diff options
author | markm <markm@FreeBSD.org> | 2003-01-28 21:43:22 +0000 |
---|---|---|
committer | markm <markm@FreeBSD.org> | 2003-01-28 21:43:22 +0000 |
commit | aad1d64cb5a8d9b503d9199642363dc1e92d2f9b (patch) | |
tree | 610a51c6e3965764fb0f1629c1376e2d23afffe8 /crypto/openssl/ssl | |
parent | eba366e36e93f5da8ae5c744eb337c3ef6872641 (diff) | |
download | FreeBSD-src-aad1d64cb5a8d9b503d9199642363dc1e92d2f9b.zip FreeBSD-src-aad1d64cb5a8d9b503d9199642363dc1e92d2f9b.tar.gz |
Vendor import of OpenSSL release 0.9.7. This release includes
support for AES and OpenBSD's hardware crypto.
Diffstat (limited to 'crypto/openssl/ssl')
45 files changed, 6249 insertions, 1643 deletions
diff --git a/crypto/openssl/ssl/Makefile.ssl b/crypto/openssl/ssl/Makefile.ssl index 4b8053a..e36a79b 100644 --- a/crypto/openssl/ssl/Makefile.ssl +++ b/crypto/openssl/ssl/Makefile.ssl @@ -5,15 +5,18 @@ DIR= ssl TOP= .. CC= cc -INCLUDES= -I../crypto -I../include +INCLUDES= -I../crypto -I$(TOP) -I../include $(KRB5_INCLUDES) CFLAG=-g INSTALL_PREFIX= OPENSSLDIR= /usr/local/ssl INSTALLTOP=/usr/local/ssl MAKE= make -f Makefile.ssl -MAKEDEPEND= $(TOP)/util/domd $(TOP) +MAKEDEPPROG= makedepend +MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) MAKEFILE= Makefile.ssl AR= ar r +# KRB5 stuff +KRB5_INCLUDES= CFLAGS= $(INCLUDES) $(CFLAG) @@ -22,6 +25,7 @@ TEST=ssltest.c APPS= LIB=$(TOP)/libssl.a +SHARED_LIB= libssl$(SHLIB_EXT) LIBSRC= \ s2_meth.c s2_srvr.c s2_clnt.c s2_lib.c s2_enc.c s2_pkt.c \ s3_meth.c s3_srvr.c s3_clnt.c s3_lib.c s3_enc.c s3_pkt.c s3_both.c \ @@ -30,7 +34,7 @@ LIBSRC= \ ssl_lib.c ssl_err2.c ssl_cert.c ssl_sess.c \ ssl_ciph.c ssl_stat.c ssl_rsa.c \ ssl_asn1.c ssl_txt.c ssl_algs.c \ - bio_ssl.c ssl_err.c + bio_ssl.c ssl_err.c kssl.c LIBOBJ= \ s2_meth.o s2_srvr.o s2_clnt.o s2_lib.o s2_enc.o s2_pkt.o \ s3_meth.o s3_srvr.o s3_clnt.o s3_lib.o s3_enc.o s3_pkt.o s3_both.o \ @@ -39,26 +43,30 @@ LIBOBJ= \ ssl_lib.o ssl_err2.o ssl_cert.o ssl_sess.o \ ssl_ciph.o ssl_stat.o ssl_rsa.o \ ssl_asn1.o ssl_txt.o ssl_algs.o \ - bio_ssl.o ssl_err.o + bio_ssl.o ssl_err.o kssl.o SRC= $(LIBSRC) -EXHEADER= ssl.h ssl2.h ssl3.h ssl23.h tls1.h -HEADER= $(EXHEADER) ssl_locl.h +EXHEADER= ssl.h ssl2.h ssl3.h ssl23.h tls1.h kssl.h +HEADER= $(EXHEADER) ssl_locl.h kssl_lcl.h ALL= $(GENERAL) $(SRC) $(HEADER) top: (cd ..; $(MAKE) DIRS=$(DIR) all) -all: lib +all: lib shared lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - @echo You may get an error following this line. Please ignore. - - $(RANLIB) $(LIB) + $(RANLIB) $(LIB) || echo Never mind. @touch lib +shared: + if [ -n "$(SHARED_LIBS)" ]; then \ + (cd ..; $(MAKE) $(SHARED_LIB)); \ + fi + files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO @@ -84,7 +92,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new @@ -95,18 +103,20 @@ clean: # DO NOT DELETE THIS LINE -- make depend depends on it. -bio_ssl.o: ../include/openssl/asn1.h ../include/openssl/bio.h -bio_ssl.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -bio_ssl.o: ../include/openssl/buffer.h ../include/openssl/cast.h -bio_ssl.o: ../include/openssl/comp.h ../include/openssl/crypto.h -bio_ssl.o: ../include/openssl/des.h ../include/openssl/dh.h +bio_ssl.o: ../include/openssl/aes.h ../include/openssl/asn1.h +bio_ssl.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +bio_ssl.o: ../include/openssl/bn.h ../include/openssl/buffer.h +bio_ssl.o: ../include/openssl/cast.h ../include/openssl/comp.h +bio_ssl.o: ../include/openssl/crypto.h ../include/openssl/des.h +bio_ssl.o: ../include/openssl/des_old.h ../include/openssl/dh.h bio_ssl.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h bio_ssl.o: ../include/openssl/err.h ../include/openssl/evp.h -bio_ssl.o: ../include/openssl/idea.h ../include/openssl/lhash.h -bio_ssl.o: ../include/openssl/md2.h ../include/openssl/md4.h -bio_ssl.o: ../include/openssl/md5.h ../include/openssl/mdc2.h -bio_ssl.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -bio_ssl.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +bio_ssl.o: ../include/openssl/idea.h ../include/openssl/kssl.h +bio_ssl.o: ../include/openssl/lhash.h ../include/openssl/md2.h +bio_ssl.o: ../include/openssl/md4.h ../include/openssl/md5.h +bio_ssl.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h +bio_ssl.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h +bio_ssl.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h bio_ssl.o: ../include/openssl/pem.h ../include/openssl/pem2.h bio_ssl.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h bio_ssl.o: ../include/openssl/rc4.h ../include/openssl/rc5.h @@ -115,134 +125,176 @@ bio_ssl.o: ../include/openssl/safestack.h ../include/openssl/sha.h bio_ssl.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h bio_ssl.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h bio_ssl.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -bio_ssl.o: ../include/openssl/tls1.h ../include/openssl/x509.h -bio_ssl.o: ../include/openssl/x509_vfy.h -s23_clnt.o: ../include/openssl/asn1.h ../include/openssl/bio.h -s23_clnt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -s23_clnt.o: ../include/openssl/buffer.h ../include/openssl/cast.h -s23_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h -s23_clnt.o: ../include/openssl/des.h ../include/openssl/dh.h -s23_clnt.o: ../include/openssl/dsa.h ../include/openssl/e_os.h -s23_clnt.o: ../include/openssl/e_os2.h ../include/openssl/err.h -s23_clnt.o: ../include/openssl/evp.h ../include/openssl/idea.h +bio_ssl.o: ../include/openssl/tls1.h ../include/openssl/ui.h +bio_ssl.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h +bio_ssl.o: ../include/openssl/x509_vfy.h bio_ssl.c +kssl.o: ../include/openssl/aes.h ../include/openssl/asn1.h +kssl.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +kssl.o: ../include/openssl/bn.h ../include/openssl/buffer.h +kssl.o: ../include/openssl/cast.h ../include/openssl/comp.h +kssl.o: ../include/openssl/crypto.h ../include/openssl/des.h +kssl.o: ../include/openssl/des_old.h ../include/openssl/dh.h +kssl.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h +kssl.o: ../include/openssl/evp.h ../include/openssl/idea.h +kssl.o: ../include/openssl/krb5_asn.h ../include/openssl/kssl.h +kssl.o: ../include/openssl/lhash.h ../include/openssl/md2.h +kssl.o: ../include/openssl/md4.h ../include/openssl/md5.h +kssl.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h +kssl.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h +kssl.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +kssl.o: ../include/openssl/pem.h ../include/openssl/pem2.h +kssl.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h +kssl.o: ../include/openssl/rc4.h ../include/openssl/rc5.h +kssl.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h +kssl.o: ../include/openssl/safestack.h ../include/openssl/sha.h +kssl.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +kssl.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +kssl.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +kssl.o: ../include/openssl/tls1.h ../include/openssl/ui.h +kssl.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h +kssl.o: ../include/openssl/x509_vfy.h kssl.c +s23_clnt.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h +s23_clnt.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +s23_clnt.o: ../include/openssl/bn.h ../include/openssl/buffer.h +s23_clnt.o: ../include/openssl/cast.h ../include/openssl/comp.h +s23_clnt.o: ../include/openssl/crypto.h ../include/openssl/des.h +s23_clnt.o: ../include/openssl/des_old.h ../include/openssl/dh.h +s23_clnt.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h +s23_clnt.o: ../include/openssl/err.h ../include/openssl/evp.h +s23_clnt.o: ../include/openssl/idea.h ../include/openssl/kssl.h s23_clnt.o: ../include/openssl/lhash.h ../include/openssl/md2.h s23_clnt.o: ../include/openssl/md4.h ../include/openssl/md5.h s23_clnt.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h s23_clnt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h -s23_clnt.o: ../include/openssl/opensslv.h ../include/openssl/pem.h -s23_clnt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -s23_clnt.o: ../include/openssl/rand.h ../include/openssl/rc2.h -s23_clnt.o: ../include/openssl/rc4.h ../include/openssl/rc5.h -s23_clnt.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h -s23_clnt.o: ../include/openssl/safestack.h ../include/openssl/sha.h -s23_clnt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h -s23_clnt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h -s23_clnt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -s23_clnt.o: ../include/openssl/tls1.h ../include/openssl/x509.h -s23_clnt.o: ../include/openssl/x509_vfy.h ssl_locl.h -s23_lib.o: ../include/openssl/asn1.h ../include/openssl/bio.h -s23_lib.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -s23_lib.o: ../include/openssl/buffer.h ../include/openssl/cast.h -s23_lib.o: ../include/openssl/comp.h ../include/openssl/crypto.h -s23_lib.o: ../include/openssl/des.h ../include/openssl/dh.h -s23_lib.o: ../include/openssl/dsa.h ../include/openssl/e_os.h -s23_lib.o: ../include/openssl/e_os2.h ../include/openssl/err.h -s23_lib.o: ../include/openssl/evp.h ../include/openssl/idea.h +s23_clnt.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +s23_clnt.o: ../include/openssl/pem.h ../include/openssl/pem2.h +s23_clnt.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h +s23_clnt.o: ../include/openssl/rc2.h ../include/openssl/rc4.h +s23_clnt.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h +s23_clnt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h +s23_clnt.o: ../include/openssl/sha.h ../include/openssl/ssl.h +s23_clnt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h +s23_clnt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +s23_clnt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +s23_clnt.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h +s23_clnt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s23_clnt.c +s23_clnt.o: ssl_locl.h +s23_lib.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h +s23_lib.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +s23_lib.o: ../include/openssl/bn.h ../include/openssl/buffer.h +s23_lib.o: ../include/openssl/cast.h ../include/openssl/comp.h +s23_lib.o: ../include/openssl/crypto.h ../include/openssl/des.h +s23_lib.o: ../include/openssl/des_old.h ../include/openssl/dh.h +s23_lib.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h +s23_lib.o: ../include/openssl/err.h ../include/openssl/evp.h +s23_lib.o: ../include/openssl/idea.h ../include/openssl/kssl.h s23_lib.o: ../include/openssl/lhash.h ../include/openssl/md2.h s23_lib.o: ../include/openssl/md4.h ../include/openssl/md5.h s23_lib.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h s23_lib.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h -s23_lib.o: ../include/openssl/opensslv.h ../include/openssl/pem.h -s23_lib.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -s23_lib.o: ../include/openssl/rc2.h ../include/openssl/rc4.h -s23_lib.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h -s23_lib.o: ../include/openssl/rsa.h ../include/openssl/safestack.h -s23_lib.o: ../include/openssl/sha.h ../include/openssl/ssl.h -s23_lib.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h -s23_lib.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -s23_lib.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -s23_lib.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h -s23_meth.o: ../include/openssl/asn1.h ../include/openssl/bio.h -s23_meth.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -s23_meth.o: ../include/openssl/buffer.h ../include/openssl/cast.h -s23_meth.o: ../include/openssl/comp.h ../include/openssl/crypto.h -s23_meth.o: ../include/openssl/des.h ../include/openssl/dh.h -s23_meth.o: ../include/openssl/dsa.h ../include/openssl/e_os.h -s23_meth.o: ../include/openssl/e_os2.h ../include/openssl/err.h -s23_meth.o: ../include/openssl/evp.h ../include/openssl/idea.h +s23_lib.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +s23_lib.o: ../include/openssl/pem.h ../include/openssl/pem2.h +s23_lib.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h +s23_lib.o: ../include/openssl/rc4.h ../include/openssl/rc5.h +s23_lib.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h +s23_lib.o: ../include/openssl/safestack.h ../include/openssl/sha.h +s23_lib.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +s23_lib.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +s23_lib.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +s23_lib.o: ../include/openssl/tls1.h ../include/openssl/ui.h +s23_lib.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h +s23_lib.o: ../include/openssl/x509_vfy.h s23_lib.c ssl_locl.h +s23_meth.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h +s23_meth.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +s23_meth.o: ../include/openssl/bn.h ../include/openssl/buffer.h +s23_meth.o: ../include/openssl/cast.h ../include/openssl/comp.h +s23_meth.o: ../include/openssl/crypto.h ../include/openssl/des.h +s23_meth.o: ../include/openssl/des_old.h ../include/openssl/dh.h +s23_meth.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h +s23_meth.o: ../include/openssl/err.h ../include/openssl/evp.h +s23_meth.o: ../include/openssl/idea.h ../include/openssl/kssl.h s23_meth.o: ../include/openssl/lhash.h ../include/openssl/md2.h s23_meth.o: ../include/openssl/md4.h ../include/openssl/md5.h s23_meth.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h s23_meth.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h -s23_meth.o: ../include/openssl/opensslv.h ../include/openssl/pem.h -s23_meth.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -s23_meth.o: ../include/openssl/rc2.h ../include/openssl/rc4.h -s23_meth.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h -s23_meth.o: ../include/openssl/rsa.h ../include/openssl/safestack.h -s23_meth.o: ../include/openssl/sha.h ../include/openssl/ssl.h -s23_meth.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h -s23_meth.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -s23_meth.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -s23_meth.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h -s23_pkt.o: ../include/openssl/asn1.h ../include/openssl/bio.h -s23_pkt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -s23_pkt.o: ../include/openssl/buffer.h ../include/openssl/cast.h -s23_pkt.o: ../include/openssl/comp.h ../include/openssl/crypto.h -s23_pkt.o: ../include/openssl/des.h ../include/openssl/dh.h -s23_pkt.o: ../include/openssl/dsa.h ../include/openssl/e_os.h -s23_pkt.o: ../include/openssl/e_os2.h ../include/openssl/err.h -s23_pkt.o: ../include/openssl/evp.h ../include/openssl/idea.h +s23_meth.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +s23_meth.o: ../include/openssl/pem.h ../include/openssl/pem2.h +s23_meth.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h +s23_meth.o: ../include/openssl/rc4.h ../include/openssl/rc5.h +s23_meth.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h +s23_meth.o: ../include/openssl/safestack.h ../include/openssl/sha.h +s23_meth.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +s23_meth.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +s23_meth.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +s23_meth.o: ../include/openssl/tls1.h ../include/openssl/ui.h +s23_meth.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h +s23_meth.o: ../include/openssl/x509_vfy.h s23_meth.c ssl_locl.h +s23_pkt.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h +s23_pkt.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +s23_pkt.o: ../include/openssl/bn.h ../include/openssl/buffer.h +s23_pkt.o: ../include/openssl/cast.h ../include/openssl/comp.h +s23_pkt.o: ../include/openssl/crypto.h ../include/openssl/des.h +s23_pkt.o: ../include/openssl/des_old.h ../include/openssl/dh.h +s23_pkt.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h +s23_pkt.o: ../include/openssl/err.h ../include/openssl/evp.h +s23_pkt.o: ../include/openssl/idea.h ../include/openssl/kssl.h s23_pkt.o: ../include/openssl/lhash.h ../include/openssl/md2.h s23_pkt.o: ../include/openssl/md4.h ../include/openssl/md5.h s23_pkt.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h s23_pkt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h -s23_pkt.o: ../include/openssl/opensslv.h ../include/openssl/pem.h -s23_pkt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -s23_pkt.o: ../include/openssl/rc2.h ../include/openssl/rc4.h -s23_pkt.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h -s23_pkt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h -s23_pkt.o: ../include/openssl/sha.h ../include/openssl/ssl.h -s23_pkt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h -s23_pkt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -s23_pkt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -s23_pkt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h -s23_srvr.o: ../include/openssl/asn1.h ../include/openssl/bio.h -s23_srvr.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -s23_srvr.o: ../include/openssl/buffer.h ../include/openssl/cast.h -s23_srvr.o: ../include/openssl/comp.h ../include/openssl/crypto.h -s23_srvr.o: ../include/openssl/des.h ../include/openssl/dh.h -s23_srvr.o: ../include/openssl/dsa.h ../include/openssl/e_os.h -s23_srvr.o: ../include/openssl/e_os2.h ../include/openssl/err.h -s23_srvr.o: ../include/openssl/evp.h ../include/openssl/idea.h +s23_pkt.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +s23_pkt.o: ../include/openssl/pem.h ../include/openssl/pem2.h +s23_pkt.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h +s23_pkt.o: ../include/openssl/rc4.h ../include/openssl/rc5.h +s23_pkt.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h +s23_pkt.o: ../include/openssl/safestack.h ../include/openssl/sha.h +s23_pkt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +s23_pkt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +s23_pkt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +s23_pkt.o: ../include/openssl/tls1.h ../include/openssl/ui.h +s23_pkt.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h +s23_pkt.o: ../include/openssl/x509_vfy.h s23_pkt.c ssl_locl.h +s23_srvr.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h +s23_srvr.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +s23_srvr.o: ../include/openssl/bn.h ../include/openssl/buffer.h +s23_srvr.o: ../include/openssl/cast.h ../include/openssl/comp.h +s23_srvr.o: ../include/openssl/crypto.h ../include/openssl/des.h +s23_srvr.o: ../include/openssl/des_old.h ../include/openssl/dh.h +s23_srvr.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h +s23_srvr.o: ../include/openssl/err.h ../include/openssl/evp.h +s23_srvr.o: ../include/openssl/idea.h ../include/openssl/kssl.h s23_srvr.o: ../include/openssl/lhash.h ../include/openssl/md2.h s23_srvr.o: ../include/openssl/md4.h ../include/openssl/md5.h s23_srvr.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h s23_srvr.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h -s23_srvr.o: ../include/openssl/opensslv.h ../include/openssl/pem.h -s23_srvr.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -s23_srvr.o: ../include/openssl/rand.h ../include/openssl/rc2.h -s23_srvr.o: ../include/openssl/rc4.h ../include/openssl/rc5.h -s23_srvr.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h -s23_srvr.o: ../include/openssl/safestack.h ../include/openssl/sha.h -s23_srvr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h -s23_srvr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h -s23_srvr.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -s23_srvr.o: ../include/openssl/tls1.h ../include/openssl/x509.h -s23_srvr.o: ../include/openssl/x509_vfy.h ssl_locl.h -s2_clnt.o: ../crypto/cryptlib.h ../include/openssl/asn1.h -s2_clnt.o: ../include/openssl/bio.h ../include/openssl/blowfish.h -s2_clnt.o: ../include/openssl/bn.h ../include/openssl/buffer.h -s2_clnt.o: ../include/openssl/cast.h ../include/openssl/comp.h -s2_clnt.o: ../include/openssl/crypto.h ../include/openssl/des.h +s23_srvr.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +s23_srvr.o: ../include/openssl/pem.h ../include/openssl/pem2.h +s23_srvr.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h +s23_srvr.o: ../include/openssl/rc2.h ../include/openssl/rc4.h +s23_srvr.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h +s23_srvr.o: ../include/openssl/rsa.h ../include/openssl/safestack.h +s23_srvr.o: ../include/openssl/sha.h ../include/openssl/ssl.h +s23_srvr.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h +s23_srvr.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +s23_srvr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +s23_srvr.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h +s23_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s23_srvr.c +s23_srvr.o: ssl_locl.h +s2_clnt.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/aes.h +s2_clnt.o: ../include/openssl/asn1.h ../include/openssl/bio.h +s2_clnt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h +s2_clnt.o: ../include/openssl/buffer.h ../include/openssl/cast.h +s2_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h +s2_clnt.o: ../include/openssl/des.h ../include/openssl/des_old.h s2_clnt.o: ../include/openssl/dh.h ../include/openssl/dsa.h -s2_clnt.o: ../include/openssl/e_os.h ../include/openssl/e_os.h s2_clnt.o: ../include/openssl/e_os2.h ../include/openssl/err.h s2_clnt.o: ../include/openssl/evp.h ../include/openssl/idea.h -s2_clnt.o: ../include/openssl/lhash.h ../include/openssl/md2.h -s2_clnt.o: ../include/openssl/md4.h ../include/openssl/md5.h -s2_clnt.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h -s2_clnt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h -s2_clnt.o: ../include/openssl/opensslv.h ../include/openssl/pem.h +s2_clnt.o: ../include/openssl/kssl.h ../include/openssl/lhash.h +s2_clnt.o: ../include/openssl/md2.h ../include/openssl/md4.h +s2_clnt.o: ../include/openssl/md5.h ../include/openssl/mdc2.h +s2_clnt.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +s2_clnt.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +s2_clnt.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h s2_clnt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h s2_clnt.o: ../include/openssl/rand.h ../include/openssl/rc2.h s2_clnt.o: ../include/openssl/rc4.h ../include/openssl/rc5.h @@ -251,21 +303,24 @@ s2_clnt.o: ../include/openssl/safestack.h ../include/openssl/sha.h s2_clnt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h s2_clnt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h s2_clnt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -s2_clnt.o: ../include/openssl/tls1.h ../include/openssl/x509.h -s2_clnt.o: ../include/openssl/x509_vfy.h ssl_locl.h +s2_clnt.o: ../include/openssl/tls1.h ../include/openssl/ui.h +s2_clnt.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h +s2_clnt.o: ../include/openssl/x509_vfy.h s2_clnt.c ssl_locl.h +s2_enc.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/aes.h s2_enc.o: ../include/openssl/asn1.h ../include/openssl/bio.h s2_enc.o: ../include/openssl/blowfish.h ../include/openssl/bn.h s2_enc.o: ../include/openssl/buffer.h ../include/openssl/cast.h s2_enc.o: ../include/openssl/comp.h ../include/openssl/crypto.h -s2_enc.o: ../include/openssl/des.h ../include/openssl/dh.h -s2_enc.o: ../include/openssl/dsa.h ../include/openssl/e_os.h +s2_enc.o: ../include/openssl/des.h ../include/openssl/des_old.h +s2_enc.o: ../include/openssl/dh.h ../include/openssl/dsa.h s2_enc.o: ../include/openssl/e_os2.h ../include/openssl/err.h s2_enc.o: ../include/openssl/evp.h ../include/openssl/idea.h -s2_enc.o: ../include/openssl/lhash.h ../include/openssl/md2.h -s2_enc.o: ../include/openssl/md4.h ../include/openssl/md5.h -s2_enc.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h -s2_enc.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h -s2_enc.o: ../include/openssl/opensslv.h ../include/openssl/pem.h +s2_enc.o: ../include/openssl/kssl.h ../include/openssl/lhash.h +s2_enc.o: ../include/openssl/md2.h ../include/openssl/md4.h +s2_enc.o: ../include/openssl/md5.h ../include/openssl/mdc2.h +s2_enc.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +s2_enc.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +s2_enc.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h s2_enc.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h s2_enc.o: ../include/openssl/rc2.h ../include/openssl/rc4.h s2_enc.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h @@ -274,21 +329,24 @@ s2_enc.o: ../include/openssl/sha.h ../include/openssl/ssl.h s2_enc.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h s2_enc.o: ../include/openssl/ssl3.h ../include/openssl/stack.h s2_enc.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -s2_enc.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h -s2_lib.o: ../crypto/cryptlib.h ../include/openssl/asn1.h -s2_lib.o: ../include/openssl/bio.h ../include/openssl/blowfish.h -s2_lib.o: ../include/openssl/bn.h ../include/openssl/buffer.h -s2_lib.o: ../include/openssl/cast.h ../include/openssl/comp.h -s2_lib.o: ../include/openssl/crypto.h ../include/openssl/des.h +s2_enc.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h +s2_enc.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s2_enc.c +s2_enc.o: ssl_locl.h +s2_lib.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/aes.h +s2_lib.o: ../include/openssl/asn1.h ../include/openssl/bio.h +s2_lib.o: ../include/openssl/blowfish.h ../include/openssl/bn.h +s2_lib.o: ../include/openssl/buffer.h ../include/openssl/cast.h +s2_lib.o: ../include/openssl/comp.h ../include/openssl/crypto.h +s2_lib.o: ../include/openssl/des.h ../include/openssl/des_old.h s2_lib.o: ../include/openssl/dh.h ../include/openssl/dsa.h -s2_lib.o: ../include/openssl/e_os.h ../include/openssl/e_os.h s2_lib.o: ../include/openssl/e_os2.h ../include/openssl/err.h s2_lib.o: ../include/openssl/evp.h ../include/openssl/idea.h -s2_lib.o: ../include/openssl/lhash.h ../include/openssl/md2.h -s2_lib.o: ../include/openssl/md4.h ../include/openssl/md5.h -s2_lib.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h -s2_lib.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h -s2_lib.o: ../include/openssl/opensslv.h ../include/openssl/pem.h +s2_lib.o: ../include/openssl/kssl.h ../include/openssl/lhash.h +s2_lib.o: ../include/openssl/md2.h ../include/openssl/md4.h +s2_lib.o: ../include/openssl/md5.h ../include/openssl/mdc2.h +s2_lib.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +s2_lib.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +s2_lib.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h s2_lib.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h s2_lib.o: ../include/openssl/rc2.h ../include/openssl/rc4.h s2_lib.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h @@ -297,42 +355,49 @@ s2_lib.o: ../include/openssl/sha.h ../include/openssl/ssl.h s2_lib.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h s2_lib.o: ../include/openssl/ssl3.h ../include/openssl/stack.h s2_lib.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -s2_lib.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h -s2_meth.o: ../include/openssl/asn1.h ../include/openssl/bio.h -s2_meth.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -s2_meth.o: ../include/openssl/buffer.h ../include/openssl/cast.h -s2_meth.o: ../include/openssl/comp.h ../include/openssl/crypto.h -s2_meth.o: ../include/openssl/des.h ../include/openssl/dh.h -s2_meth.o: ../include/openssl/dsa.h ../include/openssl/e_os.h -s2_meth.o: ../include/openssl/e_os2.h ../include/openssl/err.h -s2_meth.o: ../include/openssl/evp.h ../include/openssl/idea.h +s2_lib.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h +s2_lib.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s2_lib.c +s2_lib.o: ssl_locl.h +s2_meth.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h +s2_meth.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +s2_meth.o: ../include/openssl/bn.h ../include/openssl/buffer.h +s2_meth.o: ../include/openssl/cast.h ../include/openssl/comp.h +s2_meth.o: ../include/openssl/crypto.h ../include/openssl/des.h +s2_meth.o: ../include/openssl/des_old.h ../include/openssl/dh.h +s2_meth.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h +s2_meth.o: ../include/openssl/err.h ../include/openssl/evp.h +s2_meth.o: ../include/openssl/idea.h ../include/openssl/kssl.h s2_meth.o: ../include/openssl/lhash.h ../include/openssl/md2.h s2_meth.o: ../include/openssl/md4.h ../include/openssl/md5.h s2_meth.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h s2_meth.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h -s2_meth.o: ../include/openssl/opensslv.h ../include/openssl/pem.h -s2_meth.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -s2_meth.o: ../include/openssl/rc2.h ../include/openssl/rc4.h -s2_meth.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h -s2_meth.o: ../include/openssl/rsa.h ../include/openssl/safestack.h -s2_meth.o: ../include/openssl/sha.h ../include/openssl/ssl.h -s2_meth.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h -s2_meth.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -s2_meth.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -s2_meth.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h +s2_meth.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +s2_meth.o: ../include/openssl/pem.h ../include/openssl/pem2.h +s2_meth.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h +s2_meth.o: ../include/openssl/rc4.h ../include/openssl/rc5.h +s2_meth.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h +s2_meth.o: ../include/openssl/safestack.h ../include/openssl/sha.h +s2_meth.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +s2_meth.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +s2_meth.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +s2_meth.o: ../include/openssl/tls1.h ../include/openssl/ui.h +s2_meth.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h +s2_meth.o: ../include/openssl/x509_vfy.h s2_meth.c ssl_locl.h +s2_pkt.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/aes.h s2_pkt.o: ../include/openssl/asn1.h ../include/openssl/bio.h s2_pkt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h s2_pkt.o: ../include/openssl/buffer.h ../include/openssl/cast.h s2_pkt.o: ../include/openssl/comp.h ../include/openssl/crypto.h -s2_pkt.o: ../include/openssl/des.h ../include/openssl/dh.h -s2_pkt.o: ../include/openssl/dsa.h ../include/openssl/e_os.h +s2_pkt.o: ../include/openssl/des.h ../include/openssl/des_old.h +s2_pkt.o: ../include/openssl/dh.h ../include/openssl/dsa.h s2_pkt.o: ../include/openssl/e_os2.h ../include/openssl/err.h s2_pkt.o: ../include/openssl/evp.h ../include/openssl/idea.h -s2_pkt.o: ../include/openssl/lhash.h ../include/openssl/md2.h -s2_pkt.o: ../include/openssl/md4.h ../include/openssl/md5.h -s2_pkt.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h -s2_pkt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h -s2_pkt.o: ../include/openssl/opensslv.h ../include/openssl/pem.h +s2_pkt.o: ../include/openssl/kssl.h ../include/openssl/lhash.h +s2_pkt.o: ../include/openssl/md2.h ../include/openssl/md4.h +s2_pkt.o: ../include/openssl/md5.h ../include/openssl/mdc2.h +s2_pkt.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +s2_pkt.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +s2_pkt.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h s2_pkt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h s2_pkt.o: ../include/openssl/rc2.h ../include/openssl/rc4.h s2_pkt.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h @@ -341,21 +406,24 @@ s2_pkt.o: ../include/openssl/sha.h ../include/openssl/ssl.h s2_pkt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h s2_pkt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h s2_pkt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -s2_pkt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h -s2_srvr.o: ../crypto/cryptlib.h ../include/openssl/asn1.h -s2_srvr.o: ../include/openssl/bio.h ../include/openssl/blowfish.h -s2_srvr.o: ../include/openssl/bn.h ../include/openssl/buffer.h -s2_srvr.o: ../include/openssl/cast.h ../include/openssl/comp.h -s2_srvr.o: ../include/openssl/crypto.h ../include/openssl/des.h +s2_pkt.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h +s2_pkt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s2_pkt.c +s2_pkt.o: ssl_locl.h +s2_srvr.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/aes.h +s2_srvr.o: ../include/openssl/asn1.h ../include/openssl/bio.h +s2_srvr.o: ../include/openssl/blowfish.h ../include/openssl/bn.h +s2_srvr.o: ../include/openssl/buffer.h ../include/openssl/cast.h +s2_srvr.o: ../include/openssl/comp.h ../include/openssl/crypto.h +s2_srvr.o: ../include/openssl/des.h ../include/openssl/des_old.h s2_srvr.o: ../include/openssl/dh.h ../include/openssl/dsa.h -s2_srvr.o: ../include/openssl/e_os.h ../include/openssl/e_os.h s2_srvr.o: ../include/openssl/e_os2.h ../include/openssl/err.h s2_srvr.o: ../include/openssl/evp.h ../include/openssl/idea.h -s2_srvr.o: ../include/openssl/lhash.h ../include/openssl/md2.h -s2_srvr.o: ../include/openssl/md4.h ../include/openssl/md5.h -s2_srvr.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h -s2_srvr.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h -s2_srvr.o: ../include/openssl/opensslv.h ../include/openssl/pem.h +s2_srvr.o: ../include/openssl/kssl.h ../include/openssl/lhash.h +s2_srvr.o: ../include/openssl/md2.h ../include/openssl/md4.h +s2_srvr.o: ../include/openssl/md5.h ../include/openssl/mdc2.h +s2_srvr.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +s2_srvr.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +s2_srvr.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h s2_srvr.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h s2_srvr.o: ../include/openssl/rand.h ../include/openssl/rc2.h s2_srvr.o: ../include/openssl/rc4.h ../include/openssl/rc5.h @@ -364,45 +432,50 @@ s2_srvr.o: ../include/openssl/safestack.h ../include/openssl/sha.h s2_srvr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h s2_srvr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h s2_srvr.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -s2_srvr.o: ../include/openssl/tls1.h ../include/openssl/x509.h -s2_srvr.o: ../include/openssl/x509_vfy.h ssl_locl.h -s3_both.o: ../include/openssl/asn1.h ../include/openssl/bio.h -s3_both.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -s3_both.o: ../include/openssl/buffer.h ../include/openssl/cast.h -s3_both.o: ../include/openssl/comp.h ../include/openssl/crypto.h -s3_both.o: ../include/openssl/des.h ../include/openssl/dh.h -s3_both.o: ../include/openssl/dsa.h ../include/openssl/e_os.h -s3_both.o: ../include/openssl/e_os2.h ../include/openssl/err.h -s3_both.o: ../include/openssl/evp.h ../include/openssl/idea.h +s2_srvr.o: ../include/openssl/tls1.h ../include/openssl/ui.h +s2_srvr.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h +s2_srvr.o: ../include/openssl/x509_vfy.h s2_srvr.c ssl_locl.h +s3_both.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h +s3_both.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +s3_both.o: ../include/openssl/bn.h ../include/openssl/buffer.h +s3_both.o: ../include/openssl/cast.h ../include/openssl/comp.h +s3_both.o: ../include/openssl/crypto.h ../include/openssl/des.h +s3_both.o: ../include/openssl/des_old.h ../include/openssl/dh.h +s3_both.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h +s3_both.o: ../include/openssl/err.h ../include/openssl/evp.h +s3_both.o: ../include/openssl/idea.h ../include/openssl/kssl.h s3_both.o: ../include/openssl/lhash.h ../include/openssl/md2.h s3_both.o: ../include/openssl/md4.h ../include/openssl/md5.h s3_both.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h s3_both.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h -s3_both.o: ../include/openssl/opensslv.h ../include/openssl/pem.h -s3_both.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -s3_both.o: ../include/openssl/rand.h ../include/openssl/rc2.h -s3_both.o: ../include/openssl/rc4.h ../include/openssl/rc5.h -s3_both.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h -s3_both.o: ../include/openssl/safestack.h ../include/openssl/sha.h -s3_both.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h -s3_both.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h -s3_both.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -s3_both.o: ../include/openssl/tls1.h ../include/openssl/x509.h -s3_both.o: ../include/openssl/x509_vfy.h ssl_locl.h -s3_clnt.o: ../crypto/cryptlib.h ../include/openssl/asn1.h -s3_clnt.o: ../include/openssl/bio.h ../include/openssl/blowfish.h -s3_clnt.o: ../include/openssl/bn.h ../include/openssl/buffer.h -s3_clnt.o: ../include/openssl/cast.h ../include/openssl/comp.h -s3_clnt.o: ../include/openssl/crypto.h ../include/openssl/des.h +s3_both.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +s3_both.o: ../include/openssl/pem.h ../include/openssl/pem2.h +s3_both.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h +s3_both.o: ../include/openssl/rc2.h ../include/openssl/rc4.h +s3_both.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h +s3_both.o: ../include/openssl/rsa.h ../include/openssl/safestack.h +s3_both.o: ../include/openssl/sha.h ../include/openssl/ssl.h +s3_both.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h +s3_both.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +s3_both.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +s3_both.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h +s3_both.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s3_both.c +s3_both.o: ssl_locl.h +s3_clnt.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/aes.h +s3_clnt.o: ../include/openssl/asn1.h ../include/openssl/bio.h +s3_clnt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h +s3_clnt.o: ../include/openssl/buffer.h ../include/openssl/cast.h +s3_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h +s3_clnt.o: ../include/openssl/des.h ../include/openssl/des_old.h s3_clnt.o: ../include/openssl/dh.h ../include/openssl/dsa.h -s3_clnt.o: ../include/openssl/e_os.h ../include/openssl/e_os.h s3_clnt.o: ../include/openssl/e_os2.h ../include/openssl/err.h s3_clnt.o: ../include/openssl/evp.h ../include/openssl/idea.h -s3_clnt.o: ../include/openssl/lhash.h ../include/openssl/md2.h -s3_clnt.o: ../include/openssl/md4.h ../include/openssl/md5.h -s3_clnt.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h -s3_clnt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h -s3_clnt.o: ../include/openssl/opensslv.h ../include/openssl/pem.h +s3_clnt.o: ../include/openssl/kssl.h ../include/openssl/lhash.h +s3_clnt.o: ../include/openssl/md2.h ../include/openssl/md4.h +s3_clnt.o: ../include/openssl/md5.h ../include/openssl/mdc2.h +s3_clnt.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +s3_clnt.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +s3_clnt.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h s3_clnt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h s3_clnt.o: ../include/openssl/rand.h ../include/openssl/rc2.h s3_clnt.o: ../include/openssl/rc4.h ../include/openssl/rc5.h @@ -411,156 +484,176 @@ s3_clnt.o: ../include/openssl/safestack.h ../include/openssl/sha.h s3_clnt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h s3_clnt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h s3_clnt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -s3_clnt.o: ../include/openssl/tls1.h ../include/openssl/x509.h -s3_clnt.o: ../include/openssl/x509_vfy.h ssl_locl.h -s3_enc.o: ../include/openssl/asn1.h ../include/openssl/bio.h -s3_enc.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -s3_enc.o: ../include/openssl/buffer.h ../include/openssl/cast.h -s3_enc.o: ../include/openssl/comp.h ../include/openssl/crypto.h -s3_enc.o: ../include/openssl/des.h ../include/openssl/dh.h -s3_enc.o: ../include/openssl/dsa.h ../include/openssl/e_os.h -s3_enc.o: ../include/openssl/e_os2.h ../include/openssl/err.h -s3_enc.o: ../include/openssl/evp.h ../include/openssl/idea.h +s3_clnt.o: ../include/openssl/tls1.h ../include/openssl/ui.h +s3_clnt.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h +s3_clnt.o: ../include/openssl/x509_vfy.h kssl_lcl.h s3_clnt.c ssl_locl.h +s3_enc.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h +s3_enc.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +s3_enc.o: ../include/openssl/bn.h ../include/openssl/buffer.h +s3_enc.o: ../include/openssl/cast.h ../include/openssl/comp.h +s3_enc.o: ../include/openssl/crypto.h ../include/openssl/des.h +s3_enc.o: ../include/openssl/des_old.h ../include/openssl/dh.h +s3_enc.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h +s3_enc.o: ../include/openssl/err.h ../include/openssl/evp.h +s3_enc.o: ../include/openssl/idea.h ../include/openssl/kssl.h s3_enc.o: ../include/openssl/lhash.h ../include/openssl/md2.h s3_enc.o: ../include/openssl/md4.h ../include/openssl/md5.h s3_enc.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h s3_enc.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h -s3_enc.o: ../include/openssl/opensslv.h ../include/openssl/pem.h -s3_enc.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -s3_enc.o: ../include/openssl/rc2.h ../include/openssl/rc4.h -s3_enc.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h -s3_enc.o: ../include/openssl/rsa.h ../include/openssl/safestack.h -s3_enc.o: ../include/openssl/sha.h ../include/openssl/ssl.h -s3_enc.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h -s3_enc.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -s3_enc.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -s3_enc.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h -s3_lib.o: ../include/openssl/asn1.h ../include/openssl/bio.h -s3_lib.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -s3_lib.o: ../include/openssl/buffer.h ../include/openssl/cast.h -s3_lib.o: ../include/openssl/comp.h ../include/openssl/crypto.h -s3_lib.o: ../include/openssl/des.h ../include/openssl/dh.h -s3_lib.o: ../include/openssl/dsa.h ../include/openssl/e_os.h -s3_lib.o: ../include/openssl/e_os2.h ../include/openssl/err.h -s3_lib.o: ../include/openssl/evp.h ../include/openssl/idea.h +s3_enc.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +s3_enc.o: ../include/openssl/pem.h ../include/openssl/pem2.h +s3_enc.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h +s3_enc.o: ../include/openssl/rc4.h ../include/openssl/rc5.h +s3_enc.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h +s3_enc.o: ../include/openssl/safestack.h ../include/openssl/sha.h +s3_enc.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +s3_enc.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +s3_enc.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +s3_enc.o: ../include/openssl/tls1.h ../include/openssl/ui.h +s3_enc.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h +s3_enc.o: ../include/openssl/x509_vfy.h s3_enc.c ssl_locl.h +s3_lib.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h +s3_lib.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +s3_lib.o: ../include/openssl/bn.h ../include/openssl/buffer.h +s3_lib.o: ../include/openssl/cast.h ../include/openssl/comp.h +s3_lib.o: ../include/openssl/crypto.h ../include/openssl/des.h +s3_lib.o: ../include/openssl/des_old.h ../include/openssl/dh.h +s3_lib.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h +s3_lib.o: ../include/openssl/err.h ../include/openssl/evp.h +s3_lib.o: ../include/openssl/idea.h ../include/openssl/kssl.h s3_lib.o: ../include/openssl/lhash.h ../include/openssl/md2.h s3_lib.o: ../include/openssl/md4.h ../include/openssl/md5.h s3_lib.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h s3_lib.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h -s3_lib.o: ../include/openssl/opensslv.h ../include/openssl/pem.h -s3_lib.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -s3_lib.o: ../include/openssl/rc2.h ../include/openssl/rc4.h -s3_lib.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h -s3_lib.o: ../include/openssl/rsa.h ../include/openssl/safestack.h -s3_lib.o: ../include/openssl/sha.h ../include/openssl/ssl.h -s3_lib.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h -s3_lib.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -s3_lib.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -s3_lib.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h -s3_meth.o: ../include/openssl/asn1.h ../include/openssl/bio.h -s3_meth.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -s3_meth.o: ../include/openssl/buffer.h ../include/openssl/cast.h -s3_meth.o: ../include/openssl/comp.h ../include/openssl/crypto.h -s3_meth.o: ../include/openssl/des.h ../include/openssl/dh.h -s3_meth.o: ../include/openssl/dsa.h ../include/openssl/e_os.h -s3_meth.o: ../include/openssl/e_os2.h ../include/openssl/err.h -s3_meth.o: ../include/openssl/evp.h ../include/openssl/idea.h +s3_lib.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +s3_lib.o: ../include/openssl/pem.h ../include/openssl/pem2.h +s3_lib.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h +s3_lib.o: ../include/openssl/rc4.h ../include/openssl/rc5.h +s3_lib.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h +s3_lib.o: ../include/openssl/safestack.h ../include/openssl/sha.h +s3_lib.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +s3_lib.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +s3_lib.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +s3_lib.o: ../include/openssl/tls1.h ../include/openssl/ui.h +s3_lib.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h +s3_lib.o: ../include/openssl/x509_vfy.h kssl_lcl.h s3_lib.c ssl_locl.h +s3_meth.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h +s3_meth.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +s3_meth.o: ../include/openssl/bn.h ../include/openssl/buffer.h +s3_meth.o: ../include/openssl/cast.h ../include/openssl/comp.h +s3_meth.o: ../include/openssl/crypto.h ../include/openssl/des.h +s3_meth.o: ../include/openssl/des_old.h ../include/openssl/dh.h +s3_meth.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h +s3_meth.o: ../include/openssl/err.h ../include/openssl/evp.h +s3_meth.o: ../include/openssl/idea.h ../include/openssl/kssl.h s3_meth.o: ../include/openssl/lhash.h ../include/openssl/md2.h s3_meth.o: ../include/openssl/md4.h ../include/openssl/md5.h s3_meth.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h s3_meth.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h -s3_meth.o: ../include/openssl/opensslv.h ../include/openssl/pem.h -s3_meth.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -s3_meth.o: ../include/openssl/rc2.h ../include/openssl/rc4.h -s3_meth.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h -s3_meth.o: ../include/openssl/rsa.h ../include/openssl/safestack.h -s3_meth.o: ../include/openssl/sha.h ../include/openssl/ssl.h -s3_meth.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h -s3_meth.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -s3_meth.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -s3_meth.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h -s3_pkt.o: ../include/openssl/asn1.h ../include/openssl/bio.h -s3_pkt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -s3_pkt.o: ../include/openssl/buffer.h ../include/openssl/cast.h -s3_pkt.o: ../include/openssl/comp.h ../include/openssl/crypto.h -s3_pkt.o: ../include/openssl/des.h ../include/openssl/dh.h -s3_pkt.o: ../include/openssl/dsa.h ../include/openssl/e_os.h -s3_pkt.o: ../include/openssl/e_os2.h ../include/openssl/err.h -s3_pkt.o: ../include/openssl/evp.h ../include/openssl/idea.h +s3_meth.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +s3_meth.o: ../include/openssl/pem.h ../include/openssl/pem2.h +s3_meth.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h +s3_meth.o: ../include/openssl/rc4.h ../include/openssl/rc5.h +s3_meth.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h +s3_meth.o: ../include/openssl/safestack.h ../include/openssl/sha.h +s3_meth.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +s3_meth.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +s3_meth.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +s3_meth.o: ../include/openssl/tls1.h ../include/openssl/ui.h +s3_meth.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h +s3_meth.o: ../include/openssl/x509_vfy.h s3_meth.c ssl_locl.h +s3_pkt.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h +s3_pkt.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +s3_pkt.o: ../include/openssl/bn.h ../include/openssl/buffer.h +s3_pkt.o: ../include/openssl/cast.h ../include/openssl/comp.h +s3_pkt.o: ../include/openssl/crypto.h ../include/openssl/des.h +s3_pkt.o: ../include/openssl/des_old.h ../include/openssl/dh.h +s3_pkt.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h +s3_pkt.o: ../include/openssl/err.h ../include/openssl/evp.h +s3_pkt.o: ../include/openssl/idea.h ../include/openssl/kssl.h s3_pkt.o: ../include/openssl/lhash.h ../include/openssl/md2.h s3_pkt.o: ../include/openssl/md4.h ../include/openssl/md5.h s3_pkt.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h s3_pkt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h -s3_pkt.o: ../include/openssl/opensslv.h ../include/openssl/pem.h -s3_pkt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -s3_pkt.o: ../include/openssl/rc2.h ../include/openssl/rc4.h -s3_pkt.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h -s3_pkt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h -s3_pkt.o: ../include/openssl/sha.h ../include/openssl/ssl.h -s3_pkt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h -s3_pkt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -s3_pkt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -s3_pkt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h -s3_srvr.o: ../crypto/cryptlib.h ../include/openssl/asn1.h -s3_srvr.o: ../include/openssl/bio.h ../include/openssl/blowfish.h -s3_srvr.o: ../include/openssl/bn.h ../include/openssl/buffer.h -s3_srvr.o: ../include/openssl/cast.h ../include/openssl/comp.h -s3_srvr.o: ../include/openssl/crypto.h ../include/openssl/des.h +s3_pkt.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +s3_pkt.o: ../include/openssl/pem.h ../include/openssl/pem2.h +s3_pkt.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h +s3_pkt.o: ../include/openssl/rc4.h ../include/openssl/rc5.h +s3_pkt.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h +s3_pkt.o: ../include/openssl/safestack.h ../include/openssl/sha.h +s3_pkt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +s3_pkt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +s3_pkt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +s3_pkt.o: ../include/openssl/tls1.h ../include/openssl/ui.h +s3_pkt.