summaryrefslogtreecommitdiffstats
path: root/crypto/openssl/ssl
diff options
context:
space:
mode:
authormarkm <markm@FreeBSD.org>2003-01-28 21:43:22 +0000
committermarkm <markm@FreeBSD.org>2003-01-28 21:43:22 +0000
commitaad1d64cb5a8d9b503d9199642363dc1e92d2f9b (patch)
tree610a51c6e3965764fb0f1629c1376e2d23afffe8 /crypto/openssl/ssl
parenteba366e36e93f5da8ae5c744eb337c3ef6872641 (diff)
downloadFreeBSD-src-aad1d64cb5a8d9b503d9199642363dc1e92d2f9b.zip
FreeBSD-src-aad1d64cb5a8d9b503d9199642363dc1e92d2f9b.tar.gz
Vendor import of OpenSSL release 0.9.7. This release includes
support for AES and OpenBSD's hardware crypto.
Diffstat (limited to 'crypto/openssl/ssl')
-rw-r--r--crypto/openssl/ssl/Makefile.ssl1261
-rw-r--r--crypto/openssl/ssl/bio_ssl.c8
-rw-r--r--crypto/openssl/ssl/kssl.c2157
-rw-r--r--crypto/openssl/ssl/kssl.h173
-rw-r--r--crypto/openssl/ssl/kssl_lcl.h87
-rw-r--r--crypto/openssl/ssl/s23_clnt.c41
-rw-r--r--crypto/openssl/ssl/s23_lib.c6
-rw-r--r--crypto/openssl/ssl/s23_meth.c19
-rw-r--r--crypto/openssl/ssl/s23_pkt.c55
-rw-r--r--crypto/openssl/ssl/s23_srvr.c111
-rw-r--r--crypto/openssl/ssl/s2_clnt.c108
-rw-r--r--crypto/openssl/ssl/s2_enc.c18
-rw-r--r--crypto/openssl/ssl/s2_lib.c82
-rw-r--r--crypto/openssl/ssl/s2_meth.c23
-rw-r--r--crypto/openssl/ssl/s2_pkt.c8
-rw-r--r--crypto/openssl/ssl/s2_srvr.c93
-rw-r--r--crypto/openssl/ssl/s3_both.c60
-rw-r--r--crypto/openssl/ssl/s3_clnt.c403
-rw-r--r--crypto/openssl/ssl/s3_enc.c160
-rw-r--r--crypto/openssl/ssl/s3_lib.c511
-rw-r--r--crypto/openssl/ssl/s3_meth.c19
-rw-r--r--crypto/openssl/ssl/s3_pkt.c39
-rw-r--r--crypto/openssl/ssl/s3_srvr.c310
-rw-r--r--crypto/openssl/ssl/ssl.h427
-rw-r--r--crypto/openssl/ssl/ssl2.h3
-rw-r--r--crypto/openssl/ssl/ssl3.h60
-rw-r--r--crypto/openssl/ssl/ssl_algs.c26
-rw-r--r--crypto/openssl/ssl/ssl_asn1.c53
-rw-r--r--crypto/openssl/ssl/ssl_cert.c153
-rw-r--r--crypto/openssl/ssl/ssl_ciph.c83
-rw-r--r--crypto/openssl/ssl/ssl_err.c21
-rw-r--r--crypto/openssl/ssl/ssl_err2.c2
-rw-r--r--crypto/openssl/ssl/ssl_lib.c416
-rw-r--r--crypto/openssl/ssl/ssl_locl.h88
-rw-r--r--crypto/openssl/ssl/ssl_rsa.c44
-rw-r--r--crypto/openssl/ssl/ssl_sess.c137
-rw-r--r--crypto/openssl/ssl/ssl_stat.c40
-rw-r--r--crypto/openssl/ssl/ssl_task.c4
-rw-r--r--crypto/openssl/ssl/ssl_txt.c14
-rw-r--r--crypto/openssl/ssl/ssltest.c311
-rw-r--r--crypto/openssl/ssl/t1_clnt.c19
-rw-r--r--crypto/openssl/ssl/t1_enc.c169
-rw-r--r--crypto/openssl/ssl/t1_meth.c20
-rw-r--r--crypto/openssl/ssl/t1_srvr.c19
-rw-r--r--crypto/openssl/ssl/tls1.h31
45 files changed, 6249 insertions, 1643 deletions
diff --git a/crypto/openssl/ssl/Makefile.ssl b/crypto/openssl/ssl/Makefile.ssl
index 4b8053a..e36a79b 100644
--- a/crypto/openssl/ssl/Makefile.ssl
+++ b/crypto/openssl/ssl/Makefile.ssl
@@ -5,15 +5,18 @@
DIR= ssl
TOP= ..
CC= cc
-INCLUDES= -I../crypto -I../include
+INCLUDES= -I../crypto -I$(TOP) -I../include $(KRB5_INCLUDES)
CFLAG=-g
INSTALL_PREFIX=
OPENSSLDIR= /usr/local/ssl
INSTALLTOP=/usr/local/ssl
MAKE= make -f Makefile.ssl
-MAKEDEPEND= $(TOP)/util/domd $(TOP)
+MAKEDEPPROG= makedepend
+MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
MAKEFILE= Makefile.ssl
AR= ar r
+# KRB5 stuff
+KRB5_INCLUDES=
CFLAGS= $(INCLUDES) $(CFLAG)
@@ -22,6 +25,7 @@ TEST=ssltest.c
APPS=
LIB=$(TOP)/libssl.a
+SHARED_LIB= libssl$(SHLIB_EXT)
LIBSRC= \
s2_meth.c s2_srvr.c s2_clnt.c s2_lib.c s2_enc.c s2_pkt.c \
s3_meth.c s3_srvr.c s3_clnt.c s3_lib.c s3_enc.c s3_pkt.c s3_both.c \
@@ -30,7 +34,7 @@ LIBSRC= \
ssl_lib.c ssl_err2.c ssl_cert.c ssl_sess.c \
ssl_ciph.c ssl_stat.c ssl_rsa.c \
ssl_asn1.c ssl_txt.c ssl_algs.c \
- bio_ssl.c ssl_err.c
+ bio_ssl.c ssl_err.c kssl.c
LIBOBJ= \
s2_meth.o s2_srvr.o s2_clnt.o s2_lib.o s2_enc.o s2_pkt.o \
s3_meth.o s3_srvr.o s3_clnt.o s3_lib.o s3_enc.o s3_pkt.o s3_both.o \
@@ -39,26 +43,30 @@ LIBOBJ= \
ssl_lib.o ssl_err2.o ssl_cert.o ssl_sess.o \
ssl_ciph.o ssl_stat.o ssl_rsa.o \
ssl_asn1.o ssl_txt.o ssl_algs.o \
- bio_ssl.o ssl_err.o
+ bio_ssl.o ssl_err.o kssl.o
SRC= $(LIBSRC)
-EXHEADER= ssl.h ssl2.h ssl3.h ssl23.h tls1.h
-HEADER= $(EXHEADER) ssl_locl.h
+EXHEADER= ssl.h ssl2.h ssl3.h ssl23.h tls1.h kssl.h
+HEADER= $(EXHEADER) ssl_locl.h kssl_lcl.h
ALL= $(GENERAL) $(SRC) $(HEADER)
top:
(cd ..; $(MAKE) DIRS=$(DIR) all)
-all: lib
+all: lib shared
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
- @echo You may get an error following this line. Please ignore.
- - $(RANLIB) $(LIB)
+ $(RANLIB) $(LIB) || echo Never mind.
@touch lib
+shared:
+ if [ -n "$(SHARED_LIBS)" ]; then \
+ (cd ..; $(MAKE) $(SHARED_LIB)); \
+ fi
+
files:
$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
@@ -84,7 +92,7 @@ lint:
lint -DLINT $(INCLUDES) $(SRC)>fluff
depend:
- $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+ $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
dclean:
$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
@@ -95,18 +103,20 @@ clean:
# DO NOT DELETE THIS LINE -- make depend depends on it.
-bio_ssl.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-bio_ssl.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-bio_ssl.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-bio_ssl.o: ../include/openssl/comp.h ../include/openssl/crypto.h
-bio_ssl.o: ../include/openssl/des.h ../include/openssl/dh.h
+bio_ssl.o: ../include/openssl/aes.h ../include/openssl/asn1.h
+bio_ssl.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+bio_ssl.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+bio_ssl.o: ../include/openssl/cast.h ../include/openssl/comp.h
+bio_ssl.o: ../include/openssl/crypto.h ../include/openssl/des.h
+bio_ssl.o: ../include/openssl/des_old.h ../include/openssl/dh.h
bio_ssl.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
bio_ssl.o: ../include/openssl/err.h ../include/openssl/evp.h
-bio_ssl.o: ../include/openssl/idea.h ../include/openssl/lhash.h
-bio_ssl.o: ../include/openssl/md2.h ../include/openssl/md4.h
-bio_ssl.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
-bio_ssl.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-bio_ssl.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+bio_ssl.o: ../include/openssl/idea.h ../include/openssl/kssl.h
+bio_ssl.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+bio_ssl.o: ../include/openssl/md4.h ../include/openssl/md5.h
+bio_ssl.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+bio_ssl.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+bio_ssl.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
bio_ssl.o: ../include/openssl/pem.h ../include/openssl/pem2.h
bio_ssl.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
bio_ssl.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
@@ -115,134 +125,176 @@ bio_ssl.o: ../include/openssl/safestack.h ../include/openssl/sha.h
bio_ssl.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
bio_ssl.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
bio_ssl.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-bio_ssl.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-bio_ssl.o: ../include/openssl/x509_vfy.h
-s23_clnt.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-s23_clnt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-s23_clnt.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-s23_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
-s23_clnt.o: ../include/openssl/des.h ../include/openssl/dh.h
-s23_clnt.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-s23_clnt.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-s23_clnt.o: ../include/openssl/evp.h ../include/openssl/idea.h
+bio_ssl.o: ../include/openssl/tls1.h ../include/openssl/ui.h
+bio_ssl.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+bio_ssl.o: ../include/openssl/x509_vfy.h bio_ssl.c
+kssl.o: ../include/openssl/aes.h ../include/openssl/asn1.h
+kssl.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+kssl.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+kssl.o: ../include/openssl/cast.h ../include/openssl/comp.h
+kssl.o: ../include/openssl/crypto.h ../include/openssl/des.h
+kssl.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+kssl.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+kssl.o: ../include/openssl/evp.h ../include/openssl/idea.h
+kssl.o: ../include/openssl/krb5_asn.h ../include/openssl/kssl.h
+kssl.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+kssl.o: ../include/openssl/md4.h ../include/openssl/md5.h
+kssl.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+kssl.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+kssl.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+kssl.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+kssl.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+kssl.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+kssl.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+kssl.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+kssl.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+kssl.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+kssl.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+kssl.o: ../include/openssl/tls1.h ../include/openssl/ui.h
+kssl.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+kssl.o: ../include/openssl/x509_vfy.h kssl.c
+s23_clnt.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+s23_clnt.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+s23_clnt.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+s23_clnt.o: ../include/openssl/cast.h ../include/openssl/comp.h
+s23_clnt.o: ../include/openssl/crypto.h ../include/openssl/des.h
+s23_clnt.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+s23_clnt.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+s23_clnt.o: ../include/openssl/err.h ../include/openssl/evp.h
+s23_clnt.o: ../include/openssl/idea.h ../include/openssl/kssl.h
s23_clnt.o: ../include/openssl/lhash.h ../include/openssl/md2.h
s23_clnt.o: ../include/openssl/md4.h ../include/openssl/md5.h
s23_clnt.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
s23_clnt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-s23_clnt.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-s23_clnt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-s23_clnt.o: ../include/openssl/rand.h ../include/openssl/rc2.h
-s23_clnt.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-s23_clnt.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-s23_clnt.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-s23_clnt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-s23_clnt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-s23_clnt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-s23_clnt.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-s23_clnt.o: ../include/openssl/x509_vfy.h ssl_locl.h
-s23_lib.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-s23_lib.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-s23_lib.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-s23_lib.o: ../include/openssl/comp.h ../include/openssl/crypto.h
-s23_lib.o: ../include/openssl/des.h ../include/openssl/dh.h
-s23_lib.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-s23_lib.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-s23_lib.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s23_clnt.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+s23_clnt.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+s23_clnt.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
+s23_clnt.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+s23_clnt.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+s23_clnt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s23_clnt.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s23_clnt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s23_clnt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s23_clnt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+s23_clnt.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
+s23_clnt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s23_clnt.c
+s23_clnt.o: ssl_locl.h
+s23_lib.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+s23_lib.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+s23_lib.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+s23_lib.o: ../include/openssl/cast.h ../include/openssl/comp.h
+s23_lib.o: ../include/openssl/crypto.h ../include/openssl/des.h
+s23_lib.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+s23_lib.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+s23_lib.o: ../include/openssl/err.h ../include/openssl/evp.h
+s23_lib.o: ../include/openssl/idea.h ../include/openssl/kssl.h
s23_lib.o: ../include/openssl/lhash.h ../include/openssl/md2.h
s23_lib.o: ../include/openssl/md4.h ../include/openssl/md5.h
s23_lib.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
s23_lib.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-s23_lib.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-s23_lib.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-s23_lib.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-s23_lib.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-s23_lib.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-s23_lib.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-s23_lib.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-s23_lib.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-s23_lib.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s23_lib.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
-s23_meth.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-s23_meth.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-s23_meth.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-s23_meth.o: ../include/openssl/comp.h ../include/openssl/crypto.h
-s23_meth.o: ../include/openssl/des.h ../include/openssl/dh.h
-s23_meth.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-s23_meth.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-s23_meth.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s23_lib.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+s23_lib.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+s23_lib.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+s23_lib.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+s23_lib.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+s23_lib.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s23_lib.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s23_lib.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s23_lib.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+s23_lib.o: ../include/openssl/tls1.h ../include/openssl/ui.h
+s23_lib.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+s23_lib.o: ../include/openssl/x509_vfy.h s23_lib.c ssl_locl.h
+s23_meth.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+s23_meth.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+s23_meth.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+s23_meth.o: ../include/openssl/cast.h ../include/openssl/comp.h
+s23_meth.o: ../include/openssl/crypto.h ../include/openssl/des.h
+s23_meth.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+s23_meth.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+s23_meth.o: ../include/openssl/err.h ../include/openssl/evp.h
+s23_meth.o: ../include/openssl/idea.h ../include/openssl/kssl.h
s23_meth.o: ../include/openssl/lhash.h ../include/openssl/md2.h
s23_meth.o: ../include/openssl/md4.h ../include/openssl/md5.h
s23_meth.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
s23_meth.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-s23_meth.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-s23_meth.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-s23_meth.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-s23_meth.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-s23_meth.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-s23_meth.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-s23_meth.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-s23_meth.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-s23_meth.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s23_meth.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
-s23_pkt.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-s23_pkt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-s23_pkt.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-s23_pkt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
-s23_pkt.o: ../include/openssl/des.h ../include/openssl/dh.h
-s23_pkt.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-s23_pkt.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-s23_pkt.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s23_meth.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+s23_meth.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+s23_meth.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+s23_meth.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+s23_meth.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+s23_meth.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s23_meth.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s23_meth.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s23_meth.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+s23_meth.o: ../include/openssl/tls1.h ../include/openssl/ui.h
+s23_meth.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+s23_meth.o: ../include/openssl/x509_vfy.h s23_meth.c ssl_locl.h
+s23_pkt.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+s23_pkt.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+s23_pkt.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+s23_pkt.o: ../include/openssl/cast.h ../include/openssl/comp.h
+s23_pkt.o: ../include/openssl/crypto.h ../include/openssl/des.h
+s23_pkt.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+s23_pkt.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+s23_pkt.o: ../include/openssl/err.h ../include/openssl/evp.h
+s23_pkt.o: ../include/openssl/idea.h ../include/openssl/kssl.h
s23_pkt.o: ../include/openssl/lhash.h ../include/openssl/md2.h
s23_pkt.o: ../include/openssl/md4.h ../include/openssl/md5.h
s23_pkt.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
s23_pkt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-s23_pkt.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-s23_pkt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-s23_pkt.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-s23_pkt.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-s23_pkt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-s23_pkt.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-s23_pkt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-s23_pkt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-s23_pkt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s23_pkt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
-s23_srvr.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-s23_srvr.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-s23_srvr.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-s23_srvr.o: ../include/openssl/comp.h ../include/openssl/crypto.h
-s23_srvr.o: ../include/openssl/des.h ../include/openssl/dh.h
-s23_srvr.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-s23_srvr.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-s23_srvr.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s23_pkt.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+s23_pkt.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+s23_pkt.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+s23_pkt.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+s23_pkt.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+s23_pkt.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s23_pkt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s23_pkt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s23_pkt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+s23_pkt.o: ../include/openssl/tls1.h ../include/openssl/ui.h
+s23_pkt.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+s23_pkt.o: ../include/openssl/x509_vfy.h s23_pkt.c ssl_locl.h
+s23_srvr.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+s23_srvr.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+s23_srvr.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+s23_srvr.o: ../include/openssl/cast.h ../include/openssl/comp.h
+s23_srvr.o: ../include/openssl/crypto.h ../include/openssl/des.h
+s23_srvr.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+s23_srvr.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+s23_srvr.o: ../include/openssl/err.h ../include/openssl/evp.h
+s23_srvr.o: ../include/openssl/idea.h ../include/openssl/kssl.h
s23_srvr.o: ../include/openssl/lhash.h ../include/openssl/md2.h
s23_srvr.o: ../include/openssl/md4.h ../include/openssl/md5.h
s23_srvr.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
s23_srvr.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-s23_srvr.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-s23_srvr.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-s23_srvr.o: ../include/openssl/rand.h ../include/openssl/rc2.h
-s23_srvr.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-s23_srvr.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-s23_srvr.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-s23_srvr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-s23_srvr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-s23_srvr.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-s23_srvr.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-s23_srvr.o: ../include/openssl/x509_vfy.h ssl_locl.h
-s2_clnt.o: ../crypto/cryptlib.h ../include/openssl/asn1.h
-s2_clnt.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
-s2_clnt.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-s2_clnt.o: ../include/openssl/cast.h ../include/openssl/comp.h
-s2_clnt.o: ../include/openssl/crypto.h ../include/openssl/des.h
+s23_srvr.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+s23_srvr.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+s23_srvr.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
+s23_srvr.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+s23_srvr.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+s23_srvr.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s23_srvr.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s23_srvr.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s23_srvr.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s23_srvr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+s23_srvr.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
+s23_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s23_srvr.c
+s23_srvr.o: ssl_locl.h
+s2_clnt.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/aes.h
+s2_clnt.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s2_clnt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s2_clnt.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s2_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s2_clnt.o: ../include/openssl/des.h ../include/openssl/des_old.h
s2_clnt.o: ../include/openssl/dh.h ../include/openssl/dsa.h
-s2_clnt.o: ../include/openssl/e_os.h ../include/openssl/e_os.h
s2_clnt.o: ../include/openssl/e_os2.h ../include/openssl/err.h
s2_clnt.o: ../include/openssl/evp.h ../include/openssl/idea.h
-s2_clnt.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-s2_clnt.o: ../include/openssl/md4.h ../include/openssl/md5.h
-s2_clnt.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-s2_clnt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-s2_clnt.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s2_clnt.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+s2_clnt.o: ../include/openssl/md2.h ../include/openssl/md4.h
+s2_clnt.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s2_clnt.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+s2_clnt.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+s2_clnt.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
s2_clnt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
s2_clnt.o: ../include/openssl/rand.h ../include/openssl/rc2.h
s2_clnt.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
@@ -251,21 +303,24 @@ s2_clnt.o: ../include/openssl/safestack.h ../include/openssl/sha.h
s2_clnt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
s2_clnt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
s2_clnt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-s2_clnt.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-s2_clnt.o: ../include/openssl/x509_vfy.h ssl_locl.h
+s2_clnt.o: ../include/openssl/tls1.h ../include/openssl/ui.h
+s2_clnt.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+s2_clnt.o: ../include/openssl/x509_vfy.h s2_clnt.c ssl_locl.h
+s2_enc.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/aes.h
s2_enc.o: ../include/openssl/asn1.h ../include/openssl/bio.h
s2_enc.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
s2_enc.o: ../include/openssl/buffer.h ../include/openssl/cast.h
s2_enc.o: ../include/openssl/comp.h ../include/openssl/crypto.h
-s2_enc.o: ../include/openssl/des.h ../include/openssl/dh.h
-s2_enc.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s2_enc.o: ../include/openssl/des.h ../include/openssl/des_old.h
+s2_enc.o: ../include/openssl/dh.h ../include/openssl/dsa.h
s2_enc.o: ../include/openssl/e_os2.h ../include/openssl/err.h
s2_enc.o: ../include/openssl/evp.h ../include/openssl/idea.h
-s2_enc.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-s2_enc.o: ../include/openssl/md4.h ../include/openssl/md5.h
-s2_enc.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-s2_enc.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-s2_enc.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s2_enc.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+s2_enc.o: ../include/openssl/md2.h ../include/openssl/md4.h
+s2_enc.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s2_enc.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+s2_enc.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+s2_enc.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
s2_enc.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
s2_enc.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
s2_enc.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
@@ -274,21 +329,24 @@ s2_enc.o: ../include/openssl/sha.h ../include/openssl/ssl.h
s2_enc.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
s2_enc.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
s2_enc.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s2_enc.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
-s2_lib.o: ../crypto/cryptlib.h ../include/openssl/asn1.h
-s2_lib.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
-s2_lib.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-s2_lib.o: ../include/openssl/cast.h ../include/openssl/comp.h
-s2_lib.o: ../include/openssl/crypto.h ../include/openssl/des.h
+s2_enc.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
+s2_enc.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s2_enc.c
+s2_enc.o: ssl_locl.h
+s2_lib.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/aes.h
+s2_lib.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s2_lib.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s2_lib.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s2_lib.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s2_lib.o: ../include/openssl/des.h ../include/openssl/des_old.h
s2_lib.o: ../include/openssl/dh.h ../include/openssl/dsa.h
-s2_lib.o: ../include/openssl/e_os.h ../include/openssl/e_os.h
s2_lib.o: ../include/openssl/e_os2.h ../include/openssl/err.h
s2_lib.o: ../include/openssl/evp.h ../include/openssl/idea.h
-s2_lib.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-s2_lib.o: ../include/openssl/md4.h ../include/openssl/md5.h
-s2_lib.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-s2_lib.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-s2_lib.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s2_lib.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+s2_lib.o: ../include/openssl/md2.h ../include/openssl/md4.h
+s2_lib.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s2_lib.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+s2_lib.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+s2_lib.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
s2_lib.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
s2_lib.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
s2_lib.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
@@ -297,42 +355,49 @@ s2_lib.o: ../include/openssl/sha.h ../include/openssl/ssl.h
s2_lib.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
s2_lib.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
s2_lib.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s2_lib.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
-s2_meth.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-s2_meth.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-s2_meth.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-s2_meth.o: ../include/openssl/comp.h ../include/openssl/crypto.h
-s2_meth.o: ../include/openssl/des.h ../include/openssl/dh.h
-s2_meth.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-s2_meth.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-s2_meth.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s2_lib.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
+s2_lib.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s2_lib.c
+s2_lib.o: ssl_locl.h
+s2_meth.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+s2_meth.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+s2_meth.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+s2_meth.o: ../include/openssl/cast.h ../include/openssl/comp.h
+s2_meth.o: ../include/openssl/crypto.h ../include/openssl/des.h
+s2_meth.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+s2_meth.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+s2_meth.o: ../include/openssl/err.h ../include/openssl/evp.h
+s2_meth.o: ../include/openssl/idea.h ../include/openssl/kssl.h
s2_meth.o: ../include/openssl/lhash.h ../include/openssl/md2.h
s2_meth.o: ../include/openssl/md4.h ../include/openssl/md5.h
s2_meth.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
s2_meth.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-s2_meth.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-s2_meth.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-s2_meth.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-s2_meth.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-s2_meth.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-s2_meth.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-s2_meth.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-s2_meth.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-s2_meth.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s2_meth.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+s2_meth.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+s2_meth.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+s2_meth.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+s2_meth.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+s2_meth.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+s2_meth.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s2_meth.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s2_meth.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s2_meth.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+s2_meth.o: ../include/openssl/tls1.h ../include/openssl/ui.h
+s2_meth.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+s2_meth.o: ../include/openssl/x509_vfy.h s2_meth.c ssl_locl.h
+s2_pkt.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/aes.h
s2_pkt.o: ../include/openssl/asn1.h ../include/openssl/bio.h
s2_pkt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
s2_pkt.o: ../include/openssl/buffer.h ../include/openssl/cast.h
s2_pkt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
-s2_pkt.o: ../include/openssl/des.h ../include/openssl/dh.h
-s2_pkt.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
+s2_pkt.o: ../include/openssl/des.h ../include/openssl/des_old.h
+s2_pkt.o: ../include/openssl/dh.h ../include/openssl/dsa.h
s2_pkt.o: ../include/openssl/e_os2.h ../include/openssl/err.h
s2_pkt.o: ../include/openssl/evp.h ../include/openssl/idea.h
-s2_pkt.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-s2_pkt.o: ../include/openssl/md4.h ../include/openssl/md5.h
-s2_pkt.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-s2_pkt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-s2_pkt.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s2_pkt.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+s2_pkt.o: ../include/openssl/md2.h ../include/openssl/md4.h
+s2_pkt.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s2_pkt.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+s2_pkt.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+s2_pkt.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
s2_pkt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
s2_pkt.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
s2_pkt.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
@@ -341,21 +406,24 @@ s2_pkt.o: ../include/openssl/sha.h ../include/openssl/ssl.h
s2_pkt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
s2_pkt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
s2_pkt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s2_pkt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
-s2_srvr.o: ../crypto/cryptlib.h ../include/openssl/asn1.h
-s2_srvr.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
-s2_srvr.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-s2_srvr.o: ../include/openssl/cast.h ../include/openssl/comp.h
-s2_srvr.o: ../include/openssl/crypto.h ../include/openssl/des.h
+s2_pkt.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
+s2_pkt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s2_pkt.c
+s2_pkt.o: ssl_locl.h
+s2_srvr.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/aes.h
+s2_srvr.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s2_srvr.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s2_srvr.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s2_srvr.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s2_srvr.o: ../include/openssl/des.h ../include/openssl/des_old.h
s2_srvr.o: ../include/openssl/dh.h ../include/openssl/dsa.h
-s2_srvr.o: ../include/openssl/e_os.h ../include/openssl/e_os.h
s2_srvr.o: ../include/openssl/e_os2.h ../include/openssl/err.h
s2_srvr.o: ../include/openssl/evp.h ../include/openssl/idea.h
-s2_srvr.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-s2_srvr.o: ../include/openssl/md4.h ../include/openssl/md5.h
-s2_srvr.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-s2_srvr.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-s2_srvr.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s2_srvr.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+s2_srvr.o: ../include/openssl/md2.h ../include/openssl/md4.h
+s2_srvr.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s2_srvr.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+s2_srvr.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+s2_srvr.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
s2_srvr.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
s2_srvr.o: ../include/openssl/rand.h ../include/openssl/rc2.h
s2_srvr.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
@@ -364,45 +432,50 @@ s2_srvr.o: ../include/openssl/safestack.h ../include/openssl/sha.h
s2_srvr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
s2_srvr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
s2_srvr.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-s2_srvr.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-s2_srvr.o: ../include/openssl/x509_vfy.h ssl_locl.h
-s3_both.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-s3_both.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-s3_both.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-s3_both.o: ../include/openssl/comp.h ../include/openssl/crypto.h
-s3_both.o: ../include/openssl/des.h ../include/openssl/dh.h
-s3_both.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-s3_both.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-s3_both.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s2_srvr.o: ../include/openssl/tls1.h ../include/openssl/ui.h
+s2_srvr.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+s2_srvr.o: ../include/openssl/x509_vfy.h s2_srvr.c ssl_locl.h
+s3_both.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+s3_both.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+s3_both.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+s3_both.o: ../include/openssl/cast.h ../include/openssl/comp.h
+s3_both.o: ../include/openssl/crypto.h ../include/openssl/des.h
+s3_both.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+s3_both.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+s3_both.o: ../include/openssl/err.h ../include/openssl/evp.h
+s3_both.o: ../include/openssl/idea.h ../include/openssl/kssl.h
s3_both.o: ../include/openssl/lhash.h ../include/openssl/md2.h
s3_both.o: ../include/openssl/md4.h ../include/openssl/md5.h
s3_both.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
s3_both.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-s3_both.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-s3_both.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-s3_both.o: ../include/openssl/rand.h ../include/openssl/rc2.h
-s3_both.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-s3_both.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-s3_both.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-s3_both.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-s3_both.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-s3_both.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-s3_both.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-s3_both.o: ../include/openssl/x509_vfy.h ssl_locl.h
-s3_clnt.o: ../crypto/cryptlib.h ../include/openssl/asn1.h
-s3_clnt.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
-s3_clnt.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-s3_clnt.o: ../include/openssl/cast.h ../include/openssl/comp.h
-s3_clnt.o: ../include/openssl/crypto.h ../include/openssl/des.h
+s3_both.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+s3_both.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+s3_both.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
+s3_both.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+s3_both.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+s3_both.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s3_both.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s3_both.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s3_both.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s3_both.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+s3_both.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
+s3_both.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s3_both.c
+s3_both.o: ssl_locl.h
+s3_clnt.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/aes.h
+s3_clnt.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s3_clnt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s3_clnt.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s3_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s3_clnt.o: ../include/openssl/des.h ../include/openssl/des_old.h
s3_clnt.o: ../include/openssl/dh.h ../include/openssl/dsa.h
-s3_clnt.o: ../include/openssl/e_os.h ../include/openssl/e_os.h
s3_clnt.o: ../include/openssl/e_os2.h ../include/openssl/err.h
s3_clnt.o: ../include/openssl/evp.h ../include/openssl/idea.h
-s3_clnt.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-s3_clnt.o: ../include/openssl/md4.h ../include/openssl/md5.h
-s3_clnt.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-s3_clnt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-s3_clnt.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+s3_clnt.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+s3_clnt.o: ../include/openssl/md2.h ../include/openssl/md4.h
+s3_clnt.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+s3_clnt.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+s3_clnt.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+s3_clnt.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
s3_clnt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
s3_clnt.o: ../include/openssl/rand.h ../include/openssl/rc2.h
s3_clnt.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
@@ -411,156 +484,176 @@ s3_clnt.o: ../include/openssl/safestack.h ../include/openssl/sha.h
s3_clnt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
s3_clnt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
s3_clnt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-s3_clnt.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-s3_clnt.o: ../include/openssl/x509_vfy.h ssl_locl.h
-s3_enc.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-s3_enc.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-s3_enc.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-s3_enc.o: ../include/openssl/comp.h ../include/openssl/crypto.h
-s3_enc.o: ../include/openssl/des.h ../include/openssl/dh.h
-s3_enc.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-s3_enc.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-s3_enc.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s3_clnt.o: ../include/openssl/tls1.h ../include/openssl/ui.h
+s3_clnt.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+s3_clnt.o: ../include/openssl/x509_vfy.h kssl_lcl.h s3_clnt.c ssl_locl.h
+s3_enc.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+s3_enc.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+s3_enc.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+s3_enc.o: ../include/openssl/cast.h ../include/openssl/comp.h
+s3_enc.o: ../include/openssl/crypto.h ../include/openssl/des.h
+s3_enc.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+s3_enc.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+s3_enc.o: ../include/openssl/err.h ../include/openssl/evp.h
+s3_enc.o: ../include/openssl/idea.h ../include/openssl/kssl.h
s3_enc.o: ../include/openssl/lhash.h ../include/openssl/md2.h
s3_enc.o: ../include/openssl/md4.h ../include/openssl/md5.h
s3_enc.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
s3_enc.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-s3_enc.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-s3_enc.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-s3_enc.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-s3_enc.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-s3_enc.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-s3_enc.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-s3_enc.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-s3_enc.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-s3_enc.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s3_enc.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
-s3_lib.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-s3_lib.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-s3_lib.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-s3_lib.o: ../include/openssl/comp.h ../include/openssl/crypto.h
-s3_lib.o: ../include/openssl/des.h ../include/openssl/dh.h
-s3_lib.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-s3_lib.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-s3_lib.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s3_enc.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+s3_enc.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+s3_enc.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+s3_enc.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+s3_enc.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+s3_enc.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s3_enc.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s3_enc.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s3_enc.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+s3_enc.o: ../include/openssl/tls1.h ../include/openssl/ui.h
+s3_enc.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+s3_enc.o: ../include/openssl/x509_vfy.h s3_enc.c ssl_locl.h
+s3_lib.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+s3_lib.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+s3_lib.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+s3_lib.o: ../include/openssl/cast.h ../include/openssl/comp.h
+s3_lib.o: ../include/openssl/crypto.h ../include/openssl/des.h
+s3_lib.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+s3_lib.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+s3_lib.o: ../include/openssl/err.h ../include/openssl/evp.h
+s3_lib.o: ../include/openssl/idea.h ../include/openssl/kssl.h
s3_lib.o: ../include/openssl/lhash.h ../include/openssl/md2.h
s3_lib.o: ../include/openssl/md4.h ../include/openssl/md5.h
s3_lib.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
s3_lib.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-s3_lib.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-s3_lib.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-s3_lib.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-s3_lib.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-s3_lib.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-s3_lib.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-s3_lib.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-s3_lib.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-s3_lib.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s3_lib.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
-s3_meth.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-s3_meth.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-s3_meth.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-s3_meth.o: ../include/openssl/comp.h ../include/openssl/crypto.h
-s3_meth.o: ../include/openssl/des.h ../include/openssl/dh.h
-s3_meth.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-s3_meth.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-s3_meth.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s3_lib.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+s3_lib.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+s3_lib.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+s3_lib.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+s3_lib.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+s3_lib.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s3_lib.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s3_lib.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s3_lib.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+s3_lib.o: ../include/openssl/tls1.h ../include/openssl/ui.h
+s3_lib.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+s3_lib.o: ../include/openssl/x509_vfy.h kssl_lcl.h s3_lib.c ssl_locl.h
+s3_meth.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+s3_meth.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+s3_meth.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+s3_meth.o: ../include/openssl/cast.h ../include/openssl/comp.h
+s3_meth.o: ../include/openssl/crypto.h ../include/openssl/des.h
+s3_meth.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+s3_meth.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+s3_meth.o: ../include/openssl/err.h ../include/openssl/evp.h
+s3_meth.o: ../include/openssl/idea.h ../include/openssl/kssl.h
s3_meth.o: ../include/openssl/lhash.h ../include/openssl/md2.h
s3_meth.o: ../include/openssl/md4.h ../include/openssl/md5.h
s3_meth.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
s3_meth.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-s3_meth.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-s3_meth.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-s3_meth.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-s3_meth.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-s3_meth.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-s3_meth.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-s3_meth.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-s3_meth.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-s3_meth.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s3_meth.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
-s3_pkt.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-s3_pkt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-s3_pkt.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-s3_pkt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
-s3_pkt.o: ../include/openssl/des.h ../include/openssl/dh.h
-s3_pkt.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-s3_pkt.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-s3_pkt.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s3_meth.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+s3_meth.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+s3_meth.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+s3_meth.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+s3_meth.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+s3_meth.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s3_meth.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s3_meth.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s3_meth.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+s3_meth.o: ../include/openssl/tls1.h ../include/openssl/ui.h
+s3_meth.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+s3_meth.o: ../include/openssl/x509_vfy.h s3_meth.c ssl_locl.h
+s3_pkt.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+s3_pkt.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+s3_pkt.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+s3_pkt.o: ../include/openssl/cast.h ../include/openssl/comp.h
+s3_pkt.o: ../include/openssl/crypto.h ../include/openssl/des.h
+s3_pkt.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+s3_pkt.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+s3_pkt.o: ../include/openssl/err.h ../include/openssl/evp.h
+s3_pkt.o: ../include/openssl/idea.h ../include/openssl/kssl.h
s3_pkt.o: ../include/openssl/lhash.h ../include/openssl/md2.h
s3_pkt.o: ../include/openssl/md4.h ../include/openssl/md5.h
s3_pkt.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
s3_pkt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-s3_pkt.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-s3_pkt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-s3_pkt.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-s3_pkt.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-s3_pkt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-s3_pkt.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-s3_pkt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-s3_pkt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-s3_pkt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s3_pkt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
-s3_srvr.o: ../crypto/cryptlib.h ../include/openssl/asn1.h
-s3_srvr.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
-s3_srvr.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-s3_srvr.o: ../include/openssl/cast.h ../include/openssl/comp.h
-s3_srvr.o: ../include/openssl/crypto.h ../include/openssl/des.h
+s3_pkt.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+s3_pkt.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+s3_pkt.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+s3_pkt.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+s3_pkt.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+s3_pkt.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+s3_pkt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+s3_pkt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+s3_pkt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+s3_pkt.o: ../include/openssl/tls1.h ../include/openssl/ui.h
+s3_pkt.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+s3_pkt.o: ../include/openssl/x509_vfy.h s3_pkt.c ssl_locl.h
+s3_srvr.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/aes.h
+s3_srvr.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+s3_srvr.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+s3_srvr.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+s3_srvr.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+s3_srvr.o: ../include/openssl/des.h ../include/openssl/des_old.h
s3_srvr.o: ../include/openssl/dh.h ../include/openssl/dsa.h
-s3_srvr.o: ../include/openssl/e_os.h ../include/openssl/e_os.h
s3_srvr.o: ../include/openssl/e_os2.h ../include/openssl/err.h
s3_srvr.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s3_srvr.o: ../include/openssl/krb5_asn.h ../include/openssl/kssl.h
s3_srvr.o: ../include/openssl/lhash.h ../include/openssl/md2.h
s3_srvr.o: ../include/openssl/md4.h ../include/openssl/md5.h
s3_srvr.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
s3_srvr.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-s3_srvr.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-s3_srvr.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-s3_srvr.o: ../include/openssl/rand.h ../include/openssl/rc2.h
-s3_srvr.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-s3_srvr.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-s3_srvr.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-s3_srvr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-s3_srvr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-s3_srvr.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-s3_srvr.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-s3_srvr.o: ../include/openssl/x509_vfy.h ssl_locl.h
-ssl_algs.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-ssl_algs.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-ssl_algs.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-ssl_algs.o: ../include/openssl/comp.h ../include/openssl/crypto.h
-ssl_algs.o: ../include/openssl/des.h ../include/openssl/dh.h
-ssl_algs.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-ssl_algs.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-ssl_algs.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s3_srvr.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+s3_srvr.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+s3_srvr.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
+s3_srvr.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+s3_srvr.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+s3_srvr.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s3_srvr.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s3_srvr.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s3_srvr.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s3_srvr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+s3_srvr.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
+s3_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h kssl_lcl.h
+s3_srvr.o: s3_srvr.c ssl_locl.h
+ssl_algs.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+ssl_algs.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+ssl_algs.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+ssl_algs.o: ../include/openssl/cast.h ../include/openssl/comp.h
+ssl_algs.o: ../include/openssl/crypto.h ../include/openssl/des.h
+ssl_algs.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+ssl_algs.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+ssl_algs.o: ../include/openssl/err.h ../include/openssl/evp.h
+ssl_algs.o: ../include/openssl/idea.h ../include/openssl/kssl.h
ssl_algs.o: ../include/openssl/lhash.h ../include/openssl/md2.h
ssl_algs.o: ../include/openssl/md4.h ../include/openssl/md5.h
ssl_algs.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
ssl_algs.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-ssl_algs.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-ssl_algs.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-ssl_algs.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-ssl_algs.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-ssl_algs.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-ssl_algs.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-ssl_algs.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-ssl_algs.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-ssl_algs.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-ssl_algs.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
-ssl_asn1.o: ../crypto/cryptlib.h ../include/openssl/asn1.h
-ssl_asn1.o: ../include/openssl/asn1_mac.h ../include/openssl/bio.h
-ssl_asn1.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-ssl_asn1.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-ssl_asn1.o: ../include/openssl/comp.h ../include/openssl/crypto.h
-ssl_asn1.o: ../include/openssl/des.h ../include/openssl/dh.h
-ssl_asn1.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-ssl_asn1.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+ssl_algs.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+ssl_algs.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+ssl_algs.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+ssl_algs.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+ssl_algs.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+ssl_algs.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+ssl_algs.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+ssl_algs.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+ssl_algs.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+ssl_algs.o: ../include/openssl/tls1.h ../include/openssl/ui.h
+ssl_algs.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+ssl_algs.o: ../include/openssl/x509_vfy.h ssl_algs.c ssl_locl.h
+ssl_asn1.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/aes.h
+ssl_asn1.o: ../include/openssl/asn1.h ../include/openssl/asn1_mac.h
+ssl_asn1.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+ssl_asn1.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+ssl_asn1.o: ../include/openssl/cast.h ../include/openssl/comp.h
+ssl_asn1.o: ../include/openssl/crypto.h ../include/openssl/des.h
+ssl_asn1.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+ssl_asn1.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
ssl_asn1.o: ../include/openssl/err.h ../include/openssl/evp.h
-ssl_asn1.o: ../include/openssl/idea.h ../include/openssl/lhash.h
-ssl_asn1.o: ../include/openssl/md2.h ../include/openssl/md4.h
-ssl_asn1.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
-ssl_asn1.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-ssl_asn1.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+ssl_asn1.o: ../include/openssl/idea.h ../include/openssl/kssl.h
+ssl_asn1.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+ssl_asn1.o: ../include/openssl/md4.h ../include/openssl/md5.h
+ssl_asn1.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+ssl_asn1.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ssl_asn1.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
ssl_asn1.o: ../include/openssl/pem.h ../include/openssl/pem2.h
ssl_asn1.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
ssl_asn1.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
@@ -569,22 +662,24 @@ ssl_asn1.o: ../include/openssl/safestack.h ../include/openssl/sha.h
ssl_asn1.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
ssl_asn1.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
ssl_asn1.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-ssl_asn1.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-ssl_asn1.o: ../include/openssl/x509_vfy.h ssl_locl.h
-ssl_cert.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-ssl_cert.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-ssl_cert.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-ssl_cert.o: ../include/openssl/comp.h ../include/openssl/conf.h
-ssl_cert.o: ../include/openssl/crypto.h ../include/openssl/des.h
+ssl_asn1.o: ../include/openssl/tls1.h ../include/openssl/ui.h
+ssl_asn1.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+ssl_asn1.o: ../include/openssl/x509_vfy.h ssl_asn1.c ssl_locl.h
+ssl_cert.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+ssl_cert.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+ssl_cert.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+ssl_cert.o: ../include/openssl/cast.h ../include/openssl/comp.h
+ssl_cert.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+ssl_cert.o: ../include/openssl/des.h ../include/openssl/des_old.h
ssl_cert.o: ../include/openssl/dh.h ../include/openssl/dsa.h
-ssl_cert.o: ../include/openssl/e_os.h ../include/openssl/e_os.h
ssl_cert.o: ../include/openssl/e_os2.h ../include/openssl/err.h
ssl_cert.o: ../include/openssl/evp.h ../include/openssl/idea.h
-ssl_cert.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-ssl_cert.o: ../include/openssl/md4.h ../include/openssl/md5.h
-ssl_cert.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-ssl_cert.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-ssl_cert.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+ssl_cert.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+ssl_cert.o: ../include/openssl/md2.h ../include/openssl/md4.h
+ssl_cert.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+ssl_cert.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+ssl_cert.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+ssl_cert.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
ssl_cert.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
ssl_cert.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
ssl_cert.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
@@ -593,42 +688,48 @@ ssl_cert.o: ../include/openssl/sha.h ../include/openssl/ssl.h
ssl_cert.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
ssl_cert.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
ssl_cert.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+ssl_cert.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
ssl_cert.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-ssl_cert.o: ../include/openssl/x509v3.h ssl_locl.h
-ssl_ciph.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-ssl_ciph.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-ssl_ciph.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-ssl_ciph.o: ../include/openssl/comp.h ../include/openssl/crypto.h
-ssl_ciph.o: ../include/openssl/des.h ../include/openssl/dh.h
-ssl_ciph.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-ssl_ciph.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-ssl_ciph.o: ../include/openssl/evp.h ../include/openssl/idea.h
+ssl_cert.o: ../include/openssl/x509v3.h ssl_cert.c ssl_locl.h
+ssl_ciph.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+ssl_ciph.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+ssl_ciph.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+ssl_ciph.o: ../include/openssl/cast.h ../include/openssl/comp.h
+ssl_ciph.o: ../include/openssl/crypto.h ../include/openssl/des.h
+ssl_ciph.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+ssl_ciph.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+ssl_ciph.o: ../include/openssl/err.h ../include/openssl/evp.h
+ssl_ciph.o: ../include/openssl/idea.h ../include/openssl/kssl.h
ssl_ciph.o: ../include/openssl/lhash.h ../include/openssl/md2.h
ssl_ciph.o: ../include/openssl/md4.h ../include/openssl/md5.h
ssl_ciph.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
ssl_ciph.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-ssl_ciph.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-ssl_ciph.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-ssl_ciph.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-ssl_ciph.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-ssl_ciph.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-ssl_ciph.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-ssl_ciph.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-ssl_ciph.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-ssl_ciph.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-ssl_ciph.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
-ssl_err.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-ssl_err.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-ssl_err.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-ssl_err.o: ../include/openssl/comp.h ../include/openssl/crypto.h
-ssl_err.o: ../include/openssl/des.h ../include/openssl/dh.h
+ssl_ciph.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+ssl_ciph.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+ssl_ciph.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+ssl_ciph.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+ssl_ciph.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+ssl_ciph.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+ssl_ciph.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+ssl_ciph.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+ssl_ciph.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+ssl_ciph.o: ../include/openssl/tls1.h ../include/openssl/ui.h
+ssl_ciph.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+ssl_ciph.o: ../include/openssl/x509_vfy.h ssl_ciph.c ssl_locl.h
+ssl_err.o: ../include/openssl/aes.h ../include/openssl/asn1.h
+ssl_err.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+ssl_err.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+ssl_err.o: ../include/openssl/cast.h ../include/openssl/comp.h
+ssl_err.o: ../include/openssl/crypto.h ../include/openssl/des.h
+ssl_err.o: ../include/openssl/des_old.h ../include/openssl/dh.h
ssl_err.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
ssl_err.o: ../include/openssl/err.h ../include/openssl/evp.h
-ssl_err.o: ../include/openssl/idea.h ../include/openssl/lhash.h
-ssl_err.o: ../include/openssl/md2.h ../include/openssl/md4.h
-ssl_err.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
-ssl_err.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-ssl_err.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+ssl_err.o: ../include/openssl/idea.h ../include/openssl/kssl.h
+ssl_err.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+ssl_err.o: ../include/openssl/md4.h ../include/openssl/md5.h
+ssl_err.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+ssl_err.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ssl_err.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
ssl_err.o: ../include/openssl/pem.h ../include/openssl/pem2.h
ssl_err.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
ssl_err.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
@@ -637,20 +738,23 @@ ssl_err.o: ../include/openssl/safestack.h ../include/openssl/sha.h
ssl_err.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
ssl_err.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
ssl_err.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-ssl_err.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-ssl_err.o: ../include/openssl/x509_vfy.h
-ssl_err2.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-ssl_err2.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-ssl_err2.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-ssl_err2.o: ../include/openssl/comp.h ../include/openssl/crypto.h
-ssl_err2.o: ../include/openssl/des.h ../include/openssl/dh.h
+ssl_err.o: ../include/openssl/tls1.h ../include/openssl/ui.h
+ssl_err.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+ssl_err.o: ../include/openssl/x509_vfy.h ssl_err.c
+ssl_err2.o: ../include/openssl/aes.h ../include/openssl/asn1.h
+ssl_err2.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+ssl_err2.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+ssl_err2.o: ../include/openssl/cast.h ../include/openssl/comp.h
+ssl_err2.o: ../include/openssl/crypto.h ../include/openssl/des.h
+ssl_err2.o: ../include/openssl/des_old.h ../include/openssl/dh.h
ssl_err2.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
ssl_err2.o: ../include/openssl/err.h ../include/openssl/evp.h
-ssl_err2.o: ../include/openssl/idea.h ../include/openssl/lhash.h
-ssl_err2.o: ../include/openssl/md2.h ../include/openssl/md4.h
-ssl_err2.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
-ssl_err2.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-ssl_err2.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+ssl_err2.o: ../include/openssl/idea.h ../include/openssl/kssl.h
+ssl_err2.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+ssl_err2.o: ../include/openssl/md4.h ../include/openssl/md5.h
+ssl_err2.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+ssl_err2.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ssl_err2.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
ssl_err2.o: ../include/openssl/pem.h ../include/openssl/pem2.h
ssl_err2.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
ssl_err2.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
@@ -659,21 +763,24 @@ ssl_err2.o: ../include/openssl/safestack.h ../include/openssl/sha.h
ssl_err2.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
ssl_err2.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
ssl_err2.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-ssl_err2.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-ssl_err2.o: ../include/openssl/x509_vfy.h
+ssl_err2.o: ../include/openssl/tls1.h ../include/openssl/ui.h
+ssl_err2.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+ssl_err2.o: ../include/openssl/x509_vfy.h ssl_err2.c
+ssl_lib.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/aes.h
ssl_lib.o: ../include/openssl/asn1.h ../include/openssl/bio.h
ssl_lib.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
ssl_lib.o: ../include/openssl/buffer.h ../include/openssl/cast.h
ssl_lib.o: ../include/openssl/comp.h ../include/openssl/conf.h
ssl_lib.o: ../include/openssl/crypto.h ../include/openssl/des.h
-ssl_lib.o: ../include/openssl/dh.h ../include/openssl/dsa.h
-ssl_lib.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+ssl_lib.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+ssl_lib.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
ssl_lib.o: ../include/openssl/err.h ../include/openssl/evp.h
-ssl_lib.o: ../include/openssl/idea.h ../include/openssl/lhash.h
-ssl_lib.o: ../include/openssl/md2.h ../include/openssl/md4.h
-ssl_lib.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
-ssl_lib.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-ssl_lib.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+ssl_lib.o: ../include/openssl/idea.h ../include/openssl/kssl.h
+ssl_lib.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+ssl_lib.o: ../include/openssl/md4.h ../include/openssl/md5.h
+ssl_lib.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+ssl_lib.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ssl_lib.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
ssl_lib.o: ../include/openssl/pem.h ../include/openssl/pem2.h
ssl_lib.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
ssl_lib.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
@@ -682,44 +789,50 @@ ssl_lib.o: ../include/openssl/safestack.h ../include/openssl/sha.h
ssl_lib.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
ssl_lib.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
ssl_lib.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-ssl_lib.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-ssl_lib.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h ssl_locl.h
-ssl_rsa.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-ssl_rsa.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-ssl_rsa.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-ssl_rsa.o: ../include/openssl/comp.h ../include/openssl/crypto.h
-ssl_rsa.o: ../include/openssl/des.h ../include/openssl/dh.h
-ssl_rsa.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-ssl_rsa.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-ssl_rsa.o: ../include/openssl/evp.h ../include/openssl/idea.h
+ssl_lib.o: ../include/openssl/tls1.h ../include/openssl/ui.h
+ssl_lib.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+ssl_lib.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h kssl_lcl.h
+ssl_lib.o: ssl_lib.c ssl_locl.h
+ssl_rsa.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+ssl_rsa.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+ssl_rsa.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+ssl_rsa.o: ../include/openssl/cast.h ../include/openssl/comp.h
+ssl_rsa.o: ../include/openssl/crypto.h ../include/openssl/des.h
+ssl_rsa.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+ssl_rsa.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+ssl_rsa.o: ../include/openssl/err.h ../include/openssl/evp.h
+ssl_rsa.o: ../include/openssl/idea.h ../include/openssl/kssl.h
ssl_rsa.o: ../include/openssl/lhash.h ../include/openssl/md2.h
ssl_rsa.o: ../include/openssl/md4.h ../include/openssl/md5.h
ssl_rsa.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
ssl_rsa.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-ssl_rsa.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-ssl_rsa.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-ssl_rsa.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-ssl_rsa.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-ssl_rsa.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-ssl_rsa.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-ssl_rsa.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-ssl_rsa.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-ssl_rsa.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-ssl_rsa.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
-ssl_sess.o: ../crypto/cryptlib.h ../include/openssl/asn1.h
-ssl_sess.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
-ssl_sess.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-ssl_sess.o: ../include/openssl/cast.h ../include/openssl/comp.h
-ssl_sess.o: ../include/openssl/crypto.h ../include/openssl/des.h
+ssl_rsa.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+ssl_rsa.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+ssl_rsa.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+ssl_rsa.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+ssl_rsa.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+ssl_rsa.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+ssl_rsa.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+ssl_rsa.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+ssl_rsa.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+ssl_rsa.o: ../include/openssl/tls1.h ../include/openssl/ui.h
+ssl_rsa.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+ssl_rsa.o: ../include/openssl/x509_vfy.h ssl_locl.h ssl_rsa.c
+ssl_sess.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/aes.h
+ssl_sess.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+ssl_sess.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
+ssl_sess.o: ../include/openssl/buffer.h ../include/openssl/cast.h
+ssl_sess.o: ../include/openssl/comp.h ../include/openssl/crypto.h
+ssl_sess.o: ../include/openssl/des.h ../include/openssl/des_old.h
ssl_sess.o: ../include/openssl/dh.h ../include/openssl/dsa.h
-ssl_sess.o: ../include/openssl/e_os.h ../include/openssl/e_os.h
ssl_sess.o: ../include/openssl/e_os2.h ../include/openssl/err.h
ssl_sess.o: ../include/openssl/evp.h ../include/openssl/idea.h
-ssl_sess.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-ssl_sess.o: ../include/openssl/md4.h ../include/openssl/md5.h
-ssl_sess.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-ssl_sess.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-ssl_sess.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+ssl_sess.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+ssl_sess.o: ../include/openssl/md2.h ../include/openssl/md4.h
+ssl_sess.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+ssl_sess.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+ssl_sess.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+ssl_sess.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
ssl_sess.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
ssl_sess.o: ../include/openssl/rand.h ../include/openssl/rc2.h
ssl_sess.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
@@ -728,162 +841,184 @@ ssl_sess.o: ../include/openssl/safestack.h ../include/openssl/sha.h
ssl_sess.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
ssl_sess.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
ssl_sess.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-ssl_sess.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-ssl_sess.o: ../include/openssl/x509_vfy.h ssl_locl.h
-ssl_stat.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-ssl_stat.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-ssl_stat.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-ssl_stat.o: ../include/openssl/comp.h ../include/openssl/crypto.h
-ssl_stat.o: ../include/openssl/des.h ../include/openssl/dh.h
-ssl_stat.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-ssl_stat.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-ssl_stat.o: ../include/openssl/evp.h ../include/openssl/idea.h
+ssl_sess.o: ../include/openssl/tls1.h ../include/openssl/ui.h
+ssl_sess.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+ssl_sess.o: ../include/openssl/x509_vfy.h ssl_locl.h ssl_sess.c
+ssl_stat.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+ssl_stat.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+ssl_stat.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+ssl_stat.o: ../include/openssl/cast.h ../include/openssl/comp.h
+ssl_stat.o: ../include/openssl/crypto.h ../include/openssl/des.h
+ssl_stat.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+ssl_stat.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+ssl_stat.o: ../include/openssl/err.h ../include/openssl/evp.h
+ssl_stat.o: ../include/openssl/idea.h ../include/openssl/kssl.h
ssl_stat.o: ../include/openssl/lhash.h ../include/openssl/md2.h
ssl_stat.o: ../include/openssl/md4.h ../include/openssl/md5.h
ssl_stat.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
ssl_stat.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-ssl_stat.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-ssl_stat.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-ssl_stat.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-ssl_stat.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-ssl_stat.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-ssl_stat.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-ssl_stat.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-ssl_stat.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-ssl_stat.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-ssl_stat.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
-ssl_txt.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-ssl_txt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-ssl_txt.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-ssl_txt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
-ssl_txt.o: ../include/openssl/des.h ../include/openssl/dh.h
-ssl_txt.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-ssl_txt.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-ssl_txt.o: ../include/openssl/evp.h ../include/openssl/idea.h
+ssl_stat.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+ssl_stat.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+ssl_stat.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+ssl_stat.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+ssl_stat.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+ssl_stat.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+ssl_stat.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+ssl_stat.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+ssl_stat.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+ssl_stat.o: ../include/openssl/tls1.h ../include/openssl/ui.h
+ssl_stat.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+ssl_stat.o: ../include/openssl/x509_vfy.h ssl_locl.h ssl_stat.c
+ssl_txt.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+ssl_txt.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+ssl_txt.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+ssl_txt.o: ../include/openssl/cast.h ../include/openssl/comp.h
+ssl_txt.o: ../include/openssl/crypto.h ../include/openssl/des.h
+ssl_txt.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+ssl_txt.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+ssl_txt.o: ../include/openssl/err.h ../include/openssl/evp.h
+ssl_txt.o: ../include/openssl/idea.h ../include/openssl/kssl.h
ssl_txt.o: ../include/openssl/lhash.h ../include/openssl/md2.h
ssl_txt.o: ../include/openssl/md4.h ../include/openssl/md5.h
ssl_txt.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
ssl_txt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-ssl_txt.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-ssl_txt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-ssl_txt.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-ssl_txt.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-ssl_txt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-ssl_txt.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-ssl_txt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-ssl_txt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-ssl_txt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-ssl_txt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
-t1_clnt.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-t1_clnt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-t1_clnt.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-t1_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h
-t1_clnt.o: ../include/openssl/des.h ../include/openssl/dh.h
-t1_clnt.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-t1_clnt.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-t1_clnt.o: ../include/openssl/evp.h ../include/openssl/idea.h
+ssl_txt.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+ssl_txt.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+ssl_txt.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+ssl_txt.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+ssl_txt.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+ssl_txt.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+ssl_txt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+ssl_txt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+ssl_txt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+ssl_txt.o: ../include/openssl/tls1.h ../include/openssl/ui.h
+ssl_txt.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+ssl_txt.o: ../include/openssl/x509_vfy.h ssl_locl.h ssl_txt.c
+t1_clnt.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+t1_clnt.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+t1_clnt.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+t1_clnt.o: ../include/openssl/cast.h ../include/openssl/comp.h
+t1_clnt.o: ../include/openssl/crypto.h ../include/openssl/des.h
+t1_clnt.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+t1_clnt.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+t1_clnt.o: ../include/openssl/err.h ../include/openssl/evp.h
+t1_clnt.o: ../include/openssl/idea.h ../include/openssl/kssl.h
t1_clnt.o: ../include/openssl/lhash.h ../include/openssl/md2.h
t1_clnt.o: ../include/openssl/md4.h ../include/openssl/md5.h
t1_clnt.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
t1_clnt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-t1_clnt.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-t1_clnt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-t1_clnt.o: ../include/openssl/rand.h ../include/openssl/rc2.h
-t1_clnt.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-t1_clnt.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-t1_clnt.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-t1_clnt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-t1_clnt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-t1_clnt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-t1_clnt.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-t1_clnt.o: ../include/openssl/x509_vfy.h ssl_locl.h
-t1_enc.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-t1_enc.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-t1_enc.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-t1_enc.o: ../include/openssl/comp.h ../include/openssl/crypto.h
-t1_enc.o: ../include/openssl/des.h ../include/openssl/dh.h
-t1_enc.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-t1_enc.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-t1_enc.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-t1_enc.o: ../include/openssl/idea.h ../include/openssl/lhash.h
+t1_clnt.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+t1_clnt.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+t1_clnt.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
+t1_clnt.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+t1_clnt.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+t1_clnt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+t1_clnt.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+t1_clnt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+t1_clnt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+t1_clnt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+t1_clnt.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
+t1_clnt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+t1_clnt.o: t1_clnt.c
+t1_enc.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+t1_enc.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+t1_enc.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+t1_enc.o: ../include/openssl/cast.h ../include/openssl/comp.h
+t1_enc.o: ../include/openssl/crypto.h ../include/openssl/des.h
+t1_enc.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+t1_enc.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+t1_enc.o: ../include/openssl/err.h ../include/openssl/evp.h
+t1_enc.o: ../include/openssl/hmac.h ../include/openssl/idea.h
+t1_enc.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
t1_enc.o: ../include/openssl/md2.h ../include/openssl/md4.h
t1_enc.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
t1_enc.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
t1_enc.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-t1_enc.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-t1_enc.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
-t1_enc.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-t1_enc.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-t1_enc.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-t1_enc.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-t1_enc.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-t1_enc.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-t1_enc.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-t1_enc.o: ../include/openssl/x509_vfy.h ssl_locl.h
-t1_lib.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-t1_lib.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-t1_lib.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-t1_lib.o: ../include/openssl/comp.h ../include/openssl/crypto.h
-t1_lib.o: ../include/openssl/des.h ../include/openssl/dh.h
-t1_lib.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-t1_lib.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-t1_lib.o: ../include/openssl/evp.h ../include/openssl/idea.h
+t1_enc.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+t1_enc.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+t1_enc.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+t1_enc.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+t1_enc.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+t1_enc.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+t1_enc.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+t1_enc.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+t1_enc.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+t1_enc.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
+t1_enc.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+t1_enc.o: t1_enc.c
+t1_lib.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+t1_lib.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+t1_lib.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+t1_lib.o: ../include/openssl/cast.h ../include/openssl/comp.h
+t1_lib.o: ../include/openssl/crypto.h ../include/openssl/des.h
+t1_lib.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+t1_lib.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+t1_lib.o: ../include/openssl/err.h ../include/openssl/evp.h
+t1_lib.o: ../include/openssl/idea.h ../include/openssl/kssl.h
t1_lib.o: ../include/openssl/lhash.h ../include/openssl/md2.h
t1_lib.o: ../include/openssl/md4.h ../include/openssl/md5.h
t1_lib.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
t1_lib.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-t1_lib.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-t1_lib.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-t1_lib.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-t1_lib.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-t1_lib.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-t1_lib.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-t1_lib.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-t1_lib.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-t1_lib.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-t1_lib.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
-t1_meth.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-t1_meth.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-t1_meth.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-t1_meth.o: ../include/openssl/comp.h ../include/openssl/crypto.h
-t1_meth.o: ../include/openssl/des.h ../include/openssl/dh.h
-t1_meth.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-t1_meth.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-t1_meth.o: ../include/openssl/evp.h ../include/openssl/idea.h
+t1_lib.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+t1_lib.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+t1_lib.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+t1_lib.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+t1_lib.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+t1_lib.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+t1_lib.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+t1_lib.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+t1_lib.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+t1_lib.o: ../include/openssl/tls1.h ../include/openssl/ui.h
+t1_lib.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+t1_lib.o: ../include/openssl/x509_vfy.h ssl_locl.h t1_lib.c
+t1_meth.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+t1_meth.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+t1_meth.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+t1_meth.o: ../include/openssl/cast.h ../include/openssl/comp.h
+t1_meth.o: ../include/openssl/crypto.h ../include/openssl/des.h
+t1_meth.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+t1_meth.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+t1_meth.o: ../include/openssl/err.h ../include/openssl/evp.h
+t1_meth.o: ../include/openssl/idea.h ../include/openssl/kssl.h
t1_meth.o: ../include/openssl/lhash.h ../include/openssl/md2.h
t1_meth.o: ../include/openssl/md4.h ../include/openssl/md5.h
t1_meth.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
t1_meth.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-t1_meth.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-t1_meth.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-t1_meth.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-t1_meth.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-t1_meth.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-t1_meth.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-t1_meth.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-t1_meth.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-t1_meth.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-t1_meth.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
-t1_srvr.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-t1_srvr.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-t1_srvr.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-t1_srvr.o: ../include/openssl/comp.h ../include/openssl/crypto.h
-t1_srvr.o: ../include/openssl/des.h ../include/openssl/dh.h
-t1_srvr.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-t1_srvr.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-t1_srvr.o: ../include/openssl/evp.h ../include/openssl/idea.h
+t1_meth.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+t1_meth.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+t1_meth.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+t1_meth.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+t1_meth.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+t1_meth.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+t1_meth.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+t1_meth.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+t1_meth.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+t1_meth.o: ../include/openssl/tls1.h ../include/openssl/ui.h
+t1_meth.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+t1_meth.o: ../include/openssl/x509_vfy.h ssl_locl.h t1_meth.c
+t1_srvr.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+t1_srvr.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+t1_srvr.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+t1_srvr.o: ../include/openssl/cast.h ../include/openssl/comp.h
+t1_srvr.o: ../include/openssl/crypto.h ../include/openssl/des.h
+t1_srvr.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+t1_srvr.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+t1_srvr.o: ../include/openssl/err.h ../include/openssl/evp.h
+t1_srvr.o: ../include/openssl/idea.h ../include/openssl/kssl.h
t1_srvr.o: ../include/openssl/lhash.h ../include/openssl/md2.h
t1_srvr.o: ../include/openssl/md4.h ../include/openssl/md5.h
t1_srvr.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
t1_srvr.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-t1_srvr.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-t1_srvr.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-t1_srvr.o: ../include/openssl/rand.h ../include/openssl/rc2.h
-t1_srvr.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-t1_srvr.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-t1_srvr.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-t1_srvr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-t1_srvr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-t1_srvr.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-t1_srvr.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-t1_srvr.o: ../include/openssl/x509_vfy.h ssl_locl.h
+t1_srvr.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+t1_srvr.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+t1_srvr.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
+t1_srvr.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+t1_srvr.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+t1_srvr.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+t1_srvr.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+t1_srvr.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+t1_srvr.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+t1_srvr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+t1_srvr.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
+t1_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+t1_srvr.o: t1_srvr.c
diff --git a/crypto/openssl/ssl/bio_ssl.c b/crypto/openssl/ssl/bio_ssl.c
index d85555a..467e149 100644
--- a/crypto/openssl/ssl/bio_ssl.c
+++ b/crypto/openssl/ssl/bio_ssl.c
@@ -206,6 +206,10 @@ static int ssl_read(BIO *b, char *out, int outl)
BIO_set_retry_special(b);
retry_reason=BIO_RR_SSL_X509_LOOKUP;
break;
+ case SSL_ERROR_WANT_ACCEPT:
+ BIO_set_retry_special(b);
+ retry_reason=BIO_RR_ACCEPT;
+ break;
case SSL_ERROR_WANT_CONNECT:
BIO_set_retry_special(b);
retry_reason=BIO_RR_CONNECT;
@@ -482,7 +486,9 @@ static long ssl_callback_ctrl(BIO *b, int cmd, bio_info_cb *fp)
{
case BIO_CTRL_SET_CALLBACK:
{
- SSL_set_info_callback(ssl,fp);
+ /* FIXME: setting this via a completely different prototype
+ seems like a crap idea */
+ SSL_set_info_callback(ssl,(void (*)(const SSL *,int,int))fp);
}
break;
default:
diff --git a/crypto/openssl/ssl/kssl.c b/crypto/openssl/ssl/kssl.c
new file mode 100644
index 0000000..327b92f
--- /dev/null
+++ b/crypto/openssl/ssl/kssl.c
@@ -0,0 +1,2157 @@
+/* ssl/kssl.c -*- mode: C; c-file-style: "eay" -*- */
+/* Written by Vern Staats <staatsvr@asc.hpc.mil> for the OpenSSL project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+/* ssl/kssl.c -- Routines to support (& debug) Kerberos5 auth for openssl
+**
+** 19990701 VRS Started.
