The ssl_ciper_get_evp() function is currently overloaded to also return the

compression associated with the SSL session. Based on one of Adam Langley's chromium diffs, factor out the compression handling code into a separate ssl_cipher_get_comp() function. Rewrite the compression handling code to avoid pointless duplication and so that failures are actually returned to and detectable by the caller. ok miod@
author: jsing <> 2014-05-25 13:27:38 +0000
committer: jsing <> 2014-05-25 13:27:38 +0000
commit: a26ab58294e030cd16e09f09139a602c114d495e (patch)
tree: 1981463f492523e729cbfd564646012bb0a6574c
parent: 4742830abc4156a69bf5e7e604c4087367c1ffb1 (diff)
download: openbsd-a26ab58294e030cd16e09f09139a602c114d495e.tar.gz
openbsd-a26ab58294e030cd16e09f09139a602c114d495e.tar.bz2
openbsd-a26ab58294e030cd16e09f09139a602c114d495e.zip
13 files changed, 107 insertions, 62 deletions
diff --git a/src/lib/libssl/src/ssl/s3_enc.c b/src/lib/libssl/src/ssl/s3_enc.c
index 5a45cec1c1..119e7ce1f4 100644
--- a/src/lib/libssl/src/ssl/s3_enc.c
+++ b/src/lib/libssl/src/ssl/s3_enc.c
@@ -387,18 +387,21 @@ ssl3_setup_key_block(SSL *s)
        if (s->s3->tmp.key_block_length != 0)
                return (1);
-        if (!ssl_cipher_get_evp(s->session, &c, &hash, NULL, NULL, &comp)) {
+        if (!ssl_cipher_get_comp(s->session, &comp)) {
-                SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
+                SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK,
+                    SSL_R_CIPHER_COMPRESSION_UNAVAILABLE);
+                return (0);
+        }
+        if (!ssl_cipher_get_evp(s->session, &c, &hash, NULL, NULL)) {
+                SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK,
+                    SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
                return (0);
        }
        s->s3->tmp.new_sym_enc = c;
        s->s3->tmp.new_hash = hash;
-#ifdef OPENSSL_NO_COMP
-        s->s3->tmp.new_compression = NULL;
-#else
        s->s3->tmp.new_compression = comp;
-#endif
        num = EVP_MD_size(hash);
        if (num < 0)
diff --git a/src/lib/libssl/src/ssl/ssl.h b/src/lib/libssl/src/ssl/ssl.h
index 9744d9783c..6765e3560a 100644
--- a/src/lib/libssl/src/ssl/ssl.h
+++ b/src/lib/libssl/src/ssl/ssl.h
@@ -2197,6 +2197,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_CERT_LENGTH_MISMATCH                       135
 #define SSL_R_CHALLENGE_IS_DIFFERENT                     136
 #define SSL_R_CIPHER_CODE_WRONG_LENGTH                   137
+#define SSL_R_CIPHER_COMPRESSION_UNAVAILABLE             371
 #define SSL_R_CIPHER_OR_HASH_UNAVAILABLE                 138
 #define SSL_R_CIPHER_TABLE_SRC_ERROR                     139
 #define SSL_R_CLIENTHELLO_TLSEXT                         226
diff --git a/src/lib/libssl/src/ssl/ssl_ciph.c b/src/lib/libssl/src/ssl/ssl_ciph.c
index 4ae3312a1a..bd939b7563 100644
--- a/src/lib/libssl/src/ssl/ssl_ciph.c
+++ b/src/lib/libssl/src/ssl/ssl_ciph.c
@@ -481,33 +481,45 @@ load_builtin_compressions(void)
 }
 #endif
+/* ssl_cipher_get_comp sets comp to the correct SSL_COMP for the given
+ * session and returns 1. On error it returns 0. */
 int
-ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
+ssl_cipher_get_comp(const SSL_SESSION *s, SSL_COMP **comp)
-    const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size, SSL_COMP **comp)
 {
+        SSL_COMP ctmp;
        int i;
-        const SSL_CIPHER *c;
-        c = s->cipher;
-        if (c == NULL)
-                return (0);
-        if (comp != NULL) {
-                SSL_COMP ctmp;
 #ifndef OPENSSL_NO_COMP
-                load_builtin_compressions();
+        load_builtin_compressions();
 #endif
-                *comp = NULL;
+        *comp = NULL;
-                ctmp.id = s->compress_meth;
+        if (s->compress_meth == 0)
-                if (ssl_comp_methods != NULL) {
+                return 1;
-                        i = sk_SSL_COMP_find(ssl_comp_methods, &ctmp);
+        if (ssl_comp_methods == NULL)
-                        if (i >= 0)
+                return 0;
-                                *comp = sk_SSL_COMP_value(ssl_comp_methods, i);
-                        else
