From a0fdc9ec41594852f67ec77dfad9cb06bacc4186 Mon Sep 17 00:00:00 2001 From: djm <> Date: Fri, 9 Jan 2009 12:14:11 +0000 Subject: import openssl-0.9.8j --- src/lib/libssl/d1_clnt.c | 3 +-- src/lib/libssl/d1_enc.c | 19 ++++++++++------ src/lib/libssl/d1_lib.c | 1 + src/lib/libssl/d1_pkt.c | 22 +++++++++++++++---- src/lib/libssl/d1_srvr.c | 6 ++--- src/lib/libssl/dtls1.h | 7 ++++++ src/lib/libssl/s23_clnt.c | 16 ++++++++++++++ src/lib/libssl/s23_srvr.c | 9 ++++++++ src/lib/libssl/s3_clnt.c | 52 +++++++++++++++++++++++++++++++++----------- src/lib/libssl/s3_lib.c | 40 +++++++++++++++++----------------- src/lib/libssl/s3_pkt.c | 16 +++++++++++++- src/lib/libssl/s3_srvr.c | 42 ++++++++++++++++++++--------------- src/lib/libssl/ssl.h | 16 +++++++++++--- src/lib/libssl/ssl_asn1.c | 2 +- src/lib/libssl/ssl_ciph.c | 13 +++++++++++ src/lib/libssl/ssl_err.c | 5 ++++- src/lib/libssl/ssl_lib.c | 36 ++++++++++++++++++++++++++++++ src/lib/libssl/ssl_locl.h | 8 ++++++- src/lib/libssl/ssl_sess.c | 22 +++++++++++++++++++ src/lib/libssl/t1_enc.c | 42 ++++++++++++++++++++++------------- src/lib/libssl/t1_lib.c | 14 +++++++----- src/lib/libssl/test/CAss.cnf | 2 +- src/lib/libssl/test/Uss.cnf | 2 +- 23 files changed, 299 insertions(+), 96 deletions(-) (limited to 'src/lib/libssl') diff --git a/src/lib/libssl/d1_clnt.c b/src/lib/libssl/d1_clnt.c index 5e59dc845a..49c6760d19 100644 --- a/src/lib/libssl/d1_clnt.c +++ b/src/lib/libssl/d1_clnt.c @@ -1095,8 +1095,7 @@ int dtls1_send_client_certificate(SSL *s) * ssl->rwstate=SSL_X509_LOOKUP; return(-1); * We then get retied later */ i=0; - if (s->ctx->client_cert_cb != NULL) - i=s->ctx->client_cert_cb(s,&(x509),&(pkey)); + i = ssl_do_client_cert_cb(s, &x509, &pkey); if (i < 0) { s->rwstate=SSL_X509_LOOKUP; diff --git a/src/lib/libssl/d1_enc.c b/src/lib/libssl/d1_enc.c index cbff7495c5..cf3332e4e4 100644 --- a/src/lib/libssl/d1_enc.c +++ b/src/lib/libssl/d1_enc.c @@ -115,12 +115,16 @@ #include #include "ssl_locl.h" +#ifndef OPENSSL_NO_COMP #include +#endif #include #include #include #include - +#ifdef KSSL_DEBUG +#include +#endif int dtls1_enc(SSL *s, int send) { @@ -202,10 +206,11 @@ int dtls1_enc(SSL *s, int send) { unsigned long ui; printf("EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n", - ds,rec->data,rec->input,l); - printf("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%d %d], %d iv_len\n", + (void *)ds,rec->data,rec->input,l); + printf("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%ld %ld], %d iv_len\n", ds->buf_len, ds->cipher->key_len, - DES_KEY_SZ, DES_SCHEDULE_SZ, + (unsigned long)DES_KEY_SZ, + (unsigned long)DES_SCHEDULE_SZ, ds->cipher->iv_len); printf("\t\tIV: "); for (i=0; icipher->iv_len; i++) printf("%02X", ds->iv[i]); @@ -230,10 +235,10 @@ int dtls1_enc(SSL *s, int send) #ifdef KSSL_DEBUG { - unsigned long i; + unsigned long ki; printf("\trec->data="); - for (i=0; idata[i]); printf("\n"); + for (ki=0; kidata[ki]); printf("\n"); } #endif /* KSSL_DEBUG */ diff --git a/src/lib/libssl/d1_lib.c b/src/lib/libssl/d1_lib.c index fc088b4148..3568e97a87 100644 --- a/src/lib/libssl/d1_lib.c +++ b/src/lib/libssl/d1_lib.c @@ -106,6 +106,7 @@ int dtls1_new(SSL *s) pq_64bit_init(&(d1->bitmap.map)); pq_64bit_init(&(d1->bitmap.max_seq_num)); + d1->next_bitmap.length = d1->bitmap.length; pq_64bit_init(&(d1->next_bitmap.map)); pq_64bit_init(&(d1->next_bitmap.max_seq_num)); diff --git a/src/lib/libssl/d1_pkt.c b/src/lib/libssl/d1_pkt.c index 377696deac..eb56cf987b 100644 --- a/src/lib/libssl/d1_pkt.c +++ b/src/lib/libssl/d1_pkt.c @@ -597,6 +597,7 @@ again: /* check whether this is a repeat, or aged record */ if ( ! dtls1_record_replay_check(s, bitmap, &(rr->seq_num))) { + rr->length = 0; s->packet_length=0; /* dump this record */ goto again; /* get another record */ } @@ -811,6 +812,14 @@ start: * may be fragmented--don't always expect dest_maxlen bytes */ if ( rr->length < dest_maxlen) { +#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE + /* + * for normal alerts rr->length is 2, while + * dest_maxlen is 7 if we were to handle this + * non-existing alert... + */ + FIX ME +#endif s->rstate=SSL_ST_READ_HEADER; rr->length = 0; goto start; @@ -1251,7 +1260,7 @@ int dtls1_write_bytes(SSL *s, int type, const void *buf_, int len) else s->s3->wnum += i; - return tot + i; + return i; } int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len, int create_empty_fragment) @@ -1576,7 +1585,7 @@ int dtls1_dispatch_alert(SSL *s) { int i,j; void (*cb)(const SSL *ssl,int type,int val)=NULL; - unsigned char buf[2 + 2 + 3]; /* alert level + alert desc + message seq +frag_off */ + unsigned char buf[DTLS1_AL_HEADER_LENGTH]; unsigned char *ptr = &buf[0]; s->s3->alert_dispatch=0; @@ -1585,6 +1594,7 @@ int dtls1_dispatch_alert(SSL *s) *ptr++ = s->s3->send_alert[0]; *ptr++ = s->s3->send_alert[1]; +#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE if (s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE) { s2n(s->d1->handshake_read_seq, ptr); @@ -1600,6 +1610,7 @@ int dtls1_dispatch_alert(SSL *s) #endif l2n3(s->d1->r_msg_hdr.frag_off, ptr); } +#endif i = do_dtls1_write(s, SSL3_RT_ALERT, &buf[0], sizeof(buf), 0); if (i <= 0) @@ -1609,8 +1620,11 @@ int dtls1_dispatch_alert(SSL *s) } else { - if ( s->s3->send_alert[0] == SSL3_AL_FATAL || - s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE) + if (s->s3->send_alert[0] == SSL3_AL_FATAL +#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE + || s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE +#endif + ) (void)BIO_flush(s->wbio); if (s->msg_callback) diff --git a/src/lib/libssl/d1_srvr.c b/src/lib/libssl/d1_srvr.c index 927b01f3c4..0bbf8ae7f3 100644 --- a/src/lib/libssl/d1_srvr.c +++ b/src/lib/libssl/d1_srvr.c @@ -732,7 +732,7 @@ int dtls1_send_server_hello(SSL *s) d = dtls1_set_message_header(s, d, SSL3_MT_SERVER_HELLO, l, 0, l); - s->state=SSL3_ST_CW_CLNT_HELLO_B; + s->state=SSL3_ST_SW_SRVR_HELLO_B; /* number of bytes to write */ s->init_num=p-buf; s->init_off=0; @@ -741,7 +741,7 @@ int dtls1_send_server_hello(SSL *s) dtls1_buffer_message(s, 0); } - /* SSL3_ST_CW_CLNT_HELLO_B */ + /* SSL3_ST_SW_SRVR_HELLO_B */ return(dtls1_do_write(s,SSL3_RT_HANDSHAKE)); } @@ -765,7 +765,7 @@ int dtls1_send_server_done(SSL *s) dtls1_buffer_message(s, 0); } - /* SSL3_ST_CW_CLNT_HELLO_B */ + /* SSL3_ST_SW_SRVR_DONE_B */ return(dtls1_do_write(s,SSL3_RT_HANDSHAKE)); } diff --git a/src/lib/libssl/dtls1.h b/src/lib/libssl/dtls1.h index a663cf85f2..f159d37110 100644 --- a/src/lib/libssl/dtls1.h +++ b/src/lib/libssl/dtls1.h @@ -70,7 +70,10 @@ extern "C" { #define DTLS1_VERSION 0xFEFF #define DTLS1_BAD_VER 0x0100 +#if 0 +/* this alert description is not specified anywhere... */ #define DTLS1_AD_MISSING_HANDSHAKE_MESSAGE 110 +#endif /* lengths of messages */ #define DTLS1_COOKIE_LENGTH 32 @@ -84,7 +87,11 @@ extern "C" { #define DTLS1_CCS_HEADER_LENGTH 1 +#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE #define DTLS1_AL_HEADER_LENGTH 7 +#else +#define DTLS1_AL_HEADER_LENGTH 2 +#endif typedef struct dtls1_bitmap_st diff --git a/src/lib/libssl/s23_clnt.c b/src/lib/libssl/s23_clnt.c index c45a8e0a04..bc918170e1 100644 --- a/src/lib/libssl/s23_clnt.c +++ b/src/lib/libssl/s23_clnt.c @@ -257,6 +257,14 @@ static int ssl23_client_hello(SSL *s) version_major = TLS1_VERSION_MAJOR; version_minor = TLS1_VERSION_MINOR; } +#ifdef OPENSSL_FIPS + else if(FIPS_mode()) + { + SSLerr(SSL_F_SSL23_CLIENT_HELLO, + SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE); + return -1; + } +#endif else if (version == SSL3_VERSION) { version_major = SSL3_VERSION_MAJOR; @@ -536,6 +544,14 @@ static int ssl23_get_server_hello(SSL *s) if ((p[2] == SSL3_VERSION_MINOR) && !(s->options & SSL_OP_NO_SSLv3)) { +#ifdef OPENSSL_FIPS + if(FIPS_mode()) + { + SSLerr(SSL_F_SSL23_GET_SERVER_HELLO, + SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE); + goto err; + } +#endif s->version=SSL3_VERSION; s->method=SSLv3_client_method(); } diff --git a/src/lib/libssl/s23_srvr.c b/src/lib/libssl/s23_srvr.c index 6637bb9549..ba06e7ae2e 100644 --- a/src/lib/libssl/s23_srvr.c +++ b/src/lib/libssl/s23_srvr.c @@ -386,6 +386,15 @@ int ssl23_get_client_hello(SSL *s) } } +#ifdef OPENSSL_FIPS + if (FIPS_mode() && (s->version < TLS1_VERSION)) + { + SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, + SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE); + goto err; + } +#endif + if (s->state == SSL23_ST_SR_CLNT_HELLO_B) { /* we have SSLv3/TLSv1 in an SSLv2 header diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c index f6864cdc50..5fd3520caf 100644 --- a/src/lib/libssl/s3_clnt.c +++ b/src/lib/libssl/s3_clnt.c @@ -130,10 +130,17 @@ #include #include #include +#ifdef OPENSSL_FIPS +#include +#endif + #ifndef OPENSSL_NO_DH #include #endif #include +#ifndef OPENSSL_NO_ENGINE +#include +#endif static SSL_METHOD *ssl3_get_client_method(int ver); static int ca_dn_cmp(const X509_NAME * const *a,const X509_NAME * const *b); @@ -965,7 +972,7 @@ int ssl3_get_server_certificate(SSL *s) } i=ssl_verify_cert_chain(s,sk); - if ((s->verify_mode != SSL_VERIFY_NONE) && (!i) + if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0) #ifndef OPENSSL_NO_KRB5 && (s->s3->tmp.new_cipher->algorithms & (SSL_MKEY_MASK|SSL_AUTH_MASK)) != (SSL_aKRB5|SSL_kKRB5) @@ -999,7 +1006,7 @@ int ssl3_get_server_certificate(SSL *s) == (SSL_aKRB5|SSL_kKRB5))? 