resolve conflicts.

This commit is contained in:
christos 2006-06-03 01:50:19 +00:00
parent 387e0d89ab
commit ed56312e8a
42 changed files with 886 additions and 627 deletions

View File

@ -2,13 +2,56 @@
OpenSSL CHANGES
_______________
Changes between 0.9.8a and 0.9.8b [04 May 2006]
*) When applying a cipher rule check to see if string match is an explicit
cipher suite and only match that one cipher suite if it is.
[Steve Henson]
*) Link in manifests for VC++ if needed.
[Austin Ziegler <halostatue@gmail.com>]
*) Update support for ECC-based TLS ciphersuites according to
draft-ietf-tls-ecc-12.txt with proposed changes (but without
TLS extensions, which are supported starting with the 0.9.9
branch, not in the OpenSSL 0.9.8 branch).
[Douglas Stebila]
*) New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free() to support
opaque EVP_CIPHER_CTX handling.
[Steve Henson]
*) Fixes and enhancements to zlib compression code. We now only use
"zlib1.dll" and use the default __cdecl calling convention on Win32
to conform with the standards mentioned here:
http://www.zlib.net/DLL_FAQ.txt
Static zlib linking now works on Windows and the new --with-zlib-include
--with-zlib-lib options to Configure can be used to supply the location
of the headers and library. Gracefully handle case where zlib library
can't be loaded.
[Steve Henson]
*) Several fixes and enhancements to the OID generation code. The old code
sometimes allowed invalid OIDs (1.X for X >= 40 for example), couldn't
handle numbers larger than ULONG_MAX, truncated printing and had a
non standard OBJ_obj2txt() behaviour.
[Steve Henson]
*) Add support for building of engines under engine/ as shared libraries
under VC++ build system.
[Steve Henson]
*) Corrected the numerous bugs in the Win32 path splitter in DSO.
Hopefully, we will not see any false combination of paths any more.
[Richard Levitte]
Changes between 0.9.8 and 0.9.8a [11 Oct 2005]
*) Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING
(part of SSL_OP_ALL). This option used to disable the
countermeasure against man-in-the-middle protocol-version
rollback in the SSL 2.0 server implementation, which is a bad
idea. (CAN-2005-2969)
idea. (CVE-2005-2969)
[Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center
for Information Security, National Institute of Advanced Industrial
@ -858,13 +901,22 @@
differing sizes.
[Richard Levitte]
Changes between 0.9.7h and 0.9.7i [14 Oct 2005]
*) Wrapped the definition of EVP_MAX_MD_SIZE in a #ifdef OPENSSL_FIPS.
The value now differs depending on if you build for FIPS or not.
BEWARE! A program linked with a shared FIPSed libcrypto can't be
safely run with a non-FIPSed libcrypto, as it may crash because of
the difference induced by this change.
[Andy Polyakov]
Changes between 0.9.7g and 0.9.7h [11 Oct 2005]
*) Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING
(part of SSL_OP_ALL). This option used to disable the
countermeasure against man-in-the-middle protocol-version
rollback in the SSL 2.0 server implementation, which is a bad
idea.
idea. (CVE-2005-2969)
[Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center
for Information Security, National Institute of Advanced Industrial
@ -1029,11 +1081,11 @@
Changes between 0.9.7c and 0.9.7d [17 Mar 2004]
*) Fix null-pointer assignment in do_change_cipher_spec() revealed
by using the Codenomicon TLS Test Tool (CAN-2004-0079)
by using the Codenomicon TLS Test Tool (CVE-2004-0079)
[Joe Orton, Steve Henson]
*) Fix flaw in SSL/TLS handshaking when using Kerberos ciphersuites
(CAN-2004-0112)
(CVE-2004-0112)
[Joe Orton, Steve Henson]
*) Make it possible to have multiple active certificates with the same
@ -1076,9 +1128,9 @@
*) Fix various bugs revealed by running the NISCC test suite:
Stop out of bounds reads in the ASN1 code when presented with
invalid tags (CAN-2003-0543 and CAN-2003-0544).
invalid tags (CVE-2003-0543 and CVE-2003-0544).
Free up ASN1_TYPE correctly if ANY type is invalid (CAN-2003-0545).
Free up ASN1_TYPE correctly if ANY type is invalid (CVE-2003-0545).
If verify callback ignores invalid public key errors don't try to check
certificate signature with the NULL public key.
@ -1163,7 +1215,7 @@
via timing by performing a MAC computation even if incorrrect
block cipher padding has been found. This is a countermeasure
against active attacks where the attacker has to distinguish
between bad padding and a MAC verification error. (CAN-2003-0078)
between bad padding and a MAC verification error. (CVE-2003-0078)
[Bodo Moeller; problem pointed out by Brice Canvel (EPFL),
Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
@ -1380,7 +1432,7 @@
Remote buffer overflow in SSL3 protocol - an attacker could
supply an oversized master key in Kerberos-enabled versions.
(CAN-2002-0657)
(CVE-2002-0657)
[Ben Laurie (CHATS)]
*) Change the SSL kerb5 codes to match RFC 2712.
@ -3064,7 +3116,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
Changes between 0.9.6l and 0.9.6m [17 Mar 2004]
*) Fix null-pointer assignment in do_change_cipher_spec() revealed
by using the Codenomicon TLS Test Tool (CAN-2004-0079)
by using the Codenomicon TLS Test Tool (CVE-2004-0079)
[Joe Orton, Steve Henson]
Changes between 0.9.6k and 0.9.6l [04 Nov 2003]
@ -3072,7 +3124,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
*) Fix additional bug revealed by the NISCC test suite:
Stop bug triggering large recursion when presented with
certain ASN.1 tags (CAN-2003-0851)
certain ASN.1 tags (CVE-2003-0851)
[Steve Henson]
Changes between 0.9.6j and 0.9.6k [30 Sep 2003]
@ -3080,7 +3132,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
*) Fix various bugs revealed by running the NISCC test suite:
Stop out of bounds reads in the ASN1 code when presented with
invalid tags (CAN-2003-0543 and CAN-2003-0544).
invalid tags (CVE-2003-0543 and CVE-2003-0544).
If verify callback ignores invalid public key errors don't try to check
certificate signature with the NULL public key.
@ -3132,7 +3184,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
via timing by performing a MAC computation even if incorrrect
block cipher padding has been found. This is a countermeasure
against active attacks where the attacker has to distinguish
between bad padding and a MAC verification error. (CAN-2003-0078)
between bad padding and a MAC verification error. (CVE-2003-0078)
[Bodo Moeller; problem pointed out by Brice Canvel (EPFL),
Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
@ -3265,7 +3317,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
*) Add various sanity checks to asn1_get_length() to reject
the ASN1 length bytes if they exceed sizeof(long), will appear
negative or the content length exceeds the length of the
supplied buffer. (CAN-2002-0659)
supplied buffer. (CVE-2002-0659)
[Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>]
*) Assertions for various potential buffer overflows, not known to
@ -3273,15 +3325,15 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
[Ben Laurie (CHATS)]
*) Various temporary buffers to hold ASCII versions of integers were
too small for 64 bit platforms. (CAN-2002-0655)
too small for 64 bit platforms. (CVE-2002-0655)
[Matthew Byng-Maddick <mbm@aldigital.co.uk> and Ben Laurie (CHATS)>
*) Remote buffer overflow in SSL3 protocol - an attacker could
supply an oversized session ID to a client. (CAN-2002-0656)
supply an oversized session ID to a client. (CVE-2002-0656)
[Ben Laurie (CHATS)]
*) Remote buffer overflow in SSL2 protocol - an attacker could
supply an oversized client master key. (CAN-2002-0656)
supply an oversized client master key. (CVE-2002-0656)
[Ben Laurie (CHATS)]
Changes between 0.9.6c and 0.9.6d [9 May 2002]

View File

@ -31,6 +31,7 @@ OpenSSL - Frequently Asked Questions
* Why does my browser give a warning about a mismatched hostname?
* How do I install a CA certificate into a browser?
* Why is OpenSSL x509 DN output not conformant to RFC2253?
* What is a "128 bit certificate"? Can I create one with OpenSSL?
[BUILD] Questions about building and testing OpenSSL
@ -48,6 +49,7 @@ OpenSSL - Frequently Asked Questions
* Why does OpenBSD-i386 build fail on des-586.s with "Unimplemented segment type"?
* Why does the OpenSSL test suite fail in sha512t on x86 CPU?
* Why does compiler fail to compile sha512.c?
* Test suite still fails, what to do?
[PROG] Questions about programming with OpenSSL
@ -72,7 +74,7 @@ OpenSSL - Frequently Asked Questions
* Which is the current version of OpenSSL?
The current version is available from <URL: http://www.openssl.org>.
OpenSSL 0.9.8a was released on October 11th, 2005.
OpenSSL 0.9.8b was released on May 4th, 2006.
In addition to the current stable release, you can also access daily
snapshots of the OpenSSL development version at <URL:
@ -386,6 +388,43 @@ interface, the "-nameopt" option could be introduded. See the manual
page of the "openssl x509" commandline tool for details. The old behaviour
has however been left as default for the sake of compatibility.
* What is a "128 bit certificate"? Can I create one with OpenSSL?
The term "128 bit certificate" is a highly misleading marketing term. It does
*not* refer to the size of the public key in the certificate! A certificate
containing a 128 bit RSA key would have negligible security.
There were various other names such as "magic certificates", "SGC
certificates", "step up certificates" etc.
You can't generally create such a certificate using OpenSSL but there is no
need to any more. Nowadays web browsers using unrestricted strong encryption
are generally available.
When there were tight export restrictions on the export of strong encryption
software from the US only weak encryption algorithms could be freely exported
(initially 40 bit and then 56 bit). It was widely recognised that this was
inadequate. A relaxation the rules allowed the use of strong encryption but
only to an authorised server.
Two slighly different techniques were developed to support this, one used by
Netscape was called "step up", the other used by MSIE was called "Server Gated
Cryptography" (SGC). When a browser initially connected to a server it would
check to see if the certificate contained certain extensions and was issued by
an authorised authority. If these test succeeded it would reconnect using
strong encryption.
Only certain (initially one) certificate authorities could issue the
certificates and they generally cost more than ordinary certificates.
Although OpenSSL can create certificates containing the appropriate extensions
the certificate would not come from a permitted authority and so would not
be recognized.
The export laws were later changed to allow almost unrestricted use of strong
encryption so these certificates are now obsolete.
[BUILD] =======================================================================
* Why does the linker complain about undefined symbols?
@ -617,6 +656,18 @@ the module in question. The recommendation is to disable SHA-512 by
adding no-sha512 to ./config [or ./Configure] command line. Another
possible alternative might be to switch to GCC.
* Test suite still fails, what to do?
Another common reason for failure to complete some particular test is
simply bad code generated by a buggy component in toolchain or deficiency
in run-time environment. There are few cases documented in PROBLEMS file,
consult it for possible workaround before you beat the drum. Even if you
don't find solution or even mention there, do reserve for possibility of
a compiler bug. Compiler bugs might appear in rather bizarre ways, they
never make sense, and tend to emerge when you least expect them. In order
to identify one, drop optimization level, e.g. by editing CFLAG line in
top-level Makefile, recompile and re-run the test.
[PROG] ========================================================================
* Is OpenSSL thread-safe?
@ -649,10 +700,10 @@ your application must link against the same by which OpenSSL was
built. If you are using MS Visual C++ (Studio) this can be changed
by:
1. Select Settings... from the Project Menu.
2. Select the C/C++ Tab.
3. Select "Code Generation from the "Category" drop down list box
4. Select the Appropriate library (see table below) from the "Use
1. Select Settings... from the Project Menu.
2. Select the C/C++ Tab.
3. Select "Code Generation from the "Category" drop down list box
4. Select the Appropriate library (see table below) from the "Use
run-time library" drop down list box. Perform this step for both
your debug and release versions of your application (look at the
top left of the settings panel to change between the two)
@ -672,16 +723,19 @@ Note that debug and release libraries are NOT interchangeable. If you
built OpenSSL with /MD your application must use /MD and cannot use /MDd.
As per 0.9.8 the above limitation is eliminated for .DLLs. OpenSSL
.DLLs compiled with some specific run-time option [we recommend the
.DLLs compiled with some specific run-time option [we insist on the
default /MD] can be deployed with application compiled with different
option or even different compiler. But there is a catch! Instead of
re-compiling OpenSSL toolkit, as you would have to with prior versions,
you have to compile small C snippet with compiler and/or options of
your choice. The snippet gets installed as
<install-root>/include/openssl/applink.c and should be either added to
your project or simply #include-d in one [and only one] of your source
files. Failure to do either manifests itself as fatal "no
OPENSSL_Applink" error.
your application project or simply #include-d in one [and only one]
of your application source files. Failure to link this shim module
into your application manifests itself as fatal "no OPENSSL_Applink"
run-time error. An explicit reminder is due that in this situation
[mixing compiler options] it is as important to add CRYPTO_malloc_init
prior first call to OpenSSL.
* How do I read or write a DER encoded buffer using the ASN1 functions?

