Make OPENSSL_NO_COMP compile again.
authorDr. Stephen Henson <steve@openssl.org>
Fri, 30 Sep 2005 23:35:33 +0000 (23:35 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Fri, 30 Sep 2005 23:35:33 +0000 (23:35 +0000)
15 files changed:
FAQ
apps/s_client.c
crypto/asn1/x_crl.c
ssl/d1_clnt.c
ssl/d1_srvr.c
ssl/s3_clnt.c
ssl/s3_enc.c
ssl/s3_pkt.c
ssl/s3_srvr.c
ssl/ssl3.h
ssl/ssl_ciph.c
ssl/ssl_lib.c
ssl/ssl_txt.c
ssl/ssltest.c
ssl/t1_enc.c

diff --git a/FAQ b/FAQ
index 82d8a6f..8fb4da5 100644 (file)
--- a/FAQ
+++ b/FAQ
@@ -31,6 +31,7 @@ OpenSSL  -  Frequently Asked Questions
 * Why does my browser give a warning about a mismatched hostname?
 * How do I install a CA certificate into a browser?
 * Why is OpenSSL x509 DN output not conformant to RFC2253?
+* What is a "128 bit certificate"? Can I create one with OpenSSL?
 
 [BUILD] Questions about building and testing OpenSSL
 
@@ -386,6 +387,43 @@ interface, the "-nameopt" option could be introduded. See the manual
 page of the "openssl x509" commandline tool for details. The old behaviour
 has however been left as default for the sake of compatibility.
 
+* What is a "128 bit certificate"? Can I create one with OpenSSL?
+
+The term "128 bit certificate" is a highly misleading marketing term. It does
+*not* refer to the size of the public key in the certificate! A certificate
+containing a 128 bit RSA key would have negligible security.
+
+There were various other names such as "magic certificates", "SGC
+certificates", "step up certificates" etc.
+
+You can't generally create such a certificate using OpenSSL but there is no
+need to any more. Nowadays web browsers using unrestricted strong encryption
+are generally available.
+
+When there were tight export restrictions on the export of strong encryption
+software from the US only weak encryption algorithms could be freely exported
+(initially 40 bit and then 56 bit). It was widely recognised that this was
+inadequate. A relaxation the rules allowed the use of strong encryption but
+only to an authorised server.
+
+Two slighly different techniques were developed to support this, one used by
+Netscape was called "step up", the other used by MSIE was called "Server Gated
+Cryptography" (SGC). When a browser initially connected to a server it would
+check to see if the certificate contained certain extensions and was issued by
+an authorised authority. If these test succeeded it would reconnect using
+strong encryption.
+
+Only certain (initially one) certificate authorities could issue the
+certificates and they generally cost more than ordinary certificates.
+
+Although OpenSSL can create certificates containing the appropriate extensions
+the certificate would not come from a permitted authority and so would not
+be recognized.
+
+The export laws were later changed to allow almost unrestricted use of strong
+encryption so these certificates are now obsolete.
+
+
 [BUILD] =======================================================================
 
 * Why does the linker complain about undefined symbols?
index 6478ae3..96ae832 100644 (file)
@@ -1096,7 +1096,9 @@ static void print_stuff(BIO *bio, SSL *s, int full)
        SSL_CIPHER *c;
        X509_NAME *xn;
        int j,i;
+#ifndef OPENSSL_NO_COMP
        const COMP_METHOD *comp, *expansion;
+#endif
 
        if (full)
                {
@@ -1199,12 +1201,14 @@ static void print_stuff(BIO *bio, SSL *s, int full)
                                                         EVP_PKEY_bits(pktmp));
                EVP_PKEY_free(pktmp);
        }
+#ifndef OPENSSL_NO_COMP
        comp=SSL_get_current_compression(s);
        expansion=SSL_get_current_expansion(s);
        BIO_printf(bio,"Compression: %s\n",
                comp ? SSL_COMP_get_name(comp) : "NONE");
        BIO_printf(bio,"Expansion: %s\n",
                expansion ? SSL_COMP_get_name(expansion) : "NONE");
+#endif
        SSL_SESSION_print(bio,SSL_get_session(s));
        BIO_printf(bio,"---\n");
        if (peer != NULL)
index 0f72711..382aed5 100644 (file)
@@ -102,6 +102,23 @@ ASN1_SEQUENCE_enc(X509_CRL_INFO, enc, crl_inf_cb) = {
        ASN1_EXP_SEQUENCE_OF_OPT(X509_CRL_INFO, extensions, X509_EXTENSION, 0)
 } ASN1_SEQUENCE_END_enc(X509_CRL_INFO, X509_CRL_INFO)
 
