generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

New option to enable/disable connection to unpatched servers

Browse Source
This commit is contained in:
Dr. Stephen Henson 2009-12-16 20:28:30 +00:00
parent 2456cd58c4
commit 675564835c
12 changed files with 48 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
CHANGES
View File

@ -827,6 +827,11 @@
[NTT] [NTT]
Changes between 0.9.8l (?) and 0.9.8m (?) [xx XXX xxxx] Changes between 0.9.8l (?) and 0.9.8m (?) [xx XXX xxxx]
*) Add option SSL_OP_LEGACY_SERVER_CONNECT which will allow clients to
connect (but not renegotiate) with servers which do not support RI.
Until RI is more widely deployed this option is enabled by default.
[Steve Henson]
*) Add "missing" ssl ctrls to clear options and mode. *) Add "missing" ssl ctrls to clear options and mode.
[Steve Henson] [Steve Henson]

9
apps/s_client.c
View File

@ -382,7 +382,7 @@ int MAIN(int, char **);
int MAIN(int argc, char **argv) int MAIN(int argc, char **argv)
{ {
int off=0; unsigned int off=0, clr=0;
SSL *con=NULL; SSL *con=NULL;
int s,k,width,state=0; int s,k,width,state=0;
char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL; char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL;
@ -661,6 +661,10 @@ int MAIN(int argc, char **argv)
off|=SSL_OP_CIPHER_SERVER_PREFERENCE; off|=SSL_OP_CIPHER_SERVER_PREFERENCE;
else if (strcmp(*argv,"-legacy_renegotiation") == 0) else if (strcmp(*argv,"-legacy_renegotiation") == 0)
off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION; off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
else if (strcmp(*argv,"-legacy_server_connect") == 0)
{ off|=SSL_OP_LEGACY_SERVER_CONNECT; }
else if (strcmp(*argv,"-no_legacy_server_connect") == 0)
{ clr|=SSL_OP_LEGACY_SERVER_CONNECT; }
else if (strcmp(*argv,"-cipher") == 0) else if (strcmp(*argv,"-cipher") == 0)
{ {
if (--argc < 1) goto bad; if (--argc < 1) goto bad;
@ -871,6 +875,9 @@ bad:
SSL_CTX_set_options(ctx,SSL_OP_ALL|off); SSL_CTX_set_options(ctx,SSL_OP_ALL|off);
else else
SSL_CTX_set_options(ctx,off); SSL_CTX_set_options(ctx,off);
if (clr)
SSL_CTX_clear_options(ctx, clr);
/* DTLS: partial reads end up discarding unread UDP bytes :-( /* DTLS: partial reads end up discarding unread UDP bytes :-(
* Setting read ahead solves this problem. * Setting read ahead solves this problem.
*/ */

2
crypto/evp/evp.h
View File

@ -1289,6 +1289,8 @@ void ERR_load_EVP_strings(void);
#define EVP_R_PRIVATE_KEY_DECODE_ERROR 145 #define EVP_R_PRIVATE_KEY_DECODE_ERROR 145
#define EVP_R_PRIVATE_KEY_ENCODE_ERROR 146 #define EVP_R_PRIVATE_KEY_ENCODE_ERROR 146
#define EVP_R_PUBLIC_KEY_NOT_RSA 106 #define EVP_R_PUBLIC_KEY_NOT_RSA 106
#define EVP_R_UNKNOWN_CIPHER 160
#define EVP_R_UNKNOWN_DIGEST 161
#define EVP_R_UNKNOWN_PBE_ALGORITHM 121 #define EVP_R_UNKNOWN_PBE_ALGORITHM 121
#define EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS 135 #define EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS 135
#define EVP_R_UNSUPPORTED_ALGORITHM 156 #define EVP_R_UNSUPPORTED_ALGORITHM 156

