import openssl-0.9.7-beta3

author: markus <> 2002-09-05 22:44:52 +0000
committer: markus <> 2002-09-05 22:44:52 +0000
commit: 715a204e4615e4a70a466fcb383a9a57cad5e6b8 (patch)
tree: 2d2e93c4a34d1f7f04aba73706353332d7700641 /src/lib/libssl
parent: 15b5d84f9da2ce4bfae8580e56e34a859f74ad71 (diff)
download: openbsd-715a204e4615e4a70a466fcb383a9a57cad5e6b8.tar.gz
openbsd-715a204e4615e4a70a466fcb383a9a57cad5e6b8.tar.bz2
openbsd-715a204e4615e4a70a466fcb383a9a57cad5e6b8.zip
29 files changed, 186 insertions, 75 deletions
diff --git a/src/lib/libssl/s23_clnt.c b/src/lib/libssl/s23_clnt.c
index b2be8340fb..019e9aecee 100644
--- a/src/lib/libssl/s23_clnt.c
+++ b/src/lib/libssl/s23_clnt.c
@@ -57,11 +57,11 @@
 */
 #include <stdio.h>
+#include "ssl_locl.h"
 #include <openssl/buffer.h>
 #include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
-#include "ssl_locl.h"
 static SSL_METHOD *ssl23_get_client_method(int ver);
 static int ssl23_client_hello(SSL *s);
diff --git a/src/lib/libssl/s23_pkt.c b/src/lib/libssl/s23_pkt.c
index f45e1ce3d8..4ca6a1b258 100644
--- a/src/lib/libssl/s23_pkt.c
+++ b/src/lib/libssl/s23_pkt.c
@@ -59,9 +59,9 @@
 #include <stdio.h>
 #include <errno.h>
 #define USE_SOCKETS
+#include "ssl_locl.h"
 #include <openssl/evp.h>
 #include <openssl/buffer.h>
-#include "ssl_locl.h"
 int ssl23_write_bytes(SSL *s)
        {
diff --git a/src/lib/libssl/s23_srvr.c b/src/lib/libssl/s23_srvr.c
index 9e89cc7f9a..8743b61cbb 100644
--- a/src/lib/libssl/s23_srvr.c
+++ b/src/lib/libssl/s23_srvr.c
@@ -110,11 +110,11 @@
 */
 #include <stdio.h>
+#include "ssl_locl.h"
 #include <openssl/buffer.h>
 #include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
-#include "ssl_locl.h"
 static SSL_METHOD *ssl23_get_server_method(int ver);
 int ssl23_get_client_hello(SSL *s);
diff --git a/src/lib/libssl/s3_both.c b/src/lib/libssl/s3_both.c
index 58a24cd883..8864366f59 100644
--- a/src/lib/libssl/s3_both.c
+++ b/src/lib/libssl/s3_both.c
@@ -112,12 +112,12 @@
 #include <limits.h>
 #include <string.h>
 #include <stdio.h>
+#include "ssl_locl.h"
 #include <openssl/buffer.h>
 #include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
-#include "ssl_locl.h"
 /* send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or SSL3_RT_CHANGE_CIPHER_SPEC) */
 int ssl3_do_write(SSL *s, int type)
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index e5853ede95..2699b5863b 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -110,13 +110,14 @@
 */
 #include <stdio.h>
+#include "ssl_locl.h"
+#include "kssl_lcl.h"
 #include <openssl/buffer.h>
 #include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
-#include "ssl_locl.h"
-#include "kssl_lcl.h"
 #include <openssl/md5.h>
+#include "cryptlib.h"
 static SSL_METHOD *ssl3_get_client_method(int ver);
 static int ssl3_client_hello(SSL *s);
@@ -545,6 +546,7 @@ static int ssl3_client_hello(SSL *s)
                *(p++)=i;
                if (i != 0)
                        {
+                        die(i <= sizeof s->session->session_id);
                        memcpy(p,s->session->session_id,i);
                        p+=i;
                        }
@@ -626,6 +628,14 @@ static int ssl3_get_server_hello(SSL *s)
        /* get the session-id */
        j= *(p++);
+       if(j > sizeof s->session->session_id)
+               {
+               al=SSL_AD_ILLEGAL_PARAMETER;
+               SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
+                      SSL_R_SSL3_SESSION_ID_TOO_LONG);
+               goto f_err;
+               }
        if ((j != 0) && (j != SSL3_SESSION_ID_SIZE))
                {
                /* SSLref returns 16 :-( */
@@ -1588,6 +1598,7 @@ static int ssl3_send_client_key_exchange(SSL *s)
                                SSL_MAX_MASTER_KEY_LENGTH);
                        EVP_EncryptFinal_ex(&ciph_ctx,&(epms[outl]),&padl);
                        outl += padl;
+                        die(outl <= sizeof epms);
                        EVP_CIPHER_CTX_cleanup(&ciph_ctx);
                        /*  KerberosWrapper.EncryptedPreMasterSecret    */
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 686992406c..14b2f13ae2 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -129,7 +129,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_RSA_NULL_MD5,
        SSL3_CK_RSA_NULL_MD5,
        SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_MD5|SSL_SSLV3,