+static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
+                                                               void *exarg)
+{
+       X509_CRL *a = (X509_CRL_INFO *)*pval;
+
+#ifndef OPENSSL_NO_SHA
+       switch(operation) {
+               /* Hash CRL here for rapid comparison in X509_digest_cmp()
+                */
+               case ASN1_OP_D2I_POST:
+               X509_CRL_digest(crl->digest, crl);
+               break;
+       }
+#endif
+       return 1;
+}
+
 ASN1_SEQUENCE_ref(X509_CRL, 0, CRYPTO_LOCK_X509_CRL) = {
        ASN1_SIMPLE(X509_CRL, crl, X509_CRL_INFO),
        ASN1_SIMPLE(X509_CRL, sig_alg, X509_ALGOR),
index 7b38da0..f985afd 100644 (file)
@@ -371,11 +371,15 @@ int dtls1_connect(SSL *s)
                        s->init_num=0;
 
                        s->session->cipher=s->s3->tmp.new_cipher;
+#ifdef OPENSSL_NO_COMP
+                       s->session->compress_meth=0;
+#else
                        if (s->s3->tmp.new_compression == NULL)
                                s->session->compress_meth=0;
                        else
                                s->session->compress_meth=
                                        s->s3->tmp.new_compression->id;
+#endif
                        if (!s->method->ssl3_enc->setup_key_block(s))
                                {
                                ret= -1;
index 4847a86..2b0578f 100644 (file)
@@ -706,10 +706,14 @@ int dtls1_send_server_hello(SSL *s)
                p+=i;
 
                /* put the compression method */
+#ifdef OPENSSL_NO_COMP
+               *(p++)=0;
+#else
                if (s->s3->tmp.new_compression == NULL)
                        *(p++)=0;
                else
                        *(p++)=s->s3->tmp.new_compression->id;
+#endif
 
                /* do the header */
                l=(p-d);
index 34d0f34..cc9df91 100644 (file)
@@ -369,11 +369,15 @@ int ssl3_connect(SSL *s)
                        s->init_num=0;
 
                        s->session->cipher=s->s3->tmp.new_cipher;
+#ifdef OPENSSL_NO_COMP
+                       s->session->compress_meth=0;
+#else
                        if (s->s3->tmp.new_compression == NULL)
                                s->session->compress_meth=0;
                        else
                                s->session->compress_meth=
                                        s->s3->tmp.new_compression->id;
+#endif
                        if (!s->method->ssl3_enc->setup_key_block(s))
                                {
                                ret= -1;
@@ -517,9 +521,12 @@ int ssl3_client_hello(SSL *s)
        {
        unsigned char *buf;
        unsigned char *p,*d;
-       int i,j;
+       int i;
        unsigned long Time,l;
+#ifndef OPENSSL_NO_COMP
+       int j;
        SSL_COMP *comp;
+#endif
 
        buf=(unsigned char *)s->init_buf->data;
        if (s->state == SSL3_ST_CW_CLNT_HELLO_A)
@@ -578,6 +585,9 @@ int ssl3_client_hello(SSL *s)
                p+=i;
 
                /* COMPRESSION */
+#ifdef OPENSSL_NO_COMP
+               *(p++)=1;
+#else
                if (s->ctx->comp_methods == NULL)
                        j=0;
                else
@@ -588,6 +598,7 @@ int ssl3_client_hello(SSL *s)
                        comp=sk_SSL_COMP_value(s->ctx->comp_methods,i);
                        *(p++)=comp->id;
                        }
+#endif
                *(p++)=0; /* Add the NULL method */
                
                l=(p-d);
@@ -615,7 +626,9 @@ int ssl3_get_server_hello(SSL *s)
        int i,al,ok;
        unsigned int j;
        long n;
+#ifndef OPENSSL_NO_COMP
        SSL_COMP *comp;
+#endif
 
        n=s->method->ssl_get_message(s,
                SSL3_ST_CR_SRVR_HELLO_A,
@@ -746,6 +759,14 @@ int ssl3_get_server_hello(SSL *s)
 
