diff --git a/CHANGES b/CHANGES index 043c7552a..470435fe8 100644 --- a/CHANGES +++ b/CHANGES @@ -5,6 +5,15 @@ Changes between 0.9.1c and 0.9.2 + *) Updates to the new SSL compression code + [Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)] + + *) Fix so that the version number in the master secret, when passed + via RSA, checks that if TLS was proposed, but we roll back to SSLv3 + (because the server will not accept higher), that the version number + is 0x03,0x01, not 0x03,0x00 + [Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)] + *) Run extensive memory leak checks on SSL apps. Fixed *lots* of memory leaks in ssl/ relating to new X509_get_pubkey() behaviour. Also fixes in apps/ and an unrellated leak in crypto/dsa/dsa_vrf.c diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c index 1b4c06838..c0948fd2d 100644 --- a/ssl/s23_clnt.c +++ b/ssl/s23_clnt.c @@ -136,6 +136,13 @@ SSL *s; case SSL_ST_BEFORE|SSL_ST_CONNECT: case SSL_ST_OK|SSL_ST_CONNECT: + if (s->session != NULL) + { + SSLerr(SSL_F_SSL23_CONNECT,SSL_R_SSL23_DOING_SESSION_ID_REUSE); + ret= -1; + goto end; + } + s->server=0; if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); /* s->version=TLS1_VERSION; */ @@ -161,7 +168,7 @@ SSL *s; ssl3_init_finished_mac(s); s->state=SSL23_ST_CW_CLNT_HELLO_A; - s->ctx->sess_connect++; + s->ctx->stats.sess_connect++; s->init_num=0; break; @@ -238,16 +245,19 @@ SSL *s; { *(d++)=TLS1_VERSION_MAJOR; *(d++)=TLS1_VERSION_MINOR; + s->client_version=TLS1_VERSION; } else if (!(s->options & SSL_OP_NO_SSLv3)) { *(d++)=SSL3_VERSION_MAJOR; *(d++)=SSL3_VERSION_MINOR; + s->client_version=SSL3_VERSION; } else if (!(s->options & SSL_OP_NO_SSLv2)) { *(d++)=SSL2_VERSION_MAJOR; *(d++)=SSL2_VERSION_MINOR; + s->client_version=SSL2_VERSION; } else { diff --git a/ssl/s23_pkt.c b/ssl/s23_pkt.c index c25c31277..99f909d50 100644 --- a/ssl/s23_pkt.c +++ b/ssl/s23_pkt.c @@ -76,7 +76,7 @@ SSL *s; { s->rwstate=SSL_WRITING; i=BIO_write(s->wbio,&(buf[tot]),num); - if (i < 0) + if (i <= 0) { s->init_off=tot; s->init_num=num; diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c index 6c8afeb85..d1f49e5ac 100644 --- a/ssl/s23_srvr.c +++ b/ssl/s23_srvr.c @@ -134,6 +134,7 @@ SSL *s; case SSL_ST_BEFORE|SSL_ST_ACCEPT: case SSL_ST_OK|SSL_ST_ACCEPT: + s->server=1; if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); /* s->version=SSL3_VERSION; */ @@ -157,7 +158,7 @@ SSL *s; ssl3_init_finished_mac(s); s->state=SSL23_ST_SR_CLNT_HELLO_A; - s->ctx->sess_accept++; + s->ctx->stats.sess_accept++; s->init_num=0; break; @@ -203,8 +204,10 @@ SSL *s; unsigned int csl,sil,cl; int n=0,j,tls1=0; int type=0,use_sslv2_strong=0; + int v[2]; /* read the initial header */ + v[0]=v[1]=0; if (s->state == SSL23_ST_SR_CLNT_HELLO_A) { if (!ssl3_setup_buffers(s)) goto err; @@ -221,12 +224,14 @@ SSL *s; /* SSLv2 header */ if ((p[3] == 0x00) && (p[4] == 0x02)) { + v[0]=p[3]; v[1]=p[4]; /* SSLv2 */ if (!(s->options & SSL_OP_NO_SSLv2)) type=1; } else if (p[3] == SSL3_VERSION_MAJOR) { + v[0]=p[3]; v[1]=p[4]; /* SSLv3/TLSv1 */ if (p[4] >= TLS1_VERSION_MINOR) { @@ -307,6 +312,7 @@ SSL *s; (p[1] == SSL3_VERSION_MAJOR) && (p[5] == SSL3_MT_CLIENT_HELLO)) { + v[0]=p[1]; v[1]=p[2]; /* true SSLv3 or tls1 */ if (p[2] >= TLS1_VERSION_MINOR) { @@ -486,6 +492,7 @@ next_bit: s->version=SSL3_VERSION; s->method=SSLv3_server_method(); } + s->client_version=(v[0]<<8)|v[1]; s->handshake_func=s->method->ssl_accept; } diff --git a/ssl/s2_clnt.c b/ssl/s2_clnt.c index 9c8037b48..bbac33cf3 100644 --- a/ssl/s2_clnt.c +++ b/ssl/s2_clnt.c @@ -146,6 +146,7 @@ SSL *s; case SSL_ST_BEFORE|SSL_ST_CONNECT: case SSL_ST_OK|SSL_ST_CONNECT: + s->server=0; if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); s->version=SSL2_VERSION; @@ -166,7 +167,7 @@ SSL *s; s->init_buf=buf; s->init_num=0; s->state=SSL2_ST_SEND_CLIENT_HELLO_A; - s->ctx->sess_connect++; + s->ctx->stats.sess_connect++; s->handshake_func=ssl2_connect; BREAK; @@ -249,8 +250,11 @@ SSL *s; break; case SSL_ST_OK: - BUF_MEM_free(s->init_buf); - s->init_buf=NULL; + if (s->init_buf != NULL) + { + BUF_MEM_free(s->init_buf); + s->init_buf=NULL; + } s->init_num=0; /* ERR_clear_error();*/ @@ -261,11 +265,11 @@ SSL *s; */ ssl_update_cache(s,SSL_SESS_CACHE_CLIENT); - if (s->hit) s->ctx->sess_hit++; + if (s->hit) s->ctx->stats.sess_hit++; ret=1; /* s->server=0; */ - s->ctx->sess_connect_good++; + s->ctx->stats.sess_connect_good++; if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1); @@ -538,7 +542,7 @@ SSL *s; if (s->state == SSL2_ST_SEND_CLIENT_MASTER_KEY_A) { - if (!ssl_cipher_get_evp(s->session->cipher,&c,&md)) + if (!ssl_cipher_get_evp(s->session,&c,&md,NULL)) { ssl2_return_error(s,SSL2_PE_NO_CIPHER); SSLerr(SSL_F_CLIENT_MASTER_KEY,SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS); diff --git a/ssl/s2_enc.c b/ssl/s2_enc.c index b43056fa1..63ebf2874 100644 --- a/ssl/s2_enc.c +++ b/ssl/s2_enc.c @@ -69,7 +69,7 @@ int client; EVP_MD *md; int num; - if (!ssl_cipher_get_evp(s->session->cipher,&c,&md)) + if (!ssl_cipher_get_evp(s->session,&c,&md,NULL)) { ssl2_return_error(s,SSL2_PE_NO_CIPHER); SSLerr(SSL_F_SSL2_ENC_INIT,SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS); diff --git a/ssl/s2_srvr.c b/ssl/s2_srvr.c index 8580ac6a8..814e38f48 100644 --- a/ssl/s2_srvr.c +++ b/ssl/s2_srvr.c @@ -155,6 +155,7 @@ SSL *s; case SSL_ST_BEFORE|SSL_ST_ACCEPT: case SSL_ST_OK|SSL_ST_ACCEPT: + s->server=1; if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); s->version=SSL2_VERSION; @@ -168,7 +169,7 @@ SSL *s; { ret= -1; goto end; } s->init_buf=buf; s->init_num=0; - s->ctx->sess_accept++; + s->ctx->stats.sess_accept++; s->handshake_func=ssl2_accept; s->state=SSL2_ST_GET_CLIENT_HELLO_A; BREAK; @@ -295,13 +296,14 @@ SSL *s; case SSL_ST_OK: BUF_MEM_free(s->init_buf); + ssl_free_wbio_buffer(s); s->init_buf=NULL; s->init_num=0; /* ERR_clear_error();*/ ssl_update_cache(s,SSL_SESS_CACHE_SERVER); - s->ctx->sess_accept_good++; + s->ctx->stats.sess_accept_good++; /* s->server=1; */ ret=1; @@ -336,9 +338,6 @@ static int get_client_master_key(s) SSL *s; { int export,i,n,keya,ek; -#if 0 - int error=0; -#endif unsigned char *p; SSL_CIPHER *cp; EVP_CIPHER *c; @@ -404,7 +403,7 @@ SSL *s; export=(s->session->cipher->algorithms & SSL_EXP)?1:0; - if (!ssl_cipher_get_evp(s->session->cipher,&c,&md)) + if (!ssl_cipher_get_evp(s->session,&c,&md,NULL)) { ssl2_return_error(s,SSL2_PE_NO_CIPHER); SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS); diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index 363118835..b2649ed99 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -134,7 +134,6 @@ SSL *s; long num1; void (*cb)()=NULL; int ret= -1; - BIO *under; int new_state,state,skip=0;; RAND_seed(&Time,sizeof(Time)); @@ -158,13 +157,14 @@ SSL *s; case SSL_ST_RENEGOTIATE: s->new_session=1; s->state=SSL_ST_CONNECT; - s->ctx->sess_connect_renegotiate++; + s->ctx->stats.sess_connect_renegotiate++; /* break */ case SSL_ST_BEFORE: case SSL_ST_CONNECT: case SSL_ST_BEFORE|SSL_ST_CONNECT: case SSL_ST_OK|SSL_ST_CONNECT: + s->server=0; if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); if ((s->version & 0xff00 ) != 0x0300) @@ -197,7 +197,7 @@ SSL *s; ssl3_init_finished_mac(s); s->state=SSL3_ST_CW_CLNT_HELLO_A; - s->ctx->sess_connect++; + s->ctx->stats.sess_connect++; s->init_num=0; break; @@ -326,6 +326,11 @@ SSL *s; s->init_num=0; s->session->cipher=s->s3->tmp.new_cipher; + if (s->s3->tmp.new_compression == NULL) + s->session->compress_meth=0; + else + s->session->compress_meth= + s->s3->tmp.new_compression->id; if (!s->method->ssl3_enc->setup_key_block(s)) { ret= -1; @@ -401,33 +406,28 @@ SSL *s; /* clean a few things up */ ssl3_cleanup_key_block(s); - BUF_MEM_free(s->init_buf); - s->init_buf=NULL; - - if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER)) + if (s->init_buf != NULL) { - /* remove buffering */ - under=BIO_pop(s->wbio); - if (under != NULL) - s->wbio=under; - else - abort(); /* ok */ - - BIO_free(s->bbio); - s->bbio=NULL; + BUF_MEM_free(s->init_buf); + s->init_buf=NULL; } - /* else do it later */ + + /* If we are not 'joining' the last two packets, + * remove the buffering now */ + if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER)) + ssl_free_wbio_buffer(s); + /* else do it later in ssl3_write */ s->init_num=0; s->new_session=0; ssl_update_cache(s,SSL_SESS_CACHE_CLIENT); - if (s->hit) s->ctx->sess_hit++; + if (s->hit) s->ctx->stats.sess_hit++; ret=1; /* s->server=0; */ s->handshake_func=ssl3_connect; - s->ctx->sess_connect_good++; + s->ctx->stats.sess_connect_good++; if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1); @@ -473,8 +473,9 @@ SSL *s; { unsigned char *buf; unsigned char *p,*d; - int i; + int i,j; unsigned long Time,l; + SSL_COMP *comp; buf=(unsigned char *)s->init_buf->data; if (s->state == SSL3_ST_CW_CLNT_HELLO_A) @@ -498,6 +499,7 @@ SSL *s; *(p++)=s->version>>8; *(p++)=s->version&0xff; + s->client_version=s->version; /* Random stuff */ memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE); @@ -525,10 +527,18 @@ SSL *s; s2n(i,p); p+=i; - /* hardwire in the NULL compression algorithm. */ /* COMPRESSION */ - *(p++)=1; - *(p++)=0; + if (s->ctx->comp_methods == NULL) + j=0; + else + j=sk_num(s->ctx->comp_methods); + *(p++)=1+j; + for (i=0; ictx->comp_methods,i); + *(p++)=comp->id; + } + *(p++)=0; /* Add the NULL method */ l=(p-d); d=buf; @@ -556,6 +566,7 @@ SSL *s; int i,al,ok; unsigned int j; long n; + SSL_COMP *comp; n=ssl3_get_message(s, SSL3_ST_CR_SRVR_HELLO_A, @@ -649,12 +660,21 @@ SSL *s; /* lets get the compression algorithm */ /* COMPRESSION */ j= *(p++); - if (j != 0) + if (j == 0) + comp=NULL; + else + comp=ssl3_comp_find(s->ctx->comp_methods,j); + + if ((j != 0) && (comp == NULL)) { al=SSL_AD_ILLEGAL_PARAMETER; SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); goto f_err; } + else + { + s->s3->tmp.new_compression=comp; + } if (p != (d+n)) { @@ -996,6 +1016,7 @@ SSL *s; /* else anonymous DH, so no certificate or pkey. */ s->session->cert->dh_tmp=dh; + dh=NULL; } else if ((alg & SSL_kDHr) || (alg & SSL_kDHd)) { @@ -1326,8 +1347,8 @@ SSL *s; rsa=pkey->pkey.rsa; } - tmp_buf[0]=s->version>>8; - tmp_buf[1]=s->version&0xff; + tmp_buf[0]=s->client_version>>8; + tmp_buf[1]=s->client_version&0xff; RAND_bytes(&(tmp_buf[2]),SSL_MAX_MASTER_KEY_LENGTH-2); s->session->master_key_length=SSL_MAX_MASTER_KEY_LENGTH; diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c index c5c9a3be4..a655e12be 100644 --- a/ssl/s3_enc.c +++ b/ssl/s3_enc.c @@ -144,7 +144,10 @@ int which; exp=(s->s3->tmp.new_cipher->algorithms & SSL_EXPORT)?1:0; c=s->s3->tmp.new_sym_enc; m=s->s3->tmp.new_hash; - comp=s->s3->tmp.new_compression; + if (s->s3->tmp.new_compression == NULL) + comp=NULL; + else + comp=s->s3->tmp.new_compression->method; key_block=s->s3->tmp.key_block; if (which & SSL3_CC_READ) @@ -169,8 +172,9 @@ int which; SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR); goto err2; } - s->s3->rrec.comp=(unsigned char *) - Malloc(SSL3_RT_MAX_PLAIN_LENGTH); + if (s->s3->rrec.comp == NULL) + s->s3->rrec.comp=(unsigned char *) + Malloc(SSL3_RT_MAX_PLAIN_LENGTH); if (s->s3->rrec.comp == NULL) goto err; } @@ -280,11 +284,12 @@ SSL *s; EVP_CIPHER *c; EVP_MD *hash; int num,exp; + SSL_COMP *comp; if (s->s3->tmp.key_block_length != 0) return(1); - if (!ssl_cipher_get_evp(s->session->cipher,&c,&hash)) + if (!ssl_cipher_get_evp(s->session,&c,&hash,&comp)) { SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILABLE); return(0); @@ -292,11 +297,7 @@ SSL *s; s->s3->tmp.new_sym_enc=c; s->s3->tmp.new_hash=hash; -#ifdef ZLIB - s->s3->tmp.new_compression=COMP_zlib(); -#endif -/* s->s3->tmp.new_compression=COMP_rle(); */ -/* s->session->compress_meth= xxxxx */ + s->s3->tmp.new_compression=comp; exp=(s->session->cipher->algorithms & SSL_EXPORT)?1:0; @@ -454,7 +455,7 @@ unsigned char *p; unsigned char md_buf[EVP_MAX_MD_SIZE]; EVP_MD_CTX ctx; - memcpy(&ctx,in_ctx,sizeof(EVP_MD_CTX)); + EVP_MD_CTX_copy(&ctx,in_ctx); n=EVP_MD_CTX_size(&ctx); npad=(48/n)*n; diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 495c1c334..c64b760a4 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -486,6 +486,12 @@ SSL *s; if (s->s3->tmp.ca_names != NULL) sk_pop_free(s->s3->tmp.ca_names,X509_NAME_free); + if (s->s3->rrec.comp != NULL) + { + Free(s->s3->rrec.comp); + s->s3->rrec.comp=NULL; + } + rp=s->s3->rbuf.buf; wp=s->s3->wbuf.buf; @@ -493,11 +499,7 @@ SSL *s; if (rp != NULL) s->s3->rbuf.buf=rp; if (wp != NULL) s->s3->wbuf.buf=wp; - if (s->s3->rrec.comp != NULL) - { - Free(s->s3->rrec.comp); - s->s3->rrec.comp=NULL; - } + ssl_free_wbio_buffer(s); s->packet_length=0; s->s3->renegotiate=0; @@ -844,7 +846,6 @@ const char *buf; int len; { int ret,n; - BIO *under; #if 0 if (s->shutdown & SSL_SEND_SHUTDOWN) @@ -878,15 +879,12 @@ int len; if (n <= 0) return(n); s->rwstate=SSL_NOTHING; - /* We have flushed the buffer */ - under=BIO_pop(s->wbio); - s->wbio=under; - BIO_free(s->bbio); - s->bbio=NULL; + /* We have flushed the buffer, so remove it */ + ssl_free_wbio_buffer(s); + s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER; + ret=s->s3->delay_buf_pop_ret; s->s3->delay_buf_pop_ret=0; - - s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER; } else { @@ -987,4 +985,3 @@ need to go to SSL_ST_ACCEPT. return(ret); } - diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c index b7edc8faf..f5350bf1b 100644 --- a/ssl/s3_pkt.c +++ b/ssl/s3_pkt.c @@ -872,7 +872,9 @@ start: if (((s->state&SSL_ST_MASK) == SSL_ST_OK) && !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) { - s->state=SSL_ST_BEFORE; + s->state=SSL_ST_BEFORE|(s->server) + ?SSL_ST_ACCEPT + :SSL_ST_CONNECT; s->new_session=1; } n=s->handshake_func(s); diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index a827a58d4..a4c074448 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -135,7 +135,6 @@ SSL *s; long num1; int ret= -1; CERT *ct; - BIO *under; int new_state,state,skip=0; RAND_seed(&Time,sizeof(Time)); @@ -178,6 +177,7 @@ SSL *s; case SSL_ST_BEFORE|SSL_ST_ACCEPT: case SSL_ST_OK|SSL_ST_ACCEPT: + s->server=1; if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); if ((s->version>>8) != 3) @@ -217,11 +217,11 @@ SSL *s; { s->state=SSL3_ST_SR_CLNT_HELLO_A; ssl3_init_finished_mac(s); - s->ctx->sess_accept++; + s->ctx->stats.sess_accept++; } else { - s->ctx->sess_accept_renegotiate++; + s->ctx->stats.sess_accept_renegotiate++; s->state=SSL3_ST_SW_HELLO_REQ_A; } break; @@ -240,15 +240,6 @@ SSL *s; break; case SSL3_ST_SW_HELLO_REQ_C: - /* remove buffering on output */ - under=BIO_pop(s->wbio); - if (under != NULL) - s->wbio=under; - else - abort(); /* ok */ - BIO_free(s->bbio); - s->bbio=NULL; - s->state=SSL_ST_OK; ret=1; goto end; @@ -480,20 +471,14 @@ SSL *s; s->init_buf=NULL; /* remove buffering on output */ - under=BIO_pop(s->wbio); - if (under != NULL) - s->wbio=under; - else - abort(); /* ok */ - BIO_free(s->bbio); - s->bbio=NULL; + ssl_free_wbio_buffer(s); s->new_session=0; s->init_num=0; ssl_update_cache(s,SSL_SESS_CACHE_SERVER); - s->ctx->sess_accept_good++; + s->ctx->stats.sess_accept_good++; /* s->server=1; */ s->handshake_func=ssl3_accept; ret=1; @@ -567,8 +552,9 @@ SSL *s; int i,j,ok,al,ret= -1; long n; unsigned long id; - unsigned char *p,*d; + unsigned char *p,*d,*q; SSL_CIPHER *c; + SSL_COMP *comp=NULL; STACK *ciphers=NULL; /* We do this so that we will respond with our native type. @@ -595,6 +581,7 @@ SSL *s; /* The version number has already been checked in ssl3_get_message. * I a native TLSv1/SSLv3 method, the match must be correct except * perhaps for the first message */ +/* s->client_version=(((int)p[0])<<8)|(int)p[1]; */ p+=2; /* load the client random */ @@ -653,9 +640,16 @@ SSL *s; j=0; id=s->session->cipher->id; +#ifdef CIPHER_DEBUG + printf("client sent %d ciphers\n",sk_num(ciphers)); +#endif for (i=0; iid == id) { j=1; @@ -683,8 +677,11 @@ SSL *s; /* compression */ i= *(p++); + q=p; for (j=0; j= i) @@ -695,6 +692,35 @@ SSL *s; goto f_err; } + /* Worst case, we will use the NULL compression, but if we have other + * options, we will now look for them. We have i-1 compression + * algorithms from the client, starting at q. */ + s->s3->tmp.new_compression=NULL; + if (s->ctx->comp_methods != NULL) + { /* See if we have a match */ + int m,nn,o,v,done=0; + + nn=sk_num(s->ctx->comp_methods); + for (m=0; mctx->comp_methods,m); + v=comp->id; + for (o=0; os3->tmp.new_compression=comp; + else + comp=NULL; + } + /* TLS does not mind if there is extra stuff */ if (s->version == SSL3_VERSION) { @@ -708,13 +734,12 @@ SSL *s; } } - /* do nothing with compression */ - /* Given s->session->ciphers and ssl_get_ciphers_by_id(s), we must * pick a cipher */ if (!s->hit) { + s->session->compress_meth=(comp == NULL)?0:comp->id; if (s->session->ciphers != NULL) sk_free(s->session->ciphers); s->session->ciphers=ciphers; @@ -835,7 +860,10 @@ SSL *s; p+=i; /* put the compression method */ - *(p++)=0; + if (s->s3->tmp.new_compression == NULL) + *(p++)=0; + else + *(p++)=s->s3->tmp.new_compression->id; /* do the header */ l=(p-d); @@ -1266,13 +1294,26 @@ SSL *s; #if 1 /* If a bad decrypt, use a random master key */ if ((i != SSL_MAX_MASTER_KEY_LENGTH) || - ((p[0] != (s->version>>8)) || - (p[1] != (s->version & 0xff)))) + ((p[0] != (s->client_version>>8)) || + (p[1] != (s->client_version & 0xff)))) { - p[0]=(s->version>>8); - p[1]=(s->version & 0xff); - RAND_bytes(&(p[2]),SSL_MAX_MASTER_KEY_LENGTH-2); - i=SSL_MAX_MASTER_KEY_LENGTH; + int bad=1; + + if ((i == SSL_MAX_MASTER_KEY_LENGTH) && + (p[0] == (s->version>>8)) && + (p[1] == 0)) + { + if (s->options & SSL_OP_TLS_ROLLBACK_BUG) + bad=0; + } + if (bad) + { + p[0]=(s->version>>8); + p[1]=(s->version & 0xff); + RAND_bytes(&(p[2]),SSL_MAX_MASTER_KEY_LENGTH-2); + i=SSL_MAX_MASTER_KEY_LENGTH; + } + /* else, an SSLeay bug, ssl only server, tls client */ } #else if (i != SSL_MAX_MASTER_KEY_LENGTH) diff --git a/ssl/ssl.err b/ssl/ssl.err index 10ca9c534..84256f905 100644 --- a/ssl/ssl.err +++ b/ssl/ssl.err @@ -65,52 +65,55 @@ #define SSL_F_SSL_BYTES_TO_CIPHER_LIST 161 #define SSL_F_SSL_CERT_NEW 162 #define SSL_F_SSL_CHECK_PRIVATE_KEY 163 -#define SSL_F_SSL_CREATE_CIPHER_LIST 164 -#define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY 165 -#define SSL_F_SSL_CTX_NEW 166 -#define SSL_F_SSL_CTX_SET_SSL_VERSION 167 -#define SSL_F_SSL_CTX_USE_CERTIFICATE 168 -#define SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1 169 -#define SSL_F_SSL_CTX_USE_CERTIFICATE_FILE 170 -#define SSL_F_SSL_CTX_USE_PRIVATEKEY 171 -#define SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1 172 -#define SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE 173 -#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY 174 -#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1 175 -#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE 176 -#define SSL_F_SSL_DO_HANDSHAKE 177 -#define SSL_F_SSL_GET_NEW_SESSION 178 -#define SSL_F_SSL_GET_SERVER_SEND_CERT 179 -#define SSL_F_SSL_GET_SIGN_PKEY 180 -#define SSL_F_SSL_INIT_WBIO_BUFFER 181 -#define SSL_F_SSL_LOAD_CLIENT_CA_FILE 182 -#define SSL_F_SSL_NEW 183 -#define SSL_F_SSL_RSA_PRIVATE_DECRYPT 184 -#define SSL_F_SSL_RSA_PUBLIC_ENCRYPT 185 -#define SSL_F_SSL_SESSION_NEW 186 -#define SSL_F_SSL_SESSION_PRINT_FP 187 -#define SSL_F_SSL_SET_CERT 188 -#define SSL_F_SSL_SET_FD 189 -#define SSL_F_SSL_SET_PKEY 190 -#define SSL_F_SSL_SET_RFD 191 -#define SSL_F_SSL_SET_SESSION 192 -#define SSL_F_SSL_SET_WFD 193 -#define SSL_F_SSL_UNDEFINED_FUNCTION 194 -#define SSL_F_SSL_USE_CERTIFICATE 195 -#define SSL_F_SSL_USE_CERTIFICATE_ASN1 196 -#define SSL_F_SSL_USE_CERTIFICATE_FILE 197 -#define SSL_F_SSL_USE_PRIVATEKEY 198 -#define SSL_F_SSL_USE_PRIVATEKEY_ASN1 199 -#define SSL_F_SSL_USE_PRIVATEKEY_FILE 200 -#define SSL_F_SSL_USE_RSAPRIVATEKEY 201 -#define SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1 202 -#define SSL_F_SSL_USE_RSAPRIVATEKEY_FILE 203 -#define SSL_F_SSL_VERIFY_CERT_CHAIN 204 -#define SSL_F_SSL_WRITE 205 -#define SSL_F_TLS1_CHANGE_CIPHER_STATE 206 -#define SSL_F_TLS1_ENC 207 -#define SSL_F_TLS1_SETUP_KEY_BLOCK 208 -#define SSL_F_WRITE_PENDING 209 +#define SSL_F_SSL_CLEAR 164 +#define SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD 165 +#define SSL_F_SSL_CREATE_CIPHER_LIST 166 +#define SSL_F_SSL_CTX_ADD_COMPRESSION 167 +#define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY 168 +#define SSL_F_SSL_CTX_NEW 169 +#define SSL_F_SSL_CTX_SET_SSL_VERSION 170 +#define