summaryrefslogtreecommitdiffstats
path: root/crypto/openssl/ssl
diff options
context:
space:
mode:
Diffstat (limited to 'crypto/openssl/ssl')
-rw-r--r--crypto/openssl/ssl/s23_clnt.c43
-rw-r--r--crypto/openssl/ssl/s23_lib.c8
-rw-r--r--crypto/openssl/ssl/s23_srvr.c113
-rw-r--r--crypto/openssl/ssl/s2_clnt.c109
-rw-r--r--crypto/openssl/ssl/s2_enc.c20
-rw-r--r--crypto/openssl/ssl/s2_lib.c84
-rw-r--r--crypto/openssl/ssl/s2_meth.c25
-rw-r--r--crypto/openssl/ssl/s2_pkt.c9
-rw-r--r--crypto/openssl/ssl/s2_srvr.c94
9 files changed, 287 insertions, 218 deletions
diff --git a/crypto/openssl/ssl/s23_clnt.c b/crypto/openssl/ssl/s23_clnt.c
index 4a7aff5..64ee426 100644
--- a/crypto/openssl/ssl/s23_clnt.c
+++ b/crypto/openssl/ssl/s23_clnt.c
@@ -54,23 +54,21 @@
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
- *
- * $FreeBSD$
*/
#include <stdio.h>
+#include "ssl_locl.h"
#include <openssl/buffer.h>
#include <openssl/rand.h>
#include <openssl/objects.h>
#include <openssl/evp.h>
-#include "ssl_locl.h"
static SSL_METHOD *ssl23_get_client_method(int ver);
static int ssl23_client_hello(SSL *s);
static int ssl23_get_server_hello(SSL *s);
static SSL_METHOD *ssl23_get_client_method(int ver)
{
-#ifndef NO_SSL2
+#ifndef OPENSSL_NO_SSL2
if (ver == SSL2_VERSION)
return(SSLv2_client_method());
#endif
@@ -89,20 +87,27 @@ SSL_METHOD *SSLv23_client_method(void)
if (init)
{
- memcpy((char *)&SSLv23_client_data,
- (char *)sslv23_base_method(),sizeof(SSL_METHOD));
- SSLv23_client_data.ssl_connect=ssl23_connect;
- SSLv23_client_data.get_ssl_method=ssl23_get_client_method;
- init=0;
+ CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
+
+ if (init)
+ {
+ memcpy((char *)&SSLv23_client_data,
+ (char *)sslv23_base_method(),sizeof(SSL_METHOD));
+ SSLv23_client_data.ssl_connect=ssl23_connect;
+ SSLv23_client_data.get_ssl_method=ssl23_get_client_method;
+ init=0;
+ }
+
+ CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
}
return(&SSLv23_client_data);
}
int ssl23_connect(SSL *s)
{
- BUF_MEM *buf;
+ BUF_MEM *buf=NULL;
unsigned long Time=time(NULL);
- void (*cb)()=NULL;
+ void (*cb)(const SSL *ssl,int type,int val)=NULL;
int ret= -1;
int new_state,state;
@@ -154,6 +159,7 @@ int ssl23_connect(SSL *s)
goto end;
}
s->init_buf=buf;
+ buf=NULL;
}
if (!ssl3_setup_buffers(s)) { ret= -1; goto end; }
@@ -202,6 +208,8 @@ int ssl23_connect(SSL *s)
}
end:
s->in_handshake--;
+ if (buf != NULL)
+ BUF_MEM_free(buf);
if (cb != NULL)
cb(s,SSL_CB_CONNECT_EXIT,ret);
return(ret);
@@ -213,6 +221,7 @@ static int ssl23_client_hello(SSL *s)
unsigned char *buf;
unsigned char *p,*d;
int i,ch_len;
+ int ret;
buf=(unsigned char *)s->init_buf->data;
if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
@@ -304,7 +313,11 @@ static int ssl23_client_hello(SSL *s)
}
/* SSL3_ST_CW_CLNT_HELLO_B */
- return(ssl23_write_bytes(s));
+ ret = ssl23_write_bytes(s);
+ if (ret >= 2)
+ if (s->msg_callback)
+ s->msg_callback(1, SSL2_VERSION, 0, s->init_buf->data+2, ret-2, s, s->msg_callback_arg); /* CLIENT-HELLO */
+ return ret;
}
static int ssl23_get_server_hello(SSL *s)
@@ -324,7 +337,7 @@ static int ssl23_get_server_hello(SSL *s)
if ((p[0] & 0x80) && (p[2] == SSL2_MT_SERVER_HELLO) &&
(p[5] == 0x00) && (p[6] == 0x02))
{
-#ifdef NO_SSL2
+#ifdef OPENSSL_NO_SSL2
SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
goto err;
#else
@@ -360,7 +373,7 @@ static int ssl23_get_server_hello(SSL *s)
if (s->s3 != NULL) ssl3_free(s);
- if (!BUF_MEM_grow(s->init_buf,
+ if (!BUF_MEM_grow_clean(s->init_buf,
SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER))
{
SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,ERR_R_BUF_LIB);
@@ -437,7 +450,7 @@ static int ssl23_get_server_hello(SSL *s)
(p[3] == 0) &&
(p[4] == 2))
{
- void (*cb)()=NULL;
+ void (*cb)(const SSL *ssl,int type,int val)=NULL;
int j;
/* An alert */
diff --git a/crypto/openssl/ssl/s23_lib.c b/crypto/openssl/ssl/s23_lib.c
index fe7e2d1..b70002a 100644
--- a/crypto/openssl/ssl/s23_lib.c
+++ b/crypto/openssl/ssl/s23_lib.c
@@ -54,8 +54,6 @@
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
- *
- * $FreeBSD$
*/
#include <stdio.h>
@@ -113,7 +111,7 @@ SSL_METHOD *sslv23_base_method(void)