+** 200011?? Jeffrey Altman, Richard Levitte
+** Generalized for Heimdal, Newer MIT, & Win32.
+** Integrated into main OpenSSL 0.9.7 snapshots.
+** 20010413 Simon Wilkinson, VRS
+** Real RFC2712 KerberosWrapper replaces AP_REQ.
+*/
+
+#include <openssl/opensslconf.h>
+
+#define _XOPEN_SOURCE /* glibc2 needs this to declare strptime() */
+#include <time.h>
+#include <string.h>
+
+#include <openssl/ssl.h>
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/krb5_asn.h>
+
+#ifndef OPENSSL_NO_KRB5
+
+/*
+ * When OpenSSL is built on Windows, we do not want to require that
+ * the Kerberos DLLs be available in order for the OpenSSL DLLs to
+ * work. Therefore, all Kerberos routines are loaded at run time
+ * and we do not link to a .LIB file.
+ */
+
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32)
+/*
+ * The purpose of the following pre-processor statements is to provide
+ * compatibility with different releases of MIT Kerberos for Windows.
+ * All versions up to 1.2 used macros. But macros do not allow for
+ * a binary compatible interface for DLLs. Therefore, all macros are
+ * being replaced by function calls. The following code will allow
+ * an OpenSSL DLL built on Windows to work whether or not the macro
+ * or function form of the routines are utilized.
+ */
+#ifdef krb5_cc_get_principal
+#define NO_DEF_KRB5_CCACHE
+#undef krb5_cc_get_principal
+#endif
+#define krb5_cc_get_principal kssl_krb5_cc_get_principal
+
+#define krb5_free_data_contents kssl_krb5_free_data_contents
+#define krb5_free_context kssl_krb5_free_context
+#define krb5_auth_con_free kssl_krb5_auth_con_free
+#define krb5_free_principal kssl_krb5_free_principal
+#define krb5_mk_req_extended kssl_krb5_mk_req_extended
+#define krb5_get_credentials kssl_krb5_get_credentials
+#define krb5_cc_default kssl_krb5_cc_default
+#define krb5_sname_to_principal kssl_krb5_sname_to_principal
+#define krb5_init_context kssl_krb5_init_context
+#define krb5_free_ticket kssl_krb5_free_ticket
+#define krb5_rd_req kssl_krb5_rd_req
+#define krb5_kt_default kssl_krb5_kt_default
+#define krb5_kt_resolve kssl_krb5_kt_resolve
+/* macros in mit 1.2.2 and earlier; functions in mit 1.2.3 and greater */
+#ifndef krb5_kt_close
+#define krb5_kt_close kssl_krb5_kt_close
+#endif /* krb5_kt_close */
+#ifndef krb5_kt_get_entry
+#define krb5_kt_get_entry kssl_krb5_kt_get_entry
+#endif /* krb5_kt_get_entry */
+#define krb5_auth_con_init kssl_krb5_auth_con_init
+
+#define krb5_principal_compare kssl_krb5_principal_compare
+#define krb5_decrypt_tkt_part kssl_krb5_decrypt_tkt_part
+#define krb5_timeofday kssl_krb5_timeofday
+#define krb5_rc_default kssl_krb5_rc_default
+
+#ifdef krb5_rc_initialize
+#undef krb5_rc_initialize
+#endif
+#define krb5_rc_initialize kssl_krb5_rc_initialize
+
+#ifdef krb5_rc_get_lifespan
+#undef krb5_rc_get_lifespan
+#endif
+#define krb5_rc_get_lifespan kssl_krb5_rc_get_lifespan
+
+#ifdef krb5_rc_destroy
+#undef krb5_rc_destroy
+#endif
+#define krb5_rc_destroy kssl_krb5_rc_destroy
+
+#define valid_cksumtype kssl_valid_cksumtype
+#define krb5_checksum_size kssl_krb5_checksum_size
+#define krb5_kt_free_entry kssl_krb5_kt_free_entry
+#define krb5_auth_con_setrcache kssl_krb5_auth_con_setrcache
+#define krb5_auth_con_getrcache kssl_krb5_auth_con_getrcache
+#define krb5_get_server_rcache kssl_krb5_get_server_rcache
+
+/* Prototypes for built in stubs */
+void kssl_krb5_free_data_contents(krb5_context, krb5_data *);
+void kssl_krb5_free_principal(krb5_context, krb5_principal );
+krb5_error_code kssl_krb5_kt_resolve(krb5_context,
+ krb5_const char *,
+ krb5_keytab *);
+krb5_error_code kssl_krb5_kt_default(krb5_context,
+ krb5_keytab *);
+krb5_error_code kssl_krb5_free_ticket(krb5_context, krb5_ticket *);
+krb5_error_code kssl_krb5_rd_req(krb5_context, krb5_auth_context *,
+ krb5_const krb5_data *,
+ krb5_const_principal, krb5_keytab,
+ krb5_flags *,krb5_ticket **);
+
+krb5_boolean kssl_krb5_principal_compare(krb5_context, krb5_const_principal,
+ krb5_const_principal);
+krb5_error_code kssl_krb5_mk_req_extended(krb5_context,
+ krb5_auth_context *,
+ krb5_const krb5_flags,
+ krb5_data *,
+ krb5_creds *,
+ krb5_data * );
+krb5_error_code kssl_krb5_init_context(krb5_context *);
+void kssl_krb5_free_context(krb5_context);
+krb5_error_code kssl_krb5_cc_default(krb5_context,krb5_ccache *);
+krb5_error_code kssl_krb5_sname_to_principal(krb5_context,
+ krb5_const char *,
+ krb5_const char *,
+ krb5_int32,
+ krb5_principal *);
+krb5_error_code kssl_krb5_get_credentials(krb5_context,
+ krb5_const krb5_flags,
+ krb5_ccache,
+ krb5_creds *,
+ krb5_creds * *);
+krb5_error_code kssl_krb5_auth_con_init(krb5_context,
+ krb5_auth_context *);
+krb5_error_code kssl_krb5_cc_get_principal(krb5_context context,
+ krb5_ccache cache,
+ krb5_principal *principal);
+krb5_error_code kssl_krb5_auth_con_free(krb5_context,krb5_auth_context);
+size_t kssl_krb5_checksum_size(krb5_context context,krb5_cksumtype ctype);
+krb5_boolean kssl_valid_cksumtype(krb5_cksumtype ctype);
+krb5_error_code krb5_kt_free_entry(krb5_context,krb5_keytab_entry FAR * );
+krb5_error_code kssl_krb5_auth_con_setrcache(krb5_context,
+ krb5_auth_context,
+ krb5_rcache);
+krb5_error_code kssl_krb5_get_server_rcache(krb5_context,
+ krb5_const krb5_data *,
+ krb5_rcache *);
+krb5_error_code kssl_krb5_auth_con_getrcache(krb5_context,
+ krb5_auth_context,
+ krb5_rcache *);
+
+/* Function pointers (almost all Kerberos functions are _stdcall) */
+static void (_stdcall *p_krb5_free_data_contents)(krb5_context, krb5_data *)
+ =NULL;
+static void (_stdcall *p_krb5_free_principal)(krb5_context, krb5_principal )
+ =NULL;
+static krb5_error_code(_stdcall *p_krb5_kt_resolve)
+ (krb5_context, krb5_const char *, krb5_keytab *)=NULL;
+static krb5_error_code (_stdcall *p_krb5_kt_default)(krb5_context,
+ krb5_keytab *)=NULL;
+static krb5_error_code (_stdcall *p_krb5_free_ticket)(krb5_context,
+ krb5_ticket *)=NULL;
+static krb5_error_code (_stdcall *p_krb5_rd_req)(krb5_context,
+ krb5_auth_context *,
+ krb5_const krb5_data *,
+ krb5_const_principal,
+ krb5_keytab, krb5_flags *,
+ krb5_ticket **)=NULL;
+static krb5_error_code (_stdcall *p_krb5_mk_req_extended)
+ (krb5_context, krb5_auth_context *,
+ krb5_const krb5_flags, krb5_data *, krb5_creds *,
+ krb5_data * )=NULL;
+static krb5_error_code (_stdcall *p_krb5_init_context)(krb5_context *)=NULL;
+static void (_stdcall *p_krb5_free_context)(krb5_context)=NULL;
+static krb5_error_code (_stdcall *p_krb5_cc_default)(krb5_context,
+ krb5_ccache *)=NULL;
+static krb5_error_code (_stdcall *p_krb5_sname_to_principal)
+ (krb5_context, krb5_const char *, krb5_const char *,
+ krb5_int32, krb5_principal *)=NULL;
+static krb5_error_code (_stdcall *p_krb5_get_credentials)
+ (krb5_context, krb5_const krb5_flags, krb5_ccache,
+ krb5_creds *, krb5_creds **)=NULL;
+static krb5_error_code (_stdcall *p_krb5_auth_con_init)
+ (krb5_context, krb5_auth_context *)=NULL;
+static krb5_error_code (_stdcall *p_krb5_cc_get_principal)
+ (krb5_context context, krb5_ccache cache,
+ krb5_principal *principal)=NULL;
+static krb5_error_code (_stdcall *p_krb5_auth_con_free)
+ (krb5_context, krb5_auth_context)=NULL;
+static krb5_error_code (_stdcall *p_krb5_decrypt_tkt_part)
+ (krb5_context, krb5_const krb5_keyblock *,
+ krb5_ticket *)=NULL;
+static krb5_error_code (_stdcall *p_krb5_timeofday)
+ (krb5_context context, krb5_int32 *timeret)=NULL;
+static krb5_error_code (_stdcall *p_krb5_rc_default)
+ (krb5_context context, krb5_rcache *rc)=NULL;
+static krb5_error_code (_stdcall *p_krb5_rc_initialize)
+ (krb5_context context, krb5_rcache rc,
+ krb5_deltat lifespan)=NULL;
+static krb5_error_code (_stdcall *p_krb5_rc_get_lifespan)
+ (krb5_context context, krb5_rcache rc,
+ krb5_deltat *lifespan)=NULL;
+static krb5_error_code (_stdcall *p_krb5_rc_destroy)
+ (krb5_context context, krb5_rcache rc)=NULL;
+static krb5_boolean (_stdcall *p_krb5_principal_compare)
+ (krb5_context, krb5_const_principal, krb5_const_principal)=NULL;
+static size_t (_stdcall *p_krb5_checksum_size)(krb5_context context,krb5_cksumtype ctype)=NULL;
+static krb5_boolean (_stdcall *p_valid_cksumtype)(krb5_cksumtype ctype)=NULL;
+static krb5_error_code (_stdcall *p_krb5_kt_free_entry)
+ (krb5_context,krb5_keytab_entry * )=NULL;
+static krb5_error_code (_stdcall * p_krb5_auth_con_setrcache)(krb5_context,
+ krb5_auth_context,
+ krb5_rcache)=NULL;
+static krb5_error_code (_stdcall * p_krb5_get_server_rcache)(krb5_context,
+ krb5_const krb5_data *,
+ krb5_rcache *)=NULL;
+static krb5_error_code (* p_krb5_auth_con_getrcache)(krb5_context,
+ krb5_auth_context,
+ krb5_rcache *)=NULL;
+static krb5_error_code (_stdcall * p_krb5_kt_close)(krb5_context context,
+ krb5_keytab keytab)=NULL;
+static krb5_error_code (_stdcall * p_krb5_kt_get_entry)(krb5_context context,
+ krb5_keytab keytab,
+ krb5_const_principal principal, krb5_kvno vno,
+ krb5_enctype enctype, krb5_keytab_entry *entry)=NULL;
+static int krb5_loaded = 0; /* only attempt to initialize func ptrs once */
+
+/* Function to Load the Kerberos 5 DLL and initialize function pointers */
+void
+load_krb5_dll(void)
+ {
+ HANDLE hKRB5_32;
+
+ krb5_loaded++;
+ hKRB5_32 = LoadLibrary("KRB5_32");
+ if (!hKRB5_32)
+ return;
+
+ (FARPROC) p_krb5_free_data_contents =
+ GetProcAddress( hKRB5_32, "krb5_free_data_contents" );
+ (FARPROC) p_krb5_free_context =
+ GetProcAddress( hKRB5_32, "krb5_free_context" );
+ (FARPROC) p_krb5_auth_con_free =
+ GetProcAddress( hKRB5_32, "krb5_auth_con_free" );
+ (FARPROC) p_krb5_free_principal =
+ GetProcAddress( hKRB5_32, "krb5_free_principal" );
+ (FARPROC) p_krb5_mk_req_extended =
+ GetProcAddress( hKRB5_32, "krb5_mk_req_extended" );
+ (FARPROC) p_krb5_get_credentials =
+ GetProcAddress( hKRB5_32, "krb5_get_credentials" );
+ (FARPROC) p_krb5_cc_get_principal =
+ GetProcAddress( hKRB5_32, "krb5_cc_get_principal" );
+ (FARPROC) p_krb5_cc_default =
+ GetProcAddress( hKRB5_32, "krb5_cc_default" );
+ (FARPROC) p_krb5_sname_to_principal =
+ GetProcAddress( hKRB5_32, "krb5_sname_to_principal" );
+ (FARPROC) p_krb5_init_context =
+ GetProcAddress( hKRB5_32, "krb5_init_context" );
+ (FARPROC) p_krb5_free_ticket =
+ GetProcAddress( hKRB5_32, "krb5_free_ticket" );
+ (FARPROC) p_krb5_rd_req =
+ GetProcAddress( hKRB5_32, "krb5_rd_req" );
+ (FARPROC) p_krb5_principal_compare =
+ GetProcAddress( hKRB5_32, "krb5_principal_compare" );
+ (FARPROC) p_krb5_decrypt_tkt_part =
+ GetProcAddress( hKRB5_32, "krb5_decrypt_tkt_part" );
+ (FARPROC) p_krb5_timeofday =
+ GetProcAddress( hKRB5_32, "krb5_timeofday" );
+ (FARPROC) p_krb5_rc_default =
+ GetProcAddress( hKRB5_32, "krb5_rc_default" );
+ (FARPROC) p_krb5_rc_initialize =
+ GetProcAddress( hKRB5_32, "krb5_rc_initialize" );
+ (FARPROC) p_krb5_rc_get_lifespan =
+ GetProcAddress( hKRB5_32, "krb5_rc_get_lifespan" );
+ (FARPROC) p_krb5_rc_destroy =
+ GetProcAddress( hKRB5_32, "krb5_rc_destroy" );
+ (FARPROC) p_krb5_kt_default =
+ GetProcAddress( hKRB5_32, "krb5_kt_default" );
+ (FARPROC) p_krb5_kt_resolve =
+ GetProcAddress( hKRB5_32, "krb5_kt_resolve" );
+ (FARPROC) p_krb5_auth_con_init =
+ GetProcAddress( hKRB5_32, "krb5_auth_con_init" );
+ (FARPROC) p_valid_cksumtype =
+ GetProcAddress( hKRB5_32, "valid_cksumtype" );
+ (FARPROC) p_krb5_checksum_size =
+ GetProcAddress( hKRB5_32, "krb5_checksum_size" );
+ (FARPROC) p_krb5_kt_free_entry =
+ GetProcAddress( hKRB5_32, "krb5_kt_free_entry" );
+ (FARPROC) p_krb5_auth_con_setrcache =
+ GetProcAddress( hKRB5_32, "krb5_auth_con_setrcache" );
+ (FARPROC) p_krb5_get_server_rcache =
+ GetProcAddress( hKRB5_32, "krb5_get_server_rcache" );
+ (FARPROC) p_krb5_auth_con_getrcache =
+ GetProcAddress( hKRB5_32, "krb5_auth_con_getrcache" );
+ (FARPROC) p_krb5_kt_close =
+ GetProcAddress( hKRB5_32, "krb5_kt_close" );
+ (FARPROC) p_krb5_kt_get_entry =
+ GetProcAddress( hKRB5_32, "krb5_kt_get_entry" );
+ }
+
+/* Stubs for each function to be dynamicly loaded */
+void
+kssl_krb5_free_data_contents(krb5_context CO, krb5_data * data)
+ {
+ if (!krb5_loaded)
+ load_krb5_dll();
+
+ if ( p_krb5_free_data_contents )
+ p_krb5_free_data_contents(CO,data);
+ }
+
+krb5_error_code
+kssl_krb5_mk_req_extended (krb5_context CO,
+ krb5_auth_context * pACO,
+ krb5_const krb5_flags F,
+ krb5_data * pD1,
+ krb5_creds * pC,
+ krb5_data * pD2)
+ {
+ if (!krb5_loaded)
+ load_krb5_dll();
+
+ if ( p_krb5_mk_req_extended )
+ return(p_krb5_mk_req_extended(CO,pACO,F,pD1,pC,pD2));
+ else
+ return KRB5KRB_ERR_GENERIC;
+ }
+krb5_error_code
+kssl_krb5_auth_con_init(krb5_context CO,
+ krb5_auth_context * pACO)
+ {
+ if (!krb5_loaded)
+ load_krb5_dll();
+
+ if ( p_krb5_auth_con_init )
+ return(p_krb5_auth_con_init(CO,pACO));
+ else
+ return KRB5KRB_ERR_GENERIC;
+ }
+krb5_error_code
+kssl_krb5_auth_con_free (krb5_context CO,
+ krb5_auth_context ACO)
+ {
+ if (!krb5_loaded)
+ load_krb5_dll();
+
+ if ( p_krb5_auth_con_free )
+ return(p_krb5_auth_con_free(CO,ACO));
+ else
+ return KRB5KRB_ERR_GENERIC;
+ }
+krb5_error_code
+kssl_krb5_get_credentials(krb5_context CO,
+ krb5_const krb5_flags F,
+ krb5_ccache CC,
+ krb5_creds * pCR,
+ krb5_creds ** ppCR)
+ {
+ if (!krb5_loaded)
+ load_krb5_dll();
+
+ if ( p_krb5_get_credentials )
+ return(p_krb5_get_credentials(CO,F,CC,pCR,ppCR));
+ else
+ return KRB5KRB_ERR_GENERIC;
+ }
+krb5_error_code
+kssl_krb5_sname_to_principal(krb5_context CO,
+ krb5_const char * pC1,
+ krb5_const char * pC2,
+ krb5_int32 I,
+ krb5_principal * pPR)
+ {
+ if (!krb5_loaded)
+ load_krb5_dll();
+
+ if ( p_krb5_sname_to_principal )
+ return(p_krb5_sname_to_principal(CO,pC1,pC2,I,pPR));
+ else
+ return KRB5KRB_ERR_GENERIC;
+ }
+
+krb5_error_code
+kssl_krb5_cc_default(krb5_context CO,
+ krb5_ccache * pCC)
+ {
+ if (!krb5_loaded)
+ load_krb5_dll();
+
+ if ( p_krb5_cc_default )
+ return(p_krb5_cc_default(CO,pCC));
+ else
+ return KRB5KRB_ERR_GENERIC;
+ }
+
+krb5_error_code
+kssl_krb5_init_context(krb5_context * pCO)
+ {
+ if (!krb5_loaded)
+ load_krb5_dll();
+
+ if ( p_krb5_init_context )
+ return(p_krb5_init_context(pCO));
+ else
+ return KRB5KRB_ERR_GENERIC;
+ }
+
+void
+kssl_krb5_free_context(krb5_context CO)
+ {
+ if (!krb5_loaded)
+ load_krb5_dll();
+
+ if ( p_krb5_free_context )
+ p_krb5_free_context(CO);
+ }
+
+void
+kssl_krb5_free_principal(krb5_context c, krb5_principal p)
+ {
+ if (!krb5_loaded)
+ load_krb5_dll();
+
+ if ( p_krb5_free_principal )
+ p_krb5_free_principal(c,p);
+ }
+
+krb5_error_code
+kssl_krb5_kt_resolve(krb5_context con,
+ krb5_const char * sz,
+ krb5_keytab * kt)
+ {
+ if (!krb5_loaded)
+ load_krb5_dll();
+
+ if ( p_krb5_kt_resolve )
+ return(p_krb5_kt_resolve(con,sz,kt));
+ else
+ return KRB5KRB_ERR_GENERIC;
+ }
+
+krb5_error_code
+kssl_krb5_kt_default(krb5_context con,
+ krb5_keytab * kt)
+ {
+ if (!krb5_loaded)
+ load_krb5_dll();
+
+ if ( p_krb5_kt_default )
+ return(p_krb5_kt_default(con,kt));
+ else
+ return KRB5KRB_ERR_GENERIC;
+ }
+
+krb5_error_code
+kssl_krb5_free_ticket(krb5_context con,
+ krb5_ticket * kt)
+ {
+ if (!krb5_loaded)
+ load_krb5_dll();
+
+ if ( p_krb5_free_ticket )
+ return(p_krb5_free_ticket(con,kt));
+ else
+ return KRB5KRB_ERR_GENERIC;
+ }
+
+krb5_error_code
+kssl_krb5_rd_req(krb5_context con, krb5_auth_context * pacon,
+ krb5_const krb5_data * data,
+ krb5_const_principal princ, krb5_keytab keytab,
+ krb5_flags * flags, krb5_ticket ** pptkt)
+ {
+ if (!krb5_loaded)
+ load_krb5_dll();
+
+ if ( p_krb5_rd_req )
+ return(p_krb5_rd_req(con,pacon,data,princ,keytab,flags,pptkt));
+ else
+ return KRB5KRB_ERR_GENERIC;
+ }
+
+krb5_boolean
+krb5_principal_compare(krb5_context con, krb5_const_principal princ1,
+ krb5_const_principal princ2)
+ {
+ if (!krb5_loaded)
+ load_krb5_dll();
+
+ if ( p_krb5_principal_compare )
+ return(p_krb5_principal_compare(con,princ1,princ2));
+ else
+ return KRB5KRB_ERR_GENERIC;
+ }
+
+krb5_error_code
+krb5_decrypt_tkt_part(krb5_context con, krb5_const krb5_keyblock *keys,
+ krb5_ticket *ticket)
+ {
+ if (!krb5_loaded)
+ load_krb5_dll();
+
+ if ( p_krb5_decrypt_tkt_part )
+ return(p_krb5_decrypt_tkt_part(con,keys,ticket));
+ else
+ return KRB5KRB_ERR_GENERIC;
+ }
+
+krb5_error_code
+krb5_timeofday(krb5_context con, krb5_int32 *timeret)
+ {
+ if (!krb5_loaded)
+ load_krb5_dll();
+
+ if ( p_krb5_timeofday )
+ return(p_krb5_timeofday(con,timeret));
+ else
+ return KRB5KRB_ERR_GENERIC;
+ }
+
+krb5_error_code
+krb5_rc_default(krb5_context con, krb5_rcache *rc)
+ {
+ if (!krb5_loaded)
+ load_krb5_dll();
+
+ if ( p_krb5_rc_default )
+ return(p_krb5_rc_default(con,rc));
+ else
+ return KRB5KRB_ERR_GENERIC;
+ }
+
+krb5_error_code
+krb5_rc_initialize(krb5_context con, krb5_rcache rc, krb5_deltat lifespan)
+ {
+ if (!krb5_loaded)
+ load_krb5_dll();
+
+ if ( p_krb5_rc_initialize )
+ return(p_krb5_rc_initialize(con, rc, lifespan));
+ else
+ return KRB5KRB_ERR_GENERIC;
+ }
+
+krb5_error_code
+krb5_rc_get_lifespan(krb5_context con, krb5_rcache rc, krb5_deltat *lifespanp)
+ {
+ if (!krb5_loaded)
+ load_krb5_dll();
+
+ if ( p_krb5_rc_get_lifespan )
+ return(p_krb5_rc_get_lifespan(con, rc, lifespanp));
+ else
+ return KRB5KRB_ERR_GENERIC;
+ }
+
+krb5_error_code
+krb5_rc_destroy(krb5_context con, krb5_rcache rc)
+ {
+ if (!krb5_loaded)
+ load_krb5_dll();
+
+ if ( p_krb5_rc_destroy )
+ return(p_krb5_rc_destroy(con, rc));
+ else
+ return KRB5KRB_ERR_GENERIC;
+ }
+
+size_t
+krb5_checksum_size(krb5_context context,krb5_cksumtype ctype)
+ {
+ if (!krb5_loaded)
+ load_krb5_dll();
+
+ if ( p_krb5_checksum_size )
+ return(p_krb5_checksum_size(context, ctype));
+ else
+ return KRB5KRB_ERR_GENERIC;
+ }
+
+krb5_boolean
+valid_cksumtype(krb5_cksumtype ctype)
+ {
+ if (!krb5_loaded)
+ load_krb5_dll();
+
+ if ( p_valid_cksumtype )
+ return(p_valid_cksumtype(ctype));
+ else
+ return KRB5KRB_ERR_GENERIC;
+ }
+
+krb5_error_code
+krb5_kt_free_entry(krb5_context con,krb5_keytab_entry * entry)
+ {
+ if (!krb5_loaded)
+ load_krb5_dll();
+
+ if ( p_krb5_kt_free_entry )
+ return(p_krb5_kt_free_entry(con,entry));
+ else
+ return KRB5KRB_ERR_GENERIC;
+ }
+
+/* Structure definitions */
+#ifndef NO_DEF_KRB5_CCACHE
+#ifndef krb5_x
+#define krb5_x(ptr,args) ((ptr)?((*(ptr)) args):(abort(),1))
+#define krb5_xc(ptr,args) ((ptr)?((*(ptr)) args):(abort(),(char*)0))
+#endif
+
+typedef krb5_pointer krb5_cc_cursor; /* cursor for sequential lookup */
+
+typedef struct _krb5_ccache
+ {
+ krb5_magic magic;
+ struct _krb5_cc_ops FAR *ops;
+ krb5_pointer data;
+ } *krb5_ccache;
+
+typedef struct _krb5_cc_ops
+ {
+ krb5_magic magic;
+ char *prefix;
+ char * (KRB5_CALLCONV *get_name)
+ (krb5_context, krb5_ccache);
+ krb5_error_code (KRB5_CALLCONV *resolve)
+ (krb5_context, krb5_ccache *, const char *);
+ krb5_error_code (KRB5_CALLCONV *gen_new)
+ (krb5_context, krb5_ccache *);
+ krb5_error_code (KRB5_CALLCONV *init)
+ (krb5_context, krb5_ccache, krb5_principal);
+ krb5_error_code (KRB5_CALLCONV *destroy)
+ (krb5_context, krb5_ccache);
+ krb5_error_code (KRB5_CALLCONV *close)
+ (krb5_context, krb5_ccache);
+ krb5_error_code (KRB5_CALLCONV *store)
+ (krb5_context, krb5_ccache, krb5_creds *);
+ krb5_error_code (KRB5_CALLCONV *retrieve)
+ (krb5_context, krb5_ccache,
+ krb5_flags, krb5_creds *, krb5_creds *);
+ krb5_error_code (KRB5_CALLCONV *get_princ)
+ (krb5_context, krb5_ccache, krb5_principal *);
+ krb5_error_code (KRB5_CALLCONV *get_first)
+ (krb5_context, krb5_ccache, krb5_cc_cursor *);
+ krb5_error_code (KRB5_CALLCONV *get_next)
+ (krb5_context, krb5_ccache,
+ krb5_cc_cursor *, krb5_creds *);
+ krb5_error_code (KRB5_CALLCONV *end_get)
+ (krb5_context, krb5_ccache, krb5_cc_cursor *);
+ krb5_error_code (KRB5_CALLCONV *remove_cred)
+ (krb5_context, krb5_ccache,
+ krb5_flags, krb5_creds *);
+ krb5_error_code (KRB5_CALLCONV *set_flags)
+ (krb5_context, krb5_ccache, krb5_flags);
+ } krb5_cc_ops;
+#endif /* NO_DEF_KRB5_CCACHE */
+
+krb5_error_code
+kssl_krb5_cc_get_principal
+ (krb5_context context, krb5_ccache cache,
+ krb5_principal *principal)
+ {
+ if ( p_krb5_cc_get_principal )
+ return(p_krb5_cc_get_principal(context,cache,principal));
+ else
+ return(krb5_x
+ ((cache)->ops->get_princ,(context, cache, principal)));
+ }
+
+krb5_error_code
+kssl_krb5_auth_con_setrcache(krb5_context con, krb5_auth_context acon,
+ krb5_rcache rcache)
+ {
+ if ( p_krb5_auth_con_setrcache )
+ return(p_krb5_auth_con_setrcache(con,acon,rcache));
+ else
+ return KRB5KRB_ERR_GENERIC;
+ }
+
+krb5_error_code
+kssl_krb5_get_server_rcache(krb5_context con, krb5_const krb5_data * data,
+ krb5_rcache * rcache)
+ {
+ if ( p_krb5_get_server_rcache )
+ return(p_krb5_get_server_rcache(con,data,rcache));
+ else
+ return KRB5KRB_ERR_GENERIC;
+ }
+
+krb5_error_code
+kssl_krb5_auth_con_getrcache(krb5_context con, krb5_auth_context acon,
+ krb5_rcache * prcache)
+ {
+ if ( p_krb5_auth_con_getrcache )
+ return(p_krb5_auth_con_getrcache(con,acon, prcache));
+ else
+ return KRB5KRB_ERR_GENERIC;
+ }
+
+krb5_error_code
+kssl_krb5_kt_close(krb5_context context, krb5_keytab keytab)
+ {
+ if ( p_krb5_kt_close )
+ return(p_krb5_kt_close(context,keytab));
+ else
+ return KRB5KRB_ERR_GENERIC;
+ }
+
+krb5_error_code
+kssl_krb5_kt_get_entry(krb5_context context, krb5_keytab keytab,
+ krb5_const_principal principal, krb5_kvno vno,
+ krb5_enctype enctype, krb5_keytab_entry *entry)
+ {
+ if ( p_krb5_kt_get_entry )
+ return(p_krb5_kt_get_entry(context,keytab,principal,vno,enctype,entry));
+ else
+ return KRB5KRB_ERR_GENERIC;
+ }
+#endif /* OPENSSL_SYS_WINDOWS || OPENSSL_SYS_WIN32 */
+
+char
+*kstring(char *string)
+ {
+ static char *null = "[NULL]";
+
+ return ((string == NULL)? null: string);
+ }
+
+/* Given KRB5 enctype (basically DES or 3DES),
+** return closest match openssl EVP_ encryption algorithm.
+** Return NULL for unknown or problematic (krb5_dk_encrypt) enctypes.
+** Assume ENCTYPE_*_RAW (krb5_raw_encrypt) are OK.
+*/
+const EVP_CIPHER *
+kssl_map_enc(krb5_enctype enctype)
+ {
+ switch (enctype)
+ {
+ case ENCTYPE_DES_HMAC_SHA1: /* EVP_des_cbc(); */
+ case ENCTYPE_DES_CBC_CRC:
+ case ENCTYPE_DES_CBC_MD4:
+ case ENCTYPE_DES_CBC_MD5:
+ case ENCTYPE_DES_CBC_RAW:
+ return EVP_des_cbc();
+ break;
+ case ENCTYPE_DES3_CBC_SHA1: /* EVP_des_ede3_cbc(); */
+ case ENCTYPE_DES3_CBC_SHA:
+ case ENCTYPE_DES3_CBC_RAW:
+ return EVP_des_ede3_cbc();
+ break;
+ default: return NULL;
+ break;
+ }
+ }
+
+
+/* Return true:1 if p "looks like" the start of the real authenticator
+** described in kssl_skip_confound() below. The ASN.1 pattern is
+** "62 xx 30 yy" (APPLICATION-2, SEQUENCE), where xx-yy =~ 2, and
+** xx and yy are possibly multi-byte length fields.
+*/
+int kssl_test_confound(unsigned char *p)
+ {
+ int len = 2;
+ int xx = 0, yy = 0;
+
+ if (*p++ != 0x62) return 0;
+ if (*p > 0x82) return 0;
+ switch(*p) {
+ case 0x82: p++; xx = (*p++ << 8); xx += *p++; break;
+ case 0x81: p++; xx = *p++; break;
+ case 0x80: return 0;
+ default: xx = *p++; break;
+ }
+ if (*p++ != 0x30) return 0;
+ if (*p > 0x82) return 0;
+ switch(*p) {
+ case 0x82: p++; len+=2; yy = (*p++ << 8); yy += *p++; break;
+ case 0x81: p++; len++; yy = *p++; break;
+ case 0x80: return 0;
+ default: yy = *p++; break;
+ }
+
+ return (xx - len == yy)? 1: 0;
+ }
+
+/* Allocate, fill, and return cksumlens array of checksum lengths.
+** This array holds just the unique elements from the krb5_cksumarray[].
+** array[n] == 0 signals end of data.
+**
+** The krb5_cksumarray[] was an internal variable that has since been
+** replaced by a more general method for storing the data. It should
+** not be used. Instead we use real API calls and make a guess for
+** what the highest assigned CKSUMTYPE_ constant is. As of 1.2.2
+** it is 0x000c (CKSUMTYPE_HMAC_SHA1_DES3). So we will use 0x0010.
+*/
+size_t *populate_cksumlens(void)
+ {
+ int i, j, n;
+ static size_t *cklens = NULL;
+
+#ifdef KRB5_MIT_OLD11
+ n = krb5_max_cksum;
+#else
+ n = 0x0010;
+#endif /* KRB5_MIT_OLD11 */
+
+#ifdef KRB5CHECKAUTH
+ if (!cklens && !(cklens = (size_t *) calloc(sizeof(int),n+1))) return NULL;
+
+ for (i=0; i < n; i++) {
+ if (!valid_cksumtype(i)) continue; /* array has holes */
+ for (j=0; j < n; j++) {
+ if (cklens[j] == 0) {
+ cklens[j] = krb5_checksum_size(NULL,i);
+ break; /* krb5 elem was new: add */
+ }
+ if (cklens[j] == krb5_checksum_size(NULL,i)) {
+ break; /* ignore duplicate elements */
+ }
+ }
+ }
+#endif /* KRB5CHECKAUTH */
+
+ return cklens;
+ }
+
+/* Return pointer to start of real authenticator within authenticator, or
+** return NULL on error.
+** Decrypted authenticator looks like this:
+** [0 or 8 byte confounder] [4-24 byte checksum] [real authent'r]
+** This hackery wouldn't be necessary if MIT KRB5 1.0.6 had the
+** krb5_auth_con_getcksumtype() function advertised in its krb5.h.
+*/
+unsigned char *kssl_skip_confound(krb5_enctype etype, unsigned char *a)
+ {
+ int i, conlen;
+ size_t cklen;
+ static size_t *cksumlens = NULL;
+ unsigned char *test_auth;
+
+ conlen = (etype)? 8: 0;
+
+ if (!cksumlens && !(cksumlens = populate_cksumlens())) return NULL;
+ for (i=0; (cklen = cksumlens[i]) != 0; i++)
+ {
+ test_auth = a + conlen + cklen;
+ if (kssl_test_confound(test_auth)) return test_auth;
+ }
+
+ return NULL;
+ }
+
+
+/* Set kssl_err error info when reason text is a simple string
+** kssl_err = struct { int reason; char text[KSSL_ERR_MAX+1]; }
+*/
+void
+kssl_err_set(KSSL_ERR *kssl_err, int reason, char *text)
+ {
+ if (kssl_err == NULL) return;
+
+ kssl_err->reason = reason;
+ BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, text);
+ return;
+ }
+
+
+/* Display contents of krb5_data struct, for debugging
+*/
+void
+print_krb5_data(char *label, krb5_data *kdata)
+ {
+ int i;
+
+ printf("%s[%d] ", label, kdata->length);
+ for (i=0; i < kdata->length; i++)
+ {
+ if (0 && isprint((int) kdata->data[i]))
+ printf( "%c ", kdata->data[i]);
+ else
+ printf( "%02x ", (unsigned char) kdata->data[i]);
+ }
+ printf("\n");
+ }
+
+
+/* Display contents of krb5_authdata struct, for debugging
+*/
+void
+print_krb5_authdata(char *label, krb5_authdata **adata)
+ {
+ if (adata == NULL)
+ {
+ printf("%s, authdata==0\n", label);
+ return;
+ }
+ printf("%s [%p]\n", label, adata);
+#if 0
+ {
+ int i;
+ printf("%s[at%d:%d] ", label, adata->ad_type, adata->length);
+ for (i=0; i < adata->length; i++)
+ {
+ printf((isprint(adata->contents[i]))? "%c ": "%02x",
+ adata->contents[i]);
+ }
+ printf("\n");
+ }
+#endif
+ }
+
+
+/* Display contents of krb5_keyblock struct, for debugging
+*/
+void
+print_krb5_keyblock(char *label, krb5_keyblock *keyblk)
+ {
+ int i;
+
+ if (keyblk == NULL)
+ {
+ printf("%s, keyblk==0\n", label);
+ return;
+ }
+#ifdef KRB5_HEIMDAL
+ printf("%s\n\t[et%d:%d]: ", label, keyblk->keytype,
+ keyblk->keyvalue->length);
+ for (i=0; i < keyblk->keyvalue->length; i++)
+ {
+ printf("%02x",(unsigned char *)(keyblk->keyvalue->contents)[i]);
+ }
+ printf("\n");
+#else
+ printf("%s\n\t[et%d:%d]: ", label, keyblk->enctype, keyblk->length);
+ for (i=0; i < keyblk->length; i++)
+ {
+ printf("%02x",keyblk->contents[i]);
+ }
+ printf("\n");
+#endif
+ }
+
+
+/* Display contents of krb5_principal_data struct, for debugging
+** (krb5_principal is typedef'd == krb5_principal_data *)
+*/
+void
+print_krb5_princ(char *label, krb5_principal_data *princ)
+ {
+ int i, ui, uj;
+
+ printf("%s principal Realm: ", label);
+ if (princ == NULL) return;
+ for (ui=0; ui < princ->realm.length; ui++) putchar(princ->realm.data[ui]);
+ printf(" (nametype %d) has %d strings:\n", princ->type,princ->length);
+ for (i=0; i < princ->length; i++)
+ {
+ printf("\t%d [%d]: ", i, princ->data[i].length);
+ for (uj=0; uj < princ->data[i].length; uj++) {
+ putchar(princ->data[i].data[uj]);
+ }
+ printf("\n");
+ }
+ return;
+ }
+
+
+/* Given krb5 service (typically "kssl") and hostname in kssl_ctx,
+** Return encrypted Kerberos ticket for service @ hostname.
+** If authenp is non-NULL, also return encrypted authenticator,
+** whose data should be freed by caller.
+** (Originally was: Create Kerberos AP_REQ message for SSL Client.)
+**
+** 19990628 VRS Started; Returns Kerberos AP_REQ message.
+** 20010409 VRS Modified for RFC2712; Returns enc tkt.
+** 20010606 VRS May also return optional authenticator.
+*/
+krb5_error_code
+kssl_cget_tkt( /* UPDATE */ KSSL_CTX *kssl_ctx,
+ /* OUT */ krb5_data **enc_ticketp,
+ /* UPDATE */ krb5_data *authenp,
+ /* OUT */ KSSL_ERR *kssl_err)
+ {
+ krb5_error_code krb5rc = KRB5KRB_ERR_GENERIC;
+ krb5_context krb5context = NULL;
+ krb5_auth_context krb5auth_context = NULL;
+ krb5_ccache krb5ccdef = NULL;
+ krb5_creds krb5creds, *krb5credsp = NULL;
+ krb5_data krb5_app_req;
+
+ kssl_err_set(kssl_err, 0, "");
+ memset((char *)&krb5creds, 0, sizeof(krb5creds));
+
+ if (!kssl_ctx)
+ {
+ kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
+ "No kssl_ctx defined.\n");
+ goto err;
+ }
+ else if (!kssl_ctx->service_host)
+ {
+ kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
+ "kssl_ctx service_host undefined.\n");
+ goto err;
+ }
+
+ if ((krb5rc = krb5_init_context(&krb5context)) != 0)
+ {
+ BIO_snprintf(kssl_err->text,KSSL_ERR_MAX,
+ "krb5_init_context() fails: %d\n", krb5rc);
+ kssl_err->reason = SSL_R_KRB5_C_INIT;
+ goto err;
+ }
+
+ if ((krb5rc = krb5_sname_to_principal(krb5context,
+ kssl_ctx->service_host,
+ (kssl_ctx->service_name)? kssl_ctx->service_name: KRB5SVC,
+ KRB5_NT_SRV_HST, &krb5creds.server)) != 0)
+ {
+ BIO_snprintf(kssl_err->text,KSSL_ERR_MAX,
+ "krb5_sname_to_principal() fails for %s/%s\n",
+ kssl_ctx->service_host,
+ (kssl_ctx->service_name)? kssl_ctx->service_name:
+ KRB5SVC);
+ kssl_err->reason = SSL_R_KRB5_C_INIT;
+ goto err;
+ }
+
+ if ((krb5rc = krb5_cc_default(krb5context, &krb5ccdef)) != 0)
+ {
+ kssl_err_set(kssl_err, SSL_R_KRB5_C_CC_PRINC,
+ "krb5_cc_default fails.\n");
+ goto err;
+ }
+
+ if ((krb5rc = krb5_cc_get_principal(krb5context, krb5ccdef,
+ &krb5creds.client)) != 0)
+ {
+ kssl_err_set(kssl_err, SSL_R_KRB5_C_CC_PRINC,
+ "krb5_cc_get_principal() fails.\n");
+ goto err;
+ }
+
+ if ((krb5rc = krb5_get_credentials(krb5context, 0, krb5ccdef,
+ &krb5creds, &krb5credsp)) != 0)
+ {
+ kssl_err_set(kssl_err, SSL_R_KRB5_C_GET_CRED,
+ "krb5_get_credentials() fails.\n");
+ goto err;
+ }
+
+ *enc_ticketp = &krb5credsp->ticket;
+#ifdef KRB5_HEIMDAL
+ kssl_ctx->enctype = krb5credsp->session.keytype;
+#else
+ kssl_ctx->enctype = krb5credsp->keyblock.enctype;
+#endif
+
+ krb5rc = KRB5KRB_ERR_GENERIC;
+ /* caller should free data of krb5_app_req */
+ /* 20010406 VRS deleted for real KerberosWrapper
+ ** 20010605 VRS reinstated to offer Authenticator to KerberosWrapper
+ */
+ krb5_app_req.length = 0;
+ if (authenp)
+ {
+ krb5_data krb5in_data;
+ unsigned char *p;
+ long arlen;
+ KRB5_APREQBODY *ap_req;
+
+ authenp->length = 0;
+ krb5in_data.data = NULL;
+ krb5in_data.length = 0;
+ if ((krb5rc = krb5_mk_req_extended(krb5context,
+ &krb5auth_context, 0, &krb5in_data, krb5credsp,
+ &krb5_app_req)) != 0)
+ {
+ kssl_err_set(kssl_err, SSL_R_KRB5_C_MK_REQ,
+ "krb5_mk_req_extended() fails.\n");
+ goto err;
+ }
+
+ arlen = krb5_app_req.length;
+ p = (unsigned char *)krb5_app_req.data;
+ ap_req = (KRB5_APREQBODY *) d2i_KRB5_APREQ(NULL, &p, arlen);
+ if (ap_req)
+ {
+ authenp->length = i2d_KRB5_ENCDATA(
+ ap_req->authenticator, NULL);
+ if (authenp->length &&
+ (authenp->data = malloc(authenp->length)))
+ {
+ unsigned char *adp = (unsigned char *)authenp->data;
+ authenp->length = i2d_KRB5_ENCDATA(
+ ap_req->authenticator, &adp);
+ }
+ }
+
+ if (ap_req) KRB5_APREQ_free((KRB5_APREQ *) ap_req);
+ if (krb5_app_req.length)
+ kssl_krb5_free_data_contents(krb5context,&krb5_app_req);
+ }
+#ifdef KRB5_HEIMDAL
+ if (kssl_ctx_setkey(kssl_ctx, &krb5credsp->session))
+ {
+ kssl_err_set(kssl_err, SSL_R_KRB5_C_INIT,
+ "kssl_ctx_setkey() fails.\n");
+ }
+#else
+ if (kssl_ctx_setkey(kssl_ctx, &krb5credsp->keyblock))
+ {
+ kssl_err_set(kssl_err, SSL_R_KRB5_C_INIT,
+ "kssl_ctx_setkey() fails.\n");
+ }
+#endif
+ else krb5rc = 0;
+
+ err:
+#ifdef KSSL_DEBUG
+ kssl_ctx_show(kssl_ctx);
+#endif /* KSSL_DEBUG */
+
+ if (krb5creds.client) krb5_free_principal(krb5context,
+ krb5creds.client);
+ if (krb5creds.server) krb5_free_principal(krb5context,
+ krb5creds.server);
+ if (krb5auth_context) krb5_auth_con_free(krb5context,
+ krb5auth_context);
+ if (krb5context) krb5_free_context(krb5context);
+ return (krb5rc);
+ }
+
+
+/* Given d2i_-decoded asn1ticket, allocate and return a new krb5_ticket.
+** Return Kerberos error code and kssl_err struct on error.
+** Allocates krb5_ticket and krb5_principal; caller should free these.
+**
+** 20010410 VRS Implemented krb5_decode_ticket() as
+** old_krb5_decode_ticket(). Missing from MIT1.0.6.
+** 20010615 VRS Re-cast as openssl/asn1 d2i_*() functions.
+** Re-used some of the old krb5_decode_ticket()
+** code here. This tkt should alloc/free just
+** like the real thing.
+*/
+krb5_error_code
+kssl_TKT2tkt( /* IN */ krb5_context krb5context,
+ /* IN */ KRB5_TKTBODY *asn1ticket,
+ /* OUT */ krb5_ticket **krb5ticket,
+ /* OUT */ KSSL_ERR *kssl_err )
+ {
+ krb5_error_code krb5rc = KRB5KRB_ERR_GENERIC;
+ krb5_ticket *new5ticket = NULL;
+ ASN1_GENERALSTRING *gstr_svc, *gstr_host;
+
+ *krb5ticket = NULL;
+
+ if (asn1ticket == NULL || asn1ticket->realm == NULL ||
+ asn1ticket->sname == NULL ||
+ sk_ASN1_GENERALSTRING_num(asn1ticket->sname->namestring) < 2)
+ {
+ BIO_snprintf(kssl_err->text, KSSL_ERR_MAX,
+ "Null field in asn1ticket.\n");
+ kssl_err->reason = SSL_R_KRB5_S_RD_REQ;
+ return KRB5KRB_ERR_GENERIC;
+ }
+
+ if ((new5ticket = (krb5_ticket *) calloc(1, sizeof(krb5_ticket)))==NULL)
+ {
+ BIO_snprintf(kssl_err->text, KSSL_ERR_MAX,
+ "Unable to allocate new krb5_ticket.\n");
+ kssl_err->reason = SSL_R_KRB5_S_RD_REQ;
+ return ENOMEM; /* or KRB5KRB_ERR_GENERIC; */
+ }
+
+ gstr_svc = sk_ASN1_GENERALSTRING_value(asn1ticket->sname->namestring, 0);
+ gstr_host = sk_ASN1_GENERALSTRING_value(asn1ticket->sname->namestring, 1);
+
+ if ((krb5rc = kssl_build_principal_2(krb5context,
+ &new5ticket->server,
+ asn1ticket->realm->length, (char *)asn1ticket->realm->data,
+ gstr_svc->length, (char *)gstr_svc->data,
+ gstr_host->length, (char *)gstr_host->data)) != 0)
+ {
+ free(new5ticket);
+ BIO_snprintf(kssl_err->text, KSSL_ERR_MAX,
+ "Error building ticket server principal.\n");
+ kssl_err->reason = SSL_R_KRB5_S_RD_REQ;
+ return krb5rc; /* or KRB5KRB_ERR_GENERIC; */
+ }
+
+ krb5_princ_type(krb5context, new5ticket->server) =
+ asn1ticket->sname->nametype->data[0];
+ new5ticket->enc_part.enctype = asn1ticket->encdata->etype->data[0];
+ new5ticket->enc_part.kvno = asn1ticket->encdata->kvno->data[0];
+ new5ticket->enc_part.ciphertext.length =
+ asn1ticket->encdata->cipher->length;
+ if ((new5ticket->enc_part.ciphertext.data =
+ calloc(1, asn1ticket->encdata->cipher->length)) == NULL)
+ {
+ free(new5ticket);
+ BIO_snprintf(kssl_err->text, KSSL_ERR_MAX,
+ "Error allocating cipher in krb5ticket.\n");
+ kssl_err->reason = SSL_R_KRB5_S_RD_REQ;
+ return KRB5KRB_ERR_GENERIC;
+ }
+ else
+ {
+ memcpy(new5ticket->enc_part.ciphertext.data,
+ asn1ticket->encdata->cipher->data,
+ asn1ticket->encdata->cipher->length);
+ }
+
+ *krb5ticket = new5ticket;
+ return 0;
+ }
+
+
+/* Given krb5 service name in KSSL_CTX *kssl_ctx (typically "kssl"),
+** and krb5 AP_REQ message & message length,
+** Return Kerberos session key and client principle
+** to SSL Server in KSSL_CTX *kssl_ctx.
+**
+** 19990702 VRS Started.