SSL_F_SSL_CTX_USE_CERTIFICATE 171 +#define SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1 172 +#define SSL_F_SSL_CTX_USE_CERTIFICATE_FILE 173 +#define SSL_F_SSL_CTX_USE_PRIVATEKEY 174 +#define SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1 175 +#define SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE 176 +#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY 177 +#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1 178 +#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE 179 +#define SSL_F_SSL_DO_HANDSHAKE 180 +#define SSL_F_SSL_GET_NEW_SESSION 181 +#define SSL_F_SSL_GET_SERVER_SEND_CERT 182 +#define SSL_F_SSL_GET_SIGN_PKEY 183 +#define SSL_F_SSL_INIT_WBIO_BUFFER 184 +#define SSL_F_SSL_LOAD_CLIENT_CA_FILE 185 +#define SSL_F_SSL_NEW 186 +#define SSL_F_SSL_RSA_PRIVATE_DECRYPT 187 +#define SSL_F_SSL_RSA_PUBLIC_ENCRYPT 188 +#define SSL_F_SSL_SESSION_NEW 189 +#define SSL_F_SSL_SESSION_PRINT_FP 190 +#define SSL_F_SSL_SET_CERT 191 +#define SSL_F_SSL_SET_FD 192 +#define SSL_F_SSL_SET_PKEY 193 +#define SSL_F_SSL_SET_RFD 194 +#define SSL_F_SSL_SET_SESSION 195 +#define SSL_F_SSL_SET_WFD 196 +#define SSL_F_SSL_UNDEFINED_FUNCTION 197 +#define SSL_F_SSL_USE_CERTIFICATE 198 +#define SSL_F_SSL_USE_CERTIFICATE_ASN1 199 +#define SSL_F_SSL_USE_CERTIFICATE_FILE 200 +#define SSL_F_SSL_USE_PRIVATEKEY 201 +#define SSL_F_SSL_USE_PRIVATEKEY_ASN1 202 +#define SSL_F_SSL_USE_PRIVATEKEY_FILE 203 +#define SSL_F_SSL_USE_RSAPRIVATEKEY 204 +#define SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1 205 +#define SSL_F_SSL_USE_RSAPRIVATEKEY_FILE 206 +#define SSL_F_SSL_VERIFY_CERT_CHAIN 207 +#define SSL_F_SSL_WRITE 208 +#define SSL_F_TLS1_CHANGE_CIPHER_STATE 209 +#define SSL_F_TLS1_ENC 210 +#define SSL_F_TLS1_SETUP_KEY_BLOCK 211 +#define SSL_F_WRITE_PENDING 212 /* Reason codes. */ #define SSL_R_APP_DATA_IN_HANDSHAKE 100 @@ -201,39 +204,41 @@ #define SSL_R_NO_CIPHER_MATCH 185 #define SSL_R_NO_CLIENT_CERT_RECEIVED 186 #define SSL_R_NO_COMPRESSION_SPECIFIED 187 -#define SSL_R_NO_PRIVATEKEY 188 -#define SSL_R_NO_PRIVATE_KEY_ASSIGNED 189 -#define SSL_R_NO_PROTOCOLS_AVAILABLE 190 -#define SSL_R_NO_PUBLICKEY 191 -#define SSL_R_NO_SHARED_CIPHER 192 -#define SSL_R_NO_VERIFY_CALLBACK 193 -#define SSL_R_NULL_SSL_CTX 194 -#define SSL_R_NULL_SSL_METHOD_PASSED 195 -#define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 196 -#define SSL_R_PACKET_LENGTH_TOO_LONG 197 -#define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE 198 -#define SSL_R_PEER_ERROR 199 -#define SSL_R_PEER_ERROR_CERTIFICATE 200 -#define SSL_R_PEER_ERROR_NO_CERTIFICATE 201 -#define SSL_R_PEER_ERROR_NO_CIPHER 202 -#define SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 203 -#define SSL_R_PRE_MAC_LENGTH_TOO_LONG 204 -#define SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS 205 -#define SSL_R_PROTOCOL_IS_SHUTDOWN 206 -#define SSL_R_PUBLIC_KEY_ENCRYPT_ERROR 207 -#define SSL_R_PUBLIC_KEY_IS_NOT_RSA 208 -#define SSL_R_PUBLIC_KEY_NOT_RSA 209 -#define SSL_R_READ_BIO_NOT_SET 210 -#define SSL_R_READ_WRONG_PACKET_TYPE 211 -#define SSL_R_RECORD_LENGTH_MISMATCH 212 -#define SSL_R_RECORD_TOO_LARGE 213 -#define SSL_R_REQUIRED_CIPHER_MISSING 214 -#define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO 215 -#define SSL_R_REUSE_CERT_TYPE_NOT_ZERO 216 -#define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO 217 -#define SSL_R_SHORT_READ 218 -#define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 219 -#define SSL_R_SSL3_SESSION_ID_TOO_SHORT 220 +#define SSL_R_NO_METHOD_SPECIFIED 188 +#define SSL_R_NO_PRIVATEKEY 189 +#define SSL_R_NO_PRIVATE_KEY_ASSIGNED 190 +#define SSL_R_NO_PROTOCOLS_AVAILABLE 191 +#define SSL_R_NO_PUBLICKEY 192 +#define SSL_R_NO_SHARED_CIPHER 193 +#define SSL_R_NO_VERIFY_CALLBACK 194 +#define SSL_R_NULL_SSL_CTX 195 +#define SSL_R_NULL_SSL_METHOD_PASSED 196 +#define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 197 +#define SSL_R_PACKET_LENGTH_TOO_LONG 198 +#define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE 199 +#define SSL_R_PEER_ERROR 200 +#define SSL_R_PEER_ERROR_CERTIFICATE 201 +#define SSL_R_PEER_ERROR_NO_CERTIFICATE 202 +#define SSL_R_PEER_ERROR_NO_CIPHER 203 +#define SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 204 +#define SSL_R_PRE_MAC_LENGTH_TOO_LONG 205 +#define SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS 206 +#define SSL_R_PROTOCOL_IS_SHUTDOWN 207 +#define SSL_R_PUBLIC_KEY_ENCRYPT_ERROR 208 +#define SSL_R_PUBLIC_KEY_IS_NOT_RSA 209 +#define SSL_R_PUBLIC_KEY_NOT_RSA 210 +#define SSL_R_READ_BIO_NOT_SET 211 +#define SSL_R_READ_WRONG_PACKET_TYPE 212 +#define SSL_R_RECORD_LENGTH_MISMATCH 213 +#define SSL_R_RECORD_TOO_LARGE 214 +#define SSL_R_REQUIRED_CIPHER_MISSING 215 +#define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO 216 +#define SSL_R_REUSE_CERT_TYPE_NOT_ZERO 217 +#define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO 218 +#define SSL_R_SHORT_READ 219 +#define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 220 +#define SSL_R_SSL23_DOING_SESSION_ID_REUSE 221 +#define SSL_R_SSL3_SESSION_ID_TOO_SHORT 222 #define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE 1042 #define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC 1020 #define SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED 1045 @@ -243,17 +248,17 @@ #define SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE 1040 #define SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER 1047 #define SSL_R_SSLV3_ALERT_NO_CERTIFICATE 1041 -#define SSL_R_SSLV3_ALERT_PEER_ERROR_CERTIFICATE 221 -#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CERTIFICATE 222 -#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CIPHER 223 -#define SSL_R_SSLV3_ALERT_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 224 +#define SSL_R_SSLV3_ALERT_PEER_ERROR_CERTIFICATE 223 +#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CERTIFICATE 224 +#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CIPHER 225 +#define SSL_R_SSLV3_ALERT_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 226 #define SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE 1010 -#define SSL_R_SSLV3_ALERT_UNKNOWN_REMOTE_ERROR_TYPE 225 +#define SSL_R_SSLV3_ALERT_UNKNOWN_REMOTE_ERROR_TYPE 227 #define SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE 1043 -#define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION 226 -#define SSL_R_SSL_HANDSHAKE_FAILURE 227 -#define SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS 228 -#define SSL_R_SSL_SESSION_ID_IS_DIFFERENT 229 +#define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION 228 +#define SSL_R_SSL_HANDSHAKE_FAILURE 229 +#define SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS 230 +#define SSL_R_SSL_SESSION_ID_IS_DIFFERENT 231 #define SSL_R_TLSV1_ALERT_ACCESS_DENIED 1049 #define SSL_R_TLSV1_ALERT_DECODE_ERROR 1050 #define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED 1021 @@ -266,41 +271,41 @@ #define SSL_R_TLSV1_ALERT_RECORD_OVERFLOW 1022 #define SSL_R_TLSV1_ALERT_UNKNOWN_CA 1048 #define SSL_R_TLSV1_ALERT_USER_CANCLED 1090 -#define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER 230 -#define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 231 -#define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 232 -#define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 233 -#define SSL_R_UNABLE_TO_DECODE_DH_CERTS 234 -#define SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY 235 -#define SSL_R_UNABLE_TO_FIND_DH_PARAMETERS 236 -#define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS 237 -#define SSL_R_UNABLE_TO_FIND_SSL_METHOD 238 -#define SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES 239 -#define SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES 240 -#define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES 241 -#define SSL_R_UNEXPECTED_MESSAGE 242 -#define SSL_R_UNEXPECTED_RECORD 243 -#define SSL_R_UNKNOWN_ALERT_TYPE 244 -#define SSL_R_UNKNOWN_CERTIFICATE_TYPE 245 -#define SSL_R_UNKNOWN_CIPHER_RETURNED 246 -#define SSL_R_UNKNOWN_CIPHER_TYPE 247 -#define SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE 248 -#define SSL_R_UNKNOWN_PKEY_TYPE 249 -#define SSL_R_UNKNOWN_PROTOCOL 250 -#define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE 251 -#define SSL_R_UNKNOWN_SSL_VERSION 252 -#define SSL_R_UNKNOWN_STATE 253 -#define SSL_R_UNSUPPORTED_CIPHER 254 -#define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 255 -#define SSL_R_UNSUPPORTED_PROTOCOL 256 -#define SSL_R_UNSUPPORTED_SSL_VERSION 257 -#define SSL_R_WRITE_BIO_NOT_SET 258 -#define SSL_R_WRONG_CIPHER_RETURNED 259 -#define SSL_R_WRONG_MESSAGE_TYPE 260 -#define SSL_R_WRONG_NUMBER_OF_KEY_BITS 261 -#define SSL_R_WRONG_SIGNATURE_LENGTH 262 -#define SSL_R_WRONG_SIGNATURE_SIZE 263 -#define SSL_R_WRONG_SSL_VERSION 264 -#define SSL_R_WRONG_VERSION_NUMBER 265 -#define SSL_R_X509_LIB 266 -#define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS 267 +#define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER 232 +#define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233 +#define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 234 +#define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 235 +#define SSL_R_UNABLE_TO_DECODE_DH_CERTS 236 +#define SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY 237 +#define SSL_R_UNABLE_TO_FIND_DH_PARAMETERS 238 +#define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS 239 +#define SSL_R_UNABLE_TO_FIND_SSL_METHOD 240 +#define SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES 241 +#define SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES 242 +#define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES 243 +#define SSL_R_UNEXPECTED_MESSAGE 244 +#define SSL_R_UNEXPECTED_RECORD 245 +#define SSL_R_UNKNOWN_ALERT_TYPE 246 +#define SSL_R_UNKNOWN_CERTIFICATE_TYPE 247 +#define SSL_R_UNKNOWN_CIPHER_RETURNED 248 +#define SSL_R_UNKNOWN_CIPHER_TYPE 249 +#define SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE 250 +#define SSL_R_UNKNOWN_PKEY_TYPE 251 +#define SSL_R_UNKNOWN_PROTOCOL 252 +#define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE 253 +#define SSL_R_UNKNOWN_SSL_VERSION 254 +#define SSL_R_UNKNOWN_STATE 255 +#define