Commit 413c4f45 authored by Mark J. Cox's avatar Mark J. Cox

Updates to the new SSL compression code

     [Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)]

Fix so that the version number in the master secret, when passed
     via RSA, checks that if TLS was proposed, but we roll back to SSLv3
     (because the server will not accept higher), that the version number
     is 0x03,0x01, not 0x03,0x00
     [Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)]

Submitted by:
Reviewed by:
PR:
parent a8236c8c
+9 −0
@@ -5,6 +5,15 @@

 Changes between 0.9.1c and 0.9.2

  *) Updates to the new SSL compression code
     [Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)]

  *) Fix so that the version number in the master secret, when passed
     via RSA, checks that if TLS was proposed, but we roll back to SSLv3
     (because the server will not accept higher), that the version number
     is 0x03,0x01, not 0x03,0x00
     [Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)]

  *) Run extensive memory leak checks on SSL apps. Fixed *lots* of memory
     leaks in ssl/ relating to new X509_get_pubkey() behaviour. Also fixes
     in apps/ and an unrellated leak in crypto/dsa/dsa_vrf.c
+11 −1
@@ -136,6 +136,13 @@ SSL *s;
		case SSL_ST_BEFORE|SSL_ST_CONNECT:
		case SSL_ST_OK|SSL_ST_CONNECT:

			if (s->session != NULL)
				{
				SSLerr(SSL_F_SSL23_CONNECT,SSL_R_SSL23_DOING_SESSION_ID_REUSE);
				ret= -1;
				goto end;
				}
			s->server=0;
			if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);

			/* s->version=TLS1_VERSION; */
@@ -161,7 +168,7 @@ SSL *s;
			ssl3_init_finished_mac(s);

			s->state=SSL23_ST_CW_CLNT_HELLO_A;
			s->ctx->sess_connect++;
			s->ctx->stats.sess_connect++;
			s->init_num=0;
			break;

@@ -238,16 +245,19 @@ SSL *s;
			{
			*(d++)=TLS1_VERSION_MAJOR;
			*(d++)=TLS1_VERSION_MINOR;
			s->client_version=TLS1_VERSION;
			}
		else if (!(s->options & SSL_OP_NO_SSLv3))
			{
			*(d++)=SSL3_VERSION_MAJOR;
			*(d++)=SSL3_VERSION_MINOR;
			s->client_version=SSL3_VERSION;
			}
		else if (!(s->options & SSL_OP_NO_SSLv2))
			{
			*(d++)=SSL2_VERSION_MAJOR;
			*(d++)=SSL2_VERSION_MINOR;
			s->client_version=SSL2_VERSION;
			}
		else
			{
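Review bot: The three added `s->client_version=...` assignments in the version-selection chain carry no comment saying that the recorded value must stay identical to the two version bytes written into the hello just above each one. Going by the commit description, this field is what the RSA master-secret version check later compares against, so a branch that writes one version and records another would quietly defeat the rollback check. I would add a single comment above the chain, for example `/* client_version must equal the version bytes put in the hello; the RSA pre-master version check relies on it */`. The final `else` branch opens on the last line of the hunk and continues outside it, so whether that path records a version cannot be seen here.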
+1 −1
@@ -76,7 +76,7 @@ SSL *s;
		{
		s->rwstate=SSL_WRITING;
		i=BIO_write(s->wbio,&(buf[tot]),num);
		if (i < 0)
		if (i <= 0)
			{
			s->init_off=tot;
			s->init_num=num;
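Review bot: The widened test `if (i <= 0)` (the second of the two printed `if` lines, assuming the page lists old before new) has no comment explaining why a zero return from `BIO_write` is now handled like a failure. A zero-byte write makes no progress, so the old `i < 0` test presumably let the surrounding loop continue without advancing; stating that would keep a later cleanup from narrowing the test again. Suggested comment: `/* 0 bytes written is no progress: save state and return instead of looping */`. The enclosing function and its loop begin and end outside the hunk, so how callers treat a 0 return needs checking there.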
+8 −1
@@ -134,6 +134,7 @@ SSL *s;
		case SSL_ST_BEFORE|SSL_ST_ACCEPT:
		case SSL_ST_OK|SSL_ST_ACCEPT:

			s->server=1;
			if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);

			/* s->version=SSL3_VERSION; */
@@ -157,7 +158,7 @@ SSL *s;
			ssl3_init_finished_mac(s);

			s->state=SSL23_ST_SR_CLNT_HELLO_A;
			s->ctx->sess_accept++;
			s->ctx->stats.sess_accept++;
			s->init_num=0;
			break;

@@ -203,8 +204,10 @@ SSL *s;
	unsigned int csl,sil,cl;
	int n=0,j,tls1=0;
	int type=0,use_sslv2_strong=0;
	int v[2];

	/* read the initial header */
	v[0]=v[1]=0;
	if (s->state ==	SSL23_ST_SR_CLNT_HELLO_A)
		{
		if (!ssl3_setup_buffers(s)) goto err;
@@ -221,12 +224,14 @@ SSL *s;
			/* SSLv2 header */
			if ((p[3] == 0x00) && (p[4] == 0x02))
				{
				v[0]=p[3]; v[1]=p[4];
				/* SSLv2 */
				if (!(s->options & SSL_OP_NO_SSLv2))
					type=1;
				}
			else if (p[3] == SSL3_VERSION_MAJOR)
				{
				v[0]=p[3]; v[1]=p[4];
				/* SSLv3/TLSv1 */
				if (p[4] >= TLS1_VERSION_MINOR)
					{
@@ -307,6 +312,7 @@ SSL *s;
			 (p[1] == SSL3_VERSION_MAJOR) &&
			 (p[5] == SSL3_MT_CLIENT_HELLO))
			{
			v[0]=p[1]; v[1]=p[2];
			/* true SSLv3 or tls1 */
			if (p[2] >= TLS1_VERSION_MINOR)
				{
@@ -486,6 +492,7 @@ next_bit:
			s->version=SSL3_VERSION;
			s->method=SSLv3_server_method();
			}
		s->client_version=(v[0]<<8)|v[1];
		s->handshake_func=s->method->ssl_accept;
		}
	
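Review bot: In the true SSLv3/TLS branch, `v[0]=p[1]; v[1]=p[2];` takes the client's version from the bytes tested next to `p[5] == SSL3_MT_CLIENT_HELLO`, which look like the record header rather than the version field inside the ClientHello body. `s->client_version=(v[0]<<8)|v[1];` then feeds the version-rollback check described in the commit message, and that check is only sound when it compares against the version the client placed in its hello. If the two can differ for a peer, a legitimate handshake would be rejected or the rollback comparison would use the wrong value. If `p` points at the start of the record and at least 11 bytes have been read, `v[0]=p[9]; v[1]=p[10];` would read the hello's own version instead. The layout of `p` and the number of bytes read are set up outside the visible hunks, so this needs confirming against the full function.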
+10 −6
@@ -146,6 +146,7 @@ SSL *s;
		case SSL_ST_BEFORE|SSL_ST_CONNECT:
		case SSL_ST_OK|SSL_ST_CONNECT:

			s->server=0;
			if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);

			s->version=SSL2_VERSION;
@@ -166,7 +167,7 @@ SSL *s;
			s->init_buf=buf;
			s->init_num=0;
			s->state=SSL2_ST_SEND_CLIENT_HELLO_A;
			s->ctx->sess_connect++;
			s->ctx->stats.sess_connect++;
			s->handshake_func=ssl2_connect;
			BREAK;

@@ -249,8 +250,11 @@ SSL *s;
			break;

		case SSL_ST_OK:
			if (s->init_buf != NULL)
				{
				BUF_MEM_free(s->init_buf);
				s->init_buf=NULL;
				}
			s->init_num=0;
		/*	ERR_clear_error();*/

@@ -261,11 +265,11 @@ SSL *s;
			 */

			ssl_update_cache(s,SSL_SESS_CACHE_CLIENT);
			if (s->hit) s->ctx->sess_hit++;
			if (s->hit) s->ctx->stats.sess_hit++;

			ret=1;
			/* s->server=0; */
			s->ctx->sess_connect_good++;
			s->ctx->stats.sess_connect_good++;

			if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);

@@ -538,7 +542,7 @@ SSL *s;
	if (s->state == SSL2_ST_SEND_CLIENT_MASTER_KEY_A)
		{

		if (!ssl_cipher_get_evp(s->session->cipher,&c,&md))
		if (!ssl_cipher_get_evp(s->session,&c,&md,NULL))
			{
			ssl2_return_error(s,SSL2_PE_NO_CIPHER);
			SSLerr(SSL_F_CLIENT_MASTER_KEY,SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS);
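Review bot: The new call `ssl_cipher_get_evp(s->session,&c,&md,NULL)` passes NULL for the added fourth argument with nothing to say what that argument is or that the callee accepts NULL there. Given the commit title it is presumably the compression-method out-parameter, which an SSLv2 client has no use for, but the callee is not shown on this page, so its NULL handling should be confirmed before relying on it. A one-line comment above the call would record the intent, for example `/* SSLv2 has no compression: no compression method requested */`. The enclosing function starts and ends outside the hunk.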