+*/
+krb5_error_code
+kssl_sget_tkt( /* UPDATE */ KSSL_CTX *kssl_ctx,
+ /* IN */ krb5_data *indata,
+ /* OUT */ krb5_ticket_times *ttimes,
+ /* OUT */ KSSL_ERR *kssl_err )
+ {
+ krb5_error_code krb5rc = KRB5KRB_ERR_GENERIC;
+ static krb5_context krb5context = NULL;
+ static krb5_auth_context krb5auth_context = NULL;
+ krb5_ticket *krb5ticket = NULL;
+ KRB5_TKTBODY *asn1ticket = NULL;
+ unsigned char *p;
+ krb5_keytab krb5keytab = NULL;
+ krb5_keytab_entry kt_entry;
+ krb5_principal krb5server;
+ krb5_rcache rcache = NULL;
+
+ kssl_err_set(kssl_err, 0, "");
+
+ if (!kssl_ctx)
+ {
+ kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
+ "No kssl_ctx defined.\n");
+ goto err;
+ }
+
+#ifdef KSSL_DEBUG
+ printf("in kssl_sget_tkt(%s)\n", kstring(kssl_ctx->service_name));
+#endif /* KSSL_DEBUG */
+
+ if (!krb5context && (krb5rc = krb5_init_context(&krb5context)))
+ {
+ kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
+ "krb5_init_context() fails.\n");
+ goto err;
+ }
+ if (krb5auth_context &&
+ (krb5rc = krb5_auth_con_free(krb5context, krb5auth_context)))
+ {
+ kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
+ "krb5_auth_con_free() fails.\n");
+ goto err;
+ }
+ else krb5auth_context = NULL;
+ if (!krb5auth_context &&
+ (krb5rc = krb5_auth_con_init(krb5context, &krb5auth_context)))
+ {
+ kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
+ "krb5_auth_con_init() fails.\n");
+ goto err;
+ }
+
+
+ if ((krb5rc = krb5_auth_con_getrcache(krb5context, krb5auth_context,
+ &rcache)))
+ {
+ kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
+ "krb5_auth_con_getrcache() fails.\n");
+ goto err;
+ }
+
+ if ((krb5rc = krb5_sname_to_principal(krb5context, NULL,
+ (kssl_ctx->service_name)? kssl_ctx->service_name: KRB5SVC,
+ KRB5_NT_SRV_HST, &krb5server)) != 0)
+ {
+ kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
+ "krb5_sname_to_principal() fails.\n");
+ goto err;
+ }
+
+ if (rcache == NULL)
+ {
+ if ((krb5rc = krb5_get_server_rcache(krb5context,
+ krb5_princ_component(krb5context, krb5server, 0),
+ &rcache)))
+ {
+ kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
+ "krb5_get_server_rcache() fails.\n");
+ goto err;
+ }
+ }
+
+ if ((krb5rc = krb5_auth_con_setrcache(krb5context, krb5auth_context, rcache)))
+ {
+ kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
+ "krb5_auth_con_setrcache() fails.\n");
+ goto err;
+ }
+
+
+ /* kssl_ctx->keytab_file == NULL ==> use Kerberos default
+ */
+ if (kssl_ctx->keytab_file)
+ {
+ krb5rc = krb5_kt_resolve(krb5context, kssl_ctx->keytab_file,
+ &krb5keytab);
+ if (krb5rc)
+ {
+ kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
+ "krb5_kt_resolve() fails.\n");
+ goto err;
+ }
+ }
+ else
+ {
+ krb5rc = krb5_kt_default(krb5context,&krb5keytab);
+ if (krb5rc)
+ {
+ kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
+ "krb5_kt_default() fails.\n");
+ goto err;
+ }
+ }
+
+ /* Actual Kerberos5 krb5_recvauth() has initial conversation here
+ ** o check KRB5_SENDAUTH_BADAUTHVERS
+ ** unless KRB5_RECVAUTH_SKIP_VERSION
+ ** o check KRB5_SENDAUTH_BADAPPLVERS
+ ** o send "0" msg if all OK
+ */
+
+ /* 20010411 was using AP_REQ instead of true KerberosWrapper
+ **
+ ** if ((krb5rc = krb5_rd_req(krb5context, &krb5auth_context,
+ ** &krb5in_data, krb5server, krb5keytab,
+ ** &ap_option, &krb5ticket)) != 0) { Error }
+ */
+
+ p = (unsigned char *)indata->data;
+ if ((asn1ticket = (KRB5_TKTBODY *) d2i_KRB5_TICKET(NULL, &p,
+ (long) indata->length)) == NULL)
+ {
+ BIO_snprintf(kssl_err->text, KSSL_ERR_MAX,
+ "d2i_KRB5_TICKET() ASN.1 decode failure.\n");
+ kssl_err->reason = SSL_R_KRB5_S_RD_REQ;
+ goto err;
+ }
+
+ /* Was: krb5rc = krb5_decode_ticket(krb5in_data,&krb5ticket)) != 0) */
+ if ((krb5rc = kssl_TKT2tkt(krb5context, asn1ticket, &krb5ticket,
+ kssl_err)) != 0)
+ {
+ BIO_snprintf(kssl_err->text, KSSL_ERR_MAX,
+ "Error converting ASN.1 ticket to krb5_ticket.\n");
+ kssl_err->reason = SSL_R_KRB5_S_RD_REQ;
+ goto err;
+ }
+
+ if (! krb5_principal_compare(krb5context, krb5server,
+ krb5ticket->server)) {
+ krb5rc = KRB5_PRINC_NOMATCH;
+ BIO_snprintf(kssl_err->text, KSSL_ERR_MAX,
+ "server principal != ticket principal\n");
+ kssl_err->reason = SSL_R_KRB5_S_RD_REQ;
+ goto err;
+ }
+ if ((krb5rc = krb5_kt_get_entry(krb5context, krb5keytab,
+ krb5ticket->server, krb5ticket->enc_part.kvno,
+ krb5ticket->enc_part.enctype, &kt_entry)) != 0) {
+ BIO_snprintf(kssl_err->text, KSSL_ERR_MAX,
+ "krb5_kt_get_entry() fails with %x.\n", krb5rc);
+ kssl_err->reason = SSL_R_KRB5_S_RD_REQ;
+ goto err;
+ }
+ if ((krb5rc = krb5_decrypt_tkt_part(krb5context, &kt_entry.key,
+ krb5ticket)) != 0) {
+ BIO_snprintf(kssl_err->text, KSSL_ERR_MAX,
+ "krb5_decrypt_tkt_part() failed.\n");
+ kssl_err->reason = SSL_R_KRB5_S_RD_REQ;
+ goto err;
+ }
+ else {
+ krb5_kt_free_entry(krb5context, &kt_entry);
+#ifdef KSSL_DEBUG
+ {
+ int i; krb5_address **paddr = krb5ticket->enc_part2->caddrs;
+ printf("Decrypted ticket fields:\n");
+ printf("\tflags: %X, transit-type: %X",
+ krb5ticket->enc_part2->flags,
+ krb5ticket->enc_part2->transited.tr_type);
+ print_krb5_data("\ttransit-data: ",
+ &(krb5ticket->enc_part2->transited.tr_contents));
+ printf("\tcaddrs: %p, authdata: %p\n",
+ krb5ticket->enc_part2->caddrs,
+ krb5ticket->enc_part2->authorization_data);
+ if (paddr)
+ {
+ printf("\tcaddrs:\n");
+ for (i=0; paddr[i] != NULL; i++)
+ {
+ krb5_data d;
+ d.length=paddr[i]->length;
+ d.data=paddr[i]->contents;
+ print_krb5_data("\t\tIP: ", &d);
+ }
+ }
+ printf("\tstart/auth/end times: %d / %d / %d\n",
+ krb5ticket->enc_part2->times.starttime,
+ krb5ticket->enc_part2->times.authtime,
+ krb5ticket->enc_part2->times.endtime);
+ }
+#endif /* KSSL_DEBUG */
+ }
+
+ krb5rc = KRB5_NO_TKT_SUPPLIED;
+ if (!krb5ticket || !krb5ticket->enc_part2 ||
+ !krb5ticket->enc_part2->client ||
+ !krb5ticket->enc_part2->client->data ||
+ !krb5ticket->enc_part2->session)
+ {
+ kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET,
+ "bad ticket from krb5_rd_req.\n");
+ }
+ else if (kssl_ctx_setprinc(kssl_ctx, KSSL_CLIENT,
+ &krb5ticket->enc_part2->client->realm,
+ krb5ticket->enc_part2->client->data))
+ {
+ kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET,
+ "kssl_ctx_setprinc() fails.\n");
+ }
+ else if (kssl_ctx_setkey(kssl_ctx, krb5ticket->enc_part2->session))
+ {
+ kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET,
+ "kssl_ctx_setkey() fails.\n");
+ }
+ else if (krb5ticket->enc_part2->flags & TKT_FLG_INVALID)
+ {
+ krb5rc = KRB5KRB_AP_ERR_TKT_INVALID;
+ kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET,
+ "invalid ticket from krb5_rd_req.\n");
+ }
+ else krb5rc = 0;
+
+ kssl_ctx->enctype = krb5ticket->enc_part.enctype;
+ ttimes->authtime = krb5ticket->enc_part2->times.authtime;
+ ttimes->starttime = krb5ticket->enc_part2->times.starttime;
+ ttimes->endtime = krb5ticket->enc_part2->times.endtime;
+ ttimes->renew_till = krb5ticket->enc_part2->times.renew_till;
+
+ err:
+#ifdef KSSL_DEBUG
+ kssl_ctx_show(kssl_ctx);
+#endif /* KSSL_DEBUG */
+
+ if (asn1ticket) KRB5_TICKET_free((KRB5_TICKET *) asn1ticket);
+ if (krb5keytab) krb5_kt_close(krb5context, krb5keytab);
+ if (krb5ticket) krb5_free_ticket(krb5context, krb5ticket);
+ if (krb5server) krb5_free_principal(krb5context, krb5server);
+ return (krb5rc);
+ }
+
+
+/* Allocate & return a new kssl_ctx struct.
+*/
+KSSL_CTX *
+kssl_ctx_new(void)
+ {
+ return ((KSSL_CTX *) calloc(1, sizeof(KSSL_CTX)));
+ }
+
+
+/* Frees a kssl_ctx struct and any allocated memory it holds.
+** Returns NULL.
+*/
+KSSL_CTX *
+kssl_ctx_free(KSSL_CTX *kssl_ctx)
+ {
+ if (kssl_ctx == NULL) return kssl_ctx;
+
+ if (kssl_ctx->key) OPENSSL_cleanse(kssl_ctx->key,
+ kssl_ctx->length);
+ if (kssl_ctx->key) free(kssl_ctx->key);
+ if (kssl_ctx->client_princ) free(kssl_ctx->client_princ);
+ if (kssl_ctx->service_host) free(kssl_ctx->service_host);
+ if (kssl_ctx->service_name) free(kssl_ctx->service_name);
+ if (kssl_ctx->keytab_file) free(kssl_ctx->keytab_file);
+
+ free(kssl_ctx);
+ return (KSSL_CTX *) NULL;
+ }
+
+
+/* Given a (krb5_data *) entity (and optional realm),
+** set the plain (char *) client_princ or service_host member
+** of the kssl_ctx struct.
+*/
+krb5_error_code
+kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which,
+ krb5_data *realm, krb5_data *entity)
+ {
+ char **princ;
+ int length;
+
+ if (kssl_ctx == NULL || entity == NULL) return KSSL_CTX_ERR;
+
+ switch (which)
+ {
+ case KSSL_CLIENT: princ = &kssl_ctx->client_princ; break;
+ case KSSL_SERVER: princ = &kssl_ctx->service_host; break;
+ default: return KSSL_CTX_ERR; break;
+ }
+ if (*princ) free(*princ);
+
+ length = entity->length + ((realm)? realm->length + 2: 1);
+ if ((*princ = calloc(1, length)) == NULL)
+ return KSSL_CTX_ERR;
+ else
+ {
+ strncpy(*princ, entity->data, entity->length);
+ (*princ)[entity->length]='\0';
+ if (realm)
+ {
+ strcat (*princ, "@");
+ (void) strncat(*princ, realm->data, realm->length);
+ (*princ)[entity->length+1+realm->length]='\0';
+ }
+ }
+
+ return KSSL_CTX_OK;
+ }
+
+
+/* Set one of the plain (char *) string members of the kssl_ctx struct.
+** Default values should be:
+** which == KSSL_SERVICE => "khost" (KRB5SVC)
+** which == KSSL_KEYTAB => "/etc/krb5.keytab" (KRB5KEYTAB)
+*/
+krb5_error_code
+kssl_ctx_setstring(KSSL_CTX *kssl_ctx, int which, char *text)
+ {
+ char **string;
+
+ if (!kssl_ctx) return KSSL_CTX_ERR;
+
+ switch (which)
+ {
+ case KSSL_SERVICE: string = &kssl_ctx->service_name; break;
+ case KSSL_SERVER: string = &kssl_ctx->service_host; break;
+ case KSSL_CLIENT: string = &kssl_ctx->client_princ; break;
+ case KSSL_KEYTAB: string = &kssl_ctx->keytab_file; break;
+ default: return KSSL_CTX_ERR; break;
+ }
+ if (*string) free(*string);
+
+ if (!text)
+ {
+ *string = '\0';
+ return KSSL_CTX_OK;
+ }
+
+ if ((*string = calloc(1, strlen(text) + 1)) == NULL)
+ return KSSL_CTX_ERR;
+ else
+ strcpy(*string, text);
+
+ return KSSL_CTX_OK;
+ }
+
+
+/* Copy the Kerberos session key from a (krb5_keyblock *) to a kssl_ctx
+** struct. Clear kssl_ctx->key if Kerberos session key is NULL.
+*/
+krb5_error_code
+kssl_ctx_setkey(KSSL_CTX *kssl_ctx, krb5_keyblock *session)
+ {
+ int length;
+ krb5_enctype enctype;
+ krb5_octet FAR *contents = NULL;
+
+ if (!kssl_ctx) return KSSL_CTX_ERR;
+
+ if (kssl_ctx->key)
+ {
+ OPENSSL_cleanse(kssl_ctx->key, kssl_ctx->length);
+ free(kssl_ctx->key);
+ }
+
+ if (session)
+ {
+
+#ifdef KRB5_HEIMDAL
+ length = session->keyvalue->length;
+ enctype = session->keytype;
+ contents = session->keyvalue->contents;
+#else
+ length = session->length;
+ enctype = session->enctype;
+ contents = session->contents;
+#endif
+ kssl_ctx->enctype = enctype;
+ kssl_ctx->length = length;
+ }
+ else
+ {
+ kssl_ctx->enctype = ENCTYPE_UNKNOWN;
+ kssl_ctx->length = 0;
+ return KSSL_CTX_OK;
+ }
+
+ if ((kssl_ctx->key =
+ (krb5_octet FAR *) calloc(1, kssl_ctx->length)) == NULL)
+ {
+ kssl_ctx->length = 0;
+ return KSSL_CTX_ERR;
+ }
+ else
+ memcpy(kssl_ctx->key, contents, length);
+
+ return KSSL_CTX_OK;
+ }
+
+
+/* Display contents of kssl_ctx struct
+*/
+void
+kssl_ctx_show(KSSL_CTX *kssl_ctx)
+ {
+ int i;
+
+ printf("kssl_ctx: ");
+ if (kssl_ctx == NULL)
+ {
+ printf("NULL\n");
+ return;
+ }
+ else
+ printf("%p\n", kssl_ctx);
+
+ printf("\tservice:\t%s\n",
+ (kssl_ctx->service_name)? kssl_ctx->service_name: "NULL");
+ printf("\tclient:\t%s\n",
+ (kssl_ctx->client_princ)? kssl_ctx->client_princ: "NULL");
+ printf("\tserver:\t%s\n",
+ (kssl_ctx->service_host)? kssl_ctx->service_host: "NULL");
+ printf("\tkeytab:\t%s\n",
+ (kssl_ctx->keytab_file)? kssl_ctx->keytab_file: "NULL");
+ printf("\tkey [%d:%d]:\t",
+ kssl_ctx->enctype, kssl_ctx->length);
+
+ for (i=0; i < kssl_ctx->length && kssl_ctx->key; i++)
+ {
+ printf("%02x", kssl_ctx->key[i]);
+ }
+ printf("\n");
+ return;
+ }
+
+ int
+ kssl_keytab_is_available(KSSL_CTX *kssl_ctx)
+{
+ krb5_context krb5context = NULL;
+ krb5_keytab krb5keytab = NULL;
+ krb5_keytab_entry entry;
+ krb5_principal princ = NULL;
+ krb5_error_code krb5rc = KRB5KRB_ERR_GENERIC;
+ int rc = 0;
+
+ if ((krb5rc = krb5_init_context(&krb5context)))
+ return(0);
+
+ /* kssl_ctx->keytab_file == NULL ==> use Kerberos default
+ */
+ if (kssl_ctx->keytab_file)
+ {
+ krb5rc = krb5_kt_resolve(krb5context, kssl_ctx->keytab_file,
+ &krb5keytab);
+ if (krb5rc)
+ goto exit;
+ }
+ else
+ {
+ krb5rc = krb5_kt_default(krb5context,&krb5keytab);
+ if (krb5rc)
+ goto exit;
+ }
+
+ /* the host key we are looking for */
+ krb5rc = krb5_sname_to_principal(krb5context, NULL,
+ kssl_ctx->service_name ? kssl_ctx->service_name: KRB5SVC,
+ KRB5_NT_SRV_HST, &princ);
+
+ krb5rc = krb5_kt_get_entry(krb5context, krb5keytab,
+ princ,
+ 0 /* IGNORE_VNO */,
+ 0 /* IGNORE_ENCTYPE */,
+ &entry);
+ if ( krb5rc == KRB5_KT_NOTFOUND ) {
+ rc = 1;
+ goto exit;
+ } else if ( krb5rc )
+ goto exit;
+
+ krb5_kt_free_entry(krb5context, &entry);
+ rc = 1;
+
+ exit:
+ if (krb5keytab) krb5_kt_close(krb5context, krb5keytab);
+ if (princ) krb5_free_principal(krb5context, princ);
+ if (krb5context) krb5_free_context(krb5context);
+ return(rc);
+}
+
+int
+kssl_tgt_is_available(KSSL_CTX *kssl_ctx)
+ {
+ krb5_error_code krb5rc = KRB5KRB_ERR_GENERIC;
+ krb5_context krb5context = NULL;
+ krb5_ccache krb5ccdef = NULL;
+ krb5_creds krb5creds, *krb5credsp = NULL;
+ int rc = 0;
+
+ memset((char *)&krb5creds, 0, sizeof(krb5creds));
+
+ if (!kssl_ctx)
+ return(0);
+
+ if (!kssl_ctx->service_host)
+ return(0);
+
+ if ((krb5rc = krb5_init_context(&krb5context)) != 0)
+ goto err;
+
+ if ((krb5rc = krb5_sname_to_principal(krb5context,
+ kssl_ctx->service_host,
+ (kssl_ctx->service_name)? kssl_ctx->service_name: KRB5SVC,
+ KRB5_NT_SRV_HST, &krb5creds.server)) != 0)
+ goto err;
+
+ if ((krb5rc = krb5_cc_default(krb5context, &krb5ccdef)) != 0)
+ goto err;
+
+ if ((krb5rc = krb5_cc_get_principal(krb5context, krb5ccdef,
+ &krb5creds.client)) != 0)
+ goto err;
+
+ if ((krb5rc = krb5_get_credentials(krb5context, 0, krb5ccdef,
+ &krb5creds, &krb5credsp)) != 0)
+ goto err;
+
+ rc = 1;
+
+ err:
+#ifdef KSSL_DEBUG
+ kssl_ctx_show(kssl_ctx);
+#endif /* KSSL_DEBUG */
+
+ if (krb5creds.client) krb5_free_principal(krb5context, krb5creds.client);
+ if (krb5creds.server) krb5_free_principal(krb5context, krb5creds.server);
+ if (krb5context) krb5_free_context(krb5context);
+ return(rc);
+ }
+
+#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_WIN32)
+void kssl_krb5_free_data_contents(krb5_context context, krb5_data *data)
+ {
+#ifdef KRB5_HEIMDAL
+ data->length = 0;
+ if (data->data)
+ free(data->data);
+#elif defined(KRB5_MIT_OLD11)
+ if (data->data) {
+ krb5_xfree(data->data);
+ data->data = 0;
+ }
+#else
+ krb5_free_data_contents(NULL, data);
+#endif
+ }
+#endif /* !OPENSSL_SYS_WINDOWS && !OPENSSL_SYS_WIN32 */
+
+
+/* Given pointers to KerberosTime and struct tm structs, convert the
+** KerberosTime string to struct tm. Note that KerberosTime is a
+** ASN1_GENERALIZEDTIME value, constrained to GMT with no fractional
+** seconds as defined in RFC 1510.
+** Return pointer to the (partially) filled in struct tm on success,
+** return NULL on failure.
+*/
+struct tm *k_gmtime(ASN1_GENERALIZEDTIME *gtime, struct tm *k_tm)
+ {
+ char c, *p;
+
+ if (!k_tm) return NULL;
+ if (gtime == NULL || gtime->length < 14) return NULL;
+ if (gtime->data == NULL) return NULL;
+
+ p = (char *)&gtime->data[14];
+
+ c = *p; *p = '\0'; p -= 2; k_tm->tm_sec = atoi(p); *(p+2) = c;
+ c = *p; *p = '\0'; p -= 2; k_tm->tm_min = atoi(p); *(p+2) = c;
+ c = *p; *p = '\0'; p -= 2; k_tm->tm_hour = atoi(p); *(p+2) = c;
+ c = *p; *p = '\0'; p -= 2; k_tm->tm_mday = atoi(p); *(p+2) = c;
+ c = *p; *p = '\0'; p -= 2; k_tm->tm_mon = atoi(p)-1; *(p+2) = c;
+ c = *p; *p = '\0'; p -= 4; k_tm->tm_year = atoi(p)-1900; *(p+4) = c;
+
+ return k_tm;
+ }
+
+
+/* Helper function for kssl_validate_times().
+** We need context->clockskew, but krb5_context is an opaque struct.
+** So we try to sneek the clockskew out through the replay cache.
+** If that fails just return a likely default (300 seconds).
+*/
+krb5_deltat get_rc_clockskew(krb5_context context)
+ {
+ krb5_rcache rc;
+ krb5_deltat clockskew;
+
+ if (krb5_rc_default(context, &rc)) return KSSL_CLOCKSKEW;
+ if (krb5_rc_initialize(context, rc, 0)) return KSSL_CLOCKSKEW;
+ if (krb5_rc_get_lifespan(context, rc, &clockskew)) {
+ clockskew = KSSL_CLOCKSKEW;
+ }
+ (void) krb5_rc_destroy(context, rc);
+ return clockskew;
+ }
+
+
+/* kssl_validate_times() combines (and more importantly exposes)
+** the MIT KRB5 internal function krb5_validate_times() and the
+** in_clock_skew() macro. The authenticator client time is checked
+** to be within clockskew secs of the current time and the current
+** time is checked to be within the ticket start and expire times.
+** Either check may be omitted by supplying a NULL value.
+** Returns 0 for valid times, SSL_R_KRB5* error codes otherwise.
+** See Also: (Kerberos source)/krb5/lib/krb5/krb/valid_times.c
+** 20010420 VRS
+*/
+krb5_error_code kssl_validate_times( krb5_timestamp atime,
+ krb5_ticket_times *ttimes)
+ {
+ krb5_deltat skew;
+ krb5_timestamp start, now;
+ krb5_error_code rc;
+ krb5_context context;
+
+ if ((rc = krb5_init_context(&context))) return SSL_R_KRB5_S_BAD_TICKET;
+ skew = get_rc_clockskew(context);
+ if ((rc = krb5_timeofday(context,&now))) return SSL_R_KRB5_S_BAD_TICKET;
+ krb5_free_context(context);
+
+ if (atime && labs(atime - now) >= skew) return SSL_R_KRB5_S_TKT_SKEW;
+
+ if (! ttimes) return 0;
+
+ start = (ttimes->starttime != 0)? ttimes->starttime: ttimes->authtime;
+ if (start - now > skew) return SSL_R_KRB5_S_TKT_NYV;
+ if ((now - ttimes->endtime) > skew) return SSL_R_KRB5_S_TKT_EXPIRED;
+
+#ifdef KSSL_DEBUG
+ printf("kssl_validate_times: %d |<- | %d - %d | < %d ->| %d\n",
+ start, atime, now, skew, ttimes->endtime);
+#endif /* KSSL_DEBUG */
+
+ return 0;
+ }
+
+
+/* Decode and decrypt given DER-encoded authenticator, then pass
+** authenticator ctime back in *atimep (or 0 if time unavailable).
+** Returns krb5_error_code and kssl_err on error. A NULL
+** authenticator (authentp->length == 0) is not considered an error.
+** Note that kssl_check_authent() makes use of the KRB5 session key;
+** you must call kssl_sget_tkt() to get the key before calling this routine.
+*/
+krb5_error_code kssl_check_authent(
+ /* IN */ KSSL_CTX *kssl_ctx,
+ /* IN */ krb5_data *authentp,
+ /* OUT */ krb5_timestamp *atimep,
+ /* OUT */ KSSL_ERR *kssl_err )
+ {
+ krb5_error_code krb5rc = 0;
+ KRB5_ENCDATA *dec_authent = NULL;
+ KRB5_AUTHENTBODY *auth = NULL;
+ krb5_enctype enctype;
+ EVP_CIPHER_CTX ciph_ctx;
+ const EVP_CIPHER *enc = NULL;
+ unsigned char iv[EVP_MAX_IV_LENGTH];
+ unsigned char *p, *unenc_authent;
+ int outl, unencbufsize;
+ struct tm tm_time, *tm_l, *tm_g;
+ time_t now, tl, tg, tr, tz_offset;
+
+ EVP_CIPHER_CTX_init(&ciph_ctx);
+ *atimep = 0;
+ kssl_err_set(kssl_err, 0, "");
+
+#ifndef KRB5CHECKAUTH
+ authentp = NULL;
+#else
+#if KRB5CHECKAUTH == 0
+ authentp = NULL;
+#endif
+#endif /* KRB5CHECKAUTH */
+
+ if (authentp == NULL || authentp->length == 0) return 0;
+
+#ifdef KSSL_DEBUG
+ {
+ unsigned int ui;
+ printf("kssl_check_authent: authenticator[%d]:\n",authentp->length);
+ p = authentp->data;
+ for (ui=0; ui < authentp->length; ui++) printf("%02x ",p[ui]);
+ printf("\n");
+ }
+#endif /* KSSL_DEBUG */
+
+ unencbufsize = 2 * authentp->length;
+ if ((unenc_authent = calloc(1, unencbufsize)) == NULL)
+ {
+ kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
+ "Unable to allocate authenticator buffer.\n");
+ krb5rc = KRB5KRB_ERR_GENERIC;
+ goto err;
+ }
+
+ p = (unsigned char *)authentp->data;
+ if ((dec_authent = d2i_KRB5_ENCDATA(NULL, &p,
+ (long) authentp->length)) == NULL)
+ {
+ kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
+ "Error decoding authenticator.\n");
+ krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+ goto err;
+ }
+
+ enctype = dec_authent->etype->data[0]; /* should = kssl_ctx->enctype */
+#if !defined(KRB5_MIT_OLD11)
+ switch ( enctype ) {
+ case ENCTYPE_DES3_CBC_SHA1: /* EVP_des_ede3_cbc(); */
+ case ENCTYPE_DES3_CBC_SHA:
+ case ENCTYPE_DES3_CBC_RAW:
+ krb5rc = 0; /* Skip, can't handle derived keys */
+ goto err;
+ }
+#endif
+ enc = kssl_map_enc(enctype);
+ memset(iv, 0, sizeof iv); /* per RFC 1510 */
+
+ if (enc == NULL)
+ {
+ /* Disable kssl_check_authent for ENCTYPE_DES3_CBC_SHA1.
+ ** This enctype indicates the authenticator was encrypted
+ ** using key-usage derived keys which openssl cannot decrypt.
+ */
+ goto err;
+ }
+
+ if (!EVP_CipherInit(&ciph_ctx,enc,kssl_ctx->key,iv,0))
+ {
+ kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
+ "EVP_CipherInit error decrypting authenticator.\n");
+ krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+ goto err;
+ }
+ outl = dec_authent->cipher->length;
+ if (!EVP_Cipher(&ciph_ctx,unenc_authent,dec_authent->cipher->data,outl))
+ {
+ kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
+ "EVP_Cipher error decrypting authenticator.\n");
+ krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+ goto err;
+ }
+ EVP_CIPHER_CTX_cleanup(&ciph_ctx);
+
+#ifdef KSSL_DEBUG
+ printf("kssl_check_authent: decrypted authenticator[%d] =\n", outl);
+ for (padl=0; padl < outl; padl++) printf("%02x ",unenc_authent[padl]);
+ printf("\n");
+#endif /* KSSL_DEBUG */
+
+ if ((p = kssl_skip_confound(enctype, unenc_authent)) == NULL)
+ {
+ kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
+ "confounded by authenticator.\n");
+ krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+ goto err;
+ }
+ outl -= p - unenc_authent;
+
+ if ((auth = (KRB5_AUTHENTBODY *) d2i_KRB5_AUTHENT(NULL, &p,
+ (long) outl))==NULL)
+ {
+ kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
+ "Error decoding authenticator body.\n");
+ krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+ goto err;
+ }
+
+ memset(&tm_time,0,sizeof(struct tm));
+ if (k_gmtime(auth->ctime, &tm_time) &&
+ ((tr = mktime(&tm_time)) != (time_t)(-1)))
+ {
+ now = time(&now);
+ tm_l = localtime(&now); tl = mktime(tm_l);
+ tm_g = gmtime(&now); tg = mktime(tm_g);
+ tz_offset = tg - tl;
+
+ *atimep = tr - tz_offset;
+ }
+
+#ifdef KSSL_DEBUG
+ printf("kssl_check_authent: returns %d for client time ", *atimep);
+ if (auth && auth->ctime && auth->ctime->length && auth->ctime->data)
+ printf("%.*s\n", auth->ctime->length, auth->ctime->data);
+ else printf("NULL\n");
+#endif /* KSSL_DEBUG */
+
+ err:
+ if (auth) KRB5_AUTHENT_free((KRB5_AUTHENT *) auth);
+ if (dec_authent) KRB5_ENCDATA_free(dec_authent);
+ if (unenc_authent) free(unenc_authent);
+ EVP_CIPHER_CTX_cleanup(&ciph_ctx);
+ return krb5rc;
+ }
+
+
+/* Replaces krb5_build_principal_ext(), with varargs length == 2 (svc, host),
+** because I dont't know how to stub varargs.
+** Returns krb5_error_code == ENOMEM on alloc error, otherwise
+** passes back newly constructed principal, which should be freed by caller.
+*/
+krb5_error_code kssl_build_principal_2(
+ /* UPDATE */ krb5_context context,
+ /* OUT */ krb5_principal *princ,
+ /* IN */ int rlen, const char *realm,
+ /* IN */ int slen, const char *svc,
+ /* IN */ int hlen, const char *host)
+ {
+ krb5_data *p_data = NULL;
+ krb5_principal new_p = NULL;
+ char *new_r = NULL;
+
+ if ((p_data = (krb5_data *) calloc(2, sizeof(krb5_data))) == NULL ||
+ (new_p = (krb5_principal) calloc(1, sizeof(krb5_principal_data)))
+ == NULL) goto err;
+ new_p->length = 2;
+ new_p->data = p_data;
+
+ if ((new_r = calloc(1, rlen + 1)) == NULL) goto err;
+ memcpy(new_r, realm, rlen);
+ krb5_princ_set_realm_length(context, new_p, rlen);
+ krb5_princ_set_realm_data(context, new_p, new_r);
+
+ if ((new_p->data[0].data = calloc(1, slen + 1)) == NULL) goto err;
+ memcpy(new_p->data[0].data, svc, slen);
+ new_p->data[0].length = slen;
+
+ if ((new_p->data[1].data = calloc(1, hlen + 1)) == NULL) goto err;
+ memcpy(new_p->data[1].data, host, hlen);
+ new_p->data[1].length = hlen;
+
+ krb5_princ_type(context, new_p) = KRB5_NT_UNKNOWN;
+ *princ = new_p;
+ return 0;
+
+ err:
+ if (new_p && new_p[0].data) free(new_p[0].data);
+ if (new_p && new_p[1].data) free(new_p[1].data);
+ if (new_p) free(new_p);
+ if (new_r) free(new_r);
+ return ENOMEM;
+ }
+
+
+#else /* !OPENSSL_NO_KRB5 */
+
+#if defined(PEDANTIC) || defined(OPENSSL_SYS_VMS)
+static int dummy=(int)&dummy;
+#endif
+
+#endif /* !OPENSSL_NO_KRB5 */
+
diff --git a/crypto/openssl/ssl/kssl.h b/crypto/openssl/ssl/kssl.h
new file mode 100644
index 0000000..cf7ebdd
--- /dev/null
+++ b/crypto/openssl/ssl/kssl.h
@@ -0,0 +1,173 @@
+/* ssl/kssl.h -*- mode: C; c-file-style: "eay" -*- */
+/* Written by Vern Staats <staatsvr@asc.hpc.mil> for the OpenSSL project 2000.
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/*
+** 19990701 VRS Started.
+*/
+
+#ifndef KSSL_H
+#define KSSL_H
+
+#include <openssl/opensslconf.h>
+
+#ifndef OPENSSL_NO_KRB5
+
+#include <stdio.h>
+#include <ctype.h>
+#include <krb5.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+** Depending on which KRB5 implementation used, some types from
+** the other may be missing. Resolve that here and now
+*/
+#ifdef KRB5_HEIMDAL
+typedef unsigned char krb5_octet;
+#define FAR
+#endif
+
+/* Uncomment this to debug kssl problems or
+** to trace usage of the Kerberos session key
+**
+** #define KSSL_DEBUG
+*/
+
+#ifndef KRB5SVC
+#define KRB5SVC "host"
+#endif
+
+#ifndef KRB5KEYTAB
+#define KRB5KEYTAB "/etc/krb5.keytab"
+#endif
+
+#ifndef KRB5SENDAUTH
+#define KRB5SENDAUTH 1
+#endif
+
+#ifndef KRB5CHECKAUTH
+#define KRB5CHECKAUTH 1
+#endif
+
+#ifndef KSSL_CLOCKSKEW
+#define KSSL_CLOCKSKEW 300;
+#endif
+
+#define KSSL_ERR_MAX 255
+typedef struct kssl_err_st {
+ int reason;
+ char text[KSSL_ERR_MAX+1];
+ } KSSL_ERR;
+
+
+/* Context for passing
+** (1) Kerberos session key to SSL, and
+** (2) Config data between application and SSL lib
+*/
+typedef struct kssl_ctx_st
+ {
+ /* used by: disposition: */
+ char *service_name; /* C,S default ok (kssl) */
+ char *service_host; /* C input, REQUIRED */
+ char *client_princ; /* S output from krb5 ticket */
+ char *keytab_file; /* S NULL (/etc/krb5.keytab) */
+ char *cred_cache; /* C NULL (default) */
+ krb5_enctype enctype;
+ int length;
+ krb5_octet FAR *key;
+ } KSSL_CTX;
+
+#define KSSL_CLIENT 1
+#define KSSL_SERVER 2
+#define KSSL_SERVICE 3
+#define KSSL_KEYTAB 4
+
+#define KSSL_CTX_OK 0
+#define KSSL_CTX_ERR 1
+#define KSSL_NOMEM 2
+
+/* Public (for use by applications that use OpenSSL with Kerberos 5 support */
+krb5_error_code kssl_ctx_setstring(KSSL_CTX *kssl_ctx, int which, char *text);
+KSSL_CTX *kssl_ctx_new(void);
+KSSL_CTX *kssl_ctx_free(KSSL_CTX *kssl_ctx);
+void kssl_ctx_show(KSSL_CTX *kssl_ctx);
+krb5_error_code kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which,
+ krb5_data *realm, krb5_data *entity);
+krb5_error_code kssl_cget_tkt(KSSL_CTX *kssl_ctx, krb5_data **enc_tktp,
+ krb5_data *authenp, KSSL_ERR *kssl_err);
+krb5_error_code kssl_sget_tkt(KSSL_CTX *kssl_ctx, krb5_data *indata,
+ krb5_ticket_times *ttimes, KSSL_ERR *kssl_err);
+krb5_error_code kssl_ctx_setkey(KSSL_CTX *kssl_ctx, krb5_keyblock *session);
+void kssl_err_set(KSSL_ERR *kssl_err, int reason, char *text);
+void kssl_krb5_free_data_contents(krb5_context context, krb5_data *data);
+krb5_error_code kssl_build_principal_2(krb5_context context,
+ krb5_principal *princ, int rlen, const char *realm,
+ int slen, const char *svc, int hlen, const char *host);
+krb5_error_code kssl_validate_times(krb5_timestamp atime,
+ krb5_ticket_times *ttimes);
+krb5_error_code kssl_check_authent(KSSL_CTX *kssl_ctx, krb5_data *authentp,
+ krb5_timestamp *atimep, KSSL_ERR *kssl_err);
+unsigned char *kssl_skip_confound(krb5_enctype enctype, unsigned char *authn);
+
+#ifdef __cplusplus
+}
+#endif
+#endif /* OPENSSL_NO_KRB5 */
+#endif /* KSSL_H */
diff --git a/crypto/openssl/ssl/kssl_lcl.h b/crypto/openssl/ssl/kssl_lcl.h
new file mode 100644
index 0000000..4cd8dd2
--- /dev/null
+++ b/crypto/openssl/ssl/kssl_lcl.h
@@ -0,0 +1,87 @@
+/* ssl/kssl.h -*- mode: C; c-file-style: "eay" -*- */
+/* Written by Vern Staats <staatsvr@asc.hpc.mil> for the OpenSSL project 2000.
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef KSSL_LCL_H
+#define KSSL_LCL_H
+
+#include <openssl/kssl.h>
+
+#ifndef OPENSSL_NO_KRB5
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Private (internal to OpenSSL) */
+void print_krb5_data(char *label, krb5_data *kdata);
+void print_krb5_authdata(char *label, krb5_authdata **adata);
+void print_krb5_keyblock(char *label, krb5_keyblock *keyblk);
+
+char *kstring(char *string);
+char *knumber(int len, krb5_octet *contents);
+
+EVP_CIPHER *kssl_map_enc(krb5_enctype enctype);
+
+int kssl_keytab_is_available(KSSL_CTX *kssl_ctx);
+int kssl_tgt_is_available(KSSL_CTX *kssl_ctx);
+
+#ifdef __cplusplus
+}
+#endif
+#endif /* OPENSSL_NO_KRB5 */
+#endif /* KSSL_LCL_H */
diff --git a/crypto/openssl/ssl/s23_clnt.c b/crypto/openssl/ssl/s23_clnt.c
index 2d0eb4a..64ee426 100644
--- a/crypto/openssl/ssl/s23_clnt.c
+++ b/crypto/openssl/ssl/s23_clnt.c
@@ -57,18 +57,18 @@
*/
#include <stdio.h>
+#include "ssl_locl.h"
#include <openssl/buffer.h>
#include <openssl/rand.h>
#include <openssl/objects.h>
#include <openssl/evp.h>
-#include "ssl_locl.h"
static SSL_METHOD *ssl23_get_client_method(int ver);
static int ssl23_client_hello(SSL *s);
static int ssl23_get_server_hello(SSL *s);
static SSL_METHOD *ssl23_get_client_method(int ver)
{
-#ifndef NO_SSL2
+#ifndef OPENSSL_NO_SSL2
if (ver == SSL2_VERSION)
return(SSLv2_client_method());
#endif
@@ -87,20 +87,27 @@ SSL_METHOD *SSLv23_client_method(void)
if (init)
{
- memcpy((char *)&SSLv23_client_data,
- (char *)sslv23_base_method(),sizeof(SSL_METHOD));
- SSLv23_client_data.ssl_connect=ssl23_connect;
- SSLv23_client_data.get_ssl_method=ssl23_get_client_method;
- init=0;
+ CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
+
+ if (init)
+ {
+ memcpy((char *)&SSLv23_client_data,
+ (char *)sslv23_base_method(),sizeof(SSL_METHOD));
+ SSLv23_client_data.ssl_connect=ssl23_connect;
+ SSLv23_client_data.get_ssl_method=ssl23_get_client_method;
+ init=0;
+ }
+
+ CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
}
return(&SSLv23_client_data);
}
int ssl23_connect(SSL *s)
{
- BUF_MEM *buf;
+ BUF_MEM *buf=NULL;
unsigned long Time=time(NULL);
- void (*cb)()=NULL;
+ void (*cb)(const SSL *ssl,int type,int val)=NULL;
int ret= -1;
int new_state,state;
@@ -152,6 +159,7 @@ int ssl23_connect(SSL *s)
goto end;
}
s->init_buf=buf;
+ buf=NULL;
}
if (!ssl3_setup_buffers(s)) { ret= -1; goto end; }
@@ -200,6 +208,8 @@ int ssl23_connect(SSL *s)
}
end:
s->in_handshake--;
+ if (buf != NULL)
+ BUF_MEM_free(buf);
if (cb != NULL)
cb(s,SSL_CB_CONNECT_EXIT,ret);
return(ret);
@@ -211,6 +221,7 @@ static int ssl23_client_hello(SSL *s)
unsigned char *buf;
unsigned char *p,*d;
int i,ch_len;
+ int ret;
buf=(unsigned char *)s->init_buf->data;
if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
@@ -302,7 +313,11 @@ static int ssl23_client_hello(SSL *s)
}
/* SSL3_ST_CW_CLNT_HELLO_B */
- return(ssl23_write_bytes(s));
+ ret = ssl23_write_bytes(s);
+ if (ret >= 2)
+ if (s->msg_callback)
+ s->msg_callback(1, SSL2_VERSION, 0, s->init_buf->data+2, ret-2, s, s->msg_callback_arg); /* CLIENT-HELLO */
+ return ret;
}
static int ssl23_get_server_hello(SSL *s)
@@ -322,7 +337,7 @@ static int ssl23_get_server_hello(SSL *s)
if ((p[0] & 0x80) && (p[2] == SSL2_MT_SERVER_HELLO) &&
(p[5] == 0x00) && (p[6] == 0x02))
{
-#ifdef NO_SSL2
+#ifdef OPENSSL_NO_SSL2
SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
goto err;
#else
@@ -358,7 +373,7 @@ static int ssl23_get_server_hello(SSL *s)
if (s->s3 != NULL) ssl3_free(s);
- if (!BUF_MEM_grow(s->init_buf,
+ if (!BUF_MEM_grow_clean(s->init_buf,
SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER))
{
SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,ERR_R_BUF_LIB);
@@ -435,7 +450,7 @@ static int ssl23_get_server_hello(SSL *s)
(p[3] == 0) &&
(p[4] == 2))
{
- void (*cb)()=NULL;
+ void (*cb)(const SSL *ssl,int type,int val)=NULL;
int j;
/* An alert */
diff --git a/crypto/openssl/ssl/s23_lib.c b/crypto/openssl/ssl/s23_lib.c
index ad2d8da..b70002a 100644
--- a/crypto/openssl/ssl/s23_lib.c
+++ b/crypto/openssl/ssl/s23_lib.c
@@ -111,7 +111,7 @@ SSL_METHOD *sslv23_base_method(void)
static int ssl23_num_ciphers(void)
{
return(ssl3_num_ciphers()
-#ifndef NO_SSL2
+#ifndef OPENSSL_NO_SSL2
+ ssl2_num_ciphers()
#endif
);
@@ -124,7 +124,7 @@ static SSL_CIPHER *ssl23_get_cipher(unsigned int u)
if (u < uu)
return(ssl3_get_cipher(u));
else
-#ifndef NO_SSL2
+#ifndef OPENSSL_NO_SSL2
return(ssl2_get_cipher(u-uu));
#else
return(NULL);
@@ -144,7 +144,7 @@ static SSL_CIPHER *ssl23_get_cipher_by_char(const unsigned char *p)
((unsigned long)p[1]<<8L)|(unsigned long)p[2];
c.id=id;
cp=ssl3_get_cipher_by_char(p);
-#ifndef NO_SSL2
+#ifndef OPENSSL_NO_SSL2
if (cp == NULL)
cp=ssl2_get_cipher_by_char(p);
#endif
diff --git a/crypto/openssl/ssl/s23_meth.c b/crypto/openssl/ssl/s23_meth.c
index 4068431..f207140 100644
--- a/crypto/openssl/ssl/s23_meth.c
+++ b/crypto/openssl/ssl/s23_meth.c
@@ -80,12 +80,19 @@ SSL_METHOD *SSLv23_method(void)
if (init)
{
- memcpy((char *)&SSLv23_data,(char *)sslv23_base_method(),
- sizeof(SSL_METHOD));
- SSLv23_data.ssl_connect=ssl23_connect;
- SSLv23_data.ssl_accept=ssl23_accept;
- SSLv23_data.get_ssl_method=ssl23_get_method;
- init=0;
+ CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
+
+ if (init)
+ {
+ memcpy((char *)&SSLv23_data,(char *)sslv23_base_method(),
+ sizeof(SSL_METHOD));
+ SSLv23_data.ssl_connect=ssl23_connect;
+ SSLv23_data.ssl_accept=ssl23_accept;
+ SSLv23_data.get_ssl_method=ssl23_get_method;
+ init=0;
+ }
+
+ CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
}
return(&SSLv23_data);
}
diff --git a/crypto/openssl/ssl/s23_pkt.c b/crypto/openssl/ssl/s23_pkt.c
index a62599c..4ca6a1b 100644
--- a/crypto/openssl/ssl/s23_pkt.c
+++ b/crypto/openssl/ssl/s23_pkt.c
@@ -55,66 +55,13 @@
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
-/* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
#include <stdio.h>
#include <errno.h>
#define USE_SOCKETS
+#include "ssl_locl.h"
#include <openssl/evp.h>
#include <openssl/buffer.h>
-#include "ssl_locl.h"
int ssl23_write_bytes(SSL *s)
{
diff --git a/crypto/openssl/ssl/s23_srvr.c b/crypto/openssl/ssl/s23_srvr.c
index b40bb01..c5404ca 100644
--- a/crypto/openssl/ssl/s23_srvr.c
+++ b/crypto/openssl/ssl/s23_srvr.c
@@ -110,17 +110,17 @@
*/
#include <stdio.h>
+#include "ssl_locl.h"
#include <openssl/buffer.h>
#include <openssl/rand.h>
#include <openssl/objects.h>
#include <openssl/evp.h>
-#include "ssl_locl.h"
static SSL_METHOD *ssl23_get_server_method(int ver);
int ssl23_get_client_hello(SSL *s);
static SSL_METHOD *ssl23_get_server_method(int ver)
{
-#ifndef NO_SSL2
+#ifndef OPENSSL_NO_SSL2
if (ver == SSL2_VERSION)
return(SSLv2_server_method());
#endif
@@ -139,11 +139,18 @@ SSL_METHOD *SSLv23_server_method(void)
if (init)
{
- memcpy((char *)&SSLv23_server_data,
- (char *)sslv23_base_method(),sizeof(SSL_METHOD));
- SSLv23_server_data.ssl_accept=ssl23_accept;
- SSLv23_server_data.get_ssl_method=ssl23_get_server_method;
- init=0;
+ CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
+
+ if (init)
+ {
+ memcpy((char *)&SSLv23_server_data,
+ (char *)sslv23_base_method(),sizeof(SSL_METHOD));
+ SSLv23_server_data.ssl_accept=ssl23_accept;
+ SSLv23_server_data.get_ssl_method=ssl23_get_server_method;
+ init=0;
+ }
+
+ CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
}
return(&SSLv23_server_data);
}
@@ -152,7 +159,7 @@ int ssl23_accept(SSL *s)
{
BUF_MEM *buf;
unsigned long Time=time(NULL);
- void (*cb)()=NULL;
+ void (*cb)(const SSL *ssl,int type,int val)=NULL;
int ret= -1;
int new_state,state;
@@ -255,13 +262,13 @@ int ssl23_get_client_hello(SSL *s)
* 9/10 client_version /
*/
char *buf= &(buf_space[0]);
- unsigned char *p,*d,*dd;
+ unsigned char *p,*d,*d_len,*dd;
unsigned int i;
unsigned int csl,sil,cl;
int n=0,j;
int type=0;
int v[2];
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
int use_sslv2_strong=0;
#endif
@@ -323,72 +330,6 @@ int ssl23_get_client_hello(SSL *s)
else if (!(s->options & SSL_OP_NO_SSLv2))
type=1;
- if (s->options & SSL_OP_NON_EXPORT_FIRST)
- /* Not only utterly confusing, but broken
- * ('fractured programming'?) -- the details
- * of this block nearly make it work
- * as intended in this environment, but on one
- * of the fine points (w.r.t. restarts) it fails.
- * The obvious fix would be even more devastating
- * to program structure; if you want the functionality,
- * throw this away and implement it in a way
- * that makes sense */
- {
-#if 0
- STACK_OF(SSL_CIPHER) *sk;
- SSL_CIPHER *c;
- int ne2,ne3;
-
- j=((p[0]&0x7f)<<8)|p[1];
- if (j > (1024*4))
- {
- SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_LARGE);
- goto err;
- }
-
- n=ssl23_read_bytes(s,j+2);
- if (n <= 0) return(n);
- p=s->packet;
-
- if ((buf=OPENSSL_malloc(n)) == NULL)
- {
- SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,ERR_R_MALLOC_FAILURE);
- goto err;
- }
- memcpy(buf,p,n);
-
- p+=5;
- n2s(p,csl);
- p+=4;
-
- sk=ssl_bytes_to_cipher_list(
- s,p,csl,NULL);
- if (sk != NULL)
- {
- ne2=ne3=0;
- for (j=0; j<sk_SSL_CIPHER_num(sk); j++)
- {
- c=sk_SSL_CIPHER_value(sk,j);
- if (!SSL_C_IS_EXPORT(c))
- {
- if ((c->id>>24L) == 2L)
- ne2=1;
- else
- ne3=1;
- }
- }
- if (ne2 && !ne3)
- {
- type=1;
- use_sslv2_strong=1;
- goto next_bit;
- }
- }
-#else
- SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_OPTION);
- goto err;
-#endif
- }
}
}
else if ((p[0] == SSL3_RT_HANDSHAKE) &&
@@ -486,7 +427,9 @@ int ssl23_get_client_hello(SSL *s)
j=ssl23_read_bytes(s,n+2);
if (j <= 0) return(j);
- ssl3_finish_mac(s,&(s->packet[2]),s->packet_length-2);
+ ssl3_finish_mac(s, s->packet+2, s->packet_length-2);
+ if (s->msg_callback)
+ s->msg_callback(0, SSL2_VERSION, 0, s->packet+2, s->packet_length-2, s, s->msg_callback_arg); /* CLIENT-HELLO */
p=s->packet;
p+=5;
@@ -500,6 +443,13 @@ int ssl23_get_client_hello(SSL *s)
goto err;
}
+ /* record header: msg_type ... */
+ *(d++) = SSL3_MT_CLIENT_HELLO;
+ /* ... and length (actual value will be written later) */
+ d_len = d;
+ d += 3;
+
+ /* client_version */
*(d++) = SSL3_VERSION_MAJOR; /* == v[0] */
*(d++) = v[1];
@@ -530,7 +480,8 @@ int ssl23_get_client_hello(SSL *s)
*(d++)=1;
*(d++)=0;
- i=(d-(unsigned char *)s->init_buf->data);
+ i = (d-(unsigned char *)s->init_buf->data) - 4;
+ l2n3((long)i, d_len);
/* get the data reused from the init_buf */
s->s3->tmp.reuse_message=1;
@@ -543,7 +494,7 @@ int ssl23_get_client_hello(SSL *s)
if (type == 1)
{
-#ifdef NO_SSL2
+#ifdef OPENSSL_NO_SSL2
SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
goto err;
#else
@@ -561,7 +512,7 @@ int ssl23_get_client_hello(SSL *s)
if (s->s3 != NULL) ssl3_free(s);
- if (!BUF_MEM_grow(s->init_buf,
+ if (!BUF_MEM_grow_clean(s->init_buf,
SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER))
{
goto err;
diff --git a/crypto/openssl/ssl/s2_clnt.c b/crypto/openssl/ssl/s2_clnt.c
index 236b394..c6319bb 100644
--- a/crypto/openssl/ssl/s2_clnt.c
+++ b/crypto/openssl/ssl/s2_clnt.c
@@ -110,7 +110,7 @@
*/
#include "ssl_locl.h"
-#ifndef NO_SSL2
+#ifndef OPENSSL_NO_SSL2
#include <stdio.h>
#include <openssl/rand.h>
#include <openssl/buffer.h>
@@ -145,11 +145,18 @@ SSL_METHOD *SSLv2_client_method(void)
if (init)
{
- memcpy((char *)&SSLv2_client_data,(char *)sslv2_base_method(),
- sizeof(SSL_METHOD));
- SSLv2_client_data.ssl_connect=ssl2_connect;
- SSLv2_client_data.get_ssl_method=ssl2_get_client_method;
- init=0;
+ CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
+
+ if (init)
+ {
+ memcpy((char *)&SSLv2_client_data,(char *)sslv2_base_method(),
+ sizeof(SSL_METHOD));
+ SSLv2_client_data.ssl_connect=ssl2_connect;
+ SSLv2_client_data.get_ssl_method=ssl2_get_client_method;
+ init=0;
+ }
+
+ CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
}
return(&SSLv2_client_data);
}
@@ -159,7 +166,7 @@ int ssl2_connect(SSL *s)
unsigned long l=time(NULL);
BUF_MEM *buf=NULL;
int ret= -1;
- void (*cb)()=NULL;
+ void (*cb)(const SSL *ssl,int type,int val)=NULL;
int new_state,state;
RAND_add(&l,sizeof(l),0);
@@ -201,10 +208,13 @@ int ssl2_connect(SSL *s)
if (!BUF_MEM_grow(buf,
SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER))
{
+ if (buf == s->init_buf)
+ buf=NULL;
ret= -1;
goto end;
}
s->init_buf=buf;
+ buf=NULL;
s->init_num=0;
s->state=SSL2_ST_SEND_CLIENT_HELLO_A;
s->ctx->stats.sess_connect++;
@@ -331,6 +341,8 @@ int ssl2_connect(SSL *s)
}
end:
s->in_handshake--;
+ if (buf != NULL)
+ BUF_MEM_free(buf);
if (cb != NULL)
cb(s,SSL_CB_CONNECT_EXIT,ret);
return(ret);
@@ -342,7 +354,7 @@ static int get_server_hello(SSL *s)
unsigned char *p;
int i,j;
unsigned long len;
- STACK_OF(SSL_CIPHER) *sk=NULL,*cl;
+ STACK_OF(SSL_CIPHER) *sk=NULL,*cl, *prio, *allow;
buf=(unsigned char *)s->init_buf->data;
p=buf;
@@ -392,6 +404,8 @@ static int get_server_hello(SSL *s)
j = (int)len - s->init_num;
i = ssl2_read(s,(char *)&(buf[s->init_num]),j);
if (i != j) return(ssl2_part_read(s,SSL_F_GET_SERVER_HELLO,i));
+ if (s->msg_callback)
+ s->msg_callback(0, s->version, 0, buf, (size_t)len, s, s->msg_callback_arg); /* SERVER-HELLO */
/* things are looking good */
@@ -474,33 +488,49 @@ static int get_server_hello(SSL *s)
sk_SSL_CIPHER_set_cmp_func(sk,ssl_cipher_ptr_id_cmp);
/* get the array of ciphers we will accept */
- cl=ssl_get_ciphers_by_id(s);
-
+ cl=SSL_get_ciphers(s);
+ sk_SSL_CIPHER_set_cmp_func(cl,ssl_cipher_ptr_id_cmp);
+
+ /*
+ * If server preference flag set, choose the first
+ * (highest priority) cipher the server sends, otherwise
+ * client preference has priority.