-        SSL_NOT_EXP,
+        SSL_NOT_EXP|SSL_STRONG_NONE,
        0,
        0,
        0,
@@ -142,7 +142,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_RSA_NULL_SHA,
        SSL3_CK_RSA_NULL_SHA,
        SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP,
+        SSL_NOT_EXP|SSL_STRONG_NONE,
        0,
        0,
        0,
@@ -490,7 +490,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_FZA_DMS_NULL_SHA,
        SSL3_CK_FZA_DMS_NULL_SHA,
        SSL_kFZA|SSL_aFZA |SSL_eNULL |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP,
+        SSL_NOT_EXP|SSL_STRONG_NONE,
        0,
        0,
        0,
@@ -504,7 +504,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_FZA_DMS_FZA_SHA,
        SSL3_CK_FZA_DMS_FZA_SHA,
        SSL_kFZA|SSL_aFZA |SSL_eFZA |SSL_SHA1|SSL_SSLV3,
-        SSL_NOT_EXP,
+        SSL_NOT_EXP|SSL_STRONG_NONE,
        0,
        0,
        0,
diff --git a/src/lib/libssl/s3_pkt.c b/src/lib/libssl/s3_pkt.c
index 43e8502b66..6ccea9aee5 100644
--- a/src/lib/libssl/s3_pkt.c
+++ b/src/lib/libssl/s3_pkt.c
@@ -112,9 +112,9 @@
 #include <stdio.h>
 #include <errno.h>
 #define USE_SOCKETS
+#include "ssl_locl.h"
 #include <openssl/evp.h>
 #include <openssl/buffer.h>
-#include "ssl_locl.h"
 static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
                         unsigned int len, int create_empty_fragment);
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index 99b6a86983..782b57f57a 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -114,15 +114,16 @@
 #include <stdio.h>
+#include "ssl_locl.h"
+#include "kssl_lcl.h"
 #include <openssl/buffer.h>
 #include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 #include <openssl/krb5_asn.h>
-#include "ssl_locl.h"
-#include "kssl_lcl.h"
 #include <openssl/md5.h>
+#include "cryptlib.h"
 static SSL_METHOD *ssl3_get_server_method(int ver);
 static int ssl3_get_client_hello(SSL *s);
@@ -964,6 +965,7 @@ static int ssl3_send_server_hello(SSL *s)
                        s->session->session_id_length=0;
                sl=s->session->session_id_length;
+                die(sl <= sizeof s->session->session_id);
                *(p++)=sl;
                memcpy(p,s->session->session_id,sl);
                p+=sl;
@@ -1559,8 +1561,8 @@ static int ssl3_get_client_key_exchange(SSL *s)
                EVP_CIPHER              *enc = NULL;
                unsigned char           iv[EVP_MAX_IV_LENGTH];
                unsigned char           pms[SSL_MAX_MASTER_KEY_LENGTH
-                                                + EVP_MAX_IV_LENGTH + 1];
+                                               + EVP_MAX_BLOCK_LENGTH];
-                int                     padl, outl = sizeof(pms);
+                int                     padl, outl;
                krb5_timestamp          authtime = 0;
                krb5_ticket_times       ttimes;
@@ -1583,6 +1585,16 @@ static int ssl3_get_client_key_exchange(SSL *s)
                enc_pms.data = (char *)p;
                p+=enc_pms.length;
+                /* Note that the length is checked again below,
+                ** after decryption
+                */
+                if(enc.pms_length > sizeof pms)
+                        {
+                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+                               SSL_R_DATA_LENGTH_TOO_LONG);
+                        goto err;
+                        }
                if (n != enc_ticket.length + authenticator.length +
                                                enc_pms.length + 6)
                        {
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index 833f761690..d9949e8eb2 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -253,7 +253,7 @@ extern "C" {
 #define SSL_TXT_RC4             "RC4"
 #define SSL_TXT_RC2             "RC2"
 #define SSL_TXT_IDEA            "IDEA"
-#define SSL_TXT_AES             "AESdraft" /* AES ciphersuites are not yet official (thus excluded from 'ALL') */
+#define SSL_TXT_AES             "AES"
 #define SSL_TXT_MD5             "MD5"
 #define SSL_TXT_SHA1            "SHA1"
 #define SSL_TXT_SHA             "SHA"
@@ -266,6 +266,23 @@ extern "C" {
 #define SSL_TXT_TLSV1           "TLSv1"
 #define SSL_TXT_ALL             "ALL"
+/*
+ * COMPLEMENTOF* definitions. These identifiers are used to (de-select)
+ * ciphers normally not being used.
