summaryrefslogtreecommitdiffstats
path: root/crypto/openssl/ssl
diff options
context:
space:
mode:
Diffstat (limited to 'crypto/openssl/ssl')
-rw-r--r--crypto/openssl/ssl/d1_lib.c2
-rw-r--r--crypto/openssl/ssl/d1_pkt.c6
-rw-r--r--crypto/openssl/ssl/kssl.c45
-rw-r--r--crypto/openssl/ssl/s23_clnt.c1
-rw-r--r--crypto/openssl/ssl/s23_srvr.c1
-rw-r--r--crypto/openssl/ssl/s2_enc.c9
-rw-r--r--crypto/openssl/ssl/s2_lib.c2
-rw-r--r--crypto/openssl/ssl/s3_clnt.c6
-rw-r--r--crypto/openssl/ssl/s3_enc.c7
-rw-r--r--crypto/openssl/ssl/s3_lib.c10
-rw-r--r--crypto/openssl/ssl/s3_pkt.c6
-rw-r--r--crypto/openssl/ssl/s3_srvr.c29
-rw-r--r--crypto/openssl/ssl/ssl.h26
-rw-r--r--crypto/openssl/ssl/ssl_ciph.c50
-rw-r--r--crypto/openssl/ssl/ssl_err.c11
-rw-r--r--crypto/openssl/ssl/ssl_lib.c4
-rw-r--r--crypto/openssl/ssl/ssl_sess.c71
-rw-r--r--crypto/openssl/ssl/t1_enc.c11
-rw-r--r--crypto/openssl/ssl/t1_lib.c2
19 files changed, 215 insertions, 84 deletions
diff --git a/crypto/openssl/ssl/d1_lib.c b/crypto/openssl/ssl/d1_lib.c
index 7830811..d07a212 100644
--- a/crypto/openssl/ssl/d1_lib.c
+++ b/crypto/openssl/ssl/d1_lib.c
@@ -61,7 +61,7 @@
#include <openssl/objects.h>
#include "ssl_locl.h"
-const char *dtls1_version_str="DTLSv1" OPENSSL_VERSION_PTEXT;
+const char dtls1_version_str[]="DTLSv1" OPENSSL_VERSION_PTEXT;
SSL3_ENC_METHOD DTLSv1_enc_data={
dtls1_enc,
diff --git a/crypto/openssl/ssl/d1_pkt.c b/crypto/openssl/ssl/d1_pkt.c
index f8f4516..8270419 100644
--- a/crypto/openssl/ssl/d1_pkt.c
+++ b/crypto/openssl/ssl/d1_pkt.c
@@ -533,11 +533,7 @@ again:
n2s(p,rr->length);
/* Lets check version */
- if (s->first_packet)
- {
- s->first_packet=0;
- }
- else
+ if (!s->first_packet)
{
if (version != s->version)
{
diff --git a/crypto/openssl/ssl/kssl.c b/crypto/openssl/ssl/kssl.c
index ffa8d52..1064282 100644
--- a/crypto/openssl/ssl/kssl.c
+++ b/crypto/openssl/ssl/kssl.c
@@ -784,6 +784,25 @@ kssl_krb5_kt_get_entry(krb5_context context, krb5_keytab keytab,
}
#endif /* OPENSSL_SYS_WINDOWS || OPENSSL_SYS_WIN32 */
+
+/* memory allocation functions for non-temporary storage
+ * (e.g. stuff that gets saved into the kssl context) */
+static void* kssl_calloc(size_t nmemb, size_t size)
+{
+ void* p;
+
+ p=OPENSSL_malloc(nmemb*size);
+ if (p){
+ memset(p, 0, nmemb*size);
+ }
+ return p;
+}
+
+#define kssl_malloc(size) OPENSSL_malloc((size))
+#define kssl_realloc(ptr, size) OPENSSL_realloc(ptr, size)
+#define kssl_free(ptr) OPENSSL_free((ptr))
+
+
char
*kstring(char *string)
{
@@ -1548,7 +1567,7 @@ kssl_sget_tkt( /* UPDATE */ KSSL_CTX *kssl_ctx,
KSSL_CTX *
kssl_ctx_new(void)
{
- return ((KSSL_CTX *) calloc(1, sizeof(KSSL_CTX)));
+ return ((KSSL_CTX *) kssl_calloc(1, sizeof(KSSL_CTX)));
}
@@ -1562,13 +1581,13 @@ kssl_ctx_free(KSSL_CTX *kssl_ctx)
if (kssl_ctx->key) OPENSSL_cleanse(kssl_ctx->key,
kssl_ctx->length);
- if (kssl_ctx->key) free(kssl_ctx->key);
- if (kssl_ctx->client_princ) free(kssl_ctx->client_princ);