6
crypto/evp/evp_err.c
View File

@ -1,6 +1,6 @@
/* crypto/evp/evp_err.c */ /* crypto/evp/evp_err.c */
/* ==================================================================== /* ====================================================================
* Copyright (c) 1999-2008 The OpenSSL Project. All rights reserved. * Copyright (c) 1999-2009 The OpenSSL Project. All rights reserved.
* *
* Redistribution and use in source and binary forms, with or without * Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions * modification, are permitted provided that the following conditions
@ -85,7 +85,7 @@ static ERR_STRING_DATA EVP_str_functs[]=
{ERR_FUNC(EVP_F_EVP_DIGESTINIT_EX), "EVP_DigestInit_ex"}, {ERR_FUNC(EVP_F_EVP_DIGESTINIT_EX), "EVP_DigestInit_ex"},
{ERR_FUNC(EVP_F_EVP_ENCRYPTFINAL_EX), "EVP_EncryptFinal_ex"}, {ERR_FUNC(EVP_F_EVP_ENCRYPTFINAL_EX), "EVP_EncryptFinal_ex"},
{ERR_FUNC(EVP_F_EVP_MD_CTX_COPY_EX), "EVP_MD_CTX_copy_ex"}, {ERR_FUNC(EVP_F_EVP_MD_CTX_COPY_EX), "EVP_MD_CTX_copy_ex"},
{ERR_FUNC(EVP_F_EVP_MD_SIZE), "EVP_MD_SIZE"}, {ERR_FUNC(EVP_F_EVP_MD_SIZE), "EVP_MD_size"},
{ERR_FUNC(EVP_F_EVP_OPENINIT), "EVP_OpenInit"}, {ERR_FUNC(EVP_F_EVP_OPENINIT), "EVP_OpenInit"},
{ERR_FUNC(EVP_F_EVP_PBE_ALG_ADD), "EVP_PBE_alg_add"}, {ERR_FUNC(EVP_F_EVP_PBE_ALG_ADD), "EVP_PBE_alg_add"},
{ERR_FUNC(EVP_F_EVP_PBE_ALG_ADD_TYPE), "EVP_PBE_alg_add_type"}, {ERR_FUNC(EVP_F_EVP_PBE_ALG_ADD_TYPE), "EVP_PBE_alg_add_type"},
@ -185,6 +185,8 @@ static ERR_STRING_DATA EVP_str_reasons[]=
{ERR_REASON(EVP_R_PRIVATE_KEY_DECODE_ERROR),"private key decode error"}, {ERR_REASON(EVP_R_PRIVATE_KEY_DECODE_ERROR),"private key decode error"},
{ERR_REASON(EVP_R_PRIVATE_KEY_ENCODE_ERROR),"private key encode error"}, {ERR_REASON(EVP_R_PRIVATE_KEY_ENCODE_ERROR),"private key encode error"},
{ERR_REASON(EVP_R_PUBLIC_KEY_NOT_RSA) ,"public key not rsa"}, {ERR_REASON(EVP_R_PUBLIC_KEY_NOT_RSA) ,"public key not rsa"},
{ERR_REASON(EVP_R_UNKNOWN_CIPHER) ,"unknown cipher"},
{ERR_REASON(EVP_R_UNKNOWN_DIGEST) ,"unknown digest"},
{ERR_REASON(EVP_R_UNKNOWN_PBE_ALGORITHM) ,"unknown pbe algorithm"}, {ERR_REASON(EVP_R_UNKNOWN_PBE_ALGORITHM) ,"unknown pbe algorithm"},
{ERR_REASON(EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS),"unsuported number of rounds"}, {ERR_REASON(EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS),"unsuported number of rounds"},
{ERR_REASON(EVP_R_UNSUPPORTED_ALGORITHM) ,"unsupported algorithm"}, {ERR_REASON(EVP_R_UNSUPPORTED_ALGORITHM) ,"unsupported algorithm"},

14
crypto/evp/evp_pbe.c
View File

@ -174,12 +174,26 @@ int EVP_PBE_CipherInit(ASN1_OBJECT *pbe_obj, const char *pass, int passlen,
if (cipher_nid == -1) if (cipher_nid == -1)
cipher = NULL; cipher = NULL;
else else
{
cipher = EVP_get_cipherbynid(cipher_nid); cipher = EVP_get_cipherbynid(cipher_nid);
if (!cipher)
{
EVPerr(EVP_F_EVP_PBE_CIPHERINIT,EVP_R_UNKNOWN_CIPHER);
return 0;
}
}
if (md_nid == -1) if (md_nid == -1)
md = NULL; md = NULL;
else else
{
md = EVP_get_digestbynid(md_nid); md = EVP_get_digestbynid(md_nid);
if (!md)
{
EVPerr(EVP_F_EVP_PBE_CIPHERINIT,EVP_R_UNKNOWN_DIGEST);
return 0;
}
}
if (!keygen(ctx, pass, passlen, param, cipher, md, en_de)) if (!keygen(ctx, pass, passlen, param, cipher, md, en_de))
{ {

