_cert_store(ctx) ((ctx)->cert_store) -#define SSL_CTX_set_cert_store(ctx,cs) \ - (X509_STORE_free((ctx)->cert_store),(ctx)->cert_store=(cs)) - - #define SSL_SESSION_CACHE_MAX_SIZE_DEFAULT (1024*20) +typedef struct ssl_comp_st +{ + int id; + char *name; +#ifdef HEADER_COMP_H + COMP_METHOD *method; +#else + char *method; +#endif +} SSL_COMP; + struct ssl_ctx_st { SSL_METHOD *method; @@ -347,46 +367,50 @@ struct ssl_ctx_st SSL_SESSION *(*get_session_cb)(); #endif - int sess_connect; /* SSL new connection - started */ - int sess_connect_renegotiate;/* SSL renegotiatene - requested */ - int sess_connect_good; /* SSL new connection/renegotiate - finished */ - int sess_accept; /* SSL new accept - started */ - int sess_accept_renegotiate;/* SSL renegotiatene - requested */ - int sess_accept_good; /* SSL accept/renegotiate - finished */ - int sess_miss; /* session lookup misses */ - int sess_timeout; /* session reuse attempt on timeouted session */ - int sess_cache_full; /* session removed due to full cache */ - int sess_hit; /* session reuse actually done */ - int sess_cb_hit; /* session-id that was not in the cache was - * passed back via the callback. This - * indicates that the application is supplying - * session-id's from other processes - - * spooky :-) */ + struct + { + int sess_connect; /* SSL new conn - started */ + int sess_connect_renegotiate;/* SSL reneg - requested */ + int sess_connect_good; /* SSL new conne/reneg - finished */ + int sess_accept; /* SSL new accept - started */ + int sess_accept_renegotiate;/* SSL reneg - requested */ + int sess_accept_good; /* SSL accept/reneg - finished */ + int sess_miss; /* session lookup misses */ + int sess_timeout; /* reuse attempt on timeouted session */ + int sess_cache_full; /* session removed due to full cache */ + int sess_hit; /* session reuse actually done */ + int sess_cb_hit; /* session-id that was not + * in the cache was + * passed back via the callback. This + * indicates that the application is + * supplying session-id's from other + * processes - spooky :-) */ + } stats; int references; - void (*info_callback)(); +/**/ void (*info_callback)(); /* if defined, these override the X509_verify_cert() calls */ - int (*app_verify_callback)(); - char *app_verify_arg; +/**/ int (*app_verify_callback)(); +/**/ char *app_verify_arg; /* default values to use in SSL structures */ - struct cert_st /* CERT */ *default_cert; - int default_read_ahead; - int default_verify_mode; - int (*default_verify_callback)(); +/**/ struct cert_st /* CERT */ *default_cert; +/**/ int read_ahead; +/**/ int verify_mode; +/**/ int (*default_verify_callback)(); /* Default password callback. */ - int (*default_passwd_callback)(); +/**/ int (*default_passwd_callback)(); /* get client cert callback */ - int (*client_cert_cb)(/* SSL *ssl, X509 **x509, EVP_PKEY **pkey */); +/**/ int (*client_cert_cb)(/* SSL *ssl, X509 **x509, EVP_PKEY **pkey */); /* what we put in client requests */ STACK *client_CA; - int quiet_shutdown; +/**/ int quiet_shutdown; CRYPTO_EX_DATA ex_data; @@ -395,6 +419,7 @@ struct ssl_ctx_st EVP_MD *sha1; /* For SSLv3/TLSv1 'ssl3->sha1' */ STACK *extra_certs; + STACK *comp_methods; /* stack of SSL_COMP, SSLv3/TLSv1 */ }; #define SSL_SESS_CACHE_OFF 0x0000 @@ -407,41 +432,30 @@ struct ssl_ctx_st * defined, this will still get called. */ #define SSL_SESS_CACHE_NO_INTERNAL_LOOKUP 0x0100 -#define SSL_CTX_sessions(ctx) ((ctx)->sessions) -/* You will need to include lhash.h to access the following #define */ -#define SSL_CTX_sess_number(ctx) ((ctx)->sessions->num_items) -#define SSL_CTX_sess_connect(ctx) ((ctx)->sess_connect) -#define SSL_CTX_sess_connect_good(ctx) ((ctx)->sess_connect_good) -#define SSL_CTX_sess_accept(ctx) ((ctx)->sess_accept) -#define SSL_CTX_sess_accept_renegotiate(ctx) ((ctx)->sess_accept_renegotiate) -#define SSL_CTX_sess_connect_renegotiate(ctx) ((ctx)->sess_connect_renegotiate) -#define SSL_CTX_sess_accept_good(ctx) ((ctx)->sess_accept_good) -#define SSL_CTX_sess_hits(ctx) ((ctx)->sess_hit) -#define SSL_CTX_sess_cb_hits(ctx) ((ctx)->sess_cb_hit) -#define SSL_CTX_sess_misses(ctx) ((ctx)->sess_miss) -#define SSL_CTX_sess_timeouts(ctx) ((ctx)->sess_timeout) -#define SSL_CTX_sess_cache_full(ctx) ((ctx)->sess_cache_full) - -#define SSL_CTX_sess_set_cache_size(ctx,t) ((ctx)->session_cache_size=(t)) -#define SSL_CTX_sess_get_cache_size(ctx) ((ctx)->session_cache_size) - -#define SSL_CTX_sess_set_new_cb(ctx,cb) ((ctx)->new_session_cb=(cb)) -#define SSL_CTX_sess_get_new_cb(ctx) ((ctx)->new_session_cb) -#define SSL_CTX_sess_set_remove_cb(ctx,cb) ((ctx)->remove_session_cb=(cb)) -#define SSL_CTX_sess_get_remove_cb(ctx) ((ctx)->remove_session_cb) -#define SSL_CTX_sess_set_get_cb(ctx,cb) ((ctx)->get_session_cb=(cb)) -#define SSL_CTX_sess_get_get_cb(ctx) ((ctx)->get_session_cb) -#define SSL_CTX_set_session_cache_mode(ctx,m) ((ctx)->session_cache_mode=(m)) -#define SSL_CTX_get_session_cache_mode(ctx) ((ctx)->session_cache_mode) -#define SSL_CTX_set_timeout(ctx,t) ((ctx)->session_timeout=(t)) -#define SSL_CTX_get_timeout(ctx) ((ctx)->session_timeout) - -#define SSL_CTX_set_info_callback(ctx,cb) ((ctx)->info_callback=(cb)) -#define SSL_CTX_get_info_callback(ctx) ((ctx)->info_callback) -#define SSL_CTX_set_default_read_ahead(ctx,m) (((ctx)->default_read_ahead)=(m)) - -#define SSL_CTX_set_client_cert_cb(ctx,cb) ((ctx)->client_cert_cb=(cb)) -#define SSL_CTX_get_client_cert_cb(ctx) ((ctx)->client_cert_cb) +#define SSL_CTX_sess_number(ctx) \ + SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_NUMBER,0,NULL) +#define SSL_CTX_sess_connect(ctx) \ + SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT,0,NULL) +#define SSL_CTX_sess_connect_good(ctx) \ + SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT_GOOD,0,NULL) +#define SSL_CTX_sess_connect_renegotiate(ctx) \ + SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT_RENEGOTIATE,0,NULL) +#define SSL_CTX_sess_accept(ctx) \ + SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT,0,NULL) +#define SSL_CTX_sess_accept_renegotiate(ctx) \ + SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT_RENEGOTIATE,0,NULL) +#define SSL_CTX_sess_accept_good(ctx) \ + SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT_GOOD,0,NULL) +#define SSL_CTX_sess_hits(ctx) \ + SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_HIT,0,NULL) +#define SSL_CTX_sess_cb_hits(ctx) \ + SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CB_HIT,0,NULL) +#define SSL_CTX_sess_misses(ctx) \ + SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_MISSES,0,NULL) +#define SSL_CTX_sess_timeouts(ctx) \ + SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_TIMEOUTS,0,NULL) +#define SSL_CTX_sess_cache_full(ctx) \ + SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CACHE_FULL,0,NULL) #define SSL_NOTHING 1 #define SSL_WRITING 2 @@ -449,11 +463,10 @@ struct ssl_ctx_st #define SSL_X509_LOOKUP 4 /* These will only be used when doing non-blocking IO */ -#define SSL_want(s) ((s)->rwstate) -#define SSL_want_nothing(s) ((s)->rwstate == SSL_NOTHING) -#define SSL_want_read(s) ((s)->rwstate == SSL_READING) -#define SSL_want_write(s) ((s)->rwstate == SSL_WRITING) -#define SSL_want_x509_lookup(s) ((s)->rwstate == SSL_X509_LOOKUP) +#define SSL_want_nothing(s) (SSL_want(s) == SSL_NOTHING) +#define SSL_want_read(s) (SSL_want(s) == SSL_READING) +#define SSL_want_write(s) (SSL_want(s) == SSL_WRITING) +#define SSL_want_x509_lookup(s) (SSL_want(s) == SSL_X509_LOOKUP) struct ssl_st { @@ -490,7 +503,7 @@ struct ssl_st int in_handshake; int (*handshake_func)(); -/* int server;*/ /* are we the server side? */ + int server; /* are we the server side? - mostly used by SSL_clear*/ int new_session;/* 1 if we are to use a new session */ int quiet_shutdown;/* don't send shutdown packets */ @@ -569,6 +582,8 @@ struct ssl_st int references; unsigned long options; int first_packet; + int client_version; /* what was passed, used for + * SSLv3/TLS rolback check */ }; #include "ssl2.h" @@ -634,6 +649,8 @@ struct ssl_st #define SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02 #define SSL_VERIFY_CLIENT_ONCE 0x04 +#define SSLeay_add_ssl_algorithms() SSL_library_init() + /* this is for backward compatablility */ #if 0 /* NEW_SSLEAY */ #define SSL_CTX_set_default_verify(a,b,c) SSL_CTX_set_verify(a,b,c) @@ -726,8 +743,29 @@ struct ssl_st #define SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS 9 #define SSL_CTRL_GET_TOTAL_RENEGOTIATIONS 10 #define SSL_CTRL_GET_FLAGS 11 - -#define SSL_CTRL_EXTRA_CHAIN_CERT 11 +#define SSL_CTRL_EXTRA_CHAIN_CERT 12 + +/* Stats */ +#define SSL_CTRL_SESS_NUMBER 20 +#define SSL_CTRL_SESS_CONNECT 21 +#define SSL_CTRL_SESS_CONNECT_GOOD 22 +#define SSL_CTRL_SESS_CONNECT_RENEGOTIATE 23 +#define SSL_CTRL_SESS_ACCEPT 24 +#define SSL_CTRL_SESS_ACCEPT_GOOD 25 +#define SSL_CTRL_SESS_ACCEPT_RENEGOTIATE 26 +#define SSL_CTRL_SESS_HIT 27 +#define SSL_CTRL_SESS_CB_HIT 28 +#define SSL_CTRL_SESS_MISSES 29 +#define SSL_CTRL_SESS_TIMEOUTS 30 +#define SSL_CTRL_SESS_CACHE_FULL 31 +#define SSL_CTRL_OPTIONS 32 + +#define SSL_CTRL_GET_READ_AHEAD 40 +#define SSL_CTRL_SET_READ_AHEAD 41 +#define SSL_CTRL_SET_SESS_CACHE_SIZE 42 +#define SSL_CTRL_GET_SESS_CACHE_SIZE 43 +#define SSL_CTRL_SET_SESS_CACHE_MODE 44 +#define SSL_CTRL_GET_SESS_CACHE_MODE 45 #define SSL_session_reused(ssl) \ SSL_ctrl((ssl),SSL_CTRL_GET_SESSION_REUSED,0,NULL) @@ -763,7 +801,13 @@ void BIO_ssl_shutdown(BIO *ssl_bio); int SSL_CTX_set_cipher_list(SSL_CTX *,char *str); SSL_CTX *SSL_CTX_new(SSL_METHOD *meth); void SSL_CTX_free(SSL_CTX *); -void SSL_clear(SSL *s); +long SSL_CTX_set_timeout(SSL_CTX *ctx,long t); +long SSL_CTX_get_timeout(SSL_CTX *ctx); +X509_STORE *SSL_CTX_get_cert_store(SSL_CTX *); +void SSL_CTX_set_cert_store(SSL_CTX *,X509_STORE *); +int SSL_want(SSL *s); +int SSL_clear(SSL *s); + void SSL_CTX_flush_sessions(SSL_CTX *ctx,long tm); SSL_CIPHER *SSL_get_current_cipher(SSL *s); @@ -796,7 +840,7 @@ int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len); int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey); int SSL_use_PrivateKey_ASN1(int pk,SSL *ssl, unsigned char *d, long len); int SSL_use_certificate(SSL *ssl, X509 *x); -int SSL_use_certificate_ASN1(SSL *ssl, int len, unsigned char *d); +int SSL_use_certificate_ASN1(SSL *ssl, unsigned char *d, int len); #ifndef NO_STDIO int SSL_use_RSAPrivateKey_file(SSL *ssl, char *file, int type); @@ -860,7 +904,6 @@ int SSL_CTX_check_private_key(SSL_CTX *ctx); int SSL_check_private_key(SSL *ctx); SSL * SSL_new(SSL_CTX *ctx); -void SSL_clear(SSL *s); void SSL_free(SSL *ssl); int SSL_accept(SSL *ssl); int SSL_connect(SSL *ssl); @@ -917,7 +960,7 @@ void SSL_set_accept_state(SSL *s); long SSL_get_default_timeout(SSL *s); -void SSLeay_add_ssl_algorithms(void ); +int SSL_library_init(void ); char *SSL_CIPHER_description(SSL_CIPHER *,char *buf,int size); STACK *SSL_dup_CA_list(STACK *sk); @@ -962,6 +1005,22 @@ int SSL_CTX_get_ex_new_index(long argl, char *argp, int (*new_func)(), int SSL_get_ex_data_X509_STORE_CTX_idx(void ); +#define SSL_CTX_sess_set_cache_size(ctx,t) \ + SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SESS_CACHE_SIZE,t,NULL) +#define SSL_CTX_sess_get_cache_size(ctx) \ + SSL_CTX_ctrl(ctx,SSL_CTRL_GET_SESS_CACHE_SIZE,0,NULL) +#define SSL_CTX_set_session_cache_mode(ctx,m) \ + SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SESS_CACHE_MODE,m,NULL) +#define SSL_CTX_get_session_cache_mode(ctx) \ + SSL_CTX_ctrl(ctx,SSL_CTRL_GET_SESS_CACHE_MODE,0,NULL) + +#define SSL_CTX_get_default_read_ahead(ctx) SSL_CTX_get_read_ahead(ctx) +#define SSL_CTX_set_default_read_ahead(ctx,m) SSL_CTX_set_read_ahead(ctx,m) +#define SSL_CTX_get_read_ahead(ctx) \ + SSL_CTX_ctrl(ctx,SSL_CTRL_GET_READ_AHEAD,0,NULL) +#define SSL_CTX_set_read_ahead(ctx,m) \ + SSL_CTX_ctrl(ctx,SSL_CTRL_SET_READ_AHEAD,0,NULL) + /* For the next 2, the callbacks are * RSA *tmp_rsa_cb(SSL *ssl,int export) * DH *tmp_dh_cb(SSL *ssl,int export) @@ -970,6 +1029,12 @@ void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx, RSA *(*cb)(SSL *ssl,int export)); void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,DH *(*dh)(SSL *ssl,int export)); +#ifdef HEADER_COMP_H +int SSL_COMP_add_compression_method(int id,COMP_METHOD *cm); +#else +int SSL_COMP_add_compression_method(int id,char *cm); +#endif + #else BIO_METHOD *BIO_f_ssl(); @@ -979,6 +1044,12 @@ BIO *BIO_new_buffer_ssl_connect(); int BIO_ssl_copy_session_id(); void BIO_ssl_shutdown(); +long SSL_CTX_set_timeout(); +long SSL_CTX_get_timeout(); +X509_STORE *SSL_CTX_get_cert_store(); +void SSL_CTX_set_cert_store(); +int SSL_want(); + int SSL_CTX_set_cipher_list(); SSL_CTX *SSL_CTX_new(); void SSL_CTX_free(); @@ -1134,7 +1205,7 @@ void SSL_set_accept_state(); long SSL_get_default_timeout(); -void SSLeay_add_ssl_algorithms(); +int SSL_library_init(); char *SSL_CIPHER_description(); STACK *SSL_dup_CA_list(); @@ -1178,6 +1249,7 @@ char *SSL_CTX_get_ex_data(); int SSL_CTX_get_ex_new_index(); int SSL_get_ex_data_X509_STORE_CTX_idx(); +int SSL_COMP_add_compression_method(); /* For the next 2, the callbacks are * RSA *tmp_rsa_cb(SSL *ssl,int export) @@ -1258,52 +1330,55 @@ void SSL_CTX_set_tmp_dh_callback(); #define SSL_F_SSL_BYTES_TO_CIPHER_LIST 161 #define SSL_F_SSL_CERT_NEW 162 #define SSL_F_SSL_CHECK_PRIVATE_KEY 163 -#define SSL_F_SSL_CREATE_CIPHER_LIST 164 -#define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY 165 -#define SSL_F_SSL_CTX_NEW 166 -#define SSL_F_SSL_CTX_SET_SSL_VERSION 167 -#define SSL_F_SSL_CTX_USE_CERTIFICATE 168 -#define SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1 169 -#define SSL_F_SSL_CTX_USE_CERTIFICATE_FILE 170 -#define SSL_F_SSL_CTX_USE_PRIVATEKEY 171 -#define SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1 172 -#define SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE 173 -#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY 174 -#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1 175 -#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE 176 -#define SSL_F_SSL_DO_HANDSHAKE 177 -#define SSL_F_SSL_GET_NEW_SESSION 178 -#define SSL_F_SSL_GET_SERVER_SEND_CERT 179 -#define SSL_F_SSL_GET_SIGN_PKEY 180 -#define SSL_F_SSL_INIT_WBIO_BUFFER 181 -#define SSL_F_SSL_LOAD_CLIENT_CA_FILE 182 -#define SSL_F_SSL_NEW 183 -#define SSL_F_SSL_RSA_PRIVATE_DECRYPT 184 -#define SSL_F_SSL_RSA_PUBLIC_ENCRYPT 185 -#define SSL_F_SSL_SESSION_NEW 186 -#define SSL_F_SSL_SESSION_PRINT_FP 187 -#define SSL_F_SSL_SET_CERT 188 -#define SSL_F_SSL_SET_FD 189 -#define SSL_F_SSL_SET_PKEY 190 -#define SSL_F_SSL_SET_RFD 191 -#define SSL_F_SSL_SET_SESSION 192 -#define SSL_F_SSL_SET_WFD 193 -#define SSL_F_SSL_UNDEFINED_FUNCTION 194 -#define SSL_F_SSL_USE_CERTIFICATE 195 -#define SSL_F_SSL_USE_CERTIFICATE_ASN1 196 -#define SSL_F_SSL_USE_CERTIFICATE_FILE 197 -#define SSL_F_SSL_USE_PRIVATEKEY 198 -#define SSL_F_SSL_USE_PRIVATEKEY_ASN1 199 -#define SSL_F_SSL_USE_PRIVATEKEY_FILE 200 -#define SSL_F_SSL_USE_RSAPRIVATEKEY 201 -#define SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1 202 -#define SSL_F_SSL_USE_RSAPRIVATEKEY_FILE 203 -#define SSL_F_SSL_VERIFY_CERT_CHAIN 204 -#define SSL_F_SSL_WRITE 205 -#define SSL_F_TLS1_CHANGE_CIPHER_STATE 206 -#define SSL_F_TLS1_ENC 207 -#define SSL_F_TLS1_SETUP_KEY_BLOCK 208 -#define SSL_F_WRITE_PENDING 209 +#define SSL_F_SSL_CLEAR 164 +#define SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD 165 +#define SSL_F_SSL_CREATE_CIPHER_LIST 166 +#define SSL_F_SSL_CTX_ADD_COMPRESSION 167 +#define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY 168 +#define SSL_F_SSL_CTX_NEW 169 +#define SSL_F_SSL_CTX_SET_SSL_VERSION 170 +#define SSL_F_SSL_CTX_USE_CERTIFICATE 171 +#define SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1 172 +#define SSL_F_SSL_CTX_USE_CERTIFICATE_FILE 173 +#define SSL_F_SSL_CTX_USE_PRIVATEKEY 174 +#define SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1 175 +#define SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE 176 +#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY 177 +#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1 178 +#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE 179 +#define SSL_F_SSL_DO_HANDSHAKE 180 +#define SSL_F_SSL_GET_NEW_SESSION 181 +#define SSL_F_SSL_GET_SERVER_SEND_CERT 182 +#define SSL_F_SSL_GET_SIGN_PKEY 183 +#define SSL_F_SSL_INIT_WBIO_BUFFER 184 +#define SSL_F_SSL_LOAD_CLIENT_CA_FILE 185 +#define SSL_F_SSL_NEW 186 +#define SSL_F_SSL_RSA_PRIVATE_DECRYPT 187 +#define SSL_F_SSL_RSA_PUBLIC_ENCRYPT 188 +#define SSL_F_SSL_SESSION_NEW 189 +#define SSL_F_SSL_SESSION_PRINT_FP 190 +#define SSL_F_SSL_SET_CERT 191 +#define SSL_F_SSL_SET_FD 192 +#define SSL_F_SSL_SET_PKEY 193 +#define SSL_F_SSL_SET_RFD 194 +#define SSL_F_SSL_SET_SESSION 195 +#define SSL_F_SSL_SET_WFD 196 +#define SSL_F_SSL_UNDEFINED_FUNCTION 197 +#define SSL_F_SSL_USE_CERTIFICATE 198 +#define SSL_F_SSL_USE_CERTIFICATE_ASN1 199 +#define SSL_F_SSL_USE_CERTIFICATE_FILE 200 +#define SSL_F_SSL_USE_PRIVATEKEY 201 +#define SSL_F_SSL_USE_PRIVATEKEY_ASN1 202 +#define SSL_F_SSL_USE_PRIVATEKEY_FILE 203 +#define SSL_F_SSL_USE_RSAPRIVATEKEY 204 +#define SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1 205 +#define SSL_F_SSL_USE_RSAPRIVATEKEY_FILE 206 +#define SSL_F_SSL_VERIFY_CERT_CHAIN 207 +#define SSL_F_SSL_WRITE 208 +#define SSL_F_TLS1_CHANGE_CIPHER_STATE 209 +#define SSL_F_TLS1_ENC 210 +#define SSL_F_TLS1_SETUP_KEY_BLOCK 211 +#define SSL_F_WRITE_PENDING 212 /* Reason codes. */ #define SSL_R_APP_DATA_IN_HANDSHAKE 100 @@ -1394,39 +1469,41 @@ void SSL_CTX_set_tmp_dh_callback(); #define SSL_R_NO_CIPHER_MATCH 185 #define SSL_R_NO_CLIENT_CERT_RECEIVED 186 #define SSL_R_NO_COMPRESSION_SPECIFIED 187 -#define SSL_R_NO_PRIVATEKEY 188 -#define SSL_R_NO_PRIVATE_KEY_ASSIGNED 189 -#define SSL_R_NO_PROTOCOLS_AVAILABLE 190 -#define SSL_R_NO_PUBLICKEY 191 -#define SSL_R_NO_SHARED_CIPHER 192 -#define SSL_R_NO_VERIFY_CALLBACK 193 -#define SSL_R_NULL_SSL_CTX 194 -#define