projects
/
openssl.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
Remove peer temp keys from SESS_CERT
[openssl.git]
/
ssl
/
s3_lib.c
diff --git
a/ssl/s3_lib.c
b/ssl/s3_lib.c
index c28c44761888a91deee831c9cf06f245e81d473d..ad413aa702145327c2050e79818aaa7b4f3f72ea 100644
(file)
--- a/
ssl/s3_lib.c
+++ b/
ssl/s3_lib.c
@@
-330,7
+330,7
@@
OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
/* The DH ciphers */
/* Cipher 0B */
{
/* The DH ciphers */
/* Cipher 0B */
{
-
1
,
+
0
,
SSL3_TXT_DH_DSS_DES_40_CBC_SHA,
SSL3_CK_DH_DSS_DES_40_CBC_SHA,
SSL_kDHd,
SSL3_TXT_DH_DSS_DES_40_CBC_SHA,
SSL3_CK_DH_DSS_DES_40_CBC_SHA,
SSL_kDHd,
@@
-378,7
+378,7
@@
OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
/* Cipher 0E */
{
/* Cipher 0E */
{
-
1
,
+
0
,
SSL3_TXT_DH_RSA_DES_40_CBC_SHA,
SSL3_CK_DH_RSA_DES_40_CBC_SHA,
SSL_kDHr,
SSL3_TXT_DH_RSA_DES_40_CBC_SHA,
SSL3_CK_DH_RSA_DES_40_CBC_SHA,
SSL_kDHr,
@@
-2894,11
+2894,17
@@
void ssl3_free(SSL *s)
return;
ssl3_cleanup_key_block(s);
return;
ssl3_cleanup_key_block(s);
+
+#ifndef OPENSSL_NO_RSA
+ RSA_free(s->s3->peer_rsa_tmp);
+#endif
#ifndef OPENSSL_NO_DH
DH_free(s->s3->tmp.dh);
#ifndef OPENSSL_NO_DH
DH_free(s->s3->tmp.dh);
+ DH_free(s->s3->peer_dh_tmp);
#endif
#ifndef OPENSSL_NO_EC
EC_KEY_free(s->s3->tmp.ecdh);
#endif
#ifndef OPENSSL_NO_EC
EC_KEY_free(s->s3->tmp.ecdh);
+ EC_KEY_free(s->s3->peer_ecdh_tmp);
#endif
sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free);
#endif
sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free);
@@
-2906,11
+2912,8
@@
void ssl3_free(SSL *s)
OPENSSL_clear_free(s->s3->tmp.pms, s->s3->tmp.pmslen);
OPENSSL_free(s->s3->tmp.peer_sigalgs);
BIO_free(s->s3->handshake_buffer);
OPENSSL_clear_free(s->s3->tmp.pms, s->s3->tmp.pmslen);
OPENSSL_free(s->s3->tmp.peer_sigalgs);
BIO_free(s->s3->handshake_buffer);
- if (s->s3->handshake_dgst)
- ssl3_free_digest_list(s);
-#ifndef OPENSSL_NO_TLSEXT
+ ssl3_free_digest_list(s);
OPENSSL_free(s->s3->alpn_selected);
OPENSSL_free(s->s3->alpn_selected);
-#endif
#ifndef OPENSSL_NO_SRP
SSL_SRP_CTX_free(s);
#ifndef OPENSSL_NO_SRP
SSL_SRP_CTX_free(s);
@@
-2932,32
+2935,35
@@
void ssl3_clear(SSL *s)
OPENSSL_free(s->s3->tmp.peer_sigalgs);
s->s3->tmp.peer_sigalgs = NULL;
OPENSSL_free(s->s3->tmp.peer_sigalgs);
s->s3->tmp.peer_sigalgs = NULL;
+#ifndef OPENSSL_NO_RSA
+ RSA_free(s->s3->peer_rsa_tmp);
+ s->s3->peer_rsa_tmp = NULL;
+#endif
+
#ifndef OPENSSL_NO_DH
DH_free(s->s3->tmp.dh);
s->s3->tmp.dh = NULL;
#ifndef OPENSSL_NO_DH
DH_free(s->s3->tmp.dh);
s->s3->tmp.dh = NULL;
+ DH_free(s->s3->peer_dh_tmp);
+ s->s3->peer_dh_tmp = NULL;
#endif
#ifndef OPENSSL_NO_EC
EC_KEY_free(s->s3->tmp.ecdh);
s->s3->tmp.ecdh = NULL;
#endif
#ifndef OPENSSL_NO_EC
