diff options
| author | kris <kris@FreeBSD.org> | 2000-04-13 07:15:03 +0000 |
|---|---|---|
| committer | kris <kris@FreeBSD.org> | 2000-04-13 07:15:03 +0000 |
| commit | 6b5aa791691598fc101d47b4b016e597d4e604c4 (patch) | |
| tree | 6c76d880ce419c2a70941c0634805027ea31fc80 /crypto/openssl/ssl | |
| parent | 254febffb998a2a1fd6e6be57dcb73d57335fa14 (diff) | |
| download | FreeBSD-src-6b5aa791691598fc101d47b4b016e597d4e604c4.zip FreeBSD-src-6b5aa791691598fc101d47b4b016e597d4e604c4.tar.gz | |
Resolve conflicts.
Diffstat (limited to 'crypto/openssl/ssl')
| -rw-r--r-- | crypto/openssl/ssl/s23_clnt.c | 13 | ||||
| -rw-r--r-- | crypto/openssl/ssl/s23_lib.c | 9 | ||||
| -rw-r--r-- | crypto/openssl/ssl/s23_srvr.c | 132 | ||||
| -rw-r--r-- | crypto/openssl/ssl/s2_clnt.c | 75 | ||||
| -rw-r--r-- | crypto/openssl/ssl/s2_enc.c | 8 | ||||
| -rw-r--r-- | crypto/openssl/ssl/s2_lib.c | 98 | ||||
| -rw-r--r-- | crypto/openssl/ssl/s2_meth.c | 8 | ||||
| -rw-r--r-- | crypto/openssl/ssl/s2_pkt.c | 8 | ||||
| -rw-r--r-- | crypto/openssl/ssl/s2_srvr.c | 21 |
9 files changed, 267 insertions, 105 deletions
diff --git a/crypto/openssl/ssl/s23_clnt.c b/crypto/openssl/ssl/s23_clnt.c index a5eca37..c6b2323 100644 --- a/crypto/openssl/ssl/s23_clnt.c +++ b/crypto/openssl/ssl/s23_clnt.c @@ -106,7 +106,7 @@ int ssl23_connect(SSL *s) int ret= -1; int new_state,state; - RAND_seed(&Time,sizeof(Time)); + RAND_add(&Time,sizeof(Time),0); ERR_clear_error(); clear_sys_error(); @@ -226,7 +226,7 @@ static int ssl23_client_hello(SSL *s) #endif p=s->s3->client_random; - RAND_bytes(p,SSL3_RANDOM_SIZE); + RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE); /* Do the message type and length last */ d= &(buf[2]); @@ -287,7 +287,7 @@ static int ssl23_client_hello(SSL *s) i=ch_len; s2n(i,d); memset(&(s->s3->client_random[0]),0,SSL3_RANDOM_SIZE); - RAND_bytes(&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i); + RAND_pseudo_bytes(&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i); memcpy(p,&(s->s3->client_random[SSL3_RANDOM_SIZE-i]),i); p+=i; @@ -311,7 +311,7 @@ static int ssl23_get_server_hello(SSL *s) { char buf[8]; unsigned char *p; - int i,ch_len; + int i; int n; n=ssl23_read_bytes(s,7); @@ -325,12 +325,13 @@ static int ssl23_get_server_hello(SSL *s) (p[5] == 0x00) && (p[6] == 0x02)) { #ifdef NO_SSL2 - SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_PROTOCOL); - goto err; + SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_PROTOCOL); + goto err; #else /* we are talking sslv2 */ /* we need to clean up the SSLv3 setup and put in the * sslv2 stuff. */ + int ch_len; if (s->options & SSL_OP_NO_SSLv2) { diff --git a/crypto/openssl/ssl/s23_lib.c b/crypto/openssl/ssl/s23_lib.c index 5e029d1..bc77e84 100644 --- a/crypto/openssl/ssl/s23_lib.c +++ b/crypto/openssl/ssl/s23_lib.c @@ -69,7 +69,7 @@ static int ssl23_write(SSL *s, const void *buf, int len); static long ssl23_default_timeout(void ); static int ssl23_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p); static SSL_CIPHER *ssl23_get_cipher_by_char(const unsigned char *p); -char *SSL23_version_str="SSLv2/3 compatibility" OPENSSL_VERSION_PTEXT; +const char *SSL23_version_str="SSLv2/3 compatibility" OPENSSL_VERSION_PTEXT; static SSL_METHOD SSLv23_data= { TLS1_VERSION, @@ -94,6 +94,9 @@ static SSL_METHOD SSLv23_data= { ssl_bad_method, ssl23_default_timeout, &ssl3_undef_enc_method, + ssl_undefined_function, + ssl3_callback_ctrl, + ssl3_ctx_callback_ctrl, }; static long ssl23_default_timeout(void) @@ -110,9 +113,9 @@ static int ssl23_num_ciphers(void) { return(ssl3_num_ciphers() #ifndef NO_SSL2 - +ssl2_num_ciphers() + + ssl2_num_ciphers() #endif - ); + ); } static SSL_CIPHER *ssl23_get_cipher(unsigned int u) diff --git a/crypto/openssl/ssl/s23_srvr.c b/crypto/openssl/ssl/s23_srvr.c index b4836c1..c1c2e9d 100644 --- a/crypto/openssl/ssl/s23_srvr.c +++ b/crypto/openssl/ssl/s23_srvr.c @@ -105,7 +105,7 @@ int ssl23_accept(SSL *s) int ret= -1; int new_state,state; - RAND_seed(&Time,sizeof(Time)); + RAND_add(&Time,sizeof(Time),0); ERR_clear_error(); clear_sys_error(); @@ -190,23 +190,39 @@ end: int ssl23_get_client_hello(SSL *s) { - char buf_space[8]; + char buf_space[11]; /* Request this many bytes in initial read. + * We can detect SSL 3.0/TLS 1.0 Client Hellos + * ('type == 3') correctly only when the following + * is in a single record, which is not guaranteed by + * the protocol specification: + * Byte Content + * 0 type \ + * 1/2 version > record header + * 3/4 length / + * 5 msg_type \ + * 6-8 length > Client Hello message + * 9/10 client_version / + */ char *buf= &(buf_space[0]); unsigned char *p,*d,*dd; unsigned int i; unsigned int csl,sil,cl; - int n=0,j,tls1=0; - int type=0,use_sslv2_strong=0; + int n=0,j; + int type=0; int v[2]; +#ifndef NO_RSA + int use_sslv2_strong=0; +#endif - /* read the initial header */ - v[0]=v[1]=0; if (s->state == SSL23_ST_SR_CLNT_HELLO_A) { + /* read the initial header */ + v[0]=v[1]=0; + if (!ssl3_setup_buffers(s)) goto err; - n=ssl23_read_bytes(s,7); - if (n != 7) return(n); /* n == -1 || n == 0 */ + n=ssl23_read_bytes(s, sizeof buf_space); + if (n != sizeof buf_space) return(n); /* n == -1 || n == 0 */ p=s->packet; @@ -214,7 +230,9 @@ int ssl23_get_client_hello(SSL *s) if ((p[0] & 0x80) && (p[2] == SSL2_MT_CLIENT_HELLO)) { - /* SSLv2 header */ + /* + * SSLv2 header + */ if ((p[3] == 0x00) && (p[4] == 0x02)) { v[0]=p[3]; v[1]=p[4]; @@ -230,11 +248,14 @@ int ssl23_get_client_hello(SSL *s) { if (!(s->options & SSL_OP_NO_TLSv1)) { - tls1=1; + s->version=TLS1_VERSION; + /* type=2; */ /* done later to survive restarts */ s->state=SSL23_ST_SR_CLNT_HELLO_B; } else if (!(s->options & SSL_OP_NO_SSLv3)) { + s->version=SSL3_VERSION; + /* type=2; */ s->state=SSL23_ST_SR_CLNT_HELLO_B; } else if (!(s->options & SSL_OP_NO_SSLv2)) @@ -243,12 +264,26 @@ int ssl23_get_client_hello(SSL *s) } } else if (!(s->options & SSL_OP_NO_SSLv3)) + { + s->version=SSL3_VERSION; + /* type=2; */ s->state=SSL23_ST_SR_CLNT_HELLO_B; + } else if (!(s->options & SSL_OP_NO_SSLv2)) type=1; if (s->options & SSL_OP_NON_EXPORT_FIRST) + /* Not only utterly confusing, but broken + * ('fractured programming'?) -- the details + * of this block nearly make it work + * as intended in this environment, but on one + * of the fine points (w.r.t. restarts) it fails. + * The obvious fix would be even more devastating + * to program structure; if you want the functionality, + * throw this away and implement it in a way + * that makes sense */ { +#if 0 STACK_OF(SSL_CIPHER) *sk; SSL_CIPHER *c; int ne2,ne3; @@ -298,27 +333,51 @@ int ssl23_get_client_hello(SSL *s) goto next_bit; } } +#else + SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_OPTION); + goto err; +#endif } } } else if ((p[0] == SSL3_RT_HANDSHAKE) && (p[1] == SSL3_VERSION_MAJOR) && - (p[5] == SSL3_MT_CLIENT_HELLO)) + (p[5] == SSL3_MT_CLIENT_HELLO) && + ((p[3] == 0 && p[4] < 5 /* silly record length? */) + || (p[9] == p[1]))) { - v[0]=p[1]; v[1]=p[2]; - /* true SSLv3 or tls1 */ - if (p[2] >= TLS1_VERSION_MINOR) + /* + * SSLv3 or tls1 header + */ + + v[0]=p[1]; /* major version */ + /* We must look at client_version inside the Client Hello message + * to get the correct minor version: */ + v[1]=p[10]; + /* However if we have only a pathologically small fragment of the + * Client Hello message, we simply use the version from the + * record header -- this is incorrect but unlikely to fail in + * practice */ + if (p[3] == 0 && p[4] < 6) + v[1]=p[2]; + if (v[1] >= TLS1_VERSION_MINOR) { if (!(s->options & SSL_OP_NO_TLSv1)) { + s->version=TLS1_VERSION; type=3; - tls1=1; } else if (!(s->options & SSL_OP_NO_SSLv3)) + { + s->version=SSL3_VERSION; type=3; + } } else if (!(s->options & SSL_OP_NO_SSLv3)) + { + s->version=SSL3_VERSION; type=3; + } } else if ((strncmp("GET ", (char *)p,4) == 0) || (strncmp("POST ",(char *)p,5) == 0) || @@ -335,12 +394,16 @@ int ssl23_get_client_hello(SSL *s) } } -next_bit: if (s->state == SSL23_ST_SR_CLNT_HELLO_B) { - /* we have a SSLv3/TLSv1 in a SSLv2 header */ + /* we have SSLv3/TLSv1 in an SSLv2 header + * (other cases skip this state) */ + type=2; p=s->packet; + v[0] = p[3]; /* == SSL3_VERSION_MAJOR */ + v[1] = p[4]; + n=((p[0]&0x7f)<<8)|p[1]; if (n > (1024*4)) { @@ -365,14 +428,11 @@ next_bit: goto err; } - *(d++)=SSL3_VERSION_MAJOR; - if (tls1) - *(d++)=TLS1_VERSION_MINOR; - else - *(d++)=SSL3_VERSION_MINOR; + *(d++) = SSL3_VERSION_MAJOR; /* == v[0] */ + *(d++) = v[1]; /* lets populate the random area */ - /* get the chalenge_length */ + /* get the challenge_length */ i=(cl > SSL3_RANDOM_SIZE)?SSL3_RANDOM_SIZE:cl; memset(d,0,SSL3_RANDOM_SIZE); memcpy(&(d[SSL3_RANDOM_SIZE-i]),&(p[csl+sil]),i); @@ -406,11 +466,14 @@ next_bit: s->s3->tmp.message_size=i; } + /* imaginary new state (for program structure): */ + /* s->state = SSL23_SR_CLNT_HELLO_C */ + if (type == 1) { #ifdef NO_SSL2 - SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNKNOWN_PROTOCOL); - goto err; + SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL); + goto err; #else /* we are talking sslv2 */ /* we need to clean up the SSLv3/TLSv1 setup and put in the @@ -439,7 +502,7 @@ next_bit: else s->s2->ssl2_rollback=1; - /* setup the 5 bytes we have read so we get them from + /* setup the n bytes we have read so we get them from * the sslv2 buffer */ s->rstate=SSL_ST_READ_HEADER; s->packet_length=n; @@ -455,7 +518,7 @@ next_bit: if ((type == 2) || (type == 3)) { - /* we have SSLv3/TLSv1 */ + /* we have SSLv3/TLSv1 (type 2: SSL2 style, type 3: SSL3/TLS style) */ if (!ssl_init_wbio_buffer(s,1)) goto err; @@ -480,17 +543,13 @@ next_bit: s->s3->rbuf.offset=0; } - if (tls1) - { - s->version=TLS1_VERSION; - s->method=TLSv1_server_method(); - } + if (s->version == TLS1_VERSION) + s->method = TLSv1_server_method(); else - { - s->version=SSL3_VERSION; - s->method=SSLv3_server_method(); - } + s->method = SSLv3_server_method(); +#if 0 /* ssl3_get_client_hello does this */ s->client_version=(v[0]<<8)|v[1]; +#endif s->handshake_func=s->method->ssl_accept; } @@ -509,4 +568,3 @@ err: if (buf != buf_space) Free(buf); return(-1); } - diff --git a/crypto/openssl/ssl/s2_clnt.c b/crypto/openssl/ssl/s2_clnt.c index 74d76be..5781f98 100644 --- a/crypto/openssl/ssl/s2_clnt.c +++ b/crypto/openssl/ssl/s2_clnt.c @@ -58,12 +58,12 @@ * $FreeBSD$ */ +#include "ssl_locl.h" #ifndef NO_SSL2 #include <stdio.h> #include <openssl/rand.h> #include <openssl/buffer.h> #include <openssl/objects.h> -#include "ssl_locl.h" #include <openssl/evp.h> static SSL_METHOD *ssl2_get_client_method(int ver); @@ -110,7 +110,7 @@ int ssl2_connect(SSL *s) void (*cb)()=NULL; int new_state,state; - RAND_seed(&l,sizeof(l)); + RAND_add(&l,sizeof(l),0); ERR_clear_error(); clear_sys_error(); @@ -247,7 +247,7 @@ int ssl2_connect(SSL *s) /* ERR_clear_error();*/ /* If we want to cache session-ids in the client - * and we sucessfully add the session-id to the + * and we successfully add the session-id to the * cache, and there is a callback, then pass it out. * 26/11/96 - eay - only add if not a re-used session. */ @@ -312,7 +312,13 @@ static int get_server_hello(SSL *s) SSL_R_PEER_ERROR); return(-1); } +#ifdef __APPLE_CC__ + /* The Rhapsody 5.5 (a.k.a. MacOS X) compiler bug + * workaround. <appro@fy.chalmers.se> */ + s->hit=(i=*(p++))?1:0; +#else s->hit=(*(p++))?1:0; +#endif s->s2->tmp.cert_type= *(p++); n2s(p,i); if (i < s->version) s->version=i; @@ -364,7 +370,7 @@ static int get_server_hello(SSL *s) */ #endif - /* we need to do this incase we were trying to reuse a + /* we need to do this in case we were trying to reuse a * client session but others are already reusing it. * If this was a new 'blank' session ID, the session-id * length will still be 0 */ @@ -414,7 +420,7 @@ static int get_server_hello(SSL *s) /* In theory we could have ciphers sent back that we * don't want to use but that does not matter since we - * will check against the list we origionally sent and + * will check against the list we originally sent and * for performance reasons we should not bother to match * the two lists up just to check. */ for (i=0; i<sk_SSL_CIPHER_num(cl); i++) @@ -431,26 +437,28 @@ static int get_server_hello(SSL *s) return(-1); } s->session->cipher=sk_SSL_CIPHER_value(cl,i); - } - if (s->session->peer != NULL) - X509_free(s->session->peer); - -#if 0 /* What is all this meant to accomplish?? */ - /* hmmm, can we have the problem of the other session with this - * cert, Free's it before we increment the reference count. */ - CRYPTO_w_lock(CRYPTO_LOCK_X509); - s->session->peer=s->session->sess_cert->key->x509; - /* Shouldn't do this: already locked */ - /*CRYPTO_add(&s->session->peer->references,1,CRYPTO_LOCK_X509);*/ - s->session->peer->references++; - CRYPTO_w_unlock(CRYPTO_LOCK_X509); -#else - s->session->peer = s->session->sess_cert->peer_key->x509; - /* peer_key->x509 has been set by ssl2_set_certificate. */ - CRYPTO_add(&s->session->peer->references, 1, CRYPTO_LOCK_X509); -#endif + if (s->session->peer != NULL) /* can't happen*/ + { + ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); + SSLerr(SSL_F_GET_SERVER_HELLO, SSL_R_INTERNAL_ERROR); + return(-1); + } + + s->session->peer = s->session->sess_cert->peer_key->x509; + /* peer_key->x509 has been set by ssl2_set_certificate. */ + CRYPTO_add(&s->session->peer->references, 1, CRYPTO_LOCK_X509); + } + + if (s->session->peer != s->session->sess_cert->peer_key->x509) + /* can't happen */ + { + ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); + SSLerr(SSL_F_GET_SERVER_HELLO, SSL_R_INTERNAL_ERROR); + return(-1); + } + s->s2->conn_id_length=s->s2->tmp.conn_id_length; memcpy(s->s2->conn_id,p,s->s2->tmp.conn_id_length); return(1); @@ -511,7 +519,7 @@ static int client_hello(SSL *s) s->s2->challenge_length=SSL2_CHALLENGE_LENGTH; s2n(SSL2_CHALLENGE_LENGTH,p); /* challenge length */ /*challenge id data*/ - RAND_bytes(s->s2->challenge,SSL2_CHALLENGE_LENGTH); + RAND_pseudo_bytes(s->s2->challenge,SSL2_CHALLENGE_LENGTH); memcpy(d,s->s2->challenge,SSL2_CHALLENGE_LENGTH); d+=SSL2_CHALLENGE_LENGTH; @@ -553,12 +561,19 @@ static int client_master_key(SSL *s) /* make key_arg data */ i=EVP_CIPHER_iv_length(c); sess->key_arg_length=i; - if (i > 0) RAND_bytes(sess->key_arg,i); + if (i > 0) RAND_pseudo_bytes(sess->key_arg,i); /* make a master key */ i=EVP_CIPHER_key_length(c); sess->master_key_length=i; - if (i > 0) RAND_bytes(sess->master_key,i); + if (i > 0) + { + if (RAND_bytes(sess->master_key,i) <= 0) + { + ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); + return(-1); + } + } if (sess->cipher->algorithm2 & SSL2_CF_8_BYTE_ENC) enc=8; @@ -755,7 +770,7 @@ static int client_certificate(SSL *s) { /* this is not good. If things have failed it * means there so something wrong with the key. - * We will contiune with a 0 length signature + * We will continue with a 0 length signature */ } memset(&ctx,0,sizeof(ctx)); @@ -970,4 +985,10 @@ end: EVP_PKEY_free(pkey); return(i); } +#else /* !NO_SSL2 */ + +# if PEDANTIC +static void *dummy=&dummy; +# endif + #endif diff --git a/crypto/openssl/ssl/s2_enc.c b/crypto/openssl/ssl/s2_enc.c index b3b2218..204acd7 100644 --- a/crypto/openssl/ssl/s2_enc.c +++ b/crypto/openssl/ssl/s2_enc.c @@ -58,10 +58,9 @@ * $FreeBSD$ */ +#include "ssl_locl.h" #ifndef NO_SSL2 - #include <stdio.h> -#include "ssl_locl.h" int ssl2_enc_init(SSL *s, int client) { @@ -181,5 +180,10 @@ void ssl2_mac(SSL *s, unsigned char *md, int send) EVP_DigestFinal(&c,md,NULL); /* some would say I should zero the md context */ } +#else /* !NO_SSL2 */ + +# if PEDANTIC +static void *dummy=&dummy; +# endif #endif diff --git a/crypto/openssl/ssl/s2_lib.c b/crypto/openssl/ssl/s2_lib.c index c0ed7ec..8230f3b 100644 --- a/crypto/openssl/ssl/s2_lib.c +++ b/crypto/openssl/ssl/s2_lib.c @@ -58,12 +58,12 @@ * $FreeBSD$ */ +#include "ssl_locl.h" #ifndef NO_SSL2 #include <stdio.h> #include <openssl/rsa.h> #include <openssl/objects.h> #include <openssl/md5.h> -#include "ssl_locl.h" static long ssl2_default_timeout(void ); const char *ssl2_version_str="SSLv2" OPENSSL_VERSION_PTEXT; @@ -77,9 +77,12 @@ OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[]={ 1, SSL2_TXT_NULL_WITH_MD5, SSL2_CK_NULL_WITH_MD5, - SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5|SSL_EXP40|SSL_SSLV2, + SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5|SSL_SSLV2, + SSL_EXPORT|SSL_EXP40, + 