summaryrefslogtreecommitdiff
path: root/src/lib/libssl/ssl_lib.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libssl/ssl_lib.c')
-rw-r--r--src/lib/libssl/ssl_lib.c74
1 files changed, 44 insertions, 30 deletions
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 46732791fd..497515f9ec 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1306,36 +1306,33 @@ int SSL_set_cipher_list(SSL *s,const char *str)
1306/* works well for SSLv2, not so good for SSLv3 */ 1306/* works well for SSLv2, not so good for SSLv3 */
1307char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len) 1307char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len)
1308 { 1308 {
1309 char *p; 1309 char *end;
1310 STACK_OF(SSL_CIPHER) *sk; 1310 STACK_OF(SSL_CIPHER) *sk;
1311 SSL_CIPHER *c; 1311 SSL_CIPHER *c;
1312 size_t curlen = 0;
1312 int i; 1313 int i;
1313 1314
1314 if ((s->session == NULL) || (s->session->ciphers == NULL) || 1315 if ((s->session == NULL) || (s->session->ciphers == NULL) ||
1315 (len < 2)) 1316 (len < 2))
1316 return(NULL); 1317 return(NULL);
1317 1318
1318 p=buf;
1319 sk=s->session->ciphers; 1319 sk=s->session->ciphers;
1320 buf[0] = '\0';
1320 for (i=0; i<sk_SSL_CIPHER_num(sk); i++) 1321 for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
1321 { 1322 {
1322 int n;
1323
1324 c=sk_SSL_CIPHER_value(sk,i); 1323 c=sk_SSL_CIPHER_value(sk,i);
1325 n=strlen(c->name); 1324 end = buf + curlen;
1326 if (n+1 > len) 1325 if (strlcat(buf, c->name, len) >= len ||
1326 (curlen = strlcat(buf, ":", len)) >= len)
1327 { 1327 {
1328 if (p != buf) 1328 /* remove truncated cipher from list */
1329 --p; 1329 *end = '\0';
1330 *p='\0'; 1330 break;
1331 return buf;
1332 } 1331 }
1333 strcpy(p,c->name);
1334 p+=n;
1335 *(p++)=':';
1336 len-=n+1;
1337 } 1332 }
1338 p[-1]='\0'; 1333 /* remove trailing colon */
1334 if ((end = strrchr(buf, ':')) != NULL)
1335 *end = '\0';
1339 return(buf); 1336 return(buf);
1340 } 1337 }
1341 1338
@@ -1833,7 +1830,7 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
1833#endif 1830#endif
1834 X509 *x = NULL; 1831 X509 *x = NULL;
1835 EVP_PKEY *ecc_pkey = NULL; 1832 EVP_PKEY *ecc_pkey = NULL;
1836 int signature_nid = 0, pk_nid = 0, md_nid = 0; 1833 int signature_nid = 0;
1837 1834
1838 if (c == NULL) return; 1835 if (c == NULL) return;
1839 1836
@@ -1963,15 +1960,18 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
1963 EVP_PKEY_bits(ecc_pkey) : 0; 1960 EVP_PKEY_bits(ecc_pkey) : 0;
1964 EVP_PKEY_free(ecc_pkey); 1961 EVP_PKEY_free(ecc_pkey);
1965 if ((x->sig_alg) && (x->sig_alg->algorithm)) 1962 if ((x->sig_alg) && (x->sig_alg->algorithm))
1966 {
1967 signature_nid = OBJ_obj2nid(x->sig_alg->algorithm); 1963 signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
1968 OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid);
1969 }
1970#ifndef OPENSSL_NO_ECDH 1964#ifndef OPENSSL_NO_ECDH
1971 if (ecdh_ok) 1965 if (ecdh_ok)
1972 { 1966 {
1973 1967 const char *sig = OBJ_nid2ln(signature_nid);
1974 if (pk_nid == NID_rsaEncryption || pk_nid == NID_rsa) 1968 if (sig == NULL)
1969 {
1970 ERR_clear_error();
1971 sig = "unknown";
1972 }
1973
1974 if (strstr(sig, "WithRSA"))
1975 { 1975 {
1976 mask_k|=SSL_kECDHr; 1976 mask_k|=SSL_kECDHr;
1977 mask_a|=SSL_aECDH; 1977 mask_a|=SSL_aECDH;
@@ -1982,7 +1982,7 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
1982 } 1982 }
1983 } 1983 }
1984 1984
1985 if (pk_nid == NID_X9_62_id_ecPublicKey) 1985 if (signature_nid == NID_ecdsa_with_SHA1)
1986 { 1986 {
