X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fd1_srvr.c;h=0fc40078f4fc8d13db4da21c643fcc168b22261d;hp=6d07dd47928fa1bb54e2ab3982a2477b41311a4c;hb=7e69565fe680b8bf244a076f0b069f8937b6c7b8;hpb=02c5ddf91e337fe7a6103c89dc3b3d3972a59b42 diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c index 6d07dd4792..0fc40078f4 100644 --- a/ssl/d1_srvr.c +++ b/ssl/d1_srvr.c @@ -4,7 +4,7 @@ * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. */ /* ==================================================================== - * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -121,11 +121,15 @@ #include #include #include +#include +#ifndef OPENSSL_NO_DH +#include +#endif -static SSL_METHOD *dtls1_get_server_method(int ver); +static const SSL_METHOD *dtls1_get_server_method(int ver); static int dtls1_send_hello_verify_request(SSL *s); -static SSL_METHOD *dtls1_get_server_method(int ver) +static const SSL_METHOD *dtls1_get_server_method(int ver) { if (ver == DTLS1_VERSION) return(DTLSv1_server_method()); @@ -133,35 +137,18 @@ static SSL_METHOD *dtls1_get_server_method(int ver) return(NULL); } -SSL_METHOD *DTLSv1_server_method(void) - { - static int init=1; - static SSL_METHOD DTLSv1_server_data; - - if (init) - { - CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD); - - if (init) - { - memcpy((char *)&DTLSv1_server_data,(char *)dtlsv1_base_method(), - sizeof(SSL_METHOD)); - DTLSv1_server_data.ssl_accept=dtls1_accept; - DTLSv1_server_data.get_ssl_method=dtls1_get_server_method; - init=0; - } - - CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD); - } - return(&DTLSv1_server_data); - } +IMPLEMENT_dtls1_meth_func(DTLSv1_server_method, + dtls1_accept, + ssl_undefined_function, + dtls1_get_server_method) int dtls1_accept(SSL *s) { BUF_MEM *buf; - unsigned long l,Time=time(NULL); + unsigned long Time=(unsigned long)time(NULL); void (*cb)(const SSL *ssl,int type,int val)=NULL; long num1; + unsigned long alg_k; int ret= -1; int new_state,state,skip=0; @@ -251,11 +238,11 @@ int dtls1_accept(SSL *s) s->state=SSL3_ST_SW_HELLO_REQ_A; } - if ( (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE)) - s->d1->send_cookie = 1; - else - s->d1->send_cookie = 0; - + if ( (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE)) + s->d1->send_cookie = 1; + else + s->d1->send_cookie = 0; + break; case SSL3_ST_SW_HELLO_REQ_A: @@ -284,7 +271,7 @@ int dtls1_accept(SSL *s) if (ret <= 0) goto end; s->new_session = 2; - if ( s->d1->send_cookie) + if (s->d1->send_cookie) s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A; else s->state = SSL3_ST_SW_SRVR_HELLO_A; @@ -317,7 +304,7 @@ int dtls1_accept(SSL *s) case SSL3_ST_SW_CERT_A: case SSL3_ST_SW_CERT_B: /* Check if it is anon DH */ - if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL)) + if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)) { ret=dtls1_send_server_certificate(s); if (ret <= 0) goto end; @@ -330,13 +317,13 @@ int dtls1_accept(SSL *s) case SSL3_ST_SW_KEY_EXCH_A: case SSL3_ST_SW_KEY_EXCH_B: - l=s->s3->tmp.new_cipher->algorithms; + alg_k = s->s3->tmp.new_cipher->algorithm_mkey; /* clear this, it may get reset by * send_server_key_exchange */ if ((s->options & SSL_OP_EPHEMERAL_RSA) #ifndef OPENSSL_NO_KRB5 - && !(l & SSL_KRB5) + && !