diff options
| author |   djm <djm@openbsd.org> | 2011-11-03 02:34:28 +0000 |
|---|---|---|
| committer | djm <djm@openbsd.org> | 2011-11-03 02:34:28 +0000 |
| commit | c32db552feb5310e2f4b27f02d313cfbf0b82a8a (patch) | |
| tree | b7b6074be11e20dcb5106c8a27f96bcb3fcdf5c2 /lib/libssl/src/ssl | |
| parent | import OpenSSL 1.0.0e (diff) | |
| download | wireguard-openbsd-c32db552feb5310e2f4b27f02d313cfbf0b82a8a.tar.xz wireguard-openbsd-c32db552feb5310e2f4b27f02d313cfbf0b82a8a.zip | |
openssl-1.0.0e: resolve conflicts
Diffstat (limited to 'lib/libssl/src/ssl')
| -rw-r--r-- | lib/libssl/src/ssl/bio_ssl.c | 4 | ||||
| -rw-r--r-- | lib/libssl/src/ssl/d1_clnt.c | 6 | ||||
| -rw-r--r-- | lib/libssl/src/ssl/d1_pkt.c | 22 | ||||
| -rw-r--r-- | lib/libssl/src/ssl/d1_srvr.c | 26 | ||||
| -rw-r--r-- | lib/libssl/src/ssl/s23_lib.c | 7 | ||||
| -rw-r--r-- | lib/libssl/src/ssl/s2_srvr.c | 7 | ||||
| -rw-r--r-- | lib/libssl/src/ssl/s3_clnt.c | 3 | ||||
| -rw-r--r-- | lib/libssl/src/ssl/s3_enc.c | 3 | ||||
| -rw-r--r-- | lib/libssl/src/ssl/s3_lib.c | 6 | ||||
| -rw-r--r-- | lib/libssl/src/ssl/s3_pkt.c | 6 | ||||
| -rw-r--r-- | lib/libssl/src/ssl/s3_srvr.c | 36 | ||||
| -rw-r--r-- | lib/libssl/src/ssl/ssl-lib.com | 295 | ||||
| -rw-r--r-- | lib/libssl/src/ssl/ssl_asn1.c | 3 | ||||
| -rw-r--r-- | lib/libssl/src/ssl/ssl_ciph.c | 6 | ||||
| -rw-r--r-- | lib/libssl/src/ssl/ssl_lib.c | 47 | ||||
| -rw-r--r-- | lib/libssl/src/ssl/ssltest.c | 3 | ||||
| -rw-r--r-- | lib/libssl/src/ssl/t1_enc.c | 14 | ||||
| -rw-r--r-- | lib/libssl/src/ssl/t1_lib.c | 20 |
18 files changed, 339 insertions, 175 deletions
diff --git a/lib/libssl/src/ssl/bio_ssl.c b/lib/libssl/src/ssl/bio_ssl.c index af319af302a..eedac8a3fcf 100644 --- a/lib/libssl/src/ssl/bio_ssl.c +++ b/lib/libssl/src/ssl/bio_ssl.c @@ -348,7 +348,11 @@ static long ssl_ctrl(BIO *b, int cmd, long num, void *ptr) break; case BIO_C_SET_SSL: if (ssl != NULL) + { ssl_free(b); + if (!ssl_new(b)) + return 0; + } b->shutdown=(int)num; ssl=(SSL *)ptr; ((BIO_SSL *)b->ptr)->ssl=ssl; diff --git a/lib/libssl/src/ssl/d1_clnt.c b/lib/libssl/src/ssl/d1_clnt.c index 5bc9eb6603f..089fa4c7f82 100644 --- a/lib/libssl/src/ssl/d1_clnt.c +++ b/lib/libssl/src/ssl/d1_clnt.c @@ -407,7 +407,8 @@ int dtls1_connect(SSL *s) case SSL3_ST_CW_CHANGE_A: case SSL3_ST_CW_CHANGE_B: - dtls1_start_timer(s); + if (!s->hit) + dtls1_start_timer(s); ret=dtls1_send_change_cipher_spec(s, SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B); if (ret <= 0) goto end; @@ -442,7 +443,8 @@ int dtls1_connect(SSL *s) case SSL3_ST_CW_FINISHED_A: case SSL3_ST_CW_FINISHED_B: - dtls1_start_timer(s); + if (!s->hit) + dtls1_start_timer(s); ret=dtls1_send_finished(s, SSL3_ST_CW_FINISHED_A,SSL3_ST_CW_FINISHED_B, s->method->ssl3_enc->client_finished_label, diff --git a/lib/libssl/src/ssl/d1_pkt.c b/lib/libssl/src/ssl/d1_pkt.c index a5439d544fb..39aac73e104 100644 --- a/lib/libssl/src/ssl/d1_pkt.c +++ b/lib/libssl/src/ssl/d1_pkt.c @@ -296,9 +296,6 @@ dtls1_process_buffered_records(SSL *s) item = pqueue_peek(s->d1->unprocessed_rcds.q); if (item) { - DTLS1_RECORD_DATA *rdata; - rdata = (DTLS1_RECORD_DATA *)item->data; - /* Check if epoch is current. */ if (s->d1->unprocessed_rcds.epoch != s->d1->r_epoch) return(1); /* Nothing to do. */ @@ -412,11 +409,12 @@ dtls1_process_record(SSL *s) enc_err = s->method->ssl3_enc->enc(s,0); if (enc_err <= 0) { - if (enc_err == 0) - /* SSLerr() and ssl3_send_alert() have been called */ - goto err; - - /* otherwise enc_err == -1 */ + /* decryption failed, silently discard message */ + if (enc_err < 0) + { + rr->length = 0; + s->packet_length = 0; + } goto err; } @@ -528,14 +526,12 @@ int dtls1_get_record(SSL *s) int ssl_major,ssl_minor; int i,n; SSL3_RECORD *rr; - SSL_SESSION *sess; unsigned char *p = NULL; unsigned short version; DTLS1_BITMAP *bitmap; unsigned int is_next_epoch; rr= &(s->s3->rrec); - sess=s->session; /* The epoch may have changed. If so, process all the * pending records. This is a non-blocking operation. */ @@ -662,10 +658,12 @@ again: /* If this record is from the next epoch (either HM or ALERT), * and a handshake is currently in progress, buffer it since it - * cannot be processed at this time. */ + * cannot be processed at this time. However, do not buffer + * anything while listening. + */ if (is_next_epoch) { - if (SSL_in_init(s) || s->in_handshake) + if ((SSL_in_init(s) || s->in_handshake) && !s->d1->listen) { dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num); } diff --git a/lib/libssl/src/ssl/d1_srvr.c b/lib/libssl/src/ssl/d1_srvr.c index 301ceda7a57..a6a4c87ea64 100644 --- a/lib/libssl/src/ssl/d1_srvr.c +++ b/lib/libssl/src/ssl/d1_srvr.c @@ -150,6 +150,7 @@ int dtls1_accept(SSL *s) unsigned long alg_k; int ret= -1; int new_state,state,skip=0; + int listen; RAND_add(&Time,sizeof(Time),0); ERR_clear_error(); @@ -159,11 +160,15 @@ int