1987 mask_k|=SSL_kECDHe; 1987 mask_k|=SSL_kECDHe;
1988 mask_a|=SSL_aECDH; 1988 mask_a|=SSL_aECDH;
@@ -2036,7 +2036,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs)
2036 unsigned long alg_k, alg_a; 2036 unsigned long alg_k, alg_a;
2037 EVP_PKEY *pkey = NULL; 2037 EVP_PKEY *pkey = NULL;
2038 int keysize = 0; 2038 int keysize = 0;
2039 int signature_nid = 0, md_nid = 0, pk_nid = 0; 2039 int signature_nid = 0;
2040 2040
2041 alg_k = cs->algorithm_mkey; 2041 alg_k = cs->algorithm_mkey;
2042 alg_a = cs->algorithm_auth; 2042 alg_a = cs->algorithm_auth;
@@ -2054,10 +2054,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs)
2054 /* This call populates the ex_flags field correctly */ 2054 /* This call populates the ex_flags field correctly */
2055 X509_check_purpose(x, -1, 0); 2055 X509_check_purpose(x, -1, 0);
2056 if ((x->sig_alg) && (x->sig_alg->algorithm)) 2056 if ((x->sig_alg) && (x->sig_alg->algorithm))
2057 {
2058 signature_nid = OBJ_obj2nid(x->sig_alg->algorithm); 2057 signature_nid = OBJ_obj2nid(x->sig_alg->algorithm);
2059 OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid);
2060 }
2061 if (alg_k & SSL_kECDHe || alg_k & SSL_kECDHr) 2058 if (alg_k & SSL_kECDHe || alg_k & SSL_kECDHr)
2062 { 2059 {
2063 /* key usage, if present, must allow key agreement */ 2060 /* key usage, if present, must allow key agreement */
@@ -2069,7 +2066,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs)
2069 if (alg_k & SSL_kECDHe) 2066 if (alg_k & SSL_kECDHe)
2070 { 2067 {
2071 /* signature alg must be ECDSA */ 2068 /* signature alg must be ECDSA */
2072 if (pk_nid != NID_X9_62_id_ecPublicKey) 2069 if (signature_nid != NID_ecdsa_with_SHA1)
2073 { 2070 {
2074 SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE); 2071 SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE);
2075 return 0; 2072 return 0;
@@ -2079,7 +2076,13 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs)
2079 { 2076 {
2080 /* signature alg must be RSA */ 2077 /* signature alg must be RSA */
2081 2078
2082 if (pk_nid != NID_rsaEncryption && pk_nid != NID_rsa) 2079 const char *sig = OBJ_nid2ln(signature_nid);
2080 if (sig == NULL)
2081 {
2082 ERR_clear_error();
2083 sig = "unknown";
2084 }
2085 if (strstr(sig, "WithRSA") == NULL)
2083 { 2086 {
2084 SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE); 2087 SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE);
2085 return 0; 2088 return 0;
@@ -2104,12 +2107,23 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs)
2104/* THIS NEEDS CLEANING UP */ 2107/* THIS NEEDS CLEANING UP */
2105X509 *ssl_get_server_send_cert(SSL *s) 2108X509 *ssl_get_server_send_cert(SSL *s)
2106 { 2109 {
2107 unsigned long alg_k,alg_a; 2110 unsigned long alg_k,alg_a,mask_k,mask_a;
2108 CERT *c; 2111 CERT *c;
2109 int i; 2112 int i,is_export;
2110 2113
2111 c=s->cert; 2114 c=s->cert;
2112 ssl_set_cert_masks(c, s->s3->tmp.new_cipher); 2115 ssl_set_cert_masks(c, s->s3->tmp.new_cipher);
2116 is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
2117 if (is_export)
2118 {
2119 mask_k = c->export_mask_k;
2120 mask_a = c->export_mask_a;
2121 }
2122 else
2123 {
2124 mask_k = c->mask_k;
2125 mask_a = c->mask_a;
2126 }
2113 2127
2114 alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 2128 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2115 alg_a = s->s3->tmp.new_cipher->algorithm_auth; 2129 alg_a = s->s3->tmp.new_cipher->algorithm_auth;
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-23 07:00:05 +0000