+ * Example: "RC4" will activate all ciphers using RC4 including ciphers
+ * without authentication, which would normally disabled by DEFAULT (due
+ * the "!ADH" being part of default). Therefore "RC4:!COMPLEMENTOFDEFAULT"
+ * will make sure that it is also disabled in the specific selection.
+ * COMPLEMENTOF* identifiers are portable between version, as adjustments
+ * to the default cipher setup will also be included here.
+ *
+ * COMPLEMENTOFDEFAULT does not experience the same special treatment that
+ * DEFAULT gets, as only selection is being done and no sorting as needed
+ * for DEFAULT.
+ */
+#define SSL_TXT_CMPALL          "COMPLEMENTOFALL"
+#define SSL_TXT_CMPDEF          "COMPLEMENTOFDEFAULT"
 /* The following cipher list is used by default.
 * It also is substituted when an application-defined cipher list string
 * starts with 'DEFAULT'. */
@@ -429,6 +446,7 @@ typedef struct ssl_session_st
        struct ssl_session_st *prev,*next;
        } SSL_SESSION;
 #define SSL_OP_MICROSOFT_SESS_ID_BUG                    0x00000001L
 #define SSL_OP_NETSCAPE_CHALLENGE_BUG                   0x00000002L
 #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG         0x00000008L
@@ -439,6 +457,19 @@ typedef struct ssl_session_st
 #define SSL_OP_TLS_D5_BUG                               0x00000100L
 #define SSL_OP_TLS_BLOCK_PADDING_BUG                    0x00000200L
+/* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added
+ * in OpenSSL 0.9.6d.  Usually (depending on the application protocol)
+ * the workaround is not needed.  Unfortunately some broken SSL/TLS
+ * implementations cannot handle it at all, which is why we include
+ * it in SSL_OP_ALL. */
+#define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS              0x00000800L /* added in 0.9.6e */
+/* SSL_OP_ALL: various bug workarounds that should be rather harmless.
+ *             This used to be 0x000FFFFFL before 0.9.7. */
+#define SSL_OP_ALL                                      0x00000FFFL
+/* As server, disallow session resumption on renegotiation */
+#define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION   0x00010000L
 /* If set, always create a new key when using tmp_dh parameters */
 #define SSL_OP_SINGLE_DH_USE                            0x00100000L
 /* Set to always use the tmp_rsa key when doing RSA operations,
@@ -452,8 +483,10 @@ typedef struct ssl_session_st
 * (version 3.1) was announced in the client hello. Normally this is
 * forbidden to prevent version rollback attacks. */
 #define SSL_OP_TLS_ROLLBACK_BUG                         0x00800000L
-/* As server, disallow session resumption on renegotiation */
-#define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION   0x01000000L
+#define SSL_OP_NO_SSLv2                                 0x01000000L
+#define SSL_OP_NO_SSLv3                                 0x02000000L
+#define SSL_OP_NO_TLSv1                                 0x04000000L
 /* The next flag deliberately changes the ciphertest, this is a check
 * for the PKCS#1 attack */
@@ -461,11 +494,7 @@ typedef struct ssl_session_st
 #define SSL_OP_PKCS1_CHECK_2                            0x10000000L
 #define SSL_OP_NETSCAPE_CA_DN_BUG                       0x20000000L
 #define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG          0x40000000L
-#define SSL_OP_ALL                                      0x000FFFFFL
-#define SSL_OP_NO_SSLv2                                 0x01000000L
