diff options
| author | nectar <nectar@FreeBSD.org> | 2002-07-30 13:38:06 +0000 |
|---|---|---|
| committer | nectar <nectar@FreeBSD.org> | 2002-07-30 13:38:06 +0000 |
| commit | 9b2d8504539be7c47e0a668f28f683954960e251 (patch) | |
| tree | 452372b320a4ccc86f09651553392a2a8f3794be /crypto/openssl/ssl | |
| parent | 86b15117de99802621746d29e72559dfc406c288 (diff) | |
| parent | 2f13e0916590f8488178999aec4874ed5662a031 (diff) | |
| download | FreeBSD-src-9b2d8504539be7c47e0a668f28f683954960e251.zip FreeBSD-src-9b2d8504539be7c47e0a668f28f683954960e251.tar.gz | |
This commit was generated by cvs2svn to compensate for changes in r100936,
which included commits to RCS files with non-trunk default branches.
Diffstat (limited to 'crypto/openssl/ssl')
| -rw-r--r-- | crypto/openssl/ssl/Makefile.ssl | 91 | ||||
| -rw-r--r-- | crypto/openssl/ssl/s3_clnt.c | 10 | ||||
| -rw-r--r-- | crypto/openssl/ssl/s3_enc.c | 21 | ||||
| -rw-r--r-- | crypto/openssl/ssl/s3_lib.c | 8 | ||||
| -rw-r--r-- | crypto/openssl/ssl/s3_srvr.c | 2 | ||||
| -rw-r--r-- | crypto/openssl/ssl/ssl.h | 22 | ||||
| -rw-r--r-- | crypto/openssl/ssl/ssl_asn1.c | 2 | ||||
| -rw-r--r-- | crypto/openssl/ssl/ssl_err.c | 4 | ||||
| -rw-r--r-- | crypto/openssl/ssl/ssl_locl.h | 15 | ||||
| -rw-r--r-- | crypto/openssl/ssl/ssl_sess.c | 2 | ||||
| -rw-r--r-- | crypto/openssl/ssl/t1_enc.c | 21 |
11 files changed, 130 insertions, 68 deletions
diff --git a/crypto/openssl/ssl/Makefile.ssl b/crypto/openssl/ssl/Makefile.ssl index b3f2a13..4b8053a 100644 --- a/crypto/openssl/ssl/Makefile.ssl +++ b/crypto/openssl/ssl/Makefile.ssl @@ -229,12 +229,13 @@ s23_srvr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h s23_srvr.o: ../include/openssl/stack.h ../include/openssl/symhacks.h s23_srvr.o: ../include/openssl/tls1.h ../include/openssl/x509.h s23_srvr.o: ../include/openssl/x509_vfy.h ssl_locl.h -s2_clnt.o: ../include/openssl/asn1.h ../include/openssl/bio.h -s2_clnt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -s2_clnt.o: ../include/openssl/buffer.h ../include/openssl/cast.h -s2_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h -s2_clnt.o: ../include/openssl/des.h ../include/openssl/dh.h -s2_clnt.o: ../include/openssl/dsa.h ../include/openssl/e_os.h +s2_clnt.o: ../crypto/cryptlib.h ../include/openssl/asn1.h +s2_clnt.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +s2_clnt.o: ../include/openssl/bn.h ../include/openssl/buffer.h +s2_clnt.o: ../include/openssl/cast.h ../include/openssl/comp.h +s2_clnt.o: ../include/openssl/crypto.h ../include/openssl/des.h +s2_clnt.o: ../include/openssl/dh.h ../include/openssl/dsa.h +s2_clnt.o: ../include/openssl/e_os.h ../include/openssl/e_os.h s2_clnt.o: ../include/openssl/e_os2.h ../include/openssl/err.h s2_clnt.o: ../include/openssl/evp.h ../include/openssl/idea.h s2_clnt.o: ../include/openssl/lhash.h ../include/openssl/md2.h @@ -274,12 +275,13 @@ s2_enc.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h s2_enc.o: ../include/openssl/ssl3.h ../include/openssl/stack.h s2_enc.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h s2_enc.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h -s2_lib.o: ../include/openssl/asn1.h ../include/openssl/bio.h -s2_lib.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -s2_lib.o: ../include/openssl/buffer.h ../include/openssl/cast.h -s2_lib.o: ../include/openssl/comp.h ../include/openssl/crypto.h -s2_lib.o: ../include/openssl/des.h ../include/openssl/dh.h -s2_lib.o: ../include/openssl/dsa.h ../include/openssl/e_os.h +s2_lib.o: ../crypto/cryptlib.h ../include/openssl/asn1.h +s2_lib.