+        ctmp.id = s->compress_meth;
-                                *comp = NULL;
+        i = sk_SSL_COMP_find(ssl_comp_methods, &ctmp);
-                }
+        if (i >= 0) {
+                *comp = sk_SSL_COMP_value(ssl_comp_methods, i);
+                return 1;
        }
+        return 0;
+}
+int
+ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
+    const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size)
+{
+        const SSL_CIPHER *c;
+        int i;
+        c = s->cipher;
+        if (c == NULL)
+                return (0);
        if ((enc == NULL) || (md == NULL))
                return (0);
@@ -732,8 +744,6 @@ ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, unsigned long
        *enc |= SSL_eNULL;
 #endif
        *enc |= (ssl_cipher_methods[SSL_ENC_DES_IDX ] == NULL) ? SSL_DES : 0;
        *enc |= (ssl_cipher_methods[SSL_ENC_3DES_IDX] == NULL) ? SSL_3DES : 0;
        *enc |= (ssl_cipher_methods[SSL_ENC_RC4_IDX ] == NULL) ? SSL_RC4 : 0;
@@ -1684,8 +1694,8 @@ ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n)
        SSL_COMP *ctmp;
        int i, nn;
-        if ((n == 0)
+        if ((n == 0) || (sk == NULL))
-                || (sk == NULL)) return (NULL);
+                return (NULL);
        nn = sk_SSL_COMP_num(sk);
        for (i = 0; i < nn; i++) {
                ctmp = sk_SSL_COMP_value(sk, i);
diff --git a/src/lib/libssl/src/ssl/ssl_err.c b/src/lib/libssl/src/ssl/ssl_err.c
index 67ba3c7699..7bea7fafa1 100644
--- a/src/lib/libssl/src/ssl/ssl_err.c
+++ b/src/lib/libssl/src/ssl/ssl_err.c
@@ -344,6 +344,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= {
        {ERR_REASON(SSL_R_CERT_LENGTH_MISMATCH)  , "cert length mismatch"},
        {ERR_REASON(SSL_R_CHALLENGE_IS_DIFFERENT), "challenge is different"},
        {ERR_REASON(SSL_R_CIPHER_CODE_WRONG_LENGTH), "cipher code wrong length"},
+        {ERR_REASON(SSL_R_CIPHER_COMPRESSION_UNAVAILABLE), "cipher compression unavailable"},
        {ERR_REASON(SSL_R_CIPHER_OR_HASH_UNAVAILABLE), "cipher or hash unavailable"},
        {ERR_REASON(SSL_R_CIPHER_TABLE_SRC_ERROR), "cipher table src error"},
        {ERR_REASON(SSL_R_CLIENTHELLO_TLSEXT)    , "clienthello tlsext"},
diff --git a/src/lib/libssl/src/ssl/ssl_locl.h b/src/lib/libssl/src/ssl/ssl_locl.h
index 3a4656ef62..06f37b69e6 100644
--- a/src/lib/libssl/src/ssl/ssl_locl.h
+++ b/src/lib/libssl/src/ssl/ssl_locl.h
@@ -599,9 +599,9 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *meth,
    STACK_OF(SSL_CIPHER) **pref, STACK_OF(SSL_CIPHER) **sorted,
    const char *rule_str);
 void ssl_update_cache(SSL *s, int mode);
+int ssl_cipher_get_comp(const SSL_SESSION *s, SSL_COMP **comp);
 int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
-    const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size,
+    const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size);
-    SSL_COMP **comp);
 int ssl_get_handshake_digest(int i, long *mask, const EVP_MD **md);
 int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk);
diff --git a/src/lib/libssl/src/ssl/ssl_txt.c b/src/lib/libssl/src/ssl/ssl_txt.c
index 01dd846596..734e0c0755 100644
--- a/src/lib/libssl/src/ssl/ssl_txt.c
+++ b/src/lib/libssl/src/ssl/ssl_txt.c
@@ -190,7 +190,9 @@ SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
        if (x->compress_meth != 0) {
                SSL_COMP *comp = NULL;
-                ssl_cipher_get_evp(x, NULL, NULL, NULL, NULL, &comp);
+                if (!ssl_cipher_get_comp(x, &comp))
+                        goto err;
                if (comp == NULL) {
                        if (BIO_printf(bp, "\n    Compression: %d", x->compress_meth) <= 0)
                                goto err;
diff --git a/src/lib/libssl/src/ssl/t1_enc.c b/src/lib/libssl/src/ssl/t1_enc.c
index 2599122078..5f17a4a94a 100644
--- a/src/lib/libssl/src/ssl/t1_enc.c
+++ b/src/lib/libssl/src/ssl/t1_enc.c
@@ -532,12 +532,19 @@ tls1_setup_key_block(SSL *s)
        int mac_type = NID_undef, mac_secret_size = 0;
        int ret = 0;
        if (s->s3->tmp.key_block_length != 0)
                return (1);
-        if (!ssl_cipher_get_evp(s->session, &c, &hash, &mac_type, &mac_secret_size, &comp)) {