EC_KEY_free(s->s3->tmp.ecdh);
s->s3->tmp.ecdh = NULL;
-#endif
-#ifndef OPENSSL_NO_TLSEXT
-# ifndef OPENSSL_NO_EC
+ EC_KEY_free(s->s3->peer_ecdh_tmp);
+ s->s3->peer_ecdh_tmp = NULL;
s->s3->is_probably_safari = 0;
s->s3->is_probably_safari = 0;
-# endif /* !OPENSSL_NO_EC */
-#endif /* !OPENSSL_NO_TLSEXT */
+#endif /* !OPENSSL_NO_EC */
init_extra = s->s3->init_extra;
BIO_free(s->s3->handshake_buffer);
s->s3->handshake_buffer = NULL;
init_extra = s->s3->init_extra;
BIO_free(s->s3->handshake_buffer);
s->s3->handshake_buffer = NULL;
- if (s->s3->handshake_dgst) {
- ssl3_free_digest_list(s);
- }
-#if !defined(OPENSSL_NO_TLSEXT)
+ ssl3_free_digest_list(s);
+
if (s->s3->alpn_selected) {
if (s->s3->alpn_selected) {
- free(s->s3->alpn_selected);
+
OPENSSL_
free(s->s3->alpn_selected);
s->s3->alpn_selected = NULL;
}
s->s3->alpn_selected = NULL;
}
-#endif
+
memset(s->s3, 0, sizeof(*s->s3));
s->s3->init_extra = init_extra;
memset(s->s3, 0, sizeof(*s->s3));
s->s3->init_extra = init_extra;
@@
-2969,7
+2975,7
@@
void ssl3_clear(SSL *s)
s->s3->in_read_app_data = 0;
s->version = SSL3_VERSION;
s->s3->in_read_app_data = 0;
s->version = SSL3_VERSION;
-#if !defined(OPENSSL_NO_
TLSEXT) && !defined(OPENSSL_NO_
NEXTPROTONEG)
+#if !defined(OPENSSL_NO_NEXTPROTONEG)
OPENSSL_free(s->next_proto_negotiated);
s->next_proto_negotiated = NULL;
s->next_proto_negotiated_len = 0;
OPENSSL_free(s->next_proto_negotiated);
s->next_proto_negotiated = NULL;
s->next_proto_negotiated_len = 0;
@@
-3109,7
+3115,6
@@
long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
return (ret);
}
#endif /* !OPENSSL_NO_EC */
return (ret);
}
#endif /* !OPENSSL_NO_EC */
-#ifndef OPENSSL_NO_TLSEXT
case SSL_CTRL_SET_TLSEXT_HOSTNAME:
if (larg == TLSEXT_NAMETYPE_host_name) {
OPENSSL_free(s->tlsext_hostname);
case SSL_CTRL_SET_TLSEXT_HOSTNAME:
if (larg == TLSEXT_NAMETYPE_host_name) {
OPENSSL_free(s->tlsext_hostname);
@@
-3172,7
+3177,7
@@
long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
ret = 1;
break;
ret = 1;
break;
-#
ifndef OPENSSL_NO_HEARTBEATS
+#ifndef OPENSSL_NO_HEARTBEATS
case SSL_CTRL_TLS_EXT_SEND_HEARTBEAT:
if (SSL_IS_DTLS(s))
ret = dtls1_heartbeat(s);
case SSL_CTRL_TLS_EXT_SEND_HEARTBEAT:
if (SSL_IS_DTLS(s))
ret = dtls1_heartbeat(s);
@@
-3191,9
+3196,7
@@
long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
s->tlsext_heartbeat &= ~SSL_TLSEXT_HB_DONT_RECV_REQUESTS;
ret = 1;
break;
s->tlsext_heartbeat &= ~SSL_TLSEXT_HB_DONT_RECV_REQUESTS;
ret = 1;
break;
-# endif
-
-#endif /* !OPENSSL_NO_TLSEXT */
+#endif
case SSL_CTRL_CHAIN:
if (larg)
case SSL_CTRL_CHAIN:
if (larg)
@@
-3342,28
+3345,26
@@
long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
if (s->server || !s->session || !s->session->sess_cert)
