#include <stdio.h>
#include <openssl/objects.h>
#include "ssl_locl.h"
-#include "kssl_lcl.h"
#include <openssl/md5.h>
#ifndef OPENSSL_NO_DH
# include <openssl/dh.h>
const char ssl3_version_str[] = "SSLv3" OPENSSL_VERSION_PTEXT;
-#define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers)/sizeof(SSL_CIPHER))
+#define SSL3_NUM_CIPHERS OSSL_NELEM(ssl3_ciphers)
/* list of available SSLv3 ciphers (sorted by id) */
OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
168,
},
-#ifndef OPENSSL_NO_KRB5
-/* The Kerberos ciphers*/
-/* Cipher 1E */
- {
- 1,
- SSL3_TXT_KRB5_DES_64_CBC_SHA,
- SSL3_CK_KRB5_DES_64_CBC_SHA,
- SSL_kKRB5,
- SSL_aKRB5,
- SSL_DES,
- SSL_SHA1,
- SSL_SSLV3,
- SSL_NOT_EXP | SSL_LOW,
- SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
- 56,
- 56,
- },
-
-/* Cipher 1F */
- {
- 1,
- SSL3_TXT_KRB5_DES_192_CBC3_SHA,
- SSL3_CK_KRB5_DES_192_CBC3_SHA,
- SSL_kKRB5,
- SSL_aKRB5,
- SSL_3DES,
- SSL_SHA1,
- SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
- 112,
- 168,
- },
-
-/* Cipher 20 */
- {
- 1,
- SSL3_TXT_KRB5_RC4_128_SHA,
- SSL3_CK_KRB5_RC4_128_SHA,
- SSL_kKRB5,
- SSL_aKRB5,
- SSL_RC4,
- SSL_SHA1,
- SSL_SSLV3,
- SSL_NOT_EXP | SSL_MEDIUM,
- SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
- 128,
- 128,
- },
-
-/* Cipher 21 */
- {
- 1,
- SSL3_TXT_KRB5_IDEA_128_CBC_SHA,
- SSL3_CK_KRB5_IDEA_128_CBC_SHA,
- SSL_kKRB5,
- SSL_aKRB5,
- SSL_IDEA,
- SSL_SHA1,
- SSL_SSLV3,
- SSL_NOT_EXP | SSL_MEDIUM,
- SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
- 128,
- 128,
- },
-
-/* Cipher 22 */
- {
- 1,
- SSL3_TXT_KRB5_DES_64_CBC_MD5,
- SSL3_CK_KRB5_DES_64_CBC_MD5,
- SSL_kKRB5,
- SSL_aKRB5,
- SSL_DES,
- SSL_MD5,
- SSL_SSLV3,
- SSL_NOT_EXP | SSL_LOW,
- SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
- 56,
- 56,
- },
-
-/* Cipher 23 */
- {
- 1,
- SSL3_TXT_KRB5_DES_192_CBC3_MD5,
- SSL3_CK_KRB5_DES_192_CBC3_MD5,
- SSL_kKRB5,
- SSL_aKRB5,
- SSL_3DES,
- SSL_MD5,
- SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH,
- SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
- 112,
- 168,
- },
-
-/* Cipher 24 */
- {
- 1,
- SSL3_TXT_KRB5_RC4_128_MD5,
- SSL3_CK_KRB5_RC4_128_MD5,
- SSL_kKRB5,
- SSL_aKRB5,
- SSL_RC4,
- SSL_MD5,
- SSL_SSLV3,
- SSL_NOT_EXP | SSL_MEDIUM,
- SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
- 128,
- 128,
- },
-
-/* Cipher 25 */
- {
- 1,
- SSL3_TXT_KRB5_IDEA_128_CBC_MD5,
- SSL3_CK_KRB5_IDEA_128_CBC_MD5,
- SSL_kKRB5,
- SSL_aKRB5,
- SSL_IDEA,
- SSL_MD5,
- SSL_SSLV3,
- SSL_NOT_EXP | SSL_MEDIUM,
- SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
- 128,
- 128,
- },
-
-/* Cipher 26 */
- {
- 1,
- SSL3_TXT_KRB5_DES_40_CBC_SHA,
- SSL3_CK_KRB5_DES_40_CBC_SHA,
- SSL_kKRB5,
- SSL_aKRB5,
- SSL_DES,
- SSL_SHA1,