static int ssl23_num_ciphers(void)
{
return(ssl3_num_ciphers()
-#ifndef NO_SSL2
+#ifndef OPENSSL_NO_SSL2
+ ssl2_num_ciphers()
#endif
);
@@ -126,7 +124,7 @@ static SSL_CIPHER *ssl23_get_cipher(unsigned int u)
if (u < uu)
return(ssl3_get_cipher(u));
else
-#ifndef NO_SSL2
+#ifndef OPENSSL_NO_SSL2
return(ssl2_get_cipher(u-uu));
#else
return(NULL);
@@ -146,7 +144,7 @@ static SSL_CIPHER *ssl23_get_cipher_by_char(const unsigned char *p)
((unsigned long)p[1]<<8L)|(unsigned long)p[2];
c.id=id;
cp=ssl3_get_cipher_by_char(p);
-#ifndef NO_SSL2
+#ifndef OPENSSL_NO_SSL2
if (cp == NULL)
cp=ssl2_get_cipher_by_char(p);
#endif
diff --git a/crypto/openssl/ssl/s23_srvr.c b/crypto/openssl/ssl/s23_srvr.c
index b93f315..c5404ca 100644
--- a/crypto/openssl/ssl/s23_srvr.c
+++ b/crypto/openssl/ssl/s23_srvr.c
@@ -54,8 +54,6 @@
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
- *
- * $FreeBSD$
*/
/* ====================================================================
* Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
@@ -112,17 +110,17 @@
*/
#include <stdio.h>
+#include "ssl_locl.h"
#include <openssl/buffer.h>
#include <openssl/rand.h>
#include <openssl/objects.h>
#include <openssl/evp.h>
-#include "ssl_locl.h"
static SSL_METHOD *ssl23_get_server_method(int ver);
int ssl23_get_client_hello(SSL *s);
static SSL_METHOD *ssl23_get_server_method(int ver)
{
-#ifndef NO_SSL2
+#ifndef OPENSSL_NO_SSL2
if (ver == SSL2_VERSION)
return(SSLv2_server_method());
#endif
@@ -141,11 +139,18 @@ SSL_METHOD *SSLv23_server_method(void)
if (init)
{
- memcpy((char *)&SSLv23_server_data,
- (char *)sslv23_base_method(),sizeof(SSL_METHOD));
- SSLv23_server_data.ssl_accept=ssl23_accept;
- SSLv23_server_data.get_ssl_method=ssl23_get_server_method;
- init=0;
+ CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
+
+ if (init)
+ {
+ memcpy((char *)&SSLv23_server_data,
+ (char *)sslv23_base_method(),sizeof(SSL_METHOD));
+ SSLv23_server_data.ssl_accept=ssl23_accept;
+ SSLv23_server_data.get_ssl_method=ssl23_get_server_method;
+ init=0;
+ }
+
+ CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
}
return(&SSLv23_server_data);
}
@@ -154,7 +159,7 @@ int ssl23_accept(SSL *s)
{
BUF_MEM *buf;
unsigned long Time=time(NULL);
- void (*cb)()=NULL;
+ void (*cb)(const SSL *ssl,int type,int val)=NULL;
int ret= -1;
int new_state,state;
@@ -257,13 +262,13 @@ int ssl23_get_client_hello(SSL *s)
* 9/10 client_version /
*/
char *buf= &(buf_space[0]);
- unsigned char *p,*d,*dd;
+ unsigned char *p,*d,*d_len,*dd;
unsigned int i;
unsigned int csl,sil,cl;
int n=0,j;
int type=0;
int v[2];
-#ifndef NO_RSA
+#ifndef OPENSSL_NO_RSA
int use_sslv2_strong=0;
#endif
@@ -325,72 +330,6 @@ int ssl23_get_client_hello(SSL *s)
else if (!(s->options & SSL_OP_NO_SSLv2))
type=1;
- if (s->options & SSL_OP_NON_EXPORT_FIRST)
- /* Not only utterly confusing, but broken
- * ('fractured programming'?) -- the details
- * of this block nearly make it work
- * as intended in this environment, but on one
- * of the fine points (w.r.t. restarts) it fails.
- * The obvious fix would be even more devastating
- * to program structure; if you want the functionality,
- * throw this away and implement it in a way
- * that makes sense */
- {
-#if 0
- STACK_OF(SSL_CIPHER) *sk;
- SSL_CIPHER *c;
- int ne2,ne3;
-
- j=((p[0]&0x7f)<<8)|p[1];
- if (j > (1024*4))
- {
- SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_LARGE);
- goto err;
- }
-
- n=ssl23_read_bytes(s,j+2);
- if (n <= 0) return(n);
- p=s->packet;
-
- if ((buf=OPENSSL_malloc(n)) == NULL)
- {
- SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,ERR_R_MALLOC_FAILURE);
- goto err;
- }
- memcpy(buf,p,n);
-
- p+=5;
- n2s(p,csl);
- p+=4;
-
- sk=ssl_bytes_to_cipher_list(
- s,p,csl,NULL);
- if (sk != NULL)
- {
- ne2=ne3=0;
- for (j=0; j<sk_SSL_CIPHER_num(sk); j++)
- {
- c=sk_SSL_CIPHER_value(sk,j);
- if (!SSL_C_IS_EXPORT(c))
- {
- if ((c->id>>24L) == 2L)
- ne2=1;
- else
- ne3=1;
- }
- }
- if (ne2 && !ne3)
- {
- type=1;
- use_sslv2_strong=1;
- goto next_bit;
- }
- }
-#else
- SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_OPTION);
- goto err;
-#endif
- }
}
}
else if ((p[0] == SSL3_RT_HANDSHAKE) &&
