summaryrefslogtreecommitdiffstats
path: root/crypto/openssl/ssl
diff options
context:
space:
mode:
authornectar <nectar@FreeBSD.org>2003-10-01 12:32:41 +0000
committernectar <nectar@FreeBSD.org>2003-10-01 12:32:41 +0000
commitee25ce74b3f6742c1079590363995e56ff51b014 (patch)
tree69b3ffc611270d72c473248fe700c2942eb5e6b5 /crypto/openssl/ssl
parent5d79b842c13e718f85a9f2e1676e361b6fc55367 (diff)
downloadFreeBSD-src-ee25ce74b3f6742c1079590363995e56ff51b014.zip
FreeBSD-src-ee25ce74b3f6742c1079590363995e56ff51b014.tar.gz
Vendor import of OpenSSL 0.9.7c
Diffstat (limited to 'crypto/openssl/ssl')
-rw-r--r--crypto/openssl/ssl/kssl.c36
-rw-r--r--crypto/openssl/ssl/kssl.h2
-rw-r--r--crypto/openssl/ssl/s3_clnt.c1
-rw-r--r--crypto/openssl/ssl/s3_srvr.c15
-rw-r--r--crypto/openssl/ssl/ssl_ciph.c7
-rw-r--r--crypto/openssl/ssl/ssl_lib.c5
-rw-r--r--crypto/openssl/ssl/ssl_rsa.c4
-rw-r--r--crypto/openssl/ssl/ssl_sess.c4
-rw-r--r--crypto/openssl/ssl/ssltest.c3
9 files changed, 54 insertions, 23 deletions
diff --git a/crypto/openssl/ssl/kssl.c b/crypto/openssl/ssl/kssl.c
index 327b92f..7c45f8f 100644
--- a/crypto/openssl/ssl/kssl.c
+++ b/crypto/openssl/ssl/kssl.c
@@ -70,6 +70,7 @@
#define _XOPEN_SOURCE /* glibc2 needs this to declare strptime() */
#include <time.h>
+#undef _XOPEN_SOURCE /* To avoid clashes with anything else... */
#include <string.h>
#include <openssl/ssl.h>
@@ -1495,8 +1496,9 @@ kssl_sget_tkt( /* UPDATE */ KSSL_CTX *kssl_ctx,
"bad ticket from krb5_rd_req.\n");
}
else if (kssl_ctx_setprinc(kssl_ctx, KSSL_CLIENT,
- &krb5ticket->enc_part2->client->realm,
- krb5ticket->enc_part2->client->data))
+ &krb5ticket->enc_part2->client->realm,
+ krb5ticket->enc_part2->client->data,
+ krb5ticket->enc_part2->client->length))
{
kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET,
"kssl_ctx_setprinc() fails.\n");
@@ -1563,16 +1565,17 @@ kssl_ctx_free(KSSL_CTX *kssl_ctx)