- if (kssl_ctx->service_host) free(kssl_ctx->service_host);
- if (kssl_ctx->service_name) free(kssl_ctx->service_name);
- if (kssl_ctx->keytab_file) free(kssl_ctx->keytab_file);
+ if (kssl_ctx->key) kssl_free(kssl_ctx->key);
+ if (kssl_ctx->client_princ) kssl_free(kssl_ctx->client_princ);
+ if (kssl_ctx->service_host) kssl_free(kssl_ctx->service_host);
+ if (kssl_ctx->service_name) kssl_free(kssl_ctx->service_name);
+ if (kssl_ctx->keytab_file) kssl_free(kssl_ctx->keytab_file);
- free(kssl_ctx);
+ kssl_free(kssl_ctx);
return (KSSL_CTX *) NULL;
}
@@ -1593,7 +1612,7 @@ kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which,
case KSSL_SERVER: princ = &kssl_ctx->service_host; break;
default: return KSSL_CTX_ERR; break;
}
- if (*princ) free(*princ);
+ if (*princ) kssl_free(*princ);
/* Add up all the entity->lengths */
length = 0;
@@ -1606,7 +1625,7 @@ kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which,
/* Space for the ('@'+realm+NULL | NULL) */
length += ((realm)? realm->length + 2: 1);
- if ((*princ = calloc(1, length)) == NULL)
+ if ((*princ = kssl_calloc(1, length)) == NULL)
return KSSL_CTX_ERR;
else
{
@@ -1649,7 +1668,7 @@ kssl_ctx_setstring(KSSL_CTX *kssl_ctx, int which, char *text)
case KSSL_KEYTAB: string = &kssl_ctx->keytab_file; break;
default: return KSSL_CTX_ERR; break;
}
- if (*string) free(*string);
+ if (*string) kssl_free(*string);
if (!text)
{
@@ -1657,7 +1676,7 @@ kssl_ctx_setstring(KSSL_CTX *kssl_ctx, int which, char *text)
return KSSL_CTX_OK;
}
- if ((*string = calloc(1, strlen(text) + 1)) == NULL)
+ if ((*string = kssl_calloc(1, strlen(text) + 1)) == NULL)
return KSSL_CTX_ERR;
else
strcpy(*string, text);
@@ -1681,7 +1700,7 @@ kssl_ctx_setkey(KSSL_CTX *kssl_ctx, krb5_keyblock *session)
if (kssl_ctx->key)
{
OPENSSL_cleanse(kssl_ctx->key, kssl_ctx->length);
- free(kssl_ctx->key);
+ kssl_free(kssl_ctx->key);
}
if (session)
@@ -1707,7 +1726,7 @@ kssl_ctx_setkey(KSSL_CTX *kssl_ctx, krb5_keyblock *session)
}
if ((kssl_ctx->key =
- (krb5_octet FAR *) calloc(1, kssl_ctx->length)) == NULL)
+ (krb5_octet FAR *) kssl_calloc(1, kssl_ctx->length)) == NULL)
{
kssl_ctx->length = 0;
return KSSL_CTX_ERR;
diff --git a/crypto/openssl/ssl/s23_clnt.c b/crypto/openssl/ssl/s23_clnt.c
index ed4ee72..769dabd 100644
--- a/crypto/openssl/ssl/s23_clnt.c
+++ b/crypto/openssl/ssl/s23_clnt.c
@@ -574,7 +574,6 @@ static int ssl23_get_server_hello(SSL *s)
if (!ssl_get_new_session(s,0))
goto err;
- s->first_packet=1;
return(SSL_connect(s));
err:
return(-1);
diff --git a/crypto/openssl/ssl/s23_srvr.c b/crypto/openssl/ssl/s23_srvr.c
index da4f377..6637bb95 100644
--- a/crypto/openssl/ssl/s23_srvr.c
+++ b/crypto/openssl/ssl/s23_srvr.c
@@ -565,7 +565,6 @@ int ssl23_get_client_hello(SSL *s)
s->init_num=0;
if (buf != buf_space) OPENSSL_free(buf);
- s->first_packet=1;
return(SSL_accept(s));
err:
if (buf != buf_space) OPENSSL_free(buf);
diff --git a/crypto/openssl/ssl/s2_enc.c b/crypto/openssl/ssl/s2_enc.c