dtls1_accept(SSL *s) cb=s->info_callback; else if (s->ctx->info_callback != NULL) cb=s->ctx->info_callback; + + listen = s->d1->listen; /* init things to blank */ s->in_handshake++; if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); + s->d1->listen = listen; + if (s->cert == NULL) { SSLerr(SSL_F_DTLS1_ACCEPT,SSL_R_NO_CERTIFICATE_SET); @@ -273,11 +278,23 @@ int dtls1_accept(SSL *s) s->init_num=0; + /* Reflect ClientHello sequence to remain stateless while listening */ + if (listen) + { + memcpy(s->s3->write_sequence, s->s3->read_sequence, sizeof(s->s3->write_sequence)); + } + /* If we're just listening, stop here */ - if (s->d1->listen && s->state == SSL3_ST_SW_SRVR_HELLO_A) + if (listen && s->state == SSL3_ST_SW_SRVR_HELLO_A) { ret = 2; s->d1->listen = 0; + /* Set expected sequence numbers + * to continue the handshake. + */ + s->d1->handshake_read_seq = 2; + s->d1->handshake_write_seq = 1; + s->d1->next_handshake_write_seq = 1; goto end; } @@ -286,7 +303,6 @@ int dtls1_accept(SSL *s) case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A: case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B: - dtls1_start_timer(s); ret = dtls1_send_hello_verify_request(s); if ( ret <= 0) goto end; s->state=SSL3_ST_SW_FLUSH; @@ -736,9 +752,6 @@ int dtls1_send_hello_verify_request(SSL *s) /* number of bytes to write */ s->init_num=p-buf; s->init_off=0; - - /* buffer the message to handle re-xmits */ - dtls1_buffer_message(s, 0); } /* s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B */ @@ -1017,12 +1030,11 @@ int dtls1_send_server_key_exchange(SSL *s) SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB); goto err; } - if (!EC_KEY_up_ref(ecdhp)) + if ((ecdh = EC_KEY_dup(ecdhp)) == NULL) { SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB); goto err; } - ecdh = ecdhp; s->s3->tmp.ecdh=ecdh; if ((EC_KEY_get0_public_key(ecdh) == NULL) || diff --git a/lib/libssl/src/ssl/s23_lib.c b/lib/libssl/src/ssl/s23_lib.c index e3fce534304..3bf728318a4 100644 --- a/lib/libssl/src/ssl/s23_lib.c +++ b/lib/libssl/src/ssl/s23_lib.c @@ -92,15 +92,8 @@ const SSL_CIPHER *ssl23_get_cipher(unsigned int u) * available */ const SSL_CIPHER *ssl23_get_cipher_by_char(const unsigned char *p) { - SSL_CIPHER c; const SSL_CIPHER *cp; - unsigned long id; - int n; - n=ssl3_num_ciphers(); - id=0x03000000|((unsigned long)p[0]<<16L)| - ((unsigned long)p[1]<<8L)|(unsigned long)p[2]; - c.id=id; cp=ssl3_get_cipher_by_char(p); #ifndef OPENSSL_NO_SSL2 if (cp == NULL) diff --git a/lib/libssl/src/ssl/s2_srvr.c b/lib/libssl/src/ssl/s2_srvr.c index 1434e734dd0..bc885e8e7f6 100644 --- a/lib/libssl/src/ssl/s2_srvr.c +++ b/lib/libssl/src/ssl/s2_srvr.c @@ -403,13 +403,14 @@ static int get_client_master_key(SSL *s) p+=3; n2s(p,i); s->s2->tmp.clear=i; n2s(p,i); s->s2->tmp.enc=i; - n2s(p,i); s->session->key_arg_length=i; - if(s->session->key_arg_length > SSL_MAX_KEY_ARG_LENGTH) + n2s(p,i); + if(i > SSL_MAX_KEY_ARG_LENGTH) { ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_KEY_ARG_TOO_LONG); return -1; } + s->session->key_arg_length=i; s->state=SSL2_ST_GET_CLIENT_MASTER_KEY_B; } @@ -697,7 +698,6 @@ static int server_hello(SSL *s) { unsigned char *p,*d; int n,hit; - STACK_OF(SSL_CIPHER) *sk; p=(unsigned char *)s->init_buf->data; if (s->state == SSL2_ST_SEND_SERVER_HELLO_A) @@ -778,7 +778,6 @@ static int server_hello(SSL *s) /* lets send out the ciphers we like in the * prefered order */ - sk= s->session->ciphers; n=ssl_cipher_list_to_bytes(s,s->session->ciphers,d,0); d+=n; s2n(n,p); /* add cipher length */ diff --git a/lib/libssl/src/ssl/s3_clnt.c b/lib/libssl/src/ssl/s3_clnt.c index 8cc291b9228..50bd415b568 100644 --- a/lib/libssl/src/ssl/s3_clnt.c +++ b/lib/libssl/src/ssl/s3_clnt.c @@ -1511,6 +1511,7 @@ int ssl3_get_key_exchange(SSL *s) s->session->sess_cert->peer_ecdh_tmp=ecdh; ecdh=NULL; BN_CTX_free(bn_ctx); + bn_ctx = NULL; EC_POINT_free(srvr_ecpoint); srvr_ecpoint = NULL; } @@ -2242,6 +2243,7 @@ int ssl3_send_client_key_exchange(SSL *s) if (!DH_generate_key(dh_clnt)) { SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); + DH_free(dh_clnt); goto err; } @@ -2253,6 +2255,7 @@ int ssl3_send_client_key_exchange(SSL *s) if (n <= 0) { SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); + DH_free(dh_clnt); goto err; } diff --git a/lib/libssl/src/ssl/s3_enc.c b/lib/libssl/src/ssl/s3_enc.c index 3d7aec97a20..58386e1ba03 100644 --- a/lib/libssl/src/ssl/s3_enc.c +++ b/lib/libssl/src/ssl/s3_enc.c @@ -214,7 +214,7 @@ static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num) int ssl3_change_cipher_state(SSL *s, int which) { - unsigned char *p,*key_block,*mac_secret; + unsigned char *p,*mac_secret; unsigned char exp_key[EVP_MAX_KEY_LENGTH]; unsigned char exp_iv[EVP_MAX_IV_LENGTH]; unsigned char *ms,*key,*iv,*er1,*er2; @@ -239,7 +239,6 @@ int ssl3_change_cipher_state(SSL *s, int which) else