0: 1; #ifdef KSSL_DEBUG - printf("pkey,x = %p, %p\n", pkey,x); + printf("pkey,x = %p, %p\n", (void *)pkey,(void *)x); printf("ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x,pkey)); printf("cipher, alg, nc = %s, %lx, %d\n", s->s3->tmp.new_cipher->name, s->s3->tmp.new_cipher->algorithms, need_cert); @@ -1415,6 +1422,8 @@ int ssl3_get_key_exchange(SSL *s) q=md_buf; for (num=2; num > 0; num--) { + EVP_MD_CTX_set_flags(&md_ctx, + EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); EVP_DigestInit_ex(&md_ctx,(num == 2) ?s->ctx->md5:s->ctx->sha1, NULL); EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); @@ -1450,7 +1459,7 @@ int ssl3_get_key_exchange(SSL *s) EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); EVP_VerifyUpdate(&md_ctx,param,param_len); - if (!EVP_VerifyFinal(&md_ctx,p,(int)n,pkey)) + if (EVP_VerifyFinal(&md_ctx,p,(int)n,pkey) <= 0) { /* bad signature */ al=SSL_AD_DECRYPT_ERROR; @@ -1468,7 +1477,7 @@ int ssl3_get_key_exchange(SSL *s) EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); EVP_VerifyUpdate(&md_ctx,param,param_len); - if (!EVP_VerifyFinal(&md_ctx,p,(int)n,pkey)) + if (EVP_VerifyFinal(&md_ctx,p,(int)n,pkey) <= 0) { /* bad signature */ al=SSL_AD_DECRYPT_ERROR; @@ -1768,7 +1777,7 @@ int ssl3_get_cert_status(SSL *s) goto f_err; } n2l3(p, resplen); - if (resplen + 4 != n) + if (resplen + 4 != (unsigned long)n) { al = SSL_AD_DECODE_ERROR; SSLerr(SSL_F_SSL3_GET_CERT_STATUS,SSL_R_LENGTH_MISMATCH); @@ -2061,12 +2070,12 @@ int ssl3_send_client_key_exchange(SSL *s) { DH *dh_srvr,*dh_clnt; - if (s->session->sess_cert == NULL) - { - ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); - SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); - goto err; - } + if (s->session->sess_cert == NULL) + { + ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); + SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); + goto err; + } if (s->session->sess_cert->peer_dh_tmp != NULL) dh_srvr=s->session->sess_cert->peer_dh_tmp; @@ -2448,8 +2457,7 @@ int ssl3_send_client_certificate(SSL *s) * ssl->rwstate=SSL_X509_LOOKUP; return(-1); * We then get retied later */ i=0; - if (s->ctx->client_cert_cb != NULL) - i=s->ctx->client_cert_cb(s,&(x509),&(pkey)); + i = ssl_do_client_cert_cb(s, &x509, &pkey); if (i < 0) { s->rwstate=SSL_X509_LOOKUP; @@ -2716,3 +2724,21 @@ static int ssl3_check_finished(SSL *s) return 1; } #endif + +int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey) + { + int i = 0; +#ifndef OPENSSL_NO_ENGINE + if (s->ctx->client_cert_engine) + { + i = ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s, + SSL_get_client_CA_list(s), + px509, ppkey, NULL, NULL, NULL); + if (i != 0) + return i; + } +#endif + if (s->ctx->client_cert_cb) + i = s->ctx->client_cert_cb(s,px509,ppkey); + return i; + } diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c index bdbcd44f27..8916a0b1b3 100644 --- a/src/lib/libssl/s3_lib.c +++ b/src/lib/libssl/s3_lib.c @@ -158,7 +158,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL3_TXT_RSA_NULL_SHA, SSL3_CK_RSA_NULL_SHA, SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_SHA1|SSL_SSLV3, - SSL_NOT_EXP|SSL_STRONG_NONE, + SSL_NOT_EXP|SSL_STRONG_NONE|SSL_FIPS, 0, 0, 0, @@ -264,7 +264,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL3_TXT_RSA_DES_192_CBC3_SHA, SSL3_CK_RSA_DES_192_CBC3_SHA, SSL_kRSA|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3, - SSL_NOT_EXP|SSL_HIGH, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 0, 168, 168, @@ -304,7 +304,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL3_TXT_DH_DSS_DES_192_CBC3_SHA, SSL3_CK_DH_DSS_DES_192_CBC3_SHA, SSL_kDHd |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3, - SSL_NOT_EXP|SSL_HIGH, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 0, 168, 168, @@ -343,7 +343,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL3_TXT_DH_RSA_DES_192_CBC3_SHA, SSL3_CK_DH_RSA_DES_192_CBC3_SHA, SSL_kDHr |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3, - SSL_NOT_EXP|SSL_HIGH, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 0, 168, 168, @@ -384,7 +384,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA, SSL3_CK_EDH_DSS_DES_192_CBC3_SHA, SSL_kEDH|SSL_aDSS|SSL_3DES |SSL_SHA1|SSL_SSLV3, - SSL_NOT_EXP|SSL_HIGH, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 0, 168, 168, @@ -423,7 +423,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA, SSL3_CK_EDH_RSA_DES_192_CBC3_SHA, SSL_kEDH|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3, - SSL_NOT_EXP|SSL_HIGH, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 