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +s2_lib.o: ../include/openssl/bn.h ../include/openssl/buffer.h +s2_lib.o: ../include/openssl/cast.h ../include/openssl/comp.h +s2_lib.o: ../include/openssl/crypto.h ../include/openssl/des.h +s2_lib.o: ../include/openssl/dh.h ../include/openssl/dsa.h +s2_lib.o: ../include/openssl/e_os.h ../include/openssl/e_os.h s2_lib.o: ../include/openssl/e_os2.h ../include/openssl/err.h s2_lib.o: ../include/openssl/evp.h ../include/openssl/idea.h s2_lib.o: ../include/openssl/lhash.h ../include/openssl/md2.h @@ -340,12 +342,13 @@ s2_pkt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h s2_pkt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h s2_pkt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h s2_pkt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h -s2_srvr.o: ../include/openssl/asn1.h ../include/openssl/bio.h -s2_srvr.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -s2_srvr.o: ../include/openssl/buffer.h ../include/openssl/cast.h -s2_srvr.o: ../include/openssl/comp.h ../include/openssl/crypto.h -s2_srvr.o: ../include/openssl/des.h ../include/openssl/dh.h -s2_srvr.o: ../include/openssl/dsa.h ../include/openssl/e_os.h +s2_srvr.o: ../crypto/cryptlib.h ../include/openssl/asn1.h +s2_srvr.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +s2_srvr.o: ../include/openssl/bn.h ../include/openssl/buffer.h +s2_srvr.o: ../include/openssl/cast.h ../include/openssl/comp.h +s2_srvr.o: ../include/openssl/crypto.h ../include/openssl/des.h +s2_srvr.o: ../include/openssl/dh.h ../include/openssl/dsa.h +s2_srvr.o: ../include/openssl/e_os.h ../include/openssl/e_os.h s2_srvr.o: ../include/openssl/e_os2.h ../include/openssl/err.h s2_srvr.o: ../include/openssl/evp.h ../include/openssl/idea.h s2_srvr.o: ../include/openssl/lhash.h ../include/openssl/md2.h @@ -386,12 +389,13 @@ s3_both.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h s3_both.o: ../include/openssl/stack.h ../include/openssl/symhacks.h s3_both.o: ../include/openssl/tls1.h ../include/openssl/x509.h s3_both.o: ../include/openssl/x509_vfy.h ssl_locl.h -s3_clnt.o: ../include/openssl/asn1.h ../include/openssl/bio.h -s3_clnt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -s3_clnt.o: ../include/openssl/buffer.h ../include/openssl/cast.h -s3_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h -s3_clnt.o: ../include/openssl/des.h ../include/openssl/dh.h -s3_clnt.o: ../include/openssl/dsa.h ../include/openssl/e_os.h +s3_clnt.o: ../crypto/cryptlib.h ../include/openssl/asn1.h +s3_clnt.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +s3_clnt.o: ../include/openssl/bn.h ../include/openssl/buffer.h +s3_clnt.o: ../include/openssl/cast.h ../include/openssl/comp.h +s3_clnt.o: ../include/openssl/crypto.h ../include/openssl/des.h +s3_clnt.o: ../include/openssl/dh.h ../include/openssl/dsa.h +s3_clnt.o: ../include/openssl/e_os.h ../include/openssl/e_os.h s3_clnt.o: ../include/openssl/e_os2.h ../include/openssl/err.h s3_clnt.o: ../include/openssl/evp.h ../include/openssl/idea.h s3_clnt.o: ../include/openssl/lhash.h ../include/openssl/md2.h @@ -497,12 +501,13 @@ s3_pkt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h s3_pkt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h s3_pkt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h s3_pkt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h -s3_srvr.o: ../include/openssl/asn1.h ../include/openssl/bio.h -s3_srvr.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -s3_srvr.o: ../include/openssl/buffer.h ../include/openssl/cast.h -s3_srvr.o: ../include/openssl/comp.h ../include/openssl/crypto.h -s3_srvr.o: ../include/openssl/des.h ../include/openssl/dh.h -s3_srvr.o: ../include/openssl/dsa.h ../include/openssl/e_os.h +s3_srvr.o: ../crypto/cryptlib.h ../include/openssl/asn1.h +s3_srvr.