index 18882bf..1f62acd 100644
--- a/crypto/openssl/ssl/s2_enc.c
+++ b/crypto/openssl/ssl/s2_enc.c
@@ -82,15 +82,18 @@ int ssl2_enc_init(SSL *s, int client)
((s->enc_read_ctx=(EVP_CIPHER_CTX *)
OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL))
goto err;
+
+ /* make sure it's intialized in case the malloc for enc_write_ctx fails
+ * and we exit with an error */
+ rs= s->enc_read_ctx;
+ EVP_CIPHER_CTX_init(rs);
+
if ((s->enc_write_ctx == NULL) &&
((s->enc_write_ctx=(EVP_CIPHER_CTX *)
OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL))
goto err;
- rs= s->enc_read_ctx;
ws= s->enc_write_ctx;
-
- EVP_CIPHER_CTX_init(rs);
EVP_CIPHER_CTX_init(ws);
num=c->key_len;
diff --git a/crypto/openssl/ssl/s2_lib.c b/crypto/openssl/ssl/s2_lib.c
index def3a6e..10751b2 100644
--- a/crypto/openssl/ssl/s2_lib.c
+++ b/crypto/openssl/ssl/s2_lib.c
@@ -63,7 +63,7 @@
#include <openssl/evp.h>
#include <openssl/md5.h>
-const char *ssl2_version_str="SSLv2" OPENSSL_VERSION_PTEXT;
+const char ssl2_version_str[]="SSLv2" OPENSSL_VERSION_PTEXT;
#define SSL2_NUM_CIPHERS (sizeof(ssl2_ciphers)/sizeof(SSL_CIPHER))
diff --git a/crypto/openssl/ssl/s3_clnt.c b/crypto/openssl/ssl/s3_clnt.c
index 2678885..278be82 100644
--- a/crypto/openssl/ssl/s3_clnt.c
+++ b/crypto/openssl/ssl/s3_clnt.c
@@ -1796,8 +1796,10 @@ int ssl3_send_client_key_exchange(SSL *s)
n+=2;
}
- if (RAND_bytes(tmp_buf,sizeof tmp_buf) <= 0)
- goto err;
+ tmp_buf[0]=s->client_version>>8;
+ tmp_buf[1]=s->client_version&0xff;
+ if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0)
+ goto err;
/* 20010420 VRS. Tried it this way; failed.
** EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL);
diff --git a/crypto/openssl/ssl/s3_enc.c b/crypto/openssl/ssl/s3_enc.c
index 561a984..2859351 100644
--- a/crypto/openssl/ssl/s3_enc.c
+++ b/crypto/openssl/ssl/s3_enc.c
@@ -221,6 +221,9 @@ int ssl3_change_cipher_state(SSL *s, int which)
reuse_dd = 1;
else if ((s->enc_read_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
goto err;
+ else
+ /* make sure it's intialized in case we exit later with an error */
+ EVP_CIPHER_CTX_init(s->enc_read_ctx);
dd= s->enc_read_ctx;
s->read_hash=m;
#ifndef OPENSSL_NO_COMP
@@ -254,6 +257,9 @@ int ssl3_change_cipher_state(SSL *s, int which)
reuse_dd = 1;
else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
goto err;
+ else
+ /* make sure it's intialized in case we exit later with an error */
+ EVP_CIPHER_CTX_init(s->enc_write_ctx);
dd= s->enc_write_ctx;
s->write_hash=m;
#ifndef OPENSSL_NO_COMP
@@ -279,7 +285,6 @@ int ssl3_change_cipher_state(SSL *s, int which)
if (reuse_dd)
EVP_CIPHER_CTX_cleanup(dd);
- EVP_CIPHER_CTX_init(dd);
p=s->s3->tmp.key_block;
i=EVP_MD_size(m);
diff --git a/crypto/openssl/ssl/s3_lib.c b/crypto/openssl/ssl/s3_lib.c
index 0eff243..28eaf9d 100644
--- a/crypto/openssl/ssl/s3_lib.c
+++ b/crypto/openssl/ssl/s3_lib.c
@@ -132,7 +132,7 @@
#endif
#include <openssl/pq_compat.h>