SSL_R_UNSUPPORTED_CIPHER 256 +#define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 257 +#define SSL_R_UNSUPPORTED_PROTOCOL 258 +#define SSL_R_UNSUPPORTED_SSL_VERSION 259 +#define SSL_R_WRITE_BIO_NOT_SET 260 +#define SSL_R_WRONG_CIPHER_RETURNED 261 +#define SSL_R_WRONG_MESSAGE_TYPE 262 +#define SSL_R_WRONG_NUMBER_OF_KEY_BITS 263 +#define SSL_R_WRONG_SIGNATURE_LENGTH 264 +#define SSL_R_WRONG_SIGNATURE_SIZE 265 +#define SSL_R_WRONG_SSL_VERSION 266 +#define SSL_R_WRONG_VERSION_NUMBER 267 +#define SSL_R_X509_LIB 268 +#define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS 269 diff --git a/ssl/ssl.h b/ssl/ssl.h index 92b7695e6..689122db0 100644 --- a/ssl/ssl.h +++ b/ssl/ssl.h @@ -1,3 +1,15 @@ +#define SSL_CTX_sess_set_new_cb(ctx,cb) ((ctx)->new_session_cb=(cb)) +#define SSL_CTX_sess_get_new_cb(ctx) ((ctx)->new_session_cb) +#define SSL_CTX_sess_set_remove_cb(ctx,cb) ((ctx)->remove_session_cb=(cb)) +#define SSL_CTX_sess_get_remove_cb(ctx) ((ctx)->remove_session_cb) +#define SSL_CTX_sess_set_get_cb(ctx,cb) ((ctx)->get_session_cb=(cb)) +#define SSL_CTX_sess_get_get_cb(ctx) ((ctx)->get_session_cb) +#define SSL_CTX_set_info_callback(ctx,cb) ((ctx)->info_callback=(cb)) +#define SSL_CTX_get_info_callback(ctx) ((ctx)->info_callback) + +#define SSL_CTX_set_client_cert_cb(ctx,cb) ((ctx)->client_cert_cb=(cb)) +#define SSL_CTX_get_client_cert_cb(ctx) ((ctx)->client_cert_cb) + /* ssl/ssl.h */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. @@ -193,6 +205,7 @@ typedef struct ssl_method_st struct ssl_method_st *(*get_ssl_method)(int version); long (*get_timeout)(void); struct ssl3_enc_method *ssl3_enc; /* Extra SSLv3/TLS stuff */ + int (*ssl_version)(); } SSL_METHOD; /* Lets make this into an ASN.1 type structure as follows @@ -238,11 +251,7 @@ typedef struct ssl_session_st long timeout; long time; -#ifdef HEADER_COMP_H - COMP_CTX *compress_meth; -#else - char *compress_meth; -#endif + int compress_meth; /* Need to lookup the method */ SSL_CIPHER *cipher; unsigned long cipher_id; /* when ASN.1 loaded, this @@ -267,6 +276,7 @@ typedef struct ssl_session_st #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x00000080L #define SSL_OP_TLS_D5_BUG 0x00000100L #define SSL_OP_TLS_BLOCK_PADDING_BUG 0x00000200L +#define SSL_OP_TLS_ROLLBACK_BUG 0x00000400L /* If set, only use tmp_dh parameters once */ #define SSL_OP_SINGLE_DH_USE 0x00100000L @@ -282,22 +292,32 @@ typedef struct ssl_session_st #define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0x80000000L #define SSL_OP_ALL 0x000FFFFFL -#define SSL_CTX_set_options(ctx,op) ((ctx)->options|=(op)) -#define SSL_set_options(ssl,op) ((ssl)->options|=(op)) +#define SSL_CTX_set_options(ctx,op) \ + SSL_CTX_ctrl(ctx,SSL_CTRL_OPTIONS,op,NULL) +#define SSL_CTX_get_options(ctx) \ + SSL_CTX_ctrl(ctx,SSL_CTRL_OPTIONS,0,NULL) +#define SSL_set_options(ssl,op) \ + SSL_ctrl(ctx,SSL_CTRL_OPTIONS,0,NULL) +#define SSL_get_options(ssl) \ + SSL_ctrl(ctx,SSL_CTRL_OPTIONS,0,NULL) #define SSL_OP_NO_SSLv2 0x01000000L #define SSL_OP_NO_SSLv3 0x02000000L #define SSL_OP_NO_TLSv1 0x04000000L -/* Normally you will only use these if your application wants to use - * the certificate store in other places, perhaps PKCS7 */ -#define SSL_CTX_get_cert_store(ctx) ((ctx)->cert_store) -#define SSL_CTX_set_cert_store(ctx,cs) \ - (X509_STORE_free((ctx)->cert_store),(ctx)->cert_store=(cs)) - - #define SSL_SESSION_CACHE_MAX_SIZE_DEFAULT (1024*20) +typedef struct ssl_comp_st +{ + int id; + char *name; +#ifdef HEADER_COMP_H + COMP_METHOD *method; +#else + char *method; +#endif +} SSL_COMP; + struct ssl_ctx_st { SSL_METHOD *method; @@ -347,46 +367,50 @@ struct ssl_ctx_st SSL_SESSION *(*get_session_cb)(); #endif - int sess_connect; /* SSL new connection - started */ - int sess_connect_renegotiate;/* SSL renegotiatene - requested */ - int sess_connect_good; /* SSL new connection/renegotiate - finished */ - int sess_accept; /* SSL new accept - started */ - int sess_accept_renegotiate;/* SSL renegotiatene - requested */ - int sess_accept_good; /* SSL accept/renegotiate - finished */ - int sess_miss; /* session lookup misses */ - int sess_timeout; /* session reuse attempt on timeouted session */ - int sess_cache_full; /* session removed due to full cache */ - int sess_hit; /* session reuse actually done */ - int sess_cb_hit; /* session-id that was not in the cache was - * passed back via the callback. This - * indicates that the application is supplying - * session-id's from other processes - - * spooky :-) */ + struct + { + int sess_connect; /* SSL new conn - started */ + int sess_connect_renegotiate;/* SSL reneg - requested */ + int sess_connect_good; /* SSL new conne/reneg - finished */ + int sess_accept; /* SSL new accept - started */ + int sess_accept_renegotiate;/* SSL reneg - requested */ + int sess_accept_good; /* SSL accept/reneg - finished */ + int sess_miss; /* session lookup misses */ + int sess_timeout; /* reuse attempt on timeouted session */ + int sess_cache_full; /* session removed due to full cache */ + int sess_hit; /* session reuse actually done */ + int sess_cb_hit; /* session-id that was not + * in the cache was + * passed back via the callback. This + * indicates that the application is + * supplying session-id's from other + * processes - spooky :-) */ + } stats; int references; - void (*info_callback)(); +/**/ void (*info_callback)(); /* if defined, these override the X509_verify_cert() calls */ - int (*app_verify_callback)(); - char *app_verify_arg; +/**/ int (*app_verify_callback)(); +/**/ char *app_verify_arg; /* default values to use in SSL structures */ - struct cert_st /* CERT */ *default_cert; - int default_read_ahead; - int default_verify_mode; - int (*default_verify_callback)(); +/**/ struct cert_st /* CERT */ *default_cert; +/**/ int read_ahead; +/**/ int verify_mode; +/**/ int (*default_verify_callback)(); /* Default password callback. */ - int (*default_passwd_callback)(); +/**/ int (*default_passwd_callback)(); /* get client cert callback */ - int (*client_cert_cb)(/* SSL *ssl, X509 **x509, EVP_PKEY **pkey */); +/**/ int (*client_cert_cb)(/* SSL *ssl, X509 **x509, EVP_PKEY **pkey */); /* what we put in client requests */ STACK *client_CA; - int quiet_shutdown; +/**/ int quiet_shutdown; CRYPTO_EX_DATA ex_data; @@ -395,6 +419,7 @@ struct ssl_ctx_st EVP_MD *sha1; /* For SSLv3/TLSv1 'ssl3->sha1' */ STACK *extra_certs; + STACK *comp_methods; /* stack of SSL_COMP, SSLv3/TLSv1 */ }; #define SSL_SESS_CACHE_OFF 0x0000 @@ -407,41 +432,30 @@ struct ssl_ctx_st * defined, this will still get called. */ #define SSL_SESS_CACHE_NO_INTERNAL_LOOKUP 0x0100 -#define SSL_CTX_sessions(ctx) ((ctx)->sessions) -/* You will need to include lhash.h to access the following #define */ -#define SSL_CTX_sess_number(ctx) ((ctx)->sessions->num_items) -#define SSL_CTX_sess_connect(ctx) ((ctx)->sess_connect) -#define SSL_CTX_sess_connect_good(ctx) ((ctx)->sess_connect_good) -#define SSL_CTX_sess_accept(ctx) ((ctx)->sess_accept) -#define SSL_CTX_sess_accept_renegotiate(ctx) ((ctx)->sess_accept_renegotiate) -#define SSL_CTX_sess_connect_renegotiate(ctx) ((ctx)->sess_connect_renegotiate) -#define SSL_CTX_sess_accept_good(ctx) ((ctx)->sess_accept_good) -#define SSL_CTX_sess_hits(ctx) ((ctx)->sess_hit) -#define SSL_CTX_sess_cb_hits(ctx) ((ctx)->sess_cb_hit) -#define SSL_CTX_sess_misses(ctx) ((ctx)->sess_miss) -#define SSL_CTX_sess_timeouts(ctx) ((ctx)->sess_timeout) -#define SSL_CTX_sess_cache_full(ctx) ((ctx)->sess_cache_full) - -#define SSL_CTX_sess_set_cache_size(ctx,t) ((ctx)->session_cache_size=(t)) -#define SSL_CTX_sess_get_cache_size(ctx) ((ctx)->session_cache_size) - -#define SSL_CTX_sess_set_new_cb(ctx,cb) ((ctx)->new_session_cb=(cb)) -#define SSL_CTX_sess_get_new_cb(ctx) ((ctx)->new_session_cb) -#define SSL_CTX_sess_set_remove_cb(ctx,cb) ((ctx)->remove_session_cb=(cb)) -#define SSL_CTX_sess_get_remove_cb(ctx) ((ctx)->remove_session_cb) -#define SSL_CTX_sess_set_get_cb(ctx,cb) ((ctx)->get_session_cb=(cb)) -#define SSL_CTX_sess_get_get_cb(ctx) ((ctx)->get_session_cb) -#define SSL_CTX_set_session_cache_mode(ctx,m) ((ctx)->session_cache_mode=(m)) -#define SSL_CTX_get_session_cache_mode(ctx) ((ctx)->session_cache_mode) -#define SSL_CTX_set_timeout(ctx,t) ((ctx)->session_timeout=(t)) -#define SSL_CTX_get_timeout(ctx) ((ctx)->session_timeout) - -#define SSL_CTX_set_info_callback(ctx,cb) ((ctx)->info_callback=(cb)) -#define SSL_CTX_get_info_callback(ctx) ((ctx)->info_callback) -#define SSL_CTX_set_default_read_ahead(ctx,m) (((ctx)->default_read_ahead)=(m)) - -#define SSL_CTX_set_client_cert_cb(ctx,cb) ((ctx)->client_cert_cb=(cb)) -#define SSL_CTX_get_client_cert_cb(ctx) ((ctx)->client_cert_cb) +#define SSL_CTX_sess_number(ctx) \ + SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_NUMBER,0,NULL) +#define SSL_CTX_sess_connect(ctx) \ + SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT,0,NULL) +#define SSL_CTX_sess_connect_good(ctx) \ + SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT_GOOD,0,NULL) +#define SSL_CTX_sess_connect_renegotiate(ctx) \ + SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT_RENEGOTIATE,0,NULL) +#define SSL_CTX_sess_accept(ctx) \ + SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT,0,NULL) +#define SSL_CTX_sess_accept_renegotiate(ctx) \ + SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT_RENEGOTIATE,0,NULL) +#define SSL_CTX_sess_accept_good(ctx) \ + SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT_GOOD,0,NULL) +#define SSL_CTX_sess_hits(ctx) \ + SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_HIT,0,NULL) +#define SSL_CTX_sess_cb_hits(ctx) \ + SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CB_HIT,0,NULL) +#define SSL_CTX_sess_misses(ctx) \ + SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_MISSES,0,NULL) +#define SSL_CTX_sess_timeouts(ctx) \ + SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_TIMEOUTS,0,NULL) +#define SSL_CTX_sess_cache_full(ctx) \ + SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CACHE_FULL,0,NULL) #define SSL_NOTHING 1 #define SSL_WRITING 2 @@ -449,11 +463,10 @@ struct ssl_ctx_st #define SSL_X509_LOOKUP 4 /* These will only be used when doing non-blocking IO */ -#define SSL_want(s) ((s)->rwstate) -#define