+        if (!ssl_cipher_get_comp(s->session, &comp)) {
-                SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
+                SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,
+                    SSL_R_CIPHER_COMPRESSION_UNAVAILABLE);
+                return (0);
+        }
+        if (!ssl_cipher_get_evp(s->session, &c, &hash, &mac_type,
+            &mac_secret_size)) {
+                SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,
+                    SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
                return (0);
        }
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index 9744d9783c..6765e3560a 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -2197,6 +2197,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_CERT_LENGTH_MISMATCH                       135
 #define SSL_R_CHALLENGE_IS_DIFFERENT                     136
 #define SSL_R_CIPHER_CODE_WRONG_LENGTH                   137
+#define SSL_R_CIPHER_COMPRESSION_UNAVAILABLE             371
 #define SSL_R_CIPHER_OR_HASH_UNAVAILABLE                 138
 #define SSL_R_CIPHER_TABLE_SRC_ERROR                     139
 #define SSL_R_CLIENTHELLO_TLSEXT                         226
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
index 4ae3312a1a..bd939b7563 100644
--- a/src/lib/libssl/ssl_ciph.c
+++ b/src/lib/libssl/ssl_ciph.c
@@ -481,33 +481,45 @@ load_builtin_compressions(void)
 }
 #endif
+/* ssl_cipher_get_comp sets comp to the correct SSL_COMP for the given
+ * session and returns 1. On error it returns 0. */
 int
-ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
+ssl_cipher_get_comp(const SSL_SESSION *s, SSL_COMP **comp)
-    const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size, SSL_COMP **comp)
 {
+        SSL_COMP ctmp;
        int i;
-        const SSL_CIPHER *c;
-        c = s->cipher;
-        if (c == NULL)
-                return (0);
-        if (comp != NULL) {
-                SSL_COMP ctmp;
 #ifndef OPENSSL_NO_COMP
-                load_builtin_compressions();
+        load_builtin_compressions();
 #endif
-                *comp = NULL;
+        *comp = NULL;
-                ctmp.id = s->compress_meth;
+        if (s->compress_meth == 0)
-                if (ssl_comp_methods != NULL) {
+                return 1;
-                        i = sk_SSL_COMP_find(ssl_comp_methods, &ctmp);
+        if (ssl_comp_methods == NULL)
-                        if (i >= 0)
+                return 0;
-                                *comp = sk_SSL_COMP_value(ssl_comp_methods, i);
-                        else
+        ctmp.id = s->compress_meth;
-                                *comp = NULL;
+        i = sk_SSL_COMP_find(ssl_comp_methods, &ctmp);
-                }
+        if (i >= 0) {
+                *comp = sk_SSL_COMP_value(ssl_comp_methods, i);
+                return 1;
        }
+        return 0;
+}
+int
+ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
+    const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size)
+{
+        const SSL_CIPHER *c;
+        int i;
+        c = s->cipher;
+        if (c == NULL)
+                return (0);
        if ((enc == NULL) || (md == NULL))
                return (0);
@@ -732,8 +744,6 @@ ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, unsigned long
        *enc |= SSL_eNULL;
 #endif
        *enc |= (ssl_cipher_methods[SSL_ENC_DES_IDX ] == NULL) ? SSL_DES : 0;
        *enc |= (ssl_cipher_methods[SSL_ENC_3DES_IDX] == NULL) ? SSL_3DES : 0;
        *enc |= (ssl_cipher_methods[SSL_ENC_RC4_IDX ] == NULL) ? SSL_RC4 : 0;
@@ -1684,8 +1694,8 @@ ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n)
        SSL_COMP *ctmp;
        int i, nn;
-        if ((n == 0)
+        if ((n == 0) || (sk == NULL))
-                || (sk == NULL)) return (NULL);
+                return (NULL);
        nn = sk_SSL_COMP_num(sk);
        for (i = 0; i < nn; i++) {
                ctmp = sk_SSL_COMP_value(sk, i);
diff --git a/src/lib/libssl/ssl_err.c b/src/lib/libssl/ssl_err.c
index 67ba3c7699..7bea7fafa1 100644
--- a/src/lib/libssl/ssl_err.c
+++ b/src/lib/libssl/ssl_err.c
@@ -344,6 +344,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= {