0, 168, 168, @@ -488,7 +488,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL3_TXT_ADH_DES_192_CBC_SHA, SSL3_CK_ADH_DES_192_CBC_SHA, SSL_kEDH |SSL_aNULL|SSL_3DES |SSL_SHA1|SSL_SSLV3, - SSL_NOT_EXP|SSL_HIGH, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 0, 168, 168, @@ -563,7 +563,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL3_TXT_KRB5_DES_192_CBC3_SHA, SSL3_CK_KRB5_DES_192_CBC3_SHA, SSL_kKRB5|SSL_aKRB5| SSL_3DES|SSL_SHA1 |SSL_SSLV3, - SSL_NOT_EXP|SSL_HIGH, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 0, 168, 168, @@ -747,7 +747,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ TLS1_TXT_RSA_WITH_AES_128_SHA, TLS1_CK_RSA_WITH_AES_128_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 0, 128, 128, @@ -760,7 +760,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ TLS1_TXT_DH_DSS_WITH_AES_128_SHA, TLS1_CK_DH_DSS_WITH_AES_128_SHA, SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 0, 128, 128, @@ -773,7 +773,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ TLS1_TXT_DH_RSA_WITH_AES_128_SHA, TLS1_CK_DH_RSA_WITH_AES_128_SHA, SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 0, 128, 128, @@ -786,7 +786,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ TLS1_TXT_DHE_DSS_WITH_AES_128_SHA, TLS1_CK_DHE_DSS_WITH_AES_128_SHA, SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 0, 128, 128, @@ -799,7 +799,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ TLS1_TXT_DHE_RSA_WITH_AES_128_SHA, TLS1_CK_DHE_RSA_WITH_AES_128_SHA, SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 0, 128, 128, @@ -812,7 +812,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ TLS1_TXT_ADH_WITH_AES_128_SHA, TLS1_CK_ADH_WITH_AES_128_SHA, SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 0, 128, 128, @@ -826,7 +826,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ TLS1_TXT_RSA_WITH_AES_256_SHA, TLS1_CK_RSA_WITH_AES_256_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 0, 256, 256, @@ -839,7 +839,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ TLS1_TXT_DH_DSS_WITH_AES_256_SHA, TLS1_CK_DH_DSS_WITH_AES_256_SHA, SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 0, 256, 256, @@ -852,7 +852,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ TLS1_TXT_DH_RSA_WITH_AES_256_SHA, TLS1_CK_DH_RSA_WITH_AES_256_SHA, SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 0, 256, 256, @@ -865,7 +865,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ TLS1_TXT_DHE_DSS_WITH_AES_256_SHA, TLS1_CK_DHE_DSS_WITH_AES_256_SHA, SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 0, 256, 256, @@ -878,7 +878,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ TLS1_TXT_DHE_RSA_WITH_AES_256_SHA, TLS1_CK_DHE_RSA_WITH_AES_256_SHA, SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 0, 256, 256, @@ -891,7 +891,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ TLS1_TXT_ADH_WITH_AES_256_SHA, TLS1_CK_ADH_WITH_AES_256_SHA, SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1, - SSL_NOT_EXP|SSL_HIGH, + SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, 0, 256, 256, diff --git a/src/lib/libssl/s3_pkt.c b/src/lib/libssl/s3_pkt.c index 44c7c143fe..9476dcddf6 100644 --- a/src/lib/libssl/s3_pkt.c +++ b/src/lib/libssl/s3_pkt.c @@ -753,8 +753,15 @@ int ssl3_write_pending(SSL *s, int type, const unsigned char *buf, s->rwstate=SSL_NOTHING; return(s->s3->wpend_ret); } - else if (i <= 0) + else if (i <= 0) { + if (s->version == DTLS1_VERSION || + s->version == DTLS1_BAD_VER) { + /* For DTLS, just drop it. That's kind of the whole + point in using a datagram service */ + s->s3->wbuf.left = 0; + } return(i); + } s->s3->wbuf.offset+=i; s->s3->wbuf.left-=i; } @@ -1225,6 +1232,13 @@ int ssl3_do_change_cipher_spec(SSL *s) if (s->s3->tmp.key_block == NULL) { + if (s->session == NULL) + { + /* might happen if dtls1_read_bytes() calls this */ + SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,SSL_R_CCS_RECEIVED_EARLY); + return (0); + } + s->session->cipher=s->s3->tmp.new_cipher; if (!s->method->ssl3_enc->setup_key_block(s)) return(0); } diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c index 903522ab59..80b45eb86f 100644 --- a/src/lib/libssl/s3_srvr.c +++ b/src/lib/libssl/s3_srvr.c @@ -902,22 +902,28 @@ int ssl3_get_client_hello(SSL *s) break; } } - if (j == 0) - { - if ((s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1)) - { - /* Very bad for multi-threading.... */ - s->session->cipher=sk_SSL_CIPHER_value(ciphers, 0); - } - else + if (j == 0 && (s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1)) + { + /* Special