-const char *ssl3_version_str="SSLv3" OPENSSL_VERSION_PTEXT;
+const char ssl3_version_str[]="SSLv3" OPENSSL_VERSION_PTEXT;
#define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers)/sizeof(SSL_CIPHER))
@@ -568,7 +568,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
SSL_kKRB5|SSL_aKRB5| SSL_3DES|SSL_SHA1 |SSL_SSLV3,
SSL_NOT_EXP|SSL_HIGH,
0,
- 112,
+ 168,
168,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
@@ -624,7 +624,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
SSL_kKRB5|SSL_aKRB5| SSL_3DES|SSL_MD5 |SSL_SSLV3,
SSL_NOT_EXP|SSL_HIGH,
0,
- 112,
+ 168,
168,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
@@ -694,7 +694,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
SSL_kKRB5|SSL_aKRB5| SSL_RC4|SSL_SHA1 |SSL_SSLV3,
SSL_EXPORT|SSL_EXP40,
0,
- 128,
+ 40,
128,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
@@ -736,7 +736,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
SSL_kKRB5|SSL_aKRB5| SSL_RC4|SSL_MD5 |SSL_SSLV3,
SSL_EXPORT|SSL_EXP40,
0,
- 128,
+ 40,
128,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
diff --git a/crypto/openssl/ssl/s3_pkt.c b/crypto/openssl/ssl/s3_pkt.c
index d0f54e2..44c7c14 100644
--- a/crypto/openssl/ssl/s3_pkt.c
+++ b/crypto/openssl/ssl/s3_pkt.c
@@ -277,11 +277,7 @@ again:
n2s(p,rr->length);
/* Lets check version */
- if (s->first_packet)
- {
- s->first_packet=0;
- }
- else
+ if (!s->first_packet)
{
if (version != s->version)
{
diff --git a/crypto/openssl/ssl/s3_srvr.c b/crypto/openssl/ssl/s3_srvr.c
index 098eea1..9414cf0 100644
--- a/crypto/openssl/ssl/s3_srvr.c
+++ b/crypto/openssl/ssl/s3_srvr.c
@@ -300,8 +300,9 @@ int ssl3_accept(SSL *s)
case SSL3_ST_SW_CERT_A:
case SSL3_ST_SW_CERT_B:
- /* Check if it is anon DH or anon ECDH */
- if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
+ /* Check if it is anon DH or anon ECDH or KRB5 */
+ if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL)
+ && !(s->s3->tmp.new_cipher->algorithms & SSL_aKRB5))
{
ret=ssl3_send_server_certificate(s);
if (ret <= 0) goto end;
@@ -679,9 +680,9 @@ int ssl3_get_client_hello(SSL *s)
*/
if (s->state == SSL3_ST_SR_CLNT_HELLO_A)
{
- s->first_packet=1;
s->state=SSL3_ST_SR_CLNT_HELLO_B;
}
+ s->first_packet=1;
n=s->method->ssl_get_message(s,
SSL3_ST_SR_CLNT_HELLO_B,
SSL3_ST_SR_CLNT_HELLO_C,
@@ -690,6 +691,7 @@ int ssl3_get_client_hello(SSL *s)
&ok);
if (!ok) return((int)n);
+ s->first_packet=0;
d=p=(unsigned char *)s->init_msg;
/* use version from inside client hello, not from record header
@@ -1995,6 +1997,25 @@ int ssl3_get_client_key_exchange(SSL *s)
SSL_R_DATA_LENGTH_TOO_LONG);
goto err;
}
+ if (!((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff))))
+ {
+ /* The premaster secret must contain the same version number as the
+ * ClientHello to detect version rollback attacks (strangely, the
+ * protocol does not offer such protection for DH ciphersuites).
+ * However, buggy clients exist that send random bytes instead of
+ * the protocol version.
+ * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients.
+ * (Perhaps we should have a separate BUG value for the Kerberos cipher)
+ */
+ if (!((s->options & SSL_OP_TLS_ROLLBACK_BUG) &&
+ (p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff))))
+ {
+ SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+ SSL_AD_DECODE_ERROR);
+ goto err;
+ }
+ }
+
EVP_CIPHER_CTX_cleanup(&ciph_ctx);
s->session->master_key_length=
@@ -2042,7 +2063,7 @@ int ssl3_get_client_key_exchange(SSL *s)
if (l & SSL_kECDH)
{
/* use the certificate */
- tkey = s->cert->key->privatekey->pkey.ec;
+ tkey = s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec;
}
else
{
diff --git a/crypto/openssl/ssl/ssl.h b/crypto/openssl/ssl/ssl.h
index 83f1fee..2e067e7 100644
--- a/crypto/openssl/ssl/ssl.h
+++ b/crypto/openssl/ssl/ssl.h
@@ -319,7 +319,7 @@ extern "C" {
#ifdef OPENSSL_NO_CAMELLIA
# define SSL_DEFAULT_CIPHER_LIST "ALL:!ADH:+RC4:@STRENGTH" /* low priority for RC4 */
#else
-# define SSL_DEFAULT_CIPHER_LIST "AES:CAMELLIA:-ECCdraft:ALL:!ADH:+RC4:@STRENGTH" /* low priority for RC4 */
+# define SSL_DEFAULT_CIPHER_LIST "AES:CAMELLIA:ALL:!ADH:+RC4:@STRENGTH" /* low priority for RC4 */
#endif
/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
@@ -791,18 +791,18 @@ struct ssl_ctx_st
#define SSL_CTX_sess_cache_full(ctx) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CACHE_FULL,0,NULL)
-#define SSL_CTX_sess_set_new_cb(ctx,cb) ((ctx)->new_session_cb=(cb))
-#define SSL_CTX_sess_get_new_cb(ctx) ((ctx)->new_session_cb)
-#define SSL_CTX_sess_set_remove_cb(ctx,cb) ((ctx)->remove_session_cb=(cb))
-#define SSL_CTX_sess_get_remove_cb(ctx) ((ctx)->remove_session_cb)
-#define SSL_CTX_sess_set_get_cb(ctx,cb) ((ctx)->get_session_cb=(cb))
-#define SSL_CTX_sess_get_get_cb(ctx) ((ctx)->get_session_cb)
-#define SSL_CTX_set_info_callback(ctx,cb) ((ctx)->info_callback=(cb))
-#define SSL_CTX_get_info_callback(ctx) ((ctx)->info_callback)
-#define SSL_CTX_set_client_cert_cb(ctx,cb) ((ctx)->client_cert_cb=(cb))
-#define SSL_CTX_get_client_cert_cb(ctx) ((ctx)->client_cert_cb)
-#define SSL_CTX_set_cookie_generate_cb(ctx,cb) ((ctx)->app_gen_cookie_cb=(cb))
-#define SSL_CTX_set_cookie_verify_cb(ctx,cb) ((ctx)->app_verify_cookie_cb=(cb))
+void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx, int (*new_session_cb)(struct ssl_st *ssl,SSL_SESSION *sess));
+int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(struct ssl_st *ssl, SSL_SESSION *sess);
+void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx, void (*remove_session_cb)(struct ssl_ctx_st *ctx,SSL_SESSION *sess));
+void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(struct ssl_ctx_st *ctx, SSL_SESSION *sess);
+void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx, SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl, unsigned char *data,int len,int *copy));
+SSL_SESSION *(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(struct ssl_st *ssl, unsigned char *Data, int len, int *copy);
+void SSL_CTX_set_info_callback(SSL_CTX *ctx, void (*cb)(const SSL *ssl,int type,int val));
+void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl,int type,int val);
+void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey));
+int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
+void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx, int (*app_gen_cookie_cb)(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len));
+void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx, int (*app_verify_cookie_cb)(SSL *ssl, unsigned char *cookie, unsigned int cookie_len));
#define SSL_NOTHING 1
#define SSL_WRITING 2
