Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/KEYS | 28 | ||||
-rw-r--r-- | ssl/f | 52 | ||||
-rw-r--r-- | ssl/f.mak | 0 | ||||
-rw-r--r-- | ssl/s23_clnt.c | 4 | ||||
-rw-r--r-- | ssl/s23_lib.c | 3 | ||||
-rw-r--r-- | ssl/s23_srvr.c | 20 | ||||
-rw-r--r-- | ssl/s2_clnt.c | 7 | ||||
-rw-r--r-- | ssl/s2_lib.c | 13 | ||||
-rw-r--r-- | ssl/s3_both.c | 24 | ||||
-rw-r--r-- | ssl/s3_clnt.c | 39 | ||||
-rw-r--r-- | ssl/s3_enc.c | 58 | ||||
-rw-r--r-- | ssl/s3_lib.c | 54 | ||||
-rw-r--r-- | ssl/s3_pkt.c | 48 | ||||
-rw-r--r-- | ssl/s3_srvr.c | 2 | ||||
-rw-r--r-- | ssl/ssl.err | 272 | ||||
-rw-r--r-- | ssl/ssl.h | 327 | ||||
-rw-r--r-- | ssl/ssl3.h | 14 | ||||
-rw-r--r-- | ssl/ssl_algs.c | 6 | ||||
-rw-r--r-- | ssl/ssl_cert.c | 25 | ||||
-rw-r--r-- | ssl/ssl_ciph.c | 2 | ||||
-rw-r--r-- | ssl/ssl_comp.c | 580 | ||||
-rw-r--r-- | ssl/ssl_err.c | 20 | ||||
-rw-r--r-- | ssl/ssl_lib.c | 40 | ||||
-rw-r--r-- | ssl/ssl_locl.h | 48 | ||||
-rw-r--r-- | ssl/ssl_rsa.c | 18 | ||||
-rw-r--r-- | ssl/ssl_sess.c | 2 | ||||
-rw-r--r-- | ssl/ssltest.c | 1 | ||||
-rw-r--r-- | ssl/t1_enc.c | 63 | ||||
-rw-r--r-- | ssl/t1_lib.c | 3 |
29 files changed, 1346 insertions, 427 deletions
diff --git a/ssl/KEYS b/ssl/KEYS
new file mode 100644
index 0000000000..710d102324
--- /dev/null
+++ b/ssl/KEYS
@@ -0,0 +1,28 @@
+EVP_PKEY_DSA
+EVP_PKEY_DSA2
+EVP_PKEY_DSA3
+EVP_PKEY_DSA4
+
+EVP_PKEY_RSA
+EVP_PKEY_RSA2
+
+valid DSA pkey types
+ NID_dsa
+ NID_dsaWithSHA
+ NID_dsaWithSHA1
+ NID_dsaWithSHA1_2
+
+valid RSA pkey types
+ NID_rsaEncryption
+ NID_rsa
+
+NID_dsaWithSHA NID_dsaWithSHA DSA SHA
+NID_dsa NID_dsaWithSHA1 DSA SHA1
+NID_md2 NID_md2WithRSAEncryption RSA-pkcs1 MD2
+NID_md5 NID_md5WithRSAEncryption RSA-pkcs1 MD5
+NID_mdc2 NID_mdc2WithRSA RSA-none MDC2
+NID_ripemd160 NID_ripemd160WithRSA RSA-pkcs1 RIPEMD160
+NID_sha NID_shaWithRSAEncryption RSA-pkcs1 SHA
+NID_sha1 NID_sha1WithRSAEncryption RSA-pkcs1 SHA1
+:w
+
@@ -1,40 +1,12 @@ -/* return the actual cipher being used */ -char *SSL_CIPHER_get_name(c) -SSL_CIPHER *c; - { - if (c != NULL) - return(c->name); - return("UNKNOWN"); - } - -/* number of bits for symetric cipher */ -int SSL_CIPHER_get_bits(c,alg_bits) -SSL_CIPHER *c; -int *alg_bits; - { - int ret=0,a=0; - EVP_CIPHER *enc; - - if (c != NULL) - { - if (!ssl_cipher_get_evp(c,&enc,NULL)) - return(0); - - a=EVP_CIPHER_key_length(enc)*8; - - if (s->session->cipher->algorithms & SSL_EXP) - { - if (c->algorithm2 & SSL2_CF_8_BYTE_ENC) - ret=64; - else - ret=40; - } - else - ret=a; - } - - if (alg_bits != NULL) *alg_bits=a; - - return(ret); - } - + * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_DECRYPTION_FAILED); + * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_RECORD_OVERFLOW + * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_UNKNOWN_CA); + * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_ACCESS_DENIED); + * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_DECODE_ERROR); + * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_DECRYPT_ERROR); + * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_EXPORT_RESTRICION); + * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_PROTOCOL_VERSION); + * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY); + * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_INTERNAL_ERROR); + * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_USER_CANCLED); + * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_NO_RENEGOTIATION); diff --git a/ssl/f.mak b/ssl/f.mak new file mode 100644 index 0000000000..e69de29bb2 --- /dev/null +++ b/ssl/f.mak diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c index a4661ebb68..597cc8772e 100644 --- a/ssl/s23_clnt.c +++ b/ssl/s23_clnt.c @@ -179,7 +179,7 @@ SSL *s; ret=ssl23_get_server_hello(s); if (ret >= 0) cb=NULL; goto end; - break; + /* break; */ default: SSLerr(SSL_F_SSL23_CONNECT,SSL_R_UNKNOWN_STATE); 
@@ -443,7 +443,7 @@ SSL *s; } s->rwstate=SSL_NOTHING; - SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,1000+p[6]); + SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_AD_REASON_OFFSET+p[6]); goto err; } else diff --git a/ssl/s23_lib.c b/ssl/s23_lib.c index e16f641101..1eb2b3a331 100644 --- a/ssl/s23_lib.c +++ b/ssl/s23_lib.c @@ -78,7 +78,7 @@ static int ssl23_put_cipher_by_char(); static SSL_CIPHER *ssl23_get_cipher_by_char(); #endif -char *SSL23_version_str="SSLv2/3 compatablity part of SSLeay 0.7.0 30-Jan-1997"; +char *SSL23_version_str="SSLv2/3 compatablity part of SSLeay 0.9.1a 06-Jul-1998"; static SSL_METHOD SSLv23_data= { TLS1_VERSION, @@ -92,6 +92,7 @@ static SSL_METHOD SSLv23_data= { ssl23_write, ssl_undefined_function, ssl_undefined_function, + ssl_ok, ssl3_ctrl, ssl3_ctx_ctrl, ssl23_get_cipher_by_char, diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c index c7b9ecbcf2..888ffaca06 100644 --- a/ssl/s23_srvr.c +++ b/ssl/s23_srvr.c @@ -166,7 +166,7 @@ SSL *s; ret=ssl23_get_client_hello(s); if (ret >= 0) cb=NULL; goto end; - break; + /* break; */ default: SSLerr(SSL_F_SSL23_ACCEPT,SSL_R_UNKNOWN_STATE); @@ -237,9 +237,15 @@ SSL *s; { s->state=SSL23_ST_SR_CLNT_HELLO_B; } + else if (!(s->options & SSL_OP_NO_SSLv2)) + { + type=1; + } } else if (!(s->options & SSL_OP_NO_SSLv3)) s->state=SSL23_ST_SR_CLNT_HELLO_B; + else if (!(s->options & SSL_OP_NO_SSLv2)) + type=1; if (s->options & SSL_OP_NON_EXPORT_FIRST) { 
@@ -313,15 +319,15 @@ SSL *s; else if (!(s->options & SSL_OP_NO_SSLv3)) type=3; } - else if ((strncmp("GET ", p,4) == 0) || - (strncmp("POST ",p,5) == 0) || - (strncmp("HEAD ",p,5) == 0) || - (strncmp("PUT ", p,4) == 0)) + else if ((strncmp("GET ", (char *)p,4) == 0) || + (strncmp("POST ",(char *)p,5) == 0) || + (strncmp("HEAD ",(char *)p,5) == 0) || + (strncmp("PUT ", (char *)p,4) == 0)) { SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_HTTP_REQUEST); goto err; } - else if (strncmp("CONNECT",p,7) == 0) + else if (strncmp("CONNECT",(char *)p,7) == 0) { SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_HTTPS_PROXY_REQUEST); goto err; @@ -387,7 +393,7 @@ next_bit: } s2n(j,dd); - /* compression */ + /* COMPRESSION */ *(d++)=1; *(d++)=0; diff --git a/ssl/s2_clnt.c b/ssl/s2_clnt.c index 16df9ec565..2170e29289 100644 --- a/ssl/s2_clnt.c +++ b/ssl/s2_clnt.c @@ -268,7 +268,7 @@ SSL *s; if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1); goto end; - break; + /* break; */ default: SSLerr(SSL_F_SSL2_CONNECT,SSL_R_UNKNOWN_STATE); return(-1); @@ -587,6 +587,11 @@ SSL *s; SSLerr(SSL_F_CLIENT_MASTER_KEY,SSL_R_PUBLIC_KEY_ENCRYPT_ERROR); return(-1); } +#ifdef PKCS1_CHECK + if (s->options & SSL_OP_PKCS1_CHECK_1) d[1]++; + if (s->options & SSL_OP_PKCS1_CHECK_2) + sess->master_key[clear]++; +#endif s2n(enc,p); d+=enc; karg=sess->key_arg_length; diff --git a/ssl/s2_lib.c b/ssl/s2_lib.c index 275eb52f13..172fc361cf 100644 --- a/ssl/s2_lib.c +++ b/ssl/s2_lib.c @@ -62,14 +62,12 @@ #include "ssl_locl.h" #ifndef NOPROTO -static int ssl2_ok(SSL *s); static long ssl2_default_timeout(void ); #else -static int ssl2_ok(); static long ssl2_default_timeout(); #endif -char *ssl2_version_str="SSLv2 part of SSLeay 0.9.0b 29-Jun-1998"; +char *ssl2_version_str="SSLv2 part of SSLeay 0.9.1a 06-Jul-1998"; #define SSL2_NUM_CIPHERS (sizeof(ssl2_ciphers)/sizeof(SSL_CIPHER)) 
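Review bot: Nothing at the `#ifdef PKCS1_CHECK` block added to ssl/s2_clnt.c (hunk `@@ -587,6 +587,11 @@`) marks it as test-only fault injection, although `d[1]++` and `sess->master_key[clear]++` deliberately corrupt the key-exchange data. The option bits that trigger it are defined unconditionally in ssl/ssl.h, so a build that defines PKCS1_CHECK will break handshakes for any application that sets either bit. Put a comment on the block such as `/* TEST ONLY: corrupts the key exchange to check the peer's handling of the PKCS#1 attack; never define PKCS1_CHECK in a release build */`. The same comment is missing on the PKCS1_CHECK block in the `@@ -1315,6 +1334,10 @@` hunk of ssl/s3_clnt.c. The enclosing function starts and ends outside the hunk.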
@@ -184,7 +182,8 @@ static SSL_METHOD SSLv2_data= { ssl2_peek, ssl2_write, ssl2_shutdown, - ssl2_ok, + ssl_ok, /* NULL - renegotiate */ + ssl_ok, /* NULL - check renegotiate */ ssl2_ctrl, /* local */ ssl2_ctx_ctrl, /* local */ ssl2_get_cipher_by_char, @@ -429,12 +428,6 @@ SSL *s; s->error=0; */ } -static int ssl2_ok(s) -SSL *s; - { - return(1); - } - int ssl2_shutdown(s) SSL *s; { diff --git a/ssl/s3_both.c b/ssl/s3_both.c index 6de62e1591..251bcedd7d 100644 --- a/ssl/s3_both.c +++ b/ssl/s3_both.c @@ -92,6 +92,13 @@ int slen; p+=i; l=i; +#ifdef WIN16 + /* MSVC 1.5 does not clear the top bytes of the word unless + * I do this. + */ + l&=0xffff; +#endif + *(d++)=SSL3_MT_FINISHED; l2n3(l,d); s->init_num=(int)l+4; @@ -236,6 +243,23 @@ X509 *x; X509_STORE_CTX_cleanup(&xs_ctx); } + /* Thwate special :-) */ + if (s->ctx->extra_certs != NULL) + for (i=0; i<sk_num(s->ctx->extra_certs); i++) + { + x=(X509 *)sk_value(s->ctx->extra_certs,i); + n=i2d_X509(x,NULL); + if (!BUF_MEM_grow(buf,(int)(n+l+3))) + { + SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_BUF_LIB); + return(0); + } + p=(unsigned char *)&(buf->data[l]); + l2n3(n,p); + i2d_X509(x,&p); + l+=n+3; + } + l-=7; p=(unsigned char *)&(buf->data[4]); l2n3(l,p); diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index 940c6a458f..d4ff1d99c8 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -430,7 +430,7 @@ SSL *s; if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1); goto end; - break; + /* break; */ default: SSLerr(SSL_F_SSL3_CONNECT,SSL_R_UNKNOWN_STATE); @@ -478,7 +478,8 @@ SSL *s; if (s->state == SSL3_ST_CW_CLNT_HELLO_A) { if ((s->session == NULL) || - (s->session->ssl_version != s->version)) + (s->session->ssl_version != s->version) || + (s->session->not_resumable)) { if (!ssl_get_new_session(s,0)) goto err; 
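Review bot: In the `extra_certs` loop added to ssl/s3_both.c (hunk `@@ -236,6 +243,23 @@`) the result of `n=i2d_X509(x,NULL)` is used unchecked in `BUF_MEM_grow(buf,(int)(n+l+3))`, in `l2n3(n,p)` and in `l+=n+3`. i2d_X509 signals an encoding failure with a non-positive value, which would make the computed size and the running length `l` wrong for the rest of the chain. Add a guard before the grow, e.g. `if (n <= 0) return(0);` after raising an error with SSLerr. The declaration of `n` is outside the hunk; if it is unsigned the test needs a signed temporary. The function starts and ends outside the hunk.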
@@ -488,7 +489,7 @@ SSL *s; p=s->s3->client_random; Time=time(NULL); /* Time */ l2n(Time,p); - RAND_bytes(&(p[4]),SSL3_RANDOM_SIZE-sizeof(Time)); + RAND_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time)); /* Do the message type and length last */ d=p= &(buf[4]); @@ -523,6 +524,7 @@ SSL *s; p+=i; /* hardwire in the NULL compression algorithm. */ + /* COMPRESSION */ *(p++)=1; *(p++)=0; @@ -643,6 +645,7 @@ SSL *s; s->s3->tmp.new_cipher=c; /* lets get the compression algorithm */ + /* COMPRESSION */ j= *(p++); if (j != 0) { @@ -771,7 +774,7 @@ SSL *s; pkey=X509_get_pubkey(x); - if (EVP_PKEY_missing_parameters(pkey)) + if ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey)) { x=NULL; al=SSL3_AL_FATAL; @@ -998,6 +1001,13 @@ SSL *s; goto f_err; } #endif + if (alg & SSL_aFZA) + { + al=SSL_AD_HANDSHAKE_FAILURE; + SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER); + goto f_err; + } + /* p points to the next byte, there are 'n' bytes left */ @@ -1014,7 +1024,7 @@ SSL *s; /* wrong packet length */ al=SSL_AD_DECODE_ERROR; SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_WRONG_SIGNATURE_LENGTH); - goto err; + goto f_err; } #ifndef NO_RSA @@ -1167,6 +1177,15 @@ SSL *s; /* get the CA RDNs */ n2s(p,llen); +#if 0 +{ +FILE *out; +out=fopen("/tmp/vsign.der","w"); +fwrite(p,1,llen,out); +fclose(out); +} +#endif + if ((llen+ctype_num+2+1) != n) { ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR); @@ -1286,7 +1305,7 @@ SSL *s; if (l & SSL_kRSA) { RSA *rsa; - unsigned char tmp_buf[48]; + unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; if (s->session->cert->rsa_tmp != NULL) rsa=s->session->cert->rsa_tmp; @@ -1315,6 +1334,10 @@ SSL *s; p+=2; n=RSA_public_encrypt(SSL_MAX_MASTER_KEY_LENGTH, tmp_buf,p,rsa,RSA_PKCS1_PADDING); +#ifdef PKCS1_CHECK + if (s->options & SSL_OP_PKCS1_CHECK_1) p[1]++; + if (s->options & SSL_OP_PKCS1_CHECK_2) tmp_buf[0]=0x70; +#endif if (n <= 0) { SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_ENCRYPT); 
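Review bot: The length in `RAND_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time))` still depends on the width of `Time`, while the `l2n(Time,p)` before it stores a four-byte timestamp (the commit's change from `&(p[4])` to `p` relies on l2n having advanced `p` past it). Where `Time` is wider than four bytes (its declaration is outside the hunk; an 8-byte long would do it), the tail of `client_random` is left unfilled and the client nonce carries less randomness than intended. Tie the length to what was written: `RAND_bytes(p,SSL3_RANDOM_SIZE-4);`.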
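Review bot: The `#if 0` block added before the `(llen+ctype_num+2+1) != n` check in ssl/s3_clnt.c (hunk `@@ -1167,6 +1177,15 @@`) is disabled debug code and should not be committed. If it were ever enabled it would `fwrite` `llen` bytes from `p` before `llen`, which was just read from the peer with `n2s`, has been validated against `n`. It also ignores the `fopen` result and writes to the fixed path `/tmp/vsign.der`. Delete the block, or keep it as a local patch outside the tree.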
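Review bot: The PKCS1_CHECK lines in ssl/s3_clnt.c (hunk `@@ -1315,6 +1334,10 @@`) sit between `RSA_public_encrypt(...)` and its `if (n <= 0)` test, so `p[1]++` modifies the output buffer even when encryption failed. In ssl/s2_clnt.c the matching hook is placed after the error return. Move `if (s->options & SSL_OP_PKCS1_CHECK_1) p[1]++;` and the `tmp_buf[0]=0x70;` line below the `n <= 0` block so both files behave the same way. The enclosing function starts and ends outside the hunk.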
@@ -1331,8 +1354,8 @@ SSL *s; s->session->master_key_length= s->method->ssl3_enc->generate_master_secret(s, s->session->master_key, - tmp_buf,48); - memset(tmp_buf,0,48); + tmp_buf,SSL_MAX_MASTER_KEY_LENGTH); + memset(tmp_buf,0,SSL_MAX_MASTER_KEY_LENGTH); } else #endif diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c index bbd9b637c5..116b096155 100644 --- a/ssl/s3_enc.c +++ b/ssl/s3_enc.c @@ -136,7 +136,7 @@ int which; unsigned char *ms,*key,*iv,*er1,*er2; EVP_CIPHER_CTX *dd; EVP_CIPHER *c; - SSL_COMPRESSION *comp; + COMP_METHOD *comp; EVP_MD *m; MD5_CTX md; int exp,n,i,j,k; @@ -155,7 +155,25 @@ int which; goto err; dd= s->enc_read_ctx; s->read_hash=m; - s->read_compression=comp; + /* COMPRESS */ + if (s->expand != NULL) + { + COMP_CTX_free(s->expand); + s->expand=NULL; + } + if (comp != NULL) + { + s->expand=COMP_CTX_new(comp); + if (s->expand == NULL) + { + SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR); + goto err2; + } + s->s3->rrec.comp=(unsigned char *) + Malloc(SSL3_RT_MAX_PLAIN_LENGTH); + if (s->s3->rrec.comp == NULL) + goto err; + } memset(&(s->s3->read_sequence[0]),0,8); mac_secret= &(s->s3->read_mac_secret[0]); } @@ -167,7 +185,21 @@ int which; goto err; dd= s->enc_write_ctx; s->write_hash=m; - s->write_compression=comp; + /* COMPRESS */ + if (s->compress != NULL) + { + COMP_CTX_free(s->compress); + s->compress=NULL; + } + if (comp != NULL) + { + s->compress=COMP_CTX_new(comp); + if (s->compress == NULL) + { + SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR); + goto err2; + } + } memset(&(s->s3->write_sequence[0]),0,8); mac_secret= &(s->s3->write_mac_secret[0]); } @@ -258,6 +290,11 @@ SSL *s; s->s3->tmp.new_sym_enc=c; s->s3->tmp.new_hash=hash; +#ifdef ZLIB + s->s3->tmp.new_compression=COMP_zlib(); +#endif +/* s->s3->tmp.new_compression=COMP_rle(); */ +/* s->session->compress_meth= xxxxx */ exp=(s->session->cipher->algorithms & SSL_EXPORT)?1:0; 
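Review bot: In the read branch added to ssl/s3_enc.c (hunk `@@ -155,7 +155,25 @@`), `s->s3->rrec.comp` receives a fresh `Malloc(SSL3_RT_MAX_PLAIN_LENGTH)` every time a compression method is present, without freeing or reusing a buffer left from an earlier cipher change. Each renegotiation would then leak one buffer of that size, so memory grows without bound on a long-lived connection that renegotiates. Allocate only when needed: `if (s->s3->rrec.comp == NULL) s->s3->rrec.comp=(unsigned char *)Malloc(SSL3_RT_MAX_PLAIN_LENGTH);`. The allocation failure uses `goto err` while the `COMP_CTX_new` failure just above uses `goto err2`; both labels are outside the hunk, so confirm which one is intended.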
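Review bot: `s->s3->tmp.new_compression=COMP_zlib();` under `#ifdef ZLIB` in ssl/s3_enc.c (hunk `@@ -258,6 +290,11 @@`) selects compression from a build flag rather than from what the handshake negotiated. The client hello in ssl/s3_clnt.c still hardwires the NULL compression method and the server-hello path tests `j != 0`, so in a ZLIB build records would apparently be compressed although the peer agreed to none. Until negotiation exists, leave `new_compression` unset, or mark the line with a comment such as `/* experimental: compression is not negotiated yet */`. The function body continues outside the hunk.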
@@ -302,35 +339,28 @@ int send; unsigned long l; int bs,i; EVP_CIPHER *enc; - SSL_COMPRESSION *comp; if (send) { ds=s->enc_write_ctx; rec= &(s->s3->wrec); if (s->enc_write_ctx == NULL) - { enc=NULL; comp=NULL; } + enc=NULL; else - { enc=EVP_CIPHER_CTX_cipher(s->enc_write_ctx); - comp=s->write_compression; - } } else { ds=s->enc_read_ctx; rec= &(s->s3->rrec); if (s->enc_read_ctx == NULL) - { enc=NULL; comp=NULL; } + enc=NULL; else - { enc=EVP_CIPHER_CTX_cipher(s->enc_read_ctx); - comp=s->read_compression; - } } if ((s->session == NULL) || (ds == NULL) || - ((enc == NULL) && (comp == NULL))) + (enc == NULL)) { memcpy(rec->data,rec->input,rec->length); rec->input=rec->data; @@ -340,6 +370,8 @@ int send; l=rec->length; bs=EVP_CIPHER_block_size(ds->cipher); + /* COMPRESS */ + /* This should be using (bs-1) and bs instead of 7 and 8 */ if ((bs != 1) && send) { diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 0fd945025d..41b1814070 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -60,7 +60,7 @@ #include "objects.h" #include "ssl_locl.h" -char *ssl3_version_str="SSLv3 part of SSLeay 0.9.0b 29-Jun-1998"; +char *ssl3_version_str="SSLv3 part of SSLeay 0.9.1a 06-Jul-1998"; #define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers)/sizeof(SSL_CIPHER)) @@ -384,6 +384,7 @@ static SSL_METHOD SSLv3_data= { ssl3_write, ssl3_shutdown, ssl3_renegotiate, + ssl3_renegotiate_check, ssl3_ctrl, ssl3_ctx_ctrl, ssl3_get_cipher_by_char, @@ -460,6 +461,8 @@ SSL *s; Free(s->s3->rbuf.buf); if (s->s3->wbuf.buf != NULL) Free(s->s3->wbuf.buf); + if (s->s3->rrec.comp != NULL) + Free(s->s3->rrec.comp); #ifndef NO_DH if (s->s3->tmp.dh != NULL) DH_free(s->s3->tmp.dh); @@ -486,6 +489,13 @@ SSL *s; memset(s->s3,0,sizeof(SSL3_CTX)); if (rp != NULL) s->s3->rbuf.buf=rp; if (wp != NULL) s->s3->wbuf.buf=wp; + + if (s->s3->rrec.comp != NULL) + { + Free(s->s3->rrec.comp); + s->s3->rrec.comp=NULL; + } + s->packet_length=0; s->s3->renegotiate=0; s->s3->total_renegotiations=0; 
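Review bot: The `rrec.comp` cleanup added to ssl/s3_lib.c (hunk `@@ -486,6 +489,13 @@`) runs after `memset(s->s3,0,sizeof(SSL3_CTX))`, so `s->s3->rrec.comp` is always NULL when it is tested, the `Free` never executes, and the buffer is leaked on every clear. The block `if (s->s3->rrec.comp != NULL) { Free(s->s3->rrec.comp); s->s3->rrec.comp=NULL; }` needs to move above the memset. The start of the function is outside the hunk, so its position relative to the `rp`/`wp` saves has to be checked there.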
@@ -519,6 +529,9 @@ char *parg; case SSL_CTRL_GET_TOTAL_RENEGOTIATIONS: ret=s->s3->total_renegotiations; break; + case SSL_CTRL_GET_FLAGS: + ret=s->s3->flags; + break; default: break; } @@ -546,7 +559,7 @@ char *parg; return(1); else return(0); - break; + /* break; */ case SSL_CTRL_SET_TMP_RSA: { RSA *rsa; @@ -574,7 +587,7 @@ char *parg; return(1); } } - break; + /* break; */ case SSL_CTRL_SET_TMP_RSA_CB: cert->rsa_tmp_cb=(RSA *(*)())parg; break; @@ -583,6 +596,7 @@ char *parg; case SSL_CTRL_SET_TMP_DH: { DH *new=NULL,*dh; + int rret=0; dh=(DH *)parg; if ( ((new=DHparams_dup(dh)) == NULL) || @@ -590,21 +604,31 @@ char *parg; { SSLerr(SSL_F_SSL3_CTX_CTRL,ERR_R_DH_LIB); if (new != NULL) DH_free(new); - return(0); } else { if (cert->dh_tmp != NULL) DH_free(cert->dh_tmp); cert->dh_tmp=new; - return(1); + rret=1; } + return(rret); } - break; + /*break; */ case SSL_CTRL_SET_TMP_DH_CB: cert->dh_tmp_cb=(DH *(*)())parg; break; #endif + /* A Thwate special :-) */ + case SSL_CTRL_EXTRA_CHAIN_CERT: + if (ctx->extra_certs == NULL) + { + if ((ctx->extra_certs=sk_new_null()) == NULL) + return(0); + } + sk_push(ctx->extra_certs,(char *)parg); + break; + default: return(0); } @@ -743,28 +767,30 @@ unsigned char *p; #ifndef NO_DH if (alg & (SSL_kDHr|SSL_kEDH)) { -#ifndef NO_RSA +# ifndef NO_RSA p[ret++]=SSL3_CT_RSA_FIXED_DH; -#endif -#ifndef NO_DSA +# endif +# ifndef NO_DSA p[ret++]=SSL3_CT_DSS_FIXED_DH; -#endif +# endif } if ((s->version == SSL3_VERSION) && (alg & (SSL_kEDH|SSL_kDHd|SSL_kDHr))) { -#ifndef NO_RSA +# ifndef NO_RSA p[ret++]=SSL3_CT_RSA_EPHEMERAL_DH; -#endif -#ifndef NO_DSA +# endif +# ifndef NO_DSA p[ret++]=SSL3_CT_DSS_EPHEMERAL_DH; -#endif +# endif } #endif /* !NO_DH */ #ifndef NO_RSA p[ret++]=SSL3_CT_RSA_SIGN; #endif +#ifndef NO_DSA p[ret++]=SSL3_CT_DSS_SIGN; +#endif return(ret); } diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c index 2385080347..444263b709 100644 --- a/ssl/s3_pkt.c +++ b/ssl/s3_pkt.c 
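Review bot: In the new `SSL_CTRL_EXTRA_CHAIN_CERT` case of ssl/s3_lib.c (hunk `@@ -590,21 +604,31 @@`) the return value of `sk_push(ctx->extra_certs,(char *)parg)` is ignored and `parg` is not checked for NULL. A failed push silently drops the certificate, and a NULL entry would later reach `i2d_X509` in the extra-certs loop added to ssl/s3_both.c. Use `if ((parg == NULL) || !sk_push(ctx->extra_certs,(char *)parg)) return(0);`. The stack stores the caller's pointer as is, so the case also needs a comment stating who owns the X509 afterwards; where `extra_certs` is freed is not visible in this hunk.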
@@ -79,6 +79,18 @@ * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED); * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN); * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER); + * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_DECRYPTION_FAILED); + * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_RECORD_OVERFLOW); + * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_UNKNOWN_CA); + * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_ACCESS_DENIED); + * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_DECODE_ERROR); + * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_DECRYPT_ERROR); + * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_EXPORT_RESTRICION); + * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_PROTOCOL_VERSION); + * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY); + * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_INTERNAL_ERROR); + * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_USER_CANCLED); + * SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_TLSV1_ALERT_NO_RENEGOTIATION); */ #ifndef NOPROTO @@ -213,7 +225,6 @@ int extend; static int ssl3_get_record(s) SSL *s; { - char tmp_buf[512]; int ssl_major,ssl_minor,al; int n,i,ret= -1; SSL3_BUFFER *rb; @@ -331,7 +342,6 @@ again: /* decrypt in place in 'rr->input' */ rr->data=rr->input; - memcpy(tmp_buf,rr->input,(rr->length > 512)?512:rr->length); if (!s->method->ssl3_enc->enc(s,0)) { @@ -340,7 +350,7 @@ again: } #ifdef TLS_DEBUG printf("dec %d\n",rr->length); -{ int z; for (z=0; z<rr->length; z++) printf("%02X%c",rr->data[z],((z+1)%16)?' ':'\n'); } +{ unsigned int z; for (z=0; z<rr->length; z++) printf("%02X%c",rr->data[z],((z+1)%16)?' ':'\n'); } printf("\n"); #endif /* r->length is now the compressed data plus mac */ @@ -378,7 +388,7 @@ printf("\n"); } /* r->length is now just compressed */ - if ((sess != NULL) && (sess->read_compression != NULL)) + if (s->expand != NULL) { if (rr->length > (unsigned int)SSL3_RT_MAX_COMPRESSED_LENGTH+extra) 
@@ -427,12 +437,37 @@ err: static int do_uncompress(ssl) SSL *ssl; { + int i; + SSL3_RECORD *rr; + + rr= &(ssl->s3->rrec); + i=COMP_expand_block(ssl->expand,rr->comp, + SSL3_RT_MAX_PLAIN_LENGTH,rr->data,(int)rr->length); + if (i < 0) + return(0); + else + rr->length=i; + rr->data=rr->comp; + return(1); } static int do_compress(ssl) SSL *ssl; { + int i; + SSL3_RECORD *wr; + + wr= &(ssl->s3->wrec); + i=COMP_compress_block(ssl->compress,wr->data, + SSL3_RT_MAX_COMPRESSED_LENGTH, + wr->input,(int)wr->length); + if (i < 0) + return(0); + else + wr->length=i; + + wr->input=wr->data; return(1); } @@ -552,7 +587,7 @@ unsigned int len; * wr->data */ /* first we compress */ - if ((sess != NULL) && (sess->write_compression != NULL)) + if (s->compress != NULL) { if (!do_compress(s)) { @@ -786,7 +821,8 @@ start: s->rwstate=SSL_NOTHING; s->s3->fatal_alert=n; - SSLerr(SSL_F_SSL3_READ_BYTES,1000+n); + SSLerr(SSL_F_SSL3_READ_BYTES, + SSL_AD_REASON_OFFSET+n); sprintf(tmp,"%d",n); ERR_add_error_data(2,"SSL alert number ",tmp); s->shutdown|=SSL_RECEIVED_SHUTDOWN; diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index 64903af151..743f8ea235 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -1259,7 +1259,7 @@ SSL *s; i=RSA_private_decrypt((int)n,p,p,rsa,RSA_PKCS1_PADDING); #if 1 - /* If a bad decrypt, use a dud master key */ + /* If a bad decrypt, use a random master key */ if ((i != SSL_MAX_MASTER_KEY_LENGTH) || ((p[0] != (s->version>>8)) || (p[1] != (s->version & 0xff)))) diff --git a/ssl/ssl.err b/ssl/ssl.err index c54326c624..10ca9c5342 100644 --- a/ssl/ssl.err +++ b/ssl/ssl.err 
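Review bot: `do_uncompress` in ssl/s3_pkt.c (hunk `@@ -427,12 +437,37 @@`) lets `COMP_expand_block` write up to `SSL3_RT_MAX_PLAIN_LENGTH` bytes into `rr->comp` without checking that the buffer exists. In the ssl/s3_enc.c hunk `rr->comp` is allocated only after `s->expand` has been set, so an allocation failure there can leave `s->expand` non-NULL with no buffer; add `if (rr->comp == NULL) return(0);` before the call. In `do_compress` the output bound `SSL3_RT_MAX_COMPRESSED_LENGTH` is applied to `wr->data`, whose allocated size is not visible here and should be confirmed to be at least that large. The layout `else rr->length=i; rr->data=rr->comp;` also reads as if both statements belonged to the `else`; braces would make the intent clear.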
@@ -105,11 +105,12 @@ #define SSL_F_SSL_USE_RSAPRIVATEKEY 201 #define SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1 202 #define SSL_F_SSL_USE_RSAPRIVATEKEY_FILE 203 -#define SSL_F_SSL_WRITE 204 -#define SSL_F_TLS1_CHANGE_CIPHER_STATE 205 -#define SSL_F_TLS1_ENC 206 -#define SSL_F_TLS1_SETUP_KEY_BLOCK 207 -#define SSL_F_WRITE_PENDING 208 +#define SSL_F_SSL_VERIFY_CERT_CHAIN 204 +#define SSL_F_SSL_WRITE 205 +#define SSL_F_TLS1_CHANGE_CIPHER_STATE 206 +#define SSL_F_TLS1_ENC 207 +#define SSL_F_TLS1_SETUP_KEY_BLOCK 208 +#define SSL_F_WRITE_PENDING 209 /* Reason codes. */ #define SSL_R_APP_DATA_IN_HANDSHAKE 100 
@@ -154,83 +155,85 @@ #define SSL_R_CIPHER_TABLE_SRC_ERROR 139 #define SSL_R_COMPRESSED_LENGTH_TOO_LONG 140 #define SSL_R_COMPRESSION_FAILURE 141 -#define SSL_R_CONNECTION_ID_IS_DIFFERENT 142 -#define SSL_R_CONNECTION_TYPE_NOT_SET 143 -#define SSL_R_DATA_BETWEEN_CCS_AND_FINISHED 144 -#define SSL_R_DATA_LENGTH_TOO_LONG 145 -#define SSL_R_DECRYPTION_FAILED 146 -#define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG 147 -#define SSL_R_DIGEST_CHECK_FAILED 148 -#define SSL_R_ENCRYPTED_LENGTH_TOO_LONG 149 -#define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST 150 -#define SSL_R_EXCESSIVE_MESSAGE_SIZE 151 -#define SSL_R_EXTRA_DATA_IN_MESSAGE 152 -#define SSL_R_GOT_A_FIN_BEFORE_A_CCS 153 -#define SSL_R_HTTPS_PROXY_REQUEST 154 -#define SSL_R_HTTP_REQUEST 155 -#define SSL_R_INTERNAL_ERROR 156 -#define SSL_R_INVALID_CHALLENGE_LENGTH 157 -#define SSL_R_LENGTH_MISMATCH 158 -#define SSL_R_LENGTH_TOO_SHORT 159 -#define SSL_R_LIBRARY_HAS_NO_CIPHERS 160 -#define SSL_R_MISSING_DH_DSA_CERT 161 -#define SSL_R_MISSING_DH_KEY 162 -#define SSL_R_MISSING_DH_RSA_CERT 163 -#define SSL_R_MISSING_DSA_SIGNING_CERT 164 -#define SSL_R_MISSING_EXPORT_TMP_DH_KEY 165 -#define SSL_R_MISSING_EXPORT_TMP_RSA_KEY 166 -#define SSL_R_MISSING_RSA_CERTIFICATE 167 -#define SSL_R_MISSING_RSA_ENCRYPTING_CERT 168 -#define SSL_R_MISSING_RSA_SIGNING_CERT 169 -#define SSL_R_MISSING_TMP_DH_KEY 170 -#define SSL_R_MISSING_TMP_RSA_KEY 171 -#define SSL_R_MISSING_TMP_RSA_PKEY 172 -#define SSL_R_MISSING_VERIFY_MESSAGE 173 -#define SSL_R_NON_SSLV2_INITIAL_PACKET 174 -#define SSL_R_NO_CERTIFICATES_RETURNED 175 -#define SSL_R_NO_CERTIFICATE_ASSIGNED 176 -#define SSL_R_NO_CERTIFICATE_RETURNED 177 -#define SSL_R_NO_CERTIFICATE_SET 178 -#define SSL_R_NO_CERTIFICATE_SPECIFIED 179 -#define SSL_R_NO_CIPHERS_AVAILABLE 180 -#define SSL_R_NO_CIPHERS_PASSED 181 -#define SSL_R_NO_CIPHERS_SPECIFIED 182 -#define SSL_R_NO_CIPHER_LIST 183 -#define SSL_R_NO_CIPHER_MATCH 184 -#define SSL_R_NO_CLIENT_CERT_RECEIVED 185 -#define SSL_R_NO_COMPRESSION_SPECIFIED 
186 -#define SSL_R_NO_PRIVATEKEY 187 -#define SSL_R_NO_PRIVATE_KEY_ASSIGNED 188 -#define SSL_R_NO_PROTOCOLS_AVAILABLE 189 -#define SSL_R_NO_PUBLICKEY 190 -#define SSL_R_NO_SHARED_CIPHER 191 -#define SSL_R_NULL_SSL_CTX 192 -#define SSL_R_NULL_SSL_METHOD_PASSED 193 -#define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 194 -#define SSL_R_PACKET_LENGTH_TOO_LONG 195 -#define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE 196 -#define SSL_R_PEER_ERROR 197 -#define SSL_R_PEER_ERROR_CERTIFICATE 198 -#define SSL_R_PEER_ERROR_NO_CERTIFICATE 199 -#define SSL_R_PEER_ERROR_NO_CIPHER 200 -#define SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 201 -#define SSL_R_PRE_MAC_LENGTH_TOO_LONG 202 -#define SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS 203 -#define SSL_R_PROTOCOL_IS_SHUTDOWN 204 -#define SSL_R_PUBLIC_KEY_ENCRYPT_ERROR 205 -#define SSL_R_PUBLIC_KEY_IS_NOT_RSA 206 -#define SSL_R_PUBLIC_KEY_NOT_RSA 207 -#define SSL_R_READ_BIO_NOT_SET 208 -#define SSL_R_READ_WRONG_PACKET_TYPE 209 -#define SSL_R_RECORD_LENGTH_MISMATCH 210 -#define SSL_R_RECORD_TOO_LARGE 211 -#define SSL_R_REQUIRED_CIPHER_MISSING 212 -#define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO 213 -#define SSL_R_REUSE_CERT_TYPE_NOT_ZERO 214 -#define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO 215 -#define SSL_R_SHORT_READ 216 -#define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 217 -#define SSL_R_SSL3_SESSION_ID_TOO_SHORT 218 +#define SSL_R_COMPRESSION_LIBRARY_ERROR 142 +#define SSL_R_CONNECTION_ID_IS_DIFFERENT 143 +#define SSL_R_CONNECTION_TYPE_NOT_SET 144 +#define SSL_R_DATA_BETWEEN_CCS_AND_FINISHED 145 +#define SSL_R_DATA_LENGTH_TOO_LONG 146 +#define SSL_R_DECRYPTION_FAILED 147 +#define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG 148 +#define SSL_R_DIGEST_CHECK_FAILED 149 +#define SSL_R_ENCRYPTED_LENGTH_TOO_LONG 150 +#define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST 151 +#define SSL_R_EXCESSIVE_MESSAGE_SIZE 152 +#define SSL_R_EXTRA_DATA_IN_MESSAGE 153 +#define SSL_R_GOT_A_FIN_BEFORE_A_CCS 154 +#define SSL_R_HTTPS_PROXY_REQUEST 155 +#define SSL_R_HTTP_REQUEST 156 
+#define SSL_R_INTERNAL_ERROR 157 +#define SSL_R_INVALID_CHALLENGE_LENGTH 158 +#define SSL_R_LENGTH_MISMATCH 159 +#define SSL_R_LENGTH_TOO_SHORT 160 +#define SSL_R_LIBRARY_HAS_NO_CIPHERS 161 +#define SSL_R_MISSING_DH_DSA_CERT 162 +#define SSL_R_MISSING_DH_KEY 163 +#define SSL_R_MISSING_DH_RSA_CERT 164 +#define SSL_R_MISSING_DSA_SIGNING_CERT 165 +#define SSL_R_MISSING_EXPORT_TMP_DH_KEY 166 +#define SSL_R_MISSING_EXPORT_TMP_RSA_KEY 167 +#define SSL_R_MISSING_RSA_CERTIFICATE 168 +#define SSL_R_MISSING_RSA_ENCRYPTING_CERT 169 +#define SSL_R_MISSING_RSA_SIGNING_CERT 170 +#define SSL_R_MISSING_TMP_DH_KEY 171 +#define SSL_R_MISSING_TMP_RSA_KEY 172 +#define SSL_R_MISSING_TMP_RSA_PKEY 173 +#define SSL_R_MISSING_VERIFY_MESSAGE 174 +#define SSL_R_NON_SSLV2_INITIAL_PACKET 175 +#define SSL_R_NO_CERTIFICATES_RETURNED 176 +#define SSL_R_NO_CERTIFICATE_ASSIGNED 177 +#define SSL_R_NO_CERTIFICATE_RETURNED 178 +#define SSL_R_NO_CERTIFICATE_SET 179 +#define SSL_R_NO_CERTIFICATE_SPECIFIED 180 +#define SSL_R_NO_CIPHERS_AVAILABLE 181 +#define SSL_R_NO_CIPHERS_PASSED 182 +#define SSL_R_NO_CIPHERS_SPECIFIED 183 +#define SSL_R_NO_CIPHER_LIST 184 +#define SSL_R_NO_CIPHER_MATCH 185 +#define SSL_R_NO_CLIENT_CERT_RECEIVED 186 +#define SSL_R_NO_COMPRESSION_SPECIFIED 187 +#define SSL_R_NO_PRIVATEKEY 188 +#define SSL_R_NO_PRIVATE_KEY_ASSIGNED 189 +#define SSL_R_NO_PROTOCOLS_AVAILABLE 190 +#define SSL_R_NO_PUBLICKEY 191 +#define SSL_R_NO_SHARED_CIPHER 192 +#define SSL_R_NO_VERIFY_CALLBACK 193 +#define SSL_R_NULL_SSL_CTX 194 +#define SSL_R_NULL_SSL_METHOD_PASSED 195 +#define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 196 +#define SSL_R_PACKET_LENGTH_TOO_LONG 197 +#define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE 198 +#define SSL_R_PEER_ERROR 199 +#define SSL_R_PEER_ERROR_CERTIFICATE 200 +#define SSL_R_PEER_ERROR_NO_CERTIFICATE 201 +#define SSL_R_PEER_ERROR_NO_CIPHER 202 +#define SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 203 +#define SSL_R_PRE_MAC_LENGTH_TOO_LONG 204 +#define 
SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS 205 +#define SSL_R_PROTOCOL_IS_SHUTDOWN 206 +#define SSL_R_PUBLIC_KEY_ENCRYPT_ERROR 207 +#define SSL_R_PUBLIC_KEY_IS_NOT_RSA 208 +#define SSL_R_PUBLIC_KEY_NOT_RSA 209 +#define SSL_R_READ_BIO_NOT_SET 210 +#define SSL_R_READ_WRONG_PACKET_TYPE 211 +#define SSL_R_RECORD_LENGTH_MISMATCH 212 +#define SSL_R_RECORD_TOO_LARGE 213 +#define SSL_R_REQUIRED_CIPHER_MISSING 214 +#define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO 215 +#define SSL_R_REUSE_CERT_TYPE_NOT_ZERO 216 +#define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO 217 +#define SSL_R_SHORT_READ 218 +#define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 219 +#define SSL_R_SSL3_SESSION_ID_TOO_SHORT 220 #define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE 1042 #define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC 1020 #define SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED 1045 
@@ -240,51 +243,64 @@ #define SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE 1040 #define SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER 1047 #define SSL_R_SSLV3_ALERT_NO_CERTIFICATE 1041 -#define SSL_R_SSLV3_ALERT_PEER_ERROR_CERTIFICATE 219 -#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CERTIFICATE 220 -#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CIPHER 221 -#define SSL_R_SSLV3_ALERT_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 222 +#define SSL_R_SSLV3_ALERT_PEER_ERROR_CERTIFICATE 221 +#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CERTIFICATE 222 +#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CIPHER 223 +#define SSL_R_SSLV3_ALERT_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 224 #define SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE 1010 -#define SSL_R_SSLV3_ALERT_UNKNOWN_REMOTE_ERROR_TYPE 223 +#define SSL_R_SSLV3_ALERT_UNKNOWN_REMOTE_ERROR_TYPE 225 #define SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE 1043 -#define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION 224 -#define SSL_R_SSL_HANDSHAKE_FAILURE 225 -#define SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS 226 -#define SSL_R_SSL_SESSION_ID_IS_DIFFERENT 227 -#define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER 228 -#define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 229 -#define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 230 -#define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 231 -#define SSL_R_UNABLE_TO_DECODE_DH_CERTS 232 -#define SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY 233 -#define SSL_R_UNABLE_TO_FIND_DH_PARAMETERS 234 -#define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS 235 -#define SSL_R_UNABLE_TO_FIND_SSL_METHOD 236 -#define SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES 237 -#define SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES 238 -#define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES 239 -#define SSL_R_UNEXPECTED_MESSAGE 240 -#define SSL_R_UNEXPECTED_RECORD 241 -#define SSL_R_UNKNOWN_ALERT_TYPE 242 -#define SSL_R_UNKNOWN_CERTIFICATE_TYPE 243 -#define SSL_R_UNKNOWN_CIPHER_RETURNED 244 -#define SSL_R_UNKNOWN_CIPHER_TYPE 245 -#define SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE 246 -#define SSL_R_UNKNOWN_PKEY_TYPE 247 
-#define SSL_R_UNKNOWN_PROTOCOL 248 -#define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE 249 -#define SSL_R_UNKNOWN_SSL_VERSION 250 -#define SSL_R_UNKNOWN_STATE 251 -#define SSL_R_UNSUPPORTED_CIPHER 252 -#define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 253 -#define SSL_R_UNSUPPORTED_PROTOCOL 254 -#define SSL_R_UNSUPPORTED_SSL_VERSION 255 -#define SSL_R_WRITE_BIO_NOT_SET 256 -#define SSL_R_WRONG_CIPHER_RETURNED 257 -#define SSL_R_WRONG_MESSAGE_TYPE 258 -#define SSL_R_WRONG_NUMBER_OF_KEY_BITS 259 -#define SSL_R_WRONG_SIGNATURE_LENGTH 260 -#define SSL_R_WRONG_SIGNATURE_SIZE 261 -#define SSL_R_WRONG_SSL_VERSION 262 -#define SSL_R_WRONG_VERSION_NUMBER 263 -#define SSL_R_X509_LIB 264 +#define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION 226 +#define SSL_R_SSL_HANDSHAKE_FAILURE 227 +#define SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS 228 +#define SSL_R_SSL_SESSION_ID_IS_DIFFERENT 229 +#define SSL_R_TLSV1_ALERT_ACCESS_DENIED 1049 +#define SSL_R_TLSV1_ALERT_DECODE_ERROR 1050 +#define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED 1021 +#define SSL_R_TLSV1_ALERT_DECRYPT_ERROR 1051 +#define SSL_R_TLSV1_ALERT_EXPORT_RESTRICION 1060 +#define SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY 1071 +#define SSL_R_TLSV1_ALERT_INTERNAL_ERROR 1080 +#define SSL_R_TLSV1_ALERT_NO_RENEGOTIATION 1100 +#define SSL_R_TLSV1_ALERT_PROTOCOL_VERSION 1070 +#define SSL_R_TLSV1_ALERT_RECORD_OVERFLOW 1022 +#define SSL_R_TLSV1_ALERT_UNKNOWN_CA 1048 +#define SSL_R_TLSV1_ALERT_USER_CANCLED 1090 +#define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER 230 +#define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 231 +#define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 232 +#define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 233 +#define SSL_R_UNABLE_TO_DECODE_DH_CERTS 234 +#define SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY 235 +#define SSL_R_UNABLE_TO_FIND_DH_PARAMETERS 236 +#define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS 237 +#define SSL_R_UNABLE_TO_FIND_SSL_METHOD 238 +#define SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES 239 +#define 
SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES 240 +#define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES 241 +#define SSL_R_UNEXPECTED_MESSAGE 242 +#define SSL_R_UNEXPECTED_RECORD 243 +#define SSL_R_UNKNOWN_ALERT_TYPE 244 +#define SSL_R_UNKNOWN_CERTIFICATE_TYPE 245 +#define SSL_R_UNKNOWN_CIPHER_RETURNED 246 +#define SSL_R_UNKNOWN_CIPHER_TYPE 247 +#define SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE 248 +#define SSL_R_UNKNOWN_PKEY_TYPE 249 +#define SSL_R_UNKNOWN_PROTOCOL 250 +#define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE 251 +#define SSL_R_UNKNOWN_SSL_VERSION 252 +#define SSL_R_UNKNOWN_STATE 253 +#define SSL_R_UNSUPPORTED_CIPHER 254 +#define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 255 +#define SSL_R_UNSUPPORTED_PROTOCOL 256 +#define SSL_R_UNSUPPORTED_SSL_VERSION 257 +#define SSL_R_WRITE_BIO_NOT_SET 258 +#define SSL_R_WRONG_CIPHER_RETURNED 259 +#define SSL_R_WRONG_MESSAGE_TYPE 260 +#define SSL_R_WRONG_NUMBER_OF_KEY_BITS 261 +#define SSL_R_WRONG_SIGNATURE_LENGTH 262 +#define SSL_R_WRONG_SIGNATURE_SIZE 263 +#define SSL_R_WRONG_SSL_VERSION 264 +#define SSL_R_WRONG_VERSION_NUMBER 265 +#define SSL_R_X509_LIB 266 +#define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS 267 @@ -124,6 +124,7 @@ extern "C" { #define SSL_TXT_EXPORT "EXPORT" #define SSL_TXT_SSLV2 "SSLv2" #define SSL_TXT_SSLV3 "SSLv3" +#define SSL_TXT_TLSV1 "TLSv1" #define SSL_TXT_ALL "ALL" /* 'DEFAULT' at the start of the cipher list insert the following string @@ -178,6 +179,7 @@ typedef struct ssl_method_st int (*ssl_write)(); int (*ssl_shutdown)(); int (*ssl_renegotiate)(); + int (*ssl_renegotiate_check)(); long (*ssl_ctrl)(); long (*ssl_ctx_ctrl)(); SSL_CIPHER *(*get_cipher_by_char)(); @@ -190,11 +192,6 @@ typedef struct ssl_method_st struct ssl3_enc_method *ssl3_enc; /* Extra SSLv3/TLS stuff */ } SSL_METHOD; -typedef struct ssl_compression_st - { - char *stuff; - } SSL_COMPRESSION; - /* Lets make this into an ASN.1 type structure as follows * SSL_SESSION_ID ::= SEQUENCE { * version INTEGER, -- structure version number 
@@ -206,6 +203,7 @@ typedef struct ssl_compression_st * Time [ 1 ] EXPLICIT INTEGER, -- optional Start Time * Timeout [ 2 ] EXPLICIT INTEGER, -- optional Timeout ins seconds * Peer [ 3 ] EXPLICIT X509, -- optional Peer Certificate + * Compression [4] IMPLICIT ASN1_OBJECT -- compression OID XXXXX * } * Look in ssl/ssl_asn1.c for more details * I'm using EXPLICIT tags so I can read the damn things using asn1parse :-). @@ -237,8 +235,11 @@ typedef struct ssl_session_st long timeout; long time; - SSL_COMPRESSION *read_compression; - SSL_COMPRESSION *write_compression; +#ifdef HEADER_COMP_H + COMP_CTX *compress_meth; +#else + char *compress_meth; +#endif SSL_CIPHER *cipher; unsigned long cipher_id; /* when ASN.1 loaded, this @@ -262,13 +263,17 @@ typedef struct ssl_session_st #define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x00000080L #define SSL_OP_TLS_D5_BUG 0x00000100L -#define SSL_OP_TLS_BLOCK_PADDING_BUG 0x00000200L +#define SSL_OP_TLS_BLOCK_PADDING_BUG 0x00000200L /* If set, only use tmp_dh parameters once */ #define SSL_OP_SINGLE_DH_USE 0x00100000L /* Set to also use the tmp_rsa key when doing RSA operations. */ #define SSL_OP_EPHEMERAL_RSA 0x00200000L +/* The next flag deliberatly changes the ciphertest, this is a check + * for the PKCS#1 attack */ +#define SSL_OP_PKCS1_CHECK_1 0x08000000L +#define SSL_OP_PKCS1_CHECK_2 0x10000000L #define SSL_OP_NETSCAPE_CA_DN_BUG 0x20000000L #define SSL_OP_NON_EXPORT_FIRST 0x40000000L #define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x80000000L @@ -385,6 +390,8 @@ typedef struct ssl_ctx_st EVP_MD *rsa_md5;/* For SSLv2 - name is 'ssl2-md5' */ EVP_MD *md5; /* For SSLv3/TLSv1 'ssl3-md5' */ EVP_MD *sha1; /* For SSLv3/TLSv1 'ssl3->sha1' */ + + STACK *extra_certs; } SSL_CTX; #define SSL_SESS_CACHE_OFF 0x0000 
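Review bot: `compress_meth` in the @@ -237 hunk is a `COMP_CTX *` when `HEADER_COMP_H` is defined and a `char *` otherwise, so the type of a session field depends on include order. A translation unit that includes ssl.h without the compression header sees an untyped pointer, and the compiler can no longer catch a wrong assignment to it. The same pattern is added for `expand` and `compress` in the @@ -512 hunk and for `new_compression` in ssl3.h. A comment would record the contract, for example `/* typed as COMP_CTX * only if the header defining HEADER_COMP_H is included before ssl.h */`; the struct continues outside the hunk.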
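Review bot: `SSL_OP_PKCS1_CHECK_1` and `SSL_OP_PKCS1_CHECK_2` in the @@ -262 hunk are documented only as flags that deliberately change the "ciphertest" (presumably "ciphertext"), which does not tell an application author that they should never be enabled on a production connection. They sit in the same option word as the interoperability workarounds, so they are easy to switch on by accident with a broad mask; how the flags are consumed is not visible in this hunk. I would reword the comment to `/* Test only: the next two flags deliberately alter the ciphertext to check how a peer handles the PKCS#1 attack; do not set them in production */`, which also fixes the "deliberatly" typo.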
@@ -512,11 +519,19 @@ typedef struct ssl_st EVP_CIPHER_CTX *enc_read_ctx; /* cryptographic state */ EVP_MD *read_hash; /* used for mac generation */ - SSL_COMPRESSION *read_compression; /* compression */ +#ifdef HEADER_COMP_H + COMP_CTX *expand; /* uncompress */ +#else + char *expand; +#endif EVP_CIPHER_CTX *enc_write_ctx; /* cryptographic state */ EVP_MD *write_hash; /* used for mac generation */ - SSL_COMPRESSION *write_compression; /* compression */ +#ifdef HEADER_COMP_H + COMP_CTX *compress; /* compression */ +#else + char *compress; +#endif /* session info */ @@ -660,6 +675,7 @@ typedef struct ssl_st PEM_STRING_SSL_SESSION,bp, (char *)x, NULL,NULL,0,NULL) #endif +#define SSL_AD_REASON_OFFSET 1000 /* These alert types are for SSLv3 and TLSv1 */ #define SSL_AD_CLOSE_NOTIFY SSL3_AD_CLOSE_NOTIFY #define SSL_AD_UNEXPECTED_MESSAGE SSL3_AD_UNEXPECTED_MESSAGE /* fatal */ @@ -706,6 +722,9 @@ typedef struct ssl_st #define SSL_CTRL_GET_NUM_RENEGOTIATIONS 8 #define SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS 9 #define SSL_CTRL_GET_TOTAL_RENEGOTIATIONS 10 +#define SSL_CTRL_GET_FLAGS 11 + +#define SSL_CTRL_EXTRA_CHAIN_CERT 11 #define SSL_session_reused(ssl) \ SSL_ctrl((ssl),SSL_CTRL_GET_SESSION_REUSED,0,NULL) @@ -724,14 +743,17 @@ typedef struct ssl_st SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_DH,0,(char *)dh) /* For the next 2, the callbacks are - * RSA *tmp_rsa_cb(int export) - * DH *tmp_dh_cb(int export) + * RSA *tmp_rsa_cb(SSL *ssl,int export) + * DH *tmp_dh_cb(SSL *ssl,int export) */ #define SSL_CTX_set_tmp_rsa_callback(ctx,cb) \ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_RSA_CB,0,(char *)cb) #define SSL_CTX_set_tmp_dh_callback(ctx,dh) \ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_DH_CB,0,(char *)dh) +#define SSL_CTX_add_extra_chain_cert(ctx,x509) \ + SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)x509) + #ifndef NOPROTO #ifdef HEADER_BIO_H 
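Review bot: `SSL_CTRL_GET_FLAGS` and `SSL_CTRL_EXTRA_CHAIN_CERT` are both defined as 11 in the @@ -706 hunk. The macro added in the next hunk sends `SSL_CTRL_EXTRA_CHAIN_CERT` through `SSL_CTX_ctrl()`, but where `SSL_CTRL_GET_FLAGS` is handled is not visible here, so I cannot tell whether the two can meet in one switch. If they can, one command silently runs the other's handler, and the new command should get an unused value. If the overlap is deliberate, say so next to the define, e.g. `/* SSL_CTX_ctrl() only; shares its value with SSL_CTRL_GET_FLAGS */`.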
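Review bot: The comment change in the @@ -724 hunk documents a new callback signature, `tmp_rsa_cb(SSL *ssl,int export)`, but `SSL_CTX_set_tmp_rsa_callback` and `SSL_CTX_set_tmp_dh_callback` still pass the callback as `(char *)`, so a callback written for the old one-argument form compiles without a warning. Such a callback would presumably read the `SSL` pointer where it expects the `export` flag and could pick the wrong key size; the call site is outside this hunk, so that is inferred. The comment should state the incompatibility, e.g. `* NOTE: the SSL * argument is new; callbacks declared as cb(int export) must be updated`.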
@@ -944,6 +966,8 @@ char *SSL_CTX_get_ex_data(SSL_CTX *ssl,int idx); int SSL_CTX_get_ex_new_index(long argl, char *argp, int (*new_func)(), int (*dup_func)(), void (*free_func)()); +int SSL_get_ex_data_X509_STORE_CTX_idx(void ); + #else BIO_METHOD *BIO_f_ssl(); @@ -1120,6 +1144,7 @@ X509 *SSL_get_certificate(); #ifdef this_is_for_mk1mf_pl EVP *SSL_get_privatekey(); +#endif void SSL_CTX_set_quiet_shutdown(); int SSL_CTX_get_quiet_shutdown(); @@ -1133,7 +1158,7 @@ int SSL_CTX_load_verify_locations(); SSL_SESSION *SSL_get_session(); SSL_CTX *SSL_get_SSL_CTX(); void SSL_set_info_callback(); -int (*SSL_get_info_callback())(); +void (*SSL_get_info_callback())(); int SSL_state(); void SSL_set_verify_result(); long SSL_get_verify_result(); @@ -1150,7 +1175,9 @@ int SSL_CTX_set_ex_data(); char *SSL_CTX_get_ex_data(); int SSL_CTX_get_ex_new_index(); -#endif +int SSL_get_ex_data_X509_STORE_CTX_idx(); + +/* #endif */ #endif @@ -1262,11 +1289,12 @@ int SSL_CTX_get_ex_new_index(); #define SSL_F_SSL_USE_RSAPRIVATEKEY 201 #define SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1 202 #define SSL_F_SSL_USE_RSAPRIVATEKEY_FILE 203 -#define SSL_F_SSL_WRITE 204 -#define SSL_F_TLS1_CHANGE_CIPHER_STATE 205 -#define SSL_F_TLS1_ENC 206 -#define SSL_F_TLS1_SETUP_KEY_BLOCK 207 -#define SSL_F_WRITE_PENDING 208 +#define SSL_F_SSL_VERIFY_CERT_CHAIN 204 +#define SSL_F_SSL_WRITE 205 +#define SSL_F_TLS1_CHANGE_CIPHER_STATE 206 +#define SSL_F_TLS1_ENC 207 +#define SSL_F_TLS1_SETUP_KEY_BLOCK 208 +#define SSL_F_WRITE_PENDING 209 /* Reason codes. */ #define SSL_R_APP_DATA_IN_HANDSHAKE 100 
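Review bot: Inserting `SSL_F_SSL_VERIFY_CERT_CHAIN` at 204 in the @@ -1262 hunk shifts `SSL_F_SSL_WRITE` and every later function code by one, and the reason-code hunks at @@ -1311 and @@ -1397 shift most `SSL_R_*` values by one or two in the same way. These are public header constants, so code built against the old header and run against the new library would map a code to the wrong condition, for example when it branches on `SSL_R_NO_SHARED_CIPHER`. Appending new codes after the current highest value keeps the existing ones stable: `#define SSL_F_SSL_VERIFY_CERT_CHAIN 209`. If the numbering comes from a generator script, the same point applies to the script.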
@@ -1311,83 +1339,85 @@ int SSL_CTX_get_ex_new_index();
 #define SSL_R_CIPHER_TABLE_SRC_ERROR 139
 #define SSL_R_COMPRESSED_LENGTH_TOO_LONG 140
 #define SSL_R_COMPRESSION_FAILURE 141
-#define SSL_R_CONNECTION_ID_IS_DIFFERENT 142
-#define SSL_R_CONNECTION_TYPE_NOT_SET 143
-#define SSL_R_DATA_BETWEEN_CCS_AND_FINISHED 144
-#define SSL_R_DATA_LENGTH_TOO_LONG 145
-#define SSL_R_DECRYPTION_FAILED 146
-#define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG 147
-#define SSL_R_DIGEST_CHECK_FAILED 148
-#define SSL_R_ENCRYPTED_LENGTH_TOO_LONG 149
-#define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST 150
-#define SSL_R_EXCESSIVE_MESSAGE_SIZE 151
-#define SSL_R_EXTRA_DATA_IN_MESSAGE 152
-#define SSL_R_GOT_A_FIN_BEFORE_A_CCS 153
-#define SSL_R_HTTPS_PROXY_REQUEST 154
-#define SSL_R_HTTP_REQUEST 155
-#define SSL_R_INTERNAL_ERROR 156
-#define SSL_R_INVALID_CHALLENGE_LENGTH 157
-#define SSL_R_LENGTH_MISMATCH 158
-#define SSL_R_LENGTH_TOO_SHORT 159
-#define SSL_R_LIBRARY_HAS_NO_CIPHERS 160
-#define SSL_R_MISSING_DH_DSA_CERT 161
-#define SSL_R_MISSING_DH_KEY 162
-#define SSL_R_MISSING_DH_RSA_CERT 163
-#define SSL_R_MISSING_DSA_SIGNING_CERT 164
-#define SSL_R_MISSING_EXPORT_TMP_DH_KEY 165
-#define SSL_R_MISSING_EXPORT_TMP_RSA_KEY 166
-#define SSL_R_MISSING_RSA_CERTIFICATE 167
-#define SSL_R_MISSING_RSA_ENCRYPTING_CERT 168
-#define SSL_R_MISSING_RSA_SIGNING_CERT 169
-#define SSL_R_MISSING_TMP_DH_KEY 170
-#define SSL_R_MISSING_TMP_RSA_KEY 171
-#define SSL_R_MISSING_TMP_RSA_PKEY 172
-#define SSL_R_MISSING_VERIFY_MESSAGE 173
-#define SSL_R_NON_SSLV2_INITIAL_PACKET 174
-#define SSL_R_NO_CERTIFICATES_RETURNED 175
-#define SSL_R_NO_CERTIFICATE_ASSIGNED 176
-#define SSL_R_NO_CERTIFICATE_RETURNED 177
-#define SSL_R_NO_CERTIFICATE_SET 178
-#define SSL_R_NO_CERTIFICATE_SPECIFIED 179
-#define SSL_R_NO_CIPHERS_AVAILABLE 180
-#define SSL_R_NO_CIPHERS_PASSED 181
-#define SSL_R_NO_CIPHERS_SPECIFIED 182
-#define SSL_R_NO_CIPHER_LIST 183
-#define SSL_R_NO_CIPHER_MATCH 184
-#define SSL_R_NO_CLIENT_CERT_RECEIVED 185
-#define SSL_R_NO_COMPRESSION_SPECIFIED 186
-#define SSL_R_NO_PRIVATEKEY 187
-#define SSL_R_NO_PRIVATE_KEY_ASSIGNED 188
-#define SSL_R_NO_PROTOCOLS_AVAILABLE 189
-#define SSL_R_NO_PUBLICKEY 190
-#define SSL_R_NO_SHARED_CIPHER 191
-#define SSL_R_NULL_SSL_CTX 192
-#define SSL_R_NULL_SSL_METHOD_PASSED 193
-#define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 194
-#define SSL_R_PACKET_LENGTH_TOO_LONG 195
-#define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE 196
-#define SSL_R_PEER_ERROR 197
-#define SSL_R_PEER_ERROR_CERTIFICATE 198
-#define SSL_R_PEER_ERROR_NO_CERTIFICATE 199
-#define SSL_R_PEER_ERROR_NO_CIPHER 200
-#define SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 201
-#define SSL_R_PRE_MAC_LENGTH_TOO_LONG 202
-#define SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS 203
-#define SSL_R_PROTOCOL_IS_SHUTDOWN 204
-#define SSL_R_PUBLIC_KEY_ENCRYPT_ERROR 205
-#define SSL_R_PUBLIC_KEY_IS_NOT_RSA 206
-#define SSL_R_PUBLIC_KEY_NOT_RSA 207
-#define SSL_R_READ_BIO_NOT_SET 208
-#define SSL_R_READ_WRONG_PACKET_TYPE 209
-#define SSL_R_RECORD_LENGTH_MISMATCH 210
-#define SSL_R_RECORD_TOO_LARGE 211
-#define SSL_R_REQUIRED_CIPHER_MISSING 212
-#define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO 213
-#define SSL_R_REUSE_CERT_TYPE_NOT_ZERO 214
-#define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO 215
-#define SSL_R_SHORT_READ 216
-#define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 217
-#define SSL_R_SSL3_SESSION_ID_TOO_SHORT 218
+#define SSL_R_COMPRESSION_LIBRARY_ERROR 142
+#define SSL_R_CONNECTION_ID_IS_DIFFERENT 143
+#define SSL_R_CONNECTION_TYPE_NOT_SET 144
+#define SSL_R_DATA_BETWEEN_CCS_AND_FINISHED 145
+#define SSL_R_DATA_LENGTH_TOO_LONG 146
+#define SSL_R_DECRYPTION_FAILED 147
+#define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG 148
+#define SSL_R_DIGEST_CHECK_FAILED 149
+#define SSL_R_ENCRYPTED_LENGTH_TOO_LONG 150
+#define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST 151
+#define SSL_R_EXCESSIVE_MESSAGE_SIZE 152
+#define SSL_R_EXTRA_DATA_IN_MESSAGE 153
+#define SSL_R_GOT_A_FIN_BEFORE_A_CCS 154
+#define SSL_R_HTTPS_PROXY_REQUEST 155
+#define SSL_R_HTTP_REQUEST 156
+#define SSL_R_INTERNAL_ERROR 157
+#define SSL_R_INVALID_CHALLENGE_LENGTH 158
+#define SSL_R_LENGTH_MISMATCH 159
+#define SSL_R_LENGTH_TOO_SHORT 160
+#define SSL_R_LIBRARY_HAS_NO_CIPHERS 161
+#define SSL_R_MISSING_DH_DSA_CERT 162
+#define SSL_R_MISSING_DH_KEY 163
+#define SSL_R_MISSING_DH_RSA_CERT 164
+#define SSL_R_MISSING_DSA_SIGNING_CERT 165
+#define SSL_R_MISSING_EXPORT_TMP_DH_KEY 166
+#define SSL_R_MISSING_EXPORT_TMP_RSA_KEY 167
+#define SSL_R_MISSING_RSA_CERTIFICATE 168
+#define SSL_R_MISSING_RSA_ENCRYPTING_CERT 169
+#define SSL_R_MISSING_RSA_SIGNING_CERT 170
+#define SSL_R_MISSING_TMP_DH_KEY 171
+#define SSL_R_MISSING_TMP_RSA_KEY 172
+#define SSL_R_MISSING_TMP_RSA_PKEY 173
+#define SSL_R_MISSING_VERIFY_MESSAGE 174
+#define SSL_R_NON_SSLV2_INITIAL_PACKET 175
+#define SSL_R_NO_CERTIFICATES_RETURNED 176
+#define SSL_R_NO_CERTIFICATE_ASSIGNED 177
+#define SSL_R_NO_CERTIFICATE_RETURNED 178
+#define SSL_R_NO_CERTIFICATE_SET 179
+#define SSL_R_NO_CERTIFICATE_SPECIFIED 180
+#define SSL_R_NO_CIPHERS_AVAILABLE 181
+#define SSL_R_NO_CIPHERS_PASSED 182
+#define SSL_R_NO_CIPHERS_SPECIFIED 183
+#define SSL_R_NO_CIPHER_LIST 184
+#define SSL_R_NO_CIPHER_MATCH 185
+#define SSL_R_NO_CLIENT_CERT_RECEIVED 186
+#define SSL_R_NO_COMPRESSION_SPECIFIED 187
+#define SSL_R_NO_PRIVATEKEY 188
+#define SSL_R_NO_PRIVATE_KEY_ASSIGNED 189
+#define SSL_R_NO_PROTOCOLS_AVAILABLE 190
+#define SSL_R_NO_PUBLICKEY 191
+#define SSL_R_NO_SHARED_CIPHER 192
+#define SSL_R_NO_VERIFY_CALLBACK 193
+#define SSL_R_NULL_SSL_CTX 194
+#define SSL_R_NULL_SSL_METHOD_PASSED 195
+#define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 196
+#define SSL_R_PACKET_LENGTH_TOO_LONG 197
+#define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE 198
+#define SSL_R_PEER_ERROR 199
+#define SSL_R_PEER_ERROR_CERTIFICATE 200
+#define SSL_R_PEER_ERROR_NO_CERTIFICATE 201
+#define SSL_R_PEER_ERROR_NO_CIPHER 202
+#define SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 203
+#define SSL_R_PRE_MAC_LENGTH_TOO_LONG 204
+#define SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS 205
+#define SSL_R_PROTOCOL_IS_SHUTDOWN 206
+#define SSL_R_PUBLIC_KEY_ENCRYPT_ERROR 207
+#define SSL_R_PUBLIC_KEY_IS_NOT_RSA 208
+#define SSL_R_PUBLIC_KEY_NOT_RSA 209
+#define SSL_R_READ_BIO_NOT_SET 210
+#define SSL_R_READ_WRONG_PACKET_TYPE 211
+#define SSL_R_RECORD_LENGTH_MISMATCH 212
+#define SSL_R_RECORD_TOO_LARGE 213
+#define SSL_R_REQUIRED_CIPHER_MISSING 214
+#define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO 215
+#define SSL_R_REUSE_CERT_TYPE_NOT_ZERO 216
+#define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO 217
+#define SSL_R_SHORT_READ 218
+#define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 219
+#define SSL_R_SSL3_SESSION_ID_TOO_SHORT 220
 #define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE 1042
 #define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC 1020
 #define SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED 1045
@@ -1397,54 +1427,67 @@ int SSL_CTX_get_ex_new_index(); #define SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE 1040 #define SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER 1047 #define SSL_R_SSLV3_ALERT_NO_CERTIFICATE 1041 -#define SSL_R_SSLV3_ALERT_PEER_ERROR_CERTIFICATE 219 -#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CERTIFICATE 220 -#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CIPHER 221 -#define SSL_R_SSLV3_ALERT_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 222 +#define SSL_R_SSLV3_ALERT_PEER_ERROR_CERTIFICATE 221 +#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CERTIFICATE 222 +#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CIPHER 223 +#define SSL_R_SSLV3_ALERT_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 224 #define SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE 1010 -#define SSL_R_SSLV3_ALERT_UNKNOWN_REMOTE_ERROR_TYPE 223 +#define SSL_R_SSLV3_ALERT_UNKNOWN_REMOTE_ERROR_TYPE 225 #define SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE 1043 -#define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION 224 -#define SSL_R_SSL_HANDSHAKE_FAILURE 225 -#define SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS 226 -#define SSL_R_SSL_SESSION_ID_IS_DIFFERENT 227 -#define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER 228 -#define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 229 -#define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 230 -#define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 231 -#define SSL_R_UNABLE_TO_DECODE_DH_CERTS 232 -#define SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY 233 -#define SSL_R_UNABLE_TO_FIND_DH_PARAMETERS 234 -#define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS 235 -#define SSL_R_UNABLE_TO_FIND_SSL_METHOD 236 -#define SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES 237 -#define SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES 238 -#define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES 239 -#define SSL_R_UNEXPECTED_MESSAGE 240 -#define SSL_R_UNEXPECTED_RECORD 241 -#define SSL_R_UNKNOWN_ALERT_TYPE 242 -#define SSL_R_UNKNOWN_CERTIFICATE_TYPE 243 -#define SSL_R_UNKNOWN_CIPHER_RETURNED 244 -#define SSL_R_UNKNOWN_CIPHER_TYPE 245 -#define SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE 246 -#define 
SSL_R_UNKNOWN_PKEY_TYPE 247 -#define SSL_R_UNKNOWN_PROTOCOL 248 -#define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE 249 -#define SSL_R_UNKNOWN_SSL_VERSION 250 -#define SSL_R_UNKNOWN_STATE 251 -#define SSL_R_UNSUPPORTED_CIPHER 252 -#define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 253 -#define SSL_R_UNSUPPORTED_PROTOCOL 254 -#define SSL_R_UNSUPPORTED_SSL_VERSION 255 -#define SSL_R_WRITE_BIO_NOT_SET 256 -#define SSL_R_WRONG_CIPHER_RETURNED 257 -#define SSL_R_WRONG_MESSAGE_TYPE 258 -#define SSL_R_WRONG_NUMBER_OF_KEY_BITS 259 -#define SSL_R_WRONG_SIGNATURE_LENGTH 260 -#define SSL_R_WRONG_SIGNATURE_SIZE 261 -#define SSL_R_WRONG_SSL_VERSION 262 -#define SSL_R_WRONG_VERSION_NUMBER 263 -#define SSL_R_X509_LIB 264 +#define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION 226 +#define SSL_R_SSL_HANDSHAKE_FAILURE 227 +#define SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS 228 +#define SSL_R_SSL_SESSION_ID_IS_DIFFERENT 229 +#define SSL_R_TLSV1_ALERT_ACCESS_DENIED 1049 +#define SSL_R_TLSV1_ALERT_DECODE_ERROR 1050 +#define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED 1021 +#define SSL_R_TLSV1_ALERT_DECRYPT_ERROR 1051 +#define SSL_R_TLSV1_ALERT_EXPORT_RESTRICION 1060 +#define SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY 1071 +#define SSL_R_TLSV1_ALERT_INTERNAL_ERROR 1080 +#define SSL_R_TLSV1_ALERT_NO_RENEGOTIATION 1100 +#define SSL_R_TLSV1_ALERT_PROTOCOL_VERSION 1070 +#define SSL_R_TLSV1_ALERT_RECORD_OVERFLOW 1022 +#define SSL_R_TLSV1_ALERT_UNKNOWN_CA 1048 +#define SSL_R_TLSV1_ALERT_USER_CANCLED 1090 +#define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER 230 +#define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 231 +#define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 232 +#define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 233 +#define SSL_R_UNABLE_TO_DECODE_DH_CERTS 234 +#define SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY 235 +#define SSL_R_UNABLE_TO_FIND_DH_PARAMETERS 236 +#define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS 237 +#define SSL_R_UNABLE_TO_FIND_SSL_METHOD 238 +#define SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES 239 +#define 
SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES 240 +#define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES 241 +#define SSL_R_UNEXPECTED_MESSAGE 242 +#define SSL_R_UNEXPECTED_RECORD 243 +#define SSL_R_UNKNOWN_ALERT_TYPE 244 +#define SSL_R_UNKNOWN_CERTIFICATE_TYPE 245 +#define SSL_R_UNKNOWN_CIPHER_RETURNED 246 +#define SSL_R_UNKNOWN_CIPHER_TYPE 247 +#define SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE 248 +#define SSL_R_UNKNOWN_PKEY_TYPE 249 +#define SSL_R_UNKNOWN_PROTOCOL 250 +#define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE 251 +#define SSL_R_UNKNOWN_SSL_VERSION 252 +#define SSL_R_UNKNOWN_STATE 253 +#define SSL_R_UNSUPPORTED_CIPHER 254 +#define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 255 +#define SSL_R_UNSUPPORTED_PROTOCOL 256 +#define SSL_R_UNSUPPORTED_SSL_VERSION 257 +#define SSL_R_WRITE_BIO_NOT_SET 258 +#define SSL_R_WRONG_CIPHER_RETURNED 259 +#define SSL_R_WRONG_MESSAGE_TYPE 260 +#define SSL_R_WRONG_NUMBER_OF_KEY_BITS 261 +#define SSL_R_WRONG_SIGNATURE_LENGTH 262 +#define SSL_R_WRONG_SIGNATURE_SIZE 263 +#define SSL_R_WRONG_SSL_VERSION 264 +#define SSL_R_WRONG_VERSION_NUMBER 265 +#define SSL_R_X509_LIB 266 +#define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS 267 #ifdef __cplusplus } diff --git a/ssl/ssl3.h b/ssl/ssl3.h index 95772eef60..7c5c94d7c9 100644 --- a/ssl/ssl3.h +++ b/ssl/ssl3.h @@ -208,7 +208,7 @@ typedef struct ssl3_record_st /*r */ unsigned int off; /* read/write offset into 'buf' */ /*rw*/ unsigned char *data; /* pointer to the record data */ /*rw*/ unsigned char *input; /* where the decode bytes are */ -/*rw*/ unsigned char *comp; /* only used with decompression */ +/*r */ unsigned char *comp; /* only used with decompression - malloc()ed */ } SSL3_RECORD; typedef struct ssl3_buffer_st @@ -220,10 +220,6 @@ typedef struct ssl3_buffer_st /*rw*/ unsigned char *buf; /* SSL3_RT_MAX_PACKET_SIZE bytes */ } SSL3_BUFFER; -typedef struct ssl3_compression_st { - int nothing; - } SSL3_COMPRESSION; - #define SSL3_CT_RSA_SIGN 1 #define SSL3_CT_DSS_SIGN 2 #define SSL3_CT_RSA_FIXED_DH 3 
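Review bot: Two of the new reason codes in the @@ -1397 hunk are misspelled, `SSL_R_TLSV1_ALERT_EXPORT_RESTRICION` and `SSL_R_TLSV1_ALERT_USER_CANCLED`, and the matching strings added to ssl_err.c ("tlsv1 alert export restricion", "tlsv1 alert user cancled") carry the same spelling. Once released, the names become part of the public header and the strings end up in logs that operators search and alert on. I would correct them before they ship: `#define SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION 1060` and `#define SSL_R_TLSV1_ALERT_USER_CANCELED 1090`, with the ssl_err.c entries updated to match.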
@@ -236,7 +232,7 @@ typedef struct ssl3_compression_st { #define SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS 0x0001 #define SSL3_FLAGS_DELAY_CLIENT_FINISHED 0x0002 #define SSL3_FLAGS_POP_BUFFER 0x0004 -#define TLS1_FLAGS_TLS_PADDING_BUG 0x0008 +#define TLS1_FLAGS_TLS_PADDING_BUG 0x0008 #if 0 #define AD_CLOSE_NOTIFY 0 @@ -344,7 +340,11 @@ typedef struct ssl3_ctx_st EVP_CIPHER *new_sym_enc; EVP_MD *new_hash; - SSL_COMPRESSION *new_compression; +#ifdef HEADER_COMP_H + COMP_METHOD *new_compression; +#else + char *new_compression; +#endif int cert_request; } tmp; } SSL3_CTX; diff --git a/ssl/ssl_algs.c b/ssl/ssl_algs.c index 65f3a59386..92ec322dae 100644 --- a/ssl/ssl_algs.c +++ b/ssl/ssl_algs.c @@ -82,12 +82,12 @@ void SSLeay_add_ssl_algorithms() #endif #ifndef NO_MD5 EVP_add_digest(EVP_md5()); - EVP_add_alias(SN_md5,"ssl2-md5"); - EVP_add_alias(SN_md5,"ssl3-md5"); + EVP_add_digest_alias(SN_md5,"ssl2-md5"); + EVP_add_digest_alias(SN_md5,"ssl3-md5"); #endif #ifndef NO_SHA1 EVP_add_digest(EVP_sha1()); /* RSA with sha1 */ - EVP_add_alias(SN_sha1,"ssl3-sha1"); + EVP_add_digest_alias(SN_sha1,"ssl3-sha1"); #endif #if !defined(NO_SHA1) && !defined(NO_DSA) EVP_add_digest(EVP_dss1()); /* DSA with sha1 */ diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index c1cb86e1b7..783c079e17 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -62,6 +62,18 @@ #include "pem.h" #include "ssl_locl.h" +int SSL_get_ex_data_X509_STORE_CTX_idx() + { + static int ssl_x509_store_ctx_idx= -1; + + if (ssl_x509_store_ctx_idx < 0) + { + ssl_x509_store_ctx_idx=X509_STORE_CTX_get_ex_new_index( + 0,"SSL for verifiy callback",NULL,NULL,NULL); + } + return(ssl_x509_store_ctx_idx); + } + CERT *ssl_cert_new() { CERT *ret; 
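Review bot: `SSL_get_ex_data_X509_STORE_CTX_idx()` in the @@ -62 hunk of ssl_cert.c initialises its static index on first use without a lock. If two threads make the first call together, each may allocate its own index and the one stored last wins, so a pointer saved under one index could later be looked up under the other and come back NULL in the verify callback; this is inferred, since the callback side is not in the hunk. The result of `X509_STORE_CTX_get_ex_new_index()` is also returned unchecked, so a failure value would be handed to the caller as an index. At minimum document the constraint, `/* not thread safe on first use: call once before any threads are started */`, and fix the typo in the label string `"SSL for verifiy callback"`.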
@@ -150,15 +162,24 @@ STACK *sk; x=(X509 *)sk_value(sk,0); X509_STORE_CTX_init(&ctx,s->ctx->cert_store,x,sk); - X509_STORE_CTX_set_app_data(&ctx,(char *)s); + X509_STORE_CTX_set_ex_data(&ctx,SSL_get_ex_data_X509_STORE_CTX_idx(), + (char *)s); if (s->ctx->app_verify_callback != NULL) i=s->ctx->app_verify_callback(&ctx); else + { +#ifndef NO_X509_VERIFY i=X509_verify_cert(&ctx); +#else + i=0; + ctx.error=X509_V_ERR_APPLICATION_VERIFICATION; + SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN,SSL_R_NO_VERIFY_CALLBACK); +#endif + } - X509_STORE_CTX_cleanup(&ctx); s->verify_result=ctx.error; + X509_STORE_CTX_cleanup(&ctx); return(i); } diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index 820994408b..87e384f8f7 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -145,6 +145,7 @@ static SSL_CIPHER cipher_aliases[]={ {0,SSL_TXT_EXPORT,0,SSL_EXPORT,0,SSL_EXP_MASK}, {0,SSL_TXT_SSLV2,0,SSL_SSLV2,0,SSL_SSL_MASK}, {0,SSL_TXT_SSLV3,0,SSL_SSLV3,0,SSL_SSL_MASK}, + {0,SSL_TXT_TLSV1,0,SSL_SSLV3,0,SSL_SSL_MASK}, {0,SSL_TXT_LOW, 0,SSL_LOW,0,SSL_STRONG_MASK}, {0,SSL_TXT_MEDIUM,0,SSL_MEDIUM,0,SSL_STRONG_MASK}, {0,SSL_TXT_HIGH, 0,SSL_HIGH,0,SSL_STRONG_MASK}, @@ -208,7 +209,6 @@ EVP_MD **md; case SSL_eNULL: i=SSL_ENC_NULL_IDX; break; - break; default: i= -1; break; diff --git a/ssl/ssl_comp.c b/ssl/ssl_comp.c new file mode 100644 index 0000000000..7724ff5672 --- /dev/null +++ b/ssl/ssl_comp.c 
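Review bot: The return value of `X509_STORE_CTX_set_ex_data()` is discarded in the @@ -150 hunk, so if storing the `SSL` pointer fails the verify callback runs without it. I am assuming it reports failure with 0 the way the `CRYPTO_set_ex_data()` based setters on this page do; its declaration is not visible here. The commit adds `SSL_R_X509_VERIFICATION_SETUP_PROBLEMS` but nothing in this hunk raises it, and this looks like the place: fail the verification, record the error and clean up the context before returning. The function starts and ends outside the hunk.

```c
	X509_STORE_CTX_init(&ctx,s->ctx->cert_store,x,sk);
	if (!X509_STORE_CTX_set_ex_data(&ctx,
		SSL_get_ex_data_X509_STORE_CTX_idx(),(char *)s))
		{
		/* fail closed: the verify callback could not find its SSL */
		SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN,
			SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
		s->verify_result=X509_V_ERR_APPLICATION_VERIFICATION;
		X509_STORE_CTX_cleanup(&ctx);
		return(0);
		}
	/* … unchanged: app_verify_callback / X509_verify_cert dispatch … */
```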
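Review bot: The new alias in the @@ -145 hunk of ssl_ciph.c maps `SSL_TXT_TLSV1` to `SSL_SSLV3`, so the cipher string "TLSv1" selects exactly the SSLv3 suite set. An administrator who writes "TLSv1" in a cipher list to keep SSLv3 out gets no protocol restriction from it. A comment on the entry would prevent that reading: `/* TLSv1 reuses the SSLv3 suites; this alias does not limit the protocol version */`.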
@@ -0,0 +1,580 @@ +/* ssl/ssl_comp.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. + * + * This package is an SSL implementation written + * by Eric Young (eay@cryptsoft.com). + * The implementation was written so as to conform with Netscapes SSL. + * + * This library is free for commercial and non-commercial use as long as + * the following conditions are aheared to. The following conditions + * apply to all code found in this distribution, be it the RC4, RSA, + * lhash, DES, etc., code; not just the SSL code. The SSL documentation + * included with this distribution is covered by the same copyright terms + * except that the holder is Tim Hudson (tjh@cryptsoft.com). + * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. + * If this package is used in a product, Eric Young should be given attribution + * as the author of the parts of the library used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * "This product includes cryptographic software written by + * Eric Young (eay@cryptsoft.com)" + * The word 'cryptographic' can be left out if the rouines from the library + * being used are not cryptographic related :-). + * 4. 
If you include any Windows specific code (or a derivative thereof) from + * the apps directory (application code) you must include an acknowledgement: + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. this code cannot simply be + * copied and put under another distribution licence + * [including the GNU Public Licence.] 
+ */ + +#include <stdio.h> +#include "ssl_locl.h" + +#ifndef NOPROTO +static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s); +static void SSL_SESSION_list_add(SSL_CTX *ctx,SSL_SESSION *s); +#else +static void SSL_SESSION_list_remove(); +static void SSL_SESSION_list_add(); +#endif + +static int ssl_session_num=0; +static STACK *ssl_session_meth=NULL; + +SSL_SESSION *SSL_get_session(ssl) +SSL *ssl; + { + return(ssl->session); + } + +int SSL_SESSION_get_ex_new_index(argl,argp,new_func,dup_func,free_func) +long argl; +char *argp; +int (*new_func)(); +int (*dup_func)(); +void (*free_func)(); + { + ssl_session_num++; + return(CRYPTO_get_ex_new_index(ssl_session_num-1, + &ssl_session_meth, + argl,argp,new_func,dup_func,free_func)); + } + +int SSL_SESSION_set_ex_data(s,idx,arg) +SSL_SESSION *s; +int idx; +char *arg; + { + return(CRYPTO_set_ex_data(&s->ex_data,idx,arg)); + } + +char *SSL_SESSION_get_ex_data(s,idx) +SSL_SESSION *s; +int idx; + { + return(CRYPTO_get_ex_data(&s->ex_data,idx)); + } + +SSL_SESSION *SSL_SESSION_new() + { + SSL_SESSION *ss; + + ss=(SSL_SESSION *)Malloc(sizeof(SSL_SESSION)); + if (ss == NULL) + { + SSLerr(SSL_F_SSL_SESSION_NEW,ERR_R_MALLOC_FAILURE); + return(0); + } + memset(ss,0,sizeof(SSL_SESSION)); + + ss->references=1; + ss->timeout=60*5+4; /* 5 minute timeout by default */ + ss->time=time(NULL); + ss->prev=NULL; + ss->next=NULL; + CRYPTO_new_ex_data(ssl_session_meth,(char *)ss,&ss->ex_data); + return(ss); + } + +int ssl_get_new_session(s, session) +SSL *s; +int session; + { + SSL_SESSION *ss=NULL; + + if ((ss=SSL_SESSION_new()) == NULL) return(0); + + /* If the context has a default timeout, use it */ + if (s->ctx->session_timeout != 0) + ss->timeout=SSL_get_default_timeout(s); + + if (s->session != NULL) + { + SSL_SESSION_free(s->session); + s->session=NULL; + } + + if (session) + { + if (s->version == SSL2_CLIENT_VERSION) + { + ss->ssl_version=SSL2_VERSION; + ss->session_id_length=SSL2_SSL_SESSION_ID_LENGTH; + } + else if 
(s->version == SSL3_VERSION) + { + ss->ssl_version=SSL3_VERSION; + ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH; + } + else if (s->version == TLS1_VERSION) + { + ss->ssl_version=TLS1_VERSION; + ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH; + } + else + { + SSLerr(SSL_F_SSL_GET_NEW_SESSION,SSL_R_UNSUPPORTED_SSL_VERSION); + SSL_SESSION_free(ss); + return(0); + } + + for (;;) + { + SSL_SESSION *r; + + RAND_bytes(ss->session_id,ss->session_id_length); + CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX); + r=(SSL_SESSION *)lh_retrieve(s->ctx->sessions, + (char *)ss); + CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); + if (r == NULL) break; + /* else - woops a session_id match */ + } + } + else + { + ss->session_id_length=0; + } + + s->session=ss; + ss->ssl_version=s->version; + + return(1); + } + +int ssl_get_prev_session(s,session_id,len) +SSL *s; +unsigned char *session_id; +int len; + { + SSL_SESSION *ret=NULL,data; + + /* conn_init();*/ + data.ssl_version=s->version; + data.session_id_length=len; + if (len > SSL_MAX_SSL_SESSION_ID_LENGTH) + return(0); + memcpy(data.session_id,session_id,len);; + + if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP)) + { + CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX); + ret=(SSL_SESSION *)lh_retrieve(s->ctx->sessions,(char *)&data); + CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); + } + + if (ret == NULL) + { + int copy=1; + + s->ctx->sess_miss++; + ret=NULL; + if ((s->ctx->get_session_cb != NULL) && + ((ret=s->ctx->get_session_cb(s,session_id,len,©)) + != NULL)) + { + s->ctx->sess_cb_hit++; + + /* The following should not return 1, otherwise, + * things are very strange */ + SSL_CTX_add_session(s->ctx,ret); + /* auto free it */ + if (!copy) + SSL_SESSION_free(ret); + } + if (ret == NULL) return(0); + } + + if (ret->cipher == NULL) + { + char buf[5],*p; + unsigned long l; + + p=buf; + l=ret->cipher_id; + l2n(l,p); + if ((ret->ssl_version>>8) == SSL3_VERSION_MAJOR) + ret->cipher=ssl_get_cipher_by_char(s,&(buf[2])); + else + 
ret->cipher=ssl_get_cipher_by_char(s,&(buf[1])); + if (ret->cipher == NULL) + return(0); + } + + /* If a thread got the session, then 'swaped', and another got + * it and then due to a time-out decided to 'Free' it we could + * be in trouble. So I'll increment it now, then double decrement + * later - am I speaking rubbish?. */ + CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION); + + if ((long)(ret->time+ret->timeout) < (long)time(NULL)) /* timeout */ + { + s->ctx->sess_timeout++; + /* remove it from the cache */ + SSL_CTX_remove_session(s->ctx,ret); + SSL_SESSION_free(ret); /* again to actually Free it */ + return(0); + } + + s->ctx->sess_hit++; + + /* ret->time=time(NULL); */ /* rezero timeout? */ + /* again, just leave the session + * if it is the same session, we have just incremented and + * then decremented the reference count :-) */ + if (s->session != NULL) + SSL_SESSION_free(s->session); + s->session=ret; + return(1); + } + +int SSL_CTX_add_session(ctx,c) +SSL_CTX *ctx; +SSL_SESSION *c; + { + int ret=0; + SSL_SESSION *s; + + /* conn_init(); */ + CRYPTO_add(&c->references,1,CRYPTO_LOCK_SSL_SESSION); + + CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); + s=(SSL_SESSION *)lh_insert(ctx->sessions,(char *)c); + + /* Put on the end of the queue unless it is already in the cache */ + if (s == NULL) + SSL_SESSION_list_add(ctx,c); + + /* If the same session if is being 're-added', Free the old + * one when the last person stops using it. + * This will also work if it is alread in the cache. 
+ * The references will go up and then down :-) */ + if (s != NULL) + { + SSL_SESSION_free(s); + ret=0; + } + else + { + ret=1; + + if (SSL_CTX_sess_get_cache_size(ctx) > 0) + { + while (SSL_CTX_sess_number(ctx) > + SSL_CTX_sess_get_cache_size(ctx)) + { + if (!SSL_CTX_remove_session(ctx, + ctx->session_cache_tail)) + break; + else + ctx->sess_cache_full++; + } + } + } + CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); + return(ret); + } + +int SSL_CTX_remove_session(ctx,c) +SSL_CTX *ctx; +SSL_SESSION *c; + { + SSL_SESSION *r; + int ret=0; + + if ((c != NULL) && (c->session_id_length != 0)) + { + CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); + r=(SSL_SESSION *)lh_delete(ctx->sessions,(char *)c); + if (r != NULL) + { + ret=1; + SSL_SESSION_list_remove(ctx,c); + } + + CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); + + if (ret) + { + r->not_resumable=1; + if (ctx->remove_session_cb != NULL) + ctx->remove_session_cb(ctx,r); + SSL_SESSION_free(r); + } + } + else + ret=0; + return(ret); + } + +void SSL_SESSION_free(ss) +SSL_SESSION *ss; + { + int i; + + i=CRYPTO_add(&ss->references,-1,CRYPTO_LOCK_SSL_SESSION); +#ifdef REF_PRINT + REF_PRINT("SSL_SESSION",ss); +#endif + if (i > 0) return; +#ifdef REF_CHECK + if (i < 0) + { + fprintf(stderr,"SSL_SESSION_free, bad reference count\n"); + abort(); /* ok */ + } +#endif + + CRYPTO_free_ex_data(ssl_session_meth,(char *)ss,&ss->ex_data); + + memset(ss->key_arg,0,SSL_MAX_KEY_ARG_LENGTH); + memset(ss->master_key,0,SSL_MAX_MASTER_KEY_LENGTH); + memset(ss->session_id,0,SSL_MAX_SSL_SESSION_ID_LENGTH); + if (ss->cert != NULL) ssl_cert_free(ss->cert); + if (ss->peer != NULL) X509_free(ss->peer); + if (ss->ciphers != NULL) sk_free(ss->ciphers); + memset(ss,0,sizeof(*ss)); + Free(ss); + } + +int SSL_set_session(s, session) +SSL *s; +SSL_SESSION *session; + { + int ret=0; + SSL_METHOD *meth; + + if (session != NULL) + { + meth=s->ctx->method->get_ssl_method(session->ssl_version); + if (meth == NULL) + meth=s->method->get_ssl_method(session->ssl_version); + if (meth == 
NULL) + { + SSLerr(SSL_F_SSL_SET_SESSION,SSL_R_UNABLE_TO_FIND_SSL_METHOD); + return(0); + } + + if (meth != s->method) + { + if (!SSL_set_ssl_method(s,meth)) + return(0); + session->timeout=SSL_get_default_timeout(s); + } + + /* CRYPTO_w_lock(CRYPTO_LOCK_SSL);*/ + CRYPTO_add(&session->references,1,CRYPTO_LOCK_SSL_SESSION); + if (s->session != NULL) + SSL_SESSION_free(s->session); + s->session=session; + /* CRYPTO_w_unlock(CRYPTO_LOCK_SSL);*/ + ret=1; + } + else + { + if (s->session != NULL) + { + SSL_SESSION_free(s->session); + s->session=NULL; + } + } + return(ret); + } + +long SSL_SESSION_set_timeout(s,t) +SSL_SESSION *s; +long t; + { + if (s == NULL) return(0); + s->timeout=t; + return(1); + } + +long SSL_SESSION_get_timeout(s) +SSL_SESSION *s; + { + if (s == NULL) return(0); + return(s->timeout); + } + +long SSL_SESSION_get_time(s) +SSL_SESSION *s; + { + if (s == NULL) return(0); + return(s->time); + } + +long SSL_SESSION_set_time(s,t) +SSL_SESSION *s; +long t; + { + if (s == NULL) return(0); + s->time=t; + return(t); + } + +typedef struct timeout_param_st + { + SSL_CTX *ctx; + long time; + LHASH *cache; + } TIMEOUT_PARAM; + +static void timeout(s,p) +SSL_SESSION *s; +TIMEOUT_PARAM *p; + { + if ((p->time == 0) || (p->time > (s->time+s->timeout))) /* timeout */ + { + /* The reason we don't call SSL_CTX_remove_session() is to + * save on locking overhead */ + lh_delete(p->cache,(char *)s); + SSL_SESSION_list_remove(p->ctx,s); + s->not_resumable=1; + if (p->ctx->remove_session_cb != NULL) + p->ctx->remove_session_cb(p->ctx,s); + SSL_SESSION_free(s); + } + } + +void SSL_CTX_flush_sessions(s,t) +SSL_CTX *s; +long t; + { + unsigned long i; + TIMEOUT_PARAM tp; + + tp.ctx=s; + tp.cache=SSL_CTX_sessions(s); + if (tp.cache == NULL) return; + tp.time=t; + CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); + i=tp.cache->down_load; + tp.cache->down_load=0; + lh_doall_arg(tp.cache,(void (*)())timeout,(char *)&tp); + tp.cache->down_load=i; + CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); + } + +int 
ssl_clear_bad_session(s) +SSL *s; + { + if ( (s->session != NULL) && + !(s->shutdown & SSL_SENT_SHUTDOWN) && + !(SSL_in_init(s) || SSL_in_before(s))) + { + SSL_CTX_remove_session(s->ctx,s->session); + return(1); + } + else + return(0); + } + +/* locked by SSL_CTX in the calling function */ +static void SSL_SESSION_list_remove(ctx,s) +SSL_CTX *ctx; +SSL_SESSION *s; + { + if ((s->next == NULL) || (s->prev == NULL)) return; + + if (s->next == (SSL_SESSION *)&(ctx->session_cache_tail)) + { /* last element in list */ + if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head)) + { /* only one element in list */ + ctx->session_cache_head=NULL; + ctx->session_cache_tail=NULL; + } + else + { + ctx->session_cache_tail=s->prev; + s->prev->next=(SSL_SESSION *)&(ctx->session_cache_tail); + } + } + else + { + if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head)) + { /* first element in list */ + ctx->session_cache_head=s->next; + s->next->prev=(SSL_SESSION *)&(ctx->session_cache_head); + } + else + { /* middle of list */ + s->next->prev=s->prev; + s->prev->next=s->next; + } + } + s->prev=s->next=NULL; + } + +static void SSL_SESSION_list_add(ctx,s) +SSL_CTX *ctx; +SSL_SESSION *s; + { + if ((s->next != NULL) && (s->prev != NULL)) + SSL_SESSION_list_remove(ctx,s); + + if (ctx->session_cache_head == NULL) + { + ctx->session_cache_head=s; + ctx->session_cache_tail=s; + s->prev=(SSL_SESSION *)&(ctx->session_cache_head); + s->next=(SSL_SESSION *)&(ctx->session_cache_tail); + } + else + { + s->next=ctx->session_cache_head; + s->next->prev=s; + s->prev=(SSL_SESSION *)&(ctx->session_cache_head); + ctx->session_cache_head=s; + } + } + diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c index bcbb98591f..847f0f3f8a 100644 --- a/ssl/ssl_err.c +++ b/ssl/ssl_err.c 
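Review bot: `ssl_get_prev_session()` in the new ssl/ssl_comp.c takes `int len` and rejects only `len > SSL_MAX_SSL_SESSION_ID_LENGTH` before `memcpy(data.session_id,session_id,len)`. A negative `len` passes that test and is converted to a very large size for the copy into a fixed-size field; whether a caller can pass one is not visible here, but the length presumably originates from the peer's hello message. I would make the guard `if ((len < 0) || (len > SSL_MAX_SSL_SESSION_ID_LENGTH)) return(0);` and move it above the `data.session_id_length=len;` assignment. Separately, the file holds only session-cache routines and no compression code, which looks like an unintended copy and is worth confirming before it is added to the build.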
@@ -167,6 +167,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
 {ERR_PACK(0,SSL_F_SSL_USE_RSAPRIVATEKEY,0), "SSL_use_RSAPrivateKey"},
 {ERR_PACK(0,SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1,0), "SSL_use_RSAPrivateKey_ASN1"},
 {ERR_PACK(0,SSL_F_SSL_USE_RSAPRIVATEKEY_FILE,0), "SSL_use_RSAPrivateKey_file"},
+{ERR_PACK(0,SSL_F_SSL_VERIFY_CERT_CHAIN,0), "SSL_VERIFY_CERT_CHAIN"},
 {ERR_PACK(0,SSL_F_SSL_WRITE,0), "SSL_write"},
 {ERR_PACK(0,SSL_F_TLS1_CHANGE_CIPHER_STATE,0), "TLS1_CHANGE_CIPHER_STATE"},
 {ERR_PACK(0,SSL_F_TLS1_ENC,0), "TLS1_ENC"},
@@ -219,6 +220,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {SSL_R_CIPHER_TABLE_SRC_ERROR ,"cipher table src error"},
 {SSL_R_COMPRESSED_LENGTH_TOO_LONG ,"compressed length too long"},
 {SSL_R_COMPRESSION_FAILURE ,"compression failure"},
+{SSL_R_COMPRESSION_LIBRARY_ERROR ,"compression library error"},
 {SSL_R_CONNECTION_ID_IS_DIFFERENT ,"connection id is different"},
 {SSL_R_CONNECTION_TYPE_NOT_SET ,"connection type not set"},
 {SSL_R_DATA_BETWEEN_CCS_AND_FINISHED ,"data between ccs and finished"},
@@ -269,6 +271,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {SSL_R_NO_PROTOCOLS_AVAILABLE ,"no protocols available"},
 {SSL_R_NO_PUBLICKEY ,"no publickey"},
 {SSL_R_NO_SHARED_CIPHER ,"no shared cipher"},
+{SSL_R_NO_VERIFY_CALLBACK ,"no verify callback"},
 {SSL_R_NULL_SSL_CTX ,"null ssl ctx"},
 {SSL_R_NULL_SSL_METHOD_PASSED ,"null ssl method passed"},
 {SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED ,"old session cipher not returned"},
@@ -316,6 +319,18 @@ static ERR_STRING_DATA SSL_str_reasons[]= {SSL_R_SSL_HANDSHAKE_FAILURE ,"ssl handshake failure"}, {SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS ,"ssl library has no ciphers"}, {SSL_R_SSL_SESSION_ID_IS_DIFFERENT ,"ssl session id is different"}, +{SSL_R_TLSV1_ALERT_ACCESS_DENIED ,"tlsv1 alert access denied"}, +{SSL_R_TLSV1_ALERT_DECODE_ERROR ,"tlsv1 alert decode error"}, +{SSL_R_TLSV1_ALERT_DECRYPTION_FAILED ,"tlsv1 alert decryption failed"}, +{SSL_R_TLSV1_ALERT_DECRYPT_ERROR ,"tlsv1 alert decrypt error"}, +{SSL_R_TLSV1_ALERT_EXPORT_RESTRICION ,"tlsv1 alert export restricion"}, +{SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY ,"tlsv1 alert insufficient security"}, +{SSL_R_TLSV1_ALERT_INTERNAL_ERROR ,"tlsv1 alert internal error"}, +{SSL_R_TLSV1_ALERT_NO_RENEGOTIATION ,"tlsv1 alert no renegotiation"}, +{SSL_R_TLSV1_ALERT_PROTOCOL_VERSION ,"tlsv1 alert protocol version"}, +{SSL_R_TLSV1_ALERT_RECORD_OVERFLOW ,"tlsv1 alert record overflow"}, +{SSL_R_TLSV1_ALERT_UNKNOWN_CA ,"tlsv1 alert unknown ca"}, +{SSL_R_TLSV1_ALERT_USER_CANCLED ,"tlsv1 alert user cancled"}, {SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER,"tls client cert req with anon cipher"}, {SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST,"tls peer did not respond with certificate list"}, {SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG,"tls rsa encrypted value length is wrong"}, @@ -353,6 +368,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= {SSL_R_WRONG_SSL_VERSION ,"wrong ssl version"}, {SSL_R_WRONG_VERSION_NUMBER ,"wrong version number"}, {SSL_R_X509_LIB ,"x509 lib"}, +{SSL_R_X509_VERIFICATION_SETUP_PROBLEMS ,"x509 verification setup problems"}, {0,NULL}, }; @@ -362,8 +378,8 @@ void ERR_load_SSL_strings() { static int init=1; - if (init); - {; + if (init) + { init=0; #ifndef NO_ERR ERR_load_strings(ERR_LIB_SSL,SSL_str_functs); diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index f562ec6b14..b16339848b 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c 
@@ -61,7 +61,7 @@ #include "lhash.h" #include "ssl_locl.h" -char *SSL_version_str="SSLeay 0.9.0b 29-Jun-1998"; +char *SSL_version_str="SSLeay 0.9.1a 06-Jul-1998"; static STACK *ssl_meth=NULL; static STACK *ssl_ctx_meth=NULL; @@ -248,6 +248,11 @@ SSL *s; ssl_clear_cipher_ctx(s); + if (s->expand != NULL) + COMP_CTX_free(s->expand); + if (s->compress != NULL) + COMP_CTX_free(s->compress); + if (s->cert != NULL) ssl_cert_free(s->cert); /* Free up if allocated */ @@ -839,8 +844,11 @@ SSL_SESSION *a; { unsigned long l; - l= (a->session_id[0] )|(a->session_id[1]<< 8L)| - (a->session_id[2]<<16L)|(a->session_id[3]<<24L); + l=(unsigned long) + ((unsigned int) a->session_id[0] )| + ((unsigned int) a->session_id[1]<< 8L)| + ((unsigned long)a->session_id[2]<<16L)| + ((unsigned long)a->session_id[3]<<24L); return(l); } @@ -858,13 +866,19 @@ SSL_SESSION *b; SSL_CTX *SSL_CTX_new(meth) SSL_METHOD *meth; { - SSL_CTX *ret; + SSL_CTX *ret=NULL; if (meth == NULL) { SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_NULL_SSL_METHOD_PASSED); return(NULL); } + + if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) + { + SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS); + goto err; + } ret=(SSL_CTX *)Malloc(sizeof(SSL_CTX)); if (ret == NULL) goto err; @@ -956,6 +970,8 @@ SSL_METHOD *meth; CRYPTO_new_ex_data(ssl_ctx_meth,(char *)ret,&ret->ex_data); + ret->extra_certs=NULL; + return(ret); err: SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE); @@ -1000,6 +1016,8 @@ SSL_CTX *a; ssl_cert_free(a->default_cert); if (a->client_CA != NULL) sk_pop_free(a->client_CA,X509_NAME_free); + if (a->extra_certs != NULL) + sk_pop_free(a->extra_certs,X509_free); Free((char *)a); } @@ -1341,7 +1359,9 @@ SSL *s; SSLerr(SSL_F_SSL_DO_HANDSHAKE,SSL_R_CONNECTION_TYPE_NOT_SET); return(-1); } - if (s->s3->renegotiate) ssl3_renegotiate_check(s); + + s->method->ssl_renegotiate_check(s); + if (SSL_in_init(s) || SSL_in_before(s)) { ret=s->handshake_func(s); 
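Review bot: In the `@@ -858,13 +866,19 @@` hunk of ssl/ssl_lib.c, the new `SSL_get_ex_data_X509_STORE_CTX_idx() < 0` branch records `SSL_R_X509_VERIFICATION_SETUP_PROBLEMS` and then jumps to `err:`, which, as the context of the next hunk shows, records `ERR_R_MALLOC_FAILURE` as well. The caller therefore finds a malloc failure on top of the error queue for what is a verification-setup problem. Nothing has been allocated at that point, so returning directly, as the NULL-method check just above does, keeps the queue accurate: `return(NULL);` in place of `goto err;`. The body of SSL_CTX_new continues outside the hunk.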
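Review bot: `ret->extra_certs=NULL;` in the `@@ -956,6 +970,8 @@` hunk is assigned only on the last line before `return(ret);`, while the `@@ -1000,6 +1016,8 @@` hunk makes SSL_CTX_free call `sk_pop_free(a->extra_certs,X509_free)` whenever the field is non-NULL. If any failure path between the `Malloc` and this line releases the partly built context through SSL_CTX_free (the error labels are outside the hunk, so this is inferred), the field still holds uninitialised heap contents there and would be freed as a stack. Moving the assignment up to the other field initialisations directly after the `Malloc` check removes that dependency on statement order.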
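Review bot: `s->method->ssl_renegotiate_check(s);` in the `@@ -1341,7 +1359,9 @@` hunk is an unconditional call through a method-table slot, so every SSL_METHOD that can reach SSL_do_handshake must fill that slot; a table that leaves it NULL becomes a NULL function-pointer call. Only the TLSv1 table is visible on this page, so the other method tables need checking. The old guard `if (s->s3->renegotiate)` is also gone, which means ssl3_renegotiate_check now has to test that flag itself; its body is not shown here. I would add `/* every SSL_METHOD must set ssl_renegotiate_check; it is called on each handshake */` above the call.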
@@ -1615,6 +1635,7 @@ SSL *ssl; return(ssl->ctx); } +#ifndef NO_STDIO int SSL_CTX_set_default_verify_paths(ctx) SSL_CTX *ctx; { @@ -1628,6 +1649,7 @@ char *CApath; { return(X509_STORE_load_locations(ctx->cert_store,CAfile,CApath)); } +#endif void SSL_set_info_callback(ssl,cb) SSL *ssl; @@ -1639,7 +1661,7 @@ void (*cb)(); void (*SSL_get_info_callback(ssl))() SSL *ssl; { - return(ssl->info_callback); + return((void (*)())ssl->info_callback); } int SSL_state(ssl) @@ -1715,6 +1737,12 @@ int idx; return(CRYPTO_get_ex_data(&s->ex_data,idx)); } +int ssl_ok(s) +SSL *s; + { + return(1); + } + #if defined(_WINDLL) && defined(WIN16) #include "../crypto/bio/bss_file.c" #endif diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index b29517081b..71d4c08c09 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -66,6 +66,7 @@ #include "e_os.h" #include "buffer.h" +#include "comp.h" #include "bio.h" #include "crypto.h" #include "evp.h" @@ -74,6 +75,7 @@ #include "err.h" #include "ssl.h" +#define PKCS1_CHECK #define c2l(c,l) (l = ((unsigned long)(*((c)++))) , \ l|=(((unsigned long)(*((c)++)))<< 8), \ 
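Review bot: `ssl_ok` in the `@@ -1715,6 +1737,12 @@` hunk has no comment explaining why a function that ignores its argument and always returns 1 exists. Its `int (SSL *)` shape matches the `ssl_renegotiate_check` slot that this commit starts calling unconditionally, so it is presumably the filler for method tables that have nothing to check; that is inferred, since the tables using it are not in this chunk. I would add `/* no-op for SSL_METHOD slots that need no work; always reports success */` above the definition.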
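Review bot: `#define PKCS1_CHECK` in the `@@ -74,6 +75,7 @@` hunk of ssl/ssl_locl.h turns on a compile-time option for every file that includes this header, with no comment and no way to switch it off from the build. What the macro guards is not visible in this chunk; if, as the name suggests, it enables extra PKCS#1 checking or test code in the handshake paths, that should be an explicit build decision rather than a side effect of a shared header. Either pass it as a compiler define or document it in place, for example `/* PKCS1_CHECK: <what it enables>; <why it is on by default> */`.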
@@ -126,18 +128,18 @@ } \ } -#define n2s(c,s) (s =((unsigned int)(*((c)++)))<< 8, \ - s|=((unsigned int)(*((c)++)))) -#define s2n(s,c) (*((c)++)=(unsigned char)(((s)>> 8)&0xff), \ - *((c)++)=(unsigned char)(((s) )&0xff)) +#define n2s(c,s) ((s=(((unsigned int)(c[0]))<< 8)| \ + (((unsigned int)(c[1])) )),c+=2) +#define s2n(s,c) ((c[0]=(unsigned char)(((s)>> 8)&0xff), \ + c[1]=(unsigned char)(((s) )&0xff)),c+=2) -#define n2l3(c,l) (l =((unsigned long)(*((c)++)))<<16, \ - l|=((unsigned long)(*((c)++)))<< 8, \ - l|=((unsigned long)(*((c)++)))) +#define n2l3(c,l) ((l =(((unsigned long)(c[0]))<<16)| \ + (((unsigned long)(c[1]))<< 8)| \ + (((unsigned long)(c[2])) )),c+=3) -#define l2n3(l,c) (*((c)++)=(unsigned char)(((l)>>16)&0xff), \ - *((c)++)=(unsigned char)(((l)>> 8)&0xff), \ - *((c)++)=(unsigned char)(((l) )&0xff)) +#define l2n3(l,c) ((c[0]=(unsigned char)(((l)>>16)&0xff), \ + c[1]=(unsigned char)(((l)>> 8)&0xff), \ + c[2]=(unsigned char)(((l) )&0xff)),c+=3) /* LOCAL STUFF */ @@ -313,6 +315,14 @@ typedef struct ssl3_enc_method int (*alert_value)(); } SSL3_ENC_METHOD; +/* Used for holding the relevent compression methods loaded into SSL_CTX */ +typedef struct ssl3_comp_st + { + int comp_id; /* The identifer byte for this compression type */ + char *name; /* Text name used for the compression type */ + COMP_METHOD *method; /* The method :-) */ + } SSL3_COMP; + extern SSL3_ENC_METHOD ssl3_undef_enc_method; extern SSL_CIPHER ssl2_ciphers[]; extern SSL_CIPHER ssl3_ciphers[]; @@ -431,7 +441,6 @@ void tls1_clear(SSL *s); long tls1_ctrl(SSL *s,int cmd, long larg, char *parg); SSL_METHOD *tlsv1_base_method(void ); - int ssl_init_wbio_buffer(SSL *s, int push); int tls1_change_cipher_state(SSL *s, int which); @@ -445,6 +454,7 @@ int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, int len); int tls1_alert_code(int code); int ssl3_alert_code(int code); +int ssl_ok(SSL *s); #else 
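Review bot: The rewritten `n2s`, `s2n`, `n2l3` and `l2n3` in the `@@ -126,18 +128,18 @@` hunk use the pointer argument unparenthesised (`c[0]`, `c+=2`) and evaluate it several times, where the old `*((c)++)` form parenthesised it. An argument that is an expression rather than a plain pointer variable would be indexed or advanced incorrectly, and the result argument in `n2s` and `n2l3` is bare as well (`s=`, `l =`). Writing `(c)[0]`, `(c)[1]`, `(c)+=2` and `(s)=` / `(l)=` keeps the macros correct for any lvalue argument. The macros also read a fixed two or three bytes with no length argument, so a comment such as `/* caller must ensure at least 2 (n2s) or 3 (n2l3) bytes remain at c */` would make the precondition explicit.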
@@ -556,3 +566,19 @@ int ssl_init_wbio_buffer(); #endif #endif +int ssl3_cert_verify_mac(); +int ssl3_alert_code(); +int tls1_new(); +void tls1_free(); +void tls1_clear(); +long tls1_ctrl(); +SSL_METHOD *tlsv1_base_method(); +int tls1_change_cipher_state(); +int tls1_setup_key_block(); +int tls1_enc(); +int tls1_final_finish_mac(); +int tls1_cert_verify_mac(); +int tls1_mac(); +int tls1_generate_master_secret(); +int tls1_alert_code(); +int ssl_ok(); diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c index 140475e5fb..a8a62f1b04 100644 --- a/ssl/ssl_rsa.c +++ b/ssl/ssl_rsa.c @@ -229,6 +229,10 @@ EVP_PKEY *pkey; if (c->pkeys[i].x509 != NULL) { + EVP_PKEY_copy_parameters( + X509_get_pubkey(c->pkeys[i].x509),pkey); + ERR_clear_error(); + #ifndef NO_RSA /* Don't check the public/private key, this is mostly * for smart cards. */ @@ -504,6 +508,19 @@ X509 *x; if (c->pkeys[i].privatekey != NULL) { + EVP_PKEY_copy_parameters(pkey,c->pkeys[i].privatekey); + ERR_clear_error(); + +#ifndef NO_RSA + /* Don't check the public/private key, this is mostly + * for smart cards. */ + if ((c->pkeys[i].privatekey->type == EVP_PKEY_RSA) && + (RSA_flags(c->pkeys[i].privatekey->pkey.rsa) & + RSA_METHOD_FLAG_NO_CHECK)) + ok=1; + else +#endif + { if (!X509_check_private_key(x,c->pkeys[i].privatekey)) { if ((i == SSL_PKEY_DH_RSA) || (i == SSL_PKEY_DH_DSA)) @@ -527,6 +544,7 @@ X509 *x; } else ok=1; + } /* NO_RSA */ } else ok=1; diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index 8212600e40..d4978a7d50 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -69,7 +69,7 @@ static void SSL_SESSION_list_remove(); static void SSL_SESSION_list_add(); #endif -static ssl_session_num=0; +static int ssl_session_num=0; static STACK *ssl_session_meth=NULL; SSL_SESSION *SSL_get_session(ssl) diff --git a/ssl/ssltest.c b/ssl/ssltest.c index f9dca4e3ef..ff686913d7 100644 --- a/ssl/ssltest.c +++ b/ssl/ssltest.c 
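Review bot: The result of `X509_get_pubkey(c->pkeys[i].x509)` in the `@@ -229,6 +229,10 @@` hunk of ssl/ssl_rsa.c is passed straight into `EVP_PKEY_copy_parameters` without a NULL check, and the return value of the copy is ignored. The `ERR_clear_error();` that follows empties the whole error queue, which hides a failed copy and also drops any earlier entries the caller has not read yet. Whether `EVP_PKEY_copy_parameters` tolerates a NULL argument is not visible here. At minimum the intent should be stated, e.g. `/* best-effort parameter copy; errors are deliberately discarded */`, and the same applies to the copy added in the `@@ -504,6 +508,19 @@` hunk.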
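Review bot: The new `RSA_METHOD_FLAG_NO_CHECK` branch in the `@@ -504,6 +508,19 @@` hunk sets `ok=1` without calling `X509_check_private_key`, so for such keys a certificate that does not match the private key is accepted at this point with no error recorded. The existing comment says this is mostly for smart cards; it should also state the consequence, e.g. `/* key/cert match cannot be verified for NO_CHECK methods; a mismatch is not detected here */`. Separately, the `} /* NO_RSA */` added in the `@@ -527,6 +544,7 @@` hunk labels a brace whose opening `{` sits after the `#endif`, outside the conditional, so `} /* end of key/cert match check */` would be more accurate. The enclosing function starts and ends outside these hunks.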
@@ -361,6 +361,7 @@ end: if (bio_stdout != NULL) BIO_free(bio_stdout); + ERR_free_strings(); ERR_remove_state(0); EVP_cleanup(); CRYPTO_mem_leaks(bio_err); diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index fbdd3bffb5..893c0bc73b 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c @@ -155,7 +155,7 @@ int num; memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE); p+=SSL3_RANDOM_SIZE; - tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,p-buf, + tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(p-buf), s->session->master_key,s->session->master_key_length, km,tmp,num); } @@ -175,7 +175,7 @@ int which; int client_write; EVP_CIPHER_CTX *dd; EVP_CIPHER *c; - SSL_COMPRESSION *comp; + COMP_METHOD *comp; EVP_MD *m; int exp,n,i,j,k,exp_label_len; @@ -193,7 +193,24 @@ int which; goto err; dd= s->enc_read_ctx; s->read_hash=m; - s->read_compression=comp; + if (s->expand != NULL) + { + COMP_CTX_free(s->expand); + s->expand=NULL; + } + if (comp != NULL) + { + s->expand=COMP_CTX_new(comp); + if (s->expand == NULL) + { + SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR); + goto err2; + } + s->s3->rrec.comp=(unsigned char *) + Malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH); + if (s->s3->rrec.comp == NULL) + goto err; + } memset(&(s->s3->read_sequence[0]),0,8); mac_secret= &(s->s3->read_mac_secret[0]); } @@ -205,7 +222,20 @@ int which; goto err; dd= s->enc_write_ctx; s->write_hash=m; - s->write_compression=comp; + if (s->compress != NULL) + { + COMP_CTX_free(s->compress); + s->compress=NULL; + } + if (comp != NULL) + { + s->compress=COMP_CTX_new(comp); + if (s->compress == NULL) + { + SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR); + goto err2; + } + } memset(&(s->s3->write_sequence[0]),0,8); mac_secret= &(s->s3->write_mac_secret[0]); } 
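Review bot: In the read branch of the `@@ -193,7 +193,24 @@` hunk of ssl/t1_enc.c, `s->s3->rrec.comp` receives a fresh `Malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH)` every time this path runs with `comp != NULL`, while only `s->expand` is freed beforehand. Unless the buffer is released somewhere outside the hunk, each later cipher-state change on the same connection would leak the previous buffer, so memory use grows with every renegotiation. Guarding the allocation keeps one buffer per connection: `if (s->s3->rrec.comp == NULL) s->s3->rrec.comp=(unsigned char *)Malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH);`. The allocation failure leaves through `goto err` whereas the `COMP_CTX_new` failure uses `goto err2`; both labels are outside the hunk, so confirm that `err` reports the right reason.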
@@ -262,7 +292,7 @@ printf("which = %04X\nmac key=",which); p+=SSL3_RANDOM_SIZE; memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE); p+=SSL3_RANDOM_SIZE; - tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,p-buf,key,j, + tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(p-buf),key,j, tmp1,tmp2,EVP_CIPHER_key_length(c)); key=tmp1; @@ -277,7 +307,7 @@ printf("which = %04X\nmac key=",which); memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE); p+=SSL3_RANDOM_SIZE; tls1_PRF(s->ctx->md5,s->ctx->sha1, - buf,p-buf,"",0,iv1,iv2,k*2); + buf,(int)(p-buf),"",0,iv1,iv2,k*2); if (client_write) iv=iv1; else @@ -374,7 +404,6 @@ int send; unsigned long l; int bs,i,ii,j,k,n=0; EVP_CIPHER *enc; - SSL_COMPRESSION *comp; if (send) { @@ -383,12 +412,9 @@ int send; ds=s->enc_write_ctx; rec= &(s->s3->wrec); if (s->enc_write_ctx == NULL) - { enc=NULL; comp=NULL; } + enc=NULL; else - { enc=EVP_CIPHER_CTX_cipher(s->enc_write_ctx); - comp=s->write_compression; - } } else { @@ -397,16 +423,13 @@ int send; ds=s->enc_read_ctx; rec= &(s->s3->rrec); if (s->enc_read_ctx == NULL) - { enc=NULL; comp=NULL; } + enc=NULL; else - { enc=EVP_CIPHER_CTX_cipher(s->enc_read_ctx); - comp=s->read_compression; - } } if ((s->session == NULL) || (ds == NULL) || - ((enc == NULL) && (comp == NULL))) + (enc == NULL)) { memcpy(rec->data,rec->input,rec->length); rec->input=rec->data; @@ -507,7 +530,7 @@ unsigned char *out; EVP_DigestFinal(&ctx,q,&i); q+=i; - tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,q-buf, + tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(q-buf), s->session->master_key,s->session->master_key_length, out,buf2,12); memset(&ctx,0,sizeof(EVP_MD_CTX)); 
@@ -560,20 +583,20 @@ int send; #ifdef TLS_DEBUG printf("sec="); -{int z; for (z=0; z<md_size; z++) printf("%02X ",mac_sec[z]); printf("\n"); } +{unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",mac_sec[z]); printf("\n"); } printf("seq="); {int z; for (z=0; z<8; z++) printf("%02X ",seq[z]); printf("\n"); } printf("buf="); {int z; for (z=0; z<5; z++) printf("%02X ",buf[z]); printf("\n"); } printf("rec="); -{int z; for (z=0; z<rec->length; z++) printf("%02X ",buf[z]); printf("\n"); } +{unsigned int z; for (z=0; z<rec->length; z++) printf("%02X ",buf[z]); printf("\n"); } #endif for (i=7; i>=0; i--) if (++seq[i]) break; #ifdef TLS_DEBUG -{int z; for (z=0; z<md_size; z++) printf("%02X ",md[z]); printf("\n"); } +{unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",md[z]); printf("\n"); } #endif return(md_size); } diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index f9fbfa414c..2a319cd09b 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -60,7 +60,7 @@ #include "objects.h" #include "ssl_locl.h" -char *tls1_version_str="TLSv1 part of SSLeay 0.9.0b 29-Jun-1998"; +char *tls1_version_str="TLSv1 part of SSLeay 0.9.1a 06-Jul-1998"; #ifndef NO_PROTO static long tls1_default_timeout(void); @@ -94,6 +94,7 @@ static SSL_METHOD TLSv1_data= { ssl3_write, ssl3_shutdown, ssl3_renegotiate, + ssl3_renegotiate_check, ssl3_ctrl, ssl3_ctx_ctrl, ssl3_get_cipher_by_char, |
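Review bot: The `rec=` debug loop in the `@@ -560,20 +583,20 @@` hunk of ssl/t1_enc.c runs `z` up to `rec->length` but prints `buf[z]`, the same array that the `buf=` loop just above dumps as five bytes. If `buf` is the short header buffer (its declaration is outside the hunk), a TLS_DEBUG build reads past its end for any longer record; the loop most likely should print the record data, `printf("%02X ",rec->input[z]);`, assuming `rec->input` is what the MAC covers. The commit makes `z` unsigned in three loops but leaves the `seq=` and `buf=` loops as `int`, which is harmless but inconsistent. Because the first loop prints the MAC secret, a comment that TLS_DEBUG must never be defined in production builds is worth adding next to the `#ifdef`.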