diff options
Diffstat (limited to 'src/lib/libssl/ssl_lib.c')
| -rw-r--r-- | src/lib/libssl/ssl_lib.c | 71 | 
1 files changed, 5 insertions, 66 deletions
| diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c index f867daab0e..51772eb618 100644 --- a/src/lib/libssl/ssl_lib.c +++ b/src/lib/libssl/ssl_lib.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_lib.c,v 1.69 2014/06/19 21:29:51 tedu Exp $ */ | 1 | /* $OpenBSD: ssl_lib.c,v 1.70 2014/07/09 11:25:42 jsing Exp $ */ | 
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 
| 3 | * All rights reserved. | 3 | * All rights reserved. | 
| 4 | * | 4 | * | 
| @@ -1956,9 +1956,7 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) | |||
| 1956 | { | 1956 | { | 
| 1957 | CERT_PKEY *cpk; | 1957 | CERT_PKEY *cpk; | 
| 1958 | int rsa_enc, rsa_tmp, rsa_sign, dh_tmp, dh_rsa, dh_dsa, dsa_sign; | 1958 | int rsa_enc, rsa_tmp, rsa_sign, dh_tmp, dh_rsa, dh_dsa, dsa_sign; | 
| 1959 | int rsa_enc_export, dh_rsa_export, dh_dsa_export; | 1959 | unsigned long mask_k, mask_a; | 
| 1960 | int rsa_tmp_export, dh_tmp_export, kl; | ||
| 1961 | unsigned long mask_k, mask_a, emask_k, emask_a; | ||
| 1962 | int have_ecc_cert, ecdh_ok, ecdsa_ok, ecc_pkey_size; | 1960 | int have_ecc_cert, ecdh_ok, ecdsa_ok, ecc_pkey_size; | 
| 1963 | int have_ecdh_tmp; | 1961 | int have_ecdh_tmp; | 
| 1964 | X509 *x = NULL; | 1962 | X509 *x = NULL; | 
| @@ -1968,39 +1966,25 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) | |||
| 1968 | if (c == NULL) | 1966 | if (c == NULL) | 
| 1969 | return; | 1967 | return; | 
| 1970 | 1968 | ||
| 1971 | kl = SSL_C_EXPORT_PKEYLENGTH(cipher); | ||
| 1972 | |||
| 1973 | rsa_tmp = (c->rsa_tmp != NULL || c->rsa_tmp_cb != NULL); | 1969 | rsa_tmp = (c->rsa_tmp != NULL || c->rsa_tmp_cb != NULL); | 
| 1974 | rsa_tmp_export = (c->rsa_tmp_cb != NULL || | ||
| 1975 | (rsa_tmp && RSA_size(c->rsa_tmp)*8 <= kl)); | ||
| 1976 | dh_tmp = (c->dh_tmp != NULL || c->dh_tmp_cb != NULL); | 1970 | dh_tmp = (c->dh_tmp != NULL || c->dh_tmp_cb != NULL); | 
| 1977 | dh_tmp_export = (c->dh_tmp_cb != NULL || | ||
| 1978 | (dh_tmp && DH_size(c->dh_tmp)*8 <= kl)); | ||
| 1979 | 1971 | ||
| 1980 | have_ecdh_tmp = (c->ecdh_tmp != NULL || c->ecdh_tmp_cb != NULL); | 1972 | have_ecdh_tmp = (c->ecdh_tmp != NULL || c->ecdh_tmp_cb != NULL); | 
| 1981 | cpk = &(c->pkeys[SSL_PKEY_RSA_ENC]); | 1973 | cpk = &(c->pkeys[SSL_PKEY_RSA_ENC]); | 
| 1982 | rsa_enc = (cpk->x509 != NULL && cpk->privatekey != NULL); | 1974 | rsa_enc = (cpk->x509 != NULL && cpk->privatekey != NULL); | 
| 1983 | rsa_enc_export = (rsa_enc && EVP_PKEY_size(cpk->privatekey)*8 <= kl); | ||
| 1984 | cpk = &(c->pkeys[SSL_PKEY_RSA_SIGN]); | 1975 | cpk = &(c->pkeys[SSL_PKEY_RSA_SIGN]); | 
| 1985 | rsa_sign = (cpk->x509 != NULL && cpk->privatekey != NULL); | 1976 | rsa_sign = (cpk->x509 != NULL && cpk->privatekey != NULL); | 
| 1986 | cpk = &(c->pkeys[SSL_PKEY_DSA_SIGN]); | 1977 | cpk = &(c->pkeys[SSL_PKEY_DSA_SIGN]); | 
| 1987 | dsa_sign = (cpk->x509 != NULL && cpk->privatekey != NULL); | 1978 | dsa_sign = (cpk->x509 != NULL && cpk->privatekey != NULL); | 
| 1988 | cpk = &(c->pkeys[SSL_PKEY_DH_RSA]); | 1979 | cpk = &(c->pkeys[SSL_PKEY_DH_RSA]); | 