diff --git a/crypto/openssl/ssl/ssl_ciph.c b/crypto/openssl/ssl/ssl_ciph.c
index 933d487..9bb770d 100644
--- a/crypto/openssl/ssl/ssl_ciph.c
+++ b/crypto/openssl/ssl/ssl_ciph.c
@@ -432,9 +432,18 @@ static void ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr,
*tail=curr;
}
-static unsigned long ssl_cipher_get_disabled(void)
+struct disabled_masks { /* This is a kludge no longer needed with OpenSSL 0.9.9,
+ * where 128-bit and 256-bit algorithms simply will get
+ * separate bits. */
+ unsigned long mask; /* everything except m256 */
+ unsigned long m256; /* applies to 256-bit algorithms only */
+};
+
+struct disabled_masks ssl_cipher_get_disabled(void)
{
unsigned long mask;
+ unsigned long m256;
+ struct disabled_masks ret;
mask = SSL_kFZA;
#ifdef OPENSSL_NO_RSA
@@ -462,18 +471,26 @@ static unsigned long ssl_cipher_get_disabled(void)
mask |= (ssl_cipher_methods[SSL_ENC_RC2_IDX ] == NULL) ? SSL_RC2 :0;
mask |= (ssl_cipher_methods[SSL_ENC_IDEA_IDX] == NULL) ? SSL_IDEA:0;
mask |= (ssl_cipher_methods[SSL_ENC_eFZA_IDX] == NULL) ? SSL_eFZA:0;
- mask |= (ssl_cipher_methods[SSL_ENC_AES128_IDX] == NULL) ? SSL_AES:0;
- mask |= (ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX] == NULL) ? SSL_CAMELLIA:0;
mask |= (ssl_digest_methods[SSL_MD_MD5_IDX ] == NULL) ? SSL_MD5 :0;
mask |= (ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL) ? SSL_SHA1:0;
- return(mask);
+ /* finally consider algorithms where mask and m256 differ */
+ m256 = mask;
+ mask |= (ssl_cipher_methods[SSL_ENC_AES128_IDX] == NULL) ? SSL_AES:0;
+ mask |= (ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX] == NULL) ? SSL_CAMELLIA:0;
+ m256 |= (ssl_cipher_methods[SSL_ENC_AES256_IDX] == NULL) ? SSL_AES:0;
+ m256 |= (ssl_cipher_methods[SSL_ENC_CAMELLIA256_IDX] == NULL) ? SSL_CAMELLIA:0;
+
+ ret.mask = mask;
+ ret.m256 = m256;
+ return ret;
}
static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
- int num_of_ciphers, unsigned long mask, CIPHER_ORDER *co_list,
- CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
+ int num_of_ciphers, unsigned long mask, unsigned long m256,
+ CIPHER_ORDER *co_list, CIPHER_ORDER **head_p,
+ CIPHER_ORDER **tail_p)
{
int i, co_list_num;
SSL_CIPHER *c;
@@ -490,8 +507,9 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
for (i = 0; i < num_of_ciphers; i++)
{
c = ssl_method->get_cipher(i);
+#define IS_MASKED(c) ((c)->algorithms & (((c)->alg_bits == 256) ? m256 : mask))
/* drop those that use any of that is not available */
- if ((c != NULL) && c->valid && !(c->algorithms & mask))
+ if ((c != NULL) && c->valid && !IS_MASKED(c))
{
co_list[co_list_num].cipher = c;
co_list[co_list_num].next = NULL;
@@ -898,7 +916,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
* rest of the command, if any left, until
* end or ':' is found.
*/
- while ((*l != '\0') && ITEM_SEP(*l))
+ while ((*l != '\0') && !ITEM_SEP(*l))
l++;
}
else if (found)
@@ -909,7 +927,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
}
else
{
- while ((*l != '\0') && ITEM_SEP(*l))
+ while ((*l != '\0') && !ITEM_SEP(*l))
l++;
}
if (*l == '\0') break; /* done */
@@ -925,6 +943,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
{
int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases;
unsigned long disabled_mask;
+ unsigned long disabled_m256;
STACK_OF(SSL_CIPHER) *cipherstack, *tmp_cipher_list;
const char *rule_p;
CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
@@ -940,7 +959,12 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
* To reduce the work to do we only want to process the compiled
* in algorithms, so we first get the mask of disabled ciphers.