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +s3_srvr.o: ../include/openssl/bn.h ../include/openssl/buffer.h +s3_srvr.o: ../include/openssl/cast.h ../include/openssl/comp.h +s3_srvr.o: ../include/openssl/crypto.h ../include/openssl/des.h +s3_srvr.o: ../include/openssl/dh.h ../include/openssl/dsa.h +s3_srvr.o: ../include/openssl/e_os.h ../include/openssl/e_os.h s3_srvr.o: ../include/openssl/e_os2.h ../include/openssl/err.h s3_srvr.o: ../include/openssl/evp.h ../include/openssl/idea.h s3_srvr.o: ../include/openssl/lhash.h ../include/openssl/md2.h @@ -542,12 +547,13 @@ ssl_algs.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h ssl_algs.o: ../include/openssl/ssl3.h ../include/openssl/stack.h ssl_algs.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h ssl_algs.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h -ssl_asn1.o: ../include/openssl/asn1.h ../include/openssl/asn1_mac.h -ssl_asn1.o: ../include/openssl/bio.h ../include/openssl/blowfish.h -ssl_asn1.o: ../include/openssl/bn.h ../include/openssl/buffer.h -ssl_asn1.o: ../include/openssl/cast.h ../include/openssl/comp.h -ssl_asn1.o: ../include/openssl/crypto.h ../include/openssl/des.h -ssl_asn1.o: ../include/openssl/dh.h ../include/openssl/dsa.h +ssl_asn1.o: ../crypto/cryptlib.h ../include/openssl/asn1.h +ssl_asn1.o: ../include/openssl/asn1_mac.h ../include/openssl/bio.h +ssl_asn1.o: ../include/openssl/blowfish.h ../include/openssl/bn.h +ssl_asn1.o: ../include/openssl/buffer.h ../include/openssl/cast.h +ssl_asn1.o: ../include/openssl/comp.h ../include/openssl/crypto.h +ssl_asn1.o: ../include/openssl/des.h ../include/openssl/dh.h +ssl_asn1.o: ../include/openssl/dsa.h ../include/openssl/e_os.h ssl_asn1.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h ssl_asn1.o: ../include/openssl/err.h ../include/openssl/evp.h ssl_asn1.o: ../include/openssl/idea.h ../include/openssl/lhash.h @@ -700,12 +706,13 @@ ssl_rsa.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h ssl_rsa.o: ../include/openssl/ssl3.h ../include/openssl/stack.h ssl_rsa.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h ssl_rsa.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h -ssl_sess.o: ../include/openssl/asn1.h ../include/openssl/bio.h -ssl_sess.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -ssl_sess.o: ../include/openssl/buffer.h ../include/openssl/cast.h -ssl_sess.o: ../include/openssl/comp.h ../include/openssl/crypto.h -ssl_sess.o: ../include/openssl/des.h ../include/openssl/dh.h -ssl_sess.o: ../include/openssl/dsa.h ../include/openssl/e_os.h +ssl_sess.o: ../crypto/cryptlib.h ../include/openssl/asn1.h +ssl_sess.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +ssl_sess.o: ../include/openssl/bn.h ../include/openssl/buffer.h +ssl_sess.o: ../include/openssl/cast.h ../include/openssl/comp.h +ssl_sess.o: ../include/openssl/crypto.h ../include/openssl/des.h +ssl_sess.o: ../include/openssl/dh.h ../include/openssl/dsa.h +ssl_sess.o: ../include/openssl/e_os.h ../include/openssl/e_os.h ssl_sess.o: ../include/openssl/e_os2.h ../include/openssl/err.h ssl_sess.o: ../include/openssl/evp.h ../include/openssl/idea.h ssl_sess.o: ../include/openssl/lhash.h ../include/openssl/md2.h diff --git a/crypto/openssl/ssl/s3_clnt.c b/crypto/openssl/ssl/s3_clnt.c index 89ad45a..b921d9a 100644 --- a/crypto/openssl/ssl/s3_clnt.c +++ b/crypto/openssl/ssl/s3_clnt.c @@ -117,6 +117,7 @@ #include <openssl/sha.h> #include <openssl/evp.h> #include "ssl_locl.h" +#include "cryptlib.h" static SSL_METHOD *ssl3_get_client_method(int ver); static int ssl3_client_hello(SSL *s); @@ -545,6 +546,7 @@ static int ssl3_client_hello(SSL *s) *(p++)=i; if (i != 0) { + die(i <= sizeof s->session->session_id); memcpy(p,s->session->session_id,i); p+=i; } @@ -626,6 +628,14 @@ static int ssl3_get_server_hello(SSL *s) /* get the session-id */ j= *(p++); + if(j > sizeof s->session->session_id) + { + al=SSL_AD_ILLEGAL_PARAMETER; + SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, + SSL_R_SSL3_SESSION_ID_TOO_LONG); + goto f_err; + } + if ((j != 0) && (j != SSL3_SESSION_ID_SIZE)) { /* SSLref returns 16 :-( */ diff --git a/crypto/openssl/ssl/s3_enc.c b/crypto/openssl/ssl/s3_enc.c index d9a161a..79fa4f9 100644 --- a/crypto/openssl/ssl/s3_enc.c +++ b/crypto/openssl/ssl/s3_enc.c @@ -361,13 +361,24 @@ int ssl3_setup_key_block(SSL *s) ssl3_generate_key_block(s,p,num); - /* enable vulnerability countermeasure for CBC ciphers with - * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt) */ - s->s3->need_empty_fragments = 1; + if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) + { + /* enable vulnerability countermeasure for CBC ciphers with + * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt) + */ + s->s3->need_empty_fragments = 1; + + if (s->session->cipher != NULL) + { + if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_eNULL) + s->s3->need_empty_fragments = 0; + #ifndef NO_RC4 - if ((s->session->cipher != NULL) && ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4)) - s->s3->need_empty_fragments = 0; + if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4) + s->s3->need_empty_fragments = 0; #endif + } + } return(1); err: diff --git a/crypto/openssl/ssl/s3_lib.c b/crypto/openssl/ssl/s3_lib.c index 57a3fa4..9951ebb 100644 --- a/crypto/openssl/ssl/s3_lib.c +++ b/crypto/openssl/ssl/s3_lib.c @@ -129,7 +129,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL3_TXT_RSA_NULL_MD5, SSL3_CK_RSA_NULL_MD5, SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_MD5|SSL_SSLV3, - SSL_NOT_EXP, + SSL_NOT_EXP|SSL_STRONG_NONE, 0, 0, 0, @@ -142,7 +142,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL3_TXT_RSA_NULL_SHA, SSL3_CK_RSA_NULL_SHA, SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_SHA1|SSL_SSLV3, - SSL_NOT_EXP, + SSL_NOT_EXP|SSL_STRONG_NONE, 0, 0, 0, @@ -490,7 +490,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL3_TXT_FZA_DMS_NULL_SHA, SSL3_CK_FZA_DMS_NULL_SHA, SSL_kFZA|SSL_aFZA |SSL_eNULL |SSL_SHA1|SSL_SSLV3, - SSL_NOT_EXP, + SSL_NOT_EXP|SSL_STRONG_NONE, 0, 0, 0, @@ -504,7 +504,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL3_TXT_FZA_DMS_FZA_SHA, SSL3_CK_FZA_DMS_FZA_SHA, SSL_kFZA|SSL_aFZA |SSL_eFZA |SSL_SHA1|SSL_SSLV3, - SSL_NOT_EXP, + SSL_NOT_EXP|SSL_STRONG_NONE, 0, 0, 0, diff --git a/crypto/openssl/ssl/s3_srvr.c b/crypto/openssl/ssl/s3_srvr.c index 2319737..d211fd4 100644 --- a/crypto/openssl/ssl/s3_srvr.c +++ b/crypto/openssl/ssl/s3_srvr.c @@ -122,6 +122,7 @@ #include <openssl/evp.h> #include <openssl/x509.h> #include "ssl_locl.h" +#include "cryptlib.h" static SSL_METHOD *ssl3_get_server_method(int ver); static int ssl3_get_client_hello(SSL *s); @@ -948,6 +949,7 @@ static int ssl3_send_server_hello(SSL *s) s->session->session_id_length=0; sl=s->session->session_id_length; + die(sl <= sizeof s->session->session_id); *(p++)=sl; memcpy(p,s->session->session_id,sl); p+=sl; diff --git a/crypto/openssl/ssl/ssl.h b/crypto/openssl/ssl/ssl.h index a638545..e0c0be7 100644 --- a/crypto/openssl/ssl/ssl.h +++ b/crypto/openssl/ssl/ssl.h @@ -350,6 +350,7 @@ typedef struct ssl_session_st struct