case as client bug workaround: the previously used cipher may + * not be in the current list, the client instead might be trying to + * continue using a cipher that before wasn't chosen due to server + * preferences. We'll have to reject the connection if the cipher is not + * enabled, though. */ + c = sk_SSL_CIPHER_value(ciphers, 0); + if (sk_SSL_CIPHER_find(SSL_get_ciphers(s), c) >= 0) { - /* we need to have the cipher in the cipher - * list if we are asked to reuse it */ - al=SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_CIPHER_MISSING); - goto f_err; + s->session->cipher = c; + j = 1; } } + if (j == 0) + { + /* we need to have the cipher in the cipher + * list if we are asked to reuse it */ + al=SSL_AD_ILLEGAL_PARAMETER; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_CIPHER_MISSING); + goto f_err; + } } /* compression */ @@ -1172,13 +1178,13 @@ int ssl3_send_server_hello(SSL *s) *(d++)=SSL3_MT_SERVER_HELLO; l2n3(l,d); - s->state=SSL3_ST_CW_CLNT_HELLO_B; + s->state=SSL3_ST_SW_SRVR_HELLO_B; /* number of bytes to write */ s->init_num=p-buf; s->init_off=0; } - /* SSL3_ST_CW_CLNT_HELLO_B */ + /* SSL3_ST_SW_SRVR_HELLO_B */ return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); } @@ -1202,7 +1208,7 @@ int ssl3_send_server_done(SSL *s) s->init_off=0; } - /* SSL3_ST_CW_CLNT_HELLO_B */ + /* SSL3_ST_SW_SRVR_DONE_B */ return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); } @@ -1540,6 +1546,8 @@ int ssl3_send_server_key_exchange(SSL *s) j=0; for (num=2; num > 0; num--) { + EVP_MD_CTX_set_flags(&md_ctx, + EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); EVP_DigestInit_ex(&md_ctx,(num == 2) ?s->ctx->md5:s->ctx->sha1, NULL); EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); @@ -2558,7 +2566,7 @@ int ssl3_get_client_certificate(SSL *s) else { i=ssl_verify_cert_chain(s,sk); - if (!i) + if (i <= 0) { al=ssl_verify_alarm_type(s->verify_result); SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATE_RETURNED); diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h index 6df921f3c1..ff8a128d3c 100644 --- a/src/lib/libssl/ssl.h +++ b/src/lib/libssl/ssl.h @@ -252,6 +252,7 @@ extern "C" { #define SSL_TXT_LOW "LOW" #define SSL_TXT_MEDIUM "MEDIUM" #define SSL_TXT_HIGH "HIGH" +#define SSL_TXT_FIPS "FIPS" #define SSL_TXT_kFZA "kFZA" #define SSL_TXT_aFZA "aFZA" #define SSL_TXT_eFZA "eFZA" @@ -361,9 +362,6 @@ typedef struct ssl_cipher_st DECLARE_STACK_OF(SSL_CIPHER) -typedef struct ssl_st SSL; -typedef struct ssl_ctx_st SSL_CTX; - /* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */ typedef struct ssl_method_st { @@ -760,6 +758,12 @@ struct ssl_ctx_st int quiet_shutdown; +#ifndef OPENSSL_ENGINE + /* Engine to pass requests for client certs to + */ + ENGINE *client_cert_engine; +#endif + #ifndef OPENSSL_NO_TLSEXT /* TLS extensions servername callback */ int (*tlsext_servername_callback)(SSL*, int *, void *); @@ -829,6 +833,9 @@ void SSL_CTX_set_info_callback(SSL_CTX *ctx, void (*cb)(const SSL *ssl,int type, void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl,int type,int val); void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey)); int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL *ssl, X509 **x509, EVP_PKEY **pkey); +#ifndef OPENSSL_NO_ENGINE +int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e); +#endif void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx, int (*app_gen_cookie_cb)(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len)); void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx, int (*app_verify_cookie_cb)(SSL *ssl, unsigned char *cookie, unsigned int cookie_len)); @@ -1702,6 +1709,7 @@ void ERR_load_SSL_strings(void); #define SSL_F_SSL3_CONNECT 132 #define SSL_F_SSL3_CTRL 213 #define SSL_F_SSL3_CTX_CTRL 133 +#define SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC 279 #define SSL_F_SSL3_ENC 134 #define SSL_F_SSL3_GENERATE_KEY_BLOCK 238 #define SSL_F_SSL3_GET_CERTIFICATE_REQUEST 135 @@ -1755,6 +1763,7 @@ void ERR_load_SSL_strings(void); #define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY 168 #define SSL_F_SSL_CTX_NEW 169 #define SSL_F_SSL_CTX_SET_CIPHER_LIST 269 +#define SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE 278 #define SSL_F_SSL_CTX_SET_PURPOSE 226 #define SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT 219 #define SSL_F_SSL_CTX_SET_SSL_VERSION 170 @@ -1935,6 +1944,7 @@ void ERR_load_SSL_strings(void); #define SSL_R_NO_CIPHERS_SPECIFIED 183 #define SSL_R_NO_CIPHER_LIST 184 #define SSL_R_NO_CIPHER_MATCH 185 +#define SSL_R_NO_CLIENT_CERT_METHOD 317 #define SSL_R_NO_CLIENT_CERT_RECEIVED 