- SSL_SSLV3,
- SSL_EXPORT | SSL_EXP40,
- SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
- 40,
- 56,
- },
-
-/* Cipher 27 */
- {
- 1,
- SSL3_TXT_KRB5_RC2_40_CBC_SHA,
- SSL3_CK_KRB5_RC2_40_CBC_SHA,
- SSL_kKRB5,
- SSL_aKRB5,
- SSL_RC2,
- SSL_SHA1,
- SSL_SSLV3,
- SSL_EXPORT | SSL_EXP40,
- SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
- 40,
- 128,
- },
-
-/* Cipher 28 */
- {
- 1,
- SSL3_TXT_KRB5_RC4_40_SHA,
- SSL3_CK_KRB5_RC4_40_SHA,
- SSL_kKRB5,
- SSL_aKRB5,
- SSL_RC4,
- SSL_SHA1,
- SSL_SSLV3,
- SSL_EXPORT | SSL_EXP40,
- SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
- 40,
- 128,
- },
-
-/* Cipher 29 */
- {
- 1,
- SSL3_TXT_KRB5_DES_40_CBC_MD5,
- SSL3_CK_KRB5_DES_40_CBC_MD5,
- SSL_kKRB5,
- SSL_aKRB5,
- SSL_DES,
- SSL_MD5,
- SSL_SSLV3,
- SSL_EXPORT | SSL_EXP40,
- SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
- 40,
- 56,
- },
-
-/* Cipher 2A */
- {
- 1,
- SSL3_TXT_KRB5_RC2_40_CBC_MD5,
- SSL3_CK_KRB5_RC2_40_CBC_MD5,
- SSL_kKRB5,
- SSL_aKRB5,
- SSL_RC2,
- SSL_MD5,
- SSL_SSLV3,
- SSL_EXPORT | SSL_EXP40,
- SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
- 40,
- 128,
- },
-
-/* Cipher 2B */
- {
- 1,
- SSL3_TXT_KRB5_RC4_40_MD5,
- SSL3_CK_KRB5_RC4_40_MD5,
- SSL_kKRB5,
- SSL_aKRB5,
- SSL_RC4,
- SSL_MD5,
- SSL_SSLV3,
- SSL_EXPORT | SSL_EXP40,
- SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
- 40,
- 128,
- },
-#endif /* OPENSSL_NO_KRB5 */
-
/* New AES ciphersuites */
/* Cipher 2F */
{
256,
256,
},
-#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
- {
- 1,
- "SCSV",
- SSL3_CK_SCSV,
- 0,
- 0,
- 0,
- 0,
- 0,
- 0,
- 0,
- 0,
- 0},
-#endif
#ifndef OPENSSL_NO_CAMELLIA
/* TLS 1.2 Camellia SHA-256 ciphersuites from RFC5932 */
},
#endif
+#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
+ /* Cipher FF */
+ {
+ 1,
+ "SCSV",
+ SSL3_CK_SCSV,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0},
+#endif
+
#ifndef OPENSSL_NO_EC
/* Cipher C001 */
{
return (NULL);
}
-int ssl3_pending(const SSL *s)
-{
- if (s->rstate == SSL_ST_READ_BODY)
- return 0;
-
- return (s->s3->rrec.type ==
- SSL3_RT_APPLICATION_DATA) ? s->s3->rrec.length : 0;
-}
-
int ssl3_set_handshake_header(SSL *s, int htype, unsigned long len)
{
unsigned char *p = (unsigned char *)s->init_buf->data;
{
SSL3_STATE *s3;
- if ((s3 = OPENSSL_malloc(sizeof *s3)) == NULL)
+ if ((s3 = OPENSSL_malloc(sizeof(*s3))) == NULL)
goto err;
- memset(s3, 0, sizeof *s3);
- memset(s3->rrec.seq_num, 0, sizeof(s3->rrec.seq_num));
- memset(s3->wrec.seq_num, 0, sizeof(s3->wrec.seq_num));
-
+ memset(s3, 0, sizeof(*s3));
s->s3 = s3;
-
+
#ifndef OPENSSL_NO_SRP
- if(!SSL_SRP_CTX_init(s))
+ if (!SSL_SRP_CTX_init(s))
goto err;
#endif
s->method->ssl_clear(s);
return;
ssl3_cleanup_key_block(s);