0, 0, SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, }, #endif /* RC4_128_EXPORT40_WITH_MD5 */ @@ -87,63 +90,91 @@ OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[]={ 1, SSL2_TXT_RC4_128_EXPORT40_WITH_MD5, SSL2_CK_RC4_128_EXPORT40_WITH_MD5, - SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_EXP40|SSL_SSLV2, + SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_SSLV2, + SSL_EXPORT|SSL_EXP40, SSL2_CF_5_BYTE_ENC, + 40, + 128, SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, }, /* RC4_128_WITH_MD5 */ { 1, SSL2_TXT_RC4_128_WITH_MD5, SSL2_CK_RC4_128_WITH_MD5, - SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_NOT_EXP|SSL_SSLV2|SSL_MEDIUM, + SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_SSLV2, + SSL_NOT_EXP|SSL_MEDIUM, 0, + 128, + 128, SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, }, /* RC2_128_CBC_EXPORT40_WITH_MD5 */ { 1, SSL2_TXT_RC2_128_CBC_EXPORT40_WITH_MD5, SSL2_CK_RC2_128_CBC_EXPORT40_WITH_MD5, - SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_EXP40|SSL_SSLV2, + SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_SSLV2, + SSL_EXPORT|SSL_EXP40, SSL2_CF_5_BYTE_ENC, + 40, + 128, SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, }, /* RC2_128_CBC_WITH_MD5 */ { 1, SSL2_TXT_RC2_128_CBC_WITH_MD5, SSL2_CK_RC2_128_CBC_WITH_MD5, - SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_NOT_EXP|SSL_SSLV2|SSL_MEDIUM, + SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5|SSL_SSLV2, + SSL_NOT_EXP|SSL_MEDIUM, 0, + 128, + 128, SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, }, /* IDEA_128_CBC_WITH_MD5 */ { 1, SSL2_TXT_IDEA_128_CBC_WITH_MD5, SSL2_CK_IDEA_128_CBC_WITH_MD5, - SSL_kRSA|SSL_aRSA|SSL_IDEA|SSL_MD5|SSL_NOT_EXP|SSL_SSLV2|SSL_MEDIUM, + SSL_kRSA|SSL_aRSA|SSL_IDEA|SSL_MD5|SSL_SSLV2, + SSL_NOT_EXP|SSL_MEDIUM, 0, + 128, + 128, SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, }, /* DES_64_CBC_WITH_MD5 */ { 1, SSL2_TXT_DES_64_CBC_WITH_MD5, SSL2_CK_DES_64_CBC_WITH_MD5, - SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5|SSL_NOT_EXP|SSL_SSLV2|SSL_LOW, + SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5|SSL_SSLV2, + SSL_NOT_EXP|SSL_LOW, 0, + 56, + 56, SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, }, /* DES_192_EDE3_CBC_WITH_MD5 */ { 1, SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5, SSL2_CK_DES_192_EDE3_CBC_WITH_MD5, - SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5|SSL_NOT_EXP|SSL_SSLV2|SSL_HIGH, + SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5|SSL_SSLV2, + SSL_NOT_EXP|SSL_HIGH, 0, + 168, + 168, SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, }, /* RC4_64_WITH_MD5 */ #if 1 @@ -151,9 +182,13 @@ OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[]={ 1, SSL2_TXT_RC4_64_WITH_MD5, SSL2_CK_RC4_64_WITH_MD5, - SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_SSLV2|SSL_LOW, + SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5|SSL_SSLV2, + SSL_NOT_EXP|SSL_LOW, SSL2_CF_8_BYTE_ENC, + 64, + 64, SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, }, #endif /* NULL SSLeay (testing) */ @@ -163,7 +198,11 @@ OPENSSL_GLOBAL SSL_CIPHER ssl2_ciphers[]={ SSL2_TXT_NULL, SSL2_CK_NULL, 0, + 0, + 0, + 0, SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, }, #endif @@ -193,6 +232,9 @@ static SSL_METHOD SSLv2_data= { ssl_bad_method, ssl2_default_timeout, &ssl3_undef_enc_method, + ssl_undefined_function, + ssl2_callback_ctrl, /* local */ + ssl2_ctx_callback_ctrl, /* local */ }; static long ssl2_default_timeout(void) @@ -225,14 +267,14 @@ int ssl2_pending(SSL *s) int ssl2_new(SSL *s) { - SSL2_CTX *s2; + SSL2_STATE *s2; - if ((s2=(SSL2_CTX *)Malloc(sizeof(SSL2_CTX))) == NULL) goto err; - memset(s2,0,sizeof(SSL2_CTX)); + if ((s2=Malloc(sizeof *s2)) == NULL) goto err; + memset(s2,0,sizeof *s2); - if ((s2->rbuf=(unsigned char *)Malloc( + if ((s2->rbuf=Malloc( SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+2)) == NULL) goto err; - if ((s2->wbuf=(unsigned char *)Malloc( + if ((s2->wbuf=Malloc( SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+2)) == NULL) goto err; s->s2=s2; @@ -250,7 +292,7 @@ err: void ssl2_free(SSL *s) { - SSL2_CTX *s2; + SSL2_STATE *s2; if(s == NULL) return; @@ -258,14 +300,14 @@ void ssl2_free(SSL *s) s2=s->s2; if (s2->rbuf != NULL) Free(s2->rbuf); if (s2->wbuf != NULL) Free(s2->wbuf); - memset(s2,0,sizeof(SSL2_CTX)); + memset(s2,0,sizeof *s2); Free(s2); s->s2=NULL; } void ssl2_clear(SSL *s) { - SSL2_CTX *s2; + SSL2_STATE *s2; unsigned char *rbuf,*wbuf; s2=s->s2; @@ -273,7 +315,7 @@ void ssl2_clear(SSL *s) rbuf=s2->rbuf; wbuf=s2->wbuf; - memset(s2,0,sizeof(SSL2_CTX)); + memset(s2,0,sizeof *s2); s2->rbuf=rbuf; s2->wbuf=wbuf; @@ -298,11 +340,21 @@ long ssl2_ctrl(SSL *s, int cmd, long larg, char *parg) return(ret); } +long ssl2_callback_ctrl(SSL *s, int cmd, void (*fp)()) + { + return(0); + } + long ssl2_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, char *parg) { return(0); } +long ssl2_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)()) + { + return(0); + } + /* This function needs to check if the ciphers required are actually * available */ SSL_CIPHER *ssl2_get_cipher_by_char(const unsigned char *p) @@ -374,7 +426,7 @@ void ssl2_generate_key_material(SSL *s) MD5_Init(&ctx); MD5_Update(&ctx,s->session->master_key,s->session->master_key_length); - MD5_Update(&ctx,(unsigned char *)&c,1); + MD5_Update(&ctx,&c,1); c++; MD5_Update(&ctx,s->s2->challenge,s->s2->challenge_length); MD5_Update(&ctx,s->s2->conn_id,s->s2->conn_id_length); @@ -423,4 +475,10 @@ int ssl2_shutdown(SSL *s) s->shutdown=(SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); return(1); } +#else /* !NO_SSL2 */ + +# if PEDANTIC +static void *dummy=&dummy; +# endif + #endif diff --git a/crypto/openssl/ssl/s2_meth.c b/crypto/openssl/ssl/s2_meth.c index 0e93c99..01cc05f 100644 --- a/crypto/openssl/ssl/s2_meth.c +++ b/crypto/openssl/ssl/s2_meth.c @@ -58,10 +58,10 @@ * $FreeBSD$ */ +#include "ssl_locl.h" #ifndef NO_SSL2 #include <stdio.h> #include <openssl/objects.h> -#include "ssl_locl.h" static SSL_METHOD *ssl2_get_method(int ver); static SSL_METHOD *ssl2_get_method(int ver) @@ -88,4 +88,10 @@ SSL_METHOD *SSLv2_method(void) } return(&SSLv2_data); } +#else /* !NO_SSL2 */ + +# if PEDANTIC +static void *dummy=&dummy; +# endif + #endif diff --git a/crypto/openssl/ssl/s2_pkt.c b/crypto/openssl/ssl/s2_pkt.c index 5330d79..7eb4673 100644 --- a/crypto/openssl/ssl/s2_pkt.c +++ b/crypto/openssl/ssl/s2_pkt.c @@ -58,12 +58,11 @@ * $FreeBSD$ */ +#include "ssl_locl.h" #ifndef NO_SSL2 - #include <stdio.h> #include <errno.h> #define USE_SOCKETS -#include "ssl_locl.h" static int read_n(SSL *s,unsigned int n,unsigned int max,unsigned int extend); static int do_ssl_write(SSL *s, const unsigned char *buf, unsigned int len); @@ -642,5 +641,10 @@ static int ssl_mt_error(int n) } return(ret); } +#else /* !NO_SSL2 */ + +# if PEDANTIC +static void *dummy=&dummy; +# endif #endif diff --git a/crypto/openssl/ssl/s2_srvr.c b/crypto/openssl/ssl/s2_srvr.c index 8dd19f9..51c70df 100644 --- a/crypto/openssl/ssl/s2_srvr.c +++ b/crypto/openssl/ssl/s2_srvr.c @@ -58,12 +58,12 @@ * $FreeBSD$ */ +#include "ssl_locl.h" #ifndef NO_SSL2 #include <stdio.h> #include <openssl/bio.h> #include <openssl/rand.h> #include <openssl/objects.h> -#include "ssl_locl.h" #include <openssl/evp.h> static SSL_METHOD *ssl2_get_server_method(int ver); @@ -111,7 +111,7 @@ int ssl2_accept(SSL *s) void (*cb)()=NULL; int new_state,state; - RAND_seed(&l,sizeof(l)); + RAND_add(&l,sizeof(l),0); ERR_clear_error(); clear_sys_error(); @@ -417,7 +417,7 @@ static int get_client_master_key(SSL *s) i=ek; else i=EVP_CIPHER_key_length(c); - RAND_bytes(p,i); + RAND_pseudo_bytes(p,i); } #else if (i < 0) @@ -682,7 +682,7 @@ static int server_hello(SSL *s) /* make and send conn_id */ s2n(SSL2_CONNECTION_ID_LENGTH,p); /* add conn_id length */ s->s2->conn_id_length=SSL2_CONNECTION_ID_LENGTH; - RAND_bytes(s->s2->conn_id,(int)s->s2->conn_id_length); + RAND_pseudo_bytes(s->s2->conn_id,(int)s->s2->conn_id_length); memcpy(d,s->s2->conn_id,SSL2_CONNECTION_ID_LENGTH); d+=SSL2_CONNECTION_ID_LENGTH; @@ -691,7 +691,7 @@ static int server_hello(SSL *s) s->init_off=0; } /* SSL2_ST_SEND_SERVER_HELLO_B */ - /* If we are using TCP/IP, the performace is bad if we do 2 + /* If we are using TCP/IP, the performance is bad if we do 2 * writes without a read between them. This occurs when * Session-id reuse is used, so I will put in a buffering module */ @@ -800,7 +800,7 @@ static int request_certificate(SSL *s) p=(unsigned char *)s->init_buf->data; *(p++)=SSL2_MT_REQUEST_CERTIFICATE; *(p++)=SSL2_AT_MD5_WITH_RSA_ENCRYPTION; - RAND_bytes(ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH); + RAND_pseudo_bytes(ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH); memcpy(p,ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH); s->state=SSL2_ST_SEND_REQUEST_CERTIFICATE_B; @@ -900,7 +900,7 @@ static int request_certificate(SSL *s) EVP_VerifyUpdate(&ctx,ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH); i=i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509,NULL); - buf2=(unsigned char *)Malloc((unsigned int)i); + buf2=Malloc((unsigned int)i); if (buf2 == NULL) { SSLerr(SSL_F_REQUEST_CERTIFICATE,ERR_R_MALLOC_FAILURE); @@ -923,6 +923,7 @@ static int request_certificate(SSL *s) X509_free(s->session->peer); s->session->peer=x509; CRYPTO_add(&x509->references,1,CRYPTO_LOCK_X509); + s->session->verify_result = s->verify_result; ret=1; goto end; } @@ -967,4 +968,10 @@ static int ssl_rsa_private_decrypt(CERT *c, int len, unsigned char *from, SSLerr(SSL_F_SSL_RSA_PRIVATE_DECRYPT,ERR_R_RSA_LIB); return(i); } +#else /* !NO_SSL2 */ + +# if PEDANTIC +static void *dummy=&dummy; +# endif + #endif |