}
-/* Given a (krb5_data *) entity (and optional realm),
+/* Given an array of (krb5_data *) entity (and optional realm),
** set the plain (char *) client_princ or service_host member
** of the kssl_ctx struct.
*/
krb5_error_code
kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which,
- krb5_data *realm, krb5_data *entity)
+ krb5_data *realm, krb5_data *entity, int nentities)
{
char **princ;
int length;
+ int i;
if (kssl_ctx == NULL || entity == NULL) return KSSL_CTX_ERR;
@@ -1584,18 +1587,33 @@ kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which,
}
if (*princ) free(*princ);
- length = entity->length + ((realm)? realm->length + 2: 1);
+ /* Add up all the entity->lengths */
+ length = 0;
+ for (i=0; i < nentities; i++)
+ {
+ length += entity[i].length;
+ }
+ /* Add in space for the '/' character(s) (if any) */
+ length += nentities-1;
+ /* Space for the ('@'+realm+NULL | NULL) */
+ length += ((realm)? realm->length + 2: 1);
+
if ((*princ = calloc(1, length)) == NULL)
return KSSL_CTX_ERR;
else
- {
- strncpy(*princ, entity->data, entity->length);
- (*princ)[entity->length]='\0';
+ {
+ for (i = 0; i < nentities; i++)
+ {
+ strncat(*princ, entity[i].data, entity[i].length);
+ if (i < nentities-1)
+ {
+ strcat (*princ, "/");
+ }
+ }
if (realm)
{
strcat (*princ, "@");
(void) strncat(*princ, realm->data, realm->length);
- (*princ)[entity->length+1+realm->length]='\0';
}
}
diff --git a/crypto/openssl/ssl/kssl.h b/crypto/openssl/ssl/kssl.h
index cf7ebdd..19a689b 100644
--- a/crypto/openssl/ssl/kssl.h
+++ b/crypto/openssl/ssl/kssl.h
@@ -149,7 +149,7 @@ KSSL_CTX *kssl_ctx_new(void);
KSSL_CTX *kssl_ctx_free(KSSL_CTX *kssl_ctx);
void kssl_ctx_show(KSSL_CTX *kssl_ctx);
krb5_error_code kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which,
- krb5_data *realm, krb5_data *entity);
+ krb5_data *realm, krb5_data *entity, int nentities);
krb5_error_code kssl_cget_tkt(KSSL_CTX *kssl_ctx, krb5_data **enc_tktp,
krb5_data *authenp, KSSL_ERR *kssl_err);
krb5_error_code kssl_sget_tkt(KSSL_CTX *kssl_ctx, krb5_data *indata,
diff --git a/crypto/openssl/ssl/s3_clnt.c b/crypto/openssl/ssl/s3_clnt.c
index fae8ead..eb7daeb 100644
--- a/crypto/openssl/ssl/s3_clnt.c
+++ b/crypto/openssl/ssl/s3_clnt.c
@@ -1769,6 +1769,7 @@ static int ssl3_send_client_verify(SSL *s)
*(d++)=SSL3_MT_CERTIFICATE_VERIFY;
l2n3(n,d);
+ s->state=SSL3_ST_CW_CERT_VRFY_B;
s->init_num=(int)n+4;
s->init_off=0;
}
diff --git a/crypto/openssl/ssl/s3_srvr.c b/crypto/openssl/ssl/s3_srvr.c
index df40032..881f68b 100644
--- a/crypto/openssl/ssl/s3_srvr.c
+++ b/crypto/openssl/ssl/s3_srvr.c
@@ -431,10 +431,11 @@ int ssl3_accept(SSL *s)
if (ret == 2)
s->state = SSL3_ST_SR_CLNT_HELLO_C;
else {
- /* could be sent for a DH cert, even if we
- * have not asked for it :-) */
- ret=ssl3_get_client_certificate(s);
- if (ret <= 0) goto end;
+ if (s->s3->tmp.cert_request)
+ {
+ ret=ssl3_get_client_certificate(s);
+ if (ret <= 0) goto end;
+ }
s->init_num=0;
s->state=SSL3_ST_SR_KEY_EXCH_A;
}
@@ -844,6 +845,9 @@ static int ssl3_get_client_hello(SSL *s)
}
/* TLS does not mind if there is extra stuff */
+#if 0 /* SSL 3.0 does not mind either, so we should disable this test
+ * (was enabled in 0.9.6d through 0.9.6j and 0.9.7 through 0.9.7b,
+ * in earlier SSLeay/OpenSSL releases this test existed but was buggy) */
if (s->version == SSL3_VERSION)
{
if (p < (d+n))
@@ -855,6 +859,7 @@ static int ssl3_get_client_hello(SSL *s)
goto f_err;
}
}
+#endif
/* Given s->session->ciphers and SSL_get_ciphers, we must
* pick a cipher */
@@ -1352,6 +1357,7 @@ static int ssl3_send_certificate_request(SSL *s)
s->init_num += 4;
#endif
+ s->state = SSL3_ST_SW_CERT_REQ_B;
}
/* SSL3_ST_SW_CERT_REQ_B */
@@ -1472,7 +1478,6 @@ static int ssl3_get_client_key_exchange(SSL *s)
* made up by the adversary is properly formatted except
* that the version number is wrong. To avoid such attacks,
* we should treat this just like any other decryption error. */
- p[0] = (char)(int) "CAN-2003-0131 patch 2003-03-19";
}
}
diff --git a/crypto/openssl/ssl/ssl_ciph.c b/crypto/openssl/ssl/ssl_ciph.c
index c72be89..888b667 100644
--- a/crypto/openssl/ssl/ssl_ciph.c
+++ b/crypto/openssl/ssl/ssl_ciph.c
@@ -668,13 +668,14 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
* So additionally check whether the cipher name found
* has the correct length. We can save a strlen() call:
* just checking for the '\0' at the right place is
- * sufficient, we have to strncmp() anyway.