ssl_session_st *prev,*next; } SSL_SESSION; + #define SSL_OP_MICROSOFT_SESS_ID_BUG 0x00000001L #define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x00000002L #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L @@ -361,11 +362,25 @@ typedef struct ssl_session_st #define SSL_OP_TLS_BLOCK_PADDING_BUG 0x00000200L #define SSL_OP_TLS_ROLLBACK_BUG 0x00000400L +/* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added + * in OpenSSL 0.9.6d. Usually (depending on the application protocol) + * the workaround is not needed. Unfortunately some broken SSL/TLS + * implementations cannot handle it at all, which is why we include + * it in SSL_OP_ALL. */ +#define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 0x00000800L /* added in 0.9.6e */ + +/* SSL_OP_ALL: various bug workarounds that should be rather harmless */ +#define SSL_OP_ALL 0x000FFFFFL + /* If set, always create a new key when using tmp_dh parameters */ #define SSL_OP_SINGLE_DH_USE 0x00100000L /* Set to also use the tmp_rsa key when doing RSA operations. */ #define SSL_OP_EPHEMERAL_RSA 0x00200000L +#define SSL_OP_NO_SSLv2 0x01000000L +#define SSL_OP_NO_SSLv3 0x02000000L +#define SSL_OP_NO_TLSv1 0x04000000L + /* The next flag deliberately changes the ciphertest, this is a check * for the PKCS#1 attack */ #define SSL_OP_PKCS1_CHECK_1 0x08000000L @@ -374,11 +389,7 @@ typedef struct ssl_session_st /* SSL_OP_NON_EXPORT_FIRST looks utterly broken .. */ #define SSL_OP_NON_EXPORT_FIRST 0x40000000L #define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x80000000L -#define SSL_OP_ALL 0x000FFFFFL -#define SSL_OP_NO_SSLv2 0x01000000L -#define SSL_OP_NO_SSLv3 0x02000000L -#define SSL_OP_NO_TLSv1 0x04000000L /* Allow SSL_write(..., n) to return r with 0 < r < n (i.e. report success * when just a single record has been written): */ @@ -392,6 +403,7 @@ typedef struct ssl_session_st * is blocking: */ #define SSL_MODE_AUTO_RETRY 0x00000004L + /* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value, * they cannot be used to clear bits. */ @@ -1478,6 +1490,7 @@ void ERR_load_SSL_strings(void); #define SSL_R_INVALID_COMMAND 280 #define SSL_R_INVALID_PURPOSE 278 #define SSL_R_INVALID_TRUST 279 +#define SSL_R_KEY_ARG_TOO_LONG 1112 #define SSL_R_LENGTH_MISMATCH 159 #define SSL_R_LENGTH_TOO_SHORT 160 #define SSL_R_LIBRARY_BUG 274 @@ -1546,6 +1559,7 @@ void ERR_load_SSL_strings(void); #define SSL_R_SHORT_READ 219 #define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 220 #define SSL_R_SSL23_DOING_SESSION_ID_REUSE 221 +#define SSL_R_SSL3_SESSION_ID_TOO_LONG 1113 #define SSL_R_SSL3_SESSION_ID_TOO_SHORT 222 #define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE 1042 #define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC 1020 diff --git a/crypto/openssl/ssl/ssl_asn1.c b/crypto/openssl/ssl/ssl_asn1.c index fa6456e..3de1dbc 100644 --- a/crypto/openssl/ssl/ssl_asn1.c +++ b/crypto/openssl/ssl/ssl_asn1.c @@ -62,6 +62,7 @@ #include <openssl/objects.h> #include <openssl/x509.h> #include "ssl_locl.h" +#include "cryptlib.h" typedef struct ssl_session_asn1_st { @@ -275,6 +276,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp, os.length=i; ret->session_id_length=os.length; + die(os.length <= sizeof ret->session_id); memcpy(ret->session_id,os.data,os.length); M_ASN1_D2I_get(osp,d2i_ASN1_OCTET_STRING); diff --git a/crypto/openssl/ssl/ssl_err.c b/crypto/openssl/ssl/ssl_err.c index 87a13db..b1b7c22 100644 --- a/crypto/openssl/ssl/ssl_err.c +++ b/crypto/openssl/ssl/ssl_err.c @@ -1,6 +1,6 @@ /* ssl/ssl_err.c */ /* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2002 