+ */
+ if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE)
+ {
+ prio = sk;
+ allow = cl;
+ }
+ else
+ {
+ prio = cl;
+ allow = sk;
+ }
/* In theory we could have ciphers sent back that we
* don't want to use but that does not matter since we
* will check against the list we originally sent and
* for performance reasons we should not bother to match
* the two lists up just to check. */
- for (i=0; i<sk_SSL_CIPHER_num(cl); i++)
+ for (i=0; i<sk_SSL_CIPHER_num(prio); i++)
{
- if (sk_SSL_CIPHER_find(sk,
- sk_SSL_CIPHER_value(cl,i)) >= 0)
+ if (sk_SSL_CIPHER_find(allow,
+ sk_SSL_CIPHER_value(prio,i)) >= 0)
break;
}
- if (i >= sk_SSL_CIPHER_num(cl))
+ if (i >= sk_SSL_CIPHER_num(prio))
{
ssl2_return_error(s,SSL2_PE_NO_CIPHER);
SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_NO_CIPHER_MATCH);
return(-1);
}
- s->session->cipher=sk_SSL_CIPHER_value(cl,i);
+ s->session->cipher=sk_SSL_CIPHER_value(prio,i);
if (s->session->peer != NULL) /* can't happen*/
{
ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
- SSLerr(SSL_F_GET_SERVER_HELLO, SSL_R_INTERNAL_ERROR);
+ SSLerr(SSL_F_GET_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
return(-1);
}
@@ -513,7 +543,7 @@ static int get_server_hello(SSL *s)
/* can't happen */
{
ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
- SSLerr(SSL_F_GET_SERVER_HELLO, SSL_R_INTERNAL_ERROR);
+ SSLerr(SSL_F_GET_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
return(-1);
}
@@ -628,7 +658,7 @@ static int client_master_key(SSL *s)
if (i > SSL_MAX_KEY_ARG_LENGTH)
{
ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
- SSLerr(SSL_F_CLIENT_MASTER_KEY, SSL_R_INTERNAL_ERROR);
+ SSLerr(SSL_F_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR);
return -1;
}
if (i > 0) RAND_pseudo_bytes(sess->key_arg,i);
@@ -641,7 +671,7 @@ static int client_master_key(SSL *s)
if (i > sizeof sess->master_key)
{
ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
- SSLerr(SSL_F_CLIENT_MASTER_KEY, SSL_R_INTERNAL_ERROR);
+ SSLerr(SSL_F_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR);
return -1;
}
if (RAND_bytes(sess->master_key,i) <= 0)
@@ -690,7 +720,7 @@ static int client_master_key(SSL *s)
if (karg > sizeof sess->key_arg)
{
ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
- SSLerr(SSL_F_CLIENT_MASTER_KEY, SSL_R_INTERNAL_ERROR);
+ SSLerr(SSL_F_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR);
return -1;
}
memcpy(d,sess->key_arg,(unsigned int)karg);
@@ -715,7 +745,7 @@ static int client_finished(SSL *s)
*(p++)=SSL2_MT_CLIENT_FINISHED;
if (s->s2->conn_id_length > sizeof s->s2->conn_id)
{
- SSLerr(SSL_F_CLIENT_FINISHED, SSL_R_INTERNAL_ERROR);
+ SSLerr(SSL_F_CLIENT_FINISHED, ERR_R_INTERNAL_ERROR);
return -1;
}
memcpy(p,s->s2->conn_id,(unsigned int)s->s2->conn_id_length);
@@ -745,10 +775,12 @@ static int client_certificate(SSL *s)
if (s->state == SSL2_ST_SEND_CLIENT_CERTIFICATE_A)
{
i=ssl2_read(s,(char *)&(buf[s->init_num]),
- SSL2_MAX_CERT_CHALLENGE_LENGTH+1-s->init_num);
- if (i<(SSL2_MIN_CERT_CHALLENGE_LENGTH+1-s->init_num))
+ SSL2_MAX_CERT_CHALLENGE_LENGTH+2-s->init_num);
+ if (i<(SSL2_MIN_CERT_CHALLENGE_LENGTH+2-s->init_num))
return(ssl2_part_read(s,SSL_F_CLIENT_CERTIFICATE,i));
s->init_num += i;
+ if (s->msg_callback)
+ s->msg_callback(0, s->version, 0, buf, (size_t)s->init_num, s, s->msg_callback_arg); /* REQUEST-CERTIFICATE */
/* type=buf[0]; */
/* type eq x509 */
@@ -841,9 +873,10 @@ static int client_certificate(SSL *s)
/* ok, now we calculate the checksum
* do it first so we can reuse buf :-) */
p=buf;
- EVP_SignInit(&ctx,s->ctx->rsa_md5);
+ EVP_MD_CTX_init(&ctx);
+ EVP_SignInit_ex(&ctx,s->ctx->rsa_md5, NULL);
EVP_SignUpdate(&ctx,s->s2->key_material,
- (unsigned int)s->s2->key_material_length);
+ s->s2->key_material_length);
EVP_SignUpdate(&ctx,cert_ch,(unsigned int)cert_ch_len);
n=i2d_X509(s->session->sess_cert->peer_key->x509,&p);
EVP_SignUpdate(&ctx,buf,(unsigned int)n);
@@ -862,7 +895,7 @@ static int client_certificate(SSL *s)
* We will continue with a 0 length signature
*/
}
- memset(&ctx,0,sizeof(ctx));
+ EVP_MD_CTX_cleanup(&ctx);
s2n(n,p);
d+=n;
@@ -897,8 +930,12 @@ static int get_server_verify(SSL *s)
SSL_R_READ_WRONG_PACKET_TYPE);
}
else
- SSLerr(SSL_F_GET_SERVER_VERIFY,
- SSL_R_PEER_ERROR);
+ {
+ SSLerr(SSL_F_GET_SERVER_VERIFY,SSL_R_PEER_ERROR);
+ /* try to read the error message */
+ i=ssl2_read(s,(char *)&(p[s->init_num]),3-s->init_num);
+ return ssl2_part_read(s,SSL_F_GET_SERVER_VERIFY,i);
+ }
return(-1);
}
}
@@ -909,9 +946,11 @@ static int get_server_verify(SSL *s)
i = ssl2_read(s,(char *)&(p[s->init_num]),n);
if (i < n)
return(ssl2_part_read(s,SSL_F_GET_SERVER_VERIFY,i));
+ if (s->msg_callback)
+ s->msg_callback(0, s->version, 0, p, len, s, s->msg_callback_arg); /* SERVER-VERIFY */
p += 1;
- if (memcmp(p,s->s2->challenge,(unsigned int)s->s2->challenge_length) != 0)
+ if (memcmp(p,s->s2->challenge,s->s2->challenge_length) != 0)
{
ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
SSLerr(SSL_F_GET_SERVER_VERIFY,SSL_R_CHALLENGE_IS_DIFFERENT);
@@ -948,7 +987,12 @@ static int get_server_finished(SSL *s)
SSLerr(SSL_F_GET_SERVER_FINISHED,SSL_R_READ_WRONG_PACKET_TYPE);
}
else
+ {
SSLerr(SSL_F_GET_SERVER_FINISHED,SSL_R_PEER_ERROR);
+ /* try to read the error message */
+ i=ssl2_read(s,(char *)&(p[s->init_num]),3-s->init_num);
+ return ssl2_part_read(s,SSL_F_GET_SERVER_VERIFY,i);
+ }
return(-1);
}
s->state=SSL2_ST_GET_SERVER_FINISHED_B;
@@ -960,6 +1004,8 @@ static int get_server_finished(SSL *s)
if (i < n) /* XXX could be shorter than SSL2_SSL_SESSION_ID_LENGTH, that's the maximum */
return(ssl2_part_read(s,SSL_F_GET_SERVER_FINISHED,i));
s->init_num += i;
+ if (s->msg_callback)
+ s->msg_callback(0, s->version, 0, buf, (size_t)s->init_num, s, s->msg_callback_arg); /* SERVER-FINISHED */
if (!s->hit) /* new session */
{
@@ -968,7 +1014,7 @@ static int get_server_finished(SSL *s)
* or bad things can happen */
/* ZZZZZZZZZZZZZ */
s->session->session_id_length=SSL2_SSL_SESSION_ID_LENGTH;
- memcpy(s->session->session_id,p,SSL2_SSL_SESSION_ID_LENGTH);
+ memcpy(s->session->session_id,p+1,SSL2_SSL_SESSION_ID_LENGTH);
}
else
{
@@ -1083,7 +1129,7 @@ end:
EVP_PKEY_free(pkey);
return(i);
}
-#else /* !NO_SSL2 */
+#else /* !OPENSSL_NO_SSL2 */
# if PEDANTIC
static void *dummy=&dummy;
diff --git a/crypto/openssl/ssl/s2_enc.c b/crypto/openssl/ssl/s2_enc.c
index 8e5975c..d3b144f 100644
--- a/crypto/openssl/ssl/s2_enc.c
+++ b/crypto/openssl/ssl/s2_enc.c
@@ -57,8 +57,9 @@
*/
#include "ssl_locl.h"
-#ifndef NO_SSL2
+#ifndef OPENSSL_NO_SSL2
#include <stdio.h>
+#include "cryptlib.h"
int ssl2_enc_init(SSL *s, int client)
{
@@ -95,13 +96,15 @@ int ssl2_enc_init(SSL *s, int client)
num=c->key_len;
s->s2->key_material_length=num*2;
+ OPENSSL_assert(s->s2->key_material_length <= sizeof s->s2->key_material);
if (ssl2_generate_key_material(s) <= 0)
return 0;
- EVP_EncryptInit(ws,c,&(s->s2->key_material[(client)?num:0]),
+ OPENSSL_assert(c->iv_len <= sizeof s->session->key_arg);
+ EVP_EncryptInit_ex(ws,c,NULL,&(s->s2->key_material[(client)?num:0]),
s->session->key_arg);
- EVP_DecryptInit(rs,c,&(s->s2->key_material[(client)?0:num]),
+ EVP_DecryptInit_ex(rs,c,NULL,&(s->s2->key_material[(client)?0:num]),
s->session->key_arg);
s->s2->read_key= &(s->s2->key_material[(client)?0:num]);
s->s2->write_key= &(s->s2->key_material[(client)?num:0]);
@@ -170,16 +173,17 @@ void ssl2_mac(SSL *s, unsigned char *md, int send)
l2n(seq,p);
/* There has to be a MAC algorithm. */
- EVP_DigestInit(&c,s->read_hash);
+ EVP_MD_CTX_init(&c);
+ EVP_DigestInit_ex(&c, s->read_hash, NULL);
EVP_DigestUpdate(&c,sec,
EVP_CIPHER_CTX_key_length(s->enc_read_ctx));
EVP_DigestUpdate(&c,act,len);
/* the above line also does the pad data */
EVP_DigestUpdate(&c,sequence,4);
- EVP_DigestFinal(&c,md,NULL);
- /* some would say I should zero the md context */
+ EVP_DigestFinal_ex(&c,md,NULL);
+ EVP_MD_CTX_cleanup(&c);
}
-#else /* !NO_SSL2 */
+#else /* !OPENSSL_NO_SSL2 */
# if PEDANTIC
static void *dummy=&dummy;
diff --git a/crypto/openssl/ssl/s2_lib.c b/crypto/openssl/ssl/s2_lib.c
index 01d1e97..910b9fe 100644
--- a/crypto/openssl/ssl/s2_lib.c
+++ b/crypto/openssl/ssl/s2_lib.c
@@ -57,10 +57,11 @@
*/
#include "ssl_locl.h"
-#ifndef NO_SSL2
+#ifndef OPENSSL_NO_SSL2
#include <stdio.h>
#include <openssl/rsa.h>
#include <openssl/objects.h>
+#include <openssl/evp.h>
#include <openssl/md5.h>
#include "cryptlib.h"
@@ -307,7 +308,7 @@ void ssl2_free(SSL *s)
s2=s->s2;
if (s2->rbuf != NULL) OPENSSL_free(s2->rbuf);
if (s2->wbuf != NULL) OPENSSL_free(s2->wbuf);
- memset(s2,0,sizeof *s2);
+ OPENSSL_cleanse(s2,sizeof *s2);
OPENSSL_free(s2);
s->s2=NULL;
}
@@ -332,7 +333,7 @@ void ssl2_clear(SSL *s)
s->packet_length=0;
}
-long ssl2_ctrl(SSL *s, int cmd, long larg, char *parg)
+long ssl2_ctrl(SSL *s, int cmd, long larg, void *parg)
{
int ret=0;
@@ -352,7 +353,7 @@ long ssl2_callback_ctrl(SSL *s, int cmd, void (*fp)())
return(0);
}
-long ssl2_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, char *parg)
+long ssl2_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
{
return(0);
}
@@ -376,15 +377,19 @@ SSL_CIPHER *ssl2_get_cipher_by_char(const unsigned char *p)
{
CRYPTO_w_lock(CRYPTO_LOCK_SSL);
- for (i=0; i<SSL2_NUM_CIPHERS; i++)
- sorted[i]= &(ssl2_ciphers[i]);
+ if (init)
+ {
+ for (i=0; i<SSL2_NUM_CIPHERS; i++)
+ sorted[i]= &(ssl2_ciphers[i]);
- qsort( (char *)sorted,
- SSL2_NUM_CIPHERS,sizeof(SSL_CIPHER *),
- FP_ICC ssl_cipher_ptr_id_cmp);
+ qsort((char *)sorted,
+ SSL2_NUM_CIPHERS,sizeof(SSL_CIPHER *),
+ FP_ICC ssl_cipher_ptr_id_cmp);
+ init=0;
+ }
+
CRYPTO_w_unlock(CRYPTO_LOCK_SSL);
- init=0;
}
id=0x02000000L|((unsigned long)p[0]<<16L)|
@@ -418,43 +423,50 @@ int ssl2_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p)
int ssl2_generate_key_material(SSL *s)
{
unsigned int i;
- MD5_CTX ctx;
+ EVP_MD_CTX ctx;
unsigned char *km;
unsigned char c='0';
+ const EVP_MD *md5;
+
+ md5 = EVP_md5();
#ifdef CHARSET_EBCDIC
c = os_toascii['0']; /* Must be an ASCII '0', not EBCDIC '0',
see SSLv2 docu */
#endif
-
+ EVP_MD_CTX_init(&ctx);
km=s->s2->key_material;
- if (s->session->master_key_length < 0 || s->session->master_key_length > sizeof s->session->master_key)
- {
- SSLerr(SSL_F_SSL2_GENERATE_KEY_MATERIAL, SSL_R_INTERNAL_ERROR);
- return 0;
- }
+ if (s->session->master_key_length < 0 || s->session->master_key_length > sizeof s->session->master_key)
+ {
+ SSLerr(SSL_F_SSL2_GENERATE_KEY_MATERIAL, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
- for (i=0; i<s->s2->key_material_length; i+=MD5_DIGEST_LENGTH)
+ for (i=0; i<s->s2->key_material_length; i += EVP_MD_size(md5))
{
- if (((km - s->s2->key_material) + MD5_DIGEST_LENGTH) > sizeof s->s2->key_material)
+ if (((km - s->s2->key_material) + EVP_MD_size(md5)) > sizeof s->s2->key_material)
{
- /* MD5_Final() below would write beyond buffer */
- SSLerr(SSL_F_SSL2_GENERATE_KEY_MATERIAL, SSL_R_INTERNAL_ERROR);
+ /* EVP_DigestFinal_ex() below would write beyond buffer */
+ SSLerr(SSL_F_SSL2_GENERATE_KEY_MATERIAL, ERR_R_INTERNAL_ERROR);
return 0;
}
- MD5_Init(&ctx);
+ EVP_DigestInit_ex(&ctx, md5, NULL);
- MD5_Update(&ctx,s->session->master_key,s->session->master_key_length);
- MD5_Update(&ctx,&c,1);
+ OPENSSL_assert(s->session->master_key_length >= 0
+ && s->session->master_key_length
+ < sizeof s->session->master_key);
+ EVP_DigestUpdate(&ctx,s->session->master_key,s->session->master_key_length);
+ EVP_DigestUpdate(&ctx,&c,1);
c++;
- MD5_Update(&ctx,s->s2->challenge,s->s2->challenge_length);
- MD5_Update(&ctx,s->s2->conn_id,s->s2->conn_id_length);
- MD5_Final(km,&ctx);
- km+=MD5_DIGEST_LENGTH;
+ EVP_DigestUpdate(&ctx,s->s2->challenge,s->s2->challenge_length);
+ EVP_DigestUpdate(&ctx,s->s2->conn_id,s->s2->conn_id_length);
+ EVP_DigestFinal_ex(&ctx,km,NULL);
+ km += EVP_MD_size(md5);
}
+ EVP_MD_CTX_cleanup(&ctx);
return 1;
}
@@ -483,17 +495,21 @@ void ssl2_write_error(SSL *s)
error=s->error; /* number of bytes left to write */
s->error=0;
- if (error < 0 || error > sizeof buf) /* can't happen */
- return;
-
+ OPENSSL_assert(error >= 0 && error <= sizeof buf);
i=ssl2_write(s,&(buf[3-error]),error);
/* if (i == error) s->rwstate=state; */
if (i < 0)
s->error=error;
- else if (i != s->error)
+ else
+ {
s->error=error-i;
+
+ if (s->error == 0)
+ if (s->msg_callback)
+ s->msg_callback(1, s->version, 0, buf, 3, s, s->msg_callback_arg); /* ERROR */
+ }
}
int ssl2_shutdown(SSL *s)
@@ -501,7 +517,7 @@ int ssl2_shutdown(SSL *s)
s->shutdown=(SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
return(1);
}
-#else /* !NO_SSL2 */
+#else /* !OPENSSL_NO_SSL2 */
# if PEDANTIC
static void *dummy=&dummy;
diff --git a/crypto/openssl/ssl/s2_meth.c b/crypto/openssl/ssl/s2_meth.c
index deb9e1d..8b6cbd0 100644
--- a/crypto/openssl/ssl/s2_meth.c
+++ b/crypto/openssl/ssl/s2_meth.c
@@ -57,7 +57,7 @@
*/
#include "ssl_locl.h"
-#ifndef NO_SSL2
+#ifndef OPENSSL_NO_SSL2
#include <stdio.h>
#include <openssl/objects.h>
@@ -77,16 +77,23 @@ SSL_METHOD *SSLv2_method(void)
if (init)
{
- memcpy((char *)&SSLv2_data,(char *)sslv2_base_method(),
- sizeof(SSL_METHOD));
- SSLv2_data.ssl_connect=ssl2_connect;
- SSLv2_data.ssl_accept=ssl2_accept;
- SSLv2_data.get_ssl_method=ssl2_get_method;
- init=0;
+ CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
+
+ if (init)
+ {
+ memcpy((char *)&SSLv2_data,(char *)sslv2_base_method(),
+ sizeof(SSL_METHOD));
+ SSLv2_data.ssl_connect=ssl2_connect;
+ SSLv2_data.ssl_accept=ssl2_accept;
+ SSLv2_data.get_ssl_method=ssl2_get_method;
+ init=0;
+ }
+
+ CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
}
return(&SSLv2_data);
}
-#else /* !NO_SSL2 */
+#else /* !OPENSSL_NO_SSL2 */
# if PEDANTIC
static void *dummy=&dummy;
diff --git a/crypto/openssl/ssl/s2_pkt.c b/crypto/openssl/ssl/s2_pkt.c
index 3cd7597..d82f137 100644
--- a/crypto/openssl/ssl/s2_pkt.c
+++ b/crypto/openssl/ssl/s2_pkt.c
@@ -110,9 +110,10 @@
*/
#include "ssl_locl.h"
-#ifndef NO_SSL2
+#ifndef OPENSSL_NO_SSL2
#include <stdio.h>
#include <errno.h>
+#include "cryptlib.h"
#define USE_SOCKETS
static int read_n(SSL *s,unsigned int n,unsigned int max,unsigned int extend);
@@ -247,6 +248,7 @@ static int ssl2_read_internal(SSL *s, void *buf, int len, int peek)
else
{
mac_size=EVP_MD_size(s->read_hash);
+ OPENSSL_assert(mac_size <= MAX_MAC_SIZE);
s->s2->mac_data=p;
s->s2->ract_data= &p[mac_size];
if (s->s2->padding + mac_size > s->s2->rlength)
@@ -692,6 +694,8 @@ int ssl2_do_write(SSL *s)
ret=ssl2_write(s,&s->init_buf->data[s->init_off],s->init_num);
if (ret == s->init_num)
{
+ if (s->msg_callback)
+ s->msg_callback(1, s->version, 0, s->init_buf->data, (size_t)(s->init_off + s->init_num), s, s->msg_callback_arg);
return(1);
}
if (ret < 0)
@@ -725,7 +729,7 @@ static int ssl_mt_error(int n)
}
return(ret);
}
-#else /* !NO_SSL2 */
+#else /* !OPENSSL_NO_SSL2 */
# if PEDANTIC
static void *dummy=&dummy;
diff --git a/crypto/openssl/ssl/s2_srvr.c b/crypto/openssl/ssl/s2_srvr.c
index d736f68..62859a2 100644
--- a/crypto/openssl/ssl/s2_srvr.c
+++ b/crypto/openssl/ssl/s2_srvr.c
@@ -110,7 +110,7 @@
*/
#include "ssl_locl.h"
-#ifndef NO_SSL2
+#ifndef OPENSSL_NO_SSL2
#include <stdio.h>
#include <openssl/bio.h>
#include <openssl/rand.h>
@@ -145,11 +145,18 @@ SSL_METHOD *SSLv2_server_method(void)
if (init)
{
- memcpy((char *)&SSLv2_server_data,(char *)sslv2_base_method(),
- sizeof(SSL_METHOD));
- SSLv2_server_data.ssl_accept=ssl2_accept;
- SSLv2_server_data.get_ssl_method=ssl2_get_server_method;
- init=0;
+ CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
+
+ if (init)
+ {
+ memcpy((char *)&SSLv2_server_data,(char *)sslv2_base_method(),
+ sizeof(SSL_METHOD));
+ SSLv2_server_data.ssl_accept=ssl2_accept;
+ SSLv2_server_data.get_ssl_method=ssl2_get_server_method;
+ init=0;
+ }
+
+ CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
}
return(&SSLv2_server_data);
}
@@ -160,7 +167,7 @@ int ssl2_accept(SSL *s)
BUF_MEM *buf=NULL;
int ret= -1;
long num1;
- void (*cb)()=NULL;
+ void (*cb)(const SSL *ssl,int type,int val)=NULL;
int new_state,state;
RAND_add(&l,sizeof(l),0);
@@ -430,7 +437,7 @@ static int get_client_master_key(SSL *s)
if (s->init_buf->length < SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)
{
ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
- SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_INTERNAL_ERROR);
+ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR);
return -1;
}
keya=s->session->key_arg_length;
@@ -444,6 +451,8 @@ static int get_client_master_key(SSL *s)
n = (int)len - s->init_num;
i = ssl2_read(s,(char *)&(p[s->init_num]),n);
if (i != n) return(ssl2_part_read(s,SSL_F_GET_CLIENT_MASTER_KEY,i));
+ if (s->msg_callback)
+ s->msg_callback(0, s->version, 0, p, (size_t)len, s, s->msg_callback_arg); /* CLIENT-MASTER-KEY */
p += 10;
memcpy(s->session->key_arg,&(p[s->s2->tmp.clear+s->s2->tmp.enc]),
@@ -518,7 +527,7 @@ static int get_client_master_key(SSL *s)
if (i > SSL_MAX_MASTER_KEY_LENGTH)
{
ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
- SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_INTERNAL_ERROR);
+ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR);
return -1;
}
s->session->master_key_length=i;
@@ -533,6 +542,7 @@ static int get_client_hello(SSL *s)
unsigned char *p;
STACK_OF(SSL_CIPHER) *cs; /* a stack of SSL_CIPHERS */
STACK_OF(SSL_CIPHER) *cl; /* the ones we want to use */
+ STACK_OF(SSL_CIPHER) *prio, *allow;
int z;
/* This is a bit of a hack to check for the correct packet
@@ -589,6 +599,8 @@ static int get_client_hello(SSL *s)
n = (int)len - s->init_num;
i = ssl2_read(s,(char *)&(p[s->init_num]),n);
if (i != n) return(ssl2_part_read(s,SSL_F_GET_CLIENT_HELLO,i));
+ if (s->msg_callback)
+ s->msg_callback(0, s->version, 0, p, (size_t)len, s, s->msg_callback_arg); /* CLIENT-HELLO */
p += 9;
/* get session-id before cipher stuff so we can get out session
@@ -646,21 +658,37 @@ static int get_client_hello(SSL *s)
&s->session->ciphers);
if (cs == NULL) goto mem_err;
- cl=ssl_get_ciphers_by_id(s);
+ cl=SSL_get_ciphers(s);
- for (z=0; z<sk_SSL_CIPHER_num(cs); z++)
+ if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE)
+ {
+ prio=sk_SSL_CIPHER_dup(cl);
+ if (prio == NULL) goto mem_err;
+ allow = cs;
+ }
+ else
+ {
+ prio = cs;
+ allow = cl;
+ }
+ for (z=0; z<sk_SSL_CIPHER_num(prio); z++)
{
- if (sk_SSL_CIPHER_find(cl,sk_SSL_CIPHER_value(cs,z)) < 0)
+ if (sk_SSL_CIPHER_find(allow,sk_SSL_CIPHER_value(prio,z)) < 0)
{
- sk_SSL_CIPHER_delete(cs,z);
+ sk_SSL_CIPHER_delete(prio,z);
z--;
}
}
-
+ if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE)
+ {
+ sk_SSL_CIPHER_free(s->session->ciphers);
+ s->session->ciphers = prio;
+ }
/* s->session->ciphers should now have a list of
* ciphers that are on both the client and server.
* This list is ordered by the order the client sent
- * the ciphers.
+ * the ciphers or in the order of the server's preference
+ * if SSL_OP_CIPHER_SERVER_PREFERENCE was set.
*/
}
p+=s->s2->tmp.cipher_spec_length;
@@ -673,7 +701,7 @@ static int get_client_hello(SSL *s)
if (s->s2->challenge_length > sizeof s->s2->challenge)
{
ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
- SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_INTERNAL_ERROR);
+ SSLerr(SSL_F_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
return -1;
}
memcpy(s->s2->challenge,p,(unsigned int)s->s2->challenge_length);
@@ -820,7 +848,12 @@ static int get_client_finished(SSL *s)
SSLerr(SSL_F_GET_CLIENT_FINISHED,SSL_R_READ_WRONG_PACKET_TYPE);
}
else
+ {
SSLerr(SSL_F_GET_CLIENT_FINISHED,SSL_R_PEER_ERROR);
+ /* try to read the error message */
+ i=ssl2_read(s,(char *)&(p[s->init_num]),3-s->init_num);
+ return ssl2_part_read(s,SSL_F_GET_SERVER_VERIFY,i);
+ }
return(-1);
}
s->state=SSL2_ST_GET_CLIENT_FINISHED_B;
@@ -830,7 +863,7 @@ static int get_client_finished(SSL *s)
if (s->s2->conn_id_length > sizeof s->s2->conn_id)
{
ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
- SSLerr(SSL_F_GET_CLIENT_FINISHED, SSL_R_INTERNAL_ERROR);
+ SSLerr(SSL_F_GET_CLIENT_FINISHED, ERR_R_INTERNAL_ERROR);
return -1;
}
len = 1 + (unsigned long)s->s2->conn_id_length;
@@ -840,8 +873,10 @@ static int get_client_finished(SSL *s)
{
return(ssl2_part_read(s,SSL_F_GET_CLIENT_FINISHED,i));
}
+ if (s->msg_callback)
+ s->msg_callback(0, s->version, 0, p, len, s, s->msg_callback_arg); /* CLIENT-FINISHED */
p += 1;
- if (memcmp(p,s->s2->conn_id,(unsigned int)s->s2->conn_id_length) != 0)
+ if (memcmp(p,s->s2->conn_id,s->s2->conn_id_length) != 0)
{
ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
SSLerr(SSL_F_GET_CLIENT_FINISHED,SSL_R_CONNECTION_ID_IS_DIFFERENT);
@@ -860,7 +895,7 @@ static int server_verify(SSL *s)
*(p++)=SSL2_MT_SERVER_VERIFY;
if (s->s2->challenge_length > sizeof s->s2->challenge)
{
- SSLerr(SSL_F_SERVER_VERIFY, SSL_R_INTERNAL_ERROR);
+ SSLerr(SSL_F_SERVER_VERIFY, ERR_R_INTERNAL_ERROR);
return -1;
}
memcpy(p,s->s2->challenge,(unsigned int)s->s2->challenge_length);
@@ -884,7 +919,7 @@ static int server_finish(SSL *s)
if (s->session->session_id_length > sizeof s->session->session_id)
{
- SSLerr(SSL_F_SERVER_FINISH, SSL_R_INTERNAL_ERROR);
+ SSLerr(SSL_F_SERVER_FINISH, ERR_R_INTERNAL_ERROR);
return -1;
}
memcpy(p,s->session->session_id, (unsigned int)s->session->session_id_length);
@@ -959,6 +994,9 @@ static int request_certificate(SSL *s)
goto end;
}
+ if (s->msg_callback)
+ s->msg_callback(0, s->version, 0, p, 3, s, s->msg_callback_arg); /* ERROR */
+
/* this is the one place where we can recover from an SSL 2.0 error */
if (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
@@ -978,7 +1016,7 @@ static int request_certificate(SSL *s)
}
if (s->init_num != 6)
{
- SSLerr(SSL_F_REQUEST_CERTIFICATE, SSL_R_INTERNAL_ERROR);
+ SSLerr(SSL_F_REQUEST_CERTIFICATE, ERR_R_INTERNAL_ERROR);
goto end;
}
@@ -1001,7 +1039,7 @@ static int request_certificate(SSL *s)
len = 6 + (unsigned long)s->s2->tmp.clen + (unsigned long)s->s2->tmp.rlen;
if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)
{
- SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_MESSAGE_TOO_LONG);
+ SSLerr(SSL_F_REQUEST_CERTIFICATE,SSL_R_MESSAGE_TOO_LONG);
goto end;
}
j = (int)len - s->init_num;
@@ -1011,6 +1049,8 @@ static int request_certificate(SSL *s)
ret=ssl2_part_read(s,SSL_F_REQUEST_CERTIFICATE,i);
goto end;
}
+ if (s->msg_callback)
+ s->msg_callback(0, s->version, 0, p, len, s, s->msg_callback_arg); /* CLIENT-CERTIFICATE */
p += 6;
x509=(X509 *)d2i_X509(NULL,&p,(long)s->s2->tmp.clen);
@@ -1033,9 +1073,10 @@ static int request_certificate(SSL *s)
EVP_MD_CTX ctx;
EVP_PKEY *pkey=NULL;
- EVP_VerifyInit(&ctx,s->ctx->rsa_md5);
+ EVP_MD_CTX_init(&ctx);
+ EVP_VerifyInit_ex(&ctx,s->ctx->rsa_md5, NULL);
EVP_VerifyUpdate(&ctx,s->s2->key_material,
- (unsigned int)s->s2->key_material_length);
+ s->s2->key_material_length);
EVP_VerifyUpdate(&ctx,ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH);
i=i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509,NULL);
@@ -1054,7 +1095,7 @@ static int request_certificate(SSL *s)
if (pkey == NULL) goto end;
i=EVP_VerifyFinal(&ctx,p,s->s2->tmp.rlen,pkey);
EVP_PKEY_free(pkey);
- memset(&ctx,0,sizeof(ctx));
+ EVP_MD_CTX_cleanup(&ctx);
if (i)
{
@@ -1107,7 +1148,7 @@ static int ssl_rsa_private_decrypt(CERT *c, int len, unsigned char *from,
SSLerr(SSL_F_SSL_RSA_PRIVATE_DECRYPT,ERR_R_RSA_LIB);
return(i);
}
-#else /* !NO_SSL2 */
+#else /* !OPENSSL_NO_SSL2 */
# if PEDANTIC
static void *dummy=&dummy;
diff --git a/crypto/openssl/ssl/s3_both.c b/crypto/openssl/ssl/s3_both.c
index beb5628..38a7152 100644
--- a/crypto/openssl/ssl/s3_both.c
+++ b/crypto/openssl/ssl/s3_both.c
@@ -109,16 +109,17 @@
*
*/
+#include <limits.h>
#include <string.h>
#include <stdio.h>
+#include "ssl_locl.h"
#include <openssl/buffer.h>
#include <openssl/rand.h>
#include <openssl/objects.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
-#include "ssl_locl.h"
-/* send s->init_buf in records of type 'type' */
+/* send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or SSL3_RT_CHANGE_CIPHER_SPEC) */
int ssl3_do_write(SSL *s, int type)
{
int ret;
@@ -132,7 +133,11 @@ int ssl3_do_write(SSL *s, int type)
ssl3_finish_mac(s,(unsigned char *)&s->init_buf->data[s->init_off],ret);
if (ret == s->init_num)
+ {
+ if (s->msg_callback)
+ s->msg_callback(1, s->version, type, s->init_buf->data, (size_t)(s->init_off + s->init_num), s, s->msg_callback_arg);
return(1);
+ }
s->init_off+=ret;
s->init_num-=ret;
return(0);
@@ -158,7 +163,7 @@ int ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen)
p+=i;
l=i;
-#ifdef WIN16
+#ifdef OPENSSL_SYS_WIN16
/* MSVC 1.5 does not clear the top bytes of the word unless
* I do this.
*/
@@ -205,7 +210,7 @@ int ssl3_get_finished(SSL *s, int a, int b)
}
s->s3->change_cipher_spec=0;
- p = (unsigned char *)s->init_buf->data;
+ p = (unsigned char *)s->init_msg;
i = s->s3->tmp.peer_finish_md_len;
if (i != n)
@@ -265,19 +270,23 @@ unsigned long ssl3_output_cert_chain(SSL *s, X509 *x)
/* TLSv1 sends a chain with nothing in it, instead of an alert */
buf=s->init_buf;
- if (!BUF_MEM_grow(buf,(int)(10)))
+ if (!BUF_MEM_grow_clean(buf,10))
{
SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_BUF_LIB);
return(0);
}
if (x != NULL)
{
- X509_STORE_CTX_init(&xs_ctx,s->ctx->cert_store,NULL,NULL);
+ if(!X509_STORE_CTX_init(&xs_ctx,s->ctx->cert_store,NULL,NULL))
+ {
+ SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_X509_LIB);
+ return(0);
+ }
for (;;)
{
n=i2d_X509(x,NULL);
- if (!BUF_MEM_grow(buf,(int)(n+l+3)))
+ if (!BUF_MEM_grow_clean(buf,(int)(n+l+3)))
{
SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_BUF_LIB);
return(0);
@@ -307,7 +316,7 @@ unsigned long ssl3_output_cert_chain(SSL *s, X509 *x)
{
x=sk_X509_value(s->ctx->extra_certs,i);
n=i2d_X509(x,NULL);
- if (!BUF_MEM_grow(buf,(int)(n+l+3)))
+ if (!BUF_MEM_grow_clean(buf,(int)(n+l+3)))
{
SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_BUF_LIB);
return(0);
@@ -351,7 +360,9 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
goto f_err;
}
*ok=1;
- return((int)s->s3->tmp.message_size);
+ s->init_msg = s->init_buf->data + 4;
+ s->init_num = (int)s->s3->tmp.message_size;
+ return s->init_num;
}
p=(unsigned char *)s->init_buf->data;
@@ -386,8 +397,10 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
{
s->init_num = 0;
skip_message = 1;
+
+ if (s->msg_callback)
+ s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, p, 4, s, s->msg_callback_arg);
}
-
}
while (skip_message);
@@ -411,8 +424,6 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
ssl3_init_finished_mac(s);
}
- ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, 4);
-
s->s3->tmp.message_type= *(p++);
n2l3(p,l);
@@ -422,7 +433,13 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
SSLerr(SSL_F_SSL3_GET_MESSAGE,SSL_R_EXCESSIVE_MESSAGE_SIZE);
goto f_err;
}
- if (l && !BUF_MEM_grow(s->init_buf,(int)l))
+ if (l > (INT_MAX-4)) /* BUF_MEM_grow takes an 'int' parameter */
+ {
+ al=SSL_AD_ILLEGAL_PARAMETER;
+ SSLerr(SSL_F_SSL3_GET_MESSAGE,SSL_R_EXCESSIVE_MESSAGE_SIZE);
+ goto f_err;
+ }
+ if (l && !BUF_MEM_grow_clean(s->init_buf,(int)l+4))
{
SSLerr(SSL_F_SSL3_GET_MESSAGE,ERR_R_BUF_LIB);
goto err;
@@ -430,13 +447,13 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
s->s3->tmp.message_size=l;
s->state=stn;
- s->init_num=0;
+ s->init_msg = s->init_buf->data + 4;
+ s->init_num = 0;
}
/* next state (stn) */
- p=(unsigned char *)s->init_buf->data;
- n=s->s3->tmp.message_size;
- n -= s->init_num;
+ p = s->init_msg;
+ n = s->s3->tmp.message_size - s->init_num;
while (n > 0)
{
i=ssl3_read_bytes(s,SSL3_RT_HANDSHAKE,&p[s->init_num],n,0);
@@ -449,7 +466,9 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
s->init_num += i;
n -= i;
}
- ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, s->init_num);
+ ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, s->init_num + 4);
+ if (s->msg_callback)
+ s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data, (size_t)s->init_num + 4, s, s->msg_callback_arg);
*ok=1;
return s->init_num;
f_err:
@@ -517,6 +536,7 @@ int ssl_verify_alarm_type(long type)
{
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
case X509_V_ERR_UNABLE_TO_GET_CRL:
+ case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER:
al=SSL_AD_UNKNOWN_CA;
break;
case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
@@ -584,7 +604,7 @@ int ssl3_setup_buffers(SSL *s)
if ((p=OPENSSL_malloc(len)) == NULL)
goto err;
s->s3->rbuf.buf = p;
- s->s3->rbuf_len = len;
+ s->s3->rbuf.len = len;
}
if (s->s3->wbuf.buf == NULL)
@@ -594,7 +614,7 @@ int ssl3_setup_buffers(SSL *s)
if ((p=OPENSSL_malloc(len)) == NULL)
goto err;
s->s3->wbuf.buf = p;
- s->s3->wbuf_len = len;
+ s->s3->wbuf.len = len;
}
s->packet= &(s->s3->rbuf.buf[0]);
return(1);
diff --git a/crypto/openssl/ssl/s3_clnt.c b/crypto/openssl/ssl/s3_clnt.c
index 32b9cea..fae8ead 100644
--- a/crypto/openssl/ssl/s3_clnt.c
+++ b/crypto/openssl/ssl/s3_clnt.c
@@ -110,13 +110,13 @@
*/
#include <stdio.h>
+#include "ssl_locl.h"
+#include "kssl_lcl.h"
#include <openssl/buffer.h>
#include <openssl/rand.h>
#include <openssl/objects.h>
-#include <openssl/md5.h>
-#include <openssl/sha.h>
#include <openssl/evp.h>
-#include "ssl_locl.h"
+#include <openssl/md5.h>
#include "cryptlib.h"
static SSL_METHOD *ssl3_get_client_method(int ver);
@@ -146,21 +146,28 @@ SSL_METHOD *SSLv3_client_method(void)
if (init)
{
- init=0;
- memcpy((char *)&SSLv3_client_data,(char *)sslv3_base_method(),
- sizeof(SSL_METHOD));
- SSLv3_client_data.ssl_connect=ssl3_connect;
- SSLv3_client_data.get_ssl_method=ssl3_get_client_method;
+ CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
+
+ if (init)
+ {
+ memcpy((char *)&SSLv3_client_data,(char *)sslv3_base_method(),
+ sizeof(SSL_METHOD));
+ SSLv3_client_data.ssl_connect=ssl3_connect;
+ SSLv3_client_data.get_ssl_method=ssl3_get_client_method;
+ init=0;
+ }
+
+ CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
}
return(&SSLv3_client_data);
}
int ssl3_connect(SSL *s)
{
- BUF_MEM *buf;
+ BUF_MEM *buf=NULL;
unsigned long Time=time(NULL),l;
long num1;
- void (*cb)()=NULL;
+ void (*cb)(const SSL *ssl,int type,int val)=NULL;
int ret= -1;
int new_state,state,skip=0;;
@@ -197,7 +204,7 @@ int ssl3_connect(SSL *s)
if ((s->version & 0xff00 ) != 0x0300)
{
- SSLerr(SSL_F_SSL3_CONNECT, SSL_R_INTERNAL_ERROR);
+ SSLerr(SSL_F_SSL3_CONNECT, ERR_R_INTERNAL_ERROR);
ret = -1;
goto end;
}
@@ -218,6 +225,7 @@ int ssl3_connect(SSL *s)
goto end;
}
s->init_buf=buf;
+ buf=NULL;
}
if (!ssl3_setup_buffers(s)) { ret= -1; goto end; }
@@ -496,6 +504,8 @@ int ssl3_connect(SSL *s)
}
end:
s->in_handshake--;
+ if (buf != NULL)
+ BUF_MEM_free(buf);
if (cb != NULL)
cb(s,SSL_CB_CONNECT_EXIT,ret);
return(ret);
@@ -548,7 +558,7 @@ static int ssl3_client_hello(SSL *s)
{
if (i > sizeof s->session->session_id)
{
- SSLerr(SSL_F_SSL3_CLIENT_HELLO, SSL_R_INTERNAL_ERROR);
+ SSLerr(SSL_F_SSL3_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
goto err;
}
memcpy(p,s->session->session_id,i);
@@ -613,7 +623,7 @@ static int ssl3_get_server_hello(SSL *s)
&ok);
if (!ok) return((int)n);
- d=p=(unsigned char *)s->init_buf->data;
+ d=p=(unsigned char *)s->init_msg;
if ((p[0] != (s->version>>8)) || (p[1] != (s->version&0xff)))
{
@@ -632,30 +642,20 @@ static int ssl3_get_server_hello(SSL *s)
/* get the session-id */
j= *(p++);
- if(j > sizeof s->session->session_id)
- {
- al=SSL_AD_ILLEGAL_PARAMETER;
- SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
- SSL_R_SSL3_SESSION_ID_TOO_LONG);
- goto f_err;
- }
-
- if ((j != 0) && (j != SSL3_SESSION_ID_SIZE))
+ if ((j > sizeof s->session->session_id) || (j > SSL3_SESSION_ID_SIZE))
{
- /* SSLref returns 16 :-( */
- if (j < SSL2_SSL_SESSION_ID_LENGTH)
- {
- al=SSL_AD_ILLEGAL_PARAMETER;
- SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_SHORT);
- goto f_err;
- }
+ al=SSL_AD_ILLEGAL_PARAMETER;
+ SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_LONG);
+ goto f_err;
}
+
if (j != 0 && j == s->session->session_id_length
&& memcmp(p,s->session->session_id,j) == 0)
{
if(s->sid_ctx_length != s->session->sid_ctx_length
|| memcmp(s->session->sid_ctx,s->sid_ctx,s->sid_ctx_length))
{
+ /* actually a client application bug */
al=SSL_AD_ILLEGAL_PARAMETER;
SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
goto f_err;
@@ -699,7 +699,12 @@ static int ssl3_get_server_hello(SSL *s)
goto f_err;
}
- if (s->hit && (s->session->cipher != c))
+ /* Depending on the session caching (internal/external), the cipher
+ and/or cipher_id values may not be set. Make sure that
+ cipher_id is set and use it for comparison. */
+ if (s->session->cipher)
+ s->session->cipher_id = s->session->cipher->id;
+ if (s->hit && (s->session->cipher_id != c->id))
{
if (!(s->options &
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG))
@@ -754,16 +759,13 @@ static int ssl3_get_server_certificate(SSL *s)
STACK_OF(X509) *sk=NULL;
SESS_CERT *sc;
EVP_PKEY *pkey=NULL;
+ int need_cert = 1; /* VRS: 0=> will allow null cert if auth == KRB5 */
n=ssl3_get_message(s,
SSL3_ST_CR_CERT_A,
SSL3_ST_CR_CERT_B,
-1,
-#if defined(MSDOS) && !defined(WIN32)
- 1024*30, /* 30k max cert list :-) */
-#else
- 1024*100, /* 100k max cert list :-) */
-#endif
+ s->max_cert_list,
&ok);
if (!ok) return((int)n);
@@ -780,7 +782,7 @@ static int ssl3_get_server_certificate(SSL *s)
SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_BAD_MESSAGE_TYPE);
goto f_err;
}
- d=p=(unsigned char *)s->init_buf->data;
+ d=p=(unsigned char *)s->init_msg;
if ((sk=sk_X509_new_null()) == NULL)
{
@@ -830,7 +832,12 @@ static int ssl3_get_server_certificate(SSL *s)
}
i=ssl_verify_cert_chain(s,sk);
- if ((s->verify_mode != SSL_VERIFY_NONE) && (!i))
+ if ((s->verify_mode != SSL_VERIFY_NONE) && (!i)
+#ifndef OPENSSL_NO_KRB5
+ && (s->s3->tmp.new_cipher->algorithms & (SSL_MKEY_MASK|SSL_AUTH_MASK))
+ != (SSL_aKRB5|SSL_kKRB5)
+#endif /* OPENSSL_NO_KRB5 */
+ )
{
al=ssl_verify_alarm_type(s->verify_result);
SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED);
@@ -849,39 +856,66 @@ static int ssl3_get_server_certificate(SSL *s)
* certificate, which we don't include in s3_srvr.c */
x=sk_X509_value(sk,0);
sk=NULL;
+ /* VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end*/
pkey=X509_get_pubkey(x);
- if ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey))
+ /* VRS: allow null cert if auth == KRB5 */
+ need_cert = ((s->s3->tmp.new_cipher->algorithms
+ & (SSL_MKEY_MASK|SSL_AUTH_MASK))
+ == (SSL_aKRB5|SSL_kKRB5))? 0: 1;
+
+#ifdef KSSL_DEBUG
+ printf("pkey,x = %p, %p\n", pkey,x);
+ printf("ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x,pkey));
+ printf("cipher, alg, nc = %s, %lx, %d\n", s->s3->tmp.new_cipher->name,
+ s->s3->tmp.new_cipher->algorithms, need_cert);
+#endif /* KSSL_DEBUG */
+
+ if (need_cert && ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey)))
{
x=NULL;
al=SSL3_AL_FATAL;
- SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS);
+ SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
+ SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS);
goto f_err;
}
i=ssl_cert_type(x,pkey);
- if (i < 0)
+ if (need_cert && i < 0)
{
x=NULL;
al=SSL3_AL_FATAL;
- SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_UNKNOWN_CERTIFICATE_TYPE);
+ SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
+ SSL_R_UNKNOWN_CERTIFICATE_TYPE);
goto f_err;
}
- sc->peer_cert_type=i;
- CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
- if (sc->peer_pkeys[i].x509 != NULL) /* Why would this ever happen?
- * We just created sc a couple of
- * lines ago. */
- X509_free(sc->peer_pkeys[i].x509);
- sc->peer_pkeys[i].x509=x;
- sc->peer_key= &(sc->peer_pkeys[i]);
-
- if (s->session->peer != NULL)
- X509_free(s->session->peer);
- CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
- s->session->peer=x;
+ if (need_cert)
+ {
+ sc->peer_cert_type=i;
+ CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
+ /* Why would the following ever happen?
+ * We just created sc a couple of lines ago. */
+ if (sc->peer_pkeys[i].x509 != NULL)
+ X509_free(sc->peer_pkeys[i].x509);
+ sc->peer_pkeys[i].x509=x;
+ sc->peer_key= &(sc->peer_pkeys[i]);
+
+ if (s->session->peer != NULL)
+ X509_free(s->session->peer);
+ CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
+ s->session->peer=x;
+ }
+ else
+ {
+ sc->peer_cert_type=i;
+ sc->peer_key= NULL;
+
+ if (s->session->peer != NULL)
+ X509_free(s->session->peer);
+ s->session->peer=NULL;
+ }
s->session->verify_result = s->verify_result;
x=NULL;
@@ -901,7 +935,7 @@ err:
static int ssl3_get_key_exchange(SSL *s)
{
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
unsigned char *q,md_buf[EVP_MAX_MD_SIZE*2];
#endif
EVP_MD_CTX md_ctx;
@@ -909,10 +943,10 @@ static int ssl3_get_key_exchange(SSL *s)
int al,i,j,param_len,ok;
long n,alg;
EVP_PKEY *pkey=NULL;
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
RSA *rsa=NULL;
#endif
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
DH *dh=NULL;
#endif
@@ -922,11 +956,7 @@ static int ssl3_get_key_exchange(SSL *s)
SSL3_ST_CR_KEY_EXCH_A,
SSL3_ST_CR_KEY_EXCH_B,
-1,
-#if defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN32)
- 1024*30, /* 30k max cert list :-) */
-#else
- 1024*100, /* 100k max cert list :-) */
-#endif
+ s->max_cert_list,
&ok);
if (!ok) return((int)n);
@@ -937,18 +967,18 @@ static int ssl3_get_key_exchange(SSL *s)
return(1);
}
- param=p=(unsigned char *)s->init_buf->data;
+ param=p=(unsigned char *)s->init_msg;
if (s->session->sess_cert != NULL)
{
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
if (s->session->sess_cert->peer_rsa_tmp != NULL)
{
RSA_free(s->session->sess_cert->peer_rsa_tmp);
s->session->sess_cert->peer_rsa_tmp=NULL;
}
#endif
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
if (s->session->sess_cert->peer_dh_tmp)
{
DH_free(s->session->sess_cert->peer_dh_tmp);
@@ -963,8 +993,9 @@ static int ssl3_get_key_exchange(SSL *s)
param_len=0;
alg=s->s3->tmp.new_cipher->algorithms;
+ EVP_MD_CTX_init(&md_ctx);
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
if (alg & SSL_kRSA)
{
if ((rsa=RSA_new()) == NULL)
@@ -1008,17 +1039,17 @@ static int ssl3_get_key_exchange(SSL *s)
pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
else
{
- SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_INTERNAL_ERROR);
+ SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
goto err;
}
s->session->sess_cert->peer_rsa_tmp=rsa;
rsa=NULL;
}
-#else /* NO_RSA */
+#else /* OPENSSL_NO_RSA */
if (0)
;
#endif
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
else if (alg & SSL_kEDH)
{
if ((dh=DH_new()) == NULL)
@@ -1072,14 +1103,14 @@ static int ssl3_get_key_exchange(SSL *s)
p+=i;
n-=param_len;
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
if (alg & SSL_aRSA)
pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
#else
if (0)
;
#endif
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
else if (alg & SSL_aDSS)
pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509);
#endif
@@ -1094,7 +1125,7 @@ static int ssl3_get_key_exchange(SSL *s)
SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER);
goto f_err;
}
-#endif /* !NO_DH */
+#endif /* !OPENSSL_NO_DH */
if (alg & SSL_aFZA)
{
al=SSL_AD_HANDSHAKE_FAILURE;
@@ -1121,7 +1152,7 @@ static int ssl3_get_key_exchange(SSL *s)
goto f_err;
}
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
if (pkey->type == EVP_PKEY_RSA)
{
int num;
@@ -1130,12 +1161,12 @@ static int ssl3_get_key_exchange(SSL *s)
q=md_buf;
for (num=2; num > 0; num--)
{
- EVP_DigestInit(&md_ctx,(num == 2)
- ?s->ctx->md5:s->ctx->sha1);
+ EVP_DigestInit_ex(&md_ctx,(num == 2)
+ ?s->ctx->md5:s->ctx->sha1, NULL);
EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
EVP_DigestUpdate(&md_ctx,param,param_len);
- EVP_DigestFinal(&md_ctx,q,(unsigned int *)&i);
+ EVP_DigestFinal_ex(&md_ctx,q,(unsigned int *)&i);
q+=i;
j+=i;
}
@@ -1157,11 +1188,11 @@ static int ssl3_get_key_exchange(SSL *s)
}
else
#endif
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
if (pkey->type == EVP_PKEY_DSA)
{
/* lets do DSS */
- EVP_VerifyInit(&md_ctx,EVP_dss1());
+ EVP_VerifyInit_ex(&md_ctx,EVP_dss1(), NULL);
EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
EVP_VerifyUpdate(&md_ctx,param,param_len);
@@ -1176,7 +1207,7 @@ static int ssl3_get_key_exchange(SSL *s)
else
#endif
{
- SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_INTERNAL_ERROR);
+ SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
goto err;
}
}
@@ -1185,7 +1216,7 @@ static int ssl3_get_key_exchange(SSL *s)
/* still data left over */
if (!(alg & SSL_aNULL))
{
- SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_INTERNAL_ERROR);
+ SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
goto err;
}
if (n != 0)
@@ -1196,19 +1227,21 @@ static int ssl3_get_key_exchange(SSL *s)
}
}
EVP_PKEY_free(pkey);
+ EVP_MD_CTX_cleanup(&md_ctx);
return(1);
f_err:
ssl3_send_alert(s,SSL3_AL_FATAL,al);
err:
EVP_PKEY_free(pkey);
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
if (rsa != NULL)
RSA_free(rsa);
#endif
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
if (dh != NULL)
DH_free(dh);
#endif
+ EVP_MD_CTX_cleanup(&md_ctx);
return(-1);
}
@@ -1225,11 +1258,7 @@ static int ssl3_get_certificate_request(SSL *s)
SSL3_ST_CR_CERT_REQ_A,
SSL3_ST_CR_CERT_REQ_B,
-1,
-#if defined(MSDOS) && !defined(WIN32)
- 1024*30, /* 30k max cert list :-) */
-#else
- 1024*100, /* 100k max cert list :-) */
-#endif
+ s->max_cert_list,
&ok);
if (!ok) return((int)n);
@@ -1261,7 +1290,7 @@ static int ssl3_get_certificate_request(SSL *s)
}
}
- d=p=(unsigned char *)s->init_buf->data;
+ d=p=(unsigned char *)s->init_msg;
if ((ca_sk=sk_X509_NAME_new(ca_dn_cmp)) == NULL)
{
@@ -1392,10 +1421,13 @@ static int ssl3_send_client_key_exchange(SSL *s)
unsigned char *p,*d;
int n;
unsigned long l;
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
unsigned char *q;
EVP_PKEY *pkey=NULL;
#endif
+#ifndef OPENSSL_NO_KRB5
+ KSSL_ERR kssl_err;
+#endif /* OPENSSL_NO_KRB5 */
if (s->state == SSL3_ST_CW_KEY_EXCH_A)
{
@@ -1404,8 +1436,10 @@ static int ssl3_send_client_key_exchange(SSL *s)
l=s->s3->tmp.new_cipher->algorithms;
-#ifndef NO_RSA
- if (l & SSL_kRSA)
+ /* Fool emacs indentation */
+ if (0) {}
+#ifndef OPENSSL_NO_RSA
+ else if (l & SSL_kRSA)
{
RSA *rsa;
unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
@@ -1419,7 +1453,7 @@ static int ssl3_send_client_key_exchange(SSL *s)
(pkey->type != EVP_PKEY_RSA) ||
(pkey->pkey.rsa == NULL))
{
- SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_INTERNAL_ERROR);
+ SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
goto err;
}
rsa=pkey->pkey.rsa;
@@ -1428,16 +1462,16 @@ static int ssl3_send_client_key_exchange(SSL *s)
tmp_buf[0]=s->client_version>>8;
tmp_buf[1]=s->client_version&0xff;
- if (RAND_bytes(&(tmp_buf[2]),SSL_MAX_MASTER_KEY_LENGTH-2) <= 0)
+ if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0)
goto err;
- s->session->master_key_length=SSL_MAX_MASTER_KEY_LENGTH;
+ s->session->master_key_length=sizeof tmp_buf;
q=p;
/* Fix buf for TLS and beyond */
if (s->version > SSL3_VERSION)
p+=2;
- n=RSA_public_encrypt(SSL_MAX_MASTER_KEY_LENGTH,
+ n=RSA_public_encrypt(sizeof tmp_buf,
tmp_buf,p,rsa,RSA_PKCS1_PADDING);
#ifdef PKCS1_CHECK
if (s->options & SSL_OP_PKCS1_CHECK_1) p[1]++;
@@ -1459,13 +1493,144 @@ static int ssl3_send_client_key_exchange(SSL *s)
s->session->master_key_length=
s->method->ssl3_enc->generate_master_secret(s,
s->session->master_key,
- tmp_buf,SSL_MAX_MASTER_KEY_LENGTH);
- memset(tmp_buf,0,SSL_MAX_MASTER_KEY_LENGTH);
+ tmp_buf,sizeof tmp_buf);
+ OPENSSL_cleanse(tmp_buf,sizeof tmp_buf);
}
- else
#endif
-#ifndef NO_DH
- if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
+#ifndef OPENSSL_NO_KRB5
+ else if (l & SSL_kKRB5)
+ {
+ krb5_error_code krb5rc;
+ KSSL_CTX *kssl_ctx = s->kssl_ctx;
+ /* krb5_data krb5_ap_req; */
+ krb5_data *enc_ticket;
+ krb5_data authenticator, *authp = NULL;
+ EVP_CIPHER_CTX ciph_ctx;
+ EVP_CIPHER *enc = NULL;
+ unsigned char iv[EVP_MAX_IV_LENGTH];
+ unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
+ unsigned char epms[SSL_MAX_MASTER_KEY_LENGTH
+ + EVP_MAX_IV_LENGTH];
+ int padl, outl = sizeof(epms);
+
+ EVP_CIPHER_CTX_init(&ciph_ctx);
+
+#ifdef KSSL_DEBUG
+ printf("ssl3_send_client_key_exchange(%lx & %lx)\n",
+ l, SSL_kKRB5);
+#endif /* KSSL_DEBUG */
+
+ authp = NULL;
+#ifdef KRB5SENDAUTH
+ if (KRB5SENDAUTH) authp = &authenticator;
+#endif /* KRB5SENDAUTH */
+
+ krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket, authp,
+ &kssl_err);
+ enc = kssl_map_enc(kssl_ctx->enctype);
+ if (enc == NULL)
+ goto err;
+#ifdef KSSL_DEBUG
+ {
+ printf("kssl_cget_tkt rtn %d\n", krb5rc);
+ if (krb5rc && kssl_err.text)
+ printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text);
+ }
+#endif /* KSSL_DEBUG */
+
+ if (krb5rc)
+ {
+ ssl3_send_alert(s,SSL3_AL_FATAL,
+ SSL_AD_HANDSHAKE_FAILURE);
+ SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
+ kssl_err.reason);
+ goto err;
+ }
+
+ /* 20010406 VRS - Earlier versions used KRB5 AP_REQ
+ ** in place of RFC 2712 KerberosWrapper, as in:
+ **
+ ** Send ticket (copy to *p, set n = length)
+ ** n = krb5_ap_req.length;
+ ** memcpy(p, krb5_ap_req.data, krb5_ap_req.length);
+ ** if (krb5_ap_req.data)
+ ** kssl_krb5_free_data_contents(NULL,&krb5_ap_req);
+ **
+ ** Now using real RFC 2712 KerberosWrapper
+ ** (Thanks to Simon Wilkinson <sxw@sxw.org.uk>)
+ ** Note: 2712 "opaque" types are here replaced
+ ** with a 2-byte length followed by the value.
+ ** Example:
+ ** KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms
+ ** Where "xx xx" = length bytes. Shown here with
+ ** optional authenticator omitted.
+ */
+
+ /* KerberosWrapper.Ticket */
+ s2n(enc_ticket->length,p);
+ memcpy(p, enc_ticket->data, enc_ticket->length);
+ p+= enc_ticket->length;
+ n = enc_ticket->length + 2;
+
+ /* KerberosWrapper.Authenticator */
+ if (authp && authp->length)
+ {
+ s2n(authp->length,p);
+ memcpy(p, authp->data, authp->length);
+ p+= authp->length;
+ n+= authp->length + 2;
+
+ free(authp->data);
+ authp->data = NULL;
+ authp->length = 0;
+ }
+ else
+ {
+ s2n(0,p);/* null authenticator length */
+ n+=2;
+ }
+
+ if (RAND_bytes(tmp_buf,sizeof tmp_buf) <= 0)
+ goto err;
+
+ /* 20010420 VRS. Tried it this way; failed.
+ ** EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL);
+ ** EVP_CIPHER_CTX_set_key_length(&ciph_ctx,
+ ** kssl_ctx->length);
+ ** EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv);
+ */
+
+ memset(iv, 0, sizeof iv); /* per RFC 1510 */
+ EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,
+ kssl_ctx->key,iv);
+ EVP_EncryptUpdate(&ciph_ctx,epms,&outl,tmp_buf,
+ sizeof tmp_buf);
+ EVP_EncryptFinal_ex(&ciph_ctx,&(epms[outl]),&padl);
+ outl += padl;
+ if (outl > sizeof epms)
+ {
+ SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
+ EVP_CIPHER_CTX_cleanup(&ciph_ctx);
+
+ /* KerberosWrapper.EncryptedPreMasterSecret */
+ s2n(outl,p);
+ memcpy(p, epms, outl);
+ p+=outl;
+ n+=outl + 2;
+
+ s->session->master_key_length=
+ s->method->ssl3_enc->generate_master_secret(s,
+ s->session->master_key,
+ tmp_buf, sizeof tmp_buf);
+
+ OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
+ OPENSSL_cleanse(epms, outl);
+ }
+#endif
+#ifndef OPENSSL_NO_DH
+ else if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
{
DH *dh_srvr,*dh_clnt;
@@ -1519,11 +1684,11 @@ static int ssl3_send_client_key_exchange(SSL *s)
/* perhaps clean things up a bit EAY EAY EAY EAY*/
}
- else
#endif
+ else
{
ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
- SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_INTERNAL_ERROR);
+ SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
goto err;
}
@@ -1547,11 +1712,11 @@ static int ssl3_send_client_verify(SSL *s)
unsigned char *p,*d;
unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
EVP_PKEY *pkey;
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
unsigned u=0;
#endif
unsigned long n;
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
int j;
#endif
@@ -1564,7 +1729,7 @@ static int ssl3_send_client_verify(SSL *s)
s->method->ssl3_enc->cert_verify_mac(s,&(s->s3->finish_dgst2),
&(data[MD5_DIGEST_LENGTH]));
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
if (pkey->type == EVP_PKEY_RSA)
{
s->method->ssl3_enc->cert_verify_mac(s,
@@ -1581,7 +1746,7 @@ static int ssl3_send_client_verify(SSL *s)
}
else
#endif
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
if (pkey->type == EVP_PKEY_DSA)
{
if (!DSA_sign(pkey->save_type,
@@ -1598,7 +1763,7 @@ static int ssl3_send_client_verify(SSL *s)
else
#endif
{
- SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,SSL_R_INTERNAL_ERROR);
+ SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_INTERNAL_ERROR);
goto err;
}
*(d++)=SSL3_MT_CERTIFICATE_VERIFY;
@@ -1697,10 +1862,10 @@ static int ssl3_check_cert_and_algorithm(SSL *s)
long algs;
EVP_PKEY *pkey=NULL;
SESS_CERT *sc;
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
RSA *rsa;
#endif
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
DH *dh;
#endif
@@ -1708,20 +1873,20 @@ static int ssl3_check_cert_and_algorithm(SSL *s)
if (sc == NULL)
{
- SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_INTERNAL_ERROR);
+ SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,ERR_R_INTERNAL_ERROR);
goto err;
}
algs=s->s3->tmp.new_cipher->algorithms;
/* we don't have a certificate */
- if (algs & (SSL_aDH|SSL_aNULL))
+ if (algs & (SSL_aDH|SSL_aNULL|SSL_aKRB5))
return(1);
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
rsa=s->session->sess_cert->peer_rsa_tmp;
#endif
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
dh=s->session->sess_cert->peer_dh_tmp;
#endif
@@ -1739,14 +1904,14 @@ static int ssl3_check_cert_and_algorithm(SSL *s)
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_SIGNING_CERT);
goto f_err;
}
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
else if ((algs & SSL_aDSS) && !has_bits(i,EVP_PK_DSA|EVP_PKT_SIGN))
{
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DSA_SIGNING_CERT);
goto f_err;
}
#endif
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
if ((algs & SSL_kRSA) &&
!(has_bits(i,EVP_PK_RSA|EVP_PKT_ENC) || (rsa != NULL)))
{
@@ -1754,7 +1919,7 @@ static int ssl3_check_cert_and_algorithm(SSL *s)
goto f_err;
}
#endif
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
if ((algs & SSL_kEDH) &&
!(has_bits(i,EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL)))
{
@@ -1766,7 +1931,7 @@ static int ssl3_check_cert_and_algorithm(SSL *s)
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_RSA_CERT);
goto f_err;
}
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
else if ((algs & SSL_kDHd) && !has_bits(i,EVP_PK_DH|EVP_PKS_DSA))
{
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_DSA_CERT);
@@ -1777,7 +1942,7 @@ static int ssl3_check_cert_and_algorithm(SSL *s)
if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i,EVP_PKT_EXP))
{
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
if (algs & SSL_kRSA)
{
if (rsa == NULL
@@ -1789,7 +1954,7 @@ static int ssl3_check_cert_and_algorithm(SSL *s)
}
else
#endif
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
if (algs & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
{
if (dh == NULL
diff --git a/crypto/openssl/ssl/s3_enc.c b/crypto/openssl/ssl/s3_enc.c
index 79fa4f9..35fde29 100644
--- a/crypto/openssl/ssl/s3_enc.c
+++ b/crypto/openssl/ssl/s3_enc.c
@@ -110,10 +110,9 @@
*/
#include <stdio.h>
-#include <openssl/md5.h>
-#include <openssl/sha.h>
-#include <openssl/evp.h>
#include "ssl_locl.h"
+#include <openssl/evp.h>
+#include <openssl/md5.h>
static unsigned char ssl3_pad_1[48]={
0x36,0x36,0x36,0x36,0x36,0x36,0x36,0x36,
@@ -134,11 +133,11 @@ static unsigned char ssl3_pad_2[48]={
static int ssl3_handshake_mac(SSL *s, EVP_MD_CTX *in_ctx,
const char *sender, int len, unsigned char *p);
-static void ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
+static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
{
- MD5_CTX m5;
- SHA_CTX s1;
- unsigned char buf[8],smd[SHA_DIGEST_LENGTH];
+ EVP_MD_CTX m5;
+ EVP_MD_CTX s1;
+ unsigned char buf[16],smd[SHA_DIGEST_LENGTH];
unsigned char c='A';
int i,j,k;
@@ -146,49 +145,62 @@ static void ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
c = os_toascii[c]; /*'A' in ASCII */
#endif
k=0;
+ EVP_MD_CTX_init(&m5);
+ EVP_MD_CTX_init(&s1);
for (i=0; i<num; i+=MD5_DIGEST_LENGTH)
{
k++;
+ if (k > sizeof buf)
+ {
+ /* bug: 'buf' is too small for this ciphersuite */
+ SSLerr(SSL_F_SSL3_GENERATE_KEY_BLOCK, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+
for (j=0; j<k; j++)
buf[j]=c;
c++;
- SHA1_Init( &s1);
- SHA1_Update(&s1,buf,k);
- SHA1_Update(&s1,s->session->master_key,
+ EVP_DigestInit_ex(&s1,EVP_sha1(), NULL);
+ EVP_DigestUpdate(&s1,buf,k);
+ EVP_DigestUpdate(&s1,s->session->master_key,
s->session->master_key_length);
- SHA1_Update(&s1,s->s3->server_random,SSL3_RANDOM_SIZE);
- SHA1_Update(&s1,s->s3->client_random,SSL3_RANDOM_SIZE);
- SHA1_Final( smd,&s1);
+ EVP_DigestUpdate(&s1,s->s3->server_random,SSL3_RANDOM_SIZE);
+ EVP_DigestUpdate(&s1,s->s3->client_random,SSL3_RANDOM_SIZE);
+ EVP_DigestFinal_ex(&s1,smd,NULL);
- MD5_Init( &m5);
- MD5_Update(&m5,s->session->master_key,
+ EVP_DigestInit_ex(&m5,EVP_md5(), NULL);
+ EVP_DigestUpdate(&m5,s->session->master_key,
s->session->master_key_length);
- MD5_Update(&m5,smd,SHA_DIGEST_LENGTH);
+ EVP_DigestUpdate(&m5,smd,SHA_DIGEST_LENGTH);
if ((i+MD5_DIGEST_LENGTH) > num)
{
- MD5_Final(smd,&m5);
+ EVP_DigestFinal_ex(&m5,smd,NULL);
memcpy(km,smd,(num-i));
}
else
- MD5_Final(km,&m5);
+ EVP_DigestFinal_ex(&m5,km,NULL);
km+=MD5_DIGEST_LENGTH;
}
- memset(smd,0,SHA_DIGEST_LENGTH);
+ OPENSSL_cleanse(smd,SHA_DIGEST_LENGTH);
+ EVP_MD_CTX_cleanup(&m5);
+ EVP_MD_CTX_cleanup(&s1);
+ return 1;
}
int ssl3_change_cipher_state(SSL *s, int which)
{
unsigned char *p,*key_block,*mac_secret;
unsigned char exp_key[EVP_MAX_KEY_LENGTH];
- unsigned char exp_iv[EVP_MAX_KEY_LENGTH];
+ unsigned char exp_iv[EVP_MAX_IV_LENGTH];
unsigned char *ms,*key,*iv,*er1,*er2;
EVP_CIPHER_CTX *dd;
const EVP_CIPHER *c;
COMP_METHOD *comp;
const EVP_MD *m;
- MD5_CTX md;
+ EVP_MD_CTX md;
int exp,n,i,j,k,cl;
+ int reuse_dd = 0;
exp=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
c=s->s3->tmp.new_sym_enc;
@@ -201,9 +213,9 @@ int ssl3_change_cipher_state(SSL *s, int which)
if (which & SSL3_CC_READ)
{
- if ((s->enc_read_ctx == NULL) &&
- ((s->enc_read_ctx=(EVP_CIPHER_CTX *)
- OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL))
+ if (s->enc_read_ctx != NULL)
+ reuse_dd = 1;
+ else if ((s->enc_read_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
goto err;
dd= s->enc_read_ctx;
s->read_hash=m;
@@ -232,9 +244,9 @@ int ssl3_change_cipher_state(SSL *s, int which)
}
else
{
- if ((s->enc_write_ctx == NULL) &&
- ((s->enc_write_ctx=(EVP_CIPHER_CTX *)
- OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL))
+ if (s->enc_write_ctx != NULL)
+ reuse_dd = 1;
+ else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
goto err;
dd= s->enc_write_ctx;
s->write_hash=m;
@@ -257,6 +269,8 @@ int ssl3_change_cipher_state(SSL *s, int which)
mac_secret= &(s->s3->write_mac_secret[0]);
}
+ if (reuse_dd)
+ EVP_CIPHER_CTX_cleanup(dd);
EVP_CIPHER_CTX_init(dd);
p=s->s3->tmp.key_block;
@@ -287,39 +301,41 @@ int ssl3_change_cipher_state(SSL *s, int which)
if (n > s->s3->tmp.key_block_length)
{
- SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,SSL_R_INTERNAL_ERROR);
+ SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,ERR_R_INTERNAL_ERROR);
goto err2;
}
+ EVP_MD_CTX_init(&md);
memcpy(mac_secret,ms,i);
if (exp)
{
/* In here I set both the read and write key/iv to the
* same value since only the correct one will be used :-).