@@ -488,7 +427,9 @@ int ssl23_get_client_hello(SSL *s)
j=ssl23_read_bytes(s,n+2);
if (j <= 0) return(j);
- ssl3_finish_mac(s,&(s->packet[2]),s->packet_length-2);
+ ssl3_finish_mac(s, s->packet+2, s->packet_length-2);
+ if (s->msg_callback)
+ s->msg_callback(0, SSL2_VERSION, 0, s->packet+2, s->packet_length-2, s, s->msg_callback_arg); /* CLIENT-HELLO */
p=s->packet;
p+=5;
@@ -502,6 +443,13 @@ int ssl23_get_client_hello(SSL *s)
goto err;
}
+ /* record header: msg_type ... */
+ *(d++) = SSL3_MT_CLIENT_HELLO;
+ /* ... and length (actual value will be written later) */
+ d_len = d;
+ d += 3;
+
+ /* client_version */
*(d++) = SSL3_VERSION_MAJOR; /* == v[0] */
*(d++) = v[1];
@@ -532,7 +480,8 @@ int ssl23_get_client_hello(SSL *s)
*(d++)=1;
*(d++)=0;
- i=(d-(unsigned char *)s->init_buf->data);
+ i = (d-(unsigned char *)s->init_buf->data) - 4;
+ l2n3((long)i, d_len);
/* get the data reused from the init_buf */
s->s3->tmp.reuse_message=1;
@@ -545,7 +494,7 @@ int ssl23_get_client_hello(SSL *s)
if (type == 1)
{
-#ifdef NO_SSL2
+#ifdef OPENSSL_NO_SSL2
SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
goto err;
#else
@@ -563,7 +512,7 @@ int ssl23_get_client_hello(SSL *s)
if (s->s3 != NULL) ssl3_free(s);
- if (!BUF_MEM_grow(s->init_buf,
+ if (!BUF_MEM_grow_clean(s->init_buf,
SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER))
{
goto err;
diff --git a/crypto/openssl/ssl/s2_clnt.c b/crypto/openssl/ssl/s2_clnt.c
index 82b70c7..c6319bb 100644
--- a/crypto/openssl/ssl/s2_clnt.c
+++ b/crypto/openssl/ssl/s2_clnt.c
@@ -107,11 +107,10 @@
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
- * $FreeBSD$
*/
#include "ssl_locl.h"
-#ifndef NO_SSL2
+#ifndef OPENSSL_NO_SSL2
#include <stdio.h>
#include <openssl/rand.h>
#include <openssl/buffer.h>
@@ -146,11 +145,18 @@ SSL_METHOD *SSLv2_client_method(void)
if (init)
{
- memcpy((char *)&SSLv2_client_data,(char *)sslv2_base_method(),
- sizeof(SSL_METHOD));
- SSLv2_client_data.ssl_connect=ssl2_connect;
- SSLv2_client_data.get_ssl_method=ssl2_get_client_method;
- init=0;
+ CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
+
+ if (init)
+ {
+ memcpy((char *)&SSLv2_client_data,(char *)sslv2_base_method(),
+ sizeof(SSL_METHOD));
+ SSLv2_client_data.ssl_connect=ssl2_connect;
+ SSLv2_client_data.get_ssl_method=ssl2_get_client_method;
+ init=0;
+ }
+
+ CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
}
return(&SSLv2_client_data);
}
@@ -160,7 +166,7 @@ int ssl2_connect(SSL *s)
unsigned long l=time(NULL);
BUF_MEM *buf=NULL;
int ret= -1;
- void (*cb)()=NULL;
+ void (*cb)(const SSL *ssl,int type,int val)=NULL;
int new_state,state;
RAND_add(&l,sizeof(l),0);
@@ -202,10 +208,13 @@ int ssl2_connect(SSL *s)
if (!BUF_MEM_grow(buf,
SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER))
{
+ if (buf == s->init_buf)
+ buf=NULL;
ret= -1;
goto end;
}
s->init_buf=buf;
+ buf=NULL;
s->init_num=0;
s->state=SSL2_ST_SEND_CLIENT_HELLO_A;
s->ctx->stats.sess_connect++;
@@ -332,6 +341,8 @@ int ssl2_connect(SSL *s)
}
end:
s->in_handshake--;
+ if (buf != NULL)
+ BUF_MEM_free(buf);
if (cb != NULL)
cb(s,SSL_CB_CONNECT_EXIT,ret);
return(ret);
@@ -343,7 +354,7 @@ static int get_server_hello(SSL *s)
unsigned char *p;
int i,j;
unsigned long len;
- STACK_OF(SSL_CIPHER) *sk=NULL,*cl;
+ STACK_OF(SSL_CIPHER) *sk=NULL,*cl, *prio, *allow;
buf=(unsigned char *)s->init_buf->data;
p=buf;
@@ -393,6 +404,8 @@ static int get_server_hello(SSL *s)
j = (int)len - s->init_num;
i = ssl2_read(s,(char *)&(buf[s->init_num]),j);
if (i != j) return(ssl2_part_read(s,SSL_F_GET_SERVER_HELLO,i));
+ if (s->msg_callback)
+ s->msg_callback(0, s->version, 0, buf, (size_t)len, s, s->msg_callback_arg); /* SERVER-HELLO */
/* things are looking good */
@@ -475,33 +488,49 @@ static int get_server_hello(SSL *s)
sk_SSL_CIPHER_set_cmp_func(sk,ssl_cipher_ptr_id_cmp);
/* get the array of ciphers we will accept */
- cl=ssl_get_ciphers_by_id(s);
-
+ cl=SSL_get_ciphers(s);
+ sk_SSL_CIPHER_set_cmp_func(cl,ssl_cipher_ptr_id_cmp);
+
+ /*
+ * If server preference flag set, choose the first
+ * (highest priority) cipher the server sends, otherwise
+ * client preference has priority.