SSL_R_NULL_SSL_METHOD_PASSED 195 -#define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 196 -#define SSL_R_PACKET_LENGTH_TOO_LONG 197 -#define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE 198 -#define SSL_R_PEER_ERROR 199 -#define SSL_R_PEER_ERROR_CERTIFICATE 200 -#define SSL_R_PEER_ERROR_NO_CERTIFICATE 201 -#define SSL_R_PEER_ERROR_NO_CIPHER 202 -#define SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 203 -#define SSL_R_PRE_MAC_LENGTH_TOO_LONG 204 -#define SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS 205 -#define SSL_R_PROTOCOL_IS_SHUTDOWN 206 -#define SSL_R_PUBLIC_KEY_ENCRYPT_ERROR 207 -#define SSL_R_PUBLIC_KEY_IS_NOT_RSA 208 -#define SSL_R_PUBLIC_KEY_NOT_RSA 209 -#define SSL_R_READ_BIO_NOT_SET 210 -#define SSL_R_READ_WRONG_PACKET_TYPE 211 -#define SSL_R_RECORD_LENGTH_MISMATCH 212 -#define SSL_R_RECORD_TOO_LARGE 213 -#define SSL_R_REQUIRED_CIPHER_MISSING 214 -#define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO 215 -#define SSL_R_REUSE_CERT_TYPE_NOT_ZERO 216 -#define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO 217 -#define SSL_R_SHORT_READ 218 -#define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 219 -#define SSL_R_SSL3_SESSION_ID_TOO_SHORT 220 +#define SSL_R_NO_METHOD_SPECIFIED 188 +#define SSL_R_NO_PRIVATEKEY 189 +#define SSL_R_NO_PRIVATE_KEY_ASSIGNED 190 +#define SSL_R_NO_PROTOCOLS_AVAILABLE 191 +#define SSL_R_NO_PUBLICKEY 192 +#define SSL_R_NO_SHARED_CIPHER 193 +#define SSL_R_NO_VERIFY_CALLBACK 194 +#define SSL_R_NULL_SSL_CTX 195 +#define SSL_R_NULL_SSL_METHOD_PASSED 196 +#define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 197 +#define SSL_R_PACKET_LENGTH_TOO_LONG 198 +#define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE 199 +#define SSL_R_PEER_ERROR 200 +#define SSL_R_PEER_ERROR_CERTIFICATE 201 +#define SSL_R_PEER_ERROR_NO_CERTIFICATE 202 +#define SSL_R_PEER_ERROR_NO_CIPHER 203 +#define SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 204 +#define SSL_R_PRE_MAC_LENGTH_TOO_LONG 205 +#define SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS 206 +#define SSL_R_PROTOCOL_IS_SHUTDOWN 207 +#define SSL_R_PUBLIC_KEY_ENCRYPT_ERROR 208 +#define SSL_R_PUBLIC_KEY_IS_NOT_RSA 209 +#define SSL_R_PUBLIC_KEY_NOT_RSA 210 +#define SSL_R_READ_BIO_NOT_SET 211 +#define SSL_R_READ_WRONG_PACKET_TYPE 212 +#define SSL_R_RECORD_LENGTH_MISMATCH 213 +#define SSL_R_RECORD_TOO_LARGE 214 +#define SSL_R_REQUIRED_CIPHER_MISSING 215 +#define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO 216 +#define SSL_R_REUSE_CERT_TYPE_NOT_ZERO 217 +#define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO 218 +#define SSL_R_SHORT_READ 219 +#define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 220 +#define SSL_R_SSL23_DOING_SESSION_ID_REUSE 221 +#define SSL_R_SSL3_SESSION_ID_TOO_SHORT 222 #define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE 1042 #define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC 1020 #define SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED 1045 @@ -1436,17 +1513,17 @@ void SSL_CTX_set_tmp_dh_callback(); #define SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE 1040 #define SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER 1047 #define SSL_R_SSLV3_ALERT_NO_CERTIFICATE 1041 -#define SSL_R_SSLV3_ALERT_PEER_ERROR_CERTIFICATE 221 -#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CERTIFICATE 222 -#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CIPHER 223 -#define SSL_R_SSLV3_ALERT_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 224 +#define SSL_R_SSLV3_ALERT_PEER_ERROR_CERTIFICATE 223 +#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CERTIFICATE 224 +#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CIPHER 225 +#define SSL_R_SSLV3_ALERT_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 226 #define SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE 1010 -#define SSL_R_SSLV3_ALERT_UNKNOWN_REMOTE_ERROR_TYPE 225 +#define SSL_R_SSLV3_ALERT_UNKNOWN_REMOTE_ERROR_TYPE 227 #define SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE 1043 -#define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION 226 -#define SSL_R_SSL_HANDSHAKE_FAILURE 227 -#define SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS 228 -#define SSL_R_SSL_SESSION_ID_IS_DIFFERENT 229 +#define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION 228 +#define SSL_R_SSL_HANDSHAKE_FAILURE 229 +#define SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS 230 +#define SSL_R_SSL_SESSION_ID_IS_DIFFERENT 231 #define SSL_R_TLSV1_ALERT_ACCESS_DENIED 1049 #define SSL_R_TLSV1_ALERT_DECODE_ERROR 1050 #define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED 1021 @@ -1459,44 +1536,44 @@ void SSL_CTX_set_tmp_dh_callback(); #define SSL_R_TLSV1_ALERT_RECORD_OVERFLOW 1022 #define SSL_R_TLSV1_ALERT_UNKNOWN_CA 1048 #define SSL_R_TLSV1_ALERT_USER_CANCLED 1090 -#define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER 230 -#define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 231 -#define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 232 -#define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 233 -#define SSL_R_UNABLE_TO_DECODE_DH_CERTS 234 -#define SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY 235 -#define SSL_R_UNABLE_TO_FIND_DH_PARAMETERS 236 -#define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS 237 -#define SSL_R_UNABLE_TO_FIND_SSL_METHOD 238 -#define SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES 239 -#define SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES 240 -#define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES 241 -#define SSL_R_UNEXPECTED_MESSAGE 242 -#define SSL_R_UNEXPECTED_RECORD 243 -#define SSL_R_UNKNOWN_ALERT_TYPE 244 -#define SSL_R_UNKNOWN_CERTIFICATE_TYPE 245 -#define SSL_R_UNKNOWN_CIPHER_RETURNED 246 -#define SSL_R_UNKNOWN_CIPHER_TYPE 247 -#define SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE 248 -#define SSL_R_UNKNOWN_PKEY_TYPE 249 -#define