View File

@ -94,6 +94,9 @@ foreach (@ARGV) {
mkdir "${CATOP}/private", $DIRMODE;
open OUT, ">${CATOP}/index.txt";
close OUT;
open OUT, ">${CATOP}/crlnumber";
print OUT "01\n";
close OUT;
}
if ( ! -f "${CATOP}/private/$CAKEY" ) {
print "CA certificate filename (or enter to create)\n";
@ -113,6 +116,7 @@ foreach (@ARGV) {
system ("$CA -create_serial " .
"-out ${CATOP}/$CACERT $CADAYS -batch " .
"-keyfile ${CATOP}/private/$CAKEY -selfsign " .
"-extensions v3_ca " .
"-infiles ${CATOP}/$CAREQ ");
$RET=$?;
}

View File

@ -2522,6 +2522,7 @@ static void print_result(int alg,int run_no,int count,double time_used)
results[alg][run_no]=((double)count)/time_used*lengths[run_no];
}
#ifdef HAVE_FORK
static char *sstrsep(char **string, const char *delim)
{
char isdelim[256];
@ -2553,7 +2554,6 @@ static char *sstrsep(char **string, const char *delim)
return token;
}
#ifdef HAVE_FORK
static int do_multi(int multi)
{
int n;

View File

@ -149,6 +149,7 @@ extern "C" {
#define B_ASN1_UTF8STRING 0x2000
#define B_ASN1_UTCTIME 0x4000
#define B_ASN1_GENERALIZEDTIME 0x8000
#define B_ASN1_SEQUENCE 0x10000
/* For use with ASN1_mbstring_copy() */
#define MBSTRING_FLAG 0x1000
@ -594,6 +595,7 @@ typedef struct BIT_STRING_BITNAME_st {
B_ASN1_UNIVERSALSTRING|\
B_ASN1_BMPSTRING|\
B_ASN1_UTF8STRING|\
B_ASN1_SEQUENCE|\
B_ASN1_UNKNOWN
#define B_ASN1_DIRECTORYSTRING \
@ -1045,7 +1047,7 @@ void ERR_load_ASN1_strings(void);
#define ASN1_F_ASN1_I2D_FP 117
#define ASN1_F_ASN1_INTEGER_SET 118
#define ASN1_F_ASN1_INTEGER_TO_BN 119
#define ASN1_F_ASN1_ITEM_D2I_FP 190
#define ASN1_F_ASN1_ITEM_D2I_FP 206
#define ASN1_F_ASN1_ITEM_DUP 191
#define ASN1_F_ASN1_ITEM_EX_COMBINE_NEW 121
#define ASN1_F_ASN1_ITEM_EX_D2I 120

View File

@ -88,7 +88,10 @@ static int asn1_print_info(BIO *bp, int tag, int xclass, int constructed,
BIO_snprintf(str,sizeof str,"cont [ %d ]",tag);
else if ((xclass & V_ASN1_APPLICATION) == V_ASN1_APPLICATION)
BIO_snprintf(str,sizeof str,"appl [ %d ]",tag);
else p = ASN1_tag2str(tag);
else if (tag > 30)
BIO_snprintf(str,sizeof str,"<ASN1 %d>",tag);
else
p = ASN1_tag2str(tag);
if (p2 != NULL)
{

View File

@ -109,7 +109,7 @@ int RSA_print(BIO *bp, const RSA *x, int off)
char str[128];
const char *s;
unsigned char *m=NULL;
int ret=0;
int ret=0, mod_len = 0;
size_t buf_len=0, i;
if (x->n)
@ -143,27 +143,37 @@ int RSA_print(BIO *bp, const RSA *x, int off)
goto err;
}
if (x->n != NULL)
mod_len = BN_num_bits(x->n);
if (x->d != NULL)
{
if(!BIO_indent(bp,off,128))
goto err;
if (BIO_printf(bp,"Private-Key: (%d bit)\n",BN_num_bits(x->n))
if (BIO_printf(bp,"Private-Key: (%d bit)\n", mod_len)
<= 0) goto err;
}
if (x->d == NULL)
BIO_snprintf(str,sizeof str,"Modulus (%d bit):",BN_num_bits(x->n));
BIO_snprintf(str,sizeof str,"Modulus (%d bit):", mod_len);
else
BUF_strlcpy(str,"modulus:",sizeof str);
if (!print(bp,str,x->n,m,off)) goto err;
s=(x->d == NULL)?"Exponent:":"publicExponent:";
if (!print(bp,s,x->e,m,off)) goto err;
if (!print(bp,"privateExponent:",x->d,m,off)) goto err;
if (!print(bp,"prime1:",x->p,m,off)) goto err;
if (!print(bp,"prime2:",x->q,m,off)) goto err;
if (!print(bp,"exponent1:",x->dmp1,m,off)) goto err;
if (!print(bp,"exponent2:",x->dmq1,m,off)) goto err;
if (!print(bp,"coefficient:",x->iqmp,m,off)) goto err;
if ((x->e != NULL) && !print(bp,s,x->e,m,off))
goto err;
if ((x->d != NULL) && !print(bp,"privateExponent:",x->d,m,off))
goto err;
if ((x->p != NULL) && !print(bp,"prime1:",x->p,m,off))
goto err;
if ((x->q != NULL) && !print(bp,"prime2:",x->q,m,off))
goto err;
if ((x->dmp1 != NULL) && !print(bp,"exponent1:",x->dmp1,m,off))
goto err;
if ((x->dmq1 != NULL) && !print(bp,"exponent2:",x->dmq1,m,off))
goto err;
if ((x->iqmp != NULL) && !print(bp,"coefficient:",x->iqmp,m,off))
goto err;
ret=1;
err:
if (m != NULL) OPENSSL_free(m);
@ -740,7 +750,7 @@ int DSAparams_print(BIO *bp, const DSA *x)
buf_len = (size_t)BN_num_bytes(x->p);
else
{
DSAerr(DSA_F_DSA_PRINT,DSA_R_MISSING_PARAMETERS);
DSAerr(DSA_F_DSAPARAMS_PRINT,DSA_R_MISSING_PARAMETERS);
goto err;
}
if (x->q)
@ -752,7 +762,7 @@ int DSAparams_print(BIO *bp, const DSA *x)
m=(unsigned char *)OPENSSL_malloc(buf_len+10);
if (m == NULL)
{
DSAerr(DSA_F_DSA_PRINT,ERR_R_MALLOC_FAILURE);
DSAerr(DSA_F_DSAPARAMS_PRINT,ERR_R_MALLOC_FAILURE);
goto err;
}
@ -760,8 +770,8 @@ int DSAparams_print(BIO *bp, const DSA *x)
BN_num_bits(x->p)) <= 0)
goto err;
if (!print(bp,"p:",x->p,m,4)) goto err;
if (!print(bp,"q:",x->q,m,4)) goto err;
if (!print(bp,"g:",x->g,m,4)) goto err;
if ((x->q != NULL) && !print(bp,"q:",x->q,m,4)) goto err;
if ((x->g != NULL) && !print(bp,"g:",x->g,m,4)) goto err;
ret=1;
err:
if (m != NULL) OPENSSL_free(m);

View File

@ -98,7 +98,7 @@ static unsigned long tag2bit[32] = {
B_ASN1_OCTET_STRING, 0, 0, B_ASN1_UNKNOWN,/* tags 4- 7 */
B_ASN1_UNKNOWN, B_ASN1_UNKNOWN, B_ASN1_UNKNOWN, B_ASN1_UNKNOWN,/* tags 8-11 */
B_ASN1_UTF8STRING,B_ASN1_UNKNOWN,B_ASN1_UNKNOWN,B_ASN1_UNKNOWN,/* tags 12-15 */
0, 0, B_ASN1_NUMERICSTRING,B_ASN1_PRINTABLESTRING, /* tags 16-19 */
B_ASN1_SEQUENCE,0,B_ASN1_NUMERICSTRING,B_ASN1_PRINTABLESTRING, /* tags 16-19 */
B_ASN1_T61STRING,B_ASN1_VIDEOTEXSTRING,B_ASN1_IA5STRING, /* tags 20-22 */
B_ASN1_UTCTIME, B_ASN1_GENERALIZEDTIME, /* tags 23-24 */
B_ASN1_GRAPHICSTRING,B_ASN1_ISO64STRING,B_ASN1_GENERALSTRING, /* tags 25-27 */
@ -158,7 +158,7 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
const ASN1_EXTERN_FUNCS *ef;
const ASN1_AUX *aux = it->funcs;
ASN1_aux_cb *asn1_cb;
const unsigned char *p, *q;
const unsigned char *p = NULL, *q;
unsigned char *wp=NULL; /* BIG FAT WARNING! BREAKS CONST WHERE USED */
unsigned char imphack = 0, oclass;
char seq_eoc, seq_nolen, cst, isopt;
@ -283,6 +283,12 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
{
wp = *(unsigned char **)in;
imphack = *wp;
if (p == NULL)
{
ASN1err(ASN1_F_ASN1_ITEM_EX_D2I,
ERR_R_NESTED_ASN1_ERROR);
goto err;
}
*wp = (unsigned char)((*p & V_ASN1_CONSTRUCTED)
| it->utype);
}
@ -924,6 +930,8 @@ int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
if (!*pval)
{
typ = ASN1_TYPE_new();
if (typ == NULL)
goto err;
*pval = (ASN1_VALUE *)typ;
}
else
@ -1167,7 +1175,7 @@ static int asn1_collect(BUF_MEM *buf, const unsigned char **in, long len,
return 0;
#endif
}
else if (!collect_data(buf, &p, plen))
else if (plen && !collect_data(buf, &p, plen))
return 0;
len -= p - q;
}