        {ERR_REASON(SSL_R_CERT_LENGTH_MISMATCH)  , "cert length mismatch"},
        {ERR_REASON(SSL_R_CHALLENGE_IS_DIFFERENT), "challenge is different"},
        {ERR_REASON(SSL_R_CIPHER_CODE_WRONG_LENGTH), "cipher code wrong length"},
+        {ERR_REASON(SSL_R_CIPHER_COMPRESSION_UNAVAILABLE), "cipher compression unavailable"},
        {ERR_REASON(SSL_R_CIPHER_OR_HASH_UNAVAILABLE), "cipher or hash unavailable"},
        {ERR_REASON(SSL_R_CIPHER_TABLE_SRC_ERROR), "cipher table src error"},
        {ERR_REASON(SSL_R_CLIENTHELLO_TLSEXT)    , "clienthello tlsext"},
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 3a4656ef62..06f37b69e6 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -599,9 +599,9 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *meth,
    STACK_OF(SSL_CIPHER) **pref, STACK_OF(SSL_CIPHER) **sorted,
    const char *rule_str);
 void ssl_update_cache(SSL *s, int mode);
+int ssl_cipher_get_comp(const SSL_SESSION *s, SSL_COMP **comp);
 int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
-    const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size,
+    const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size);
-    SSL_COMP **comp);
 int ssl_get_handshake_digest(int i, long *mask, const EVP_MD **md);
 int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk);
diff --git a/src/lib/libssl/ssl_txt.c b/src/lib/libssl/ssl_txt.c
index 01dd846596..734e0c0755 100644
--- a/src/lib/libssl/ssl_txt.c
+++ b/src/lib/libssl/ssl_txt.c
@@ -190,7 +190,9 @@ SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
        if (x->compress_meth != 0) {
                SSL_COMP *comp = NULL;
-                ssl_cipher_get_evp(x, NULL, NULL, NULL, NULL, &comp);
+                if (!ssl_cipher_get_comp(x, &comp))
+                        goto err;
                if (comp == NULL) {
                        if (BIO_printf(bp, "\n    Compression: %d", x->compress_meth) <= 0)
                                goto err;
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c
index 2599122078..5f17a4a94a 100644
--- a/src/lib/libssl/t1_enc.c
+++ b/src/lib/libssl/t1_enc.c
@@ -532,12 +532,19 @@ tls1_setup_key_block(SSL *s)
        int mac_type = NID_undef, mac_secret_size = 0;
        int ret = 0;
        if (s->s3->tmp.key_block_length != 0)
                return (1);
-        if (!ssl_cipher_get_evp(s->session, &c, &hash, &mac_type, &mac_secret_size, &comp)) {
+        if (!ssl_cipher_get_comp(s->session, &comp)) {
-                SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
+                SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,
+                    SSL_R_CIPHER_COMPRESSION_UNAVAILABLE);
+                return (0);
+        }
+        if (!ssl_cipher_get_evp(s->session, &c, &hash, &mac_type,
+            &mac_secret_size)) {
+                SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,
+                    SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
                return (0);
        }
author	jsing <>	2014-05-25 13:27:38 +0000
committer	jsing <>	2014-05-25 13:27:38 +0000
commit	a26ab58294e030cd16e09f09139a602c114d495e (patch)
tree	1981463f492523e729cbfd564646012bb0a6574c
parent	4742830abc4156a69bf5e7e604c4087367c1ffb1 (diff)
download	openbsd-a26ab58294e030cd16e09f09139a602c114d495e.tar.gz openbsd-a26ab58294e030cd16e09f09139a602c114d495e.tar.bz2 openbsd-a26ab58294e030cd16e09f09139a602c114d495e.zip

diff --git a/src/lib/libssl/src/ssl/s3_enc.c b/src/lib/libssl/src/ssl/s3_enc.c index 5a45cec1c1..119e7ce1f4 100644 --- a/src/lib/libssl/src/ssl/s3_enc.c +++ b/src/lib/libssl/src/ssl/s3_enc.c
@@ -387,18 +387,21 @@ ssl3_setup_key_block(SSL *s)
387	if (s->s3->tmp.key_block_length != 0)	387	if (s->s3->tmp.key_block_length != 0)
388	return (1);	388	return (1);
389		389
390	if (!ssl_cipher_get_evp(s->session, &c, &hash, NULL, NULL, &comp)) {	390	if (!ssl_cipher_get_comp(s->session, &comp)) {
391	SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);	391	SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK,
		392	SSL_R_CIPHER_COMPRESSION_UNAVAILABLE);
		393	return (0);
		394	}
		395
		396	if (!ssl_cipher_get_evp(s->session, &c, &hash, NULL, NULL)) {
