X-Git-Url: https://git.openssl.org/gitweb/?a=blobdiff_plain;f=ssl%2Fs3_lib.c;h=e7f1898e8130e126fb1e6340a43bc2758d3f703b;hb=55a9a16f1c02837058173c41fa26f36ec3acd22e;hp=9893930eef478d48eeaf634aaced9a42cb086560;hpb=d64070838ebba86f00fb3755df5d3e65106e1628;p=openssl.git diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 9893930eef..e7f1898e81 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -151,7 +151,6 @@ #include #include #include "ssl_locl.h" -#include "kssl_lcl.h" #include #ifndef OPENSSL_NO_DH # include @@ -159,7 +158,7 @@ const char ssl3_version_str[] = "SSLv3" OPENSSL_VERSION_PTEXT; -#define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers)/sizeof(SSL_CIPHER)) +#define SSL3_NUM_CIPHERS OSSL_NELEM(ssl3_ciphers) /* list of available SSLv3 ciphers (sorted by id) */ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { @@ -601,233 +600,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { 168, }, -#ifndef OPENSSL_NO_KRB5 -/* The Kerberos ciphers*/ -/* Cipher 1E */ - { - 1, - SSL3_TXT_KRB5_DES_64_CBC_SHA, - SSL3_CK_KRB5_DES_64_CBC_SHA, - SSL_kKRB5, - SSL_aKRB5, - SSL_DES, - SSL_SHA1, - SSL_SSLV3, - SSL_NOT_EXP | SSL_LOW, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 56, - 56, - }, - -/* Cipher 1F */ - { - 1, - SSL3_TXT_KRB5_DES_192_CBC3_SHA, - SSL3_CK_KRB5_DES_192_CBC3_SHA, - SSL_kKRB5, - SSL_aKRB5, - SSL_3DES, - SSL_SHA1, - SSL_SSLV3, - SSL_NOT_EXP | SSL_HIGH | SSL_FIPS, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 112, - 168, - }, - -/* Cipher 20 */ - { - 1, - SSL3_TXT_KRB5_RC4_128_SHA, - SSL3_CK_KRB5_RC4_128_SHA, - SSL_kKRB5, - SSL_aKRB5, - SSL_RC4, - SSL_SHA1, - SSL_SSLV3, - SSL_NOT_EXP | SSL_MEDIUM, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, - 128, - }, - -/* Cipher 21 */ - { - 1, - SSL3_TXT_KRB5_IDEA_128_CBC_SHA, - SSL3_CK_KRB5_IDEA_128_CBC_SHA, - SSL_kKRB5, - SSL_aKRB5, - SSL_IDEA, - SSL_SHA1, - SSL_SSLV3, - SSL_NOT_EXP | SSL_MEDIUM, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, - 128, - }, - -/* Cipher 22 */ - { - 1, - SSL3_TXT_KRB5_DES_64_CBC_MD5, - SSL3_CK_KRB5_DES_64_CBC_MD5, - SSL_kKRB5, - SSL_aKRB5, - SSL_DES, - SSL_MD5, - SSL_SSLV3, - SSL_NOT_EXP | SSL_LOW, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 56, - 56, - }, - -/* Cipher 23 */ - { - 1, - SSL3_TXT_KRB5_DES_192_CBC3_MD5, - SSL3_CK_KRB5_DES_192_CBC3_MD5, - SSL_kKRB5, - SSL_aKRB5, - SSL_3DES, - SSL_MD5, - SSL_SSLV3, - SSL_NOT_EXP | SSL_HIGH, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 112, - 168, - }, - -/* Cipher 24 */ - { - 1, - SSL3_TXT_KRB5_RC4_128_MD5, - SSL3_CK_KRB5_RC4_128_MD5, - SSL_kKRB5, - SSL_aKRB5, - SSL_RC4, - SSL_MD5, - SSL_SSLV3, - SSL_NOT_EXP | SSL_MEDIUM, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, - 128, - }, - -/* Cipher 25 */ - { - 1, - SSL3_TXT_KRB5_IDEA_128_CBC_MD5, - SSL3_CK_KRB5_IDEA_128_CBC_MD5, - SSL_kKRB5, - SSL_aKRB5, - SSL_IDEA, - SSL_MD5, - SSL_SSLV3, - SSL_NOT_EXP | SSL_MEDIUM, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 128, - 128, - }, - -/* Cipher 26 */ - { - 1, - SSL3_TXT_KRB5_DES_40_CBC_SHA, - SSL3_CK_KRB5_DES_40_CBC_SHA, - SSL_kKRB5, - SSL_aKRB5, - SSL_DES, - SSL_SHA1, - SSL_SSLV3, - SSL_EXPORT | SSL_EXP40, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 40, - 56, - }, - -/* Cipher 27 */ - { - 1, - SSL3_TXT_KRB5_RC2_40_CBC_SHA, - SSL3_CK_KRB5_RC2_40_CBC_SHA, - SSL_kKRB5, - SSL_aKRB5, - SSL_RC2, - SSL_SHA1, - SSL_SSLV3, - SSL_EXPORT | SSL_EXP40, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 40, - 128, - }, - -/* Cipher 28 */ - { - 1, - SSL3_TXT_KRB5_RC4_40_SHA, - SSL3_CK_KRB5_RC4_40_SHA, - SSL_kKRB5, - SSL_aKRB5, - SSL_RC4, - SSL_SHA1, - SSL_SSLV3, - SSL_EXPORT | SSL_EXP40, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 40, - 128, - }, - -/* Cipher 29 */ - { - 1, - SSL3_TXT_KRB5_DES_40_CBC_MD5, - SSL3_CK_KRB5_DES_40_CBC_MD5, - SSL_kKRB5, - SSL_aKRB5, - SSL_DES, - SSL_MD5, - SSL_SSLV3, - SSL_EXPORT | SSL_EXP40, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 40, - 56, - }, - -/* Cipher 2A */ - { - 1, - SSL3_TXT_KRB5_RC2_40_CBC_MD5, - SSL3_CK_KRB5_RC2_40_CBC_MD5, - SSL_kKRB5, - SSL_aKRB5, - SSL_RC2, - SSL_MD5, - SSL_SSLV3, - SSL_EXPORT | SSL_EXP40, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 40, - 128, - }, - -/* Cipher 2B */ - { - 1, - SSL3_TXT_KRB5_RC4_40_MD5, - SSL3_CK_KRB5_RC4_40_MD5, - SSL_kKRB5, - SSL_aKRB5, - SSL_RC4, - SSL_MD5, - SSL_SSLV3, - SSL_EXPORT | SSL_EXP40, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 40, - 128, - }, -#endif /* OPENSSL_NO_KRB5 */ - /* New AES ciphersuites */ /* Cipher 2F */ { @@ -1839,21 +1611,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { 256, 256, }, -#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL - { - 1, - "SCSV", - SSL3_CK_SCSV, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0}, -#endif #ifndef OPENSSL_NO_CAMELLIA /* TLS 1.2 Camellia SHA-256 ciphersuites from RFC5932 */ @@ -2051,6 +1808,23 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { }, #endif +#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL + /* Cipher FF */ + { + 1, + "SCSV", + SSL3_CK_SCSV, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0}, +#endif + #ifndef OPENSSL_NO_EC /* Cipher C001 */ { @@ -3078,15 +2852,6 @@ const SSL_CIPHER *ssl3_get_cipher(unsigned int u) return (NULL); } -int ssl3_pending(const SSL *s) -{ - if (s->rstate == SSL_ST_READ_BODY) - return 0; - - return (s->s3->rrec.type == - SSL3_RT_APPLICATION_DATA) ? s->s3->rrec.length : 0; -} - int ssl3_set_handshake_header(SSL *s, int htype, unsigned long len) { unsigned char *p = (unsigned char *)s->init_buf->data; @@ -3107,16 +2872,13 @@ int ssl3_new(SSL *s) { SSL3_STATE *s3; - if ((s3 = OPENSSL_malloc(sizeof *s3)) == NULL) + if ((s3 = OPENSSL_malloc(sizeof(*s3))) == NULL) goto err; - memset(s3, 0, sizeof *s3); - memset(s3->rrec.seq_num, 0, sizeof(s3->rrec.seq_num)); - memset(s3->wrec.seq_num, 0, sizeof(s3->wrec.seq_num)); - + memset(s3, 0, sizeof(*s3)); s->s3 = s3; - + #ifndef OPENSSL_NO_SRP - if(!SSL_SRP_CTX_init(s)) + if (!SSL_SRP_CTX_init(s)) goto err; #endif s->method->ssl_clear(s); @@ -3131,63 +2893,42 @@ void ssl3_free(SSL *s) return; ssl3_cleanup_key_block(s); - if (s->s3->rbuf.buf != NULL) - ssl3_release_read_buffer(s); - if (s->s3->wbuf.buf != NULL) - ssl3_release_write_buffer(s); - if (s->s3->rrec.comp != NULL) - OPENSSL_free(s->s3->rrec.comp); #ifndef OPENSSL_NO_DH DH_free(s->s3->tmp.dh); #endif #ifndef OPENSSL_NO_EC - if (s->s3->tmp.ecdh != NULL) - EC_KEY_free(s->s3->tmp.ecdh); + EC_KEY_free(s->s3->tmp.ecdh); #endif - if (s->s3->tmp.ca_names != NULL) - sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free); - if (s->s3->handshake_buffer) { - BIO_free(s->s3->handshake_buffer); - } + sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free); + BIO_free(s->s3->handshake_buffer); if (s->s3->handshake_dgst) ssl3_free_digest_list(s); #ifndef OPENSSL_NO_TLSEXT - if (s->s3->alpn_selected) - OPENSSL_free(s->s3->alpn_selected); + OPENSSL_free(s->s3->alpn_selected); #endif #ifndef OPENSSL_NO_SRP SSL_SRP_CTX_free(s); #endif - OPENSSL_cleanse(s->s3, sizeof *s->s3); - OPENSSL_free(s->s3); + OPENSSL_clear_free(s->s3, sizeof(*s->s3)); s->s3 = NULL; } void ssl3_clear(SSL *s) { - unsigned char *rp, *wp; - size_t rlen, wlen; int init_extra; ssl3_cleanup_key_block(s); - if (s->s3->tmp.ca_names != NULL) - sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free); + sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free); - if (s->s3->rrec.comp != NULL) { - OPENSSL_free(s->s3->rrec.comp); - s->s3->rrec.comp = NULL; - } #ifndef OPENSSL_NO_DH DH_free(s->s3->tmp.dh); s->s3->tmp.dh = NULL; #endif #ifndef OPENSSL_NO_EC - if (s->s3->tmp.ecdh != NULL) { - EC_KEY_free(s->s3->tmp.ecdh); - s->s3->tmp.ecdh = NULL; - } + EC_KEY_free(s->s3->tmp.ecdh); + s->s3->tmp.ecdh = NULL; #endif #ifndef OPENSSL_NO_TLSEXT # ifndef OPENSSL_NO_EC @@ -3195,15 +2936,9 @@ void ssl3_clear(SSL *s) # endif /* !OPENSSL_NO_EC */ #endif /* !OPENSSL_NO_TLSEXT */ - rp = s->s3->rbuf.buf; - wp = s->s3->wbuf.buf; - rlen = s->s3->rbuf.len; - wlen = s->s3->wbuf.len; init_extra = s->s3->init_extra; - if (s->s3->handshake_buffer) { - BIO_free(s->s3->handshake_buffer); - s->s3->handshake_buffer = NULL; - } + BIO_free(s->s3->handshake_buffer); + s->s3->handshake_buffer = NULL; if (s->s3->handshake_dgst) { ssl3_free_digest_list(s); } @@ -3213,16 +2948,11 @@ void ssl3_clear(SSL *s) s->s3->alpn_selected = NULL; } #endif - memset(s->s3, 0, sizeof *s->s3); - s->s3->rbuf.buf = rp; - s->s3->wbuf.buf = wp; - s->s3->rbuf.len = rlen; - s->s3->wbuf.len = wlen; + memset(s->s3, 0, sizeof(*s->s3)); s->s3->init_extra = init_extra; ssl_free_wbio_buffer(s); - s->packet_length = 0; s->s3->renegotiate = 0; s->s3->total_renegotiations = 0; s->s3->num_renegotiations = 0; @@ -3230,11 +2960,9 @@ void ssl3_clear(SSL *s) s->version = SSL3_VERSION; #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) - if (s->next_proto_negotiated) { - OPENSSL_free(s->next_proto_negotiated); - s->next_proto_negotiated = NULL; - s->next_proto_negotiated_len = 0; - } + OPENSSL_free(s->next_proto_negotiated); + s->next_proto_negotiated = NULL; + s->next_proto_negotiated_len = 0; #endif } @@ -3360,8 +3088,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) return (ret); } } - if (s->cert->ecdh_tmp != NULL) - EC_KEY_free(s->cert->ecdh_tmp); + EC_KEY_free(s->cert->ecdh_tmp); s->cert->ecdh_tmp = ecdh; ret = 1; } @@ -3375,8 +3102,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) #ifndef OPENSSL_NO_TLSEXT case SSL_CTRL_SET_TLSEXT_HOSTNAME: if (larg == TLSEXT_NAMETYPE_host_name) { - if (s->tlsext_hostname != NULL) - OPENSSL_free(s->tlsext_hostname); + OPENSSL_free(s->tlsext_hostname); s->tlsext_hostname = NULL; ret = 1; @@ -3430,8 +3156,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) return s->tlsext_ocsp_resplen; case SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP: - if (s->tlsext_ocsp_resp) - OPENSSL_free(s->tlsext_ocsp_resp); + OPENSSL_free(s->tlsext_ocsp_resp); s->tlsext_ocsp_resp = parg; s->tlsext_ocsp_resplen = larg; ret = 1; @@ -3618,7 +3343,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) ptmp = EVP_PKEY_new(); if (!ptmp) return 0; - if (0) ; #ifndef OPENSSL_NO_RSA else if (sc->peer_rsa_tmp) rv = EVP_PKEY_set1_RSA(ptmp, sc->peer_rsa_tmp); @@ -3833,9 +3557,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) } } - if (cert->ecdh_tmp != NULL) { - EC_KEY_free(cert->ecdh_tmp); - } + EC_KEY_free(cert->ecdh_tmp); cert->ecdh_tmp = ecdh; return 1; } @@ -3879,8 +3601,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) # ifndef OPENSSL_NO_SRP case SSL_CTRL_SET_TLS_EXT_SRP_USERNAME: ctx->srp_ctx.srp_Mask |= SSL_kSRP; - if (ctx->srp_ctx.login != NULL) - OPENSSL_free(ctx->srp_ctx.login); + OPENSSL_free(ctx->srp_ctx.login); ctx->srp_ctx.login = NULL; if (parg == NULL) break; @@ -3968,10 +3689,8 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) break; case SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS: - if (ctx->extra_certs) { - sk_X509_pop_free(ctx->extra_certs, X509_free); - ctx->extra_certs = NULL; - } + sk_X509_pop_free(ctx->extra_certs, X509_free); + ctx->extra_certs = NULL; break; case SSL_CTRL_CHAIN: @@ -4177,22 +3896,9 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, } #endif -#ifdef KSSL_DEBUG - /* - * fprintf(stderr,"ssl3_choose_cipher %d alg= %lx\n", - * i,c->algorithms); - */ -#endif /* KSSL_DEBUG */ - alg_k = c->algorithm_mkey; alg_a = c->algorithm_auth; -#ifndef OPENSSL_NO_KRB5 - if (alg_k & SSL_kKRB5) { - if (!kssl_keytab_is_available(s->kssl_ctx)) - continue; - } -#endif /* OPENSSL_NO_KRB5 */ #ifndef OPENSSL_NO_PSK /* with PSK there must be server callback set */ if ((alg_k & SSL_kPSK) && s->psk_server_callback == NULL) @@ -4329,10 +4035,8 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p) static int ssl3_set_req_cert_type(CERT *c, const unsigned char *p, size_t len) { - if (c->ctypes) { - OPENSSL_free(c->ctypes); - c->ctypes = NULL; - } + OPENSSL_free(c->ctypes); + c->ctypes = NULL; if (!p || !len) return 1; if (len > 0xff) @@ -4504,8 +4208,9 @@ int ssl3_renegotiate_check(SSL *s) int ret = 0; if (s->s3->renegotiate) { - if ((s->s3->rbuf.left == 0) && - (s->s3->wbuf.left == 0) && !SSL_in_init(s)) { + if (!RECORD_LAYER_read_pending(&s->rlayer) + && !RECORD_LAYER_write_pending(&s->rlayer) + && !SSL_in_init(s)) { /* * if we are the server, and we have sent a 'RENEGOTIATE' * message, we need to go to SSL_ST_ACCEPT.