View File

@ -676,17 +676,20 @@ void BIO_copy_next_retry(BIO *b);
/*long BIO_ghbn_ctrl(int cmd,int iarg,char *parg);*/
#ifndef __GNUC__
#define __attribute__(x)
#ifdef __GNUC__
# define __bio_h__attr__ __attribute__
#else
# define __bio_h__attr__(x)
#endif
int BIO_printf(BIO *bio, const char *format, ...)
__attribute__((__format__(__printf__,2,3)));
__bio_h__attr__((__format__(__printf__,2,3)));
int BIO_vprintf(BIO *bio, const char *format, va_list args)
__attribute__((__format__(__printf__,2,0)));
__bio_h__attr__((__format__(__printf__,2,0)));
int BIO_snprintf(char *buf, size_t n, const char *format, ...)
__attribute__((__format__(__printf__,3,4)));
__bio_h__attr__((__format__(__printf__,3,4)));
int BIO_vsnprintf(char *buf, size_t n, const char *format, va_list args)
__attribute__((__format__(__printf__,3,0)));
__bio_h__attr__((__format__(__printf__,3,0)));
#undef __bio_h__attr__
/* BEGIN ERROR CODES */
/* The following lines are auto generated by the script mkerr.pl. Any changes

View File

@ -469,7 +469,7 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr)
break;
case BIO_C_DO_STATE_MACHINE:
/* use this one to start the connection */
if (!(data->state != BIO_CONN_S_OK))
if (data->state != BIO_CONN_S_OK)
ret=(long)conn_state(b,data);
else
ret=1;

View File

@ -128,7 +128,10 @@ BIO *BIO_new_file(const char *filename, const char *mode)
return(NULL);
}
if ((ret=BIO_new(BIO_s_file_internal())) == NULL)
{
fclose(file);
return(NULL);
}
BIO_clear_flags(ret,BIO_FLAGS_UPLINK); /* we did fopen -> we disengage UPLINK */
BIO_set_fp(ret,file,BIO_CLOSE);

View File

@ -412,9 +412,15 @@ int BN_uadd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
int BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
int BN_sqr(BIGNUM *r, const BIGNUM *a,BN_CTX *ctx);
/* BN_set_negative(): sets sign of a bignum */
/** BN_set_negative sets sign of a BIGNUM
* \param b pointer to the BIGNUM object
* \param n 0 if the BIGNUM b should be positive and a value != 0 otherwise
*/
void BN_set_negative(BIGNUM *b, int n);
/* BN_get_negative(): returns 1 if the bignum is < 0 and 0 otherwise */
/** BN_is_negative returns 1 if the BIGNUM is negative
* \param a pointer to the BIGNUM object
* \return 1 if a < 0 and 0 otherwise
*/
#define BN_is_negative(a) ((a)->neg != 0)
int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,

View File

@ -220,8 +220,8 @@ void ERR_load_DH_strings(void);
/* Reason codes. */
#define DH_R_BAD_GENERATOR 101
#define DH_R_NO_PRIVATE_VALUE 100
#define DH_R_INVALID_PUBKEY 102
#define DH_R_NO_PRIVATE_VALUE 100
#ifdef __cplusplus
}

View File

@ -307,6 +307,7 @@ static struct file_st *win32_splitter(DSO *dso, const char *filename,
struct file_st *result = NULL;
enum { IN_NODE, IN_DEVICE, IN_FILE } position;
const char *start = filename;
char last;
if (!filename)
{
@ -337,7 +338,8 @@ static struct file_st *win32_splitter(DSO *dso, const char *filename,
do
{
switch(filename[0])
last = filename[0];
switch(last)
{
case ':':
if(position != IN_DEVICE)
@ -362,10 +364,19 @@ static struct file_st *win32_splitter(DSO *dso, const char *filename,
start = ++filename;
result->dir = start;
}
else if(position == IN_DEVICE)
{
position = IN_FILE;
filename++;
result->dir = start;
result->dirlen = filename - start;
start = filename;
}
else
{
filename++;
result->dirlen += filename - start;
start = filename;
}
break;
case '\0':
@ -379,12 +390,19 @@ static struct file_st *win32_splitter(DSO *dso, const char *filename,
{
if (assume_last_is_dir)
{
result->devicelen += filename - start;
if (position == IN_DEVICE)
{
result->dir = start;
result->dirlen = 0;
}
result->dirlen +=
filename - start;
}
else
{
result->file = start;
result->filelen = filename - start;
result->filelen =
filename - start;
}
}
}
@ -394,7 +412,7 @@ static struct file_st *win32_splitter(DSO *dso, const char *filename,
break;
}
}
while(*filename);
while(last);
if(!result->nodelen) result->node = NULL;
if(!result->devicelen) result->device = NULL;
@ -482,10 +500,13 @@ static char *win32_joiner(DSO *dso, const struct file_st *file_split)
result[offset] = '\\'; offset++;
start = end + 1;
}
#if 0 /* Not needed, since the directory converter above already appeneded
a backslash */
if(file_split->predir && (file_split->dir || file_split->file))
{
result[offset] = '\\'; offset++;
}
#endif
start = file_split->dir;
while(file_split->dirlen > (start - file_split->dir))
{
@ -500,10 +521,13 @@ static char *win32_joiner(DSO *dso, const struct file_st *file_split)
result[offset] = '\\'; offset++;
start = end + 1;
}
#if 0 /* Not needed, since the directory converter above already appeneded
a backslash */
if(file_split->dir && file_split->file)
{
result[offset] = '\\'; offset++;
}
#endif
strncpy(&result[offset], file_split->file,
file_split->filelen); offset += file_split->filelen;
result[offset] = '\0';
@ -546,15 +570,15 @@ static char *win32_merger(DSO *dso, const char *filespec1, const char *filespec2
}
else
{
filespec1_split = win32_splitter(dso, filespec1, 1);
filespec1_split = win32_splitter(dso, filespec1, 0);
if (!filespec1_split)
{
DSOerr(DSO_F_WIN32_MERGER,
ERR_R_MALLOC_FAILURE);
return(NULL);
}
filespec2_split = win32_splitter(dso, filespec2, 0);
if (!filespec1_split)
filespec2_split = win32_splitter(dso, filespec2, 1);
if (!filespec2_split)
{
DSOerr(DSO_F_WIN32_MERGER,
ERR_R_MALLOC_FAILURE);

View File

@ -385,6 +385,7 @@ void ERR_load_EC_strings(void);
#define EC_F_EC_ASN1_GROUP2PKPARAMETERS 156
#define EC_F_EC_ASN1_PARAMETERS2GROUP 157
#define EC_F_EC_ASN1_PKPARAMETERS2GROUP 158
#define EC_F_EC_EX_DATA_SET_DATA 211
#define EC_F_EC_GF2M_MONTGOMERY_POINT_MULTIPLY 208
#define EC_F_EC_GF2M_SIMPLE_GROUP_CHECK_DISCRIMINANT 159
#define EC_F_EC_GF2M_SIMPLE_GROUP_SET_CURVE 195
@ -428,7 +429,6 @@ void ERR_load_EC_strings(void);
#define EC_F_EC_GROUP_GET_ORDER 141
#define EC_F_EC_GROUP_GET_PENTANOMIAL_BASIS 193
#define EC_F_EC_GROUP_GET_TRINOMIAL_BASIS 194
#define EC_F_EC_GROUP_GROUP2NID 147
#define EC_F_EC_GROUP_NEW 108
#define EC_F_EC_GROUP_NEW_BY_CURVE_NAME 174
#define EC_F_EC_GROUP_NEW_FROM_DATA 175

View File

@ -637,7 +637,7 @@ typedef struct st_dynamic_fns {
* can be fully instantiated with IMPLEMENT_DYNAMIC_CHECK_FN(). */
typedef unsigned long (*dynamic_v_check_fn)(unsigned long ossl_version);
#define IMPLEMENT_DYNAMIC_CHECK_FN() \
unsigned long v_check(unsigned long v) { \
OPENSSL_EXPORT unsigned long v_check(unsigned long v) { \
if(v >= OSSL_DYNAMIC_OLDEST) return OSSL_DYNAMIC_VERSION; \
return 0; }
@ -659,6 +659,7 @@ typedef unsigned long (*dynamic_v_check_fn)(unsigned long ossl_version);
typedef int (*dynamic_bind_engine)(ENGINE *e, const char *id,
const dynamic_fns *fns);
#define IMPLEMENT_DYNAMIC_BIND_FN(fn) \
OPENSSL_EXPORT \
int bind_engine(ENGINE *e, const char *id, const dynamic_fns *fns) { \
if(ENGINE_get_static_state() == fns->static_state) goto skip_cbs; \
if(!CRYPTO_set_mem_functions(fns->mem_fns.malloc_cb, \

View File

@ -1108,7 +1108,7 @@ int ERR_pop_to_mark(void)
{
err_clear(es,es->top);
es->top-=1;
if (es->top == -1) es->top=ERR_NUM_ERRORS;
if (es->top == -1) es->top=ERR_NUM_ERRORS-1;
}
if (es->bottom == es->top) return 0;

View File

@ -580,6 +580,8 @@ int EVP_DecodeBlock(unsigned char *t, const unsigned char *f, int n);
void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *a);
int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *a);
EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void);
void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *a);
int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *x, int keylen);
int EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX *c, int pad);
int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr);

View File

@ -94,10 +94,11 @@ void idea_set_encrypt_key(const unsigned char *key, IDEA_KEY_SCHEDULE *ks)
}
}
void idea_set_decrypt_key(IDEA_KEY_SCHEDULE *ek, IDEA_KEY_SCHEDULE *dk)
void idea_set_decrypt_key(const IDEA_KEY_SCHEDULE *ek, IDEA_KEY_SCHEDULE *dk)
{
int r;
register IDEA_INT *fp,*tp,t;
register IDEA_INT *tp,t;
const IDEA_INT *fp;
tp= &(dk->data[0][0]);
fp= &(ek->data[8][0]);

View File

@ -84,7 +84,7 @@ const char *idea_options(void);
void idea_ecb_encrypt(const unsigned char *in, unsigned char *out,
IDEA_KEY_SCHEDULE *ks);
void idea_set_encrypt_key(const unsigned char *key, IDEA_KEY_SCHEDULE *ks);
void idea_set_decrypt_key(IDEA_KEY_SCHEDULE *ek, IDEA_KEY_SCHEDULE *dk);
void idea_set_decrypt_key(const IDEA_KEY_SCHEDULE *ek, IDEA_KEY_SCHEDULE *dk);
void idea_cbc_encrypt(const unsigned char *in, unsigned char *out,
long length, IDEA_KEY_SCHEDULE *ks, unsigned char *iv,int enc);
void idea_cfb64_encrypt(const unsigned char *in, unsigned char *out,