+ */
+ if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE)
+ {
+ prio = sk;
+ allow = cl;
+ }
+ else
+ {
+ prio = cl;
+ allow = sk;
+ }
/* In theory we could have ciphers sent back that we
* don't want to use but that does not matter since we
* will check against the list we originally sent and
* for performance reasons we should not bother to match
* the two lists up just to check. */
- for (i=0; i<sk_SSL_CIPHER_num(cl); i++)
+ for (i=0; i<sk_SSL_CIPHER_num(prio); i++)
{
- if (sk_SSL_CIPHER_find(sk,
- sk_SSL_CIPHER_value(cl,i)) >= 0)
+ if (sk_SSL_CIPHER_find(allow,
+ sk_SSL_CIPHER_value(prio,i)) >= 0)
break;
}
- if (i >= sk_SSL_CIPHER_num(cl))
+ if (i >= sk_SSL_CIPHER_num(prio))
{
ssl2_return_error(s,SSL2_PE_NO_CIPHER);
SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_NO_CIPHER_MATCH);
return(-1);
}
- s->session->cipher=sk_SSL_CIPHER_value(cl,i);
+ s->session->cipher=sk_SSL_CIPHER_value(prio,i);
if (s->session->peer != NULL) /* can't happen*/
{
ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
- SSLerr(SSL_F_GET_SERVER_HELLO, SSL_R_INTERNAL_ERROR);
+ SSLerr(SSL_F_GET_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
return(-1);
}
@@ -514,7 +543,7 @@ static int get_server_hello(SSL *s)
/* can't happen */
{
ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
- SSLerr(SSL_F_GET_SERVER_HELLO, SSL_R_INTERNAL_ERROR);
+ SSLerr(SSL_F_GET_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
return(-1);
}
@@ -629,7 +658,7 @@ static int client_master_key(SSL *s)
if (i > SSL_MAX_KEY_ARG_LENGTH)
{
ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
- SSLerr(SSL_F_CLIENT_MASTER_KEY, SSL_R_INTERNAL_ERROR);
+ SSLerr(SSL_F_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR);
return -1;
}
if (i > 0) RAND_pseudo_bytes(sess->key_arg,i);
@@ -642,7 +671,7 @@ static int client_master_key(SSL *s)
if (i > sizeof sess->master_key)
{
ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
- SSLerr(SSL_F_CLIENT_MASTER_KEY, SSL_R_INTERNAL_ERROR);
+ SSLerr(SSL_F_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR);
return -1;
}
if (RAND_bytes(sess->master_key,i) <= 0)
@@ -691,7 +720,7 @@ static int client_master_key(SSL *s)
if (karg > sizeof sess->key_arg)
{
ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
- SSLerr(SSL_F_CLIENT_MASTER_KEY, SSL_R_INTERNAL_ERROR);
+ SSLerr(SSL_F_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR);
return -1;
}
memcpy(d,sess->key_arg,(unsigned int)karg);
@@ -716,7 +745,7 @@ static int client_finished(SSL *s)
*(p++)=SSL2_MT_CLIENT_FINISHED;
if (s->s2->conn_id_length > sizeof s->s2->conn_id)
{
- SSLerr(SSL_F_CLIENT_FINISHED, SSL_R_INTERNAL_ERROR);
+ SSLerr(SSL_F_CLIENT_FINISHED, ERR_R_INTERNAL_ERROR);
return -1;
}
memcpy(p,s->s2->conn_id,(unsigned int)s->s2->conn_id_length);
@@ -746,10 +775,12 @@ static int client_certificate(SSL *s)
if (s->state == SSL2_ST_SEND_CLIENT_CERTIFICATE_A)
{
i=ssl2_read(s,(char *)&(buf[s->init_num]),
- SSL2_MAX_CERT_CHALLENGE_LENGTH+1-s->init_num);
- if (i<(SSL2_MIN_CERT_CHALLENGE_LENGTH+1-s->init_num))
+ SSL2_MAX_CERT_CHALLENGE_LENGTH+2-s->init_num);
+ if (i<(SSL2_MIN_CERT_CHALLENGE_LENGTH+2-s->init_num))
return(ssl2_part_read(s,SSL_F_CLIENT_CERTIFICATE,i));
s->init_num += i;
+ if (s->msg_callback)
+ s->msg_callback(0, s->version, 0, buf, (size_t)s->init_num, s, s->msg_callback_arg); /* REQUEST-CERTIFICATE */
/* type=buf[0]; */
/* type eq x509 */
@@ -842,9 +873,10 @@ static int client_certificate(SSL *s)
/* ok, now we calculate the checksum
* do it first so we can reuse buf :-) */
p=buf;
- EVP_SignInit(&ctx,s->ctx->rsa_md5);
+ EVP_MD_CTX_init(&ctx);
+ EVP_SignInit_ex(&ctx,s->ctx->rsa_md5, NULL);
EVP_SignUpdate(&ctx,s->s2->key_material,
- (unsigned int)s->s2->key_material_length);
+ s->s2->key_material_length);
EVP_SignUpdate(&ctx,cert_ch,(unsigned int)cert_ch_len);
n=i2d_X509(s->session->sess_cert->peer_key->x509,&p);
EVP_SignUpdate(&ctx,buf,(unsigned int)n);
@@ -863,7 +895,7 @@ static int client_certificate(SSL *s)
* We will continue with a 0 length signature
*/
}
- memset(&ctx,0,sizeof(ctx));
+ EVP_MD_CTX_cleanup(&ctx);
s2n(n,p);
d+=n;
@@ -898,8 +930,12 @@ static int get_server_verify(SSL *s)
SSL_R_READ_WRONG_PACKET_TYPE);
}
else
- SSLerr(SSL_F_GET_SERVER_VERIFY,
- SSL_R_PEER_ERROR);
+ {
+ SSLerr(SSL_F_GET_SERVER_VERIFY,SSL_R_PEER_ERROR);
+ /* try to read the error message */
+ i=ssl2_read(s,(char *)&(p[s->init_num]),3-s->init_num);
+ return ssl2_part_read(s,SSL_F_GET_SERVER_VERIFY,i);
+ }
return(-1);
}
}
@@ -910,9 +946,11 @@ static int get_server_verify(SSL *s)
i = ssl2_read(s,(char *)&(p[s->init_num]),n);
if (i < n)
return(ssl2_part_read(s,SSL_F_GET_SERVER_VERIFY,i));
+ if (s->msg_callback)
+ s->msg_callback(0, s->version, 0, p, len, s, s->msg_callback_arg); /* SERVER-VERIFY */
p += 1;