comp=s->s3->tmp.new_compression->method; #endif - key_block=s->s3->tmp.key_block; if (which & SSL3_CC_READ) { diff --git a/lib/libssl/src/ssl/s3_lib.c b/lib/libssl/src/ssl/s3_lib.c index d6b047c9955..62c791cb724 100644 --- a/lib/libssl/src/ssl/s3_lib.c +++ b/lib/libssl/src/ssl/s3_lib.c @@ -2198,11 +2198,17 @@ void ssl3_clear(SSL *s) } #ifndef OPENSSL_NO_DH if (s->s3->tmp.dh != NULL) + { DH_free(s->s3->tmp.dh); + s->s3->tmp.dh = NULL; + } #endif #ifndef OPENSSL_NO_ECDH if (s->s3->tmp.ecdh != NULL) + { EC_KEY_free(s->s3->tmp.ecdh); + s->s3->tmp.ecdh = NULL; + } #endif rp = s->s3->rbuf.buf; diff --git a/lib/libssl/src/ssl/s3_pkt.c b/lib/libssl/src/ssl/s3_pkt.c index e3f6050a26a..f9b3629cf78 100644 --- a/lib/libssl/src/ssl/s3_pkt.c +++ b/lib/libssl/src/ssl/s3_pkt.c @@ -246,7 +246,8 @@ int ssl3_read_n(SSL *s, int n, int max, int extend) if (i <= 0) { rb->left = left; - if (s->mode & SSL_MODE_RELEASE_BUFFERS) + if (s->mode & SSL_MODE_RELEASE_BUFFERS && + SSL_version(s) != DTLS1_VERSION && SSL_version(s) != DTLS1_BAD_VER) if (len+left == 0) ssl3_release_read_buffer(s); return(i); @@ -846,7 +847,8 @@ int ssl3_write_pending(SSL *s, int type, const unsigned char *buf, { wb->left=0; wb->offset+=i; - if (s->mode & SSL_MODE_RELEASE_BUFFERS) + if (s->mode & SSL_MODE_RELEASE_BUFFERS && + SSL_version(s) != DTLS1_VERSION && SSL_version(s) != DTLS1_BAD_VER) ssl3_release_write_buffer(s); s->rwstate=SSL_NOTHING; return(s->s3->wpend_ret); diff --git a/lib/libssl/src/ssl/s3_srvr.c b/lib/libssl/src/ssl/s3_srvr.c index 61ee0a3e422..c3b5ff33ff8 100644 --- a/lib/libssl/src/ssl/s3_srvr.c +++ b/lib/libssl/src/ssl/s3_srvr.c @@ -768,9 +768,7 @@ int ssl3_check_client_hello(SSL *s) if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO) { /* Throw away what we have done so far in the current handshake, - * which will now be aborted. (A full SSL_clear would be too much.) - * I hope that tmp.dh is the only thing that may need to be cleared - * when a handshake is not completed ... */ + * which will now be aborted. (A full SSL_clear would be too much.) */ #ifndef OPENSSL_NO_DH if (s->s3->tmp.dh != NULL) { @@ -778,6 +776,13 @@ int ssl3_check_client_hello(SSL *s) s->s3->tmp.dh = NULL; } #endif +#ifndef OPENSSL_NO_ECDH + if (s->s3->tmp.ecdh != NULL) + { + EC_KEY_free(s->s3->tmp.ecdh); + s->s3->tmp.ecdh = NULL; + } +#endif return 2; } return 1; @@ -1491,7 +1496,6 @@ int ssl3_send_server_key_exchange(SSL *s) if (s->s3->tmp.dh != NULL) { - DH_free(dh); SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); goto err; } @@ -1552,7 +1556,6 @@ int ssl3_send_server_key_exchange(SSL *s) if (s->s3->tmp.ecdh != NULL) { - EC_KEY_free(s->s3->tmp.ecdh); SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); goto err; } @@ -1563,12 +1566,11 @@ int ssl3_send_server_key_exchange(SSL *s) SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB); goto err; } - if (!EC_KEY_up_ref(ecdhp)) + if ((ecdh = EC_KEY_dup(ecdhp)) == NULL) { SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB); goto err; } - ecdh = ecdhp; s->s3->tmp.ecdh=ecdh; if ((EC_KEY_get0_public_key(ecdh) == NULL) || @@ -1731,6 +1733,7 @@ int ssl3_send_server_key_exchange(SSL *s) (unsigned char *)encodedPoint, encodedlen); OPENSSL_free(encodedPoint); + encodedPoint = NULL; p += encodedlen; } #endif @@ -2440,6 +2443,12 @@ int ssl3_get_client_key_exchange(SSL *s) /* Get encoded point length */ i = *p; p += 1; + if (n != 1 + i) + { + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, + ERR_R_EC_LIB); + goto err; + } if (EC_POINT_oct2point(group, clnt_ecpoint, p, i, bn_ctx) == 0) { @@ -2584,12 +2593,19 @@ int ssl3_get_client_key_exchange(SSL *s) { int ret = 0; EVP_PKEY_CTX *pkey_ctx; - EVP_PKEY *client_pub_pkey = NULL; + EVP_PKEY *client_pub_pkey = NULL, *pk = NULL; unsigned char premaster_secret[32], *start; - size_t outlen=32, inlen; + size_t outlen=32, inlen; + unsigned long alg_a; /* Get our certificate private key*/ - pkey_ctx = EVP_PKEY_CTX_new(s->cert->key->privatekey,NULL); + alg_a = s->s3->tmp.new_cipher->algorithm_auth; + if (alg_a & SSL_aGOST94) + pk = s->cert->pkeys[SSL_PKEY_GOST94].privatekey; + else if (alg_a & SSL_aGOST01) + pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey; + + pkey_ctx = EVP_PKEY_CTX_new(pk,NULL); EVP_PKEY_decrypt_init(pkey_ctx); /* If client certificate is present and is of the same type, maybe * use it for key exchange. Don't mind errors from diff --git a/lib/libssl/src/ssl/ssl-lib.com b/lib/libssl/src/ssl/ssl-lib.com index c5ca9e1df71..180f3a2d883 100644 --- a/lib/libssl/src/ssl/ssl-lib.com +++ b/lib/libssl/src/ssl/ssl-lib.com @@ -42,11 +42,33 @@ $! SOCKETSHR for SOCKETSHR+NETLIB $! $! P5, if defined, sets a compiler thread NOT needed on OpenVMS 7.1 (and up) $! +$! P6, if defined, specifies the C pointer size. Ignored on VAX. +$! ("64=ARGV" gives more efficient code with HP C V7.3 or newer.) +$! Supported values are: +$! +$! "" Compile with default (/NOPOINTER_SIZE) +$! 