- if (s->s3->rbuf.buf != NULL)
- ssl3_release_read_buffer(s);
- if (s->s3->wbuf.buf != NULL)
- ssl3_release_write_buffer(s);
- if (s->s3->rrec.comp != NULL)
- OPENSSL_free(s->s3->rrec.comp);
#ifndef OPENSSL_NO_DH
DH_free(s->s3->tmp.dh);
#endif
#ifndef OPENSSL_NO_EC
- if (s->s3->tmp.ecdh != NULL)
- EC_KEY_free(s->s3->tmp.ecdh);
+ EC_KEY_free(s->s3->tmp.ecdh);
#endif
- if (s->s3->tmp.ca_names != NULL)
- sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free);
- if (s->s3->handshake_buffer) {
- BIO_free(s->s3->handshake_buffer);
- }
+ sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free);
+ BIO_free(s->s3->handshake_buffer);
if (s->s3->handshake_dgst)
ssl3_free_digest_list(s);
#ifndef OPENSSL_NO_TLSEXT
- if (s->s3->alpn_selected)
- OPENSSL_free(s->s3->alpn_selected);
+ OPENSSL_free(s->s3->alpn_selected);
#endif
#ifndef OPENSSL_NO_SRP
SSL_SRP_CTX_free(s);
#endif
- OPENSSL_cleanse(s->s3, sizeof *s->s3);
- OPENSSL_free(s->s3);
+ OPENSSL_clear_free(s->s3, sizeof(*s->s3));
s->s3 = NULL;
}
void ssl3_clear(SSL *s)
{
- unsigned char *rp, *wp;
- size_t rlen, wlen;
int init_extra;
ssl3_cleanup_key_block(s);
- if (s->s3->tmp.ca_names != NULL)
- sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free);
+ sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free);
- if (s->s3->rrec.comp != NULL) {
- OPENSSL_free(s->s3->rrec.comp);
- s->s3->rrec.comp = NULL;
- }
#ifndef OPENSSL_NO_DH
DH_free(s->s3->tmp.dh);
s->s3->tmp.dh = NULL;
#endif
#ifndef OPENSSL_NO_EC
- if (s->s3->tmp.ecdh != NULL) {
- EC_KEY_free(s->s3->tmp.ecdh);
- s->s3->tmp.ecdh = NULL;
- }
+ EC_KEY_free(s->s3->tmp.ecdh);
+ s->s3->tmp.ecdh = NULL;
#endif
#ifndef OPENSSL_NO_TLSEXT
# ifndef OPENSSL_NO_EC
# endif /* !OPENSSL_NO_EC */
#endif /* !OPENSSL_NO_TLSEXT */
- rp = s->s3->rbuf.buf;
- wp = s->s3->wbuf.buf;
- rlen = s->s3->rbuf.len;
- wlen = s->s3->wbuf.len;
init_extra = s->s3->init_extra;
- if (s->s3->handshake_buffer) {
- BIO_free(s->s3->handshake_buffer);
- s->s3->handshake_buffer = NULL;
- }
+ BIO_free(s->s3->handshake_buffer);
+ s->s3->handshake_buffer = NULL;
if (s->s3->handshake_dgst) {
ssl3_free_digest_list(s);
}
s->s3->alpn_selected = NULL;
}
#endif
- memset(s->s3, 0, sizeof *s->s3);
- s->s3->rbuf.buf = rp;
- s->s3->wbuf.buf = wp;
- s->s3->rbuf.len = rlen;
- s->s3->wbuf.len = wlen;
+ memset(s->s3, 0, sizeof(*s->s3));
s->s3->init_extra = init_extra;
ssl_free_wbio_buffer(s);
- s->packet_length = 0;
s->s3->renegotiate = 0;
s->s3->total_renegotiations = 0;
s->s3->num_renegotiations = 0;
s->version = SSL3_VERSION;
#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
- if (s->next_proto_negotiated) {
- OPENSSL_free(s->next_proto_negotiated);
- s->next_proto_negotiated = NULL;