        /* lets get the compression algorithm */
        /* COMPRESSION */
+#ifdef OPENSSL_NO_COMP
+       if (*(p++) != 0)
+               {
+               al=SSL_AD_ILLEGAL_PARAMETER;
+               SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
+               goto f_err;
+               }
+#else
        j= *(p++);
        if (j == 0)
                comp=NULL;
@@ -762,6 +783,7 @@ int ssl3_get_server_hello(SSL *s)
                {
                s->s3->tmp.new_compression=comp;
                }
+#endif
 
        if (p != (d+n))
                {
index 6d92050..d83d42e 100644 (file)
@@ -196,7 +196,9 @@ int ssl3_change_cipher_state(SSL *s, int which)
        unsigned char *ms,*key,*iv,*er1,*er2;
        EVP_CIPHER_CTX *dd;
        const EVP_CIPHER *c;
+#ifndef OPENSSL_NO_COMP
        COMP_METHOD *comp;
+#endif
        const EVP_MD *m;
        EVP_MD_CTX md;
        int is_exp,n,i,j,k,cl;
@@ -205,10 +207,12 @@ int ssl3_change_cipher_state(SSL *s, int which)
        is_exp=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
        c=s->s3->tmp.new_sym_enc;
        m=s->s3->tmp.new_hash;
+#ifndef OPENSSL_NO_COMP
        if (s->s3->tmp.new_compression == NULL)
                comp=NULL;
        else
                comp=s->s3->tmp.new_compression->method;
+#endif
        key_block=s->s3->tmp.key_block;
 
        if (which & SSL3_CC_READ)
@@ -219,6 +223,7 @@ int ssl3_change_cipher_state(SSL *s, int which)
                        goto err;
                dd= s->enc_read_ctx;
                s->read_hash=m;
+#ifndef OPENSSL_NO_COMP
                /* COMPRESS */
                if (s->expand != NULL)
                        {
@@ -239,6 +244,7 @@ int ssl3_change_cipher_state(SSL *s, int which)
                        if (s->s3->rrec.comp == NULL)
                                goto err;
                        }
+#endif
                memset(&(s->s3->read_sequence[0]),0,8);
                mac_secret= &(s->s3->read_mac_secret[0]);
                }
@@ -250,6 +256,7 @@ int ssl3_change_cipher_state(SSL *s, int which)
                        goto err;
                dd= s->enc_write_ctx;
                s->write_hash=m;
+#ifndef OPENSSL_NO_COMP
                /* COMPRESS */
                if (s->compress != NULL)
                        {
@@ -265,6 +272,7 @@ int ssl3_change_cipher_state(SSL *s, int which)
                                goto err2;
                                }
                        }
+#endif
                memset(&(s->s3->write_sequence[0]),0,8);
                mac_secret= &(s->s3->write_mac_secret[0]);
                }
@@ -350,7 +358,9 @@ int ssl3_setup_key_block(SSL *s)
        const EVP_MD *hash;
        int num;
        int ret = 0;
+#ifdef OPENSSL_NO_COMP
        SSL_COMP *comp;
+#endif
 
        if (s->s3->tmp.key_block_length != 0)
                return(1);
@@ -363,7 +373,11 @@ int ssl3_setup_key_block(SSL *s)
 
        s->s3->tmp.new_sym_enc=c;
        s->s3->tmp.new_hash=hash;
+#ifdef OPENSSL_NO_COMP
+       s->s3->tmp.new_compression=NULL;
+#else
        s->s3->tmp.new_compression=comp;
+#endif
 
        num=EVP_CIPHER_key_length(c)+EVP_MD_size(hash)+EVP_CIPHER_iv_length(c);
        num*=2;
index f90bb77..d0f54e2 100644 (file)
@@ -476,6 +476,7 @@ err:
 
 int ssl3_do_uncompress(SSL *ssl)
        {
+#ifndef OPENSSL_NO_COMP
        int i;
        SSL3_RECORD *rr;
 
@@ -487,12 +488,13 @@ int ssl3_do_uncompress(SSL *ssl)
        else
                rr->length=i;
        rr->data=rr->comp;
-
+#endif
        return(1);
        }
 
 int ssl3_do_compress(SSL *ssl)
        {
+#ifndef OPENSSL_NO_COMP
        int i;
        SSL3_RECORD *wr;
 
@@ -506,6 +508,7 @@ int ssl3_do_compress(SSL *ssl)
                wr->length=i;
 
        wr->input=wr->data;
+#endif
        return(1);
        }
 
index 3e11cc4..775bac3 100644 (file)
@@ -666,7 +666,9 @@ int ssl3_get_client_hello(SSL *s)
        unsigned long id;
        unsigned char *p,*d,*q;
        SSL_CIPHER *c;
+#ifndef OPENSSL_NO_COMP
        SSL_COMP *comp=NULL;
+#endif
        STACK_OF(SSL_CIPHER) *ciphers=NULL;
 
