Diffstat (limited to '')
| -rw-r--r-- | src/lib/libssl/src/ssl/s3_enc.c | 41 | 
1 files changed, 24 insertions, 17 deletions
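--- a/src/lib/libssl/src/ssl/s3_enc.c
+++ b/src/lib/libssl/src/ssl/s3_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_enc.c,v 1.46 2014/06/13 15:28:49 jsing Exp $ */
+/* $OpenBSD: s3_enc.c,v 1.47 2014/06/13 16:04:13 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -386,10 +386,10 @@ err2:
 int
 ssl3_setup_key_block(SSL *s)
 {
-unsigned char *p;
-const EVP_CIPHER *c;
-const EVP_MD *hash;
-int num;
+int key_block_len, mac_len, key_len, iv_len;
+unsigned char *key_block;
+const EVP_CIPHER *cipher;
+const EVP_MD *mac;
 int ret = 0;
 SSL_COMP *comp;
 
@@ -402,35 +402,42 @@ ssl3_setup_key_block(SSL *s)
 return (0);
 }
 
-if (!ssl_cipher_get_evp(s->session, &c, &hash, NULL, NULL)) {
+if (!ssl_cipher_get_evp(s->session, &cipher, &mac, NULL, NULL)) {
 SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK,
 SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
 return (0);
 }
 
-s->s3->tmp.new_sym_enc = c;
-s->s3->tmp.new_hash = hash;
+s->s3->tmp.new_sym_enc = cipher;
+s->s3->tmp.new_hash = mac;
 s->s3->tmp.new_compression = comp;
 
-num = EVP_MD_size(hash);
-if (num < 0)
+mac_len = EVP_MD_size(mac);
+key_len = EVP_CIPHER_key_length(cipher);
+iv_len = EVP_CIPHER_iv_length(cipher);
+
+if (mac_len < 0)
 return 0;
 
-num = EVP_CIPHER_key_length(c) + num + EVP_CIPHER_iv_length(c);
-num *= 2;
+if (SSL_C_IS_EXPORT(s->session->cipher) &&
+key_len > SSL_C_EXPORT_KEYLENGTH(s->session->cipher))
+key_len = SSL_C_EXPORT_KEYLENGTH(s->session->cipher);
+
+key_block_len = (mac_len + key_len + iv_len) * 2;
 
 ssl3_cleanup_key_block(s);
 
-if ((p = malloc(num)) == NULL)
+if ((key_block = malloc(key_block_len)) == NULL)
 goto err;
 
-s->s3->tmp.key_block_length = num;
-s->s3->tmp.key_block = p;
+s->s3->tmp.key_block_length = key_block_len;
+s->s3->tmp.key_block = key_block;
 
-ret = ssl3_generate_key_block(s, p, num);
+ret = ssl3_generate_key_block(s, key_block, key_block_len);
 
 if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) {
-/* enable vulnerability countermeasure for CBC ciphers with
+/*
+* Enable vulnerability countermeasure for CBC ciphers with
 * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt)
 */
 s->s3->need_empty_fragments = 1;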
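Review bot: The export clamp on `key_len` (new lines 422-424) changes how many bytes are allocated and derived for export ciphers, while the rest of the section reads as a rename, so it needs its own comment and a check against the code that consumes the block. That consumer, which slices `s->s3->tmp.key_block` into MAC secrets, keys and IVs, is not visible here; if it walks the block using the unclamped `EVP_CIPHER_key_length()` its offsets could run past `key_block_len`, so confirm it applies the same `SSL_C_EXPORT_KEYLENGTH` limit and compares its total against `key_block_length` before reading. I would add above the clamp `/* Export ciphers take at most SSL_C_EXPORT_KEYLENGTH key bytes from the key block. */`. Only `mac_len` is tested for a negative value before the sum reaches `malloc()`; `if (mac_len < 0 || key_len < 0 || iv_len < 0)` would cover all three terms. The body of ssl3_setup_key_block continues past the end of the hunk.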