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h +s3_pkt.o: ../include/openssl/x509_vfy.h s3_pkt.c ssl_locl.h +s3_srvr.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/aes.h +s3_srvr.o: ../include/openssl/asn1.h ../include/openssl/bio.h +s3_srvr.o: ../include/openssl/blowfish.h ../include/openssl/bn.h +s3_srvr.o: ../include/openssl/buffer.h ../include/openssl/cast.h +s3_srvr.o: ../include/openssl/comp.h ../include/openssl/crypto.h +s3_srvr.o: ../include/openssl/des.h ../include/openssl/des_old.h s3_srvr.o: ../include/openssl/dh.h ../include/openssl/dsa.h -s3_srvr.o: ../include/openssl/e_os.h ../include/openssl/e_os.h s3_srvr.o: ../include/openssl/e_os2.h ../include/openssl/err.h s3_srvr.o: ../include/openssl/evp.h ../include/openssl/idea.h +s3_srvr.o: ../include/openssl/krb5_asn.h ../include/openssl/kssl.h s3_srvr.o: ../include/openssl/lhash.h ../include/openssl/md2.h s3_srvr.o: ../include/openssl/md4.h ../include/openssl/md5.h s3_srvr.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h s3_srvr.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h -s3_srvr.o: ../include/openssl/opensslv.h ../include/openssl/pem.h -s3_srvr.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -s3_srvr.o: ../include/openssl/rand.h ../include/openssl/rc2.h -s3_srvr.o: ../include/openssl/rc4.h ../include/openssl/rc5.h -s3_srvr.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h -s3_srvr.o: ../include/openssl/safestack.h ../include/openssl/sha.h -s3_srvr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h -s3_srvr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h -s3_srvr.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -s3_srvr.o: ../include/openssl/tls1.h ../include/openssl/x509.h -s3_srvr.o: ../include/openssl/x509_vfy.h ssl_locl.h -ssl_algs.o: ../include/openssl/asn1.h ../include/openssl/bio.h -ssl_algs.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -ssl_algs.o: ../include/openssl/buffer.h ../include/openssl/cast.h -ssl_algs.o: ../include/openssl/comp.h ../include/openssl/crypto.h -ssl_algs.o: ../include/openssl/des.h ../include/openssl/dh.h -ssl_algs.o: ../include/openssl/dsa.h ../include/openssl/e_os.h -ssl_algs.o: ../include/openssl/e_os2.h ../include/openssl/err.h -ssl_algs.o: ../include/openssl/evp.h ../include/openssl/idea.h +s3_srvr.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +s3_srvr.o: ../include/openssl/pem.h ../include/openssl/pem2.h +s3_srvr.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h +s3_srvr.o: ../include/openssl/rc2.h ../include/openssl/rc4.h +s3_srvr.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h +s3_srvr.o: ../include/openssl/rsa.h ../include/openssl/safestack.h +s3_srvr.o: ../include/openssl/sha.h ../include/openssl/ssl.h +s3_srvr.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h +s3_srvr.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +s3_srvr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +s3_srvr.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h +s3_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h kssl_lcl.h +s3_srvr.o: s3_srvr.c ssl_locl.h +ssl_algs.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h +ssl_algs.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +ssl_algs.o: ../include/openssl/bn.h ../include/openssl/buffer.h +ssl_algs.o: ../include/openssl/cast.h ../include/openssl/comp.h +ssl_algs.o: ../include/openssl/crypto.h ../include/openssl/des.h +ssl_algs.o: ../include/openssl/des_old.h ../include/openssl/dh.h +ssl_algs.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h +ssl_algs.o: ../include/openssl/err.h ../include/openssl/evp.h +ssl_algs.o: ../include/openssl/idea.h ../include/openssl/kssl.h ssl_algs.o: ../include/openssl/lhash.h ../include/openssl/md2.h ssl_algs.o: ../include/openssl/md4.h ../include/openssl/md5.h ssl_algs.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h ssl_algs.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h -ssl_algs.o: ../include/openssl/opensslv.h ../include/openssl/pem.h -ssl_algs.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -ssl_algs.o: ../include/openssl/rc2.h ../include/openssl/rc4.h -ssl_algs.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h -ssl_algs.o: ../include/openssl/rsa.h ../include/openssl/safestack.h -ssl_algs.o: ../include/openssl/sha.h ../include/openssl/ssl.h -ssl_algs.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h -ssl_algs.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -ssl_algs.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -ssl_algs.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h -ssl_asn1.o: ../crypto/cryptlib.h ../include/openssl/asn1.h -ssl_asn1.o: ../include/openssl/asn1_mac.h ../include/openssl/bio.h -ssl_asn1.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -ssl_asn1.o: ../include/openssl/buffer.h ../include/openssl/cast.h -ssl_asn1.o: ../include/openssl/comp.h ../include/openssl/crypto.h -ssl_asn1.o: ../include/openssl/des.h ../include/openssl/dh.h -ssl_asn1.o: ../include/openssl/dsa.h ../include/openssl/e_os.h -ssl_asn1.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h +ssl_algs.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +ssl_algs.o: ../include/openssl/pem.h ../include/openssl/pem2.h +ssl_algs.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h +ssl_algs.o: ../include/openssl/rc4.h ../include/openssl/rc5.h +ssl_algs.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h +ssl_algs.o: ../include/openssl/safestack.h ../include/openssl/sha.h +ssl_algs.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +ssl_algs.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +ssl_algs.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +ssl_algs.o: ../include/openssl/tls1.h ../include/openssl/ui.h +ssl_algs.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h +ssl_algs.o: ../include/openssl/x509_vfy.h ssl_algs.c ssl_locl.h +ssl_asn1.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/aes.h +ssl_asn1.o: ../include/openssl/asn1.h ../include/openssl/asn1_mac.h +ssl_asn1.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +ssl_asn1.o: ../include/openssl/bn.h ../include/openssl/buffer.h +ssl_asn1.o: ../include/openssl/cast.h ../include/openssl/comp.h +ssl_asn1.o: ../include/openssl/crypto.h ../include/openssl/des.h +ssl_asn1.o: ../include/openssl/des_old.h ../include/openssl/dh.h +ssl_asn1.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h ssl_asn1.o: ../include/openssl/err.h ../include/openssl/evp.h -ssl_asn1.o: ../include/openssl/idea.h ../include/openssl/lhash.h -ssl_asn1.o: ../include/openssl/md2.h ../include/openssl/md4.h -ssl_asn1.o: ../include/openssl/md5.h ../include/openssl/mdc2.h -ssl_asn1.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -ssl_asn1.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +ssl_asn1.o: ../include/openssl/idea.h ../include/openssl/kssl.h +ssl_asn1.o: ../include/openssl/lhash.h ../include/openssl/md2.h +ssl_asn1.o: ../include/openssl/md4.h ../include/openssl/md5.h +ssl_asn1.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h +ssl_asn1.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h +ssl_asn1.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h ssl_asn1.o: ../include/openssl/pem.h ../include/openssl/pem2.h ssl_asn1.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h ssl_asn1.o: ../include/openssl/rc4.h ../include/openssl/rc5.h @@ -569,22 +662,24 @@ ssl_asn1.o: ../include/openssl/safestack.h ../include/openssl/sha.h ssl_asn1.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h ssl_asn1.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h ssl_asn1.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -ssl_asn1.o: ../include/openssl/tls1.h ../include/openssl/x509.h -ssl_asn1.o: ../include/openssl/x509_vfy.h ssl_locl.h -ssl_cert.o: ../include/openssl/asn1.h ../include/openssl/bio.h -ssl_cert.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -ssl_cert.o: ../include/openssl/buffer.h ../include/openssl/cast.h -ssl_cert.o: ../include/openssl/comp.h ../include/openssl/conf.h -ssl_cert.o: ../include/openssl/crypto.h ../include/openssl/des.h +ssl_asn1.o: ../include/openssl/tls1.h ../include/openssl/ui.h +ssl_asn1.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h +ssl_asn1.o: ../include/openssl/x509_vfy.h ssl_asn1.c ssl_locl.h +ssl_cert.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h +ssl_cert.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +ssl_cert.o: ../include/openssl/bn.h ../include/openssl/buffer.h +ssl_cert.o: ../include/openssl/cast.h ../include/openssl/comp.h +ssl_cert.o: ../include/openssl/conf.h ../include/openssl/crypto.h +ssl_cert.o: ../include/openssl/des.h ../include/openssl/des_old.h ssl_cert.o: ../include/openssl/dh.h ../include/openssl/dsa.h -ssl_cert.o: ../include/openssl/e_os.h ../include/openssl/e_os.h ssl_cert.o: ../include/openssl/e_os2.h ../include/openssl/err.h ssl_cert.o: ../include/openssl/evp.h ../include/openssl/idea.h -ssl_cert.o: ../include/openssl/lhash.h ../include/openssl/md2.h -ssl_cert.o: ../include/openssl/md4.h ../include/openssl/md5.h -ssl_cert.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h -ssl_cert.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h -ssl_cert.o: ../include/openssl/opensslv.h ../include/openssl/pem.h +ssl_cert.o: ../include/openssl/kssl.h ../include/openssl/lhash.h +ssl_cert.o: ../include/openssl/md2.h ../include/openssl/md4.h +ssl_cert.o: ../include/openssl/md5.h ../include/openssl/mdc2.h +ssl_cert.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +ssl_cert.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +ssl_cert.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h ssl_cert.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h ssl_cert.o: ../include/openssl/rc2.h ../include/openssl/rc4.h ssl_cert.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h @@ -593,42 +688,48 @@ ssl_cert.o: ../include/openssl/sha.h ../include/openssl/ssl.h ssl_cert.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h ssl_cert.o: ../include/openssl/ssl3.h ../include/openssl/stack.h ssl_cert.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +ssl_cert.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h ssl_cert.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -ssl_cert.o: ../include/openssl/x509v3.h ssl_locl.h -ssl_ciph.o: ../include/openssl/asn1.h ../include/openssl/bio.h -ssl_ciph.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -ssl_ciph.o: ../include/openssl/buffer.h ../include/openssl/cast.h -ssl_ciph.o: ../include/openssl/comp.h ../include/openssl/crypto.h -ssl_ciph.o: ../include/openssl/des.h ../include/openssl/dh.h -ssl_ciph.o: ../include/openssl/dsa.h ../include/openssl/e_os.h -ssl_ciph.o: ../include/openssl/e_os2.h ../include/openssl/err.h -ssl_ciph.o: ../include/openssl/evp.h ../include/openssl/idea.h +ssl_cert.o: ../include/openssl/x509v3.h ssl_cert.c ssl_locl.h +ssl_ciph.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h +ssl_ciph.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +ssl_ciph.o: ../include/openssl/bn.h ../include/openssl/buffer.h +ssl_ciph.o: ../include/openssl/cast.h ../include/openssl/comp.h +ssl_ciph.o: ../include/openssl/crypto.h ../include/openssl/des.h +ssl_ciph.o: ../include/openssl/des_old.h ../include/openssl/dh.h +ssl_ciph.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h +ssl_ciph.o: ../include/openssl/err.h ../include/openssl/evp.h +ssl_ciph.o: ../include/openssl/idea.h ../include/openssl/kssl.h ssl_ciph.o: ../include/openssl/lhash.h ../include/openssl/md2.h ssl_ciph.o: ../include/openssl/md4.h ../include/openssl/md5.h ssl_ciph.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h ssl_ciph.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h -ssl_ciph.o: ../include/openssl/opensslv.h ../include/openssl/pem.h -ssl_ciph.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -ssl_ciph.o: ../include/openssl/rc2.h ../include/openssl/rc4.h -ssl_ciph.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h -ssl_ciph.o: ../include/openssl/rsa.h ../include/openssl/safestack.h -ssl_ciph.o: ../include/openssl/sha.h ../include/openssl/ssl.h -ssl_ciph.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h -ssl_ciph.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -ssl_ciph.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -ssl_ciph.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h -ssl_err.o: ../include/openssl/asn1.h ../include/openssl/bio.h -ssl_err.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -ssl_err.o: ../include/openssl/buffer.h ../include/openssl/cast.h -ssl_err.o: ../include/openssl/comp.h ../include/openssl/crypto.h -ssl_err.o: ../include/openssl/des.h ../include/openssl/dh.h +ssl_ciph.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +ssl_ciph.o: ../include/openssl/pem.h ../include/openssl/pem2.h +ssl_ciph.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h +ssl_ciph.o: ../include/openssl/rc4.h ../include/openssl/rc5.h +ssl_ciph.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h +ssl_ciph.o: ../include/openssl/safestack.h ../include/openssl/sha.h +ssl_ciph.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +ssl_ciph.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +ssl_ciph.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +ssl_ciph.o: ../include/openssl/tls1.h ../include/openssl/ui.h +ssl_ciph.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h +ssl_ciph.o: ../include/openssl/x509_vfy.h ssl_ciph.c ssl_locl.h +ssl_err.o: ../include/openssl/aes.h ../include/openssl/asn1.h +ssl_err.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +ssl_err.o: ../include/openssl/bn.h ../include/openssl/buffer.h +ssl_err.o: ../include/openssl/cast.h ../include/openssl/comp.h +ssl_err.o: ../include/openssl/crypto.h ../include/openssl/des.h +ssl_err.o: ../include/openssl/des_old.h ../include/openssl/dh.h ssl_err.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h ssl_err.o: ../include/openssl/err.h ../include/openssl/evp.h -ssl_err.o: ../include/openssl/idea.h ../include/openssl/lhash.h -ssl_err.o: ../include/openssl/md2.h ../include/openssl/md4.h -ssl_err.o: ../include/openssl/md5.h ../include/openssl/mdc2.h -ssl_err.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -ssl_err.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +ssl_err.o: ../include/openssl/idea.h ../include/openssl/kssl.h +ssl_err.o: ../include/openssl/lhash.h ../include/openssl/md2.h +ssl_err.o: ../include/openssl/md4.h ../include/openssl/md5.h +ssl_err.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h +ssl_err.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h +ssl_err.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h ssl_err.o: ../include/openssl/pem.h ../include/openssl/pem2.h ssl_err.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h ssl_err.o: ../include/openssl/rc4.h ../include/openssl/rc5.h @@ -637,20 +738,23 @@ ssl_err.o: ../include/openssl/safestack.h ../include/openssl/sha.h ssl_err.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h ssl_err.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h ssl_err.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -ssl_err.o: ../include/openssl/tls1.h ../include/openssl/x509.h -ssl_err.o: ../include/openssl/x509_vfy.h -ssl_err2.o: ../include/openssl/asn1.h ../include/openssl/bio.h -ssl_err2.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -ssl_err2.o: ../include/openssl/buffer.h ../include/openssl/cast.h -ssl_err2.o: ../include/openssl/comp.h ../include/openssl/crypto.h -ssl_err2.o: ../include/openssl/des.h ../include/openssl/dh.h +ssl_err.o: ../include/openssl/tls1.h ../include/openssl/ui.h +ssl_err.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h +ssl_err.o: ../include/openssl/x509_vfy.h ssl_err.c +ssl_err2.o: ../include/openssl/aes.h ../include/openssl/asn1.h +ssl_err2.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +ssl_err2.o: ../include/openssl/bn.h ../include/openssl/buffer.h +ssl_err2.o: ../include/openssl/cast.h ../include/openssl/comp.h +ssl_err2.o: ../include/openssl/crypto.h ../include/openssl/des.h +ssl_err2.o: ../include/openssl/des_old.h ../include/openssl/dh.h ssl_err2.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h ssl_err2.o: ../include/openssl/err.h ../include/openssl/evp.h -ssl_err2.o: ../include/openssl/idea.h ../include/openssl/lhash.h -ssl_err2.o: ../include/openssl/md2.h ../include/openssl/md4.h -ssl_err2.o: ../include/openssl/md5.h ../include/openssl/mdc2.h -ssl_err2.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -ssl_err2.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +ssl_err2.o: ../include/openssl/idea.h ../include/openssl/kssl.h +ssl_err2.o: ../include/openssl/lhash.h ../include/openssl/md2.h +ssl_err2.o: ../include/openssl/md4.h ../include/openssl/md5.h +ssl_err2.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h +ssl_err2.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h +ssl_err2.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h ssl_err2.o: ../include/openssl/pem.h ../include/openssl/pem2.h ssl_err2.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h ssl_err2.o: ../include/openssl/rc4.h ../include/openssl/rc5.h @@ -659,21 +763,24 @@ ssl_err2.o: ../include/openssl/safestack.h ../include/openssl/sha.h ssl_err2.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h ssl_err2.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h ssl_err2.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -ssl_err2.o: ../include/openssl/tls1.h ../include/openssl/x509.h -ssl_err2.o: ../include/openssl/x509_vfy.h +ssl_err2.o: ../include/openssl/tls1.h ../include/openssl/ui.h +ssl_err2.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h +ssl_err2.o: ../include/openssl/x509_vfy.h ssl_err2.c +ssl_lib.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/aes.h ssl_lib.o: ../include/openssl/asn1.h ../include/openssl/bio.h ssl_lib.o: ../include/openssl/blowfish.h ../include/openssl/bn.h ssl_lib.o: ../include/openssl/buffer.h ../include/openssl/cast.h ssl_lib.o: ../include/openssl/comp.h ../include/openssl/conf.h ssl_lib.o: ../include/openssl/crypto.h ../include/openssl/des.h -ssl_lib.o: ../include/openssl/dh.h ../include/openssl/dsa.h -ssl_lib.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h +ssl_lib.o: ../include/openssl/des_old.h ../include/openssl/dh.h +ssl_lib.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h ssl_lib.o: ../include/openssl/err.h ../include/openssl/evp.h -ssl_lib.o: ../include/openssl/idea.h ../include/openssl/lhash.h -ssl_lib.o: ../include/openssl/md2.h ../include/openssl/md4.h -ssl_lib.o: ../include/openssl/md5.h ../include/openssl/mdc2.h -ssl_lib.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -ssl_lib.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +ssl_lib.o: ../include/openssl/idea.h ../include/openssl/kssl.h +ssl_lib.o: ../include/openssl/lhash.h ../include/openssl/md2.h +ssl_lib.o: ../include/openssl/md4.h ../include/openssl/md5.h +ssl_lib.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h +ssl_lib.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h +ssl_lib.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h ssl_lib.o: ../include/openssl/pem.h ../include/openssl/pem2.h ssl_lib.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h ssl_lib.o: ../include/openssl/rc4.h ../include/openssl/rc5.h @@ -682,44 +789,50 @@ ssl_lib.o: ../include/openssl/safestack.h ../include/openssl/sha.h ssl_lib.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h ssl_lib.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h ssl_lib.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -ssl_lib.o: ../include/openssl/tls1.h ../include/openssl/x509.h -ssl_lib.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h ssl_locl.h -ssl_rsa.o: ../include/openssl/asn1.h ../include/openssl/bio.h -ssl_rsa.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -ssl_rsa.o: ../include/openssl/buffer.h ../include/openssl/cast.h -ssl_rsa.o: ../include/openssl/comp.h ../include/openssl/crypto.h -ssl_rsa.o: ../include/openssl/des.h ../include/openssl/dh.h -ssl_rsa.o: ../include/openssl/dsa.h ../include/openssl/e_os.h -ssl_rsa.o: ../include/openssl/e_os2.h ../include/openssl/err.h -ssl_rsa.o: ../include/openssl/evp.h ../include/openssl/idea.h +ssl_lib.o: ../include/openssl/tls1.h ../include/openssl/ui.h +ssl_lib.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h +ssl_lib.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h kssl_lcl.h +ssl_lib.o: ssl_lib.c ssl_locl.h +ssl_rsa.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h +ssl_rsa.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +ssl_rsa.o: ../include/openssl/bn.h ../include/openssl/buffer.h +ssl_rsa.o: ../include/openssl/cast.h ../include/openssl/comp.h +ssl_rsa.o: ../include/openssl/crypto.h ../include/openssl/des.h +ssl_rsa.o: ../include/openssl/des_old.h ../include/openssl/dh.h +ssl_rsa.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h +ssl_rsa.o: ../include/openssl/err.h ../include/openssl/evp.h +ssl_rsa.o: ../include/openssl/idea.h ../include/openssl/kssl.h ssl_rsa.o: ../include/openssl/lhash.h ../include/openssl/md2.h ssl_rsa.o: ../include/openssl/md4.h ../include/openssl/md5.h ssl_rsa.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h ssl_rsa.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h -ssl_rsa.o: ../include/openssl/opensslv.h ../include/openssl/pem.h -ssl_rsa.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -ssl_rsa.o: ../include/openssl/rc2.h ../include/openssl/rc4.h -ssl_rsa.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h -ssl_rsa.o: ../include/openssl/rsa.h ../include/openssl/safestack.h -ssl_rsa.o: ../include/openssl/sha.h ../include/openssl/ssl.h -ssl_rsa.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h -ssl_rsa.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -ssl_rsa.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -ssl_rsa.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h -ssl_sess.o: ../crypto/cryptlib.h ../include/openssl/asn1.h -ssl_sess.o: ../include/openssl/bio.h ../include/openssl/blowfish.h -ssl_sess.o: ../include/openssl/bn.h ../include/openssl/buffer.h -ssl_sess.o: ../include/openssl/cast.h ../include/openssl/comp.h -ssl_sess.o: ../include/openssl/crypto.h ../include/openssl/des.h +ssl_rsa.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +ssl_rsa.o: ../include/openssl/pem.h ../include/openssl/pem2.h +ssl_rsa.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h +ssl_rsa.o: ../include/openssl/rc4.h ../include/openssl/rc5.h +ssl_rsa.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h +ssl_rsa.o: ../include/openssl/safestack.h ../include/openssl/sha.h +ssl_rsa.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +ssl_rsa.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +ssl_rsa.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +ssl_rsa.o: ../include/openssl/tls1.h ../include/openssl/ui.h +ssl_rsa.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h +ssl_rsa.o: ../include/openssl/x509_vfy.h ssl_locl.h ssl_rsa.c +ssl_sess.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/aes.h +ssl_sess.o: ../include/openssl/asn1.h ../include/openssl/bio.h +ssl_sess.o: ../include/openssl/blowfish.h ../include/openssl/bn.h +ssl_sess.o: ../include/openssl/buffer.h ../include/openssl/cast.h +ssl_sess.o: ../include/openssl/comp.h ../include/openssl/crypto.h +ssl_sess.o: ../include/openssl/des.h ../include/openssl/des_old.h ssl_sess.o: ../include/openssl/dh.h ../include/openssl/dsa.h -ssl_sess.o: ../include/openssl/e_os.h ../include/openssl/e_os.h ssl_sess.o: ../include/openssl/e_os2.h ../include/openssl/err.h ssl_sess.o: ../include/openssl/evp.h ../include/openssl/idea.h -ssl_sess.o: ../include/openssl/lhash.h ../include/openssl/md2.h -ssl_sess.o: ../include/openssl/md4.h ../include/openssl/md5.h -ssl_sess.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h -ssl_sess.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h -ssl_sess.o: ../include/openssl/opensslv.h ../include/openssl/pem.h +ssl_sess.o: ../include/openssl/kssl.h ../include/openssl/lhash.h +ssl_sess.o: ../include/openssl/md2.h ../include/openssl/md4.h +ssl_sess.o: ../include/openssl/md5.h ../include/openssl/mdc2.h +ssl_sess.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +ssl_sess.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +ssl_sess.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h ssl_sess.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h ssl_sess.o: ../include/openssl/rand.h ../include/openssl/rc2.h ssl_sess.o: ../include/openssl/rc4.h ../include/openssl/rc5.h @@ -728,162 +841,184 @@ ssl_sess.o: ../include/openssl/safestack.h ../include/openssl/sha.h ssl_sess.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h ssl_sess.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h ssl_sess.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -ssl_sess.o: ../include/openssl/tls1.h ../include/openssl/x509.h -ssl_sess.o: ../include/openssl/x509_vfy.h ssl_locl.h -ssl_stat.o: ../include/openssl/asn1.h ../include/openssl/bio.h -ssl_stat.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -ssl_stat.o: ../include/openssl/buffer.h ../include/openssl/cast.h -ssl_stat.o: ../include/openssl/comp.h ../include/openssl/crypto.h -ssl_stat.o: ../include/openssl/des.h ../include/openssl/dh.h -ssl_stat.o: ../include/openssl/dsa.h ../include/openssl/e_os.h -ssl_stat.o: ../include/openssl/e_os2.h ../include/openssl/err.h -ssl_stat.o: ../include/openssl/evp.h ../include/openssl/idea.h +ssl_sess.o: ../include/openssl/tls1.h ../include/openssl/ui.h +ssl_sess.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h +ssl_sess.o: ../include/openssl/x509_vfy.h ssl_locl.h ssl_sess.c +ssl_stat.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h +ssl_stat.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +ssl_stat.o: ../include/openssl/bn.h ../include/openssl/buffer.h +ssl_stat.o: ../include/openssl/cast.h ../include/openssl/comp.h +ssl_stat.o: ../include/openssl/crypto.h ../include/openssl/des.h +ssl_stat.o: ../include/openssl/des_old.h ../include/openssl/dh.h +ssl_stat.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h +ssl_stat.o: ../include/openssl/err.h ../include/openssl/evp.h +ssl_stat.o: ../include/openssl/idea.h ../include/openssl/kssl.h ssl_stat.o: ../include/openssl/lhash.h ../include/openssl/md2.h ssl_stat.o: ../include/openssl/md4.h ../include/openssl/md5.h ssl_stat.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h ssl_stat.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h -ssl_stat.o: ../include/openssl/opensslv.h ../include/openssl/pem.h -ssl_stat.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -ssl_stat.o: ../include/openssl/rc2.h ../include/openssl/rc4.h -ssl_stat.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h -ssl_stat.o: ../include/openssl/rsa.h ../include/openssl/safestack.h -ssl_stat.o: ../include/openssl/sha.h ../include/openssl/ssl.h -ssl_stat.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h -ssl_stat.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -ssl_stat.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -ssl_stat.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h -ssl_txt.o: ../include/openssl/asn1.h ../include/openssl/bio.h -ssl_txt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -ssl_txt.o: ../include/openssl/buffer.h ../include/openssl/cast.h -ssl_txt.o: ../include/openssl/comp.h ../include/openssl/crypto.h -ssl_txt.o: ../include/openssl/des.h ../include/openssl/dh.h -ssl_txt.o: ../include/openssl/dsa.h ../include/openssl/e_os.h -ssl_txt.o: ../include/openssl/e_os2.h ../include/openssl/err.h -ssl_txt.o: ../include/openssl/evp.h ../include/openssl/idea.h +ssl_stat.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +ssl_stat.o: ../include/openssl/pem.h ../include/openssl/pem2.h +ssl_stat.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h +ssl_stat.o: ../include/openssl/rc4.h ../include/openssl/rc5.h +ssl_stat.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h +ssl_stat.o: ../include/openssl/safestack.h ../include/openssl/sha.h +ssl_stat.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +ssl_stat.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +ssl_stat.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +ssl_stat.o: ../include/openssl/tls1.h ../include/openssl/ui.h +ssl_stat.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h +ssl_stat.o: ../include/openssl/x509_vfy.h ssl_locl.h ssl_stat.c +ssl_txt.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h +ssl_txt.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +ssl_txt.o: ../include/openssl/bn.h ../include/openssl/buffer.h +ssl_txt.o: ../include/openssl/cast.h ../include/openssl/comp.h +ssl_txt.o: ../include/openssl/crypto.h ../include/openssl/des.h +ssl_txt.o: ../include/openssl/des_old.h ../include/openssl/dh.h +ssl_txt.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h +ssl_txt.o: ../include/openssl/err.h ../include/openssl/evp.h +ssl_txt.o: ../include/openssl/idea.h ../include/openssl/kssl.h ssl_txt.o: ../include/openssl/lhash.h ../include/openssl/md2.h ssl_txt.o: ../include/openssl/md4.h ../include/openssl/md5.h ssl_txt.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h ssl_txt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h -ssl_txt.o: ../include/openssl/opensslv.h ../include/openssl/pem.h -ssl_txt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -ssl_txt.o: ../include/openssl/rc2.h ../include/openssl/rc4.h -ssl_txt.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h -ssl_txt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h -ssl_txt.o: ../include/openssl/sha.h ../include/openssl/ssl.h -ssl_txt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h -ssl_txt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -ssl_txt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -ssl_txt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h -t1_clnt.o: ../include/openssl/asn1.h ../include/openssl/bio.h -t1_clnt.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -t1_clnt.o: ../include/openssl/buffer.h ../include/openssl/cast.h -t1_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h -t1_clnt.o: ../include/openssl/des.h ../include/openssl/dh.h -t1_clnt.o: ../include/openssl/dsa.h ../include/openssl/e_os.h -t1_clnt.o: ../include/openssl/e_os2.h ../include/openssl/err.h -t1_clnt.o: ../include/openssl/evp.h ../include/openssl/idea.h +ssl_txt.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +ssl_txt.o: ../include/openssl/pem.h ../include/openssl/pem2.h +ssl_txt.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h +ssl_txt.o: ../include/openssl/rc4.h ../include/openssl/rc5.h +ssl_txt.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h +ssl_txt.o: ../include/openssl/safestack.h ../include/openssl/sha.h +ssl_txt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +ssl_txt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +ssl_txt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +ssl_txt.o: ../include/openssl/tls1.h ../include/openssl/ui.h +ssl_txt.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h +ssl_txt.o: ../include/openssl/x509_vfy.h ssl_locl.h ssl_txt.c +t1_clnt.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h +t1_clnt.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +t1_clnt.o: ../include/openssl/bn.h ../include/openssl/buffer.h +t1_clnt.o: ../include/openssl/cast.h ../include/openssl/comp.h +t1_clnt.o: ../include/openssl/crypto.h ../include/openssl/des.h +t1_clnt.o: ../include/openssl/des_old.h ../include/openssl/dh.h +t1_clnt.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h +t1_clnt.o: ../include/openssl/err.h ../include/openssl/evp.h +t1_clnt.o: ../include/openssl/idea.h ../include/openssl/kssl.h t1_clnt.o: ../include/openssl/lhash.h ../include/openssl/md2.h t1_clnt.o: ../include/openssl/md4.h ../include/openssl/md5.h t1_clnt.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h t1_clnt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h -t1_clnt.o: ../include/openssl/opensslv.h ../include/openssl/pem.h -t1_clnt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -t1_clnt.o: ../include/openssl/rand.h ../include/openssl/rc2.h -t1_clnt.o: ../include/openssl/rc4.h ../include/openssl/rc5.h -t1_clnt.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h -t1_clnt.o: ../include/openssl/safestack.h ../include/openssl/sha.h -t1_clnt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h -t1_clnt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h -t1_clnt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -t1_clnt.o: ../include/openssl/tls1.h ../include/openssl/x509.h -t1_clnt.o: ../include/openssl/x509_vfy.h ssl_locl.h -t1_enc.o: ../include/openssl/asn1.h ../include/openssl/bio.h -t1_enc.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -t1_enc.o: ../include/openssl/buffer.h ../include/openssl/cast.h -t1_enc.o: ../include/openssl/comp.h ../include/openssl/crypto.h -t1_enc.o: ../include/openssl/des.h ../include/openssl/dh.h -t1_enc.o: ../include/openssl/dsa.h ../include/openssl/e_os.h -t1_enc.o: ../include/openssl/e_os2.h ../include/openssl/err.h -t1_enc.o: ../include/openssl/evp.h ../include/openssl/hmac.h -t1_enc.o: ../include/openssl/idea.h ../include/openssl/lhash.h +t1_clnt.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +t1_clnt.o: ../include/openssl/pem.h ../include/openssl/pem2.h +t1_clnt.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h +t1_clnt.o: ../include/openssl/rc2.h ../include/openssl/rc4.h +t1_clnt.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h +t1_clnt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h +t1_clnt.o: ../include/openssl/sha.h ../include/openssl/ssl.h +t1_clnt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h +t1_clnt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +t1_clnt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +t1_clnt.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h +t1_clnt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h +t1_clnt.o: t1_clnt.c +t1_enc.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h +t1_enc.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +t1_enc.o: ../include/openssl/bn.h ../include/openssl/buffer.h +t1_enc.o: ../include/openssl/cast.h ../include/openssl/comp.h +t1_enc.o: ../include/openssl/crypto.h ../include/openssl/des.h +t1_enc.o: ../include/openssl/des_old.h ../include/openssl/dh.h +t1_enc.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h +t1_enc.o: ../include/openssl/err.h ../include/openssl/evp.h +t1_enc.o: ../include/openssl/hmac.h ../include/openssl/idea.h +t1_enc.o: ../include/openssl/kssl.h ../include/openssl/lhash.h t1_enc.o: ../include/openssl/md2.h ../include/openssl/md4.h t1_enc.o: ../include/openssl/md5.h ../include/openssl/mdc2.h t1_enc.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h t1_enc.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -t1_enc.o: ../include/openssl/pem.h ../include/openssl/pem2.h -t1_enc.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h -t1_enc.o: ../include/openssl/rc4.h ../include/openssl/rc5.h -t1_enc.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h -t1_enc.o: ../include/openssl/safestack.h ../include/openssl/sha.h -t1_enc.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h -t1_enc.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h -t1_enc.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -t1_enc.o: ../include/openssl/tls1.h ../include/openssl/x509.h -t1_enc.o: ../include/openssl/x509_vfy.h ssl_locl.h -t1_lib.o: ../include/openssl/asn1.h ../include/openssl/bio.h -t1_lib.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -t1_lib.o: ../include/openssl/buffer.h ../include/openssl/cast.h -t1_lib.o: ../include/openssl/comp.h ../include/openssl/crypto.h -t1_lib.o: ../include/openssl/des.h ../include/openssl/dh.h -t1_lib.o: ../include/openssl/dsa.h ../include/openssl/e_os.h -t1_lib.o: ../include/openssl/e_os2.h ../include/openssl/err.h -t1_lib.o: ../include/openssl/evp.h ../include/openssl/idea.h +t1_enc.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +t1_enc.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +t1_enc.o: ../include/openssl/rc2.h ../include/openssl/rc4.h +t1_enc.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h +t1_enc.o: ../include/openssl/rsa.h ../include/openssl/safestack.h +t1_enc.o: ../include/openssl/sha.h ../include/openssl/ssl.h +t1_enc.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h +t1_enc.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +t1_enc.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +t1_enc.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h +t1_enc.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h +t1_enc.o: t1_enc.c +t1_lib.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h +t1_lib.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +t1_lib.o: ../include/openssl/bn.h ../include/openssl/buffer.h +t1_lib.o: ../include/openssl/cast.h ../include/openssl/comp.h +t1_lib.o: ../include/openssl/crypto.h ../include/openssl/des.h +t1_lib.o: ../include/openssl/des_old.h ../include/openssl/dh.h +t1_lib.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h +t1_lib.o: ../include/openssl/err.h ../include/openssl/evp.h +t1_lib.o: ../include/openssl/idea.h ../include/openssl/kssl.h t1_lib.o: ../include/openssl/lhash.h ../include/openssl/md2.h t1_lib.o: ../include/openssl/md4.h ../include/openssl/md5.h t1_lib.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h t1_lib.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h -t1_lib.o: ../include/openssl/opensslv.h ../include/openssl/pem.h -t1_lib.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -t1_lib.o: ../include/openssl/rc2.h ../include/openssl/rc4.h -t1_lib.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h -t1_lib.o: ../include/openssl/rsa.h ../include/openssl/safestack.h -t1_lib.o: ../include/openssl/sha.h ../include/openssl/ssl.h -t1_lib.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h -t1_lib.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -t1_lib.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -t1_lib.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h -t1_meth.o: ../include/openssl/asn1.h ../include/openssl/bio.h -t1_meth.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -t1_meth.o: ../include/openssl/buffer.h ../include/openssl/cast.h -t1_meth.o: ../include/openssl/comp.h ../include/openssl/crypto.h -t1_meth.o: ../include/openssl/des.h ../include/openssl/dh.h -t1_meth.o: ../include/openssl/dsa.h ../include/openssl/e_os.h -t1_meth.o: ../include/openssl/e_os2.h ../include/openssl/err.h -t1_meth.o: ../include/openssl/evp.h ../include/openssl/idea.h +t1_lib.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +t1_lib.o: ../include/openssl/pem.h ../include/openssl/pem2.h +t1_lib.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h +t1_lib.o: ../include/openssl/rc4.h ../include/openssl/rc5.h +t1_lib.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h +t1_lib.o: ../include/openssl/safestack.h ../include/openssl/sha.h +t1_lib.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +t1_lib.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +t1_lib.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +t1_lib.o: ../include/openssl/tls1.h ../include/openssl/ui.h +t1_lib.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h +t1_lib.o: ../include/openssl/x509_vfy.h ssl_locl.h t1_lib.c +t1_meth.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h +t1_meth.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +t1_meth.o: ../include/openssl/bn.h ../include/openssl/buffer.h +t1_meth.o: ../include/openssl/cast.h ../include/openssl/comp.h +t1_meth.o: ../include/openssl/crypto.h ../include/openssl/des.h +t1_meth.o: ../include/openssl/des_old.h ../include/openssl/dh.h +t1_meth.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h +t1_meth.o: ../include/openssl/err.h ../include/openssl/evp.h +t1_meth.o: ../include/openssl/idea.h ../include/openssl/kssl.h t1_meth.o: ../include/openssl/lhash.h ../include/openssl/md2.h t1_meth.o: ../include/openssl/md4.h ../include/openssl/md5.h t1_meth.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h t1_meth.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h -t1_meth.o: ../include/openssl/opensslv.h ../include/openssl/pem.h -t1_meth.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -t1_meth.o: ../include/openssl/rc2.h ../include/openssl/rc4.h -t1_meth.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h -t1_meth.o: ../include/openssl/rsa.h ../include/openssl/safestack.h -t1_meth.o: ../include/openssl/sha.h ../include/openssl/ssl.h -t1_meth.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h -t1_meth.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -t1_meth.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -t1_meth.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h -t1_srvr.o: ../include/openssl/asn1.h ../include/openssl/bio.h -t1_srvr.o: ../include/openssl/blowfish.h ../include/openssl/bn.h -t1_srvr.o: ../include/openssl/buffer.h ../include/openssl/cast.h -t1_srvr.o: ../include/openssl/comp.h ../include/openssl/crypto.h -t1_srvr.o: ../include/openssl/des.h ../include/openssl/dh.h -t1_srvr.o: ../include/openssl/dsa.h ../include/openssl/e_os.h -t1_srvr.o: ../include/openssl/e_os2.h ../include/openssl/err.h -t1_srvr.o: ../include/openssl/evp.h ../include/openssl/idea.h +t1_meth.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +t1_meth.o: ../include/openssl/pem.h ../include/openssl/pem2.h +t1_meth.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h +t1_meth.o: ../include/openssl/rc4.h ../include/openssl/rc5.h +t1_meth.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h +t1_meth.o: ../include/openssl/safestack.h ../include/openssl/sha.h +t1_meth.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +t1_meth.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +t1_meth.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +t1_meth.o: ../include/openssl/tls1.h ../include/openssl/ui.h +t1_meth.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h +t1_meth.o: ../include/openssl/x509_vfy.h ssl_locl.h t1_meth.c +t1_srvr.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h +t1_srvr.o: ../include/openssl/bio.h ../include/openssl/blowfish.h +t1_srvr.o: ../include/openssl/bn.h ../include/openssl/buffer.h +t1_srvr.o: ../include/openssl/cast.h ../include/openssl/comp.h +t1_srvr.o: ../include/openssl/crypto.h ../include/openssl/des.h +t1_srvr.o: ../include/openssl/des_old.h ../include/openssl/dh.h +t1_srvr.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h +t1_srvr.o: ../include/openssl/err.h ../include/openssl/evp.h +t1_srvr.o: ../include/openssl/idea.h ../include/openssl/kssl.h t1_srvr.o: ../include/openssl/lhash.h ../include/openssl/md2.h t1_srvr.o: ../include/openssl/md4.h ../include/openssl/md5.h t1_srvr.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h t1_srvr.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h -t1_srvr.o: ../include/openssl/opensslv.h ../include/openssl/pem.h -t1_srvr.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -t1_srvr.o: ../include/openssl/rand.h ../include/openssl/rc2.h -t1_srvr.o: ../include/openssl/rc4.h ../include/openssl/rc5.h -t1_srvr.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h -t1_srvr.o: ../include/openssl/safestack.h ../include/openssl/sha.h -t1_srvr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h -t1_srvr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h -t1_srvr.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -t1_srvr.o: ../include/openssl/tls1.h ../include/openssl/x509.h -t1_srvr.o: ../include/openssl/x509_vfy.h ssl_locl.h +t1_srvr.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +t1_srvr.o: ../include/openssl/pem.h ../include/openssl/pem2.h +t1_srvr.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h +t1_srvr.o: ../include/openssl/rc2.h ../include/openssl/rc4.h +t1_srvr.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h +t1_srvr.o: ../include/openssl/rsa.h ../include/openssl/safestack.h +t1_srvr.o: ../include/openssl/sha.h ../include/openssl/ssl.h +t1_srvr.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h +t1_srvr.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +t1_srvr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +t1_srvr.