| 1989 | dh_rsa = (cpk->x509 != NULL && cpk->privatekey != NULL); | 1980 | dh_rsa = (cpk->x509 != NULL && cpk->privatekey != NULL); | 
| 1990 | dh_rsa_export = (dh_rsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl); | ||
| 1991 | cpk = &(c->pkeys[SSL_PKEY_DH_DSA]); | 1981 | cpk = &(c->pkeys[SSL_PKEY_DH_DSA]); | 
| 1992 | /* FIX THIS EAY EAY EAY */ | 1982 | /* FIX THIS EAY EAY EAY */ | 
| 1993 | dh_dsa = (cpk->x509 != NULL && cpk->privatekey != NULL); | 1983 | dh_dsa = (cpk->x509 != NULL && cpk->privatekey != NULL); | 
| 1994 | dh_dsa_export = (dh_dsa && EVP_PKEY_size(cpk->privatekey)*8 <= kl); | ||
| 1995 | cpk = &(c->pkeys[SSL_PKEY_ECC]); | 1984 | cpk = &(c->pkeys[SSL_PKEY_ECC]); | 
| 1996 | have_ecc_cert = (cpk->x509 != NULL && cpk->privatekey != NULL); | 1985 | have_ecc_cert = (cpk->x509 != NULL && cpk->privatekey != NULL); | 
| 1997 | mask_k = 0; | 1986 | mask_k = 0; | 
| 1998 | mask_a = 0; | 1987 | mask_a = 0; | 
| 1999 | emask_k = 0; | ||
| 2000 | emask_a = 0; | ||
| 2001 | |||
| 2002 | |||
| 2003 | |||
| 2004 | 1988 | ||
| 2005 | cpk = &(c->pkeys[SSL_PKEY_GOST01]); | 1989 | cpk = &(c->pkeys[SSL_PKEY_GOST01]); | 
| 2006 | if (cpk->x509 != NULL && cpk->privatekey !=NULL) { | 1990 | if (cpk->x509 != NULL && cpk->privatekey !=NULL) { | 
| @@ -2015,38 +1999,23 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) | |||
| 2015 | 1999 | ||
| 2016 | if (rsa_enc || (rsa_tmp && rsa_sign)) | 2000 | if (rsa_enc || (rsa_tmp && rsa_sign)) | 
| 2017 | mask_k|=SSL_kRSA; | 2001 | mask_k|=SSL_kRSA; | 
| 2018 | if (rsa_enc_export || (rsa_tmp_export && (rsa_sign || rsa_enc))) | ||
| 2019 | emask_k|=SSL_kRSA; | ||
| 2020 | |||
| 2021 | if (dh_tmp_export) | ||
| 2022 | emask_k|=SSL_kEDH; | ||
| 2023 | 2002 | ||
| 2024 | if (dh_tmp) | 2003 | if (dh_tmp) | 
| 2025 | mask_k|=SSL_kEDH; | 2004 | mask_k|=SSL_kEDH; | 
| 2026 | 2005 | ||
| 2027 | if (dh_rsa) | 2006 | if (dh_rsa) | 
| 2028 | mask_k|=SSL_kDHr; | 2007 | mask_k|=SSL_kDHr; | 
| 2029 | if (dh_rsa_export) | ||
| 2030 | emask_k|=SSL_kDHr; | ||
| 2031 | 2008 | ||
| 2032 | if (dh_dsa) | 2009 | if (dh_dsa) | 
| 2033 | mask_k|=SSL_kDHd; | 2010 | mask_k|=SSL_kDHd; | 
| 2034 | if (dh_dsa_export) | ||
| 2035 | emask_k|=SSL_kDHd; | ||
| 2036 | 2011 | ||
| 2037 | if (rsa_enc || rsa_sign) { | 2012 | if (rsa_enc || rsa_sign) | 
| 2038 | mask_a|=SSL_aRSA; | 2013 | mask_a|=SSL_aRSA; | 
| 2039 | emask_a|=SSL_aRSA; | ||
| 2040 | } | ||
| 2041 | 2014 | ||
| 2042 | if (dsa_sign) { | 2015 | if (dsa_sign) | 
| 2043 | mask_a|=SSL_aDSS; | 2016 | mask_a|=SSL_aDSS; | 
| 2044 | emask_a|=SSL_aDSS; | ||
| 2045 | } | ||
| 2046 | 2017 | ||
| 2047 | mask_a|=SSL_aNULL; | 2018 | mask_a|=SSL_aNULL; | 
| 2048 | emask_a|=SSL_aNULL; | ||
| 2049 | |||
| 2050 | 2019 | ||
| 2051 | /* | 2020 | /* | 
| 2052 | * An ECC certificate may be usable for ECDH and/or | 2021 | * An ECC certificate may be usable for ECDH and/or | 
| @@ -2069,47 +2038,30 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) | |||
| 2069 | OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid); | 2038 | OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid); | 
| 2070 | } | 2039 | } | 
| 2071 | if (ecdh_ok) { | 2040 | if (ecdh_ok) { | 
| 2072 | |||
| 2073 | if (pk_nid == NID_rsaEncryption || pk_nid == NID_rsa) { | 2041 | if (pk_nid == NID_rsaEncryption || pk_nid == NID_rsa) { | 