32 Compile with /POINTER_SIZE=32 (SHORT) +$! 64 Compile with /POINTER_SIZE=64[=ARGV] (LONG[=ARGV]) +$! (Automatically select ARGV if compiler supports it.) +$! 64= Compile with /POINTER_SIZE=64 (LONG). +$! 64=ARGV Compile with /POINTER_SIZE=64=ARGV (LONG=ARGV). +$! +$! P7, if defined, specifies a directory where ZLIB files (zlib.h, +$! libz.olb) may be found. Optionally, a non-default object library +$! name may be included ("dev:[dir]libz_64.olb", for example). +$! +$! +$! Announce/identify. +$! +$ proc = f$environment( "procedure") +$ write sys$output "@@@ "+ - + f$parse( proc, , , "name")+ f$parse( proc, , , "type") $! $! Define A TCP/IP Library That We Will Need To Link To. $! (That Is, If We Need To Link To One.) $! $ TCPIP_LIB = "" +$ ZLIB_LIB = "" $! $! Check What Architecture We Are Using. $! @@ -70,17 +92,33 @@ $! End The Architecture Check. $! $ ENDIF $! -$! Define The OBJ Directory. +$ ARCHD = ARCH +$ LIB32 = "32" +$ OPT_FILE = "" +$ POINTER_SIZE = "" $! -$ OBJ_DIR := SYS$DISK:[-.'ARCH'.OBJ.SSL] +$! Check To Make Sure We Have Valid Command Line Parameters. $! -$! Define The EXE Directory. +$ GOSUB CHECK_OPTIONS $! -$ EXE_DIR := SYS$DISK:[-.'ARCH'.EXE.SSL] +$! Define The OBJ and EXE Directories. $! -$! Check To Make Sure We Have Valid Command Line Parameters. +$ OBJ_DIR := SYS$DISK:[-.'ARCHD'.OBJ.SSL] +$ EXE_DIR := SYS$DISK:[-.'ARCHD'.EXE.SSL] $! -$ GOSUB CHECK_OPTIONS +$! Specify the destination directory in any /MAP option. +$! +$ if (LINKMAP .eqs. "MAP") +$ then +$ LINKMAP = LINKMAP+ "=''EXE_DIR'" +$ endif +$! +$! Add the location prefix to the linker options file name. +$! +$ if (OPT_FILE .nes. "") +$ then +$ OPT_FILE = EXE_DIR+ OPT_FILE +$ endif $! $! Initialise logical names and such $! @@ -88,7 +126,7 @@ $ GOSUB INITIALISE $! $! Tell The User What Kind of Machine We Run On. $! -$ WRITE SYS$OUTPUT "Compiling On A ",ARCH," Machine." +$ WRITE SYS$OUTPUT "Host system architecture: ''ARCHD'" $! $! Check To See If The Architecture Specific OBJ Directory Exists. $! @@ -118,11 +156,15 @@ $ ENDIF $! $! Define The Library Name. $! -$ SSL_LIB := 'EXE_DIR'LIBSSL.OLB +$ SSL_LIB := 'EXE_DIR'SSL_LIBSSL'LIB32'.OLB $! $! Define The CRYPTO-LIB We Are To Use. $! -$ CRYPTO_LIB := SYS$DISK:[-.'ARCH'.EXE.CRYPTO]LIBCRYPTO.OLB +$ CRYPTO_LIB := SYS$DISK:[-.'ARCHD'.EXE.CRYPTO]SSL_LIBCRYPTO'LIB32'.OLB +$! +$! Set up exceptional compilations. +$! +$ CC5_SHOWN = 0 $! $! Check To See What We Are To Do. $! @@ -156,7 +198,7 @@ $! Compile The Library. $! $ LIBRARY: $! -$! Check To See If We Already Have A "[.xxx.EXE.SSL]LIBSSL.OLB" Library... +$! Check To See If We Already Have A "[.xxx.EXE.SSL]SSL_LIBSSL''LIB32'.OLB" Library... $! $ IF (F$SEARCH(SSL_LIB).EQS."") $ THEN @@ -182,6 +224,8 @@ $ LIB_SSL = "s2_meth,s2_srvr,s2_clnt,s2_lib,s2_enc,s2_pkt,"+ - "ssl_asn1,ssl_txt,ssl_algs,"+ - "bio_ssl,ssl_err,kssl,t1_reneg" $! +$ COMPILEWITH_CC5 = "" +$! $! Tell The User That We Are Compiling The Library. $! $ WRITE SYS$OUTPUT "Building The ",SSL_LIB," Library." @@ -295,42 +339,47 @@ $! End The SSL_TASK.C File Check. $! $ ENDIF $! +$ COMPILEWITH_CC5 = "" !!! ",ssl_task," +$! +$! Tell The User We Are Creating The SSL_TASK. +$! $! Tell The User We Are Creating The SSL_TASK. $! $ WRITE SYS$OUTPUT "Creating SSL_TASK OSU HTTP SSL Engine." $! +$! Tell The User What File We Are Compiling. +$! +$ FILE_NAME = "ssl_task" +$ WRITE SYS$OUTPUT " ",FILE_NAME,".c" +$! $! Compile The File. $! $ ON ERROR THEN GOTO SSL_TASK_END -$ CC5/OBJECT='OBJ_DIR'SSL_TASK.OBJ SYS$DISK:[]SSL_TASK.C $! -$! Link The Program. -$! Check To See If We Are To Link With A Specific TCP/IP Library. -$! -$ IF (TCPIP_LIB.NES."") +$ FILE_NAME0 = ","+ F$ELEMENT(0,".",FILE_NAME)+ "," +$ IF COMPILEWITH_CC5 - FILE_NAME0 .NES. COMPILEWITH_CC5 $ THEN -$! -$! Link With TCP/IP Library. -$! -$ LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR'SSL_TASK.EXE - - 'OBJ_DIR'SSL_TASK.OBJ, - - 'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY, - - 'TCPIP_LIB','OPT_FILE'/OPTION -$! -$! Else... -$! +$ if (.not. CC5_SHOWN) +$ then +$ CC5_SHOWN = 1 +$ write sys$output " \Using special rule (5)" +$ x = " "+ CC5 +$ write /symbol sys$output x +$ endif +$ CC5 /OBJECT='OBJ_DIR''FILE_NAME'.OBJ SYS$DISK:[]'FILE_NAME'.C $ ELSE +$ CC /OBJECT='OBJ_DIR''FILE_NAME'.OBJ SYS$DISK:[]'FILE_NAME'.C +$ ENDIF $! -$! Don't Link With TCP/IP Library. -$! -$ LINK/'DEBUGGER'/'TRACEBACK'/EXE='EXE_DIR'SSL_TASK.EXE - - 'OBJ_DIR'SSL_TASK.OBJ,- - 'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY, - - 'OPT_FILE'/OPTION -$! -$! End The TCP/IP Library Check. +$! Link The Program. $! -$ ENDIF +$ LINK /'DEBUGGER' /'LINKMAP' /'TRACEBACK' /EXE='EXE_DIR'SSL_TASK.EXE - + 'OBJ_DIR'SSL_TASK.OBJ, - + 'SSL_LIB'/LIBRARY, - + 'CRYPTO_LIB'/LIBRARY - + 'TCPIP_LIB' - + 'ZLIB_LIB' - + ,'OPT_FILE' /OPTIONS $! $! Time