186 #define SSL_R_NO_COMPRESSION_SPECIFIED 187 #define SSL_R_NO_METHOD_SPECIFIED 188 diff --git a/src/lib/libssl/ssl_asn1.c b/src/lib/libssl/ssl_asn1.c index 6e14f4d834..0f9a3489dd 100644 --- a/src/lib/libssl/ssl_asn1.c +++ b/src/lib/libssl/ssl_asn1.c @@ -353,7 +353,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, memcpy(ret->session_id,os.data,os.length); M_ASN1_D2I_get_x(ASN1_OCTET_STRING,osp,d2i_ASN1_OCTET_STRING); - if (ret->master_key_length > SSL_MAX_MASTER_KEY_LENGTH) + if (os.length > SSL_MAX_MASTER_KEY_LENGTH) ret->master_key_length=SSL_MAX_MASTER_KEY_LENGTH; else ret->master_key_length=os.length; diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c index 725f7f3c1f..0c2aa249b4 100644 --- a/src/lib/libssl/ssl_ciph.c +++ b/src/lib/libssl/ssl_ciph.c @@ -115,7 +115,10 @@ */ #include #include +#ifndef OPENSSL_NO_COMP #include +#endif + #include "ssl_locl.h" #define SSL_ENC_DES_IDX 0 @@ -222,6 +225,7 @@ static const SSL_CIPHER cipher_aliases[]={ {0,SSL_TXT_LOW, 0, 0, SSL_LOW, 0,0,0,0,SSL_STRONG_MASK}, {0,SSL_TXT_MEDIUM,0, 0,SSL_MEDIUM, 0,0,0,0,SSL_STRONG_MASK}, {0,SSL_TXT_HIGH, 0, 0, SSL_HIGH, 0,0,0,0,SSL_STRONG_MASK}, + {0,SSL_TXT_FIPS, 0, 0, SSL_FIPS, 0,0,0,0,SSL_FIPS|SSL_STRONG_NONE}, }; void ssl_load_ciphers(void) @@ -515,7 +519,12 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method, c = ssl_method->get_cipher(i); #define IS_MASKED(c) ((c)->algorithms & (((c)->alg_bits == 256) ? m256 : mask)) /* drop those that use any of that is not available */ +#ifdef OPENSSL_FIPS + if ((c != NULL) && c->valid && !IS_MASKED(c) + && (!FIPS_mode() || (c->algo_strength & SSL_FIPS))) +#else if ((c != NULL) && c->valid && !IS_MASKED(c)) +#endif { co_list[co_list_num].cipher = c; co_list[co_list_num].next = NULL; @@ -1054,7 +1063,11 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, */ for (curr = head; curr != NULL; curr = curr->next) { +#ifdef OPENSSL_FIPS + if (curr->active && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS)) +#else if (curr->active) +#endif { sk_SSL_CIPHER_push(cipherstack, curr->cipher); #ifdef CIPHER_DEBUG diff --git a/src/lib/libssl/ssl_err.c b/src/lib/libssl/ssl_err.c index 50779c1632..24a994fe01 100644 --- a/src/lib/libssl/ssl_err.c +++ b/src/lib/libssl/ssl_err.c @@ -1,6 +1,6 @@ /* ssl/ssl_err.c */ /* ==================================================================== - * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2008 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -138,6 +138,7 @@ static ERR_STRING_DATA SSL_str_functs[]= {ERR_FUNC(SSL_F_SSL3_CONNECT), "SSL3_CONNECT"}, {ERR_FUNC(SSL_F_SSL3_CTRL), "SSL3_CTRL"}, {ERR_FUNC(SSL_F_SSL3_CTX_CTRL), "SSL3_CTX_CTRL"}, +{ERR_FUNC(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC), "SSL3_DO_CHANGE_CIPHER_SPEC"}, {ERR_FUNC(SSL_F_SSL3_ENC), "SSL3_ENC"}, {ERR_FUNC(SSL_F_SSL3_GENERATE_KEY_BLOCK), "SSL3_GENERATE_KEY_BLOCK"}, {ERR_FUNC(SSL_F_SSL3_GET_CERTIFICATE_REQUEST), "SSL3_GET_CERTIFICATE_REQUEST"}, @@ -191,6 +192,7 @@ static ERR_STRING_DATA SSL_str_functs[]= {ERR_FUNC(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY), "SSL_CTX_check_private_key"}, {ERR_FUNC(SSL_F_SSL_CTX_NEW), "SSL_CTX_new"}, {ERR_FUNC(SSL_F_SSL_CTX_SET_CIPHER_LIST), "SSL_CTX_set_cipher_list"}, +{ERR_FUNC(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE), "SSL_CTX_set_client_cert_engine"}, {ERR_FUNC(SSL_F_SSL_CTX_SET_PURPOSE), "SSL_CTX_set_purpose"}, {ERR_FUNC(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT), "SSL_CTX_set_session_id_context"}, {ERR_FUNC(SSL_F_SSL_CTX_SET_SSL_VERSION), "SSL_CTX_set_ssl_version"}, @@ -374,6 +376,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= {ERR_REASON(SSL_R_NO_CIPHERS_SPECIFIED) ,"no ciphers specified"}, {ERR_REASON(SSL_R_NO_CIPHER_LIST) ,"no cipher list"}, {ERR_REASON(SSL_R_NO_CIPHER_MATCH) ,"no cipher match"}, +{ERR_REASON(SSL_R_NO_CLIENT_CERT_METHOD) ,"no client cert method"}, {ERR_REASON(SSL_R_NO_CLIENT_CERT_RECEIVED),"no client cert received"}, {ERR_REASON(SSL_R_NO_COMPRESSION_SPECIFIED),"no compression specified"}, {ERR_REASON(SSL_R_NO_METHOD_SPECIFIED) ,"no method specified"}, diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c index 065411aea8..68eee77e6f 100644 --- a/src/lib/libssl/ssl_lib.c +++ b/src/lib/libssl/ssl_lib.c @@ -130,6 +130,9 @@ #ifndef OPENSSL_NO_DH #include #endif +#ifndef OPENSSL_NO_ENGINE +#include +#endif const char *SSL_version_str=OPENSSL_VERSION_TEXT; @@ -1393,6 +1396,14 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *meth) return(NULL); } +#ifdef OPENSSL_FIPS + if (FIPS_mode() && (meth->version < TLS1_VERSION)) + { + SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE); + return