*/
- MD5_Init(&md);
- MD5_Update(&md,key,j);
- MD5_Update(&md,er1,SSL3_RANDOM_SIZE);
- MD5_Update(&md,er2,SSL3_RANDOM_SIZE);
- MD5_Final(&(exp_key[0]),&md);
+ EVP_DigestInit_ex(&md,EVP_md5(), NULL);
+ EVP_DigestUpdate(&md,key,j);
+ EVP_DigestUpdate(&md,er1,SSL3_RANDOM_SIZE);
+ EVP_DigestUpdate(&md,er2,SSL3_RANDOM_SIZE);
+ EVP_DigestFinal_ex(&md,&(exp_key[0]),NULL);
key= &(exp_key[0]);
if (k > 0)
{
- MD5_Init(&md);
- MD5_Update(&md,er1,SSL3_RANDOM_SIZE);
- MD5_Update(&md,er2,SSL3_RANDOM_SIZE);
- MD5_Final(&(exp_iv[0]),&md);
+ EVP_DigestInit_ex(&md,EVP_md5(), NULL);
+ EVP_DigestUpdate(&md,er1,SSL3_RANDOM_SIZE);
+ EVP_DigestUpdate(&md,er2,SSL3_RANDOM_SIZE);
+ EVP_DigestFinal_ex(&md,&(exp_iv[0]),NULL);
iv= &(exp_iv[0]);
}
}
s->session->key_arg_length=0;
- EVP_CipherInit(dd,c,key,iv,(which & SSL3_CC_WRITE));
+ EVP_CipherInit_ex(dd,c,NULL,key,iv,(which & SSL3_CC_WRITE));
- memset(&(exp_key[0]),0,sizeof(exp_key));
- memset(&(exp_iv[0]),0,sizeof(exp_iv));
+ OPENSSL_cleanse(&(exp_key[0]),sizeof(exp_key));
+ OPENSSL_cleanse(&(exp_iv[0]),sizeof(exp_iv));
+ EVP_MD_CTX_cleanup(&md);
return(1);
err:
SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,ERR_R_MALLOC_FAILURE);
@@ -333,6 +349,7 @@ int ssl3_setup_key_block(SSL *s)
const EVP_CIPHER *c;
const EVP_MD *hash;
int num;
+ int ret = 0;
SSL_COMP *comp;
if (s->s3->tmp.key_block_length != 0)
@@ -358,9 +375,9 @@ int ssl3_setup_key_block(SSL *s)
s->s3->tmp.key_block_length=num;
s->s3->tmp.key_block=p;
-
- ssl3_generate_key_block(s,p,num);
-
+
+ ret = ssl3_generate_key_block(s,p,num);
+
if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
{
/* enable vulnerability countermeasure for CBC ciphers with
@@ -368,19 +385,20 @@ int ssl3_setup_key_block(SSL *s)
*/
s->s3->need_empty_fragments = 1;
- if (s->session->cipher != NULL)
+ if (s->session->cipher != NULL)
{
if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_eNULL)
- s->s3->need_empty_fragments = 0;
-
-#ifndef NO_RC4
- if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4)
- s->s3->need_empty_fragments = 0;
+ s->s3->need_empty_fragments = 0;
+
+#ifndef OPENSSL_NO_RC4
+ if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4)
+ s->s3->need_empty_fragments = 0;
#endif
- }
- }
+ }
+ }
+
+ return ret;
- return(1);
err:
SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE);
return(0);
@@ -390,7 +408,7 @@ void ssl3_cleanup_key_block(SSL *s)
{
if (s->s3->tmp.key_block != NULL)
{
- memset(s->s3->tmp.key_block,0,
+ OPENSSL_cleanse(s->s3->tmp.key_block,
s->s3->tmp.key_block_length);
OPENSSL_free(s->s3->tmp.key_block);
s->s3->tmp.key_block=NULL;
@@ -481,8 +499,8 @@ int ssl3_enc(SSL *s, int send)
void ssl3_init_finished_mac(SSL *s)
{
- EVP_DigestInit(&(s->s3->finish_dgst1),s->ctx->md5);
- EVP_DigestInit(&(s->s3->finish_dgst2),s->ctx->sha1);
+ EVP_DigestInit_ex(&(s->s3->finish_dgst1),s->ctx->md5, NULL);
+ EVP_DigestInit_ex(&(s->s3->finish_dgst2),s->ctx->sha1, NULL);
}
void ssl3_finish_mac(SSL *s, const unsigned char *buf, int len)
@@ -516,7 +534,8 @@ static int ssl3_handshake_mac(SSL *s, EVP_MD_CTX *in_ctx,
unsigned char md_buf[EVP_MAX_MD_SIZE];
EVP_MD_CTX ctx;
- EVP_MD_CTX_copy(&ctx,in_ctx);
+ EVP_MD_CTX_init(&ctx);
+ EVP_MD_CTX_copy_ex(&ctx,in_ctx);
n=EVP_MD_CTX_size(&ctx);
npad=(48/n)*n;
@@ -526,16 +545,16 @@ static int ssl3_handshake_mac(SSL *s, EVP_MD_CTX *in_ctx,
EVP_DigestUpdate(&ctx,s->session->master_key,
s->session->master_key_length);
EVP_DigestUpdate(&ctx,ssl3_pad_1,npad);
- EVP_DigestFinal(&ctx,md_buf,&i);
+ EVP_DigestFinal_ex(&ctx,md_buf,&i);
- EVP_DigestInit(&ctx,EVP_MD_CTX_md(&ctx));
+ EVP_DigestInit_ex(&ctx,EVP_MD_CTX_md(&ctx), NULL);
EVP_DigestUpdate(&ctx,s->session->master_key,
s->session->master_key_length);
EVP_DigestUpdate(&ctx,ssl3_pad_2,npad);
EVP_DigestUpdate(&ctx,md_buf,i);
- EVP_DigestFinal(&ctx,p,&ret);
+ EVP_DigestFinal_ex(&ctx,p,&ret);
- memset(&ctx,0,sizeof(EVP_MD_CTX));
+ EVP_MD_CTX_cleanup(&ctx);
return((int)ret);
}
@@ -569,8 +588,9 @@ int ssl3_mac(SSL *ssl, unsigned char *md, int send)
npad=(48/md_size)*md_size;
/* Chop the digest off the end :-) */
+ EVP_MD_CTX_init(&md_ctx);
- EVP_DigestInit( &md_ctx,hash);
+ EVP_DigestInit_ex( &md_ctx,hash, NULL);
EVP_DigestUpdate(&md_ctx,mac_sec,md_size);
EVP_DigestUpdate(&md_ctx,ssl3_pad_1,npad);
EVP_DigestUpdate(&md_ctx,seq,8);
@@ -580,13 +600,15 @@ int ssl3_mac(SSL *ssl, unsigned char *md, int send)
s2n(rec->length,p);
EVP_DigestUpdate(&md_ctx,md,2);
EVP_DigestUpdate(&md_ctx,rec->input,rec->length);
- EVP_DigestFinal( &md_ctx,md,NULL);
+ EVP_DigestFinal_ex( &md_ctx,md,NULL);
- EVP_DigestInit( &md_ctx,hash);
+ EVP_DigestInit_ex( &md_ctx,hash, NULL);
EVP_DigestUpdate(&md_ctx,mac_sec,md_size);
EVP_DigestUpdate(&md_ctx,ssl3_pad_2,npad);
EVP_DigestUpdate(&md_ctx,md,md_size);
- EVP_DigestFinal( &md_ctx,md,&md_size);
+ EVP_DigestFinal_ex( &md_ctx,md,&md_size);
+
+ EVP_MD_CTX_cleanup(&md_ctx);
for (i=7; i>=0; i--)
{
@@ -616,24 +638,26 @@ int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
int i,ret=0;
unsigned int n;
+ EVP_MD_CTX_init(&ctx);
for (i=0; i<3; i++)
{
- EVP_DigestInit(&ctx,s->ctx->sha1);
+ EVP_DigestInit_ex(&ctx,s->ctx->sha1, NULL);
EVP_DigestUpdate(&ctx,salt[i],strlen((const char *)salt[i]));
EVP_DigestUpdate(&ctx,p,len);
EVP_DigestUpdate(&ctx,&(s->s3->client_random[0]),
SSL3_RANDOM_SIZE);
EVP_DigestUpdate(&ctx,&(s->s3->server_random[0]),
SSL3_RANDOM_SIZE);
- EVP_DigestFinal(&ctx,buf,&n);
+ EVP_DigestFinal_ex(&ctx,buf,&n);
- EVP_DigestInit(&ctx,s->ctx->md5);
+ EVP_DigestInit_ex(&ctx,s->ctx->md5, NULL);
EVP_DigestUpdate(&ctx,p,len);
EVP_DigestUpdate(&ctx,buf,n);
- EVP_DigestFinal(&ctx,out,&n);
+ EVP_DigestFinal_ex(&ctx,out,&n);
out+=n;
ret+=n;
}
+ EVP_MD_CTX_cleanup(&ctx);
return(ret);
}
diff --git a/crypto/openssl/ssl/s3_lib.c b/crypto/openssl/ssl/s3_lib.c
index 9951ebb..896b12f 100644
--- a/crypto/openssl/ssl/s3_lib.c
+++ b/crypto/openssl/ssl/s3_lib.c
@@ -110,10 +110,10 @@
*/
#include <stdio.h>
-#include <openssl/md5.h>
-#include <openssl/sha.h>
#include <openssl/objects.h>
#include "ssl_locl.h"
+#include "kssl_lcl.h"
+#include <openssl/md5.h>
const char *ssl3_version_str="SSLv3" OPENSSL_VERSION_PTEXT;
@@ -512,6 +512,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
SSL_ALL_STRENGTHS,
},
+#if 0
/* Cipher 1E */
{
0,
@@ -525,6 +526,210 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
+#endif
+
+#ifndef OPENSSL_NO_KRB5
+/* The Kerberos ciphers
+** 20000107 VRS: And the first shall be last,
+** in hopes of avoiding the lynx ssl renegotiation problem.
+*/
+/* Cipher 1E VRS */
+ {
+ 1,
+ SSL3_TXT_KRB5_DES_64_CBC_SHA,
+ SSL3_CK_KRB5_DES_64_CBC_SHA,
+ SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_SHA1 |SSL_SSLV3,
+ SSL_NOT_EXP|SSL_LOW,
+ 0,
+ 56,
+ 56,
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
+
+/* Cipher 1F VRS */
+ {
+ 1,
+ SSL3_TXT_KRB5_DES_192_CBC3_SHA,
+ SSL3_CK_KRB5_DES_192_CBC3_SHA,
+ SSL_kKRB5|SSL_aKRB5| SSL_3DES|SSL_SHA1 |SSL_SSLV3,
+ SSL_NOT_EXP|SSL_HIGH,
+ 0,
+ 112,
+ 168,
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
+
+/* Cipher 20 VRS */
+ {
+ 1,
+ SSL3_TXT_KRB5_RC4_128_SHA,
+ SSL3_CK_KRB5_RC4_128_SHA,
+ SSL_kKRB5|SSL_aKRB5| SSL_RC4|SSL_SHA1 |SSL_SSLV3,
+ SSL_NOT_EXP|SSL_MEDIUM,
+ 0,
+ 128,
+ 128,
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
+
+/* Cipher 21 VRS */
+ {
+ 1,
+ SSL3_TXT_KRB5_IDEA_128_CBC_SHA,
+ SSL3_CK_KRB5_IDEA_128_CBC_SHA,
+ SSL_kKRB5|SSL_aKRB5| SSL_IDEA|SSL_SHA1 |SSL_SSLV3,
+ SSL_NOT_EXP|SSL_MEDIUM,
+ 0,
+ 128,
+ 128,
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
+
+/* Cipher 22 VRS */
+ {
+ 1,
+ SSL3_TXT_KRB5_DES_64_CBC_MD5,
+ SSL3_CK_KRB5_DES_64_CBC_MD5,
+ SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_MD5 |SSL_SSLV3,
+ SSL_NOT_EXP|SSL_LOW,
+ 0,
+ 56,
+ 56,
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
+
+/* Cipher 23 VRS */
+ {
+ 1,
+ SSL3_TXT_KRB5_DES_192_CBC3_MD5,
+ SSL3_CK_KRB5_DES_192_CBC3_MD5,
+ SSL_kKRB5|SSL_aKRB5| SSL_3DES|SSL_MD5 |SSL_SSLV3,
+ SSL_NOT_EXP|SSL_HIGH,
+ 0,
+ 112,
+ 168,
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
+
+/* Cipher 24 VRS */
+ {
+ 1,
+ SSL3_TXT_KRB5_RC4_128_MD5,
+ SSL3_CK_KRB5_RC4_128_MD5,
+ SSL_kKRB5|SSL_aKRB5| SSL_RC4|SSL_MD5 |SSL_SSLV3,
+ SSL_NOT_EXP|SSL_MEDIUM,
+ 0,
+ 128,
+ 128,
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
+
+/* Cipher 25 VRS */
+ {
+ 1,
+ SSL3_TXT_KRB5_IDEA_128_CBC_MD5,
+ SSL3_CK_KRB5_IDEA_128_CBC_MD5,
+ SSL_kKRB5|SSL_aKRB5| SSL_IDEA|SSL_MD5 |SSL_SSLV3,
+ SSL_NOT_EXP|SSL_MEDIUM,
+ 0,
+ 128,
+ 128,
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
+
+/* Cipher 26 VRS */
+ {
+ 1,
+ SSL3_TXT_KRB5_DES_40_CBC_SHA,
+ SSL3_CK_KRB5_DES_40_CBC_SHA,
+ SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_SHA1 |SSL_SSLV3,
+ SSL_EXPORT|SSL_EXP40,
+ 0,
+ 40,
+ 56,
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
+
+/* Cipher 27 VRS */
+ {
+ 1,
+ SSL3_TXT_KRB5_RC2_40_CBC_SHA,
+ SSL3_CK_KRB5_RC2_40_CBC_SHA,
+ SSL_kKRB5|SSL_aKRB5| SSL_RC2|SSL_SHA1 |SSL_SSLV3,
+ SSL_EXPORT|SSL_EXP40,
+ 0,
+ 40,
+ 128,
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
+
+/* Cipher 28 VRS */
+ {
+ 1,
+ SSL3_TXT_KRB5_RC4_40_SHA,
+ SSL3_CK_KRB5_RC4_40_SHA,
+ SSL_kKRB5|SSL_aKRB5| SSL_RC4|SSL_SHA1 |SSL_SSLV3,
+ SSL_EXPORT|SSL_EXP40,
+ 0,
+ 128,
+ 128,
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
+
+/* Cipher 29 VRS */
+ {
+ 1,
+ SSL3_TXT_KRB5_DES_40_CBC_MD5,
+ SSL3_CK_KRB5_DES_40_CBC_MD5,
+ SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_MD5 |SSL_SSLV3,
+ SSL_EXPORT|SSL_EXP40,
+ 0,
+ 40,
+ 56,
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
+
+/* Cipher 2A VRS */
+ {
+ 1,
+ SSL3_TXT_KRB5_RC2_40_CBC_MD5,
+ SSL3_CK_KRB5_RC2_40_CBC_MD5,
+ SSL_kKRB5|SSL_aKRB5| SSL_RC2|SSL_MD5 |SSL_SSLV3,
+ SSL_EXPORT|SSL_EXP40,
+ 0,
+ 40,
+ 128,
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
+
+/* Cipher 2B VRS */
+ {
+ 1,
+ SSL3_TXT_KRB5_RC4_40_MD5,
+ SSL3_CK_KRB5_RC4_40_MD5,
+ SSL_kKRB5|SSL_aKRB5| SSL_RC4|SSL_MD5 |SSL_SSLV3,
+ SSL_EXPORT|SSL_EXP40,
+ 0,
+ 128,
+ 128,
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
+#endif /* OPENSSL_NO_KRB5 */
+
#if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES
/* New TLS Export CipherSuites */
@@ -620,6 +825,165 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
SSL_ALL_STRENGTHS
},
#endif
+ /* New AES ciphersuites */
+
+ /* Cipher 2F */
+ {
+ 1,
+ TLS1_TXT_RSA_WITH_AES_128_SHA,
+ TLS1_CK_RSA_WITH_AES_128_SHA,
+ SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1,
+ SSL_NOT_EXP|SSL_MEDIUM,
+ 0,
+ 128,
+ 128,
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
+ /* Cipher 30 */
+ {
+ 0,
+ TLS1_TXT_DH_DSS_WITH_AES_128_SHA,
+ TLS1_CK_DH_DSS_WITH_AES_128_SHA,
+ SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
+ SSL_NOT_EXP|SSL_MEDIUM,
+ 0,
+ 128,
+ 128,
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
+ /* Cipher 31 */
+ {
+ 0,
+ TLS1_TXT_DH_RSA_WITH_AES_128_SHA,
+ TLS1_CK_DH_RSA_WITH_AES_128_SHA,
+ SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
+ SSL_NOT_EXP|SSL_MEDIUM,
+ 0,
+ 128,
+ 128,
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
+ /* Cipher 32 */
+ {
+ 1,
+ TLS1_TXT_DHE_DSS_WITH_AES_128_SHA,
+ TLS1_CK_DHE_DSS_WITH_AES_128_SHA,
+ SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1,
+ SSL_NOT_EXP|SSL_MEDIUM,
+ 0,
+ 128,
+ 128,
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
+ /* Cipher 33 */
+ {
+ 1,
+ TLS1_TXT_DHE_RSA_WITH_AES_128_SHA,
+ TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
+ SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
+ SSL_NOT_EXP|SSL_MEDIUM,
+ 0,
+ 128,
+ 128,
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
+ /* Cipher 34 */
+ {
+ 1,
+ TLS1_TXT_ADH_WITH_AES_128_SHA,
+ TLS1_CK_ADH_WITH_AES_128_SHA,
+ SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
+ SSL_NOT_EXP|SSL_MEDIUM,
+ 0,
+ 128,
+ 128,
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
+
+ /* Cipher 35 */
+ {
+ 1,
+ TLS1_TXT_RSA_WITH_AES_256_SHA,
+ TLS1_CK_RSA_WITH_AES_256_SHA,
+ SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1,
+ SSL_NOT_EXP|SSL_HIGH,
+ 0,
+ 256,
+ 256,
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
+ /* Cipher 36 */
+ {
+ 0,
+ TLS1_TXT_DH_DSS_WITH_AES_256_SHA,
+ TLS1_CK_DH_DSS_WITH_AES_256_SHA,
+ SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
+ SSL_NOT_EXP|SSL_HIGH,
+ 0,
+ 256,
+ 256,
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
+ /* Cipher 37 */
+ {
+ 0,
+ TLS1_TXT_DH_RSA_WITH_AES_256_SHA,
+ TLS1_CK_DH_RSA_WITH_AES_256_SHA,
+ SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
+ SSL_NOT_EXP|SSL_HIGH,
+ 0,
+ 256,
+ 256,
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
+ /* Cipher 38 */
+ {
+ 1,
+ TLS1_TXT_DHE_DSS_WITH_AES_256_SHA,
+ TLS1_CK_DHE_DSS_WITH_AES_256_SHA,
+ SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1,
+ SSL_NOT_EXP|SSL_HIGH,
+ 0,
+ 256,
+ 256,
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
+ /* Cipher 39 */
+ {
+ 1,
+ TLS1_TXT_DHE_RSA_WITH_AES_256_SHA,
+ TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
+ SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
+ SSL_NOT_EXP|SSL_HIGH,
+ 0,
+ 256,
+ 256,
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
+ /* Cipher 3A */
+ {
+ 1,
+ TLS1_TXT_ADH_WITH_AES_256_SHA,
+ TLS1_CK_ADH_WITH_AES_256_SHA,
+ SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
+ SSL_NOT_EXP|SSL_HIGH,
+ 0,
+ 256,
+ 256,
+ SSL_ALL_CIPHERS,
+ SSL_ALL_STRENGTHS,
+ },
/* end of list */
};
@@ -705,6 +1069,8 @@ int ssl3_new(SSL *s)
if ((s3=OPENSSL_malloc(sizeof *s3)) == NULL) goto err;
memset(s3,0,sizeof *s3);
+ EVP_MD_CTX_init(&s3->finish_dgst1);
+ EVP_MD_CTX_init(&s3->finish_dgst2);
s->s3=s3;
@@ -726,13 +1092,15 @@ void ssl3_free(SSL *s)
OPENSSL_free(s->s3->wbuf.buf);
if (s->s3->rrec.comp != NULL)
OPENSSL_free(s->s3->rrec.comp);
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
if (s->s3->tmp.dh != NULL)
DH_free(s->s3->tmp.dh);
#endif
if (s->s3->tmp.ca_names != NULL)
sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
- memset(s->s3,0,sizeof *s->s3);
+ EVP_MD_CTX_cleanup(&s->s3->finish_dgst1);
+ EVP_MD_CTX_cleanup(&s->s3->finish_dgst2);
+ OPENSSL_cleanse(s->s3,sizeof *s->s3);
OPENSSL_free(s->s3);
s->s3=NULL;
}
@@ -751,21 +1119,24 @@ void ssl3_clear(SSL *s)
OPENSSL_free(s->s3->rrec.comp);
s->s3->rrec.comp=NULL;
}
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
if (s->s3->tmp.dh != NULL)
DH_free(s->s3->tmp.dh);
#endif
rp = s->s3->rbuf.buf;
wp = s->s3->wbuf.buf;
- rlen = s->s3->rbuf_len;
- wlen = s->s3->wbuf_len;
+ rlen = s->s3->rbuf.len;
+ wlen = s->s3->wbuf.len;
+
+ EVP_MD_CTX_cleanup(&s->s3->finish_dgst1);
+ EVP_MD_CTX_cleanup(&s->s3->finish_dgst2);
memset(s->s3,0,sizeof *s->s3);
s->s3->rbuf.buf = rp;
s->s3->wbuf.buf = wp;
- s->s3->rbuf_len = rlen;
- s->s3->wbuf_len = wlen;
+ s->s3->rbuf.len = rlen;
+ s->s3->wbuf.len = wlen;
ssl_free_wbio_buffer(s);
@@ -777,17 +1148,17 @@ void ssl3_clear(SSL *s)
s->version=SSL3_VERSION;
}
-long ssl3_ctrl(SSL *s, int cmd, long larg, char *parg)
+long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
{
int ret=0;
-#if !defined(NO_DSA) || !defined(NO_RSA)
+#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_RSA)
if (
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
cmd == SSL_CTRL_SET_TMP_RSA ||
cmd == SSL_CTRL_SET_TMP_RSA_CB ||
#endif
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
cmd == SSL_CTRL_SET_TMP_DH ||
cmd == SSL_CTRL_SET_TMP_DH_CB ||
#endif
@@ -821,7 +1192,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, char *parg)
case SSL_CTRL_GET_FLAGS:
ret=(int)(s->s3->flags);
break;
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
case SSL_CTRL_NEED_TMP_RSA:
if ((s->cert != NULL) && (s->cert->rsa_tmp == NULL) &&
((s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) ||
@@ -854,7 +1225,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, char *parg)
}
break;
#endif
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
case SSL_CTRL_SET_TMP_DH:
{
DH *dh = (DH *)parg;
@@ -900,12 +1271,12 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)())
{
int ret=0;
-#if !defined(NO_DSA) || !defined(NO_RSA)
+#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_RSA)
if (
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
cmd == SSL_CTRL_SET_TMP_RSA_CB ||
#endif
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
cmd == SSL_CTRL_SET_TMP_DH_CB ||
#endif
0)
@@ -920,14 +1291,14 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)())
switch (cmd)
{
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
case SSL_CTRL_SET_TMP_RSA_CB:
{
s->cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp;
}
break;
#endif
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
case SSL_CTRL_SET_TMP_DH_CB:
{
s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
@@ -940,7 +1311,7 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)())
return(ret);
}
-long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, char *parg)
+long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
{
CERT *cert;
@@ -948,7 +1319,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, char *parg)
switch (cmd)
{
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
case SSL_CTRL_NEED_TMP_RSA:
if ( (cert->rsa_tmp == NULL) &&
((cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) ||
@@ -993,7 +1364,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, char *parg)
}
break;
#endif
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
case SSL_CTRL_SET_TMP_DH:
{
DH *new=NULL,*dh;
@@ -1050,14 +1421,14 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)())
switch (cmd)
{
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
case SSL_CTRL_SET_TMP_RSA_CB:
{
cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp;
}
break;
#endif
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
case SSL_CTRL_SET_TMP_DH_CB:
{
cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
@@ -1084,16 +1455,19 @@ SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p)
{
CRYPTO_w_lock(CRYPTO_LOCK_SSL);
- for (i=0; i<SSL3_NUM_CIPHERS; i++)
- sorted[i]= &(ssl3_ciphers[i]);
+ if (init)
+ {
+ for (i=0; i<SSL3_NUM_CIPHERS; i++)
+ sorted[i]= &(ssl3_ciphers[i]);
- qsort( (char *)sorted,
- SSL3_NUM_CIPHERS,sizeof(SSL_CIPHER *),
- FP_ICC ssl_cipher_ptr_id_cmp);
+ qsort(sorted,
+ SSL3_NUM_CIPHERS,sizeof(SSL_CIPHER *),
+ FP_ICC ssl_cipher_ptr_id_cmp);
+ init=0;
+ }
+
CRYPTO_w_unlock(CRYPTO_LOCK_SSL);
-
- init=0;
}
id=0x03000000L|((unsigned long)p[0]<<8L)|(unsigned long)p[1];
@@ -1122,10 +1496,11 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p)
return(2);
}
-SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *have,
- STACK_OF(SSL_CIPHER) *pref)
+SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
+ STACK_OF(SSL_CIPHER) *srvr)
{
SSL_CIPHER *c,*ret=NULL;
+ STACK_OF(SSL_CIPHER) *prio, *allow;
int i,j,ok;
CERT *cert;
unsigned long alg,mask,emask;
@@ -1133,26 +1508,62 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *have,
/* Let's see which ciphers we can support */
cert=s->cert;
- sk_SSL_CIPHER_set_cmp_func(pref,ssl_cipher_ptr_id_cmp);
+#if 0
+ /* Do not set the compare functions, because this may lead to a
+ * reordering by "id". We want to keep the original ordering.
+ * We may pay a price in performance during sk_SSL_CIPHER_find(),
+ * but would have to pay with the price of sk_SSL_CIPHER_dup().
+ */
+ sk_SSL_CIPHER_set_cmp_func(srvr, ssl_cipher_ptr_id_cmp);
+ sk_SSL_CIPHER_set_cmp_func(clnt, ssl_cipher_ptr_id_cmp);
+#endif
#ifdef CIPHER_DEBUG
- printf("Have:\n");
- for(i=0 ; i < sk_num(pref) ; ++i)
+ printf("Server has %d from %p:\n", sk_SSL_CIPHER_num(srvr), srvr);
+ for(i=0 ; i < sk_SSL_CIPHER_num(srvr) ; ++i)
+ {
+ c=sk_SSL_CIPHER_value(srvr,i);
+ printf("%p:%s\n",c,c->name);
+ }
+ printf("Client sent %d from %p:\n", sk_SSL_CIPHER_num(clnt), clnt);
+ for(i=0 ; i < sk_SSL_CIPHER_num(clnt) ; ++i)
{
- c=(SSL_CIPHER *)sk_value(pref,i);
+ c=sk_SSL_CIPHER_value(clnt,i);
printf("%p:%s\n",c,c->name);
}
#endif
- for (i=0; i<sk_SSL_CIPHER_num(have); i++)
+ if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE)
+ {
+ prio = srvr;
+ allow = clnt;
+ }
+ else
+ {
+ prio = clnt;
+ allow = srvr;
+ }
+
+ for (i=0; i<sk_SSL_CIPHER_num(prio); i++)
{
- c=sk_SSL_CIPHER_value(have,i);
+ c=sk_SSL_CIPHER_value(prio,i);
ssl_set_cert_masks(cert,c);
mask=cert->mask;
emask=cert->export_mask;
+#ifdef KSSL_DEBUG
+ printf("ssl3_choose_cipher %d alg= %lx\n", i,c->algorithms);
+#endif /* KSSL_DEBUG */
+
alg=c->algorithms&(SSL_MKEY_MASK|SSL_AUTH_MASK);
+#ifndef OPENSSL_NO_KRB5
+ if (alg & SSL_KRB5)
+ {
+ if ( !kssl_keytab_is_available(s->kssl_ctx) )
+ continue;
+ }
+#endif /* OPENSSL_NO_KRB5 */
if (SSL_C_IS_EXPORT(c))
{
ok=((alg & emask) == alg)?1:0;
@@ -1172,10 +1583,10 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *have,
if (!ok) continue;
- j=sk_SSL_CIPHER_find(pref,c);
+ j=sk_SSL_CIPHER_find(allow,c);
if (j >= 0)
{
- ret=sk_SSL_CIPHER_value(pref,j);
+ ret=sk_SSL_CIPHER_value(allow,j);
break;
}
}
@@ -1189,31 +1600,31 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p)
alg=s->s3->tmp.new_cipher->algorithms;
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
if (alg & (SSL_kDHr|SSL_kEDH))
{
-# ifndef NO_RSA
+# ifndef OPENSSL_NO_RSA
p[ret++]=SSL3_CT_RSA_FIXED_DH;
# endif
-# ifndef NO_DSA
+# ifndef OPENSSL_NO_DSA
p[ret++]=SSL3_CT_DSS_FIXED_DH;
# endif
}
if ((s->version == SSL3_VERSION) &&
(alg & (SSL_kEDH|SSL_kDHd|SSL_kDHr)))
{
-# ifndef NO_RSA
+# ifndef OPENSSL_NO_RSA
p[ret++]=SSL3_CT_RSA_EPHEMERAL_DH;
# endif
-# ifndef NO_DSA
+# ifndef OPENSSL_NO_DSA
p[ret++]=SSL3_CT_DSS_EPHEMERAL_DH;
# endif
}
-#endif /* !NO_DH */
-#ifndef NO_RSA
+#endif /* !OPENSSL_NO_DH */
+#ifndef OPENSSL_NO_RSA
p[ret++]=SSL3_CT_RSA_SIGN;
#endif
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
p[ret++]=SSL3_CT_DSS_SIGN;
#endif
return(ret);
diff --git a/crypto/openssl/ssl/s3_meth.c b/crypto/openssl/ssl/s3_meth.c
index 81bcad8..1fd7a96 100644
--- a/crypto/openssl/ssl/s3_meth.c
+++ b/crypto/openssl/ssl/s3_meth.c
@@ -76,12 +76,19 @@ SSL_METHOD *SSLv3_method(void)
if (init)
{
- memcpy((char *)&SSLv3_data,(char *)sslv3_base_method(),
- sizeof(SSL_METHOD));
- SSLv3_data.ssl_connect=ssl3_connect;
- SSLv3_data.ssl_accept=ssl3_accept;
- SSLv3_data.get_ssl_method=ssl3_get_method;
- init=0;
+ CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
+
+ if (init)
+ {
+ memcpy((char *)&SSLv3_data,(char *)sslv3_base_method(),
+ sizeof(SSL_METHOD));
+ SSLv3_data.ssl_connect=ssl3_connect;
+ SSLv3_data.ssl_accept=ssl3_accept;
+ SSLv3_data.get_ssl_method=ssl3_get_method;
+ init=0;
+ }
+
+ CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
}
return(&SSLv3_data);
}
diff --git a/crypto/openssl/ssl/s3_pkt.c b/crypto/openssl/ssl/s3_pkt.c
index f52303c..6ccea9a 100644
--- a/crypto/openssl/ssl/s3_pkt.c
+++ b/crypto/openssl/ssl/s3_pkt.c
@@ -112,9 +112,9 @@
#include <stdio.h>
#include <errno.h>
#define USE_SOCKETS
+#include "ssl_locl.h"
#include <openssl/evp.h>
#include <openssl/buffer.h>
-#include "ssl_locl.h"
static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
unsigned int len, int create_empty_fragment);
@@ -162,13 +162,13 @@ static int ssl3_read_n(SSL *s, int n, int max, int extend)
{
/* avoid buffer overflow */
- int max_max = s->s3->rbuf_len - s->packet_length;
+ int max_max = s->s3->rbuf.len - s->packet_length;
if (max > max_max)
max = max_max;
}
if (n > max) /* does not happen */
{
- SSLerr(SSL_F_SSL3_READ_N,SSL_R_INTERNAL_ERROR);
+ SSLerr(SSL_F_SSL3_READ_N,ERR_R_INTERNAL_ERROR);
return -1;
}
@@ -246,11 +246,11 @@ static int ssl3_get_record(SSL *s)
extra=SSL3_RT_MAX_EXTRA;
else
extra=0;
- if (extra != s->s3->rbuf_len - SSL3_RT_MAX_PACKET_SIZE)
+ if (extra != s->s3->rbuf.len - SSL3_RT_MAX_PACKET_SIZE)
{
/* actually likely an application error: SLS_OP_MICROSOFT_BIG_SSLV3_BUFFER
* set after ssl3_setup_buffers() was done */
- SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_INTERNAL_ERROR);
+ SSLerr(SSL_F_SSL3_GET_RECORD, ERR_R_INTERNAL_ERROR);
return -1;
}
@@ -259,7 +259,7 @@ again:
if ( (s->rstate != SSL_ST_READ_BODY) ||
(s->packet_length < SSL3_RT_HEADER_LENGTH))
{
- n=ssl3_read_n(s, SSL3_RT_HEADER_LENGTH, s->s3->rbuf_len, 0);
+ n=ssl3_read_n(s, SSL3_RT_HEADER_LENGTH, s->s3->rbuf.len, 0);
if (n <= 0) return(n); /* error or non-blocking */
s->rstate=SSL_ST_READ_BODY;
@@ -604,10 +604,10 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
if (prefix_len <= 0)
goto err;
- if (s->s3->wbuf_len < (size_t)prefix_len + SSL3_RT_MAX_PACKET_SIZE)
+ if (s->s3->wbuf.len < (size_t)prefix_len + SSL3_RT_MAX_PACKET_SIZE)
{
/* insufficient space */
- SSLerr(SSL_F_DO_SSL3_WRITE, SSL_R_INTERNAL_ERROR);
+ SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR);
goto err;
}
}
@@ -776,7 +776,7 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
int al,i,j,ret;
unsigned int n;
SSL3_RECORD *rr;
- void (*cb)()=NULL;
+ void (*cb)(const SSL *ssl,int type2,int val)=NULL;
if (s->s3->rbuf.buf == NULL) /* Not initialized yet */
if (!ssl3_setup_buffers(s))
@@ -785,7 +785,7 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
if ((type && (type != SSL3_RT_APPLICATION_DATA) && (type != SSL3_RT_HANDSHAKE) && type) ||
(peek && (type != SSL3_RT_APPLICATION_DATA)))
{
- SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_INTERNAL_ERROR);
+ SSLerr(SSL_F_SSL3_READ_BYTES, ERR_R_INTERNAL_ERROR);
return -1;
}
@@ -957,6 +957,9 @@ start:
goto err;
}
+ if (s->msg_callback)
+ s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->s3->handshake_fragment, 4, s, s->msg_callback_arg);
+
if (SSL_is_init_finished(s) &&
!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
!s->s3->renegotiate)
@@ -1002,6 +1005,9 @@ start:
s->s3->alert_fragment_len = 0;
+ if (s->msg_callback)
+ s->msg_callback(0, s->version, SSL3_RT_ALERT, s->s3->alert_fragment, 2, s, s->msg_callback_arg);
+
if (s->info_callback != NULL)
cb=s->info_callback;
else if (s->ctx->info_callback != NULL)
@@ -1065,6 +1071,10 @@ start:
}
rr->length=0;
+
+ if (s->msg_callback)
+ s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, rr->data, 1, s, s->msg_callback_arg);
+
s->s3->change_cipher_spec=1;
if (!do_change_cipher_spec(s))
goto err;
@@ -1119,7 +1129,7 @@ start:
switch (rr->type)
{
default:
-#ifndef NO_TLS
+#ifndef OPENSSL_NO_TLS
/* TLS just ignores unknown message types */
if (s->version == TLS1_VERSION)
{
@@ -1137,7 +1147,7 @@ start:
* of SSL3_RT_HANDSHAKE when s->in_handshake is set, but that
* should not happen when type != rr->type */
al=SSL_AD_UNEXPECTED_MESSAGE;
- SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_INTERNAL_ERROR);
+ SSLerr(SSL_F_SSL3_READ_BYTES,ERR_R_INTERNAL_ERROR);
goto f_err;
case SSL3_RT_APPLICATION_DATA:
/* At this point, we were expecting handshake data,
@@ -1243,7 +1253,7 @@ void ssl3_send_alert(SSL *s, int level, int desc)
int ssl3_dispatch_alert(SSL *s)
{
int i,j;
- void (*cb)()=NULL;
+ void (*cb)(const SSL *ssl,int type,int val)=NULL;
s->s3->alert_dispatch=0;
i = do_ssl3_write(s, SSL3_RT_ALERT, &s->s3->send_alert[0], 2, 0);
@@ -1259,6 +1269,9 @@ int ssl3_dispatch_alert(SSL *s)
if (s->s3->send_alert[0] == SSL3_AL_FATAL)
(void)BIO_flush(s->wbio);
+ if (s->msg_callback)
+ s->msg_callback(1, s->version, SSL3_RT_ALERT, s->s3->send_alert, 2, s, s->msg_callback_arg);
+
if (s->info_callback != NULL)
cb=s->info_callback;
else if (s->ctx->info_callback != NULL)
diff --git a/crypto/openssl/ssl/s3_srvr.c b/crypto/openssl/ssl/s3_srvr.c
index fe1e689..7643877 100644
--- a/crypto/openssl/ssl/s3_srvr.c
+++ b/crypto/openssl/ssl/s3_srvr.c
@@ -114,14 +114,15 @@
#include <stdio.h>
+#include "ssl_locl.h"
+#include "kssl_lcl.h"
#include <openssl/buffer.h>
#include <openssl/rand.h>
#include <openssl/objects.h>
-#include <openssl/md5.h>
-#include <openssl/sha.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
-#include "ssl_locl.h"
+#include <openssl/krb5_asn.h>
+#include <openssl/md5.h>
#include "cryptlib.h"
static SSL_METHOD *ssl3_get_server_method(int ver);
@@ -151,11 +152,18 @@ SSL_METHOD *SSLv3_server_method(void)
if (init)
{
- memcpy((char *)&SSLv3_server_data,(char *)sslv3_base_method(),
- sizeof(SSL_METHOD));
- SSLv3_server_data.ssl_accept=ssl3_accept;
- SSLv3_server_data.get_ssl_method=ssl3_get_server_method;
- init=0;
+ CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
+
+ if (init)
+ {
+ memcpy((char *)&SSLv3_server_data,(char *)sslv3_base_method(),
+ sizeof(SSL_METHOD));
+ SSLv3_server_data.ssl_accept=ssl3_accept;
+ SSLv3_server_data.get_ssl_method=ssl3_get_server_method;
+ init=0;
+ }
+
+ CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
}
return(&SSLv3_server_data);
}
@@ -164,7 +172,7 @@ int ssl3_accept(SSL *s)
{
BUF_MEM *buf;
unsigned long l,Time=time(NULL);
- void (*cb)()=NULL;
+ void (*cb)(const SSL *ssl,int type,int val)=NULL;
long num1;
int ret= -1;
int new_state,state,skip=0;
@@ -208,7 +216,7 @@ int ssl3_accept(SSL *s)
if ((s->version>>8) != 3)
{
- SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_INTERNAL_ERROR);
+ SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR);
return -1;
}
s->type=SSL_ST_ACCEPT;
@@ -317,7 +325,15 @@ int ssl3_accept(SSL *s)
/* clear this, it may get reset by
* send_server_key_exchange */
- if (s->options & SSL_OP_EPHEMERAL_RSA)
+ if ((s->options & SSL_OP_EPHEMERAL_RSA)
+#ifndef OPENSSL_NO_KRB5
+ && !(l & SSL_KRB5)
+#endif /* OPENSSL_NO_KRB5 */
+ )
+ /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
+ * even when forbidden by protocol specs
+ * (handshake may fail as clients are not required to
+ * be able to handle this) */
s->s3->tmp.use_rsa_tmp=1;
else
s->s3->tmp.use_rsa_tmp=0;
@@ -359,7 +375,9 @@ int ssl3_accept(SSL *s)
((s->s3->tmp.new_cipher->algorithms & SSL_aNULL) &&
/* ... except when the application insists on verification
* (against the specs, but s3_clnt.c accepts this for SSL 3) */
- !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)))
+ !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
+ /* never request cert in Kerberos ciphersuites */
+ (s->s3->tmp.new_cipher->algorithms & SSL_aKRB5))
{
/* no cert request */
skip=1;
@@ -515,7 +533,8 @@ int ssl3_accept(SSL *s)
if (s->new_session == 2) /* skipped if we just sent a HelloRequest */
{
- /* actually not necessarily a 'new' session */
+ /* actually not necessarily a 'new' session unless
+ * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */
s->new_session=0;
@@ -600,11 +619,7 @@ static int ssl3_check_client_hello(SSL *s)
SSL3_ST_SR_CERT_A,
SSL3_ST_SR_CERT_B,
-1,
-#if defined(MSDOS) && !defined(WIN32)
- 1024*30, /* 30k max cert list :-) */
-#else
- 1024*100, /* 100k max cert list :-) */
-#endif
+ s->max_cert_list,
&ok);
if (!ok) return((int)n);
s->s3->tmp.reuse_message = 1;
@@ -614,7 +629,7 @@ static int ssl3_check_client_hello(SSL *s)
* which will now be aborted. (A full SSL_clear would be too much.)
* I hope that tmp.dh is the only thing that may need to be cleared
* when a handshake is not completed ... */
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
if (s->s3->tmp.dh != NULL)
{
DH_free(s->s3->tmp.dh);
@@ -655,7 +670,7 @@ static int ssl3_get_client_hello(SSL *s)
&ok);
if (!ok) return((int)n);
- d=p=(unsigned char *)s->init_buf->data;
+ d=p=(unsigned char *)s->init_msg;
/* use version from inside client hello, not from record header
* (may differ: see RFC 2246, Appendix E, second paragraph) */
@@ -682,7 +697,15 @@ static int ssl3_get_client_hello(SSL *s)
j= *(p++);
s->hit=0;
- if (j == 0)
+ /* Versions before 0.9.7 always allow session reuse during renegotiation
+ * (i.e. when s->new_session is true), option
+ * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is new with 0.9.7.
+ * Maybe this optional behaviour should always have been the default,
+ * but we cannot safely change the default behaviour (or new applications
+ * might be written that become totally unsecure when compiled with
+ * an earlier library version)
+ */
+ if (j == 0 || (s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION)))
{
if (!ssl_get_new_session(s,1))
goto err;
@@ -833,7 +856,7 @@ static int ssl3_get_client_hello(SSL *s)
}
}
- /* Given s->session->ciphers and ssl_get_ciphers_by_id(s), we must
+ /* Given s->session->ciphers and SSL_get_ciphers, we must
* pick a cipher */
if (!s->hit)
@@ -850,7 +873,7 @@ static int ssl3_get_client_hello(SSL *s)
}
ciphers=NULL;
c=ssl3_choose_cipher(s,s->session->ciphers,
- ssl_get_ciphers_by_id(s));
+ SSL_get_ciphers(s));
if (c == NULL)
{
@@ -951,7 +974,7 @@ static int ssl3_send_server_hello(SSL *s)
sl=s->session->session_id_length;
if (sl > sizeof s->session->session_id)
{
- SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, SSL_R_INTERNAL_ERROR);
+ SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
return -1;
}
*(p++)=sl;
@@ -1010,14 +1033,14 @@ static int ssl3_send_server_done(SSL *s)
static int ssl3_send_server_key_exchange(SSL *s)
{
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
unsigned char *q;
int j,num;
RSA *rsa;
unsigned char md_buf[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
unsigned int u;
#endif
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
DH *dh=NULL,*dhp;
#endif
EVP_PKEY *pkey;
@@ -1031,6 +1054,7 @@ static int ssl3_send_server_key_exchange(SSL *s)
BUF_MEM *buf;
EVP_MD_CTX md_ctx;
+ EVP_MD_CTX_init(&md_ctx);
if (s->state == SSL3_ST_SW_KEY_EXCH_A)
{
type=s->s3->tmp.new_cipher->algorithms & SSL_MKEY_MASK;
@@ -1040,7 +1064,7 @@ static int ssl3_send_server_key_exchange(SSL *s)
r[0]=r[1]=r[2]=r[3]=NULL;
n=0;
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
if (type & SSL_kRSA)
{
rsa=cert->rsa_tmp;
@@ -1055,7 +1079,7 @@ static int ssl3_send_server_key_exchange(SSL *s)
SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_ERROR_GENERATING_TMP_RSA_KEY);
goto f_err;
}
- CRYPTO_add(&rsa->references,1,CRYPTO_LOCK_RSA);
+ RSA_up_ref(rsa);
cert->rsa_tmp=rsa;
}
if (rsa == NULL)
@@ -1070,7 +1094,7 @@ static int ssl3_send_server_key_exchange(SSL *s)
}
else
#endif
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
if (type & SSL_kEDH)
{
dhp=cert->dh_tmp;
@@ -1088,7 +1112,7 @@ static int ssl3_send_server_key_exchange(SSL *s)
if (s->s3->tmp.dh != NULL)
{
DH_free(dh);
- SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_INTERNAL_ERROR);
+ SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
goto err;
}
@@ -1154,7 +1178,7 @@ static int ssl3_send_server_key_exchange(SSL *s)
kn=0;
}
- if (!BUF_MEM_grow(buf,n+4+kn))
+ if (!BUF_MEM_grow_clean(buf,n+4+kn))
{
SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_BUF);
goto err;
@@ -1174,19 +1198,19 @@ static int ssl3_send_server_key_exchange(SSL *s)
{
/* n is the length of the params, they start at &(d[4])
* and p points to the space at the end. */
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
if (pkey->type == EVP_PKEY_RSA)
{
q=md_buf;
j=0;
for (num=2; num > 0; num--)
{
- EVP_DigestInit(&md_ctx,(num == 2)
- ?s->ctx->md5:s->ctx->sha1);
+ EVP_DigestInit_ex(&md_ctx,(num == 2)
+ ?s->ctx->md5:s->ctx->sha1, NULL);
EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
EVP_DigestUpdate(&md_ctx,&(d[4]),n);
- EVP_DigestFinal(&md_ctx,q,
+ EVP_DigestFinal_ex(&md_ctx,q,
(unsigned int *)&i);
q+=i;
j+=i;
@@ -1202,11 +1226,11 @@ static int ssl3_send_server_key_exchange(SSL *s)
}
else
#endif
-#if !defined(NO_DSA)
+#if !defined(OPENSSL_NO_DSA)
if (pkey->type == EVP_PKEY_DSA)
{
/* lets do DSS */
- EVP_SignInit(&md_ctx,EVP_dss1());
+ EVP_SignInit_ex(&md_ctx,EVP_dss1(), NULL);
EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
EVP_SignUpdate(&md_ctx,&(d[4]),n);
@@ -1239,10 +1263,12 @@ static int ssl3_send_server_key_exchange(SSL *s)
}
s->state = SSL3_ST_SW_KEY_EXCH_B;
+ EVP_MD_CTX_cleanup(&md_ctx);
return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
f_err:
ssl3_send_alert(s,SSL3_AL_FATAL,al);
err:
+ EVP_MD_CTX_cleanup(&md_ctx);
return(-1);
}
@@ -1279,7 +1305,7 @@ static int ssl3_send_certificate_request(SSL *s)
{
name=sk_X509_NAME_value(sk,i);
j=i2d_X509_NAME(name,NULL);
- if (!BUF_MEM_grow(buf,4+n+j+2))
+ if (!BUF_MEM_grow_clean(buf,4+n+j+2))
{
SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,ERR_R_BUF_LIB);
goto err;
@@ -1340,28 +1366,31 @@ static int ssl3_get_client_key_exchange(SSL *s)
long n;
unsigned long l;
unsigned char *p;
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
RSA *rsa=NULL;
EVP_PKEY *pkey=NULL;
#endif
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
BIGNUM *pub=NULL;
DH *dh_srvr;
#endif
+#ifndef OPENSSL_NO_KRB5
+ KSSL_ERR kssl_err;
+#endif /* OPENSSL_NO_KRB5 */
n=ssl3_get_message(s,
SSL3_ST_SR_KEY_EXCH_A,
SSL3_ST_SR_KEY_EXCH_B,
SSL3_MT_CLIENT_KEY_EXCHANGE,
- 2048, /* ???? */
+ 2048, /* ??? */
&ok);
if (!ok) return((int)n);
- p=(unsigned char *)s->init_buf->data;
+ p=(unsigned char *)s->init_msg;
l=s->s3->tmp.new_cipher->algorithms;
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
if (l & SSL_kRSA)
{
/* FIX THIS UP EAY EAY EAY EAY */
@@ -1464,11 +1493,11 @@ static int ssl3_get_client_key_exchange(SSL *s)
s->method->ssl3_enc->generate_master_secret(s,
s->session->master_key,
p,i);
- memset(p,0,i);
+ OPENSSL_cleanse(p,i);
}
else
#endif
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
{
n2s(p,i);
@@ -1527,20 +1556,179 @@ static int ssl3_get_client_key_exchange(SSL *s)
s->session->master_key_length=
s->method->ssl3_enc->generate_master_secret(s,
s->session->master_key,p,i);
- memset(p,0,i);
+ OPENSSL_cleanse(p,i);
}
else
#endif
+#ifndef OPENSSL_NO_KRB5
+ if (l & SSL_kKRB5)
+ {
+ krb5_error_code krb5rc;
+ krb5_data enc_ticket;
+ krb5_data authenticator;
+ krb5_data enc_pms;
+ KSSL_CTX *kssl_ctx = s->kssl_ctx;
+ EVP_CIPHER_CTX ciph_ctx;
+ EVP_CIPHER *enc = NULL;
+ unsigned char iv[EVP_MAX_IV_LENGTH];
+ unsigned char pms[SSL_MAX_MASTER_KEY_LENGTH
+ + EVP_MAX_BLOCK_LENGTH];
+ int padl, outl;
+ krb5_timestamp authtime = 0;
+ krb5_ticket_times ttimes;
+
+ EVP_CIPHER_CTX_init(&ciph_ctx);
+
+ if (!kssl_ctx) kssl_ctx = kssl_ctx_new();
+
+ n2s(p,i);
+ enc_ticket.length = i;
+ enc_ticket.data = (char *)p;
+ p+=enc_ticket.length;
+
+ n2s(p,i);
+ authenticator.length = i;
+ authenticator.data = (char *)p;
+ p+=authenticator.length;
+
+ n2s(p,i);
+ enc_pms.length = i;
+ enc_pms.data = (char *)p;
+ p+=enc_pms.length;
+
+ /* Note that the length is checked again below,
+ ** after decryption
+ */
+ if(enc_pms.length > sizeof pms)
+ {
+ SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+ SSL_R_DATA_LENGTH_TOO_LONG);
+ goto err;
+ }
+
+ if (n != enc_ticket.length + authenticator.length +
+ enc_pms.length + 6)
+ {
+ SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+ SSL_R_DATA_LENGTH_TOO_LONG);
+ goto err;
+ }
+
+ if ((krb5rc = kssl_sget_tkt(kssl_ctx, &enc_ticket, &ttimes,
+ &kssl_err)) != 0)
+ {
+#ifdef KSSL_DEBUG
+ printf("kssl_sget_tkt rtn %d [%d]\n",
+ krb5rc, kssl_err.reason);
+ if (kssl_err.text)
+ printf("kssl_err text= %s\n", kssl_err.text);
+#endif /* KSSL_DEBUG */
+ SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
+ kssl_err.reason);
+ goto err;
+ }
+
+ /* Note: no authenticator is not considered an error,
+ ** but will return authtime == 0.
+ */
+ if ((krb5rc = kssl_check_authent(kssl_ctx, &authenticator,
+ &authtime, &kssl_err)) != 0)
+ {
+#ifdef KSSL_DEBUG
+ printf("kssl_check_authent rtn %d [%d]\n",
+ krb5rc, kssl_err.reason);
+ if (kssl_err.text)
+ printf("kssl_err text= %s\n", kssl_err.text);
+#endif /* KSSL_DEBUG */
+ SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
+ kssl_err.reason);
+ goto err;
+ }
+
+ if ((krb5rc = kssl_validate_times(authtime, &ttimes)) != 0)
+ {
+ SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, krb5rc);
+ goto err;
+ }
+
+#ifdef KSSL_DEBUG
+ kssl_ctx_show(kssl_ctx);
+#endif /* KSSL_DEBUG */
+
+ enc = kssl_map_enc(kssl_ctx->enctype);
+ if (enc == NULL)
+ goto err;
+
+ memset(iv, 0, sizeof iv); /* per RFC 1510 */
+
+ if (!EVP_DecryptInit_ex(&ciph_ctx,enc,NULL,kssl_ctx->key,iv))
+ {
+ SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+ SSL_R_DECRYPTION_FAILED);
+ goto err;
+ }
+ if (!EVP_DecryptUpdate(&ciph_ctx, pms,&outl,
+ (unsigned char *)enc_pms.data, enc_pms.length))
+ {
+ SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+ SSL_R_DECRYPTION_FAILED);
+ goto err;
+ }
+ if (outl > SSL_MAX_MASTER_KEY_LENGTH)
+ {
+ SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+ SSL_R_DATA_LENGTH_TOO_LONG);
+ goto err;
+ }
+ if (!EVP_DecryptFinal_ex(&ciph_ctx,&(pms[outl]),&padl))
+ {
+ SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+ SSL_R_DECRYPTION_FAILED);
+ goto err;
+ }
+ outl += padl;
+ if (outl > SSL_MAX_MASTER_KEY_LENGTH)
+ {
+ SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+ SSL_R_DATA_LENGTH_TOO_LONG);
+ goto err;
+ }
+ EVP_CIPHER_CTX_cleanup(&ciph_ctx);
+
+ s->session->master_key_length=
+ s->method->ssl3_enc->generate_master_secret(s,
+ s->session->master_key, pms, outl);
+
+ if (kssl_ctx->client_princ)
+ {
+ int len = strlen(kssl_ctx->client_princ);
+ if ( len < SSL_MAX_KRB5_PRINCIPAL_LENGTH )
+ {
+ s->session->krb5_client_princ_len = len;
+ memcpy(s->session->krb5_client_princ,kssl_ctx->client_princ,len);
+ }
+ }
+
+
+ /* Was doing kssl_ctx_free() here,
+ ** but it caused problems for apache.