View File

@ -58,6 +58,7 @@
#include <stdio.h>
#include <ctype.h>
#include <limits.h>
#include "cryptlib.h"
#include <openssl/lhash.h>
#include <openssl/asn1.h>
@ -413,8 +414,8 @@ ASN1_OBJECT *OBJ_txt2obj(const char *s, int no_name)
/* Work out size of content octets */
i=a2d_ASN1_OBJECT(NULL,0,s,-1);
if (i <= 0) {
/* Clear the error */
ERR_clear_error();
/* Don't clear the error */
/*ERR_clear_error();*/
return NULL;
}
/* Work out total size */
@ -436,66 +437,161 @@ ASN1_OBJECT *OBJ_txt2obj(const char *s, int no_name)
int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
{
int i,idx=0,n=0,len,nid;
int i,n=0,len,nid, first, use_bn;
BIGNUM *bl;
unsigned long l;
unsigned char *p;
const char *s;
char tbuf[DECIMAL_SIZE(i)+DECIMAL_SIZE(l)+2];
if (buf_len <= 0) return(0);
if ((a == NULL) || (a->data == NULL)) {
buf[0]='\0';
return(0);
}
if (no_name || (nid=OBJ_obj2nid(a)) == NID_undef) {
len=a->length;
p=a->data;
idx=0;
l=0;
while (idx < a->length) {
l|=(p[idx]&0x7f);
if (!(p[idx] & 0x80)) break;
l<<=7L;
idx++;
}
idx++;
i=(int)(l/40);
if (i > 2) i=2;
l-=(long)(i*40);
BIO_snprintf(tbuf,sizeof tbuf,"%d.%lu",i,l);
i=strlen(tbuf);
BUF_strlcpy(buf,tbuf,buf_len);
buf_len-=i;
buf+=i;
n+=i;
l=0;
for (; idx<len; idx++) {
l|=p[idx]&0x7f;
if (!(p[idx] & 0x80)) {
BIO_snprintf(tbuf,sizeof tbuf,".%lu",l);
i=strlen(tbuf);
if (buf_len > 0)
BUF_strlcpy(buf,tbuf,buf_len);
buf_len-=i;
buf+=i;
n+=i;
l=0;
}
l<<=7L;
}
} else {
if (!no_name && (nid=OBJ_obj2nid(a)) != NID_undef)
{
const char *s;
s=OBJ_nid2ln(nid);
if (s == NULL)
s=OBJ_nid2sn(nid);
BUF_strlcpy(buf,s,buf_len);
if (buf)
BUF_strlcpy(buf,s,buf_len);
n=strlen(s);
}
return(n);
return n;
}
len=a->length;
p=a->data;
first = 1;
bl = NULL;
while (len > 0)
{
l=0;
use_bn = 0;
for (;;)
{
unsigned char c = *p++;
len--;
if ((len == 0) && (c & 0x80))
goto err;
if (use_bn)
{
if (!BN_add_word(bl, c & 0x7f))
goto err;
}
else
l |= c & 0x7f;
if (!(c & 0x80))
break;
if (!use_bn && (l > (ULONG_MAX >> 7L)))
{
if (!bl && !(bl = BN_new()))
goto err;
if (!BN_set_word(bl, l))
goto err;
use_bn = 1;
}
if (use_bn)
{
if (!BN_lshift(bl, bl, 7))
goto err;
}
else
l<<=7L;
}
if (first)
{
first = 0;
if (l >= 80)
{
i = 2;
if (use_bn)
{
if (!BN_sub_word(bl, 80))
goto err;
}
else
l -= 80;
}
else
{
i=(int)(l/40);
l-=(long)(i*40);
}
if (buf && (buf_len > 0))
{
*buf++ = i + '0';
buf_len--;
}
n++;
}
if (use_bn)
{
char *bndec;
bndec = BN_bn2dec(bl);
if (!bndec)
goto err;
i = strlen(bndec);
if (buf)
{
if (buf_len > 0)
{
*buf++ = '.';
buf_len--;
}
BUF_strlcpy(buf,bndec,buf_len);
if (i > buf_len)
{
buf += buf_len;
buf_len = 0;
}
else
{
buf+=i;
buf_len-=i;
}
}
n++;
n += i;
OPENSSL_free(bndec);
}
else
{
BIO_snprintf(tbuf,sizeof tbuf,".%lu",l);
i=strlen(tbuf);
if (buf && (buf_len > 0))
{
BUF_strlcpy(buf,tbuf,buf_len);
if (i > buf_len)
{
buf += buf_len;
buf_len = 0;
}
else
{
buf+=i;
buf_len-=i;
}
}
n+=i;
l=0;
}
}
if (bl)
BN_free(bl);
return n;
err:
if (bl)
BN_free(bl);
return -1;
}
int OBJ_txt2nid(const char *s)

View File

@ -25,11 +25,11 @@
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
#define OPENSSL_VERSION_NUMBER 0x0090801fL
#define OPENSSL_VERSION_NUMBER 0x0090802fL
#ifdef OPENSSL_FIPS
#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8a-fips 11 Oct 2005"
#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8b-fips 04 May 2006"
#else
#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8a 11 Oct 2005"
#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8b 04 May 2006"
#endif
#define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT

View File

@ -105,10 +105,10 @@ OPENSSL_DECLARE_EXIT
#ifndef HZ
#ifndef CLK_TCK
#define HZ 100.0
#endif
#else /* CLK_TCK */
#else /* CLK_TCK */
#define HZ ((double)CLK_TCK)
#endif
#endif /* CLK_TCK */
#endif /* HZ */
#define BUFSIZE ((long)1024)
long run=0;

View File

@ -411,17 +411,17 @@ void ERR_load_RSA_strings(void);
#define RSA_R_NULL_BEFORE_BLOCK_MISSING 113
#define RSA_R_N_DOES_NOT_EQUAL_P_Q 127
#define RSA_R_OAEP_DECODING_ERROR 121
#define RSA_R_SLEN_RECOVERY_FAILED 135
#define RSA_R_PADDING_CHECK_FAILED 114
#define RSA_R_P_NOT_PRIME 128
#define RSA_R_Q_NOT_PRIME 129
#define RSA_R_RSA_OPERATIONS_NOT_SUPPORTED 130
#define RSA_R_SLEN_CHECK_FAILED 136
#define RSA_R_SLEN_RECOVERY_FAILED 135
#define RSA_R_SSLV3_ROLLBACK_ATTACK 115
#define RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD 116
#define RSA_R_UNKNOWN_ALGORITHM_TYPE 117
#define RSA_R_UNKNOWN_PADDING_TYPE 118
#define RSA_R_WRONG_SIGNATURE_LENGTH 119
#define RSA_R_SLEN_CHECK_FAILED 136
#ifdef __cplusplus
}

View File

@ -412,6 +412,8 @@ err:
BN_CTX_end(ctx);
if (in_ctx == NULL)
BN_CTX_free(ctx);
if(rsa->e == NULL)
BN_free(e);
return ret;
}

View File

@ -18,7 +18,7 @@ authentication code
void HMAC_Init(HMAC_CTX *ctx, const void *key, int key_len,
const EVP_MD *md);
void HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int key_len,
const EVP_MD *md);
const EVP_MD *md, ENGINE *impl);
void HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, int len);
void HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len);

View File

@ -4295,7 +4295,7 @@ X-Status:
Loading client certs into MSIE 3.01
===================================
This document conatains all the information necessary to succesfully set up
This document contains all the information necessary to successfully set up
some scripts to issue client certs to Microsoft Internet Explorer. It
includes the required knowledge about the model MSIE uses for client
certification and includes complete sample scripts ready to play with. The

View File

@ -84,6 +84,13 @@ extern "C" {
/* ---------------------- Microsoft operating systems ---------------------- */
/* Note that MSDOS actually denotes 32-bit environments running on top of
MS-DOS, such as DJGPP one. */
#if defined(OPENSSL_SYSNAME_MSDOS)
# undef OPENSSL_SYS_UNIX
# define OPENSSL_SYS_MSDOS
#endif
/* For 32 bit environment, there seems to be the CygWin environment and then
all the others that try to do the same thing Microsoft does... */
#if defined(OPENSSL_SYSNAME_UWIN)

View File

@ -140,7 +140,7 @@ IMPLEMENT_ssl23_meth_func(SSLv23_server_method,
int ssl23_accept(SSL *s)
{
BUF_MEM *buf;
unsigned long Time=time(NULL);
unsigned long Time=(unsigned long)time(NULL);
void (*cb)(const SSL *ssl,int type,int val)=NULL;
int ret= -1;
int new_state,state;

View File

@ -144,7 +144,7 @@ IMPLEMENT_ssl2_meth_func(SSLv2_client_method,
int ssl2_connect(SSL *s)
{
unsigned long l=time(NULL);
unsigned long l=(unsigned long)time(NULL);
BUF_MEM *buf=NULL;
int ret= -1;
void (*cb)(const SSL *ssl,int type,int val)=NULL;

View File

@ -144,7 +144,7 @@ IMPLEMENT_ssl2_meth_func(SSLv2_server_method,
int ssl2_accept(SSL *s)
{
unsigned long l=time(NULL);
unsigned long l=(unsigned long)time(NULL);
BUF_MEM *buf=NULL;
int ret= -1;
long num1;

View File

@ -159,7 +159,7 @@ IMPLEMENT_ssl3_meth_func(SSLv3_client_method,
int ssl3_connect(SSL *s)
{
BUF_MEM *buf=NULL;
unsigned long Time=time(NULL),l;
unsigned long Time=(unsigned long)time(NULL),l;
long num1;
void (*cb)(const SSL *ssl,int type,int val)=NULL;
int ret= -1;
@ -541,7 +541,7 @@ int ssl3_client_hello(SSL *s)
/* else use the pre-loaded session */
p=s->s3->client_random;
Time=time(NULL); /* Time */
Time=(unsigned long)time(NULL); /* Time */
l2n(Time,p);
if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
goto err;
@ -1211,12 +1211,12 @@ int ssl3_get_key_exchange(SSL *s)
*/
/* XXX: For now we only support named (not generic) curves
* and the ECParameters in this case is just two bytes.
* and the ECParameters in this case is just three bytes.
*/
param_len=2;
param_len=3;
if ((param_len > n) ||
(*p != NAMED_CURVE_TYPE) ||
((curve_nid = curve_id2nid(*(p + 1))) == 0))
((curve_nid = curve_id2nid(*(p + 2))) == 0))
{
al=SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
@ -1246,7 +1246,7 @@ int ssl3_get_key_exchange(SSL *s)
goto f_err;
}
p+=2;
p+=3;
/* Next, get the encoded ECPoint */
if (((srvr_ecpoint = EC_POINT_new(group)) == NULL) ||
@ -1614,22 +1614,6 @@ int ssl3_get_server_done(SSL *s)
}
#ifndef OPENSSL_NO_ECDH
static const int KDF1_SHA1_len = 20;
static void *KDF1_SHA1(const void *in, size_t inlen, void *out, size_t *outlen)
{
#ifndef OPENSSL_NO_SHA
if (*outlen < SHA_DIGEST_LENGTH)
return NULL;
else
*outlen = SHA_DIGEST_LENGTH;
return SHA1(in, inlen, out);
#else
return NULL;
#endif /* OPENSSL_NO_SHA */
}
#endif /* OPENSSL_NO_ECDH */
int ssl3_send_client_key_exchange(SSL *s)
{
unsigned char *p,*d;
@ -2027,14 +2011,7 @@ int ssl3_send_client_key_exchange(SSL *s)
ERR_R_ECDH_LIB);
goto err;
}
/* If field size is not more than 24 octets, then use SHA-1 hash of result;
* otherwise, use result (see section 4.8 of draft-ietf-tls-ecc-03.txt;
* this is new with this version of the Internet Draft).
*/
if (field_size <= 24 * 8)
n=ECDH_compute_key(p, KDF1_SHA1_len, srvr_ecpoint, clnt_ecdh, KDF1_SHA1);
else
n=ECDH_compute_key(p, (field_size+7)/8, srvr_ecpoint, clnt_ecdh, NULL);
n=ECDH_compute_key(p, (field_size+7)/8, srvr_ecpoint, clnt_ecdh, NULL);
if (n <= 0)
{
SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,