NULL; + } +#endif + if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) { SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS); @@ -1511,6 +1522,27 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *meth) ret->tlsext_status_cb = 0; ret->tlsext_status_arg = NULL; +#endif + +#ifndef OPENSSL_NO_ENGINE + ret->client_cert_engine = NULL; +#ifdef OPENSSL_SSL_CLIENT_ENGINE_AUTO +#define eng_strx(x) #x +#define eng_str(x) eng_strx(x) + /* Use specific client engine automatically... ignore errors */ + { + ENGINE *eng; + eng = ENGINE_by_id(eng_str(OPENSSL_SSL_CLIENT_ENGINE_AUTO)); + if (!eng) + { + ERR_clear_error(); + ENGINE_load_builtin_engines(); + eng = ENGINE_by_id(eng_str(OPENSSL_SSL_CLIENT_ENGINE_AUTO)); + } + if (!eng || !SSL_CTX_set_client_cert_engine(ret, eng)) + ERR_clear_error(); + } +#endif #endif return(ret); @@ -1582,6 +1614,10 @@ void SSL_CTX_free(SSL_CTX *a) sk_SSL_COMP_pop_free(a->comp_methods,SSL_COMP_free); #else a->comp_methods = NULL; +#endif +#ifndef OPENSSL_NO_ENGINE + if (a->client_cert_engine) + ENGINE_finish(a->client_cert_engine); #endif OPENSSL_free(a); } diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h index de94c0d0c7..ed4ddbbae6 100644 --- a/src/lib/libssl/ssl_locl.h +++ b/src/lib/libssl/ssl_locl.h @@ -124,7 +124,9 @@ #include "e_os.h" #include +#ifndef OPENSSL_NO_COMP #include +#endif #include #include #ifndef OPENSSL_NO_RSA @@ -330,8 +332,9 @@ #define SSL_LOW 0x00000020L #define SSL_MEDIUM 0x00000040L #define SSL_HIGH 0x00000080L +#define SSL_FIPS 0x00000100L -/* we have used 000000ff - 24 bits left to go */ +/* we have used 000001ff - 23 bits left to go */ /* * Macros to check the export status and cipher strength for export ciphers. @@ -499,6 +502,7 @@ typedef struct ssl3_enc_method int (*alert_value)(int); } SSL3_ENC_METHOD; +#ifndef OPENSSL_NO_COMP /* Used for holding the relevant compression methods loaded into SSL_CTX */ typedef struct ssl3_comp_st { @@ -506,6 +510,7 @@ typedef struct ssl3_comp_st char *name; /* Text name used for the compression type */ COMP_METHOD *method; /* The method :-) */ } SSL3_COMP; +#endif extern SSL3_ENC_METHOD ssl3_undef_enc_method; OPENSSL_EXTERN SSL_CIPHER ssl2_ciphers[]; @@ -874,6 +879,7 @@ int ssl3_get_new_session_ticket(SSL *s); int ssl3_get_cert_status(SSL *s); int ssl3_get_server_done(SSL *s); int ssl3_send_client_verify(SSL *s); +int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey); int ssl3_send_client_certificate(SSL *s); int ssl3_send_client_key_exchange(SSL *s); int ssl3_get_key_exchange(SSL *s); diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c index ee88be2b88..8391d62212 100644 --- a/src/lib/libssl/ssl_sess.c +++ b/src/lib/libssl/ssl_sess.c @@ -59,6 +59,9 @@ #include #include #include +#ifndef OPENSSL_NO_ENGINE +#include +#endif #include "ssl_locl.h" static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s); @@ -870,6 +873,25 @@ int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL * ssl, X509 ** x509 , EVP_PK return ctx->client_cert_cb; } +#ifndef OPENSSL_NO_ENGINE +int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e) + { + if (!ENGINE_init(e)) + { + SSLerr(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE, ERR_R_ENGINE_LIB); + return 0; + } + if(!ENGINE_get_ssl_client_cert_function(e)) + { + SSLerr(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE, SSL_R_NO_CLIENT_CERT_METHOD); + ENGINE_finish(e); + return 0; + } + ctx->client_cert_engine = e; + return 1; + } +#endif + void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx, int (*cb)(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len)) { diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c index ed5a4a7255..7cb3e29a41 100644 --- a/src/lib/libssl/t1_enc.c +++ b/src/lib/libssl/t1_enc.c @@ -111,10 +111,15 @@ #include #include "ssl_locl.h" +#ifndef OPENSSL_NO_COMP #include +#endif #include #include #include +#ifdef KSSL_DEBUG +#include +#endif static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec, int sec_len, unsigned char *seed, int seed_len, @@ -131,6 +136,8 @@ static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec, HMAC_CTX_init(&ctx); HMAC_CTX_init(&ctx_tmp); + HMAC_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); + HMAC_CTX_set_flags(&ctx_tmp, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); HMAC_Init_ex(&ctx,sec,sec_len,md, NULL); HMAC_Init_ex(&ctx_tmp,sec,sec_len,md, NULL); HMAC_Update(&ctx,seed,seed_len); @@ -249,15 +256,15 @@ int tls1_change_cipher_state(SSL *s, int which) #ifdef KSSL_DEBUG