		397	SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK,
		398	SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
392	return (0);	399	return (0);
393	}	400	}
394		401
395	s->s3->tmp.new_sym_enc = c;	402	s->s3->tmp.new_sym_enc = c;
396	s->s3->tmp.new_hash = hash;	403	s->s3->tmp.new_hash = hash;
397	#ifdef OPENSSL_NO_COMP
398	s->s3->tmp.new_compression = NULL;
399	#else
400	s->s3->tmp.new_compression = comp;	404	s->s3->tmp.new_compression = comp;
401	#endif
402		405
403	num = EVP_MD_size(hash);	406	num = EVP_MD_size(hash);
404	if (num < 0)	407	if (num < 0)


diff --git a/src/lib/libssl/src/ssl/ssl.h b/src/lib/libssl/src/ssl/ssl.h index 9744d9783c..6765e3560a 100644 --- a/src/lib/libssl/src/ssl/ssl.h +++ b/src/lib/libssl/src/ssl/ssl.h
@@ -2197,6 +2197,7 @@ void ERR_load_SSL_strings(void);
2197	#define SSL_R_CERT_LENGTH_MISMATCH 135	2197	#define SSL_R_CERT_LENGTH_MISMATCH 135
2198	#define SSL_R_CHALLENGE_IS_DIFFERENT 136	2198	#define SSL_R_CHALLENGE_IS_DIFFERENT 136
2199	#define SSL_R_CIPHER_CODE_WRONG_LENGTH 137	2199	#define SSL_R_CIPHER_CODE_WRONG_LENGTH 137
		2200	#define SSL_R_CIPHER_COMPRESSION_UNAVAILABLE 371
2200	#define SSL_R_CIPHER_OR_HASH_UNAVAILABLE 138	2201	#define SSL_R_CIPHER_OR_HASH_UNAVAILABLE 138
2201	#define SSL_R_CIPHER_TABLE_SRC_ERROR 139	2202	#define SSL_R_CIPHER_TABLE_SRC_ERROR 139
2202	#define SSL_R_CLIENTHELLO_TLSEXT 226	2203	#define SSL_R_CLIENTHELLO_TLSEXT 226


diff --git a/src/lib/libssl/src/ssl/ssl_ciph.c b/src/lib/libssl/src/ssl/ssl_ciph.c index 4ae3312a1a..bd939b7563 100644 --- a/src/lib/libssl/src/ssl/ssl_ciph.c +++ b/src/lib/libssl/src/ssl/ssl_ciph.c
@@ -481,33 +481,45 @@ load_builtin_compressions(void)
481	}	481	}
482	#endif	482	#endif
483		483
		484	/* ssl_cipher_get_comp sets comp to the correct SSL_COMP for the given
		485	* session and returns 1. On error it returns 0. */
484	int	486	int
485	ssl_cipher_get_evp(const SSL_SESSION s, const EVP_CIPHER *enc,	487	ssl_cipher_get_comp(const SSL_SESSION s, SSL_COMP *comp)
486	const EVP_MD *md, int mac_pkey_type, int mac_secret_size, SSL_COMP *comp)
487	{	488	{
		489	SSL_COMP ctmp;
488	int i;	490	int i;
489	const SSL_CIPHER *c;
490		491
491	c = s->cipher;
492	if (c == NULL)
493	return (0);
494	if (comp != NULL) {
495	SSL_COMP ctmp;
496	#ifndef OPENSSL_NO_COMP	492	#ifndef OPENSSL_NO_COMP
497	load_builtin_compressions();	493	load_builtin_compressions();
498	#endif	494	#endif
499		495
500	*comp = NULL;	496	*comp = NULL;
501	ctmp.id = s->compress_meth;	497	if (s->compress_meth == 0)
502	if (ssl_comp_methods != NULL) {	498	return 1;
503	i = sk_SSL_COMP_find(ssl_comp_methods, &ctmp);	499	if (ssl_comp_methods == NULL)
504	if (i >= 0)	500	return 0;
505	*comp = sk_SSL_COMP_value(ssl_comp_methods, i);	501
506	else	502	ctmp.id = s->compress_meth;
507	*comp = NULL;	503	i = sk_SSL_COMP_find(ssl_comp_methods, &ctmp);
508	}	504	if (i >= 0) {
		505	*comp = sk_SSL_COMP_value(ssl_comp_methods, i);
		506	return 1;
509	}	507	}
510		508
		509	return 0;
		510	}
		511
		512	int
		513	ssl_cipher_get_evp(const SSL_SESSION s, const EVP_CIPHER *enc,
		514	const EVP_MD *md, int mac_pkey_type, int *mac_secret_size)
		515	{
		516	const SSL_CIPHER *c;
		517	int i;
		518
		519	c = s->cipher;
		520	if (c == NULL)
		521	return (0);
		522
511	if ((enc == NULL) \|\| (md == NULL))	523	if ((enc == NULL) \|\| (md == NULL))
512	return (0);	524	return (0);
513		525
@@ -732,8 +744,6 @@ ssl_cipher_get_disabled(unsigned long mkey, unsigned long auth, unsigned long
732	*enc \|= SSL_eNULL;	744	*enc \|= SSL_eNULL;
733	#endif	745	#endif
734		746
735
736
737	*enc \|= (ssl_cipher_methods[SSL_ENC_DES_IDX ] == NULL) ? SSL_DES : 0;	747	*enc \|= (ssl_cipher_methods[SSL_ENC_DES_IDX ] == NULL) ? SSL_DES : 0;
738	*enc \|= (ssl_cipher_methods[SSL_ENC_3DES_IDX] == NULL) ? SSL_3DES : 0;	748	*enc \|= (ssl_cipher_methods[SSL_ENC_3DES_IDX] == NULL) ? SSL_3DES : 0;
739	*enc \|= (ssl_cipher_methods[SSL_ENC_RC4_IDX ] == NULL) ? SSL_RC4 : 0;	749	*enc \|= (ssl_cipher_methods[SSL_ENC_RC4_IDX ] == NULL) ? SSL_RC4 : 0;
@@ -1684,8 +1694,8 @@ ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n)
1684	SSL_COMP *ctmp;	1694	SSL_COMP *ctmp;
1685	int i, nn;	1695	int i, nn;
1686		1696