To Return. $! @@ -356,7 +405,7 @@ $! $ CREATE 'OPT_FILE' $DECK ! -! Default System Options File To Link Agianst +! Default System Options File To Link Against ! The Sharable VAX C Runtime Library. ! SYS$SHARE:VAXCRTL.EXE/SHARE @@ -385,7 +434,7 @@ $! $ CREATE 'OPT_FILE' $DECK ! -! Default System Options File To Link Agianst +! Default System Options File To Link Against ! The Sharable C Runtime Library. ! GNU_CC:[000000]GCCLIB/LIBRARY @@ -420,7 +469,7 @@ $! $ CREATE 'OPT_FILE' $DECK ! -! Default System Options File To Link Agianst +! Default System Options File To Link Against ! The Sharable DEC C Runtime Library. ! SYS$SHARE:DECC$SHR.EXE/SHARE @@ -435,7 +484,7 @@ $! $ CREATE 'OPT_FILE' $DECK ! -! Default System Options File For non-VAX To Link Agianst +! Default System Options File For non-VAX To Link Against ! The Sharable C Runtime Library. ! SYS$SHARE:CMA$OPEN_LIB_SHR/SHARE @@ -548,8 +597,8 @@ $ WRITE SYS$OUTPUT " SSL_TASK : To Compile Just The [.xxx.EXE.SSL]SSL_TA $ WRITE SYS$OUTPUT "" $ WRITE SYS$OUTPUT " Where 'xxx' Stands For:" $ WRITE SYS$OUTPUT "" -$ WRITE SYS$OUTPUT " ALPHA : Alpha Architecture." -$ WRITE SYS$OUTPUT " IA64 : IA64 Architecture." +$ WRITE SYS$OUTPUT " ALPHA[64]: Alpha Architecture." +$ WRITE SYS$OUTPUT " IA64[64] : IA64 Architecture." $ WRITE SYS$OUTPUT " VAX : VAX Architecture." $ WRITE SYS$OUTPUT "" $! @@ -570,14 +619,15 @@ $! $ IF (P2.EQS."NODEBUG") $ THEN $! -$! P2 Is NODEBUG, So Compile Without Debugger Information. +$! P2 Is NODEBUG, So Compile Without Debugger Information. $! -$ DEBUGGER = "NODEBUG" -$ TRACEBACK = "NOTRACEBACK" -$ GCC_OPTIMIZE = "OPTIMIZE" -$ CC_OPTIMIZE = "OPTIMIZE" -$ WRITE SYS$OUTPUT "No Debugger Information Will Be Produced During Compile." -$ WRITE SYS$OUTPUT "Compiling With Compiler Optimization." +$ DEBUGGER = "NODEBUG" +$ LINKMAP = "NOMAP" +$ TRACEBACK = "NOTRACEBACK" +$ GCC_OPTIMIZE = "OPTIMIZE" +$ CC_OPTIMIZE = "OPTIMIZE" +$ WRITE SYS$OUTPUT "No Debugger Information Will Be Produced During Compile." +$ WRITE SYS$OUTPUT "Compiling With Compiler Optimization." $! $! Else... $! @@ -591,6 +641,7 @@ $! $! Compile With Debugger Information. $! $ DEBUGGER = "DEBUG" +$ LINKMAP = "MAP" $ TRACEBACK = "TRACEBACK" $ GCC_OPTIMIZE = "NOOPTIMIZE" $ CC_OPTIMIZE = "NOOPTIMIZE" @@ -598,7 +649,7 @@ $ WRITE SYS$OUTPUT "Debugger Information Will Be Produced During Compile." $ WRITE SYS$OUTPUT "Compiling Without Compiler Optimization." $ ELSE $! -$! Tell The User Entered An Invalid Option.. +$! Tell The User Entered An Invalid Option. $! $ WRITE SYS$OUTPUT "" $ WRITE SYS$OUTPUT "The Option ",P2," Is Invalid. The Valid Options Are:" @@ -653,6 +704,59 @@ $! End The P5 Check. $! $ ENDIF $! +$! Check P6 (POINTER_SIZE). +$! +$ IF (P6 .NES. "") .AND. (ARCH .NES. "VAX") +$ THEN +$! +$ IF (P6 .EQS. "32") +$ THEN +$ POINTER_SIZE = " /POINTER_SIZE=32" +$ ELSE +$ POINTER_SIZE = F$EDIT( P6, "COLLAPSE, UPCASE") +$ IF ((POINTER_SIZE .EQS. "64") .OR. - + (POINTER_SIZE .EQS. "64=") .OR. - + (POINTER_SIZE .EQS. "64=ARGV")) +$ THEN +$ ARCHD = ARCH+ "_64" +$ LIB32 = "" +$ POINTER_SIZE = " /POINTER_SIZE=64" +$ ELSE +$! +$! Tell The User Entered An Invalid Option. +$! +$ WRITE SYS$OUTPUT "" +$ WRITE SYS$OUTPUT "The Option ", P6, - + " Is Invalid. The Valid Options Are:" +$ WRITE SYS$OUTPUT "" +$ WRITE SYS$OUTPUT - + " """" : Compile with default (short) pointers." +$ WRITE SYS$OUTPUT - + " 32 : Compile with 32-bit (short) pointers." +$ WRITE SYS$OUTPUT - + " 64 : Compile with 64-bit (long) pointers (auto ARGV)." +$ WRITE SYS$OUTPUT - + " 64= : Compile with 64-bit (long) pointers (no ARGV)." +$ WRITE SYS$OUTPUT - + " 64=ARGV : Compile with 64-bit (long) pointers (ARGV)." +$ WRITE SYS$OUTPUT "" +$! +$! Time To EXIT. +$! +$ EXIT +$! +$ ENDIF +$! +$ ENDIF +$! +$! End The P6 (POINTER_SIZE) Check. +$! +$ ENDIF +$! +$! Set basic C compiler /INCLUDE directories. +$! +$ CC_INCLUDES = "SYS$DISK:[-.CRYPTO],SYS$DISK:[-]" +$! $! Check To See If P3 Is Blank. $! $ IF (P3.EQS."") @@ -753,11 +857,64 @@ $ CCDEFS = "TCPIP_TYPE_''P4'" $ IF F$TYPE(USER_CCDEFS) .NES. "" THEN CCDEFS = CCDEFS + "," + USER_CCDEFS $ CCEXTRAFLAGS = "" $ IF F$TYPE(USER_CCFLAGS) .NES. "" THEN CCEXTRAFLAGS = USER_CCFLAGS -$ CCDISABLEWARNINGS = "LONGLONGTYPE,LONGLONGSUFX,FOUNDCR" +$ CCDISABLEWARNINGS = "" !!! "LONGLONGTYPE,LONGLONGSUFX,FOUNDCR" $ IF F$TYPE(USER_CCDISABLEWARNINGS) .NES. "" THEN - CCDISABLEWARNINGS = CCDISABLEWARNINGS + "," + USER_CCDISABLEWARNINGS $! -$! Check To See If The User Entered A Valid Paramter. +$! Check To See If We Have A ZLIB Option. +$! +$ ZLIB = P7 +$ IF (ZLIB .NES. "") +$ THEN +$! +$! Check for expected ZLIB files. +$! +$ err = 0 +$ file1 = f$parse( "zlib.h", ZLIB, , , "SYNTAX_ONLY") +$ if (f$search( file1) .eqs. "") +$ then +$ WRITE SYS$OUTPUT "" +$ WRITE SYS$OUTPUT "The Option ", ZLIB, " Is Invalid." +$ WRITE SYS$OUTPUT " Can't find header: ''file1'" +$ err = 1 +$ endif +$ file1 = f$parse( "A.;", ZLIB)- "A.;" +$! +$ file2 = f$parse( ZLIB, "libz.olb", , , "SYNTAX_ONLY") +$ if (f$search( file2) .eqs. "") +$ then +$ if (err .eq. 0) +$ then +$ WRITE SYS$OUTPUT "" +$ WRITE SYS$OUTPUT "The Option ", ZLIB, " Is Invalid." +$ endif +$ WRITE SYS$OUTPUT " Can't find library: ''file2'" +$ WRITE SYS$OUTPUT "" +$ err = err+ 2 +$ endif +$ if (err .eq. 1) +$ then +$ WRITE SYS$OUTPUT "" +$ endif +$! +$ if (err .ne. 0) +$ then +$ EXIT +$ endif +$! +$ CCDEFS = """ZLIB=1"", "+ CCDEFS +$ CC_INCLUDES = CC_INCLUDES+ ", "+ file1 +$ ZLIB_LIB = ", ''file2' /library" +$! +$! Print info +$! +$ WRITE SYS$OUTPUT "ZLIB library spec: ", file2 +$! +$! End The ZLIB Check. +$! +$ ENDIF +$! +$! Check To See If The User Entered A Valid Parameter. $! $ IF (P3.EQS."VAXC").OR.(P3.EQS."DECC").OR.(P3.EQS."GNUC") $ THEN @@ -780,13 +937,13 @@ $! $ CC = "CC" $ IF ARCH.EQS."VAX" .AND. F$TRNLNM("DECC$CC_DEFAULT").NES."/DECC" - THEN CC = "CC/DECC" -$ CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/STANDARD=ANSI89" + - - "/NOLIST/PREFIX=ALL" + - - "/INCLUDE=(SYS$DISK:[-.CRYPTO],SYS$DISK:[-])" + CCEXTRAFLAGS +$ CC = CC + " /''CC_OPTIMIZE' /''DEBUGGER' /STANDARD=RELAXED"+ - + "''POINTER_SIZE' /NOLIST /PREFIX=ALL" + - + " /INCLUDE=(''CC_INCLUDES') " + CCEXTRAFLAGS $! $! Define The Linker Options File Name. $! -$ OPT_FILE = "''EXE_DIR'VAX_DECC_OPTIONS.OPT" +$ OPT_FILE = "VAX_DECC_OPTIONS.OPT" $! $! End DECC Check. $! @@ -815,7 +972,7 @@ $ EXIT $ ENDIF $ IF F$TRNLNM("DECC$CC_DEFAULT").EQS."/DECC" THEN CC = "CC/VAXC" $ CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/NOLIST" + - - "/INCLUDE=(SYS$DISK:[-.CRYPTO],SYS$DISK:[-])" + CCEXTRAFLAGS + "/INCLUDE=(''CC_INCLUDES')" + CCEXTRAFLAGS $ CCDEFS = CCDEFS + ",""VAXC""" $! $! Define <sys> As SYS$COMMON:[SYSLIB] @@ -824,7 +981,7 @@ $ DEFINE/NOLOG SYS SYS$COMMON:[SYSLIB] $! $! Define The Linker Options File Name. $! -$ OPT_FILE = "''EXE_DIR'VAX_VAXC_OPTIONS.OPT" +$ OPT_FILE = "VAX_VAXC_OPTIONS.OPT" $! $! End VAXC Check $! @@ -847,11 +1004,11 @@ $! Use GNU C... $! $ IF F$TYPE(GCC) .EQS. "" THEN GCC := GCC $ CC = GCC+"/NOCASE_HACK/''GCC_OPTIMIZE'/''DEBUGGER'/NOLIST" + - - "/INCLUDE=(SYS$DISK:[-.CRYPTO],SYS$DISK:[-])" + CCEXTRAFLAGS + "/INCLUDE=(''CC_INCLUDES')" + CCEXTRAFLAGS $! $! Define The Linker Options File Name. $! -$ OPT_FILE = "''EXE_DIR'VAX_GNUC_OPTIONS.OPT" +$ OPT_FILE = "VAX_GNUC_OPTIONS.OPT" $! $! End The GNU C Check. $! @@ -870,16 +1027,16 @@ $ THEN $ CC4DISABLEWARNINGS = "DOLLARID" $ ELSE $ CC4DISABLEWARNINGS = CCDISABLEWARNINGS + ",DOLLARID" -$ CCDISABLEWARNINGS = "/WARNING=(DISABLE=(" + CCDISABLEWARNINGS + "))" +$ CCDISABLEWARNINGS = " /WARNING=(DISABLE=(" + CCDISABLEWARNINGS + "))" $ ENDIF -$ CC4DISABLEWARNINGS = "/WARNING=(DISABLE=(" + CC4DISABLEWARNINGS + "))" +$ CC4DISABLEWARNINGS = " /WARNING=(DISABLE=(" + CC4DISABLEWARNINGS + "))" $ ELSE $ CCDISABLEWARNINGS = "" $ CC4DISABLEWARNINGS = "" $ ENDIF -$ CC2 = CC + "/DEFINE=(" + CCDEFS + ",_POSIX_C_SOURCE)" + CCDISABLEWARNINGS -$ CC3 = CC + "/DEFINE=(" + CCDEFS + ISSEVEN + ")" + CCDISABLEWARNINGS -$ CC = CC + "/DEFINE=(" + CCDEFS + ")" + CCDISABLEWARNINGS +$ CC2 = CC + " /DEFINE=(" + CCDEFS + ",_POSIX_C_SOURCE)" + CCDISABLEWARNINGS +$ CC3 = CC + " /DEFINE=(" + CCDEFS + ISSEVEN + ")" + CCDISABLEWARNINGS +$ CC = CC + " /DEFINE=(" + CCDEFS + ")" + CCDISABLEWARNINGS $ IF COMPILER .EQS. "DECC" $ THEN $ CC4 = CC - CCDISABLEWARNINGS + CC4DISABLEWARNINGS @@ -925,7 +1082,7 @@ $ THEN $! $! Set the library to use SOCKETSHR $! -$ TCPIP_LIB = "SYS$DISK:[-.VMS]SOCKETSHR_SHR.OPT/OPT" +$ TCPIP_LIB = ",SYS$DISK:[-.VMS]SOCKETSHR_SHR.OPT /OPTIONS" $! $! Done with SOCKETSHR $! @@ -951,13 +1108,13 @@ $ THEN $! $! Set the library to use UCX. $! -$ TCPIP_LIB = "SYS$DISK:[-.VMS]UCX_SHR_DECC.OPT/OPT" +$ TCPIP_LIB = ",SYS$DISK:[-.VMS]UCX_SHR_DECC.OPT /OPTIONS" $ IF F$TRNLNM("UCX$IPC_SHR") .NES. "" $ THEN -$ TCPIP_LIB = "SYS$DISK:[-.VMS]UCX_SHR_DECC_LOG.OPT/OPT" +$ TCPIP_LIB = ",SYS$DISK:[-.VMS]UCX_SHR_DECC_LOG.OPT /OPTIONS" $ ELSE $ IF COMPILER .NES. "DECC" .AND. ARCH .EQS. "VAX" THEN - - TCPIP_LIB = "SYS$DISK:[-.VMS]UCX_SHR_VAXC.OPT/OPT" + TCPIP_LIB = ",SYS$DISK:[-.VMS]UCX_SHR_VAXC.OPT /OPTIONS" $ ENDIF $! $! Done with UCX @@ -971,7 +1128,7 @@ $ THEN $! $! Set the library to use TCPIP (post UCX). $! -$ TCPIP_LIB = "SYS$DISK:[-.VMS]TCPIP_SHR_DECC.OPT/OPT" +$ TCPIP_LIB = ",SYS$DISK:[-.VMS]TCPIP_SHR_DECC.OPT /OPTIONS" $! $! Done with TCPIP $! @@ -992,7 +1149,7 @@ $ ENDIF $! $! Print info $! -$ WRITE SYS$OUTPUT "TCP/IP library spec: ", TCPIP_LIB +$ WRITE SYS$OUTPUT "TCP/IP library spec: ", TCPIP_LIB- "," $! $! Else The User Entered An Invalid Argument. $! diff --git a/lib/libssl/src/ssl/ssl_asn1.c b/lib/libssl/src/ssl/ssl_asn1.c index 28709978b53..d7f4c6087e3 100644 --- a/lib/libssl/src/ssl/ssl_asn1.c +++ b/lib/libssl/src/ssl/ssl_asn1.c @@ -357,7 +357,7 