*/
- disabled_mask = ssl_cipher_get_disabled();
+ {
+ struct disabled_masks d;
+ d = ssl_cipher_get_disabled();
+ disabled_mask = d.mask;
+ disabled_m256 = d.m256;
+ }
/*
* Now we have to collect the available ciphers from the compiled
@@ -959,7 +983,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
}
ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers, disabled_mask,
- co_list, &head, &tail);
+ disabled_m256, co_list, &head, &tail);
/*
* We also need cipher aliases for selecting based on the rule_str.
@@ -979,8 +1003,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
return(NULL); /* Failure */
}
- ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, disabled_mask,
- head);
+ ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
+ (disabled_mask & disabled_m256), head);
/*
* If the rule_string begins with DEFAULT, apply the default rule
diff --git a/crypto/openssl/ssl/ssl_err.c b/crypto/openssl/ssl/ssl_err.c
index 4a4ba68..e7f4d93 100644
--- a/crypto/openssl/ssl/ssl_err.c
+++ b/crypto/openssl/ssl/ssl_err.c
@@ -204,7 +204,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
{ERR_FUNC(SSL_F_SSL_GET_SERVER_SEND_CERT), "SSL_GET_SERVER_SEND_CERT"},
{ERR_FUNC(SSL_F_SSL_GET_SIGN_PKEY), "SSL_GET_SIGN_PKEY"},
{ERR_FUNC(SSL_F_SSL_INIT_WBIO_BUFFER), "SSL_INIT_WBIO_BUFFER"},
-{ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE), "SSL_LOAD_CLIENT_CA_FILE"},
+{ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE), "SSL_load_client_CA_file"},
{ERR_FUNC(SSL_F_SSL_NEW), "SSL_new"},
{ERR_FUNC(SSL_F_SSL_PEEK), "SSL_peek"},
{ERR_FUNC(SSL_F_SSL_READ), "SSL_read"},
@@ -486,15 +486,12 @@ static ERR_STRING_DATA SSL_str_reasons[]=
void ERR_load_SSL_strings(void)
{
- static int init=1;
+#ifndef OPENSSL_NO_ERR
- if (init)
+ if (ERR_func_error_string(SSL_str_functs[0].error) == NULL)
{
- init=0;
-#ifndef OPENSSL_NO_ERR
ERR_load_strings(0,SSL_str_functs);
ERR_load_strings(0,SSL_str_reasons);
-#endif
-
}
+#endif
}
diff --git a/crypto/openssl/ssl/ssl_lib.c b/crypto/openssl/ssl/ssl_lib.c
index 4971b34..4e81922 100644
--- a/crypto/openssl/ssl/ssl_lib.c
+++ b/crypto/openssl/ssl/ssl_lib.c
@@ -2416,14 +2416,14 @@ int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
#endif
void SSL_set_info_callback(SSL *ssl,
- void (*cb)(const SSL *ssl,int type,int val))
+ void (*cb)(const SSL *ssl,int type,int val))
{
ssl->info_callback=cb;
}
/* One compiler (Diab DCC) doesn't like argument names in returned
function pointer. */
-void (*SSL_get_info_callback(const SSL *ssl))(const SSL * /*ssl*/,int /*type*/,int /*val*/)
+void (*SSL_get_info_callback(const SSL *ssl))(const SSL * /*ssl*/,int /*type*/,int /*val*/)
{
return ssl->info_callback;
}
diff --git a/crypto/openssl/ssl/ssl_sess.c b/crypto/openssl/ssl/ssl_sess.c
index 2f26593..f80eee6 100644
--- a/crypto/openssl/ssl/ssl_sess.c
+++ b/crypto/openssl/ssl/ssl_sess.c
@@ -580,7 +580,7 @@ int SSL_set_session(SSL *s, SSL_SESSION *session)
if (s->kssl_ctx && !s->kssl_ctx->client_princ &&
session->krb5_client_princ_len > 0)
{
- s->kssl_ctx->client_princ = (char *)malloc(session->krb5_client_princ_len + 1);
+ s->kssl_ctx->client_princ = (char *)OPENSSL_malloc(session->krb5_client_princ_len + 1);
memcpy(s->kssl_ctx->client_princ,session->krb5_client_princ,
session->krb5_client_princ_len);
s->kssl_ctx->client_princ[session->krb5_client_princ_len] = '\0';
@@ -765,3 +765,72 @@ static void SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s)