View File

@ -901,317 +901,6 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
#ifndef OPENSSL_NO_ECDH
/* Cipher 47 */
{
1,
TLS1_TXT_ECDH_ECDSA_WITH_NULL_SHA,
TLS1_CK_ECDH_ECDSA_WITH_NULL_SHA,
SSL_kECDH|SSL_aECDSA|SSL_eNULL|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP,
0,
0,
0,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 48 */
{
1,
TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA,
TLS1_CK_ECDH_ECDSA_WITH_RC4_128_SHA,
SSL_kECDH|SSL_aECDSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP,
0,
128,
128,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 49 */
{
1,
TLS1_TXT_ECDH_ECDSA_WITH_DES_CBC_SHA,
TLS1_CK_ECDH_ECDSA_WITH_DES_CBC_SHA,
SSL_kECDH|SSL_aECDSA|SSL_DES|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP|SSL_LOW,
0,
56,
56,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 4A */
{
1,
TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA,
TLS1_CK_ECDH_ECDSA_WITH_DES_192_CBC3_SHA,
SSL_kECDH|SSL_aECDSA|SSL_3DES|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
0,
168,
168,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 4B */
{
1,
TLS1_TXT_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
TLS1_CK_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
SSL_kECDH|SSL_aECDSA|SSL_AES|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
0,
128,
128,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 4C */
{
1,
TLS1_TXT_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
TLS1_CK_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
SSL_kECDH|SSL_aECDSA|SSL_AES|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
0,
256,
256,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 4D */
{
1,
TLS1_TXT_ECDH_RSA_WITH_NULL_SHA,
TLS1_CK_ECDH_RSA_WITH_NULL_SHA,
SSL_kECDH|SSL_aRSA|SSL_eNULL|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP,
0,
0,
0,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 4E */
{
1,
TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA,
TLS1_CK_ECDH_RSA_WITH_RC4_128_SHA,
SSL_kECDH|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP,
0,
128,
128,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 4F */
{
1,
TLS1_TXT_ECDH_RSA_WITH_DES_CBC_SHA,
TLS1_CK_ECDH_RSA_WITH_DES_CBC_SHA,
SSL_kECDH|SSL_aRSA|SSL_DES|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP|SSL_LOW,
0,
56,
56,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 50 */
{
1,
TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA,
TLS1_CK_ECDH_RSA_WITH_DES_192_CBC3_SHA,
SSL_kECDH|SSL_aRSA|SSL_3DES|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
0,
168,
168,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 51 */
{
1,
TLS1_TXT_ECDH_RSA_WITH_AES_128_CBC_SHA,
TLS1_CK_ECDH_RSA_WITH_AES_128_CBC_SHA,
SSL_kECDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
0,
128,
128,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 52 */
{
1,
TLS1_TXT_ECDH_RSA_WITH_AES_256_CBC_SHA,
TLS1_CK_ECDH_RSA_WITH_AES_256_CBC_SHA,
SSL_kECDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
0,
256,
256,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 53 */
{
1,
TLS1_TXT_ECDH_RSA_EXPORT_WITH_RC4_40_SHA,
TLS1_CK_ECDH_RSA_EXPORT_WITH_RC4_40_SHA,
SSL_kECDH|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
SSL_EXPORT|SSL_EXP40,
0,
40,
128,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 54 */
{
1,
TLS1_TXT_ECDH_RSA_EXPORT_WITH_RC4_56_SHA,
TLS1_CK_ECDH_RSA_EXPORT_WITH_RC4_56_SHA,
SSL_kECDH|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
SSL_EXPORT|SSL_EXP56,
0,
56,
128,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 55 */
{
1,
TLS1_TXT_ECDH_anon_WITH_NULL_SHA,
TLS1_CK_ECDH_anon_WITH_NULL_SHA,
SSL_kECDHE|SSL_aNULL|SSL_eNULL|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP,
0,
0,
0,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 56 */
{
1,
TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA,
TLS1_CK_ECDH_anon_WITH_RC4_128_SHA,
SSL_kECDHE|SSL_aNULL|SSL_RC4|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP,
0,
128,
128,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 57 */
{
1,
TLS1_TXT_ECDH_anon_WITH_DES_CBC_SHA,
TLS1_CK_ECDH_anon_WITH_DES_CBC_SHA,
SSL_kECDHE|SSL_aNULL|SSL_DES|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP|SSL_LOW,
0,
56,
56,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 58 */
{
1,
TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA,
TLS1_CK_ECDH_anon_WITH_DES_192_CBC3_SHA,
SSL_kECDHE|SSL_aNULL|SSL_3DES|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
0,
168,
168,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 59 */
{
1,
TLS1_TXT_ECDH_anon_EXPORT_WITH_DES_40_CBC_SHA,
TLS1_CK_ECDH_anon_EXPORT_WITH_DES_40_CBC_SHA,
SSL_kECDHE|SSL_aNULL|SSL_DES|SSL_SHA|SSL_TLSV1,
SSL_EXPORT|SSL_EXP40,
0,
40,
56,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 5A */
{
1,
TLS1_TXT_ECDH_anon_EXPORT_WITH_RC4_40_SHA,
TLS1_CK_ECDH_anon_EXPORT_WITH_RC4_40_SHA,
SSL_kECDHE|SSL_aNULL|SSL_RC4|SSL_SHA|SSL_TLSV1,
SSL_EXPORT|SSL_EXP40,
0,
40,
128,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 5B */
/* XXX NOTE: The ECC/TLS draft has a bug and reuses 4B for this */
{
1,
TLS1_TXT_ECDH_ECDSA_EXPORT_WITH_RC4_40_SHA,
TLS1_CK_ECDH_ECDSA_EXPORT_WITH_RC4_40_SHA,
SSL_kECDH|SSL_aECDSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
SSL_EXPORT|SSL_EXP40,
0,
40,
128,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher 5C */
/* XXX NOTE: The ECC/TLS draft has a bug and reuses 4C for this */
{
1,
TLS1_TXT_ECDH_ECDSA_EXPORT_WITH_RC4_56_SHA,
TLS1_CK_ECDH_ECDSA_EXPORT_WITH_RC4_56_SHA,
SSL_kECDH|SSL_aECDSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
SSL_EXPORT|SSL_EXP56,
0,
56,
128,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
#endif /* OPENSSL_NO_ECDH */
#if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES
/* New TLS Export CipherSuites */
@ -1307,16 +996,120 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
SSL_ALL_STRENGTHS
},
#endif
#ifndef OPENSSL_NO_ECDH
/* Cipher 77 XXX: ECC ciphersuites offering forward secrecy
* are not yet specified in the ECC/TLS draft but our code
* allows them to be implemented very easily. To add such
* a cipher suite, one needs to add two constant definitions
* to tls1.h and a new structure in this file as shown below. We
* illustrate the process for the made-up cipher
* ECDHE-ECDSA-AES128-SHA.
*/
/* Cipher C001 */
{
1,
TLS1_TXT_ECDH_ECDSA_WITH_NULL_SHA,
TLS1_CK_ECDH_ECDSA_WITH_NULL_SHA,
SSL_kECDH|SSL_aECDSA|SSL_eNULL|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP,
0,
0,
0,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher C002 */
{
1,
TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA,
TLS1_CK_ECDH_ECDSA_WITH_RC4_128_SHA,
SSL_kECDH|SSL_aECDSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP,
0,
128,
128,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher C003 */
{
1,
TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA,
TLS1_CK_ECDH_ECDSA_WITH_DES_192_CBC3_SHA,
SSL_kECDH|SSL_aECDSA|SSL_3DES|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
0,
168,
168,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher C004 */
{
1,
TLS1_TXT_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
TLS1_CK_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
SSL_kECDH|SSL_aECDSA|SSL_AES|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
0,
128,
128,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher C005 */
{
1,
TLS1_TXT_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
TLS1_CK_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
SSL_kECDH|SSL_aECDSA|SSL_AES|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
0,
256,
256,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher C006 */
{
1,
TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA,
TLS1_CK_ECDHE_ECDSA_WITH_NULL_SHA,
SSL_kECDHE|SSL_aECDSA|SSL_eNULL|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP,
0,
0,
0,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher C007 */
{
1,
TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA,
TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA,
SSL_kECDHE|SSL_aECDSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP,
0,
128,
128,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher C008 */
{
1,
TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
SSL_kECDHE|SSL_aECDSA|SSL_3DES|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
0,
168,
168,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher C009 */
{
1,
TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
@ -1330,9 +1123,133 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
SSL_ALL_STRENGTHS,
},
/* Cipher 78 XXX: Another made-up ECC cipher suite that
* offers forward secrecy (ECDHE-RSA-AES128-SHA).
*/
/* Cipher C00A */
{
1,
TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
SSL_kECDHE|SSL_aECDSA|SSL_AES|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
0,
256,
256,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher C00B */
{
1,
TLS1_TXT_ECDH_RSA_WITH_NULL_SHA,
TLS1_CK_ECDH_RSA_WITH_NULL_SHA,
SSL_kECDH|SSL_aRSA|SSL_eNULL|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP,
0,
0,
0,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher C00C */
{
1,
TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA,
TLS1_CK_ECDH_RSA_WITH_RC4_128_SHA,
SSL_kECDH|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP,
0,
128,
128,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher C00D */
{
1,
TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA,
TLS1_CK_ECDH_RSA_WITH_DES_192_CBC3_SHA,
SSL_kECDH|SSL_aRSA|SSL_3DES|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
0,
168,
168,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher C00E */
{
1,
TLS1_TXT_ECDH_RSA_WITH_AES_128_CBC_SHA,
TLS1_CK_ECDH_RSA_WITH_AES_128_CBC_SHA,
SSL_kECDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
0,
128,
128,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher C00F */
{
1,
TLS1_TXT_ECDH_RSA_WITH_AES_256_CBC_SHA,
TLS1_CK_ECDH_RSA_WITH_AES_256_CBC_SHA,
SSL_kECDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
0,
256,
256,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher C010 */
{
1,
TLS1_TXT_ECDHE_RSA_WITH_NULL_SHA,
TLS1_CK_ECDHE_RSA_WITH_NULL_SHA,
SSL_kECDHE|SSL_aRSA|SSL_eNULL|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP,
0,
0,
0,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher C011 */
{
1,
TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA,
TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA,
SSL_kECDHE|SSL_aRSA|SSL_RC4|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP,
0,
128,
128,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher C012 */
{
1,
TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
SSL_kECDHE|SSL_aRSA|SSL_3DES|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
0,
168,
168,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher C013 */
{
1,
TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,
@ -1345,7 +1262,91 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
#endif /* !OPENSSL_NO_ECDH */
/* Cipher C014 */
{
1,
TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
SSL_kECDHE|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
0,
256,
256,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher C015 */
{
1,
TLS1_TXT_ECDH_anon_WITH_NULL_SHA,
TLS1_CK_ECDH_anon_WITH_NULL_SHA,
SSL_kECDHE|SSL_aNULL|SSL_eNULL|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP,
0,
0,
0,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher C016 */
{
1,
TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA,
TLS1_CK_ECDH_anon_WITH_RC4_128_SHA,
SSL_kECDHE|SSL_aNULL|SSL_RC4|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP,
0,
128,
128,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher C017 */
{
1,
TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA,
TLS1_CK_ECDH_anon_WITH_DES_192_CBC3_SHA,
SSL_kECDHE|SSL_aNULL|SSL_3DES|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
0,
168,
168,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher C018 */
{
1,
TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA,
TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA,
SSL_kECDHE|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
0,
128,
128,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
/* Cipher C019 */
{
1,
TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA,
TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA,
SSL_kECDHE|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
0,
256,
256,
SSL_ALL_CIPHERS,
SSL_ALL_STRENGTHS,
},
#endif /* OPENSSL_NO_ECDH */
/* end of list */
};