        /* We do this so that we will respond with our native type.
@@ -897,6 +899,7 @@ int ssl3_get_client_hello(SSL *s)
         * options, we will now look for them.  We have i-1 compression
         * algorithms from the client, starting at q. */
        s->s3->tmp.new_compression=NULL;
+#ifndef OPENSSL_NO_COMP
        if (s->ctx->comp_methods != NULL)
                { /* See if we have a match */
                int m,nn,o,v,done=0;
@@ -921,6 +924,7 @@ int ssl3_get_client_hello(SSL *s)
                else
                        comp=NULL;
                }
+#endif
 
        /* TLS does not mind if there is extra stuff */
 #if 0   /* SSL 3.0 does not mind either, so we should disable this test
@@ -944,7 +948,11 @@ int ssl3_get_client_hello(SSL *s)
 
        if (!s->hit)
                {
+#ifdef OPENSSL_NO_COMP
+               s->session->compress_meth=0;
+#else
                s->session->compress_meth=(comp == NULL)?0:comp->id;
+#endif
                if (s->session->ciphers != NULL)
                        sk_SSL_CIPHER_free(s->session->ciphers);
                s->session->ciphers=ciphers;
@@ -1070,10 +1078,14 @@ int ssl3_send_server_hello(SSL *s)
                p+=i;
 
                /* put the compression method */
+#ifdef OPENSSL_NO_COMP
+                       *(p++)=0;
+#else
                if (s->s3->tmp.new_compression == NULL)
                        *(p++)=0;
                else
                        *(p++)=s->s3->tmp.new_compression->id;
+#endif
 
                /* do the header */
                l=(p-d);
index 0684f05..f0fbf82 100644 (file)
@@ -253,7 +253,11 @@ extern "C" {
 #endif
 
 #define SSL3_RT_MAX_PLAIN_LENGTH               16384
+#ifdef OPENSSL_NO_COMP
+#define SSL3_RT_MAX_COMPRESSED_LENGTH  SSL3_RT_MAX_PLAIN_LENGTH
+#else
 #define SSL3_RT_MAX_COMPRESSED_LENGTH  (1024+SSL3_RT_MAX_PLAIN_LENGTH)
+#endif
 #define SSL3_RT_MAX_ENCRYPTED_LENGTH   (1024+SSL3_RT_MAX_COMPRESSED_LENGTH)
 #define SSL3_RT_MAX_PACKET_SIZE                (SSL3_RT_MAX_ENCRYPTED_LENGTH+SSL3_RT_HEADER_LENGTH)
 #define SSL3_RT_MAX_DATA_SIZE                  (1024*1024)
index 8c2e1c3..cdd7a9a 100644 (file)
@@ -192,6 +192,9 @@ void ssl_load_ciphers(void)
                EVP_get_digestbyname(SN_sha1);
        }
 
+
+#ifndef OPENSSL_NO_COMP
+
 static int sk_comp_cmp(const SSL_COMP * const *a,
                        const SSL_COMP * const *b)
        {
@@ -231,6 +234,7 @@ static void load_builtin_compressions(void)
                }
        CRYPTO_w_unlock(CRYPTO_LOCK_SSL);
        }
+#endif
 
 int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
             const EVP_MD **md, SSL_COMP **comp)
@@ -243,8 +247,9 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
        if (comp != NULL)
                {
                SSL_COMP ctmp;
-
+#ifndef OPENSSL_NO_COMP
                load_builtin_compressions();
+#endif
 
                *comp=NULL;
                ctmp.id=s->compress_meth;
@@ -1131,6 +1136,21 @@ SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n)
        return(NULL);
        }
 
+#ifdef OPENSSL_NO_COMP
+void *SSL_COMP_get_compression_methods(void)
+       {
+       return NULL;
+       }
+int SSL_COMP_add_compression_method(int id, void *cm)
+       {
+       return 1;
+       }
+
+const char *SSL_COMP_get_name(const void *comp)
+       {
+       return NULL;
+       }
+#else
 STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void)
        {
        load_builtin_compressions();
@@ -1191,3 +1211,4 @@ const char *SSL_COMP_get_name(const COMP_METHOD *comp)
        return NULL;
        }
 
+#endif
index 9e18e77..6fb9364 100644 (file)
@@ -2246,6 +2246,7 @@ void ssl_clear_cipher_ctx(SSL *s)
                OPENSSL_free(s->enc_write_ctx);
                s->enc_write_ctx=NULL;
                }
+#ifndef OPENSSL_NO_COMP
        if (s->expand != NULL)
                {
                COMP_CTX_free(s->expand);
@@ -2256,6 +2257,7 @@ void ssl_clear_cipher_ctx(SSL *s)
                COMP_CTX_free(s->compress);
                s->compress=NULL;
                }
+#endif
        }
 