+ * sufficient, we have to strncmp() anyway. (We cannot
+ * use strcmp(), because buf is not '\0' terminated.)
*/
j = found = 0;
while (ca_list[j])
{
- if ((ca_list[j]->name[buflen] == '\0') &&
- !strncmp(buf, ca_list[j]->name, buflen))
+ if (!strncmp(buf, ca_list[j]->name, buflen) &&
+ (ca_list[j]->name[buflen] == '\0'))
{
found = 1;
break;
diff --git a/crypto/openssl/ssl/ssl_lib.c b/crypto/openssl/ssl/ssl_lib.c
index ddd8114..6d69890 100644
--- a/crypto/openssl/ssl/ssl_lib.c
+++ b/crypto/openssl/ssl/ssl_lib.c
@@ -473,6 +473,11 @@ void SSL_free(SSL *s)
if (s->method != NULL) s->method->ssl_free(s);
+#ifndef OPENSSL_NO_KRB5
+ if (s->kssl_ctx != NULL)
+ kssl_ctx_free(s->kssl_ctx);
+#endif /* OPENSSL_NO_KRB5 */
+
OPENSSL_free(s);
}
diff --git a/crypto/openssl/ssl/ssl_rsa.c b/crypto/openssl/ssl/ssl_rsa.c
index 03828b6..3303905 100644
--- a/crypto/openssl/ssl/ssl_rsa.c
+++ b/crypto/openssl/ssl/ssl_rsa.c
@@ -207,7 +207,7 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
ok=1;
else
#endif
- if (!X509_check_private_key(c->pkeys[i].x509,pkey))
+ if (!X509_check_private_key(c->pkeys[i].x509,pkey))
{
if ((i == SSL_PKEY_DH_RSA) || (i == SSL_PKEY_DH_DSA))
{
@@ -241,6 +241,8 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
return(0);
}
+ ERR_clear_error(); /* make sure no error from X509_check_private_key()
+ * is left if we have chosen to ignore it */
if (c->pkeys[i].privatekey != NULL)
EVP_PKEY_free(c->pkeys[i].privatekey);
CRYPTO_add(&pkey->references,1,CRYPTO_LOCK_EVP_PKEY);
diff --git a/crypto/openssl/ssl/ssl_sess.c b/crypto/openssl/ssl/ssl_sess.c
index fbc30b9..fabcdef 100644
--- a/crypto/openssl/ssl/ssl_sess.c
+++ b/crypto/openssl/ssl/ssl_sess.c
@@ -79,11 +79,11 @@ SSL_SESSION *SSL_get1_session(SSL *ssl)
/* Need to lock this all up rather than just use CRYPTO_add so that
* somebody doesn't free ssl->session between when we check it's
* non-null and when we up the reference count. */
- CRYPTO_r_lock(CRYPTO_LOCK_SSL_SESSION);
+ CRYPTO_w_lock(CRYPTO_LOCK_SSL_SESSION);
sess = ssl->session;
if(sess)
sess->references++;
- CRYPTO_r_unlock(CRYPTO_LOCK_SSL_SESSION);
+ CRYPTO_w_unlock(CRYPTO_LOCK_SSL_SESSION);
return(sess);
}
diff --git a/crypto/openssl/ssl/ssltest.c b/crypto/openssl/ssl/ssltest.c
index 42b6f1f..42289c2 100644
--- a/crypto/openssl/ssl/ssltest.c
+++ b/crypto/openssl/ssl/ssltest.c
@@ -142,7 +142,6 @@
#ifdef OPENSSL_SYS_WINDOWS
#include <winsock.h>
-#include "../crypto/bio/bss_file.c"
#else
#include OPENSSL_UNISTD
#endif
@@ -291,7 +290,7 @@ static void lock_dbg_cb(int mode, int type, const char *file, int line)
goto err;
}
- if (type < 0 || type > CRYPTO_NUM_LOCKS)
+ if (type < 0 || type >= CRYPTO_NUM_LOCKS)
{
errstr = "type out of bounds";
goto err;
OpenPOWER on IntegriCloud