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h +t1_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h +t1_srvr.o: t1_srvr.c diff --git a/crypto/openssl/ssl/bio_ssl.c b/crypto/openssl/ssl/bio_ssl.c index d85555a..467e149 100644 --- a/crypto/openssl/ssl/bio_ssl.c +++ b/crypto/openssl/ssl/bio_ssl.c @@ -206,6 +206,10 @@ static int ssl_read(BIO *b, char *out, int outl) BIO_set_retry_special(b); retry_reason=BIO_RR_SSL_X509_LOOKUP; break; + case SSL_ERROR_WANT_ACCEPT: + BIO_set_retry_special(b); + retry_reason=BIO_RR_ACCEPT; + break; case SSL_ERROR_WANT_CONNECT: BIO_set_retry_special(b); retry_reason=BIO_RR_CONNECT; @@ -482,7 +486,9 @@ static long ssl_callback_ctrl(BIO *b, int cmd, bio_info_cb *fp) { case BIO_CTRL_SET_CALLBACK: { - SSL_set_info_callback(ssl,fp); + /* FIXME: setting this via a completely different prototype + seems like a crap idea */ + SSL_set_info_callback(ssl,(void (*)(const SSL *,int,int))fp); } break; default: diff --git a/crypto/openssl/ssl/kssl.c b/crypto/openssl/ssl/kssl.c new file mode 100644 index 0000000..327b92f --- /dev/null +++ b/crypto/openssl/ssl/kssl.c @@ -0,0 +1,2157 @@ +/* ssl/kssl.c -*- mode: C; c-file-style: "eay" -*- */ +/* Written by Vern Staats <staatsvr@asc.hpc.mil> for the OpenSSL project 2000. + */ +/* ==================================================================== + * Copyright (c) 2000 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ + + +/* ssl/kssl.c -- Routines to support (& debug) Kerberos5 auth for openssl +** +** 19990701 VRS Started. +** 200011?? Jeffrey Altman, Richard Levitte +** Generalized for Heimdal, Newer MIT, & Win32. +** Integrated into main OpenSSL 0.9.7 snapshots. +** 20010413 Simon Wilkinson, VRS +** Real RFC2712 KerberosWrapper replaces AP_REQ. +*/ + +#include <openssl/opensslconf.h> + +#define _XOPEN_SOURCE /* glibc2 needs this to declare strptime() */ +#include <time.h> +#include <string.h> + +#include <openssl/ssl.h> +#include <openssl/evp.h> +#include <openssl/objects.h> +#include <openssl/krb5_asn.h> + +#ifndef OPENSSL_NO_KRB5 + +/* + * When OpenSSL is built on Windows, we do not want to require that + * the Kerberos DLLs be available in order for the OpenSSL DLLs to + * work. Therefore, all Kerberos routines are loaded at run time + * and we do not link to a .LIB file. + */ + +#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) +/* + * The purpose of the following pre-processor statements is to provide + * compatibility with different releases of MIT Kerberos for Windows. + * All versions up to 1.2 used macros. But macros do not allow for + * a binary compatible interface for DLLs. Therefore, all macros are + * being replaced by function calls. The following code will allow + * an OpenSSL DLL built on Windows to work whether or not the macro + * or function form of the routines are utilized. + */ +#ifdef krb5_cc_get_principal +#define NO_DEF_KRB5_CCACHE +#undef krb5_cc_get_principal +#endif +#define krb5_cc_get_principal kssl_krb5_cc_get_principal + +#define krb5_free_data_contents kssl_krb5_free_data_contents +#define krb5_free_context kssl_krb5_free_context +#define krb5_auth_con_free kssl_krb5_auth_con_free +#define krb5_free_principal kssl_krb5_free_principal +#define krb5_mk_req_extended kssl_krb5_mk_req_extended +#define krb5_get_credentials kssl_krb5_get_credentials +#define krb5_cc_default kssl_krb5_cc_default +#define krb5_sname_to_principal kssl_krb5_sname_to_principal +#define krb5_init_context kssl_krb5_init_context +#define krb5_free_ticket kssl_krb5_free_ticket +#define krb5_rd_req kssl_krb5_rd_req +#define krb5_kt_default kssl_krb5_kt_default +#define krb5_kt_resolve kssl_krb5_kt_resolve +/* macros in mit 1.2.2 and earlier; functions in mit 1.2.3 and greater */ +#ifndef krb5_kt_close +#define krb5_kt_close kssl_krb5_kt_close +#endif /* krb5_kt_close */ +#ifndef krb5_kt_get_entry +#define krb5_kt_get_entry kssl_krb5_kt_get_entry +#endif /* krb5_kt_get_entry */ +#define krb5_auth_con_init kssl_krb5_auth_con_init + +#define krb5_principal_compare kssl_krb5_principal_compare +#define krb5_decrypt_tkt_part kssl_krb5_decrypt_tkt_part +#define krb5_timeofday kssl_krb5_timeofday +#define krb5_rc_default kssl_krb5_rc_default + +#ifdef krb5_rc_initialize +#undef krb5_rc_initialize +#endif +#define krb5_rc_initialize kssl_krb5_rc_initialize + +#ifdef krb5_rc_get_lifespan +#undef krb5_rc_get_lifespan +#endif +#define krb5_rc_get_lifespan kssl_krb5_rc_get_lifespan + +#ifdef krb5_rc_destroy +#undef krb5_rc_destroy +#endif +#define krb5_rc_destroy kssl_krb5_rc_destroy + +#define valid_cksumtype kssl_valid_cksumtype +#define krb5_checksum_size kssl_krb5_checksum_size +#define krb5_kt_free_entry kssl_krb5_kt_free_entry +#define krb5_auth_con_setrcache kssl_krb5_auth_con_setrcache +#define krb5_auth_con_getrcache kssl_krb5_auth_con_getrcache +#define krb5_get_server_rcache kssl_krb5_get_server_rcache + +/* Prototypes for built in stubs */ +void kssl_krb5_free_data_contents(krb5_context, krb5_data *); +void kssl_krb5_free_principal(krb5_context, krb5_principal ); +krb5_error_code kssl_krb5_kt_resolve(krb5_context, + krb5_const char *, + krb5_keytab *); +krb5_error_code kssl_krb5_kt_default(krb5_context, + krb5_keytab *); +krb5_error_code kssl_krb5_free_ticket(krb5_context, krb5_ticket *); +krb5_error_code kssl_krb5_rd_req(krb5_context, krb5_auth_context *, + krb5_const krb5_data *, + krb5_const_principal, krb5_keytab, + krb5_flags *,krb5_ticket **); + +krb5_boolean kssl_krb5_principal_compare(krb5_context, krb5_const_principal, + krb5_const_principal); +krb5_error_code kssl_krb5_mk_req_extended(krb5_context, + krb5_auth_context *, + krb5_const krb5_flags, + krb5_data *, + krb5_creds *, + krb5_data * ); +krb5_error_code kssl_krb5_init_context(krb5_context *); +void kssl_krb5_free_context(krb5_context); +krb5_error_code kssl_krb5_cc_default(krb5_context,krb5_ccache *); +krb5_error_code kssl_krb5_sname_to_principal(krb5_context, + krb5_const char *, + krb5_const char *, + krb5_int32, + krb5_principal *); +krb5_error_code kssl_krb5_get_credentials(krb5_context, + krb5_const krb5_flags, + krb5_ccache, + krb5_creds *, + krb5_creds * *); +krb5_error_code kssl_krb5_auth_con_init(krb5_context, + krb5_auth_context *); +krb5_error_code kssl_krb5_cc_get_principal(krb5_context context, + krb5_ccache cache, + krb5_principal *principal); +krb5_error_code kssl_krb5_auth_con_free(krb5_context,krb5_auth_context); +size_t kssl_krb5_checksum_size(krb5_context context,krb5_cksumtype ctype); +krb5_boolean kssl_valid_cksumtype(krb5_cksumtype ctype); +krb5_error_code krb5_kt_free_entry(krb5_context,krb5_keytab_entry FAR * ); +krb5_error_code kssl_krb5_auth_con_setrcache(krb5_context, + krb5_auth_context, + krb5_rcache); +krb5_error_code kssl_krb5_get_server_rcache(krb5_context, + krb5_const krb5_data *, + krb5_rcache *); +krb5_error_code kssl_krb5_auth_con_getrcache(krb5_context, + krb5_auth_context, + krb5_rcache *); + +/* Function pointers (almost all Kerberos functions are _stdcall) */ +static void (_stdcall *p_krb5_free_data_contents)(krb5_context, krb5_data *) + =NULL; +static void (_stdcall *p_krb5_free_principal)(krb5_context, krb5_principal ) + =NULL; +static krb5_error_code(_stdcall *p_krb5_kt_resolve) + (krb5_context, krb5_const char *, krb5_keytab *)=NULL; +static krb5_error_code (_stdcall *p_krb5_kt_default)(krb5_context, + krb5_keytab *)=NULL; +static krb5_error_code (_stdcall *p_krb5_free_ticket)(krb5_context, + krb5_ticket *)=NULL; +static krb5_error_code (_stdcall *p_krb5_rd_req)(krb5_context, + krb5_auth_context *, + krb5_const krb5_data *, + krb5_const_principal, + krb5_keytab, krb5_flags *, + krb5_ticket **)=NULL; +static krb5_error_code (_stdcall *p_krb5_mk_req_extended) + (krb5_context, krb5_auth_context *, + krb5_const krb5_flags, krb5_data *, krb5_creds *, + krb5_data * )=NULL; +static krb5_error_code (_stdcall *p_krb5_init_context)(krb5_context *)=NULL; +static void (_stdcall *p_krb5_free_context)(krb5_context)=NULL; +static krb5_error_code (_stdcall *p_krb5_cc_default)(krb5_context, + krb5_ccache *)=NULL; +static krb5_error_code (_stdcall *p_krb5_sname_to_principal) + (krb5_context, krb5_const char *, krb5_const char *, + krb5_int32, krb5_principal *)=NULL; +static krb5_error_code (_stdcall *p_krb5_get_credentials) + (krb5_context, krb5_const krb5_flags, krb5_ccache, + krb5_creds *, krb5_creds **)=NULL; +static krb5_error_code (_stdcall *p_krb5_auth_con_init) + (krb5_context, krb5_auth_context *)=NULL; +static krb5_error_code (_stdcall *p_krb5_cc_get_principal) + (krb5_context context, krb5_ccache cache, + krb5_principal *principal)=NULL; +static krb5_error_code (_stdcall *p_krb5_auth_con_free) + (krb5_context, krb5_auth_context)=NULL; +static krb5_error_code (_stdcall *p_krb5_decrypt_tkt_part) + (krb5_context, krb5_const krb5_keyblock *, + krb5_ticket *)=NULL; +static krb5_error_code (_stdcall *p_krb5_timeofday) + (krb5_context context, krb5_int32 *timeret)=NULL; +static krb5_error_code (_stdcall *p_krb5_rc_default) + (krb5_context context, krb5_rcache *rc)=NULL; +static krb5_error_code (_stdcall *p_krb5_rc_initialize) + (krb5_context context, krb5_rcache rc, + krb5_deltat lifespan)=NULL; +static krb5_error_code (_stdcall *p_krb5_rc_get_lifespan) + (krb5_context context, krb5_rcache rc, + krb5_deltat *lifespan)=NULL; +static krb5_error_code (_stdcall *p_krb5_rc_destroy) + (krb5_context context, krb5_rcache rc)=NULL; +static krb5_boolean (_stdcall *p_krb5_principal_compare) + (krb5_context, krb5_const_principal, krb5_const_principal)=NULL; +static size_t (_stdcall *p_krb5_checksum_size)(krb5_context context,krb5_cksumtype ctype)=NULL; +static krb5_boolean (_stdcall *p_valid_cksumtype)(krb5_cksumtype ctype)=NULL; +static krb5_error_code (_stdcall *p_krb5_kt_free_entry) + (krb5_context,krb5_keytab_entry * )=NULL; +static krb5_error_code (_stdcall * p_krb5_auth_con_setrcache)(krb5_context, + krb5_auth_context, + krb5_rcache)=NULL; +static krb5_error_code (_stdcall * p_krb5_get_server_rcache)(krb5_context, + krb5_const krb5_data *, + krb5_rcache *)=NULL; +static krb5_error_code (* p_krb5_auth_con_getrcache)(krb5_context, + krb5_auth_context, + krb5_rcache *)=NULL; +static krb5_error_code (_stdcall * p_krb5_kt_close)(krb5_context context, + krb5_keytab keytab)=NULL; +static krb5_error_code (_stdcall * p_krb5_kt_get_entry)(krb5_context context, + krb5_keytab keytab, + krb5_const_principal principal, krb5_kvno vno, + krb5_enctype enctype, krb5_keytab_entry *entry)=NULL; +static int krb5_loaded = 0; /* only attempt to initialize func ptrs once */ + +/* Function to Load the Kerberos 5 DLL and initialize function pointers */ +void +load_krb5_dll(void) + { + HANDLE hKRB5_32; + + krb5_loaded++; + hKRB5_32 = LoadLibrary("KRB5_32"); + if (!hKRB5_32) + return; + + (FARPROC) p_krb5_free_data_contents = + GetProcAddress( hKRB5_32, "krb5_free_data_contents" ); + (FARPROC) p_krb5_free_context = + GetProcAddress( hKRB5_32, "krb5_free_context" ); + (FARPROC) p_krb5_auth_con_free = + GetProcAddress( hKRB5_32, "krb5_auth_con_free" ); + (FARPROC) p_krb5_free_principal = + GetProcAddress( hKRB5_32, "krb5_free_principal" ); + (FARPROC) p_krb5_mk_req_extended = + GetProcAddress( hKRB5_32, "krb5_mk_req_extended" ); + (FARPROC) p_krb5_get_credentials = + GetProcAddress( hKRB5_32, "krb5_get_credentials" ); + (FARPROC) p_krb5_cc_get_principal = + GetProcAddress( hKRB5_32, "krb5_cc_get_principal" ); + (FARPROC) p_krb5_cc_default = + GetProcAddress( hKRB5_32, "krb5_cc_default" ); + (FARPROC) p_krb5_sname_to_principal = + GetProcAddress( hKRB5_32, "krb5_sname_to_principal" ); + (FARPROC) p_krb5_init_context = + GetProcAddress( hKRB5_32, "krb5_init_context" ); + (FARPROC) p_krb5_free_ticket = + GetProcAddress( hKRB5_32, "krb5_free_ticket" ); + (FARPROC) p_krb5_rd_req = + GetProcAddress( hKRB5_32, "krb5_rd_req" ); + (FARPROC) p_krb5_principal_compare = + GetProcAddress( hKRB5_32, "krb5_principal_compare" ); + (FARPROC) p_krb5_decrypt_tkt_part = + GetProcAddress( hKRB5_32, "krb5_decrypt_tkt_part" ); + (FARPROC) p_krb5_timeofday = + GetProcAddress( hKRB5_32, "krb5_timeofday" ); + (FARPROC) p_krb5_rc_default = + GetProcAddress( hKRB5_32, "krb5_rc_default" ); + (FARPROC) p_krb5_rc_initialize = + GetProcAddress( hKRB5_32, "krb5_rc_initialize" ); + (FARPROC) p_krb5_rc_get_lifespan = + GetProcAddress( hKRB5_32, "krb5_rc_get_lifespan" ); + (FARPROC) p_krb5_rc_destroy = + GetProcAddress( hKRB5_32, "krb5_rc_destroy" ); + (FARPROC) p_krb5_kt_default = + GetProcAddress( hKRB5_32, "krb5_kt_default" ); + (FARPROC) p_krb5_kt_resolve = + GetProcAddress( hKRB5_32, "krb5_kt_resolve" ); + (FARPROC) p_krb5_auth_con_init = + GetProcAddress( hKRB5_32, "krb5_auth_con_init" ); + (FARPROC) p_valid_cksumtype = + GetProcAddress( hKRB5_32, "valid_cksumtype" ); + (FARPROC) p_krb5_checksum_size = + GetProcAddress( hKRB5_32, "krb5_checksum_size" ); + (FARPROC) p_krb5_kt_free_entry = + GetProcAddress( hKRB5_32, "krb5_kt_free_entry" ); + (FARPROC) p_krb5_auth_con_setrcache = + GetProcAddress( hKRB5_32, "krb5_auth_con_setrcache" ); + (FARPROC) p_krb5_get_server_rcache = + GetProcAddress( hKRB5_32, "krb5_get_server_rcache" ); + (FARPROC) p_krb5_auth_con_getrcache = + GetProcAddress( hKRB5_32, "krb5_auth_con_getrcache" ); + (FARPROC) p_krb5_kt_close = + GetProcAddress( hKRB5_32, "krb5_kt_close" ); + (FARPROC) p_krb5_kt_get_entry = + GetProcAddress( hKRB5_32, "krb5_kt_get_entry" ); + } + +/* Stubs for each function to be dynamicly loaded */ +void +kssl_krb5_free_data_contents(krb5_context CO, krb5_data * data) + { + if (!krb5_loaded) + load_krb5_dll(); + + if ( p_krb5_free_data_contents ) + p_krb5_free_data_contents(CO,data); + } + +krb5_error_code +kssl_krb5_mk_req_extended (krb5_context CO, + krb5_auth_context * pACO, + krb5_const krb5_flags F, + krb5_data * pD1, + krb5_creds * pC, + krb5_data * pD2) + { + if (!krb5_loaded) + load_krb5_dll(); + + if ( p_krb5_mk_req_extended ) + return(p_krb5_mk_req_extended(CO,pACO,F,pD1,pC,pD2)); + else + return KRB5KRB_ERR_GENERIC; + } +krb5_error_code +kssl_krb5_auth_con_init(krb5_context CO, + krb5_auth_context * pACO) + { + if (!krb5_loaded) + load_krb5_dll(); + + if ( p_krb5_auth_con_init ) + return(p_krb5_auth_con_init(CO,pACO)); + else + return KRB5KRB_ERR_GENERIC; + } +krb5_error_code +kssl_krb5_auth_con_free (krb5_context CO, + krb5_auth_context ACO) + { + if (!krb5_loaded) + load_krb5_dll(); + + if ( p_krb5_auth_con_free ) + return(p_krb5_auth_con_free(CO,ACO)); + else + return KRB5KRB_ERR_GENERIC; + } +krb5_error_code +kssl_krb5_get_credentials(krb5_context CO, + krb5_const krb5_flags F, + krb5_ccache CC, + krb5_creds * pCR, + krb5_creds ** ppCR) + { + if (!krb5_loaded) + load_krb5_dll(); + + if ( p_krb5_get_credentials ) + return(p_krb5_get_credentials(CO,F,CC,pCR,ppCR)); + else + return KRB5KRB_ERR_GENERIC; + } +krb5_error_code +kssl_krb5_sname_to_principal(krb5_context CO, + krb5_const char * pC1, + krb5_const char * pC2, + krb5_int32 I, + krb5_principal * pPR) + { + if (!krb5_loaded) + load_krb5_dll(); + + if ( p_krb5_sname_to_principal ) + return(p_krb5_sname_to_principal(CO,pC1,pC2,I,pPR)); + else + return KRB5KRB_ERR_GENERIC; + } + +krb5_error_code +kssl_krb5_cc_default(krb5_context CO, + krb5_ccache * pCC) + { + if (!krb5_loaded) + load_krb5_dll(); + + if ( p_krb5_cc_default ) + return(p_krb5_cc_default(CO,pCC)); + else + return KRB5KRB_ERR_GENERIC; + } + +krb5_error_code +kssl_krb5_init_context(krb5_context * pCO) + { + if (!krb5_loaded) + load_krb5_dll(); + + if ( p_krb5_init_context ) + return(p_krb5_init_context(pCO)); + else + return KRB5KRB_ERR_GENERIC; + } + +void +kssl_krb5_free_context(krb5_context CO) + { + if (!krb5_loaded) + load_krb5_dll(); + + if ( p_krb5_free_context ) + p_krb5_free_context(CO); + } + +void +kssl_krb5_free_principal(krb5_context c, krb5_principal p) + { + if (!krb5_loaded) + load_krb5_dll(); + + if ( p_krb5_free_principal ) + p_krb5_free_principal(c,p); + } + +krb5_error_code +kssl_krb5_kt_resolve(krb5_context con, + krb5_const char * sz, + krb5_keytab * kt) + { + if (!krb5_loaded) + load_krb5_dll(); + + if ( p_krb5_kt_resolve ) + return(p_krb5_kt_resolve(con,sz,kt)); + else + return KRB5KRB_ERR_GENERIC; + } + +krb5_error_code +kssl_krb5_kt_default(krb5_context con, + krb5_keytab * kt) + { + if (!krb5_loaded) + load_krb5_dll(); + + if ( p_krb5_kt_default ) + return(p_krb5_kt_default(con,kt)); + else + return KRB5KRB_ERR_GENERIC; + } + +krb5_error_code +kssl_krb5_free_ticket(krb5_context con, + krb5_ticket * kt) + { + if (!krb5_loaded) + load_krb5_dll(); + + if ( p_krb5_free_ticket ) + return(p_krb5_free_ticket(con,kt)); + else + return KRB5KRB_ERR_GENERIC; + } + +krb5_error_code +kssl_krb5_rd_req(krb5_context con, krb5_auth_context * pacon, + krb5_const krb5_data * data, + krb5_const_principal princ, krb5_keytab keytab, + krb5_flags * flags, krb5_ticket ** pptkt) + { + if (!krb5_loaded) + load_krb5_dll(); + + if ( p_krb5_rd_req ) + return(p_krb5_rd_req(con,pacon,data,princ,keytab,flags,pptkt)); + else + return KRB5KRB_ERR_GENERIC; + } + +krb5_boolean +krb5_principal_compare(krb5_context con, krb5_const_principal princ1, + krb5_const_principal princ2) + { + if (!krb5_loaded) + load_krb5_dll(); + + if ( p_krb5_principal_compare ) + return(p_krb5_principal_compare(con,princ1,princ2)); + else + return KRB5KRB_ERR_GENERIC; + } + +krb5_error_code +krb5_decrypt_tkt_part(krb5_context con, krb5_const krb5_keyblock *keys, + krb5_ticket *ticket) + { + if (!krb5_loaded) + load_krb5_dll(); + + if ( p_krb5_decrypt_tkt_part ) + return(p_krb5_decrypt_tkt_part(con,keys,ticket)); + else + return KRB5KRB_ERR_GENERIC; + } + +krb5_error_code +krb5_timeofday(krb5_context con, krb5_int32 *timeret) + { + if (!krb5_loaded) + load_krb5_dll(); + + if ( p_krb5_timeofday ) + return(p_krb5_timeofday(con,timeret)); + else + return KRB5KRB_ERR_GENERIC; + } + +krb5_error_code +krb5_rc_default(krb5_context con, krb5_rcache *rc) + { + if (!krb5_loaded) + load_krb5_dll(); + + if ( p_krb5_rc_default ) + return(p_krb5_rc_default(con,rc)); + else + return KRB5KRB_ERR_GENERIC; + } + +krb5_error_code +krb5_rc_initialize(krb5_context con, krb5_rcache rc, krb5_deltat lifespan) + { + if (!krb5_loaded) + load_krb5_dll(); + + if ( p_krb5_rc_initialize ) + return(p_krb5_rc_initialize(con, rc, lifespan)); + else + return KRB5KRB_ERR_GENERIC; + } + +krb5_error_code +krb5_rc_get_lifespan(krb5_context con, krb5_rcache rc, krb5_deltat *lifespanp) + { + if (!krb5_loaded) + load_krb5_dll(); + + if ( p_krb5_rc_get_lifespan ) + return(p_krb5_rc_get_lifespan(con, rc, lifespanp)); + else + return KRB5KRB_ERR_GENERIC; + } + +krb5_error_code +krb5_rc_destroy(krb5_context con, krb5_rcache rc) + { + if (!krb5_loaded) + load_krb5_dll(); + + if ( p_krb5_rc_destroy ) + return(p_krb5_rc_destroy(con, rc)); + else + return KRB5KRB_ERR_GENERIC; + } + +size_t +krb5_checksum_size(krb5_context context,krb5_cksumtype ctype) + { + if (!krb5_loaded) + load_krb5_dll(); + + if ( p_krb5_checksum_size ) + return(p_krb5_checksum_size(context, ctype)); + else + return KRB5KRB_ERR_GENERIC; + } + +krb5_boolean +valid_cksumtype(krb5_cksumtype ctype) + { + if (!krb5_loaded) + load_krb5_dll(); + + if ( p_valid_cksumtype ) + return(p_valid_cksumtype(ctype)); + else + return KRB5KRB_ERR_GENERIC; + } + +krb5_error_code +krb5_kt_free_entry(krb5_context con,krb5_keytab_entry * entry) + { + if (!krb5_loaded) + load_krb5_dll(); + + if ( p_krb5_kt_free_entry ) + return(p_krb5_kt_free_entry(con,entry)); + else + return KRB5KRB_ERR_GENERIC; + } + +/* Structure definitions */ +#ifndef NO_DEF_KRB5_CCACHE +#ifndef krb5_x +#define krb5_x(ptr,args) ((ptr)?((*(ptr)) args):(abort(),1)) +#define krb5_xc(ptr,args) ((ptr)?((*(ptr)) args):(abort(),(char*)0)) +#endif + +typedef krb5_pointer krb5_cc_cursor; /* cursor for sequential lookup */ + +typedef struct _krb5_ccache + { + krb5_magic magic; + struct _krb5_cc_ops FAR *ops; + krb5_pointer data; + } *krb5_ccache; + +typedef struct _krb5_cc_ops + { + krb5_magic magic; + char *prefix; + char * (KRB5_CALLCONV *get_name) + (krb5_context, krb5_ccache); + krb5_error_code (KRB5_CALLCONV *resolve) + (krb5_context, krb5_ccache *, const char *); + krb5_error_code (KRB5_CALLCONV *gen_new) + (krb5_context, krb5_ccache *); + krb5_error_code (KRB5_CALLCONV *init) + (krb5_context, krb5_ccache, krb5_principal); + krb5_error_code (KRB5_CALLCONV *destroy) + (krb5_context, krb5_ccache); + krb5_error_code (KRB5_CALLCONV *close) + (krb5_context, krb5_ccache); + krb5_error_code (KRB5_CALLCONV *store) + (krb5_context, krb5_ccache, krb5_creds *); + krb5_error_code (KRB5_CALLCONV *retrieve) + (krb5_context, krb5_ccache, + krb5_flags, krb5_creds *, krb5_creds *); + krb5_error_code (KRB5_CALLCONV *get_princ) + (krb5_context, krb5_ccache, krb5_principal *); + krb5_error_code (KRB5_CALLCONV *get_first) + (krb5_context, krb5_ccache, krb5_cc_cursor *); + krb5_error_code (KRB5_CALLCONV *get_next) + (krb5_context, krb5_ccache, + krb5_cc_cursor *, krb5_creds *); + krb5_error_code (KRB5_CALLCONV *end_get) + (krb5_context, krb5_ccache, krb5_cc_cursor *); + krb5_error_code (KRB5_CALLCONV *remove_cred) + (krb5_context, krb5_ccache, + krb5_flags, krb5_creds *); + krb5_error_code (KRB5_CALLCONV *set_flags) + (krb5_context, krb5_ccache, krb5_flags); + } krb5_cc_ops; +#endif /* NO_DEF_KRB5_CCACHE */ + +krb5_error_code +kssl_krb5_cc_get_principal + (krb5_context context, krb5_ccache cache, + krb5_principal *principal) + { + if ( p_krb5_cc_get_principal ) + return(p_krb5_cc_get_principal(context,cache,principal)); + else + return(krb5_x + ((cache)->ops->get_princ,(context, cache, principal))); + } + +krb5_error_code +kssl_krb5_auth_con_setrcache(krb5_context con, krb5_auth_context acon, + krb5_rcache rcache) + { + if ( p_krb5_auth_con_setrcache ) + return(p_krb5_auth_con_setrcache(con,acon,rcache)); + else + return KRB5KRB_ERR_GENERIC; + } + +krb5_error_code +kssl_krb5_get_server_rcache(krb5_context con, krb5_const krb5_data * data, + krb5_rcache * rcache) + { + if ( p_krb5_get_server_rcache ) + return(p_krb5_get_server_rcache(con,data,rcache)); + else + return KRB5KRB_ERR_GENERIC; + } + +krb5_error_code +kssl_krb5_auth_con_getrcache(krb5_context con, krb5_auth_context acon, + krb5_rcache * prcache) + { + if ( p_krb5_auth_con_getrcache ) + return(p_krb5_auth_con_getrcache(con,acon, prcache)); + else + return KRB5KRB_ERR_GENERIC; + } + +krb5_error_code +kssl_krb5_kt_close(krb5_context context, krb5_keytab keytab) + { + if ( p_krb5_kt_close ) + return(p_krb5_kt_close(context,keytab)); + else + return KRB5KRB_ERR_GENERIC; + } + +krb5_error_code +kssl_krb5_kt_get_entry(krb5_context context, krb5_keytab keytab, + krb5_const_principal principal, krb5_kvno vno, + krb5_enctype enctype, krb5_keytab_entry *entry) + { + if ( p_krb5_kt_get_entry ) + return(p_krb5_kt_get_entry(context,keytab,principal,vno,enctype,entry)); + else + return KRB5KRB_ERR_GENERIC; + } +#endif /* OPENSSL_SYS_WINDOWS || OPENSSL_SYS_WIN32 */ + +char +*kstring(char *string) + { + static char *null = "[NULL]"; + + return ((string == NULL)? null: string); + } + +/* Given KRB5 enctype (basically DES or 3DES), +** return closest match openssl EVP_ encryption algorithm. +** Return NULL for unknown or problematic (krb5_dk_encrypt) enctypes. +** Assume ENCTYPE_*_RAW (krb5_raw_encrypt) are OK. +*/ +const EVP_CIPHER * +kssl_map_enc(krb5_enctype enctype) + { + switch (enctype) + { + case ENCTYPE_DES_HMAC_SHA1: /* EVP_des_cbc(); */ + case ENCTYPE_DES_CBC_CRC: + case ENCTYPE_DES_CBC_MD4: + case ENCTYPE_DES_CBC_MD5: + case ENCTYPE_DES_CBC_RAW: + return EVP_des_cbc(); + break; + case ENCTYPE_DES3_CBC_SHA1: /* EVP_des_ede3_cbc(); */ + case ENCTYPE_DES3_CBC_SHA: + case ENCTYPE_DES3_CBC_RAW: + return EVP_des_ede3_cbc(); + break; + default: return NULL; + break; + } + } + + +/* Return true:1 if p "looks like" the start of the real authenticator +** described in kssl_skip_confound() below. The ASN.1 pattern is +** "62 xx 30 yy" (APPLICATION-2, SEQUENCE), where xx-yy =~ 2, and +** xx and yy are possibly multi-byte length fields. +*/ +int kssl_test_confound(unsigned char *p) + { + int len = 2; + int xx = 0, yy = 0; + + if (*p++ != 0x62) return 0; + if (*p > 0x82) return 0; + switch(*p) { + case 0x82: p++; xx = (*p++ << 8); xx += *p++; break; + case 0x81: p++; xx = *p++; break; + case 0x80: return 0; + default: xx = *p++; break; + } + if (*p++ != 0x30) return 0; + if (*p > 0x82) return 0; + switch(*p) { + case 0x82: p++; len+=2; yy = (*p++ << 8); yy += *p++; break; + case 0x81: p++; len++; yy = *p++; break; + case 0x80: return 0; + default: yy = *p++; break; + } + + return (xx - len == yy)? 1: 0; + } + +/* Allocate, fill, and return cksumlens array of checksum lengths. +** This array holds just the unique elements from the krb5_cksumarray[]. +** array[n] == 0 signals end of data. +** +** The krb5_cksumarray[] was an internal variable that has since been +** replaced by a more general method for storing the data. It should +** not be used. Instead we use real API calls and make a guess for +** what the highest assigned CKSUMTYPE_ constant is. As of 1.2.2 +** it is 0x000c (CKSUMTYPE_HMAC_SHA1_DES3). So we will use 0x0010. +*/ +size_t *populate_cksumlens(void) + { + int i, j, n; + static size_t *cklens = NULL; + +#ifdef KRB5_MIT_OLD11 + n = krb5_max_cksum; +#else + n = 0x0010; +#endif /* KRB5_MIT_OLD11 */ + +#ifdef KRB5CHECKAUTH + if (!cklens && !(cklens = (size_t *) calloc(sizeof(int),n+1))) return NULL; + + for (i=0; i < n; i++) { + if (!valid_cksumtype(i)) continue; /* array has holes */ + for (j=0; j < n; j++) { + if (cklens[j] == 0) { + cklens[j] = krb5_checksum_size(NULL,i); + break; /* krb5 elem was new: add */ + } + if (cklens[j] == krb5_checksum_size(NULL,i)) { + break; /* ignore duplicate elements */ + } + } + } +#endif /* KRB5CHECKAUTH */ + + return cklens; + } + +/* Return pointer to start of real authenticator within authenticator, or +** return NULL on error. +** Decrypted authenticator looks like this: +** [0 or 8 byte confounder] [4-24 byte checksum] [real authent'r] +** This hackery wouldn't be necessary if MIT KRB5 1.0.6 had the +** krb5_auth_con_getcksumtype() function advertised in its krb5.h. +*/ +unsigned char *kssl_skip_confound(krb5_enctype etype, unsigned char *a) + { + int i, conlen; + size_t cklen; + static size_t *cksumlens = NULL; + unsigned char *test_auth; + + conlen = (etype)? 8: 0; + + if (!cksumlens && !(cksumlens = populate_cksumlens())) return NULL; + for (i=0; (cklen = cksumlens[i]) != 0; i++) + { + test_auth = a + conlen + cklen; + if (kssl_test_confound(test_auth)) return test_auth; + } + + return NULL; + } + + +/* Set kssl_err error info when reason text is a simple string +** kssl_err = struct { int reason; char text[KSSL_ERR_MAX+1]; } +*/ +void +kssl_err_set(KSSL_ERR *kssl_err, int reason, char *text) + { + if (kssl_err == NULL) return; + + kssl_err->reason = reason; + BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, text); + return; + } + + +/* Display contents of krb5_data struct, for debugging +*/ +void +print_krb5_data(char *label, krb5_data *kdata) + { + int i; + + printf("%s[%d] ", label, kdata->length); + for (i=0; i < kdata->length; i++) + { + if (0 && isprint((int) kdata->data[i])) + printf( "%c ", kdata->data[i]); + else + printf( "%02x ", (unsigned char) kdata->data[i]); + } + printf("\n"); + } + + +/* Display contents of krb5_authdata struct, for debugging +*/ +void +print_krb5_authdata(char *label, krb5_authdata **adata) + { + if (adata == NULL) + { + printf("%s, authdata==0\n", label); + return; + } + printf("%s [%p]\n", label, adata); +#if 0 + { + int i; + printf("%s[at%d:%d] ", label, adata->ad_type, adata->length); + for (i=0; i < adata->length; i++) + { + printf((isprint(adata->contents[i]))? "%c ": "%02x", + adata->contents[i]); + } + printf("\n"); + } +#endif + } + + +/* Display contents of krb5_keyblock struct, for debugging +*/ +void +print_krb5_keyblock(char *label, krb5_keyblock *keyblk) + { + int i; + + if (keyblk == NULL) + { + printf("%s, keyblk==0\n", label); + return; + } +#ifdef KRB5_HEIMDAL + printf("%s\n\t[et%d:%d]: ", label, keyblk->keytype, + keyblk->keyvalue->length); + for (i=0; i < keyblk->keyvalue->length; i++) + { + printf("%02x",(unsigned char *)(keyblk->keyvalue->contents)[i]); + } + printf("\n"); +#else + printf("%s\n\t[et%d:%d]: ", label, keyblk->enctype, keyblk->length); + for (i=0; i < keyblk->length; i++) + { + printf("%02x",keyblk->contents[i]); + } + printf("\n"); +#endif + } + + +/* Display contents of krb5_principal_data struct, for debugging +** (krb5_principal is typedef'd == krb5_principal_data *) +*/ +void +print_krb5_princ(char *label, krb5_principal_data *princ) + { + int i, ui, uj; + + printf("%s principal Realm: ", label); + if (princ == NULL) return; + for (ui=0; ui < princ->realm.length; ui++) putchar(princ->realm.data[ui]); + printf(" (nametype %d) has %d strings:\n", princ->type,princ->length); + for (i=0; i < princ->length; i++) + { + printf("\t%d [%d]: ", i, princ->data[i].length); + for (uj=0; uj < princ->data[i].length; uj++) { + putchar(princ->data[i].data[uj]); + } + printf("\n"); + } + return; + } + + +/* Given krb5 service (typically "kssl") and hostname in kssl_ctx, +** Return encrypted Kerberos ticket for service @ hostname. +** If authenp is non-NULL, also return encrypted authenticator, +** whose data should be freed by caller. +** (Originally was: Create Kerberos AP_REQ message for SSL Client.) +** +** 19990628 VRS Started; Returns Kerberos AP_REQ message. +** 20010409 VRS Modified for RFC2712; Returns enc tkt. +** 20010606 VRS May also return optional authenticator. +*/ +krb5_error_code +kssl_cget_tkt( /* UPDATE */ KSSL_CTX *kssl_ctx, + /* OUT */ krb5_data **enc_ticketp, + /* UPDATE */ krb5_data *authenp, + /* OUT */ KSSL_ERR *kssl_err) + { + krb5_error_code krb5rc = KRB5KRB_ERR_GENERIC; + krb5_context krb5context = NULL; + krb5_auth_context krb5auth_context = NULL; + krb5_ccache krb5ccdef = NULL; + krb5_creds krb5creds, *krb5credsp = NULL; + krb5_data krb5_app_req; + + kssl_err_set(kssl_err, 0, ""); + memset((char *)&krb5creds, 0, sizeof(krb5creds)); + + if (!kssl_ctx) + { + kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, + "No kssl_ctx defined.\n"); + goto err; + } + else if (!kssl_ctx->service_host) + { + kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, + "kssl_ctx service_host undefined.\n"); + goto err; + } + + if ((krb5rc = krb5_init_context(&krb5context)) != 0) + { + BIO_snprintf(kssl_err->text,KSSL_ERR_MAX, + "krb5_init_context() fails: %d\n", krb5rc); + kssl_err->reason = SSL_R_KRB5_C_INIT; + goto err; + } + + if ((krb5rc = krb5_sname_to_principal(krb5context, + kssl_ctx->service_host, + (kssl_ctx->service_name)? kssl_ctx->service_name: KRB5SVC, + KRB5_NT_SRV_HST, &krb5creds.server)) != 0) + { + BIO_snprintf(kssl_err->text,KSSL_ERR_MAX, + "krb5_sname_to_principal() fails for %s/%s\n", + kssl_ctx->service_host, + (kssl_ctx->service_name)? kssl_ctx->service_name: + KRB5SVC); + kssl_err->reason = SSL_R_KRB5_C_INIT; + goto err; + } + + if ((krb5rc = krb5_cc_default(krb5context, &krb5ccdef)) != 0) + { + kssl_err_set(kssl_err, SSL_R_KRB5_C_CC_PRINC, + "krb5_cc_default fails.\n"); + goto err; + } + + if ((krb5rc = krb5_cc_get_principal(krb5context, krb5ccdef, + &krb5creds.client)) != 0) + { + kssl_err_set(kssl_err, SSL_R_KRB5_C_CC_PRINC, + "krb5_cc_get_principal() fails.\n"); + goto err; + } + + if ((krb5rc = krb5_get_credentials(krb5context, 0, krb5ccdef, + &krb5creds, &krb5credsp)) != 0) + { + kssl_err_set(kssl_err, SSL_R_KRB5_C_GET_CRED, + "krb5_get_credentials() fails.\n"); + goto err; + } + + *enc_ticketp = &krb5credsp->ticket; +#ifdef KRB5_HEIMDAL + kssl_ctx->enctype = krb5credsp->session.keytype; +#else + kssl_ctx->enctype = krb5credsp->keyblock.enctype; +#endif + + krb5rc = KRB5KRB_ERR_GENERIC; + /* caller should free data of krb5_app_req */ + /* 20010406 VRS deleted for real KerberosWrapper + ** 20010605 VRS reinstated to offer Authenticator to KerberosWrapper + */ + krb5_app_req.length = 0; + if (authenp) + { + krb5_data krb5in_data; + unsigned char *p; + long arlen; + KRB5_APREQBODY *ap_req; + + authenp->length = 0; + krb5in_data.data = NULL; + krb5in_data.length = 0; + if ((krb5rc = krb5_mk_req_extended(krb5context, + &krb5auth_context, 0, &krb5in_data, krb5credsp, + &krb5_app_req)) != 0) + { + kssl_err_set(kssl_err, SSL_R_KRB5_C_MK_REQ, + "krb5_mk_req_extended() fails.\n"); + goto err; + } + + arlen = krb5_app_req.length; + p = (unsigned char *)krb5_app_req.data; + ap_req = (KRB5_APREQBODY *) d2i_KRB5_APREQ(NULL, &p, arlen); + if (ap_req) + { + authenp->length = i2d_KRB5_ENCDATA( + ap_req->authenticator, NULL); + if (authenp->length && + (authenp->data = malloc(authenp->length))) + { + unsigned char *adp = (unsigned char *)authenp->data; + authenp->length = i2d_KRB5_ENCDATA( + ap_req->authenticator, &adp); + } + } + + if (ap_req) KRB5_APREQ_free((KRB5_APREQ *) ap_req); + if (krb5_app_req.length) + kssl_krb5_free_data_contents(krb5context,&krb5_app_req); + } +#ifdef KRB5_HEIMDAL + if (kssl_ctx_setkey(kssl_ctx, &krb5credsp->session)) + { + kssl_err_set(kssl_err, SSL_R_KRB5_C_INIT, + "kssl_ctx_setkey() fails.\n"); + } +#else + if (kssl_ctx_setkey(kssl_ctx, &krb5credsp->keyblock)) + { + kssl_err_set(kssl_err, SSL_R_KRB5_C_INIT, + "kssl_ctx_setkey() fails.\n"); + } +#endif + else krb5rc = 0; + + err: +#ifdef KSSL_DEBUG + kssl_ctx_show(kssl_ctx); +#endif /* KSSL_DEBUG */ + + if (krb5creds.client) krb5_free_principal(krb5context, + krb5creds.client); + if (krb5creds.server) krb5_free_principal(krb5context, + krb5creds.server); + if (krb5auth_context) krb5_auth_con_free(krb5context, + krb5auth_context); + if (krb5context) krb5_free_context(krb5context); + return (krb5rc); + } + + +/* Given d2i_-decoded asn1ticket, allocate and return a new krb5_ticket. +** Return Kerberos error code and kssl_err struct on error. +** Allocates krb5_ticket and krb5_principal; caller should free these. +** +** 20010410 VRS Implemented krb5_decode_ticket() as +** old_krb5_decode_ticket(). Missing from MIT1.0.6. +** 20010615 VRS Re-cast as openssl/asn1 d2i_*() functions. +** Re-used some of the old krb5_decode_ticket() +** code here. This tkt should alloc/free just +** like the real thing. +*/ +krb5_error_code +kssl_TKT2tkt( /* IN */ krb5_context krb5context, + /* IN */ KRB5_TKTBODY *asn1ticket, + /* OUT */ krb5_ticket **krb5ticket, + /* OUT */ KSSL_ERR *kssl_err ) + { + krb5_error_code krb5rc = KRB5KRB_ERR_GENERIC; + krb5_ticket *new5ticket = NULL; + ASN1_GENERALSTRING *gstr_svc, *gstr_host; + + *krb5ticket = NULL; + + if (asn1ticket == NULL || asn1ticket->realm == NULL || + asn1ticket->sname == NULL || + sk_ASN1_GENERALSTRING_num(asn1ticket->sname->namestring) < 2) + { + BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, + "Null field in asn1ticket.\n"); + kssl_err->reason = SSL_R_KRB5_S_RD_REQ; + return KRB5KRB_ERR_GENERIC; + } + + if ((new5ticket = (krb5_ticket *) calloc(1, sizeof(krb5_ticket)))==NULL) + { + BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, + "Unable to allocate new krb5_ticket.\n"); + kssl_err->reason = SSL_R_KRB5_S_RD_REQ; + return ENOMEM; /* or KRB5KRB_ERR_GENERIC; */ + } + + gstr_svc = sk_ASN1_GENERALSTRING_value(asn1ticket->sname->namestring, 0); + gstr_host = sk_ASN1_GENERALSTRING_value(asn1ticket->sname->namestring, 1); + + if ((krb5rc = kssl_build_principal_2(krb5context, + &new5ticket->server, + asn1ticket->realm->length, (char *)asn1ticket->realm->data, + gstr_svc->length, (char *)gstr_svc->data, + gstr_host->length, (char *)gstr_host->data)) != 0) + { + free(new5ticket); + BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, + "Error building ticket server principal.\n"); + kssl_err->reason = SSL_R_KRB5_S_RD_REQ; + return krb5rc; /* or KRB5KRB_ERR_GENERIC; */ + } + + krb5_princ_type(krb5context, new5ticket->server) = + asn1ticket->sname->nametype->data[0]; + new5ticket->enc_part.enctype = asn1ticket->encdata->etype->data[0]; + new5ticket->enc_part.kvno = asn1ticket->encdata->kvno->data[0]; + new5ticket->enc_part.ciphertext.length = + asn1ticket->encdata->cipher->length; + if ((new5ticket->enc_part.ciphertext.data = + calloc(1, asn1ticket->encdata->cipher->length)) == NULL) + { + free(new5ticket); + BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, + "Error allocating cipher in krb5ticket.\n"); + kssl_err->reason = SSL_R_KRB5_S_RD_REQ; + return KRB5KRB_ERR_GENERIC; + } + else + { + memcpy(new5ticket->enc_part.ciphertext.data, + asn1ticket->encdata->cipher->data, + asn1ticket->encdata->cipher->length); + } + + *krb5ticket = new5ticket; + return 0; + } + + +/* Given krb5 service name in KSSL_CTX *kssl_ctx (typically "kssl"), +** and krb5 AP_REQ message & message length, +** Return Kerberos session key and client principle +** to SSL Server in KSSL_CTX *kssl_ctx. +** +** 19990702 VRS Started. +*/ +krb5_error_code +kssl_sget_tkt( /* UPDATE */ KSSL_CTX *kssl_ctx, + /* IN */ krb5_data *indata, + /* OUT */ krb5_ticket_times *ttimes, + /* OUT */ KSSL_ERR *kssl_err ) + { + krb5_error_code krb5rc = KRB5KRB_ERR_GENERIC; + static krb5_context krb5context = NULL; + static krb5_auth_context krb5auth_context = NULL; + krb5_ticket *krb5ticket = NULL; + KRB5_TKTBODY *asn1ticket = NULL; + unsigned char *p; + krb5_keytab krb5keytab = NULL; + krb5_keytab_entry kt_entry; + krb5_principal krb5server; + krb5_rcache rcache = NULL; + + kssl_err_set(kssl_err, 0, ""); + + if (!kssl_ctx) + { + kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, + "No kssl_ctx defined.\n"); + goto err; + } + +#ifdef KSSL_DEBUG + printf("in kssl_sget_tkt(%s)\n", kstring(kssl_ctx->service_name)); +#endif /* KSSL_DEBUG */ + + if (!krb5context && (krb5rc = krb5_init_context(&krb5context))) + { + kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, + "krb5_init_context() fails.\n"); + goto err; + } + if (krb5auth_context && + (krb5rc = krb5_auth_con_free(krb5context, krb5auth_context))) + { + kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, + "krb5_auth_con_free() fails.\n"); + goto err; + } + else krb5auth_context = NULL; + if (!krb5auth_context && + (krb5rc = krb5_auth_con_init(krb5context, &krb5auth_context))) + { + kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, + "krb5_auth_con_init() fails.\n"); + goto err; + } + + + if ((krb5rc = krb5_auth_con_getrcache(krb5context, krb5auth_context, + &rcache))) + { + kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, + "krb5_auth_con_getrcache() fails.\n"); + goto err; + } + + if ((krb5rc = krb5_sname_to_principal(krb5context, NULL, + (kssl_ctx->service_name)? kssl_ctx->service_name: KRB5SVC, + KRB5_NT_SRV_HST, &krb5server)) != 0) + { + kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, + "krb5_sname_to_principal() fails.\n"); + goto err; + } + + if (rcache == NULL) + { + if ((krb5rc = krb5_get_server_rcache(krb5context, + krb5_princ_component(krb5context, krb5server, 0), + &rcache))) + { + kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, + "krb5_get_server_rcache() fails.\n"); + goto err; + } + } + + if ((krb5rc = krb5_auth_con_setrcache(krb5context, krb5auth_context, rcache))) + { + kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, + "krb5_auth_con_setrcache() fails.\n"); + goto err; + } + + + /* kssl_ctx->keytab_file == NULL ==> use Kerberos default + */ + if (kssl_ctx->keytab_file) + { + krb5rc = krb5_kt_resolve(krb5context, kssl_ctx->keytab_file, + &krb5keytab); + if (krb5rc) + { + kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, + "krb5_kt_resolve() fails.\n"); + goto err; + } + } + else + { + krb5rc = krb5_kt_default(krb5context,&krb5keytab); + if (krb5rc) + { + kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, + "krb5_kt_default() fails.\n"); + goto err; + } + } + + /* Actual Kerberos5 krb5_recvauth() has initial conversation here + ** o check KRB5_SENDAUTH_BADAUTHVERS + ** unless KRB5_RECVAUTH_SKIP_VERSION + ** o check KRB5_SENDAUTH_BADAPPLVERS + ** o send "0" msg if all OK + */ + + /* 20010411 was using AP_REQ instead of true KerberosWrapper + ** + ** if ((krb5rc = krb5_rd_req(krb5context, &krb5auth_context, + ** &krb5in_data, krb5server, krb5keytab, + ** &ap_option, &krb5ticket)) != 0) { Error } + */ + + p = (unsigned char *)indata->data; + if ((asn1ticket = (KRB5_TKTBODY *) d2i_KRB5_TICKET(NULL, &p, + (long) indata->length)) == NULL) + { + BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, + "d2i_KRB5_TICKET() ASN.1 decode failure.\n"); + kssl_err->reason = SSL_R_KRB5_S_RD_REQ; + goto err; + } + + /* Was: krb5rc = krb5_decode_ticket(krb5in_data,&krb5ticket)) != 0) */ + if ((krb5rc = kssl_TKT2tkt(krb5context, asn1ticket, &krb5ticket, + kssl_err)) != 0) + { + BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, + "Error converting ASN.1 ticket to krb5_ticket.\n"); + kssl_err->reason = SSL_R_KRB5_S_RD_REQ; + goto err; + } + + if (! krb5_principal_compare(krb5context, krb5server, + krb5ticket->server)) { + krb5rc = KRB5_PRINC_NOMATCH; + BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, + "server principal != ticket principal\n"); + kssl_err->reason = SSL_R_KRB5_S_RD_REQ; + goto err; + } + if ((krb5rc = krb5_kt_get_entry(krb5context, krb5keytab, + krb5ticket->server, krb5ticket->enc_part.kvno, + krb5ticket->enc_part.enctype, &kt_entry)) != 0) { + BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, + "krb5_kt_get_entry() fails with %x.\n", krb5rc); + kssl_err->reason = SSL_R_KRB5_S_RD_REQ; + goto err; + } + if ((krb5rc = krb5_decrypt_tkt_part(krb5context, &kt_entry.key, + krb5ticket)) != 0) { + BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, + "krb5_decrypt_tkt_part() failed.\n"); + kssl_err->reason = SSL_R_KRB5_S_RD_REQ; + goto err; + } + else { + krb5_kt_free_entry(krb5context, &kt_entry); +#ifdef KSSL_DEBUG + { + int i; krb5_address **paddr = krb5ticket->enc_part2->caddrs; + printf("Decrypted ticket fields:\n"); + printf("\tflags: %X, transit-type: %X", + krb5ticket->enc_part2->flags, + krb5ticket->enc_part2->transited.tr_type); + print_krb5_data("\ttransit-data: ", + &(krb5ticket->enc_part2->transited.tr_contents)); + printf("\tcaddrs: %p, authdata: %p\n", + krb5ticket->enc_part2->caddrs, + krb5ticket->enc_part2->authorization_data); + if (paddr) + { + printf("\tcaddrs:\n"); + for (i=0; paddr[i] != NULL; i++) + { + krb5_data d; + d.length=paddr[i]->length; + d.data=paddr[i]->contents; + print_krb5_data("\t\tIP: ", &d); + } + } + printf("\tstart/auth/end times: %d / %d / %d\n", + krb5ticket->enc_part2->times.starttime, + krb5ticket->enc_part2->times.authtime, + krb5ticket->enc_part2->times.endtime); + } +#endif /* KSSL_DEBUG */ + } + + krb5rc = KRB5_NO_TKT_SUPPLIED; + if (!krb5ticket || !krb5ticket->enc_part2 || + !krb5ticket->enc_part2->client || + !krb5ticket->enc_part2->client->data || + !krb5ticket->enc_part2->session) + { + kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET, + "bad ticket from krb5_rd_req.\n"); + } + else if (kssl_ctx_setprinc(kssl_ctx, KSSL_CLIENT, + &krb5ticket->enc_part2->client->realm, + krb5ticket->enc_part2->client->data)) + { + kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET, + "kssl_ctx_setprinc() fails.\n"); + } + else if (kssl_ctx_setkey(kssl_ctx, krb5ticket->enc_part2->session)) + { + kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET, + "kssl_ctx_setkey() fails.\n"); + } + else if (krb5ticket->enc_part2->flags & TKT_FLG_INVALID) + { + krb5rc = KRB5KRB_AP_ERR_TKT_INVALID; + kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET, + "invalid ticket from krb5_rd_req.\n"); + } + else krb5rc = 0; + + kssl_ctx->enctype = krb5ticket->enc_part.enctype; + ttimes->authtime = krb5ticket->enc_part2->times.authtime; + ttimes->starttime = krb5ticket->enc_part2->times.starttime; + ttimes->endtime = krb5ticket->enc_part2->times.endtime; + ttimes->renew_till = krb5ticket->enc_part2->times.renew_till; + + err: +#ifdef KSSL_DEBUG + kssl_ctx_show(kssl_ctx); +#endif /* KSSL_DEBUG */ + + if (asn1ticket) KRB5_TICKET_free((KRB5_TICKET *) asn1ticket); + if (krb5keytab) krb5_kt_close(krb5context, krb5keytab); + if (krb5ticket) krb5_free_ticket(krb5context, krb5ticket); + if (krb5server) krb5_free_principal(krb5context, krb5server); + return (krb5rc); + } + + +/* Allocate & return a new kssl_ctx struct. +*/ +KSSL_CTX * +kssl_ctx_new(void) + { + return ((KSSL_CTX *) calloc(1, sizeof(KSSL_CTX))); + } + + +/* Frees a kssl_ctx struct and any allocated memory it holds. +** Returns NULL. +*/ +KSSL_CTX * +kssl_ctx_free(KSSL_CTX *kssl_ctx) + { + if (kssl_ctx == NULL) return kssl_ctx; + + if (kssl_ctx->key) OPENSSL_cleanse(kssl_ctx->key, + kssl_ctx->length); + if (kssl_ctx->key) free(kssl_ctx->key); + if (kssl_ctx->client_princ) free(kssl_ctx->client_princ); + if (kssl_ctx->service_host) free(kssl_ctx->service_host); + if (kssl_ctx->service_name) free(kssl_ctx->service_name); + if (kssl_ctx->keytab_file) free(kssl_ctx->keytab_file); + + free(kssl_ctx); + return (KSSL_CTX *) NULL; + } + + +/* Given a (krb5_data *) entity (and optional realm), +** set the plain (char *) client_princ or service_host member +** of the kssl_ctx struct. +*/ +krb5_error_code +kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which, + krb5_data *realm, krb5_data *entity) + { + char **princ; + int length; + + if (kssl_ctx == NULL || entity == NULL) return KSSL_CTX_ERR; + + switch (which) + { + case KSSL_CLIENT: princ = &kssl_ctx->client_princ; break; + case KSSL_SERVER: princ = &kssl_ctx->service_host; break; + default: return KSSL_CTX_ERR; break; + } + if (*princ) free(*princ); + + length = entity->length + ((realm)? realm->length + 2: 1); + if ((*princ = calloc(1, length)) == NULL) + return KSSL_CTX_ERR; + else + { + strncpy(*princ, entity->data, entity->length); + (*princ)[entity->length]='\0'; + if (realm) + { + strcat (*princ, "@"); + (void) strncat(*princ, realm->data, realm->length); + (*princ)[entity->length+1+realm->length]='\0'; + } + } + + return KSSL_CTX_OK; + } + + +/* Set one of the plain (char *) string members of the kssl_ctx struct. +** Default values should be: +** which == KSSL_SERVICE => "khost" (KRB5SVC) +** which == KSSL_KEYTAB => "/etc/krb5.keytab" (KRB5KEYTAB) +*/ +krb5_error_code +kssl_ctx_setstring(KSSL_CTX *kssl_ctx, int which, char *text) + { + char **string; + + if (!kssl_ctx) return KSSL_CTX_ERR; + + switch (which) + { + case KSSL_SERVICE: string = &kssl_ctx->service_name; break; + case KSSL_SERVER: string = &kssl_ctx->service_host; break; + case KSSL_CLIENT: string = &kssl_ctx->client_princ; break; + case KSSL_KEYTAB: string = &kssl_ctx->keytab_file; break; + default: return KSSL_CTX_ERR; break; + } + if (*string) free(*string); + + if (!text) + { + *string = '\0'; + return KSSL_CTX_OK; + } + + if ((*string = calloc(1, strlen(text) + 1)) == NULL) + return KSSL_CTX_ERR; + else + strcpy(*string, text); + + return KSSL_CTX_OK; + } + + +/* Copy the Kerberos session key from a (krb5_keyblock *) to a kssl_ctx +** struct. Clear kssl_ctx->key if Kerberos session key is NULL. +*/ +krb5_error_code +kssl_ctx_setkey(KSSL_CTX *kssl_ctx, krb5_keyblock *session) + { + int length; + krb5_enctype enctype; + krb5_octet FAR *contents = NULL; + + if (!kssl_ctx) return KSSL_CTX_ERR; + + if (kssl_ctx->key) + { + OPENSSL_cleanse(kssl_ctx->key, kssl_ctx->length); + free(kssl_ctx->key); + } + + if (session) + { + +#ifdef KRB5_HEIMDAL + length = session->keyvalue->length; + enctype = session->keytype; + contents = session->keyvalue->contents; +#else + length = session->length; + enctype = session->enctype; + contents = session->contents; +#endif + kssl_ctx->enctype = enctype; + kssl_ctx->length = length; + } + else + { + kssl_ctx->enctype = ENCTYPE_UNKNOWN; + kssl_ctx->length = 0; + return KSSL_CTX_OK; + } + + if ((kssl_ctx->key = + (krb5_octet FAR *) calloc(1, kssl_ctx->length)) == NULL) + { + kssl_ctx->length = 0; + return KSSL_CTX_ERR; + } + else + memcpy(kssl_ctx->key, contents, length); + + return KSSL_CTX_OK; + } + + +/* Display contents of kssl_ctx struct +*/ +void +kssl_ctx_show(KSSL_CTX *kssl_ctx) + { + int i; + + printf("kssl_ctx: "); + if (kssl_ctx == NULL) + { + printf("NULL\n"); + return; + } + else + printf("%p\n", kssl_ctx); + + printf("\tservice:\t%s\n", + (kssl_ctx->service_name)? kssl_ctx->service_name: "NULL"); + printf("\tclient:\t%s\n", + (kssl_ctx->client_princ)? kssl_ctx->client_princ: "NULL"); + printf("\tserver:\t%s\n", + (kssl_ctx->service_host)? kssl_ctx->service_host: "NULL"); + printf("\tkeytab:\t%s\n", + (kssl_ctx->keytab_file)? kssl_ctx->keytab_file: "NULL"); + printf("\tkey [%d:%d]:\t", + kssl_ctx->enctype, kssl_ctx->length); + + for (i=0; i < kssl_ctx->length && kssl_ctx->key; i++) + { + printf("%02x", kssl_ctx->key[i]); + } + printf("\n"); + return; + } + + int + kssl_keytab_is_available(KSSL_CTX *kssl_ctx) +{ + krb5_context krb5context = NULL; + krb5_keytab krb5keytab = NULL; + krb5_keytab_entry entry; + krb5_principal princ = NULL; + krb5_error_code krb5rc = KRB5KRB_ERR_GENERIC; + int rc = 0; + + if ((krb5rc = krb5_init_context(&krb5context))) + return(0); + + /* kssl_ctx->keytab_file == NULL ==> use Kerberos default + */ + if (kssl_ctx->keytab_file) + { + krb5rc = krb5_kt_resolve(krb5context, kssl_ctx->keytab_file, + &krb5keytab); + if (krb5rc) + goto exit; + } + else + { + krb5rc = krb5_kt_default(krb5context,&krb5keytab); + if (krb5rc) + goto exit; + } + + /* the host key we are looking for */ + krb5rc = krb5_sname_to_principal(krb5context, NULL, + kssl_ctx->service_name ? kssl_ctx->service_name: KRB5SVC, + KRB5_NT_SRV_HST, &princ); + + krb5rc = krb5_kt_get_entry(krb5context, krb5keytab, + princ, + 0 /* IGNORE_VNO */, + 0 /* IGNORE_ENCTYPE */, + &entry); + if ( krb5rc == KRB5_KT_NOTFOUND ) { + rc = 1; + goto exit; + } else if ( krb5rc ) + goto exit; + + krb5_kt_free_entry(krb5context, &entry); + rc = 1; + + exit: + if (krb5keytab) krb5_kt_close(krb5context, krb5keytab); + if (princ) krb5_free_principal(krb5context, princ); + if (krb5context) krb5_free_context(krb5context); + return(rc); +} + +int +kssl_tgt_is_available(KSSL_CTX *kssl_ctx) + { + krb5_error_code krb5rc = KRB5KRB_ERR_GENERIC; + krb5_context krb5context = NULL; + krb5_ccache krb5ccdef = NULL; + krb5_creds krb5creds, *krb5credsp = NULL; + int rc = 0; + + memset((char *)&krb5creds, 0, sizeof(krb5creds)); + + if (!kssl_ctx) + return(0); + + if (!kssl_ctx->service_host) + return(0); + + if ((krb5rc = krb5_init_context(&krb5context)) != 0) + goto err; + + if ((krb5rc = krb5_sname_to_principal(krb5context, + kssl_ctx->service_host, + (kssl_ctx->service_name)? kssl_ctx->service_name: KRB5SVC, + KRB5_NT_SRV_HST, &krb5creds.server)) != 0) + goto err; + + if ((krb5rc = krb5_cc_default(krb5context, &krb5ccdef)) != 0) + goto err; + + if ((krb5rc = krb5_cc_get_principal(krb5context, krb5ccdef, + &krb5creds.client)) != 0) + goto err; + + if ((krb5rc = krb5_get_credentials(krb5context, 0, krb5ccdef, + &krb5creds, &krb5credsp)) != 0) + goto err; + + rc = 1; + + err: +#ifdef KSSL_DEBUG + kssl_ctx_show(kssl_ctx); +#endif /* KSSL_DEBUG */ + + if (krb5creds.client) krb5_free_principal(krb5context, krb5creds.client); + if (krb5creds.server) krb5_free_principal(krb5context, krb5creds.server); + if (krb5context) krb5_free_context(krb5context); + return(rc); + } + +#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_WIN32) +void kssl_krb5_free_data_contents(krb5_context context, krb5_data *data) + { +#ifdef KRB5_HEIMDAL + data->length = 0; + if (data->data) + free(data->data); +#elif defined(KRB5_MIT_OLD11) + if (data->data) { + krb5_xfree(data->data); + data->data = 0; + } +#else + krb5_free_data_contents(NULL, data); +#endif + } +#endif /* !OPENSSL_SYS_WINDOWS && !OPENSSL_SYS_WIN32 */ + + +/* Given pointers to KerberosTime and struct tm structs, convert the +** KerberosTime string to struct tm. Note that KerberosTime is a +** ASN1_GENERALIZEDTIME value, constrained to GMT with no fractional +** seconds as defined in RFC 1510. +** Return pointer to the (partially) filled in struct tm on success, +** return NULL on failure. +*/ +struct tm *k_gmtime(ASN1_GENERALIZEDTIME *gtime, struct tm *k_tm) + { + char c, *p; + + if (!k_tm) return NULL; + if (gtime == NULL || gtime->length < 14) return NULL; + if (gtime->data == NULL) return NULL; + + p = (char *)>ime->data[14]; + + c = *p; *p = '\0'; p -= 2; k_tm->tm_sec = atoi(p); *(p+2) = c; + c = *p; *p = '\0'; p -= 2; k_tm->tm_min = atoi(p); *(p+2) = c; + c = *p; *p = '\0'; p -= 2; k_tm->tm_hour = atoi(p); *(p+2) = c; + c = *p; *p = '\0'; p -= 2; k_tm->tm_mday = atoi(p); *(p+2) = c; + c = *p; *p = '\0'; p -= 2; k_tm->tm_mon = atoi(p)-1; *(p+2) = c; + c = *p; *p = '\0'; p -= 4; k_tm->tm_year = atoi(p)-1900; *(p+4) = c; + + return k_tm; + } + + +/* Helper function for kssl_validate_times(). +** We need context->clockskew, but krb5_context is an opaque struct. +** So we try to sneek the clockskew out through the replay cache. +** If that fails just return a likely default (300 seconds). +*/ +krb5_deltat get_rc_clockskew(krb5_context context) + { + krb5_rcache rc; + krb5_deltat clockskew; + + if (krb5_rc_default(context, &rc)) return KSSL_CLOCKSKEW; + if (krb5_rc_initialize(context, rc, 0)) return KSSL_CLOCKSKEW; + if (krb5_rc_get_lifespan(context, rc, &clockskew)) { + clockskew = KSSL_CLOCKSKEW; + } + (void) krb5_rc_destroy(context, rc); + return clockskew; + } + + +/* kssl_validate_times() combines (and more importantly exposes) +** the MIT KRB5 internal function krb5_validate_times() and the +** in_clock_skew() macro. The authenticator client time is checked +** to be within clockskew secs of the current time and the current +** time is checked to be within the ticket start and expire times. +** Either check may be omitted by supplying a NULL value. +** Returns 0 for valid times, SSL_R_KRB5* error codes otherwise. +** See Also: (Kerberos source)/krb5/lib/krb5/krb/valid_times.c +** 20010420 VRS +*/ +krb5_error_code kssl_validate_times( krb5_timestamp atime, + krb5_ticket_times *ttimes) + { + krb5_deltat skew; + krb5_timestamp start, now; + krb5_error_code rc; + krb5_context context; + + if ((rc = krb5_init_context(&context))) return SSL_R_KRB5_S_BAD_TICKET; + skew = get_rc_clockskew(context); + if ((rc = krb5_timeofday(context,&now))) return SSL_R_KRB5_S_BAD_TICKET; + krb5_free_context(context); + + if (atime && labs(atime - now) >= skew) return SSL_R_KRB5_S_TKT_SKEW; + + if (! ttimes) return 0; + + start = (ttimes->starttime != 0)? ttimes->starttime: ttimes->authtime; + if (start - now > skew) return SSL_R_KRB5_S_TKT_NYV; + if ((now - ttimes->endtime) > skew) return SSL_R_KRB5_S_TKT_EXPIRED; + +#ifdef KSSL_DEBUG + printf("kssl_validate_times: %d |<- | %d - %d | < %d ->| %d\n", + start, atime, now, skew, ttimes->endtime); +#endif /* KSSL_DEBUG */ + + return 0; + } + + +/* Decode and decrypt given DER-encoded authenticator, then pass +** authenticator ctime back in *atimep (or 0 if time unavailable). +** Returns krb5_error_code and kssl_err on error. A NULL +** authenticator (authentp->length == 0) is not considered an error. +** Note that kssl_check_authent() makes use of the KRB5 session key; +** you must call kssl_sget_tkt() to get the key before calling this routine. +*/ +krb5_error_code kssl_check_authent( + /* IN */ KSSL_CTX *kssl_ctx, + /* IN */ krb5_data *authentp, + /* OUT */ krb5_timestamp *atimep, + /* OUT */ KSSL_ERR *kssl_err ) + { + krb5_error_code krb5rc = 0; + KRB5_ENCDATA *dec_authent = NULL; + KRB5_AUTHENTBODY *auth = NULL; + krb5_enctype enctype; + EVP_CIPHER_CTX ciph_ctx; + const EVP_CIPHER *enc = NULL; + unsigned char iv[EVP_MAX_IV_LENGTH]; + unsigned char *p, *unenc_authent; + int outl, unencbufsize; + struct tm tm_time, *tm_l, *tm_g; + time_t now, tl, tg, tr, tz_offset; + + EVP_CIPHER_CTX_init(&ciph_ctx); + *atimep = 0; + kssl_err_set(kssl_err, 0, ""); + +#ifndef KRB5CHECKAUTH + authentp = NULL; +#else +#if KRB5CHECKAUTH == 0 + authentp = NULL; +#endif +#endif /* KRB5CHECKAUTH */ + + if (authentp == NULL || authentp->length == 0) return 0; + +#ifdef KSSL_DEBUG + { + unsigned int ui; + printf("kssl_check_authent: authenticator[%d]:\n",authentp->length); + p = authentp->data; + for (ui=0; ui < authentp->length; ui++) printf("%02x ",p[ui]); + printf("\n"); + } +#endif /* KSSL_DEBUG */ + + unencbufsize = 2 * authentp->length; + if ((unenc_authent = calloc(1, unencbufsize)) == NULL) + { + kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, + "Unable to allocate authenticator buffer.\n"); + krb5rc = KRB5KRB_ERR_GENERIC; + goto err; + } + + p = (unsigned char *)authentp->data; + if ((dec_authent = d2i_KRB5_ENCDATA(NULL, &p, + (long) authentp->length)) == NULL) + { + kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, + "Error decoding authenticator.