SSL_want_nothing(s) ((s)->rwstate == SSL_NOTHING) -#define SSL_want_read(s) ((s)->rwstate == SSL_READING) -#define SSL_want_write(s) ((s)->rwstate == SSL_WRITING) -#define SSL_want_x509_lookup(s) ((s)->rwstate == SSL_X509_LOOKUP) +#define SSL_want_nothing(s) (SSL_want(s) == SSL_NOTHING) +#define SSL_want_read(s) (SSL_want(s) == SSL_READING) +#define SSL_want_write(s) (SSL_want(s) == SSL_WRITING) +#define SSL_want_x509_lookup(s) (SSL_want(s) == SSL_X509_LOOKUP) struct ssl_st { @@ -490,7 +503,7 @@ struct ssl_st int in_handshake; int (*handshake_func)(); -/* int server;*/ /* are we the server side? */ + int server; /* are we the server side? - mostly used by SSL_clear*/ int new_session;/* 1 if we are to use a new session */ int quiet_shutdown;/* don't send shutdown packets */ @@ -569,6 +582,8 @@ struct ssl_st int references; unsigned long options; int first_packet; + int client_version; /* what was passed, used for + * SSLv3/TLS rolback check */ }; #include "ssl2.h" @@ -634,6 +649,8 @@ struct ssl_st #define SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02 #define SSL_VERIFY_CLIENT_ONCE 0x04 +#define SSLeay_add_ssl_algorithms() SSL_library_init() + /* this is for backward compatablility */ #if 0 /* NEW_SSLEAY */ #define SSL_CTX_set_default_verify(a,b,c) SSL_CTX_set_verify(a,b,c) @@ -726,8 +743,29 @@ struct ssl_st #define SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS 9 #define SSL_CTRL_GET_TOTAL_RENEGOTIATIONS 10 #define SSL_CTRL_GET_FLAGS 11 +#define SSL_CTRL_EXTRA_CHAIN_CERT 12 -#define SSL_CTRL_EXTRA_CHAIN_CERT 11 +/* Stats */ +#define SSL_CTRL_SESS_NUMBER 20 +#define SSL_CTRL_SESS_CONNECT 21 +#define SSL_CTRL_SESS_CONNECT_GOOD 22 +#define SSL_CTRL_SESS_CONNECT_RENEGOTIATE 23 +#define SSL_CTRL_SESS_ACCEPT 24 +#define SSL_CTRL_SESS_ACCEPT_GOOD 25 +#define SSL_CTRL_SESS_ACCEPT_RENEGOTIATE 26 +#define SSL_CTRL_SESS_HIT 27 +#define SSL_CTRL_SESS_CB_HIT 28 +#define SSL_CTRL_SESS_MISSES 29 +#define SSL_CTRL_SESS_TIMEOUTS 30 +#define SSL_CTRL_SESS_CACHE_FULL 31 +#define SSL_CTRL_OPTIONS 32 + +#define SSL_CTRL_GET_READ_AHEAD 40 +#define SSL_CTRL_SET_READ_AHEAD 41 +#define SSL_CTRL_SET_SESS_CACHE_SIZE 42 +#define SSL_CTRL_GET_SESS_CACHE_SIZE 43 +#define SSL_CTRL_SET_SESS_CACHE_MODE 44 +#define SSL_CTRL_GET_SESS_CACHE_MODE 45 #define SSL_session_reused(ssl) \ SSL_ctrl((ssl),SSL_CTRL_GET_SESSION_REUSED,0,NULL) @@ -763,7 +801,13 @@ void BIO_ssl_shutdown(BIO *ssl_bio); int SSL_CTX_set_cipher_list(SSL_CTX *,char *str); SSL_CTX *SSL_CTX_new(SSL_METHOD *meth); void SSL_CTX_free(SSL_CTX *); -void SSL_clear(SSL *s); +long SSL_CTX_set_timeout(SSL_CTX *ctx,long t); +long SSL_CTX_get_timeout(SSL_CTX *ctx); +X509_STORE *SSL_CTX_get_cert_store(SSL_CTX *); +void SSL_CTX_set_cert_store(SSL_CTX *,X509_STORE *); +int SSL_want(SSL *s); +int SSL_clear(SSL *s); + void SSL_CTX_flush_sessions(SSL_CTX *ctx,long tm); SSL_CIPHER *SSL_get_current_cipher(SSL *s); @@ -796,7 +840,7 @@ int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len); int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey); int SSL_use_PrivateKey_ASN1(int pk,SSL *ssl, unsigned char *d, long len); int SSL_use_certificate(SSL *ssl, X509 *x); -int SSL_use_certificate_ASN1(SSL *ssl, int len, unsigned char *d); +int SSL_use_certificate_ASN1(SSL *ssl, unsigned char *d, int len); #ifndef NO_STDIO int SSL_use_RSAPrivateKey_file(SSL *ssl, char *file, int type); @@ -860,7 +904,6 @@ int SSL_CTX_check_private_key(SSL_CTX *ctx); int SSL_check_private_key(SSL *ctx); SSL * SSL_new(SSL_CTX *ctx); -void SSL_clear(SSL *s); void SSL_free(SSL *ssl); int SSL_accept(SSL *ssl); int SSL_connect(SSL *ssl); @@ -917,7 +960,7 @@ void SSL_set_accept_state(SSL *s); long SSL_get_default_timeout(SSL *s); -void SSLeay_add_ssl_algorithms(void ); +int SSL_library_init(void ); char *SSL_CIPHER_description(SSL_CIPHER *,char *buf,int size); STACK *SSL_dup_CA_list(STACK *sk); @@ -962,6 +1005,22 @@ int SSL_CTX_get_ex_new_index(long argl, char *argp, int (*new_func)(), int SSL_get_ex_data_X509_STORE_CTX_idx(void ); +#define SSL_CTX_sess_set_cache_size(ctx,t) \ + SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SESS_CACHE_SIZE,t,NULL) +#define SSL_CTX_sess_get_cache_size(ctx) \ + SSL_CTX_ctrl(ctx,SSL_CTRL_GET_SESS_CACHE_SIZE,0,NULL) +#define SSL_CTX_set_session_cache_mode(ctx,m) \ + SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SESS_CACHE_MODE,m,NULL) +#define SSL_CTX_get_session_cache_mode(ctx) \ + SSL_CTX_ctrl(ctx,SSL_CTRL_GET_SESS_CACHE_MODE,0,NULL) + +#define SSL_CTX_get_default_read_ahead(ctx) SSL_CTX_get_read_ahead(ctx) +#define SSL_CTX_set_default_read_ahead(ctx,m) SSL_CTX_set_read_ahead(ctx,m) +#define SSL_CTX_get_read_ahead(ctx) \ + SSL_CTX_ctrl(ctx,SSL_CTRL_GET_READ_AHEAD,0,NULL) +#define SSL_CTX_set_read_ahead(ctx,m) \ + SSL_CTX_ctrl(ctx,SSL_CTRL_SET_READ_AHEAD,0,NULL) + /* For the next 2, the callbacks are * RSA *tmp_rsa_cb(SSL *ssl,int export) * DH *tmp_dh_cb(SSL *ssl,int export) @@ -970,6 +1029,12 @@ void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx, RSA *(*cb)(SSL *ssl,int export)); void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,DH *(*dh)(SSL *ssl,int export)); +#ifdef HEADER_COMP_H +int SSL_COMP_add_compression_method(int id,COMP_METHOD *cm); +#else +int SSL_COMP_add_compression_method(int id,char *cm); +#endif + #else BIO_METHOD *BIO_f_ssl(); @@ -979,6 +1044,12 @@ BIO *BIO_new_buffer_ssl_connect(); int BIO_ssl_copy_session_id(); void BIO_ssl_shutdown(); +long SSL_CTX_set_timeout(); +long SSL_CTX_get_timeout(); +X509_STORE *SSL_CTX_get_cert_store(); +void SSL_CTX_set_cert_store(); +int SSL_want(); + int SSL_CTX_set_cipher_list(); SSL_CTX *SSL_CTX_new(); void SSL_CTX_free(); @@ -1134,7 +1205,7 @@ void SSL_set_accept_state(); long SSL_get_default_timeout(); -void SSLeay_add_ssl_algorithms(); +int SSL_library_init(); char *SSL_CIPHER_description(); STACK *SSL_dup_CA_list(); @@ -1178,6 +1249,7 @@ char *SSL_CTX_get_ex_data(); int SSL_CTX_get_ex_new_index(); int SSL_get_ex_data_X509_STORE_CTX_idx(); +int SSL_COMP_add_compression_method(); /* For the next 2, the callbacks are * RSA *tmp_rsa_cb(SSL *ssl,int export) @@ -1258,52 +1330,55 @@ void SSL_CTX_set_tmp_dh_callback(); #define SSL_F_SSL_BYTES_TO_CIPHER_LIST 161 #define SSL_F_SSL_CERT_NEW 162 #define SSL_F_SSL_CHECK_PRIVATE_KEY 163 -#define SSL_F_SSL_CREATE_CIPHER_LIST 164 -#define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY 165 -#define SSL_F_SSL_CTX_NEW 166 -#define SSL_F_SSL_CTX_SET_SSL_VERSION 167 -#define SSL_F_SSL_CTX_USE_CERTIFICATE 168 -#define SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1 169 -#define SSL_F_SSL_CTX_USE_CERTIFICATE_FILE 170 -#define SSL_F_SSL_CTX_USE_PRIVATEKEY 171 -#define SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1 172 -#define SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE 173 -#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY 174 -#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1 175 -#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE 176 -#define SSL_F_SSL_DO_HANDSHAKE 177 -#define SSL_F_SSL_GET_NEW_SESSION 178 -#define SSL_F_SSL_GET_SERVER_SEND_CERT 179 -#define SSL_F_SSL_GET_SIGN_PKEY 180 -#define SSL_F_SSL_INIT_WBIO_BUFFER 181 -#define SSL_F_SSL_LOAD_CLIENT_CA_FILE 182 -#define SSL_F_SSL_NEW 183 -#define SSL_F_SSL_RSA_PRIVATE_DECRYPT 184 -#define SSL_F_SSL_RSA_PUBLIC_ENCRYPT 185 -#define SSL_F_SSL_SESSION_NEW 186 -#define SSL_F_SSL_SESSION_PRINT_FP 187 -#define SSL_F_SSL_SET_CERT 188 -#define SSL_F_SSL_SET_FD 189 -#define SSL_F_SSL_SET_PKEY 190 -#define SSL_F_SSL_SET_RFD 191 -#define SSL_F_SSL_SET_SESSION 192 -#define SSL_F_SSL_SET_WFD 193 -#define SSL_F_SSL_UNDEFINED_FUNCTION 194 -#define SSL_F_SSL_USE_CERTIFICATE 195 -#define SSL_F_SSL_USE_CERTIFICATE_ASN1 196 -#define SSL_F_SSL_USE_CERTIFICATE_FILE 197 -#define SSL_F_SSL_USE_PRIVATEKEY 198 -#define SSL_F_SSL_USE_PRIVATEKEY_ASN1 199 -#define SSL_F_SSL_USE_PRIVATEKEY_FILE 200 -#define SSL_F_SSL_USE_RSAPRIVATEKEY 201 -#define SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1 202 -#define SSL_F_SSL_USE_RSAPRIVATEKEY_FILE 203 -#define SSL_F_SSL_VERIFY_CERT_CHAIN 204 -#define SSL_F_SSL_WRITE 205 -#define SSL_F_TLS1_CHANGE_CIPHER_STATE 206 -#define SSL_F_TLS1_ENC 207 -#define SSL_F_TLS1_SETUP_KEY_BLOCK 208 -#define SSL_F_WRITE_PENDING 209 +#define SSL_F_SSL_CLEAR 164 +#define SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD 165 +#define SSL_F_SSL_CREATE_CIPHER_LIST 166 +#define SSL_F_SSL_CTX_ADD_COMPRESSION 167 +#define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY 168 +#define SSL_F_SSL_CTX_NEW 169 +#define SSL_F_SSL_CTX_SET_SSL_VERSION 170 +#define SSL_F_SSL_CTX_USE_CERTIFICATE 171 +#define SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1 172 +#define SSL_F_SSL_CTX_USE_CERTIFICATE_FILE 173 +#define SSL_F_SSL_CTX_USE_PRIVATEKEY 174 +#define SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1 175 +#define SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE 176 +#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY 177 +#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1 178 +#define SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE 179 +#define SSL_F_SSL_DO_HANDSHAKE 180 +#define SSL_F_SSL_GET_NEW_SESSION 181 +#define SSL_F_SSL_GET_SERVER_SEND_CERT 182 +#define SSL_F_SSL_GET_SIGN_PKEY 183 +#define SSL_F_SSL_INIT_WBIO_BUFFER 184 +#define SSL_F_SSL_LOAD_CLIENT_CA_FILE 185 +#define SSL_F_SSL_NEW 186 +#define SSL_F_SSL_RSA_PRIVATE_DECRYPT 187 +#define SSL_F_SSL_RSA_PUBLIC_ENCRYPT 188 +#define SSL_F_SSL_SESSION_NEW 189 +#define SSL_F_SSL_SESSION_PRINT_FP 190 +#define SSL_F_SSL_SET_CERT 191 +#define SSL_F_SSL_SET_FD 192 +#define SSL_F_SSL_SET_PKEY 193 +#define SSL_F_SSL_SET_RFD 194 +#define SSL_F_SSL_SET_SESSION 195 +#define SSL_F_SSL_SET_WFD 196 +#define SSL_F_SSL_UNDEFINED_FUNCTION 197 +#define SSL_F_SSL_USE_CERTIFICATE 198 +#define SSL_F_SSL_USE_CERTIFICATE_ASN1 199 +#define SSL_F_SSL_USE_CERTIFICATE_FILE 200 +#define SSL_F_SSL_USE_PRIVATEKEY 201 +#define SSL_F_SSL_USE_PRIVATEKEY_ASN1 202 +#define SSL_F_SSL_USE_PRIVATEKEY_FILE 203 +#define SSL_F_SSL_USE_RSAPRIVATEKEY 204 +#define SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1 205 +#define SSL_F_SSL_USE_RSAPRIVATEKEY_FILE 206 +#define