- if (memcmp(p,s->s2->challenge,(unsigned int)s->s2->challenge_length) != 0)
+ if (memcmp(p,s->s2->challenge,s->s2->challenge_length) != 0)
{
ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
SSLerr(SSL_F_GET_SERVER_VERIFY,SSL_R_CHALLENGE_IS_DIFFERENT);
@@ -949,7 +987,12 @@ static int get_server_finished(SSL *s)
SSLerr(SSL_F_GET_SERVER_FINISHED,SSL_R_READ_WRONG_PACKET_TYPE);
}
else
+ {
SSLerr(SSL_F_GET_SERVER_FINISHED,SSL_R_PEER_ERROR);
+ /* try to read the error message */
+ i=ssl2_read(s,(char *)&(p[s->init_num]),3-s->init_num);
+ return ssl2_part_read(s,SSL_F_GET_SERVER_VERIFY,i);
+ }
return(-1);
}
s->state=SSL2_ST_GET_SERVER_FINISHED_B;
@@ -961,6 +1004,8 @@ static int get_server_finished(SSL *s)
if (i < n) /* XXX could be shorter than SSL2_SSL_SESSION_ID_LENGTH, that's the maximum */
return(ssl2_part_read(s,SSL_F_GET_SERVER_FINISHED,i));
s->init_num += i;
+ if (s->msg_callback)
+ s->msg_callback(0, s->version, 0, buf, (size_t)s->init_num, s, s->msg_callback_arg); /* SERVER-FINISHED */
if (!s->hit) /* new session */
{
@@ -969,7 +1014,7 @@ static int get_server_finished(SSL *s)
* or bad things can happen */
/* ZZZZZZZZZZZZZ */
s->session->session_id_length=SSL2_SSL_SESSION_ID_LENGTH;
- memcpy(s->session->session_id,p,SSL2_SSL_SESSION_ID_LENGTH);
+ memcpy(s->session->session_id,p+1,SSL2_SSL_SESSION_ID_LENGTH);
}
else
{
@@ -1084,7 +1129,7 @@ end:
EVP_PKEY_free(pkey);
return(i);
}
-#else /* !NO_SSL2 */
+#else /* !OPENSSL_NO_SSL2 */
# if PEDANTIC
static void *dummy=&dummy;
diff --git a/crypto/openssl/ssl/s2_enc.c b/crypto/openssl/ssl/s2_enc.c
index 3917efb..d3b144f 100644
--- a/crypto/openssl/ssl/s2_enc.c
+++ b/crypto/openssl/ssl/s2_enc.c
@@ -54,13 +54,12 @@
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
- *
- * $FreeBSD$
*/
#include "ssl_locl.h"
-#ifndef NO_SSL2
+#ifndef OPENSSL_NO_SSL2
#include <stdio.h>
+#include "cryptlib.h"
int ssl2_enc_init(SSL *s, int client)
{
@@ -97,13 +96,15 @@ int ssl2_enc_init(SSL *s, int client)
num=c->key_len;
s->s2->key_material_length=num*2;
+ OPENSSL_assert(s->s2->key_material_length <= sizeof s->s2->key_material);
if (ssl2_generate_key_material(s) <= 0)
return 0;
- EVP_EncryptInit(ws,c,&(s->s2->key_material[(client)?num:0]),
+ OPENSSL_assert(c->iv_len <= sizeof s->session->key_arg);
+ EVP_EncryptInit_ex(ws,c,NULL,&(s->s2->key_material[(client)?num:0]),
s->session->key_arg);
- EVP_DecryptInit(rs,c,&(s->s2->key_material[(client)?0:num]),
+ EVP_DecryptInit_ex(rs,c,NULL,&(s->s2->key_material[(client)?0:num]),
s->session->key_arg);
s->s2->read_key= &(s->s2->key_material[(client)?0:num]);
s->s2->write_key= &(s->s2->key_material[(client)?num:0]);
@@ -172,16 +173,17 @@ void ssl2_mac(SSL *s, unsigned char *md, int send)
l2n(seq,p);
/* There has to be a MAC algorithm. */
- EVP_DigestInit(&c,s->read_hash);
+ EVP_MD_CTX_init(&c);
+ EVP_DigestInit_ex(&c, s->read_hash, NULL);
EVP_DigestUpdate(&c,sec,
EVP_CIPHER_CTX_key_length(s->enc_read_ctx));
EVP_DigestUpdate(&c,act,len);
/* the above line also does the pad data */
EVP_DigestUpdate(&c,sequence,4);
- EVP_DigestFinal(&c,md,NULL);
- /* some would say I should zero the md context */
+ EVP_DigestFinal_ex(&c,md,NULL);
+ EVP_MD_CTX_cleanup(&c);
}
-#else /* !NO_SSL2 */
+#else /* !OPENSSL_NO_SSL2 */
# if PEDANTIC
static void *dummy=&dummy;
diff --git a/crypto/openssl/ssl/s2_lib.c b/crypto/openssl/ssl/s2_lib.c
index 64c6575..910b9fe 100644
--- a/crypto/openssl/ssl/s2_lib.c
+++ b/crypto/openssl/ssl/s2_lib.c
@@ -54,15 +54,14 @@
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
- *
- * $FreeBSD$
*/
#include "ssl_locl.h"
-#ifndef NO_SSL2
+#ifndef OPENSSL_NO_SSL2
#include <stdio.h>
#include <openssl/rsa.h>
#include <openssl/objects.h>
+#include <openssl/evp.h>
#include <openssl/md5.h>
#include "cryptlib.h"
@@ -309,7 +308,7 @@ void ssl2_free(SSL *s)
s2=s->s2;
if (s2->rbuf != NULL) OPENSSL_free(s2->rbuf);
if (s2->wbuf != NULL) OPENSSL_free(s2->wbuf);
- memset(s2,0,sizeof *s2);
+ OPENSSL_cleanse(s2,sizeof *s2);
OPENSSL_free(s2);
s->s2=NULL;
}
@@ -334,7 +333,7 @@ void ssl2_clear(SSL *s)
s->packet_length=0;
}
-long ssl2_ctrl(SSL *s, int cmd, long larg, char *parg)
+long ssl2_ctrl(SSL *s, int cmd, long larg, void *parg)
{
int ret=0;
@@ -354,7 +353,7 @@ long ssl2_callback_ctrl(SSL *s, int cmd, void (*fp)())
return(0);
}
-long ssl2_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, char *parg)
+long ssl2_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
{
return(0);
}
@@ -378,15 +377,19 @@ SSL_CIPHER *ssl2_get_cipher_by_char(const unsigned char *p)
{
CRYPTO_w_lock(CRYPTO_LOCK_SSL);
- for (i=0; i<SSL2_NUM_CIPHERS; i++)
- sorted[i]= &(ssl2_ciphers[i]);
+ if (init)
+ {
+ for (i=0; i<SSL2_NUM_CIPHERS; i++)
+ sorted[i]= &(ssl2_ciphers[i]);
- qsort( (char *)sorted,
- SSL2_NUM_CIPHERS,sizeof(SSL_CIPHER *),
- FP_ICC ssl_cipher_ptr_id_cmp);
+ qsort((char *)sorted,