\n"); + krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY; + goto err; + } + + enctype = dec_authent->etype->data[0]; /* should = kssl_ctx->enctype */ +#if !defined(KRB5_MIT_OLD11) + switch ( enctype ) { + case ENCTYPE_DES3_CBC_SHA1: /* EVP_des_ede3_cbc(); */ + case ENCTYPE_DES3_CBC_SHA: + case ENCTYPE_DES3_CBC_RAW: + krb5rc = 0; /* Skip, can't handle derived keys */ + goto err; + } +#endif + enc = kssl_map_enc(enctype); + memset(iv, 0, sizeof iv); /* per RFC 1510 */ + + if (enc == NULL) + { + /* Disable kssl_check_authent for ENCTYPE_DES3_CBC_SHA1. + ** This enctype indicates the authenticator was encrypted + ** using key-usage derived keys which openssl cannot decrypt. + */ + goto err; + } + + if (!EVP_CipherInit(&ciph_ctx,enc,kssl_ctx->key,iv,0)) + { + kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, + "EVP_CipherInit error decrypting authenticator.\n"); + krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY; + goto err; + } + outl = dec_authent->cipher->length; + if (!EVP_Cipher(&ciph_ctx,unenc_authent,dec_authent->cipher->data,outl)) + { + kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, + "EVP_Cipher error decrypting authenticator.\n"); + krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY; + goto err; + } + EVP_CIPHER_CTX_cleanup(&ciph_ctx); + +#ifdef KSSL_DEBUG + printf("kssl_check_authent: decrypted authenticator[%d] =\n", outl); + for (padl=0; padl < outl; padl++) printf("%02x ",unenc_authent[padl]); + printf("\n"); +#endif /* KSSL_DEBUG */ + + if ((p = kssl_skip_confound(enctype, unenc_authent)) == NULL) + { + kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, + "confounded by authenticator.\n"); + krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY; + goto err; + } + outl -= p - unenc_authent; + + if ((auth = (KRB5_AUTHENTBODY *) d2i_KRB5_AUTHENT(NULL, &p, + (long) outl))==NULL) + { + kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT, + "Error decoding authenticator body.\n"); + krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY; + goto err; + } + + memset(&tm_time,0,sizeof(struct tm)); + if (k_gmtime(auth->ctime, &tm_time) && + ((tr = mktime(&tm_time)) != (time_t)(-1))) + { + now = time(&now); + tm_l = localtime(&now); tl = mktime(tm_l); + tm_g = gmtime(&now); tg = mktime(tm_g); + tz_offset = tg - tl; + + *atimep = tr - tz_offset; + } + +#ifdef KSSL_DEBUG + printf("kssl_check_authent: returns %d for client time ", *atimep); + if (auth && auth->ctime && auth->ctime->length && auth->ctime->data) + printf("%.*s\n", auth->ctime->length, auth->ctime->data); + else printf("NULL\n"); +#endif /* KSSL_DEBUG */ + + err: + if (auth) KRB5_AUTHENT_free((KRB5_AUTHENT *) auth); + if (dec_authent) KRB5_ENCDATA_free(dec_authent); + if (unenc_authent) free(unenc_authent); + EVP_CIPHER_CTX_cleanup(&ciph_ctx); + return krb5rc; + } + + +/* Replaces krb5_build_principal_ext(), with varargs length == 2 (svc, host), +** because I dont't know how to stub varargs. +** Returns krb5_error_code == ENOMEM on alloc error, otherwise +** passes back newly constructed principal, which should be freed by caller. +*/ +krb5_error_code kssl_build_principal_2( + /* UPDATE */ krb5_context context, + /* OUT */ krb5_principal *princ, + /* IN */ int rlen, const char *realm, + /* IN */ int slen, const char *svc, + /* IN */ int hlen, const char *host) + { + krb5_data *p_data = NULL; + krb5_principal new_p = NULL; + char *new_r = NULL; + + if ((p_data = (krb5_data *) calloc(2, sizeof(krb5_data))) == NULL || + (new_p = (krb5_principal) calloc(1, sizeof(krb5_principal_data))) + == NULL) goto err; + new_p->length = 2; + new_p->data = p_data; + + if ((new_r = calloc(1, rlen + 1)) == NULL) goto err; + memcpy(new_r, realm, rlen); + krb5_princ_set_realm_length(context, new_p, rlen); + krb5_princ_set_realm_data(context, new_p, new_r); + + if ((new_p->data[0].data = calloc(1, slen + 1)) == NULL) goto err; + memcpy(new_p->data[0].data, svc, slen); + new_p->data[0].length = slen; + + if ((new_p->data[1].data = calloc(1, hlen + 1)) == NULL) goto err; + memcpy(new_p->data[1].data, host, hlen); + new_p->data[1].length = hlen; + + krb5_princ_type(context, new_p) = KRB5_NT_UNKNOWN; + *princ = new_p; + return 0; + + err: + if (new_p && new_p[0].data) free(new_p[0].data); + if (new_p && new_p[1].data) free(new_p[1].data); + if (new_p) free(new_p); + if (new_r) free(new_r); + return ENOMEM; + } + + +#else /* !OPENSSL_NO_KRB5 */ + +#if defined(PEDANTIC) || defined(OPENSSL_SYS_VMS) +static int dummy=(int)&dummy; +#endif + +#endif /* !OPENSSL_NO_KRB5 */ + diff --git a/crypto/openssl/ssl/kssl.h b/crypto/openssl/ssl/kssl.h new file mode 100644 index 0000000..cf7ebdd --- /dev/null +++ b/crypto/openssl/ssl/kssl.h @@ -0,0 +1,173 @@ +/* ssl/kssl.h -*- mode: C; c-file-style: "eay" -*- */ +/* Written by Vern Staats <staatsvr@asc.hpc.mil> for the OpenSSL project 2000. + * project 2000. + */ +/* ==================================================================== + * Copyright (c) 2000 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ + +/* +** 19990701 VRS Started. +*/ + +#ifndef KSSL_H +#define KSSL_H + +#include <openssl/opensslconf.h> + +#ifndef OPENSSL_NO_KRB5 + +#include <stdio.h> +#include <ctype.h> +#include <krb5.h> + +#ifdef __cplusplus +extern "C" { +#endif + +/* +** Depending on which KRB5 implementation used, some types from +** the other may be missing. Resolve that here and now +*/ +#ifdef KRB5_HEIMDAL +typedef unsigned char krb5_octet; +#define FAR +#endif + +/* Uncomment this to debug kssl problems or +** to trace usage of the Kerberos session key +** +** #define KSSL_DEBUG +*/ + +#ifndef KRB5SVC +#define KRB5SVC "host" +#endif + +#ifndef KRB5KEYTAB +#define KRB5KEYTAB "/etc/krb5.keytab" +#endif + +#ifndef KRB5SENDAUTH +#define KRB5SENDAUTH 1 +#endif + +#ifndef KRB5CHECKAUTH +#define KRB5CHECKAUTH 1 +#endif + +#ifndef KSSL_CLOCKSKEW +#define KSSL_CLOCKSKEW 300; +#endif + +#define KSSL_ERR_MAX 255 +typedef struct kssl_err_st { + int reason; + char text[KSSL_ERR_MAX+1]; + } KSSL_ERR; + + +/* Context for passing +** (1) Kerberos session key to SSL, and +** (2) Config data between application and SSL lib +*/ +typedef struct kssl_ctx_st + { + /* used by: disposition: */ + char *service_name; /* C,S default ok (kssl) */ + char *service_host; /* C input, REQUIRED */ + char *client_princ; /* S output from krb5 ticket */ + char *keytab_file; /* S NULL (/etc/krb5.keytab) */ + char *cred_cache; /* C NULL (default) */ + krb5_enctype enctype; + int length; + krb5_octet FAR *key; + } KSSL_CTX; + +#define KSSL_CLIENT 1 +#define KSSL_SERVER 2 +#define KSSL_SERVICE 3 +#define KSSL_KEYTAB 4 + +#define KSSL_CTX_OK 0 +#define KSSL_CTX_ERR 1 +#define KSSL_NOMEM 2 + +/* Public (for use by applications that use OpenSSL with Kerberos 5 support */ +krb5_error_code kssl_ctx_setstring(KSSL_CTX *kssl_ctx, int which, char *text); +KSSL_CTX *kssl_ctx_new(void); +KSSL_CTX *kssl_ctx_free(KSSL_CTX *kssl_ctx); +void kssl_ctx_show(KSSL_CTX *kssl_ctx); +krb5_error_code kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which, + krb5_data *realm, krb5_data *entity); +krb5_error_code kssl_cget_tkt(KSSL_CTX *kssl_ctx, krb5_data **enc_tktp, + krb5_data *authenp, KSSL_ERR *kssl_err); +krb5_error_code kssl_sget_tkt(KSSL_CTX *kssl_ctx, krb5_data *indata, + krb5_ticket_times *ttimes, KSSL_ERR *kssl_err); +krb5_error_code kssl_ctx_setkey(KSSL_CTX *kssl_ctx, krb5_keyblock *session); +void kssl_err_set(KSSL_ERR *kssl_err, int reason, char *text); +void kssl_krb5_free_data_contents(krb5_context context, krb5_data *data); +krb5_error_code kssl_build_principal_2(krb5_context context, + krb5_principal *princ, int rlen, const char *realm, + int slen, const char *svc, int hlen, const char *host); +krb5_error_code kssl_validate_times(krb5_timestamp atime, + krb5_ticket_times *ttimes); +krb5_error_code kssl_check_authent(KSSL_CTX *kssl_ctx, krb5_data *authentp, + krb5_timestamp *atimep, KSSL_ERR *kssl_err); +unsigned char *kssl_skip_confound(krb5_enctype enctype, unsigned char *authn); + +#ifdef __cplusplus +} +#endif +#endif /* OPENSSL_NO_KRB5 */ +#endif /* KSSL_H */ diff --git a/crypto/openssl/ssl/kssl_lcl.h b/crypto/openssl/ssl/kssl_lcl.h new file mode 100644 index 0000000..4cd8dd2 --- /dev/null +++ b/crypto/openssl/ssl/kssl_lcl.h @@ -0,0 +1,87 @@ +/* ssl/kssl.h -*- mode: C; c-file-style: "eay" -*- */ +/* Written by Vern Staats <staatsvr@asc.hpc.mil> for the OpenSSL project 2000. + * project 2000. + */ +/* ==================================================================== + * Copyright (c) 2000 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ + +#ifndef KSSL_LCL_H +#define KSSL_LCL_H + +#include <openssl/kssl.h> + +#ifndef OPENSSL_NO_KRB5 + +#ifdef __cplusplus +extern "C" { +#endif + +/* Private (internal to OpenSSL) */ +void print_krb5_data(char *label, krb5_data *kdata); +void print_krb5_authdata(char *label, krb5_authdata **adata); +void print_krb5_keyblock(char *label, krb5_keyblock *keyblk); + +char *kstring(char *string); +char *knumber(int len, krb5_octet *contents); + +EVP_CIPHER *kssl_map_enc(krb5_enctype enctype); + +int kssl_keytab_is_available(KSSL_CTX *kssl_ctx); +int kssl_tgt_is_available(KSSL_CTX *kssl_ctx); + +#ifdef __cplusplus +} +#endif +#endif /* OPENSSL_NO_KRB5 */ +#endif /* KSSL_LCL_H */ diff --git a/crypto/openssl/ssl/s23_clnt.c b/crypto/openssl/ssl/s23_clnt.c index 2d0eb4a..64ee426 100644 --- a/crypto/openssl/ssl/s23_clnt.c +++ b/crypto/openssl/ssl/s23_clnt.c @@ -57,18 +57,18 @@ */ #include <stdio.h> +#include "ssl_locl.h" #include <openssl/buffer.h> #include <openssl/rand.h> #include <openssl/objects.h> #include <openssl/evp.h> -#include "ssl_locl.h" static SSL_METHOD *ssl23_get_client_method(int ver); static int ssl23_client_hello(SSL *s); static int ssl23_get_server_hello(SSL *s); static SSL_METHOD *ssl23_get_client_method(int ver) { -#ifndef NO_SSL2 +#ifndef OPENSSL_NO_SSL2 if (ver == SSL2_VERSION) return(SSLv2_client_method()); #endif @@ -87,20 +87,27 @@ SSL_METHOD *SSLv23_client_method(void) if (init) { - memcpy((char *)&SSLv23_client_data, - (char *)sslv23_base_method(),sizeof(SSL_METHOD)); - SSLv23_client_data.ssl_connect=ssl23_connect; - SSLv23_client_data.get_ssl_method=ssl23_get_client_method; - init=0; + CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD); + + if (init) + { + memcpy((char *)&SSLv23_client_data, + (char *)sslv23_base_method(),sizeof(SSL_METHOD)); + SSLv23_client_data.ssl_connect=ssl23_connect; + SSLv23_client_data.get_ssl_method=ssl23_get_client_method; + init=0; + } + + CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD); } return(&SSLv23_client_data); } int ssl23_connect(SSL *s) { - BUF_MEM *buf; + BUF_MEM *buf=NULL; unsigned long Time=time(NULL); - void (*cb)()=NULL; + void (*cb)(const SSL *ssl,int type,int val)=NULL; int ret= -1; int new_state,state; @@ -152,6 +159,7 @@ int ssl23_connect(SSL *s) goto end; } s->init_buf=buf; + buf=NULL; } if (!ssl3_setup_buffers(s)) { ret= -1; goto end; } @@ -200,6 +208,8 @@ int ssl23_connect(SSL *s) } end: s->in_handshake--; + if (buf != NULL) + BUF_MEM_free(buf); if (cb != NULL) cb(s,SSL_CB_CONNECT_EXIT,ret); return(ret); @@ -211,6 +221,7 @@ static int ssl23_client_hello(SSL *s) unsigned char *buf; unsigned char *p,*d; int i,ch_len; + int ret; buf=(unsigned char *)s->init_buf->data; if (s->state == SSL23_ST_CW_CLNT_HELLO_A) @@ -302,7 +313,11 @@ static int ssl23_client_hello(SSL *s) } /* SSL3_ST_CW_CLNT_HELLO_B */ - return(ssl23_write_bytes(s)); + ret = ssl23_write_bytes(s); + if (ret >= 2) + if (s->msg_callback) + s->msg_callback(1, SSL2_VERSION, 0, s->init_buf->data+2, ret-2, s, s->msg_callback_arg); /* CLIENT-HELLO */ + return ret; } static int ssl23_get_server_hello(SSL *s) @@ -322,7 +337,7 @@ static int ssl23_get_server_hello(SSL *s) if ((p[0] & 0x80) && (p[2] == SSL2_MT_SERVER_HELLO) && (p[5] == 0x00) && (p[6] == 0x02)) { -#ifdef NO_SSL2 +#ifdef OPENSSL_NO_SSL2 SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_PROTOCOL); goto err; #else @@ -358,7 +373,7 @@ static int ssl23_get_server_hello(SSL *s) if (s->s3 != NULL) ssl3_free(s); - if (!BUF_MEM_grow(s->init_buf, + if (!BUF_MEM_grow_clean(s->init_buf, SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)) { SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,ERR_R_BUF_LIB); @@ -435,7 +450,7 @@ static int ssl23_get_server_hello(SSL *s) (p[3] == 0) && (p[4] == 2)) { - void (*cb)()=NULL; + void (*cb)(const SSL *ssl,int type,int val)=NULL; int j; /* An alert */ diff --git a/crypto/openssl/ssl/s23_lib.c b/crypto/openssl/ssl/s23_lib.c index ad2d8da..b70002a 100644 --- a/crypto/openssl/ssl/s23_lib.c +++ b/crypto/openssl/ssl/s23_lib.c @@ -111,7 +111,7 @@ SSL_METHOD *sslv23_base_method(void) static int ssl23_num_ciphers(void) { return(ssl3_num_ciphers() -#ifndef NO_SSL2 +#ifndef OPENSSL_NO_SSL2 + ssl2_num_ciphers() #endif ); @@ -124,7 +124,7 @@ static SSL_CIPHER *ssl23_get_cipher(unsigned int u) if (u < uu) return(ssl3_get_cipher(u)); else -#ifndef NO_SSL2 +#ifndef OPENSSL_NO_SSL2 return(ssl2_get_cipher(u-uu)); #else return(NULL); @@ -144,7 +144,7 @@ static SSL_CIPHER *ssl23_get_cipher_by_char(const unsigned char *p) ((unsigned long)p[1]<<8L)|(unsigned long)p[2]; c.id=id; cp=ssl3_get_cipher_by_char(p); -#ifndef NO_SSL2 +#ifndef OPENSSL_NO_SSL2 if (cp == NULL) cp=ssl2_get_cipher_by_char(p); #endif diff --git a/crypto/openssl/ssl/s23_meth.c b/crypto/openssl/ssl/s23_meth.c index 4068431..f207140 100644 --- a/crypto/openssl/ssl/s23_meth.c +++ b/crypto/openssl/ssl/s23_meth.c @@ -80,12 +80,19 @@ SSL_METHOD *SSLv23_method(void) if (init) { - memcpy((char *)&SSLv23_data,(char *)sslv23_base_method(), - sizeof(SSL_METHOD)); - SSLv23_data.ssl_connect=ssl23_connect; - SSLv23_data.ssl_accept=ssl23_accept; - SSLv23_data.get_ssl_method=ssl23_get_method; - init=0; + CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD); + + if (init) + { + memcpy((char *)&SSLv23_data,(char *)sslv23_base_method(), + sizeof(SSL_METHOD)); + SSLv23_data.ssl_connect=ssl23_connect; + SSLv23_data.ssl_accept=ssl23_accept; + SSLv23_data.get_ssl_method=ssl23_get_method; + init=0; + } + + CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD); } return(&SSLv23_data); } diff --git a/crypto/openssl/ssl/s23_pkt.c b/crypto/openssl/ssl/s23_pkt.c index a62599c..4ca6a1b 100644 --- a/crypto/openssl/ssl/s23_pkt.c +++ b/crypto/openssl/ssl/s23_pkt.c @@ -55,66 +55,13 @@ * copied and put under another distribution licence * [including the GNU Public Licence.] */ -/* ==================================================================== - * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ #include <stdio.h> #include <errno.h> #define USE_SOCKETS +#include "ssl_locl.h" #include <openssl/evp.h> #include <openssl/buffer.h> -#include "ssl_locl.h" int ssl23_write_bytes(SSL *s) { diff --git a/crypto/openssl/ssl/s23_srvr.c b/crypto/openssl/ssl/s23_srvr.c index b40bb01..c5404ca 100644 --- a/crypto/openssl/ssl/s23_srvr.c +++ b/crypto/openssl/ssl/s23_srvr.c @@ -110,17 +110,17 @@ */ #include <stdio.h> +#include "ssl_locl.h" #include <openssl/buffer.h> #include <openssl/rand.h> #include <openssl/objects.h> #include <openssl/evp.h> -#include "ssl_locl.h" static SSL_METHOD *ssl23_get_server_method(int ver); int ssl23_get_client_hello(SSL *s); static SSL_METHOD *ssl23_get_server_method(int ver) { -#ifndef NO_SSL2 +#ifndef OPENSSL_NO_SSL2 if (ver == SSL2_VERSION) return(SSLv2_server_method()); #endif @@ -139,11 +139,18 @@ SSL_METHOD *SSLv23_server_method(void) if (init) { - memcpy((char *)&SSLv23_server_data, - (char *)sslv23_base_method(),sizeof(SSL_METHOD)); - SSLv23_server_data.ssl_accept=ssl23_accept; - SSLv23_server_data.get_ssl_method=ssl23_get_server_method; - init=0; + CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD); + + if (init) + { + memcpy((char *)&SSLv23_server_data, + (char *)sslv23_base_method(),sizeof(SSL_METHOD)); + SSLv23_server_data.ssl_accept=ssl23_accept; + SSLv23_server_data.get_ssl_method=ssl23_get_server_method; + init=0; + } + + CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD); } return(&SSLv23_server_data); } @@ -152,7 +159,7 @@ int ssl23_accept(SSL *s) { BUF_MEM *buf; unsigned long Time=time(NULL); - void (*cb)()=NULL; + void (*cb)(const SSL *ssl,int type,int val)=NULL; int ret= -1; int new_state,state; @@ -255,13 +262,13 @@ int ssl23_get_client_hello(SSL *s) * 9/10 client_version / */ char *buf= &(buf_space[0]); - unsigned char *p,*d,*dd; + unsigned char *p,*d,*d_len,*dd; unsigned int i; unsigned int csl,sil,cl; int n=0,j; int type=0; int v[2]; -#ifndef NO_RSA +#ifndef OPENSSL_NO_RSA int use_sslv2_strong=0; #endif @@ -323,72 +330,6 @@ int ssl23_get_client_hello(SSL *s) else if (!(s->options & SSL_OP_NO_SSLv2)) type=1; - if (s->options & SSL_OP_NON_EXPORT_FIRST) - /* Not only utterly confusing, but broken - * ('fractured programming'?) -- the details - * of this block nearly make it work - * as intended in this environment, but on one - * of the fine points (w.r.t. restarts) it fails. - * The obvious fix would be even more devastating - * to program structure; if you want the functionality, - * throw this away and implement it in a way - * that makes sense */ - { -#if 0 - STACK_OF(SSL_CIPHER) *sk; - SSL_CIPHER *c; - int ne2,ne3; - - j=((p[0]&0x7f)<<8)|p[1]; - if (j > (1024*4)) - { - SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_LARGE); - goto err; - } - - n=ssl23_read_bytes(s,j+2); - if (n <= 0) return(n); - p=s->packet; - - if ((buf=OPENSSL_malloc(n)) == NULL) - { - SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,ERR_R_MALLOC_FAILURE); - goto err; - } - memcpy(buf,p,n); - - p+=5; - n2s(p,csl); - p+=4; - - sk=ssl_bytes_to_cipher_list( - s,p,csl,NULL); - if (sk != NULL) - { - ne2=ne3=0; - for (j=0; j<sk_SSL_CIPHER_num(sk); j++) - { - c=sk_SSL_CIPHER_value(sk,j); - if (!SSL_C_IS_EXPORT(c)) - { - if ((c->id>>24L) == 2L) - ne2=1; - else - ne3=1; - } - } - if (ne2 && !ne3) - { - type=1; - use_sslv2_strong=1; - goto next_bit; - } - } -#else - SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_OPTION); - goto err; -#endif - } } } else if ((p[0] == SSL3_RT_HANDSHAKE) && @@ -486,7 +427,9 @@ int ssl23_get_client_hello(SSL *s) j=ssl23_read_bytes(s,n+2); if (j <= 0) return(j); - ssl3_finish_mac(s,&(s->packet[2]),s->packet_length-2); + ssl3_finish_mac(s, s->packet+2, s->packet_length-2); + if (s->msg_callback) + s->msg_callback(0, SSL2_VERSION, 0, s->packet+2, s->packet_length-2, s, s->msg_callback_arg); /* CLIENT-HELLO */ p=s->packet; p+=5; @@ -500,6 +443,13 @@ int ssl23_get_client_hello(SSL *s) goto err; } + /* record header: msg_type ... */ + *(d++) = SSL3_MT_CLIENT_HELLO; + /* ... and length (actual value will be written later) */ + d_len = d; + d += 3; + + /* client_version */ *(d++) = SSL3_VERSION_MAJOR; /* == v[0] */ *(d++) = v[1]; @@ -530,7 +480,8 @@ int ssl23_get_client_hello(SSL *s) *(d++)=1; *(d++)=0; - i=(d-(unsigned char *)s->init_buf->data); + i = (d-(unsigned char *)s->init_buf->data) - 4; + l2n3((long)i, d_len); /* get the data reused from the init_buf */ s->s3->tmp.reuse_message=1; @@ -543,7 +494,7 @@ int ssl23_get_client_hello(SSL *s) if (type == 1) { -#ifdef NO_SSL2 +#ifdef OPENSSL_NO_SSL2 SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL); goto err; #else @@ -561,7 +512,7 @@ int ssl23_get_client_hello(SSL *s) if (s->s3 != NULL) ssl3_free(s); - if (!BUF_MEM_grow(s->init_buf, + if (!BUF_MEM_grow_clean(s->init_buf, SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)) { goto err; diff --git a/crypto/openssl/ssl/s2_clnt.c b/crypto/openssl/ssl/s2_clnt.c index 236b394..c6319bb 100644 --- a/crypto/openssl/ssl/s2_clnt.c +++ b/crypto/openssl/ssl/s2_clnt.c @@ -110,7 +110,7 @@ */ #include "ssl_locl.h" -#ifndef NO_SSL2 +#ifndef OPENSSL_NO_SSL2 #include <stdio.h> #include <openssl/rand.h> #include <openssl/buffer.h> @@ -145,11 +145,18 @@ SSL_METHOD *SSLv2_client_method(void) if (init) { - memcpy((char *)&SSLv2_client_data,(char *)sslv2_base_method(), - sizeof(SSL_METHOD)); - SSLv2_client_data.ssl_connect=ssl2_connect; - SSLv2_client_data.get_ssl_method=ssl2_get_client_method; - init=0; + CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD); + + if (init) + { + memcpy((char *)&SSLv2_client_data,(char *)sslv2_base_method(), + sizeof(SSL_METHOD)); + SSLv2_client_data.ssl_connect=ssl2_connect; + SSLv2_client_data.get_ssl_method=ssl2_get_client_method; + init=0; + } + + CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD); } return(&SSLv2_client_data); } @@ -159,7 +166,7 @@ int ssl2_connect(SSL *s) unsigned long l=time(NULL); BUF_MEM *buf=NULL; int ret= -1; - void (*cb)()=NULL; + void (*cb)(const SSL *ssl,int type,int val)=NULL; int new_state,state; RAND_add(&l,sizeof(l),0); @@ -201,10 +208,13 @@ int ssl2_connect(SSL *s) if (!BUF_MEM_grow(buf, SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)) { + if (buf == s->init_buf) + buf=NULL; ret= -1; goto end; } s->init_buf=buf; + buf=NULL; s->init_num=0; s->state=SSL2_ST_SEND_CLIENT_HELLO_A; s->ctx->stats.sess_connect++; @@ -331,6 +341,8 @@ int ssl2_connect(SSL *s) } end: s->in_handshake--; + if (buf != NULL) + BUF_MEM_free(buf); if (cb != NULL) cb(s,SSL_CB_CONNECT_EXIT,ret); return(ret); @@ -342,7 +354,7 @@ static int get_server_hello(SSL *s) unsigned char *p; int i,j; unsigned long len; - STACK_OF(SSL_CIPHER) *sk=NULL,*cl; + STACK_OF(SSL_CIPHER) *sk=NULL,*cl, *prio, *allow; buf=(unsigned char *)s->init_buf->data; p=buf; @@ -392,6 +404,8 @@ static int get_server_hello(SSL *s) j = (int)len - s->init_num; i = ssl2_read(s,(char *)&(buf[s->init_num]),j); if (i != j) return(ssl2_part_read(s,SSL_F_GET_SERVER_HELLO,i)); + if (s->msg_callback) + s->msg_callback(0, s->version, 0, buf, (size_t)len, s, s->msg_callback_arg); /* SERVER-HELLO */ /* things are looking good */ @@ -474,33 +488,49 @@ static int get_server_hello(SSL *s) sk_SSL_CIPHER_set_cmp_func(sk,ssl_cipher_ptr_id_cmp); /* get the array of ciphers we will accept */ - cl=ssl_get_ciphers_by_id(s); - + cl=SSL_get_ciphers(s); + sk_SSL_CIPHER_set_cmp_func(cl,ssl_cipher_ptr_id_cmp); + + /* + * If server preference flag set, choose the first + * (highest priority) cipher the server sends, otherwise + * client preference has priority. + */ + if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) + { + prio = sk; + allow = cl; + } + else + { + prio = cl; + allow = sk; + } /* In theory we could have ciphers sent back that we * don't want to use but that does not matter since we * will check against the list we originally sent and * for performance reasons we should not bother to match * the two lists up just to check. */ - for (i=0; i<sk_SSL_CIPHER_num(cl); i++) + for (i=0; i<sk_SSL_CIPHER_num(prio); i++) { - if (sk_SSL_CIPHER_find(sk, - sk_SSL_CIPHER_value(cl,i)) >= 0) + if (sk_SSL_CIPHER_find(allow, + sk_SSL_CIPHER_value(prio,i)) >= 0) break; } - if (i >= sk_SSL_CIPHER_num(cl)) + if (i >= sk_SSL_CIPHER_num(prio)) { ssl2_return_error(s,SSL2_PE_NO_CIPHER); SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_NO_CIPHER_MATCH); return(-1); } - s->session->cipher=sk_SSL_CIPHER_value(cl,i); + s->session->cipher=sk_SSL_CIPHER_value(prio,i); if (s->session->peer != NULL) /* can't happen*/ { ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); - SSLerr(SSL_F_GET_SERVER_HELLO, SSL_R_INTERNAL_ERROR); + SSLerr(SSL_F_GET_SERVER_HELLO, ERR_R_INTERNAL_ERROR); return(-1); } @@ -513,7 +543,7 @@ static int get_server_hello(SSL *s) /* can't happen */ { ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); - SSLerr(SSL_F_GET_SERVER_HELLO, SSL_R_INTERNAL_ERROR); + SSLerr(SSL_F_GET_SERVER_HELLO, ERR_R_INTERNAL_ERROR); return(-1); } @@ -628,7 +658,7 @@ static int client_master_key(SSL *s) if (i > SSL_MAX_KEY_ARG_LENGTH) { ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); - SSLerr(SSL_F_CLIENT_MASTER_KEY, SSL_R_INTERNAL_ERROR); + SSLerr(SSL_F_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR); return -1; } if (i > 0) RAND_pseudo_bytes(sess->key_arg,i); @@ -641,7 +671,7 @@ static int client_master_key(SSL *s) if (i > sizeof sess->master_key) { ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); - SSLerr(SSL_F_CLIENT_MASTER_KEY, SSL_R_INTERNAL_ERROR); + SSLerr(SSL_F_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR); return -1; } if (RAND_bytes(sess->master_key,i) <= 0) @@ -690,7 +720,7 @@ static int client_master_key(SSL *s) if (karg > sizeof sess->key_arg) { ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); - SSLerr(SSL_F_CLIENT_MASTER_KEY, SSL_R_INTERNAL_ERROR); + SSLerr(SSL_F_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR); return -1; } memcpy(d,sess->key_arg,(unsigned int)karg); @@ -715,7 +745,7 @@ static int client_finished(SSL *s) *(p++)=SSL2_MT_CLIENT_FINISHED; if (s->s2->conn_id_length > sizeof s->s2->conn_id) { - SSLerr(SSL_F_CLIENT_FINISHED, SSL_R_INTERNAL_ERROR); + SSLerr(SSL_F_CLIENT_FINISHED, ERR_R_INTERNAL_ERROR); return -1; } memcpy(p,s->s2->conn_id,(unsigned int)s->s2->conn_id_length); @@ -745,10 +775,12 @@ static int client_certificate(SSL *s) if (s->state == SSL2_ST_SEND_CLIENT_CERTIFICATE_A) { i=ssl2_read(s,(char *)&(buf[s->init_num]), - SSL2_MAX_CERT_CHALLENGE_LENGTH+1-s->init_num); - if (i<(SSL2_MIN_CERT_CHALLENGE_LENGTH+1-s->init_num)) + SSL2_MAX_CERT_CHALLENGE_LENGTH+2-s->init_num); + if (i<(SSL2_MIN_CERT_CHALLENGE_LENGTH+2-s->init_num)) return(ssl2_part_read(s,SSL_F_CLIENT_CERTIFICATE,i)); s->init_num += i; + if (s->msg_callback) + s->msg_callback(0, s->version, 0, buf, (size_t)s->init_num, s, s->msg_callback_arg); /* REQUEST-CERTIFICATE */ /* type=buf[0]; */ /* type eq x509 */ @@ -841,9 +873,10 @@ static int client_certificate(SSL *s) /* ok, now we calculate the checksum * do it first so we can reuse buf :-) */ p=buf; - EVP_SignInit(&ctx,s->ctx->rsa_md5); + EVP_MD_CTX_init(&ctx); + EVP_SignInit_ex(&ctx,s->ctx->rsa_md5, NULL); EVP_SignUpdate(&ctx,s->s2->key_material, - (unsigned int)s->s2->key_material_length); + s->s2->key_material_length); EVP_SignUpdate(&ctx,cert_ch,(unsigned int)cert_ch_len); n=i2d_X509(s->session->sess_cert->peer_key->x509,&p); EVP_SignUpdate(&ctx,buf,(unsigned int)n); @@ -862,7 +895,7 @@ static int client_certificate(SSL *s) * We will continue with a 0 length signature */ } - memset(&ctx,0,sizeof(ctx)); + EVP_MD_CTX_cleanup(&ctx); s2n(n,p); d+=n; @@ -897,8 +930,12 @@ static int get_server_verify(SSL *s) SSL_R_READ_WRONG_PACKET_TYPE); } else - SSLerr(SSL_F_GET_SERVER_VERIFY, - SSL_R_PEER_ERROR); + { + SSLerr(SSL_F_GET_SERVER_VERIFY,SSL_R_PEER_ERROR); + /* try to read the error message */ + i=ssl2_read(s,(char *)&(p[s->init_num]),3-s->init_num); + return ssl2_part_read(s,SSL_F_GET_SERVER_VERIFY,i); + } return(-1); } } @@ -909,9 +946,11 @@ static int get_server_verify(SSL *s) i = ssl2_read(s,(char *)&(p[s->init_num]),n); if (i < n) return(ssl2_part_read(s,SSL_F_GET_SERVER_VERIFY,i)); + if (s->msg_callback) + s->msg_callback(0, s->version, 0, p, len, s, s->msg_callback_arg); /* SERVER-VERIFY */ p += 1; - if (memcmp(p,s->s2->challenge,(unsigned int)s->s2->challenge_length) != 0) + if (memcmp(p,s->s2->challenge,s->s2->challenge_length) != 0) { ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); SSLerr(SSL_F_GET_SERVER_VERIFY,SSL_R_CHALLENGE_IS_DIFFERENT); @@ -948,7 +987,12 @@ static int get_server_finished(SSL *s) SSLerr(SSL_F_GET_SERVER_FINISHED,SSL_R_READ_WRONG_PACKET_TYPE); } else + { SSLerr(SSL_F_GET_SERVER_FINISHED,SSL_R_PEER_ERROR); + /* try to read the error message */ + i=ssl2_read(s,(char *)&(p[s->init_num]),3-s->init_num); + return ssl2_part_read(s,SSL_F_GET_SERVER_VERIFY,i); + } return(-1); } s->state=SSL2_ST_GET_SERVER_FINISHED_B; @@ -960,6 +1004,8 @@ static int get_server_finished(SSL *s) if (i < n) /* XXX could be shorter than SSL2_SSL_SESSION_ID_LENGTH, that's the maximum */ return(ssl2_part_read(s,SSL_F_GET_SERVER_FINISHED,i)); s->init_num += i; + if (s->msg_callback) + s->msg_callback(0, s->version, 0, buf, (size_t)s->init_num, s, s->msg_callback_arg); /* SERVER-FINISHED */ if (!s->hit) /* new session */ { @@ -968,7 +1014,7 @@ static int get_server_finished(SSL *s) * or bad things can happen */ /* ZZZZZZZZZZZZZ */ s->session->session_id_length=SSL2_SSL_SESSION_ID_LENGTH; - memcpy(s->session->session_id,p,SSL2_SSL_SESSION_ID_LENGTH); + memcpy(s->session->session_id,p+1,SSL2_SSL_SESSION_ID_LENGTH); } else { @@ -1083,7 +1129,7 @@ end: EVP_PKEY_free(pkey); return(i); } -#else /* !NO_SSL2 */ +#else /* !OPENSSL_NO_SSL2 */ # if PEDANTIC static void *dummy=&dummy; diff --git a/crypto/openssl/ssl/s2_enc.c b/crypto/openssl/ssl/s2_enc.c index 8e5975c..d3b144f 100644 --- a/crypto/openssl/ssl/s2_enc.c +++ b/crypto/openssl/ssl/s2_enc.c @@ -57,8 +57,9 @@ */ #include "ssl_locl.h" -#ifndef NO_SSL2 +#ifndef OPENSSL_NO_SSL2 #include <stdio.h> +#include "cryptlib.h" int ssl2_enc_init(SSL *s, int client) { @@ -95,13 +96,15 @@ int ssl2_enc_init(SSL *s, int client) num=c->key_len; s->s2->key_material_length=num*2; + OPENSSL_assert(s->s2->key_material_length <= sizeof s->s2->key_material); if (ssl2_generate_key_material(s) <= 0) return 0; - EVP_EncryptInit(ws,c,&(s->s2->key_material[(client)?num:0]), + OPENSSL_assert(c->iv_len <= sizeof s->session->key_arg); + EVP_EncryptInit_ex(ws,c,NULL,&(s->s2->key_material[(client)?num:0]), s->session->key_arg); - EVP_DecryptInit(rs,c,&(s->s2->key_material[(client)?0:num]), + EVP_DecryptInit_ex(rs,c,NULL,&(s->s2->key_material[(client)?0:num]), s->session->key_arg); s->s2->read_key= &(s->s2->key_material[(client)?0:num]); s->s2->write_key= &(s->s2->key_material[(client)?num:0]); @@ -170,16 +173,17 @@ void ssl2_mac(SSL *s, unsigned char *md, int send) l2n(seq,p); /* There has to be a MAC algorithm. */ - EVP_DigestInit(&c,s->read_hash); + EVP_MD_CTX_init(&c); + EVP_DigestInit_ex(&c, s->read_hash, NULL); EVP_DigestUpdate(&c,sec, EVP_CIPHER_CTX_key_length(s->enc_read_ctx)); EVP_DigestUpdate(&c,act,len); /* the above line also does the pad data */ EVP_DigestUpdate(&c,sequence,4); - EVP_DigestFinal(&c,md,NULL); - /* some would say I should zero the md context */ + EVP_DigestFinal_ex(&c,md,NULL); + EVP_MD_CTX_cleanup(&c); } -#else /* !NO_SSL2 */ +#else /* !OPENSSL_NO_SSL2 */ # if PEDANTIC static void *dummy=&dummy; diff --git a/crypto/openssl/ssl/s2_lib.c b/crypto/openssl/ssl/s2_lib.c index 01d1e97..910b9fe 100644 --- a/crypto/openssl/ssl/s2_lib.c +++ b/crypto/openssl/ssl/s2_lib.c @@ -57,10 +57,11 @@ */ #include "ssl_locl.h" -#ifndef NO_SSL2 +#ifndef OPENSSL_NO_SSL2 #include <stdio.h> #include <openssl/rsa.h> #include <openssl/objects.h> +#include <openssl/evp.h> #include <openssl/md5.h> #include "cryptlib.h" @@ -307,7 +308,7 @@ void ssl2_free(SSL *s) s2=s->s2; if (s2->rbuf != NULL) OPENSSL_free(s2->rbuf); if (s2->wbuf != NULL) OPENSSL_free(s2->wbuf); - memset(s2,0,sizeof *s2); + OPENSSL_cleanse(s2,sizeof *s2); OPENSSL_free(s2); s->s2=NULL; } @@ -332,7 +333,7 @@ void ssl2_clear(SSL *s) s->packet_length=0; } -long ssl2_ctrl(SSL *s, int cmd, long larg, char *parg) +long ssl2_ctrl(SSL *s, int cmd, long larg, void *parg) { int ret=0; @@ -352,7 +353,7 @@ long ssl2_callback_ctrl(SSL *s, int cmd, void (*fp)()) return(0); } -long ssl2_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, char *parg) +long ssl2_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) { return(0); } @@ -376,15 +377,19 @@ SSL_CIPHER *ssl2_get_cipher_by_char(const unsigned char *p) { CRYPTO_w_lock(CRYPTO_LOCK_SSL); - for (i=0; i<SSL2_NUM_CIPHERS; i++) - sorted[i]= &(ssl2_ciphers[i]); + if (init) + { + for (i=0; i<SSL2_NUM_CIPHERS; i++) + sorted[i]= &(ssl2_ciphers[i]); - qsort( (char *)sorted, - SSL2_NUM_CIPHERS,sizeof(SSL_CIPHER *), - FP_ICC ssl_cipher_ptr_id_cmp); + qsort((char *)sorted, + SSL2_NUM_CIPHERS,sizeof(SSL_CIPHER *), + FP_ICC ssl_cipher_ptr_id_cmp); + init=0; + } + CRYPTO_w_unlock(CRYPTO_LOCK_SSL); - init=0; } id=0x02000000L|((unsigned long)p[0]<<16L)| @@ -418,43 +423,50 @@ int ssl2_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p) int ssl2_generate_key_material(SSL *s) { unsigned int i; - MD5_CTX ctx; + EVP_MD_CTX ctx; unsigned char *km; unsigned char c='0'; + const EVP_MD *md5; + + md5 = EVP_md5(); #ifdef CHARSET_EBCDIC c = os_toascii['0']; /* Must be an ASCII '0', not EBCDIC '0', see SSLv2 docu */ #endif - + EVP_MD_CTX_init(&ctx); km=s->s2->key_material; - if (s->session->master_key_length < 0 || s->session->master_key_length > sizeof s->session->master_key) - { - SSLerr(SSL_F_SSL2_GENERATE_KEY_MATERIAL, SSL_R_INTERNAL_ERROR); - return 0; - } + if (s->session->master_key_length < 0 || s->session->master_key_length > sizeof s->session->master_key) + { + SSLerr(SSL_F_SSL2_GENERATE_KEY_MATERIAL, ERR_R_INTERNAL_ERROR); + return 0; + } - for (i=0; i<s->s2->key_material_length; i+=MD5_DIGEST_LENGTH) + for (i=0; i<s->s2->key_material_length; i += EVP_MD_size(md5)) { - if (((km - s->s2->key_material) + MD5_DIGEST_LENGTH) > sizeof s->s2->key_material) + if (((km - s->s2->key_material) + EVP_MD_size(md5)) > sizeof s->s2->key_material) { - /* MD5_Final() below would write beyond buffer */ - SSLerr(SSL_F_SSL2_GENERATE_KEY_MATERIAL, SSL_R_INTERNAL_ERROR); + /* EVP_DigestFinal_ex() below would write beyond buffer */ + SSLerr(SSL_F_SSL2_GENERATE_KEY_MATERIAL, ERR_R_INTERNAL_ERROR); return 0; } - MD5_Init(&ctx); + EVP_DigestInit_ex(&ctx, md5, NULL); - MD5_Update(&ctx,s->session->master_key,s->session->master_key_length); - MD5_Update(&ctx,&c,1); + OPENSSL_assert(s->session->master_key_length >= 0 + && s->session->master_key_length + < sizeof s->session->master_key); + EVP_DigestUpdate(&ctx,s->session->master_key,s->session->master_key_length); + EVP_DigestUpdate(&ctx,&c,1); c++; - MD5_Update(&ctx,s->s2->challenge,s->s2->challenge_length); - MD5_Update(&ctx,s->s2->conn_id,s->s2->conn_id_length); - MD5_Final(km,&ctx); - km+=MD5_DIGEST_LENGTH; + EVP_DigestUpdate(&ctx,s->s2->challenge,s->s2->challenge_length); + EVP_DigestUpdate(&ctx,s->s2->conn_id,s->s2->conn_id_length); + EVP_DigestFinal_ex(&ctx,km,NULL); + km += EVP_MD_size(md5); } + EVP_MD_CTX_cleanup(&ctx); return 1; } @@ -483,17 +495,21 @@ void ssl2_write_error(SSL *s) error=s->error; /* number of bytes left to write */ s->error=0; - if (error < 0 || error > sizeof buf) /* can't happen */ - return; - + OPENSSL_assert(error >= 0 && error <= sizeof buf); i=ssl2_write(s,&(buf[3-error]),error); /* if (i == error) s->rwstate=state; */ if (i < 0) s->error=error; - else if (i != s->error) + else + { s->error=error-i; + + if (s->error == 0) + if (s->msg_callback) + s->msg_callback(1, s->version, 0, buf, 3, s, s->msg_callback_arg); /* ERROR */ + } } int ssl2_shutdown(SSL *s) @@ -501,7 +517,7 @@ int ssl2_shutdown(SSL *s) s->shutdown=(SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); return(1); } -#else /* !NO_SSL2 */ +#else /* !OPENSSL_NO_SSL2 */ # if PEDANTIC static void *dummy=&dummy; diff --git a/crypto/openssl/ssl/s2_meth.c b/crypto/openssl/ssl/s2_meth.c index deb9e1d..8b6cbd0 100644 --- a/crypto/openssl/ssl/s2_meth.c +++ b/crypto/openssl/ssl/s2_meth.c @@ -57,7 +57,7 @@ */ #include "ssl_locl.h" -#ifndef NO_SSL2 +#ifndef OPENSSL_NO_SSL2 #include <stdio.h> #include <openssl/objects.h> @@ -77,16 +77,23 @@ SSL_METHOD *SSLv2_method(void) if (init) { - memcpy((char *)&SSLv2_data,(char *)sslv2_base_method(), - sizeof(SSL_METHOD)); - SSLv2_data.ssl_connect=ssl2_connect; - SSLv2_data.ssl_accept=ssl2_accept; - SSLv2_data.get_ssl_method=ssl2_get_method; - init=0; + CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD); + + if (init) + { + memcpy((char *)&SSLv2_data,(char *)sslv2_base_method(), + sizeof(SSL_METHOD)); + SSLv2_data.ssl_connect=ssl2_connect; + SSLv2_data.ssl_accept=ssl2_accept; + SSLv2_data.get_ssl_method=ssl2_get_method; + init=0; + } + + CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD); } return(&SSLv2_data); } -#else /* !NO_SSL2 */ +#else /* !OPENSSL_NO_SSL2 */ # if PEDANTIC static void *dummy=&dummy; diff --git a/crypto/openssl/ssl/s2_pkt.c b/crypto/openssl/ssl/s2_pkt.c index 3cd7597..d82f137 100644 --- a/crypto/openssl/ssl/s2_pkt.c +++ b/crypto/openssl/ssl/s2_pkt.c @@ -110,9 +110,10 @@ */ #include "ssl_locl.h" -#ifndef NO_SSL2 +#ifndef OPENSSL_NO_SSL2 #include <stdio.h> #include <errno.h> +#include "cryptlib.h" #define USE_SOCKETS static int read_n(SSL *s,unsigned int n,unsigned int max,unsigned int extend); @@ -247,6 +248,7 @@ static int ssl2_read_internal(SSL *s, void *buf, int len, int peek) else { mac_size=EVP_MD_size(s->read_hash); + OPENSSL_assert(mac_size <= MAX_MAC_SIZE); s->s2->mac_data=p; s->s2->ract_data= &p[mac_size]; if (s->s2->padding + mac_size > s->s2->rlength) @@ -692,6 +694,8 @@ int ssl2_do_write(SSL *s) ret=ssl2_write(s,&s->init_buf->data[s->init_off],s->init_num); if (ret == s->init_num) { + if (s->msg_callback) + s->msg_callback(1, s->version, 0, s->init_buf->data, (size_t)(s->init_off + s->init_num), s, s->msg_callback_arg); return(1); } if (ret < 0) @@ -725,7 +729,7 @@ static int ssl_mt_error(int n) } return(ret); } -#else /* !NO_SSL2 */ +#else /* !OPENSSL_NO_SSL2 */ # if PEDANTIC static void *dummy=&dummy; diff --git a/crypto/openssl/ssl/s2_srvr.c b/crypto/openssl/ssl/s2_srvr.c index d736f68..62859a2 100644 --- a/crypto/openssl/ssl/s2_srvr.c +++ b/crypto/openssl/ssl/s2_srvr.c @@ -110,7 +110,7 @@ */ #include "ssl_locl.h" -#ifndef NO_SSL2 +#ifndef OPENSSL_NO_SSL2 #include <stdio.h> #include <openssl/bio.h> #include <openssl/rand.h> @@ -145,11 +145,18 @@ SSL_METHOD *SSLv2_server_method(void) if (init) { - memcpy((char *)&SSLv2_server_data,(char *)sslv2_base_method(), - sizeof(SSL_METHOD)); - SSLv2_server_data.ssl_accept=ssl2_accept; - SSLv2_server_data.get_ssl_method=ssl2_get_server_method; - init=0; + CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD); + + if (init) + { + memcpy((char *)&SSLv2_server_data,(char *)sslv2_base_method(), + sizeof(SSL_METHOD)); + SSLv2_server_data.ssl_accept=ssl2_accept; + SSLv2_server_data.get_ssl_method=ssl2_get_server_method; + init=0; + } + + CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD); } return(&SSLv2_server_data); } @@ -160,7 +167,7 @@ int ssl2_accept(SSL *s) BUF_MEM *buf=NULL; int ret= -1; long num1; - void (*cb)()=NULL; + void (*cb)(const SSL *ssl,int type,int val)=NULL; int new_state,state; RAND_add(&l,sizeof(l),0); @@ -430,7 +437,7 @@ static int get_client_master_key(SSL *s) if (s->init_buf->length < SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) { ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); - SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_INTERNAL_ERROR); + SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR); return -1; } keya=s->session->key_arg_length; @@ -444,6 +451,8 @@ static int get_client_master_key(SSL *s) n = (int)len - s->init_num; i = ssl2_read(s,(char *)&(p[s->init_num]),n); if (i != n) return(ssl2_part_read(s,SSL_F_GET_CLIENT_MASTER_KEY,i)); + if (s->msg_callback) + s->msg_callback(0, s->version, 0, p, (size_t)len, s, s->msg_callback_arg); /* CLIENT-MASTER-KEY */ p += 10; memcpy(s->session->key_arg,&(p[s->s2->tmp.clear+s->s2->tmp.enc]), @@ -518,7 +527,7 @@ static int get_client_master_key(SSL *s) if (i > SSL_MAX_MASTER_KEY_LENGTH) { ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); - SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_INTERNAL_ERROR); + SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR); return -1; } s->session->master_key_length=i; @@ -533,6 +542,7 @@ static int get_client_hello(SSL *s) unsigned char *p; STACK_OF(SSL_CIPHER) *cs; /* a stack of SSL_CIPHERS */ STACK_OF(SSL_CIPHER) *cl; /* the ones we want to use */ + STACK_OF(SSL_CIPHER) *prio, *allow; int z; /* This is a bit of a hack to check for the correct packet @@ -589,6 +599,8 @@ static int get_client_hello(SSL *s) n = (int)len - s->init_num; i = ssl2_read(s,(char *)&(p[s->init_num]),n); if (i != n) return(ssl2_part_read(s,SSL_F_GET_CLIENT_HELLO,i)); + if (s->msg_callback) + s->msg_callback(0, s->version, 0, p, (size_t)len, s, s->msg_callback_arg); /* CLIENT-HELLO */ p += 9; /* get session-id before cipher stuff so we can get out session @@ -646,21 +658,37 @@ static int get_client_hello(SSL *s) &s->session->ciphers); if (cs == NULL) goto mem_err; - cl=ssl_get_ciphers_by_id(s); + cl=SSL_get_ciphers(s); - for (z=0; z<sk_SSL_CIPHER_num(cs); z++) + if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) + { + prio=sk_SSL_CIPHER_dup(cl); + if (prio == NULL) goto mem_err; + allow = cs; + } + else + { + prio = cs; + allow = cl; + } + for (z=0; z<sk_SSL_CIPHER_num(prio); z++) { - if (sk_SSL_CIPHER_find(cl,sk_SSL_CIPHER_value(cs,z)) < 0) + if (sk_SSL_CIPHER_find(allow,sk_SSL_CIPHER_value(prio,z)) < 0) { - sk_SSL_CIPHER_delete(cs,z); + sk_SSL_CIPHER_delete(prio,z); z--; } } - + if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) + { + sk_SSL_CIPHER_free(s->session->ciphers); + s->session->ciphers = prio; + } /* s->session->ciphers should now have a list of * ciphers that are on both the client and server. * This list is ordered by the order the client sent - * the ciphers. + * the ciphers or in the order of the server's preference + * if SSL_OP_CIPHER_SERVER_PREFERENCE was set. */ } p+=s->s2->tmp.cipher_spec_length; @@ -673,7 +701,7 @@ static int get_client_hello(SSL *s) if (s->s2->challenge_length > sizeof s->s2->challenge) { ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); - SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_INTERNAL_ERROR); + SSLerr(SSL_F_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); return -1; } memcpy(s->s2->challenge,p,(unsigned int)s->s2->challenge_length); @@ -820,7 +848,12 @@ static int get_client_finished(SSL *s) SSLerr(SSL_F_GET_CLIENT_FINISHED,SSL_R_READ_WRONG_PACKET_TYPE); } else + { SSLerr(SSL_F_GET_CLIENT_FINISHED,SSL_R_PEER_ERROR); + /* try to read the error message */ + i=ssl2_read(s,(char *)&(p[s->init_num]),3-s->init_num); + return ssl2_part_read(s,SSL_F_GET_SERVER_VERIFY,i); + } return(-1); } s->state=SSL2_ST_GET_CLIENT_FINISHED_B; @@ -830,7 +863,7 @@ static int get_client_finished(SSL *s) if (s->s2->conn_id_length > sizeof s->s2->conn_id) { ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); - SSLerr(SSL_F_GET_CLIENT_FINISHED, SSL_R_INTERNAL_ERROR); + SSLerr(SSL_F_GET_CLIENT_FINISHED, ERR_R_INTERNAL_ERROR); return -1; } len = 1 + (unsigned long)s->s2->conn_id_length; @@ -840,8 +873,10 @@ static int get_client_finished(SSL *s) { return(ssl2_part_read(s,SSL_F_GET_CLIENT_FINISHED,i)); } + if (s->msg_callback) + s->msg_callback(0, s->version, 0, p, len, s, s->msg_callback_arg); /* CLIENT-FINISHED */ p += 1; - if (memcmp(p,s->s2->conn_id,(unsigned int)s->s2->conn_id_length) != 0) + if (memcmp(p,s->s2->conn_id,s->s2->conn_id_length) != 0) { ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); SSLerr(SSL_F_GET_CLIENT_FINISHED,SSL_R_CONNECTION_ID_IS_DIFFERENT); @@ -860,7 +895,7 @@ static int server_verify(SSL *s) *(p++)=SSL2_MT_SERVER_VERIFY; if (s->s2->challenge_length > sizeof s->s2->challenge) { - SSLerr(SSL_F_SERVER_VERIFY, SSL_R_INTERNAL_ERROR); + SSLerr(SSL_F_SERVER_VERIFY, ERR_R_INTERNAL_ERROR); return -1; } memcpy(p,s->s2->challenge,(unsigned int)s->s2->challenge_length); @@ -884,7 +919,7 @@ static int server_finish(SSL *s) if (s->session->session_id_length > sizeof s->session->session_id) { - SSLerr(SSL_F_SERVER_FINISH, SSL_R_INTERNAL_ERROR); + SSLerr(SSL_F_SERVER_FINISH, ERR_R_INTERNAL_ERROR); return -1; } memcpy(p,s->session->session_id, (unsigned int)s->session->session_id_length); @@ -959,6 +994,9 @@ static int request_certificate(SSL *s) goto end; } + if (s->msg_callback) + s->msg_callback(0, s->version, 0, p, 3, s, s->msg_callback_arg); /* ERROR */ + /* this is the one place where we can recover from an SSL 2.0 error */ if (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) @@ -978,7 +1016,7 @@ static int request_certificate(SSL *s) } if (s->init_num != 6) { - SSLerr(SSL_F_REQUEST_CERTIFICATE, SSL_R_INTERNAL_ERROR); + SSLerr(SSL_F_REQUEST_CERTIFICATE, ERR_R_INTERNAL_ERROR); goto end; } @@ -1001,7 +1039,7 @@ static int request_certificate(SSL *s) len = 6 + (unsigned long)s->s2->tmp.clen + (unsigned long)s->s2->tmp.rlen; if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) { - SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_MESSAGE_TOO_LONG); + SSLerr(SSL_F_REQUEST_CERTIFICATE,SSL_R_MESSAGE_TOO_LONG); goto end; } j = (int)len - s->init_num; @@ -1011,6 +1049,8 @@ static int request_certificate(SSL *s) ret=ssl2_part_read(s,SSL_F_REQUEST_CERTIFICATE,i); goto end; } + if (s->msg_callback) + s->msg_callback(0, s->version, 0, p, len, s, s->msg_callback_arg); /* CLIENT-CERTIFICATE */ p += 6; x509=(X509 *)d2i_X509(NULL,&p,(long)s->s2->tmp.clen); @@ -1033,9 +1073,10 @@ static int request_certificate(SSL *s) EVP_MD_CTX ctx; EVP_PKEY *pkey=NULL; - EVP_VerifyInit(&ctx,s->ctx->rsa_md5); + EVP_MD_CTX_init(&ctx); + EVP_VerifyInit_ex(&ctx,s->ctx->rsa_md5, NULL); EVP_VerifyUpdate(&ctx,s->s2->key_material, - (unsigned int)s->s2->key_material_length); + s->s2->key_material_length); EVP_VerifyUpdate(&ctx,ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH); i=i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509,NULL); @@ -1054,7 +1095,7 @@ static int request_certificate(SSL *s) if (pkey == NULL) goto end; i=EVP_VerifyFinal(&ctx,p,s->s2->tmp.rlen,pkey); EVP_PKEY_free(pkey); - memset(&ctx,0,sizeof(ctx)); + EVP_MD_CTX_cleanup(&ctx); if (i) { @@ -1107,7 +1148,7 @@ static int ssl_rsa_private_decrypt(CERT *c, int len, unsigned char *from, SSLerr(SSL_F_SSL_RSA_PRIVATE_DECRYPT,ERR_R_RSA_LIB); return(i); } -#else /* !NO_SSL2 */ +#else /* !OPENSSL_NO_SSL2 */ # if PEDANTIC static void *dummy=&dummy; diff --git a/crypto/openssl/ssl/s3_both.c b/crypto/openssl/ssl/s3_both.c index beb5628..38a7152 100644 --- a/crypto/openssl/ssl/s3_both.c +++ b/crypto/openssl/ssl/s3_both.c @@ -109,16 +109,17 @@ * */ +#include <limits.h> #include <string.h> #include <stdio.h> +#include "ssl_locl.h" #include <openssl/buffer.h> #include <openssl/rand.h> #include <openssl/objects.h> #include <openssl/evp.h> #include <openssl/x509.h> -#include "ssl_locl.h" -/* send s->init_buf in records of type 'type' */ +/* send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or SSL3_RT_CHANGE_CIPHER_SPEC) */ int ssl3_do_write(SSL *s, int type) { int ret; @@ -132,7 +133,11 @@ int ssl3_do_write(SSL *s, int type) ssl3_finish_mac(s,(unsigned char *)&s->init_buf->data[s->init_off],ret); if (ret == s->init_num) + { + if (s->msg_callback) + s->msg_callback(1, s->version, type, s->init_buf->data, (size_t)(s->init_off + s->init_num), s, s->msg_callback_arg); return(1); + } s->init_off+=ret; s->init_num-=ret; return(0); @@ -158,7 +163,7 @@ int ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen) p+=i; l=i; -#ifdef WIN16 +#ifdef OPENSSL_SYS_WIN16 /* MSVC 1.5 does not clear the top bytes of the word unless * I do this. */ @@ -205,7 +210,7 @@ int ssl3_get_finished(SSL *s, int a, int b) } s->s3->change_cipher_spec=0; - p = (unsigned char *)s->init_buf->data; + p = (unsigned char *)s->init_msg; i = s->s3->tmp.peer_finish_md_len; if (i != n) @@ -265,19 +270,23 @@ unsigned long ssl3_output_cert_chain(SSL *s, X509 *x) /* TLSv1 sends a chain with nothing in it, instead of an alert */ buf=s->init_buf; - if (!BUF_MEM_grow(buf,(int)(10))) + if (!BUF_MEM_grow_clean(buf,10)) { SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_BUF_LIB); return(0); } if (x != NULL) { - X509_STORE_CTX_init(&xs_ctx,s->ctx->cert_store,NULL,NULL); + if(!X509_STORE_CTX_init(&xs_ctx,s->ctx->cert_store,NULL,NULL)) + { + SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_X509_LIB); + return(0); + } for (;;) { n=i2d_X509(x,NULL); - if (!BUF_MEM_grow(buf,(int)(n+l+3))) + if (!BUF_MEM_grow_clean(buf,(int)(n+l+3))) { SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_BUF_LIB); return(0); @@ -307,7 +316,7 @@ unsigned long ssl3_output_cert_chain(SSL *s, X509 *x) { x=sk_X509_value(s->ctx->extra_certs,i); n=i2d_X509(x,NULL); - if (!BUF_MEM_grow(buf,(int)(n+l+3))) + if (!BUF_MEM_grow_clean(buf,(int)(n+l+3))) { SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_BUF_LIB); return(0); @@ -351,7 +360,9 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) goto f_err; } *ok=1; - return((int)s->s3->tmp.message_size); + s->init_msg = s->init_buf->data + 4; + s->init_num = (int)s->s3->tmp.message_size; + return s->init_num; } p=(unsigned char *)s->init_buf->data; @@ -386,8 +397,10 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) { s->init_num = 0; skip_message = 1; + + if (s->msg_callback) + s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, p, 4, s, s->msg_callback_arg); } - } while (skip_message); @@ -411,8 +424,6 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) ssl3_init_finished_mac(s); } - ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, 4); - s->s3->tmp.message_type= *(p++); n2l3(p,l); @@ -422,7 +433,13 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) SSLerr(SSL_F_SSL3_GET_MESSAGE,SSL_R_EXCESSIVE_MESSAGE_SIZE); goto f_err; } - if (l && !BUF_MEM_grow(s->init_buf,(int)l)) + if (l > (INT_MAX-4)) /* BUF_MEM_grow takes an 'int' parameter */ + { + al=SSL_AD_ILLEGAL_PARAMETER; + SSLerr(SSL_F_SSL3_GET_MESSAGE,SSL_R_EXCESSIVE_MESSAGE_SIZE); + goto f_err; + } + if (l && !BUF_MEM_grow_clean(s->init_buf,(int)l+4)) { SSLerr(SSL_F_SSL3_GET_MESSAGE,ERR_R_BUF_LIB); goto err; @@ -430,13 +447,13 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) s->s3->tmp.message_size=l; s->state=stn; - s->init_num=0; + s->init_msg = s->init_buf->data + 4; + s->init_num = 0; } /* next state (stn) */ - p=(unsigned char *)s->init_buf->data; - n=s->s3->tmp.message_size; - n -= s->init_num; + p = s->init_msg; + n = s->s3->tmp.message_size - s->init_num; while (n > 0) { i=ssl3_read_bytes(s,SSL3_RT_HANDSHAKE,&p[s->init_num],n,0); @@ -449,7 +466,9 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) s->init_num += i; n -= i; } - ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, s->init_num); + ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, s->init_num + 4); + if (s->msg_callback) + s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data, (size_t)s->init_num + 4, s, s->msg_callback_arg); *ok=1; return s->init_num; f_err: @@ -517,6 +536,7 @@ int ssl_verify_alarm_type(long type) { case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: case X509_V_ERR_UNABLE_TO_GET_CRL: + case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER: al=SSL_AD_UNKNOWN_CA; break; case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: @@ -584,7 +604,7 @@ int ssl3_setup_buffers(SSL *s) if ((p=OPENSSL_malloc(len)) == NULL) goto err; s->s3->rbuf.buf = p; - s->s3->rbuf_len = len; + s->s3->rbuf.len = len; } if (s->s3->wbuf.buf == NULL) @@ -594,7 +614,7 @@ int ssl3_setup_buffers(SSL *s) if ((p=OPENSSL_malloc(len)) == NULL) goto err; s->s3->wbuf.buf = p; - s->s3->wbuf_len = len; + s->s3->wbuf.len = len; } s->packet= &(s->s3->rbuf.buf[0]); return(1); diff --git a/crypto/openssl/ssl/s3_clnt.c b/crypto/openssl/ssl/s3_clnt.c index 32b9cea..fae8ead 100644 --- a/crypto/openssl/ssl/s3_clnt.c +++ b/crypto/openssl/ssl/s3_clnt.c @@ -110,13 +110,13 @@ */ #include <stdio.h> +#include "ssl_locl.h" +#include "kssl_lcl.h" #include <openssl/buffer.h> #include <openssl/rand.h> #include <openssl/objects.h> -#include <openssl/md5.h> -#include <openssl/sha.h> #include <openssl/evp.h> -#include "ssl_locl.h" +#include <openssl/md5.h> #include "cryptlib.h" static SSL_METHOD *ssl3_get_client_method(int ver); @@ -146,21 +146,28 @@ SSL_METHOD *SSLv3_client_method(void) if (init) { - init=0; - memcpy((char *)&SSLv3_client_data,(char *)sslv3_base_method(), - sizeof(SSL_METHOD)); - SSLv3_client_data.ssl_connect=ssl3_connect; - SSLv3_client_data.get_ssl_method=ssl3_get_client_method; + CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD); + + if (init) + { + memcpy((char *)&SSLv3_client_data,(char *)sslv3_base_method(), + sizeof(SSL_METHOD)); + SSLv3_client_data.ssl_connect=ssl3_connect; + SSLv3_client_data.get_ssl_method=ssl3_get_client_method; + init=0; + } + + CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD); } return(&SSLv3_client_data); } int ssl3_connect(SSL *s) { - BUF_MEM *buf; + BUF_MEM *buf=NULL; unsigned long Time=time(NULL),l; long num1; - void (*cb)()=NULL; + void (*cb)(const SSL *ssl,int type,int val)=NULL; int ret= -1; int new_state,state,skip=0;; @@ -197,7 +204,7 @@ int ssl3_connect(SSL *s) if ((s->version & 0xff00 ) != 0x0300) { - SSLerr(SSL_F_SSL3_CONNECT, SSL_R_INTERNAL_ERROR); + SSLerr(SSL_F_SSL3_CONNECT, ERR_R_INTERNAL_ERROR); ret = -1; goto end; } @@ -218,6 +225,7 @@ int ssl3_connect(SSL *s) goto end; } s->init_buf=buf; + buf=NULL; } if (!ssl3_setup_buffers(s)) { ret= -1; goto end; } @@ -496,6 +504,8 @@ int ssl3_connect(SSL *s) } end: s->in_handshake--; + if (buf != NULL) + BUF_MEM_free(buf); if (cb != NULL) cb(s,SSL_CB_CONNECT_EXIT,ret); return(ret); @@ -548,7 +558,7 @@ static int ssl3_client_hello(SSL *s) { if (i > sizeof s->session->session_id) { - SSLerr(SSL_F_SSL3_CLIENT_HELLO, SSL_R_INTERNAL_ERROR); + SSLerr(SSL_F_SSL3_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); goto err; } memcpy(p,s->session->session_id,i); @@ -613,7 +623,7 @@ static int ssl3_get_server_hello(SSL *s) &ok); if (!ok) return((int)n); - d=p=(unsigned char *)s->init_buf->data; + d=p=(unsigned char *)s->init_msg; if ((p[0] != (s->version>>8)) || (p[1] != (s->version&0xff))) { @@ -632,30 +642,20 @@ static int ssl3_get_server_hello(SSL *s) /* get the session-id */ j= *(p++); - if(j > sizeof s->session->session_id) - { - al=SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, - SSL_R_SSL3_SESSION_ID_TOO_LONG); - goto f_err; - } - - if ((j != 0) && (j != SSL3_SESSION_ID_SIZE)) + if ((j > sizeof s->session->session_id) || (j > SSL3_SESSION_ID_SIZE)) { - /* SSLref returns 16 :-( */ - if (j < SSL2_SSL_SESSION_ID_LENGTH) - { - al=SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_SHORT); - goto f_err; - } + al=SSL_AD_ILLEGAL_PARAMETER; + SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_LONG); + goto f_err; } + if (j != 0 && j == s->session->session_id_length && memcmp(p,s->session->session_id,j) == 0) { if(s->sid_ctx_length != s->session->sid_ctx_length || memcmp(s->session->sid_ctx,s->sid_ctx,s->sid_ctx_length)) { + /* actually a client application bug */ al=SSL_AD_ILLEGAL_PARAMETER; SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); goto f_err; @@ -699,7 +699,12 @@ static int ssl3_get_server_hello(SSL *s) goto f_err; } - if (s->hit && (s->session->cipher != c)) + /* Depending on the session caching (internal/external), the cipher + and/or cipher_id values may not be set. Make sure that + cipher_id is set and use it for comparison. */ + if (s->session->cipher) + s->session->cipher_id = s->session->cipher->id; + if (s->hit && (s->session->cipher_id != c->id)) { if (!