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length) { - int version,ssl_version=0,i; + int ssl_version=0,i; long id; ASN1_INTEGER ai,*aip; ASN1_OCTET_STRING os,*osp; @@ -371,7 +371,6 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, ai.data=NULL; ai.length=0; M_ASN1_D2I_get_x(ASN1_INTEGER,aip,d2i_ASN1_INTEGER); - version=(int)ASN1_INTEGER_get(aip); if (ai.data != NULL) { OPENSSL_free(ai.data); ai.data=NULL; ai.length=0; } /* we don't care about the version right now :-) */ diff --git a/lib/libssl/src/ssl/ssl_ciph.c b/lib/libssl/src/ssl/ssl_ciph.c index bee3507ea18..a8ce186b783 100644 --- a/lib/libssl/src/ssl/ssl_ciph.c +++ b/lib/libssl/src/ssl/ssl_ciph.c @@ -1027,7 +1027,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str, const SSL_CIPHER **ca_list) { unsigned long alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, algo_strength; - const char *l, *start, *buf; + const char *l, *buf; int j, multi, found, rule, retval, ok, buflen; unsigned long cipher_id = 0; char ch; @@ -1064,7 +1064,6 @@ static int ssl_cipher_process_rulestr(const char *rule_str, alg_ssl = 0; algo_strength = 0; - start=l; for (;;) { ch = *l; @@ -1456,7 +1455,7 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) int is_export,pkl,kl; const char *ver,*exp_str; const char *kx,*au,*enc,*mac; - unsigned long alg_mkey,alg_auth,alg_enc,alg_mac,alg_ssl,alg2,alg_s; + unsigned long alg_mkey,alg_auth,alg_enc,alg_mac,alg_ssl,alg2; #ifdef KSSL_DEBUG static const char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s AL=%lx/%lx/%lx/%lx/%lx\n"; #else @@ -1469,7 +1468,6 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) alg_mac = cipher->algorithm_mac; alg_ssl = cipher->algorithm_ssl; - alg_s=cipher->algo_strength; alg2=cipher->algorithm2; is_export=SSL_C_IS_EXPORT(cipher); diff --git a/lib/libssl/src/ssl/ssl_lib.c b/lib/libssl/src/ssl/ssl_lib.c index 497515f9ec4..a3c9309488a 100644 --- a/lib/libssl/src/ssl/ssl_lib.c +++ b/lib/libssl/src/ssl/ssl_lib.c @@ -1830,7 +1830,7 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) #endif X509 *x = NULL; EVP_PKEY *ecc_pkey = NULL; - int signature_nid = 0; + int signature_nid = 0, pk_nid = 0, md_nid = 0; if (c == NULL) return; @@ -1960,18 +1960,15 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) EVP_PKEY_bits(ecc_pkey) : 0; EVP_PKEY_free(ecc_pkey); if ((x->sig_alg) && (x->sig_alg->algorithm)) + { signature_nid = OBJ_obj2nid(x->sig_alg->algorithm); + OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid); + } #ifndef OPENSSL_NO_ECDH if (ecdh_ok) { - const char *sig = OBJ_nid2ln(signature_nid); - if (sig == NULL) - { - ERR_clear_error(); - sig = "unknown"; - } - - if (strstr(sig, "WithRSA")) + + if (pk_nid == NID_rsaEncryption || pk_nid == NID_rsa) { mask_k|=SSL_kECDHr; mask_a|=SSL_aECDH; @@ -1982,7 +1979,7 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) } } - if (signature_nid == NID_ecdsa_with_SHA1) + if (pk_nid == NID_X9_62_id_ecPublicKey) { mask_k|=SSL_kECDHe; mask_a|=SSL_aECDH; @@ -2036,7 +2033,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs) unsigned long alg_k, alg_a; EVP_PKEY *pkey = NULL; int keysize = 0; - int signature_nid = 0; + int signature_nid = 0, md_nid = 0, pk_nid = 0; alg_k = cs->algorithm_mkey; alg_a = cs->algorithm_auth; @@ -2054,7 +2051,10 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs) /* This call populates the ex_flags field correctly */ X509_check_purpose(x, -1, 0); if ((x->sig_alg) && (x->sig_alg->algorithm)) + { signature_nid = OBJ_obj2nid(x->sig_alg->algorithm); + OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid); + } if (alg_k & SSL_kECDHe || alg_k & SSL_kECDHr) { /* key usage, if present, must allow key agreement */ @@ -2066,7 +2066,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs) if (alg_k & SSL_kECDHe) { /* signature alg must be ECDSA */ - if (signature_nid != NID_ecdsa_with_SHA1) + if (pk_nid != NID_X9_62_id_ecPublicKey) { SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE); return 0; @@ -2076,13 +2076,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs) { /* signature alg must be RSA */ - const char *sig = OBJ_nid2ln(signature_nid); - if (sig == NULL) - { - ERR_clear_error(); - sig = "unknown"; - } - if (strstr(sig, "WithRSA") == NULL) + if (pk_nid != NID_rsaEncryption && pk_nid != NID_rsa) { SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE); return 0; @@ -2107,23 +2101,12 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs) /* THIS NEEDS CLEANING UP */ X509 *ssl_get_server_send_cert(SSL *s) { - unsigned long alg_k,alg_a,mask_k,mask_a; + unsigned long alg_k,alg_a; CERT *c; - int i,is_export; + int i; c=s->cert; ssl_set_cert_masks(c, s->s3->tmp.new_cipher); - is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); - if (is_export) - { - mask_k = c->export_mask_k; - mask_a = c->export_mask_a; - } - else - { - mask_k = c->mask_k; - mask_a = c->mask_a; - } alg_k = s->s3->tmp.new_cipher->algorithm_mkey; alg_a = s->s3->tmp.new_cipher->algorithm_auth; diff --git a/lib/libssl/src/ssl/ssltest.c b/lib/libssl/src/ssl/ssltest.c index 1d8ba372bcc..08c90478f48 100644 --- a/lib/libssl/src/ssl/ssltest.c +++ b/lib/libssl/src/ssl/ssltest.c @@ -1432,7 +1432,6 @@ int doit(SSL *s_ssl, SSL *c_ssl, long count) BIO *c_bio=NULL; BIO *s_bio=NULL; int c_r,c_w,s_r,s_w; - int c_want,s_want; int i,j; int done=0; int c_write,s_write; @@ -1467,8 +1466,6 @@ int doit(SSL *s_ssl, SSL *c_ssl, long count) c_r=0; s_r=1; c_w=1; s_w=0; - c_want=W_WRITE; - s_want=0; c_write=1,s_write=0; /* We can always do writes */ diff --git a/lib/libssl/src/ssl/t1_enc.c b/lib/libssl/src/ssl/t1_enc.c index 9719541f2b4..793ea43e902 100644 --- a/lib/libssl/src/ssl/t1_enc.c +++ b/lib/libssl/src/ssl/t1_enc.c @@ -157,7 +157,7 @@ static int tls1_P_hash(const EVP_MD *md, const unsigned char *sec, const void *seed5, int seed5_len, unsigned char *out, int olen) { - int chunk,n; + int chunk; unsigned int j; HMAC_CTX ctx; HMAC_CTX ctx_tmp; @@ -187,7 +187,6 @@ static int tls1_P_hash(const EVP_MD *md, const unsigned char *sec, if (!HMAC_Final(&ctx,A1,&A1_len)) goto err; - n=0; for (;;) { if (!HMAC_Init_ex(&ctx,NULL,0,NULL,NULL)) /* re-init */ @@ -309,13 +308,13 @@ static int tls1_generate_key_block(SSL *s, unsigned char *km, int tls1_change_cipher_state(SSL *s, int which) { static const unsigned char empty[]=""; - unsigned char *p,*key_block,*mac_secret; + unsigned char *p,*mac_secret; unsigned char *exp_label; unsigned char tmp1[EVP_MAX_KEY_LENGTH]; unsigned char tmp2[EVP_MAX_KEY_LENGTH]; unsigned char iv1[EVP_MAX_IV_LENGTH*2]; unsigned char iv2[EVP_MAX_IV_LENGTH*2]; - unsigned char *ms,*key,*iv,*er1,*er2; + unsigned char *ms,*key,*iv; int client_write; EVP_CIPHER_CTX *dd; const EVP_CIPHER *c; @@ -337,7 +336,6 @@ int tls1_change_cipher_state(SSL *s, int which) #ifndef OPENSSL_NO_COMP comp=s->s3->tmp.new_compression; #endif - key_block=s->s3->tmp.key_block; #ifdef KSSL_DEBUG printf("tls1_change_cipher_state(which= %d) w/\n", which); @@ -448,8 +446,6 @@ int tls1_change_cipher_state(SSL *s, int which) cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl; /* Was j=(exp)?5:EVP_CIPHER_key_length(c); */ k=EVP_CIPHER_iv_length(c); - er1= &(s->s3->client_random[0]); - er2= &(s->s3->server_random[0]); if ( (which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || (which == SSL3_CHANGE_CIPHER_SERVER_READ)) { @@ -880,7 +876,7 @@ int tls1_final_finish_mac(SSL *s, int tls1_mac(SSL *ssl, unsigned char *md, int send) { SSL3_RECORD *rec; - unsigned char *mac_sec,*seq; + unsigned char *seq; EVP_MD_CTX *hash; size_t md_size; int i; @@ -892,14 +888,12 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send) if (send) { rec= &(ssl->s3->wrec); - mac_sec= &(ssl->s3->write_mac_secret[0]); seq= &(ssl->s3->write_sequence[0]); hash=ssl->write_hash; } else { rec= &(ssl->s3->rrec); - mac_sec= &(ssl->s3->read_mac_secret[0]); seq= &(ssl->s3->read_sequence[0]); hash=ssl->read_hash; } diff --git a/lib/libssl/src/ssl/t1_lib.c b/lib/libssl/src/ssl/t1_lib.c index 0baa70663aa..85371c87b8e 100644 --- a/lib/libssl/src/ssl/t1_lib.c +++ b/lib/libssl/src/ssl/t1_lib.c @@ -1013,9 +1013,9 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) { + unsigned short length; unsigned short type; unsigned short size; - unsigned short len; unsigned char *data = *p; int tlsext_servername = 0; int renegotiate_seen = 0; @@ -1023,7 +1023,12 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in if (data >= (d+n-2)) goto ri_check; - n2s(data,len); + n2s(data,length); + if (data+length != d+n) + { + *al = SSL_AD_DECODE_ERROR; + return 0; + } while(data <= (d+n-4)) { @@ -1453,23 +1458,20 @@ int ssl_check_serverhello_tlsext(SSL *s) int al = SSL_AD_UNRECOGNIZED_NAME; #ifndef OPENSSL_NO_EC - /* If we are client and using an elliptic curve cryptography cipher suite, then server - * must return a an EC point formats lists containing uncompressed. + /* If we are client and using an elliptic curve cryptography cipher + * suite, then if server returns an EC point formats lists extension + * it must contain uncompressed. */ unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth; if ((s->tlsext_ecpointformatlist != NULL) && (s->tlsext_ecpointformatlist_length > 0) && + (s->session->tlsext_ecpointformatlist != NULL) && (s->session->tlsext_ecpointformatlist_length > 0) && ((alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a & SSL_aECDSA))) { /* we are using an ECC cipher */ size_t i; unsigned char *list; int found_uncompressed = 0; - if ((s->session->tlsext_ecpointformatlist == NULL) || (s->session->tlsext_ecpointformatlist_length == 0)) - { - SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST); - return -1; - } list = s->session->tlsext_ecpointformatlist; for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) { |