-#define SSL_OP_NO_SSLv3                                 0x02000000L
-#define SSL_OP_NO_TLSv1                                 0x04000000L
 /* Allow SSL_write(..., n) to return r with 0 < r < n (i.e. report success
 * when just a single record has been written): */
@@ -479,6 +508,7 @@ typedef struct ssl_session_st
 * is blocking: */
 #define SSL_MODE_AUTO_RETRY 0x00000004L
 /* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,
 * they cannot be used to clear bits. */
@@ -1637,6 +1667,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_INVALID_COMMAND                            280
 #define SSL_R_INVALID_PURPOSE                            278
 #define SSL_R_INVALID_TRUST                              279
+#define SSL_R_KEY_ARG_TOO_LONG                           1112
 #define SSL_R_KRB5                                       1104
 #define SSL_R_KRB5_C_CC_PRINC                            1094
 #define SSL_R_KRB5_C_GET_CRED                            1095
@@ -1716,6 +1747,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_SHORT_READ                                 219
 #define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE      220
 #define SSL_R_SSL23_DOING_SESSION_ID_REUSE               221
+#define SSL_R_SSL3_SESSION_ID_TOO_LONG                   1113
 #define SSL_R_SSL3_SESSION_ID_TOO_SHORT                  222
 #define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE                1042
 #define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC                 1020
diff --git a/src/lib/libssl/ssl_asn1.c b/src/lib/libssl/ssl_asn1.c
index c5eeeb6bc5..1638c6b525 100644
--- a/src/lib/libssl/ssl_asn1.c
+++ b/src/lib/libssl/ssl_asn1.c
@@ -58,10 +58,11 @@
 #include <stdio.h>
 #include <stdlib.h>
+#include "ssl_locl.h"
 #include <openssl/asn1_mac.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
-#include "ssl_locl.h"
+#include "cryptlib.h"
 typedef struct ssl_session_asn1_st
        {
@@ -296,6 +297,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp,
                os.length=i;
        ret->session_id_length=os.length;
+        die(os.length <= sizeof ret->session_id);
        memcpy(ret->session_id,os.data,os.length);
        M_ASN1_D2I_get(osp,d2i_ASN1_OCTET_STRING);
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
index cdd8dde128..37f58886a6 100644
--- a/src/lib/libssl/ssl_ciph.c
+++ b/src/lib/libssl/ssl_ciph.c
@@ -100,9 +100,10 @@ typedef struct cipher_order_st
        } CIPHER_ORDER;
 static const SSL_CIPHER cipher_aliases[]={
-        /* Don't include eNULL unless specifically enabled.
+        /* Don't include eNULL unless specifically enabled. */
-         * Similarly, don't include AES in ALL because these ciphers are not yet official. */
+        {0,SSL_TXT_ALL, 0,SSL_ALL & ~SSL_eNULL, SSL_ALL ,0,0,0,SSL_ALL,SSL_ALL}, /* must be first */
-        {0,SSL_TXT_ALL, 0,SSL_ALL & ~SSL_eNULL & ~SSL_AES, SSL_ALL ,0,0,0,SSL_ALL,SSL_ALL}, /* must be first */
+        {0,SSL_TXT_CMPALL,0,SSL_eNULL,0,0,0,0,SSL_ENC_MASK,0},  /* COMPLEMENT OF ALL */
+        {0,SSL_TXT_CMPDEF,0,SSL_ADH, 0,0,0,0,SSL_AUTH_MASK,0},
        {0,SSL_TXT_kKRB5,0,SSL_kKRB5,0,0,0,0,SSL_MKEY_MASK,0},  /* VRS Kerberos5 */
        {0,SSL_TXT_kRSA,0,SSL_kRSA,  0,0,0,0,SSL_MKEY_MASK,0},
        {0,SSL_TXT_kDHr,0,SSL_kDHr,  0,0,0,0,SSL_MKEY_MASK,0},
@@ -999,10 +1000,10 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
        case SSL_AES:
                switch(cipher->strength_bits)
                        {
-                case 128: enc="AESdraft(128)"; break;
+                case 128: enc="AES(128)"; break;
-                case 192: enc="AESdraft(192)"; break;
+                case 192: enc="AES(192)"; break;
-                case 256: enc="AESdraft(256)"; break;
+                case 256: enc="AES(256)"; break;
-                default: enc="AESdraft(?""?""?)"; break;
+                default: enc="AES(?""?""?)"; break;
                        }
                break;
        default:
diff --git a/src/lib/libssl/ssl_err.c b/src/lib/libssl/ssl_err.c
index c32c4ef6e9..0cad32c855 100644
--- a/src/lib/libssl/ssl_err.c
+++ b/src/lib/libssl/ssl_err.c
@@ -1,6 +1,6 @@
 /* ssl/ssl_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -275,6 +275,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {SSL_R_INVALID_COMMAND                   ,"invalid command"},
 {SSL_R_INVALID_PURPOSE                   ,"invalid purpose"},
 {SSL_R_INVALID_TRUST                     ,"invalid trust"},
+{SSL_R_KEY_ARG_TOO_LONG                  ,"key arg too long"},
 {SSL_R_KRB5                              ,"krb5"},
 {SSL_R_KRB5_C_CC_PRINC                   ,"krb5 client cc principal (no tkt?)"},
 {SSL_R_KRB5_C_GET_CRED                   ,"krb5 client get cred"},
@@ -354,6 +355,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {SSL_R_SHORT_READ                        ,"short read"},
 {SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE,"signature for non signing certificate"},
 {SSL_R_SSL23_DOING_SESSION_ID_REUSE      ,"ssl23 doing session id reuse"},
+{SSL_R_SSL3_SESSION_ID_TOO_LONG          ,"ssl3 session id too long"},
 {SSL_R_SSL3_SESSION_ID_TOO_SHORT         ,"ssl3 session id too short"},
 {SSL_R_SSLV3_ALERT_BAD_CERTIFICATE       ,"sslv3 alert bad certificate"},
 {SSL_R_SSLV3_ALERT_BAD_RECORD_MAC        ,"sslv3 alert bad record mac"},
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index df307a80c5..ab172aeaec 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -116,11 +116,11 @@
 #  include <assert.h>
 #endif
 #include <stdio.h>
+#include "ssl_locl.h"
+#include "kssl_lcl.h"
 #include <openssl/objects.h>
 #include <openssl/lhash.h>
 #include <openssl/x509v3.h>
-#include "ssl_locl.h"
-#include "kssl_lcl.h"
 const char *SSL_version_str=OPENSSL_VERSION_TEXT;
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 17e9bef832..fe4ac839cf 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -293,16 +293,17 @@
 #define SSL_NOT_EXP             0x00000001L
 #define SSL_EXPORT              0x00000002L
-#define SSL_STRONG_MASK         0x0000007cL
+#define SSL_STRONG_MASK         0x000000fcL
-#define SSL_EXP40               0x00000004L
+#define SSL_STRONG_NONE         0x00000004L
+#define SSL_EXP40               0x00000008L
 #define SSL_MICRO               (SSL_EXP40)
-#define SSL_EXP56               0x00000008L
+#define SSL_EXP56               0x00000010L
 #define SSL_MINI                (SSL_EXP56)
-#define SSL_LOW                 0x00000010L
+#define SSL_LOW                 0x00000020L
-#define SSL_MEDIUM              0x00000020L
+#define SSL_MEDIUM              0x00000040L
-#define SSL_HIGH                0x00000040L
+#define SSL_HIGH                0x00000080L
-/* we have used 0000007f - 25 bits left to go */
+/* we have used 000000ff - 24 bits left to go */
 /*
 * Macros to check the export status and cipher strength for export ciphers.