(s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)) @@ -754,16 +759,13 @@ static int ssl3_get_server_certificate(SSL *s) STACK_OF(X509) *sk=NULL; SESS_CERT *sc; EVP_PKEY *pkey=NULL; + int need_cert = 1; /* VRS: 0=> will allow null cert if auth == KRB5 */ n=ssl3_get_message(s, SSL3_ST_CR_CERT_A, SSL3_ST_CR_CERT_B, -1, -#if defined(MSDOS) && !defined(WIN32) - 1024*30, /* 30k max cert list :-) */ -#else - 1024*100, /* 100k max cert list :-) */ -#endif + s->max_cert_list, &ok); if (!ok) return((int)n); @@ -780,7 +782,7 @@ static int ssl3_get_server_certificate(SSL *s) SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_BAD_MESSAGE_TYPE); goto f_err; } - d=p=(unsigned char *)s->init_buf->data; + d=p=(unsigned char *)s->init_msg; if ((sk=sk_X509_new_null()) == NULL) { @@ -830,7 +832,12 @@ static int ssl3_get_server_certificate(SSL *s) } i=ssl_verify_cert_chain(s,sk); - if ((s->verify_mode != SSL_VERIFY_NONE) && (!i)) + if ((s->verify_mode != SSL_VERIFY_NONE) && (!i) +#ifndef OPENSSL_NO_KRB5 + && (s->s3->tmp.new_cipher->algorithms & (SSL_MKEY_MASK|SSL_AUTH_MASK)) + != (SSL_aKRB5|SSL_kKRB5) +#endif /* OPENSSL_NO_KRB5 */ + ) { al=ssl_verify_alarm_type(s->verify_result); SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED); @@ -849,39 +856,66 @@ static int ssl3_get_server_certificate(SSL *s) * certificate, which we don't include in s3_srvr.c */ x=sk_X509_value(sk,0); sk=NULL; + /* VRS 19990621: possible memory leak; sk=null ==> !sk_pop_free() @end*/ pkey=X509_get_pubkey(x); - if ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey)) + /* VRS: allow null cert if auth == KRB5 */ + need_cert = ((s->s3->tmp.new_cipher->algorithms + & (SSL_MKEY_MASK|SSL_AUTH_MASK)) + == (SSL_aKRB5|SSL_kKRB5))? 0: 1; + +#ifdef KSSL_DEBUG + printf("pkey,x = %p, %p\n", pkey,x); + printf("ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x,pkey)); + printf("cipher, alg, nc = %s, %lx, %d\n", s->s3->tmp.new_cipher->name, + s->s3->tmp.new_cipher->algorithms, need_cert); +#endif /* KSSL_DEBUG */ + + if (need_cert && ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey))) { x=NULL; al=SSL3_AL_FATAL; - SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS); + SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, + SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS); goto f_err; } i=ssl_cert_type(x,pkey); - if (i < 0) + if (need_cert && i < 0) { x=NULL; al=SSL3_AL_FATAL; - SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_UNKNOWN_CERTIFICATE_TYPE); + SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, + SSL_R_UNKNOWN_CERTIFICATE_TYPE); goto f_err; } - sc->peer_cert_type=i; - CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509); - if (sc->peer_pkeys[i].x509 != NULL) /* Why would this ever happen? - * We just created sc a couple of - * lines ago. */ - X509_free(sc->peer_pkeys[i].x509); - sc->peer_pkeys[i].x509=x; - sc->peer_key= &(sc->peer_pkeys[i]); - - if (s->session->peer != NULL) - X509_free(s->session->peer); - CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509); - s->session->peer=x; + if (need_cert) + { + sc->peer_cert_type=i; + CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509); + /* Why would the following ever happen? + * We just created sc a couple of lines ago. */ + if (sc->peer_pkeys[i].x509 != NULL) + X509_free(sc->peer_pkeys[i].x509); + sc->peer_pkeys[i].x509=x; + sc->peer_key= &(sc->peer_pkeys[i]); + + if (s->session->peer != NULL) + X509_free(s->session->peer); + CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509); + s->session->peer=x; + } + else + { + sc->peer_cert_type=i; + sc->peer_key= NULL; + + if (s->session->peer != NULL) + X509_free(s->session->peer); + s->session->peer=NULL; + } s->session->verify_result = s->verify_result; x=NULL; @@ -901,7 +935,7 @@ err: static int ssl3_get_key_exchange(SSL *s) { -#ifndef NO_RSA +#ifndef OPENSSL_NO_RSA unsigned char *q,md_buf[EVP_MAX_MD_SIZE*2]; #endif EVP_MD_CTX md_ctx; @@ -909,10 +943,10 @@ static int ssl3_get_key_exchange(SSL *s) int al,i,j,param_len,ok; long n,alg; EVP_PKEY *pkey=NULL; -#ifndef NO_RSA +#ifndef OPENSSL_NO_RSA RSA *rsa=NULL; #endif -#ifndef NO_DH +#ifndef OPENSSL_NO_DH DH *dh=NULL; #endif @@ -922,11 +956,7 @@ static int ssl3_get_key_exchange(SSL *s) SSL3_ST_CR_KEY_EXCH_A, SSL3_ST_CR_KEY_EXCH_B, -1, -#if defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN32) - 1024*30, /* 30k max cert list :-) */ -#else - 1024*100, /* 100k max cert list :-) */ -#endif + s->max_cert_list, &ok); if (!ok) return((int)n); @@ -937,18 +967,18 @@ static int ssl3_get_key_exchange(SSL *s) return(1); } - param=p=(unsigned char *)s->init_buf->data; + param=p=(unsigned char *)s->init_msg; if (s->session->sess_cert != NULL) { -#ifndef NO_RSA +#ifndef OPENSSL_NO_RSA if (s->session->sess_cert->peer_rsa_tmp != NULL) { RSA_free(s->session->sess_cert->peer_rsa_tmp); s->session->sess_cert->peer_rsa_tmp=NULL; } #endif -#ifndef NO_DH +#ifndef OPENSSL_NO_DH if (s->session->sess_cert->peer_dh_tmp) { DH_free(s->session->sess_cert->peer_dh_tmp); @@ -963,8 +993,9 @@ static int ssl3_get_key_exchange(SSL *s) param_len=0; alg=s->s3->tmp.new_cipher->algorithms; + EVP_MD_CTX_init(&md_ctx); -#ifndef NO_RSA +#ifndef OPENSSL_NO_RSA if (alg & SSL_kRSA) { if ((rsa=RSA_new()) == NULL) @@ -1008,17 +1039,17 @@ static int ssl3_get_key_exchange(SSL *s) pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); else { - SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_INTERNAL_ERROR); + SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); goto err; } s->session->sess_cert->peer_rsa_tmp=rsa; rsa=NULL; } -#else /* NO_RSA */ +#else /* OPENSSL_NO_RSA */ if (0) ; #endif -#ifndef NO_DH +#ifndef OPENSSL_NO_DH else if (alg & SSL_kEDH) { if ((dh=DH_new()) == NULL) @@ -1072,14 +1103,14 @@ static int ssl3_get_key_exchange(SSL *s) p+=i; n-=param_len; -#ifndef NO_RSA +#ifndef OPENSSL_NO_RSA if (alg & SSL_aRSA) pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); #else if (0) ; #endif -#ifndef NO_DSA +#ifndef OPENSSL_NO_DSA else if (alg & SSL_aDSS) pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_DSA_SIGN].x509); #endif @@ -1094,7 +1125,7 @@ static int ssl3_get_key_exchange(SSL *s) SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER); goto f_err; } -#endif /* !NO_DH */ +#endif /* !OPENSSL_NO_DH */ if (alg & SSL_aFZA) { al=SSL_AD_HANDSHAKE_FAILURE; @@ -1121,7 +1152,7 @@ static int ssl3_get_key_exchange(SSL *s) goto f_err; } -#ifndef NO_RSA +#ifndef OPENSSL_NO_RSA if (pkey->type == EVP_PKEY_RSA) { int num; @@ -1130,12 +1161,12 @@ static int ssl3_get_key_exchange(SSL *s) q=md_buf; for (num=2; num > 0; num--) { - EVP_DigestInit(&md_ctx,(num == 2) - ?s->ctx->md5:s->ctx->sha1); + EVP_DigestInit_ex(&md_ctx,(num == 2) + ?s->ctx->md5:s->ctx->sha1, NULL); EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); EVP_DigestUpdate(&md_ctx,param,param_len); - EVP_DigestFinal(&md_ctx,q,(unsigned int *)&i); + EVP_DigestFinal_ex(&md_ctx,q,(unsigned int *)&i); q+=i; j+=i; } @@ -1157,11 +1188,11 @@ static int ssl3_get_key_exchange(SSL *s) } else #endif -#ifndef NO_DSA +#ifndef OPENSSL_NO_DSA if (pkey->type == EVP_PKEY_DSA) { /* lets do DSS */ - EVP_VerifyInit(&md_ctx,EVP_dss1()); + EVP_VerifyInit_ex(&md_ctx,EVP_dss1(), NULL); EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); EVP_VerifyUpdate(&md_ctx,param,param_len); @@ -1176,7 +1207,7 @@ static int ssl3_get_key_exchange(SSL *s) else #endif { - SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_INTERNAL_ERROR); + SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); goto err; } } @@ -1185,7 +1216,7 @@ static int ssl3_get_key_exchange(SSL *s) /* still data left over */ if (!(alg & SSL_aNULL)) { - SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_INTERNAL_ERROR); + SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); goto err; } if (n != 0) @@ -1196,19 +1227,21 @@ static int ssl3_get_key_exchange(SSL *s) } } EVP_PKEY_free(pkey); + EVP_MD_CTX_cleanup(&md_ctx); return(1); f_err: ssl3_send_alert(s,SSL3_AL_FATAL,al); err: EVP_PKEY_free(pkey); -#ifndef NO_RSA +#ifndef OPENSSL_NO_RSA if (rsa != NULL) RSA_free(rsa); #endif -#ifndef NO_DH +#ifndef OPENSSL_NO_DH if (dh != NULL) DH_free(dh); #endif + EVP_MD_CTX_cleanup(&md_ctx); return(-1); } @@ -1225,11 +1258,7 @@ static int ssl3_get_certificate_request(SSL *s) SSL3_ST_CR_CERT_REQ_A, SSL3_ST_CR_CERT_REQ_B, -1, -#if defined(MSDOS) && !defined(WIN32) - 1024*30, /* 30k max cert list :-) */ -#else - 1024*100, /* 100k max cert list :-) */ -#endif + s->max_cert_list, &ok); if (!ok) return((int)n); @@ -1261,7 +1290,7 @@ static int ssl3_get_certificate_request(SSL *s) } } - d=p=(unsigned char *)s->init_buf->data; + d=p=(unsigned char *)s->init_msg; if ((ca_sk=sk_X509_NAME_new(ca_dn_cmp)) == NULL) { @@ -1392,10 +1421,13 @@ static int ssl3_send_client_key_exchange(SSL *s) unsigned char *p,*d; int n; unsigned long l; -#ifndef NO_RSA +#ifndef OPENSSL_NO_RSA unsigned char *q; EVP_PKEY *pkey=NULL; #endif +#ifndef OPENSSL_NO_KRB5 + KSSL_ERR kssl_err; +#endif /* OPENSSL_NO_KRB5 */ if (s->state == SSL3_ST_CW_KEY_EXCH_A) { @@ -1404,8 +1436,10 @@ static int ssl3_send_client_key_exchange(SSL *s) l=s->s3->tmp.new_cipher->algorithms; -#ifndef NO_RSA - if (l & SSL_kRSA) + /* Fool emacs indentation */ + if (0) {} +#ifndef OPENSSL_NO_RSA + else if (l & SSL_kRSA) { RSA *rsa; unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; @@ -1419,7 +1453,7 @@ static int ssl3_send_client_key_exchange(SSL *s) (pkey->type != EVP_PKEY_RSA) || (pkey->pkey.rsa == NULL)) { - SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_INTERNAL_ERROR); + SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); goto err; } rsa=pkey->pkey.rsa; @@ -1428,16 +1462,16 @@ static int ssl3_send_client_key_exchange(SSL *s) tmp_buf[0]=s->client_version>>8; tmp_buf[1]=s->client_version&0xff; - if (RAND_bytes(&(tmp_buf[2]),SSL_MAX_MASTER_KEY_LENGTH-2) <= 0) + if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0) goto err; - s->session->master_key_length=SSL_MAX_MASTER_KEY_LENGTH; + s->session->master_key_length=sizeof tmp_buf; q=p; /* Fix buf for TLS and beyond */ if (s->version > SSL3_VERSION) p+=2; - n=RSA_public_encrypt(SSL_MAX_MASTER_KEY_LENGTH, + n=RSA_public_encrypt(sizeof tmp_buf, tmp_buf,p,rsa,RSA_PKCS1_PADDING); #ifdef PKCS1_CHECK if (s->options & SSL_OP_PKCS1_CHECK_1) p[1]++; @@ -1459,13 +1493,144 @@ static int ssl3_send_client_key_exchange(SSL *s) s->session->master_key_length= s->method->ssl3_enc->generate_master_secret(s, s->session->master_key, - tmp_buf,SSL_MAX_MASTER_KEY_LENGTH); - memset(tmp_buf,0,SSL_MAX_MASTER_KEY_LENGTH); + tmp_buf,sizeof tmp_buf); + OPENSSL_cleanse(tmp_buf,sizeof tmp_buf); } - else #endif -#ifndef NO_DH - if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) +#ifndef OPENSSL_NO_KRB5 + else if (l & SSL_kKRB5) + { + krb5_error_code krb5rc; + KSSL_CTX *kssl_ctx = s->kssl_ctx; + /* krb5_data krb5_ap_req; */ + krb5_data *enc_ticket; + krb5_data authenticator, *authp = NULL; + EVP_CIPHER_CTX ciph_ctx; + EVP_CIPHER *enc = NULL; + unsigned char iv[EVP_MAX_IV_LENGTH]; + unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; + unsigned char epms[SSL_MAX_MASTER_KEY_LENGTH + + EVP_MAX_IV_LENGTH]; + int padl, outl = sizeof(epms); + + EVP_CIPHER_CTX_init(&ciph_ctx); + +#ifdef KSSL_DEBUG + printf("ssl3_send_client_key_exchange(%lx & %lx)\n", + l, SSL_kKRB5); +#endif /* KSSL_DEBUG */ + + authp = NULL; +#ifdef KRB5SENDAUTH + if (KRB5SENDAUTH) authp = &authenticator; +#endif /* KRB5SENDAUTH */ + + krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket, authp, + &kssl_err); + enc = kssl_map_enc(kssl_ctx->enctype); + if (enc == NULL) + goto err; +#ifdef KSSL_DEBUG + { + printf("kssl_cget_tkt rtn %d\n", krb5rc); + if (krb5rc && kssl_err.text) + printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text); + } +#endif /* KSSL_DEBUG */ + + if (krb5rc) + { + ssl3_send_alert(s,SSL3_AL_FATAL, + SSL_AD_HANDSHAKE_FAILURE); + SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, + kssl_err.reason); + goto err; + } + + /* 20010406 VRS - Earlier versions used KRB5 AP_REQ + ** in place of RFC 2712 KerberosWrapper, as in: + ** + ** Send ticket (copy to *p, set n = length) + ** n = krb5_ap_req.length; + ** memcpy(p, krb5_ap_req.data, krb5_ap_req.length); + ** if (krb5_ap_req.data) + ** kssl_krb5_free_data_contents(NULL,&krb5_ap_req); + ** + ** Now using real RFC 2712 KerberosWrapper + ** (Thanks to Simon Wilkinson <sxw@sxw.org.uk>) + ** Note: 2712 "opaque" types are here replaced + ** with a 2-byte length followed by the value. + ** Example: + ** KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms + ** Where "xx xx" = length bytes. Shown here with + ** optional authenticator omitted. + */ + + /* KerberosWrapper.Ticket */ + s2n(enc_ticket->length,p); + memcpy(p, enc_ticket->data, enc_ticket->length); + p+= enc_ticket->length; + n = enc_ticket->length + 2; + + /* KerberosWrapper.Authenticator */ + if (authp && authp->length) + { + s2n(authp->length,p); + memcpy(p, authp->data, authp->length); + p+= authp->length; + n+= authp->length + 2; + + free(authp->data); + authp->data = NULL; + authp->length = 0; + } + else + { + s2n(0,p);/* null authenticator length */ + n+=2; + } + + if (RAND_bytes(tmp_buf,sizeof tmp_buf) <= 0) + goto err; + + /* 20010420 VRS. Tried it this way; failed. + ** EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL); + ** EVP_CIPHER_CTX_set_key_length(&ciph_ctx, + ** kssl_ctx->length); + ** EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv); + */ + + memset(iv, 0, sizeof iv); /* per RFC 1510 */ + EVP_EncryptInit_ex(&ciph_ctx,enc, NULL, + kssl_ctx->key,iv); + EVP_EncryptUpdate(&ciph_ctx,epms,&outl,tmp_buf, + sizeof tmp_buf); + EVP_EncryptFinal_ex(&ciph_ctx,&(epms[outl]),&padl); + outl += padl; + if (outl > sizeof epms) + { + SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); + goto err; + } + EVP_CIPHER_CTX_cleanup(&ciph_ctx); + + /* KerberosWrapper.EncryptedPreMasterSecret */ + s2n(outl,p); + memcpy(p, epms, outl); + p+=outl; + n+=outl + 2; + + s->session->master_key_length= + s->method->ssl3_enc->generate_master_secret(s, + s->session->master_key, + tmp_buf, sizeof tmp_buf); + + OPENSSL_cleanse(tmp_buf, sizeof tmp_buf); + OPENSSL_cleanse(epms, outl); + } +#endif +#ifndef OPENSSL_NO_DH + else if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) { DH *dh_srvr,*dh_clnt; @@ -1519,11 +1684,11 @@ static int ssl3_send_client_key_exchange(SSL *s) /* perhaps clean things up a bit EAY EAY EAY EAY*/ } - else #endif + else { ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); - SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_INTERNAL_ERROR); + SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); goto err; } @@ -1547,11 +1712,11 @@ static int ssl3_send_client_verify(SSL *s) unsigned char *p,*d; unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH]; EVP_PKEY *pkey; -#ifndef NO_RSA +#ifndef OPENSSL_NO_RSA unsigned u=0; #endif unsigned long n; -#ifndef NO_DSA +#ifndef OPENSSL_NO_DSA int j; #endif @@ -1564,7 +1729,7 @@ static int ssl3_send_client_verify(SSL *s) s->method->ssl3_enc->cert_verify_mac(s,&(s->s3->finish_dgst2), &(data[MD5_DIGEST_LENGTH])); -#ifndef NO_RSA +#ifndef OPENSSL_NO_RSA if (pkey->type == EVP_PKEY_RSA) { s->method->ssl3_enc->cert_verify_mac(s, @@ -1581,7 +1746,7 @@ static int ssl3_send_client_verify(SSL *s) } else #endif -#ifndef NO_DSA +#ifndef OPENSSL_NO_DSA if (pkey->type == EVP_PKEY_DSA) { if (!DSA_sign(pkey->save_type, @@ -1598,7 +1763,7 @@ static int ssl3_send_client_verify(SSL *s) else #endif { - SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,SSL_R_INTERNAL_ERROR); + SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_INTERNAL_ERROR); goto err; } *(d++)=SSL3_MT_CERTIFICATE_VERIFY; @@ -1697,10 +1862,10 @@ static int ssl3_check_cert_and_algorithm(SSL *s) long algs; EVP_PKEY *pkey=NULL; SESS_CERT *sc; -#ifndef NO_RSA +#ifndef OPENSSL_NO_RSA RSA *rsa; #endif -#ifndef NO_DH +#ifndef OPENSSL_NO_DH DH *dh; #endif @@ -1708,20 +1873,20 @@ static int ssl3_check_cert_and_algorithm(SSL *s) if (sc == NULL) { - SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_INTERNAL_ERROR); + SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,ERR_R_INTERNAL_ERROR); goto err; } algs=s->s3->tmp.new_cipher->algorithms; /* we don't have a certificate */ - if (algs & (SSL_aDH|SSL_aNULL)) + if (algs & (SSL_aDH|SSL_aNULL|SSL_aKRB5)) return(1); -#ifndef NO_RSA +#ifndef OPENSSL_NO_RSA rsa=s->session->sess_cert->peer_rsa_tmp; #endif -#ifndef NO_DH +#ifndef OPENSSL_NO_DH dh=s->session->sess_cert->peer_dh_tmp; #endif @@ -1739,14 +1904,14 @@ static int ssl3_check_cert_and_algorithm(SSL *s) SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_RSA_SIGNING_CERT); goto f_err; } -#ifndef NO_DSA +#ifndef OPENSSL_NO_DSA else if ((algs & SSL_aDSS) && !has_bits(i,EVP_PK_DSA|EVP_PKT_SIGN)) { SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DSA_SIGNING_CERT); goto f_err; } #endif -#ifndef NO_RSA +#ifndef OPENSSL_NO_RSA if ((algs & SSL_kRSA) && !(has_bits(i,EVP_PK_RSA|EVP_PKT_ENC) || (rsa != NULL))) { @@ -1754,7 +1919,7 @@ static int ssl3_check_cert_and_algorithm(SSL *s) goto f_err; } #endif -#ifndef NO_DH +#ifndef OPENSSL_NO_DH if ((algs & SSL_kEDH) && !(has_bits(i,EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL))) { @@ -1766,7 +1931,7 @@ static int ssl3_check_cert_and_algorithm(SSL *s) SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_RSA_CERT); goto f_err; } -#ifndef NO_DSA +#ifndef OPENSSL_NO_DSA else if ((algs & SSL_kDHd) && !has_bits(i,EVP_PK_DH|EVP_PKS_DSA)) { SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_DSA_CERT); @@ -1777,7 +1942,7 @@ static int ssl3_check_cert_and_algorithm(SSL *s) if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i,EVP_PKT_EXP)) { -#ifndef NO_RSA +#ifndef OPENSSL_NO_RSA if (algs & SSL_kRSA) { if (rsa == NULL @@ -1789,7 +1954,7 @@ static int ssl3_check_cert_and_algorithm(SSL *s) } else #endif -#ifndef NO_DH +#ifndef OPENSSL_NO_DH if (algs & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) { if (dh == NULL diff --git a/crypto/openssl/ssl/s3_enc.c b/crypto/openssl/ssl/s3_enc.c index 79fa4f9..35fde29 100644 --- a/crypto/openssl/ssl/s3_enc.c +++ b/crypto/openssl/ssl/s3_enc.c @@ -110,10 +110,9 @@ */ #include <stdio.h> -#include <openssl/md5.h> -#include <openssl/sha.h> -#include <openssl/evp.h> #include "ssl_locl.h" +#include <openssl/evp.h> +#include <openssl/md5.h> static unsigned char ssl3_pad_1[48]={ 0x36,0x36,0x36,0x36,0x36,0x36,0x36,0x36, @@ -134,11 +133,11 @@ static unsigned char ssl3_pad_2[48]={ static int ssl3_handshake_mac(SSL *s, EVP_MD_CTX *in_ctx, const char *sender, int len, unsigned char *p); -static void ssl3_generate_key_block(SSL *s, unsigned char *km, int num) +static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num) { - MD5_CTX m5; - SHA_CTX s1; - unsigned char buf[8],smd[SHA_DIGEST_LENGTH]; + EVP_MD_CTX m5; + EVP_MD_CTX s1; + unsigned char buf[16],smd[SHA_DIGEST_LENGTH]; unsigned char c='A'; int i,j,k; @@ -146,49 +145,62 @@ static void ssl3_generate_key_block(SSL *s, unsigned char *km, int num) c = os_toascii[c]; /*'A' in ASCII */ #endif k=0; + EVP_MD_CTX_init(&m5); + EVP_MD_CTX_init(&s1); for (i=0; i<num; i+=MD5_DIGEST_LENGTH) { k++; + if (k > sizeof buf) + { + /* bug: 'buf' is too small for this ciphersuite */ + SSLerr(SSL_F_SSL3_GENERATE_KEY_BLOCK, ERR_R_INTERNAL_ERROR); + return 0; + } + for (j=0; j<k; j++) buf[j]=c; c++; - SHA1_Init( &s1); - SHA1_Update(&s1,buf,k); - SHA1_Update(&s1,s->session->master_key, + EVP_DigestInit_ex(&s1,EVP_sha1(), NULL); + EVP_DigestUpdate(&s1,buf,k); + EVP_DigestUpdate(&s1,s->session->master_key, s->session->master_key_length); - SHA1_Update(&s1,s->s3->server_random,SSL3_RANDOM_SIZE); - SHA1_Update(&s1,s->s3->client_random,SSL3_RANDOM_SIZE); - SHA1_Final( smd,&s1); + EVP_DigestUpdate(&s1,s->s3->server_random,SSL3_RANDOM_SIZE); + EVP_DigestUpdate(&s1,s->s3->client_random,SSL3_RANDOM_SIZE); + EVP_DigestFinal_ex(&s1,smd,NULL); - MD5_Init( &m5); - MD5_Update(&m5,s->session->master_key, + EVP_DigestInit_ex(&m5,EVP_md5(), NULL); + EVP_DigestUpdate(&m5,s->session->master_key, s->session->master_key_length); - MD5_Update(&m5,smd,SHA_DIGEST_LENGTH); + EVP_DigestUpdate(&m5,smd,SHA_DIGEST_LENGTH); if ((i+MD5_DIGEST_LENGTH) > num) { - MD5_Final(smd,&m5); + EVP_DigestFinal_ex(&m5,smd,NULL); memcpy(km,smd,(num-i)); } else - MD5_Final(km,&m5); + EVP_DigestFinal_ex(&m5,km,NULL); km+=MD5_DIGEST_LENGTH; } - memset(smd,0,SHA_DIGEST_LENGTH); + OPENSSL_cleanse(smd,SHA_DIGEST_LENGTH); + EVP_MD_CTX_cleanup(&m5); + EVP_MD_CTX_cleanup(&s1); + return 1; } int ssl3_change_cipher_state(SSL *s, int which) { unsigned char *p,*key_block,*mac_secret; unsigned char exp_key[EVP_MAX_KEY_LENGTH]; - unsigned char exp_iv[EVP_MAX_KEY_LENGTH]; + unsigned char exp_iv[EVP_MAX_IV_LENGTH]; unsigned char *ms,*key,*iv,*er1,*er2; EVP_CIPHER_CTX *dd; const EVP_CIPHER *c; COMP_METHOD *comp; const EVP_MD *m; - MD5_CTX md; + EVP_MD_CTX md; int exp,n,i,j,k,cl; + int reuse_dd = 0; exp=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); c=s->s3->tmp.new_sym_enc; @@ -201,9 +213,9 @@ int ssl3_change_cipher_state(SSL *s, int which) if (which & SSL3_CC_READ) { - if ((s->enc_read_ctx == NULL) && - ((s->enc_read_ctx=(EVP_CIPHER_CTX *) - OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)) + if (s->enc_read_ctx != NULL) + reuse_dd = 1; + else if ((s->enc_read_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) goto err; dd= s->enc_read_ctx; s->read_hash=m; @@ -232,9 +244,9 @@ int ssl3_change_cipher_state(SSL *s, int which) } else { - if ((s->enc_write_ctx == NULL) && - ((s->enc_write_ctx=(EVP_CIPHER_CTX *) - OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)) + if (s->enc_write_ctx != NULL) + reuse_dd = 1; + else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) goto err; dd= s->enc_write_ctx; s->write_hash=m; @@ -257,6 +269,8 @@ int ssl3_change_cipher_state(SSL *s, int which) mac_secret= &(s->s3->write_mac_secret[0]); } + if (reuse_dd) + EVP_CIPHER_CTX_cleanup(dd); EVP_CIPHER_CTX_init(dd); p=s->s3->tmp.key_block; @@ -287,39 +301,41 @@ int ssl3_change_cipher_state(SSL *s, int which) if (n > s->s3->tmp.key_block_length) { - SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,SSL_R_INTERNAL_ERROR); + SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,ERR_R_INTERNAL_ERROR); goto err2; } + EVP_MD_CTX_init(&md); memcpy(mac_secret,ms,i); if (exp) { /* In here I set both the read and write key/iv to the * same value since only the correct one will be used :-). */ - MD5_Init(&md); - MD5_Update(&md,key,j); - MD5_Update(&md,er1,SSL3_RANDOM_SIZE); - MD5_Update(&md,er2,SSL3_RANDOM_SIZE); - MD5_Final(&(exp_key[0]),&md); + EVP_DigestInit_ex(&md,EVP_md5(), NULL); + EVP_DigestUpdate(&md,key,j); + EVP_DigestUpdate(&md,er1,SSL3_RANDOM_SIZE); + EVP_DigestUpdate(&md,er2,SSL3_RANDOM_SIZE); + EVP_DigestFinal_ex(&md,&(exp_key[0]),NULL); key= &(exp_key[0]); if (k > 0) { - MD5_Init(&md); - MD5_Update(&md,er1,SSL3_RANDOM_SIZE); - MD5_Update(&md,er2,SSL3_RANDOM_SIZE); - MD5_Final(&(exp_iv[0]),&md); + EVP_DigestInit_ex(&md,EVP_md5(), NULL); + EVP_DigestUpdate(&md,er1,SSL3_RANDOM_SIZE); + EVP_DigestUpdate(&md,er2,SSL3_RANDOM_SIZE); + EVP_DigestFinal_ex(&md,&(exp_iv[0]),NULL); iv= &(exp_iv[0]); } } s->session->key_arg_length=0; - EVP_CipherInit(dd,c,key,iv,(which & SSL3_CC_WRITE)); + EVP_CipherInit_ex(dd,c,NULL,key,iv,(which & SSL3_CC_WRITE)); - memset(&(exp_key[0]),0,sizeof(exp_key)); - memset(&(exp_iv[0]),0,sizeof(exp_iv)); + OPENSSL_cleanse(&(exp_key[0]),sizeof(exp_key)); + OPENSSL_cleanse(&(exp_iv[0]),sizeof(exp_iv)); + EVP_MD_CTX_cleanup(&md); return(1); err: SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,ERR_R_MALLOC_FAILURE); @@ -333,6 +349,7 @@ int ssl3_setup_key_block(SSL *s) const EVP_CIPHER *c; const EVP_MD *hash; int num; + int ret = 0; SSL_COMP *comp; if (s->s3->tmp.key_block_length != 0) @@ -358,9 +375,9 @@ int ssl3_setup_key_block(SSL *s) s->s3->tmp.key_block_length=num; s->s3->tmp.key_block=p; - - ssl3_generate_key_block(s,p,num); - + + ret = ssl3_generate_key_block(s,p,num); + if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) { /* enable vulnerability countermeasure for CBC ciphers with @@ -368,19 +385,20 @@ int ssl3_setup_key_block(SSL *s) */ s->s3->need_empty_fragments = 1; - if (s->session->cipher != NULL) + if (s->session->cipher != NULL) { if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_eNULL) - s->s3->need_empty_fragments = 0; - -#ifndef NO_RC4 - if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4) - s->s3->need_empty_fragments = 0; + s->s3->need_empty_fragments = 0; + +#ifndef OPENSSL_NO_RC4 + if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4) + s->s3->need_empty_fragments = 0; #endif - } - } + } + } + + return ret; - return(1); err: SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE); return(0); @@ -390,7 +408,7 @@ void ssl3_cleanup_key_block(SSL *s) { if (s->s3->tmp.key_block != NULL) { - memset(s->s3->tmp.key_block,0, + OPENSSL_cleanse(s->s3->tmp.key_block, s->s3->tmp.key_block_length); OPENSSL_free(s->s3->tmp.key_block); s->s3->tmp.key_block=NULL; @@ -481,8 +499,8 @@ int ssl3_enc(SSL *s, int send) void ssl3_init_finished_mac(SSL *s) { - EVP_DigestInit(&(s->s3->finish_dgst1),s->ctx->md5); - EVP_DigestInit(&(s->s3->finish_dgst2),s->ctx->sha1); + EVP_DigestInit_ex(&(s->s3->finish_dgst1),s->ctx->md5, NULL); + EVP_DigestInit_ex(&(s->s3->finish_dgst2),s->ctx->sha1, NULL); } void ssl3_finish_mac(SSL *s, const unsigned char *buf, int len) @@ -516,7 +534,8 @@ static int ssl3_handshake_mac(SSL *s, EVP_MD_CTX *in_ctx, unsigned char md_buf[EVP_MAX_MD_SIZE]; EVP_MD_CTX ctx; - EVP_MD_CTX_copy(&ctx,in_ctx); + EVP_MD_CTX_init(&ctx); + EVP_MD_CTX_copy_ex(&ctx,in_ctx); n=EVP_MD_CTX_size(&ctx); npad=(48/n)*n; @@ -526,16 +545,16 @@ static int ssl3_handshake_mac(SSL *s, EVP_MD_CTX *in_ctx, EVP_DigestUpdate(&ctx,s->session->master_key, s->session->master_key_length); EVP_DigestUpdate(&ctx,ssl3_pad_1,npad); - EVP_DigestFinal(&ctx,md_buf,&i); + EVP_DigestFinal_ex(&ctx,md_buf,&i); - EVP_DigestInit(&ctx,EVP_MD_CTX_md(&ctx)); + EVP_DigestInit_ex(&ctx,EVP_MD_CTX_md(&ctx), NULL); EVP_DigestUpdate(&ctx,s->session->master_key, s->session->master_key_length); EVP_DigestUpdate(&ctx,ssl3_pad_2,npad); EVP_DigestUpdate(&ctx,md_buf,i); - EVP_DigestFinal(&ctx,p,&ret); + EVP_DigestFinal_ex(&ctx,p,&ret); - memset(&ctx,0,sizeof(EVP_MD_CTX)); + EVP_MD_CTX_cleanup(&ctx); return((int)ret); } @@ -569,8 +588,9 @@ int ssl3_mac(SSL *ssl, unsigned char *md, int send) npad=(48/md_size)*md_size; /* Chop the digest off the end :-) */ + EVP_MD_CTX_init(&md_ctx); - EVP_DigestInit( &md_ctx,hash); + EVP_DigestInit_ex( &md_ctx,hash, NULL); EVP_DigestUpdate(&md_ctx,mac_sec,md_size); EVP_DigestUpdate(&md_ctx,ssl3_pad_1,npad); EVP_DigestUpdate(&md_ctx,seq,8); @@ -580,13 +600,15 @@ int ssl3_mac(SSL *ssl, unsigned char *md, int send) s2n(rec->length,p); EVP_DigestUpdate(&md_ctx,md,2); EVP_DigestUpdate(&md_ctx,rec->input,rec->length); - EVP_DigestFinal( &md_ctx,md,NULL); + EVP_DigestFinal_ex( &md_ctx,md,NULL); - EVP_DigestInit( &md_ctx,hash); + EVP_DigestInit_ex( &md_ctx,hash, NULL); EVP_DigestUpdate(&md_ctx,mac_sec,md_size); EVP_DigestUpdate(&md_ctx,ssl3_pad_2,npad); EVP_DigestUpdate(&md_ctx,md,md_size); - EVP_DigestFinal( &md_ctx,md,&md_size); + EVP_DigestFinal_ex( &md_ctx,md,&md_size); + + EVP_MD_CTX_cleanup(&md_ctx); for (i=7; i>=0; i--) { @@ -616,24 +638,26 @@ int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, int i,ret=0; unsigned int n; + EVP_MD_CTX_init(&ctx); for (i=0; i<3; i++) { - EVP_DigestInit(&ctx,s->ctx->sha1); + EVP_DigestInit_ex(&ctx,s->ctx->sha1, NULL); EVP_DigestUpdate(&ctx,salt[i],strlen((const char *)salt[i])); EVP_DigestUpdate(&ctx,p,len); EVP_DigestUpdate(&ctx,&(s->s3->client_random[0]), SSL3_RANDOM_SIZE); EVP_DigestUpdate(&ctx,&(s->s3->server_random[0]), SSL3_RANDOM_SIZE); - EVP_DigestFinal(&ctx,buf,&n); + EVP_DigestFinal_ex(&ctx,buf,&n); - EVP_DigestInit(&ctx,s->ctx->md5); + EVP_DigestInit_ex(&ctx,s->ctx->md5, NULL); EVP_DigestUpdate(&ctx,p,len); EVP_DigestUpdate(&ctx,buf,n); - EVP_DigestFinal(&ctx,out,&n); + EVP_DigestFinal_ex(&ctx,out,&n); out+=n; ret+=n; } + EVP_MD_CTX_cleanup(&ctx); return(ret); } diff --git a/crypto/openssl/ssl/s3_lib.c b/crypto/openssl/ssl/s3_lib.c index 9951ebb..896b12f 100644 --- a/crypto/openssl/ssl/s3_lib.c +++ b/crypto/openssl/ssl/s3_lib.c @@ -110,10 +110,10 @@ */ #include <stdio.h> -#include <openssl/md5.h> -#include <openssl/sha.h> #include <openssl/objects.h> #include "ssl_locl.h" +#include "kssl_lcl.h" +#include <openssl/md5.h> const char *ssl3_version_str="SSLv3" OPENSSL_VERSION_PTEXT; @@ -512,6 +512,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_ALL_STRENGTHS, }, +#if 0 /* Cipher 1E */ { 0, @@ -525,6 +526,210 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, }, +#endif + +#ifndef OPENSSL_NO_KRB5 +/* The Kerberos ciphers +** 20000107 VRS: And the first shall be last, +** in hopes of avoiding the lynx ssl renegotiation problem. +*/ +/* Cipher 1E VRS */ + { + 1, + SSL3_TXT_KRB5_DES_64_CBC_SHA, + SSL3_CK_KRB5_DES_64_CBC_SHA, + SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_SHA1 |SSL_SSLV3, + SSL_NOT_EXP|SSL_LOW, + 0, + 56, + 56, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + +/* Cipher 1F VRS */ + { + 1, + SSL3_TXT_KRB5_DES_192_CBC3_SHA, + SSL3_CK_KRB5_DES_192_CBC3_SHA, + SSL_kKRB5|SSL_aKRB5| SSL_3DES|SSL_SHA1 |SSL_SSLV3, + SSL_NOT_EXP|SSL_HIGH, + 0, + 112, + 168, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + +/* Cipher 20 VRS */ + { + 1, + SSL3_TXT_KRB5_RC4_128_SHA, + SSL3_CK_KRB5_RC4_128_SHA, + SSL_kKRB5|SSL_aKRB5| SSL_RC4|SSL_SHA1 |SSL_SSLV3, + SSL_NOT_EXP|SSL_MEDIUM, + 0, + 128, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + +/* Cipher 21 VRS */ + { + 1, + SSL3_TXT_KRB5_IDEA_128_CBC_SHA, + SSL3_CK_KRB5_IDEA_128_CBC_SHA, + SSL_kKRB5|SSL_aKRB5| SSL_IDEA|SSL_SHA1 |SSL_SSLV3, + SSL_NOT_EXP|SSL_MEDIUM, + 0, + 128, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + +/* Cipher 22 VRS */ + { + 1, + SSL3_TXT_KRB5_DES_64_CBC_MD5, + SSL3_CK_KRB5_DES_64_CBC_MD5, + SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_MD5 |SSL_SSLV3, + SSL_NOT_EXP|SSL_LOW, + 0, + 56, + 56, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + +/* Cipher 23 VRS */ + { + 1, + SSL3_TXT_KRB5_DES_192_CBC3_MD5, + SSL3_CK_KRB5_DES_192_CBC3_MD5, + SSL_kKRB5|SSL_aKRB5| SSL_3DES|SSL_MD5 |SSL_SSLV3, + SSL_NOT_EXP|SSL_HIGH, + 0, + 112, + 168, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + +/* Cipher 24 VRS */ + { + 1, + SSL3_TXT_KRB5_RC4_128_MD5, + SSL3_CK_KRB5_RC4_128_MD5, + SSL_kKRB5|SSL_aKRB5| SSL_RC4|SSL_MD5 |SSL_SSLV3, + SSL_NOT_EXP|SSL_MEDIUM, + 0, + 128, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + +/* Cipher 25 VRS */ + { + 1, + SSL3_TXT_KRB5_IDEA_128_CBC_MD5, + SSL3_CK_KRB5_IDEA_128_CBC_MD5, + SSL_kKRB5|SSL_aKRB5| SSL_IDEA|SSL_MD5 |SSL_SSLV3, + SSL_NOT_EXP|SSL_MEDIUM, + 0, + 128, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + +/* Cipher 26 VRS */ + { + 1, + SSL3_TXT_KRB5_DES_40_CBC_SHA, + SSL3_CK_KRB5_DES_40_CBC_SHA, + SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_SHA1 |SSL_SSLV3, + SSL_EXPORT|SSL_EXP40, + 0, + 40, + 56, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + +/* Cipher 27 VRS */ + { + 1, + SSL3_TXT_KRB5_RC2_40_CBC_SHA, + SSL3_CK_KRB5_RC2_40_CBC_SHA, + SSL_kKRB5|SSL_aKRB5| SSL_RC2|SSL_SHA1 |SSL_SSLV3, + SSL_EXPORT|SSL_EXP40, + 0, + 40, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + +/* Cipher 28 VRS */ + { + 1, + SSL3_TXT_KRB5_RC4_40_SHA, + SSL3_CK_KRB5_RC4_40_SHA, + SSL_kKRB5|SSL_aKRB5| SSL_RC4|SSL_SHA1 |SSL_SSLV3, + SSL_EXPORT|SSL_EXP40, + 0, + 128, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + +/* Cipher 29 VRS */ + { + 1, + SSL3_TXT_KRB5_DES_40_CBC_MD5, + SSL3_CK_KRB5_DES_40_CBC_MD5, + SSL_kKRB5|SSL_aKRB5| SSL_DES|SSL_MD5 |SSL_SSLV3, + SSL_EXPORT|SSL_EXP40, + 0, + 40, + 56, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + +/* Cipher 2A VRS */ + { + 1, + SSL3_TXT_KRB5_RC2_40_CBC_MD5, + SSL3_CK_KRB5_RC2_40_CBC_MD5, + SSL_kKRB5|SSL_aKRB5| SSL_RC2|SSL_MD5 |SSL_SSLV3, + SSL_EXPORT|SSL_EXP40, + 0, + 40, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + +/* Cipher 2B VRS */ + { + 1, + SSL3_TXT_KRB5_RC4_40_MD5, + SSL3_CK_KRB5_RC4_40_MD5, + SSL_kKRB5|SSL_aKRB5| SSL_RC4|SSL_MD5 |SSL_SSLV3, + SSL_EXPORT|SSL_EXP40, + 0, + 128, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, +#endif /* OPENSSL_NO_KRB5 */ + #if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES /* New TLS Export CipherSuites */ @@ -620,6 +825,165 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_ALL_STRENGTHS }, #endif + /* New AES ciphersuites */ + + /* Cipher 2F */ + { + 1, + TLS1_TXT_RSA_WITH_AES_128_SHA, + TLS1_CK_RSA_WITH_AES_128_SHA, + SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1, + SSL_NOT_EXP|SSL_MEDIUM, + 0, + 128, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + /* Cipher 30 */ + { + 0, + TLS1_TXT_DH_DSS_WITH_AES_128_SHA, + TLS1_CK_DH_DSS_WITH_AES_128_SHA, + SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_MEDIUM, + 0, + 128, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + /* Cipher 31 */ + { + 0, + TLS1_TXT_DH_RSA_WITH_AES_128_SHA, + TLS1_CK_DH_RSA_WITH_AES_128_SHA, + SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_MEDIUM, + 0, + 128, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + /* Cipher 32 */ + { + 1, + TLS1_TXT_DHE_DSS_WITH_AES_128_SHA, + TLS1_CK_DHE_DSS_WITH_AES_128_SHA, + SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_MEDIUM, + 0, + 128, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + /* Cipher 33 */ + { + 1, + TLS1_TXT_DHE_RSA_WITH_AES_128_SHA, + TLS1_CK_DHE_RSA_WITH_AES_128_SHA, + SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_MEDIUM, + 0, + 128, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + /* Cipher 34 */ + { + 1, + TLS1_TXT_ADH_WITH_AES_128_SHA, + TLS1_CK_ADH_WITH_AES_128_SHA, + SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_MEDIUM, + 0, + 128, + 128, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + + /* Cipher 35 */ + { + 1, + TLS1_TXT_RSA_WITH_AES_256_SHA, + TLS1_CK_RSA_WITH_AES_256_SHA, + SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + 0, + 256, + 256, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + /* Cipher 36 */ + { + 0, + TLS1_TXT_DH_DSS_WITH_AES_256_SHA, + TLS1_CK_DH_DSS_WITH_AES_256_SHA, + SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + 0, + 256, + 256, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + /* Cipher 37 */ + { + 0, + TLS1_TXT_DH_RSA_WITH_AES_256_SHA, + TLS1_CK_DH_RSA_WITH_AES_256_SHA, + SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + 0, + 256, + 256, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + /* Cipher 38 */ + { + 1, + TLS1_TXT_DHE_DSS_WITH_AES_256_SHA, + TLS1_CK_DHE_DSS_WITH_AES_256_SHA, + SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + 0, + 256, + 256, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + /* Cipher 39 */ + { + 1, + TLS1_TXT_DHE_RSA_WITH_AES_256_SHA, + TLS1_CK_DHE_RSA_WITH_AES_256_SHA, + SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + 0, + 256, + 256, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, + /* Cipher 3A */ + { + 1, + TLS1_TXT_ADH_WITH_AES_256_SHA, + TLS1_CK_ADH_WITH_AES_256_SHA, + SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1, + SSL_NOT_EXP|SSL_HIGH, + 0, + 256, + 256, + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, /* end of list */ }; @@ -705,6 +1069,8 @@ int ssl3_new(SSL *s) if ((s3=OPENSSL_malloc(sizeof *s3)) == NULL) goto err; memset(s3,0,sizeof *s3); + EVP_MD_CTX_init(&s3->finish_dgst1); + EVP_MD_CTX_init(&s3->finish_dgst2); s->s3=s3; @@ -726,13 +1092,15 @@ void ssl3_free(SSL *s) OPENSSL_free(s->s3->wbuf.buf); if (s->s3->rrec.comp != NULL) OPENSSL_free(s->s3->rrec.comp); -#ifndef NO_DH +#ifndef OPENSSL_NO_DH if (s->s3->tmp.dh != NULL) DH_free(s->s3->tmp.dh); #endif if (s->s3->tmp.ca_names != NULL) sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free); - memset(s->s3,0,sizeof *s->s3); + EVP_MD_CTX_cleanup(&s->s3->finish_dgst1); + EVP_MD_CTX_cleanup(&s->s3->finish_dgst2); + OPENSSL_cleanse(s->s3,sizeof *s->s3); OPENSSL_free(s->s3); s->s3=NULL; } @@ -751,21 +1119,24 @@ void ssl3_clear(SSL *s) OPENSSL_free(s->s3->rrec.comp); s->s3->rrec.comp=NULL; } -#ifndef NO_DH +#ifndef OPENSSL_NO_DH if (s->s3->tmp.dh != NULL) DH_free(s->s3->tmp.dh); #endif rp = s->s3->rbuf.buf; wp = s->s3->wbuf.buf; - rlen = s->s3->rbuf_len; - wlen = s->s3->wbuf_len; + rlen = s->s3->rbuf.len; + wlen = s->s3->wbuf.len; + + EVP_MD_CTX_cleanup(&s->s3->finish_dgst1); + EVP_MD_CTX_cleanup(&s->s3->finish_dgst2); memset(s->s3,0,sizeof *s->s3); s->s3->rbuf.buf = rp; s->s3->wbuf.buf = wp; - s->s3->rbuf_len = rlen; - s->s3->wbuf_len = wlen; + s->s3->rbuf.len = rlen; + s->s3->wbuf.len = wlen; ssl_free_wbio_buffer(s); @@ -777,17 +1148,17 @@ void ssl3_clear(SSL *s) s->version=SSL3_VERSION; } -long ssl3_ctrl(SSL *s, int cmd, long larg, char *parg) +long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) { int ret=0; -#if !defined(NO_DSA) || !defined(NO_RSA) +#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_RSA) if ( -#ifndef NO_RSA +#ifndef OPENSSL_NO_RSA cmd == SSL_CTRL_SET_TMP_RSA || cmd == SSL_CTRL_SET_TMP_RSA_CB || #endif -#ifndef NO_DSA +#ifndef OPENSSL_NO_DSA cmd == SSL_CTRL_SET_TMP_DH || cmd == SSL_CTRL_SET_TMP_DH_CB || #endif @@ -821,7 +1192,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, char *parg) case SSL_CTRL_GET_FLAGS: ret=(int)(s->s3->flags); break; -#ifndef NO_RSA +#ifndef OPENSSL_NO_RSA case SSL_CTRL_NEED_TMP_RSA: if ((s->cert != NULL) && (s->cert->rsa_tmp == NULL) && ((s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) || @@ -854,7 +1225,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, char *parg) } break; #endif -#ifndef NO_DH +#ifndef OPENSSL_NO_DH case SSL_CTRL_SET_TMP_DH: { DH *dh = (DH *)parg; @@ -900,12 +1271,12 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)()) { int ret=0; -#if !defined(NO_DSA) || !defined(NO_RSA) +#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_RSA) if ( -#ifndef NO_RSA +#ifndef OPENSSL_NO_RSA cmd == SSL_CTRL_SET_TMP_RSA_CB || #endif -#ifndef NO_DSA +#ifndef OPENSSL_NO_DSA cmd == SSL_CTRL_SET_TMP_DH_CB || #endif 0) @@ -920,14 +1291,14 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)()) switch (cmd) { -#ifndef NO_RSA +#ifndef OPENSSL_NO_RSA case SSL_CTRL_SET_TMP_RSA_CB: { s->cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp; } break; #endif -#ifndef NO_DH +#ifndef OPENSSL_NO_DH case SSL_CTRL_SET_TMP_DH_CB: { s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; @@ -940,7 +1311,7 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)()) return(ret); } -long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, char *parg) +long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) { CERT *cert; @@ -948,7 +1319,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, char *parg) switch (cmd) { -#ifndef NO_RSA +#ifndef OPENSSL_NO_RSA case SSL_CTRL_NEED_TMP_RSA: if ( (cert->rsa_tmp == NULL) && ((cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL) || @@ -993,7 +1364,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, char *parg) } break; #endif -#ifndef NO_DH +#ifndef OPENSSL_NO_DH case SSL_CTRL_SET_TMP_DH: { DH *new=NULL,*dh; @@ -1050,14 +1421,14 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)()) switch (cmd) { -#ifndef NO_RSA +#ifndef OPENSSL_NO_RSA case SSL_CTRL_SET_TMP_RSA_CB: { cert->rsa_tmp_cb = (RSA *(*)(SSL *, int, int))fp; } break; #endif -#ifndef NO_DH +#ifndef OPENSSL_NO_DH case SSL_CTRL_SET_TMP_DH_CB: { cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp; @@ -1084,16 +1455,19 @@ SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p) { CRYPTO_w_lock(CRYPTO_LOCK_SSL); - for (i=0; i<SSL3_NUM_CIPHERS; i++) - sorted[i]= &(ssl3_ciphers[i]); + if (init) + { + for (i=0; i<SSL3_NUM_CIPHERS; i++) + sorted[i]= &(ssl3_ciphers[i]); - qsort( (char *)sorted, - SSL3_NUM_CIPHERS,sizeof(SSL_CIPHER *), - FP_ICC ssl_cipher_ptr_id_cmp); + qsort(sorted, + SSL3_NUM_CIPHERS,sizeof(SSL_CIPHER *), + FP_ICC ssl_cipher_ptr_id_cmp); + init=0; + } + CRYPTO_w_unlock(CRYPTO_LOCK_SSL); - - init=0; } id=0x03000000L|((unsigned long)p[0]<<8L)|(unsigned long)p[1]; @@ -1122,10 +1496,11 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p) return(2); } -SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *have, - STACK_OF(SSL_CIPHER) *pref) +SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, + STACK_OF(SSL_CIPHER) *srvr) { SSL_CIPHER *c,*ret=NULL; + STACK_OF(SSL_CIPHER) *prio, *allow; int i,j,ok; CERT *cert; unsigned long alg,mask,emask; @@ -1133,26 +1508,62 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *have, /* Let's see which ciphers we can support */ cert=s->cert; - sk_SSL_CIPHER_set_cmp_func(pref,ssl_cipher_ptr_id_cmp); +#if 0 + /* Do not set the compare functions, because this may lead to a + * reordering by "id". We want to keep the original ordering. + * We may pay a price in performance during sk_SSL_CIPHER_find(), + * but would have to pay with the price of sk_SSL_CIPHER_dup(). + */ + sk_SSL_CIPHER_set_cmp_func(srvr, ssl_cipher_ptr_id_cmp); + sk_SSL_CIPHER_set_cmp_func(clnt, ssl_cipher_ptr_id_cmp); +#endif #ifdef CIPHER_DEBUG - printf("Have:\n"); - for(i=0 ; i < sk_num(pref) ; ++i) + printf("Server has %d from %p:\n", sk_SSL_CIPHER_num(srvr), srvr); + for(i=0 ; i < sk_SSL_CIPHER_num(srvr) ; ++i) + { + c=sk_SSL_CIPHER_value(srvr,i); + printf("%p:%s\n",c,c->name); + } + printf("Client sent %d from %p:\n", sk_SSL_CIPHER_num(clnt), clnt); + for(i=0 ; i < sk_SSL_CIPHER_num(clnt) ; ++i) { - c=(SSL_CIPHER *)sk_value(pref,i); + c=sk_SSL_CIPHER_value(clnt,i); printf("%p:%s\n",c,c->name); } #endif - for (i=0; i<sk_SSL_CIPHER_num(have); i++) + if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) + { + prio = srvr; + allow = clnt; + } + else + { + prio = clnt; + allow = srvr; + } + + for (i=0; i<sk_SSL_CIPHER_num(prio); i++) { - c=sk_SSL_CIPHER_value(have,i); + c=sk_SSL_CIPHER_value(prio,i); ssl_set_cert_masks(cert,c); mask=cert->mask; emask=cert->export_mask; +#ifdef KSSL_DEBUG + printf("ssl3_choose_cipher %d alg= %lx\n", i,c->algorithms); +#endif /* KSSL_DEBUG */ + alg=c->algorithms&(SSL_MKEY_MASK|SSL_AUTH_MASK); +#ifndef OPENSSL_NO_KRB5 + if (alg & SSL_KRB5) + { + if ( !kssl_keytab_is_available(s->kssl_ctx) ) + continue; + } +#endif /* OPENSSL_NO_KRB5 */ if (SSL_C_IS_EXPORT(c)) { ok=((alg & emask) == alg)?1:0; @@ -1172,10 +1583,10 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *have, if (!ok) continue; - j=sk_SSL_CIPHER_find(pref,c); + j=sk_SSL_CIPHER_find(allow,c); if (j >= 0) { - ret=sk_SSL_CIPHER_value(pref,j); + ret=sk_SSL_CIPHER_value(allow,j); break; } } @@ -1189,31 +1600,31 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p) alg=s->s3->tmp.new_cipher->algorithms; -#ifndef NO_DH +#ifndef OPENSSL_NO_DH if (alg & (SSL_kDHr|SSL_kEDH)) { -# ifndef NO_RSA +# ifndef OPENSSL_NO_RSA p[ret++]=SSL3_CT_RSA_FIXED_DH; # endif -# ifndef NO_DSA +# ifndef OPENSSL_NO_DSA p[ret++]=SSL3_CT_DSS_FIXED_DH; # endif } if ((s->version == SSL3_VERSION) && (alg & (SSL_kEDH|SSL_kDHd|SSL_kDHr))) { -# ifndef NO_RSA +# ifndef OPENSSL_NO_RSA p[ret++]=SSL3_CT_RSA_EPHEMERAL_DH; # endif -# ifndef NO_DSA +# ifndef OPENSSL_NO_DSA p[ret++]=SSL3_CT_DSS_EPHEMERAL_DH; # endif } -#endif /* !NO_DH */ -#ifndef NO_RSA +#endif /* !OPENSSL_NO_DH */ +#ifndef OPENSSL_NO_RSA p[ret++]=SSL3_CT_RSA_SIGN; #endif -#ifndef NO_DSA +#ifndef OPENSSL_NO_DSA p[ret++]=SSL3_CT_DSS_SIGN; #endif return(ret); diff --git a/crypto/openssl/ssl/s3_meth.c b/crypto/openssl/ssl/s3_meth.c index 81bcad8..1fd7a96 100644 --- a/crypto/openssl/ssl/s3_meth.c +++ b/crypto/openssl/ssl/s3_meth.c @@ -76,12 +76,19 @@ SSL_METHOD *SSLv3_method(void) if (init) { - memcpy((char *)&SSLv3_data,(char *)sslv3_base_method(), - sizeof(SSL_METHOD)); - SSLv3_data.ssl_connect=ssl3_connect; - SSLv3_data.ssl_accept=ssl3_accept; - SSLv3_data.get_ssl_method=ssl3_get_method; - init=0; + CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD); + + if (init) + { + memcpy((char *)&SSLv3_data,(char *)sslv3_base_method(), + sizeof(SSL_METHOD)); + SSLv3_data.ssl_connect=ssl3_connect; + SSLv3_data.ssl_accept=ssl3_accept; + SSLv3_data.get_ssl_method=ssl3_get_method; + init=0; + } + + CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD); } return(&SSLv3_data); } diff --git a/crypto/openssl/ssl/s3_pkt.c b/crypto/openssl/ssl/s3_pkt.c index f52303c..6ccea9a 100644 --- a/crypto/openssl/ssl/s3_pkt.c +++ b/crypto/openssl/ssl/s3_pkt.c @@ -112,9 +112,9 @@ #include <stdio.h> #include <errno.h> #define USE_SOCKETS +#include "ssl_locl.h" #include <openssl/evp.h> #include <openssl/buffer.h> -#include "ssl_locl.h" static int do_ssl3_write(SSL *s, int type, const unsigned char *buf, unsigned int len, int create_empty_fragment); @@ -162,13 +162,13 @@ static int ssl3_read_n(SSL *s, int n, int max, int extend) { /* avoid buffer overflow */ - int max_max = s->s3->rbuf_len - s->packet_length; + int max_max = s->s3->rbuf.len - s->packet_length; if (max > max_max) max = max_max; } if (n > max) /* does not happen */ { - SSLerr(SSL_F_SSL3_READ_N,SSL_R_INTERNAL_ERROR); + SSLerr(SSL_F_SSL3_READ_N,ERR_R_INTERNAL_ERROR); return -1; } @@ -246,11 +246,11 @@ static int ssl3_get_record(SSL *s) extra=SSL3_RT_MAX_EXTRA; else extra=0; - if (extra != s->s3->rbuf_len - SSL3_RT_MAX_PACKET_SIZE) + if (extra != s->s3->rbuf.len - SSL3_RT_MAX_PACKET_SIZE) { /* actually likely an application error: SLS_OP_MICROSOFT_BIG_SSLV3_BUFFER * set after ssl3_setup_buffers() was done */ - SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_INTERNAL_ERROR); + SSLerr(SSL_F_SSL3_GET_RECORD, ERR_R_INTERNAL_ERROR); return -1; } @@ -259,7 +259,7 @@ again: if ( (s->rstate != SSL_ST_READ_BODY) || (s->packet_length < SSL3_RT_HEADER_LENGTH)) { - n=ssl3_read_n(s, SSL3_RT_HEADER_LENGTH, s->s3->rbuf_len, 0); + n=ssl3_read_n(s, SSL3_RT_HEADER_LENGTH, s->s3->rbuf.len, 0); if (n <= 0) return(n); /* error or non-blocking */ s->rstate=SSL_ST_READ_BODY; @@ -604,10 +604,10 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf, if (prefix_len <= 0) goto err; - if (s->s3->wbuf_len < (size_t)prefix_len + SSL3_RT_MAX_PACKET_SIZE) + if (s->s3->wbuf.len < (size_t)prefix_len + SSL3_RT_MAX_PACKET_SIZE) { /* insufficient space */ - SSLerr(SSL_F_DO_SSL3_WRITE, SSL_R_INTERNAL_ERROR); + SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR); goto err; } } @@ -776,7 +776,7 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) int al,i,j,ret; unsigned int n; SSL3_RECORD *rr; - void (*cb)()=NULL; + void (*cb)(const SSL *ssl,int type2,int val)=NULL; if (s->s3->rbuf.buf == NULL) /* Not initialized yet */ if (!ssl3_setup_buffers(s)) @@ -785,7 +785,7 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) if ((type && (type != SSL3_RT_APPLICATION_DATA) && (type != SSL3_RT_HANDSHAKE) && type) || (peek && (type != SSL3_RT_APPLICATION_DATA))) { - SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_INTERNAL_ERROR); + SSLerr(SSL_F_SSL3_READ_BYTES, ERR_R_INTERNAL_ERROR); return -1; } @@ -957,6 +957,9 @@ start: goto err; } + if (s->msg_callback) + s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->s3->handshake_fragment, 4, s, s->msg_callback_arg); + if (SSL_is_init_finished(s) && !