return 0;
else {
if (s->server || !s->session || !s->session->sess_cert)
return 0;
else {
- SESS_CERT *sc;
EVP_PKEY *ptmp;
int rv = 0;
EVP_PKEY *ptmp;
int rv = 0;
- sc = s->session->sess_cert;
#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_EC)
#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DH) && !defined(OPENSSL_NO_EC)
- if (!s
c->peer_rsa_tmp && !sc->peer_dh_tmp && !sc
->peer_ecdh_tmp)
+ if (!s
->s3->peer_rsa_tmp && !s->s3->peer_dh_tmp && !s->s3
->peer_ecdh_tmp)
return 0;
#endif
ptmp = EVP_PKEY_new();
if (!ptmp)
return 0;
#ifndef OPENSSL_NO_RSA
return 0;
#endif
ptmp = EVP_PKEY_new();
if (!ptmp)
return 0;
#ifndef OPENSSL_NO_RSA
- else if (s
c
->peer_rsa_tmp)
- rv = EVP_PKEY_set1_RSA(ptmp, s
c
->peer_rsa_tmp);
+ else if (s
->s3
->peer_rsa_tmp)
+ rv = EVP_PKEY_set1_RSA(ptmp, s
->s3
->peer_rsa_tmp);
#endif
#ifndef OPENSSL_NO_DH
#endif
#ifndef OPENSSL_NO_DH
- else if (s
c
->peer_dh_tmp)
- rv = EVP_PKEY_set1_DH(ptmp, s
c
->peer_dh_tmp);
+ else if (s
->s3
->peer_dh_tmp)
+ rv = EVP_PKEY_set1_DH(ptmp, s
->s3
->peer_dh_tmp);
#endif
#ifndef OPENSSL_NO_EC
#endif
#ifndef OPENSSL_NO_EC
- else if (s
c
->peer_ecdh_tmp)
- rv = EVP_PKEY_set1_EC_KEY(ptmp, s
c
->peer_ecdh_tmp);
+ else if (s
->s3
->peer_ecdh_tmp)
+ rv = EVP_PKEY_set1_EC_KEY(ptmp, s
->s3
->peer_ecdh_tmp);
#endif
if (rv) {
*(EVP_PKEY **)parg = ptmp;
#endif
if (rv) {
*(EVP_PKEY **)parg = ptmp;
@@
-3443,12
+3444,11
@@
long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp) (void))
}
break;
#endif
}
break;
#endif
-#ifndef OPENSSL_NO_TLSEXT
case SSL_CTRL_SET_TLSEXT_DEBUG_CB:
s->tlsext_debug_cb = (void (*)(SSL *, int, int,
unsigned char *, int, void *))fp;
break;
case SSL_CTRL_SET_TLSEXT_DEBUG_CB:
s->tlsext_debug_cb = (void (*)(SSL *, int, int,
unsigned char *, int, void *))fp;
break;
-#endif
+
case SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB:
{
s->not_resumable_session_cb = (int (*)(SSL *, int))fp;
case SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB:
{
s->not_resumable_session_cb = (int (*)(SSL *, int))fp;
@@
-3578,7
+3578,6
@@
long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
return (0);
}
#endif /* !OPENSSL_NO_EC */
return (0);
}
#endif /* !OPENSSL_NO_EC */
-#ifndef OPENSSL_NO_TLSEXT
case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG:
ctx->tlsext_servername_arg = parg;
break;
case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG:
ctx->tlsext_servername_arg = parg;
break;
@@
-3608,7
+3607,7
@@
long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
ctx->tlsext_status_arg = parg;
return 1;
ctx->tlsext_status_arg = parg;
return 1;
-#
ifndef OPENSSL_NO_SRP
+#ifndef OPENSSL_NO_SRP
case SSL_CTRL_SET_TLS_EXT_SRP_USERNAME:
ctx->srp_ctx.srp_Mask |= SSL_kSRP;
