diff options
| author | djm <> | 2009-01-09 12:14:11 +0000 |
|---|---|---|
| committer | djm <> | 2009-01-09 12:14:11 +0000 |
| commit | a0fdc9ec41594852f67ec77dfad9cb06bacc4186 (patch) | |
| tree | c43f6b3a4d93ad2cb3dcf93275295679d895a033 /src/lib/libssl/s3_clnt.c | |
| parent | 5a3c0a05c7f2c5d3c584b7c8d6aec836dd724c80 (diff) | |
| download | openbsd-a0fdc9ec41594852f67ec77dfad9cb06bacc4186.tar.gz openbsd-a0fdc9ec41594852f67ec77dfad9cb06bacc4186.tar.bz2 openbsd-a0fdc9ec41594852f67ec77dfad9cb06bacc4186.zip | |
import openssl-0.9.8j
Diffstat (limited to 'src/lib/libssl/s3_clnt.c')
| -rw-r--r-- | src/lib/libssl/s3_clnt.c | 52 |
1 files changed, 39 insertions, 13 deletions
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c index f6864cdc50..5fd3520caf 100644 --- a/src/lib/libssl/s3_clnt.c +++ b/src/lib/libssl/s3_clnt.c | |||
| @@ -130,10 +130,17 @@ | |||
| 130 | #include <openssl/objects.h> | 130 | #include <openssl/objects.h> |
| 131 | #include <openssl/evp.h> | 131 | #include <openssl/evp.h> |
| 132 | #include <openssl/md5.h> | 132 | #include <openssl/md5.h> |
| 133 | #ifdef OPENSSL_FIPS | ||
| 134 | #include <openssl/fips.h> | ||
| 135 | #endif | ||
| 136 | |||
| 133 | #ifndef OPENSSL_NO_DH | 137 | #ifndef OPENSSL_NO_DH |
| 134 | #include <openssl/dh.h> | 138 | #include <openssl/dh.h> |
| 135 | #endif | 139 | #endif |
| 136 | #include <openssl/bn.h> | 140 | #include <openssl/bn.h> |
| 141 | #ifndef OPENSSL_NO_ENGINE | ||
| 142 | #include <openssl/engine.h> | ||
| 143 | #endif | ||
| 137 | 144 | ||
| 138 | static SSL_METHOD *ssl3_get_client_method(int ver); | 145 | static SSL_METHOD *ssl3_get_client_method(int ver); |
| 139 | static int ca_dn_cmp(const X509_NAME * const *a,const X509_NAME * const *b); | 146 | static int ca_dn_cmp(const X509_NAME * const *a,const X509_NAME * const *b); |
| @@ -965,7 +972,7 @@ int ssl3_get_server_certificate(SSL *s) | |||
| 965 | } | 972 | } |
| 966 | 973 | ||
| 967 | i=ssl_verify_cert_chain(s,sk); | 974 | i=ssl_verify_cert_chain(s,sk); |
| 968 | if ((s->verify_mode != SSL_VERIFY_NONE) && (!i) | 975 | if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0) |
| 969 | #ifndef OPENSSL_NO_KRB5 | 976 | #ifndef OPENSSL_NO_KRB5 |
| 970 | && (s->s3->tmp.new_cipher->algorithms & (SSL_MKEY_MASK|SSL_AUTH_MASK)) | 977 | && (s->s3->tmp.new_cipher->algorithms & (SSL_MKEY_MASK|SSL_AUTH_MASK)) |
| 971 | != (SSL_aKRB5|SSL_kKRB5) | 978 | != (SSL_aKRB5|SSL_kKRB5) |
| @@ -999,7 +1006,7 @@ int ssl3_get_server_certificate(SSL *s) | |||
| 999 | == (SSL_aKRB5|SSL_kKRB5))? 0: 1; | 1006 | == (SSL_aKRB5|SSL_kKRB5))? 0: 1; |
| 1000 | 1007 | ||
| 1001 | #ifdef KSSL_DEBUG | 1008 | #ifdef KSSL_DEBUG |
| 1002 | printf("pkey,x = %p, %p\n", pkey,x); | 1009 | printf("pkey,x = %p, %p\n", (void *)pkey,(void *)x); |
| 1003 | printf("ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x,pkey)); | 1010 | printf("ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x,pkey)); |
| 1004 | printf("cipher, alg, nc = %s, %lx, %d\n", s->s3->tmp.new_cipher->name, | 1011 | printf("cipher, alg, nc = %s, %lx, %d\n", s->s3->tmp.new_cipher->name, |
| 1005 | s->s3->tmp.new_cipher->algorithms, need_cert); | 1012 | s->s3->tmp.new_cipher->algorithms, need_cert); |
| @@ -1415,6 +1422,8 @@ int ssl3_get_key_exchange(SSL *s) | |||
| 1415 | q=md_buf; | 1422 | q=md_buf; |
| 1416 | for (num=2; num > 0; num--) | 1423 | for (num=2; num > 0; num--) |
| 1417 | { | 1424 | { |
| 1425 | EVP_MD_CTX_set_flags(&md_ctx, | ||
| 1426 | EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); | ||
| 1418 | EVP_DigestInit_ex(&md_ctx,(num == 2) | 1427 | EVP_DigestInit_ex(&md_ctx,(num == 2) |
| 1419 | ?s->ctx->md5:s->ctx->sha1, NULL); | 1428 | ?s->ctx->md5:s->ctx->sha1, NULL); |
| 1420 | EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); | 1429 | EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); |
| @@ -1450,7 +1459,7 @@ int ssl3_get_key_exchange(SSL *s) | |||
| 1450 | EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); | 1459 | EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); |