+ ** kssl_ctx = kssl_ctx_free(kssl_ctx);
+ ** if (s->kssl_ctx) s->kssl_ctx = NULL;
+ */
+ }
+ else
+#endif /* OPENSSL_NO_KRB5 */
{
al=SSL_AD_HANDSHAKE_FAILURE;
- SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_UNKNOWN_CIPHER_TYPE);
+ SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+ SSL_R_UNKNOWN_CIPHER_TYPE);
goto f_err;
}
return(1);
f_err:
ssl3_send_alert(s,SSL3_AL_FATAL,al);
-#if !defined(NO_DH) || !defined(NO_RSA)
+#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_RSA)
err:
#endif
return(-1);
@@ -1559,7 +1747,7 @@ static int ssl3_get_cert_verify(SSL *s)
SSL3_ST_SR_CERT_VRFY_A,
SSL3_ST_SR_CERT_VRFY_B,
-1,
- 512, /* 512? */
+ 514, /* 514? */
&ok);
if (!ok) return((int)n);
@@ -1611,7 +1799,7 @@ static int ssl3_get_cert_verify(SSL *s)
}
/* we now have a signature that we need to verify */
- p=(unsigned char *)s->init_buf->data;
+ p=(unsigned char *)s->init_msg;
n2s(p,i);
n-=2;
if (i > n)
@@ -1629,7 +1817,7 @@ static int ssl3_get_cert_verify(SSL *s)
goto f_err;
}
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
if (pkey->type == EVP_PKEY_RSA)
{
i=RSA_verify(NID_md5_sha1, s->s3->tmp.cert_verify_md,
@@ -1650,7 +1838,7 @@ static int ssl3_get_cert_verify(SSL *s)
}
else
#endif
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
if (pkey->type == EVP_PKEY_DSA)
{
j=DSA_verify(pkey->save_type,
@@ -1667,7 +1855,7 @@ static int ssl3_get_cert_verify(SSL *s)
else
#endif
{
- SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_INTERNAL_ERROR);
+ SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,ERR_R_INTERNAL_ERROR);
al=SSL_AD_UNSUPPORTED_CERTIFICATE;
goto f_err;
}
@@ -1696,11 +1884,7 @@ static int ssl3_get_client_certificate(SSL *s)
SSL3_ST_SR_CERT_A,
SSL3_ST_SR_CERT_B,
-1,
-#if defined(MSDOS) && !defined(WIN32)
- 1024*30, /* 30k max cert list :-) */
-#else
- 1024*100, /* 100k max cert list :-) */
-#endif
+ s->max_cert_list,
&ok);
if (!ok) return((int)n);
@@ -1731,7 +1915,7 @@ static int ssl3_get_client_certificate(SSL *s)
SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_WRONG_MESSAGE_TYPE);
goto f_err;
}
- d=p=(unsigned char *)s->init_buf->data;
+ d=p=(unsigned char *)s->init_msg;
if ((sk=sk_X509_new_null()) == NULL)
{
@@ -1851,9 +2035,13 @@ int ssl3_send_server_certificate(SSL *s)
if (s->state == SSL3_ST_SW_CERT_A)
{
x=ssl_get_server_send_cert(s);
- if (x == NULL)
+ if (x == NULL &&
+ /* VRS: allow null cert if auth == KRB5 */
+ (s->s3->tmp.new_cipher->algorithms
+ & (SSL_MKEY_MASK|SSL_AUTH_MASK))
+ != (SSL_aKRB5|SSL_kKRB5))
{
- SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,SSL_R_INTERNAL_ERROR);
+ SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR);
return(0);
}
diff --git a/crypto/openssl/ssl/ssl.h b/crypto/openssl/ssl/ssl.h
index 3eecead..f8e400d 100644
--- a/crypto/openssl/ssl/ssl.h
+++ b/crypto/openssl/ssl/ssl.h
@@ -56,6 +56,59 @@
* [including the GNU Public Licence.]
*/
/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+/* ====================================================================
* Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -112,16 +165,20 @@
#ifndef HEADER_SSL_H
#define HEADER_SSL_H
-#ifndef NO_COMP
+#include <openssl/e_os2.h>
+
+#ifndef OPENSSL_NO_COMP
#include <openssl/comp.h>
#endif
-#ifndef NO_BIO
+#ifndef OPENSSL_NO_BIO
#include <openssl/bio.h>
#endif
-#ifndef NO_X509
+#ifndef OPENSSL_NO_X509
#include <openssl/x509.h>
#endif
+#include <openssl/kssl.h>
#include <openssl/safestack.h>
+#include <openssl/symhacks.h>
#ifdef __cplusplus
extern "C" {
@@ -145,6 +202,32 @@ extern "C" {
#define SSL_TXT_DES_192_EDE3_CBC_WITH_MD5 SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5
#define SSL_TXT_DES_192_EDE3_CBC_WITH_SHA SSL2_TXT_DES_192_EDE3_CBC_WITH_SHA
+/* VRS Additional Kerberos5 entries
+ */
+#define SSL_TXT_KRB5_DES_64_CBC_SHA SSL3_TXT_KRB5_DES_64_CBC_SHA
+#define SSL_TXT_KRB5_DES_192_CBC3_SHA SSL3_TXT_KRB5_DES_192_CBC3_SHA
+#define SSL_TXT_KRB5_RC4_128_SHA SSL3_TXT_KRB5_RC4_128_SHA
+#define SSL_TXT_KRB5_IDEA_128_CBC_SHA SSL3_TXT_KRB5_IDEA_128_CBC_SHA
+#define SSL_TXT_KRB5_DES_64_CBC_MD5 SSL3_TXT_KRB5_DES_64_CBC_MD5
+#define SSL_TXT_KRB5_DES_192_CBC3_MD5 SSL3_TXT_KRB5_DES_192_CBC3_MD5
+#define SSL_TXT_KRB5_RC4_128_MD5 SSL3_TXT_KRB5_RC4_128_MD5
+#define SSL_TXT_KRB5_IDEA_128_CBC_MD5 SSL3_TXT_KRB5_IDEA_128_CBC_MD5
+
+#define SSL_TXT_KRB5_DES_40_CBC_SHA SSL3_TXT_KRB5_DES_40_CBC_SHA
+#define SSL_TXT_KRB5_RC2_40_CBC_SHA SSL3_TXT_KRB5_RC2_40_CBC_SHA
+#define SSL_TXT_KRB5_RC4_40_SHA SSL3_TXT_KRB5_RC4_40_SHA
+#define SSL_TXT_KRB5_DES_40_CBC_MD5 SSL3_TXT_KRB5_DES_40_CBC_MD5
+#define SSL_TXT_KRB5_RC2_40_CBC_MD5 SSL3_TXT_KRB5_RC2_40_CBC_MD5
+#define SSL_TXT_KRB5_RC4_40_MD5 SSL3_TXT_KRB5_RC4_40_MD5
+
+#define SSL_TXT_KRB5_DES_40_CBC_SHA SSL3_TXT_KRB5_DES_40_CBC_SHA
+#define SSL_TXT_KRB5_DES_40_CBC_MD5 SSL3_TXT_KRB5_DES_40_CBC_MD5
+#define SSL_TXT_KRB5_DES_64_CBC_SHA SSL3_TXT_KRB5_DES_64_CBC_SHA
+#define SSL_TXT_KRB5_DES_64_CBC_MD5 SSL3_TXT_KRB5_DES_64_CBC_MD5
+#define SSL_TXT_KRB5_DES_192_CBC3_SHA SSL3_TXT_KRB5_DES_192_CBC3_SHA
+#define SSL_TXT_KRB5_DES_192_CBC3_MD5 SSL3_TXT_KRB5_DES_192_CBC3_MD5
+#define SSL_MAX_KRB5_PRINCIPAL_LENGTH 256
+
#define SSL_MAX_SSL_SESSION_ID_LENGTH 32
#define SSL_MAX_SID_CTX_LENGTH 32
@@ -165,6 +248,10 @@ extern "C" {
#define SSL_TXT_eNULL "eNULL"
#define SSL_TXT_NULL "NULL"
+#define SSL_TXT_kKRB5 "kKRB5"
+#define SSL_TXT_aKRB5 "aKRB5"
+#define SSL_TXT_KRB5 "KRB5"
+
#define SSL_TXT_kRSA "kRSA"
#define SSL_TXT_kDHr "kDHr"
#define SSL_TXT_kDHd "kDHd"
@@ -182,6 +269,7 @@ extern "C" {
#define SSL_TXT_RC4 "RC4"
#define SSL_TXT_RC2 "RC2"
#define SSL_TXT_IDEA "IDEA"
+#define SSL_TXT_AES "AES"
#define SSL_TXT_MD5 "MD5"
#define SSL_TXT_SHA1 "SHA1"
#define SSL_TXT_SHA "SHA"
@@ -194,9 +282,27 @@ extern "C" {
#define SSL_TXT_TLSV1 "TLSv1"
#define SSL_TXT_ALL "ALL"
-/* 'DEFAULT' at the start of the cipher list insert the following string
- * in addition to this being the default cipher string */
-#define SSL_DEFAULT_CIPHER_LIST "ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH"
+/*
+ * COMPLEMENTOF* definitions. These identifiers are used to (de-select)
+ * ciphers normally not being used.
+ * Example: "RC4" will activate all ciphers using RC4 including ciphers
+ * without authentication, which would normally disabled by DEFAULT (due
+ * the "!ADH" being part of default). Therefore "RC4:!COMPLEMENTOFDEFAULT"
+ * will make sure that it is also disabled in the specific selection.
+ * COMPLEMENTOF* identifiers are portable between version, as adjustments
+ * to the default cipher setup will also be included here.
+ *
+ * COMPLEMENTOFDEFAULT does not experience the same special treatment that
+ * DEFAULT gets, as only selection is being done and no sorting as needed
+ * for DEFAULT.
+ */
+#define SSL_TXT_CMPALL "COMPLEMENTOFALL"
+#define SSL_TXT_CMPDEF "COMPLEMENTOFDEFAULT"
+
+/* The following cipher list is used by default.
+ * It also is substituted when an application-defined cipher list string
+ * starts with 'DEFAULT'. */
+#define SSL_DEFAULT_CIPHER_LIST "ALL:!ADH:+RC4:@STRENGTH" /* low priority for RC4 */
/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
#define SSL_SENT_SHUTDOWN 1
@@ -209,16 +315,14 @@ extern "C" {
#include <openssl/crypto.h>
#include <openssl/lhash.h>
#include <openssl/buffer.h>
-#include <openssl/bio.h>
#include <openssl/pem.h>
-#include <openssl/x509.h>
#ifdef __cplusplus
extern "C" {
#endif
-#if (defined(NO_RSA) || defined(NO_MD5)) && !defined(NO_SSL2)
-#define NO_SSL2
+#if (defined(OPENSSL_NO_RSA) || defined(OPENSSL_NO_MD5)) && !defined(OPENSSL_NO_SSL2)
+#define OPENSSL_NO_SSL2
#endif
#define SSL_FILETYPE_ASN1 X509_FILETYPE_ASN1
@@ -264,8 +368,8 @@ typedef struct ssl_method_st
int (*ssl_shutdown)(SSL *s);
int (*ssl_renegotiate)(SSL *s);
int (*ssl_renegotiate_check)(SSL *s);
- long (*ssl_ctrl)(SSL *s,int cmd,long larg,char *parg);
- long (*ssl_ctx_ctrl)(SSL_CTX *ctx,int cmd,long larg,char *parg);
+ long (*ssl_ctrl)(SSL *s,int cmd,long larg,void *parg);
+ long (*ssl_ctx_ctrl)(SSL_CTX *ctx,int cmd,long larg,void *parg);
SSL_CIPHER *(*get_cipher_by_char)(const unsigned char *ptr);
int (*put_cipher_by_char)(const SSL_CIPHER *cipher,unsigned char *ptr);
int (*ssl_pending)(SSL *s);
@@ -286,6 +390,7 @@ typedef struct ssl_method_st
* Cipher OCTET_STRING, -- the 3 byte cipher ID
* Session_ID OCTET_STRING, -- the Session ID
* Master_key OCTET_STRING, -- the master key
+ * KRB5_principal OCTET_STRING -- optional Kerberos principal
* Key_Arg [ 0 ] IMPLICIT OCTET_STRING, -- the optional Key argument
* Time [ 1 ] EXPLICIT INTEGER, -- optional Start Time
* Timeout [ 2 ] EXPLICIT INTEGER, -- optional Timeout ins seconds
@@ -316,6 +421,11 @@ typedef struct ssl_session_st
unsigned int sid_ctx_length;
unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
+#ifndef OPENSSL_NO_KRB5
+ unsigned int krb5_client_princ_len;
+ unsigned char krb5_client_princ[SSL_MAX_KRB5_PRINCIPAL_LENGTH];
+#endif /* OPENSSL_NO_KRB5 */
+
int not_resumable;
/* The cert is the certificate used to establish this connection */
@@ -360,7 +470,6 @@ typedef struct ssl_session_st
#define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x00000080L
#define SSL_OP_TLS_D5_BUG 0x00000100L
#define SSL_OP_TLS_BLOCK_PADDING_BUG 0x00000200L
-#define SSL_OP_TLS_ROLLBACK_BUG 0x00000400L
/* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added
* in OpenSSL 0.9.6d. Usually (depending on the application protocol)
@@ -369,13 +478,25 @@ typedef struct ssl_session_st
* it in SSL_OP_ALL. */
#define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 0x00000800L /* added in 0.9.6e */
-/* SSL_OP_ALL: various bug workarounds that should be rather harmless */
-#define SSL_OP_ALL 0x000FFFFFL
+/* SSL_OP_ALL: various bug workarounds that should be rather harmless.
+ * This used to be 0x000FFFFFL before 0.9.7. */
+#define SSL_OP_ALL 0x00000FFFL
+/* As server, disallow session resumption on renegotiation */
+#define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0x00010000L
/* If set, always create a new key when using tmp_dh parameters */
#define SSL_OP_SINGLE_DH_USE 0x00100000L
-/* Set to also use the tmp_rsa key when doing RSA operations. */
+/* Set to always use the tmp_rsa key when doing RSA operations,
+ * even when this violates protocol specs */
#define SSL_OP_EPHEMERAL_RSA 0x00200000L
+/* Set on servers to choose the cipher according to the server's
+ * preferences */
+#define SSL_OP_CIPHER_SERVER_PREFERENCE 0x00400000L
+/* If set, a server will allow a client to issue a SSLv3.0 version number
+ * as latest version supported in the premaster secret, even when TLSv1.0
+ * (version 3.1) was announced in the client hello. Normally this is
+ * forbidden to prevent version rollback attacks. */
+#define SSL_OP_TLS_ROLLBACK_BUG 0x00800000L
#define SSL_OP_NO_SSLv2 0x01000000L
#define SSL_OP_NO_SSLv3 0x02000000L
@@ -386,9 +507,7 @@ typedef struct ssl_session_st
#define SSL_OP_PKCS1_CHECK_1 0x08000000L
#define SSL_OP_PKCS1_CHECK_2 0x10000000L
#define SSL_OP_NETSCAPE_CA_DN_BUG 0x20000000L
-/* SSL_OP_NON_EXPORT_FIRST looks utterly broken .. */
-#define SSL_OP_NON_EXPORT_FIRST 0x40000000L
-#define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x80000000L
+#define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x40000000L
/* Allow SSL_write(..., n) to return r with 0 < r < n (i.e. report success
@@ -408,30 +527,60 @@ typedef struct ssl_session_st
* they cannot be used to clear bits. */
#define SSL_CTX_set_options(ctx,op) \
- SSL_CTX_ctrl(ctx,SSL_CTRL_OPTIONS,op,NULL)
+ SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,(op),NULL)
#define SSL_CTX_get_options(ctx) \
- SSL_CTX_ctrl(ctx,SSL_CTRL_OPTIONS,0,NULL)
+ SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,0,NULL)
#define SSL_set_options(ssl,op) \
- SSL_ctrl(ssl,SSL_CTRL_OPTIONS,op,NULL)
+ SSL_ctrl((ssl),SSL_CTRL_OPTIONS,(op),NULL)
#define SSL_get_options(ssl) \
- SSL_ctrl(ssl,SSL_CTRL_OPTIONS,0,NULL)
+ SSL_ctrl((ssl),SSL_CTRL_OPTIONS,0,NULL)
#define SSL_CTX_set_mode(ctx,op) \
- SSL_CTX_ctrl(ctx,SSL_CTRL_MODE,op,NULL)
+ SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,(op),NULL)
#define SSL_CTX_get_mode(ctx) \
- SSL_CTX_ctrl(ctx,SSL_CTRL_MODE,0,NULL)
+ SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,0,NULL)
#define SSL_set_mode(ssl,op) \
- SSL_ctrl(ssl,SSL_CTRL_MODE,op,NULL)
+ SSL_ctrl((ssl),SSL_CTRL_MODE,(op),NULL)
#define SSL_get_mode(ssl) \
- SSL_ctrl(ssl,SSL_CTRL_MODE,0,NULL)
+ SSL_ctrl((ssl),SSL_CTRL_MODE,0,NULL)
+
+
+void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
+void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
+#define SSL_CTX_set_msg_callback_arg(ctx, arg) SSL_CTX_ctrl((ctx), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
+#define SSL_set_msg_callback_arg(ssl, arg) SSL_ctrl((ssl), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
+
+
+
+#if defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN32)
+#define SSL_MAX_CERT_LIST_DEFAULT 1024*30 /* 30k max cert list :-) */
+#else
+#define SSL_MAX_CERT_LIST_DEFAULT 1024*100 /* 100k max cert list :-) */
+#endif
#define SSL_SESSION_CACHE_MAX_SIZE_DEFAULT (1024*20)
+/* This callback type is used inside SSL_CTX, SSL, and in the functions that set
+ * them. It is used to override the generation of SSL/TLS session IDs in a
+ * server. Return value should be zero on an error, non-zero to proceed. Also,
+ * callbacks should themselves check if the id they generate is unique otherwise
+ * the SSL handshake will fail with an error - callbacks can do this using the
+ * 'ssl' value they're passed by;
+ * SSL_has_matching_session_id(ssl, id, *id_len)
+ * The length value passed in is set at the maximum size the session ID can be.
+ * In SSLv2 this is 16 bytes, whereas SSLv3/TLSv1 it is 32 bytes. The callback
+ * can alter this length to be less if desired, but under SSLv2 session IDs are
+ * supposed to be fixed at 16 bytes so the id will be padded after the callback
+ * returns in this case. It is also an error for the callback to set the size to
+ * zero. */
+typedef int (*GEN_SESSION_CB)(const SSL *ssl, unsigned char *id,
+ unsigned int *id_len);
+
typedef struct ssl_comp_st
{
int id;
char *name;
-#ifndef NO_COMP
+#ifndef OPENSSL_NO_COMP
COMP_METHOD *method;
#else
char *method;
@@ -443,8 +592,6 @@ DECLARE_STACK_OF(SSL_COMP)
struct ssl_ctx_st
{
SSL_METHOD *method;
- unsigned long options;
- unsigned long mode;
STACK_OF(SSL_CIPHER) *cipher_list;
/* same as above but sorted for lookup */
@@ -482,6 +629,7 @@ struct ssl_ctx_st
void (*remove_session_cb)(struct ssl_ctx_st *ctx,SSL_SESSION *sess);
SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl,
unsigned char *data,int len,int *copy);
+
struct
{
int sess_connect; /* SSL new conn - started */
@@ -504,37 +652,20 @@ struct ssl_ctx_st
int references;
-/**/ void (*info_callback)();
-
/* if defined, these override the X509_verify_cert() calls */
-/**/ int (*app_verify_callback)();
-/**/ char *app_verify_arg; /* never used; should be void * */
-
- /* default values to use in SSL structures */
-/**/ struct cert_st /* CERT */ *cert;
-/**/ int read_ahead;
-/**/ int verify_mode;
-/**/ int verify_depth;
-/**/ unsigned int sid_ctx_length;
-/**/ unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
-/**/ int (*default_verify_callback)(int ok,X509_STORE_CTX *ctx);
-
- int purpose; /* Purpose setting */
- int trust; /* Trust setting */
+ int (*app_verify_callback)(X509_STORE_CTX *, void *);
+ void *app_verify_arg;
+ /* before OpenSSL 0.9.7, 'app_verify_arg' was ignored
+ * ('app_verify_callback' was called with just one argument) */
/* Default password callback. */
-/**/ pem_password_cb *default_passwd_callback;
+ pem_password_cb *default_passwd_callback;
/* Default password callback user data. */
-/**/ void *default_passwd_callback_userdata;
+ void *default_passwd_callback_userdata;
/* get client cert callback */
-/**/ int (*client_cert_cb)(/* SSL *ssl, X509 **x509, EVP_PKEY **pkey */);
-
- /* what we put in client cert requests */
- STACK_OF(X509_NAME) *client_CA;
-
-/**/ int quiet_shutdown;
+ int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
CRYPTO_EX_DATA ex_data;
@@ -543,7 +674,43 @@ struct ssl_ctx_st
const EVP_MD *sha1; /* For SSLv3/TLSv1 'ssl3->sha1' */
STACK_OF(X509) *extra_certs;
- STACK_OF(SSL_COMP) *comp_methods; /* stack of SSL_COMP, SSLv3/TLSv1 */
+ STACK_OF(SSL_COMP) *comp_methods; /* stack of SSL_COMP, SSLv3/TLSv1 */
+
+
+ /* Default values used when no per-SSL value is defined follow */
+
+ void (*info_callback)(const SSL *ssl,int type,int val); /* used if SSL's info_callback is NULL */
+
+ /* what we put in client cert requests */
+ STACK_OF(X509_NAME) *client_CA;
+
+
+ /* Default values to use in SSL structures follow (these are copied by SSL_new) */
+
+ unsigned long options;
+ unsigned long mode;
+ long max_cert_list;
+
+ struct cert_st /* CERT */ *cert;
+ int read_ahead;
+
+ /* callback that allows applications to peek at protocol messages */
+ void (*msg_callback)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg);
+ void *msg_callback_arg;
+
+ int verify_mode;
+ int verify_depth;
+ unsigned int sid_ctx_length;
+ unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
+ int (*default_verify_callback)(int ok,X509_STORE_CTX *ctx); /* called 'verify_callback' in the SSL */
+
+ /* Default generate session ID callback. */
+ GEN_SESSION_CB generate_session_id;
+
+ int purpose; /* Purpose setting */
+ int trust; /* Trust setting */
+
+ int quiet_shutdown;
};
#define SSL_SESS_CACHE_OFF 0x0000
@@ -551,10 +718,11 @@ struct ssl_ctx_st
#define SSL_SESS_CACHE_SERVER 0x0002
#define SSL_SESS_CACHE_BOTH (SSL_SESS_CACHE_CLIENT|SSL_SESS_CACHE_SERVER)
#define SSL_SESS_CACHE_NO_AUTO_CLEAR 0x0080
-/* This one, when set, makes the server session-id lookup not look
- * in the cache. If there is an application get_session callback
- * defined, this will still get called. */
+/* enough comments already ... see SSL_CTX_set_session_cache_mode(3) */
#define SSL_SESS_CACHE_NO_INTERNAL_LOOKUP 0x0100
+#define SSL_SESS_CACHE_NO_INTERNAL_STORE 0x0200
+#define SSL_SESS_CACHE_NO_INTERNAL \
+ (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP|SSL_SESS_CACHE_NO_INTERNAL_STORE)
struct lhash_st *SSL_CTX_sessions(SSL_CTX *ctx);
#define SSL_CTX_sess_number(ctx) \
@@ -618,7 +786,7 @@ struct ssl_st
* same. This is so data can be read and written to different
* handlers */
-#ifndef NO_BIO
+#ifndef OPENSSL_NO_BIO
BIO *rbio; /* used by SSL_read */
BIO *wbio; /* used by SSL_write */
BIO *bbio; /* used during session-id reuse to concatenate
@@ -652,7 +820,8 @@ struct ssl_st
* 2 if we are a server and are inside a handshake
* (i.e. not just sending a HelloRequest)
* NB: For servers, the 'new' session may actually be a previously
- * cached session or even the previous session */
+ * cached session or even the previous session unless
+ * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */
int quiet_shutdown;/* don't send shutdown packets */
int shutdown; /* we have shut things down, 0x01 sent, 0x02
* for received */
@@ -660,6 +829,7 @@ struct ssl_st
int rstate; /* where we are when reading */
BUF_MEM *init_buf; /* buffer used during init */
+ void *init_msg; /* pointer to handshake message body, set by ssl3_get_message() */
int init_num; /* amount read/written */
int init_off; /* amount read/written */
@@ -672,6 +842,11 @@ struct ssl_st
int read_ahead; /* Read as many input bytes as possible
* (for non-blocking reads) */
+
+ /* callback that allows applications to peek at protocol messages */
+ void (*msg_callback)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg);
+ void *msg_callback_arg;
+
int hit; /* reusing a previous session */
int purpose; /* Purpose setting */
@@ -686,7 +861,7 @@ struct ssl_st
EVP_CIPHER_CTX *enc_read_ctx; /* cryptographic state */
const EVP_MD *read_hash; /* used for mac generation */
-#ifndef NO_COMP
+#ifndef OPENSSL_NO_COMP
COMP_CTX *expand; /* uncompress */
#else
char *expand;
@@ -694,7 +869,7 @@ struct ssl_st
EVP_CIPHER_CTX *enc_write_ctx; /* cryptographic state */
const EVP_MD *write_hash; /* used for mac generation */
-#ifndef NO_COMP
+#ifndef OPENSSL_NO_COMP
COMP_CTX *compress; /* compression */
#else
char *compress;
@@ -714,16 +889,24 @@ struct ssl_st
/* This can also be in the session once a session is established */
SSL_SESSION *session;
+ /* Default generate session ID callback. */
+ GEN_SESSION_CB generate_session_id;
+
/* Used in SSL2 and SSL3 */
int verify_mode; /* 0 don't care about verify failure.
* 1 fail if verify fails */
int verify_depth;
int (*verify_callback)(int ok,X509_STORE_CTX *ctx); /* fail if callback returns 0 */
- void (*info_callback)(); /* optional informational callback */
+
+ void (*info_callback)(const SSL *ssl,int type,int val); /* optional informational callback */
int error; /* error bytes to be written */
int error_code; /* actual code */
+#ifndef OPENSSL_NO_KRB5
+ KSSL_CTX *kssl_ctx; /* Kerberos 5 context */
+#endif /* OPENSSL_NO_KRB5 */
+
SSL_CTX *ctx;
/* set this flag to 1 and a sleep(1) is put into all SSL_read()
* and SSL_write() calls, good for nbio debuging :-) */
@@ -739,6 +922,7 @@ struct ssl_st
int references;
unsigned long options; /* protocol behaviour */
unsigned long mode; /* API behaviour */
+ long max_cert_list;
int first_packet;
int client_version; /* what was passed, used for
* SSLv3/TLS rollback check */
@@ -900,13 +1084,14 @@ size_t SSL_get_peer_finished(SSL *s, void *buf, size_t count);
#define SSL_ERROR_SYSCALL 5 /* look at error stack/return value/errno */
#define SSL_ERROR_ZERO_RETURN 6
#define SSL_ERROR_WANT_CONNECT 7
+#define SSL_ERROR_WANT_ACCEPT 8
#define SSL_CTRL_NEED_TMP_RSA 1
#define SSL_CTRL_SET_TMP_RSA 2
#define SSL_CTRL_SET_TMP_DH 3
#define SSL_CTRL_SET_TMP_RSA_CB 4
#define SSL_CTRL_SET_TMP_DH_CB 5
-/* Add these ones */
+
#define SSL_CTRL_GET_SESSION_REUSED 6
#define SSL_CTRL_GET_CLIENT_CERT_REQUEST 7
#define SSL_CTRL_GET_NUM_RENEGOTIATIONS 8
@@ -915,6 +1100,9 @@ size_t SSL_get_peer_finished(SSL *s, void *buf, size_t count);
#define SSL_CTRL_GET_FLAGS 11
#define SSL_CTRL_EXTRA_CHAIN_CERT 12
+#define SSL_CTRL_SET_MSG_CALLBACK 13
+#define SSL_CTRL_SET_MSG_CALLBACK_ARG 14
+
/* Stats */
#define SSL_CTRL_SESS_NUMBER 20
#define SSL_CTRL_SESS_CONNECT 21
@@ -929,7 +1117,7 @@ size_t SSL_get_peer_finished(SSL *s, void *buf, size_t count);
#define SSL_CTRL_SESS_TIMEOUTS 30
#define SSL_CTRL_SESS_CACHE_FULL 31
#define SSL_CTRL_OPTIONS 32
-#define SSL_CTRL_MODE 33
+#define SSL_CTRL_MODE 33
#define SSL_CTRL_GET_READ_AHEAD 40
#define SSL_CTRL_SET_READ_AHEAD 41
@@ -938,6 +1126,9 @@ size_t SSL_get_peer_finished(SSL *s, void *buf, size_t count);
#define SSL_CTRL_SET_SESS_CACHE_MODE 44
#define SSL_CTRL_GET_SESS_CACHE_MODE 45
+#define SSL_CTRL_GET_MAX_CERT_LIST 50
+#define SSL_CTRL_SET_MAX_CERT_LIST 51
+
#define SSL_session_reused(ssl) \
SSL_ctrl((ssl),SSL_CTRL_GET_SESSION_REUSED,0,NULL)
#define SSL_num_renegotiations(ssl) \
@@ -964,23 +1155,7 @@ size_t SSL_get_peer_finished(SSL *s, void *buf, size_t count);
#define SSL_CTX_add_extra_chain_cert(ctx,x509) \
SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)x509)
-/* VMS uses only 31 characters for symbols. */
-#ifdef VMS
-#undef SSL_CTX_set_cert_verify_callback
-#define SSL_CTX_set_cert_verify_callback SSL_CTX_set_cert_verify_cb
-#undef SSL_CTX_use_certificate_chain_file
-#define SSL_CTX_use_certificate_chain_file SSL_CTX_use_cert_chain_file
-#undef SSL_CTX_set_default_verify_paths
-#define SSL_CTX_set_default_verify_paths SSL_CTX_set_def_verify_paths
-#undef SSL_get_ex_data_X509_STORE_CTX_idx
-#define SSL_get_ex_data_X509_STORE_CTX_idx SSL_get_ex_data_X509_STOR_CTX_i
-#undef SSL_add_file_cert_subjects_to_stack
-#define SSL_add_file_cert_subjects_to_stack SSL_add_file_cert_sub_to_stack
-#undef SSL_add_dir_cert_subjects_to_stack
-#define SSL_add_dir_cert_subjects_to_stack SSL_add_dir_cert_sub_to_stack
-#endif
-
-#ifndef NO_BIO
+#ifndef OPENSSL_NO_BIO
BIO_METHOD *BIO_f_ssl(void);
BIO *BIO_new_ssl(SSL_CTX *ctx,int client);
BIO *BIO_new_ssl_connect(SSL_CTX *ctx);
@@ -1014,12 +1189,12 @@ const char * SSL_get_cipher_list(SSL *s,int n);
char * SSL_get_shared_ciphers(SSL *s, char *buf, int len);
int SSL_get_read_ahead(SSL * s);
int SSL_pending(SSL *s);
-#ifndef NO_SOCK
+#ifndef OPENSSL_NO_SOCK
int SSL_set_fd(SSL *s, int fd);
int SSL_set_rfd(SSL *s, int fd);
int SSL_set_wfd(SSL *s, int fd);
#endif
-#ifndef NO_BIO
+#ifndef OPENSSL_NO_BIO
void SSL_set_bio(SSL *s, BIO *rbio,BIO *wbio);
BIO * SSL_get_rbio(SSL *s);
BIO * SSL_get_wbio(SSL *s);
@@ -1032,7 +1207,7 @@ int (*SSL_get_verify_callback(SSL *s))(int,X509_STORE_CTX *);
void SSL_set_verify(SSL *s, int mode,
int (*callback)(int ok,X509_STORE_CTX *ctx));
void SSL_set_verify_depth(SSL *s, int depth);
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa);
#endif
int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len);
@@ -1041,7 +1216,7 @@ int SSL_use_PrivateKey_ASN1(int pk,SSL *ssl, unsigned char *d, long len);
int SSL_use_certificate(SSL *ssl, X509 *x);
int SSL_use_certificate_ASN1(SSL *ssl, unsigned char *d, int len);
-#ifndef NO_STDIO
+#ifndef OPENSSL_NO_STDIO
int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type);
int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type);
int SSL_use_certificate_file(SSL *ssl, const char *file, int type);
@@ -1052,15 +1227,22 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file); /* PEM t
STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file);
int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs,
const char *file);
+#ifndef OPENSSL_SYS_WIN32
+#ifndef OPENSSL_SYS_VMS
+#ifndef OPENSSL_SYS_MACINTOSH_CLASSIC /* XXXXX: Better scheme needed! [was: #ifndef MAC_OS_pre_X] */
int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs,
const char *dir);
#endif
+#endif
+#endif
+
+#endif
void SSL_load_error_strings(void );
-char * SSL_state_string(SSL *s);
-char * SSL_rstate_string(SSL *s);
-char * SSL_state_string_long(SSL *s);
-char * SSL_rstate_string_long(SSL *s);
+const char *SSL_state_string(const SSL *s);
+const char *SSL_rstate_string(const SSL *s);
+const char *SSL_state_string_long(const SSL *s);
+const char *SSL_rstate_string_long(const SSL *s);
long SSL_SESSION_get_time(SSL_SESSION *s);
long SSL_SESSION_set_time(SSL_SESSION *s, long t);
long SSL_SESSION_get_timeout(SSL_SESSION *s);
@@ -1070,10 +1252,10 @@ void SSL_copy_session_id(SSL *to,SSL *from);
SSL_SESSION *SSL_SESSION_new(void);
unsigned long SSL_SESSION_hash(SSL_SESSION *a);
int SSL_SESSION_cmp(SSL_SESSION *a,SSL_SESSION *b);
-#ifndef NO_FP_API
+#ifndef OPENSSL_NO_FP_API
int SSL_SESSION_print_fp(FILE *fp,SSL_SESSION *ses);
#endif
-#ifndef NO_BIO
+#ifndef OPENSSL_NO_BIO
int SSL_SESSION_print(BIO *fp,SSL_SESSION *ses);
#endif
void SSL_SESSION_free(SSL_SESSION *ses);
@@ -1081,6 +1263,10 @@ int i2d_SSL_SESSION(SSL_SESSION *in,unsigned char **pp);
int SSL_set_session(SSL *to, SSL_SESSION *session);
int SSL_CTX_add_session(SSL_CTX *s, SSL_SESSION *c);
int SSL_CTX_remove_session(SSL_CTX *,SSL_SESSION *c);
+int SSL_CTX_set_generate_session_id(SSL_CTX *, GEN_SESSION_CB);
+int SSL_set_generate_session_id(SSL *, GEN_SESSION_CB);
+int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
+ unsigned int id_len);
SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a,unsigned char **pp,long length);
#ifdef HEADER_X509_H
@@ -1089,18 +1275,14 @@ X509 * SSL_get_peer_certificate(SSL *s);
STACK_OF(X509) *SSL_get_peer_cert_chain(SSL *s);
-#ifdef VMS
-#define SSL_CTX_set_default_passwd_cb_userdata SSL_CTX_set_def_passwd_cb_ud
-#endif
-
int SSL_CTX_get_verify_mode(SSL_CTX *ctx);
int SSL_CTX_get_verify_depth(SSL_CTX *ctx);
int (*SSL_CTX_get_verify_callback(SSL_CTX *ctx))(int,X509_STORE_CTX *);
void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,
int (*callback)(int, X509_STORE_CTX *));
void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth);
-void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb)(),char *arg);
-#ifndef NO_RSA
+void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb)(X509_STORE_CTX *,void *), void *arg);
+#ifndef OPENSSL_NO_RSA
int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa);
#endif
int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, unsigned char *d, long len);
@@ -1134,9 +1316,9 @@ int SSL_connect(SSL *ssl);
int SSL_read(SSL *ssl,void *buf,int num);
int SSL_peek(SSL *ssl,void *buf,int num);
int SSL_write(SSL *ssl,const void *buf,int num);
-long SSL_ctrl(SSL *ssl,int cmd, long larg, char *parg);
+long SSL_ctrl(SSL *ssl,int cmd, long larg, void *parg);
long SSL_callback_ctrl(SSL *, int, void (*)());
-long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd, long larg, char *parg);
+long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd, long larg, void *parg);
long SSL_CTX_callback_ctrl(SSL_CTX *, int, void (*)());
int SSL_get_error(SSL *s,int ret_code);
@@ -1165,14 +1347,15 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(SSL *s);
int SSL_do_handshake(SSL *s);
int SSL_renegotiate(SSL *s);
+int SSL_renegotiate_pending(SSL *s);
int SSL_shutdown(SSL *s);
SSL_METHOD *SSL_get_ssl_method(SSL *s);
int SSL_set_ssl_method(SSL *s,SSL_METHOD *method);
-char *SSL_alert_type_string_long(int value);
-char *SSL_alert_type_string(int value);
-char *SSL_alert_desc_string_long(int value);
-char *SSL_alert_desc_string(int value);
+const char *SSL_alert_type_string_long(int value);
+const char *SSL_alert_type_string(int value);
+const char *SSL_alert_desc_string_long(int value);
+const char *SSL_alert_desc_string(int value);
void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *list);
void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *list);
@@ -1210,8 +1393,9 @@ int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
SSL_SESSION *SSL_get_session(SSL *ssl);
SSL_SESSION *SSL_get1_session(SSL *ssl); /* obtain a reference count */
SSL_CTX *SSL_get_SSL_CTX(SSL *ssl);
-void SSL_set_info_callback(SSL *ssl,void (*cb)());
-void (*SSL_get_info_callback(SSL *ssl))();
+void SSL_set_info_callback(SSL *ssl,
+ void (*cb)(const SSL *ssl,int type,int val));
+void (*SSL_get_info_callback(SSL *ssl))(const SSL *ssl,int type,int val);
int SSL_state(SSL *ssl);
void SSL_set_verify_result(SSL *ssl,long v);
@@ -1249,9 +1433,17 @@ int SSL_get_ex_data_X509_STORE_CTX_idx(void );
SSL_CTX_ctrl(ctx,SSL_CTRL_GET_READ_AHEAD,0,NULL)
#define SSL_CTX_set_read_ahead(ctx,m) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SET_READ_AHEAD,m,NULL)
+#define SSL_CTX_get_max_cert_list(ctx) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_GET_MAX_CERT_LIST,0,NULL)
+#define SSL_CTX_set_max_cert_list(ctx,m) \
+ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_MAX_CERT_LIST,m,NULL)
+#define SSL_get_max_cert_list(ssl) \
+ SSL_ctrl(ssl,SSL_CTRL_GET_MAX_CERT_LIST,0,NULL)
+#define SSL_set_max_cert_list(ssl,m) \
+ SSL_ctrl(ssl,SSL_CTRL_SET_MAX_CERT_LIST,m,NULL)
/* NB: the keylength is only applicable when is_export is true */
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,
RSA *(*cb)(SSL *ssl,int is_export,
int keylength));
@@ -1260,7 +1452,7 @@ void SSL_set_tmp_rsa_callback(SSL *ssl,
RSA *(*cb)(SSL *ssl,int is_export,
int keylength));
#endif
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
DH *(*dh)(SSL *ssl,int is_export,
int keylength));
@@ -1269,7 +1461,7 @@ void SSL_set_tmp_dh_callback(SSL *ssl,
int keylength));
#endif
-#ifndef NO_COMP
+#ifndef OPENSSL_NO_COMP
int SSL_COMP_add_compression_method(int id,COMP_METHOD *cm);
#else
int SSL_COMP_add_compression_method(int id,char *cm);
@@ -1328,6 +1520,7 @@ void ERR_load_SSL_strings(void);
#define SSL_F_SSL3_CTRL 213
#define SSL_F_SSL3_CTX_CTRL 133
#define SSL_F_SSL3_ENC 134
+#define SSL_F_SSL3_GENERATE_KEY_BLOCK 238
#define SSL_F_SSL3_GET_CERTIFICATE_REQUEST 135
#define SSL_F_SSL3_GET_CERT_VERIFY 136
#define SSL_F_SSL3_GET_CLIENT_CERTIFICATE 137
@@ -1490,16 +1683,27 @@ void ERR_load_SSL_strings(void);
#define SSL_R_HTTPS_PROXY_REQUEST 155
#define SSL_R_HTTP_REQUEST 156
#define SSL_R_ILLEGAL_PADDING 1110
-#define SSL_R_INTERNAL_ERROR 157
#define SSL_R_INVALID_CHALLENGE_LENGTH 158
#define SSL_R_INVALID_COMMAND 280
#define SSL_R_INVALID_PURPOSE 278
#define SSL_R_INVALID_TRUST 279
#define SSL_R_KEY_ARG_TOO_LONG 1112
+#define SSL_R_KRB5 1104
+#define SSL_R_KRB5_C_CC_PRINC 1094
+#define SSL_R_KRB5_C_GET_CRED 1095
+#define SSL_R_KRB5_C_INIT 1096
+#define SSL_R_KRB5_C_MK_REQ 1097
+#define SSL_R_KRB5_S_BAD_TICKET 1098
+#define SSL_R_KRB5_S_INIT 1099
+#define SSL_R_KRB5_S_RD_REQ 1108
+#define SSL_R_KRB5_S_TKT_EXPIRED 1105
+#define SSL_R_KRB5_S_TKT_NYV 1106
+#define SSL_R_KRB5_S_TKT_SKEW 1107
#define SSL_R_LENGTH_MISMATCH 159
#define SSL_R_LENGTH_TOO_SHORT 160
#define SSL_R_LIBRARY_BUG 274
#define SSL_R_LIBRARY_HAS_NO_CIPHERS 161
+#define SSL_R_MASTER_KEY_TOO_LONG 1112
#define SSL_R_MESSAGE_TOO_LONG 1111
#define SSL_R_MISSING_DH_DSA_CERT 162
#define SSL_R_MISSING_DH_KEY 163
@@ -1586,7 +1790,10 @@ void ERR_load_SSL_strings(void);
#define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION 228
#define SSL_R_SSL_HANDSHAKE_FAILURE 229
#define SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS 230
+#define SSL_R_SSL_SESSION_ID_CALLBACK_FAILED 1102
+#define SSL_R_SSL_SESSION_ID_CONFLICT 1103
#define SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG 273
+#define SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH 1101
#define SSL_R_SSL_SESSION_ID_IS_DIFFERENT 231
#define SSL_R_TLSV1_ALERT_ACCESS_DENIED 1049
#define SSL_R_TLSV1_ALERT_DECODE_ERROR 1050
diff --git a/crypto/openssl/ssl/ssl2.h b/crypto/openssl/ssl/ssl2.h
index 70aae1e..99a52ea 100644
--- a/crypto/openssl/ssl/ssl2.h
+++ b/crypto/openssl/ssl/ssl2.h
@@ -133,7 +133,7 @@ extern "C" {
/* Upper/Lower Bounds */
#define SSL2_MAX_MASTER_KEY_LENGTH_IN_BITS 256
-#ifdef MPE
+#ifdef OPENSSL_SYS_MPE
#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER 29998u
#else
#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER 32767u /* 2^15-1 */
@@ -189,7 +189,6 @@ typedef struct ssl2_state_st
unsigned char *ract_data;
unsigned char *wact_data;
unsigned char *mac_data;
- unsigned char *pad_data_UNUSED; /* only for binary compatibility with 0.9.6b */
unsigned char *read_key;
unsigned char *write_key;
diff --git a/crypto/openssl/ssl/ssl3.h b/crypto/openssl/ssl/ssl3.h
index b45effe..1153aed 100644
--- a/crypto/openssl/ssl/ssl3.h
+++ b/crypto/openssl/ssl/ssl3.h
@@ -112,7 +112,7 @@
#ifndef HEADER_SSL3_H
#define HEADER_SSL3_H
-#ifndef NO_COMP
+#ifndef OPENSSL_NO_COMP
#include <openssl/comp.h>
#endif
#include <openssl/buffer.h>
@@ -156,7 +156,29 @@ extern "C" {
#define SSL3_CK_FZA_DMS_NULL_SHA 0x0300001C
#define SSL3_CK_FZA_DMS_FZA_SHA 0x0300001D
+#if 0 /* Because it clashes with KRB5, is never used any more, and is safe
+ to remove according to David Hopwood <david.hopwood@zetnet.co.uk>
+ of the ietf-tls list */
#define SSL3_CK_FZA_DMS_RC4_SHA 0x0300001E
+#endif
+
+/* VRS Additional Kerberos5 entries
+ */
+#define SSL3_CK_KRB5_DES_64_CBC_SHA 0x0300001E
+#define SSL3_CK_KRB5_DES_192_CBC3_SHA 0x0300001F
+#define SSL3_CK_KRB5_RC4_128_SHA 0x03000020
+#define SSL3_CK_KRB5_IDEA_128_CBC_SHA 0x03000021
+#define SSL3_CK_KRB5_DES_64_CBC_MD5 0x03000022
+#define SSL3_CK_KRB5_DES_192_CBC3_MD5 0x03000023
+#define SSL3_CK_KRB5_RC4_128_MD5 0x03000024
+#define SSL3_CK_KRB5_IDEA_128_CBC_MD5 0x03000025
+
+#define SSL3_CK_KRB5_DES_40_CBC_SHA 0x03000026
+#define SSL3_CK_KRB5_RC2_40_CBC_SHA 0x03000027
+#define SSL3_CK_KRB5_RC4_40_SHA 0x03000028
+#define SSL3_CK_KRB5_DES_40_CBC_MD5 0x03000029
+#define SSL3_CK_KRB5_RC2_40_CBC_MD5 0x0300002A
+#define SSL3_CK_KRB5_RC4_40_MD5 0x0300002B
#define SSL3_TXT_RSA_NULL_MD5 "NULL-MD5"
#define SSL3_TXT_RSA_NULL_SHA "NULL-SHA"
@@ -193,6 +215,22 @@ extern "C" {
#define SSL3_TXT_FZA_DMS_FZA_SHA "FZA-FZA-CBC-SHA"
#define SSL3_TXT_FZA_DMS_RC4_SHA "FZA-RC4-SHA"
+#define SSL3_TXT_KRB5_DES_64_CBC_SHA "KRB5-DES-CBC-SHA"
+#define SSL3_TXT_KRB5_DES_192_CBC3_SHA "KRB5-DES-CBC3-SHA"
+#define SSL3_TXT_KRB5_RC4_128_SHA "KRB5-RC4-SHA"
+#define SSL3_TXT_KRB5_IDEA_128_CBC_SHA "KRB5-IDEA-CBC-SHA"
+#define SSL3_TXT_KRB5_DES_64_CBC_MD5 "KRB5-DES-CBC-MD5"
+#define SSL3_TXT_KRB5_DES_192_CBC3_MD5 "KRB5-DES-CBC3-MD5"
+#define SSL3_TXT_KRB5_RC4_128_MD5 "KRB5-RC4-MD5"
+#define SSL3_TXT_KRB5_IDEA_128_CBC_MD5 "KRB5-IDEA-CBC-MD5"
+
+#define SSL3_TXT_KRB5_DES_40_CBC_SHA "EXP-KRB5-DES-CBC-SHA"
+#define SSL3_TXT_KRB5_RC2_40_CBC_SHA "EXP-KRB5-RC2-CBC-SHA"
+#define SSL3_TXT_KRB5_RC4_40_SHA "EXP-KRB5-RC4-SHA"
+#define SSL3_TXT_KRB5_DES_40_CBC_MD5 "EXP-KRB5-DES-CBC-MD5"
+#define SSL3_TXT_KRB5_RC2_40_CBC_MD5 "EXP-KRB5-RC2-CBC-MD5"
+#define SSL3_TXT_KRB5_RC4_40_MD5 "EXP-KRB5-RC4-MD5"
+
#define SSL3_SSL_SESSION_ID_LENGTH 32
#define SSL3_MAX_SSL_SESSION_ID_LENGTH 32
@@ -202,7 +240,8 @@ extern "C" {
#define SSL3_RT_HEADER_LENGTH 5
/* Due to MS stuffing up, this can change.... */
-#if defined(WIN16) || (defined(MSDOS) && !defined(WIN32))
+#if defined(OPENSSL_SYS_WIN16) || \
+ (defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN32))
#define SSL3_RT_MAX_EXTRA (14000)
#else
#define SSL3_RT_MAX_EXTRA (16384)
@@ -256,9 +295,7 @@ typedef struct ssl3_buffer_st
{
unsigned char *buf; /* at least SSL3_RT_MAX_PACKET_SIZE bytes,
* see ssl3_setup_buffers() */
-#if 0 /* put directly into SSL3_STATE for best possible binary compatibility within 0.9.6 series */
size_t len; /* buffer size */
-#endif
int offset; /* where to 'copy from' */
int left; /* how many bytes left */
} SSL3_BUFFER;
@@ -290,6 +327,10 @@ typedef struct ssl3_state_st
unsigned char server_random[SSL3_RANDOM_SIZE];
unsigned char client_random[SSL3_RANDOM_SIZE];
+ /* flags for countermeasure against known-IV weakness */
+ int need_empty_fragments;
+ int empty_fragment_done;
+
SSL3_BUFFER rbuf; /* read IO goes into here */
SSL3_BUFFER wbuf; /* write IO goes into here */
@@ -348,7 +389,7 @@ typedef struct ssl3_state_st
/* used to hold the new cipher we are going to use */
SSL_CIPHER *new_cipher;
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
DH *dh;
#endif
/* used when SSL_ST_FLUSH_DATA is entered */
@@ -369,7 +410,7 @@ typedef struct ssl3_state_st
const EVP_CIPHER *new_sym_enc;
const EVP_MD *new_hash;
-#ifndef NO_COMP
+#ifndef OPENSSL_NO_COMP
const SSL_COMP *new_compression;
#else
char *new_compression;
@@ -377,13 +418,6 @@ typedef struct ssl3_state_st
int cert_request;
} tmp;
- /* flags for countermeasure against known-IV weakness */
- int need_empty_fragments;
- int empty_fragment_done;
-
- size_t rbuf_len; /* substitute for rbuf.len */
- size_t wbuf_len; /* substitute for wbuf.len */
-
} SSL3_STATE;
/* SSLv3 */
diff --git a/crypto/openssl/ssl/ssl_algs.c b/crypto/openssl/ssl/ssl_algs.c
index dde8918..3d1299e 100644
--- a/crypto/openssl/ssl/ssl_algs.c
+++ b/crypto/openssl/ssl/ssl_algs.c
@@ -63,40 +63,44 @@
int SSL_library_init(void)
{
-#ifndef NO_DES
+
+#ifndef OPENSSL_NO_DES
EVP_add_cipher(EVP_des_cbc());
EVP_add_cipher(EVP_des_ede3_cbc());
#endif
-#ifndef NO_IDEA
+#ifndef OPENSSL_NO_IDEA
EVP_add_cipher(EVP_idea_cbc());
#endif
-#ifndef NO_RC4
+#ifndef OPENSSL_NO_RC4
EVP_add_cipher(EVP_rc4());
#endif
-#ifndef NO_RC2
+#ifndef OPENSSL_NO_RC2
EVP_add_cipher(EVP_rc2_cbc());
-#endif
-
-#ifndef NO_MD2
+#endif
+#ifndef OPENSSL_NO_AES
+ EVP_add_cipher(EVP_aes_128_cbc());
+ EVP_add_cipher(EVP_aes_192_cbc());
+ EVP_add_cipher(EVP_aes_256_cbc());
+#endif
+#ifndef OPENSSL_NO_MD2
EVP_add_digest(EVP_md2());
#endif
-#ifndef NO_MD5
+#ifndef OPENSSL_NO_MD5
EVP_add_digest(EVP_md5());
EVP_add_digest_alias(SN_md5,"ssl2-md5");
EVP_add_digest_alias(SN_md5,"ssl3-md5");
#endif
-#ifndef NO_SHA
+#ifndef OPENSSL_NO_SHA
EVP_add_digest(EVP_sha1()); /* RSA with sha1 */
EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
#endif
-#if !defined(NO_SHA) && !defined(NO_DSA)
+#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA)
EVP_add_digest(EVP_dss1()); /* DSA with sha1 */
EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
#endif
-
/* If you want support for phased out ciphers, add the following */
#if 0
EVP_add_digest(EVP_sha());
diff --git a/crypto/openssl/ssl/ssl_asn1.c b/crypto/openssl/ssl/ssl_asn1.c
index 00f9fda..16bc11b 100644
--- a/crypto/openssl/ssl/ssl_asn1.c
+++ b/crypto/openssl/ssl/ssl_asn1.c
@@ -58,10 +58,10 @@
#include <stdio.h>
#include <stdlib.h>
+#include "ssl_locl.h"
#include <openssl/asn1_mac.h>
#include <openssl/objects.h>
#include <openssl/x509.h>
-#include "ssl_locl.h"
#include "cryptlib.h"
typedef struct ssl_session_asn1_st
@@ -73,6 +73,9 @@ typedef struct ssl_session_asn1_st
ASN1_OCTET_STRING session_id;
ASN1_OCTET_STRING session_id_context;
ASN1_OCTET_STRING key_arg;
+#ifndef OPENSSL_NO_KRB5
+ ASN1_OCTET_STRING krb5_princ;
+#endif /* OPENSSL_NO_KRB5 */
ASN1_INTEGER time;
ASN1_INTEGER timeout;
ASN1_INTEGER verify_result;
@@ -143,6 +146,15 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
a.key_arg.type=V_ASN1_OCTET_STRING;
a.key_arg.data=in->key_arg;
+#ifndef OPENSSL_NO_KRB5
+ if (in->krb5_client_princ_len)
+ {
+ a.krb5_princ.length=in->krb5_client_princ_len;
+ a.krb5_princ.type=V_ASN1_OCTET_STRING;
+ a.krb5_princ.data=in->krb5_client_princ;
+ }
+#endif /* OPENSSL_NO_KRB5 */
+
if (in->time != 0L)
{
a.time.length=LSIZE2;
@@ -167,11 +179,16 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
ASN1_INTEGER_set(&a.verify_result,in->verify_result);
}
+
M_ASN1_I2D_len(&(a.version), i2d_ASN1_INTEGER);
M_ASN1_I2D_len(&(a.ssl_version), i2d_ASN1_INTEGER);
M_ASN1_I2D_len(&(a.cipher), i2d_ASN1_OCTET_STRING);
M_ASN1_I2D_len(&(a.session_id), i2d_ASN1_OCTET_STRING);
M_ASN1_I2D_len(&(a.master_key), i2d_ASN1_OCTET_STRING);
+#ifndef OPENSSL_NO_KRB5
+ if (in->krb5_client_princ_len)
+ M_ASN1_I2D_len(&(a.krb5_princ), i2d_ASN1_OCTET_STRING);
+#endif /* OPENSSL_NO_KRB5 */
if (in->key_arg_length > 0)
M_ASN1_I2D_len_IMP_opt(&(a.key_arg),i2d_ASN1_OCTET_STRING);
if (in->time != 0L)
@@ -191,6 +208,10 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
M_ASN1_I2D_put(&(a.cipher), i2d_ASN1_OCTET_STRING);
M_ASN1_I2D_put(&(a.session_id), i2d_ASN1_OCTET_STRING);
M_ASN1_I2D_put(&(a.master_key), i2d_ASN1_OCTET_STRING);
+#ifndef OPENSSL_NO_KRB5
+ if (in->krb5_client_princ_len)
+ M_ASN1_I2D_put(&(a.krb5_princ), i2d_ASN1_OCTET_STRING);
+#endif /* OPENSSL_NO_KRB5 */
if (in->key_arg_length > 0)
M_ASN1_I2D_put_IMP_opt(&(a.key_arg),i2d_ASN1_OCTET_STRING,0);
if (in->time != 0L)
@@ -278,6 +299,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp,
os.length = sizeof ret->session_id;
ret->session_id_length=os.length;
+ OPENSSL_assert(os.length <= sizeof ret->session_id);
memcpy(ret->session_id,os.data,os.length);
M_ASN1_D2I_get(osp,d2i_ASN1_OCTET_STRING);
@@ -288,6 +310,25 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp,
memcpy(ret->master_key,os.data,ret->master_key_length);
os.length=0;
+
+#ifndef OPENSSL_NO_KRB5
+ os.length=0;
+ M_ASN1_D2I_get_opt(osp,d2i_ASN1_OCTET_STRING,V_ASN1_OCTET_STRING);
+ if (os.data)
+ {
+ if (os.length > SSL_MAX_KRB5_PRINCIPAL_LENGTH)
+ ret->krb5_client_princ_len=0;
+ else
+ ret->krb5_client_princ_len=os.length;
+ memcpy(ret->krb5_client_princ,os.data,ret->krb5_client_princ_len);
+ OPENSSL_free(os.data);
+ os.data = NULL;
+ os.length = 0;
+ }
+ else
+ ret->krb5_client_princ_len=0;
+#endif /* OPENSSL_NO_KRB5 */
+
M_ASN1_D2I_get_IMP_opt(osp,d2i_ASN1_OCTET_STRING,0,V_ASN1_OCTET_STRING);
if (os.length > SSL_MAX_KEY_ARG_LENGTH)
ret->key_arg_length=SSL_MAX_KEY_ARG_LENGTH;
@@ -330,9 +371,15 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp,
if(os.data != NULL)
{
if (os.length > SSL_MAX_SID_CTX_LENGTH)
+ {
+ ret->sid_ctx_length=os.length;
SSLerr(SSL_F_D2I_SSL_SESSION,SSL_R_BAD_LENGTH);
- ret->sid_ctx_length=os.length;
- memcpy(ret->sid_ctx,os.data,os.length);
+ }
+ else
+ {
+ ret->sid_ctx_length=os.length;
+ memcpy(ret->sid_ctx,os.data,os.length);
+ }
OPENSSL_free(os.data); os.data=NULL; os.length=0;
}
else
diff --git a/crypto/openssl/ssl/ssl_cert.c b/crypto/openssl/ssl/ssl_cert.c
index bb4cb2f..1f12255 100644
--- a/crypto/openssl/ssl/ssl_cert.c
+++ b/crypto/openssl/ssl/ssl_cert.c
@@ -106,16 +106,19 @@
#include <stdio.h>
-#include "openssl/e_os.h"
-
+#include "e_os.h"
#ifndef NO_SYS_TYPES_H
# include <sys/types.h>
#endif
-#if !defined(WIN32) && !defined(VSM) && !defined(NeXT) && !defined(MAC_OS_pre_X)
+#if !defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_SYS_VMS) && !defined(NeXT) && !defined(MAC_OS_pre_X)
#include <dirent.h>
#endif
+#if defined(WIN32)
+#include <windows.h>
+#endif
+
#ifdef NeXT
#include <sys/dir.h>
#define dirent direct
@@ -129,14 +132,23 @@
int SSL_get_ex_data_X509_STORE_CTX_idx(void)
{
- static int ssl_x509_store_ctx_idx= -1;
+ static volatile int ssl_x509_store_ctx_idx= -1;
if (ssl_x509_store_ctx_idx < 0)
{
- ssl_x509_store_ctx_idx=X509_STORE_CTX_get_ex_new_index(
- 0,"SSL for verify callback",NULL,NULL,NULL);
+ /* any write lock will do; usually this branch
+ * will only be taken once anyway */
+ CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
+
+ if (ssl_x509_store_ctx_idx < 0)
+ {
+ ssl_x509_store_ctx_idx=X509_STORE_CTX_get_ex_new_index(
+ 0,"SSL for verify callback",NULL,NULL,NULL);
+ }
+
+ CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
}
- return(ssl_x509_store_ctx_idx);
+ return ssl_x509_store_ctx_idx;
}
CERT *ssl_cert_new(void)
@@ -179,16 +191,16 @@ CERT *ssl_cert_dup(CERT *cert)
ret->mask = cert->mask;
ret->export_mask = cert->export_mask;
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
if (cert->rsa_tmp != NULL)
{
+ RSA_up_ref(cert->rsa_tmp);
ret->rsa_tmp = cert->rsa_tmp;
- CRYPTO_add(&ret->rsa_tmp->references, 1, CRYPTO_LOCK_RSA);
}
ret->rsa_tmp_cb = cert->rsa_tmp_cb;
#endif
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
if (cert->dh_tmp != NULL)
{
/* DH parameters don't have a reference count */
@@ -271,14 +283,14 @@ CERT *ssl_cert_dup(CERT *cert)
return(ret);
-#ifndef NO_DH /* avoid 'unreferenced label' warning if NO_DH is defined */
+#ifndef OPENSSL_NO_DH /* avoid 'unreferenced label' warning if OPENSSL_NO_DH is defined */
err:
#endif
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
if (ret->rsa_tmp != NULL)
RSA_free(ret->rsa_tmp);
#endif
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
if (ret->dh_tmp != NULL)
DH_free(ret->dh_tmp);
#endif
@@ -315,10 +327,10 @@ void ssl_cert_free(CERT *c)
}
#endif
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
if (c->rsa_tmp) RSA_free(c->rsa_tmp);
#endif
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
if (c->dh_tmp) DH_free(c->dh_tmp);
#endif
@@ -419,11 +431,11 @@ void ssl_sess_cert_free(SESS_CERT *sc)
#endif
}
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
if (sc->peer_rsa_tmp != NULL)
RSA_free(sc->peer_rsa_tmp);
#endif
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
if (sc->peer_dh_tmp != NULL)
DH_free(sc->peer_dh_tmp);
#endif
@@ -447,17 +459,23 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk)
return(0);
x=sk_X509_value(sk,0);
- X509_STORE_CTX_init(&ctx,s->ctx->cert_store,x,sk);
+ if(!X509_STORE_CTX_init(&ctx,s->ctx->cert_store,x,sk))
+ {
+ SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN,ERR_R_X509_LIB);
+ return(0);
+ }
if (SSL_get_verify_depth(s) >= 0)
X509_STORE_CTX_set_depth(&ctx, SSL_get_verify_depth(s));
X509_STORE_CTX_set_ex_data(&ctx,SSL_get_ex_data_X509_STORE_CTX_idx(),s);
+
/* We need to set the verify purpose. The purpose can be determined by
* the context: if its a server it will verify SSL client certificates
* or vice versa.