+ SSL2_NUM_CIPHERS,sizeof(SSL_CIPHER *),
+ FP_ICC ssl_cipher_ptr_id_cmp);
+ init=0;
+ }
+
CRYPTO_w_unlock(CRYPTO_LOCK_SSL);
- init=0;
}
id=0x02000000L|((unsigned long)p[0]<<16L)|
@@ -420,43 +423,50 @@ int ssl2_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p)
int ssl2_generate_key_material(SSL *s)
{
unsigned int i;
- MD5_CTX ctx;
+ EVP_MD_CTX ctx;
unsigned char *km;
unsigned char c='0';
+ const EVP_MD *md5;
+
+ md5 = EVP_md5();
#ifdef CHARSET_EBCDIC
c = os_toascii['0']; /* Must be an ASCII '0', not EBCDIC '0',
see SSLv2 docu */
#endif
-
+ EVP_MD_CTX_init(&ctx);
km=s->s2->key_material;
- if (s->session->master_key_length < 0 || s->session->master_key_length > sizeof s->session->master_key)
- {
- SSLerr(SSL_F_SSL2_GENERATE_KEY_MATERIAL, SSL_R_INTERNAL_ERROR);
- return 0;
- }
+ if (s->session->master_key_length < 0 || s->session->master_key_length > sizeof s->session->master_key)
+ {
+ SSLerr(SSL_F_SSL2_GENERATE_KEY_MATERIAL, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
- for (i=0; i<s->s2->key_material_length; i+=MD5_DIGEST_LENGTH)
+ for (i=0; i<s->s2->key_material_length; i += EVP_MD_size(md5))
{
- if (((km - s->s2->key_material) + MD5_DIGEST_LENGTH) > sizeof s->s2->key_material)
+ if (((km - s->s2->key_material) + EVP_MD_size(md5)) > sizeof s->s2->key_material)
{
- /* MD5_Final() below would write beyond buffer */
- SSLerr(SSL_F_SSL2_GENERATE_KEY_MATERIAL, SSL_R_INTERNAL_ERROR);
+ /* EVP_DigestFinal_ex() below would write beyond buffer */
+ SSLerr(SSL_F_SSL2_GENERATE_KEY_MATERIAL, ERR_R_INTERNAL_ERROR);
return 0;
}
- MD5_Init(&ctx);
+ EVP_DigestInit_ex(&ctx, md5, NULL);
- MD5_Update(&ctx,s->session->master_key,s->session->master_key_length);
- MD5_Update(&ctx,&c,1);
+ OPENSSL_assert(s->session->master_key_length >= 0
+ && s->session->master_key_length
+ < sizeof s->session->master_key);
+ EVP_DigestUpdate(&ctx,s->session->master_key,s->session->master_key_length);
+ EVP_DigestUpdate(&ctx,&c,1);
c++;
- MD5_Update(&ctx,s->s2->challenge,s->s2->challenge_length);
- MD5_Update(&ctx,s->s2->conn_id,s->s2->conn_id_length);
- MD5_Final(km,&ctx);
- km+=MD5_DIGEST_LENGTH;
+ EVP_DigestUpdate(&ctx,s->s2->challenge,s->s2->challenge_length);
+ EVP_DigestUpdate(&ctx,s->s2->conn_id,s->s2->conn_id_length);
+ EVP_DigestFinal_ex(&ctx,km,NULL);
+ km += EVP_MD_size(md5);
}
+ EVP_MD_CTX_cleanup(&ctx);
return 1;
}
@@ -485,17 +495,21 @@ void ssl2_write_error(SSL *s)
error=s->error; /* number of bytes left to write */
s->error=0;
- if (error < 0 || error > sizeof buf) /* can't happen */
- return;
-
+ OPENSSL_assert(error >= 0 && error <= sizeof buf);
i=ssl2_write(s,&(buf[3-error]),error);
/* if (i == error) s->rwstate=state; */
if (i < 0)
s->error=error;
- else if (i != s->error)
+ else
+ {
s->error=error-i;
+
+ if (s->error == 0)
+ if (s->msg_callback)
+ s->msg_callback(1, s->version, 0, buf, 3, s, s->msg_callback_arg); /* ERROR */
+ }
}
int ssl2_shutdown(SSL *s)
@@ -503,7 +517,7 @@ int ssl2_shutdown(SSL *s)
s->shutdown=(SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
return(1);
}
-#else /* !NO_SSL2 */
+#else /* !OPENSSL_NO_SSL2 */
# if PEDANTIC
static void *dummy=&dummy;
diff --git a/crypto/openssl/ssl/s2_meth.c b/crypto/openssl/ssl/s2_meth.c
index 01cc05f..8b6cbd0 100644
--- a/crypto/openssl/ssl/s2_meth.c
+++ b/crypto/openssl/ssl/s2_meth.c
@@ -54,12 +54,10 @@
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
- *
- * $FreeBSD$
*/
#include "ssl_locl.h"
-#ifndef NO_SSL2
+#ifndef OPENSSL_NO_SSL2
#include <stdio.h>
#include <openssl/objects.h>
@@ -79,16 +77,23 @@ SSL_METHOD *SSLv2_method(void)
if (init)
{
- memcpy((char *)&SSLv2_data,(char *)sslv2_base_method(),
- sizeof(SSL_METHOD));
- SSLv2_data.ssl_connect=ssl2_connect;
- SSLv2_data.ssl_accept=ssl2_accept;
- SSLv2_data.get_ssl_method=ssl2_get_method;
- init=0;
+ CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
+
+ if (init)
+ {
+ memcpy((char *)&SSLv2_data,(char *)sslv2_base_method(),
+ sizeof(SSL_METHOD));
+ SSLv2_data.ssl_connect=ssl2_connect;
+ SSLv2_data.ssl_accept=ssl2_accept;
+ SSLv2_data.get_ssl_method=ssl2_get_method;
+ init=0;
+ }
+
+ CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
}
return(&SSLv2_data);
}
-#else /* !NO_SSL2 */
+#else /* !OPENSSL_NO_SSL2 */
# if PEDANTIC
static void *dummy=&dummy;
diff --git a/crypto/openssl/ssl/s2_pkt.c b/crypto/openssl/ssl/s2_pkt.c
index 067d9df..d82f137 100644
--- a/crypto/openssl/ssl/s2_pkt.c
+++ b/crypto/openssl/ssl/s2_pkt.c
@@ -107,13 +107,13 @@
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
- * $FreeBSD$
*/
#include "ssl_locl.h"
-#ifndef NO_SSL2
+#ifndef OPENSSL_NO_SSL2
#include <stdio.h>
#include <errno.h>
+#include "cryptlib.h"
#define USE_SOCKETS
static int read_n(SSL *s,unsigned int n,unsigned int max,unsigned int extend);
@@ -248,6 +248,7 @@ static int ssl2_read_internal(SSL *s, void *buf, int len, int peek)