1687	if ((n == 0)	1697	if ((n == 0) \|\| (sk == NULL))
1688	\|\| (sk == NULL)) return (NULL);	1698	return (NULL);
1689	nn = sk_SSL_COMP_num(sk);	1699	nn = sk_SSL_COMP_num(sk);
1690	for (i = 0; i < nn; i++) {	1700	for (i = 0; i < nn; i++) {
1691	ctmp = sk_SSL_COMP_value(sk, i);	1701	ctmp = sk_SSL_COMP_value(sk, i);


diff --git a/src/lib/libssl/src/ssl/ssl_err.c b/src/lib/libssl/src/ssl/ssl_err.c index 67ba3c7699..7bea7fafa1 100644 --- a/src/lib/libssl/src/ssl/ssl_err.c +++ b/src/lib/libssl/src/ssl/ssl_err.c
@@ -344,6 +344,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= {
344	{ERR_REASON(SSL_R_CERT_LENGTH_MISMATCH) , "cert length mismatch"},	344	{ERR_REASON(SSL_R_CERT_LENGTH_MISMATCH) , "cert length mismatch"},
345	{ERR_REASON(SSL_R_CHALLENGE_IS_DIFFERENT), "challenge is different"},	345	{ERR_REASON(SSL_R_CHALLENGE_IS_DIFFERENT), "challenge is different"},
346	{ERR_REASON(SSL_R_CIPHER_CODE_WRONG_LENGTH), "cipher code wrong length"},	346	{ERR_REASON(SSL_R_CIPHER_CODE_WRONG_LENGTH), "cipher code wrong length"},
		347	{ERR_REASON(SSL_R_CIPHER_COMPRESSION_UNAVAILABLE), "cipher compression unavailable"},
347	{ERR_REASON(SSL_R_CIPHER_OR_HASH_UNAVAILABLE), "cipher or hash unavailable"},	348	{ERR_REASON(SSL_R_CIPHER_OR_HASH_UNAVAILABLE), "cipher or hash unavailable"},
348	{ERR_REASON(SSL_R_CIPHER_TABLE_SRC_ERROR), "cipher table src error"},	349	{ERR_REASON(SSL_R_CIPHER_TABLE_SRC_ERROR), "cipher table src error"},
349	{ERR_REASON(SSL_R_CLIENTHELLO_TLSEXT) , "clienthello tlsext"},	350	{ERR_REASON(SSL_R_CLIENTHELLO_TLSEXT) , "clienthello tlsext"},


diff --git a/src/lib/libssl/src/ssl/ssl_locl.h b/src/lib/libssl/src/ssl/ssl_locl.h index 3a4656ef62..06f37b69e6 100644 --- a/src/lib/libssl/src/ssl/ssl_locl.h +++ b/src/lib/libssl/src/ssl/ssl_locl.h
@@ -599,9 +599,9 @@ STACK_OF(SSL_CIPHER) ssl_create_cipher_list(const SSL_METHOD meth,
599	STACK_OF(SSL_CIPHER) pref, STACK_OF(SSL_CIPHER) sorted,	599	STACK_OF(SSL_CIPHER) pref, STACK_OF(SSL_CIPHER) sorted,
600	const char *rule_str);	600	const char *rule_str);
601	void ssl_update_cache(SSL *s, int mode);	601	void ssl_update_cache(SSL *s, int mode);
		602	int ssl_cipher_get_comp(const SSL_SESSION s, SSL_COMP *comp);
602	int ssl_cipher_get_evp(const SSL_SESSION s, const EVP_CIPHER *enc,	603	int ssl_cipher_get_evp(const SSL_SESSION s, const EVP_CIPHER *enc,
603	const EVP_MD *md, int mac_pkey_type, int *mac_secret_size,	604	const EVP_MD *md, int mac_pkey_type, int *mac_secret_size);
604	SSL_COMP **comp);
605	int ssl_get_handshake_digest(int i, long mask, const EVP_MD *md);	605	int ssl_get_handshake_digest(int i, long mask, const EVP_MD *md);
606		606
607	int ssl_verify_cert_chain(SSL s, STACK_OF(X509) sk);	607	int ssl_verify_cert_chain(SSL s, STACK_OF(X509) sk);


diff --git a/src/lib/libssl/src/ssl/ssl_txt.c b/src/lib/libssl/src/ssl/ssl_txt.c index 01dd846596..734e0c0755 100644 --- a/src/lib/libssl/src/ssl/ssl_txt.c +++ b/src/lib/libssl/src/ssl/ssl_txt.c
@@ -190,7 +190,9 @@ SSL_SESSION_print(BIO bp, const SSL_SESSION x)
190	if (x->compress_meth != 0) {	190	if (x->compress_meth != 0) {
191	SSL_COMP *comp = NULL;	191	SSL_COMP *comp = NULL;
192		192
193	ssl_cipher_get_evp(x, NULL, NULL, NULL, NULL, &comp);	193	if (!ssl_cipher_get_comp(x, &comp))
		194	goto err;
		195
194	if (comp == NULL) {	196	if (comp == NULL) {
195	if (BIO_printf(bp, "\n Compression: %d", x->compress_meth) <= 0)	197	if (BIO_printf(bp, "\n Compression: %d", x->compress_meth) <= 0)
196	goto err;	198	goto err;


diff --git a/src/lib/libssl/src/ssl/t1_enc.c b/src/lib/libssl/src/ssl/t1_enc.c index 2599122078..5f17a4a94a 100644 --- a/src/lib/libssl/src/ssl/t1_enc.c +++ b/src/lib/libssl/src/ssl/t1_enc.c
@@ -532,12 +532,19 @@ tls1_setup_key_block(SSL *s)
532	int mac_type = NID_undef, mac_secret_size = 0;	532	int mac_type = NID_undef, mac_secret_size = 0;
533	int ret = 0;	533	int ret = 0;
534		534
535
536	if (s->s3->tmp.key_block_length != 0)	535	if (s->s3->tmp.key_block_length != 0)
537	return (1);	536	return (1);
538		537
539	if (!ssl_cipher_get_evp(s->session, &c, &hash, &mac_type, &mac_secret_size, &comp)) {	538	if (!ssl_cipher_get_comp(s->session, &comp)) {
540	SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);	539	SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,
