Fix export ciphersuites, again.
authorBen Laurie <ben@openssl.org>
Sat, 6 Mar 1999 14:09:36 +0000 (14:09 +0000)
committerBen Laurie <ben@openssl.org>
Sat, 6 Mar 1999 14:09:36 +0000 (14:09 +0000)
CHANGES
ssl/s3_lib.c
ssl/s3_srvr.c
ssl/ssl_lib.c
ssl/ssl_locl.h

diff --git a/CHANGES b/CHANGES
index 472f742..4a5bd9f 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -5,6 +5,10 @@
 
  Changes between 0.9.1c and 0.9.2
 
+  *) Remarkably, export ciphers were totally broken and no-one had noticed!
+     Fixed.
+     [Ben Laurie]
+
   *) Cleaned up the LICENSE document: The official contact for any license
      questions now is the OpenSSL core team under openssl-core@openssl.org.
      And add a paragraph about the dual-license situation to make sure people
index 3687862..c32b716 100644 (file)
@@ -845,11 +845,20 @@ STACK *have,*pref;
 
        sk_set_cmp_func(pref,ssl_cipher_ptr_id_cmp);
 
+#ifdef CIPHER_DEBUG
+       printf("Have:\n");
+       for(i=0 ; i < sk_num(pref) ; ++i)
+           {
+           c=(SSL_CIPHER *)sk_value(pref,i);
+           printf("%p:%s\n",c,c->name);
+           }
+#endif
+
        for (i=0; i<sk_num(have); i++)
                {
                c=(SSL_CIPHER *)sk_value(have,i);
 
-               ssl_set_cert_masks(cert,c);
+               ssl_set_cert_masks(cert,s->ctx->default_cert,c);
                mask=cert->mask;
                emask=cert->export_mask;
                        
@@ -858,14 +867,16 @@ STACK *have,*pref;
                        {
                        ok=((alg & emask) == alg)?1:0;
 #ifdef CIPHER_DEBUG
-                       printf("%d:[%08lX:%08lX]%s (export)\n",ok,alg,mask,c->name);
+                       printf("%d:[%08lX:%08lX]%p:%s (export)\n",ok,alg,emask,
+                              c,c->name);
 #endif
                        }
                else
                        {
                        ok=((alg & mask) == alg)?1:0;
 #ifdef CIPHER_DEBUG
-                       printf("%d:[%08lX:%08lX]%s\n",ok,alg,mask,c->name);
+                       printf("%d:[%08lX:%08lX]%p:%s\n",ok,alg,mask,c,
+                              c->name);
 #endif
                        }
 
index 6fe489e..56d8dd4 100644 (file)
@@ -945,7 +945,7 @@ SSL *s;
                        if ((rsa == NULL) && (s->ctx->default_cert->rsa_tmp_cb != NULL))
                                {
                                rsa=s->ctx->default_cert->rsa_tmp_cb(s,
-                                     !SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
+                                     SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
                                      SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
                                CRYPTO_add(&rsa->references,1,CRYPTO_LOCK_RSA);
                                cert->rsa_tmp=rsa;
index b99bb4e..8c11669 100644 (file)
@@ -181,7 +181,7 @@ SSL *SSL_new(SSL_CTX *ctx)
        if (ctx->default_cert != NULL)
                {
                CRYPTO_add(&ctx->default_cert->references,1,
-                       CRYPTO_LOCK_SSL_CERT);
+                          CRYPTO_LOCK_SSL_CERT);
                s->cert=ctx->default_cert;
                }
        else
@@ -1042,7 +1042,10 @@ void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,int (*cb)(int, X509_STORE_CTX *))
        X509_STORE_set_verify_cb_func(ctx->cert_store,cb);
        }
 
-void ssl_set_cert_masks(CERT *c,SSL_CIPHER *cipher)
+/* Need default_cert to check for callbacks, for now (see comment in CERT
+   strucure)
+*/
+void ssl_set_cert_masks(CERT *c,CERT *default_cert,SSL_CIPHER *cipher)
        {
        CERT_PKEY *cpk;
        int rsa_enc,rsa_tmp,rsa_sign,dh_tmp,dh_rsa,dh_dsa,dsa_sign;
@@ -1050,20 +1053,20 @@ void ssl_set_cert_masks(CERT *c,SSL_CIPHER *cipher)
        int rsa_tmp_export,dh_tmp_export,kl;
        unsigned long mask,emask;
 