SSL_F_SSL_VERIFY_CERT_CHAIN 207 +#define SSL_F_SSL_WRITE 208 +#define SSL_F_TLS1_CHANGE_CIPHER_STATE 209 +#define SSL_F_TLS1_ENC 210 +#define SSL_F_TLS1_SETUP_KEY_BLOCK 211 +#define SSL_F_WRITE_PENDING 212 /* Reason codes. */ #define SSL_R_APP_DATA_IN_HANDSHAKE 100 @@ -1394,39 +1469,41 @@ void SSL_CTX_set_tmp_dh_callback(); #define SSL_R_NO_CIPHER_MATCH 185 #define SSL_R_NO_CLIENT_CERT_RECEIVED 186 #define SSL_R_NO_COMPRESSION_SPECIFIED 187 -#define SSL_R_NO_PRIVATEKEY 188 -#define SSL_R_NO_PRIVATE_KEY_ASSIGNED 189 -#define SSL_R_NO_PROTOCOLS_AVAILABLE 190 -#define SSL_R_NO_PUBLICKEY 191 -#define SSL_R_NO_SHARED_CIPHER 192 -#define SSL_R_NO_VERIFY_CALLBACK 193 -#define SSL_R_NULL_SSL_CTX 194 -#define SSL_R_NULL_SSL_METHOD_PASSED 195 -#define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 196 -#define SSL_R_PACKET_LENGTH_TOO_LONG 197 -#define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE 198 -#define SSL_R_PEER_ERROR 199 -#define SSL_R_PEER_ERROR_CERTIFICATE 200 -#define SSL_R_PEER_ERROR_NO_CERTIFICATE 201 -#define SSL_R_PEER_ERROR_NO_CIPHER 202 -#define SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 203 -#define SSL_R_PRE_MAC_LENGTH_TOO_LONG 204 -#define SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS 205 -#define SSL_R_PROTOCOL_IS_SHUTDOWN 206 -#define SSL_R_PUBLIC_KEY_ENCRYPT_ERROR 207 -#define SSL_R_PUBLIC_KEY_IS_NOT_RSA 208 -#define SSL_R_PUBLIC_KEY_NOT_RSA 209 -#define SSL_R_READ_BIO_NOT_SET 210 -#define SSL_R_READ_WRONG_PACKET_TYPE 211 -#define SSL_R_RECORD_LENGTH_MISMATCH 212 -#define SSL_R_RECORD_TOO_LARGE 213 -#define SSL_R_REQUIRED_CIPHER_MISSING 214 -#define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO 215 -#define SSL_R_REUSE_CERT_TYPE_NOT_ZERO 216 -#define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO 217 -#define SSL_R_SHORT_READ 218 -#define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 219 -#define SSL_R_SSL3_SESSION_ID_TOO_SHORT 220 +#define SSL_R_NO_METHOD_SPECIFIED 188 +#define SSL_R_NO_PRIVATEKEY 189 +#define SSL_R_NO_PRIVATE_KEY_ASSIGNED 190 +#define SSL_R_NO_PROTOCOLS_AVAILABLE 191 +#define SSL_R_NO_PUBLICKEY 192 +#define SSL_R_NO_SHARED_CIPHER 193 +#define SSL_R_NO_VERIFY_CALLBACK 194 +#define SSL_R_NULL_SSL_CTX 195 +#define SSL_R_NULL_SSL_METHOD_PASSED 196 +#define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 197 +#define SSL_R_PACKET_LENGTH_TOO_LONG 198 +#define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE 199 +#define SSL_R_PEER_ERROR 200 +#define SSL_R_PEER_ERROR_CERTIFICATE 201 +#define SSL_R_PEER_ERROR_NO_CERTIFICATE 202 +#define SSL_R_PEER_ERROR_NO_CIPHER 203 +#define SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 204 +#define SSL_R_PRE_MAC_LENGTH_TOO_LONG 205 +#define SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS 206 +#define SSL_R_PROTOCOL_IS_SHUTDOWN 207 +#define SSL_R_PUBLIC_KEY_ENCRYPT_ERROR 208 +#define SSL_R_PUBLIC_KEY_IS_NOT_RSA 209 +#define SSL_R_PUBLIC_KEY_NOT_RSA 210 +#define SSL_R_READ_BIO_NOT_SET 211 +#define SSL_R_READ_WRONG_PACKET_TYPE 212 +#define SSL_R_RECORD_LENGTH_MISMATCH 213 +#define SSL_R_RECORD_TOO_LARGE 214 +#define SSL_R_REQUIRED_CIPHER_MISSING 215 +#define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO 216 +#define SSL_R_REUSE_CERT_TYPE_NOT_ZERO 217 +#define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO 218 +#define SSL_R_SHORT_READ 219 +#define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 220 +#define SSL_R_SSL23_DOING_SESSION_ID_REUSE 221 +#define SSL_R_SSL3_SESSION_ID_TOO_SHORT 222 #define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE 1042 #define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC 1020 #define SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED 1045 @@ -1436,17 +1513,17 @@ void SSL_CTX_set_tmp_dh_callback(); #define SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE 1040 #define SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER 1047 #define SSL_R_SSLV3_ALERT_NO_CERTIFICATE 1041 -#define SSL_R_SSLV3_ALERT_PEER_ERROR_CERTIFICATE 221 -#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CERTIFICATE 222 -#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CIPHER 223 -#define SSL_R_SSLV3_ALERT_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 224 +#define SSL_R_SSLV3_ALERT_PEER_ERROR_CERTIFICATE 223 +#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CERTIFICATE 224 +#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CIPHER 225 +#define SSL_R_SSLV3_ALERT_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 226 #define SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE 1010 -#define SSL_R_SSLV3_ALERT_UNKNOWN_REMOTE_ERROR_TYPE 225 +#define SSL_R_SSLV3_ALERT_UNKNOWN_REMOTE_ERROR_TYPE 227 #define SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE 1043 -#define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION 226 -#define SSL_R_SSL_HANDSHAKE_FAILURE 227 -#define SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS 228 -#define SSL_R_SSL_SESSION_ID_IS_DIFFERENT 229 +#define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION 228 +#define SSL_R_SSL_HANDSHAKE_FAILURE 229 +#define SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS 230 +#define SSL_R_SSL_SESSION_ID_IS_DIFFERENT 231 #define SSL_R_TLSV1_ALERT_ACCESS_DENIED 1049 #define SSL_R_TLSV1_ALERT_DECODE_ERROR 1050 #define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED 1021 @@ -1459,44 +1536,44 @@ void SSL_CTX_set_tmp_dh_callback(); #define SSL_R_TLSV1_ALERT_RECORD_OVERFLOW 1022 #define SSL_R_TLSV1_ALERT_UNKNOWN_CA 1048 #define SSL_R_TLSV1_ALERT_USER_CANCLED 1090 -#define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER 230 -#define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 231 -#define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 232 -#define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 233 -#define SSL_R_UNABLE_TO_DECODE_DH_CERTS 234 -#define SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY 235 -#define SSL_R_UNABLE_TO_FIND_DH_PARAMETERS 236 -#define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS 237 -#define SSL_R_UNABLE_TO_FIND_SSL_METHOD 238 -#define SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES 239 -#define SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES 240 -#define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES 241 -#define SSL_R_UNEXPECTED_MESSAGE 242 -#define SSL_R_UNEXPECTED_RECORD 243 -#define SSL_R_UNKNOWN_ALERT_TYPE 244 -#define SSL_R_UNKNOWN_CERTIFICATE_TYPE 245 -#define SSL_R_UNKNOWN_CIPHER_RETURNED 246 -#define SSL_R_UNKNOWN_CIPHER_TYPE 247 -#define SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE 248 -#define SSL_R_UNKNOWN_PKEY_TYPE 249 -#define SSL_R_UNKNOWN_PROTOCOL 250 -#define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE 251 -#define SSL_R_UNKNOWN_SSL_VERSION 252 -#define SSL_R_UNKNOWN_STATE 253 -#define SSL_R_UNSUPPORTED_CIPHER 254 -#define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 255 -#define SSL_R_UNSUPPORTED_PROTOCOL 256 -#define SSL_R_UNSUPPORTED_SSL_VERSION 257 -#define SSL_R_WRITE_BIO_NOT_SET 258 -#define SSL_R_WRONG_CIPHER_RETURNED 259 -#define SSL_R_WRONG_MESSAGE_TYPE 260 -#define SSL_R_WRONG_NUMBER_OF_KEY_BITS 261 -#define SSL_R_WRONG_SIGNATURE_LENGTH 262 -#define SSL_R_WRONG_SIGNATURE_SIZE 263 -#define SSL_R_WRONG_SSL_VERSION 264 -#define SSL_R_WRONG_VERSION_NUMBER 265 -#define SSL_R_X509_LIB 266 -#define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS 267 +#define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER 232 +#define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233 +#define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 234 +#define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 235 +#define SSL_R_UNABLE_TO_DECODE_DH_CERTS 236 +#define SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY 237 +#define SSL_R_UNABLE_TO_FIND_DH_PARAMETERS 238 +#define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS 239 +#define SSL_R_UNABLE_TO_FIND_SSL_METHOD 240 +#define SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES 241 +#define SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES 242 +#define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES 243 +#define SSL_R_UNEXPECTED_MESSAGE 244 +#define SSL_R_UNEXPECTED_RECORD 245 +#define SSL_R_UNKNOWN_ALERT_TYPE 246 +#define SSL_R_UNKNOWN_CERTIFICATE_TYPE 247 +#define SSL_R_UNKNOWN_CIPHER_RETURNED 248 +#define SSL_R_UNKNOWN_CIPHER_TYPE 249 +#define SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE 250 +#define SSL_R_UNKNOWN_PKEY_TYPE 251 +#define SSL_R_UNKNOWN_PROTOCOL 252 +#define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE 253 +#define SSL_R_UNKNOWN_SSL_VERSION 254 +#define SSL_R_UNKNOWN_STATE 255 +#define SSL_R_UNSUPPORTED_CIPHER 256 +#define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 257 +#define SSL_R_UNSUPPORTED_PROTOCOL 258 +#define SSL_R_UNSUPPORTED_SSL_VERSION 259 +#define SSL_R_WRITE_BIO_NOT_SET 260 +#define SSL_R_WRONG_CIPHER_RETURNED 261 +#define SSL_R_WRONG_MESSAGE_TYPE 262 +#define SSL_R_WRONG_NUMBER_OF_KEY_BITS 263 +#define SSL_R_WRONG_SIGNATURE_LENGTH 264 +#define SSL_R_WRONG_SIGNATURE_SIZE 265 +#define SSL_R_WRONG_SSL_VERSION 266 +#define SSL_R_WRONG_VERSION_NUMBER 267 +#define SSL_R_X509_LIB 268 +#define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS 269 #ifdef __cplusplus } diff --git a/ssl/ssl3.h b/ssl/ssl3.h index 7c5c94d7c..cf8238c1e 100644 --- a/ssl/ssl3.h +++ b/ssl/ssl3.h @@ -341,12 +341,13 @@ typedef struct ssl3_ctx_st EVP_CIPHER *new_sym_enc; EVP_MD *new_hash; #ifdef HEADER_COMP_H - COMP_METHOD *new_compression; + SSL_COMP *new_compression; #else char *new_compression; #endif int cert_request; } tmp; + } SSL3_CTX; /* SSLv3 */ diff --git a/ssl/ssl_algs.c b/ssl/ssl_algs.c index 92ec322da..31809582b 100644 --- a/ssl/ssl_algs.c +++ b/ssl/ssl_algs.c @@ -61,7 +61,7 @@ #include "lhash.h" #include "ssl_locl.h" -void SSLeay_add_ssl_algorithms() +int SSL_library_init() { #ifndef NO_DES EVP_add_cipher(EVP_des_cbc()); @@ -98,5 +98,6 @@ void SSLeay_add_ssl_algorithms() EVP_add_digest(EVP_sha()); EVP_add_digest(EVP_dss()); #endif + return(1); } diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index 87e384f8f..30501cb70 