SSL_R_UNKNOWN_PROTOCOL 250 -#define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE 251 -#define SSL_R_UNKNOWN_SSL_VERSION 252 -#define SSL_R_UNKNOWN_STATE 253 -#define SSL_R_UNSUPPORTED_CIPHER 254 -#define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 255 -#define SSL_R_UNSUPPORTED_PROTOCOL 256 -#define SSL_R_UNSUPPORTED_SSL_VERSION 257 -#define SSL_R_WRITE_BIO_NOT_SET 258 -#define SSL_R_WRONG_CIPHER_RETURNED 259 -#define SSL_R_WRONG_MESSAGE_TYPE 260 -#define SSL_R_WRONG_NUMBER_OF_KEY_BITS 261 -#define SSL_R_WRONG_SIGNATURE_LENGTH 262 -#define SSL_R_WRONG_SIGNATURE_SIZE 263 -#define SSL_R_WRONG_SSL_VERSION 264 -#define SSL_R_WRONG_VERSION_NUMBER 265 -#define SSL_R_X509_LIB 266 -#define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS 267 +#define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER 232 +#define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233 +#define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 234 +#define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 235 +#define SSL_R_UNABLE_TO_DECODE_DH_CERTS 236 +#define SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY 237 +#define SSL_R_UNABLE_TO_FIND_DH_PARAMETERS 238 +#define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS 239 +#define SSL_R_UNABLE_TO_FIND_SSL_METHOD 240 +#define SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES 241 +#define SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES 242 +#define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES 243 +#define SSL_R_UNEXPECTED_MESSAGE 244 +#define SSL_R_UNEXPECTED_RECORD 245 +#define SSL_R_UNKNOWN_ALERT_TYPE 246 +#define SSL_R_UNKNOWN_CERTIFICATE_TYPE 247 +#define SSL_R_UNKNOWN_CIPHER_RETURNED 248 +#define SSL_R_UNKNOWN_CIPHER_TYPE 249 +#define SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE 250 +#define SSL_R_UNKNOWN_PKEY_TYPE 251 +#define SSL_R_UNKNOWN_PROTOCOL 252 +#define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE 253 +#define SSL_R_UNKNOWN_SSL_VERSION 254 +#define SSL_R_UNKNOWN_STATE 255 +#define SSL_R_UNSUPPORTED_CIPHER 256 +#define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 257 +#define SSL_R_UNSUPPORTED_PROTOCOL 258 +#define SSL_R_UNSUPPORTED_SSL_VERSION 259 +#define SSL_R_WRITE_BIO_NOT_SET 260 +#define SSL_R_WRONG_CIPHER_RETURNED 261 +#define SSL_R_WRONG_MESSAGE_TYPE 262 +#define SSL_R_WRONG_NUMBER_OF_KEY_BITS 263 +#define SSL_R_WRONG_SIGNATURE_LENGTH 264 +#define SSL_R_WRONG_SIGNATURE_SIZE 265 +#define SSL_R_WRONG_SSL_VERSION 266 +#define SSL_R_WRONG_VERSION_NUMBER 267 +#define SSL_R_X509_LIB 268 +#define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS 269 #ifdef __cplusplus } diff --git a/ssl/ssl3.h b/ssl/ssl3.h index 7c5c94d7c9..cf8238c1eb 100644 --- a/ssl/ssl3.h +++ b/ssl/ssl3.h @@ -341,12 +341,13 @@ typedef struct ssl3_ctx_st EVP_CIPHER *new_sym_enc; EVP_MD *new_hash; #ifdef HEADER_COMP_H - COMP_METHOD *new_compression; + SSL_COMP *new_compression; #else char *new_compression; #endif int cert_request; } tmp; + } SSL3_CTX; /* SSLv3 */ diff --git a/ssl/ssl_algs.c b/ssl/ssl_algs.c index 92ec322dae..31809582bd 100644 --- a/ssl/ssl_algs.c +++ b/ssl/ssl_algs.c @@ -61,7 +61,7 @@ #include "lhash.h" #include "ssl_locl.h" -void SSLeay_add_ssl_algorithms() +int SSL_library_init() { #ifndef NO_DES EVP_add_cipher(EVP_des_cbc()); @@ -98,5 +98,6 @@ void SSLeay_add_ssl_algorithms() EVP_add_digest(EVP_sha()); EVP_add_digest(EVP_dss()); #endif + return(1); } diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index 87e384f8f7..30501cb700 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -58,6 +58,7 @@ #include #include "objects.h" +#include "comp.h" #include "ssl_locl.h" #define SSL_ENC_DES_IDX 0 @@ -73,6 +74,8 @@ static EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX]={ NULL,NULL,NULL,NULL,NULL,NULL, }; +static STACK /* SSL_COMP */ *ssl_comp_methods=NULL; + #define SSL_MD_MD5_IDX 0 #define SSL_MD_SHA1_IDX 1 #define SSL_MD_NUM_IDX 2 @@ -180,14 +183,41 @@ static void load_ciphers() EVP_get_digestbyname(SN_sha1); } -int ssl_cipher_get_evp(c,enc,md) -SSL_CIPHER *c; +int ssl_cipher_get_evp(s,enc,md,comp) +SSL_SESSION *s; EVP_CIPHER **enc; EVP_MD **md; +SSL_COMP **comp; { int i; + SSL_CIPHER *c; + c=s->cipher; if (c == NULL) return(0); + if (comp != NULL) + { + SSL_COMP ctmp; + + if (s->compress_meth == 0) + *comp=NULL; + else if (ssl_comp_methods == NULL) + { + /* bad */ + *comp=NULL; + } + else + { + + ctmp.id=s->compress_meth; + i=sk_find(ssl_comp_methods,(char *)&ctmp); + if (i >= 0) + *comp=(SSL_COMP *)sk_value(ssl_comp_methods,i); + else + *comp=NULL; + } + } + + if ((enc == NULL) || (md == NULL)) return(0); switch (c->algorithms & SSL_ENC_MASK) { @@ -730,10 +760,12 @@ int *alg_bits; int ret=0,a=0; EVP_CIPHER *enc; EVP_MD *md; + SSL_SESSION ss; if (c != NULL) { - if (!ssl_cipher_get_evp(c,&enc,&md)) + ss.cipher=c; + if (!ssl_cipher_get_evp(&ss,&enc,&md,NULL)) return(0); a=EVP_CIPHER_key_length(enc)*8; @@ -756,3 +788,55 @@ int *alg_bits; return(ret); } +SSL_COMP *ssl3_comp_find(sk,n) +STACK *sk; +int n; + { + SSL_COMP *ctmp; + int i,nn; + + if ((n == 0) || (sk == NULL)) return(NULL); + nn=sk_num(sk); + for (i=0; iid == n) + return(ctmp); + } + return(NULL); + } + +static int sk_comp_cmp(a,b) +SSL_COMP **a,**b; + { + return((*a)->id-(*b)->id); + } + +STACK *SSL_COMP_get_compression_methods() + { + return(ssl_comp_methods); + } + +int SSL_COMP_add_compression_method(id,cm) +int id; +COMP_METHOD *cm; + { + SSL_COMP *comp; + STACK *sk; + + comp=(SSL_COMP *)Malloc(sizeof(SSL_COMP)); + comp->id=id; + comp->method=cm; + if (ssl_comp_methods == NULL) + sk=ssl_comp_methods=sk_new(sk_comp_cmp); + else + sk=ssl_comp_methods; + if ((sk == NULL) || !sk_push(sk,(char *)comp)) + { + SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,ERR_R_MALLOC_FAILURE); + return(0); + } + else + return(1); + } + diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c index 847f0f3f8a..5f3d94d496 100644 --- a/ssl/ssl_err.c +++ b/ssl/ssl_err.c @@ -127,7 +127,10 @@ static ERR_STRING_DATA SSL_str_functs[]= {ERR_PACK(0,SSL_F_SSL_BYTES_TO_CIPHER_LIST,0), "SSL_BYTES_TO_CIPHER_LIST"}, {ERR_PACK(0,SSL_F_SSL_CERT_NEW,0), "SSL_CERT_NEW"}, {ERR_PACK(0,SSL_F_SSL_CHECK_PRIVATE_KEY,0), "SSL_check_private_key"}, +{ERR_PACK(0,SSL_F_SSL_CLEAR,0), "SSL_clear"}, +{ERR_PACK(0,SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,0), "SSL_COMP_add_compression_method"}, {ERR_PACK(0,SSL_F_SSL_CREATE_CIPHER_LIST,0), "SSL_CREATE_CIPHER_LIST"}, +{ERR_PACK(0,SSL_F_SSL_CTX_ADD_COMPRESSION,0), "SSL_CTX_ADD_COMPRESSION"}, {ERR_PACK(0,SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,0), "SSL_CTX_check_private_key"}, {ERR_PACK(0,SSL_F_SSL_CTX_NEW,0), "SSL_CTX_new"}, {ERR_PACK(0,SSL_F_SSL_CTX_SET_SSL_VERSION,0), "SSL_CTX_set_ssl_version"}, @@ -266,6 +269,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= {SSL_R_NO_CIPHER_MATCH ,"no cipher match"}, {SSL_R_NO_CLIENT_CERT_RECEIVED ,"no client cert received"}, {SSL_R_NO_COMPRESSION_SPECIFIED ,"no compression specified"}, +{SSL_R_NO_METHOD_SPECIFIED ,"no method specified"}, {SSL_R_NO_PRIVATEKEY ,"no privatekey"}, {SSL_R_NO_PRIVATE_KEY_ASSIGNED ,"no private key assigned"}, {SSL_R_NO_PROTOCOLS_AVAILABLE ,"no protocols available"}, @@ -298,6 +302,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= {SSL_R_REUSE_CIPHER_LIST_NOT_ZERO ,"reuse cipher list not zero"}, {SSL_R_SHORT_READ ,"short read"}, {SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE,"signature for non signing certificate"}, +{SSL_R_SSL23_DOING_SESSION_ID_REUSE ,"ssl23 doing session id reuse"}, {SSL_R_SSL3_SESSION_ID_TOO_SHORT ,"ssl3 session id too short"}, {SSL_R_SSLV3_ALERT_BAD_CERTIFICATE ,"sslv3 alert bad certificate"}, {SSL_R_SSLV3_ALERT_BAD_RECORD_MAC ,"sslv3 alert bad record mac"}, diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index c9a2285199..2019a400ff 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -77,30 +77,37 @@ SSL3_ENC_METHOD ssl3_undef_enc_method={ ssl_undefined_function, }; -void SSL_clear(s) +int SSL_clear(s) SSL *s; { int state; - if (s->method == NULL) return; + if (s->method == NULL) + { + SSLerr(SSL_F_SSL_CLEAR,SSL_R_NO_METHOD_SPECIFIED); + return(0); + } s->error=0; s->hit=0; + s->shutdown=0; +#if 0 /* This is set if we are doing dynamic renegotiation so keep * the old cipher. It is sort of a SSL_clear_lite :-) */ - if (s->new_session) return; + if (s->new_session) return(1); +#endif state=s->state; /* Keep to check if we throw away the session-id */ s->type=0; + s->state=SSL_ST_BEFORE|((s->server)?SSL_ST_ACCEPT:SSL_ST_CONNECT); + s->version=s->method->version; + s->client_version=s->version; s->rwstate=SSL_NOTHING; - s->state=SSL_ST_BEFORE; s->rstate=SSL_ST_READ_HEADER; - s->read_ahead=s->ctx->default_read_ahead; - -/* s->shutdown=(SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); */ + s->read_ahead=s->ctx->read_ahead; if (s->init_buf != NULL) { @@ -116,10 +123,22 @@ SSL *s; s->session=NULL; } - s->shutdown=(SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); s->first_packet=0; - s->method->ssl_clear(s); +#if 1 + /* Check to see if we were changed into a different method, if + * so, revert back if we are not doing session-id reuse. */ + if ((s->session == NULL) && (s->method != s->ctx->method)) + { + s->method->ssl_free(s); + s->method=s->ctx->method; + if (!s->method->ssl_new(s)) + return(0); + } + else +#endif + s->method->ssl_clear(s); + return(1); } /* Used to change an SSL_CTXs default SSL method type */ @@ -169,7 +188,7 @@ SSL_CTX *ctx; } else s->cert=NULL; - s->verify_mode=ctx->default_verify_mode; + s->verify_mode=ctx->verify_mode; s->verify_callback=ctx->default_verify_callback; CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX); s->ctx=ctx; @@ -187,6 +206,7 @@ SSL_CTX *ctx; s->quiet_shutdown=ctx->quiet_shutdown; s->references=1; + s->server=(ctx->method->ssl_accept == ssl_undefined_function)?0:1; s->options=ctx->options; SSL_clear(s); @@ -251,11 +271,6 @@ SSL *s; ssl_clear_cipher_ctx(s); - if (s->expand != NULL) - COMP_CTX_free(s->expand); - if (s->compress != NULL) - COMP_CTX_free(s->compress); - if (s->cert != NULL) ssl_cert_free(s->cert); /* Free up if allocated */ @@ -402,7 +417,7 @@ SSL *s; int SSL_CTX_get_verify_mode(ctx) SSL_CTX *ctx; { - return(ctx->default_verify_mode); + return(ctx->verify_mode); } int (*SSL_CTX_get_verify_callback(ctx))() @@ -623,7 +638,22 @@ int cmd; long larg; char *parg; { - return(s->method->ssl_ctrl(s,cmd,larg,parg)); + long l; + + switch (cmd) + { + case SSL_CTRL_GET_READ_AHEAD: + return(s->read_ahead); + case SSL_CTRL_SET_READ_AHEAD: + l=s->read_ahead; + s->read_ahead=larg; + return(l); + case SSL_CTRL_OPTIONS: + return(s->options|=larg); + default: + return(s->method->ssl_ctrl(s,cmd,larg,parg)); + } + return(0); } long SSL_CTX_ctrl(ctx,cmd,larg,parg) @@ -632,7 +662,60 @@ int cmd; long larg; char *parg; { - return(ctx->method->ssl_ctx_ctrl(ctx,cmd,larg,parg)); + long l; + + switch (cmd) + { + case SSL_CTRL_GET_READ_AHEAD: + return(ctx->read_ahead); + case SSL_CTRL_SET_READ_AHEAD: + l=ctx->read_ahead; + ctx->read_ahead=larg; + return(l); + + case SSL_CTRL_SET_SESS_CACHE_SIZE: + l=ctx->session_cache_size; + ctx->session_cache_size=larg; + return(l); + case SSL_CTRL_GET_SESS_CACHE_SIZE: + return(ctx->session_cache_size); + case SSL_CTRL_SET_SESS_CACHE_MODE: + l=ctx->session_cache_mode; + ctx->session_cache_mode=larg; + return(l); + case SSL_CTRL_GET_SESS_CACHE_MODE: + return(ctx->session_cache_mode); + + case SSL_CTRL_SESS_NUMBER: + return(ctx->sessions->num_items); + case SSL_CTRL_SESS_CONNECT: + return(ctx->stats.sess_connect); + case SSL_CTRL_SESS_CONNECT_GOOD: + return(ctx->stats.sess_connect_good); + case SSL_CTRL_SESS_CONNECT_RENEGOTIATE: + return(ctx->stats.sess_connect_renegotiate); + case SSL_CTRL_SESS_ACCEPT: + return(ctx->stats.sess_accept); + case SSL_CTRL_SESS_ACCEPT_GOOD: + return(ctx->stats.sess_accept_good); + case SSL_CTRL_SESS_ACCEPT_RENEGOTIATE: + return(ctx->stats.sess_accept_renegotiate); + case