| 1451 | EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); | 1460 | EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); |
| 1452 | EVP_VerifyUpdate(&md_ctx,param,param_len); | 1461 | EVP_VerifyUpdate(&md_ctx,param,param_len); |
| 1453 | if (!EVP_VerifyFinal(&md_ctx,p,(int)n,pkey)) | 1462 | if (EVP_VerifyFinal(&md_ctx,p,(int)n,pkey) <= 0) |
| 1454 | { | 1463 | { |
| 1455 | /* bad signature */ | 1464 | /* bad signature */ |
| 1456 | al=SSL_AD_DECRYPT_ERROR; | 1465 | al=SSL_AD_DECRYPT_ERROR; |
| @@ -1468,7 +1477,7 @@ int ssl3_get_key_exchange(SSL *s) | |||
| 1468 | EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); | 1477 | EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); |
| 1469 | EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); | 1478 | EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); |
| 1470 | EVP_VerifyUpdate(&md_ctx,param,param_len); | 1479 | EVP_VerifyUpdate(&md_ctx,param,param_len); |
| 1471 | if (!EVP_VerifyFinal(&md_ctx,p,(int)n,pkey)) | 1480 | if (EVP_VerifyFinal(&md_ctx,p,(int)n,pkey) <= 0) |
| 1472 | { | 1481 | { |
| 1473 | /* bad signature */ | 1482 | /* bad signature */ |
| 1474 | al=SSL_AD_DECRYPT_ERROR; | 1483 | al=SSL_AD_DECRYPT_ERROR; |
| @@ -1768,7 +1777,7 @@ int ssl3_get_cert_status(SSL *s) | |||
| 1768 | goto f_err; | 1777 | goto f_err; |
| 1769 | } | 1778 | } |
| 1770 | n2l3(p, resplen); | 1779 | n2l3(p, resplen); |
| 1771 | if (resplen + 4 != n) | 1780 | if (resplen + 4 != (unsigned long)n) |
| 1772 | { | 1781 | { |
| 1773 | al = SSL_AD_DECODE_ERROR; | 1782 | al = SSL_AD_DECODE_ERROR; |
| 1774 | SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_LENGTH_MISMATCH); | 1783 | SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_LENGTH_MISMATCH); |
| @@ -2061,12 +2070,12 @@ int ssl3_send_client_key_exchange(SSL *s) | |||
| 2061 | { | 2070 | { |
| 2062 | DH *dh_srvr,*dh_clnt; | 2071 | DH *dh_srvr,*dh_clnt; |
| 2063 | 2072 | ||
| 2064 | if (s->session->sess_cert == NULL) | 2073 | if (s->session->sess_cert == NULL) |
| 2065 | { | 2074 | { |
| 2066 | ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); | 2075 | ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); |
| 2067 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); | 2076 | SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); |
| 2068 | goto err; | 2077 | goto err; |
| 2069 | } | 2078 | } |
| 2070 | 2079 | ||
| 2071 | if (s->session->sess_cert->peer_dh_tmp != NULL) | 2080 | if (s->session->sess_cert->peer_dh_tmp != NULL) |
| 2072 | dh_srvr=s->session->sess_cert->peer_dh_tmp; | 2081 | dh_srvr=s->session->sess_cert->peer_dh_tmp; |
| @@ -2448,8 +2457,7 @@ int ssl3_send_client_certificate(SSL *s) | |||
| 2448 | * ssl->rwstate=SSL_X509_LOOKUP; return(-1); | 2457 | * ssl->rwstate=SSL_X509_LOOKUP; return(-1); |
| 2449 | * We then get retied later */ | 2458 | * We then get retied later */ |
| 2450 | i=0; | 2459 | i=0; |
| 2451 | if (s->ctx->client_cert_cb != NULL) | 2460 | i = ssl_do_client_cert_cb(s, &x509, &pkey); |
| 2452 | i=s->ctx->client_cert_cb(s,&(x509),&(pkey)); | ||
| 2453 | if (i < 0) | 2461 | if (i < 0) |
| 2454 | { | 2462 | { |
| 2455 | s->rwstate=SSL_X509_LOOKUP; | 2463 | s->rwstate=SSL_X509_LOOKUP; |
| @@ -2716,3 +2724,21 @@ static int ssl3_check_finished(SSL *s) | |||
| 2716 | return 1; | 2724 | return 1; |
| 2717 | } | 2725 | } |
| 2718 | #endif | 2726 | #endif |
| 2727 | |||
| 2728 | int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey) | ||
| 2729 | { | ||
| 2730 | int i = 0; | ||
| 2731 | #ifndef OPENSSL_NO_ENGINE | ||
| 2732 | if (s->ctx->client_cert_engine) | ||
| 2733 | { | ||
| 2734 | i = ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s, | ||
| 2735 | SSL_get_client_CA_list(s), | ||
| 2736 | px509, ppkey, NULL, NULL, NULL); | ||
| 2737 | if (i != 0) | ||
| 2738 | return i; | ||
| 2739 | } | ||
| 2740 | #endif | ||
| 2741 | if (s->ctx->client_cert_cb) | ||
| 2742 | i = s->ctx->client_cert_cb(s,px509,ppkey); | ||
| 2743 | return i; | ||
| 2744 | } | ||