Commit b948e2c5 authored by Dr. Stephen Henson's avatar Dr. Stephen Henson

Update ssl library to support EVP_PKEY MAC API. Include generic MAC support.

parent 18096abb
+5 −0
@@ -4,6 +4,11 @@

 Changes between 0.9.8f and 0.9.9  [xx XXX xxxx]

  *) Update SSL library to use new EVP_PKEY MAC API. Include generic MAC
     support including streaming MAC support: this is required for GOST
     ciphersuite support.
     [Victor B. Wagner <vitus@cryptocom.ru>, Steve Henson]

  *) Add option -stream to use PKCS#7 streaming in smime utility. New
     function i2d_PKCS7_bio_stream() and PEM_write_PKCS7_bio_stream()
     to output in BER and PEM format.
+4 −4
@@ -132,8 +132,8 @@ int dtls1_enc(SSL *s, int send)

	if (send)
		{
		if (s->write_hash != NULL)
			n=EVP_MD_size(s->write_hash);
		if (EVP_MD_CTX_md(s->write_hash))
			n=EVP_MD_CTX_size(s->write_hash);
		ds=s->enc_write_ctx;
		rec= &(s->s3->wrec);
		if (s->enc_write_ctx == NULL)
@@ -154,8 +154,8 @@ int dtls1_enc(SSL *s, int send)
		}
	else
		{
		if (s->read_hash != NULL)
			n=EVP_MD_size(s->read_hash);
		if (EVP_MD_CTX_md(s->read_hash))
			n=EVP_MD_CTX_size(s->read_hash);
		ds=s->enc_read_ctx;
		rec= &(s->s3->rrec);
		if (s->enc_read_ctx == NULL)
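Review bot: Both guards in dtls1_enc now hand `s->write_hash` / `s->read_hash` straight to `EVP_MD_CTX_md()`, whereas the lines they replace compared the pointer with NULL first. Whether the accessor tolerates a NULL context is not visible on this page; if it is a plain field access, a connection whose hash context has not been allocated yet would dereference NULL on the record path. Either keep the pointer test, e.g. `if (s->write_hash != NULL && EVP_MD_CTX_md(s->write_hash))`, or add a comment at these checks stating that the contexts are always allocated before dtls1_enc runs. The same pattern appears in the `clear` test of do_dtls1_write, and dtls1_enc's body continues outside both hunks.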
+3 −3
@@ -426,7 +426,7 @@ printf("\n");

	if (!clear)
		{
		mac_size=EVP_MD_size(s->read_hash);
		mac_size=EVP_MD_CTX_size(s->read_hash);

		if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size)
			{
@@ -1335,13 +1335,13 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len,

	if (	(sess == NULL) ||
		(s->enc_write_ctx == NULL) ||
		(s->write_hash == NULL))
		(EVP_MD_CTX_md(s->write_hash) == NULL))
		clear=1;

	if (clear)
		mac_size=0;
	else
		mac_size=EVP_MD_size(s->write_hash);
		mac_size=EVP_MD_CTX_size(s->write_hash);

	/* DTLS implements explicit IV, so no need for empty fragments */
#if 0
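Review bot: `mac_size=EVP_MD_CTX_size(s->read_hash)` in the first hunk, and the matching write-side assignment in do_dtls1_write, feed the result straight into record-length arithmetic with no range check. The size now comes from whatever digest is attached to the context at that moment; if the accessor can report an error as a negative value (its definition is not on this page), the bound `SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size` and any later MAC offset computed from it would be skewed. A guard such as `if (mac_size < 0)` that takes the function's existing internal-error path right after each assignment would make the assumption explicit. Both functions begin and end outside the hunks shown.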
+1 −1
@@ -621,7 +621,7 @@ static int client_master_key(SSL *s)
	if (s->state == SSL2_ST_SEND_CLIENT_MASTER_KEY_A)
		{

		if (!ssl_cipher_get_evp(s->session,&c,&md,NULL))
		if (!ssl_cipher_get_evp(s->session,&c,&md,NULL,NULL,NULL))
			{
			ssl2_return_error(s,SSL2_PE_NO_CIPHER);
			SSLerr(SSL_F_CLIENT_MASTER_KEY,SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS);
+4 −5
@@ -68,15 +68,14 @@ int ssl2_enc_init(SSL *s, int client)
	const EVP_MD *md;
	int num;

	if (!ssl_cipher_get_evp(s->session,&c,&md,NULL))
	if (!ssl_cipher_get_evp(s->session,&c,&md,NULL,NULL,NULL))
		{
		ssl2_return_error(s,SSL2_PE_NO_CIPHER);
		SSLerr(SSL_F_SSL2_ENC_INIT,SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS);
		return(0);
		}

	s->read_hash=md;
	s->write_hash=md;
	ssl_replace_hash(&s->read_hash,md);
	ssl_replace_hash(&s->write_hash,md);

	if ((s->enc_read_ctx == NULL) &&
		((s->enc_read_ctx=(EVP_CIPHER_CTX *)
@@ -176,7 +175,7 @@ void ssl2_mac(SSL *s, unsigned char *md, int send)

	/* There has to be a MAC algorithm. */
	EVP_MD_CTX_init(&c);
	EVP_DigestInit_ex(&c, s->read_hash, NULL);
	EVP_MD_CTX_copy(&c, s->read_hash);
	EVP_DigestUpdate(&c,sec,
		EVP_CIPHER_CTX_key_length(s->enc_read_ctx));
	EVP_DigestUpdate(&c,act,len); 
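Review bot: The two `ssl_replace_hash()` calls in ssl2_enc_init discard whatever the helper reports, so a failure to set up either context would go unnoticed until ssl2_mac copies from `s->read_hash`. The helper's definition is not on this page; assuming it allocates the context and leaves the pointer NULL on failure, a check such as `if (s->read_hash == NULL || s->write_hash == NULL)` followed by the function's existing `return(0)` failure path would keep the error local. In ssl2_mac the result of `EVP_MD_CTX_copy(&c, s->read_hash)` is likewise ignored, and since that function returns void, a failed copy would produce a MAC from an unprepared context; an error path, or a comment stating why the copy cannot fail, would help. Both functions extend beyond the hunks shown.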