else
{
mac_size=EVP_MD_size(s->read_hash);
+ OPENSSL_assert(mac_size <= MAX_MAC_SIZE);
s->s2->mac_data=p;
s->s2->ract_data= &p[mac_size];
if (s->s2->padding + mac_size > s->s2->rlength)
@@ -693,6 +694,8 @@ int ssl2_do_write(SSL *s)
ret=ssl2_write(s,&s->init_buf->data[s->init_off],s->init_num);
if (ret == s->init_num)
{
+ if (s->msg_callback)
+ s->msg_callback(1, s->version, 0, s->init_buf->data, (size_t)(s->init_off + s->init_num), s, s->msg_callback_arg);
return(1);
}
if (ret < 0)
@@ -726,7 +729,7 @@ static int ssl_mt_error(int n)
}
return(ret);
}
-#else /* !NO_SSL2 */
+#else /* !OPENSSL_NO_SSL2 */
# if PEDANTIC
static void *dummy=&dummy;
diff --git a/crypto/openssl/ssl/s2_srvr.c b/crypto/openssl/ssl/s2_srvr.c
index 32519a7c..62859a2 100644
--- a/crypto/openssl/ssl/s2_srvr.c
+++ b/crypto/openssl/ssl/s2_srvr.c
@@ -107,11 +107,10 @@
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
- * $FreeBSD$
*/
#include "ssl_locl.h"
-#ifndef NO_SSL2
+#ifndef OPENSSL_NO_SSL2
#include <stdio.h>
#include <openssl/bio.h>
#include <openssl/rand.h>
@@ -146,11 +145,18 @@ SSL_METHOD *SSLv2_server_method(void)
if (init)
{
- memcpy((char *)&SSLv2_server_data,(char *)sslv2_base_method(),
- sizeof(SSL_METHOD));
- SSLv2_server_data.ssl_accept=ssl2_accept;
- SSLv2_server_data.get_ssl_method=ssl2_get_server_method;
- init=0;
+ CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
+
+ if (init)
+ {
+ memcpy((char *)&SSLv2_server_data,(char *)sslv2_base_method(),
+ sizeof(SSL_METHOD));
+ SSLv2_server_data.ssl_accept=ssl2_accept;
+ SSLv2_server_data.get_ssl_method=ssl2_get_server_method;
+ init=0;
+ }
+
+ CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
}
return(&SSLv2_server_data);
}
@@ -161,7 +167,7 @@ int ssl2_accept(SSL *s)
BUF_MEM *buf=NULL;
int ret= -1;
long num1;
- void (*cb)()=NULL;
+ void (*cb)(const SSL *ssl,int type,int val)=NULL;
int new_state,state;
RAND_add(&l,sizeof(l),0);
@@ -431,7 +437,7 @@ static int get_client_master_key(SSL *s)
if (s->init_buf->length < SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)
{
ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
- SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_INTERNAL_ERROR);
+ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR);
return -1;
}
keya=s->session->key_arg_length;
@@ -445,6 +451,8 @@ static int get_client_master_key(SSL *s)
n = (int)len - s->init_num;
i = ssl2_read(s,(char *)&(p[s->init_num]),n);
if (i != n) return(ssl2_part_read(s,SSL_F_GET_CLIENT_MASTER_KEY,i));
+ if (s->msg_callback)
+ s->msg_callback(0, s->version, 0, p, (size_t)len, s, s->msg_callback_arg); /* CLIENT-MASTER-KEY */
p += 10;
memcpy(s->session->key_arg,&(p[s->s2->tmp.clear+s->s2->tmp.enc]),
@@ -519,7 +527,7 @@ static int get_client_master_key(SSL *s)
if (i > SSL_MAX_MASTER_KEY_LENGTH)
{
ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
- SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_INTERNAL_ERROR);
+ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR);
return -1;
}
s->session->master_key_length=i;
@@ -534,6 +542,7 @@ static int get_client_hello(SSL *s)
unsigned char *p;
STACK_OF(SSL_CIPHER) *cs; /* a stack of SSL_CIPHERS */
STACK_OF(SSL_CIPHER) *cl; /* the ones we want to use */
+ STACK_OF(SSL_CIPHER) *prio, *allow;
int z;
/* This is a bit of a hack to check for the correct packet
@@ -590,6 +599,8 @@ static int get_client_hello(SSL *s)
n = (int)len - s->init_num;
i = ssl2_read(s,(char *)&(p[s->init_num]),n);
if (i != n) return(ssl2_part_read(s,SSL_F_GET_CLIENT_HELLO,i));
+ if (s->msg_callback)
+ s->msg_callback(0, s->version, 0, p, (size_t)len, s, s->msg_callback_arg); /* CLIENT-HELLO */
p += 9;
/* get session-id before cipher stuff so we can get out session
@@ -647,21 +658,37 @@ static int get_client_hello(SSL *s)
&s->session->ciphers);
if (cs == NULL) goto mem_err;
- cl=ssl_get_ciphers_by_id(s);
+ cl=SSL_get_ciphers(s);
- for (z=0; z<sk_SSL_CIPHER_num(cs); z++)
+ if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE)
+ {
+ prio=sk_SSL_CIPHER_dup(cl);
+ if (prio == NULL) goto mem_err;
+ allow = cs;
+ }
+ else
+ {
+ prio = cs;
+ allow = cl;
+ }
+ for (z=0; z<sk_SSL_CIPHER_num(prio); z++)
{
- if (sk_SSL_CIPHER_find(cl,sk_SSL_CIPHER_value(cs,z)) < 0)
+ if (sk_SSL_CIPHER_find(allow,sk_SSL_CIPHER_value(prio,z)) < 0)
{
- sk_SSL_CIPHER_delete(cs,z);
+ sk_SSL_CIPHER_delete(prio,z);
z--;
}
}
-
+ if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE)
+ {
+ sk_SSL_CIPHER_free(s->session->ciphers);
+ s->session->ciphers = prio;
+ }
/* s->session->ciphers should now have a list of
* ciphers that are on both the client and server.
* This list is ordered by the order the client sent
- * the ciphers.
+ * the ciphers or in the order of the server's preference
+ * if SSL_OP_CIPHER_SERVER_PREFERENCE was set.