| 2074 | mask_k|=SSL_kECDHr; | 2042 | mask_k|=SSL_kECDHr; | 
| 2075 | mask_a|=SSL_aECDH; | 2043 | mask_a|=SSL_aECDH; | 
| 2076 | if (ecc_pkey_size <= 163) { | ||
| 2077 | emask_k|=SSL_kECDHr; | ||
| 2078 | emask_a|=SSL_aECDH; | ||
| 2079 | } | ||
| 2080 | } | 2044 | } | 
| 2081 | |||
| 2082 | if (pk_nid == NID_X9_62_id_ecPublicKey) { | 2045 | if (pk_nid == NID_X9_62_id_ecPublicKey) { | 
| 2083 | mask_k|=SSL_kECDHe; | 2046 | mask_k|=SSL_kECDHe; | 
| 2084 | mask_a|=SSL_aECDH; | 2047 | mask_a|=SSL_aECDH; | 
| 2085 | if (ecc_pkey_size <= 163) { | ||
| 2086 | emask_k|=SSL_kECDHe; | ||
| 2087 | emask_a|=SSL_aECDH; | ||
| 2088 | } | ||
| 2089 | } | 2048 | } | 
| 2090 | } | 2049 | } | 
| 2091 | if (ecdsa_ok) { | 2050 | if (ecdsa_ok) | 
| 2092 | mask_a|=SSL_aECDSA; | 2051 | mask_a|=SSL_aECDSA; | 
| 2093 | emask_a|=SSL_aECDSA; | ||
| 2094 | } | ||
| 2095 | } | 2052 | } | 
| 2096 | 2053 | ||
| 2097 | if (have_ecdh_tmp) { | 2054 | if (have_ecdh_tmp) { | 
| 2098 | mask_k|=SSL_kEECDH; | 2055 | mask_k|=SSL_kEECDH; | 
| 2099 | emask_k|=SSL_kEECDH; | ||
| 2100 | } | 2056 | } | 
| 2101 | 2057 | ||
| 2102 | #ifndef OPENSSL_NO_PSK | 2058 | #ifndef OPENSSL_NO_PSK | 
| 2103 | mask_k |= SSL_kPSK; | 2059 | mask_k |= SSL_kPSK; | 
| 2104 | mask_a |= SSL_aPSK; | 2060 | mask_a |= SSL_aPSK; | 
| 2105 | emask_k |= SSL_kPSK; | ||
| 2106 | emask_a |= SSL_aPSK; | ||
| 2107 | #endif | 2061 | #endif | 
| 2108 | 2062 | ||
| 2109 | c->mask_k = mask_k; | 2063 | c->mask_k = mask_k; | 
| 2110 | c->mask_a = mask_a; | 2064 | c->mask_a = mask_a; | 
| 2111 | c->export_mask_k = emask_k; | ||
| 2112 | c->export_mask_a = emask_a; | ||
| 2113 | c->valid = 1; | 2065 | c->valid = 1; | 
| 2114 | } | 2066 | } | 
| 2115 | 2067 | ||
| @@ -2122,25 +2074,12 @@ int | |||
| 2122 | ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s) | 2074 | ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s) | 
| 2123 | { | 2075 | { | 
| 2124 | unsigned long alg_k, alg_a; | 2076 | unsigned long alg_k, alg_a; | 
| 2125 | EVP_PKEY *pkey = NULL; | ||
| 2126 | int keysize = 0; | ||
| 2127 | int signature_nid = 0, md_nid = 0, pk_nid = 0; | 2077 | int signature_nid = 0, md_nid = 0, pk_nid = 0; | 
| 2128 | const SSL_CIPHER *cs = s->s3->tmp.new_cipher; | 2078 | const SSL_CIPHER *cs = s->s3->tmp.new_cipher; | 
| 2129 | 2079 | ||
| 2130 | alg_k = cs->algorithm_mkey; | 2080 | alg_k = cs->algorithm_mkey; | 
| 2131 | alg_a = cs->algorithm_auth; | 2081 | alg_a = cs->algorithm_auth; | 
| 2132 | 2082 | ||
| 2133 | if (SSL_C_IS_EXPORT(cs)) { | ||
| 2134 | /* ECDH key length in export ciphers must be <= 163 bits */ | ||
| 2135 | pkey = X509_get_pubkey(x); | ||
| 2136 | if (pkey == NULL) | ||
| 2137 | return (0); | ||
| 2138 | keysize = EVP_PKEY_bits(pkey); | ||
| 2139 | EVP_PKEY_free(pkey); | ||
| 2140 | if (keysize > 163) | ||
| 2141 | return (0); | ||
| 2142 | } | ||
| 2143 | |||
| 2144 | /* This call populates the ex_flags field correctly */ | 2083 | /* This call populates the ex_flags field correctly */ | 
| 2145 | X509_check_purpose(x, -1, 0); | 2084 | X509_check_purpose(x, -1, 0); | 
| 2146 | if ((x->sig_alg) && (x->sig_alg->algorithm)) { | 2085 | if ((x->sig_alg) && (x->sig_alg->algorithm)) { | 