diff --git a/src/lib/libssl/ssl_rsa.c b/src/lib/libssl/ssl_rsa.c
index 1cf8e20934..03828b6632 100644
--- a/src/lib/libssl/ssl_rsa.c
+++ b/src/lib/libssl/ssl_rsa.c
@@ -57,12 +57,12 @@
 */
 #include <stdio.h>
+#include "ssl_locl.h"
 #include <openssl/bio.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
-#include "ssl_locl.h"
 static int ssl_set_cert(CERT *c, X509 *x509);
 static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey);
diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c
index 6424f775e2..8bfc382bb6 100644
--- a/src/lib/libssl/ssl_sess.c
+++ b/src/lib/libssl/ssl_sess.c
@@ -60,6 +60,7 @@
 #include <openssl/lhash.h>
 #include <openssl/rand.h>
 #include "ssl_locl.h"
+#include "cryptlib.h"
 static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
 static void SSL_SESSION_list_add(SSL_CTX *ctx,SSL_SESSION *s);
@@ -250,6 +251,7 @@ int ssl_get_new_session(SSL *s, int session)
                ss->session_id_length=0;
                }
+        die(s->sid_ctx_length <= sizeof ss->sid_ctx);
        memcpy(ss->sid_ctx,s->sid_ctx,s->sid_ctx_length);
        ss->sid_ctx_length=s->sid_ctx_length;
        s->session=ss;
diff --git a/src/lib/libssl/t1_clnt.c b/src/lib/libssl/t1_clnt.c
index 9745630a00..9ad518f9f4 100644
--- a/src/lib/libssl/t1_clnt.c
+++ b/src/lib/libssl/t1_clnt.c
@@ -57,11 +57,11 @@
 */
 #include <stdio.h>
+#include "ssl_locl.h"
 #include <openssl/buffer.h>
 #include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
-#include "ssl_locl.h"
 static SSL_METHOD *tls1_get_client_method(int ver);
 static SSL_METHOD *tls1_get_client_method(int ver)
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c
index b80525f3ba..5290bf6665 100644
--- a/src/lib/libssl/t1_enc.c
+++ b/src/lib/libssl/t1_enc.c
@@ -110,10 +110,10 @@
 */
 #include <stdio.h>
+#include "ssl_locl.h"
 #include <openssl/comp.h>
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
-#include "ssl_locl.h"
 #include <openssl/md5.h>
 static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
@@ -483,14 +483,25 @@ printf("\nkey block\n");
 { int z; for (z=0; z<num; z++) printf("%02X%c",p1[z],((z+1)%16)?' ':'\n'); }
 #endif
-        /* enable vulnerability countermeasure for CBC ciphers with
+        if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
-         * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt) */
+                {
-        s->s3->need_empty_fragments = 1;
+                /* enable vulnerability countermeasure for CBC ciphers with
-#ifndef NO_RC4
+                 * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt)
-        if ((s->session->cipher != NULL) && ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4))
+                 */
-                s->s3->need_empty_fragments = 0;
+                s->s3->need_empty_fragments = 1;
+                if (s->session->cipher != NULL)
+                        {
+                        if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_eNULL)
+                                s->s3->need_empty_fragments = 0;
+                        
+#ifndef OPENSSL_NO_RC4
+                        if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4)
+                                s->s3->need_empty_fragments = 0;
 #endif
-                
+                        }
+                }
        return(1);
 err:
        SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE);
diff --git a/src/lib/libssl/t1_srvr.c b/src/lib/libssl/t1_srvr.c
index 996b7ca8e2..6e765e587f 100644