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) && !s->s3->renegotiate) @@ -1002,6 +1005,9 @@ start: s->s3->alert_fragment_len = 0; + if (s->msg_callback) + s->msg_callback(0, s->version, SSL3_RT_ALERT, s->s3->alert_fragment, 2, s, s->msg_callback_arg); + if (s->info_callback != NULL) cb=s->info_callback; else if (s->ctx->info_callback != NULL) @@ -1065,6 +1071,10 @@ start: } rr->length=0; + + if (s->msg_callback) + s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, rr->data, 1, s, s->msg_callback_arg); + s->s3->change_cipher_spec=1; if (!do_change_cipher_spec(s)) goto err; @@ -1119,7 +1129,7 @@ start: switch (rr->type) { default: -#ifndef NO_TLS +#ifndef OPENSSL_NO_TLS /* TLS just ignores unknown message types */ if (s->version == TLS1_VERSION) { @@ -1137,7 +1147,7 @@ start: * of SSL3_RT_HANDSHAKE when s->in_handshake is set, but that * should not happen when type != rr->type */ al=SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_INTERNAL_ERROR); + SSLerr(SSL_F_SSL3_READ_BYTES,ERR_R_INTERNAL_ERROR); goto f_err; case SSL3_RT_APPLICATION_DATA: /* At this point, we were expecting handshake data, @@ -1243,7 +1253,7 @@ void ssl3_send_alert(SSL *s, int level, int desc) int ssl3_dispatch_alert(SSL *s) { int i,j; - void (*cb)()=NULL; + void (*cb)(const SSL *ssl,int type,int val)=NULL; s->s3->alert_dispatch=0; i = do_ssl3_write(s, SSL3_RT_ALERT, &s->s3->send_alert[0], 2, 0); @@ -1259,6 +1269,9 @@ int ssl3_dispatch_alert(SSL *s) if (s->s3->send_alert[0] == SSL3_AL_FATAL) (void)BIO_flush(s->wbio); + if (s->msg_callback) + s->msg_callback(1, s->version, SSL3_RT_ALERT, s->s3->send_alert, 2, s, s->msg_callback_arg); + if (s->info_callback != NULL) cb=s->info_callback; else if (s->ctx->info_callback != NULL) diff --git a/crypto/openssl/ssl/s3_srvr.c b/crypto/openssl/ssl/s3_srvr.c index fe1e689..7643877 100644 --- a/crypto/openssl/ssl/s3_srvr.c +++ b/crypto/openssl/ssl/s3_srvr.c @@ -114,14 +114,15 @@ #include <stdio.h> +#include "ssl_locl.h" +#include "kssl_lcl.h" #include <openssl/buffer.h> #include <openssl/rand.h> #include <openssl/objects.h> -#include <openssl/md5.h> -#include <openssl/sha.h> #include <openssl/evp.h> #include <openssl/x509.h> -#include "ssl_locl.h" +#include <openssl/krb5_asn.h> +#include <openssl/md5.h> #include "cryptlib.h" static SSL_METHOD *ssl3_get_server_method(int ver); @@ -151,11 +152,18 @@ SSL_METHOD *SSLv3_server_method(void) if (init) { - memcpy((char *)&SSLv3_server_data,(char *)sslv3_base_method(), - sizeof(SSL_METHOD)); - SSLv3_server_data.ssl_accept=ssl3_accept; - SSLv3_server_data.get_ssl_method=ssl3_get_server_method; - init=0; + CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD); + + if (init) + { + memcpy((char *)&SSLv3_server_data,(char *)sslv3_base_method(), + sizeof(SSL_METHOD)); + SSLv3_server_data.ssl_accept=ssl3_accept; + SSLv3_server_data.get_ssl_method=ssl3_get_server_method; + init=0; + } + + CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD); } return(&SSLv3_server_data); } @@ -164,7 +172,7 @@ int ssl3_accept(SSL *s) { BUF_MEM *buf; unsigned long l,Time=time(NULL); - void (*cb)()=NULL; + void (*cb)(const SSL *ssl,int type,int val)=NULL; long num1; int ret= -1; int new_state,state,skip=0; @@ -208,7 +216,7 @@ int ssl3_accept(SSL *s) if ((s->version>>8) != 3) { - SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_INTERNAL_ERROR); + SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR); return -1; } s->type=SSL_ST_ACCEPT; @@ -317,7 +325,15 @@ int ssl3_accept(SSL *s) /* clear this, it may get reset by * send_server_key_exchange */ - if (s->options & SSL_OP_EPHEMERAL_RSA) + if ((s->options & SSL_OP_EPHEMERAL_RSA) +#ifndef OPENSSL_NO_KRB5 + && !(l & SSL_KRB5) +#endif /* OPENSSL_NO_KRB5 */ + ) + /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key + * even when forbidden by protocol specs + * (handshake may fail as clients are not required to + * be able to handle this) */ s->s3->tmp.use_rsa_tmp=1; else s->s3->tmp.use_rsa_tmp=0; @@ -359,7 +375,9 @@ int ssl3_accept(SSL *s) ((s->s3->tmp.new_cipher->algorithms & SSL_aNULL) && /* ... except when the application insists on verification * (against the specs, but s3_clnt.c accepts this for SSL 3) */ - !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) + !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) || + /* never request cert in Kerberos ciphersuites */ + (s->s3->tmp.new_cipher->algorithms & SSL_aKRB5)) { /* no cert request */ skip=1; @@ -515,7 +533,8 @@ int ssl3_accept(SSL *s) if (s->new_session == 2) /* skipped if we just sent a HelloRequest */ { - /* actually not necessarily a 'new' session */ + /* actually not necessarily a 'new' session unless + * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */ s->new_session=0; @@ -600,11 +619,7 @@ static int ssl3_check_client_hello(SSL *s) SSL3_ST_SR_CERT_A, SSL3_ST_SR_CERT_B, -1, -#if defined(MSDOS) && !defined(WIN32) - 1024*30, /* 30k max cert list :-) */ -#else - 1024*100, /* 100k max cert list :-) */ -#endif + s->max_cert_list, &ok); if (!ok) return((int)n); s->s3->tmp.reuse_message = 1; @@ -614,7 +629,7 @@ static int ssl3_check_client_hello(SSL *s) * which will now be aborted. (A full SSL_clear would be too much.) * I hope that tmp.dh is the only thing that may need to be cleared * when a handshake is not completed ... */ -#ifndef NO_DH +#ifndef OPENSSL_NO_DH if (s->s3->tmp.dh != NULL) { DH_free(s->s3->tmp.dh); @@ -655,7 +670,7 @@ static int ssl3_get_client_hello(SSL *s) &ok); if (!ok) return((int)n); - d=p=(unsigned char *)s->init_buf->data; + d=p=(unsigned char *)s->init_msg; /* use version from inside client hello, not from record header * (may differ: see RFC 2246, Appendix E, second paragraph) */ @@ -682,7 +697,15 @@ static int ssl3_get_client_hello(SSL *s) j= *(p++); s->hit=0; - if (j == 0) + /* Versions before 0.9.7 always allow session reuse during renegotiation + * (i.e. when s->new_session is true), option + * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is new with 0.9.7. + * Maybe this optional behaviour should always have been the default, + * but we cannot safely change the default behaviour (or new applications + * might be written that become totally unsecure when compiled with + * an earlier library version) + */ + if (j == 0 || (s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) { if (!ssl_get_new_session(s,1)) goto err; @@ -833,7 +856,7 @@ static int ssl3_get_client_hello(SSL *s) } } - /* Given s->session->ciphers and ssl_get_ciphers_by_id(s), we must + /* Given s->session->ciphers and SSL_get_ciphers, we must * pick a cipher */ if (!s->hit) @@ -850,7 +873,7 @@ static int ssl3_get_client_hello(SSL *s) } ciphers=NULL; c=ssl3_choose_cipher(s,s->session->ciphers, - ssl_get_ciphers_by_id(s)); + SSL_get_ciphers(s)); if (c == NULL) { @@ -951,7 +974,7 @@ static int ssl3_send_server_hello(SSL *s) sl=s->session->session_id_length; if (sl > sizeof s->session->session_id) { - SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, SSL_R_INTERNAL_ERROR); + SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR); return -1; } *(p++)=sl; @@ -1010,14 +1033,14 @@ static int ssl3_send_server_done(SSL *s) static int ssl3_send_server_key_exchange(SSL *s) { -#ifndef NO_RSA +#ifndef OPENSSL_NO_RSA unsigned char *q; int j,num; RSA *rsa; unsigned char md_buf[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH]; unsigned int u; #endif -#ifndef NO_DH +#ifndef OPENSSL_NO_DH DH *dh=NULL,*dhp; #endif EVP_PKEY *pkey; @@ -1031,6 +1054,7 @@ static int ssl3_send_server_key_exchange(SSL *s) BUF_MEM *buf; EVP_MD_CTX md_ctx; + EVP_MD_CTX_init(&md_ctx); if (s->state == SSL3_ST_SW_KEY_EXCH_A) { type=s->s3->tmp.new_cipher->algorithms & SSL_MKEY_MASK; @@ -1040,7 +1064,7 @@ static int ssl3_send_server_key_exchange(SSL *s) r[0]=r[1]=r[2]=r[3]=NULL; n=0; -#ifndef NO_RSA +#ifndef OPENSSL_NO_RSA if (type & SSL_kRSA) { rsa=cert->rsa_tmp; @@ -1055,7 +1079,7 @@ static int ssl3_send_server_key_exchange(SSL *s) SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_ERROR_GENERATING_TMP_RSA_KEY); goto f_err; } - CRYPTO_add(&rsa->references,1,CRYPTO_LOCK_RSA); + RSA_up_ref(rsa); cert->rsa_tmp=rsa; } if (rsa == NULL) @@ -1070,7 +1094,7 @@ static int ssl3_send_server_key_exchange(SSL *s) } else #endif -#ifndef NO_DH +#ifndef OPENSSL_NO_DH if (type & SSL_kEDH) { dhp=cert->dh_tmp; @@ -1088,7 +1112,7 @@ static int ssl3_send_server_key_exchange(SSL *s) if (s->s3->tmp.dh != NULL) { DH_free(dh); - SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, SSL_R_INTERNAL_ERROR); + SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); goto err; } @@ -1154,7 +1178,7 @@ static int ssl3_send_server_key_exchange(SSL *s) kn=0; } - if (!BUF_MEM_grow(buf,n+4+kn)) + if (!BUF_MEM_grow_clean(buf,n+4+kn)) { SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_BUF); goto err; @@ -1174,19 +1198,19 @@ static int ssl3_send_server_key_exchange(SSL *s) { /* n is the length of the params, they start at &(d[4]) * and p points to the space at the end. */ -#ifndef NO_RSA +#ifndef OPENSSL_NO_RSA if (pkey->type == EVP_PKEY_RSA) { q=md_buf; j=0; for (num=2; num > 0; num--) { - EVP_DigestInit(&md_ctx,(num == 2) - ?s->ctx->md5:s->ctx->sha1); + EVP_DigestInit_ex(&md_ctx,(num == 2) + ?s->ctx->md5:s->ctx->sha1, NULL); EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); EVP_DigestUpdate(&md_ctx,&(d[4]),n); - EVP_DigestFinal(&md_ctx,q, + EVP_DigestFinal_ex(&md_ctx,q, (unsigned int *)&i); q+=i; j+=i; @@ -1202,11 +1226,11 @@ static int ssl3_send_server_key_exchange(SSL *s) } else #endif -#if !defined(NO_DSA) +#if !defined(OPENSSL_NO_DSA) if (pkey->type == EVP_PKEY_DSA) { /* lets do DSS */ - EVP_SignInit(&md_ctx,EVP_dss1()); + EVP_SignInit_ex(&md_ctx,EVP_dss1(), NULL); EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); EVP_SignUpdate(&md_ctx,&(d[4]),n); @@ -1239,10 +1263,12 @@ static int ssl3_send_server_key_exchange(SSL *s) } s->state = SSL3_ST_SW_KEY_EXCH_B; + EVP_MD_CTX_cleanup(&md_ctx); return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); f_err: ssl3_send_alert(s,SSL3_AL_FATAL,al); err: + EVP_MD_CTX_cleanup(&md_ctx); return(-1); } @@ -1279,7 +1305,7 @@ static int ssl3_send_certificate_request(SSL *s) { name=sk_X509_NAME_value(sk,i); j=i2d_X509_NAME(name,NULL); - if (!BUF_MEM_grow(buf,4+n+j+2)) + if (!BUF_MEM_grow_clean(buf,4+n+j+2)) { SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,ERR_R_BUF_LIB); goto err; @@ -1340,28 +1366,31 @@ static int ssl3_get_client_key_exchange(SSL *s) long n; unsigned long l; unsigned char *p; -#ifndef NO_RSA +#ifndef OPENSSL_NO_RSA RSA *rsa=NULL; EVP_PKEY *pkey=NULL; #endif -#ifndef NO_DH +#ifndef OPENSSL_NO_DH BIGNUM *pub=NULL; DH *dh_srvr; #endif +#ifndef OPENSSL_NO_KRB5 + KSSL_ERR kssl_err; +#endif /* OPENSSL_NO_KRB5 */ n=ssl3_get_message(s, SSL3_ST_SR_KEY_EXCH_A, SSL3_ST_SR_KEY_EXCH_B, SSL3_MT_CLIENT_KEY_EXCHANGE, - 2048, /* ???? */ + 2048, /* ??? */ &ok); if (!ok) return((int)n); - p=(unsigned char *)s->init_buf->data; + p=(unsigned char *)s->init_msg; l=s->s3->tmp.new_cipher->algorithms; -#ifndef NO_RSA +#ifndef OPENSSL_NO_RSA if (l & SSL_kRSA) { /* FIX THIS UP EAY EAY EAY EAY */ @@ -1464,11 +1493,11 @@ static int ssl3_get_client_key_exchange(SSL *s) s->method->ssl3_enc->generate_master_secret(s, s->session->master_key, p,i); - memset(p,0,i); + OPENSSL_cleanse(p,i); } else #endif -#ifndef NO_DH +#ifndef OPENSSL_NO_DH if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) { n2s(p,i); @@ -1527,20 +1556,179 @@ static int ssl3_get_client_key_exchange(SSL *s) s->session->master_key_length= s->method->ssl3_enc->generate_master_secret(s, s->session->master_key,p,i); - memset(p,0,i); + OPENSSL_cleanse(p,i); } else #endif +#ifndef OPENSSL_NO_KRB5 + if (l & SSL_kKRB5) + { + krb5_error_code krb5rc; + krb5_data enc_ticket; + krb5_data authenticator; + krb5_data enc_pms; + KSSL_CTX *kssl_ctx = s->kssl_ctx; + EVP_CIPHER_CTX ciph_ctx; + EVP_CIPHER *enc = NULL; + unsigned char iv[EVP_MAX_IV_LENGTH]; + unsigned char pms[SSL_MAX_MASTER_KEY_LENGTH + + EVP_MAX_BLOCK_LENGTH]; + int padl, outl; + krb5_timestamp authtime = 0; + krb5_ticket_times ttimes; + + EVP_CIPHER_CTX_init(&ciph_ctx); + + if (!kssl_ctx) kssl_ctx = kssl_ctx_new(); + + n2s(p,i); + enc_ticket.length = i; + enc_ticket.data = (char *)p; + p+=enc_ticket.length; + + n2s(p,i); + authenticator.length = i; + authenticator.data = (char *)p; + p+=authenticator.length; + + n2s(p,i); + enc_pms.length = i; + enc_pms.data = (char *)p; + p+=enc_pms.length; + + /* Note that the length is checked again below, + ** after decryption + */ + if(enc_pms.length > sizeof pms) + { + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, + SSL_R_DATA_LENGTH_TOO_LONG); + goto err; + } + + if (n != enc_ticket.length + authenticator.length + + enc_pms.length + 6) + { + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, + SSL_R_DATA_LENGTH_TOO_LONG); + goto err; + } + + if ((krb5rc = kssl_sget_tkt(kssl_ctx, &enc_ticket, &ttimes, + &kssl_err)) != 0) + { +#ifdef KSSL_DEBUG + printf("kssl_sget_tkt rtn %d [%d]\n", + krb5rc, kssl_err.reason); + if (kssl_err.text) + printf("kssl_err text= %s\n", kssl_err.text); +#endif /* KSSL_DEBUG */ + SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, + kssl_err.reason); + goto err; + } + + /* Note: no authenticator is not considered an error, + ** but will return authtime == 0. + */ + if ((krb5rc = kssl_check_authent(kssl_ctx, &authenticator, + &authtime, &kssl_err)) != 0) + { +#ifdef KSSL_DEBUG + printf("kssl_check_authent rtn %d [%d]\n", + krb5rc, kssl_err.reason); + if (kssl_err.text) + printf("kssl_err text= %s\n", kssl_err.text); +#endif /* KSSL_DEBUG */ + SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, + kssl_err.reason); + goto err; + } + + if ((krb5rc = kssl_validate_times(authtime, &ttimes)) != 0) + { + SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, krb5rc); + goto err; + } + +#ifdef KSSL_DEBUG + kssl_ctx_show(kssl_ctx); +#endif /* KSSL_DEBUG */ + + enc = kssl_map_enc(kssl_ctx->enctype); + if (enc == NULL) + goto err; + + memset(iv, 0, sizeof iv); /* per RFC 1510 */ + + if (!EVP_DecryptInit_ex(&ciph_ctx,enc,NULL,kssl_ctx->key,iv)) + { + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, + SSL_R_DECRYPTION_FAILED); + goto err; + } + if (!EVP_DecryptUpdate(&ciph_ctx, pms,&outl, + (unsigned char *)enc_pms.data, enc_pms.length)) + { + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, + SSL_R_DECRYPTION_FAILED); + goto err; + } + if (outl > SSL_MAX_MASTER_KEY_LENGTH) + { + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, + SSL_R_DATA_LENGTH_TOO_LONG); + goto err; + } + if (!EVP_DecryptFinal_ex(&ciph_ctx,&(pms[outl]),&padl)) + { + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, + SSL_R_DECRYPTION_FAILED); + goto err; + } + outl += padl; + if (outl > SSL_MAX_MASTER_KEY_LENGTH) + { + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, + SSL_R_DATA_LENGTH_TOO_LONG); + goto err; + } + EVP_CIPHER_CTX_cleanup(&ciph_ctx); + + s->session->master_key_length= + s->method->ssl3_enc->generate_master_secret(s, + s->session->master_key, pms, outl); + + if (kssl_ctx->client_princ) + { + int len = strlen(kssl_ctx->client_princ); + if ( len < SSL_MAX_KRB5_PRINCIPAL_LENGTH ) + { + s->session->krb5_client_princ_len = len; + memcpy(s->session->krb5_client_princ,kssl_ctx->client_princ,len); + } + } + + + /* Was doing kssl_ctx_free() here, + ** but it caused problems for apache. + ** kssl_ctx = kssl_ctx_free(kssl_ctx); + ** if (s->kssl_ctx) s->kssl_ctx = NULL; + */ + } + else +#endif /* OPENSSL_NO_KRB5 */ { al=SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_UNKNOWN_CIPHER_TYPE); + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, + SSL_R_UNKNOWN_CIPHER_TYPE); goto f_err; } return(1); f_err: ssl3_send_alert(s,SSL3_AL_FATAL,al); -#if !defined(NO_DH) || !defined(NO_RSA) +#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_RSA) err: #endif return(-1); @@ -1559,7 +1747,7 @@ static int ssl3_get_cert_verify(SSL *s) SSL3_ST_SR_CERT_VRFY_A, SSL3_ST_SR_CERT_VRFY_B, -1, - 512, /* 512? */ + 514, /* 514? */ &ok); if (!ok) return((int)n); @@ -1611,7 +1799,7 @@ static int ssl3_get_cert_verify(SSL *s) } /* we now have a signature that we need to verify */ - p=(unsigned char *)s->init_buf->data; + p=(unsigned char *)s->init_msg; n2s(p,i); n-=2; if (i > n) @@ -1629,7 +1817,7 @@ static int ssl3_get_cert_verify(SSL *s) goto f_err; } -#ifndef NO_RSA +#ifndef OPENSSL_NO_RSA if (pkey->type == EVP_PKEY_RSA) { i=RSA_verify(NID_md5_sha1, s->s3->tmp.cert_verify_md, @@ -1650,7 +1838,7 @@ static int ssl3_get_cert_verify(SSL *s) } else #endif -#ifndef NO_DSA +#ifndef OPENSSL_NO_DSA if (pkey->type == EVP_PKEY_DSA) { j=DSA_verify(pkey->save_type, @@ -1667,7 +1855,7 @@ static int ssl3_get_cert_verify(SSL *s) else #endif { - SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_INTERNAL_ERROR); + SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,ERR_R_INTERNAL_ERROR); al=SSL_AD_UNSUPPORTED_CERTIFICATE; goto f_err; } @@ -1696,11 +1884,7 @@ static int ssl3_get_client_certificate(SSL *s) SSL3_ST_SR_CERT_A, SSL3_ST_SR_CERT_B, -1, -#if defined(MSDOS) && !defined(WIN32) - 1024*30, /* 30k max cert list :-) */ -#else - 1024*100, /* 100k max cert list :-) */ -#endif + s->max_cert_list, &ok); if (!ok) return((int)n); @@ -1731,7 +1915,7 @@ static int ssl3_get_client_certificate(SSL *s) SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_WRONG_MESSAGE_TYPE); goto f_err; } - d=p=(unsigned char *)s->init_buf->data; + d=p=(unsigned char *)s->init_msg; if ((sk=sk_X509_new_null()) == NULL) { @@ -1851,9 +2035,13 @@ int ssl3_send_server_certificate(SSL *s) if (s->state == SSL3_ST_SW_CERT_A) { x=ssl_get_server_send_cert(s); - if (x == NULL) + if (x == NULL && + /* VRS: allow null cert if auth == KRB5 */ + (s->s3->tmp.new_cipher->algorithms + & (SSL_MKEY_MASK|SSL_AUTH_MASK)) + != (SSL_aKRB5|SSL_kKRB5)) { - SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,SSL_R_INTERNAL_ERROR); + SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR); return(0); } diff --git a/crypto/openssl/ssl/ssl.h b/crypto/openssl/ssl/ssl.h index 3eecead..f8e400d 100644 --- a/crypto/openssl/ssl/ssl.h +++ b/crypto/openssl/ssl/ssl.h @@ -56,6 +56,59 @@ * [including the GNU Public Licence.] */ /* ==================================================================== + * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ +/* ==================================================================== * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -112,16 +165,20 @@ #ifndef HEADER_SSL_H #define HEADER_SSL_H -#ifndef NO_COMP +#include <openssl/e_os2.h> + +#ifndef OPENSSL_NO_COMP #include <openssl/comp.h> #endif -#ifndef NO_BIO +#ifndef OPENSSL_NO_BIO #include <openssl/bio.h> #endif -#ifndef NO_X509 +#ifndef OPENSSL_NO_X509 #include <openssl/x509.h> #endif +#include <openssl/kssl.h> #include <openssl/safestack.h> +#include <openssl/symhacks.h> #ifdef __cplusplus extern "C" { @@ -145,6 +202,32 @@ extern "C" { #define SSL_TXT_DES_192_EDE3_CBC_WITH_MD5 SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5 #define SSL_TXT_DES_192_EDE3_CBC_WITH_SHA SSL2_TXT_DES_192_EDE3_CBC_WITH_SHA +/* VRS Additional Kerberos5 entries + */ +#define SSL_TXT_KRB5_DES_64_CBC_SHA SSL3_TXT_KRB5_DES_64_CBC_SHA +#define SSL_TXT_KRB5_DES_192_CBC3_SHA SSL3_TXT_KRB5_DES_192_CBC3_SHA +#define SSL_TXT_KRB5_RC4_128_SHA SSL3_TXT_KRB5_RC4_128_SHA +#define SSL_TXT_KRB5_IDEA_128_CBC_SHA SSL3_TXT_KRB5_IDEA_128_CBC_SHA +#define SSL_TXT_KRB5_DES_64_CBC_MD5 SSL3_TXT_KRB5_DES_64_CBC_MD5 +#define SSL_TXT_KRB5_DES_192_CBC3_MD5 SSL3_TXT_KRB5_DES_192_CBC3_MD5 +#define SSL_TXT_KRB5_RC4_128_MD5 SSL3_TXT_KRB5_RC4_128_MD5 +#define SSL_TXT_KRB5_IDEA_128_CBC_MD5 SSL3_TXT_KRB5_IDEA_128_CBC_MD5 + +#define SSL_TXT_KRB5_DES_40_CBC_SHA SSL3_TXT_KRB5_DES_40_CBC_SHA +#define SSL_TXT_KRB5_RC2_40_CBC_SHA SSL3_TXT_KRB5_RC2_40_CBC_SHA +#define SSL_TXT_KRB5_RC4_40_SHA SSL3_TXT_KRB5_RC4_40_SHA +#define SSL_TXT_KRB5_DES_40_CBC_MD5 SSL3_TXT_KRB5_DES_40_CBC_MD5 +#define SSL_TXT_KRB5_RC2_40_CBC_MD5 SSL3_TXT_KRB5_RC2_40_CBC_MD5 +#define SSL_TXT_KRB5_RC4_40_MD5 SSL3_TXT_KRB5_RC4_40_MD5 + +#define SSL_TXT_KRB5_DES_40_CBC_SHA SSL3_TXT_KRB5_DES_40_CBC_SHA +#define SSL_TXT_KRB5_DES_40_CBC_MD5 SSL3_TXT_KRB5_DES_40_CBC_MD5 +#define SSL_TXT_KRB5_DES_64_CBC_SHA SSL3_TXT_KRB5_DES_64_CBC_SHA +#define SSL_TXT_KRB5_DES_64_CBC_MD5 SSL3_TXT_KRB5_DES_64_CBC_MD5 +#define SSL_TXT_KRB5_DES_192_CBC3_SHA SSL3_TXT_KRB5_DES_192_CBC3_SHA +#define SSL_TXT_KRB5_DES_192_CBC3_MD5 SSL3_TXT_KRB5_DES_192_CBC3_MD5 +#define SSL_MAX_KRB5_PRINCIPAL_LENGTH 256 + #define SSL_MAX_SSL_SESSION_ID_LENGTH 32 #define SSL_MAX_SID_CTX_LENGTH 32 @@ -165,6 +248,10 @@ extern "C" { #define SSL_TXT_eNULL "eNULL" #define SSL_TXT_NULL "NULL" +#define SSL_TXT_kKRB5 "kKRB5" +#define SSL_TXT_aKRB5 "aKRB5" +#define SSL_TXT_KRB5 "KRB5" + #define SSL_TXT_kRSA "kRSA" #define SSL_TXT_kDHr "kDHr" #define SSL_TXT_kDHd "kDHd" @@ -182,6 +269,7 @@ extern "C" { #define SSL_TXT_RC4 "RC4" #define SSL_TXT_RC2 "RC2" #define SSL_TXT_IDEA "IDEA" +#define SSL_TXT_AES "AES" #define SSL_TXT_MD5 "MD5" #define SSL_TXT_SHA1 "SHA1" #define SSL_TXT_SHA "SHA" @@ -194,9 +282,27 @@ extern "C" { #define SSL_TXT_TLSV1 "TLSv1" #define SSL_TXT_ALL "ALL" -/* 'DEFAULT' at the start of the cipher list insert the following string - * in addition to this being the default cipher string */ -#define SSL_DEFAULT_CIPHER_LIST "ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH" +/* + * COMPLEMENTOF* definitions. These identifiers are used to (de-select) + * ciphers normally not being used. + * Example: "RC4" will activate all ciphers using RC4 including ciphers + * without authentication, which would normally disabled by DEFAULT (due + * the "!ADH" being part of default). Therefore "RC4:!COMPLEMENTOFDEFAULT" + * will make sure that it is also disabled in the specific selection. + * COMPLEMENTOF* identifiers are portable between version, as adjustments + * to the default cipher setup will also be included here. + * + * COMPLEMENTOFDEFAULT does not experience the same special treatment that + * DEFAULT gets, as only selection is being done and no sorting as needed + * for DEFAULT. + */ +#define SSL_TXT_CMPALL "COMPLEMENTOFALL" +#define SSL_TXT_CMPDEF "COMPLEMENTOFDEFAULT" + +/* The following cipher list is used by default. + * It also is substituted when an application-defined cipher list string + * starts with 'DEFAULT'. */ +#define SSL_DEFAULT_CIPHER_LIST "ALL:!ADH:+RC4:@STRENGTH" /* low priority for RC4 */ /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */ #define SSL_SENT_SHUTDOWN 1 @@ -209,16 +315,14 @@ extern "C" { #include <openssl/crypto.h> #include <openssl/lhash.h> #include <openssl/buffer.h> -#include <openssl/bio.h> #include <openssl/pem.h> -#include <openssl/x509.h> #ifdef __cplusplus extern "C" { #endif -#if (defined(NO_RSA) || defined(NO_MD5)) && !defined(NO_SSL2) -#define NO_SSL2 +#if (defined(OPENSSL_NO_RSA) || defined(OPENSSL_NO_MD5)) && !defined(OPENSSL_NO_SSL2) +#define OPENSSL_NO_SSL2 #endif #define SSL_FILETYPE_ASN1 X509_FILETYPE_ASN1 @@ -264,8 +368,8 @@ typedef struct ssl_method_st int (*ssl_shutdown)(SSL *s); int (*ssl_renegotiate)(SSL *s); int (*ssl_renegotiate_check)(SSL *s); - long (*ssl_ctrl)(SSL *s,int cmd,long larg,char *parg); - long (*ssl_ctx_ctrl)(SSL_CTX *ctx,int cmd,long larg,char *parg); + long (*ssl_ctrl)(SSL *s,int cmd,long larg,void *parg); + long (*ssl_ctx_ctrl)(SSL_CTX *ctx,int cmd,long larg,void *parg); SSL_CIPHER *(*get_cipher_by_char)(const unsigned char *ptr); int (*put_cipher_by_char)(const SSL_CIPHER *cipher,unsigned char *ptr); int (*ssl_pending)(SSL *s); @@ -286,6 +390,7 @@ typedef struct ssl_method_st * Cipher OCTET_STRING, -- the 3 byte cipher ID * Session_ID OCTET_STRING, -- the Session ID * Master_key OCTET_STRING, -- the master key + * KRB5_principal OCTET_STRING -- optional Kerberos principal * Key_Arg [ 0 ] IMPLICIT OCTET_STRING, -- the optional Key argument * Time [ 1 ] EXPLICIT INTEGER, -- optional Start Time * Timeout [ 2 ] EXPLICIT INTEGER, -- optional Timeout ins seconds @@ -316,6 +421,11 @@ typedef struct ssl_session_st unsigned int sid_ctx_length; unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH]; +#ifndef OPENSSL_NO_KRB5 + unsigned int krb5_client_princ_len; + unsigned char krb5_client_princ[SSL_MAX_KRB5_PRINCIPAL_LENGTH]; +#endif /* OPENSSL_NO_KRB5 */ + int not_resumable; /* The cert is the certificate used to establish this connection */ @@ -360,7 +470,6 @@ typedef struct ssl_session_st #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x00000080L #define SSL_OP_TLS_D5_BUG 0x00000100L #define SSL_OP_TLS_BLOCK_PADDING_BUG 0x00000200L -#define SSL_OP_TLS_ROLLBACK_BUG 0x00000400L /* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added * in OpenSSL 0.9.6d. Usually (depending on the application protocol) @@ -369,13 +478,25 @@ typedef struct ssl_session_st * it in SSL_OP_ALL. */ #define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 0x00000800L /* added in 0.9.6e */ -/* SSL_OP_ALL: various bug workarounds that should be rather harmless */ -#define SSL_OP_ALL 0x000FFFFFL +/* SSL_OP_ALL: various bug workarounds that should be rather harmless. + * This used to be 0x000FFFFFL before 0.9.7. */ +#define SSL_OP_ALL 0x00000FFFL +/* As server, disallow session resumption on renegotiation */ +#define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0x00010000L /* If set, always create a new key when using tmp_dh parameters */ #define SSL_OP_SINGLE_DH_USE 0x00100000L -/* Set to also use the tmp_rsa key when doing RSA operations. */ +/* Set to always use the tmp_rsa key when doing RSA operations, + * even when this violates protocol specs */ #define SSL_OP_EPHEMERAL_RSA 0x00200000L +/* Set on servers to choose the cipher according to the server's + * preferences */ +#define SSL_OP_CIPHER_SERVER_PREFERENCE 0x00400000L +/* If set, a server will allow a client to issue a SSLv3.0 version number + * as latest version supported in the premaster secret, even when TLSv1.0 + * (version 3.1) was announced in the client hello. Normally this is + * forbidden to prevent version rollback attacks. */ +#define SSL_OP_TLS_ROLLBACK_BUG 0x00800000L #define SSL_OP_NO_SSLv2 0x01000000L #define SSL_OP_NO_SSLv3 0x02000000L @@ -386,9 +507,7 @@ typedef struct ssl_session_st #define SSL_OP_PKCS1_CHECK_1 0x08000000L #define SSL_OP_PKCS1_CHECK_2 0x10000000L #define SSL_OP_NETSCAPE_CA_DN_BUG 0x20000000L -/* SSL_OP_NON_EXPORT_FIRST looks utterly broken .. */ -#define SSL_OP_NON_EXPORT_FIRST 0x40000000L -#define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x80000000L +#define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x40000000L /* Allow SSL_write(..., n) to return r with 0 < r < n (i.e. report success @@ -408,30 +527,60 @@ typedef struct ssl_session_st * they cannot be used to clear bits. */ #define SSL_CTX_set_options(ctx,op) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_OPTIONS,op,NULL) + SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,(op),NULL) #define SSL_CTX_get_options(ctx) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_OPTIONS,0,NULL) + SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,0,NULL) #define SSL_set_options(ssl,op) \ - SSL_ctrl(ssl,SSL_CTRL_OPTIONS,op,NULL) + SSL_ctrl((ssl),SSL_CTRL_OPTIONS,(op),NULL) #define SSL_get_options(ssl) \ - SSL_ctrl(ssl,SSL_CTRL_OPTIONS,0,NULL) + SSL_ctrl((ssl),SSL_CTRL_OPTIONS,0,NULL) #define SSL_CTX_set_mode(ctx,op) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_MODE,op,NULL) + SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,(op),NULL) #define SSL_CTX_get_mode(ctx) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_MODE,0,NULL) + SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,0,NULL) #define SSL_set_mode(ssl,op) \ - SSL_ctrl(ssl,SSL_CTRL_MODE,op,NULL) + SSL_ctrl((ssl),SSL_CTRL_MODE,(op),NULL) #define SSL_get_mode(ssl) \ - SSL_ctrl(ssl,SSL_CTRL_MODE,0,NULL) + SSL_ctrl((ssl),SSL_CTRL_MODE,0,NULL) + + +void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg)); +void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg)); +#define SSL_CTX_set_msg_callback_arg(ctx, arg) SSL_CTX_ctrl((ctx), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg)) +#define SSL_set_msg_callback_arg(ssl, arg) SSL_ctrl((ssl), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg)) + + + +#if defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN32) +#define SSL_MAX_CERT_LIST_DEFAULT 1024*30 /* 30k max cert list :-) */ +#else +#define SSL_MAX_CERT_LIST_DEFAULT 1024*100 /* 100k max cert list :-) */ +#endif #define SSL_SESSION_CACHE_MAX_SIZE_DEFAULT (1024*20) +/* This callback type is used inside SSL_CTX, SSL, and in the functions that set + * them. It is used to override the generation of SSL/TLS session IDs in a + * server. Return value should be zero on an error, non-zero to proceed. Also, + * callbacks should themselves check if the id they generate is unique otherwise + * the SSL handshake will fail with an error - callbacks can do this using the + * 'ssl' value they're passed by; + * SSL_has_matching_session_id(ssl, id, *id_len) + * The length value passed in is set at the maximum size the session ID can be. + * In SSLv2 this is 16 bytes, whereas SSLv3/TLSv1 it is 32 bytes. The callback + * can alter this length to be less if desired, but under SSLv2 session IDs are + * supposed to be fixed at 16 bytes so the id will be padded after the callback + * returns in this case. It is also an error for the callback to set the size to + * zero. */ +typedef int (*GEN_SESSION_CB)(const SSL *ssl, unsigned char *id, + unsigned int *id_len); + typedef struct ssl_comp_st { int id; char *name; -#ifndef NO_COMP +#ifndef OPENSSL_NO_COMP COMP_METHOD *method; #else char *method; @@ -443,8 +592,6 @@ DECLARE_STACK_OF(SSL_COMP) struct ssl_ctx_st { SSL_METHOD *method; - unsigned long options; - unsigned long mode; STACK_OF(SSL_CIPHER) *cipher_list; /* same as above but sorted for lookup */ @@ -482,6 +629,7 @@ struct ssl_ctx_st void (*remove_session_cb)(struct ssl_ctx_st *ctx,SSL_SESSION *sess); SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl, unsigned char *data,int len,int *copy); + struct { int sess_connect; /* SSL new conn - started */ @@ -504,37 +652,20 @@ struct ssl_ctx_st int references; -/**/ void (*info_callback)(); - /* if defined, these override the X509_verify_cert() calls */ -/**/ int (*app_verify_callback)(); -/**/ char *app_verify_arg; /* never used; should be void * */ - - /* default values to use in SSL structures */ -/**/ struct cert_st /* CERT */ *cert; -/**/ int read_ahead; -/**/ int verify_mode; -/**/ int verify_depth; -/**/ unsigned int sid_ctx_length; -/**/ unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH]; -/**/ int (*default_verify_callback)(int ok,X509_STORE_CTX *ctx); - - int purpose; /* Purpose setting */ - int trust; /* Trust setting */ + int (*app_verify_callback)(X509_STORE_CTX *, void *); + void *app_verify_arg; + /* before OpenSSL 0.9.7, 'app_verify_arg' was ignored + * ('app_verify_callback' was called with just one argument) */ /* Default password callback. */ -/**/ pem_password_cb *default_passwd_callback; + pem_password_cb *default_passwd_callback; /* Default password callback user data. */ -/**/ void *default_passwd_callback_userdata; + void *default_passwd_callback_userdata; /* get client cert callback */ -/**/ int (*client_cert_cb)(/* SSL *ssl, X509 **x509, EVP_PKEY **pkey */); - - /* what we put in client cert requests */ - STACK_OF(X509_NAME) *client_CA; - -/**/ int quiet_shutdown; + int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey); CRYPTO_EX_DATA ex_data; @@ -543,7 +674,43 @@ struct ssl_ctx_st const EVP_MD *sha1; /* For SSLv3/TLSv1 'ssl3->sha1' */ STACK_OF(X509) *extra_certs; - STACK_OF(SSL_COMP) *comp_methods; /* stack of SSL_COMP, SSLv3/TLSv1 */ + STACK_OF(SSL_COMP) *comp_methods; /* stack of SSL_COMP, SSLv3/TLSv1 */ + + + /* Default values used when no per-SSL value is defined follow */ + + void (*info_callback)(const SSL *ssl,int type,int val); /* used if SSL's info_callback is NULL */ + + /* what we put in client cert requests */ + STACK_OF(X509_NAME) *client_CA; + + + /* Default values to use in SSL structures follow (these are copied by SSL_new) */ + + unsigned long options; + unsigned long mode; + long max_cert_list; + + struct cert_st /* CERT */ *cert; + int read_ahead; + + /* callback that allows applications to peek at protocol messages */ + void (*msg_callback)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg); + void *msg_callback_arg; + + int verify_mode; + int verify_depth; + unsigned int sid_ctx_length; + unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH]; + int (*default_verify_callback)(int ok,X509_STORE_CTX *ctx); /* called 'verify_callback' in the SSL */ + + /* Default generate session ID callback. */ + GEN_SESSION_CB generate_session_id; + + int purpose; /* Purpose setting */ + int trust; /* Trust setting */ + + int quiet_shutdown; }; #define SSL_SESS_CACHE_OFF 0x0000 @@ -551,10 +718,11 @@ struct ssl_ctx_st #define SSL_SESS_CACHE_SERVER 0x0002 #define SSL_SESS_CACHE_BOTH (SSL_SESS_CACHE_CLIENT|SSL_SESS_CACHE_SERVER) #define SSL_SESS_CACHE_NO_AUTO_CLEAR 0x0080 -/* This one, when set, makes the server session-id lookup not look - * in the cache. If there is an application get_session callback - * defined, this will still get called. */ +/* enough comments already ... see SSL_CTX_set_session_cache_mode(3) */ #define SSL_SESS_CACHE_NO_INTERNAL_LOOKUP 0x0100 +#define SSL_SESS_CACHE_NO_INTERNAL_STORE 0x0200 +#define SSL_SESS_CACHE_NO_INTERNAL \ + (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP|SSL_SESS_CACHE_NO_INTERNAL_STORE) struct lhash_st *SSL_CTX_sessions(SSL_CTX *ctx); #define SSL_CTX_sess_number(ctx) \ @@ -618,7 +786,7 @@ struct ssl_st * same. This is so data can be read and written to different * handlers */ -#ifndef NO_BIO +#ifndef OPENSSL_NO_BIO BIO *rbio; /* used by SSL_read */ BIO *wbio; /* used by SSL_write */ BIO *bbio; /* used during session-id reuse to concatenate @@ -652,7 +820,8 @@ struct ssl_st * 2 if we are a server and are inside a handshake * (i.e. not just sending a HelloRequest) * NB: For servers, the 'new' session may actually be a previously - * cached session or even the previous session */ + * cached session or even the previous session unless + * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */ int quiet_shutdown;/* don't send shutdown packets */ int shutdown; /* we have shut things down, 0x01 sent, 0x02 * for received */ @@ -660,6 +829,7 @@ struct ssl_st int rstate; /* where we are when reading */ BUF_MEM *init_buf; /* buffer used during init */ + void *init_msg; /* pointer to handshake message body, set by ssl3_get_message() */ int init_num; /* amount read/written */ int init_off; /* amount read/written */ @@ -672,6 +842,11 @@ struct ssl_st int read_ahead; /* Read as many input bytes as possible * (for non-blocking reads) */ + + /* callback that allows applications to peek at protocol messages */ + void (*msg_callback)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg); + void *msg_callback_arg; + int hit; /* reusing a previous session */ int purpose; /* Purpose setting */ @@ -686,7 +861,7 @@ struct ssl_st EVP_CIPHER_CTX *enc_read_ctx; /* cryptographic state */ const EVP_MD *read_hash; /* used for mac generation */ -#ifndef NO_COMP +#ifndef OPENSSL_NO_COMP COMP_CTX *expand; /* uncompress */ #else char *expand; @@ -694,7 +869,7 @@ struct ssl_st EVP_CIPHER_CTX *enc_write_ctx; /* cryptographic state */ const EVP_MD *write_hash; /* used for mac generation */ -#ifndef NO_COMP +#ifndef OPENSSL_NO_COMP COMP_CTX *compress; /* compression */ #else char *compress; @@ -714,16 +889,24 @@ struct ssl_st /* This can also be in the session once a session is established */ SSL_SESSION *session; + /* Default generate session ID callback. */ + GEN_SESSION_CB generate_session_id; + /* Used in SSL2 and SSL3 */ int verify_mode; /* 0 don't care about verify failure. * 1 fail if verify fails */ int verify_depth; int (*verify_callback)(int ok,X509_STORE_CTX *ctx); /* fail if callback returns 0 */ - void (*info_callback)(); /* optional informational callback */ + + void (*info_callback)(const SSL *ssl,int type,int val); /* optional informational callback */ int error; /* error bytes to be written */ int error_code; /* actual code */ +#ifndef OPENSSL_NO_KRB5 + KSSL_CTX *kssl_ctx; /* Kerberos 5 context */ +#endif /* OPENSSL_NO_KRB5 */ + SSL_CTX *ctx; /* set this flag to 1 and a sleep(1) is put into all SSL_read() * and SSL_write() calls, good for nbio debuging :-) */ @@ -739,6 +922,7 @@ struct ssl_st int references; unsigned long options; /* protocol behaviour */ unsigned long mode; /* API behaviour */ + long max_cert_list; int first_packet; int client_version; /* what was passed, used for * SSLv3/TLS rollback check */ @@ -900,13 +1084,14 @@ size_t SSL_get_peer_finished(SSL *s, void *buf, size_t count); #define SSL_ERROR_SYSCALL 5 /* look at error stack/return value/errno */ #define SSL_ERROR_ZERO_RETURN 6 #define SSL_ERROR_WANT_CONNECT 7 +#define SSL_ERROR_WANT_ACCEPT 8 #define SSL_CTRL_NEED_TMP_RSA 1 #define SSL_CTRL_SET_TMP_RSA 2 #define SSL_CTRL_SET_TMP_DH 3 #define SSL_CTRL_SET_TMP_RSA_CB 4 #define SSL_CTRL_SET_TMP_DH_CB 5 -/* Add these ones */ + #define SSL_CTRL_GET_SESSION_REUSED 6 #define SSL_CTRL_GET_CLIENT_CERT_REQUEST 7 #define SSL_CTRL_GET_NUM_RENEGOTIATIONS 8 @@ -915,6 +1100,9 @@ size_t SSL_get_peer_finished(SSL *s, void *buf, size_t count); #define SSL_CTRL_GET_FLAGS 11 #define SSL_CTRL_EXTRA_CHAIN_CERT 12 +#define SSL_CTRL_SET_MSG_CALLBACK 13 +#define SSL_CTRL_SET_MSG_CALLBACK_ARG 14 + /* Stats */ #define SSL_CTRL_SESS_NUMBER 20 #define SSL_CTRL_SESS_CONNECT 21 @@ -929,7 +1117,7 @@ size_t SSL_get_peer_finished(SSL *s, void *buf, size_t count); #define SSL_CTRL_SESS_TIMEOUTS 30 #define SSL_CTRL_SESS_CACHE_FULL 31 #define SSL_CTRL_OPTIONS 32 -#define SSL_CTRL_MODE 33 +#define SSL_CTRL_MODE 33 #define SSL_CTRL_GET_READ_AHEAD 40 #define SSL_CTRL_SET_READ_AHEAD 41 @@ -938,6 +1126,9 @@ size_t SSL_get_peer_finished(SSL *s, void *buf, size_t count); #define SSL_CTRL_SET_SESS_CACHE_MODE 44 #define SSL_CTRL_GET_SESS_CACHE_MODE 45 +#define SSL_CTRL_GET_MAX_CERT_LIST 50 +#define SSL_CTRL_SET_MAX_CERT_LIST 51 + #define SSL_session_reused(ssl) \ SSL_ctrl((ssl),SSL_CTRL_GET_SESSION_REUSED,0,NULL) #define SSL_num_renegotiations(ssl) \ @@ -964,23 +1155,7 @@ size_t SSL_get_peer_finished(SSL *s, void *buf, size_t count); #define SSL_CTX_add_extra_chain_cert(ctx,x509) \ SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)x509) -/* VMS uses only 31 characters for symbols. */ -#ifdef VMS -#undef SSL_CTX_set_cert_verify_callback -#define SSL_CTX_set_cert_verify_callback SSL_CTX_set_cert_verify_cb -#undef SSL_CTX_use_certificate_chain_file -#define SSL_CTX_use_certificate_chain_file SSL_CTX_use_cert_chain_file -#undef SSL_CTX_set_default_verify_paths -#define SSL_CTX_set_default_verify_paths SSL_CTX_set_def_verify_paths -#undef SSL_get_ex_data_X509_STORE_CTX_idx -#define SSL_get_ex_data_X509_STORE_CTX_idx SSL_get_ex_data_X509_STOR_CTX_i -#undef SSL_add_file_cert_subjects_to_stack -#define SSL_add_file_cert_subjects_to_stack SSL_add_file_cert_sub_to_stack -#undef SSL_add_dir_cert_subjects_to_stack -#define SSL_add_dir_cert_subjects_to_stack SSL_add_dir_cert_sub_to_stack -#endif - -#ifndef NO_BIO +#ifndef OPENSSL_NO_BIO BIO_METHOD *BIO_f_ssl(void); BIO *BIO_new_ssl(SSL_CTX *ctx,int client); BIO *BIO_new_ssl_connect(SSL_CTX *ctx); @@ -1014,12 +1189,12 @@ const char * SSL_get_cipher_list(SSL *s,int n); char * SSL_get_shared_ciphers(SSL *s, char *buf, int len); int SSL_get_read_ahead(SSL * s); int SSL_pending(SSL *s); -#ifndef NO_SOCK +#ifndef OPENSSL_NO_SOCK int SSL_set_fd(SSL *s, int fd); int SSL_set_rfd(SSL *s, int fd); int SSL_set_wfd(SSL *s, int fd); #endif -#ifndef NO_BIO +#ifndef OPENSSL_NO_BIO void SSL_set_bio(SSL *s, BIO *rbio,BIO *wbio); BIO * SSL_get_rbio(SSL *s); BIO * SSL_get_wbio(SSL *s); @@ -1032,7 +1207,7 @@ int (*SSL_get_verify_callback(SSL *s))(int,X509_STORE_CTX *); void SSL_set_verify(SSL *s, int mode, int (*callback)(int ok,X509_STORE_CTX *ctx)); void SSL_set_verify_depth(SSL *s, int depth); -#ifndef NO_RSA +#ifndef OPENSSL_NO_RSA int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa); #endif int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len); @@ -1041,7 +1216,7 @@ int SSL_use_PrivateKey_ASN1(int pk,SSL *ssl, unsigned char *d, long len); int SSL_use_certificate(SSL *ssl, X509 *x); int SSL_use_certificate_ASN1(SSL *ssl, unsigned char *d, int len); -#ifndef NO_STDIO +#ifndef OPENSSL_NO_STDIO int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type); int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type); int SSL_use_certificate_file(SSL *ssl, const char *file, int type); @@ -1052,15 +1227,22 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file); /* PEM t STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file); int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs, const char *file); +#ifndef OPENSSL_SYS_WIN32 +#ifndef OPENSSL_SYS_VMS +#ifndef OPENSSL_SYS_MACINTOSH_CLASSIC /* XXXXX: Better scheme needed! [was: #ifndef MAC_OS_pre_X] */ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs, const char *dir); #endif +#endif +#endif + +#endif void SSL_load_error_strings(void ); -char * SSL_state_string(SSL *s); -char * SSL_rstate_string(SSL *s); -char * SSL_state_string_long(SSL *s); -char * SSL_rstate_string_long(SSL *s); +const char *SSL_state_string(const SSL *s); +const char *SSL_rstate_string(const SSL *s); +const char *SSL_state_string_long(const SSL *s); +const char *SSL_rstate_string_long(const SSL *s); long SSL_SESSION_get_time(SSL_SESSION *s); long SSL_SESSION_set_time(SSL_SESSION *s, long t); long SSL_SESSION_get_timeout(SSL_SESSION *s); @@ -1070,10 +1252,10 @@ void SSL_copy_session_id(SSL *to,SSL *from); SSL_SESSION *SSL_SESSION_new(void); unsigned long SSL_SESSION_hash(SSL_SESSION *a); int SSL_SESSION_cmp(SSL_SESSION *a,SSL_SESSION *b); -#ifndef NO_FP_API +#ifndef OPENSSL_NO_FP_API int SSL_SESSION_print_fp(FILE *fp,SSL_SESSION *ses); #endif -#ifndef NO_BIO +#ifndef OPENSSL_NO_BIO int SSL_SESSION_print(BIO *fp,SSL_SESSION *ses); #endif void SSL_SESSION_free(SSL_SESSION *ses); @@ -1081,6 +1263,10 @@ int i2d_SSL_SESSION(SSL_SESSION *in,unsigned char **pp); int SSL_set_session(SSL *to, SSL_SESSION *session); int SSL_CTX_add_session(SSL_CTX *s, SSL_SESSION *c); int SSL_CTX_remove_session(SSL_CTX *,SSL_SESSION *c); +int SSL_CTX_set_generate_session_id(SSL_CTX *, GEN_SESSION_CB); +int SSL_set_generate_session_id(SSL *, GEN_SESSION_CB); +int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id, + unsigned int id_len); SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a,unsigned char **pp,long length); #ifdef HEADER_X509_H @@ -1089,18 +1275,14 @@ X509 * SSL_get_peer_certificate(SSL *s); STACK_OF(X509) *SSL_get_peer_cert_chain(SSL *s); -#ifdef VMS -#define SSL_CTX_set_default_passwd_cb_userdata SSL_CTX_set_def_passwd_cb_ud -#endif - int SSL_CTX_get_verify_mode(SSL_CTX *ctx); int SSL_CTX_get_verify_depth(SSL_CTX *ctx); int (*SSL_CTX_get_verify_callback(SSL_CTX *ctx))(int,X509_STORE_CTX *); void SSL_CTX_set_verify(SSL_CTX *ctx,int mode, int (*callback)(int, X509_STORE_CTX *)); void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth); -void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb)(),char *arg); -#ifndef NO_RSA +void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb)(X509_STORE_CTX *,void *), void *arg); +#ifndef OPENSSL_NO_RSA int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa); #endif int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, unsigned char *d, long len); @@ -1134,9 +1316,9 @@ int SSL_connect(SSL *ssl); int SSL_read(SSL *ssl,void *buf,int num); int SSL_peek(SSL *ssl,void *buf,int num); int SSL_write(SSL *ssl,const void *buf,int num); -long SSL_ctrl(SSL *ssl,int cmd, long larg, char *parg); +long SSL_ctrl(SSL *ssl,int cmd, long larg, void *parg); long SSL_callback_ctrl(SSL *, int, void (*)()); -long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd, long larg, char *parg); +long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd, long larg, void *parg); long SSL_CTX_callback_ctrl(SSL_CTX *, int, void (*)()); int SSL_get_error(SSL *s,int ret_code); @@ -1165,14 +1347,15 @@ STACK_OF(SSL_CIPHER) *SSL_get_ciphers(SSL *s); int SSL_do_handshake(SSL *s); int SSL_renegotiate(SSL *s); +int SSL_renegotiate_pending(SSL *s); int SSL_shutdown(SSL *s); SSL_METHOD *SSL_get_ssl_method(SSL *s); int SSL_set_ssl_method(SSL *s,SSL_METHOD *method); -char *SSL_alert_type_string_long(int value); -char *SSL_alert_type_string(int value); -char *SSL_alert_desc_string_long(int value); -char *SSL_alert_desc_string(int value); +const char *SSL_alert_type_string_long(int value); +const char *SSL_alert_type_string(int value); +const char *SSL_alert_desc_string_long(int value); +const char *SSL_alert_desc_string(int value); void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *list); void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *list); @@ -1210,8 +1393,9 @@ int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, SSL_SESSION *SSL_get_session(SSL *ssl); SSL_SESSION *SSL_get1_session(SSL *ssl); /* obtain a reference count */ SSL_CTX *SSL_get_SSL_CTX(SSL *ssl); -void SSL_set_info_callback(SSL *ssl,void (*cb)()); -void (*SSL_get_info_callback(SSL *ssl))(); +void SSL_set_info_callback(SSL *ssl, + void (*cb)(const SSL *ssl,int type,int val)); +void (*SSL_get_info_callback(SSL *ssl))(const SSL *ssl,int type,int val); int SSL_state(SSL *ssl); void SSL_set_verify_result(SSL *ssl,long v); @@ -1249,9 +1433,17 @@ int SSL_get_ex_data_X509_STORE_CTX_idx(void ); SSL_CTX_ctrl(ctx,SSL_CTRL_GET_READ_AHEAD,0,NULL) #define SSL_CTX_set_read_ahead(ctx,m) \ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_READ_AHEAD,m,NULL) +#define SSL_CTX_get_max_cert_list(ctx) \ + SSL_CTX_ctrl(ctx,SSL_CTRL_GET_MAX_CERT_LIST,0,NULL) +#define SSL_CTX_set_max_cert_list(ctx,m) \ + SSL_CTX_ctrl(ctx,SSL_CTRL_SET_MAX_CERT_LIST,m,NULL) +#define SSL_get_max_cert_list(ssl) \ + SSL_ctrl(ssl,SSL_CTRL_GET_MAX_CERT_LIST,0,NULL) +#define SSL_set_max_cert_list(ssl,m) \ + SSL_ctrl(ssl,SSL_CTRL_SET_MAX_CERT_LIST,m,NULL) /* NB: the keylength is only applicable when is_export is true */ -#ifndef NO_RSA +#ifndef OPENSSL_NO_RSA void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx, RSA *(*cb)(SSL *ssl,int is_export, int keylength)); @@ -1260,7 +1452,7 @@ void SSL_set_tmp_rsa_callback(SSL *ssl, RSA *(*cb)(SSL *ssl,int is_export, int keylength)); #endif -#ifndef NO_DH +#ifndef OPENSSL_NO_DH void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx, DH *(*dh)(SSL *ssl,int is_export, int keylength)); @@ -1269,7 +1461,7 @@ void SSL_set_tmp_dh_callback(SSL *ssl, int keylength)); #endif -#ifndef NO_COMP +#ifndef OPENSSL_NO_COMP int SSL_COMP_add_compression_method(int id,COMP_METHOD *cm); #else int SSL_COMP_add_compression_method(int id,char *cm); @@ -1328,6 +1520,7 @@ void ERR_load_SSL_strings(void); #define SSL_F_SSL3_CTRL 213 #define SSL_F_SSL3_CTX_CTRL 133 #define SSL_F_SSL3_ENC 134 +#define SSL_F_SSL3_GENERATE_KEY_BLOCK 238 #define SSL_F_SSL3_GET_CERTIFICATE_REQUEST 135 #define SSL_F_SSL3_GET_CERT_VERIFY 136 #define SSL_F_SSL3_GET_CLIENT_CERTIFICATE 137 @@ -1490,16 +1683,27 @@ void ERR_load_SSL_strings(void); #define SSL_R_HTTPS_PROXY_REQUEST 155 #define SSL_R_HTTP_REQUEST 156 #define SSL_R_ILLEGAL_PADDING 1110 -#define SSL_R_INTERNAL_ERROR 157 #define SSL_R_INVALID_CHALLENGE_LENGTH 158 #define SSL_R_INVALID_COMMAND 280 #define SSL_R_INVALID_PURPOSE 278 #define SSL_R_INVALID_TRUST 279 #define SSL_R_KEY_ARG_TOO_LONG 1112 +#define SSL_R_KRB5 1104 +#define SSL_R_KRB5_C_CC_PRINC 1094 +#define SSL_R_KRB5_C_GET_CRED 1095 +#define SSL_R_KRB5_C_INIT 1096 +#define SSL_R_KRB5_C_MK_REQ 1097 +#define SSL_R_KRB5_S_BAD_TICKET 1098 +#define SSL_R_KRB5_S_INIT 1099 +#define SSL_R_KRB5_S_RD_REQ 1108 +#define SSL_R_KRB5_S_TKT_EXPIRED 1105 +#define SSL_R_KRB5_S_TKT_NYV 1106 +#define SSL_R_KRB5_S_TKT_SKEW 1107 #define SSL_R_LENGTH_MISMATCH 159 #define SSL_R_LENGTH_TOO_SHORT 160 #define SSL_R_LIBRARY_BUG 274 #define SSL_R_LIBRARY_HAS_NO_CIPHERS 161 +#define SSL_R_MASTER_KEY_TOO_LONG 1112 #define SSL_R_MESSAGE_TOO_LONG 1111 #define SSL_R_MISSING_DH_DSA_CERT 162 #define SSL_R_MISSING_DH_KEY 163 @@ -1586,7 +1790,10 @@ void ERR_load_SSL_strings(void); #define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION 228 #define SSL_R_SSL_HANDSHAKE_FAILURE 229 #define SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS 230 +#define SSL_R_SSL_SESSION_ID_CALLBACK_FAILED 1102 +#define SSL_R_SSL_SESSION_ID_CONFLICT 1103 #define SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG 273 +#define SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH 1101 #define SSL_R_SSL_SESSION_ID_IS_DIFFERENT 231 #define SSL_R_TLSV1_ALERT_ACCESS_DENIED 1049 #define SSL_R_TLSV1_ALERT_DECODE_ERROR 1050 diff --git a/crypto/openssl/ssl/ssl2.h b/crypto/openssl/ssl/ssl2.h index 70aae1e..99a52ea 100644 --- a/crypto/openssl/ssl/ssl2.h +++ b/crypto/openssl/ssl/ssl2.h @@ -133,7 +133,7 @@ extern "C" { /* Upper/Lower Bounds */ #define SSL2_MAX_MASTER_KEY_LENGTH_IN_BITS 256 -#ifdef MPE +#ifdef OPENSSL_SYS_MPE #define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER 29998u #else #define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER 32767u /* 2^15-1 */ @@ -189,7 +189,6 @@ typedef struct ssl2_state_st unsigned char *ract_data; unsigned char *wact_data; unsigned char *mac_data; - unsigned char *pad_data_UNUSED; /* only for binary compatibility with 0.9.6b */ unsigned char *read_key; unsigned char *write_key; diff --git a/crypto/openssl/ssl/ssl3.h b/crypto/openssl/ssl/ssl3.h index b45effe..1153aed 100644 --- a/crypto/openssl/ssl/ssl3.h +++ b/crypto/openssl/ssl/ssl3.h @@ -112,7 +112,7 @@ #ifndef HEADER_SSL3_H #define HEADER_SSL3_H -#ifndef NO_COMP +#ifndef OPENSSL_NO_COMP #include <openssl/comp.h> #endif #include <openssl/buffer.h> @@ -156,7 +156,29 @@ extern "C" { #define SSL3_CK_FZA_DMS_NULL_SHA 0x0300001C #define SSL3_CK_FZA_DMS_FZA_SHA 0x0300001D +#if 0 /* Because it clashes with KRB5, is never used any more, and is safe + to remove according to David Hopwood <david.hopwood@zetnet.co.uk> + of the ietf-tls list */ #define SSL3_CK_FZA_DMS_RC4_SHA 0x0300001E +#endif + +/* VRS Additional Kerberos5 entries + */ +#define SSL3_CK_KRB5_DES_64_CBC_SHA 0x0300001E +#define SSL3_CK_KRB5_DES_192_CBC3_SHA 0x0300001F +#define SSL3_CK_KRB5_RC4_128_SHA 0x03000020 +#define SSL3_CK_KRB5_IDEA_128_CBC_SHA 0x03000021 +#define SSL3_CK_KRB5_DES_64_CBC_MD5 0x03000022 +#define SSL3_CK_KRB5_DES_192_CBC3_MD5 0x03000023 +#define SSL3_CK_KRB5_RC4_128_MD5 0x03000024 +#define SSL3_CK_KRB5_IDEA_128_CBC_MD5 0x03000025 + +#define SSL3_CK_KRB5_DES_40_CBC_SHA 0x03000026 +#define SSL3_CK_KRB5_RC2_40_CBC_SHA 