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -275,6 +275,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= {SSL_R_INVALID_COMMAND ,"invalid command"}, {SSL_R_INVALID_PURPOSE ,"invalid purpose"}, {SSL_R_INVALID_TRUST ,"invalid trust"}, +{SSL_R_KEY_ARG_TOO_LONG ,"key arg too long"}, {SSL_R_LENGTH_MISMATCH ,"length mismatch"}, {SSL_R_LENGTH_TOO_SHORT ,"length too short"}, {SSL_R_LIBRARY_BUG ,"library bug"}, @@ -343,6 +344,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= {SSL_R_SHORT_READ ,"short read"}, {SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE,"signature for non signing certificate"}, {SSL_R_SSL23_DOING_SESSION_ID_REUSE ,"ssl23 doing session id reuse"}, +{SSL_R_SSL3_SESSION_ID_TOO_LONG ,"ssl3 session id too long"}, {SSL_R_SSL3_SESSION_ID_TOO_SHORT ,"ssl3 session id too short"}, {SSL_R_SSLV3_ALERT_BAD_CERTIFICATE ,"sslv3 alert bad certificate"}, {SSL_R_SSLV3_ALERT_BAD_RECORD_MAC ,"sslv3 alert bad record mac"}, diff --git a/crypto/openssl/ssl/ssl_locl.h b/crypto/openssl/ssl/ssl_locl.h index 516d3cc..9297cd2 100644 --- a/crypto/openssl/ssl/ssl_locl.h +++ b/crypto/openssl/ssl/ssl_locl.h @@ -283,16 +283,17 @@ #define SSL_NOT_EXP 0x00000001L #define SSL_EXPORT 0x00000002L -#define SSL_STRONG_MASK 0x0000007cL -#define SSL_EXP40 0x00000004L +#define SSL_STRONG_MASK 0x000000fcL +#define SSL_STRONG_NONE 0x00000004L +#define SSL_EXP40 0x00000008L #define SSL_MICRO (SSL_EXP40) -#define SSL_EXP56 0x00000008L +#define SSL_EXP56 0x00000010L #define SSL_MINI (SSL_EXP56) -#define SSL_LOW 0x00000010L -#define SSL_MEDIUM 0x00000020L -#define SSL_HIGH 0x00000040L +#define SSL_LOW 0x00000020L +#define SSL_MEDIUM 0x00000040L +#define SSL_HIGH 0x00000080L -/* we have used 0000007f - 25 bits left to go */ +/* we have used 000000ff - 24 bits left to go */ /* * Macros to check the export status and cipher strength for export ciphers. diff --git a/crypto/openssl/ssl/ssl_sess.c b/crypto/openssl/ssl/ssl_sess.c index 8476f41..87cd8a9 100644 --- a/crypto/openssl/ssl/ssl_sess.c +++ b/crypto/openssl/ssl/ssl_sess.c @@ -60,6 +60,7 @@ #include <openssl/lhash.h> #include <openssl/rand.h> #include "ssl_locl.h" +#include "cryptlib.h" static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s); static void SSL_SESSION_list_add(SSL_CTX *ctx,SSL_SESSION *s); @@ -199,6 +200,7 @@ int ssl_get_new_session(SSL *s, int session) ss->session_id_length=0; } + die(s->sid_ctx_length <= sizeof ss->sid_ctx); memcpy(ss->sid_ctx,s->sid_ctx,s->sid_ctx_length); ss->sid_ctx_length=s->sid_ctx_length; s->session=ss; diff --git a/crypto/openssl/ssl/t1_enc.c b/crypto/openssl/ssl/t1_enc.c index b752e89..f3ecc5f 100644 --- a/crypto/openssl/ssl/t1_enc.c +++ b/crypto/openssl/ssl/t1_enc.c @@ -433,13 +433,24 @@ printf("\nkey block\n"); { int z; for (z=0; z<num; z++) printf("%02X%c",p1[z],((z+1)%16)?' ':'\n'); } #endif - /* enable vulnerability countermeasure for CBC ciphers with - * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt) */ - s->s3->need_empty_fragments = 1; + if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) + { + /* enable vulnerability countermeasure for CBC ciphers with + * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt) + */ + s->s3->need_empty_fragments = 1; + + if (s->session->cipher != NULL) + { + if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_eNULL) + s->s3->need_empty_fragments = 0; + #ifndef NO_RC4 - if ((s->session->cipher != NULL) && ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4)) - s->s3->need_empty_fragments = 0; + if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4) + s->s3->need_empty_fragments = 0; #endif + } + } return(1); err: |