--- a/src/lib/libssl/t1_srvr.c
+++ b/src/lib/libssl/t1_srvr.c
@@ -57,12 +57,12 @@
 */
 #include <stdio.h>
+#include "ssl_locl.h"
 #include <openssl/buffer.h>
 #include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
-#include "ssl_locl.h"
 static SSL_METHOD *tls1_get_server_method(int ver);
 static SSL_METHOD *tls1_get_server_method(int ver)
diff --git a/src/lib/libssl/test/tcrl b/src/lib/libssl/test/tcrl
index acaf8f3c47..f71ef7a863 100644
--- a/src/lib/libssl/test/tcrl
+++ b/src/lib/libssl/test/tcrl
@@ -1,6 +1,10 @@
 #!/bin/sh
-PATH=../apps:$PATH
+if test "$OSTYPE" = msdosdjgpp; then
+    PATH=../apps\;$PATH
+else
+    PATH=../apps:$PATH
+fi
 export PATH
 cmd='../apps/openssl crl'
diff --git a/src/lib/libssl/test/testca b/src/lib/libssl/test/testca
index 88c186b6ab..8215ebb5d1 100644
--- a/src/lib/libssl/test/testca
+++ b/src/lib/libssl/test/testca
@@ -1,7 +1,11 @@
 #!/bin/sh
 SH="/bin/sh"
-PATH=../apps:$PATH
+if test "$OSTYPE" = msdosdjgpp; then
+    PATH=./apps\;../apps\;$PATH
+else
+    PATH=../apps:$PATH
+fi
 export SH PATH
 SSLEAY_CONFIG="-config CAss.cnf"
diff --git a/src/lib/libssl/test/testgen b/src/lib/libssl/test/testgen
index 6a4b6b9221..55c496f4bc 100644
--- a/src/lib/libssl/test/testgen
+++ b/src/lib/libssl/test/testgen
@@ -6,7 +6,11 @@ CA=../certs/testca.pem
 /bin/rm -f $T.1 $T.2 $T.key
-PATH=../apps:$PATH;
+if test "$OSTYPE" = msdosdjgpp; then
+    PATH=../apps\;$PATH;
+else
+    PATH=../apps:$PATH;
+fi
 export PATH
 echo "generating certificate request"
diff --git a/src/lib/libssl/test/tpkcs7 b/src/lib/libssl/test/tpkcs7
index 15bbba42c0..cf3bd9fadb 100644
--- a/src/lib/libssl/test/tpkcs7
+++ b/src/lib/libssl/test/tpkcs7
@@ -1,6 +1,10 @@
 #!/bin/sh
-PATH=../apps:$PATH
+if test "$OSTYPE" = msdosdjgpp; then
+    PATH=../apps\;$PATH
+else
+    PATH=../apps:$PATH
+fi
 export PATH
 cmd='../apps/openssl pkcs7'
diff --git a/src/lib/libssl/test/tpkcs7d b/src/lib/libssl/test/tpkcs7d
index 46e5aa2bd6..18f9311b06 100644
--- a/src/lib/libssl/test/tpkcs7d
+++ b/src/lib/libssl/test/tpkcs7d
@@ -1,6 +1,10 @@
 #!/bin/sh
-PATH=../apps:$PATH
+if test "$OSTYPE" = msdosdjgpp; then
+    PATH=../apps\;$PATH
+else
+    PATH=../apps:$PATH
+fi
 export PATH
 cmd='../apps/openssl pkcs7'
diff --git a/src/lib/libssl/test/treq b/src/lib/libssl/test/treq
index 9f5eb7eea5..47a8273cde 100644
--- a/src/lib/libssl/test/treq
+++ b/src/lib/libssl/test/treq
@@ -1,6 +1,10 @@
 #!/bin/sh
-PATH=../apps:$PATH
+if test "$OSTYPE" = msdosdjgpp; then
+    PATH=../apps\;$PATH
+else
+    PATH=../apps:$PATH
+fi
 export PATH
 cmd='../apps/openssl req -config ../apps/openssl.cnf'
diff --git a/src/lib/libssl/test/trsa b/src/lib/libssl/test/trsa
index bd6c07650a..413e2ec0a0 100644
--- a/src/lib/libssl/test/trsa
+++ b/src/lib/libssl/test/trsa
@@ -1,6 +1,10 @@
 #!/bin/sh
-PATH=../apps:$PATH
+if test "$OSTYPE" = msdosdjgpp; then
+    PATH=../apps\;$PATH
+else
+    PATH=../apps:$PATH
+fi
 export PATH
 if ../apps/openssl no-rsa; then
diff --git a/src/lib/libssl/test/tsid b/src/lib/libssl/test/tsid
index 9e0854516c..40a1dfa97c 100644
--- a/src/lib/libssl/test/tsid
+++ b/src/lib/libssl/test/tsid
@@ -1,6 +1,10 @@
 #!/bin/sh
-PATH=../apps:$PATH
+if test "$OSTYPE" = msdosdjgpp; then
+    PATH=../apps\;$PATH
+else
+    PATH=../apps:$PATH
+fi
 export PATH
 cmd='../apps/openssl sess_id'
diff --git a/src/lib/libssl/test/tx509 b/src/lib/libssl/test/tx509
index 35169f3a43..d380963abc 100644
--- a/src/lib/libssl/test/tx509
+++ b/src/lib/libssl/test/tx509
@@ -1,6 +1,10 @@
 #!/bin/sh