0x03000027 +#define SSL3_CK_KRB5_RC4_40_SHA 0x03000028 +#define SSL3_CK_KRB5_DES_40_CBC_MD5 0x03000029 +#define SSL3_CK_KRB5_RC2_40_CBC_MD5 0x0300002A +#define SSL3_CK_KRB5_RC4_40_MD5 0x0300002B #define SSL3_TXT_RSA_NULL_MD5 "NULL-MD5" #define SSL3_TXT_RSA_NULL_SHA "NULL-SHA" @@ -193,6 +215,22 @@ extern "C" { #define SSL3_TXT_FZA_DMS_FZA_SHA "FZA-FZA-CBC-SHA" #define SSL3_TXT_FZA_DMS_RC4_SHA "FZA-RC4-SHA" +#define SSL3_TXT_KRB5_DES_64_CBC_SHA "KRB5-DES-CBC-SHA" +#define SSL3_TXT_KRB5_DES_192_CBC3_SHA "KRB5-DES-CBC3-SHA" +#define SSL3_TXT_KRB5_RC4_128_SHA "KRB5-RC4-SHA" +#define SSL3_TXT_KRB5_IDEA_128_CBC_SHA "KRB5-IDEA-CBC-SHA" +#define SSL3_TXT_KRB5_DES_64_CBC_MD5 "KRB5-DES-CBC-MD5" +#define SSL3_TXT_KRB5_DES_192_CBC3_MD5 "KRB5-DES-CBC3-MD5" +#define SSL3_TXT_KRB5_RC4_128_MD5 "KRB5-RC4-MD5" +#define SSL3_TXT_KRB5_IDEA_128_CBC_MD5 "KRB5-IDEA-CBC-MD5" + +#define SSL3_TXT_KRB5_DES_40_CBC_SHA "EXP-KRB5-DES-CBC-SHA" +#define SSL3_TXT_KRB5_RC2_40_CBC_SHA "EXP-KRB5-RC2-CBC-SHA" +#define SSL3_TXT_KRB5_RC4_40_SHA "EXP-KRB5-RC4-SHA" +#define SSL3_TXT_KRB5_DES_40_CBC_MD5 "EXP-KRB5-DES-CBC-MD5" +#define SSL3_TXT_KRB5_RC2_40_CBC_MD5 "EXP-KRB5-RC2-CBC-MD5" +#define SSL3_TXT_KRB5_RC4_40_MD5 "EXP-KRB5-RC4-MD5" + #define SSL3_SSL_SESSION_ID_LENGTH 32 #define SSL3_MAX_SSL_SESSION_ID_LENGTH 32 @@ -202,7 +240,8 @@ extern "C" { #define SSL3_RT_HEADER_LENGTH 5 /* Due to MS stuffing up, this can change.... */ -#if defined(WIN16) || (defined(MSDOS) && !defined(WIN32)) +#if defined(OPENSSL_SYS_WIN16) || \ + (defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN32)) #define SSL3_RT_MAX_EXTRA (14000) #else #define SSL3_RT_MAX_EXTRA (16384) @@ -256,9 +295,7 @@ typedef struct ssl3_buffer_st { unsigned char *buf; /* at least SSL3_RT_MAX_PACKET_SIZE bytes, * see ssl3_setup_buffers() */ -#if 0 /* put directly into SSL3_STATE for best possible binary compatibility within 0.9.6 series */ size_t len; /* buffer size */ -#endif int offset; /* where to 'copy from' */ int left; /* how many bytes left */ } SSL3_BUFFER; @@ -290,6 +327,10 @@ typedef struct ssl3_state_st unsigned char server_random[SSL3_RANDOM_SIZE]; unsigned char client_random[SSL3_RANDOM_SIZE]; + /* flags for countermeasure against known-IV weakness */ + int need_empty_fragments; + int empty_fragment_done; + SSL3_BUFFER rbuf; /* read IO goes into here */ SSL3_BUFFER wbuf; /* write IO goes into here */ @@ -348,7 +389,7 @@ typedef struct ssl3_state_st /* used to hold the new cipher we are going to use */ SSL_CIPHER *new_cipher; -#ifndef NO_DH +#ifndef OPENSSL_NO_DH DH *dh; #endif /* used when SSL_ST_FLUSH_DATA is entered */ @@ -369,7 +410,7 @@ typedef struct ssl3_state_st const EVP_CIPHER *new_sym_enc; const EVP_MD *new_hash; -#ifndef NO_COMP +#ifndef OPENSSL_NO_COMP const SSL_COMP *new_compression; #else char *new_compression; @@ -377,13 +418,6 @@ typedef struct ssl3_state_st int cert_request; } tmp; - /* flags for countermeasure against known-IV weakness */ - int need_empty_fragments; - int empty_fragment_done; - - size_t rbuf_len; /* substitute for rbuf.len */ - size_t wbuf_len; /* substitute for wbuf.len */ - } SSL3_STATE; /* SSLv3 */ diff --git a/crypto/openssl/ssl/ssl_algs.c b/crypto/openssl/ssl/ssl_algs.c index dde8918..3d1299e 100644 --- a/crypto/openssl/ssl/ssl_algs.c +++ b/crypto/openssl/ssl/ssl_algs.c @@ -63,40 +63,44 @@ int SSL_library_init(void) { -#ifndef NO_DES + +#ifndef OPENSSL_NO_DES EVP_add_cipher(EVP_des_cbc()); EVP_add_cipher(EVP_des_ede3_cbc()); #endif -#ifndef NO_IDEA +#ifndef OPENSSL_NO_IDEA EVP_add_cipher(EVP_idea_cbc()); #endif -#ifndef NO_RC4 +#ifndef OPENSSL_NO_RC4 EVP_add_cipher(EVP_rc4()); #endif -#ifndef NO_RC2 +#ifndef OPENSSL_NO_RC2 EVP_add_cipher(EVP_rc2_cbc()); -#endif - -#ifndef NO_MD2 +#endif +#ifndef OPENSSL_NO_AES + EVP_add_cipher(EVP_aes_128_cbc()); + EVP_add_cipher(EVP_aes_192_cbc()); + EVP_add_cipher(EVP_aes_256_cbc()); +#endif +#ifndef OPENSSL_NO_MD2 EVP_add_digest(EVP_md2()); #endif -#ifndef NO_MD5 +#ifndef OPENSSL_NO_MD5 EVP_add_digest(EVP_md5()); EVP_add_digest_alias(SN_md5,"ssl2-md5"); EVP_add_digest_alias(SN_md5,"ssl3-md5"); #endif -#ifndef NO_SHA +#ifndef OPENSSL_NO_SHA EVP_add_digest(EVP_sha1()); /* RSA with sha1 */ EVP_add_digest_alias(SN_sha1,"ssl3-sha1"); EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA); #endif -#if !defined(NO_SHA) && !defined(NO_DSA) +#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA) EVP_add_digest(EVP_dss1()); /* DSA with sha1 */ EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2); EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1"); EVP_add_digest_alias(SN_dsaWithSHA1,"dss1"); #endif - /* If you want support for phased out ciphers, add the following */ #if 0 EVP_add_digest(EVP_sha()); diff --git a/crypto/openssl/ssl/ssl_asn1.c b/crypto/openssl/ssl/ssl_asn1.c index 00f9fda..16bc11b 100644 --- a/crypto/openssl/ssl/ssl_asn1.c +++ b/crypto/openssl/ssl/ssl_asn1.c @@ -58,10 +58,10 @@ #include <stdio.h> #include <stdlib.h> +#include "ssl_locl.h" #include <openssl/asn1_mac.h> #include <openssl/objects.h> #include <openssl/x509.h> -#include "ssl_locl.h" #include "cryptlib.h" typedef struct ssl_session_asn1_st @@ -73,6 +73,9 @@ typedef struct ssl_session_asn1_st ASN1_OCTET_STRING session_id; ASN1_OCTET_STRING session_id_context; ASN1_OCTET_STRING key_arg; +#ifndef OPENSSL_NO_KRB5 + ASN1_OCTET_STRING krb5_princ; +#endif /* OPENSSL_NO_KRB5 */ ASN1_INTEGER time; ASN1_INTEGER timeout; ASN1_INTEGER verify_result; @@ -143,6 +146,15 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) a.key_arg.type=V_ASN1_OCTET_STRING; a.key_arg.data=in->key_arg; +#ifndef OPENSSL_NO_KRB5 + if (in->krb5_client_princ_len) + { + a.krb5_princ.length=in->krb5_client_princ_len; + a.krb5_princ.type=V_ASN1_OCTET_STRING; + a.krb5_princ.data=in->krb5_client_princ; + } +#endif /* OPENSSL_NO_KRB5 */ + if (in->time != 0L) { a.time.length=LSIZE2; @@ -167,11 +179,16 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) ASN1_INTEGER_set(&a.verify_result,in->verify_result); } + M_ASN1_I2D_len(&(a.version), i2d_ASN1_INTEGER); M_ASN1_I2D_len(&(a.ssl_version), i2d_ASN1_INTEGER); M_ASN1_I2D_len(&(a.cipher), i2d_ASN1_OCTET_STRING); M_ASN1_I2D_len(&(a.session_id), i2d_ASN1_OCTET_STRING); M_ASN1_I2D_len(&(a.master_key), i2d_ASN1_OCTET_STRING); +#ifndef OPENSSL_NO_KRB5 + if (in->krb5_client_princ_len) + M_ASN1_I2D_len(&(a.krb5_princ), i2d_ASN1_OCTET_STRING); +#endif /* OPENSSL_NO_KRB5 */ if (in->key_arg_length > 0) M_ASN1_I2D_len_IMP_opt(&(a.key_arg),i2d_ASN1_OCTET_STRING); if (in->time != 0L) @@ -191,6 +208,10 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) M_ASN1_I2D_put(&(a.cipher), i2d_ASN1_OCTET_STRING); M_ASN1_I2D_put(&(a.session_id), i2d_ASN1_OCTET_STRING); M_ASN1_I2D_put(&(a.master_key), i2d_ASN1_OCTET_STRING); +#ifndef OPENSSL_NO_KRB5 + if (in->krb5_client_princ_len) + M_ASN1_I2D_put(&(a.krb5_princ), i2d_ASN1_OCTET_STRING); +#endif /* OPENSSL_NO_KRB5 */ if (in->key_arg_length > 0) M_ASN1_I2D_put_IMP_opt(&(a.key_arg),i2d_ASN1_OCTET_STRING,0); if (in->time != 0L) @@ -278,6 +299,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp, os.length = sizeof ret->session_id; ret->session_id_length=os.length; + OPENSSL_assert(os.length <= sizeof ret->session_id); memcpy(ret->session_id,os.data,os.length); M_ASN1_D2I_get(osp,d2i_ASN1_OCTET_STRING); @@ -288,6 +310,25 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp, memcpy(ret->master_key,os.data,ret->master_key_length); os.length=0; + +#ifndef OPENSSL_NO_KRB5 + os.length=0; + M_ASN1_D2I_get_opt(osp,d2i_ASN1_OCTET_STRING,V_ASN1_OCTET_STRING); + if (os.data) + { + if (os.length > SSL_MAX_KRB5_PRINCIPAL_LENGTH) + ret->krb5_client_princ_len=0; + else + ret->krb5_client_princ_len=os.length; + memcpy(ret->krb5_client_princ,os.data,ret->krb5_client_princ_len); + OPENSSL_free(os.data); + os.data = NULL; + os.length = 0; + } + else + ret->krb5_client_princ_len=0; +#endif /* OPENSSL_NO_KRB5 */ + M_ASN1_D2I_get_IMP_opt(osp,d2i_ASN1_OCTET_STRING,0,V_ASN1_OCTET_STRING); if (os.length > SSL_MAX_KEY_ARG_LENGTH) ret->key_arg_length=SSL_MAX_KEY_ARG_LENGTH; @@ -330,9 +371,15 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp, if(os.data != NULL) { if (os.length > SSL_MAX_SID_CTX_LENGTH) + { + ret->sid_ctx_length=os.length; SSLerr(SSL_F_D2I_SSL_SESSION,SSL_R_BAD_LENGTH); - ret->sid_ctx_length=os.length; - memcpy(ret->sid_ctx,os.data,os.length); + } + else + { + ret->sid_ctx_length=os.length; + memcpy(ret->sid_ctx,os.data,os.length); + } OPENSSL_free(os.data); os.data=NULL; os.length=0; } else diff --git a/crypto/openssl/ssl/ssl_cert.c b/crypto/openssl/ssl/ssl_cert.c index bb4cb2f..1f12255 100644 --- a/crypto/openssl/ssl/ssl_cert.c +++ b/crypto/openssl/ssl/ssl_cert.c @@ -106,16 +106,19 @@ #include <stdio.h> -#include "openssl/e_os.h" - +#include "e_os.h" #ifndef NO_SYS_TYPES_H # include <sys/types.h> #endif -#if !defined(WIN32) && !defined(VSM) && !defined(NeXT) && !defined(MAC_OS_pre_X) +#if !defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_SYS_VMS) && !defined(NeXT) && !defined(MAC_OS_pre_X) #include <dirent.h> #endif +#if defined(WIN32) +#include <windows.h> +#endif + #ifdef NeXT #include <sys/dir.h> #define dirent direct @@ -129,14 +132,23 @@ int SSL_get_ex_data_X509_STORE_CTX_idx(void) { - static int ssl_x509_store_ctx_idx= -1; + static volatile int ssl_x509_store_ctx_idx= -1; if (ssl_x509_store_ctx_idx < 0) { - ssl_x509_store_ctx_idx=X509_STORE_CTX_get_ex_new_index( - 0,"SSL for verify callback",NULL,NULL,NULL); + /* any write lock will do; usually this branch + * will only be taken once anyway */ + CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); + + if (ssl_x509_store_ctx_idx < 0) + { + ssl_x509_store_ctx_idx=X509_STORE_CTX_get_ex_new_index( + 0,"SSL for verify callback",NULL,NULL,NULL); + } + + CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); } - return(ssl_x509_store_ctx_idx); + return ssl_x509_store_ctx_idx; } CERT *ssl_cert_new(void) @@ -179,16 +191,16 @@ CERT *ssl_cert_dup(CERT *cert) ret->mask = cert->mask; ret->export_mask = cert->export_mask; -#ifndef NO_RSA +#ifndef OPENSSL_NO_RSA if (cert->rsa_tmp != NULL) { + RSA_up_ref(cert->rsa_tmp); ret->rsa_tmp = cert->rsa_tmp; - CRYPTO_add(&ret->rsa_tmp->references, 1, CRYPTO_LOCK_RSA); } ret->rsa_tmp_cb = cert->rsa_tmp_cb; #endif -#ifndef NO_DH +#ifndef OPENSSL_NO_DH if (cert->dh_tmp != NULL) { /* DH parameters don't have a reference count */ @@ -271,14 +283,14 @@ CERT *ssl_cert_dup(CERT *cert) return(ret); -#ifndef NO_DH /* avoid 'unreferenced label' warning if NO_DH is defined */ +#ifndef OPENSSL_NO_DH /* avoid 'unreferenced label' warning if OPENSSL_NO_DH is defined */ err: #endif -#ifndef NO_RSA +#ifndef OPENSSL_NO_RSA if (ret->rsa_tmp != NULL) RSA_free(ret->rsa_tmp); #endif -#ifndef NO_DH +#ifndef OPENSSL_NO_DH if (ret->dh_tmp != NULL) DH_free(ret->dh_tmp); #endif @@ -315,10 +327,10 @@ void ssl_cert_free(CERT *c) } #endif -#ifndef NO_RSA +#ifndef OPENSSL_NO_RSA if (c->rsa_tmp) RSA_free(c->rsa_tmp); #endif -#ifndef NO_DH +#ifndef OPENSSL_NO_DH if (c->dh_tmp) DH_free(c->dh_tmp); #endif @@ -419,11 +431,11 @@ void ssl_sess_cert_free(SESS_CERT *sc) #endif } -#ifndef NO_RSA +#ifndef OPENSSL_NO_RSA if (sc->peer_rsa_tmp != NULL) RSA_free(sc->peer_rsa_tmp); #endif -#ifndef NO_DH +#ifndef OPENSSL_NO_DH if (sc->peer_dh_tmp != NULL) DH_free(sc->peer_dh_tmp); #endif @@ -447,17 +459,23 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk) return(0); x=sk_X509_value(sk,0); - X509_STORE_CTX_init(&ctx,s->ctx->cert_store,x,sk); + if(!X509_STORE_CTX_init(&ctx,s->ctx->cert_store,x,sk)) + { + SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN,ERR_R_X509_LIB); + return(0); + } if (SSL_get_verify_depth(s) >= 0) X509_STORE_CTX_set_depth(&ctx, SSL_get_verify_depth(s)); X509_STORE_CTX_set_ex_data(&ctx,SSL_get_ex_data_X509_STORE_CTX_idx(),s); + /* We need to set the verify purpose. The purpose can be determined by * the context: if its a server it will verify SSL client certificates * or vice versa. - */ - - if(s->server) i = X509_PURPOSE_SSL_CLIENT; - else i = X509_PURPOSE_SSL_SERVER; + */ + if (s->server) + i = X509_PURPOSE_SSL_CLIENT; + else + i = X509_PURPOSE_SSL_SERVER; X509_STORE_CTX_purpose_inherit(&ctx, i, s->purpose, s->trust); @@ -465,10 +483,14 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk) X509_STORE_CTX_set_verify_cb(&ctx, s->verify_callback); if (s->ctx->app_verify_callback != NULL) +#if 1 /* new with OpenSSL 0.9.7 */ + i=s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg); +#else i=s->ctx->app_verify_callback(&ctx); /* should pass app_verify_arg */ +#endif else { -#ifndef NO_X509_VERIFY +#ifndef OPENSSL_NO_X509_VERIFY i=X509_verify_cert(&ctx); #else i=0; @@ -578,7 +600,7 @@ static int xname_cmp(const X509_NAME * const *a, const X509_NAME * const *b) return(X509_NAME_cmp(*a,*b)); } -#ifndef NO_STDIO +#ifndef OPENSSL_NO_STDIO /*! * Load CA certs from a file into a ::STACK. Note that it is somewhat misnamed; * it doesn't really have anything to do with clients (except that a common use @@ -708,9 +730,9 @@ err: * certs may have been added to \c stack. */ -#ifndef WIN32 -#ifndef VMS /* XXXX This may be fixed in the future */ -#ifndef MAC_OS_pre_X +#ifndef OPENSSL_SYS_WIN32 +#ifndef OPENSSL_SYS_VMS /* XXXX This may be fixed in the future */ +#ifndef OPENSSL_SYS_MACINTOSH_CLASSIC /* XXXXX: Better scheme needed! */ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, const char *dir) @@ -758,4 +780,81 @@ err: #endif #endif + +#else + +int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, + const char *dir) + { + WIN32_FIND_DATA FindFileData; + HANDLE hFind; + int ret = 0; +#ifdef OPENSSL_SYS_WINCE + WCHAR* wdir = NULL; +#endif + + CRYPTO_w_lock(CRYPTO_LOCK_READDIR); + +#ifdef OPENSSL_SYS_WINCE + /* convert strings to UNICODE */ + { + BOOL result = FALSE; + int i; + wdir = malloc((strlen(dir)+1)*2); + if (wdir == NULL) + goto err_noclose; + for (i=0; i<(int)strlen(dir)+1; i++) + wdir[i] = (short)dir[i]; + } +#endif + +#ifdef OPENSSL_SYS_WINCE + hFind = FindFirstFile(wdir, &FindFileData); +#else + hFind = FindFirstFile(dir, &FindFileData); +#endif + /* Note that a side effect is that the CAs will be sorted by name */ + if(hFind == INVALID_HANDLE_VALUE) + { + SYSerr(SYS_F_OPENDIR, get_last_sys_error()); + ERR_add_error_data(3, "opendir('", dir, "')"); + SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK, ERR_R_SYS_LIB); + goto err_noclose; + } + + do + { + char buf[1024]; + int r; + +#ifdef OPENSSL_SYS_WINCE + if(strlen(dir)+_tcslen(FindFileData.cFileName)+2 > sizeof buf) +#else + if(strlen(dir)+strlen(FindFileData.cFileName)+2 > sizeof buf) +#endif + { + SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,SSL_R_PATH_TOO_LONG); + goto err; + } + + r = BIO_snprintf(buf,sizeof buf,"%s/%s",dir,FindFileData.cFileName); + if (r <= 0 || r >= sizeof buf) + goto err; + if(!SSL_add_file_cert_subjects_to_stack(stack,buf)) + goto err; + } + while (FindNextFile(hFind, &FindFileData) != FALSE); + ret = 1; + +err: + FindClose(hFind); +err_noclose: +#ifdef OPENSSL_SYS_WINCE + if (wdir != NULL) + free(wdir); +#endif + CRYPTO_w_unlock(CRYPTO_LOCK_READDIR); + return ret; + } + #endif diff --git a/crypto/openssl/ssl/ssl_ciph.c b/crypto/openssl/ssl/ssl_ciph.c index f63163f..c72be89 100644 --- a/crypto/openssl/ssl/ssl_ciph.c +++ b/crypto/openssl/ssl/ssl_ciph.c @@ -68,7 +68,9 @@ #define SSL_ENC_IDEA_IDX 4 #define SSL_ENC_eFZA_IDX 5 #define SSL_ENC_NULL_IDX 6 -#define SSL_ENC_NUM_IDX 7 +#define SSL_ENC_AES128_IDX 7 +#define SSL_ENC_AES256_IDX 8 +#define SSL_ENC_NUM_IDX 9 static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX]={ NULL,NULL,NULL,NULL,NULL,NULL, @@ -98,8 +100,11 @@ typedef struct cipher_order_st } CIPHER_ORDER; static const SSL_CIPHER cipher_aliases[]={ - /* Don't include eNULL unless specifically enabled */ + /* Don't include eNULL unless specifically enabled. */ {0,SSL_TXT_ALL, 0,SSL_ALL & ~SSL_eNULL, SSL_ALL ,0,0,0,SSL_ALL,SSL_ALL}, /* must be first */ + {0,SSL_TXT_CMPALL,0,SSL_eNULL,0,0,0,0,SSL_ENC_MASK,0}, /* COMPLEMENT OF ALL */ + {0,SSL_TXT_CMPDEF,0,SSL_ADH, 0,0,0,0,SSL_AUTH_MASK,0}, + {0,SSL_TXT_kKRB5,0,SSL_kKRB5,0,0,0,0,SSL_MKEY_MASK,0}, /* VRS Kerberos5 */ {0,SSL_TXT_kRSA,0,SSL_kRSA, 0,0,0,0,SSL_MKEY_MASK,0}, {0,SSL_TXT_kDHr,0,SSL_kDHr, 0,0,0,0,SSL_MKEY_MASK,0}, {0,SSL_TXT_kDHd,0,SSL_kDHd, 0,0,0,0,SSL_MKEY_MASK,0}, @@ -108,6 +113,7 @@ static const SSL_CIPHER cipher_aliases[]={ {0,SSL_TXT_DH, 0,SSL_DH, 0,0,0,0,SSL_MKEY_MASK,0}, {0,SSL_TXT_EDH, 0,SSL_EDH, 0,0,0,0,SSL_MKEY_MASK|SSL_AUTH_MASK,0}, + {0,SSL_TXT_aKRB5,0,SSL_aKRB5,0,0,0,0,SSL_AUTH_MASK,0}, /* VRS Kerberos5 */ {0,SSL_TXT_aRSA,0,SSL_aRSA, 0,0,0,0,SSL_AUTH_MASK,0}, {0,SSL_TXT_aDSS,0,SSL_aDSS, 0,0,0,0,SSL_AUTH_MASK,0}, {0,SSL_TXT_aFZA,0,SSL_aFZA, 0,0,0,0,SSL_AUTH_MASK,0}, @@ -122,12 +128,14 @@ static const SSL_CIPHER cipher_aliases[]={ {0,SSL_TXT_IDEA,0,SSL_IDEA, 0,0,0,0,SSL_ENC_MASK,0}, {0,SSL_TXT_eNULL,0,SSL_eNULL,0,0,0,0,SSL_ENC_MASK,0}, {0,SSL_TXT_eFZA,0,SSL_eFZA, 0,0,0,0,SSL_ENC_MASK,0}, + {0,SSL_TXT_AES, 0,SSL_AES, 0,0,0,0,SSL_ENC_MASK,0}, {0,SSL_TXT_MD5, 0,SSL_MD5, 0,0,0,0,SSL_MAC_MASK,0}, {0,SSL_TXT_SHA1,0,SSL_SHA1, 0,0,0,0,SSL_MAC_MASK,0}, {0,SSL_TXT_SHA, 0,SSL_SHA, 0,0,0,0,SSL_MAC_MASK,0}, {0,SSL_TXT_NULL,0,SSL_NULL, 0,0,0,0,SSL_ENC_MASK,0}, + {0,SSL_TXT_KRB5,0,SSL_KRB5, 0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0}, {0,SSL_TXT_RSA, 0,SSL_RSA, 0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0}, {0,SSL_TXT_ADH, 0,SSL_ADH, 0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK,0}, {0,SSL_TXT_FZA, 0,SSL_FZA, 0,0,0,0,SSL_AUTH_MASK|SSL_MKEY_MASK|SSL_ENC_MASK,0}, @@ -160,6 +168,10 @@ static void load_ciphers(void) EVP_get_cipherbyname(SN_rc2_cbc); ssl_cipher_methods[SSL_ENC_IDEA_IDX]= EVP_get_cipherbyname(SN_idea_cbc); + ssl_cipher_methods[SSL_ENC_AES128_IDX]= + EVP_get_cipherbyname(SN_aes_128_cbc); + ssl_cipher_methods[SSL_ENC_AES256_IDX]= + EVP_get_cipherbyname(SN_aes_256_cbc); ssl_digest_methods[SSL_MD_MD5_IDX]= EVP_get_digestbyname(SN_md5); @@ -220,6 +232,14 @@ int ssl_cipher_get_evp(SSL_SESSION *s, const EVP_CIPHER **enc, case SSL_eNULL: i=SSL_ENC_NULL_IDX; break; + case SSL_AES: + switch(c->alg_bits) + { + case 128: i=SSL_ENC_AES128_IDX; break; + case 256: i=SSL_ENC_AES256_IDX; break; + default: i=-1; break; + } + break; default: i= -1; break; @@ -282,15 +302,18 @@ static unsigned long ssl_cipher_get_disabled(void) unsigned long mask; mask = SSL_kFZA; -#ifdef NO_RSA +#ifdef OPENSSL_NO_RSA mask |= SSL_aRSA|SSL_kRSA; #endif -#ifdef NO_DSA +#ifdef OPENSSL_NO_DSA mask |= SSL_aDSS; #endif -#ifdef NO_DH +#ifdef OPENSSL_NO_DH mask |= SSL_kDHr|SSL_kDHd|SSL_kEDH|SSL_aDH; #endif +#ifdef OPENSSL_NO_KRB5 + mask |= SSL_kKRB5|SSL_aKRB5; +#endif #ifdef SSL_FORBID_ENULL mask |= SSL_eNULL; @@ -302,6 +325,7 @@ static unsigned long ssl_cipher_get_disabled(void) mask |= (ssl_cipher_methods[SSL_ENC_RC2_IDX ] == NULL) ? SSL_RC2 :0; mask |= (ssl_cipher_methods[SSL_ENC_IDEA_IDX] == NULL) ? SSL_IDEA:0; mask |= (ssl_cipher_methods[SSL_ENC_eFZA_IDX] == NULL) ? SSL_eFZA:0; + mask |= (ssl_cipher_methods[SSL_ENC_AES128_IDX] == NULL) ? SSL_AES:0; mask |= (ssl_digest_methods[SSL_MD_MD5_IDX ] == NULL) ? SSL_MD5 :0; mask |= (ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL) ? SSL_SHA1:0; @@ -336,6 +360,9 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method, list[list_num].prev = NULL; list[list_num].active = 0; list_num++; +#ifdef KSSL_DEBUG + printf("\t%d: %s %lx %lx\n",i,c->name,c->id,c->algorithms); +#endif /* KSSL_DEBUG */ /* if (!sk_push(ca_list,(char *)c)) goto err; */ @@ -724,7 +751,12 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, */ if (rule_str == NULL) return(NULL); - if (init_ciphers) load_ciphers(); + if (init_ciphers) + { + CRYPTO_w_lock(CRYPTO_LOCK_SSL); + if (init_ciphers) load_ciphers(); + CRYPTO_w_unlock(CRYPTO_LOCK_SSL); + } /* * To reduce the work to do we only want to process the compiled @@ -738,6 +770,9 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, * it is used for allocation. */ num_of_ciphers = ssl_method->num_ciphers(); +#ifdef KSSL_DEBUG + printf("ssl_create_cipher_list() for %d ciphers\n", num_of_ciphers); +#endif /* KSSL_DEBUG */ list = (CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * num_of_ciphers); if (list == NULL) { @@ -872,8 +907,12 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len) char *ver,*exp; char *kx,*au,*enc,*mac; unsigned long alg,alg2,alg_s; +#ifdef KSSL_DEBUG + static char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s AL=%lx\n"; +#else static char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s\n"; - +#endif /* KSSL_DEBUG */ + alg=cipher->algorithms; alg_s=cipher->algo_strength; alg2=cipher->algorithm2; @@ -901,6 +940,10 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len) case SSL_kDHd: kx="DH/DSS"; break; + case SSL_kKRB5: /* VRS */ + case SSL_KRB5: /* VRS */ + kx="KRB5"; + break; case SSL_kFZA: kx="Fortezza"; break; @@ -922,6 +965,10 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len) case SSL_aDH: au="DH"; break; + case SSL_aKRB5: /* VRS */ + case SSL_KRB5: /* VRS */ + au="KRB5"; + break; case SSL_aFZA: case SSL_aNULL: au="None"; @@ -955,6 +1002,15 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len) case SSL_eNULL: enc="None"; break; + case SSL_AES: + switch(cipher->strength_bits) + { + case 128: enc="AES(128)"; break; + case 192: enc="AES(192)"; break; + case 256: enc="AES(256)"; break; + default: enc="AES(?""?""?)"; break; + } + break; default: enc="unknown"; break; @@ -982,7 +1038,11 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len) else if (len < 128) return("Buffer too small"); +#ifdef KSSL_DEBUG + BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp,alg); +#else BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp); +#endif /* KSSL_DEBUG */ return(buf); } @@ -1053,6 +1113,10 @@ int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm) SSL_COMP *comp; STACK_OF(SSL_COMP) *sk; + if (cm == NULL || cm->type == NID_undef) + return 1; + + MemCheck_off(); comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP)); comp->id=id; comp->method=cm; @@ -1062,10 +1126,13 @@ int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm) sk=ssl_comp_methods; if ((sk == NULL) || !sk_SSL_COMP_push(sk,comp)) { + MemCheck_on(); SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,ERR_R_MALLOC_FAILURE); return(0); } else + { + MemCheck_on(); return(1); + } } - diff --git a/crypto/openssl/ssl/ssl_err.c b/crypto/openssl/ssl/ssl_err.c index b77b35f..d2cb181 100644 --- a/crypto/openssl/ssl/ssl_err.c +++ b/crypto/openssl/ssl/ssl_err.c @@ -63,7 +63,7 @@ #include <openssl/ssl.h> /* BEGIN ERROR CODES */ -#ifndef NO_ERR +#ifndef OPENSSL_NO_ERR static ERR_STRING_DATA SSL_str_functs[]= { {ERR_PACK(0,SSL_F_CLIENT_CERTIFICATE,0), "CLIENT_CERTIFICATE"}, @@ -110,6 +110,7 @@ static ERR_STRING_DATA SSL_str_functs[]= {ERR_PACK(0,SSL_F_SSL3_CTRL,0), "SSL3_CTRL"}, {ERR_PACK(0,SSL_F_SSL3_CTX_CTRL,0), "SSL3_CTX_CTRL"}, {ERR_PACK(0,SSL_F_SSL3_ENC,0), "SSL3_ENC"}, +{ERR_PACK(0,SSL_F_SSL3_GENERATE_KEY_BLOCK,0), "SSL3_GENERATE_KEY_BLOCK"}, {ERR_PACK(0,SSL_F_SSL3_GET_CERTIFICATE_REQUEST,0), "SSL3_GET_CERTIFICATE_REQUEST"}, {ERR_PACK(0,SSL_F_SSL3_GET_CERT_VERIFY,0), "SSL3_GET_CERT_VERIFY"}, {ERR_PACK(0,SSL_F_SSL3_GET_CLIENT_CERTIFICATE,0), "SSL3_GET_CLIENT_CERTIFICATE"}, @@ -275,16 +276,27 @@ static ERR_STRING_DATA SSL_str_reasons[]= {SSL_R_HTTPS_PROXY_REQUEST ,"https proxy request"}, {SSL_R_HTTP_REQUEST ,"http request"}, {SSL_R_ILLEGAL_PADDING ,"illegal padding"}, -{SSL_R_INTERNAL_ERROR ,"internal error"}, {SSL_R_INVALID_CHALLENGE_LENGTH ,"invalid challenge length"}, {SSL_R_INVALID_COMMAND ,"invalid command"}, {SSL_R_INVALID_PURPOSE ,"invalid purpose"}, {SSL_R_INVALID_TRUST ,"invalid trust"}, {SSL_R_KEY_ARG_TOO_LONG ,"key arg too long"}, +{SSL_R_KRB5 ,"krb5"}, +{SSL_R_KRB5_C_CC_PRINC ,"krb5 client cc principal (no tkt?)"}, +{SSL_R_KRB5_C_GET_CRED ,"krb5 client get cred"}, +{SSL_R_KRB5_C_INIT ,"krb5 client init"}, +{SSL_R_KRB5_C_MK_REQ ,"krb5 client mk_req (expired tkt?)"}, +{SSL_R_KRB5_S_BAD_TICKET ,"krb5 server bad ticket"}, +{SSL_R_KRB5_S_INIT ,"krb5 server init"}, +{SSL_R_KRB5_S_RD_REQ ,"krb5 server rd_req (keytab perms?)"}, +{SSL_R_KRB5_S_TKT_EXPIRED ,"krb5 server tkt expired"}, +{SSL_R_KRB5_S_TKT_NYV ,"krb5 server tkt not yet valid"}, +{SSL_R_KRB5_S_TKT_SKEW ,"krb5 server tkt skew"}, {SSL_R_LENGTH_MISMATCH ,"length mismatch"}, {SSL_R_LENGTH_TOO_SHORT ,"length too short"}, {SSL_R_LIBRARY_BUG ,"library bug"}, {SSL_R_LIBRARY_HAS_NO_CIPHERS ,"library has no ciphers"}, +{SSL_R_MASTER_KEY_TOO_LONG ,"master key too long"}, {SSL_R_MESSAGE_TOO_LONG ,"message too long"}, {SSL_R_MISSING_DH_DSA_CERT ,"missing dh dsa cert"}, {SSL_R_MISSING_DH_KEY ,"missing dh key"}, @@ -371,7 +383,10 @@ static ERR_STRING_DATA SSL_str_reasons[]= {SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION,"ssl ctx has no default ssl version"}, {SSL_R_SSL_HANDSHAKE_FAILURE ,"ssl handshake failure"}, {SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS ,"ssl library has no ciphers"}, +{SSL_R_SSL_SESSION_ID_CALLBACK_FAILED ,"ssl session id callback failed"}, +{SSL_R_SSL_SESSION_ID_CONFLICT ,"ssl session id conflict"}, {SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG ,"ssl session id context too long"}, +{SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH ,"ssl session id has bad length"}, {SSL_R_SSL_SESSION_ID_IS_DIFFERENT ,"ssl session id is different"}, {SSL_R_TLSV1_ALERT_ACCESS_DENIED ,"tlsv1 alert access denied"}, {SSL_R_TLSV1_ALERT_DECODE_ERROR ,"tlsv1 alert decode error"}, @@ -437,7 +452,7 @@ void ERR_load_SSL_strings(void) if (init) { init=0; -#ifndef NO_ERR +#ifndef OPENSSL_NO_ERR ERR_load_strings(ERR_LIB_SSL,SSL_str_functs); ERR_load_strings(ERR_LIB_SSL,SSL_str_reasons); #endif diff --git a/crypto/openssl/ssl/ssl_err2.c b/crypto/openssl/ssl/ssl_err2.c index cc089a6..ea95a5f 100644 --- a/crypto/openssl/ssl/ssl_err2.c +++ b/crypto/openssl/ssl/ssl_err2.c @@ -62,7 +62,7 @@ void SSL_load_error_strings(void) { -#ifndef NO_ERR +#ifndef OPENSSL_NO_ERR ERR_load_crypto_strings(); ERR_load_SSL_strings(); #endif diff --git a/crypto/openssl/ssl/ssl_lib.c b/crypto/openssl/ssl/ssl_lib.c index 4f84a34..091326f 100644 --- a/crypto/openssl/ssl/ssl_lib.c +++ b/crypto/openssl/ssl/ssl_lib.c @@ -57,22 +57,74 @@ * copied and put under another distribution licence * [including the GNU Public Licence.] */ +/* ==================================================================== + * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ -#include <assert.h> +#ifdef REF_CHECK +# include <assert.h> +#endif #include <stdio.h> +#include "ssl_locl.h" +#include "kssl_lcl.h" #include <openssl/objects.h> #include <openssl/lhash.h> #include <openssl/x509v3.h> -#include "ssl_locl.h" +#include "cryptlib.h" const char *SSL_version_str=OPENSSL_VERSION_TEXT; -static STACK_OF(CRYPTO_EX_DATA_FUNCS) *ssl_meth=NULL; -static STACK_OF(CRYPTO_EX_DATA_FUNCS) *ssl_ctx_meth=NULL; -static int ssl_meth_num=0; -static int ssl_ctx_meth_num=0; - OPENSSL_GLOBAL SSL3_ENC_METHOD ssl3_undef_enc_method={ /* evil casts, but these functions are only called if there's a library bug */ (int (*)(SSL *,int))ssl_undefined_function, @@ -110,7 +162,7 @@ int SSL_clear(SSL *s) #else if (s->new_session) { - SSLerr(SSL_F_SSL_CLEAR,SSL_R_INTERNAL_ERROR); + SSLerr(SSL_F_SSL_CLEAR,ERR_R_INTERNAL_ERROR); return 0; } #endif @@ -189,6 +241,14 @@ SSL *SSL_new(SSL_CTX *ctx) if (s == NULL) goto err; memset(s,0,sizeof(SSL)); +#ifndef OPENSSL_NO_KRB5 + s->kssl_ctx = kssl_ctx_new(); +#endif /* OPENSSL_NO_KRB5 */ + + s->options=ctx->options; + s->mode=ctx->mode; + s->max_cert_list=ctx->max_cert_list; + if (ctx->cert != NULL) { /* Earlier library versions used to copy the pointer to @@ -207,13 +267,21 @@ SSL *SSL_new(SSL_CTX *ctx) } else s->cert=NULL; /* Cannot really happen (see SSL_CTX_new) */ - s->sid_ctx_length=ctx->sid_ctx_length; - memcpy(&s->sid_ctx,&ctx->sid_ctx,sizeof(s->sid_ctx)); + + s->read_ahead=ctx->read_ahead; + s->msg_callback=ctx->msg_callback; + s->msg_callback_arg=ctx->msg_callback_arg; s->verify_mode=ctx->verify_mode; s->verify_depth=ctx->verify_depth; + s->sid_ctx_length=ctx->sid_ctx_length; + OPENSSL_assert(s->sid_ctx_length <= sizeof s->sid_ctx); + memcpy(&s->sid_ctx,&ctx->sid_ctx,sizeof(s->sid_ctx)); s->verify_callback=ctx->default_verify_callback; + s->generate_session_id=ctx->generate_session_id; s->purpose = ctx->purpose; s->trust = ctx->trust; + s->quiet_shutdown=ctx->quiet_shutdown; + CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX); s->ctx=ctx; @@ -224,15 +292,12 @@ SSL *SSL_new(SSL_CTX *ctx) if (!s->method->ssl_new(s)) goto err; - s->quiet_shutdown=ctx->quiet_shutdown; s->references=1; s->server=(ctx->method->ssl_accept == ssl_undefined_function)?0:1; - s->options=ctx->options; - s->mode=ctx->mode; - s->read_ahead=ctx->read_ahead; /* used to happen in SSL_clear */ + SSL_clear(s); - CRYPTO_new_ex_data(ssl_meth,s,&s->ex_data); + CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data); return(s); err: @@ -251,7 +316,7 @@ err: int SSL_CTX_set_session_id_context(SSL_CTX *ctx,const unsigned char *sid_ctx, unsigned int sid_ctx_len) { - if(sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) + if(sid_ctx_len > sizeof ctx->sid_ctx) { SSLerr(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT,SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG); return 0; @@ -276,45 +341,75 @@ int SSL_set_session_id_context(SSL *ssl,const unsigned char *sid_ctx, return 1; } -int SSL_CTX_set_purpose(SSL_CTX *s, int purpose) -{ - if(X509_PURPOSE_get_by_id(purpose) == -1) { - SSLerr(SSL_F_SSL_CTX_SET_PURPOSE, SSL_R_INVALID_PURPOSE); - return 0; +int SSL_CTX_set_generate_session_id(SSL_CTX *ctx, GEN_SESSION_CB cb) + { + CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); + ctx->generate_session_id = cb; + CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); + return 1; } - s->purpose = purpose; + +int SSL_set_generate_session_id(SSL *ssl, GEN_SESSION_CB cb) + { + CRYPTO_w_lock(CRYPTO_LOCK_SSL); + ssl->generate_session_id = cb; + CRYPTO_w_unlock(CRYPTO_LOCK_SSL); return 1; -} + } -int SSL_set_purpose(SSL *s, int purpose) -{ - if(X509_PURPOSE_get_by_id(purpose) == -1) { - SSLerr(SSL_F_SSL_SET_PURPOSE, SSL_R_INVALID_PURPOSE); +int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id, + unsigned int id_len) + { + /* A quick examination of SSL_SESSION_hash and SSL_SESSION_cmp shows how + * we can "construct" a session to give us the desired check - ie. to + * find if there's a session in the hash table that would conflict with + * any new session built out of this id/id_len and the ssl_version in + * use by this SSL. */ + SSL_SESSION r, *p; + + if(id_len > sizeof r.session_id) return 0; + + r.ssl_version = ssl->version; + r.session_id_length = id_len; + memcpy(r.session_id, id, id_len); + /* NB: SSLv2 always uses a fixed 16-byte session ID, so even if a + * callback is calling us to check the uniqueness of a shorter ID, it + * must be compared as a padded-out ID because that is what it will be + * converted to when the callback has finished choosing it. */ + if((r.ssl_version == SSL2_VERSION) && + (id_len < SSL2_SSL_SESSION_ID_LENGTH)) + { + memset(r.session_id + id_len, 0, + SSL2_SSL_SESSION_ID_LENGTH - id_len); + r.session_id_length = SSL2_SSL_SESSION_ID_LENGTH; + } + + CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX); + p = (SSL_SESSION *)lh_retrieve(ssl->ctx->sessions, &r); + CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); + return (p != NULL); } - s->purpose = purpose; - return 1; -} - + +int SSL_CTX_set_purpose(SSL_CTX *s, int purpose) + { + return X509_PURPOSE_set(&s->purpose, purpose); + } + +int SSL_set_purpose(SSL *s, int purpose) + { + return X509_PURPOSE_set(&s->purpose, purpose); + } + int SSL_CTX_set_trust(SSL_CTX *s, int trust) -{ - if(X509_TRUST_get_by_id(trust) == -1) { - SSLerr(SSL_F_SSL_CTX_SET_TRUST, SSL_R_INVALID_TRUST); - return 0; + { + return X509_TRUST_set(&s->trust, trust); } - s->trust = trust; - return 1; -} int SSL_set_trust(SSL *s, int trust) -{ - if(X509_TRUST_get_by_id(trust) == -1) { - SSLerr(SSL_F_SSL_SET_TRUST, SSL_R_INVALID_TRUST); - return 0; + { + return X509_TRUST_set(&s->trust, trust); } - s->trust = trust; - return 1; -} void SSL_free(SSL *s) { @@ -336,7 +431,7 @@ void SSL_free(SSL *s) } #endif - CRYPTO_free_ex_data(ssl_meth,(char *)s,&s->ex_data); + CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data); if (s->bbio != NULL) { @@ -436,7 +531,7 @@ int SSL_get_wfd(SSL *s) return(ret); } -#ifndef NO_SOCK +#ifndef OPENSSL_NO_SOCK int SSL_set_fd(SSL *s,int fd) { int ret=0; @@ -591,6 +686,13 @@ int SSL_get_read_ahead(SSL *s) int SSL_pending(SSL *s) { + /* SSL_pending cannot work properly if read-ahead is enabled + * (SSL_[CTX_]ctrl(..., SSL_CTRL_SET_READ_AHEAD, 1, NULL)), + * and it is impossible to fix since SSL_pending cannot report + * errors that may be observed while scanning the new data. + * (Note that SSL_pending() is often used as a boolean value, + * so we'd better not return -1.) + */ return(s->method->ssl_pending(s)); } @@ -800,7 +902,14 @@ int SSL_renegotiate(SSL *s) return(s->method->ssl_renegotiate(s)); } -long SSL_ctrl(SSL *s,int cmd,long larg,char *parg) +int SSL_renegotiate_pending(SSL *s) + { + /* becomes true when negotiation is requested; + * false again once a handshake has finished */ + return (s->new_session != 0); + } + +long SSL_ctrl(SSL *s,int cmd,long larg,void *parg) { long l; @@ -812,10 +921,21 @@ long SSL_ctrl(SSL *s,int cmd,long larg,char *parg) l=s->read_ahead; s->read_ahead=larg; return(l); + + case SSL_CTRL_SET_MSG_CALLBACK_ARG: + s->msg_callback_arg = parg; + return 1; + case SSL_CTRL_OPTIONS: return(s->options|=larg); case SSL_CTRL_MODE: return(s->mode|=larg); + case SSL_CTRL_GET_MAX_CERT_LIST: + return(s->max_cert_list); + case SSL_CTRL_SET_MAX_CERT_LIST: + l=s->max_cert_list; + s->max_cert_list=larg; + return(l); default: return(s->method->ssl_ctrl(s,cmd,larg,parg)); } @@ -825,6 +945,10 @@ long SSL_callback_ctrl(SSL *s, int cmd, void (*fp)()) { switch(cmd) { + case SSL_CTRL_SET_MSG_CALLBACK: + s->msg_callback = (void (*)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))(fp); + return 1; + default: return(s->method->ssl_callback_ctrl(s,cmd,fp)); } @@ -835,7 +959,7 @@ struct lhash_st *SSL_CTX_sessions(SSL_CTX *ctx) return ctx->sessions; } -long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd,long larg,char *parg) +long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd,long larg,void *parg) { long l; @@ -847,6 +971,17 @@ long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd,long larg,char *parg) l=ctx->read_ahead; ctx->read_ahead=larg; return(l); + + case SSL_CTRL_SET_MSG_CALLBACK_ARG: + ctx->msg_callback_arg = parg; + return 1; + + case SSL_CTRL_GET_MAX_CERT_LIST: + return(ctx->max_cert_list); + case SSL_CTRL_SET_MAX_CERT_LIST: + l=ctx->max_cert_list; + ctx->max_cert_list=larg; + return(l); case SSL_CTRL_SET_SESS_CACHE_SIZE: l=ctx->session_cache_size; @@ -898,6 +1033,10 @@ long SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)()) { switch(cmd) { + case SSL_CTRL_SET_MSG_CALLBACK: + ctx->msg_callback = (void (*)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg))(fp); + return 1; + default: return(ctx->method->ssl_ctx_callback_ctrl(ctx,cmd,fp)); } @@ -1036,6 +1175,9 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p) int i,j=0; SSL_CIPHER *c; unsigned char *q; +#ifndef OPENSSL_NO_KRB5 + int nokrb5 = !kssl_tgt_is_available(s->kssl_ctx); +#endif /* OPENSSL_NO_KRB5 */ if (sk == NULL) return(0); q=p; @@ -1043,6 +1185,10 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p) for (i=0; i<sk_SSL_CIPHER_num(sk); i++) { c=sk_SSL_CIPHER_value(sk,i); +#ifndef OPENSSL_NO_KRB5 + if ((c->algorithms & SSL_KRB5) && nokrb5) + continue; +#endif /* OPENSSL_NO_KRB5 */ j=ssl_put_cipher_by_char(s,c,p); p+=j; } @@ -1105,6 +1251,11 @@ unsigned long SSL_SESSION_hash(SSL_SESSION *a) return(l); } +/* NB: If this function (or indeed the hash function which uses a sort of + * coarser function than this one) is changed, ensure + * SSL_CTX_has_matching_session_id() is checked accordingly. It relies on being + * able to construct an SSL_SESSION that will collide with any existing session + * with a matching session ID. */ int SSL_SESSION_cmp(SSL_SESSION *a,SSL_SESSION *b) { if (a->ssl_version != b->ssl_version) @@ -1114,6 +1265,13 @@ int SSL_SESSION_cmp(SSL_SESSION *a,SSL_SESSION *b) return(memcmp(a->session_id,b->session_id,a->session_id_length)); } +/* These wrapper functions should remain rather than redeclaring + * SSL_SESSION_hash and SSL_SESSION_cmp for void* types and casting each + * variable. The reason is that the functions aren't static, they're exposed via + * ssl.h. */ +static IMPLEMENT_LHASH_HASH_FN(SSL_SESSION_hash, SSL_SESSION *) +static IMPLEMENT_LHASH_COMP_FN(SSL_SESSION_cmp, SSL_SESSION *) + SSL_CTX *SSL_CTX_new(SSL_METHOD *meth) { SSL_CTX *ret=NULL; @@ -1146,9 +1304,10 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *meth) /* We take the system default */ ret->session_timeout=meth->get_timeout(); - ret->new_session_cb=NULL; - ret->remove_session_cb=NULL; - ret->get_session_cb=NULL; + ret->new_session_cb=0; + ret->remove_session_cb=0; + ret->get_session_cb=0; + ret->generate_session_id=0; memset((char *)&ret->stats,0,sizeof(ret->stats)); @@ -1163,21 +1322,26 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *meth) ret->info_callback=NULL; - ret->app_verify_callback=NULL; + ret->app_verify_callback=0; ret->app_verify_arg=NULL; + ret->max_cert_list=SSL_MAX_CERT_LIST_DEFAULT; ret->read_ahead=0; + ret->msg_callback=0; + ret->msg_callback_arg=NULL; ret->verify_mode=SSL_VERIFY_NONE; ret->verify_depth=-1; /* Don't impose a limit (but x509_lu.c does) */ + ret->sid_ctx_length=0; ret->default_verify_callback=NULL; if ((ret->cert=ssl_cert_new()) == NULL) goto err; - ret->default_passwd_callback=NULL; + ret->default_passwd_callback=0; ret->default_passwd_callback_userdata=NULL; - ret->client_cert_cb=NULL; + ret->client_cert_cb=0; - ret->sessions=lh_new(SSL_SESSION_hash,SSL_SESSION_cmp); + ret->sessions=lh_new(LHASH_HASH_FN(SSL_SESSION_hash), + LHASH_COMP_FN(SSL_SESSION_cmp)); if (ret->sessions == NULL) goto err; ret->cert_store=X509_STORE_new(); if (ret->cert_store == NULL) goto err; @@ -1211,7 +1375,7 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *meth) if ((ret->client_CA=sk_X509_NAME_new_null()) == NULL) goto err; - CRYPTO_new_ex_data(ssl_ctx_meth,(char *)ret,&ret->ex_data); + CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data); ret->extra_certs=NULL; ret->comp_methods=SSL_COMP_get_compression_methods(); @@ -1224,8 +1388,10 @@ err2: return(NULL); } +#if 0 static void SSL_COMP_free(SSL_COMP *comp) { OPENSSL_free(comp); } +#endif void SSL_CTX_free(SSL_CTX *a) { @@ -1245,13 +1411,24 @@ void SSL_CTX_free(SSL_CTX *a) abort(); /* ok */ } #endif - CRYPTO_free_ex_data(ssl_ctx_meth,(char *)a,&a->ex_data); + /* + * Free internal session cache. However: the remove_cb() may reference + * the ex_data of SSL_CTX, thus the ex_data store can only be removed + * after the sessions were flushed. + * As the ex_data handling routines might also touch the session cache, + * the most secure solution seems to be: empty (flush) the cache, then + * free ex_data, then finally free the cache. + * (See ticket [openssl.org #212].) + */ if (a->sessions != NULL) - { SSL_CTX_flush_sessions(a,0); + + CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_CTX, a, &a->ex_data); + + if (a->sessions != NULL) lh_free(a->sessions); - } + if (a->cert_store != NULL) X509_STORE_free(a->cert_store); if (a->cipher_list != NULL) @@ -1264,8 +1441,12 @@ void SSL_CTX_free(SSL_CTX *a) sk_X509_NAME_pop_free(a->client_CA,X509_NAME_free); if (a->extra_certs != NULL) sk_X509_pop_free(a->extra_certs,X509_free); +#if 0 /* This should never be done, since it removes a global database */ if (a->comp_methods != NULL) sk_SSL_COMP_pop_free(a->comp_methods,SSL_COMP_free); +#else + a->comp_methods = NULL; +#endif OPENSSL_free(a); } @@ -1279,15 +1460,10 @@ void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx,void *u) ctx->default_passwd_callback_userdata=u; } -void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx,int (*cb)(),char *arg) +void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb)(X509_STORE_CTX *,void *), void *arg) { - /* now - * int (*cb)(X509_STORE_CTX *), - * but should be - * int (*cb)(X509_STORE_CTX *, void *arg) - */ ctx->app_verify_callback=cb; - ctx->app_verify_arg=arg; /* never used */ + ctx->app_verify_arg=arg; } void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,int (*cb)(int, X509_STORE_CTX *)) @@ -1313,14 +1489,14 @@ void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher) kl=SSL_C_EXPORT_PKEYLENGTH(cipher); -#ifndef NO_RSA +#ifndef OPENSSL_NO_RSA rsa_tmp=(c->rsa_tmp != NULL || c->rsa_tmp_cb != NULL); rsa_tmp_export=(c->rsa_tmp_cb != NULL || (rsa_tmp && RSA_size(c->rsa_tmp)*8 <= kl)); #else rsa_tmp=rsa_tmp_export=0; #endif -#ifndef NO_DH +#ifndef OPENSSL_NO_DH dh_tmp=(c->dh_tmp != NULL || c->dh_tmp_cb != NULL); dh_tmp_export=(c->dh_tmp_cb != NULL || (dh_tmp && DH_size(c->dh_tmp)*8 <= kl)); @@ -1394,6 +1570,11 @@ void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher) mask|=SSL_aNULL; emask|=SSL_aNULL; +#ifndef OPENSSL_NO_KRB5 + mask|=SSL_kKRB5|SSL_aKRB5; + emask|=SSL_kKRB5|SSL_aKRB5; +#endif + c->mask=mask; c->export_mask=emask; c->valid=1; @@ -1426,9 +1607,14 @@ X509 *ssl_get_server_send_cert(SSL *s) else i=SSL_PKEY_RSA_ENC; } + else if (kalg & SSL_aKRB5) + { + /* VRS something else here? */ + return(NULL); + } else /* if (kalg & SSL_aNULL) */ { - SSLerr(SSL_F_SSL_GET_SERVER_SEND_CERT,SSL_R_INTERNAL_ERROR); + SSLerr(SSL_F_SSL_GET_SERVER_SEND_CERT,ERR_R_INTERNAL_ERROR); return(NULL); } if (c->pkeys[i].x509 == NULL) return(NULL); @@ -1457,7 +1643,7 @@ EVP_PKEY *ssl_get_sign_pkey(SSL *s,SSL_CIPHER *cipher) } else /* if (alg & SSL_aNULL) */ { - SSLerr(SSL_F_SSL_GET_SIGN_PKEY,SSL_R_INTERNAL_ERROR); + SSLerr(SSL_F_SSL_GET_SIGN_PKEY,ERR_R_INTERNAL_ERROR); return(NULL); } } @@ -1472,7 +1658,7 @@ void ssl_update_cache(SSL *s,int mode) i=s->ctx->session_cache_mode; if ((i & mode) && (!s->hit) - && ((i & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP) + && ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE) || SSL_CTX_add_session(s->ctx,s->session)) && (s->ctx->new_session_cb != NULL)) { @@ -1565,6 +1751,8 @@ int SSL_get_error(SSL *s,int i) reason=BIO_get_retry_reason(bio); if (reason == BIO_RR_CONNECT) return(SSL_ERROR_WANT_CONNECT); + else if (reason == BIO_RR_ACCEPT) + return(SSL_ERROR_WANT_ACCEPT); else return(SSL_ERROR_SYSCALL); /* unknown */ } @@ -1583,6 +1771,8 @@ int SSL_get_error(SSL *s,int i) reason=BIO_get_retry_reason(bio); if (reason == BIO_RR_CONNECT) return(SSL_ERROR_WANT_CONNECT); + else if (reason == BIO_RR_ACCEPT) + return(SSL_ERROR_WANT_ACCEPT); else return(SSL_ERROR_SYSCALL); } @@ -1683,7 +1873,11 @@ SSL *SSL_dup(SSL *s) if ((ret=SSL_new(SSL_get_SSL_CTX(s))) == NULL) return(NULL); - + + ret->version = s->version; + ret->type = s->type; + ret->method = s->method; + if (s->session != NULL) { /* This copies session-id, SSL_METHOD, sid_ctx, and 'cert' */ @@ -1714,18 +1908,23 @@ SSL *SSL_dup(SSL *s) s->sid_ctx, s->sid_ctx_length); } + ret->options=s->options; + ret->mode=s->mode; + SSL_set_max_cert_list(ret,SSL_get_max_cert_list(s)); SSL_set_read_ahead(ret,SSL_get_read_ahead(s)); + ret->msg_callback = s->msg_callback; + ret->msg_callback_arg = s->msg_callback_arg; SSL_set_verify(ret,SSL_get_verify_mode(s), SSL_get_verify_callback(s)); SSL_set_verify_depth(ret,SSL_get_verify_depth(s)); + ret->generate_session_id = s->generate_session_id; SSL_set_info_callback(ret,SSL_get_info_callback(s)); ret->debug=s->debug; - ret->options=s->options; /* copy app data, a little dangerous perhaps */ - if (!CRYPTO_dup_ex_data(ssl_meth,&ret->ex_data,&s->ex_data)) + if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL, &ret->ex_data, &s->ex_data)) goto err; /* setup rbio, and wbio */ @@ -1744,6 +1943,19 @@ SSL *SSL_dup(SSL *s) else ret->wbio=ret->rbio; } + ret->rwstate = s->rwstate; + ret->in_handshake = s->in_handshake; + ret->handshake_func = s->handshake_func; + ret->server = s->server; + ret->new_session = s->new_session; + ret->quiet_shutdown = s->quiet_shutdown; + ret->shutdown=s->shutdown; + ret->state=s->state; /* SSL_dup does not really work at any state, though */ + ret->rstate=s->rstate; + ret->init_num = 0; /* would have to copy ret->init_buf, ret->init_msg, ret->init_num, ret->init_off */ + ret->hit=s->hit; + ret->purpose=s->purpose; + ret->trust=s->trust; /* dup the cipher_list and cipher_list_by_id stacks */ if (s->cipher_list != NULL) @@ -1772,11 +1984,6 @@ SSL *SSL_dup(SSL *s) } } - ret->shutdown=s->shutdown; - ret->state=s->state; - ret->handshake_func=s->handshake_func; - ret->server=s->server; - if (0) { err: @@ -1929,7 +2136,7 @@ SSL_CTX *SSL_get_SSL_CTX(SSL *ssl) return(ssl->ctx); } -#ifndef NO_STDIO +#ifndef OPENSSL_NO_STDIO int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx) { return(X509_STORE_set_default_paths(ctx->cert_store)); @@ -1942,14 +2149,15 @@ int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, } #endif -void SSL_set_info_callback(SSL *ssl,void (*cb)()) +void SSL_set_info_callback(SSL *ssl, + void (*cb)(const SSL *ssl,int type,int val)) { ssl->info_callback=cb; } -void (*SSL_get_info_callback(SSL *ssl))(void) +void (*SSL_get_info_callback(SSL *ssl))(const SSL *ssl,int type,int val) { - return((void (*)())ssl->info_callback); + return ssl->info_callback; } int SSL_state(SSL *ssl) @@ -1970,9 +2178,8 @@ long SSL_get_verify_result(SSL *ssl) int SSL_get_ex_new_index(long argl,void *argp,CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func,CRYPTO_EX_free *free_func) { - ssl_meth_num++; - return(CRYPTO_get_ex_new_index(ssl_meth_num-1, - &ssl_meth,argl,argp,new_func,dup_func,free_func)); + return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL, argl, argp, + new_func, dup_func, free_func); } int SSL_set_ex_data(SSL *s,int idx,void *arg) @@ -1988,9 +2195,8 @@ void *SSL_get_ex_data(SSL *s,int idx) int SSL_CTX_get_ex_new_index(long argl,void *argp,CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func,CRYPTO_EX_free *free_func) { - ssl_ctx_meth_num++; - return(CRYPTO_get_ex_new_index(ssl_ctx_meth_num-1, - &ssl_ctx_meth,argl,argp,new_func,dup_func,free_func)); + return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_CTX, argl, argp, + new_func, dup_func, free_func); } int SSL_CTX_set_ex_data(SSL_CTX *s,int idx,void *arg) @@ -2031,7 +2237,7 @@ int SSL_want(SSL *s) * \param cb the callback */ -#ifndef NO_RSA +#ifndef OPENSSL_NO_RSA void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,RSA *(*cb)(SSL *ssl, int is_export, int keylength)) @@ -2068,21 +2274,33 @@ RSA *cb(SSL *ssl,int is_export,int keylength) * \param dh the callback */ -#ifndef NO_DH +#ifndef OPENSSL_NO_DH void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,DH *(*dh)(SSL *ssl,int is_export, int keylength)) - { - SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_DH_CB,(void (*)())dh); - } + { + SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TMP_DH_CB,(void (*)())dh); + } void SSL_set_tmp_dh_callback(SSL *ssl,DH *(*dh)(SSL *ssl,int is_export, int keylength)) - { - SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_DH_CB,(void (*)())dh); - } + { + SSL_callback_ctrl(ssl,SSL_CTRL_SET_TMP_DH_CB,(void (*)())dh); + } #endif -#if defined(_WINDLL) && defined(WIN16) + +void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg)) + { + SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_MSG_CALLBACK, (void (*)())cb); + } +void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg)) + { + SSL_callback_ctrl(ssl, SSL_CTRL_SET_MSG_CALLBACK, (void (*)())cb); + } + + + +#if defined(_WINDLL) && defined(OPENSSL_SYS_WIN16) #include "../crypto/bio/bss_file.c" #endif diff --git a/crypto/openssl/ssl/ssl_locl.h b/crypto/openssl/ssl/ssl_locl.h index d15b330..dd6c7a7 100644 --- a/crypto/openssl/ssl/ssl_locl.h +++ b/crypto/openssl/ssl/ssl_locl.h @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -116,7 +116,7 @@ #include <string.h> #include <errno.h> -#include "openssl/e_os.h" +#include "e_os.h" #include <openssl/buffer.h> #include <openssl/comp.h> @@ -127,6 +127,12 @@ #include <openssl/x509.h> #include <openssl/err.h> #include <openssl/ssl.h> +#include <openssl/symhacks.h> + +#ifdef OPENSSL_BUILD_SHLIBSSL +# undef OPENSSL_EXTERN +# define OPENSSL_EXTERN OPENSSL_EXPORT +#endif #define PKCS1_CHECK @@ -221,48 +227,52 @@ * that the different entities within are mutually exclusive: * ONLY ONE BIT PER MASK CAN BE SET AT A TIME. */ -#define SSL_MKEY_MASK 0x0000001FL +#define SSL_MKEY_MASK 0x0000003FL #define SSL_kRSA 0x00000001L /* RSA key exchange */ #define SSL_kDHr 0x00000002L /* DH cert RSA CA cert */ #define SSL_kDHd 0x00000004L /* DH cert DSA CA cert */ #define SSL_kFZA 0x00000008L #define SSL_kEDH 0x00000010L /* tmp DH key no DH cert */ +#define SSL_kKRB5 0x00000020L /* Kerberos5 key exchange */ #define SSL_EDH (SSL_kEDH|(SSL_AUTH_MASK^SSL_aNULL)) -#define SSL_AUTH_MASK 0x000003e0L -#define SSL_aRSA 0x00000020L /* Authenticate with RSA */ -#define SSL_aDSS 0x00000040L /* Authenticate with DSS */ +#define SSL_AUTH_MASK 0x00000FC0L +#define SSL_aRSA 0x00000040L /* Authenticate with RSA */ +#define SSL_aDSS 0x00000080L /* Authenticate with DSS */ #define SSL_DSS SSL_aDSS -#define SSL_aFZA 0x00000080L -#define SSL_aNULL 0x00000100L /* no Authenticate, ADH */ -#define SSL_aDH 0x00000200L /* no Authenticate, ADH */ +#define SSL_aFZA 0x00000100L +#define SSL_aNULL 0x00000200L /* no Authenticate, ADH */ +#define SSL_aDH 0x00000400L /* no Authenticate, ADH */ +#define SSL_aKRB5 0x00000800L /* Authenticate with KRB5 */ #define SSL_NULL (SSL_eNULL) #define SSL_ADH (SSL_kEDH|SSL_aNULL) #define SSL_RSA (SSL_kRSA|SSL_aRSA) #define SSL_DH (SSL_kDHr|SSL_kDHd|SSL_kEDH) #define SSL_FZA (SSL_aFZA|SSL_kFZA|SSL_eFZA) - -#define SSL_ENC_MASK 0x0001Fc00L -#define SSL_DES 0x00000400L -#define SSL_3DES 0x00000800L -#define SSL_RC4 0x00001000L -#define SSL_RC2 0x00002000L -#define SSL_IDEA 0x00004000L -#define SSL_eFZA 0x00008000L -#define SSL_eNULL 0x00010000L - -#define SSL_MAC_MASK 0x00060000L -#define SSL_MD5 0x00020000L -#define SSL_SHA1 0x00040000L +#define SSL_KRB5 (SSL_kKRB5|SSL_aKRB5) + +#define SSL_ENC_MASK 0x0087F000L +#define SSL_DES 0x00001000L +#define SSL_3DES 0x00002000L +#define SSL_RC4 0x00004000L +#define SSL_RC2 0x00008000L +#define SSL_IDEA 0x00010000L +#define SSL_eFZA 0x00020000L +#define SSL_eNULL 0x00040000L +#define SSL_AES 0x00800000L + +#define SSL_MAC_MASK 0x00180000L +#define SSL_MD5 0x00080000L +#define SSL_SHA1 0x00100000L #define SSL_SHA (SSL_SHA1) -#define SSL_SSL_MASK 