printf("tls1_change_cipher_state(which= %d) w/\n", which); printf("\talg= %ld, comp= %p\n", s->s3->tmp.new_cipher->algorithms, - comp); - printf("\tevp_cipher == %p ==? &d_cbc_ede_cipher3\n", c); + (void *)comp); + printf("\tevp_cipher == %p ==? &d_cbc_ede_cipher3\n", (void *)c); printf("\tevp_cipher: nid, blksz= %d, %d, keylen=%d, ivlen=%d\n", c->nid,c->block_size,c->key_len,c->iv_len); printf("\tkey_block: len= %d, data= ", s->s3->tmp.key_block_length); { - int i; - for (i=0; is3->tmp.key_block_length; i++) - printf("%02x", key_block[i]); printf("\n"); + int ki; + for (ki=0; kis3->tmp.key_block_length; ki++) + printf("%02x", key_block[ki]); printf("\n"); } #endif /* KSSL_DEBUG */ @@ -413,11 +420,13 @@ printf("which = %04X\nmac key=",which); s->session->key_arg_length=0; #ifdef KSSL_DEBUG { - int i; + int ki; printf("EVP_CipherInit_ex(dd,c,key=,iv=,which)\n"); - printf("\tkey= "); for (i=0; ikey_len; i++) printf("%02x", key[i]); + printf("\tkey= "); + for (ki=0; kikey_len; ki++) printf("%02x", key[ki]); printf("\n"); - printf("\t iv= "); for (i=0; iiv_len; i++) printf("%02x", iv[i]); + printf("\t iv= "); + for (ki=0; kiiv_len; ki++) printf("%02x", iv[ki]); printf("\n"); } #endif /* KSSL_DEBUG */ @@ -590,10 +599,11 @@ int tls1_enc(SSL *s, int send) { unsigned long ui; printf("EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n", - ds,rec->data,rec->input,l); - printf("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%d %d], %d iv_len\n", + (void *)ds,rec->data,rec->input,l); + printf("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%ld %ld], %d iv_len\n", ds->buf_len, ds->cipher->key_len, - DES_KEY_SZ, DES_SCHEDULE_SZ, + (unsigned long)DES_KEY_SZ, + (unsigned long)DES_SCHEDULE_SZ, ds->cipher->iv_len); printf("\t\tIV: "); for (i=0; icipher->iv_len; i++) printf("%02X", ds->iv[i]); @@ -618,10 +628,10 @@ int tls1_enc(SSL *s, int send) #ifdef KSSL_DEBUG { - unsigned long i; + unsigned long ki; printf("\trec->data="); - for (i=0; idata[i]); printf("\n"); + for (ki=0; kidata[ki]); printf("\n"); } #endif /* KSSL_DEBUG */ @@ -805,7 +815,7 @@ int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, unsigned char buff[SSL_MAX_MASTER_KEY_LENGTH]; #ifdef KSSL_DEBUG - printf ("tls1_generate_master_secret(%p,%p, %p, %d)\n", s,out, p,len); + printf ("tls1_generate_master_secret(%p,%p, %p, %d)\n", (void *)s,out, p,len); #endif /* KSSL_DEBUG */ /* Setup the stuff to munge */ @@ -852,8 +862,10 @@ int tls1_alert_code(int code) case SSL_AD_INTERNAL_ERROR: return(TLS1_AD_INTERNAL_ERROR); case SSL_AD_USER_CANCELLED: return(TLS1_AD_USER_CANCELLED); case SSL_AD_NO_RENEGOTIATION: return(TLS1_AD_NO_RENEGOTIATION); +#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE: return (DTLS1_AD_MISSING_HANDSHAKE_MESSAGE); +#endif default: return(-1); } } diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c index 35f04afa4a..9ce726996d 100644 --- a/src/lib/libssl/t1_lib.c +++ b/src/lib/libssl/t1_lib.c @@ -734,6 +734,13 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len, /* Point after session ID in client hello */ const unsigned char *p = session_id + len; unsigned short i; + + /* If tickets disabled behave as if no ticket present + * to permit stateful resumption. + */ + if (SSL_get_options(s) & SSL_OP_NO_TICKET) + return 1; + if ((s->version <= SSL3_VERSION) || !limit) return 1; if (p >= limit) @@ -761,12 +768,7 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len, return 1; if (type == TLSEXT_TYPE_session_ticket) { - /* If tickets disabled indicate cache miss which will - * trigger a full handshake - */ - if (SSL_get_options(s) & SSL_OP_NO_TICKET) - return 0; - /* If zero length not client will accept a ticket + /* If zero length note client will accept a ticket * and indicate cache miss to trigger full handshake */ if (size == 0) diff --git a/src/lib/libssl/test/CAss.cnf b/src/lib/libssl/test/CAss.cnf index 20f8f05e3d..546e660626 100644 --- a/src/lib/libssl/test/CAss.cnf +++ b/src/lib/libssl/test/CAss.cnf @@ -7,7 +7,7 @@ RANDFILE = ./.rnd #################################################################### [ req ] -default_bits = 512 +default_bits = 1024 default_keyfile = keySS.pem distinguished_name = req_distinguished_name encrypt_rsa_key = no diff --git a/src/lib/libssl/test/Uss.cnf b/src/lib/libssl/test/Uss.cnf index 0c0ebb5f67..98b2e054b7 100644 --- a/src/lib/libssl/test/Uss.cnf +++ b/src/lib/libssl/test/Uss.cnf @@ -7,7 +7,7 @@ RANDFILE = ./.rnd #################################################################### [ req ] -default_bits = 512 +default_bits = 1024 default_keyfile = keySS.pem distinguished_name = req_distinguished_name encrypt_rsa_key = no -- cgit v1.2.3-55-g6feb