OPENSSL_free(ctx->srp_ctx.login);
case SSL_CTRL_SET_TLS_EXT_SRP_USERNAME:
ctx->srp_ctx.srp_Mask |= SSL_kSRP;
OPENSSL_free(ctx->srp_ctx.login);
@@
-3638,9
+3637,9
@@
long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
case SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH:
ctx->srp_ctx.strength = larg;
break;
case SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH:
ctx->srp_ctx.strength = larg;
break;
-#
endif
+#endif
-#
ifndef OPENSSL_NO_EC
+#ifndef OPENSSL_NO_EC
case SSL_CTRL_SET_CURVES:
return tls1_set_curves(&ctx->tlsext_ellipticcurvelist,
&ctx->tlsext_ellipticcurvelist_length,
case SSL_CTRL_SET_CURVES:
return tls1_set_curves(&ctx->tlsext_ellipticcurvelist,
&ctx->tlsext_ellipticcurvelist_length,
@@
-3650,12
+3649,10
@@
long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
return tls1_set_curves_list(&ctx->tlsext_ellipticcurvelist,
&ctx->tlsext_ellipticcurvelist_length,
parg);
return tls1_set_curves_list(&ctx->tlsext_ellipticcurvelist,
&ctx->tlsext_ellipticcurvelist_length,
parg);
-# ifndef OPENSSL_NO_EC
case SSL_CTRL_SET_ECDH_AUTO:
ctx->cert->ecdh_tmp_auto = larg;
return 1;
case SSL_CTRL_SET_ECDH_AUTO:
ctx->cert->ecdh_tmp_auto = larg;
return 1;
-# endif
-# endif
+#endif
case SSL_CTRL_SET_SIGALGS:
return tls1_set_sigalgs(ctx->cert, parg, larg, 0);
case SSL_CTRL_SET_SIGALGS:
return tls1_set_sigalgs(ctx->cert, parg, larg, 0);
@@
-3680,8
+3677,6
@@
long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
case SSL_CTRL_SET_CHAIN_CERT_STORE:
return ssl_cert_set_cert_store(ctx->cert, parg, 1, larg);
case SSL_CTRL_SET_CHAIN_CERT_STORE:
return ssl_cert_set_cert_store(ctx->cert, parg, 1, larg);
-#endif /* !OPENSSL_NO_TLSEXT */
-
/* A Thawte special :-) */
case SSL_CTRL_EXTRA_CHAIN_CERT:
if (ctx->extra_certs == NULL) {
/* A Thawte special :-) */
case SSL_CTRL_EXTRA_CHAIN_CERT:
if (ctx->extra_certs == NULL) {
@@
-3759,7
+3754,6
@@
long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void))
}
break;
#endif
}
break;
#endif
-#ifndef OPENSSL_NO_TLSEXT
case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB:
ctx->tlsext_servername_callback = (int (*)(SSL *, int *, void *))fp;
break;
case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB:
ctx->tlsext_servername_callback = (int (*)(SSL *, int *, void *))fp;
break;
@@
-3775,7
+3769,7
@@
long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void))
HMAC_CTX *, int))fp;
break;
HMAC_CTX *, int))fp;
break;
-#
ifndef OPENSSL_NO_SRP
+#ifndef OPENSSL_NO_SRP
case SSL_CTRL_SET_SRP_VERIFY_PARAM_CB:
ctx->srp_ctx.srp_Mask |= SSL_kSRP;
ctx->srp_ctx.SRP_verify_param_callback = (int (*)(SSL *, void *))fp;
case SSL_CTRL_SET_SRP_VERIFY_PARAM_CB:
ctx->srp_ctx.srp_Mask |= SSL_kSRP;