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -58,6 +58,7 @@ #include #include "objects.h" +#include "comp.h" #include "ssl_locl.h" #define SSL_ENC_DES_IDX 0 @@ -73,6 +74,8 @@ static EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX]={ NULL,NULL,NULL,NULL,NULL,NULL, }; +static STACK /* SSL_COMP */ *ssl_comp_methods=NULL; + #define SSL_MD_MD5_IDX 0 #define SSL_MD_SHA1_IDX 1 #define SSL_MD_NUM_IDX 2 @@ -180,14 +183,41 @@ static void load_ciphers() EVP_get_digestbyname(SN_sha1); } -int ssl_cipher_get_evp(c,enc,md) -SSL_CIPHER *c; +int ssl_cipher_get_evp(s,enc,md,comp) +SSL_SESSION *s; EVP_CIPHER **enc; EVP_MD **md; +SSL_COMP **comp; { int i; + SSL_CIPHER *c; + c=s->cipher; if (c == NULL) return(0); + if (comp != NULL) + { + SSL_COMP ctmp; + + if (s->compress_meth == 0) + *comp=NULL; + else if (ssl_comp_methods == NULL) + { + /* bad */ + *comp=NULL; + } + else + { + + ctmp.id=s->compress_meth; + i=sk_find(ssl_comp_methods,(char *)&ctmp); + if (i >= 0) + *comp=(SSL_COMP *)sk_value(ssl_comp_methods,i); + else + *comp=NULL; + } + } + + if ((enc == NULL) || (md == NULL)) return(0); switch (c->algorithms & SSL_ENC_MASK) { @@ -730,10 +760,12 @@ int *alg_bits; int ret=0,a=0; EVP_CIPHER *enc; EVP_MD *md; + SSL_SESSION ss; if (c != NULL) { - if (!ssl_cipher_get_evp(c,&enc,&md)) + ss.cipher=c; + if (!ssl_cipher_get_evp(&ss,&enc,&md,NULL)) return(0); a=EVP_CIPHER_key_length(enc)*8; @@ -756,3 +788,55 @@ int *alg_bits; return(ret); } +SSL_COMP *ssl3_comp_find(sk,n) +STACK *sk; +int n; + { + SSL_COMP *ctmp; + int i,nn; + + if ((n == 0) || (sk == NULL)) return(NULL); + nn=sk_num(sk); + for (i=0; iid == n) + return(ctmp); + } + return(NULL); + } + +static int sk_comp_cmp(a,b) +SSL_COMP **a,**b; + { + return((*a)->id-(*b)->id); + } + +STACK *SSL_COMP_get_compression_methods() + { + return(ssl_comp_methods); + } + +int SSL_COMP_add_compression_method(id,cm) +int id; +COMP_METHOD *cm; + { + SSL_COMP *comp; + STACK *sk; + + comp=(SSL_COMP *)Malloc(sizeof(SSL_COMP)); + comp->id=id; + comp->method=cm; + if (ssl_comp_methods == NULL) + sk=ssl_comp_methods=sk_new(sk_comp_cmp); + else + sk=ssl_comp_methods; + if ((sk == NULL) || !sk_push(sk,(char *)comp)) + { + SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,ERR_R_MALLOC_FAILURE); + return(0); + } + else + return(1); + } + diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c index 847f0f3f8..5f3d94d49 100644 --- a/ssl/ssl_err.c +++ b/ssl/ssl_err.c @@ -127,7 +127,10 @@ static ERR_STRING_DATA SSL_str_functs[]= {ERR_PACK(0,SSL_F_SSL_BYTES_TO_CIPHER_LIST,0), "SSL_BYTES_TO_CIPHER_LIST"}, {ERR_PACK(0,SSL_F_SSL_CERT_NEW,0), "SSL_CERT_NEW"}, {ERR_PACK(0,SSL_F_SSL_CHECK_PRIVATE_KEY,0), "SSL_check_private_key"}, +{ERR_PACK(0,SSL_F_SSL_CLEAR,0), "SSL_clear"}, +{ERR_PACK(0,SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,0), "SSL_COMP_add_compression_method"}, {ERR_PACK(0,SSL_F_SSL_CREATE_CIPHER_LIST,0), "SSL_CREATE_CIPHER_LIST"}, +{ERR_PACK(0,SSL_F_SSL_CTX_ADD_COMPRESSION,0), "SSL_CTX_ADD_COMPRESSION"}, {ERR_PACK(0,SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,0), "SSL_CTX_check_private_key"}, {ERR_PACK(0,SSL_F_SSL_CTX_NEW,0), "SSL_CTX_new"}, {ERR_PACK(0,SSL_F_SSL_CTX_SET_SSL_VERSION,0), "SSL_CTX_set_ssl_version"}, @@ -266,6 +269,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= {SSL_R_NO_CIPHER_MATCH ,"no cipher match"}, {SSL_R_NO_CLIENT_CERT_RECEIVED ,"no client cert received"}, {SSL_R_NO_COMPRESSION_SPECIFIED ,"no compression specified"}, +{SSL_R_NO_METHOD_SPECIFIED ,"no method specified"}, {SSL_R_NO_PRIVATEKEY ,"no privatekey"}, {SSL_R_NO_PRIVATE_KEY_ASSIGNED ,"no private key assigned"}, {SSL_R_NO_PROTOCOLS_AVAILABLE ,"no protocols available"}, @@ -298,6 +302,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= {SSL_R_REUSE_CIPHER_LIST_NOT_ZERO ,"reuse cipher list not zero"}, {SSL_R_SHORT_READ ,"short read"}, {SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE,"signature for non signing certificate"}, +{SSL_R_SSL23_DOING_SESSION_ID_REUSE ,"ssl23 doing session id reuse"}, {SSL_R_SSL3_SESSION_ID_TOO_SHORT ,"ssl3 session id too short"}, {SSL_R_SSLV3_ALERT_BAD_CERTIFICATE ,"sslv3 alert bad certificate"}, {SSL_R_SSLV3_ALERT_BAD_RECORD_MAC ,"sslv3 alert bad record mac"}, diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index c9a228519..2019a400f 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -77,30 +77,37 @@ SSL3_ENC_METHOD ssl3_undef_enc_method={ ssl_undefined_function, }; -void SSL_clear(s) +int SSL_clear(s) SSL *s; { int state; - if (s->method == NULL) return; + if (s->method == NULL) + { + SSLerr(SSL_F_SSL_CLEAR,SSL_R_NO_METHOD_SPECIFIED); + return(0); + } s->error=0; s->hit=0; + s->shutdown=0; +#if 0 /* This is set if we are doing dynamic renegotiation so keep * the old cipher. It is sort of a SSL_clear_lite :-) */ - if (s->new_session) return; + if (s->new_session) return(1); +#endif state=s->state; /* Keep to check if we throw away the session-id */ s->type=0; - s->version=s->method->version; - s->rwstate=SSL_NOTHING; - s->state=SSL_ST_BEFORE; - s->rstate=SSL_ST_READ_HEADER; - s->read_ahead=s->ctx->default_read_ahead; + s->state=SSL_ST_BEFORE|((s->server)?SSL_ST_ACCEPT:SSL_ST_CONNECT); -/* s->shutdown=(SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); */ + s->version=s->method->version; + s->client_version=s->version; + s->rwstate=SSL_NOTHING; + s->rstate=SSL_ST_READ_HEADER; + s->read_ahead=s->ctx->read_ahead; if (s->init_buf != NULL) { @@ -116,10 +123,22 @@ SSL *s; s->session=NULL; } - s->shutdown=(SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); s->first_packet=0; - s->method->ssl_clear(s); +#if 1 + /* Check to see if we were changed into a different method, if + * so, revert back if we are not doing session-id reuse. */ + if ((s->session == NULL) && (s->method != s->ctx->method)) + { + s->method->ssl_free(s); + s->method=s->ctx->method; + if (!s->method->ssl_new(s)) + return(0); + } + else +#endif + s->method->ssl_clear(s); + return(1); } /* Used to change an SSL_CTXs default SSL method type */ @@ -169,7 +188,7 @@ SSL_CTX *ctx; } else s->cert=NULL; - s->verify_mode=ctx->default_verify_mode; + s->verify_mode=ctx->verify_mode; s->verify_callback=ctx->default_verify_callback; CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX); s->ctx=ctx; @@ -187,6 +206,7 @@ SSL_CTX *ctx; s->quiet_shutdown=ctx->quiet_shutdown; s->references=1; + s->server=(ctx->method->ssl_accept == ssl_undefined_function)?0:1; s->options=ctx->options; SSL_clear(s); @@ -251,11 +271,6 @@ SSL *s; ssl_clear_cipher_ctx(s); - if (s->expand != NULL) - COMP_CTX_free(s->expand); - if (s->compress != NULL) - COMP_CTX_free(s->compress); - if (s->cert != NULL) ssl_cert_free(s->cert); /* Free up if allocated */ @@ -402,7 +417,7 @@ SSL *s; int SSL_CTX_get_verify_mode(ctx) SSL_CTX *ctx; { - return(ctx->default_verify_mode); + return(ctx->verify_mode); } int (*SSL_CTX_get_verify_callback(ctx))() @@ -623,7 +638,22 @@ int cmd; long larg; char *parg; { - return(s->method->ssl_ctrl(s,cmd,larg,parg)); + long l; + + switch (cmd) + { + case SSL_CTRL_GET_READ_AHEAD: + return(s->read_ahead); + case SSL_CTRL_SET_READ_AHEAD: + l=s->read_ahead; + s->read_ahead=larg; + return(l); + case SSL_CTRL_OPTIONS: + return(s->options|=larg); + default: + return(s->method->ssl_ctrl(s,cmd,larg,parg)); + } + return(0); } long SSL_CTX_ctrl(ctx,cmd,larg,parg) @@ -632,7 +662,60 @@ int cmd; long larg; char *parg; { - return(ctx->method->ssl_ctx_ctrl(ctx,cmd,larg,parg)); + long l; + + switch (cmd) + { + case SSL_CTRL_GET_READ_AHEAD: + return(ctx->read_ahead); + case SSL_CTRL_SET_READ_AHEAD: + l=ctx->read_ahead; + ctx->read_ahead=larg; + return(l); + + case SSL_CTRL_SET_SESS_CACHE_SIZE: + l=ctx->session_cache_size; + ctx->session_cache_size=larg; + return(l); + case SSL_CTRL_GET_SESS_CACHE_SIZE: + return(ctx->session_cache_size); + case SSL_CTRL_SET_SESS_CACHE_MODE: + l=ctx->session_cache_mode; + ctx->session_cache_mode=larg; + return(l); + case SSL_CTRL_GET_SESS_CACHE_MODE: + return(ctx->session_cache_mode); + + case SSL_CTRL_SESS_NUMBER: + return(ctx->sessions->num_items); + case SSL_CTRL_SESS_CONNECT: + return(ctx->stats.sess_connect); + case SSL_CTRL_SESS_CONNECT_GOOD: + return(ctx->stats.sess_connect_good); + case SSL_CTRL_SESS_CONNECT_RENEGOTIATE: + return(ctx->stats.sess_connect_renegotiate); + case SSL_CTRL_SESS_ACCEPT: + return(ctx->stats.sess_accept); + case SSL_CTRL_SESS_ACCEPT_GOOD: + return(ctx->stats.sess_accept_good); + case SSL_CTRL_SESS_ACCEPT_RENEGOTIATE: + return(ctx->stats.sess_accept_renegotiate); + case SSL_CTRL_SESS_HIT: + return(ctx->stats.sess_hit); + case SSL_CTRL_SESS_CB_HIT: + return(ctx->stats.sess_cb_hit); + case SSL_CTRL_SESS_MISSES: + return(ctx->stats.sess_miss); + case SSL_CTRL_SESS_TIMEOUTS: + return(ctx->stats.sess_timeout); + case SSL_CTRL_SESS_CACHE_FULL: + return(ctx->stats.sess_cache_full); + case SSL_CTRL_OPTIONS: + return(ctx->options|=larg); + default: + return(ctx->method->ssl_ctx_ctrl(ctx,cmd,larg,parg)); + } + return(0); } int ssl_cipher_id_cmp(a,b) @@ -903,17 +986,7 @@ SSL_METHOD *meth; ret->remove_session_cb=NULL; ret->get_session_cb=NULL; - ret->sess_connect=0; - ret->sess_connect_good=0; - ret->sess_accept=0; - ret->sess_accept_renegotiate=0; - ret->sess_connect_renegotiate=0; - ret->sess_accept_good=0; - ret->sess_miss=0; - ret->sess_timeout=0; - ret->sess_cache_full=0; - ret->sess_hit=0; - ret->sess_cb_hit=0; + memset((char *)&ret->stats,0,sizeof(ret->stats)); ret->references=1; ret->quiet_shutdown=0; @@ -929,8 +1002,8 @@ SSL_METHOD *meth; ret->app_verify_callback=NULL; ret->app_verify_arg=NULL; - ret->default_read_ahead=0; - ret->default_verify_mode=SSL_VERIFY_NONE; + ret->read_ahead=0; + ret->verify_mode=SSL_VERIFY_NONE; ret->default_verify_callback=NULL; if ((ret->default_cert=ssl_cert_new()) == NULL) goto err; @@ -974,6 +1047,7 @@ SSL_METHOD *meth; CRYPTO_new_ex_data(ssl_ctx_meth,(char *)ret,&ret->ex_data); ret->extra_certs=NULL; + ret->comp_methods=SSL_COMP_get_compression_methods(); return(ret); err: @@ -1021,6 +1095,8 @@ SSL_CTX *a; sk_pop_free(a->client_CA,X509_NAME_free); if (a->extra_certs != NULL) sk_pop_free(a->extra_certs,X509_free); + if (a->comp_methods != NULL) + sk_pop_free(a->comp_methods,free); Free((char *)a); } @@ -1049,7 +1125,7 @@ int (*cb)(int, X509_STORE_CTX *); int (*cb)(); #endif { - ctx->default_verify_mode=mode; + ctx->verify_mode=mode; ctx->default_verify_callback=cb; /* This needs cleaning up EAY EAY EAY */ X509_STORE_set_verify_cb_func(ctx->cert_store,cb); @@ -1246,8 +1322,8 @@ int mode; ((i & mode) == mode)) { if ( (((mode & SSL_SESS_CACHE_CLIENT) - ?s->ctx->sess_connect_good - :s->ctx->sess_accept_good) & 0xff) == 0xff) + ?s->ctx->stats.sess_connect_good + :s->ctx->stats.sess_accept_good) & 0xff) == 0xff) { SSL_CTX_flush_sessions(s->ctx,time(NULL)); } @@ -1294,12 +1370,20 @@ SSL *s; int i; { int reason; + unsigned long l; BIO *bio; if (i > 0) return(SSL_ERROR_NONE); - if (ERR_peek_error() != 0) - return(SSL_ERROR_SSL); + /* Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake + * etc, where we do encode the error */ + if ((l=ERR_peek_error()) != 0) + { + if (ERR_GET_LIB(l) == ERR_LIB_SYS) + return(SSL_ERROR_SYSCALL); + else + return(SSL_ERROR_SSL); + } if ((i < 0) && SSL_want_read(s)) { @@ -1381,6 +1465,7 @@ SSL *s; void SSL_set_accept_state(s) SSL *s; { + s->server=1; s->shutdown=0; s->state=SSL_ST_ACCEPT|SSL_ST_BEFORE; s->handshake_func=s->method->ssl_accept; @@ -1391,6 +1476,7 @@ SSL *s; void SSL_set_connect_state(s) SSL *s; { + s->server=0; s->shutdown=0; s->state=SSL_ST_CONNECT|SSL_ST_BEFORE; s->handshake_func=s->method->ssl_connect; @@ -1498,6 +1584,7 @@ SSL *s; ret->shutdown=s->shutdown; ret->state=s->state; ret->handshake_func=s->handshake_func; + ret->server=s->server; if (0) { @@ -1523,6 +1610,16 @@ SSL *s; Free(s->enc_write_ctx); s->enc_write_ctx=NULL; } + if (s->expand != NULL) + { + COMP_CTX_free(s->expand); + s->expand=NULL; + } + if (s->compress != NULL) + { + COMP_CTX_free(s->compress); + s->compress=NULL; + } } /* Fix this function so that it takes an optional type parameter */ @@ -1590,6 +1687,26 @@ int push; } return(1); } + +void ssl_free_wbio_buffer(s) +SSL *s; + { + BIO *under; + + if (s->bbio == NULL) return; + + if (s->bbio == s->wbio) + { + /* remove buffering */ + under=BIO_pop(s->wbio); + if (under != NULL) + s->wbio=under; + else + abort(); /* ok */ + } + BIO_free(s->bbio); + s->bbio=NULL; + } void SSL_CTX_set_quiet_shutdown(ctx,mode) SSL_CTX *ctx; @@ -1750,6 +1867,27 @@ SSL *s; return(1); } +X509_STORE *SSL_CTX_get_cert_store(ctx) +SSL_CTX *ctx; + { + return(ctx->cert_store); + } + +void SSL_CTX_set_cert_store(ctx,store) +SSL_CTX *ctx; +X509_STORE *store; + { + if (ctx->cert_store != NULL) + X509_STORE_free(ctx->cert_store); + ctx->cert_store=store; + } + +int SSL_want(s) +SSL *s; + { + return(s->rwstate); + } + void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,RSA *(*cb)(SSL *ssl,int export)) { SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_RSA_CB,0,(char *)cb); } diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index f2442544e..1a907514d 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -348,7 +348,8 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK *sk,unsigned char *p); STACK *ssl_create_cipher_list(SSL_METHOD *meth,STACK **pref, STACK **sorted,char *str); void ssl_update_cache(SSL *s, int mode); -int ssl_cipher_get_evp(SSL_CIPHER *c, EVP_CIPHER **enc, EVP_MD **md); +int ssl_cipher_get_evp(SSL_SESSION *s, EVP_CIPHER **enc, EVP_MD **md, + SSL_COMP **comp); int ssl_verify_cert_chain(SSL *s,STACK *sk); int ssl_undefined_function(SSL *s); X509 *ssl_get_server_send_cert(SSL *); @@ -442,6 +443,7 @@ long tls1_ctrl(SSL *s,int cmd, long larg, char *parg); SSL_METHOD *tlsv1_base_method(void ); int ssl_init_wbio_buffer(SSL *s, int push); +void ssl_free_wbio_buffer(SSL *s); int tls1_change_cipher_state(SSL *s, int which); int tls1_setup_key_block(SSL *s); @@ -456,6 +458,9 @@ int tls1_alert_code(int code); int ssl3_alert_code(int code); int ssl_ok(SSL *s); +SSL_COMP *ssl3_comp_find(STACK *sk, int n); +STACK *SSL_COMP_get_compression_methods(void); + #else @@ -562,10 +567,8 @@ int ssl23_read_bytes(); int ssl23_write_bytes(); int ssl_init_wbio_buffer(); +void ssl_free_wbio_buffer(); -#endif - -#endif int ssl3_cert_verify_mac(); int ssl3_alert_code(); int tls1_new(); @@ -582,3 +585,9 @@ int tls1_mac(); int tls1_generate_master_secret(); int tls1_alert_code(); int ssl_ok(); +SSL_COMP *ssl3_comp_find(); +STACK *SSL_COMP_get_compression_methods(); + +#endif + +#endif diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c index 745a8ec24..43c51bc2b 100644 --- a/ssl/ssl_rsa.c +++ b/ssl/ssl_rsa.c @@ -152,10 +152,10 @@ end: } #endif -int SSL_use_certificate_ASN1(ssl, len, d) +int SSL_use_certificate_ASN1(ssl, d,len) SSL *ssl; -int len; unsigned char *d; +int len; { X509 *x; int ret; diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index 95cd7fed8..adaab3545 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -123,6 +123,7 @@ SSL_SESSION *SSL_SESSION_new() ss->time=time(NULL); ss->prev=NULL; ss->next=NULL; + ss->compress_meth=0; CRYPTO_new_ex_data(ssl_session_meth,(char *)ss,&ss->ex_data); return(ss); } @@ -136,8 +137,10 @@ int session; if ((ss=SSL_SESSION_new()) == NULL) return(0); /* If the context has a default timeout, use it */ - if (s->ctx->session_timeout != 0) + if (s->ctx->session_timeout == 0) ss->timeout=SSL_get_default_timeout(s); + else + ss->timeout=s->ctx->session_timeout; if (s->session != NULL) { @@ -218,13 +221,13 @@ int len; { int copy=1; - s->ctx->sess_miss++; + s->ctx->stats.sess_miss++; ret=NULL; if ((s->ctx->get_session_cb != NULL) && ((ret=s->ctx->get_session_cb(s,session_id,len,©)) != NULL)) { - s->ctx->sess_cb_hit++; + s->ctx->stats.sess_cb_hit++; /* The following should not return 1, otherwise, * things are very strange */ @@ -260,14 +263,14 @@ int len; if ((long)(ret->time+ret->timeout) < (long)time(NULL)) /* timeout */ { - s->ctx->sess_timeout++; + s->ctx->stats.sess_timeout++; /* remove it from the cache */ SSL_CTX_remove_session(s->ctx,ret); SSL_SESSION_free(ret); /* again to actually Free it */ return(0); } - s->ctx->sess_hit++; + s->ctx->stats.sess_hit++; /* ret->time=time(NULL); */ /* rezero timeout? */ /* again, just leave the session @@ -318,7 +321,7 @@ SSL_SESSION *c; ctx->session_cache_tail)) break; else - ctx->sess_cache_full++; + ctx->stats.sess_cache_full++; } } } @@ -413,7 +416,10 @@ SSL_SESSION *session; { if (!SSL_set_ssl_method(s,meth)) return(0); - session->timeout=SSL_get_default_timeout(s); + if (s->ctx->session_timeout == 0) + session->timeout=SSL_get_default_timeout(s); + else + session->timeout=s->ctx->session_timeout; } /* CRYPTO_w_lock(CRYPTO_LOCK_SSL);*/ @@ -431,6 +437,14 @@ SSL_SESSION *session; SSL_SESSION_free(s->session); s->session=NULL; } + + meth=s->ctx->method; + if (meth != s->method) + { + if (!SSL_set_ssl_method(s,meth)) + return(0); + } + ret=1; } return(ret); } @@ -467,6 +481,24 @@ long t; return(t); } +long SSL_CTX_set_timeout(s,t) +SSL_CTX *s; +long t; + { + long l; + if (s == NULL) return(0); + l=s->session_timeout; + s->session_timeout=t; + return(l); + } + +long SSL_CTX_get_timeout(s) +SSL_CTX *s; + { + if (s == NULL) return(0); + return(s->session_timeout); + } + typedef struct timeout_param_st { SSL_CTX *ctx; @@ -499,7 +531,7 @@ long t; TIMEOUT_PARAM tp; tp.ctx=s; - tp.cache=SSL_CTX_sessions(s); + tp.cache=s->sessions; if (tp.cache == NULL) return; tp.time=t; CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); diff --git a/ssl/ssl_txt.c b/ssl/ssl_txt.c index ce60e1a6d..e41b738f5 100644 --- a/ssl/ssl_txt.c +++ b/ssl/ssl_txt.c @@ -133,6 +133,23 @@ SSL_SESSION *x; sprintf(str,"%02X",x->key_arg[i]); if (BIO_puts(bp,str) <= 0) goto err; } + if (x->compress_meth != 0) + { + SSL_COMP *comp; + + ssl_cipher_get_evp(x,NULL,NULL,&comp); + if (comp == NULL) + { + sprintf(str,"\n Compression: %d",x->compress_meth); + if (BIO_puts(bp,str) <= 0) goto err; + } + else + { + sprintf(str,"\n Compression: %d (%s)", + comp->id,comp->method->name); + if (BIO_puts(bp,str) <= 0) goto err; + } + } if (x->time != 0L) { sprintf(str,"\n Start Time: %ld",x->time); diff --git a/ssl/ssltest.c b/ssl/ssltest.c index ff686913d..4662770e3 100644 --- a/ssl/ssltest.c +++ b/ssl/ssltest.c @@ -243,7 +243,7 @@ bad: /* if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */ - SSLeay_add_ssl_algorithms(); + SSL_library_init(); SSL_load_error_strings(); #if !defined(NO_SSL2) && !defined(NO_SSL3) diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index ac9da4da3..f228295bb 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c @@ -57,6 +57,7 @@ */ #include +#include "comp.h" #include "evp.h" #include "hmac.h" #include "ssl_locl.h" @@ -175,7 +176,7 @@ int which; int client_write; EVP_CIPHER_CTX *dd; EVP_CIPHER *c; - COMP_METHOD *comp; + SSL_COMP *comp; EVP_MD *m; int exp,n,i,j,k,exp_label_len,cl; @@ -200,14 +201,15 @@ int which; } if (comp != NULL) { - s->expand=COMP_CTX_new(comp); + s->expand=COMP_CTX_new(comp->method); if (s->expand == NULL) { SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR); goto err2; } - s->s3->rrec.comp=(unsigned char *) - Malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH); + if (s->s3->rrec.comp == NULL) + s->s3->rrec.comp=(unsigned char *) + Malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH); if (s->s3->rrec.comp == NULL) goto err; } @@ -229,7 +231,7 @@ int which; } if (comp != NULL) { - s->compress=COMP_CTX_new(comp); + s->compress=COMP_CTX_new(comp->method); if (s->compress == NULL) { SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR); @@ -346,11 +348,12 @@ SSL *s; EVP_CIPHER *c; EVP_MD *hash; int num,exp; + SSL_COMP *comp; if (s->s3->tmp.key_block_length != 0) return(1); - if (!ssl_cipher_get_evp(s->session->cipher,&c,&hash)) + if (!ssl_cipher_get_evp(s->session,&c,&hash,&comp)) { SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILABLE); return(0); @@ -504,7 +507,7 @@ unsigned char *out; unsigned int ret; EVP_MD_CTX ctx; - memcpy(&ctx,in_ctx,sizeof(EVP_MD_CTX)); + EVP_MD_CTX_copy(&ctx,in_ctx); EVP_DigestFinal(&ctx,out,&ret); return((int)ret); } @@ -525,10 +528,10 @@ unsigned char *out; memcpy(q,str,slen); q+=slen; - memcpy(&ctx,in1_ctx,sizeof(EVP_MD_CTX)); + EVP_MD_CTX_copy(&ctx,in1_ctx); EVP_DigestFinal(&ctx,q,&i); q+=i; - memcpy(&ctx,in2_ctx,sizeof(EVP_MD_CTX)); + EVP_MD_CTX_copy(&ctx,in2_ctx); EVP_DigestFinal(&ctx,q,&i); q+=i;