-       if ((c == NULL) || (c->valid)) return;
+       if (c == NULL) return;
 
        kl=SSL_C_EXPORT_PKEYLENGTH(cipher);
 
 #ifndef NO_RSA
-       rsa_tmp=(c->rsa_tmp != NULL || c->rsa_tmp_cb != NULL);
-       rsa_tmp_export=(c->rsa_tmp_cb != NULL ||
+       rsa_tmp=(c->rsa_tmp != NULL || default_cert->rsa_tmp_cb != NULL);
+       rsa_tmp_export=(default_cert->rsa_tmp_cb != NULL ||
                (rsa_tmp && RSA_size(c->rsa_tmp)*8 <= kl));
 #else
        rsa_tmp=rsa_tmp_export=0;
 #endif
 #ifndef NO_DH
-       dh_tmp=(c->dh_tmp != NULL || c->dh_tmp_cb != NULL);
-       dh_tmp_export=(c->dh_tmp_cb != NULL ||
+       dh_tmp=(c->dh_tmp != NULL || default_cert->dh_tmp_cb != NULL);
+       dh_tmp_export=(default_cert->dh_tmp_cb != NULL ||
                (dh_tmp && DH_size(c->dh_tmp)*8 <= kl));
 #else
        dh_tmp=dh_tmp_export=0;
@@ -1088,14 +1091,14 @@ void ssl_set_cert_masks(CERT *c,SSL_CIPHER *cipher)
        emask=0;
 
 #ifdef CIPHER_DEBUG
-       printf("rt=%d dht=%d re=%d rs=%d ds=%d dhr=%d dhd=%d\n",
-               rsa_tmp,dh_tmp,
-               rsa_enc,rsa_sign,dsa_sign,dh_rsa,dh_dsa);
+       printf("rt=%d rte=%d dht=%d re=%d ree=%d rs=%d ds=%d dhr=%d dhd=%d\n",
+               rsa_tmp,rsa_tmp_export,dh_tmp,
+               rsa_enc,rsa_enc_export,rsa_sign,dsa_sign,dh_rsa,dh_dsa);
 #endif
 
        if (rsa_enc || (rsa_tmp && rsa_sign))
                mask|=SSL_kRSA;
-       if (rsa_enc_export || (rsa_tmp_export && rsa_sign))
+       if (rsa_enc_export || (rsa_tmp_export && (rsa_sign || rsa_enc)))
                emask|=SSL_kRSA;
 
 #if 0
@@ -1150,7 +1153,7 @@ X509 *ssl_get_server_send_cert(SSL *s)
        int i,export;
 
        c=s->cert;
-       ssl_set_cert_masks(c,s->s3->tmp.new_cipher);
+       ssl_set_cert_masks(c,s->ctx->default_cert,s->s3->tmp.new_cipher);
        alg=s->s3->tmp.new_cipher->algorithms;
        export=SSL_IS_EXPORT(alg);
        mask=export?c->export_mask:c->mask;
index 3317ecc..b573457 100644 (file)
@@ -275,6 +275,10 @@ typedef struct cert_st
 
        RSA *rsa_tmp;
        DH *dh_tmp;
+       /* FIXME: Although rsa_tmp and dh_tmp are properties of the cert,
+          callbacks probably aren't, and besides only the context default
+          cert's callbacks are actually used. Too close to a release to fix
+          this now - Ben 6 Mar 1999 */
        RSA *(*rsa_tmp_cb)(SSL *ssl,int export,int keysize);
        DH *(*dh_tmp_cb)(SSL *ssl,int export,int keysize);
        CERT_PKEY pkeys[SSL_PKEY_NUM];
@@ -367,7 +371,7 @@ int ssl_undefined_function(SSL *s);
 X509 *ssl_get_server_send_cert(SSL *);
 EVP_PKEY *ssl_get_sign_pkey(SSL *,SSL_CIPHER *);
 int ssl_cert_type(X509 *x,EVP_PKEY *pkey);
-void ssl_set_cert_masks(CERT *c,SSL_CIPHER *cipher);
+void ssl_set_cert_masks(CERT *c,CERT *default_cert,SSL_CIPHER *cipher);
 STACK *ssl_get_ciphers_by_id(SSL *s);
 int ssl_verify_alarm_type(long type);