ctx->srp_ctx.SRP_verify_param_callback = (int (*)(SSL *, void *))fp;
@@
-3790,7
+3784,6
@@
long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void))
ctx->srp_ctx.SRP_give_srp_client_pwd_callback =
(char *(*)(SSL *, void *))fp;
break;
ctx->srp_ctx.SRP_give_srp_client_pwd_callback =
(char *(*)(SSL *, void *))fp;
break;
-# endif
#endif
case SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB:
{
#endif
case SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB:
{
@@
-3843,11
+3836,9
@@
SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
SSL_CIPHER *c, *ret = NULL;
STACK_OF(SSL_CIPHER) *prio, *allow;
int i, ii, ok;
SSL_CIPHER *c, *ret = NULL;
STACK_OF(SSL_CIPHER) *prio, *allow;
int i, ii, ok;
- CERT *cert;
unsigned long alg_k, alg_a, mask_k, mask_a, emask_k, emask_a;
/* Let's see which ciphers we can support */
unsigned long alg_k, alg_a, mask_k, mask_a, emask_k, emask_a;
/* Let's see which ciphers we can support */
- cert = s->cert;
#if 0
/*
#if 0
/*
@@
-3893,10
+3884,10
@@
SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
continue;
ssl_set_masks(s, c);
continue;
ssl_set_masks(s, c);
- mask_k =
cert->
mask_k;
- mask_a =
cert->
mask_a;
- emask_k =
cert->
export_mask_k;
- emask_a =
cert->
export_mask_a;
+ mask_k =
s->s3->tmp.
mask_k;
+ mask_a =
s->s3->tmp.
mask_a;
+ emask_k =
s->s3->tmp.
export_mask_k;
+ emask_a =
s->s3->tmp.
export_mask_a;
#ifndef OPENSSL_NO_SRP
if (s->srp_ctx.srp_Mask & SSL_kSRP) {
mask_k |= SSL_kSRP;
#ifndef OPENSSL_NO_SRP
if (s->srp_ctx.srp_Mask & SSL_kSRP) {
mask_k |= SSL_kSRP;
@@
-3929,7
+3920,6
@@
SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
#endif
}
#endif
}
-#ifndef OPENSSL_NO_TLSEXT
# ifndef OPENSSL_NO_EC
/*
* if we are considering an ECC cipher suite that uses an ephemeral
# ifndef OPENSSL_NO_EC
/*
* if we are considering an ECC cipher suite that uses an ephemeral
@@
-3938,7
+3928,6
@@
SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
if (alg_k & SSL_kECDHE)
ok = ok && tls1_check_ec_tmp_key(s, c->id);
# endif /* OPENSSL_NO_EC */
if (alg_k & SSL_kECDHE)
ok = ok && tls1_check_ec_tmp_key(s, c->id);
# endif /* OPENSSL_NO_EC */
-#endif /* OPENSSL_NO_TLSEXT */
if (!ok)
continue;
if (!ok)
continue;
@@
-3948,7
+3937,7
@@
SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
if (!ssl_security(s, SSL_SECOP_CIPHER_SHARED,
c->strength_bits, 0, c))
continue;
if (!ssl_security(s, SSL_SECOP_CIPHER_SHARED,
c->strength_bits, 0, c))
continue;
-#if !defined(OPENSSL_NO_EC)
&& !defined(OPENSSL_NO_TLSEXT)
+#if !defined(OPENSSL_NO_EC)
if ((alg_k & SSL_kECDHE) && (alg_a & SSL_aECDSA)
&& s->s3->is_probably_safari) {
if (!ret)
if ((alg_k & SSL_kECDHE) && (alg_a & SSL_aECDSA)
&& s->s3->is_probably_safari) {
if (!ret)