}
}
+void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx,
+ int (*cb)(struct ssl_st *ssl,SSL_SESSION *sess))
+ {
+ ctx->new_session_cb=cb;
+ }
+
+int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(SSL *ssl, SSL_SESSION *sess)
+ {
+ return ctx->new_session_cb;
+ }
+
+void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx,
+ void (*cb)(SSL_CTX *ctx,SSL_SESSION *sess))
+ {
+ ctx->remove_session_cb=cb;
+ }
+
+void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(SSL_CTX * ctx,SSL_SESSION *sess)
+ {
+ return ctx->remove_session_cb;
+ }
+
+void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx,
+ SSL_SESSION *(*cb)(struct ssl_st *ssl,
+ unsigned char *data,int len,int *copy))
+ {
+ ctx->get_session_cb=cb;
+ }
+
+SSL_SESSION * (*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(SSL *ssl,
+ unsigned char *data,int len,int *copy)
+ {
+ return ctx->get_session_cb;
+ }
+
+void SSL_CTX_set_info_callback(SSL_CTX *ctx,
+ void (*cb)(const SSL *ssl,int type,int val))
+ {
+ ctx->info_callback=cb;
+ }
+
+void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl,int type,int val)
+ {
+ return ctx->info_callback;
+ }
+
+void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx,
+ int (*cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey))
+ {
+ ctx->client_cert_cb=cb;
+ }
+
+int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL * ssl, X509 ** x509 , EVP_PKEY **pkey)
+ {
+ return ctx->client_cert_cb;
+ }
+
+void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx,
+ int (*cb)(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len))
+ {
+ ctx->app_gen_cookie_cb=cb;
+ }
+
+void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx,
+ int (*cb)(SSL *ssl, unsigned char *cookie, unsigned int cookie_len))
+ {
+ ctx->app_verify_cookie_cb=cb;
+ }
+
diff --git a/crypto/openssl/ssl/t1_enc.c b/crypto/openssl/ssl/t1_enc.c
index e0ce681..68448b9 100644
--- a/crypto/openssl/ssl/t1_enc.c
+++ b/crypto/openssl/ssl/t1_enc.c
@@ -267,6 +267,9 @@ int tls1_change_cipher_state(SSL *s, int which)
reuse_dd = 1;
else if ((s->enc_read_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
goto err;
+ else
+ /* make sure it's intialized in case we exit later with an error */
+ EVP_CIPHER_CTX_init(s->enc_read_ctx);
dd= s->enc_read_ctx;
s->read_hash=m;
#ifndef OPENSSL_NO_COMP
@@ -301,10 +304,9 @@ int tls1_change_cipher_state(SSL *s, int which)
reuse_dd = 1;
else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
goto err;
- if ((s->enc_write_ctx == NULL) &&
- ((s->enc_write_ctx=(EVP_CIPHER_CTX *)
- OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL))
- goto err;
+ else
+ /* make sure it's intialized in case we exit later with an error */
+ EVP_CIPHER_CTX_init(s->enc_write_ctx);
dd= s->enc_write_ctx;
s->write_hash=m;
#ifndef OPENSSL_NO_COMP
@@ -331,7 +333,6 @@ int tls1_change_cipher_state(SSL *s, int which)
if (reuse_dd)
EVP_CIPHER_CTX_cleanup(dd);
- EVP_CIPHER_CTX_init(dd);
p=s->s3->tmp.key_block;
i=EVP_MD_size(m);
diff --git a/crypto/openssl/ssl/t1_lib.c b/crypto/openssl/ssl/t1_lib.c
index d4516eb..1ecbbcb 100644
--- a/crypto/openssl/ssl/t1_lib.c
+++ b/crypto/openssl/ssl/t1_lib.c
@@ -60,7 +60,7 @@
#include <openssl/objects.h>
#include "ssl_locl.h"
-const char *tls1_version_str="TLSv1" OPENSSL_VERSION_PTEXT;
+const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
SSL3_ENC_METHOD TLSv1_enc_data={
tls1_enc,
OpenPOWER on IntegriCloud