*/
}
p+=s->s2->tmp.cipher_spec_length;
@@ -674,7 +701,7 @@ static int get_client_hello(SSL *s)
if (s->s2->challenge_length > sizeof s->s2->challenge)
{
ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
- SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_INTERNAL_ERROR);
+ SSLerr(SSL_F_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
return -1;
}
memcpy(s->s2->challenge,p,(unsigned int)s->s2->challenge_length);
@@ -821,7 +848,12 @@ static int get_client_finished(SSL *s)
SSLerr(SSL_F_GET_CLIENT_FINISHED,SSL_R_READ_WRONG_PACKET_TYPE);
}
else
+ {
SSLerr(SSL_F_GET_CLIENT_FINISHED,SSL_R_PEER_ERROR);
+ /* try to read the error message */
+ i=ssl2_read(s,(char *)&(p[s->init_num]),3-s->init_num);
+ return ssl2_part_read(s,SSL_F_GET_SERVER_VERIFY,i);
+ }
return(-1);
}
s->state=SSL2_ST_GET_CLIENT_FINISHED_B;
@@ -831,7 +863,7 @@ static int get_client_finished(SSL *s)
if (s->s2->conn_id_length > sizeof s->s2->conn_id)
{
ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
- SSLerr(SSL_F_GET_CLIENT_FINISHED, SSL_R_INTERNAL_ERROR);
+ SSLerr(SSL_F_GET_CLIENT_FINISHED, ERR_R_INTERNAL_ERROR);
return -1;
}
len = 1 + (unsigned long)s->s2->conn_id_length;
@@ -841,8 +873,10 @@ static int get_client_finished(SSL *s)
{
return(ssl2_part_read(s,SSL_F_GET_CLIENT_FINISHED,i));
}
+ if (s->msg_callback)
+ s->msg_callback(0, s->version, 0, p, len, s, s->msg_callback_arg); /* CLIENT-FINISHED */
p += 1;
- if (memcmp(p,s->s2->conn_id,(unsigned int)s->s2->conn_id_length) != 0)
+ if (memcmp(p,s->s2->conn_id,s->s2->conn_id_length) != 0)
{
ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
SSLerr(SSL_F_GET_CLIENT_FINISHED,SSL_R_CONNECTION_ID_IS_DIFFERENT);
@@ -861,7 +895,7 @@ static int server_verify(SSL *s)
*(p++)=SSL2_MT_SERVER_VERIFY;
if (s->s2->challenge_length > sizeof s->s2->challenge)
{
- SSLerr(SSL_F_SERVER_VERIFY, SSL_R_INTERNAL_ERROR);
+ SSLerr(SSL_F_SERVER_VERIFY, ERR_R_INTERNAL_ERROR);
return -1;
}
memcpy(p,s->s2->challenge,(unsigned int)s->s2->challenge_length);
@@ -885,7 +919,7 @@ static int server_finish(SSL *s)
if (s->session->session_id_length > sizeof s->session->session_id)
{
- SSLerr(SSL_F_SERVER_FINISH, SSL_R_INTERNAL_ERROR);
+ SSLerr(SSL_F_SERVER_FINISH, ERR_R_INTERNAL_ERROR);
return -1;
}
memcpy(p,s->session->session_id, (unsigned int)s->session->session_id_length);
@@ -960,6 +994,9 @@ static int request_certificate(SSL *s)
goto end;
}
+ if (s->msg_callback)
+ s->msg_callback(0, s->version, 0, p, 3, s, s->msg_callback_arg); /* ERROR */
+
/* this is the one place where we can recover from an SSL 2.0 error */
if (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
@@ -979,7 +1016,7 @@ static int request_certificate(SSL *s)
}
if (s->init_num != 6)
{
- SSLerr(SSL_F_REQUEST_CERTIFICATE, SSL_R_INTERNAL_ERROR);
+ SSLerr(SSL_F_REQUEST_CERTIFICATE, ERR_R_INTERNAL_ERROR);
goto end;
}
@@ -1002,7 +1039,7 @@ static int request_certificate(SSL *s)
len = 6 + (unsigned long)s->s2->tmp.clen + (unsigned long)s->s2->tmp.rlen;
if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)
{
- SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_MESSAGE_TOO_LONG);
+ SSLerr(SSL_F_REQUEST_CERTIFICATE,SSL_R_MESSAGE_TOO_LONG);
goto end;
}
j = (int)len - s->init_num;
@@ -1012,6 +1049,8 @@ static int request_certificate(SSL *s)
ret=ssl2_part_read(s,SSL_F_REQUEST_CERTIFICATE,i);
goto end;
}
+ if (s->msg_callback)
+ s->msg_callback(0, s->version, 0, p, len, s, s->msg_callback_arg); /* CLIENT-CERTIFICATE */
p += 6;
x509=(X509 *)d2i_X509(NULL,&p,(long)s->s2->tmp.clen);
@@ -1034,9 +1073,10 @@ static int request_certificate(SSL *s)
EVP_MD_CTX ctx;
EVP_PKEY *pkey=NULL;
- EVP_VerifyInit(&ctx,s->ctx->rsa_md5);
+ EVP_MD_CTX_init(&ctx);
+ EVP_VerifyInit_ex(&ctx,s->ctx->rsa_md5, NULL);
EVP_VerifyUpdate(&ctx,s->s2->key_material,
- (unsigned int)s->s2->key_material_length);
+ s->s2->key_material_length);
EVP_VerifyUpdate(&ctx,ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH);
i=i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509,NULL);
@@ -1055,7 +1095,7 @@ static int request_certificate(SSL *s)
if (pkey == NULL) goto end;
i=EVP_VerifyFinal(&ctx,p,s->s2->tmp.rlen,pkey);
EVP_PKEY_free(pkey);
- memset(&ctx,0,sizeof(ctx));
+ EVP_MD_CTX_cleanup(&ctx);
if (i)
{
@@ -1108,7 +1148,7 @@ static int ssl_rsa_private_decrypt(CERT *c, int len, unsigned char *from,
SSLerr(SSL_F_SSL_RSA_PRIVATE_DECRYPT,ERR_R_RSA_LIB);
return(i);
}
-#else /* !NO_SSL2 */
+#else /* !OPENSSL_NO_SSL2 */
# if PEDANTIC
static void *dummy=&dummy;
OpenPOWER on IntegriCloud