(alg_k & SSL_kKRB5) #endif /* OPENSSL_NO_KRB5 */ ) /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key @@ -347,11 +334,11 @@ int dtls1_accept(SSL *s) else s->s3->tmp.use_rsa_tmp=0; - /* only send if a DH key exchange, fortezza or + /* only send if a DH key exchange or * RSA but we have a sign only certificate */ if (s->s3->tmp.use_rsa_tmp - || (l & (SSL_DH|SSL_kFZA)) - || ((l & SSL_kRSA) + || (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) + || ((alg_k & SSL_kRSA) && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher) @@ -381,12 +368,12 @@ int dtls1_accept(SSL *s) /* never request cert in anonymous ciphersuites * (see section "Certificate request" in SSL 3 drafts * and in RFC 2246): */ - ((s->s3->tmp.new_cipher->algorithms & SSL_aNULL) && + ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) && /* ... except when the application insists on verification * (against the specs, but s3_clnt.c accepts this for SSL 3) */ !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) || - /* never request cert in Kerberos ciphersuites */ - (s->s3->tmp.new_cipher->algorithms & SSL_aKRB5)) + /* never request cert in Kerberos ciphersuites */ + (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)) { /* no cert request */ skip=1; @@ -639,15 +626,15 @@ int dtls1_send_hello_verify_request(SSL *s) *(p++) = s->version & 0xFF; *(p++) = (unsigned char) s->d1->cookie_len; - if ( s->ctx->app_gen_cookie_cb != NULL && - s->ctx->app_gen_cookie_cb(s, s->d1->cookie, - &(s->d1->cookie_len)) == 0) - { - SSLerr(SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST,ERR_R_INTERNAL_ERROR); - return 0; - } - /* else the cookie is assumed to have - * been initialized by the application */ + if (s->ctx->app_gen_cookie_cb != NULL && + s->ctx->app_gen_cookie_cb(s, s->d1->cookie, + &(s->d1->cookie_len)) == 0) + { + SSLerr(SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST,ERR_R_INTERNAL_ERROR); + return 0; + } + /* else the cookie is assumed to have + * been initialized by the application */ memcpy(p, s->d1->cookie, s->d1->cookie_len); p += s->d1->cookie_len; @@ -673,14 +660,15 @@ int dtls1_send_server_hello(SSL *s) { unsigned char *buf; unsigned char *p,*d; - int i,sl; + int i; + unsigned int sl; unsigned long l,Time; if (s->state == SSL3_ST_SW_SRVR_HELLO_A) { buf=(unsigned char *)s->init_buf->data; p=s->s3->server_random; - Time=time(NULL); /* Time */ + Time=(unsigned long)time(NULL); /* Time */ l2n(Time,p); RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time)); /* Do the message type and length last */ @@ -719,10 +707,14 @@ int dtls1_send_server_hello(SSL *s) p+=i; /* put the compression method */ +#ifdef OPENSSL_NO_COMP + *(p++)=0; +#else if (s->s3->tmp.new_compression == NULL) *(p++)=0; else *(p++)=s->s3->tmp.new_compression->id; +#endif /* do the header */ l=(p-d); @@ -793,7 +785,7 @@ int dtls1_send_server_key_exchange(SSL *s) EVP_MD_CTX_init(&md_ctx); if (s->state == SSL3_ST_SW_KEY_EXCH_A) { - type=s->s3->tmp.new_cipher->algorithms & SSL_MKEY_MASK; + type=s->s3->tmp.new_cipher->algorithm_mkey; cert=s->cert; buf=s->init_buf; @@ -898,7 +890,7 @@ int dtls1_send_server_key_exchange(SSL *s) n+=2+nr[i]; } - if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL)) + if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)) { if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher)) == NULL) @@ -1116,14 +1108,15 @@ int dtls1_send_server_certificate(SSL *s) if (s->state == SSL3_ST_SW_CERT_A) { x=ssl_get_server_send_cert(s); - if (x == NULL && - /* VRS: allow null cert if auth == KRB5 */ - (s->s3->tmp.new_cipher->algorithms - & (SSL_MKEY_MASK|SSL_AUTH_MASK)) - != (SSL_aKRB5|SSL_kKRB5)) + if (x == NULL) { - SSLerr(SSL_F_DTLS1_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR); - return(0); + /* VRS: allow null cert if auth == KRB5 */ + if ((s->s3->tmp.new_cipher->algorithm_mkey != SSL_kKRB5) || + (s->s3->tmp.new_cipher->algorithm_auth != SSL_aKRB5)) + { + SSLerr(SSL_F_DTLS1_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR); + return(0); + } } l=dtls1_output_cert_chain(s,x);