0x00180000L -#define SSL_SSLV2 0x00080000L -#define SSL_SSLV3 0x00100000L +#define SSL_SSL_MASK 0x00600000L +#define SSL_SSLV2 0x00200000L +#define SSL_SSLV3 0x00400000L #define SSL_TLSV1 SSL_SSLV3 /* for now */ -/* we have used 001fffff - 11 bits left to go */ +/* we have used 007fffff - 9 bits left to go */ /* * Export and cipher strength information. For each cipher we have to decide @@ -368,11 +378,11 @@ typedef struct cert_st int valid; unsigned long mask; unsigned long export_mask; -#ifndef NO_RSA +#ifndef OPENSSL_NO_RSA RSA *rsa_tmp; RSA *(*rsa_tmp_cb)(SSL *ssl,int is_export,int keysize); #endif -#ifndef NO_DH +#ifndef OPENSSL_NO_DH DH *dh_tmp; DH *(*dh_tmp_cb)(SSL *ssl,int is_export,int keysize); #endif @@ -395,10 +405,10 @@ typedef struct sess_cert_st /* Obviously we don't have the private keys of these, * so maybe we shouldn't even use the CERT_PKEY type here. */ -#ifndef NO_RSA +#ifndef OPENSSL_NO_RSA RSA *peer_rsa_tmp; /* not used for SSL 2 */ #endif -#ifndef NO_DH +#ifndef OPENSSL_NO_DH DH *peer_dh_tmp; /* not used for SSL 2 */ #endif @@ -455,9 +465,9 @@ OPENSSL_EXTERN SSL3_ENC_METHOD ssl3_undef_enc_method; OPENSSL_EXTERN SSL_CIPHER ssl2_ciphers[]; OPENSSL_EXTERN SSL_CIPHER ssl3_ciphers[]; -#ifdef VMS +#ifdef OPENSSL_SYS_VMS #undef SSL_COMP_get_compression_methods -#define SSL_COMP_get_compression_methods SSL_COMP_get_compress_methods +#define SSL_COMP_get_compression_methods SSL_COMP_get_compress_methods #endif @@ -521,8 +531,8 @@ int ssl2_peek(SSL *s, void *buf, int len); int ssl2_write(SSL *s, const void *buf, int len); int ssl2_shutdown(SSL *s); void ssl2_clear(SSL *s); -long ssl2_ctrl(SSL *s,int cmd, long larg, char *parg); -long ssl2_ctx_ctrl(SSL_CTX *s,int cmd, long larg, char *parg); +long ssl2_ctrl(SSL *s,int cmd, long larg, void *parg); +long ssl2_ctx_ctrl(SSL_CTX *s,int cmd, long larg, void *parg); long ssl2_callback_ctrl(SSL *s,int cmd, void (*fp)()); long ssl2_ctx_callback_ctrl(SSL_CTX *s,int cmd, void (*fp)()); int ssl2_pending(SSL *s); @@ -557,8 +567,8 @@ void ssl3_finish_mac(SSL *s, const unsigned char *buf, int len); int ssl3_enc(SSL *s, int send_data); int ssl3_mac(SSL *ssl, unsigned char *md, int send_data); unsigned long ssl3_output_cert_chain(SSL *s, X509 *x); -SSL_CIPHER *ssl3_choose_cipher(SSL *ssl,STACK_OF(SSL_CIPHER) *have, - STACK_OF(SSL_CIPHER) *pref); +SSL_CIPHER *ssl3_choose_cipher(SSL *ssl,STACK_OF(SSL_CIPHER) *clnt, + STACK_OF(SSL_CIPHER) *srvr); int ssl3_setup_buffers(SSL *s); int ssl3_new(SSL *s); void ssl3_free(SSL *s); @@ -569,8 +579,8 @@ int ssl3_peek(SSL *s, void *buf, int len); int ssl3_write(SSL *s, const void *buf, int len); int ssl3_shutdown(SSL *s); void ssl3_clear(SSL *s); -long ssl3_ctrl(SSL *s,int cmd, long larg, char *parg); -long ssl3_ctx_ctrl(SSL_CTX *s,int cmd, long larg, char *parg); +long ssl3_ctrl(SSL *s,int cmd, long larg, void *parg); +long ssl3_ctx_ctrl(SSL_CTX *s,int cmd, long larg, void *parg); long ssl3_callback_ctrl(SSL *s,int cmd, void (*fp)()); long ssl3_ctx_callback_ctrl(SSL_CTX *s,int cmd, void (*fp)()); int ssl3_pending(SSL *s); @@ -583,7 +593,7 @@ int ssl23_write_bytes(SSL *s); int tls1_new(SSL *s); void tls1_free(SSL *s); void tls1_clear(SSL *s); -long tls1_ctrl(SSL *s,int cmd, long larg, char *parg); +long tls1_ctrl(SSL *s,int cmd, long larg, void *parg); long tls1_callback_ctrl(SSL *s,int cmd, void (*fp)()); SSL_METHOD *tlsv1_base_method(void ); diff --git a/crypto/openssl/ssl/ssl_rsa.c b/crypto/openssl/ssl/ssl_rsa.c index 6ec7a5c..03828b6 100644 --- a/crypto/openssl/ssl/ssl_rsa.c +++ b/crypto/openssl/ssl/ssl_rsa.c @@ -57,12 +57,12 @@ */ #include <stdio.h> +#include "ssl_locl.h" #include <openssl/bio.h> #include <openssl/objects.h> #include <openssl/evp.h> #include <openssl/x509.h> #include <openssl/pem.h> -#include "ssl_locl.h" static int ssl_set_cert(CERT *c, X509 *x509); static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey); @@ -81,7 +81,7 @@ int SSL_use_certificate(SSL *ssl, X509 *x) return(ssl_set_cert(ssl->cert,x)); } -#ifndef NO_STDIO +#ifndef OPENSSL_NO_STDIO int SSL_use_certificate_file(SSL *ssl, const char *file, int type) { int j; @@ -148,7 +148,7 @@ int SSL_use_certificate_ASN1(SSL *ssl, unsigned char *d, int len) return(ret); } -#ifndef NO_RSA +#ifndef OPENSSL_NO_RSA int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa) { EVP_PKEY *pkey; @@ -170,7 +170,7 @@ int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa) return(0); } - CRYPTO_add(&rsa->references,1,CRYPTO_LOCK_RSA); + RSA_up_ref(rsa); EVP_PKEY_assign_RSA(pkey,rsa); ret=ssl_set_pkey(ssl->cert,pkey); @@ -198,7 +198,7 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey) EVP_PKEY_free(pktmp); ERR_clear_error(); -#ifndef NO_RSA +#ifndef OPENSSL_NO_RSA /* Don't check the public/private key, this is mostly * for smart cards. */ if ((pkey->type == EVP_PKEY_RSA) && @@ -251,8 +251,8 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey) return(1); } -#ifndef NO_RSA -#ifndef NO_STDIO +#ifndef OPENSSL_NO_RSA +#ifndef OPENSSL_NO_STDIO int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type) { int j,ret=0; @@ -303,7 +303,7 @@ end: int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len) { int ret; - unsigned char *p; + const unsigned char *p; RSA *rsa; p=d; @@ -317,7 +317,7 @@ int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len) RSA_free(rsa); return(ret); } -#endif /* !NO_RSA */ +#endif /* !OPENSSL_NO_RSA */ int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey) { @@ -337,7 +337,7 @@ int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey) return(ret); } -#ifndef NO_STDIO +#ifndef OPENSSL_NO_STDIO int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type) { int j,ret=0; @@ -438,7 +438,7 @@ static int ssl_set_cert(CERT *c, X509 *x) EVP_PKEY_copy_parameters(pkey,c->pkeys[i].privatekey); ERR_clear_error(); -#ifndef NO_RSA +#ifndef OPENSSL_NO_RSA /* Don't check the public/private key, this is mostly * for smart cards. */ if ((c->pkeys[i].privatekey->type == EVP_PKEY_RSA) && @@ -471,7 +471,7 @@ static int ssl_set_cert(CERT *c, X509 *x) } else ok=1; - } /* NO_RSA */ + } /* OPENSSL_NO_RSA */ } else ok=1; @@ -493,7 +493,7 @@ static int ssl_set_cert(CERT *c, X509 *x) return(1); } -#ifndef NO_STDIO +#ifndef OPENSSL_NO_STDIO int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type) { int j; @@ -560,7 +560,7 @@ int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, unsigned char *d) return(ret); } -#ifndef NO_RSA +#ifndef OPENSSL_NO_RSA int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa) { int ret; @@ -582,7 +582,7 @@ int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa) return(0); } - CRYPTO_add(&rsa->references,1,CRYPTO_LOCK_RSA); + RSA_up_ref(rsa); EVP_PKEY_assign_RSA(pkey,rsa); ret=ssl_set_pkey(ctx->cert, pkey); @@ -590,7 +590,7 @@ int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa) return(ret); } -#ifndef NO_STDIO +#ifndef OPENSSL_NO_STDIO int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type) { int j,ret=0; @@ -641,7 +641,7 @@ end: int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, unsigned char *d, long len) { int ret; - unsigned char *p; + const unsigned char *p; RSA *rsa; p=d; @@ -655,7 +655,7 @@ int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, unsigned char *d, long len) RSA_free(rsa); return(ret); } -#endif /* !NO_RSA */ +#endif /* !OPENSSL_NO_RSA */ int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey) { @@ -672,7 +672,7 @@ int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey) return(ssl_set_pkey(ctx->cert,pkey)); } -#ifndef NO_STDIO +#ifndef OPENSSL_NO_STDIO int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type) { int j,ret=0; @@ -735,7 +735,7 @@ int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, unsigned char *d, } -#ifndef NO_STDIO +#ifndef OPENSSL_NO_STDIO /* Read a file that contains our certificate in "PEM" format, * possibly followed by a sequence of CA certificates that should be * sent to the peer in the Certificate message. @@ -800,9 +800,9 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file) * by SSL_CTX_use_certificate). */ } /* When the while loop ends, it's usually just EOF. */ - err = ERR_peek_error(); + err = ERR_peek_last_error(); if (ERR_GET_LIB(err) == ERR_LIB_PEM && ERR_GET_REASON(err) == PEM_R_NO_START_LINE) - (void) ERR_get_error(); + (void)ERR_get_error(); else ret = 0; /* some real error */ } diff --git a/crypto/openssl/ssl/ssl_sess.c b/crypto/openssl/ssl/ssl_sess.c index 2f2d5bc..fbc30b9 100644 --- a/crypto/openssl/ssl/ssl_sess.c +++ b/crypto/openssl/ssl/ssl_sess.c @@ -65,8 +65,6 @@ static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s); static void SSL_SESSION_list_add(SSL_CTX *ctx,SSL_SESSION *s); static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck); -static int ssl_session_num=0; -static STACK_OF(CRYPTO_EX_DATA_FUNCS) *ssl_session_meth=NULL; SSL_SESSION *SSL_get_session(SSL *ssl) /* aka SSL_get0_session; gets 0 objects, just returns a copy of the pointer */ @@ -92,10 +90,8 @@ SSL_SESSION *SSL_get1_session(SSL *ssl) int SSL_SESSION_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) { - ssl_session_num++; - return(CRYPTO_get_ex_new_index(ssl_session_num-1, - &ssl_session_meth, - argl,argp,new_func,dup_func,free_func)); + return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_SESSION, argl, argp, + new_func, dup_func, free_func); } int SSL_SESSION_set_ex_data(SSL_SESSION *s, int idx, void *arg) @@ -127,15 +123,49 @@ SSL_SESSION *SSL_SESSION_new(void) ss->prev=NULL; ss->next=NULL; ss->compress_meth=0; - CRYPTO_new_ex_data(ssl_session_meth,ss,&ss->ex_data); + CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data); return(ss); } +/* Even with SSLv2, we have 16 bytes (128 bits) of session ID space. SSLv3/TLSv1 + * has 32 bytes (256 bits). As such, filling the ID with random gunk repeatedly + * until we have no conflict is going to complete in one iteration pretty much + * "most" of the time (btw: understatement). So, if it takes us 10 iterations + * and we still can't avoid a conflict - well that's a reasonable point to call + * it quits. Either the RAND code is broken or someone is trying to open roughly + * very close to 2^128 (or 2^256) SSL sessions to our server. How you might + * store that many sessions is perhaps a more interesting question ... */ + +#define MAX_SESS_ID_ATTEMPTS 10 +static int def_generate_session_id(const SSL *ssl, unsigned char *id, + unsigned int *id_len) +{ + unsigned int retry = 0; + do + RAND_pseudo_bytes(id, *id_len); + while(SSL_has_matching_session_id(ssl, id, *id_len) && + (++retry < MAX_SESS_ID_ATTEMPTS)); + if(retry < MAX_SESS_ID_ATTEMPTS) + return 1; + /* else - woops a session_id match */ + /* XXX We should also check the external cache -- + * but the probability of a collision is negligible, and + * we could not prevent the concurrent creation of sessions + * with identical IDs since we currently don't have means + * to atomically check whether a session ID already exists + * and make a reservation for it if it does not + * (this problem applies to the internal cache as well). + */ + return 0; +} + int ssl_get_new_session(SSL *s, int session) { /* This gets used by clients and servers. */ + unsigned int tmp; SSL_SESSION *ss=NULL; + GEN_SESSION_CB cb = def_generate_session_id; if ((ss=SSL_SESSION_new()) == NULL) return(0); @@ -174,25 +204,46 @@ int ssl_get_new_session(SSL *s, int session) SSL_SESSION_free(ss); return(0); } - - for (;;) + /* Choose which callback will set the session ID */ + CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX); + if(s->generate_session_id) + cb = s->generate_session_id; + else if(s->ctx->generate_session_id) + cb = s->ctx->generate_session_id; + CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); + /* Choose a session ID */ + tmp = ss->session_id_length; + if(!cb(s, ss->session_id, &tmp)) { - SSL_SESSION *r; - - RAND_pseudo_bytes(ss->session_id,ss->session_id_length); - CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX); - r=(SSL_SESSION *)lh_retrieve(s->ctx->sessions, ss); - CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); - if (r == NULL) break; - /* else - woops a session_id match */ - /* XXX We should also check the external cache -- - * but the probability of a collision is negligible, and - * we could not prevent the concurrent creation of sessions - * with identical IDs since we currently don't have means - * to atomically check whether a session ID already exists - * and make a reservation for it if it does not - * (this problem applies to the internal cache as well). - */ + /* The callback failed */ + SSLerr(SSL_F_SSL_GET_NEW_SESSION, + SSL_R_SSL_SESSION_ID_CALLBACK_FAILED); + SSL_SESSION_free(ss); + return(0); + } + /* Don't allow the callback to set the session length to zero. + * nor set it higher than it was. */ + if(!tmp || (tmp > ss->session_id_length)) + { + /* The callback set an illegal length */ + SSLerr(SSL_F_SSL_GET_NEW_SESSION, + SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH); + SSL_SESSION_free(ss); + return(0); + } + /* If the session length was shrunk and we're SSLv2, pad it */ + if((tmp < ss->session_id_length) && (s->version == SSL2_VERSION)) + memset(ss->session_id + tmp, 0, ss->session_id_length - tmp); + else + ss->session_id_length = tmp; + /* Finally, check for a conflict */ + if(SSL_has_matching_session_id(s, ss->session_id, + ss->session_id_length)) + { + SSLerr(SSL_F_SSL_GET_NEW_SESSION, + SSL_R_SSL_SESSION_ID_CONFLICT); + SSL_SESSION_free(ss); + return(0); } } else @@ -202,7 +253,7 @@ int ssl_get_new_session(SSL *s, int session) if (s->sid_ctx_length > sizeof ss->sid_ctx) { - SSLerr(SSL_F_SSL_GET_NEW_SESSION, SSL_R_INTERNAL_ERROR); + SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_INTERNAL_ERROR); SSL_SESSION_free(ss); return 0; } @@ -258,9 +309,12 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len) if (copy) CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION); - /* The following should not return 1, otherwise, - * things are very strange */ - SSL_CTX_add_session(s->ctx,ret); + /* Add the externally cached session to the internal + * cache as well if and only if we are supposed to. */ + if(!(s->ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_STORE)) + /* The following should not return 1, otherwise, + * things are very strange */ + SSL_CTX_add_session(s->ctx,ret); } if (ret == NULL) goto err; @@ -472,15 +526,15 @@ void SSL_SESSION_free(SSL_SESSION *ss) } #endif - CRYPTO_free_ex_data(ssl_session_meth,ss,&ss->ex_data); + CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data); - memset(ss->key_arg,0,SSL_MAX_KEY_ARG_LENGTH); - memset(ss->master_key,0,SSL_MAX_MASTER_KEY_LENGTH); - memset(ss->session_id,0,SSL_MAX_SSL_SESSION_ID_LENGTH); + OPENSSL_cleanse(ss->key_arg,sizeof ss->key_arg); + OPENSSL_cleanse(ss->master_key,sizeof ss->master_key); + OPENSSL_cleanse(ss->session_id,sizeof ss->session_id); if (ss->sess_cert != NULL) ssl_sess_cert_free(ss->sess_cert); if (ss->peer != NULL) X509_free(ss->peer); if (ss->ciphers != NULL) sk_SSL_CIPHER_free(ss->ciphers); - memset(ss,0,sizeof(*ss)); + OPENSSL_cleanse(ss,sizeof(*ss)); OPENSSL_free(ss); } @@ -510,6 +564,17 @@ int SSL_set_session(SSL *s, SSL_SESSION *session) session->timeout=s->ctx->session_timeout; } +#ifndef OPENSSL_NO_KRB5 + if (s->kssl_ctx && !s->kssl_ctx->client_princ && + session->krb5_client_princ_len > 0) + { + s->kssl_ctx->client_princ = (char *)malloc(session->krb5_client_princ_len + 1); + memcpy(s->kssl_ctx->client_princ,session->krb5_client_princ, + session->krb5_client_princ_len); + s->kssl_ctx->client_princ[session->krb5_client_princ_len] = '\0'; + } +#endif /* OPENSSL_NO_KRB5 */ + /* CRYPTO_w_lock(CRYPTO_LOCK_SSL);*/ CRYPTO_add(&session->references,1,CRYPTO_LOCK_SSL_SESSION); if (s->session != NULL) @@ -601,6 +666,8 @@ static void timeout(SSL_SESSION *s, TIMEOUT_PARAM *p) } } +static IMPLEMENT_LHASH_DOALL_ARG_FN(timeout, SSL_SESSION *, TIMEOUT_PARAM *) + void SSL_CTX_flush_sessions(SSL_CTX *s, long t) { unsigned long i; @@ -613,7 +680,7 @@ void SSL_CTX_flush_sessions(SSL_CTX *s, long t) CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); i=tp.cache->down_load; tp.cache->down_load=0; - lh_doall_arg(tp.cache,(void (*)())timeout,&tp); + lh_doall_arg(tp.cache, LHASH_DOALL_ARG_FN(timeout), &tp); tp.cache->down_load=i; CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); } diff --git a/crypto/openssl/ssl/ssl_stat.c b/crypto/openssl/ssl/ssl_stat.c index 893c98e..b16d253 100644 --- a/crypto/openssl/ssl/ssl_stat.c +++ b/crypto/openssl/ssl/ssl_stat.c @@ -59,9 +59,9 @@ #include <stdio.h> #include "ssl_locl.h" -char *SSL_state_string_long(SSL *s) +const char *SSL_state_string_long(const SSL *s) { - char *str; + const char *str; switch (s->state) { @@ -74,7 +74,7 @@ case SSL_ST_BEFORE|SSL_ST_CONNECT: str="before/connect initialization"; break; case SSL_ST_OK|SSL_ST_CONNECT: str="ok/connect SSL initialization"; break; case SSL_ST_BEFORE|SSL_ST_ACCEPT: str="before/accept initialization"; break; case SSL_ST_OK|SSL_ST_ACCEPT: str="ok/accept SSL initialization"; break; -#ifndef NO_SSL2 +#ifndef OPENSSL_NO_SSL2 case SSL2_ST_CLIENT_START_ENCRYPTION: str="SSLv2 client start encryption"; break; case SSL2_ST_SERVER_START_ENCRYPTION: str="SSLv2 server start encryption"; break; case SSL2_ST_SEND_CLIENT_HELLO_A: str="SSLv2 write client hello A"; break; @@ -115,7 +115,7 @@ case SSL2_ST_X509_GET_SERVER_CERTIFICATE: str="SSLv2 X509 read server certificat case SSL2_ST_X509_GET_CLIENT_CERTIFICATE: str="SSLv2 X509 read client certificate"; break; #endif -#ifndef NO_SSL3 +#ifndef OPENSSL_NO_SSL3 /* SSLv3 additions */ case SSL3_ST_CW_CLNT_HELLO_A: str="SSLv3 write client hello A"; break; case SSL3_ST_CW_CLNT_HELLO_B: str="SSLv3 write client hello B"; break; @@ -182,7 +182,7 @@ case SSL3_ST_SR_CERT_VRFY_A: str="SSLv3 read certificate verify A"; break; case SSL3_ST_SR_CERT_VRFY_B: str="SSLv3 read certificate verify B"; break; #endif -#if !defined(NO_SSL2) && !defined(NO_SSL3) +#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3) /* SSLv2/v3 compatibility states */ /* client */ case SSL23_ST_CW_CLNT_HELLO_A: str="SSLv2/v3 write client hello A"; break; @@ -199,9 +199,9 @@ default: str="unknown state"; break; return(str); } -char *SSL_rstate_string_long(SSL *s) +const char *SSL_rstate_string_long(const SSL *s) { - char *str; + const char *str; switch (s->rstate) { @@ -213,9 +213,9 @@ char *SSL_rstate_string_long(SSL *s) return(str); } -char *SSL_state_string(SSL *s) +const char *SSL_state_string(const SSL *s) { - char *str; + const char *str; switch (s->state) { @@ -223,7 +223,7 @@ case SSL_ST_BEFORE: str="PINIT "; break; case SSL_ST_ACCEPT: str="AINIT "; break; case SSL_ST_CONNECT: str="CINIT "; break; case SSL_ST_OK: str="SSLOK "; break; -#ifndef NO_SSL2 +#ifndef OPENSSL_NO_SSL2 case SSL2_ST_CLIENT_START_ENCRYPTION: str="2CSENC"; break; case SSL2_ST_SERVER_START_ENCRYPTION: str="2SSENC"; break; case SSL2_ST_SEND_CLIENT_HELLO_A: str="2SCH_A"; break; @@ -264,7 +264,7 @@ case SSL2_ST_X509_GET_SERVER_CERTIFICATE: str="2X9GSC"; break; case SSL2_ST_X509_GET_CLIENT_CERTIFICATE: str="2X9GCC"; break; #endif -#ifndef NO_SSL3 +#ifndef OPENSSL_NO_SSL3 /* SSLv3 additions */ case SSL3_ST_SW_FLUSH: case SSL3_ST_CW_FLUSH: str="3FLUSH"; break; @@ -330,7 +330,7 @@ case SSL3_ST_SR_CERT_VRFY_A: str="3RCV_A"; break; case SSL3_ST_SR_CERT_VRFY_B: str="3RCV_B"; break; #endif -#if !defined(NO_SSL2) && !defined(NO_SSL3) +#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3) /* SSLv2/v3 compatibility states */ /* client */ case SSL23_ST_CW_CLNT_HELLO_A: str="23WCHA"; break; @@ -347,7 +347,7 @@ default: str="UNKWN "; break; return(str); } -char *SSL_alert_type_string_long(int value) +const char *SSL_alert_type_string_long(int value) { value>>=8; if (value == SSL3_AL_WARNING) @@ -358,7 +358,7 @@ char *SSL_alert_type_string_long(int value) return("unknown"); } -char *SSL_alert_type_string(int value) +const char *SSL_alert_type_string(int value) { value>>=8; if (value == SSL3_AL_WARNING) @@ -369,9 +369,9 @@ char *SSL_alert_type_string(int value) return("U"); } -char *SSL_alert_desc_string(int value) +const char *SSL_alert_desc_string(int value) { - char *str; + const char *str; switch (value & 0xff) { @@ -404,9 +404,9 @@ char *SSL_alert_desc_string(int value) return(str); } -char *SSL_alert_desc_string_long(int value) +const char *SSL_alert_desc_string_long(int value) { - char *str; + const char *str; switch (value & 0xff) { @@ -487,9 +487,9 @@ char *SSL_alert_desc_string_long(int value) return(str); } -char *SSL_rstate_string(SSL *s) +const char *SSL_rstate_string(const SSL *s) { - char *str; + const char *str; switch (s->rstate) { diff --git a/crypto/openssl/ssl/ssl_task.c b/crypto/openssl/ssl/ssl_task.c index cac701a..b5ce44b 100644 --- a/crypto/openssl/ssl/ssl_task.c +++ b/crypto/openssl/ssl/ssl_task.c @@ -124,7 +124,7 @@ int LIB$INIT_TIMER(), LIB$SHOW_TIMER(); #include <string.h> /* from ssltest.c */ #include <errno.h> -#include "openssl/e_os.h" +#include "e_os.h" #include <openssl/buffer.h> #include <openssl/x509.h> @@ -258,7 +258,7 @@ int doit(io_channel chan, SSL_CTX *s_ctx ) { int status, length, link_state; struct rpc_msg msg; - static char cbuf[200],sbuf[200]; + SSL *s_ssl=NULL; BIO *c_to_s=NULL; BIO *s_to_c=NULL; diff --git a/crypto/openssl/ssl/ssl_txt.c b/crypto/openssl/ssl/ssl_txt.c index 6e33eec..40b76b1 100644 --- a/crypto/openssl/ssl/ssl_txt.c +++ b/crypto/openssl/ssl/ssl_txt.c @@ -60,7 +60,7 @@ #include <openssl/buffer.h> #include "ssl_locl.h" -#ifndef NO_FP_API +#ifndef OPENSSL_NO_FP_API int SSL_SESSION_print_fp(FILE *fp, SSL_SESSION *x) { BIO *b; @@ -139,6 +139,18 @@ int SSL_SESSION_print(BIO *bp, SSL_SESSION *x) { if (BIO_printf(bp,"%02X",x->key_arg[i]) <= 0) goto err; } +#ifndef OPENSSL_NO_KRB5 + if (BIO_puts(bp,"\n Krb5 Principal: ") <= 0) goto err; + if (x->krb5_client_princ_len == 0) + { + if (BIO_puts(bp,"None") <= 0) goto err; + } + else + for (i=0; i<x->krb5_client_princ_len; i++) + { + if (BIO_printf(bp,"%02X",x->krb5_client_princ[i]) <= 0) goto err; + } +#endif /* OPENSSL_NO_KRB5 */ if (x->compress_meth != 0) { SSL_COMP *comp; diff --git a/crypto/openssl/ssl/ssltest.c b/crypto/openssl/ssl/ssltest.c index 5f91ed1..4fa9d41 100644 --- a/crypto/openssl/ssl/ssltest.c +++ b/crypto/openssl/ssl/ssltest.c @@ -55,6 +55,62 @@ * copied and put under another distribution licence * [including the GNU Public Licence.] */ +/* ==================================================================== + * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ + +#define _BSD_SOURCE 1 /* Or gethostname won't be declared properly + on Linux and GNU platforms. */ #include <assert.h> #include <errno.h> @@ -64,33 +120,57 @@ #include <string.h> #include <time.h> -#include "openssl/e_os.h" +#define USE_SOCKETS +#include "e_os.h" #include <openssl/bio.h> #include <openssl/crypto.h> #include <openssl/evp.h> #include <openssl/x509.h> #include <openssl/ssl.h> +#include <openssl/engine.h> #include <openssl/err.h> #include <openssl/rand.h> -#ifdef WINDOWS + +#define _XOPEN_SOURCE_EXTENDED 1 /* Or gethostname won't be declared properly + on Compaq platforms (at least with DEC C). + Do not try to put it earlier, or IPv6 includes + get screwed... + */ + +#ifdef OPENSSL_SYS_WINDOWS +#include <winsock.h> #include "../crypto/bio/bss_file.c" +#else +#include OPENSSL_UNISTD #endif -#ifdef VMS +#ifdef OPENSSL_SYS_VMS # define TEST_SERVER_CERT "SYS$DISK:[-.APPS]SERVER.PEM" # define TEST_CLIENT_CERT "SYS$DISK:[-.APPS]CLIENT.PEM" +#elif defined(OPENSSL_SYS_WINCE) +# define TEST_SERVER_CERT "\\OpenSSL\\server.pem" +# define TEST_CLIENT_CERT "\\OpenSSL\\client.pem" #else # define TEST_SERVER_CERT "../apps/server.pem" # define TEST_CLIENT_CERT "../apps/client.pem" #endif +/* There is really no standard for this, so let's assign some tentative + numbers. In any case, these numbers are only for this test */ +#define COMP_RLE 1 +#define COMP_ZLIB 2 + static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx); -#ifndef NO_RSA +#ifndef OPENSSL_NO_RSA static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export,int keylength); static void free_tmp_rsa(void); #endif -#ifndef NO_DH +static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg); +#define APP_CALLBACK "Test Callback Argument" +static char *app_verify_arg = APP_CALLBACK; + +#ifndef OPENSSL_NO_DH static DH *get_dh512(void); static DH *get_dh1024(void); static DH *get_dh1024dsa(void); @@ -124,18 +204,18 @@ static void sv_usage(void) fprintf(stderr," -reuse - use session-id reuse\n"); fprintf(stderr," -num <val> - number of connections to perform\n"); fprintf(stderr," -bytes <val> - number of bytes to swap between client/server\n"); -#ifndef NO_DH +#ifndef OPENSSL_NO_DH fprintf(stderr," -dhe1024 - use 1024 bit key (safe prime) for DHE\n"); fprintf(stderr," -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n"); fprintf(stderr," -no_dhe - disable DHE\n"); #endif -#ifndef NO_SSL2 +#ifndef OPENSSL_NO_SSL2 fprintf(stderr," -ssl2 - use SSLv2\n"); #endif -#ifndef NO_SSL3 +#ifndef OPENSSL_NO_SSL3 fprintf(stderr," -ssl3 - use SSLv3\n"); #endif -#ifndef NO_TLS1 +#ifndef OPENSSL_NO_TLS1 fprintf(stderr," -tls1 - use TLSv1\n"); #endif fprintf(stderr," -CApath arg - PEM format directory of CA's\n"); @@ -148,6 +228,8 @@ static void sv_usage(void) fprintf(stderr," -bio_pair - Use BIO pairs\n"); fprintf(stderr," -f - Test even cases that can't work\n"); fprintf(stderr," -time - measure processor time used by client and server\n"); + fprintf(stderr," -zlib - use zlib compression\n"); + fprintf(stderr," -time - use rle compression\n"); } static void print_details(SSL *c_ssl, const char *prefix) @@ -169,7 +251,7 @@ static void print_details(SSL *c_ssl, const char *prefix) { if (0) ; -#ifndef NO_RSA +#ifndef OPENSSL_NO_RSA else if (pkey->type == EVP_PKEY_RSA && pkey->pkey.rsa != NULL && pkey->pkey.rsa->n != NULL) { @@ -177,7 +259,7 @@ static void print_details(SSL *c_ssl, const char *prefix) BN_num_bits(pkey->pkey.rsa->n)); } #endif -#ifndef NO_DSA +#ifndef OPENSSL_NO_DSA else if (pkey->type == EVP_PKEY_DSA && pkey->pkey.dsa != NULL && pkey->pkey.dsa->p != NULL) { @@ -194,6 +276,69 @@ static void print_details(SSL *c_ssl, const char *prefix) BIO_printf(bio_stdout,"\n"); } +static void lock_dbg_cb(int mode, int type, const char *file, int line) + { + static int modes[CRYPTO_NUM_LOCKS]; /* = {0, 0, ... } */ + const char *errstr = NULL; + int rw; + + rw = mode & (CRYPTO_READ|CRYPTO_WRITE); + if (!((rw == CRYPTO_READ) || (rw == CRYPTO_WRITE))) + { + errstr = "invalid mode"; + goto err; + } + + if (type < 0 || type > CRYPTO_NUM_LOCKS) + { + errstr = "type out of bounds"; + goto err; + } + + if (mode & CRYPTO_LOCK) + { + if (modes[type]) + { + errstr = "already locked"; + /* must not happen in a single-threaded program + * (would deadlock) */ + goto err; + } + + modes[type] = rw; + } + else if (mode & CRYPTO_UNLOCK) + { + if (!modes[type]) + { + errstr = "not locked"; + goto err; + } + + if (modes[type] != rw) + { + errstr = (rw == CRYPTO_READ) ? + "CRYPTO_r_unlock on write lock" : + "CRYPTO_w_unlock on read lock"; + } + + modes[type] = 0; + } + else + { + errstr = "invalid mode"; + goto err; + } + + err: + if (errstr) + { + /* we cannot use bio_err here */ + fprintf(stderr, "openssl (lock_dbg_cb): %s (mode=%d, type=%d) at %s:%d\n", + errstr, mode, type, file, line); + } + } + int main(int argc, char *argv[]) { char *CApath=NULL,*CAfile=NULL; @@ -203,6 +348,7 @@ int main(int argc, char *argv[]) int tls1=0,ssl2=0,ssl3=0,ret=1; int client_auth=0; int server_auth=0,i; + int app_verify=0; char *server_cert=TEST_SERVER_CERT; char *server_key=NULL; char *client_cert=TEST_CLIENT_CERT; @@ -213,23 +359,39 @@ int main(int argc, char *argv[]) SSL *c_ssl,*s_ssl; int number=1,reuse=0; long bytes=1L; -#ifndef NO_DH +#ifndef OPENSSL_NO_DH DH *dh; int dhe1024 = 0, dhe1024dsa = 0; #endif int no_dhe = 0; int print_time = 0; clock_t s_time = 0, c_time = 0; + int comp = 0; + COMP_METHOD *cm = NULL; verbose = 0; debug = 0; cipher = 0; - + + bio_err=BIO_new_fp(stderr,BIO_NOCLOSE); + + CRYPTO_set_locking_callback(lock_dbg_cb); + + /* enable memory leak checking unless explicitly disabled */ + if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) && (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off")))) + { + CRYPTO_malloc_debug_init(); + CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL); + } + else + { + /* OPENSSL_DEBUG_MEMORY=off */ + CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0); + } CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); RAND_seed(rnd_seed, sizeof rnd_seed); - bio_err=BIO_new_fp(stderr,BIO_NOCLOSE); bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE); argc--; @@ -247,12 +409,22 @@ int main(int argc, char *argv[]) debug=1; else if (strcmp(*argv,"-reuse") == 0) reuse=1; -#ifndef NO_DH else if (strcmp(*argv,"-dhe1024") == 0) + { +#ifndef OPENSSL_NO_DH dhe1024=1; +#else + fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n"); +#endif + } else if (strcmp(*argv,"-dhe1024dsa") == 0) + { +#ifndef OPENSSL_NO_DH dhe1024dsa=1; +#else + fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n"); #endif + } else if (strcmp(*argv,"-no_dhe") == 0) no_dhe=1; else if (strcmp(*argv,"-ssl2") == 0) @@ -333,6 +505,18 @@ int main(int argc, char *argv[]) { print_time = 1; } + else if (strcmp(*argv,"-zlib") == 0) + { + comp = COMP_ZLIB; + } + else if (strcmp(*argv,"-rle") == 0) + { + comp = COMP_RLE; + } + else if (strcmp(*argv,"-app_verify") == 0) + { + app_verify = 1; + } else { fprintf(stderr,"unknown option %s\n",*argv); @@ -355,7 +539,7 @@ bad: "the test anyway (and\n-d to see what happens), " "or add one of -ssl2, -ssl3, -tls1, -reuse\n" "to avoid protocol mismatch.\n"); - exit(1); + EXIT(1); } if (print_time) @@ -374,7 +558,24 @@ bad: SSL_library_init(); SSL_load_error_strings(); -#if !defined(NO_SSL2) && !defined(NO_SSL3) + if (comp == COMP_ZLIB) cm = COMP_zlib(); + if (comp == COMP_RLE) cm = COMP_rle(); + if (cm != NULL) + { + if (cm->type != NID_undef) + SSL_COMP_add_compression_method(comp, cm); + else + { + fprintf(stderr, + "Warning: %s compression not supported\n", + (comp == COMP_RLE ? "rle" : + (comp == COMP_ZLIB ? "zlib" : + "unknown"))); + ERR_print_errors_fp(stderr); + } + } + +#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3) if (ssl2) meth=SSLv2_method(); else @@ -386,7 +587,7 @@ bad: else meth=SSLv23_method(); #else -#ifdef NO_SSL2 +#ifdef OPENSSL_NO_SSL2 meth=SSLv3_method(); #else meth=SSLv2_method(); @@ -407,7 +608,7 @@ bad: SSL_CTX_set_cipher_list(s_ctx,cipher); } -#ifndef NO_DH +#ifndef OPENSSL_NO_DH if (!no_dhe) { if (dhe1024dsa) @@ -427,7 +628,7 @@ bad: (void)no_dhe; #endif -#ifndef NO_RSA +#ifndef OPENSSL_NO_RSA SSL_CTX_set_tmp_rsa_callback(s_ctx,tmp_rsa_cb); #endif @@ -467,12 +668,20 @@ bad: SSL_CTX_set_verify(s_ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback); + if (app_verify) + { + SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, app_verify_arg); + } } if (server_auth) { BIO_printf(bio_err,"server authentication\n"); SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER, verify_callback); + if (app_verify) + { + SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, app_verify_arg); + } } { @@ -483,6 +692,25 @@ bad: c_ssl=SSL_new(c_ctx); s_ssl=SSL_new(s_ctx); +#ifndef OPENSSL_NO_KRB5 + if (c_ssl && c_ssl->kssl_ctx) + { + char localhost[MAXHOSTNAMELEN+2]; + + if (gethostname(localhost, sizeof localhost-1) == 0) + { + localhost[sizeof localhost-1]='\0'; + if(strlen(localhost) == sizeof localhost-1) + { + BIO_printf(bio_err,"localhost name too long\n"); + goto end; + } + kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER, + localhost); + } + } +#endif /* OPENSSL_NO_KRB5 */ + for (i=0; i<number; i++) { if (!reuse) SSL_set_session(c_ssl,NULL); @@ -529,9 +757,11 @@ end: if (bio_stdout != NULL) BIO_free(bio_stdout); -#ifndef NO_RSA +#ifndef OPENSSL_NO_RSA free_tmp_rsa(); #endif + ENGINE_cleanup(); + CRYPTO_cleanup_all_ex_data(); ERR_free_strings(); ERR_remove_state(0); EVP_cleanup(); @@ -620,6 +850,8 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count, int i, r; clock_t c_clock = clock(); + memset(cbuf, 0, sizeof(cbuf)); + if (debug) if (SSL_in_init(c_ssl)) printf("client waiting in SSL_connect - %s\n", @@ -704,6 +936,8 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count, int i, r; clock_t s_clock = clock(); + memset(sbuf, 0, sizeof(sbuf)); + if (debug) if (SSL_in_init(s_ssl)) printf("server waiting in SSL_accept - %s\n", @@ -947,6 +1181,9 @@ int doit(SSL *s_ssl, SSL *c_ssl, long count) int c_write,s_write; int do_server=0,do_client=0; + memset(cbuf,0,sizeof(cbuf)); + memset(sbuf,0,sizeof(sbuf)); + c_to_s=BIO_new(BIO_s_mem()); s_to_c=BIO_new(BIO_s_mem()); if ((s_to_c == NULL) || (c_to_s == NULL)) @@ -1228,7 +1465,8 @@ static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx) { char *s,buf[256]; - s=X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),buf,256); + s=X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),buf, + sizeof buf); if (s != NULL) { if (ok) @@ -1252,7 +1490,26 @@ static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx) return(ok); } -#ifndef NO_RSA +static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg) + { + char *s = NULL,buf[256]; + int ok=1; + + fprintf(stderr, "In app_verify_callback, allowing cert. "); + fprintf(stderr, "Arg is: %s\n", (char *)arg); + fprintf(stderr, "Finished printing do we have a context? 0x%x a cert? 0x%x\n", + (unsigned int)ctx, (unsigned int)ctx->cert); + if (ctx->cert) + s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256); + if (s != NULL) + { + fprintf(stderr,"cert depth=%d %s\n",ctx->error_depth,buf); + } + + return(ok); + } + +#ifndef OPENSSL_NO_RSA static RSA *rsa_tmp=NULL; static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength) @@ -1278,14 +1535,14 @@ static void free_tmp_rsa(void) } #endif -#ifndef NO_DH +#ifndef OPENSSL_NO_DH /* These DH parameters have been generated as follows: * $ openssl dhparam -C -noout 512 * $ openssl dhparam -C -noout 1024 * $ openssl dhparam -C -noout -dsaparam 1024 * (The third function has been renamed to avoid name conflicts.) */ -DH *get_dh512() +static DH *get_dh512() { static unsigned char dh512_p[]={ 0xCB,0xC8,0xE1,0x86,0xD0,0x1F,0x94,0x17,0xA6,0x99,0xF0,0xC6, @@ -1308,7 +1565,7 @@ DH *get_dh512() return(dh); } -DH *get_dh1024() +static DH *get_dh1024() { static unsigned char dh1024_p[]={ 0xF8,0x81,0x89,0x7D,0x14,0x24,0xC5,0xD1,0xE6,0xF7,0xBF,0x3A, @@ -1336,7 +1593,7 @@ DH *get_dh1024() return(dh); } -DH *get_dh1024dsa() +static DH *get_dh1024dsa() { static unsigned char dh1024_p[]={ 0xC8,0x00,0xF7,0x08,0x07,0x89,0x4D,0x90,0x53,0xF3,0xD5,0x00, diff --git a/crypto/openssl/ssl/t1_clnt.c b/crypto/openssl/ssl/t1_clnt.c index 9745630..57205fb 100644 --- a/crypto/openssl/ssl/t1_clnt.c +++ b/crypto/openssl/ssl/t1_clnt.c @@ -57,11 +57,11 @@ */ #include <stdio.h> +#include "ssl_locl.h" #include <openssl/buffer.h> #include <openssl/rand.h> #include <openssl/objects.h> #include <openssl/evp.h> -#include "ssl_locl.h" static SSL_METHOD *tls1_get_client_method(int ver); static SSL_METHOD *tls1_get_client_method(int ver) @@ -79,11 +79,18 @@ SSL_METHOD *TLSv1_client_method(void) if (init) { - memcpy((char *)&TLSv1_client_data,(char *)tlsv1_base_method(), - sizeof(SSL_METHOD)); - TLSv1_client_data.ssl_connect=ssl3_connect; - TLSv1_client_data.get_ssl_method=tls1_get_client_method; - init=0; + CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD); + + if (init) + { + memcpy((char *)&TLSv1_client_data,(char *)tlsv1_base_method(), + sizeof(SSL_METHOD)); + TLSv1_client_data.ssl_connect=ssl3_connect; + TLSv1_client_data.get_ssl_method=tls1_get_client_method; + init=0; + } + + CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD); } return(&TLSv1_client_data); } diff --git a/crypto/openssl/ssl/t1_enc.c b/crypto/openssl/ssl/t1_enc.c index f3ecc5f..271e247 100644 --- a/crypto/openssl/ssl/t1_enc.c +++ b/crypto/openssl/ssl/t1_enc.c @@ -110,12 +110,11 @@ */ #include <stdio.h> +#include "ssl_locl.h" #include <openssl/comp.h> -#include <openssl/md5.h> -#include <openssl/sha.h> #include <openssl/evp.h> #include <openssl/hmac.h> -#include "ssl_locl.h" +#include <openssl/md5.h> static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec, int sec_len, unsigned char *seed, int seed_len, @@ -125,21 +124,25 @@ static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec, unsigned int j; HMAC_CTX ctx; HMAC_CTX ctx_tmp; - unsigned char A1[HMAC_MAX_MD_CBLOCK]; + unsigned char A1[EVP_MAX_MD_SIZE]; unsigned int A1_len; chunk=EVP_MD_size(md); - HMAC_Init(&ctx,sec,sec_len,md); + HMAC_CTX_init(&ctx); + HMAC_CTX_init(&ctx_tmp); + HMAC_Init_ex(&ctx,sec,sec_len,md, NULL); + HMAC_Init_ex(&ctx_tmp,sec,sec_len,md, NULL); HMAC_Update(&ctx,seed,seed_len); HMAC_Final(&ctx,A1,&A1_len); n=0; for (;;) { - HMAC_Init(&ctx,NULL,0,NULL); /* re-init */ + HMAC_Init_ex(&ctx,NULL,0,NULL,NULL); /* re-init */ + HMAC_Init_ex(&ctx_tmp,NULL,0,NULL,NULL); /* re-init */ HMAC_Update(&ctx,A1,A1_len); - memcpy(&ctx_tmp,&ctx,sizeof(ctx)); /* Copy for A2 */ /* not needed for last one */ + HMAC_Update(&ctx_tmp,A1,A1_len); HMAC_Update(&ctx,seed,seed_len); if (olen > chunk) @@ -156,9 +159,9 @@ static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec, break; } } - HMAC_cleanup(&ctx); - HMAC_cleanup(&ctx_tmp); - memset(A1,0,sizeof(A1)); + HMAC_CTX_cleanup(&ctx); + HMAC_CTX_cleanup(&ctx_tmp); + OPENSSL_cleanse(A1,sizeof(A1)); } static void tls1_PRF(const EVP_MD *md5, const EVP_MD *sha1, @@ -201,6 +204,17 @@ static void tls1_generate_key_block(SSL *s, unsigned char *km, tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(p-buf), s->session->master_key,s->session->master_key_length, km,tmp,num); +#ifdef KSSL_DEBUG + printf("tls1_generate_key_block() ==> %d byte master_key =\n\t", + s->session->master_key_length); + { + int i; + for (i=0; i < s->session->master_key_length; i++) + { + printf("%02X", s->session->master_key[i]); + } + printf("\n"); } +#endif /* KSSL_DEBUG */ } int tls1_change_cipher_state(SSL *s, int which) @@ -219,19 +233,35 @@ int tls1_change_cipher_state(SSL *s, int which) const EVP_CIPHER *c; const SSL_COMP *comp; const EVP_MD *m; - int _exp,n,i,j,k,exp_label_len,cl; + int is_export,n,i,j,k,exp_label_len,cl; + int reuse_dd = 0; - _exp=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); + is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); c=s->s3->tmp.new_sym_enc; m=s->s3->tmp.new_hash; comp=s->s3->tmp.new_compression; key_block=s->s3->tmp.key_block; +#ifdef KSSL_DEBUG + printf("tls1_change_cipher_state(which= %d) w/\n", which); + printf("\talg= %ld, comp= %p\n", s->s3->tmp.new_cipher->algorithms, + comp); + printf("\tevp_cipher == %p ==? &d_cbc_ede_cipher3\n", c); + printf("\tevp_cipher: nid, blksz= %d, %d, keylen=%d, ivlen=%d\n", + c->nid,c->block_size,c->key_len,c->iv_len); + printf("\tkey_block: len= %d, data= ", s->s3->tmp.key_block_length); + { + int i; + for (i=0; i<s->s3->tmp.key_block_length; i++) + printf("%02x", key_block[i]); printf("\n"); + } +#endif /* KSSL_DEBUG */ + if (which & SSL3_CC_READ) { - if ((s->enc_read_ctx == NULL) && - ((s->enc_read_ctx=(EVP_CIPHER_CTX *) - OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)) + if (s->enc_read_ctx != NULL) + reuse_dd = 1; + else if ((s->enc_read_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) goto err; dd= s->enc_read_ctx; s->read_hash=m; @@ -259,6 +289,10 @@ int tls1_change_cipher_state(SSL *s, int which) } else { + if (s->enc_write_ctx != NULL) + reuse_dd = 1; + else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) + goto err; if ((s->enc_write_ctx == NULL) && ((s->enc_write_ctx=(EVP_CIPHER_CTX *) OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)) @@ -283,13 +317,15 @@ int tls1_change_cipher_state(SSL *s, int which) mac_secret= &(s->s3->write_mac_secret[0]); } + if (reuse_dd) + EVP_CIPHER_CTX_cleanup(dd); EVP_CIPHER_CTX_init(dd); p=s->s3->tmp.key_block; i=EVP_MD_size(m); cl=EVP_CIPHER_key_length(c); - j=_exp ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ? - cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl; + j=is_export ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ? + cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl; /* Was j=(exp)?5:EVP_CIPHER_key_length(c); */ k=EVP_CIPHER_iv_length(c); er1= &(s->s3->client_random[0]); @@ -317,7 +353,7 @@ int tls1_change_cipher_state(SSL *s, int which) if (n > s->s3->tmp.key_block_length) { - SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_INTERNAL_ERROR); + SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_INTERNAL_ERROR); goto err2; } @@ -326,7 +362,7 @@ int tls1_change_cipher_state(SSL *s, int which) printf("which = %04X\nmac key=",which); { int z; for (z=0; z<i; z++) printf("%02X%c",ms[z],((z+1)%16)?' ':'\n'); } #endif - if (_exp) + if (is_export) { /* In here I set both the read and write key/iv to the * same value since only the correct one will be used :-). @@ -362,8 +398,18 @@ printf("which = %04X\nmac key=",which); } s->session->key_arg_length=0; +#ifdef KSSL_DEBUG + { + int i; + printf("EVP_CipherInit_ex(dd,c,key=,iv=,which)\n"); + printf("\tkey= "); for (i=0; i<c->key_len; i++) printf("%02x", key[i]); + printf("\n"); + printf("\t iv= "); for (i=0; i<c->iv_len; i++) printf("%02x", iv[i]); + printf("\n"); + } +#endif /* KSSL_DEBUG */ - EVP_CipherInit(dd,c,key,iv,(which & SSL3_CC_WRITE)); + EVP_CipherInit_ex(dd,c,NULL,key,iv,(which & SSL3_CC_WRITE)); #ifdef TLS_DEBUG printf("which = %04X\nkey=",which); { int z; for (z=0; z<EVP_CIPHER_key_length(c); z++) printf("%02X%c",key[z],((z+1)%16)?' ':'\n'); } @@ -372,10 +418,10 @@ printf("\niv="); printf("\n"); #endif - memset(tmp1,0,sizeof(tmp1)); - memset(tmp2,0,sizeof(tmp1)); - memset(iv1,0,sizeof(iv1)); - memset(iv2,0,sizeof(iv2)); + OPENSSL_cleanse(tmp1,sizeof(tmp1)); + OPENSSL_cleanse(tmp2,sizeof(tmp1)); + OPENSSL_cleanse(iv1,sizeof(iv1)); + OPENSSL_cleanse(iv2,sizeof(iv2)); return(1); err: SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_MALLOC_FAILURE); @@ -391,6 +437,10 @@ int tls1_setup_key_block(SSL *s) int num; SSL_COMP *comp; +#ifdef KSSL_DEBUG + printf ("tls1_setup_key_block()\n"); +#endif /* KSSL_DEBUG */ + if (s->s3->tmp.key_block_length != 0) return(1); @@ -426,7 +476,7 @@ printf("pre-master\n"); { int z; for (z=0; z<s->session->master_key_length; z++) printf("%02X%c",s->session->master_key[z],((z+1)%16)?' ':'\n'); } #endif tls1_generate_key_block(s,p1,p2,num); - memset(p2,0,num); + OPENSSL_cleanse(p2,num); OPENSSL_free(p2); #ifdef TLS_DEBUG printf("\nkey block\n"); @@ -445,13 +495,13 @@ printf("\nkey block\n"); if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_eNULL) s->s3->need_empty_fragments = 0; -#ifndef NO_RC4 +#ifndef OPENSSL_NO_RC4 if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4) s->s3->need_empty_fragments = 0; #endif } } - + return(1); err: SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE); @@ -489,6 +539,10 @@ int tls1_enc(SSL *s, int send) enc=EVP_CIPHER_CTX_cipher(s->enc_read_ctx); } +#ifdef KSSL_DEBUG + printf("tls1_enc(%d)\n", send); +#endif /* KSSL_DEBUG */ + if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) { @@ -519,6 +573,24 @@ int tls1_enc(SSL *s, int send) rec->length+=i; } +#ifdef KSSL_DEBUG + { + unsigned long ui; + printf("EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n", + ds,rec->data,rec->input,l); + printf("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%d %d], %d iv_len\n", + ds->buf_len, ds->cipher->key_len, + DES_KEY_SZ, DES_SCHEDULE_SZ, + ds->cipher->iv_len); + printf("\t\tIV: "); + for (i=0; i<ds->cipher->iv_len; i++) printf("%02X", ds->iv[i]); + printf("\n"); + printf("\trec->input="); + for (ui=0; ui<l; ui++) printf(" %02x", rec->input[ui]); + printf("\n"); + } +#endif /* KSSL_DEBUG */ + if (!send) { if (l == 0 || l%bs != 0) @@ -531,6 +603,15 @@ int tls1_enc(SSL *s, int send) EVP_Cipher(ds,rec->data,rec->input,l); +#ifdef KSSL_DEBUG + { + unsigned long i; + printf("\trec->data="); + for (i=0; i<l; i++) + printf(" %02x", rec->data[i]); printf("\n"); + } +#endif /* KSSL_DEBUG */ + if ((bs != 1) && !send) { ii=i=rec->data[l-1]; /* padding_length */ @@ -573,8 +654,10 @@ int tls1_cert_verify_mac(SSL *s, EVP_MD_CTX *in_ctx, unsigned char *out) unsigned int ret; EVP_MD_CTX ctx; - EVP_MD_CTX_copy(&ctx,in_ctx); - EVP_DigestFinal(&ctx,out,&ret); + EVP_MD_CTX_init(&ctx); + EVP_MD_CTX_copy_ex(&ctx,in_ctx); + EVP_DigestFinal_ex(&ctx,out,&ret); + EVP_MD_CTX_cleanup(&ctx); return((int)ret); } @@ -590,19 +673,20 @@ int tls1_final_finish_mac(SSL *s, EVP_MD_CTX *in1_ctx, EVP_MD_CTX *in2_ctx, memcpy(q,str,slen); q+=slen; - EVP_MD_CTX_copy(&ctx,in1_ctx); - EVP_DigestFinal(&ctx,q,&i); + EVP_MD_CTX_init(&ctx); + EVP_MD_CTX_copy_ex(&ctx,in1_ctx); + EVP_DigestFinal_ex(&ctx,q,&i); q+=i; - EVP_MD_CTX_copy(&ctx,in2_ctx); - EVP_DigestFinal(&ctx,q,&i); + EVP_MD_CTX_copy_ex(&ctx,in2_ctx); + EVP_DigestFinal_ex(&ctx,q,&i); q+=i; tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(q-buf), s->session->master_key,s->session->master_key_length, - out,buf2,12); - memset(&ctx,0,sizeof(EVP_MD_CTX)); + out,buf2,sizeof buf2); + EVP_MD_CTX_cleanup(&ctx); - return((int)12); + return sizeof buf2; } int tls1_mac(SSL *ssl, unsigned char *md, int send) @@ -639,11 +723,13 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send) buf[4]=rec->length&0xff; /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */ - HMAC_Init(&hmac,mac_sec,EVP_MD_size(hash),hash); + HMAC_CTX_init(&hmac); + HMAC_Init_ex(&hmac,mac_sec,EVP_MD_size(hash),hash,NULL); HMAC_Update(&hmac,seq,8); HMAC_Update(&hmac,buf,5); HMAC_Update(&hmac,rec->input,rec->length); HMAC_Final(&hmac,md,&md_size); + HMAC_CTX_cleanup(&hmac); #ifdef TLS_DEBUG printf("sec="); @@ -674,6 +760,10 @@ int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, unsigned char buf[SSL3_RANDOM_SIZE*2+TLS_MD_MASTER_SECRET_CONST_SIZE]; unsigned char buff[SSL_MAX_MASTER_KEY_LENGTH]; +#ifdef KSSL_DEBUG + printf ("tls1_generate_master_secret(%p,%p, %p, %d)\n", s,out, p,len); +#endif /* KSSL_DEBUG */ + /* Setup the stuff to munge */ memcpy(buf,TLS_MD_MASTER_SECRET_CONST, TLS_MD_MASTER_SECRET_CONST_SIZE); @@ -683,7 +773,10 @@ int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, s->s3->server_random,SSL3_RANDOM_SIZE); tls1_PRF(s->ctx->md5,s->ctx->sha1, buf,TLS_MD_MASTER_SECRET_CONST_SIZE+SSL3_RANDOM_SIZE*2,p,len, - s->session->master_key,buff,SSL3_MASTER_SECRET_SIZE); + s->session->master_key,buff,sizeof buff); +#ifdef KSSL_DEBUG + printf ("tls1_generate_master_secret() complete\n"); +#endif /* KSSL_DEBUG */ return(SSL3_MASTER_SECRET_SIZE); } diff --git a/crypto/openssl/ssl/t1_meth.c b/crypto/openssl/ssl/t1_meth.c index 9bb36a7..fcc243f 100644 --- a/crypto/openssl/ssl/t1_meth.c +++ b/crypto/openssl/ssl/t1_meth.c @@ -76,13 +76,21 @@ SSL_METHOD *TLSv1_method(void) if (init) { - memcpy((char *)&TLSv1_data,(char *)tlsv1_base_method(), - sizeof(SSL_METHOD)); - TLSv1_data.ssl_connect=ssl3_connect; - TLSv1_data.ssl_accept=ssl3_accept; - TLSv1_data.get_ssl_method=tls1_get_method; - init=0; + CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD); + + if (init) + { + memcpy((char *)&TLSv1_data,(char *)tlsv1_base_method(), + sizeof(SSL_METHOD)); + TLSv1_data.ssl_connect=ssl3_connect; + TLSv1_data.ssl_accept=ssl3_accept; + TLSv1_data.get_ssl_method=tls1_get_method; + init=0; + } + + CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD); } + return(&TLSv1_data); } diff --git a/crypto/openssl/ssl/t1_srvr.c b/crypto/openssl/ssl/t1_srvr.c index 996b7ca..1c1149e 100644 --- a/crypto/openssl/ssl/t1_srvr.c +++ b/crypto/openssl/ssl/t1_srvr.c @@ -57,12 +57,12 @@ */ #include <stdio.h> +#include "ssl_locl.h" #include <openssl/buffer.h> #include <openssl/rand.h> #include <openssl/objects.h> #include <openssl/evp.h> #include <openssl/x509.h> -#include "ssl_locl.h" static SSL_METHOD *tls1_get_server_method(int ver); static SSL_METHOD *tls1_get_server_method(int ver) @@ -80,11 +80,18 @@ SSL_METHOD *TLSv1_server_method(void) if (init) { - memcpy((char *)&TLSv1_server_data,(char *)tlsv1_base_method(), - sizeof(SSL_METHOD)); - TLSv1_server_data.ssl_accept=ssl3_accept; - TLSv1_server_data.get_ssl_method=tls1_get_server_method; - init=0; + CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD); + + if (init) + { + memcpy((char *)&TLSv1_server_data,(char *)tlsv1_base_method(), + sizeof(SSL_METHOD)); + TLSv1_server_data.ssl_accept=ssl3_accept; + TLSv1_server_data.get_ssl_method=tls1_get_server_method; + init=0; + } + + CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD); } return(&TLSv1_server_data); } diff --git a/crypto/openssl/ssl/tls1.h b/crypto/openssl/ssl/tls1.h index cf92ae0..38838ea 100644 --- a/crypto/openssl/ssl/tls1.h +++ b/crypto/openssl/ssl/tls1.h @@ -96,6 +96,22 @@ extern "C" { #define TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA 0x03000065 #define TLS1_CK_DHE_DSS_WITH_RC4_128_SHA 0x03000066 +/* AES ciphersuites from RFC3268 */ + +#define TLS1_CK_RSA_WITH_AES_128_SHA 0x0300002F +#define TLS1_CK_DH_DSS_WITH_AES_128_SHA 0x03000030 +#define TLS1_CK_DH_RSA_WITH_AES_128_SHA 0x03000031 +#define TLS1_CK_DHE_DSS_WITH_AES_128_SHA 0x03000032 +#define TLS1_CK_DHE_RSA_WITH_AES_128_SHA 0x03000033 +#define TLS1_CK_ADH_WITH_AES_128_SHA 0x03000034 + +#define TLS1_CK_RSA_WITH_AES_256_SHA 0x03000035 +#define TLS1_CK_DH_DSS_WITH_AES_256_SHA 0x03000036 +#define TLS1_CK_DH_RSA_WITH_AES_256_SHA 0x03000037 +#define TLS1_CK_DHE_DSS_WITH_AES_256_SHA 0x03000038 +#define TLS1_CK_DHE_RSA_WITH_AES_256_SHA 0x03000039 +#define TLS1_CK_ADH_WITH_AES_256_SHA 0x0300003A + /* XXX * Inconsistency alert: * The OpenSSL names of ciphers with ephemeral DH here include the string @@ -111,6 +127,21 @@ extern "C" { #define TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA "EXP1024-DHE-DSS-RC4-SHA" #define TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA "DHE-DSS-RC4-SHA" +/* AES ciphersuites from RFC3268 */ +#define TLS1_TXT_RSA_WITH_AES_128_SHA "AES128-SHA" +#define TLS1_TXT_DH_DSS_WITH_AES_128_SHA "DH-DSS-AES128-SHA" +#define TLS1_TXT_DH_RSA_WITH_AES_128_SHA "DH-RSA-AES128-SHA" +#define TLS1_TXT_DHE_DSS_WITH_AES_128_SHA "DHE-DSS-AES128-SHA" +#define TLS1_TXT_DHE_RSA_WITH_AES_128_SHA "DHE-RSA-AES128-SHA" +#define TLS1_TXT_ADH_WITH_AES_128_SHA "ADH-AES128-SHA" + +#define TLS1_TXT_RSA_WITH_AES_256_SHA "AES256-SHA" +#define TLS1_TXT_DH_DSS_WITH_AES_256_SHA "DH-DSS-AES256-SHA" +#define TLS1_TXT_DH_RSA_WITH_AES_256_SHA "DH-RSA-AES256-SHA" +#define TLS1_TXT_DHE_DSS_WITH_AES_256_SHA "DHE-DSS-AES256-SHA" +#define TLS1_TXT_DHE_RSA_WITH_AES_256_SHA "DHE-RSA-AES256-SHA" +#define TLS1_TXT_ADH_WITH_AES_256_SHA "ADH-AES256-SHA" + #define TLS_CT_RSA_SIGN 1 #define TLS_CT_DSS_SIGN 2 |