		540	SSL_R_CIPHER_COMPRESSION_UNAVAILABLE);
		541	return (0);
		542	}
		543
		544	if (!ssl_cipher_get_evp(s->session, &c, &hash, &mac_type,
		545	&mac_secret_size)) {
		546	SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,
		547	SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
541	return (0);	548	return (0);
542	}	549	}
543		550


diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h index 9744d9783c..6765e3560a 100644 --- a/src/lib/libssl/ssl.h +++ b/src/lib/libssl/ssl.h
@@ -2197,6 +2197,7 @@ void ERR_load_SSL_strings(void);
2197	#define SSL_R_CERT_LENGTH_MISMATCH 135	2197	#define SSL_R_CERT_LENGTH_MISMATCH 135
2198	#define SSL_R_CHALLENGE_IS_DIFFERENT 136	2198	#define SSL_R_CHALLENGE_IS_DIFFERENT 136
2199	#define SSL_R_CIPHER_CODE_WRONG_LENGTH 137	2199	#define SSL_R_CIPHER_CODE_WRONG_LENGTH 137
		2200	#define SSL_R_CIPHER_COMPRESSION_UNAVAILABLE 371
2200	#define SSL_R_CIPHER_OR_HASH_UNAVAILABLE 138	2201	#define SSL_R_CIPHER_OR_HASH_UNAVAILABLE 138
2201	#define SSL_R_CIPHER_TABLE_SRC_ERROR 139	2202	#define SSL_R_CIPHER_TABLE_SRC_ERROR 139
2202	#define SSL_R_CLIENTHELLO_TLSEXT 226	2203	#define SSL_R_CLIENTHELLO_TLSEXT 226


diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c index 4ae3312a1a..bd939b7563 100644 --- a/src/lib/libssl/ssl_ciph.c +++ b/src/lib/libssl/ssl_ciph.c
@@ -481,33 +481,45 @@ load_builtin_compressions(void)
481	}	481	}
482	#endif	482	#endif
483		483
		484	/* ssl_cipher_get_comp sets comp to the correct SSL_COMP for the given
		485	* session and returns 1. On error it returns 0. */
484	int	486	int
485	ssl_cipher_get_evp(const SSL_SESSION s, const EVP_CIPHER *enc,	487	ssl_cipher_get_comp(const SSL_SESSION s, SSL_COMP *comp)
486	const EVP_MD *md, int mac_pkey_type, int mac_secret_size, SSL_COMP *comp)
487	{	488	{
		489	SSL_COMP ctmp;
488	int i;	490	int i;
489	const SSL_CIPHER *c;
490		491
491	c = s->cipher;
492	if (c == NULL)
493	return (0);
494	if (comp != NULL) {
495	SSL_COMP ctmp;
496	#ifndef OPENSSL_NO_COMP	492	#ifndef OPENSSL_NO_COMP
497	load_builtin_compressions();	493	load_builtin_compressions();
498	#endif	494	#endif
499		495
500	*comp = NULL;	496	*comp = NULL;
501	ctmp.id = s->compress_meth;	497	if (s->compress_meth == 0)
502	if (ssl_comp_methods != NULL) {	498	return 1;
503	i = sk_SSL_COMP_find(ssl_comp_methods, &ctmp);	499	if (ssl_comp_methods == NULL)
504	if (i >= 0)	500	return 0;
505	*comp = sk_SSL_COMP_value(ssl_comp_methods, i);	501
506	else	502	ctmp.id = s->compress_meth;
507	*comp = NULL;	503	i = sk_SSL_COMP_find(ssl_comp_methods, &ctmp);
508	}	504	if (i >= 0) {
		505	*comp = sk_SSL_COMP_value(ssl_comp_methods, i);
		506	return 1;
509	}	507	}
510		508
		509	return 0;
		510	}
		511
		512	int
		513	ssl_cipher_get_evp(const SSL_SESSION s, const EVP_CIPHER *enc,
		514	const EVP_MD *md, int mac_pkey_type, int *mac_secret_size)
		515	{
		516	const SSL_CIPHER *c;
		517	int i;
		518
		519	c = s->cipher;
		520	if (c == NULL)
		521	return (0);
		522
511	if ((enc == NULL) \|\| (md == NULL))	523	if ((enc == NULL) \|\| (md == NULL))
512	return (0);	524	return (0);
513		525
@@ -732,8 +744,6 @@ ssl_cipher_get_disabled(unsigned long mkey, unsigned long auth, unsigned long
732	*enc \|= SSL_eNULL;	744	*enc \|= SSL_eNULL;
733	#endif	745	#endif
734		746
735
736
737	*enc \|= (ssl_cipher_methods[SSL_ENC_DES_IDX ] == NULL) ? SSL_DES : 0;	747	*enc \|= (ssl_cipher_methods[SSL_ENC_DES_IDX ] == NULL) ? SSL_DES : 0;
738	*enc \|= (ssl_cipher_methods[SSL_ENC_3DES_IDX] == NULL) ? SSL_3DES : 0;	748	*enc \|= (ssl_cipher_methods[SSL_ENC_3DES_IDX] == NULL) ? SSL_3DES : 0;
739	*enc \|= (ssl_cipher_methods[SSL_ENC_RC4_IDX ] == NULL) ? SSL_RC4 : 0;	749	*enc \|= (ssl_cipher_methods[SSL_ENC_RC4_IDX ] == NULL) ? SSL_RC4 : 0;
@@ -1684,8 +1694,8 @@ ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n)
1684	SSL_COMP *ctmp;	1694	SSL_COMP *ctmp;
1685	int i, nn;	1695	int i, nn;
1686		1696
1687	if ((n == 0)	1697	if ((n == 0) \|\| (sk == NULL))
1688	\|\| (sk == NULL)) return (NULL);	1698	return (NULL);
1689	nn = sk_SSL_COMP_num(sk);	1699	nn = sk_SSL_COMP_num(sk);
1690	for (i = 0; i < nn; i++) {	1700	for (i = 0; i < nn; i++) {