 /* Fix this function so that it takes an optional type parameter */
@@ -2282,6 +2284,16 @@ SSL_CIPHER *SSL_get_current_cipher(const SSL *s)
                return(s->session->cipher);
        return(NULL);
        }
+#ifdef OPENSSL_NO_COMP
+const void *SSL_get_current_compression(SSL *s)
+       {
+       return NULL;
+       }
+const void *SSL_get_current_expansion(SSL *s)
+       {
+       return NULL;
+       }
+#else
 
 const COMP_METHOD *SSL_get_current_compression(SSL *s)
        {
@@ -2296,6 +2308,7 @@ const COMP_METHOD *SSL_get_current_expansion(SSL *s)
                return(s->expand->meth);
        return(NULL);
        }
+#endif
 
 int ssl_init_wbio_buffer(SSL *s,int push)
        {
index 39cf55c..4eb0867 100644 (file)
@@ -151,6 +151,7 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
                        if (BIO_printf(bp,"%02X",x->krb5_client_princ[i]) <= 0) goto err;
                        }
 #endif /* OPENSSL_NO_KRB5 */
+#ifndef OPENSSL_NO_COMP
        if (x->compress_meth != 0)
                {
                SSL_COMP *comp = NULL;
@@ -165,6 +166,7 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
                        if (BIO_printf(bp,"\n   Compression: %d (%s)", comp->id,comp->method->name) <= 0) goto err;
                        }
                }       
+#endif
        if (x->time != 0L)
                {
                if (BIO_printf(bp, "\n    Start Time: %ld",x->time) <= 0) goto err;
index 3818bf3..4f7ec37 100644 (file)
@@ -420,7 +420,9 @@ int main(int argc, char *argv[])
        int print_time = 0;
        clock_t s_time = 0, c_time = 0;
        int comp = 0;
+#ifndef OPENSSL_NO_COMP
        COMP_METHOD *cm = NULL;
+#endif
        STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
        int test_cipherlist = 0;
 
@@ -652,6 +654,7 @@ bad:
        SSL_library_init();
        SSL_load_error_strings();
 
+#ifndef OPENSSL_NO_COMP
        if (comp == COMP_ZLIB) cm = COMP_zlib();
        if (comp == COMP_RLE) cm = COMP_rle();
        if (cm != NULL)
@@ -675,6 +678,7 @@ bad:
                        ERR_print_errors_fp(stderr);
                        }
                }
+#endif
        ssl_comp_methods = SSL_COMP_get_compression_methods();
        fprintf(stderr, "Available compression methods:\n");
        {
index cfcfeda..c544c76 100644 (file)
@@ -231,7 +231,9 @@ int tls1_change_cipher_state(SSL *s, int which)
        int client_write;
        EVP_CIPHER_CTX *dd;
        const EVP_CIPHER *c;
+#ifndef OPENSSL_NO_COMP
        const SSL_COMP *comp;
+#endif
        const EVP_MD *m;
        int is_export,n,i,j,k,exp_label_len,cl;
        int reuse_dd = 0;
@@ -239,7 +241,9 @@ int tls1_change_cipher_state(SSL *s, int which)
        is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
        c=s->s3->tmp.new_sym_enc;
        m=s->s3->tmp.new_hash;
+#ifndef OPENSSL_NO_COMP
        comp=s->s3->tmp.new_compression;
+#endif
        key_block=s->s3->tmp.key_block;
 
 #ifdef KSSL_DEBUG
@@ -265,6 +269,7 @@ int tls1_change_cipher_state(SSL *s, int which)
                        goto err;
                dd= s->enc_read_ctx;
                s->read_hash=m;
+#ifndef OPENSSL_NO_COMP
                if (s->expand != NULL)
                        {
                        COMP_CTX_free(s->expand);
@@ -284,6 +289,7 @@ int tls1_change_cipher_state(SSL *s, int which)
                        if (s->s3->rrec.comp == NULL)
                                goto err;
                        }
+#endif
                /* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */
                if (s->version != DTLS1_VERSION)
                        memset(&(s->s3->read_sequence[0]),0,8);
@@ -301,6 +307,7 @@ int tls1_change_cipher_state(SSL *s, int which)
                        goto err;
                dd= s->enc_write_ctx;
                s->write_hash=m;
+#ifndef OPENSSL_NO_COMP
                if (s->compress != NULL)
                        {
                        COMP_CTX_free(s->compress);
@@ -315,6 +322,7 @@ int tls1_change_cipher_state(SSL *s, int which)
                                goto err2;
                                }
                        }
+#endif
                /* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */
                if (s->version != DTLS1_VERSION)
                        memset(&(s->s3->write_sequence[0]),0,8);