View File

@ -164,7 +164,7 @@ IMPLEMENT_ssl3_meth_func(SSLv3_server_method,
int ssl3_accept(SSL *s)
{
BUF_MEM *buf;
unsigned long l,Time=time(NULL);
unsigned long l,Time=(unsigned long)time(NULL);
void (*cb)(const SSL *ssl,int type,int val)=NULL;
long num1;
int ret= -1;
@ -1038,7 +1038,7 @@ int ssl3_send_server_hello(SSL *s)
{
buf=(unsigned char *)s->init_buf->data;
p=s->s3->server_random;
Time=time(NULL); /* Time */
Time=(unsigned long)time(NULL); /* Time */
l2n(Time,p);
if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
return -1;
@ -1366,11 +1366,11 @@ int ssl3_send_server_key_exchange(SSL *s)
/* XXX: For now, we only support named (not
* generic) curves in ECDH ephemeral key exchanges.
* In this situation, we need three additional bytes
* In this situation, we need four additional bytes
* to encode the entire ServerECDHParams
* structure.
*/
n = 3 + encodedlen;
n = 4 + encodedlen;
/* We'll generate the serverKeyExchange message
* explicitly so we can set these to NULLs
@ -1378,6 +1378,7 @@ int ssl3_send_server_key_exchange(SSL *s)
r[0]=NULL;
r[1]=NULL;
r[2]=NULL;
r[3]=NULL;
}
else
#endif /* !OPENSSL_NO_ECDH */
@ -1428,12 +1429,14 @@ int ssl3_send_server_key_exchange(SSL *s)
{
/* XXX: For now, we only support named (not generic) curves.
* In this situation, the serverKeyExchange message has:
* [1 byte CurveType], [1 byte CurveName]
* [1 byte CurveType], [2 byte CurveName]
* [1 byte length of encoded point], followed by
* the actual encoded point itself
*/
*p = NAMED_CURVE_TYPE;
p += 1;
*p = 0;
p += 1;
*p = curve_id;
p += 1;
*p = encodedlen;
@ -1637,23 +1640,6 @@ err:
return(-1);
}
#ifndef OPENSSL_NO_ECDH
static const int KDF1_SHA1_len = 20;
static void *KDF1_SHA1(const void *in, size_t inlen, void *out, size_t *outlen)
{
#ifndef OPENSSL_NO_SHA
if (*outlen < SHA_DIGEST_LENGTH)
return NULL;
else
*outlen = SHA_DIGEST_LENGTH;
return SHA1(in, inlen, out);
#else
return NULL;
#endif /* OPENSSL_NO_SHA */
}
#endif /* OPENSSL_NO_ECDH */
int ssl3_get_client_key_exchange(SSL *s)
{
int i,al,ok;
@ -2116,8 +2102,13 @@ int ssl3_get_client_key_exchange(SSL *s)
goto f_err;
}
EC_POINT_copy(clnt_ecpoint,
EC_KEY_get0_public_key(clnt_pub_pkey->pkey.ec));
if (EC_POINT_copy(clnt_ecpoint,
EC_KEY_get0_public_key(clnt_pub_pkey->pkey.ec)) == 0)
{
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
ERR_R_EC_LIB);
goto err;
}
ret = 2; /* Skip certificate verify processing */
}
else
@ -2156,14 +2147,7 @@ int ssl3_get_client_key_exchange(SSL *s)
ERR_R_ECDH_LIB);
goto err;
}
/* If field size is not more than 24 octets, then use SHA-1 hash of result;
* otherwise, use result (see section 4.8 of draft-ietf-tls-ecc-03.txt;
* this is new with this version of the Internet Draft).
*/
if (field_size <= 24 * 8)
i = ECDH_compute_key(p, KDF1_SHA1_len, clnt_ecpoint, srvr_ecdh, KDF1_SHA1);
else
i = ECDH_compute_key(p, (field_size+7)/8, clnt_ecpoint, srvr_ecdh, NULL);
i = ECDH_compute_key(p, (field_size+7)/8, clnt_ecpoint, srvr_ecdh, NULL);
if (i <= 0)
{
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,