-PATH=../apps:$PATH
+if test "$OSTYPE" = msdosdjgpp; then
+    PATH=../apps\;$PATH
+else
+    PATH=../apps:$PATH
+fi
 export PATH
 cmd='../apps/openssl x509'
diff --git a/src/lib/libssl/tls1.h b/src/lib/libssl/tls1.h
index 88ec5fb527..38838ea9a5 100644
--- a/src/lib/libssl/tls1.h
+++ b/src/lib/libssl/tls1.h
@@ -96,7 +96,7 @@ extern "C" {
 #define TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA      0x03000065
 #define TLS1_CK_DHE_DSS_WITH_RC4_128_SHA                0x03000066
-  /* AES ciphersuites from draft ietf-tls-ciphersuite-03.txt */
+/* AES ciphersuites from RFC3268 */
 #define TLS1_CK_RSA_WITH_AES_128_SHA                    0x0300002F
 #define TLS1_CK_DH_DSS_WITH_AES_128_SHA                 0x03000030
@@ -126,20 +126,21 @@ extern "C" {
 #define TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA         "EXP1024-RC4-SHA"
 #define TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA     "EXP1024-DHE-DSS-RC4-SHA"
 #define TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA               "DHE-DSS-RC4-SHA"
-  /* AES ciphersuites from draft-ietf-tls-ciphersuite-06.txt */
-#define TLS1_TXT_RSA_WITH_AES_128_SHA                   "AESdraft128-SHA"
+/* AES ciphersuites from RFC3268 */
-#define TLS1_TXT_DH_DSS_WITH_AES_128_SHA                "DH-DSS-AESdraft128-SHA"
+#define TLS1_TXT_RSA_WITH_AES_128_SHA                   "AES128-SHA"
-#define TLS1_TXT_DH_RSA_WITH_AES_128_SHA                "DH-RSA-AESdraft128-SHA"
+#define TLS1_TXT_DH_DSS_WITH_AES_128_SHA                "DH-DSS-AES128-SHA"
-#define TLS1_TXT_DHE_DSS_WITH_AES_128_SHA               "DHE-DSS-AESdraft128-SHA"
+#define TLS1_TXT_DH_RSA_WITH_AES_128_SHA                "DH-RSA-AES128-SHA"
-#define TLS1_TXT_DHE_RSA_WITH_AES_128_SHA               "DHE-RSA-AESdraft128-SHA"
+#define TLS1_TXT_DHE_DSS_WITH_AES_128_SHA               "DHE-DSS-AES128-SHA"
-#define TLS1_TXT_ADH_WITH_AES_128_SHA                   "ADH-AESdraft128-SHA"
+#define TLS1_TXT_DHE_RSA_WITH_AES_128_SHA               "DHE-RSA-AES128-SHA"
+#define TLS1_TXT_ADH_WITH_AES_128_SHA                   "ADH-AES128-SHA"
-#define TLS1_TXT_RSA_WITH_AES_256_SHA                   "AESdraft256-SHA"
-#define TLS1_TXT_DH_DSS_WITH_AES_256_SHA                "DH-DSS-AESdraft256-SHA"
+#define TLS1_TXT_RSA_WITH_AES_256_SHA                   "AES256-SHA"
-#define TLS1_TXT_DH_RSA_WITH_AES_256_SHA                "DH-RSA-AESdraft256-SHA"
+#define TLS1_TXT_DH_DSS_WITH_AES_256_SHA                "DH-DSS-AES256-SHA"
-#define TLS1_TXT_DHE_DSS_WITH_AES_256_SHA               "DHE-DSS-AESdraft256-SHA"
+#define TLS1_TXT_DH_RSA_WITH_AES_256_SHA                "DH-RSA-AES256-SHA"
-#define TLS1_TXT_DHE_RSA_WITH_AES_256_SHA               "DHE-RSA-AESdraft256-SHA"
+#define TLS1_TXT_DHE_DSS_WITH_AES_256_SHA               "DHE-DSS-AES256-SHA"
-#define TLS1_TXT_ADH_WITH_AES_256_SHA                   "ADH-AESdraft256-SHA"
+#define TLS1_TXT_DHE_RSA_WITH_AES_256_SHA               "DHE-RSA-AES256-SHA"
+#define TLS1_TXT_ADH_WITH_AES_256_SHA                   "ADH-AES256-SHA"
 #define TLS_CT_RSA_SIGN                 1
author	markus <>	2002-09-05 22:44:52 +0000
committer	markus <>	2002-09-05 22:44:52 +0000
commit	715a204e4615e4a70a466fcb383a9a57cad5e6b8 (patch)
tree	2d2e93c4a34d1f7f04aba73706353332d7700641 /src/lib/libssl
parent	15b5d84f9da2ce4bfae8580e56e34a859f74ad71 (diff)
download	openbsd-715a204e4615e4a70a466fcb383a9a57cad5e6b8.tar.gz openbsd-715a204e4615e4a70a466fcb383a9a57cad5e6b8.tar.bz2 openbsd-715a204e4615e4a70a466fcb383a9a57cad5e6b8.zip