- */
-
- if(s->server) i = X509_PURPOSE_SSL_CLIENT;
- else i = X509_PURPOSE_SSL_SERVER;
+ */
+ if (s->server)
+ i = X509_PURPOSE_SSL_CLIENT;
+ else
+ i = X509_PURPOSE_SSL_SERVER;
X509_STORE_CTX_purpose_inherit(&ctx, i, s->purpose, s->trust);
@@ -465,10 +483,14 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk)
X509_STORE_CTX_set_verify_cb(&ctx, s->verify_callback);
if (s->ctx->app_verify_callback != NULL)
+#if 1 /* new with OpenSSL 0.9.7 */
+ i=s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg);
+#else
i=s->ctx->app_verify_callback(&ctx); /* should pass app_verify_arg */
+#endif
else
{
-#ifndef NO_X509_VERIFY
+#ifndef OPENSSL_NO_X509_VERIFY
i=X509_verify_cert(&ctx);
#else
i=0;
@@ -578,7 +600,7 @@ static int xname_cmp(const X509_NAME * const *a, const X509_NAME * const *b)
return(X509_NAME_cmp(*a,*b));
}
-#ifndef NO_STDIO
+#ifndef OPENSSL_NO_STDIO
/*!
* Load CA certs from a file into a ::STACK. Note that it is somewhat misnamed;
* it doesn't really have anything to do with clients (except that a common use
@@ -708,9 +730,9 @@ err:
* certs may have been added to \c stack.
*/
-#ifndef WIN32
-#ifndef VMS /* XXXX This may be fixed in the future */
-#ifndef MAC_OS_pre_X
+#ifndef OPENSSL_SYS_WIN32
+#ifndef OPENSSL_SYS_VMS /* XXXX This may be fixed in the future */
+#ifndef OPENSSL_SYS_MACINTOSH_CLASSIC /* XXXXX: Better scheme needed! */
int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
const char *dir)
@@ -758,4 +780,81 @@ err:
#endif
#endif
+
+#else
+
+int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
+ const char *dir)
+ {
+ WIN32_FIND_DATA FindFileData;
+ HANDLE hFind;
+ int ret = 0;
+#ifdef OPENSSL_SYS_WINCE
+ WCHAR* wdir = NULL;
+#endif
+
+ CRYPTO_w_lock(CRYPTO_LOCK_READDIR);
+
+#ifdef OPENSSL_SYS_WINCE
+ /* convert strings to UNICODE */
+ {
+ BOOL result = FALSE;
+ int i;
+ wdir = malloc((strlen(dir)+1)*2);
+ if (wdir == NULL)
+ goto err_noclose;
+ for (i=0; i<(int)strlen(dir)+1; i++)
+ wdir[i] = (short)dir[i];
+ }
+#endif
+
+#ifdef OPENSSL_SYS_WINCE
+ hFind = FindFirstFile(wdir, &FindFileData);
+#else
+ hFind = FindFirstFile(dir, &FindFileData);
+#endif
+ /* Note that a side effect is that the CAs will be sorted by name */
+ if(hFind == INVALID_HANDLE_VALUE)
+ {
+ SYSerr(SYS_F_OPENDIR, get_last_sys_error());
+ ERR_add_error_data(3, "opendir('", dir, "')");
+ SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK, ERR_R_SYS_LIB);
+ goto err_noclose;
+ }
+
+ do
+ {
+ char buf[1024];
+ int r;
+
+#ifdef OPENSSL_SYS_WINCE
+ if(strlen(dir)+_tcslen(FindFileData.cFileName)+2 > sizeof buf)
+#else
+ if(strlen(dir)+strlen(FindFileData.cFileName)+2 > sizeof buf)
+#endif
+ {
+ SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,SSL_R_PATH_TOO_LONG);
+ goto err;
+ }
+
+ r = BIO_snprintf(buf,sizeof buf,"%s/%s",dir,FindFileData.cFileName);
+ if (r <= 0 || r >= sizeof buf)
+ goto err;
+ if(!SSL_add_file_cert_subjects_to_stack(stack,buf))
+ goto err;
+ }
+ while (FindNextFile(hFind, &FindFileData) != FALSE);
+ ret = 1;
+
+err:
+ FindClose(hFind);
+err_noclose:
+#ifdef OPENSSL_SYS_WINCE
+ if (wdir != NULL)
+ free(wdir);
+#endif
+ CRYPTO_w_unlock(CRYPTO_LOCK_READDIR);
+ return ret;
+ }
+
#endif
diff --git a/crypto/openssl/ssl/ssl_ciph.c b/crypto/openssl/ssl/ssl_ciph.c
index f63163f..c72be89 100644
--- a/crypto/openssl/ssl/ssl_ciph.c
+++ b/crypto/openssl/ssl/ssl_ciph.c
@@ -68,7 +68,9 @@
#define SSL_ENC_IDEA_IDX 4
#define SSL_ENC_eFZA_IDX 5
#define SSL_ENC_NULL_IDX 6
-#define SSL_ENC_NUM_IDX 7
+#define SSL_ENC_AES128_IDX 7
+#define SSL_ENC_AES256_IDX 8
+#define SSL_ENC_NUM_IDX 9
static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX]={
NULL,NULL,NULL,NULL,NULL,NULL,
@@ -98,8 +100,11 @@ typedef struct cipher_order_st
} CIPHER_ORDER;
static const SSL_CIPHER cipher_aliases[]={
- /* Don't include eNULL unless specifically enabled */
+ /* Don't include eNULL unless specifically enabled. */
{0,SSL_TXT_ALL, 0,SSL_ALL & ~SSL_eNULL, SSL_ALL ,0,0,0,SSL_ALL,SSL_ALL}, /* must be first */
+ {0,SSL_TXT_CMPALL,0,SSL_eNULL,0,0,0,0,SSL_ENC_MASK,0}, /* COMPLEMENT OF ALL */
+ {0,SSL_TXT_CMPDEF,0,SSL_ADH, 0,0,0,0,SSL_AUTH_MASK,0},
+ {0,SSL_TXT_kKRB5,0,SSL_kKRB5,0,0,0,0,SSL_MKEY_MASK,0}, /* VRS Kerberos5 */
{0,SSL_TXT_kRSA,0,SSL_kRSA, 0,0,0,0,SSL_MKEY_MASK,0},
{0,SSL_TXT_kDHr,0,SSL_kDHr, 0,0,0,0,SSL_MKEY_MASK,0},
{0,SSL_TXT_kDHd,0,SSL_kDHd, 0,0,0,0,SSL_MKEY_MASK,0},
@@ -108,6 +113,7 @@ static const SSL_CIPHER cipher_aliases[]={
{0,SSL_TXT_DH, 0,SSL_DH, 0,0,0,0,SSL_MKEY_MASK,0},
{0,SSL_TXT_EDH, 0,SSL_EDH, 0,0,0,0,SSL_MKEY_MASK|SSL_AUTH_MASK,0},
+ {0,SSL_TXT_aKRB5,0,SSL_aKRB5,0,0,0,0,SSL_AUTH_MASK,0}, /* VRS Kerberos5 */
{0,SSL_TXT_aRSA,0,SSL_aRSA, 0,0,0,0,SSL_AUTH_MASK,0},
{0,SSL_TXT_aDSS,0,SSL_aDSS, 0,0,0,0,SSL_AUTH_MASK,0},
{0,SSL_TXT_aFZA,0,SSL_aFZA, 0,0,0,0,SSL_AUTH_MASK,0},
@@ -122,12 +128,14 @@ static const SSL_CIPHER cipher_aliases[]={
{0,SSL_TXT_IDEA,0,SSL_IDEA, 0,0,0,0,SSL_ENC_MASK,0},
{0,SSL_TXT_eNULL,0,SSL_eNULL,0,0,0,0,SSL_ENC_MASK,0},
{0,SSL_TXT_eFZA,0,SSL_eFZA, 0,0,0,0,SSL_ENC_MASK,0},
+ {0,SSL_TXT_AES, 0,SSL_AES, 0,0,0,0,SSL_ENC_MASK,0},
{0,SSL_TXT_MD5, 0,SSL_MD5, 0,0,0,0,SSL_MAC_MASK,0},
{0,SSL_TXT_SHA1,0,SSL_SHA1, 0,0,0,0,SSL_MAC_MASK,0},
{0,SSL_TXT_SHA, 0,SSL_SHA, 0,0,0,0,SSL_MAC_MASK,0},
{0,SSL_TXT_NULL,0,SSL_NULL, 0,0,0,0,SSL_ENC_MASK,0},
+ {0,SSL_TXT_KRB5,0,SSL_KRB5, 0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0},
{0,SSL_TXT_RSA, 0,SSL_RSA, 0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0},
{0,SSL_TXT_ADH, 0,SSL_ADH, 0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0},
{0,SSL_TXT_FZA, 0,SSL_FZA, 0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK|SSL_ENC_MASK,0},
@@ -160,6 +168,10 @@ static void load_ciphers(void)
EVP_get_cipherbyname(SN_rc2_cbc);
ssl_cipher_methods[SSL_ENC_IDEA_IDX]=
EVP_get_cipherbyname(SN_idea_cbc);
+ ssl_cipher_methods[SSL_ENC_AES128_IDX]=
+ EVP_get_cipherbyname(SN_aes_128_cbc);
+ ssl_cipher_methods[SSL_ENC_AES256_IDX]=
+ EVP_get_cipherbyname(SN_aes_256_cbc);
ssl_digest_methods[SSL_MD_MD5_IDX]=
EVP_get_digestbyname(SN_md5);
@@ -220,6 +232,14 @@ int ssl_cipher_get_evp(SSL_SESSION *s, const EVP_CIPHER **enc,
case SSL_eNULL:
i=SSL_ENC_NULL_IDX;
break;
+ case SSL_AES:
+ switch(c->alg_bits)
+ {
+ case 128: i=SSL_ENC_AES128_IDX; break;
+ case 256: i=SSL_ENC_AES256_IDX; break;
+ default: i=-1; break;
+ }
+ break;
default:
i= -1;
break;
@@ -282,15 +302,18 @@ static unsigned long ssl_cipher_get_disabled(void)
unsigned long mask;
mask = SSL_kFZA;
-#ifdef NO_RSA
+#ifdef OPENSSL_NO_RSA
mask |= SSL_aRSA|SSL_kRSA;
#endif
-#ifdef NO_DSA
+#ifdef OPENSSL_NO_DSA
mask |= SSL_aDSS;
#endif
-#ifdef NO_DH
+#ifdef OPENSSL_NO_DH
mask |= SSL_kDHr|SSL_kDHd|SSL_kEDH|SSL_aDH;
#endif
+#ifdef OPENSSL_NO_KRB5
+ mask |= SSL_kKRB5|SSL_aKRB5;
+#endif
#ifdef SSL_FORBID_ENULL
mask |= SSL_eNULL;
@@ -302,6 +325,7 @@ static unsigned long ssl_cipher_get_disabled(void)
mask |= (ssl_cipher_methods[SSL_ENC_RC2_IDX ] == NULL) ? SSL_RC2 :0;
mask |= (ssl_cipher_methods[SSL_ENC_IDEA_IDX] == NULL) ? SSL_IDEA:0;
mask |= (ssl_cipher_methods[SSL_ENC_eFZA_IDX] == NULL) ? SSL_eFZA:0;
+ mask |= (ssl_cipher_methods[SSL_ENC_AES128_IDX] == NULL) ? SSL_AES:0;
mask |= (ssl_digest_methods[SSL_MD_MD5_IDX ] == NULL) ? SSL_MD5 :0;
mask |= (ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL) ? SSL_SHA1:0;
@@ -336,6 +360,9 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
list[list_num].prev = NULL;
list[list_num].active = 0;
list_num++;
+#ifdef KSSL_DEBUG
+ printf("\t%d: %s %lx %lx\n",i,c->name,c->id,c->algorithms);
+#endif /* KSSL_DEBUG */
/*
if (!sk_push(ca_list,(char *)c)) goto err;
*/
@@ -724,7 +751,12 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
*/
if (rule_str == NULL) return(NULL);
- if (init_ciphers) load_ciphers();
+ if (init_ciphers)
+ {
+ CRYPTO_w_lock(CRYPTO_LOCK_SSL);
+ if (init_ciphers) load_ciphers();
+ CRYPTO_w_unlock(CRYPTO_LOCK_SSL);
+ }
/*
* To reduce the work to do we only want to process the compiled
@@ -738,6 +770,9 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
* it is used for allocation.
*/
num_of_ciphers = ssl_method->num_ciphers();
+#ifdef KSSL_DEBUG
+ printf("ssl_create_cipher_list() for %d ciphers\n", num_of_ciphers);
+#endif /* KSSL_DEBUG */
list = (CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * num_of_ciphers);
if (list == NULL)
{
@@ -872,8 +907,12 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
char *ver,*exp;
char *kx,*au,*enc,*mac;
unsigned long alg,alg2,alg_s;
+#ifdef KSSL_DEBUG
+ static char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s AL=%lx\n";
+#else
static char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s\n";
-
+#endif /* KSSL_DEBUG */
+
alg=cipher->algorithms;
alg_s=cipher->algo_strength;
alg2=cipher->algorithm2;
@@ -901,6 +940,10 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
case SSL_kDHd:
kx="DH/DSS";
break;
+ case SSL_kKRB5: /* VRS */
+ case SSL_KRB5: /* VRS */
+ kx="KRB5";
+ break;
case SSL_kFZA:
kx="Fortezza";
break;
@@ -922,6 +965,10 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
case SSL_aDH:
au="DH";
break;
+ case SSL_aKRB5: /* VRS */
+ case SSL_KRB5: /* VRS */
+ au="KRB5";
+ break;
case SSL_aFZA:
case SSL_aNULL:
au="None";
@@ -955,6 +1002,15 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
case SSL_eNULL:
enc="None";
break;
+ case SSL_AES:
+ switch(cipher->strength_bits)
+ {
+ case 128: enc="AES(128)"; break;
+ case 192: enc="AES(192)"; break;
+ case 256: enc="AES(256)"; break;
+ default: enc="AES(?""?""?)"; break;
+ }
+ break;
default:
enc="unknown";
break;
@@ -982,7 +1038,11 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
else if (len < 128)
return("Buffer too small");
+#ifdef KSSL_DEBUG
+ BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp,alg);
+#else
BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp);
+#endif /* KSSL_DEBUG */
return(buf);
}
@@ -1053,6 +1113,10 @@ int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm)
SSL_COMP *comp;
STACK_OF(SSL_COMP) *sk;
+ if (cm == NULL || cm->type == NID_undef)
+ return 1;
+
+ MemCheck_off();
comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
comp->id=id;
comp->method=cm;
@@ -1062,10 +1126,13 @@ int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm)
sk=ssl_comp_methods;
if ((sk == NULL) || !sk_SSL_COMP_push(sk,comp))
{
+ MemCheck_on();
SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,ERR_R_MALLOC_FAILURE);
return(0);
}
else
+ {
+ MemCheck_on();
return(1);
+ }
}
-
diff --git a/crypto/openssl/ssl/ssl_err.c b/crypto/openssl/ssl/ssl_err.c
index b77b35f..d2cb181 100644
--- a/crypto/openssl/ssl/ssl_err.c
+++ b/crypto/openssl/ssl/ssl_err.c
@@ -63,7 +63,7 @@
#include <openssl/ssl.h>
/* BEGIN ERROR CODES */
-#ifndef NO_ERR
+#ifndef OPENSSL_NO_ERR
static ERR_STRING_DATA SSL_str_functs[]=
{
{ERR_PACK(0,SSL_F_CLIENT_CERTIFICATE,0), "CLIENT_CERTIFICATE"},
@@ -110,6 +110,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
{ERR_PACK(0,SSL_F_SSL3_CTRL,0), "SSL3_CTRL"},
{ERR_PACK(0,SSL_F_SSL3_CTX_CTRL,0), "SSL3_CTX_CTRL"},
{ERR_PACK(0,SSL_F_SSL3_ENC,0), "SSL3_ENC"},
+{ERR_PACK(0,SSL_F_SSL3_GENERATE_KEY_BLOCK,0), "SSL3_GENERATE_KEY_BLOCK"},
{ERR_PACK(0,SSL_F_SSL3_GET_CERTIFICATE_REQUEST,0), "SSL3_GET_CERTIFICATE_REQUEST"},
{ERR_PACK(0,SSL_F_SSL3_GET_CERT_VERIFY,0), "SSL3_GET_CERT_VERIFY"},
{ERR_PACK(0,SSL_F_SSL3_GET_CLIENT_CERTIFICATE,0), "SSL3_GET_CLIENT_CERTIFICATE"},
@@ -275,16 +276,27 @@ static ERR_STRING_DATA SSL_str_reasons[]=
{SSL_R_HTTPS_PROXY_REQUEST ,"https proxy request"},
{SSL_R_HTTP_REQUEST ,"http request"},
{SSL_R_ILLEGAL_PADDING ,"illegal padding"},
-{SSL_R_INTERNAL_ERROR ,"internal error"},
{SSL_R_INVALID_CHALLENGE_LENGTH ,"invalid challenge length"},
{SSL_R_INVALID_COMMAND ,"invalid command"},
{SSL_R_INVALID_PURPOSE ,"invalid purpose"},
{SSL_R_INVALID_TRUST ,"invalid trust"},
{SSL_R_KEY_ARG_TOO_LONG ,"key arg too long"},
+{SSL_R_KRB5 ,"krb5"},
+{SSL_R_KRB5_C_CC_PRINC ,"krb5 client cc principal (no tkt?)"},
+{SSL_R_KRB5_C_GET_CRED ,"krb5 client get cred"},
+{SSL_R_KRB5_C_INIT ,"krb5 client init"},
+{SSL_R_KRB5_C_MK_REQ ,"krb5 client mk_req (expired tkt?)"},
+{SSL_R_KRB5_S_BAD_TICKET ,"krb5 server bad ticket"},
+{SSL_R_KRB5_S_INIT ,"krb5 server init"},
+{SSL_R_KRB5_S_RD_REQ ,"krb5 server rd_req (keytab perms?)"},
+{SSL_R_KRB5_S_TKT_EXPIRED ,"krb5 server tkt expired"},
+{SSL_R_KRB5_S_TKT_NYV ,"krb5 server tkt not yet valid"},
+{SSL_R_KRB5_S_TKT_SKEW ,"krb5 server tkt skew"},
{SSL_R_LENGTH_MISMATCH ,"length mismatch"},
{SSL_R_LENGTH_TOO_SHORT ,"length too short"},
{SSL_R_LIBRARY_BUG ,"library bug"},
{SSL_R_LIBRARY_HAS_NO_CIPHERS ,"library has no ciphers"},
+{SSL_R_MASTER_KEY_TOO_LONG ,"master key too long"},
{SSL_R_MESSAGE_TOO_LONG ,"message too long"},
{SSL_R_MISSING_DH_DSA_CERT ,"missing dh dsa cert"},
{SSL_R_MISSING_DH_KEY ,"missing dh key"},
@@ -371,7 +383,10 @@ static ERR_STRING_DATA SSL_str_reasons[]=
{SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION,"ssl ctx has no default ssl version"},
{SSL_R_SSL_HANDSHAKE_FAILURE ,"ssl handshake failure"},
{SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS ,"ssl library has no ciphers"},
+{SSL_R_SSL_SESSION_ID_CALLBACK_FAILED ,"ssl session id callback failed"},
+{SSL_R_SSL_SESSION_ID_CONFLICT ,"ssl session id conflict"},
{SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG ,"ssl session id context too long"},
+{SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH ,"ssl session id has bad length"},
{SSL_R_SSL_SESSION_ID_IS_DIFFERENT ,"ssl session id is different"},
{SSL_R_TLSV1_ALERT_ACCESS_DENIED ,"tlsv1 alert access denied"},
{SSL_R_TLSV1_ALERT_DECODE_ERROR ,"tlsv1 alert decode error"},
@@ -437,7 +452,7 @@ void ERR_load_SSL_strings(void)
if (init)
{
init=0;
-#ifndef NO_ERR
+#ifndef OPENSSL_NO_ERR
ERR_load_strings(ERR_LIB_SSL,SSL_str_functs);
ERR_load_strings(ERR_LIB_SSL,SSL_str_reasons);
#endif
diff --git a/crypto/openssl/ssl/ssl_err2.c b/crypto/openssl/ssl/ssl_err2.c
index cc089a6..ea95a5f 100644
--- a/crypto/openssl/ssl/ssl_err2.c
+++ b/crypto/openssl/ssl/ssl_err2.c
@@ -62,7 +62,7 @@
void SSL_load_error_strings(void)
{
-#ifndef NO_ERR
+#ifndef OPENSSL_NO_ERR
ERR_load_crypto_strings();
ERR_load_SSL_strings();
#endif
diff --git a/crypto/openssl/ssl/ssl_lib.c b/crypto/openssl/ssl/ssl_lib.c
index 4f84a34..091326f 100644
--- a/crypto/openssl/ssl/ssl_lib.c
+++ b/crypto/openssl/ssl/ssl_lib.c
@@ -57,22 +57,74 @@
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
-#include <assert.h>
+#ifdef REF_CHECK
+# include <assert.h>
+#endif
#include <stdio.h>
+#include "ssl_locl.h"
+#include "kssl_lcl.h"
#include <openssl/objects.h>
#include <openssl/lhash.h>
#include <openssl/x509v3.h>
-#include "ssl_locl.h"
+#include "cryptlib.h"
const char *SSL_version_str=OPENSSL_VERSION_TEXT;
-static STACK_OF(CRYPTO_EX_DATA_FUNCS) *ssl_meth=NULL;
-static STACK_OF(CRYPTO_EX_DATA_FUNCS) *ssl_ctx_meth=NULL;
-static int ssl_meth_num=0;
-static int ssl_ctx_meth_num=0;
-
OPENSSL_GLOBAL SSL3_ENC_METHOD ssl3_undef_enc_method={
/* evil casts, but these functions are only called if there's a library bug */
(int (*)(SSL *,int))ssl_undefined_function,
@@ -110,7 +162,7 @@ int SSL_clear(SSL *s)
#else
if (s->new_session)
{
- SSLerr(SSL_F_SSL_CLEAR,SSL_R_INTERNAL_ERROR);
+ SSLerr(SSL_F_SSL_CLEAR,ERR_R_INTERNAL_ERROR);
return 0;
}
#endif
@@ -189,6 +241,14 @@ SSL *SSL_new(SSL_CTX *ctx)
if (s == NULL) goto err;
memset(s,0,sizeof(SSL));
+#ifndef OPENSSL_NO_KRB5
+ s->kssl_ctx = kssl_ctx_new();
+#endif /* OPENSSL_NO_KRB5 */
+
+ s->options=ctx->options;
+ s->mode=ctx->mode;
+ s->max_cert_list=ctx->max_cert_list;
+
if (ctx->cert != NULL)
{
/* Earlier library versions used to copy the pointer to
@@ -207,13 +267,21 @@ SSL *SSL_new(SSL_CTX *ctx)
}
else
s->cert=NULL; /* Cannot really happen (see SSL_CTX_new) */
- s->sid_ctx_length=ctx->sid_ctx_length;
- memcpy(&s->sid_ctx,&ctx->sid_ctx,sizeof(s->sid_ctx));
+
+ s->read_ahead=ctx->read_ahead;
+ s->msg_callback=ctx->msg_callback;
+ s->msg_callback_arg=ctx->msg_callback_arg;
s->verify_mode=ctx->verify_mode;
s->verify_depth=ctx->verify_depth;
+ s->sid_ctx_length=ctx->sid_ctx_length;
+ OPENSSL_assert(s->sid_ctx_length <= sizeof s->sid_ctx);
+ memcpy(&s->sid_ctx,&ctx->sid_ctx,sizeof(s->sid_ctx));
s->verify_callback=ctx->default_verify_callback;
+ s->generate_session_id=ctx->generate_session_id;
s->purpose = ctx->purpose;
s->trust = ctx->trust;
+ s->quiet_shutdown=ctx->quiet_shutdown;
+
CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
s->ctx=ctx;
@@ -224,15 +292,12 @@ SSL *SSL_new(SSL_CTX *ctx)
if (!s->method->ssl_new(s))
goto err;
- s->quiet_shutdown=ctx->quiet_shutdown;
s->references=1;
s->server=(ctx->method->ssl_accept == ssl_undefined_function)?0:1;
- s->options=ctx->options;
- s->mode=ctx->mode;
- s->read_ahead=ctx->read_ahead; /* used to happen in SSL_clear */
+
SSL_clear(s);
- CRYPTO_new_ex_data(ssl_meth,s,&s->ex_data);
+ CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data);
return(s);
err:
@@ -251,7 +316,7 @@ err:
int SSL_CTX_set_session_id_context(SSL_CTX *ctx,const unsigned char *sid_ctx,
unsigned int sid_ctx_len)
{
- if(sid_ctx_len > SSL_MAX_SID_CTX_LENGTH)
+ if(sid_ctx_len > sizeof ctx->sid_ctx)
{
SSLerr(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT,SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
return 0;
@@ -276,45 +341,75 @@ int SSL_set_session_id_context(SSL *ssl,const unsigned char *sid_ctx,
return 1;
}
-int SSL_CTX_set_purpose(SSL_CTX *s, int purpose)
-{
- if(X509_PURPOSE_get_by_id(purpose) == -1) {
- SSLerr(SSL_F_SSL_CTX_SET_PURPOSE, SSL_R_INVALID_PURPOSE);
- return 0;
+int SSL_CTX_set_generate_session_id(SSL_CTX *ctx, GEN_SESSION_CB cb)
+ {
+ CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
+ ctx->generate_session_id = cb;
+ CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
+ return 1;
}
- s->purpose = purpose;
+
+int SSL_set_generate_session_id(SSL *ssl, GEN_SESSION_CB cb)
+ {
+ CRYPTO_w_lock(CRYPTO_LOCK_SSL);
+ ssl->generate_session_id = cb;
+ CRYPTO_w_unlock(CRYPTO_LOCK_SSL);
return 1;
-}
+ }
-int SSL_set_purpose(SSL *s, int purpose)
-{
- if(X509_PURPOSE_get_by_id(purpose) == -1) {
- SSLerr(SSL_F_SSL_SET_PURPOSE, SSL_R_INVALID_PURPOSE);
+int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
+ unsigned int id_len)
+ {
+ /* A quick examination of SSL_SESSION_hash and SSL_SESSION_cmp shows how
+ * we can "construct" a session to give us the desired check - ie. to
+ * find if there's a session in the hash table that would conflict with
+ * any new session built out of this id/id_len and the ssl_version in
+ * use by this SSL. */
+ SSL_SESSION r, *p;
+
+ if(id_len > sizeof r.session_id)
return 0;
+
+ r.ssl_version = ssl->version;
+ r.session_id_length = id_len;
+ memcpy(r.session_id, id, id_len);
+ /* NB: SSLv2 always uses a fixed 16-byte session ID, so even if a
+ * callback is calling us to check the uniqueness of a shorter ID, it
+ * must be compared as a padded-out ID because that is what it will be
+ * converted to when the callback has finished choosing it. */
+ if((r.ssl_version == SSL2_VERSION) &&
+ (id_len < SSL2_SSL_SESSION_ID_LENGTH))
+ {
+ memset(r.session_id + id_len, 0,
+ SSL2_SSL_SESSION_ID_LENGTH - id_len);
+ r.session_id_length = SSL2_SSL_SESSION_ID_LENGTH;
+ }
+
+ CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
+ p = (SSL_SESSION *)lh_retrieve(ssl->ctx->sessions, &r);
+ CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
+ return (p != NULL);
}
- s->purpose = purpose;
- return 1;
-}
-
+
+int SSL_CTX_set_purpose(SSL_CTX *s, int purpose)
+ {
+ return X509_PURPOSE_set(&s->purpose, purpose);
+ }
+
+int SSL_set_purpose(SSL *s, int purpose)
+ {
+ return X509_PURPOSE_set(&s->purpose, purpose);
+ }
+
int SSL_CTX_set_trust(SSL_CTX *s, int trust)
-{
- if(X509_TRUST_get_by_id(trust) == -1) {
- SSLerr(SSL_F_SSL_CTX_SET_TRUST, SSL_R_INVALID_TRUST);
- return 0;
+ {
+ return X509_TRUST_set(&s->trust, trust);
}
- s->trust = trust;
- return 1;
-}
int SSL_set_trust(SSL *s, int trust)
-{
- if(X509_TRUST_get_by_id(trust) == -1) {
- SSLerr(SSL_F_SSL_SET_TRUST, SSL_R_INVALID_TRUST);
- return 0;
+ {
+ return X509_TRUST_set(&s->trust, trust);
}
- s->trust = trust;
- return 1;
-}
void SSL_free(SSL *s)
{
@@ -336,7 +431,7 @@ void SSL_free(SSL *s)
}
#endif
- CRYPTO_free_ex_data(ssl_meth,(char *)s,&s->ex_data);
+ CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data);
if (s->bbio != NULL)
{
@@ -436,7 +531,7 @@ int SSL_get_wfd(SSL *s)
return(ret);
}
-#ifndef NO_SOCK
+#ifndef OPENSSL_NO_SOCK
int SSL_set_fd(SSL *s,int fd)
{
int ret=0;
@@ -591,6 +686,13 @@ int SSL_get_read_ahead(SSL *s)
int SSL_pending(SSL *s)
{
+ /* SSL_pending cannot work properly if read-ahead is enabled
+ * (SSL_[CTX_]ctrl(..., SSL_CTRL_SET_READ_AHEAD, 1, NULL)),
+ * and it is impossible to fix since SSL_pending cannot report
+ * errors that may be observed while scanning the new data.
+ * (Note that SSL_pending() is often used as a boolean value,
+ * so we'd better not return -1.)
+ */
return(s->method->ssl_pending(s));
}
@@ -800,7 +902,14 @@ int SSL_renegotiate(SSL *s)
return(s->method->ssl_renegotiate(s));
}
-long SSL_ctrl(SSL *s,int cmd,long larg,char *parg)
+int SSL_renegotiate_pending(SSL *s)
+ {
+ /* becomes true when negotiation is requested;
+ * false again once a handshake has finished */
+ return (s->new_session != 0);
+ }
+
+long SSL_ctrl(SSL *s,int cmd,long larg,void *parg)
{
long l;
@@ -812,10 +921,21 @@ long SSL_ctrl(SSL *s,int cmd,long larg,char *parg)
l=s->read_ahead;
s->read_ahead=larg;
return(l);
+
+ case SSL_CTRL_SET_MSG_CALLBACK_ARG:
+ s->msg_callback_arg = parg;
+ return 1;
+
case SSL_CTRL_OPTIONS:
return(s->options|=larg);
case SSL_CTRL_MODE:
return(s->mode|=larg);
+ case SSL_CTRL_GET_MAX_CERT_LIST:
+ return(s->max_cert_list);
+ case SSL_CTRL_SET_MAX_CERT_LIST:
+ l=s->max_cert_list;
+ s->max_cert_list=larg;
+ return(l);
default:
return(s->method->ssl_ctrl(s,cmd,larg,parg));
}
@@ -825,6 +945,10 @@ long SSL_callback_ctrl(SSL *s, int cmd, void (*fp)())
{
switch(cmd)
{
+ case SSL_CTRL_SET_MSG_CALLBACK:
+ s->msg_callback = (void (*)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))(fp);
+ return 1;
+
default:
return(s->method->ssl_callback_ctrl(s,cmd,fp));
}
@@ -835,7 +959,7 @@ struct lhash_st *SSL_CTX_sessions(SSL_CTX *ctx)
return ctx->sessions;
}
-long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd,long larg,char *parg)
+long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd,long larg,void *parg)
{
long l;
@@ -847,6 +971,17 @@ long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd,long larg,char *parg)
l=ctx->read_ahead;
ctx->read_ahead=larg;
return(l);
+
+ case SSL_CTRL_SET_MSG_CALLBACK_ARG:
+ ctx->msg_callback_arg = parg;
+ return 1;
+
+ case SSL_CTRL_GET_MAX_CERT_LIST:
+ return(ctx->max_cert_list);
+ case SSL_CTRL_SET_MAX_CERT_LIST:
+ l=ctx->max_cert_list;
+ ctx->max_cert_list=larg;
+ return(l);
case SSL_CTRL_SET_SESS_CACHE_SIZE:
l=ctx->session_cache_size;
@@ -898,6 +1033,10 @@ long SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)())
{
switch(cmd)
{
+ case SSL_CTRL_SET_MSG_CALLBACK:
+ ctx->msg_callback = (void (*)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))(fp);
+ return 1;
+
default:
return(ctx->method->ssl_ctx_callback_ctrl(ctx,cmd,fp));
}
@@ -1036,6 +1175,9 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p)
int i,j=0;
SSL_CIPHER *c;
unsigned char *q;
+#ifndef OPENSSL_NO_KRB5
+ int nokrb5 = !kssl_tgt_is_available(s->kssl_ctx);
+#endif /* OPENSSL_NO_KRB5 */
if (sk == NULL) return(0);
q=p;
@@ -1043,6 +1185,10 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p)
for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
{
c=sk_SSL_CIPHER_value(sk,i);
+#ifndef OPENSSL_NO_KRB5
+ if ((c->algorithms & SSL_KRB5) && nokrb5)
+ continue;
+#endif /* OPENSSL_NO_KRB5 */
j=ssl_put_cipher_by_char(s,c,p);
p+=j;
}
@@ -1105,6 +1251,11 @@ unsigned long SSL_SESSION_hash(SSL_SESSION *a)
return(l);
}
+/* NB: If this function (or indeed the hash function which uses a sort of
+ * coarser function than this one) is changed, ensure
+ * SSL_CTX_has_matching_session_id() is checked accordingly. It relies on being
+ * able to construct an SSL_SESSION that will collide with any existing session
+ * with a matching session ID. */
int SSL_SESSION_cmp(SSL_SESSION *a,SSL_SESSION *b)
{
if (a->ssl_version != b->ssl_version)
@@ -1114,6 +1265,13 @@ int SSL_SESSION_cmp(SSL_SESSION *a,SSL_SESSION *b)
return(memcmp(a->session_id,b->session_id,a->session_id_length));
}
+/* These wrapper functions should remain rather than redeclaring
+ * SSL_SESSION_hash and SSL_SESSION_cmp for void* types and casting each
+ * variable. The reason is that the functions aren't static, they're exposed via
+ * ssl.h. */
+static IMPLEMENT_LHASH_HASH_FN(SSL_SESSION_hash, SSL_SESSION *)
+static IMPLEMENT_LHASH_COMP_FN(SSL_SESSION_cmp, SSL_SESSION *)
+
SSL_CTX *SSL_CTX_new(SSL_METHOD *meth)
{
SSL_CTX *ret=NULL;
@@ -1146,9 +1304,10 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *meth)
/* We take the system default */
ret->session_timeout=meth->get_timeout();
- ret->new_session_cb=NULL;
- ret->remove_session_cb=NULL;
- ret->get_session_cb=NULL;
+ ret->new_session_cb=0;
+ ret->remove_session_cb=0;
+ ret->get_session_cb=0;
+ ret->generate_session_id=0;
memset((char *)&ret->stats,0,sizeof(ret->stats));
@@ -1163,21 +1322,26 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *meth)
ret->info_callback=NULL;
- ret->app_verify_callback=NULL;
+ ret->app_verify_callback=0;
ret->app_verify_arg=NULL;
+ ret->max_cert_list=SSL_MAX_CERT_LIST_DEFAULT;
ret->read_ahead=0;
+ ret->msg_callback=0;
+ ret->msg_callback_arg=NULL;
ret->verify_mode=SSL_VERIFY_NONE;
ret->verify_depth=-1; /* Don't impose a limit (but x509_lu.c does) */
+ ret->sid_ctx_length=0;
ret->default_verify_callback=NULL;
if ((ret->cert=ssl_cert_new()) == NULL)
goto err;
- ret->default_passwd_callback=NULL;
+ ret->default_passwd_callback=0;
ret->default_passwd_callback_userdata=NULL;
- ret->client_cert_cb=NULL;
+ ret->client_cert_cb=0;
- ret->sessions=lh_new(SSL_SESSION_hash,SSL_SESSION_cmp);
+ ret->sessions=lh_new(LHASH_HASH_FN(SSL_SESSION_hash),
+ LHASH_COMP_FN(SSL_SESSION_cmp));
if (ret->sessions == NULL) goto err;
ret->cert_store=X509_STORE_new();
if (ret->cert_store == NULL) goto err;
@@ -1211,7 +1375,7 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *meth)
if ((ret->client_CA=sk_X509_NAME_new_null()) == NULL)
goto err;
- CRYPTO_new_ex_data(ssl_ctx_meth,(char *)ret,&ret->ex_data);
+ CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data);
ret->extra_certs=NULL;
ret->comp_methods=SSL_COMP_get_compression_methods();
@@ -1224,8 +1388,10 @@ err2:
return(NULL);
}
+#if 0
static void SSL_COMP_free(SSL_COMP *comp)
{ OPENSSL_free(comp); }
+#endif
void SSL_CTX_free(SSL_CTX *a)
{
@@ -1245,13 +1411,24 @@ void SSL_CTX_free(SSL_CTX *a)
abort(); /* ok */
}
#endif
- CRYPTO_free_ex_data(ssl_ctx_meth,(char *)a,&a->ex_data);
+ /*
+ * Free internal session cache. However: the remove_cb() may reference
+ * the ex_data of SSL_CTX, thus the ex_data store can only be removed
+ * after the sessions were flushed.
+ * As the ex_data handling routines might also touch the session cache,
+ * the most secure solution seems to be: empty (flush) the cache, then
+ * free ex_data, then finally free the cache.
+ * (See ticket [openssl.org #212].)
+ */
if (a->sessions != NULL)
- {
SSL_CTX_flush_sessions(a,0);
+
+ CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_CTX, a, &a->ex_data);
+
+ if (a->sessions != NULL)
lh_free(a->sessions);
- }
+
if (a->cert_store != NULL)
X509_STORE_free(a->cert_store);
if (a->cipher_list != NULL)
@@ -1264,8 +1441,12 @@ void SSL_CTX_free(SSL_CTX *a)
sk_X509_NAME_pop_free(a->client_CA,X509_NAME_free);
if (a->extra_certs != NULL)
sk_X509_pop_free(a->extra_certs,X509_free);
+#if 0 /* This should never be done, since it removes a global database */
if (a->comp_methods != NULL)
sk_SSL_COMP_pop_free(a->comp_methods,SSL_COMP_free);
+#else
+ a->comp_methods = NULL;
+#endif
OPENSSL_free(a);
}
@@ -1279,15 +1460,10 @@ void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx,void *u)
ctx->default_passwd_callback_userdata=u;
}
-void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx,int (*cb)(),char *arg)
+void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb)(X509_STORE_CTX *,void *), void *arg)
{
- /* now
- * int (*cb)(X509_STORE_CTX *),
- * but should be
- * int (*cb)(X509_STORE_CTX *, void *arg)
- */
ctx->app_verify_callback=cb;
- ctx->app_verify_arg=arg; /* never used */
+ ctx->app_verify_arg=arg;
}
void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,int (*cb)(int, X509_STORE_CTX *))
@@ -1313,14 +1489,14 @@ void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher)
kl=SSL_C_EXPORT_PKEYLENGTH(cipher);
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
rsa_tmp=(c->rsa_tmp != NULL || c->rsa_tmp_cb != NULL);
rsa_tmp_export=(c->rsa_tmp_cb != NULL ||
(rsa_tmp && RSA_size(c->rsa_tmp)*8 <= kl));
#else
rsa_tmp=rsa_tmp_export=0;
#endif
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
dh_tmp=(c->dh_tmp != NULL || c->dh_tmp_cb != NULL);
dh_tmp_export=(c->dh_tmp_cb != NULL ||
(dh_tmp && DH_size(c->dh_tmp)*8 <= kl));
@@ -1394,6 +1570,11 @@ void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher)
mask|=SSL_aNULL;
emask|=SSL_aNULL;
+#ifndef OPENSSL_NO_KRB5
+ mask|=SSL_kKRB5|SSL_aKRB5;
+ emask|=SSL_kKRB5|SSL_aKRB5;
+#endif
+
c->mask=mask;
c->export_mask=emask;
c->valid=1;
@@ -1426,9 +1607,14 @@ X509 *ssl_get_server_send_cert(SSL *s)
else
i=SSL_PKEY_RSA_ENC;
}
+ else if (kalg & SSL_aKRB5)
+ {
+ /* VRS something else here? */
+ return(NULL);
+ }
else /* if (kalg & SSL_aNULL) */
{
- SSLerr(SSL_F_SSL_GET_SERVER_SEND_CERT,SSL_R_INTERNAL_ERROR);
+ SSLerr(SSL_F_SSL_GET_SERVER_SEND_CERT,ERR_R_INTERNAL_ERROR);
return(NULL);
}
if (c->pkeys[i].x509 == NULL) return(NULL);
@@ -1457,7 +1643,7 @@ EVP_PKEY *ssl_get_sign_pkey(SSL *s,SSL_CIPHER *cipher)
}
else /* if (alg & SSL_aNULL) */
{
- SSLerr(SSL_F_SSL_GET_SIGN_PKEY,SSL_R_INTERNAL_ERROR);
+ SSLerr(SSL_F_SSL_GET_SIGN_PKEY,ERR_R_INTERNAL_ERROR);
return(NULL);
}
}
@@ -1472,7 +1658,7 @@ void ssl_update_cache(SSL *s,int mode)
i=s->ctx->session_cache_mode;
if ((i & mode) && (!s->hit)
- && ((i & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP)
+ && ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE)
|| SSL_CTX_add_session(s->ctx,s->session))
&& (s->ctx->new_session_cb != NULL))
{
@@ -1565,6 +1751,8 @@ int SSL_get_error(SSL *s,int i)
reason=BIO_get_retry_reason(bio);
if (reason == BIO_RR_CONNECT)
return(SSL_ERROR_WANT_CONNECT);
+ else if (reason == BIO_RR_ACCEPT)
+ return(SSL_ERROR_WANT_ACCEPT);
else
return(SSL_ERROR_SYSCALL); /* unknown */
}
@@ -1583,6 +1771,8 @@ int SSL_get_error(SSL *s,int i)
reason=BIO_get_retry_reason(bio);
if (reason == BIO_RR_CONNECT)
return(SSL_ERROR_WANT_CONNECT);
+ else if (reason == BIO_RR_ACCEPT)
+ return(SSL_ERROR_WANT_ACCEPT);
else
return(SSL_ERROR_SYSCALL);
}
@@ -1683,7 +1873,11 @@ SSL *SSL_dup(SSL *s)
if ((ret=SSL_new(SSL_get_SSL_CTX(s))) == NULL)
return(NULL);
-
+
+ ret->version = s->version;
+ ret->type = s->type;
+ ret->method = s->method;
+
if (s->session != NULL)
{
/* This copies session-id, SSL_METHOD, sid_ctx, and 'cert' */
@@ -1714,18 +1908,23 @@ SSL *SSL_dup(SSL *s)
s->sid_ctx, s->sid_ctx_length);
}
+ ret->options=s->options;
+ ret->mode=s->mode;
+ SSL_set_max_cert_list(ret,SSL_get_max_cert_list(s));
SSL_set_read_ahead(ret,SSL_get_read_ahead(s));
+ ret->msg_callback = s->msg_callback;
+ ret->msg_callback_arg = s->msg_callback_arg;
SSL_set_verify(ret,SSL_get_verify_mode(s),
SSL_get_verify_callback(s));
SSL_set_verify_depth(ret,SSL_get_verify_depth(s));
+ ret->generate_session_id = s->generate_session_id;
SSL_set_info_callback(ret,SSL_get_info_callback(s));
ret->debug=s->debug;
- ret->options=s->options;
/* copy app data, a little dangerous perhaps */
- if (!CRYPTO_dup_ex_data(ssl_meth,&ret->ex_data,&s->ex_data))
+ if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL, &ret->ex_data, &s->ex_data))
goto err;
/* setup rbio, and wbio */
@@ -1744,6 +1943,19 @@ SSL *SSL_dup(SSL *s)
else
ret->wbio=ret->rbio;
}
+ ret->rwstate = s->rwstate;
+ ret->in_handshake = s->in_handshake;
+ ret->handshake_func = s->handshake_func;
+ ret->server = s->server;
+ ret->new_session = s->new_session;
+ ret->quiet_shutdown = s->quiet_shutdown;
+ ret->shutdown=s->shutdown;
+ ret->state=s->state; /* SSL_dup does not really work at any state, though */
+ ret->rstate=s->rstate;
+ ret->init_num = 0; /* would have to copy ret->init_buf, ret->init_msg, ret->init_num, ret->init_off */
+ ret->hit=s->hit;
+ ret->purpose=s->purpose;
+ ret->trust=s->trust;
/* dup the cipher_list and cipher_list_by_id stacks */
if (s->cipher_list != NULL)
@@ -1772,11 +1984,6 @@ SSL *SSL_dup(SSL *s)
}
}
- ret->shutdown=s->shutdown;
- ret->state=s->state;
- ret->handshake_func=s->handshake_func;
- ret->server=s->server;
-
if (0)
{
err:
@@ -1929,7 +2136,7 @@ SSL_CTX *SSL_get_SSL_CTX(SSL *ssl)
return(ssl->ctx);
}
-#ifndef NO_STDIO
+#ifndef OPENSSL_NO_STDIO
int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx)
{
return(X509_STORE_set_default_paths(ctx->cert_store));
@@ -1942,14 +2149,15 @@ int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
}
#endif
-void SSL_set_info_callback(SSL *ssl,void (*cb)())
+void SSL_set_info_callback(SSL *ssl,
+ void (*cb)(const SSL *ssl,int type,int val))
{
ssl->info_callback=cb;
}
-void (*SSL_get_info_callback(SSL *ssl))(void)
+void (*SSL_get_info_callback(SSL *ssl))(const SSL *ssl,int type,int val)
{
- return((void (*)())ssl->info_callback);
+ return ssl->info_callback;
}
int SSL_state(SSL *ssl)
@@ -1970,9 +2178,8 @@ long SSL_get_verify_result(SSL *ssl)
int SSL_get_ex_new_index(long argl,void *argp,CRYPTO_EX_new *new_func,
CRYPTO_EX_dup *dup_func,CRYPTO_EX_free *free_func)
{
- ssl_meth_num++;
- return(CRYPTO_get_ex_new_index(ssl_meth_num-1,
- &ssl_meth,argl,argp,new_func,dup_func,free_func));
+ return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL, argl, argp,
+ new_func, dup_func, free_func);
}
int SSL_set_ex_data(SSL *s,int idx,void *arg)
@@ -1988,9 +2195,8 @@ void *SSL_get_ex_data(SSL *s,int idx)
int SSL_CTX_get_ex_new_index(long argl,void *argp,CRYPTO_EX_new *new_func,
CRYPTO_EX_dup *dup_func,CRYPTO_EX_free *free_func)
{
- ssl_ctx_meth_num++;
- return(CRYPTO_get_ex_new_index(ssl_ctx_meth_num-1,
- &ssl_ctx_meth,argl,argp,new_func,dup_func,free_func));
+ return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_CTX, argl, argp,
+ new_func, dup_func, free_func);
}
int SSL_CTX_set_ex_data(SSL_CTX *s,int idx,void *arg)
@@ -2031,7 +2237,7 @@ int SSL_want(SSL *s)
* \param cb the callback
*/
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,RSA *(*cb)(SSL *ssl,
int is_export,
int keylength))
@@ -2068,21 +2274,33 @@ RSA *cb(SSL *ssl,int is_export,int keylength)
* \param dh the callback
*/
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,DH *(*dh)(SSL *ssl,int is_export,
int keylength))
- {
- SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_DH_CB,(void (*)())dh);
- }
+ {
+ SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_DH_CB,(void (*)())dh);
+ }
void SSL_set_tmp_dh_callback(SSL *ssl,DH *(*dh)(SSL *ssl,int is_export,
int keylength))
- {
- SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_DH_CB,(void (*)())dh);
- }
+ {
+ SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_DH_CB,(void (*)())dh);
+ }
#endif
-#if defined(_WINDLL) && defined(WIN16)
+
+void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))
+ {
+ SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_MSG_CALLBACK, (void (*)())cb);
+ }
+void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))
+ {
+ SSL_callback_ctrl(ssl, SSL_CTRL_SET_MSG_CALLBACK, (void (*)())cb);
+ }
+
+
+
+#if defined(_WINDLL) && defined(OPENSSL_SYS_WIN16)
#include "../crypto/bio/bss_file.c"
#endif
diff --git a/crypto/openssl/ssl/ssl_locl.h b/crypto/openssl/ssl/ssl_locl.h
index d15b330..dd6c7a7 100644
--- a/crypto/openssl/ssl/ssl_locl.h
+++ b/crypto/openssl/ssl/ssl_locl.h
@@ -56,7 +56,7 @@
* [including the GNU Public Licence.]
*/
/* ====================================================================
- * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -116,7 +116,7 @@
#include <string.h>
#include <errno.h>
-#include "openssl/e_os.h"
+#include "e_os.h"
#include <openssl/buffer.h>
#include <openssl/comp.h>
@@ -127,6 +127,12 @@
#include <openssl/x509.h>
#include <openssl/err.h>
#include <openssl/ssl.h>
+#include <openssl/symhacks.h>
+
+#ifdef OPENSSL_BUILD_SHLIBSSL
+# undef OPENSSL_EXTERN
+# define OPENSSL_EXTERN OPENSSL_EXPORT
+#endif
#define PKCS1_CHECK
@@ -221,48 +227,52 @@
* that the different entities within are mutually exclusive:
* ONLY ONE BIT PER MASK CAN BE SET AT A TIME.
*/
-#define SSL_MKEY_MASK 0x0000001FL
+#define SSL_MKEY_MASK 0x0000003FL
#define SSL_kRSA 0x00000001L /* RSA key exchange */
#define SSL_kDHr 0x00000002L /* DH cert RSA CA cert */
#define SSL_kDHd 0x00000004L /* DH cert DSA CA cert */
#define SSL_kFZA 0x00000008L
#define SSL_kEDH 0x00000010L /* tmp DH key no DH cert */
+#define SSL_kKRB5 0x00000020L /* Kerberos5 key exchange */
#define SSL_EDH (SSL_kEDH|(SSL_AUTH_MASK^SSL_aNULL))
-#define SSL_AUTH_MASK 0x000003e0L
-#define SSL_aRSA 0x00000020L /* Authenticate with RSA */
-#define SSL_aDSS 0x00000040L /* Authenticate with DSS */
+#define SSL_AUTH_MASK 0x00000FC0L
+#define SSL_aRSA 0x00000040L /* Authenticate with RSA */
+#define SSL_aDSS 0x00000080L /* Authenticate with DSS */
#define SSL_DSS SSL_aDSS
-#define SSL_aFZA 0x00000080L
-#define SSL_aNULL 0x00000100L /* no Authenticate, ADH */
-#define SSL_aDH 0x00000200L /* no Authenticate, ADH */
+#define SSL_aFZA 0x00000100L
+#define SSL_aNULL 0x00000200L /* no Authenticate, ADH */
+#define SSL_aDH 0x00000400L /* no Authenticate, ADH */
+#define SSL_aKRB5 0x00000800L /* Authenticate with KRB5 */
#define SSL_NULL (SSL_eNULL)
#define SSL_ADH (SSL_kEDH|SSL_aNULL)
#define SSL_RSA (SSL_kRSA|SSL_aRSA)
#define SSL_DH (SSL_kDHr|SSL_kDHd|SSL_kEDH)
#define SSL_FZA (SSL_aFZA|SSL_kFZA|SSL_eFZA)
-
-#define SSL_ENC_MASK 0x0001Fc00L
-#define SSL_DES 0x00000400L
-#define SSL_3DES 0x00000800L
-#define SSL_RC4 0x00001000L
-#define SSL_RC2 0x00002000L
-#define SSL_IDEA 0x00004000L
-#define SSL_eFZA 0x00008000L
-#define SSL_eNULL 0x00010000L
-
-#define SSL_MAC_MASK 0x00060000L
-#define SSL_MD5 0x00020000L
-#define SSL_SHA1 0x00040000L
+#define SSL_KRB5 (SSL_kKRB5|SSL_aKRB5)
+
+#define SSL_ENC_MASK 0x0087F000L
+#define SSL_DES 0x00001000L
+#define SSL_3DES 0x00002000L
+#define SSL_RC4 0x00004000L
+#define SSL_RC2 0x00008000L
+#define SSL_IDEA 0x00010000L
+#define SSL_eFZA 0x00020000L
+#define SSL_eNULL 0x00040000L
+#define SSL_AES 0x00800000L
+
+#define SSL_MAC_MASK 0x00180000L
+#define SSL_MD5 0x00080000L
+#define SSL_SHA1 0x00100000L
#define SSL_SHA (SSL_SHA1)
-#define SSL_SSL_MASK 0x00180000L
-#define SSL_SSLV2 0x00080000L
-#define SSL_SSLV3 0x00100000L
+#define SSL_SSL_MASK 0x00600000L
+#define SSL_SSLV2 0x00200000L
+#define SSL_SSLV3 0x00400000L
#define SSL_TLSV1 SSL_SSLV3 /* for now */
-/* we have used 001fffff - 11 bits left to go */
+/* we have used 007fffff - 9 bits left to go */
/*
* Export and cipher strength information. For each cipher we have to decide
@@ -368,11 +378,11 @@ typedef struct cert_st
int valid;
unsigned long mask;
unsigned long export_mask;
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
RSA *rsa_tmp;
RSA *(*rsa_tmp_cb)(SSL *ssl,int is_export,int keysize);
#endif
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
DH *dh_tmp;
DH *(*dh_tmp_cb)(SSL *ssl,int is_export,int keysize);
#endif
@@ -395,10 +405,10 @@ typedef struct sess_cert_st
/* Obviously we don't have the private keys of these,
* so maybe we shouldn't even use the CERT_PKEY type here. */
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
RSA *peer_rsa_tmp; /* not used for SSL 2 */
#endif
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
DH *peer_dh_tmp; /* not used for SSL 2 */
#endif
@@ -455,9 +465,9 @@ OPENSSL_EXTERN SSL3_ENC_METHOD ssl3_undef_enc_method;
OPENSSL_EXTERN SSL_CIPHER ssl2_ciphers[];
OPENSSL_EXTERN SSL_CIPHER ssl3_ciphers[];
-#ifdef VMS
+#ifdef OPENSSL_SYS_VMS
#undef SSL_COMP_get_compression_methods
-#define SSL_COMP_get_compression_methods SSL_COMP_get_compress_methods
+#define SSL_COMP_get_compression_methods SSL_COMP_get_compress_methods
#endif
@@ -521,8 +531,8 @@ int ssl2_peek(SSL *s, void *buf, int len);
int ssl2_write(SSL *s, const void *buf, int len);
int ssl2_shutdown(SSL *s);
void ssl2_clear(SSL *s);
-long ssl2_ctrl(SSL *s,int cmd, long larg, char *parg);
-long ssl2_ctx_ctrl(SSL_CTX *s,int cmd, long larg, char *parg);
+long ssl2_ctrl(SSL *s,int cmd, long larg, void *parg);
+long ssl2_ctx_ctrl(SSL_CTX *s,int cmd, long larg, void *parg);
long ssl2_callback_ctrl(SSL *s,int cmd, void (*fp)());
long ssl2_ctx_callback_ctrl(SSL_CTX *s,int cmd, void (*fp)());
int ssl2_pending(SSL *s);
@@ -557,8 +567,8 @@ void ssl3_finish_mac(SSL *s, const unsigned char *buf, int len);
int ssl3_enc(SSL *s, int send_data);
int ssl3_mac(SSL *ssl, unsigned char *md, int send_data);
unsigned long ssl3_output_cert_chain(SSL *s, X509 *x);
-SSL_CIPHER *ssl3_choose_cipher(SSL *ssl,STACK_OF(SSL_CIPHER) *have,
- STACK_OF(SSL_CIPHER) *pref);
+SSL_CIPHER *ssl3_choose_cipher(SSL *ssl,STACK_OF(SSL_CIPHER) *clnt,
+ STACK_OF(SSL_CIPHER) *srvr);
int ssl3_setup_buffers(SSL *s);
int ssl3_new(SSL *s);
void ssl3_free(SSL *s);
@@ -569,8 +579,8 @@ int ssl3_peek(SSL *s, void *buf, int len);
int ssl3_write(SSL *s, const void *buf, int len);
int ssl3_shutdown(SSL *s);
void ssl3_clear(SSL *s);
-long ssl3_ctrl(SSL *s,int cmd, long larg, char *parg);
-long ssl3_ctx_ctrl(SSL_CTX *s,int cmd, long larg, char *parg);
+long ssl3_ctrl(SSL *s,int cmd, long larg, void *parg);
+long ssl3_ctx_ctrl(SSL_CTX *s,int cmd, long larg, void *parg);
long ssl3_callback_ctrl(SSL *s,int cmd, void (*fp)());
long ssl3_ctx_callback_ctrl(SSL_CTX *s,int cmd, void (*fp)());
int ssl3_pending(SSL *s);
@@ -583,7 +593,7 @@ int ssl23_write_bytes(SSL *s);
int tls1_new(SSL *s);
void tls1_free(SSL *s);
void tls1_clear(SSL *s);
-long tls1_ctrl(SSL *s,int cmd, long larg, char *parg);
+long tls1_ctrl(SSL *s,int cmd, long larg, void *parg);
long tls1_callback_ctrl(SSL *s,int cmd, void (*fp)());
SSL_METHOD *tlsv1_base_method(void );
diff --git a/crypto/openssl/ssl/ssl_rsa.c b/crypto/openssl/ssl/ssl_rsa.c
index 6ec7a5c..03828b6 100644
--- a/crypto/openssl/ssl/ssl_rsa.c
+++ b/crypto/openssl/ssl/ssl_rsa.c
@@ -57,12 +57,12 @@
*/
#include <stdio.h>
+#include "ssl_locl.h"
#include <openssl/bio.h>
#include <openssl/objects.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
-#include "ssl_locl.h"
static int ssl_set_cert(CERT *c, X509 *x509);
static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey);
@@ -81,7 +81,7 @@ int SSL_use_certificate(SSL *ssl, X509 *x)
return(ssl_set_cert(ssl->cert,x));
}
-#ifndef NO_STDIO
+#ifndef OPENSSL_NO_STDIO
int SSL_use_certificate_file(SSL *ssl, const char *file, int type)
{
int j;
@@ -148,7 +148,7 @@ int SSL_use_certificate_ASN1(SSL *ssl, unsigned char *d, int len)
return(ret);
}
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa)
{
EVP_PKEY *pkey;
@@ -170,7 +170,7 @@ int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa)
return(0);
}
- CRYPTO_add(&rsa->references,1,CRYPTO_LOCK_RSA);
+ RSA_up_ref(rsa);
EVP_PKEY_assign_RSA(pkey,rsa);
ret=ssl_set_pkey(ssl->cert,pkey);
@@ -198,7 +198,7 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
EVP_PKEY_free(pktmp);
ERR_clear_error();
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
/* Don't check the public/private key, this is mostly
* for smart cards. */
if ((pkey->type == EVP_PKEY_RSA) &&
@@ -251,8 +251,8 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
return(1);
}
-#ifndef NO_RSA
-#ifndef NO_STDIO
+#ifndef OPENSSL_NO_RSA
+#ifndef OPENSSL_NO_STDIO
int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type)
{
int j,ret=0;
@@ -303,7 +303,7 @@ end:
int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len)
{
int ret;
- unsigned char *p;
+ const unsigned char *p;
RSA *rsa;
p=d;
@@ -317,7 +317,7 @@ int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len)
RSA_free(rsa);
return(ret);
}
-#endif /* !NO_RSA */
+#endif /* !OPENSSL_NO_RSA */
int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey)
{
@@ -337,7 +337,7 @@ int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey)
return(ret);
}
-#ifndef NO_STDIO
+#ifndef OPENSSL_NO_STDIO
int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type)
{
int j,ret=0;
@@ -438,7 +438,7 @@ static int ssl_set_cert(CERT *c, X509 *x)
EVP_PKEY_copy_parameters(pkey,c->pkeys[i].privatekey);
ERR_clear_error();
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
/* Don't check the public/private key, this is mostly
* for smart cards. */
if ((c->pkeys[i].privatekey->type == EVP_PKEY_RSA) &&
@@ -471,7 +471,7 @@ static int ssl_set_cert(CERT *c, X509 *x)
}
else
ok=1;
- } /* NO_RSA */
+ } /* OPENSSL_NO_RSA */
}
else
ok=1;
@@ -493,7 +493,7 @@ static int ssl_set_cert(CERT *c, X509 *x)
return(1);
}
-#ifndef NO_STDIO
+#ifndef OPENSSL_NO_STDIO
int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type)
{
int j;
@@ -560,7 +560,7 @@ int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, unsigned char *d)
return(ret);
}
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa)
{
int ret;
@@ -582,7 +582,7 @@ int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa)
return(0);
}
- CRYPTO_add(&rsa->references,1,CRYPTO_LOCK_RSA);
+ RSA_up_ref(rsa);
EVP_PKEY_assign_RSA(pkey,rsa);
ret=ssl_set_pkey(ctx->cert, pkey);
@@ -590,7 +590,7 @@ int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa)
return(ret);
}
-#ifndef NO_STDIO
+#ifndef OPENSSL_NO_STDIO
int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type)
{
int j,ret=0;
@@ -641,7 +641,7 @@ end:
int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, unsigned char *d, long len)
{
int ret;
- unsigned char *p;
+ const unsigned char *p;
RSA *rsa;
p=d;
@@ -655,7 +655,7 @@ int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, unsigned char *d, long len)
RSA_free(rsa);
return(ret);
}
-#endif /* !NO_RSA */
+#endif /* !OPENSSL_NO_RSA */
int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey)
{
@@ -672,7 +672,7 @@ int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey)
return(ssl_set_pkey(ctx->cert,pkey));
}
-#ifndef NO_STDIO
+#ifndef OPENSSL_NO_STDIO
int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type)
{
int j,ret=0;
@@ -735,7 +735,7 @@ int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, unsigned char *d,
}
-#ifndef NO_STDIO
+#ifndef OPENSSL_NO_STDIO
/* Read a file that contains our certificate in "PEM" format,
* possibly followed by a sequence of CA certificates that should be
* sent to the peer in the Certificate message.