View File

@ -1543,35 +1543,35 @@ void ERR_load_SSL_strings(void);
/* Function codes. */
#define SSL_F_CLIENT_CERTIFICATE 100
#define SSL_F_CLIENT_FINISHED 238
#define SSL_F_CLIENT_FINISHED 167
#define SSL_F_CLIENT_HELLO 101
#define SSL_F_CLIENT_MASTER_KEY 102
#define SSL_F_D2I_SSL_SESSION 103
#define SSL_F_DO_DTLS1_WRITE 1003
#define SSL_F_DO_DTLS1_WRITE 245
#define SSL_F_DO_SSL3_WRITE 104
#define SSL_F_DTLS1_ACCEPT 1004
#define SSL_F_DTLS1_BUFFER_RECORD 1005
#define SSL_F_DTLS1_CLIENT_HELLO 1006
#define SSL_F_DTLS1_CONNECT 1007
#define SSL_F_DTLS1_ENC 1008
#define SSL_F_DTLS1_GET_HELLO_VERIFY 1009
#define SSL_F_DTLS1_GET_MESSAGE 1010
#define SSL_F_DTLS1_GET_MESSAGE_FRAGMENT 1011
#define SSL_F_DTLS1_GET_RECORD 1012
#define SSL_F_DTLS1_OUTPUT_CERT_CHAIN 1013
#define SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE 1014
#define SSL_F_DTLS1_PROCESS_RECORD 1015
#define SSL_F_DTLS1_READ_BYTES 1016
#define SSL_F_DTLS1_READ_FAILED 1001
#define SSL_F_DTLS1_SEND_CERTIFICATE_REQUEST 1017
#define SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE 1018
#define SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE 1019
#define SSL_F_DTLS1_SEND_CLIENT_VERIFY 1020
#define SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST 1002
#define SSL_F_DTLS1_SEND_SERVER_CERTIFICATE 1021
#define SSL_F_DTLS1_SEND_SERVER_HELLO 1022
#define SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE 1023
#define SSL_F_DTLS1_WRITE_APP_DATA_BYTES 1024
#define SSL_F_DTLS1_ACCEPT 246
#define SSL_F_DTLS1_BUFFER_RECORD 247
#define SSL_F_DTLS1_CLIENT_HELLO 248
#define SSL_F_DTLS1_CONNECT 249
#define SSL_F_DTLS1_ENC 250
#define SSL_F_DTLS1_GET_HELLO_VERIFY 251
#define SSL_F_DTLS1_GET_MESSAGE 252
#define SSL_F_DTLS1_GET_MESSAGE_FRAGMENT 253
#define SSL_F_DTLS1_GET_RECORD 254
#define SSL_F_DTLS1_OUTPUT_CERT_CHAIN 255
#define SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE 256
#define SSL_F_DTLS1_PROCESS_RECORD 257
#define SSL_F_DTLS1_READ_BYTES 258
#define SSL_F_DTLS1_READ_FAILED 259
#define SSL_F_DTLS1_SEND_CERTIFICATE_REQUEST 260
#define SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE 261
#define SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE 262
#define SSL_F_DTLS1_SEND_CLIENT_VERIFY 263
#define SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST 264
#define SSL_F_DTLS1_SEND_SERVER_CERTIFICATE 265
#define SSL_F_DTLS1_SEND_SERVER_HELLO 266
#define SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE 267
#define SSL_F_DTLS1_WRITE_APP_DATA_BYTES 268
#define SSL_F_GET_CLIENT_FINISHED 105
#define SSL_F_GET_CLIENT_HELLO 106
#define SSL_F_GET_CLIENT_MASTER_KEY 107
@ -1655,7 +1655,7 @@ void ERR_load_SSL_strings(void);
#define SSL_F_SSL_CTRL 232
#define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY 168
#define SSL_F_SSL_CTX_NEW 169
#define SSL_F_SSL_CTX_SET_CIPHER_LIST 1026
#define SSL_F_SSL_CTX_SET_CIPHER_LIST 269
#define SSL_F_SSL_CTX_SET_PURPOSE 226
#define SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT 219
#define SSL_F_SSL_CTX_SET_SSL_VERSION 170
@ -1678,7 +1678,7 @@ void ERR_load_SSL_strings(void);
#define SSL_F_SSL_INIT_WBIO_BUFFER 184
#define SSL_F_SSL_LOAD_CLIENT_CA_FILE 185
#define SSL_F_SSL_NEW 186
#define SSL_F_SSL_PEEK 1025
#define SSL_F_SSL_PEEK 270
#define SSL_F_SSL_READ 223
#define SSL_F_SSL_RSA_PRIVATE_DECRYPT 187
#define SSL_F_SSL_RSA_PUBLIC_ENCRYPT 188
@ -1686,7 +1686,7 @@ void ERR_load_SSL_strings(void);
#define SSL_F_SSL_SESSION_PRINT_FP 190
#define SSL_F_SSL_SESS_CERT_NEW 225
#define SSL_F_SSL_SET_CERT 191
#define SSL_F_SSL_SET_CIPHER_LIST 1027
#define SSL_F_SSL_SET_CIPHER_LIST 271
#define SSL_F_SSL_SET_FD 192
#define SSL_F_SSL_SET_PKEY 193
#define SSL_F_SSL_SET_PURPOSE 227
@ -1729,9 +1729,9 @@ void ERR_load_SSL_strings(void);
#define SSL_R_BAD_DH_P_LENGTH 110
#define SSL_R_BAD_DIGEST_LENGTH 111
#define SSL_R_BAD_DSA_SIGNATURE 112
#define SSL_R_BAD_ECC_CERT 1117
#define SSL_R_BAD_ECDSA_SIGNATURE 1112
#define SSL_R_BAD_ECPOINT 1113
#define SSL_R_BAD_ECC_CERT 304
#define SSL_R_BAD_ECDSA_SIGNATURE 305
#define SSL_R_BAD_ECPOINT 306
#define SSL_R_BAD_HELLO_REQUEST 105
#define SSL_R_BAD_LENGTH 271
#define SSL_R_BAD_MAC_DECODE 113
@ -1763,50 +1763,49 @@ void ERR_load_SSL_strings(void);
#define SSL_R_CIPHER_TABLE_SRC_ERROR 139
#define SSL_R_COMPRESSED_LENGTH_TOO_LONG 140
#define SSL_R_COMPRESSION_FAILURE 141
#define SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE 1120
#define SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE 307
#define SSL_R_COMPRESSION_LIBRARY_ERROR 142
#define SSL_R_CONNECTION_ID_IS_DIFFERENT 143
#define SSL_R_CONNECTION_TYPE_NOT_SET 144
#define SSL_R_COOKIE_MISMATCH 2002
#define SSL_R_COOKIE_MISMATCH 308
#define SSL_R_DATA_BETWEEN_CCS_AND_FINISHED 145
#define SSL_R_DATA_LENGTH_TOO_LONG 146
#define SSL_R_DECRYPTION_FAILED 147
#define SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC 1109
#define SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC 281
#define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG 148
#define SSL_R_DIGEST_CHECK_FAILED 149
#define SSL_R_DUPLICATE_COMPRESSION_ID 1121
#define SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER 1119
#define SSL_R_DUPLICATE_COMPRESSION_ID 309
#define SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER 310
#define SSL_R_ENCRYPTED_LENGTH_TOO_LONG 150
#define SSL_R_ERROR_GENERATING_TMP_RSA_KEY 1092
#define SSL_R_ERROR_GENERATING_TMP_RSA_KEY 282
#define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST 151
#define SSL_R_EXCESSIVE_MESSAGE_SIZE 152
#define SSL_R_EXTRA_DATA_IN_MESSAGE 153
#define SSL_R_GOT_A_FIN_BEFORE_A_CCS 154
#define SSL_R_HTTPS_PROXY_REQUEST 155
#define SSL_R_HTTP_REQUEST 156
#define SSL_R_ILLEGAL_PADDING 1110
#define SSL_R_ILLEGAL_PADDING 283
#define SSL_R_INVALID_CHALLENGE_LENGTH 158
#define SSL_R_INVALID_COMMAND 280
#define SSL_R_INVALID_PURPOSE 278
#define SSL_R_INVALID_TRUST 279
#define SSL_R_KEY_ARG_TOO_LONG 1112
#define SSL_R_KRB5 1104
#define SSL_R_KRB5_C_CC_PRINC 1094
#define SSL_R_KRB5_C_GET_CRED 1095
#define SSL_R_KRB5_C_INIT 1096
#define SSL_R_KRB5_C_MK_REQ 1097
#define SSL_R_KRB5_S_BAD_TICKET 1098
#define SSL_R_KRB5_S_INIT 1099
#define SSL_R_KRB5_S_RD_REQ 1108
#define SSL_R_KRB5_S_TKT_EXPIRED 1105
#define SSL_R_KRB5_S_TKT_NYV 1106
#define SSL_R_KRB5_S_TKT_SKEW 1107
#define SSL_R_KEY_ARG_TOO_LONG 284
#define SSL_R_KRB5 285
#define SSL_R_KRB5_C_CC_PRINC 286
#define SSL_R_KRB5_C_GET_CRED 287
#define SSL_R_KRB5_C_INIT 288
#define SSL_R_KRB5_C_MK_REQ 289
#define SSL_R_KRB5_S_BAD_TICKET 290
#define SSL_R_KRB5_S_INIT 291
#define SSL_R_KRB5_S_RD_REQ 292
#define SSL_R_KRB5_S_TKT_EXPIRED 293
#define SSL_R_KRB5_S_TKT_NYV 294
#define SSL_R_KRB5_S_TKT_SKEW 295
#define SSL_R_LENGTH_MISMATCH 159
#define SSL_R_LENGTH_TOO_SHORT 160
#define SSL_R_LIBRARY_BUG 274
#define SSL_R_LIBRARY_HAS_NO_CIPHERS 161
#define SSL_R_MASTER_KEY_TOO_LONG 1112
#define SSL_R_MESSAGE_TOO_LONG 1111
#define SSL_R_MESSAGE_TOO_LONG 296
#define SSL_R_MISSING_DH_DSA_CERT 162
#define SSL_R_MISSING_DH_KEY 163
#define SSL_R_MISSING_DH_RSA_CERT 164
@ -1817,7 +1816,7 @@ void ERR_load_SSL_strings(void);
#define SSL_R_MISSING_RSA_ENCRYPTING_CERT 169
#define SSL_R_MISSING_RSA_SIGNING_CERT 170
#define SSL_R_MISSING_TMP_DH_KEY 171
#define SSL_R_MISSING_TMP_ECDH_KEY 1114
#define SSL_R_MISSING_TMP_ECDH_KEY 311
#define SSL_R_MISSING_TMP_RSA_KEY 172
#define SSL_R_MISSING_TMP_RSA_PKEY 173
#define SSL_R_MISSING_VERIFY_MESSAGE 174
@ -1844,6 +1843,7 @@ void ERR_load_SSL_strings(void);
#define SSL_R_NULL_SSL_CTX 195
#define SSL_R_NULL_SSL_METHOD_PASSED 196
#define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 197
#define SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE 297
#define SSL_R_PACKET_LENGTH_TOO_LONG 198
#define SSL_R_PATH_TOO_LONG 270
#define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE 199
@ -1859,11 +1859,11 @@ void ERR_load_SSL_strings(void);
#define SSL_R_PUBLIC_KEY_IS_NOT_RSA 209
#define SSL_R_PUBLIC_KEY_NOT_RSA 210
#define SSL_R_READ_BIO_NOT_SET 211
#define SSL_R_READ_TIMEOUT_EXPIRED 2001
#define SSL_R_READ_TIMEOUT_EXPIRED 312
#define SSL_R_READ_WRONG_PACKET_TYPE 212
#define SSL_R_RECORD_LENGTH_MISMATCH 213
#define SSL_R_RECORD_TOO_LARGE 214
#define SSL_R_RECORD_TOO_SMALL 1093
#define SSL_R_RECORD_TOO_SMALL 298
#define SSL_R_REQUIRED_CIPHER_MISSING 215
#define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO 216
#define SSL_R_REUSE_CERT_TYPE_NOT_ZERO 217
@ -1872,8 +1872,8 @@ void ERR_load_SSL_strings(void);
#define SSL_R_SHORT_READ 219
#define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 220
#define SSL_R_SSL23_DOING_SESSION_ID_REUSE 221
#define SSL_R_SSL2_CONNECTION_ID_TOO_LONG 1114
#define SSL_R_SSL3_SESSION_ID_TOO_LONG 1113
#define SSL_R_SSL2_CONNECTION_ID_TOO_LONG 299
#define SSL_R_SSL3_SESSION_ID_TOO_LONG 300
#define SSL_R_SSL3_SESSION_ID_TOO_SHORT 222
#define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE 1042
#define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC 1020
@ -1884,20 +1884,15 @@ void ERR_load_SSL_strings(void);
#define SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE 1040
#define SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER 1047
#define SSL_R_SSLV3_ALERT_NO_CERTIFICATE 1041
#define SSL_R_SSLV3_ALERT_PEER_ERROR_CERTIFICATE 223
#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CERTIFICATE 224
#define SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CIPHER 225
#define SSL_R_SSLV3_ALERT_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 226
#define SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE 1010
#define SSL_R_SSLV3_ALERT_UNKNOWN_REMOTE_ERROR_TYPE 227
#define SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE 1043
#define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION 228
#define SSL_R_SSL_HANDSHAKE_FAILURE 229
#define SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS 230
#define SSL_R_SSL_SESSION_ID_CALLBACK_FAILED 1102
#define SSL_R_SSL_SESSION_ID_CONFLICT 1103
#define SSL_R_SSL_SESSION_ID_CALLBACK_FAILED 301
#define SSL_R_SSL_SESSION_ID_CONFLICT 302
#define SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG 273
#define SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH 1101
#define SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH 303
#define SSL_R_SSL_SESSION_ID_IS_DIFFERENT 231
#define SSL_R_TLSV1_ALERT_ACCESS_DENIED 1049
#define SSL_R_TLSV1_ALERT_DECODE_ERROR 1050
@ -1916,10 +1911,10 @@ void ERR_load_SSL_strings(void);
#define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 234
#define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 235
#define SSL_R_UNABLE_TO_DECODE_DH_CERTS 236
#define SSL_R_UNABLE_TO_DECODE_ECDH_CERTS 1115
#define SSL_R_UNABLE_TO_DECODE_ECDH_CERTS 313
#define SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY 237
#define SSL_R_UNABLE_TO_FIND_DH_PARAMETERS 238
#define SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS 1116
#define SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS 314
#define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS 239
#define SSL_R_UNABLE_TO_FIND_SSL_METHOD 240
#define SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES 241
@ -1940,8 +1935,7 @@ void ERR_load_SSL_strings(void);
#define SSL_R_UNKNOWN_STATE 255
#define SSL_R_UNSUPPORTED_CIPHER 256
#define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 257
#define SSL_R_UNSUPPORTED_ELLIPTIC_CURVE 1118
#define SSL_R_UNSUPPORTED_OPTION 1091
#define SSL_R_UNSUPPORTED_ELLIPTIC_CURVE 315
#define SSL_R_UNSUPPORTED_PROTOCOL 258
#define SSL_R_UNSUPPORTED_SSL_VERSION 259
#define SSL_R_WRITE_BIO_NOT_SET 260

View File

@ -344,7 +344,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
OPENSSL_free(ai.data); ai.data=NULL; ai.length=0;
}
else
ret->time=time(NULL);
ret->time=(unsigned long)time(NULL);
ai.length=0;
M_ASN1_D2I_get_EXP_opt(aip,d2i_ASN1_INTEGER,2);

View File

@ -296,7 +296,7 @@ CERT *ssl_cert_dup(CERT *cert)
return(ret);
#ifndef OPENSSL_NO_DH /* avoid 'unreferenced label' warning if OPENSSL_NO_DH is defined */
#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_ECDH)
err:
#endif
#ifndef OPENSSL_NO_RSA

View File

@ -482,7 +482,8 @@ static void ssl_cipher_collect_aliases(SSL_CIPHER **ca_list,
*ca_curr = NULL; /* end of list */
}
static void ssl_cipher_apply_rule(unsigned long algorithms, unsigned long mask,
static void ssl_cipher_apply_rule(unsigned long cipher_id,
unsigned long algorithms, unsigned long mask,
unsigned long algo_strength, unsigned long mask_strength,
int rule, int strength_bits, CIPHER_ORDER *co_list,
CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
@ -508,11 +509,19 @@ static void ssl_cipher_apply_rule(unsigned long algorithms, unsigned long mask,
cp = curr->cipher;
/* If explicit cipher suite match that one only */
if (cipher_id)
{
if (cp->id != cipher_id)
continue;
}
/*
* Selection criteria is either the number of strength_bits
* or the algorithm used.
*/
if (strength_bits == -1)
else if (strength_bits == -1)
{
ma = mask & cp->algorithms;
ma_s = mask_strength & cp->algo_strength;
@ -625,7 +634,7 @@ static int ssl_cipher_strength_sort(CIPHER_ORDER *co_list,
*/
for (i = max_strength_bits; i >= 0; i--)
if (number_uses[i] > 0)
ssl_cipher_apply_rule(0, 0, 0, 0, CIPHER_ORD, i,
ssl_cipher_apply_rule(0, 0, 0, 0, 0, CIPHER_ORD, i,
co_list, head_p, tail_p);
OPENSSL_free(number_uses);
@ -639,6 +648,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
unsigned long algorithms, mask, algo_strength, mask_strength;
const char *l, *start, *buf;
int j, multi, found, rule, retval, ok, buflen;
unsigned long cipher_id;
char ch;
retval = 1;
@ -728,6 +738,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
* use strcmp(), because buf is not '\0' terminated.)
*/
j = found = 0;
cipher_id = 0;
while (ca_list[j])
{
if (!strncmp(buf, ca_list[j]->name, buflen) &&
@ -742,6 +753,12 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
if (!found)
break; /* ignore this entry */
if (ca_list[j]->valid)
{
cipher_id = ca_list[j]->id;
break;
}
/* New algorithms:
* 1 - any old restrictions apply outside new mask
* 2 - any new restrictions apply outside old mask
@ -785,7 +802,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
}
else if (found)
{
ssl_cipher_apply_rule(algorithms, mask,
ssl_cipher_apply_rule(cipher_id, algorithms, mask,
algo_strength, mask_strength, rule, -1,
co_list, head_p, tail_p);
}