SSL_CTRL_SESS_HIT: + return(ctx->stats.sess_hit); + case SSL_CTRL_SESS_CB_HIT: + return(ctx->stats.sess_cb_hit); + case SSL_CTRL_SESS_MISSES: + return(ctx->stats.sess_miss); + case SSL_CTRL_SESS_TIMEOUTS: + return(ctx->stats.sess_timeout); + case SSL_CTRL_SESS_CACHE_FULL: + return(ctx->stats.sess_cache_full); + case SSL_CTRL_OPTIONS: + return(ctx->options|=larg); + default: + return(ctx->method->ssl_ctx_ctrl(ctx,cmd,larg,parg)); + } + return(0); } int ssl_cipher_id_cmp(a,b) @@ -903,17 +986,7 @@ SSL_METHOD *meth; ret->remove_session_cb=NULL; ret->get_session_cb=NULL; - ret->sess_connect=0; - ret->sess_connect_good=0; - ret->sess_accept=0; - ret->sess_accept_renegotiate=0; - ret->sess_connect_renegotiate=0; - ret->sess_accept_good=0; - ret->sess_miss=0; - ret->sess_timeout=0; - ret->sess_cache_full=0; - ret->sess_hit=0; - ret->sess_cb_hit=0; + memset((char *)&ret->stats,0,sizeof(ret->stats)); ret->references=1; ret->quiet_shutdown=0; @@ -929,8 +1002,8 @@ SSL_METHOD *meth; ret->app_verify_callback=NULL; ret->app_verify_arg=NULL; - ret->default_read_ahead=0; - ret->default_verify_mode=SSL_VERIFY_NONE; + ret->read_ahead=0; + ret->verify_mode=SSL_VERIFY_NONE; ret->default_verify_callback=NULL; if ((ret->default_cert=ssl_cert_new()) == NULL) goto err; @@ -974,6 +1047,7 @@ SSL_METHOD *meth; CRYPTO_new_ex_data(ssl_ctx_meth,(char *)ret,&ret->ex_data); ret->extra_certs=NULL; + ret->comp_methods=SSL_COMP_get_compression_methods(); return(ret); err: @@ -1021,6 +1095,8 @@ SSL_CTX *a; sk_pop_free(a->client_CA,X509_NAME_free); if (a->extra_certs != NULL) sk_pop_free(a->extra_certs,X509_free); + if (a->comp_methods != NULL) + sk_pop_free(a->comp_methods,free); Free((char *)a); } @@ -1049,7 +1125,7 @@ int (*cb)(int, X509_STORE_CTX *); int (*cb)(); #endif { - ctx->default_verify_mode=mode; + ctx->verify_mode=mode; ctx->default_verify_callback=cb; /* This needs cleaning up EAY EAY EAY */ X509_STORE_set_verify_cb_func(ctx->cert_store,cb); @@ -1246,8 +1322,8 @@ int mode; ((i & mode) == mode)) { if ( (((mode & SSL_SESS_CACHE_CLIENT) - ?s->ctx->sess_connect_good - :s->ctx->sess_accept_good) & 0xff) == 0xff) + ?s->ctx->stats.sess_connect_good + :s->ctx->stats.sess_accept_good) & 0xff) == 0xff) { SSL_CTX_flush_sessions(s->ctx,time(NULL)); } @@ -1294,12 +1370,20 @@ SSL *s; int i; { int reason; + unsigned long l; BIO *bio; if (i > 0) return(SSL_ERROR_NONE); - if (ERR_peek_error() != 0) - return(SSL_ERROR_SSL); + /* Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake + * etc, where we do encode the error */ + if ((l=ERR_peek_error()) != 0) + { + if (ERR_GET_LIB(l) == ERR_LIB_SYS) + return(SSL_ERROR_SYSCALL); + else + return(SSL_ERROR_SSL); + } if ((i < 0) && SSL_want_read(s)) { @@ -1381,6 +1465,7 @@ SSL *s; void SSL_set_accept_state(s) SSL *s; { + s->server=1; s->shutdown=0; s->state=SSL_ST_ACCEPT|SSL_ST_BEFORE; s->handshake_func=s->method->ssl_accept; @@ -1391,6 +1476,7 @@ SSL *s; void SSL_set_connect_state(s) SSL *s; { + s->server=0; s->shutdown=0; s->state=SSL_ST_CONNECT|SSL_ST_BEFORE; s->handshake_func=s->method->ssl_connect; @@ -1498,6 +1584,7 @@ SSL *s; ret->shutdown=s->shutdown; ret->state=s->state; ret->handshake_func=s->handshake_func; + ret->server=s->server; if (0) { @@ -1523,6 +1610,16 @@ SSL *s; Free(s->enc_write_ctx); s->enc_write_ctx=NULL; } + if (s->expand != NULL) + { + COMP_CTX_free(s->expand); + s->expand=NULL; + } + if (s->compress != NULL) + { + COMP_CTX_free(s->compress); + s->compress=NULL; + } } /* Fix this function so that it takes an optional type parameter */ @@ -1590,6 +1687,26 @@ int push; } return(1); } + +void ssl_free_wbio_buffer(s) +SSL *s; + { + BIO *under; + + if (s->bbio == NULL) return; + + if (s->bbio == s->wbio) + { + /* remove buffering */ + under=BIO_pop(s->wbio); + if (under != NULL) + s->wbio=under; + else + abort(); /* ok */ + } + BIO_free(s->bbio); + s->bbio=NULL; + } void SSL_CTX_set_quiet_shutdown(ctx,mode) SSL_CTX *ctx; @@ -1750,6 +1867,27 @@ SSL *s; return(1); } +X509_STORE *SSL_CTX_get_cert_store(ctx) +SSL_CTX *ctx; + { + return(ctx->cert_store); + } + +void SSL_CTX_set_cert_store(ctx,store) +SSL_CTX *ctx; +X509_STORE *store; + { + if (ctx->cert_store != NULL) + X509_STORE_free(ctx->cert_store); + ctx->cert_store=store; + } + +int SSL_want(s) +SSL *s; + { + return(s->rwstate); + } + void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,RSA *(*cb)(SSL *ssl,int export)) { SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_RSA_CB,0,(char *)cb); } diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index f2442544e3..1a907514d9 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -348,7 +348,8 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK *sk,unsigned char *p); STACK *ssl_create_cipher_list(SSL_METHOD *meth,STACK **pref, STACK **sorted,char *str); void ssl_update_cache(SSL *s, int mode); -int ssl_cipher_get_evp(SSL_CIPHER *c, EVP_CIPHER **enc, EVP_MD **md); +int ssl_cipher_get_evp(SSL_SESSION *s, EVP_CIPHER **enc, EVP_MD **md, + SSL_COMP **comp); int ssl_verify_cert_chain(SSL *s,STACK *sk); int ssl_undefined_function(SSL *s); X509 *ssl_get_server_send_cert(SSL *); @@ -442,6 +443,7 @@ long tls1_ctrl(SSL *s,int cmd, long larg, char *parg); SSL_METHOD *tlsv1_base_method(void ); int ssl_init_wbio_buffer(SSL *s, int push); +void ssl_free_wbio_buffer(SSL *s); int tls1_change_cipher_state(SSL *s, int which); int tls1_setup_key_block(SSL *s); @@ -456,6 +458,9 @@ int tls1_alert_code(int code); int ssl3_alert_code(int code); int ssl_ok(SSL *s); +SSL_COMP *ssl3_comp_find(STACK *sk, int n); +STACK *SSL_COMP_get_compression_methods(void); + #else @@ -562,10 +567,8 @@ int ssl23_read_bytes(); int ssl23_write_bytes(); int ssl_init_wbio_buffer(); +void ssl_free_wbio_buffer(); -#endif - -#endif int ssl3_cert_verify_mac(); int ssl3_alert_code(); int tls1_new(); @@ -582,3 +585,9 @@ int tls1_mac(); int tls1_generate_master_secret(); int tls1_alert_code(); int ssl_ok(); +SSL_COMP *ssl3_comp_find(); +STACK *SSL_COMP_get_compression_methods(); + +#endif + +#endif diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c index 745a8ec24f..43c51bc2b5 100644 --- a/ssl/ssl_rsa.c +++ b/ssl/ssl_rsa.c @@ -152,10 +152,10 @@ end: } #endif -int SSL_use_certificate_ASN1(ssl, len, d) +int SSL_use_certificate_ASN1(ssl, d,len) SSL *ssl; -int len; unsigned char *d; +int len; { X509 *x; int ret; diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index 95cd7fed8a..adaab3545f 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -123,6 +123,7 @@ SSL_SESSION *SSL_SESSION_new() ss->time=time(NULL); ss->prev=NULL; ss->next=NULL; + ss->compress_meth=0; CRYPTO_new_ex_data(ssl_session_meth,(char *)ss,&ss->ex_data); return(ss); } @@ -136,8 +137,10 @@ int session; if ((ss=SSL_SESSION_new()) == NULL) return(0); /* If the context has a default timeout, use it */ - if (s->ctx->session_timeout != 0) + if (s->ctx->session_timeout == 0) ss->timeout=SSL_get_default_timeout(s); + else + ss->timeout=s->ctx->session_timeout; if (s->session != NULL) { @@ -218,13 +221,13 @@ int len; { int copy=1; - s->ctx->sess_miss++; + s->ctx->stats.sess_miss++; ret=NULL; if ((s->ctx->get_session_cb != NULL) && ((ret=s->ctx->get_session_cb(s,session_id,len,©)) != NULL)) { - s->ctx->sess_cb_hit++; + s->ctx->stats.sess_cb_hit++; /* The following should not return 1, otherwise, * things are very strange */ @@ -260,14 +263,14 @@ int len; if ((long)(ret->time+ret->timeout) < (long)time(NULL)) /* timeout */ { - s->ctx->sess_timeout++; + s->ctx->stats.sess_timeout++; /* remove it from the cache */ SSL_CTX_remove_session(s->ctx,ret); SSL_SESSION_free(ret); /* again to actually Free it */ return(0); } - s->ctx->sess_hit++; + s->ctx->stats.sess_hit++; /* ret->time=time(NULL); */ /* rezero timeout? */ /* again, just leave the session @@ -318,7 +321,7 @@ SSL_SESSION *c; ctx->session_cache_tail)) break; else - ctx->sess_cache_full++; + ctx->stats.sess_cache_full++; } } } @@ -413,7 +416,10 @@ SSL_SESSION *session; { if (!SSL_set_ssl_method(s,meth)) return(0); - session->timeout=SSL_get_default_timeout(s); + if (s->ctx->session_timeout == 0) + session->timeout=SSL_get_default_timeout(s); + else + session->timeout=s->ctx->session_timeout; } /* CRYPTO_w_lock(CRYPTO_LOCK_SSL);*/ @@ -431,6 +437,14 @@ SSL_SESSION *session; SSL_SESSION_free(s->session); s->session=NULL; } + + meth=s->ctx->method; + if (meth != s->method) + { + if (!SSL_set_ssl_method(s,meth)) + return(0); + } + ret=1; } return(ret); } @@ -467,6 +481,24 @@ long t; return(t); } +long SSL_CTX_set_timeout(s,t) +SSL_CTX *s; +long t; + { + long l; + if (s == NULL) return(0); + l=s->session_timeout; + s->session_timeout=t; + return(l); + } + +long SSL_CTX_get_timeout(s) +SSL_CTX *s; + { + if (s == NULL) return(0); + return(s->session_timeout); + } + typedef struct timeout_param_st { SSL_CTX *ctx; @@ -499,7 +531,7 @@ long t; TIMEOUT_PARAM tp; tp.ctx=s; - tp.cache=SSL_CTX_sessions(s); + tp.cache=s->sessions; if (tp.cache == NULL) return; tp.time=t; CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); diff --git a/ssl/ssl_txt.c b/ssl/ssl_txt.c index ce60e1a6dd..e41b738f5c 100644 --- a/ssl/ssl_txt.c +++ b/ssl/ssl_txt.c @@ -133,6 +133,23 @@ SSL_SESSION *x; sprintf(str,"%02X",x->key_arg[i]); if (BIO_puts(bp,str) <= 0) goto err; } + if (x->compress_meth != 0) + { + SSL_COMP *comp; + + ssl_cipher_get_evp(x,NULL,NULL,&comp); + if (comp == NULL) + { + sprintf(str,"\n Compression: %d",x->compress_meth); + if (BIO_puts(bp,str) <= 0) goto err; + } + else + { + sprintf(str,"\n Compression: %d (%s)", + comp->id,comp->method->name); + if (BIO_puts(bp,str) <= 0) goto err; + } + } if (x->time != 0L) { sprintf(str,"\n Start Time: %ld",x->time); diff --git a/ssl/ssltest.c b/ssl/ssltest.c index ff686913d7..4662770e38 100644 --- a/ssl/ssltest.c +++ b/ssl/ssltest.c @@ -243,7 +243,7 @@ bad: /* if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */ - SSLeay_add_ssl_algorithms(); + SSL_library_init(); SSL_load_error_strings(); #if !defined(NO_SSL2) && !defined(NO_SSL3) diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index ac9da4da3a..f228295bba 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c @@ -57,6 +57,7 @@ */ #include +#include "comp.h" #include "evp.h" #include "hmac.h" #include "ssl_locl.h" @@ -175,7 +176,7 @@ int which; int client_write; EVP_CIPHER_CTX *dd; EVP_CIPHER *c; - COMP_METHOD *comp; + SSL_COMP *comp; EVP_MD *m; int exp,n,i,j,k,exp_label_len,cl; @@ -200,14 +201,15 @@ int which; } if (comp != NULL) { - s->expand=COMP_CTX_new(comp); + s->expand=COMP_CTX_new(comp->method); if (s->expand == NULL) { SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR); goto err2; } - s->s3->rrec.comp=(unsigned char *) - Malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH); + if (s->s3->rrec.comp == NULL) + s->s3->rrec.comp=(unsigned char *) + Malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH); if (s->s3->rrec.comp == NULL) goto err; } @@ -229,7 +231,7 @@ int which; } if (comp != NULL) { - s->compress=COMP_CTX_new(comp); + s->compress=COMP_CTX_new(comp->method); if (s->compress == NULL) { SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR); @@ -346,11 +348,12 @@ SSL *s; EVP_CIPHER *c; EVP_MD *hash; int num,exp; + SSL_COMP *comp; if (s->s3->tmp.key_block_length != 0) return(1); - if (!ssl_cipher_get_evp(s->session->cipher,&c,&hash)) + if (!ssl_cipher_get_evp(s->session,&c,&hash,&comp)) { SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILABLE); return(0); @@ -504,7 +507,7 @@ unsigned char *out; unsigned int ret; EVP_MD_CTX ctx; - memcpy(&ctx,in_ctx,sizeof(EVP_MD_CTX)); + EVP_MD_CTX_copy(&ctx,in_ctx); EVP_DigestFinal(&ctx,out,&ret); return((int)ret); } @@ -525,10 +528,10 @@ unsigned char *out; memcpy(q,str,slen); q+=slen; - memcpy(&ctx,in1_ctx,sizeof(EVP_MD_CTX)); + EVP_MD_CTX_copy(&ctx,in1_ctx); EVP_DigestFinal(&ctx,q,&i); q+=i; - memcpy(&ctx,in2_ctx,sizeof(EVP_MD_CTX)); + EVP_MD_CTX_copy(&ctx,in2_ctx); EVP_DigestFinal(&ctx,q,&i); q+=i; -- 2.25.1