- s->next_proto_negotiated_len = 0;
- }
+ OPENSSL_free(s->next_proto_negotiated);
+ s->next_proto_negotiated = NULL;
+ s->next_proto_negotiated_len = 0;
#endif
}
return (ret);
}
}
- if (s->cert->ecdh_tmp != NULL)
- EC_KEY_free(s->cert->ecdh_tmp);
+ EC_KEY_free(s->cert->ecdh_tmp);
s->cert->ecdh_tmp = ecdh;
ret = 1;
}
#ifndef OPENSSL_NO_TLSEXT
case SSL_CTRL_SET_TLSEXT_HOSTNAME:
if (larg == TLSEXT_NAMETYPE_host_name) {
- if (s->tlsext_hostname != NULL)
- OPENSSL_free(s->tlsext_hostname);
+ OPENSSL_free(s->tlsext_hostname);
s->tlsext_hostname = NULL;
ret = 1;
return s->tlsext_ocsp_resplen;
case SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP:
- if (s->tlsext_ocsp_resp)
- OPENSSL_free(s->tlsext_ocsp_resp);
+ OPENSSL_free(s->tlsext_ocsp_resp);
s->tlsext_ocsp_resp = parg;
s->tlsext_ocsp_resplen = larg;
ret = 1;
ptmp = EVP_PKEY_new();
if (!ptmp)
return 0;
- if (0) ;
#ifndef OPENSSL_NO_RSA
else if (sc->peer_rsa_tmp)
rv = EVP_PKEY_set1_RSA(ptmp, sc->peer_rsa_tmp);
}
}
- if (cert->ecdh_tmp != NULL) {
- EC_KEY_free(cert->ecdh_tmp);
- }
+ EC_KEY_free(cert->ecdh_tmp);
cert->ecdh_tmp = ecdh;
return 1;
}
# ifndef OPENSSL_NO_SRP
case SSL_CTRL_SET_TLS_EXT_SRP_USERNAME:
ctx->srp_ctx.srp_Mask |= SSL_kSRP;
- if (ctx->srp_ctx.login != NULL)
- OPENSSL_free(ctx->srp_ctx.login);
+ OPENSSL_free(ctx->srp_ctx.login);
ctx->srp_ctx.login = NULL;
if (parg == NULL)
break;
break;
case SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS:
- if (ctx->extra_certs) {
- sk_X509_pop_free(ctx->extra_certs, X509_free);
- ctx->extra_certs = NULL;
- }
+ sk_X509_pop_free(ctx->extra_certs, X509_free);
+ ctx->extra_certs = NULL;
break;
case SSL_CTRL_CHAIN:
}
#endif
-#ifdef KSSL_DEBUG
- /*
- * fprintf(stderr,"ssl3_choose_cipher %d alg= %lx\n",
- * i,c->algorithms);
- */
-#endif /* KSSL_DEBUG */
-
alg_k = c->algorithm_mkey;
alg_a = c->algorithm_auth;
-#ifndef OPENSSL_NO_KRB5
- if (alg_k & SSL_kKRB5) {
- if (!kssl_keytab_is_available(s->kssl_ctx))
- continue;
- }
-#endif /* OPENSSL_NO_KRB5 */
#ifndef OPENSSL_NO_PSK
/* with PSK there must be server callback set */
if ((alg_k & SSL_kPSK) && s->psk_server_callback == NULL)
static int ssl3_set_req_cert_type(CERT *c, const unsigned char *p, size_t len)
{
- if (c->ctypes) {
- OPENSSL_free(c->ctypes);
- c->ctypes = NULL;
- }
+ OPENSSL_free(c->ctypes);
+ c->ctypes = NULL;
if (!p || !len)
return 1;
if (len > 0xff)
int ret = 0;
if (s->s3->renegotiate) {
- if ((s->s3->rbuf.left == 0) &&
- (s->s3->wbuf.left == 0) && !SSL_in_init(s)) {
+ if (!RECORD_LAYER_read_pending(&s->rlayer)
+ && !RECORD_LAYER_write_pending(&s->rlayer)
+ && !SSL_in_init(s)) {
/*
* if we are the server, and we have sent a 'RENEGOTIATE'
* message, we need to go to SSL_ST_ACCEPT.