View File

@ -204,7 +204,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
{ERR_FUNC(SSL_F_SSL_GET_SERVER_SEND_CERT), "SSL_GET_SERVER_SEND_CERT"},
{ERR_FUNC(SSL_F_SSL_GET_SIGN_PKEY), "SSL_GET_SIGN_PKEY"},
{ERR_FUNC(SSL_F_SSL_INIT_WBIO_BUFFER), "SSL_INIT_WBIO_BUFFER"},
{ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE), "SSL_load_client_CA_file"},
{ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE), "SSL_LOAD_CLIENT_CA_FILE"},
{ERR_FUNC(SSL_F_SSL_NEW), "SSL_new"},
{ERR_FUNC(SSL_F_SSL_PEEK), "SSL_peek"},
{ERR_FUNC(SSL_F_SSL_READ), "SSL_read"},
@ -336,7 +336,6 @@ static ERR_STRING_DATA SSL_str_reasons[]=
{ERR_REASON(SSL_R_LENGTH_TOO_SHORT) ,"length too short"},
{ERR_REASON(SSL_R_LIBRARY_BUG) ,"library bug"},
{ERR_REASON(SSL_R_LIBRARY_HAS_NO_CIPHERS),"library has no ciphers"},
{ERR_REASON(SSL_R_MASTER_KEY_TOO_LONG) ,"master key too long"},
{ERR_REASON(SSL_R_MESSAGE_TOO_LONG) ,"message too long"},
{ERR_REASON(SSL_R_MISSING_DH_DSA_CERT) ,"missing dh dsa cert"},
{ERR_REASON(SSL_R_MISSING_DH_KEY) ,"missing dh key"},
@ -375,6 +374,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
{ERR_REASON(SSL_R_NULL_SSL_CTX) ,"null ssl ctx"},
{ERR_REASON(SSL_R_NULL_SSL_METHOD_PASSED),"null ssl method passed"},
{ERR_REASON(SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED),"old session cipher not returned"},
{ERR_REASON(SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE),"only tls allowed in fips mode"},
{ERR_REASON(SSL_R_PACKET_LENGTH_TOO_LONG),"packet length too long"},
{ERR_REASON(SSL_R_PATH_TOO_LONG) ,"path too long"},
{ERR_REASON(SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE),"peer did not return a certificate"},
@ -415,12 +415,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
{ERR_REASON(SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE),"sslv3 alert handshake failure"},
{ERR_REASON(SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER),"sslv3 alert illegal parameter"},
{ERR_REASON(SSL_R_SSLV3_ALERT_NO_CERTIFICATE),"sslv3 alert no certificate"},
{ERR_REASON(SSL_R_SSLV3_ALERT_PEER_ERROR_CERTIFICATE),"sslv3 alert peer error certificate"},
{ERR_REASON(SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CERTIFICATE),"sslv3 alert peer error no certificate"},
{ERR_REASON(SSL_R_SSLV3_ALERT_PEER_ERROR_NO_CIPHER),"sslv3 alert peer error no cipher"},
{ERR_REASON(SSL_R_SSLV3_ALERT_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE),"sslv3 alert peer error unsupported certificate type"},
{ERR_REASON(SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE),"sslv3 alert unexpected message"},
{ERR_REASON(SSL_R_SSLV3_ALERT_UNKNOWN_REMOTE_ERROR_TYPE),"sslv3 alert unknown remote error type"},
{ERR_REASON(SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE),"sslv3 alert unsupported certificate"},
{ERR_REASON(SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION),"ssl ctx has no default ssl version"},
{ERR_REASON(SSL_R_SSL_HANDSHAKE_FAILURE) ,"ssl handshake failure"},
@ -472,7 +467,6 @@ static ERR_STRING_DATA SSL_str_reasons[]=
{ERR_REASON(SSL_R_UNSUPPORTED_CIPHER) ,"unsupported cipher"},
{ERR_REASON(SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM),"unsupported compression algorithm"},
{ERR_REASON(SSL_R_UNSUPPORTED_ELLIPTIC_CURVE),"unsupported elliptic curve"},
{ERR_REASON(SSL_R_UNSUPPORTED_OPTION) ,"unsupported option"},
{ERR_REASON(SSL_R_UNSUPPORTED_PROTOCOL) ,"unsupported protocol"},
{ERR_REASON(SSL_R_UNSUPPORTED_SSL_VERSION),"unsupported ssl version"},
{ERR_REASON(SSL_R_WRITE_BIO_NOT_SET) ,"write bio not set"},

View File

@ -118,7 +118,7 @@ SSL_SESSION *SSL_SESSION_new(void)
ss->verify_result = 1; /* avoid 0 (= X509_V_OK) just in case */
ss->references=1;
ss->timeout=60*5+4; /* 5 minute timeout by default */
ss->time=time(NULL);
ss->time=(unsigned long)time(NULL);
ss->prev=NULL;
ss->next=NULL;
ss->compress_meth=0;
@ -389,7 +389,7 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len)
CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION);
#endif
if ((long)(ret->time+ret->timeout) < (long)time(NULL)) /* timeout */
if (ret->timeout < (long)(time(NULL) - ret->time)) /* timeout */
{
s->ctx->stats.sess_timeout++;
/* remove it from the cache */

View File

@ -2234,6 +2234,7 @@ static DH *get_dh1024dsa()
dh->length = 160;
return(dh);
}
#endif
static int do_test_cipherlist(void)
{
@ -2241,6 +2242,7 @@ static int do_test_cipherlist(void)
const SSL_METHOD *meth;
SSL_CIPHER *ci, *tci = NULL;
#ifndef OPENSSL_NO_SSL2
fprintf(stderr, "testing SSLv2 cipher list order: ");
meth = SSLv2_method();
while ((ci = meth->get_cipher(i++)) != NULL)
@ -2254,7 +2256,8 @@ static int do_test_cipherlist(void)
tci = ci;
}
fprintf(stderr, "ok\n");
#endif
#ifndef OPENSSL_NO_SSL3
fprintf(stderr, "testing SSLv3 cipher list order: ");
meth = SSLv3_method();
tci = NULL;
@ -2269,7 +2272,8 @@ static int do_test_cipherlist(void)
tci = ci;
}
fprintf(stderr, "ok\n");
#endif
#ifndef OPENSSL_NO_TLS1
fprintf(stderr, "testing TLSv1 cipher list order: ");
meth = TLSv1_method();
tci = NULL;
@ -2284,7 +2288,7 @@ static int do_test_cipherlist(void)
tci = ci;
}
fprintf(stderr, "ok\n");
#endif
return 1;
}
#endif

View File

@ -145,6 +145,8 @@ foreach (@ARGV, split(/ /, $options))
$do_crypto=1;
$libname=$_;
}
$no_static_engine=1 if $_ eq "no-static-engine";
$no_static_engine=0 if $_ eq "enable-static-engine";
$do_update=1 if $_ eq "update";
$do_rewrite=1 if $_ eq "rewrite";
$do_ctest=1 if $_ eq "ctest";
@ -450,17 +452,22 @@ sub do_defs
next;
}
$cpp = 1 if /^\#.*ifdef.*cplusplus/;
if(/\/\*/) {
if (not /\*\//) { # multiline comment...
$line = $_; # ... just accumulate
next;
} else {
s/\/\*.*?\*\///gs;# wipe it
}
}
if ($cpp) {
$cpp = 0 if /^\#.*endif/;
$cpp++ if /^#\s*if/;
$cpp-- if /^#\s*endif/;
next;
}
$cpp = 1 if /^#.*ifdef.*cplusplus/;
s/\/\*.*?\*\///gs; # ignore comments
if (/\/\*/) { # if we have part
$line = $_; # of a comment,
next; # continue reading
}
s/{[^{}]*}//gs; # ignore {} blocks
print STDERR "DEBUG: \$def=\"$def\"\n" if $debug && $def ne "";
print STDERR "DEBUG: \$_=\"$_\"\n" if $debug;
@ -738,6 +745,12 @@ sub do_defs
$def .= "int i2d_$1_NDEF(void);";
} elsif (/^\s*DECLARE_ASN1_SET_OF\s*\(\s*(\w*)\s*\)/) {
next;
} elsif (/^\s*DECLARE_ASN1_PRINT_FUNCTION\s*\(\s*(\w*)\s*\)/) {
$def .= "int $1_print_ctx(void);";
next;
} elsif (/^\s*DECLARE_ASN1_PRINT_FUNCTION_name\s*\(\s*(\w*)\s*,\s*(\w*)\s*\)/) {
$def .= "int $2_print_ctx(void);";
next;
} elsif (/^\s*DECLARE_PKCS12_STACK_OF\s*\(\s*(\w*)\s*\)/) {
next;
} elsif (/^DECLARE_PEM_rw\s*\(\s*(\w*)\s*,/ ||
@ -830,6 +843,17 @@ sub do_defs
next if(/typedef\W/);
next if(/\#define/);
# Reduce argument lists to empty ()
# fold round brackets recursively: (t(*v)(t),t) -> (t{}{},t) -> {}
while(/\(.*\)/s) {
s/\([^\(\)]+\)/\{\}/gs;
s/\(\s*\*\s*(\w+)\s*\{\}\s*\)/$1/gs; #(*f{}) -> f
}
# pretend as we didn't use curly braces: {} -> ()
s/\{\}/\(\)/gs;
s/STACK_OF\(\)/void/gs;
print STDERR "DEBUG: \$_ = \"$_\"\n" if $debug;
if (/^\#INFO:([^:]*):(.*)$/) {
$plats = $1;
@ -840,25 +864,11 @@ sub do_defs
$s = $1;
$k = "VARIABLE";
print STDERR "DEBUG: found external variable $s\n" if $debug;
} elsif (/\(\*(\w*(\{[0-9]+\})?)\([^\)]+/) {
$s = $1;
print STDERR "DEBUG: found ANSI C function $s\n" if $debug;
} elsif (/\w+\W+(\w+)\W*\(\s*\)(\s*__attribute__\(.*\)\s*)?$/s) {
# K&R C
print STDERR "DEBUG: found K&R C function $s\n" if $debug;
} elsif (/TYPEDEF_\w+_OF/s) {
next;
} elsif (/\w+\W+\w+(\{[0-9]+\})?\W*\(.*\)(\s*__attribute__\(.*\)\s*)?$/s) {
while (not /\(\)(\s*__attribute__\(.*\)\s*)?$/s) {
s/[^\(\)]*\)(\s*__attribute__\(.*\)\s*)?$/\)/s;
s/\([^\(\)]*\)\)(\s*__attribute__\(.*\)\s*)?$/\)/s;
}
s/\(void\)//;
/(\w+(\{[0-9]+\})?)\W*\(\)/s;
$s = $1;
} elsif (/(\w+)\s*\(\).*/s) { # first token prior [first] () is
$s = $1; # a function name!
print STDERR "DEBUG: found function $s\n" if $debug;
} elsif (/TYPEDEF_\w+_OF/) {
next;
} elsif (/\(/ and not (/=/)) {
print STDERR "File $file: cannot parse: $_;\n";
next;