3
demos/pkcs12/pkread.c
View File

@ -20,7 +20,8 @@ int main(int argc, char **argv)
fprintf(stderr, "Usage: pkread p12file password opfile\n"); fprintf(stderr, "Usage: pkread p12file password opfile\n");
exit (1); exit (1);
} }
SSLeay_add_all_algorithms(); /*SSLeay_add_all_algorithms();*/
OpenSSL_add_all_digests();
ERR_load_crypto_strings(); ERR_load_crypto_strings();
if (!(fp = fopen(argv[1], "rb"))) { if (!(fp = fopen(argv[1], "rb"))) {
fprintf(stderr, "Error opening file %s\n", argv[1]); fprintf(stderr, "Error opening file %s\n", argv[1]);

2
ssl/d1_clnt.c
View File

@ -698,7 +698,7 @@ int dtls1_client_hello(SSL *s)
#ifndef OPENSSL_NO_TLSEXT #ifndef OPENSSL_NO_TLSEXT
if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
{ {
SSLerr(SSL_F_SSL3_CLIENT_HELLO,ERR_R_INTERNAL_ERROR); SSLerr(SSL_F_DTLS1_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
goto err; goto err;
} }
#endif #endif

2
ssl/d1_srvr.c
View File

@ -814,7 +814,7 @@ int dtls1_send_server_hello(SSL *s)
#ifndef OPENSSL_NO_TLSEXT #ifndef OPENSSL_NO_TLSEXT
if ((p = ssl_add_serverhello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) if ((p = ssl_add_serverhello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
{ {
SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR); SSLerr(SSL_F_DTLS1_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR);
return -1; return -1;
} }
#endif #endif

2
ssl/ssl.h
View File

@ -517,6 +517,8 @@ typedef struct ssl_session_st
#define SSL_OP_MICROSOFT_SESS_ID_BUG 0x00000001L #define SSL_OP_MICROSOFT_SESS_ID_BUG 0x00000001L
#define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x00000002L #define SSL_OP_NETSCAPE_CHALLENGE_BUG 0x00000002L
/* Allow initial connection to servers that don't support RI */
#define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L
#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L
#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L
#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L

2
ssl/ssl3.h
View File

@ -129,7 +129,9 @@ extern "C" {
#endif #endif
/* Magic Cipher Suite Value. NB: bogus value used for testing */ /* Magic Cipher Suite Value. NB: bogus value used for testing */
#ifndef SSL3_CK_MCSV
#define SSL3_CK_MCSV 0x03000FEC #define SSL3_CK_MCSV 0x03000FEC
#endif
#define SSL3_CK_RSA_NULL_MD5 0x03000001 #define SSL3_CK_RSA_NULL_MD5 0x03000001
#define SSL3_CK_RSA_NULL_SHA 0x03000002 #define SSL3_CK_RSA_NULL_SHA 0x03000002

4
ssl/ssl_lib.c
View File

@ -1677,6 +1677,10 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
} }
#endif #endif
#endif #endif
/* Default is to connect to non-RI servers. When RI is more widely
* deployed might change this.
*/
ret->options = SSL_OP_LEGACY_SERVER_CONNECT;
return(ret); return(ret);
err: err:

5
ssl/t1_lib.c
View File

@ -1157,8 +1157,9 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
* which doesn't support RI so for the immediate future tolerate RI * which doesn't support RI so for the immediate future tolerate RI
* absence on initial connect only. * absence on initial connect only.
*/ */
if (!renegotiate_seen && s->new_session && if (!renegotiate_seen &&
!(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) (s->new_session || !(s->options & SSL_OP_LEGACY_SERVER_CONNECT))
&& !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
{ {
/* FIXME: Spec currently doesn't give alert to use */ /* FIXME: Spec currently doesn't give alert to use */
*al = SSL_AD_ILLEGAL_PARAMETER; *al = SSL_AD_ILLEGAL_PARAMETER;