1691	ctmp = sk_SSL_COMP_value(sk, i);	1701	ctmp = sk_SSL_COMP_value(sk, i);


diff --git a/src/lib/libssl/ssl_err.c b/src/lib/libssl/ssl_err.c index 67ba3c7699..7bea7fafa1 100644 --- a/src/lib/libssl/ssl_err.c +++ b/src/lib/libssl/ssl_err.c
@@ -344,6 +344,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= {
344	{ERR_REASON(SSL_R_CERT_LENGTH_MISMATCH) , "cert length mismatch"},	344	{ERR_REASON(SSL_R_CERT_LENGTH_MISMATCH) , "cert length mismatch"},
345	{ERR_REASON(SSL_R_CHALLENGE_IS_DIFFERENT), "challenge is different"},	345	{ERR_REASON(SSL_R_CHALLENGE_IS_DIFFERENT), "challenge is different"},
346	{ERR_REASON(SSL_R_CIPHER_CODE_WRONG_LENGTH), "cipher code wrong length"},	346	{ERR_REASON(SSL_R_CIPHER_CODE_WRONG_LENGTH), "cipher code wrong length"},
		347	{ERR_REASON(SSL_R_CIPHER_COMPRESSION_UNAVAILABLE), "cipher compression unavailable"},
347	{ERR_REASON(SSL_R_CIPHER_OR_HASH_UNAVAILABLE), "cipher or hash unavailable"},	348	{ERR_REASON(SSL_R_CIPHER_OR_HASH_UNAVAILABLE), "cipher or hash unavailable"},
348	{ERR_REASON(SSL_R_CIPHER_TABLE_SRC_ERROR), "cipher table src error"},	349	{ERR_REASON(SSL_R_CIPHER_TABLE_SRC_ERROR), "cipher table src error"},
349	{ERR_REASON(SSL_R_CLIENTHELLO_TLSEXT) , "clienthello tlsext"},	350	{ERR_REASON(SSL_R_CLIENTHELLO_TLSEXT) , "clienthello tlsext"},


diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h index 3a4656ef62..06f37b69e6 100644 --- a/src/lib/libssl/ssl_locl.h +++ b/src/lib/libssl/ssl_locl.h
@@ -599,9 +599,9 @@ STACK_OF(SSL_CIPHER) ssl_create_cipher_list(const SSL_METHOD meth,
599	STACK_OF(SSL_CIPHER) pref, STACK_OF(SSL_CIPHER) sorted,	599	STACK_OF(SSL_CIPHER) pref, STACK_OF(SSL_CIPHER) sorted,
600	const char *rule_str);	600	const char *rule_str);
601	void ssl_update_cache(SSL *s, int mode);	601	void ssl_update_cache(SSL *s, int mode);
		602	int ssl_cipher_get_comp(const SSL_SESSION s, SSL_COMP *comp);
602	int ssl_cipher_get_evp(const SSL_SESSION s, const EVP_CIPHER *enc,	603	int ssl_cipher_get_evp(const SSL_SESSION s, const EVP_CIPHER *enc,
603	const EVP_MD *md, int mac_pkey_type, int *mac_secret_size,	604	const EVP_MD *md, int mac_pkey_type, int *mac_secret_size);
604	SSL_COMP **comp);
605	int ssl_get_handshake_digest(int i, long mask, const EVP_MD *md);	605	int ssl_get_handshake_digest(int i, long mask, const EVP_MD *md);
606		606
607	int ssl_verify_cert_chain(SSL s, STACK_OF(X509) sk);	607	int ssl_verify_cert_chain(SSL s, STACK_OF(X509) sk);


diff --git a/src/lib/libssl/ssl_txt.c b/src/lib/libssl/ssl_txt.c index 01dd846596..734e0c0755 100644 --- a/src/lib/libssl/ssl_txt.c +++ b/src/lib/libssl/ssl_txt.c
@@ -190,7 +190,9 @@ SSL_SESSION_print(BIO bp, const SSL_SESSION x)
190	if (x->compress_meth != 0) {	190	if (x->compress_meth != 0) {
191	SSL_COMP *comp = NULL;	191	SSL_COMP *comp = NULL;
192		192
193	ssl_cipher_get_evp(x, NULL, NULL, NULL, NULL, &comp);	193	if (!ssl_cipher_get_comp(x, &comp))
		194	goto err;
		195
194	if (comp == NULL) {	196	if (comp == NULL) {
195	if (BIO_printf(bp, "\n Compression: %d", x->compress_meth) <= 0)	197	if (BIO_printf(bp, "\n Compression: %d", x->compress_meth) <= 0)
196	goto err;	198	goto err;


diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c index 2599122078..5f17a4a94a 100644 --- a/src/lib/libssl/t1_enc.c +++ b/src/lib/libssl/t1_enc.c
@@ -532,12 +532,19 @@ tls1_setup_key_block(SSL *s)
532	int mac_type = NID_undef, mac_secret_size = 0;	532	int mac_type = NID_undef, mac_secret_size = 0;
533	int ret = 0;	533	int ret = 0;
534		534
535
536	if (s->s3->tmp.key_block_length != 0)	535	if (s->s3->tmp.key_block_length != 0)
537	return (1);	536	return (1);
538		537
539	if (!ssl_cipher_get_evp(s->session, &c, &hash, &mac_type, &mac_secret_size, &comp)) {	538	if (!ssl_cipher_get_comp(s->session, &comp)) {
540	SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);	539	SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,
		540	SSL_R_CIPHER_COMPRESSION_UNAVAILABLE);
		541	return (0);
		542	}
		543
		544	if (!ssl_cipher_get_evp(s->session, &c, &hash, &mac_type,
		545	&mac_secret_size)) {
		546	SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,
		547	SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
541	return (0);	548	return (0);
542	}	549	}
543		550