@@ -800,9 +800,9 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
* by SSL_CTX_use_certificate). */
}
/* When the while loop ends, it's usually just EOF. */
- err = ERR_peek_error();
+ err = ERR_peek_last_error();
if (ERR_GET_LIB(err) == ERR_LIB_PEM && ERR_GET_REASON(err) == PEM_R_NO_START_LINE)
- (void) ERR_get_error();
+ (void)ERR_get_error();
else
ret = 0; /* some real error */
}
diff --git a/crypto/openssl/ssl/ssl_sess.c b/crypto/openssl/ssl/ssl_sess.c
index 2f2d5bc..fbc30b9 100644
--- a/crypto/openssl/ssl/ssl_sess.c
+++ b/crypto/openssl/ssl/ssl_sess.c
@@ -65,8 +65,6 @@
static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
static void SSL_SESSION_list_add(SSL_CTX *ctx,SSL_SESSION *s);
static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck);
-static int ssl_session_num=0;
-static STACK_OF(CRYPTO_EX_DATA_FUNCS) *ssl_session_meth=NULL;
SSL_SESSION *SSL_get_session(SSL *ssl)
/* aka SSL_get0_session; gets 0 objects, just returns a copy of the pointer */
@@ -92,10 +90,8 @@ SSL_SESSION *SSL_get1_session(SSL *ssl)
int SSL_SESSION_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
{
- ssl_session_num++;
- return(CRYPTO_get_ex_new_index(ssl_session_num-1,
- &ssl_session_meth,
- argl,argp,new_func,dup_func,free_func));
+ return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_SESSION, argl, argp,
+ new_func, dup_func, free_func);
}
int SSL_SESSION_set_ex_data(SSL_SESSION *s, int idx, void *arg)
@@ -127,15 +123,49 @@ SSL_SESSION *SSL_SESSION_new(void)
ss->prev=NULL;
ss->next=NULL;
ss->compress_meth=0;
- CRYPTO_new_ex_data(ssl_session_meth,ss,&ss->ex_data);
+ CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data);
return(ss);
}
+/* Even with SSLv2, we have 16 bytes (128 bits) of session ID space. SSLv3/TLSv1
+ * has 32 bytes (256 bits). As such, filling the ID with random gunk repeatedly
+ * until we have no conflict is going to complete in one iteration pretty much
+ * "most" of the time (btw: understatement). So, if it takes us 10 iterations
+ * and we still can't avoid a conflict - well that's a reasonable point to call
+ * it quits. Either the RAND code is broken or someone is trying to open roughly
+ * very close to 2^128 (or 2^256) SSL sessions to our server. How you might
+ * store that many sessions is perhaps a more interesting question ... */
+
+#define MAX_SESS_ID_ATTEMPTS 10
+static int def_generate_session_id(const SSL *ssl, unsigned char *id,
+ unsigned int *id_len)
+{
+ unsigned int retry = 0;
+ do
+ RAND_pseudo_bytes(id, *id_len);
+ while(SSL_has_matching_session_id(ssl, id, *id_len) &&
+ (++retry < MAX_SESS_ID_ATTEMPTS));
+ if(retry < MAX_SESS_ID_ATTEMPTS)
+ return 1;
+ /* else - woops a session_id match */
+ /* XXX We should also check the external cache --
+ * but the probability of a collision is negligible, and
+ * we could not prevent the concurrent creation of sessions
+ * with identical IDs since we currently don't have means
+ * to atomically check whether a session ID already exists
+ * and make a reservation for it if it does not
+ * (this problem applies to the internal cache as well).
+ */
+ return 0;
+}
+
int ssl_get_new_session(SSL *s, int session)
{
/* This gets used by clients and servers. */
+ unsigned int tmp;
SSL_SESSION *ss=NULL;
+ GEN_SESSION_CB cb = def_generate_session_id;
if ((ss=SSL_SESSION_new()) == NULL) return(0);
@@ -174,25 +204,46 @@ int ssl_get_new_session(SSL *s, int session)
SSL_SESSION_free(ss);
return(0);
}
-
- for (;;)
+ /* Choose which callback will set the session ID */
+ CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
+ if(s->generate_session_id)
+ cb = s->generate_session_id;
+ else if(s->ctx->generate_session_id)
+ cb = s->ctx->generate_session_id;
+ CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
+ /* Choose a session ID */
+ tmp = ss->session_id_length;
+ if(!cb(s, ss->session_id, &tmp))
{
- SSL_SESSION *r;
-
- RAND_pseudo_bytes(ss->session_id,ss->session_id_length);
- CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
- r=(SSL_SESSION *)lh_retrieve(s->ctx->sessions, ss);
- CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
- if (r == NULL) break;
- /* else - woops a session_id match */
- /* XXX We should also check the external cache --
- * but the probability of a collision is negligible, and
- * we could not prevent the concurrent creation of sessions
- * with identical IDs since we currently don't have means
- * to atomically check whether a session ID already exists
- * and make a reservation for it if it does not
- * (this problem applies to the internal cache as well).
- */
+ /* The callback failed */
+ SSLerr(SSL_F_SSL_GET_NEW_SESSION,
+ SSL_R_SSL_SESSION_ID_CALLBACK_FAILED);
+ SSL_SESSION_free(ss);
+ return(0);
+ }
+ /* Don't allow the callback to set the session length to zero.
+ * nor set it higher than it was. */
+ if(!tmp || (tmp > ss->session_id_length))
+ {
+ /* The callback set an illegal length */
+ SSLerr(SSL_F_SSL_GET_NEW_SESSION,
+ SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH);
+ SSL_SESSION_free(ss);
+ return(0);
+ }
+ /* If the session length was shrunk and we're SSLv2, pad it */
+ if((tmp < ss->session_id_length) && (s->version == SSL2_VERSION))
+ memset(ss->session_id + tmp, 0, ss->session_id_length - tmp);
+ else
+ ss->session_id_length = tmp;
+ /* Finally, check for a conflict */
+ if(SSL_has_matching_session_id(s, ss->session_id,
+ ss->session_id_length))
+ {
+ SSLerr(SSL_F_SSL_GET_NEW_SESSION,
+ SSL_R_SSL_SESSION_ID_CONFLICT);
+ SSL_SESSION_free(ss);
+ return(0);
}
}
else
@@ -202,7 +253,7 @@ int ssl_get_new_session(SSL *s, int session)
if (s->sid_ctx_length > sizeof ss->sid_ctx)
{
- SSLerr(SSL_F_SSL_GET_NEW_SESSION, SSL_R_INTERNAL_ERROR);
+ SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_INTERNAL_ERROR);
SSL_SESSION_free(ss);
return 0;
}
@@ -258,9 +309,12 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len)
if (copy)
CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION);
- /* The following should not return 1, otherwise,
- * things are very strange */
- SSL_CTX_add_session(s->ctx,ret);
+ /* Add the externally cached session to the internal
+ * cache as well if and only if we are supposed to. */
+ if(!(s->ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_STORE))
+ /* The following should not return 1, otherwise,
+ * things are very strange */
+ SSL_CTX_add_session(s->ctx,ret);
}
if (ret == NULL)
goto err;
@@ -472,15 +526,15 @@ void SSL_SESSION_free(SSL_SESSION *ss)
}
#endif
- CRYPTO_free_ex_data(ssl_session_meth,ss,&ss->ex_data);
+ CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data);
- memset(ss->key_arg,0,SSL_MAX_KEY_ARG_LENGTH);
- memset(ss->master_key,0,SSL_MAX_MASTER_KEY_LENGTH);
- memset(ss->session_id,0,SSL_MAX_SSL_SESSION_ID_LENGTH);
+ OPENSSL_cleanse(ss->key_arg,sizeof ss->key_arg);
+ OPENSSL_cleanse(ss->master_key,sizeof ss->master_key);
+ OPENSSL_cleanse(ss->session_id,sizeof ss->session_id);
if (ss->sess_cert != NULL) ssl_sess_cert_free(ss->sess_cert);
if (ss->peer != NULL) X509_free(ss->peer);
if (ss->ciphers != NULL) sk_SSL_CIPHER_free(ss->ciphers);
- memset(ss,0,sizeof(*ss));
+ OPENSSL_cleanse(ss,sizeof(*ss));
OPENSSL_free(ss);
}
@@ -510,6 +564,17 @@ int SSL_set_session(SSL *s, SSL_SESSION *session)
session->timeout=s->ctx->session_timeout;
}
+#ifndef OPENSSL_NO_KRB5
+ if (s->kssl_ctx && !s->kssl_ctx->client_princ &&
+ session->krb5_client_princ_len > 0)
+ {
+ s->kssl_ctx->client_princ = (char *)malloc(session->krb5_client_princ_len + 1);
+ memcpy(s->kssl_ctx->client_princ,session->krb5_client_princ,
+ session->krb5_client_princ_len);
+ s->kssl_ctx->client_princ[session->krb5_client_princ_len] = '\0';
+ }
+#endif /* OPENSSL_NO_KRB5 */
+
/* CRYPTO_w_lock(CRYPTO_LOCK_SSL);*/
CRYPTO_add(&session->references,1,CRYPTO_LOCK_SSL_SESSION);
if (s->session != NULL)
@@ -601,6 +666,8 @@ static void timeout(SSL_SESSION *s, TIMEOUT_PARAM *p)
}
}
+static IMPLEMENT_LHASH_DOALL_ARG_FN(timeout, SSL_SESSION *, TIMEOUT_PARAM *)
+
void SSL_CTX_flush_sessions(SSL_CTX *s, long t)
{
unsigned long i;
@@ -613,7 +680,7 @@ void SSL_CTX_flush_sessions(SSL_CTX *s, long t)
CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
i=tp.cache->down_load;
tp.cache->down_load=0;
- lh_doall_arg(tp.cache,(void (*)())timeout,&tp);
+ lh_doall_arg(tp.cache, LHASH_DOALL_ARG_FN(timeout), &tp);
tp.cache->down_load=i;
CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
}
diff --git a/crypto/openssl/ssl/ssl_stat.c b/crypto/openssl/ssl/ssl_stat.c
index 893c98e..b16d253 100644
--- a/crypto/openssl/ssl/ssl_stat.c
+++ b/crypto/openssl/ssl/ssl_stat.c
@@ -59,9 +59,9 @@
#include <stdio.h>
#include "ssl_locl.h"
-char *SSL_state_string_long(SSL *s)
+const char *SSL_state_string_long(const SSL *s)
{
- char *str;
+ const char *str;
switch (s->state)
{
@@ -74,7 +74,7 @@ case SSL_ST_BEFORE|SSL_ST_CONNECT: str="before/connect initialization"; break;
case SSL_ST_OK|SSL_ST_CONNECT: str="ok/connect SSL initialization"; break;
case SSL_ST_BEFORE|SSL_ST_ACCEPT: str="before/accept initialization"; break;
case SSL_ST_OK|SSL_ST_ACCEPT: str="ok/accept SSL initialization"; break;
-#ifndef NO_SSL2
+#ifndef OPENSSL_NO_SSL2
case SSL2_ST_CLIENT_START_ENCRYPTION: str="SSLv2 client start encryption"; break;
case SSL2_ST_SERVER_START_ENCRYPTION: str="SSLv2 server start encryption"; break;
case SSL2_ST_SEND_CLIENT_HELLO_A: str="SSLv2 write client hello A"; break;
@@ -115,7 +115,7 @@ case SSL2_ST_X509_GET_SERVER_CERTIFICATE: str="SSLv2 X509 read server certificat
case SSL2_ST_X509_GET_CLIENT_CERTIFICATE: str="SSLv2 X509 read client certificate"; break;
#endif
-#ifndef NO_SSL3
+#ifndef OPENSSL_NO_SSL3
/* SSLv3 additions */
case SSL3_ST_CW_CLNT_HELLO_A: str="SSLv3 write client hello A"; break;
case SSL3_ST_CW_CLNT_HELLO_B: str="SSLv3 write client hello B"; break;
@@ -182,7 +182,7 @@ case SSL3_ST_SR_CERT_VRFY_A: str="SSLv3 read certificate verify A"; break;
case SSL3_ST_SR_CERT_VRFY_B: str="SSLv3 read certificate verify B"; break;
#endif
-#if !defined(NO_SSL2) && !defined(NO_SSL3)
+#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
/* SSLv2/v3 compatibility states */
/* client */
case SSL23_ST_CW_CLNT_HELLO_A: str="SSLv2/v3 write client hello A"; break;
@@ -199,9 +199,9 @@ default: str="unknown state"; break;
return(str);
}
-char *SSL_rstate_string_long(SSL *s)
+const char *SSL_rstate_string_long(const SSL *s)
{
- char *str;
+ const char *str;
switch (s->rstate)
{
@@ -213,9 +213,9 @@ char *SSL_rstate_string_long(SSL *s)
return(str);
}
-char *SSL_state_string(SSL *s)
+const char *SSL_state_string(const SSL *s)
{
- char *str;
+ const char *str;
switch (s->state)
{
@@ -223,7 +223,7 @@ case SSL_ST_BEFORE: str="PINIT "; break;
case SSL_ST_ACCEPT: str="AINIT "; break;
case SSL_ST_CONNECT: str="CINIT "; break;
case SSL_ST_OK: str="SSLOK "; break;
-#ifndef NO_SSL2
+#ifndef OPENSSL_NO_SSL2
case SSL2_ST_CLIENT_START_ENCRYPTION: str="2CSENC"; break;
case SSL2_ST_SERVER_START_ENCRYPTION: str="2SSENC"; break;
case SSL2_ST_SEND_CLIENT_HELLO_A: str="2SCH_A"; break;
@@ -264,7 +264,7 @@ case SSL2_ST_X509_GET_SERVER_CERTIFICATE: str="2X9GSC"; break;
case SSL2_ST_X509_GET_CLIENT_CERTIFICATE: str="2X9GCC"; break;
#endif
-#ifndef NO_SSL3
+#ifndef OPENSSL_NO_SSL3
/* SSLv3 additions */
case SSL3_ST_SW_FLUSH:
case SSL3_ST_CW_FLUSH: str="3FLUSH"; break;
@@ -330,7 +330,7 @@ case SSL3_ST_SR_CERT_VRFY_A: str="3RCV_A"; break;
case SSL3_ST_SR_CERT_VRFY_B: str="3RCV_B"; break;
#endif
-#if !defined(NO_SSL2) && !defined(NO_SSL3)
+#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
/* SSLv2/v3 compatibility states */
/* client */
case SSL23_ST_CW_CLNT_HELLO_A: str="23WCHA"; break;
@@ -347,7 +347,7 @@ default: str="UNKWN "; break;
return(str);
}
-char *SSL_alert_type_string_long(int value)
+const char *SSL_alert_type_string_long(int value)
{
value>>=8;
if (value == SSL3_AL_WARNING)
@@ -358,7 +358,7 @@ char *SSL_alert_type_string_long(int value)
return("unknown");
}
-char *SSL_alert_type_string(int value)
+const char *SSL_alert_type_string(int value)
{
value>>=8;
if (value == SSL3_AL_WARNING)
@@ -369,9 +369,9 @@ char *SSL_alert_type_string(int value)
return("U");
}
-char *SSL_alert_desc_string(int value)
+const char *SSL_alert_desc_string(int value)
{
- char *str;
+ const char *str;
switch (value & 0xff)
{
@@ -404,9 +404,9 @@ char *SSL_alert_desc_string(int value)
return(str);
}
-char *SSL_alert_desc_string_long(int value)
+const char *SSL_alert_desc_string_long(int value)
{
- char *str;
+ const char *str;
switch (value & 0xff)
{
@@ -487,9 +487,9 @@ char *SSL_alert_desc_string_long(int value)
return(str);
}
-char *SSL_rstate_string(SSL *s)
+const char *SSL_rstate_string(const SSL *s)
{
- char *str;
+ const char *str;
switch (s->rstate)
{
diff --git a/crypto/openssl/ssl/ssl_task.c b/crypto/openssl/ssl/ssl_task.c
index cac701a..b5ce44b 100644
--- a/crypto/openssl/ssl/ssl_task.c
+++ b/crypto/openssl/ssl/ssl_task.c
@@ -124,7 +124,7 @@ int LIB$INIT_TIMER(), LIB$SHOW_TIMER();
#include <string.h> /* from ssltest.c */
#include <errno.h>
-#include "openssl/e_os.h"
+#include "e_os.h"
#include <openssl/buffer.h>
#include <openssl/x509.h>
@@ -258,7 +258,7 @@ int doit(io_channel chan, SSL_CTX *s_ctx )
{
int status, length, link_state;
struct rpc_msg msg;
- static char cbuf[200],sbuf[200];
+
SSL *s_ssl=NULL;
BIO *c_to_s=NULL;
BIO *s_to_c=NULL;
diff --git a/crypto/openssl/ssl/ssl_txt.c b/crypto/openssl/ssl/ssl_txt.c
index 6e33eec..40b76b1 100644
--- a/crypto/openssl/ssl/ssl_txt.c
+++ b/crypto/openssl/ssl/ssl_txt.c
@@ -60,7 +60,7 @@
#include <openssl/buffer.h>
#include "ssl_locl.h"
-#ifndef NO_FP_API
+#ifndef OPENSSL_NO_FP_API
int SSL_SESSION_print_fp(FILE *fp, SSL_SESSION *x)
{
BIO *b;
@@ -139,6 +139,18 @@ int SSL_SESSION_print(BIO *bp, SSL_SESSION *x)
{
if (BIO_printf(bp,"%02X",x->key_arg[i]) <= 0) goto err;
}
+#ifndef OPENSSL_NO_KRB5
+ if (BIO_puts(bp,"\n Krb5 Principal: ") <= 0) goto err;
+ if (x->krb5_client_princ_len == 0)
+ {
+ if (BIO_puts(bp,"None") <= 0) goto err;
+ }
+ else
+ for (i=0; i<x->krb5_client_princ_len; i++)
+ {
+ if (BIO_printf(bp,"%02X",x->krb5_client_princ[i]) <= 0) goto err;
+ }
+#endif /* OPENSSL_NO_KRB5 */
if (x->compress_meth != 0)
{
SSL_COMP *comp;
diff --git a/crypto/openssl/ssl/ssltest.c b/crypto/openssl/ssl/ssltest.c
index 5f91ed1..4fa9d41 100644
--- a/crypto/openssl/ssl/ssltest.c
+++ b/crypto/openssl/ssl/ssltest.c
@@ -55,6 +55,62 @@
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#define _BSD_SOURCE 1 /* Or gethostname won't be declared properly
+ on Linux and GNU platforms. */
#include <assert.h>
#include <errno.h>
@@ -64,33 +120,57 @@
#include <string.h>
#include <time.h>
-#include "openssl/e_os.h"
+#define USE_SOCKETS
+#include "e_os.h"
#include <openssl/bio.h>
#include <openssl/crypto.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
#include <openssl/ssl.h>
+#include <openssl/engine.h>
#include <openssl/err.h>
#include <openssl/rand.h>
-#ifdef WINDOWS
+
+#define _XOPEN_SOURCE_EXTENDED 1 /* Or gethostname won't be declared properly
+ on Compaq platforms (at least with DEC C).
+ Do not try to put it earlier, or IPv6 includes
+ get screwed...
+ */
+
+#ifdef OPENSSL_SYS_WINDOWS
+#include <winsock.h>
#include "../crypto/bio/bss_file.c"
+#else
+#include OPENSSL_UNISTD
#endif
-#ifdef VMS
+#ifdef OPENSSL_SYS_VMS
# define TEST_SERVER_CERT "SYS$DISK:[-.APPS]SERVER.PEM"
# define TEST_CLIENT_CERT "SYS$DISK:[-.APPS]CLIENT.PEM"
+#elif defined(OPENSSL_SYS_WINCE)
+# define TEST_SERVER_CERT "\\OpenSSL\\server.pem"
+# define TEST_CLIENT_CERT "\\OpenSSL\\client.pem"
#else
# define TEST_SERVER_CERT "../apps/server.pem"
# define TEST_CLIENT_CERT "../apps/client.pem"
#endif
+/* There is really no standard for this, so let's assign some tentative
+ numbers. In any case, these numbers are only for this test */
+#define COMP_RLE 1
+#define COMP_ZLIB 2
+
static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export,int keylength);
static void free_tmp_rsa(void);
#endif
-#ifndef NO_DH
+static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg);
+#define APP_CALLBACK "Test Callback Argument"
+static char *app_verify_arg = APP_CALLBACK;
+
+#ifndef OPENSSL_NO_DH
static DH *get_dh512(void);
static DH *get_dh1024(void);
static DH *get_dh1024dsa(void);
@@ -124,18 +204,18 @@ static void sv_usage(void)
fprintf(stderr," -reuse - use session-id reuse\n");
fprintf(stderr," -num <val> - number of connections to perform\n");
fprintf(stderr," -bytes <val> - number of bytes to swap between client/server\n");
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
fprintf(stderr," -dhe1024 - use 1024 bit key (safe prime) for DHE\n");
fprintf(stderr," -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n");
fprintf(stderr," -no_dhe - disable DHE\n");
#endif
-#ifndef NO_SSL2
+#ifndef OPENSSL_NO_SSL2
fprintf(stderr," -ssl2 - use SSLv2\n");
#endif
-#ifndef NO_SSL3
+#ifndef OPENSSL_NO_SSL3
fprintf(stderr," -ssl3 - use SSLv3\n");
#endif
-#ifndef NO_TLS1
+#ifndef OPENSSL_NO_TLS1
fprintf(stderr," -tls1 - use TLSv1\n");
#endif
fprintf(stderr," -CApath arg - PEM format directory of CA's\n");
@@ -148,6 +228,8 @@ static void sv_usage(void)
fprintf(stderr," -bio_pair - Use BIO pairs\n");
fprintf(stderr," -f - Test even cases that can't work\n");
fprintf(stderr," -time - measure processor time used by client and server\n");
+ fprintf(stderr," -zlib - use zlib compression\n");
+ fprintf(stderr," -time - use rle compression\n");
}
static void print_details(SSL *c_ssl, const char *prefix)
@@ -169,7 +251,7 @@ static void print_details(SSL *c_ssl, const char *prefix)
{
if (0)
;
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
else if (pkey->type == EVP_PKEY_RSA && pkey->pkey.rsa != NULL
&& pkey->pkey.rsa->n != NULL)
{
@@ -177,7 +259,7 @@ static void print_details(SSL *c_ssl, const char *prefix)
BN_num_bits(pkey->pkey.rsa->n));
}
#endif
-#ifndef NO_DSA
+#ifndef OPENSSL_NO_DSA
else if (pkey->type == EVP_PKEY_DSA && pkey->pkey.dsa != NULL
&& pkey->pkey.dsa->p != NULL)
{
@@ -194,6 +276,69 @@ static void print_details(SSL *c_ssl, const char *prefix)
BIO_printf(bio_stdout,"\n");
}
+static void lock_dbg_cb(int mode, int type, const char *file, int line)
+ {
+ static int modes[CRYPTO_NUM_LOCKS]; /* = {0, 0, ... } */
+ const char *errstr = NULL;
+ int rw;
+
+ rw = mode & (CRYPTO_READ|CRYPTO_WRITE);
+ if (!((rw == CRYPTO_READ) || (rw == CRYPTO_WRITE)))
+ {
+ errstr = "invalid mode";
+ goto err;
+ }
+
+ if (type < 0 || type > CRYPTO_NUM_LOCKS)
+ {
+ errstr = "type out of bounds";
+ goto err;
+ }
+
+ if (mode & CRYPTO_LOCK)
+ {
+ if (modes[type])
+ {
+ errstr = "already locked";
+ /* must not happen in a single-threaded program
+ * (would deadlock) */
+ goto err;
+ }
+
+ modes[type] = rw;
+ }
+ else if (mode & CRYPTO_UNLOCK)
+ {
+ if (!modes[type])
+ {
+ errstr = "not locked";
+ goto err;
+ }
+
+ if (modes[type] != rw)
+ {
+ errstr = (rw == CRYPTO_READ) ?
+ "CRYPTO_r_unlock on write lock" :
+ "CRYPTO_w_unlock on read lock";
+ }
+
+ modes[type] = 0;
+ }
+ else
+ {
+ errstr = "invalid mode";
+ goto err;
+ }
+
+ err:
+ if (errstr)
+ {
+ /* we cannot use bio_err here */
+ fprintf(stderr, "openssl (lock_dbg_cb): %s (mode=%d, type=%d) at %s:%d\n",
+ errstr, mode, type, file, line);
+ }
+ }
+
int main(int argc, char *argv[])
{
char *CApath=NULL,*CAfile=NULL;
@@ -203,6 +348,7 @@ int main(int argc, char *argv[])
int tls1=0,ssl2=0,ssl3=0,ret=1;
int client_auth=0;
int server_auth=0,i;
+ int app_verify=0;
char *server_cert=TEST_SERVER_CERT;
char *server_key=NULL;
char *client_cert=TEST_CLIENT_CERT;
@@ -213,23 +359,39 @@ int main(int argc, char *argv[])
SSL *c_ssl,*s_ssl;
int number=1,reuse=0;
long bytes=1L;
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
DH *dh;
int dhe1024 = 0, dhe1024dsa = 0;
#endif
int no_dhe = 0;
int print_time = 0;
clock_t s_time = 0, c_time = 0;
+ int comp = 0;
+ COMP_METHOD *cm = NULL;
verbose = 0;
debug = 0;
cipher = 0;
-
+
+ bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
+
+ CRYPTO_set_locking_callback(lock_dbg_cb);
+
+ /* enable memory leak checking unless explicitly disabled */
+ if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) && (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off"))))
+ {
+ CRYPTO_malloc_debug_init();
+ CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
+ }
+ else
+ {
+ /* OPENSSL_DEBUG_MEMORY=off */
+ CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0);
+ }
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
RAND_seed(rnd_seed, sizeof rnd_seed);
- bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE);
argc--;
@@ -247,12 +409,22 @@ int main(int argc, char *argv[])
debug=1;
else if (strcmp(*argv,"-reuse") == 0)
reuse=1;
-#ifndef NO_DH
else if (strcmp(*argv,"-dhe1024") == 0)
+ {
+#ifndef OPENSSL_NO_DH
dhe1024=1;
+#else
+ fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
+#endif
+ }
else if (strcmp(*argv,"-dhe1024dsa") == 0)
+ {
+#ifndef OPENSSL_NO_DH
dhe1024dsa=1;
+#else
+ fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
#endif
+ }
else if (strcmp(*argv,"-no_dhe") == 0)
no_dhe=1;
else if (strcmp(*argv,"-ssl2") == 0)
@@ -333,6 +505,18 @@ int main(int argc, char *argv[])
{
print_time = 1;
}
+ else if (strcmp(*argv,"-zlib") == 0)
+ {
+ comp = COMP_ZLIB;
+ }
+ else if (strcmp(*argv,"-rle") == 0)
+ {
+ comp = COMP_RLE;
+ }
+ else if (strcmp(*argv,"-app_verify") == 0)
+ {
+ app_verify = 1;
+ }
else
{
fprintf(stderr,"unknown option %s\n",*argv);
@@ -355,7 +539,7 @@ bad:
"the test anyway (and\n-d to see what happens), "
"or add one of -ssl2, -ssl3, -tls1, -reuse\n"
"to avoid protocol mismatch.\n");
- exit(1);
+ EXIT(1);
}
if (print_time)
@@ -374,7 +558,24 @@ bad:
SSL_library_init();
SSL_load_error_strings();
-#if !defined(NO_SSL2) && !defined(NO_SSL3)
+ if (comp == COMP_ZLIB) cm = COMP_zlib();
+ if (comp == COMP_RLE) cm = COMP_rle();
+ if (cm != NULL)
+ {
+ if (cm->type != NID_undef)
+ SSL_COMP_add_compression_method(comp, cm);
+ else
+ {
+ fprintf(stderr,
+ "Warning: %s compression not supported\n",
+ (comp == COMP_RLE ? "rle" :
+ (comp == COMP_ZLIB ? "zlib" :
+ "unknown")));
+ ERR_print_errors_fp(stderr);
+ }
+ }
+
+#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
if (ssl2)
meth=SSLv2_method();
else
@@ -386,7 +587,7 @@ bad:
else
meth=SSLv23_method();
#else
-#ifdef NO_SSL2
+#ifdef OPENSSL_NO_SSL2
meth=SSLv3_method();
#else
meth=SSLv2_method();
@@ -407,7 +608,7 @@ bad:
SSL_CTX_set_cipher_list(s_ctx,cipher);
}
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
if (!no_dhe)
{
if (dhe1024dsa)
@@ -427,7 +628,7 @@ bad:
(void)no_dhe;
#endif
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
SSL_CTX_set_tmp_rsa_callback(s_ctx,tmp_rsa_cb);
#endif
@@ -467,12 +668,20 @@ bad:
SSL_CTX_set_verify(s_ctx,
SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
verify_callback);
+ if (app_verify)
+ {
+ SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, app_verify_arg);
+ }
}
if (server_auth)
{
BIO_printf(bio_err,"server authentication\n");
SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER,
verify_callback);
+ if (app_verify)
+ {
+ SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, app_verify_arg);
+ }
}
{
@@ -483,6 +692,25 @@ bad:
c_ssl=SSL_new(c_ctx);
s_ssl=SSL_new(s_ctx);
+#ifndef OPENSSL_NO_KRB5
+ if (c_ssl && c_ssl->kssl_ctx)
+ {
+ char localhost[MAXHOSTNAMELEN+2];
+
+ if (gethostname(localhost, sizeof localhost-1) == 0)
+ {
+ localhost[sizeof localhost-1]='\0';
+ if(strlen(localhost) == sizeof localhost-1)
+ {
+ BIO_printf(bio_err,"localhost name too long\n");
+ goto end;
+ }
+ kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER,
+ localhost);
+ }
+ }
+#endif /* OPENSSL_NO_KRB5 */
+
for (i=0; i<number; i++)
{
if (!reuse) SSL_set_session(c_ssl,NULL);
@@ -529,9 +757,11 @@ end:
if (bio_stdout != NULL) BIO_free(bio_stdout);
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
free_tmp_rsa();
#endif
+ ENGINE_cleanup();
+ CRYPTO_cleanup_all_ex_data();
ERR_free_strings();
ERR_remove_state(0);
EVP_cleanup();
@@ -620,6 +850,8 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
int i, r;
clock_t c_clock = clock();
+ memset(cbuf, 0, sizeof(cbuf));
+
if (debug)
if (SSL_in_init(c_ssl))
printf("client waiting in SSL_connect - %s\n",
@@ -704,6 +936,8 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
int i, r;
clock_t s_clock = clock();
+ memset(sbuf, 0, sizeof(sbuf));
+
if (debug)
if (SSL_in_init(s_ssl))
printf("server waiting in SSL_accept - %s\n",
@@ -947,6 +1181,9 @@ int doit(SSL *s_ssl, SSL *c_ssl, long count)
int c_write,s_write;
int do_server=0,do_client=0;
+ memset(cbuf,0,sizeof(cbuf));
+ memset(sbuf,0,sizeof(sbuf));
+
c_to_s=BIO_new(BIO_s_mem());
s_to_c=BIO_new(BIO_s_mem());
if ((s_to_c == NULL) || (c_to_s == NULL))
@@ -1228,7 +1465,8 @@ static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
{
char *s,buf[256];
- s=X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),buf,256);
+ s=X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),buf,
+ sizeof buf);
if (s != NULL)
{
if (ok)
@@ -1252,7 +1490,26 @@ static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
return(ok);
}
-#ifndef NO_RSA
+static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg)
+ {
+ char *s = NULL,buf[256];
+ int ok=1;
+
+ fprintf(stderr, "In app_verify_callback, allowing cert. ");
+ fprintf(stderr, "Arg is: %s\n", (char *)arg);
+ fprintf(stderr, "Finished printing do we have a context? 0x%x a cert? 0x%x\n",
+ (unsigned int)ctx, (unsigned int)ctx->cert);
+ if (ctx->cert)
+ s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256);
+ if (s != NULL)
+ {
+ fprintf(stderr,"cert depth=%d %s\n",ctx->error_depth,buf);
+ }
+
+ return(ok);
+ }
+
+#ifndef OPENSSL_NO_RSA
static RSA *rsa_tmp=NULL;
static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength)
@@ -1278,14 +1535,14 @@ static void free_tmp_rsa(void)
}
#endif
-#ifndef NO_DH
+#ifndef OPENSSL_NO_DH
/* These DH parameters have been generated as follows:
* $ openssl dhparam -C -noout 512
* $ openssl dhparam -C -noout 1024
* $ openssl dhparam -C -noout -dsaparam 1024
* (The third function has been renamed to avoid name conflicts.)
*/
-DH *get_dh512()
+static DH *get_dh512()
{
static unsigned char dh512_p[]={
0xCB,0xC8,0xE1,0x86,0xD0,0x1F,0x94,0x17,0xA6,0x99,0xF0,0xC6,
@@ -1308,7 +1565,7 @@ DH *get_dh512()
return(dh);
}
-DH *get_dh1024()
+static DH *get_dh1024()
{
static unsigned char dh1024_p[]={
0xF8,0x81,0x89,0x7D,0x14,0x24,0xC5,0xD1,0xE6,0xF7,0xBF,0x3A,
@@ -1336,7 +1593,7 @@ DH *get_dh1024()
return(dh);
}
-DH *get_dh1024dsa()
+static DH *get_dh1024dsa()
{
static unsigned char dh1024_p[]={
0xC8,0x00,0xF7,0x08,0x07,0x89,0x4D,0x90,0x53,0xF3,0xD5,0x00,
diff --git a/crypto/openssl/ssl/t1_clnt.c b/crypto/openssl/ssl/t1_clnt.c
index 9745630..57205fb 100644
--- a/crypto/openssl/ssl/t1_clnt.c
+++ b/crypto/openssl/ssl/t1_clnt.c
@@ -57,11 +57,11 @@
*/
#include <stdio.h>
+#include "ssl_locl.h"
#include <openssl/buffer.h>
#include <openssl/rand.h>
#include <openssl/objects.h>
#include <openssl/evp.h>
-#include "ssl_locl.h"
static SSL_METHOD *tls1_get_client_method(int ver);
static SSL_METHOD *tls1_get_client_method(int ver)
@@ -79,11 +79,18 @@ SSL_METHOD *TLSv1_client_method(void)
if (init)
{
- memcpy((char *)&TLSv1_client_data,(char *)tlsv1_base_method(),
- sizeof(SSL_METHOD));
- TLSv1_client_data.ssl_connect=ssl3_connect;
- TLSv1_client_data.get_ssl_method=tls1_get_client_method;
- init=0;
+ CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
+
+ if (init)
+ {
+ memcpy((char *)&TLSv1_client_data,(char *)tlsv1_base_method(),
+ sizeof(SSL_METHOD));
+ TLSv1_client_data.ssl_connect=ssl3_connect;
+ TLSv1_client_data.get_ssl_method=tls1_get_client_method;
+ init=0;
+ }
+
+ CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
}
return(&TLSv1_client_data);
}
diff --git a/crypto/openssl/ssl/t1_enc.c b/crypto/openssl/ssl/t1_enc.c
index f3ecc5f..271e247 100644
--- a/crypto/openssl/ssl/t1_enc.c
+++ b/crypto/openssl/ssl/t1_enc.c
@@ -110,12 +110,11 @@
*/
#include <stdio.h>
+#include "ssl_locl.h"
#include <openssl/comp.h>
-#include <openssl/md5.h>
-#include <openssl/sha.h>
#include <openssl/evp.h>
#include <openssl/hmac.h>
-#include "ssl_locl.h"
+#include <openssl/md5.h>
static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
int sec_len, unsigned char *seed, int seed_len,
@@ -125,21 +124,25 @@ static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
unsigned int j;
HMAC_CTX ctx;
HMAC_CTX ctx_tmp;
- unsigned char A1[HMAC_MAX_MD_CBLOCK];
+ unsigned char A1[EVP_MAX_MD_SIZE];
unsigned int A1_len;
chunk=EVP_MD_size(md);
- HMAC_Init(&ctx,sec,sec_len,md);
+ HMAC_CTX_init(&ctx);
+ HMAC_CTX_init(&ctx_tmp);
+ HMAC_Init_ex(&ctx,sec,sec_len,md, NULL);
+ HMAC_Init_ex(&ctx_tmp,sec,sec_len,md, NULL);
HMAC_Update(&ctx,seed,seed_len);
HMAC_Final(&ctx,A1,&A1_len);
n=0;
for (;;)
{
- HMAC_Init(&ctx,NULL,0,NULL); /* re-init */
+ HMAC_Init_ex(&ctx,NULL,0,NULL,NULL); /* re-init */
+ HMAC_Init_ex(&ctx_tmp,NULL,0,NULL,NULL); /* re-init */
HMAC_Update(&ctx,A1,A1_len);
- memcpy(&ctx_tmp,&ctx,sizeof(ctx)); /* Copy for A2 */ /* not needed for last one */
+ HMAC_Update(&ctx_tmp,A1,A1_len);
HMAC_Update(&ctx,seed,seed_len);
if (olen > chunk)
@@ -156,9 +159,9 @@ static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
break;
}
}
- HMAC_cleanup(&ctx);
- HMAC_cleanup(&ctx_tmp);
- memset(A1,0,sizeof(A1));
+ HMAC_CTX_cleanup(&ctx);
+ HMAC_CTX_cleanup(&ctx_tmp);
+ OPENSSL_cleanse(A1,sizeof(A1));
}
static void tls1_PRF(const EVP_MD *md5, const EVP_MD *sha1,
@@ -201,6 +204,17 @@ static void tls1_generate_key_block(SSL *s, unsigned char *km,
tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(p-buf),
s->session->master_key,s->session->master_key_length,
km,tmp,num);
+#ifdef KSSL_DEBUG
+ printf("tls1_generate_key_block() ==> %d byte master_key =\n\t",
+ s->session->master_key_length);
+ {
+ int i;
+ for (i=0; i < s->session->master_key_length; i++)
+ {
+ printf("%02X", s->session->master_key[i]);
+ }
+ printf("\n"); }
+#endif /* KSSL_DEBUG */
}
int tls1_change_cipher_state(SSL *s, int which)
@@ -219,19 +233,35 @@ int tls1_change_cipher_state(SSL *s, int which)
const EVP_CIPHER *c;
const SSL_COMP *comp;
const EVP_MD *m;
- int _exp,n,i,j,k,exp_label_len,cl;
+ int is_export,n,i,j,k,exp_label_len,cl;
+ int reuse_dd = 0;
- _exp=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
+ is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
c=s->s3->tmp.new_sym_enc;
m=s->s3->tmp.new_hash;
comp=s->s3->tmp.new_compression;
key_block=s->s3->tmp.key_block;
+#ifdef KSSL_DEBUG
+ printf("tls1_change_cipher_state(which= %d) w/\n", which);
+ printf("\talg= %ld, comp= %p\n", s->s3->tmp.new_cipher->algorithms,
+ comp);
+ printf("\tevp_cipher == %p ==? &d_cbc_ede_cipher3\n", c);
+ printf("\tevp_cipher: nid, blksz= %d, %d, keylen=%d, ivlen=%d\n",
+ c->nid,c->block_size,c->key_len,c->iv_len);
+ printf("\tkey_block: len= %d, data= ", s->s3->tmp.key_block_length);
+ {
+ int i;
+ for (i=0; i<s->s3->tmp.key_block_length; i++)
+ printf("%02x", key_block[i]); printf("\n");
+ }
+#endif /* KSSL_DEBUG */
+
if (which & SSL3_CC_READ)
{
- if ((s->enc_read_ctx == NULL) &&
- ((s->enc_read_ctx=(EVP_CIPHER_CTX *)
- OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL))
+ if (s->enc_read_ctx != NULL)
+ reuse_dd = 1;
+ else if ((s->enc_read_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
goto err;
dd= s->enc_read_ctx;
s->read_hash=m;
@@ -259,6 +289,10 @@ int tls1_change_cipher_state(SSL *s, int which)
}
else
{
+ if (s->enc_write_ctx != NULL)
+ reuse_dd = 1;
+ else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
+ goto err;
if ((s->enc_write_ctx == NULL) &&
((s->enc_write_ctx=(EVP_CIPHER_CTX *)
OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL))
@@ -283,13 +317,15 @@ int tls1_change_cipher_state(SSL *s, int which)
mac_secret= &(s->s3->write_mac_secret[0]);
}
+ if (reuse_dd)
+ EVP_CIPHER_CTX_cleanup(dd);
EVP_CIPHER_CTX_init(dd);
p=s->s3->tmp.key_block;
i=EVP_MD_size(m);
cl=EVP_CIPHER_key_length(c);
- j=_exp ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
- cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
+ j=is_export ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
+ cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
/* Was j=(exp)?5:EVP_CIPHER_key_length(c); */
k=EVP_CIPHER_iv_length(c);
er1= &(s->s3->client_random[0]);
@@ -317,7 +353,7 @@ int tls1_change_cipher_state(SSL *s, int which)
if (n > s->s3->tmp.key_block_length)
{
- SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_INTERNAL_ERROR);
+ SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_INTERNAL_ERROR);
goto err2;
}
@@ -326,7 +362,7 @@ int tls1_change_cipher_state(SSL *s, int which)
printf("which = %04X\nmac key=",which);
{ int z; for (z=0; z<i; z++) printf("%02X%c",ms[z],((z+1)%16)?' ':'\n'); }
#endif
- if (_exp)
+ if (is_export)
{
/* In here I set both the read and write key/iv to the
* same value since only the correct one will be used :-).
@@ -362,8 +398,18 @@ printf("which = %04X\nmac key=",which);
}
s->session->key_arg_length=0;
+#ifdef KSSL_DEBUG
+ {
+ int i;
+ printf("EVP_CipherInit_ex(dd,c,key=,iv=,which)\n");
+ printf("\tkey= "); for (i=0; i<c->key_len; i++) printf("%02x", key[i]);
+ printf("\n");
+ printf("\t iv= "); for (i=0; i<c->iv_len; i++) printf("%02x", iv[i]);
+ printf("\n");
+ }
+#endif /* KSSL_DEBUG */
- EVP_CipherInit(dd,c,key,iv,(which & SSL3_CC_WRITE));
+ EVP_CipherInit_ex(dd,c,NULL,key,iv,(which & SSL3_CC_WRITE));
#ifdef TLS_DEBUG
printf("which = %04X\nkey=",which);
{ int z; for (z=0; z<EVP_CIPHER_key_length(c); z++) printf("%02X%c",key[z],((z+1)%16)?' ':'\n'); }
@@ -372,10 +418,10 @@ printf("\niv=");
printf("\n");
#endif
- memset(tmp1,0,sizeof(tmp1));
- memset(tmp2,0,sizeof(tmp1));
- memset(iv1,0,sizeof(iv1));
- memset(iv2,0,sizeof(iv2));
+ OPENSSL_cleanse(tmp1,sizeof(tmp1));
+ OPENSSL_cleanse(tmp2,sizeof(tmp1));
+ OPENSSL_cleanse(iv1,sizeof(iv1));
+ OPENSSL_cleanse(iv2,sizeof(iv2));
return(1);
err:
SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_MALLOC_FAILURE);
@@ -391,6 +437,10 @@ int tls1_setup_key_block(SSL *s)
int num;
SSL_COMP *comp;
+#ifdef KSSL_DEBUG
+ printf ("tls1_setup_key_block()\n");
+#endif /* KSSL_DEBUG */
+
if (s->s3->tmp.key_block_length != 0)
return(1);
@@ -426,7 +476,7 @@ printf("pre-master\n");
{ int z; for (z=0; z<s->session->master_key_length; z++) printf("%02X%c",s->session->master_key[z],((z+1)%16)?' ':'\n'); }
#endif
tls1_generate_key_block(s,p1,p2,num);
- memset(p2,0,num);
+ OPENSSL_cleanse(p2,num);
OPENSSL_free(p2);
#ifdef TLS_DEBUG
printf("\nkey block\n");
@@ -445,13 +495,13 @@ printf("\nkey block\n");
if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_eNULL)
s->s3->need_empty_fragments = 0;
-#ifndef NO_RC4
+#ifndef OPENSSL_NO_RC4
if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4)
s->s3->need_empty_fragments = 0;
#endif
}
}
-
+
return(1);
err:
SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE);
@@ -489,6 +539,10 @@ int tls1_enc(SSL *s, int send)
enc=EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
}
+#ifdef KSSL_DEBUG
+ printf("tls1_enc(%d)\n", send);
+#endif /* KSSL_DEBUG */
+
if ((s->session == NULL) || (ds == NULL) ||
(enc == NULL))
{
@@ -519,6 +573,24 @@ int tls1_enc(SSL *s, int send)
rec->length+=i;
}
+#ifdef KSSL_DEBUG
+ {
+ unsigned long ui;
+ printf("EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n",
+ ds,rec->data,rec->input,l);
+ printf("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%d %d], %d iv_len\n",
+ ds->buf_len, ds->cipher->key_len,
+ DES_KEY_SZ, DES_SCHEDULE_SZ,
+ ds->cipher->iv_len);
+ printf("\t\tIV: ");
+ for (i=0; i<ds->cipher->iv_len; i++) printf("%02X", ds->iv[i]);
+ printf("\n");
+ printf("\trec->input=");
+ for (ui=0; ui<l; ui++) printf(" %02x", rec->input[ui]);
+ printf("\n");
+ }
+#endif /* KSSL_DEBUG */
+
if (!send)
{
if (l == 0 || l%bs != 0)
@@ -531,6 +603,15 @@ int tls1_enc(SSL *s, int send)
EVP_Cipher(ds,rec->data,rec->input,l);
+#ifdef KSSL_DEBUG
+ {
+ unsigned long i;
+ printf("\trec->data=");
+ for (i=0; i<l; i++)
+ printf(" %02x", rec->data[i]); printf("\n");
+ }
+#endif /* KSSL_DEBUG */
+
if ((bs != 1) && !send)
{
ii=i=rec->data[l-1]; /* padding_length */
@@ -573,8 +654,10 @@ int tls1_cert_verify_mac(SSL *s, EVP_MD_CTX *in_ctx, unsigned char *out)
unsigned int ret;
EVP_MD_CTX ctx;
- EVP_MD_CTX_copy(&ctx,in_ctx);
- EVP_DigestFinal(&ctx,out,&ret);
+ EVP_MD_CTX_init(&ctx);
+ EVP_MD_CTX_copy_ex(&ctx,in_ctx);
+ EVP_DigestFinal_ex(&ctx,out,&ret);
+ EVP_MD_CTX_cleanup(&ctx);
return((int)ret);
}
@@ -590,19 +673,20 @@ int tls1_final_finish_mac(SSL *s, EVP_MD_CTX *in1_ctx, EVP_MD_CTX *in2_ctx,
memcpy(q,str,slen);
q+=slen;
- EVP_MD_CTX_copy(&ctx,in1_ctx);
- EVP_DigestFinal(&ctx,q,&i);
+ EVP_MD_CTX_init(&ctx);
+ EVP_MD_CTX_copy_ex(&ctx,in1_ctx);
+ EVP_DigestFinal_ex(&ctx,q,&i);
q+=i;
- EVP_MD_CTX_copy(&ctx,in2_ctx);
- EVP_DigestFinal(&ctx,q,&i);
+ EVP_MD_CTX_copy_ex(&ctx,in2_ctx);
+ EVP_DigestFinal_ex(&ctx,q,&i);
q+=i;
tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(q-buf),
s->session->master_key,s->session->master_key_length,
- out,buf2,12);
- memset(&ctx,0,sizeof(EVP_MD_CTX));
+ out,buf2,sizeof buf2);
+ EVP_MD_CTX_cleanup(&ctx);
- return((int)12);
+ return sizeof buf2;
}
int tls1_mac(SSL *ssl, unsigned char *md, int send)
@@ -639,11 +723,13 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
buf[4]=rec->length&0xff;
/* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */
- HMAC_Init(&hmac,mac_sec,EVP_MD_size(hash),hash);
+ HMAC_CTX_init(&hmac);
+ HMAC_Init_ex(&hmac,mac_sec,EVP_MD_size(hash),hash,NULL);
HMAC_Update(&hmac,seq,8);
HMAC_Update(&hmac,buf,5);
HMAC_Update(&hmac,rec->input,rec->length);
HMAC_Final(&hmac,md,&md_size);
+ HMAC_CTX_cleanup(&hmac);
#ifdef TLS_DEBUG
printf("sec=");
@@ -674,6 +760,10 @@ int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
unsigned char buf[SSL3_RANDOM_SIZE*2+TLS_MD_MASTER_SECRET_CONST_SIZE];
unsigned char buff[SSL_MAX_MASTER_KEY_LENGTH];
+#ifdef KSSL_DEBUG
+ printf ("tls1_generate_master_secret(%p,%p, %p, %d)\n", s,out, p,len);
+#endif /* KSSL_DEBUG */
+
/* Setup the stuff to munge */
memcpy(buf,TLS_MD_MASTER_SECRET_CONST,
TLS_MD_MASTER_SECRET_CONST_SIZE);
@@ -683,7 +773,10 @@ int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
s->s3->server_random,SSL3_RANDOM_SIZE);
tls1_PRF(s->ctx->md5,s->ctx->sha1,
buf,TLS_MD_MASTER_SECRET_CONST_SIZE+SSL3_RANDOM_SIZE*2,p,len,
- s->session->master_key,buff,SSL3_MASTER_SECRET_SIZE);
+ s->session->master_key,buff,sizeof buff);
+#ifdef KSSL_DEBUG
+ printf ("tls1_generate_master_secret() complete\n");
+#endif /* KSSL_DEBUG */
return(SSL3_MASTER_SECRET_SIZE);
}
diff --git a/crypto/openssl/ssl/t1_meth.c b/crypto/openssl/ssl/t1_meth.c
index 9bb36a7..fcc243f 100644
--- a/crypto/openssl/ssl/t1_meth.c
+++ b/crypto/openssl/ssl/t1_meth.c
@@ -76,13 +76,21 @@ SSL_METHOD *TLSv1_method(void)
if (init)
{
- memcpy((char *)&TLSv1_data,(char *)tlsv1_base_method(),
- sizeof(SSL_METHOD));
- TLSv1_data.ssl_connect=ssl3_connect;
- TLSv1_data.ssl_accept=ssl3_accept;
- TLSv1_data.get_ssl_method=tls1_get_method;
- init=0;
+ CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
+
+ if (init)
+ {
+ memcpy((char *)&TLSv1_data,(char *)tlsv1_base_method(),
+ sizeof(SSL_METHOD));
+ TLSv1_data.ssl_connect=ssl3_connect;
+ TLSv1_data.ssl_accept=ssl3_accept;
+ TLSv1_data.get_ssl_method=tls1_get_method;
+ init=0;
+ }
+
+ CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
}
+
return(&TLSv1_data);
}
diff --git a/crypto/openssl/ssl/t1_srvr.c b/crypto/openssl/ssl/t1_srvr.c
index 996b7ca..1c1149e 100644
--- a/crypto/openssl/ssl/t1_srvr.c
+++ b/crypto/openssl/ssl/t1_srvr.c
@@ -57,12 +57,12 @@
*/
#include <stdio.h>
+#include "ssl_locl.h"
#include <openssl/buffer.h>
#include <openssl/rand.h>
#include <openssl/objects.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
-#include "ssl_locl.h"
static SSL_METHOD *tls1_get_server_method(int ver);
static SSL_METHOD *tls1_get_server_method(int ver)
@@ -80,11 +80,18 @@ SSL_METHOD *TLSv1_server_method(void)
if (init)
{
- memcpy((char *)&TLSv1_server_data,(char *)tlsv1_base_method(),
- sizeof(SSL_METHOD));
- TLSv1_server_data.ssl_accept=ssl3_accept;
- TLSv1_server_data.get_ssl_method=tls1_get_server_method;
- init=0;
+ CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
+
+ if (init)
+ {
+ memcpy((char *)&TLSv1_server_data,(char *)tlsv1_base_method(),
+ sizeof(SSL_METHOD));
+ TLSv1_server_data.ssl_accept=ssl3_accept;
+ TLSv1_server_data.get_ssl_method=tls1_get_server_method;
+ init=0;
+ }
+
+ CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
}
return(&TLSv1_server_data);
}
diff --git a/crypto/openssl/ssl/tls1.h b/crypto/openssl/ssl/tls1.h
index cf92ae0..38838ea 100644
--- a/crypto/openssl/ssl/tls1.h
+++ b/crypto/openssl/ssl/tls1.h
@@ -96,6 +96,22 @@ extern "C" {
#define TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA 0x03000065
#define TLS1_CK_DHE_DSS_WITH_RC4_128_SHA 0x03000066
+/* AES ciphersuites from RFC3268 */
+
+#define TLS1_CK_RSA_WITH_AES_128_SHA 0x0300002F
+#define TLS1_CK_DH_DSS_WITH_AES_128_SHA 0x03000030
+#define TLS1_CK_DH_RSA_WITH_AES_128_SHA 0x03000031
+#define TLS1_CK_DHE_DSS_WITH_AES_128_SHA 0x03000032
+#define TLS1_CK_DHE_RSA_WITH_AES_128_SHA 0x03000033
+#define TLS1_CK_ADH_WITH_AES_128_SHA 0x03000034
+
+#define TLS1_CK_RSA_WITH_AES_256_SHA 0x03000035
+#define TLS1_CK_DH_DSS_WITH_AES_256_SHA 0x03000036
+#define TLS1_CK_DH_RSA_WITH_AES_256_SHA 0x03000037
+#define TLS1_CK_DHE_DSS_WITH_AES_256_SHA 0x03000038
+#define TLS1_CK_DHE_RSA_WITH_AES_256_SHA 0x03000039
+#define TLS1_CK_ADH_WITH_AES_256_SHA 0x0300003A
+
/* XXX
* Inconsistency alert:
* The OpenSSL names of ciphers with ephemeral DH here include the string
@@ -111,6 +127,21 @@ extern "C" {
#define TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA "EXP1024-DHE-DSS-RC4-SHA"
#define TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA "DHE-DSS-RC4-SHA"
+/* AES ciphersuites from RFC3268 */
+#define TLS1_TXT_RSA_WITH_AES_128_SHA "AES128-SHA"
+#define TLS1_TXT_DH_DSS_WITH_AES_128_SHA "DH-DSS-AES128-SHA"
+#define TLS1_TXT_DH_RSA_WITH_AES_128_SHA "DH-RSA-AES128-SHA"
+#define TLS1_TXT_DHE_DSS_WITH_AES_128_SHA "DHE-DSS-AES128-SHA"
+#define TLS1_TXT_DHE_RSA_WITH_AES_128_SHA "DHE-RSA-AES128-SHA"
+#define TLS1_TXT_ADH_WITH_AES_128_SHA "ADH-AES128-SHA"
+
+#define TLS1_TXT_RSA_WITH_AES_256_SHA "AES256-SHA"
+#define TLS1_TXT_DH_DSS_WITH_AES_256_SHA "DH-DSS-AES256-SHA"
+#define TLS1_TXT_DH_RSA_WITH_AES_256_SHA "DH-RSA-AES256-SHA"
+#define TLS1_TXT_DHE_DSS_WITH_AES_256_SHA "DHE-DSS-AES256-SHA"
+#define TLS1_TXT_DHE_RSA_WITH_AES_256_SHA "DHE-RSA-AES256-SHA"
+#define TLS1_TXT_ADH_WITH_AES_256_SHA "ADH-AES256-SHA"
+
#define TLS_CT_RSA_SIGN 1
#define TLS_CT_DSS_SIGN 2
OpenPOWER on IntegriCloud