authorbeck <>2000-03-19 11:13:58 +0000
committerbeck <>2000-03-19 11:13:58 +0000
commit796d609550df3a33fc11468741c5d2f6d3df4c11 (patch)
tree6c6d539061caa20372dad0ac4ddb1dfae2fbe7fe /src/lib/libssl/s3_clnt.c
parent5be3114c1fd7e0dfea1e38d3abb4cbba75244419 (diff)
OpenSSL 0.9.5 merge
*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2. If you are using the ssl26 packages for ssh and other things to work, you will need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs
Diffstat (limited to 'src/lib/libssl/s3_clnt.c')
-rw-r--r--src/lib/libssl/s3_clnt.c43
1 files changed, 21 insertions, 22 deletions
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index d3e6b4d1e5..279d2c0198 100644
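--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -110,7 +110,7 @@ int ssl3_connect(SSL *s)
 int ret= -1;
 int new_state,state,skip=0;;
 
-RAND_seed(&Time,sizeof(Time));
+RAND_add(&Time,sizeof(Time),0);
 ERR_clear_error();
 clear_sys_error();
 
@@ -325,8 +325,8 @@ int ssl3_connect(SSL *s)
 case SSL3_ST_CW_FINISHED_B:
 ret=ssl3_send_finished(s,
 SSL3_ST_CW_FINISHED_A,SSL3_ST_CW_FINISHED_B,
-s->method->ssl3_enc->client_finished,
-s->method->ssl3_enc->client_finished_len);
+s->method->ssl3_enc->client_finished_label,
+s->method->ssl3_enc->client_finished_label_len);
 if (ret <= 0) goto end;
 s->state=SSL3_ST_CW_FLUSH;
 
@@ -466,7 +466,7 @@ static int ssl3_client_hello(SSL *s)
 p=s->s3->client_random;
 Time=time(NULL); /* Time */
 l2n(Time,p);
-RAND_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
+RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
 
 /* Do the message type and length last */
 d=p= &(buf[4]);
@@ -1053,15 +1053,15 @@ static int ssl3_get_key_exchange(SSL *s)
 q+=i;
 j+=i;
 }
-i=RSA_public_decrypt((int)n,p,p,pkey->pkey.rsa,
-RSA_PKCS1_PADDING);
-if (i <= 0)
+i=RSA_verify(NID_md5_sha1, md_buf, j, p, n,
+pkey->pkey.rsa);
+if (i < 0)
 {
 al=SSL_AD_DECRYPT_ERROR;
 SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);
 goto f_err;
 }
-if ((j != i) || (memcmp(p,md_buf,i) != 0))
+if (i == 0)
 {
 /* bad signature */
 al=SSL_AD_DECRYPT_ERROR;
@@ -1225,7 +1225,7 @@ fclose(out);
 
 if ((xn=d2i_X509_NAME(NULL,&q,l)) == NULL)
 {
-/* If netscape tollerance is on, ignore errors */
+/* If netscape tolerance is on, ignore errors */
 if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG)
 goto cont;
 else
@@ -1258,7 +1258,7 @@ cont:
 ERR_clear_error();
 }
 
-/* we should setup a certficate to return.... */
+/* we should setup a certificate to return.... */
 s->s3->tmp.cert_req=1;
 s->s3->tmp.ctype_num=ctype_num;
 if (s->s3->tmp.ca_names != NULL)
@@ -1341,7 +1341,8 @@ static int ssl3_send_client_key_exchange(SSL *s)
 
 tmp_buf[0]=s->client_version>>8;
 tmp_buf[1]=s->client_version&0xff;
-RAND_bytes(&(tmp_buf[2]),SSL_MAX_MASTER_KEY_LENGTH-2);
+if (RAND_bytes(&(tmp_buf[2]),SSL_MAX_MASTER_KEY_LENGTH-2) <= 0)
+goto err;
 
 s->session->master_key_length=SSL_MAX_MASTER_KEY_LENGTH;
 
@@ -1460,7 +1461,7 @@ static int ssl3_send_client_verify(SSL *s)
 unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
 EVP_PKEY *pkey;
 #ifndef NO_RSA
-int i=0;
+unsigned u=0;
 #endif
 unsigned long n;
 #ifndef NO_DSA
@@ -1481,17 +1482,15 @@ static int ssl3_send_client_verify(SSL *s)
 {
 s->method->ssl3_enc->cert_verify_mac(s,
 &(s->s3->finish_dgst1),&(data[0]));
-i=RSA_private_encrypt(
-MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH,
-data,&(p[2]),pkey->pkey.rsa,
-RSA_PKCS1_PADDING);
-if (i <= 0)
+if (RSA_sign(NID_md5_sha1, data,
+MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH,
+&(p[2]), &u, pkey->pkey.rsa) <= 0 )
 {
 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_RSA_LIB);
 goto err;
 }
-s2n(i,p);
-n=i+2;
+s2n(u,p);
+n=u+2;
 }
 else
 #endif
@@ -1689,13 +1688,13 @@ static int ssl3_check_cert_and_algorithm(SSL *s)
 #endif
 #endif
 
-if (SSL_IS_EXPORT(algs) && !has_bits(i,EVP_PKT_EXP))
+if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i,EVP_PKT_EXP))
 {
 #ifndef NO_RSA
 if (algs & SSL_kRSA)
 {
 if (rsa == NULL
-|| RSA_size(rsa) > SSL_EXPORT_PKEYLENGTH(algs))
+|| RSA_size(rsa) > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher))
 {
 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_RSA_KEY);
 goto f_err;
@@ -1707,7 +1706,7 @@ static int ssl3_check_cert_and_algorithm(SSL *s)
 if (algs & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
 {
 if (dh == NULL
-|| DH_size(dh) > SSL_C_EXPORT_PKEYLENGTH(algs))
+|| DH_size(dh) > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher))
 {
 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_DH_KEY);
 goto f_err;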
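Review bot: In the ssl3_client_hello hunk the new `RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));` call discards its return value, while this same commit starts checking `RAND_bytes` in ssl3_send_client_key_exchange. RAND_pseudo_bytes returns -1 when the active RAND method does not support it, and in that case the client_random bytes after the timestamp would be sent as whatever the buffer already held. I would write `if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time)) < 0) goto err;`, assuming the function has an `err` label; its body continues outside the hunk. Separately, the length is derived from `sizeof(Time)` although `l2n` advances `p` by four bytes, so if Time is declared wider than that (its declaration is not visible here) the tail of client_random is never filled, and `SSL3_RANDOM_SIZE-4` would be the safer length.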