Loading CHANGES +4 −0 Original line number Diff line number Diff line Loading @@ -5,6 +5,10 @@ Changes between 0.9.1c and 0.9.2 *) Remarkably, export ciphers were totally broken and no-one had noticed! Fixed. [Ben Laurie] *) Cleaned up the LICENSE document: The official contact for any license questions now is the OpenSSL core team under openssl-core@openssl.org. And add a paragraph about the dual-license situation to make sure people Loading ssl/s3_lib.c +14 −3 Original line number Diff line number Diff line Loading @@ -845,11 +845,20 @@ STACK *have,*pref; sk_set_cmp_func(pref,ssl_cipher_ptr_id_cmp); #ifdef CIPHER_DEBUG printf("Have:\n"); for(i=0 ; i < sk_num(pref) ; ++i) { c=(SSL_CIPHER *)sk_value(pref,i); printf("%p:%s\n",c,c->name); } #endif for (i=0; i<sk_num(have); i++) { c=(SSL_CIPHER *)sk_value(have,i); ssl_set_cert_masks(cert,c); ssl_set_cert_masks(cert,s->ctx->default_cert,c); mask=cert->mask; emask=cert->export_mask; Loading @@ -858,14 +867,16 @@ STACK *have,*pref; { ok=((alg & emask) == alg)?1:0; #ifdef CIPHER_DEBUG printf("%d:[%08lX:%08lX]%s (export)\n",ok,alg,mask,c->name); printf("%d:[%08lX:%08lX]%p:%s (export)\n",ok,alg,emask, c,c->name); #endif } else { ok=((alg & mask) == alg)?1:0; #ifdef CIPHER_DEBUG printf("%d:[%08lX:%08lX]%s\n",ok,alg,mask,c->name); printf("%d:[%08lX:%08lX]%p:%s\n",ok,alg,mask,c, c->name); #endif } Loading ssl/s3_srvr.c +1 −1 Original line number Diff line number Diff line Loading @@ -945,7 +945,7 @@ SSL *s; if ((rsa == NULL) && (s->ctx->default_cert->rsa_tmp_cb != NULL)) { rsa=s->ctx->default_cert->rsa_tmp_cb(s, !SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); CRYPTO_add(&rsa->references,1,CRYPTO_LOCK_RSA); cert->rsa_tmp=rsa; Loading ssl/ssl_lib.c +15 −12 Original line number Diff line number Diff line Loading 
@@ -1042,7 +1042,10 @@ void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,int (*cb)(int, X509_STORE_CTX *)) X509_STORE_set_verify_cb_func(ctx->cert_store,cb); } void ssl_set_cert_masks(CERT *c,SSL_CIPHER *cipher) /* Need default_cert to check for callbacks, for now (see comment in CERT strucure) */ void ssl_set_cert_masks(CERT *c,CERT *default_cert,SSL_CIPHER *cipher) { CERT_PKEY *cpk; int rsa_enc,rsa_tmp,rsa_sign,dh_tmp,dh_rsa,dh_dsa,dsa_sign; Loading @@ -1050,20 +1053,20 @@ void ssl_set_cert_masks(CERT *c,SSL_CIPHER *cipher) int rsa_tmp_export,dh_tmp_export,kl; unsigned long mask,emask; if ((c == NULL) || (c->valid)) return; if (c == NULL) return; kl=SSL_C_EXPORT_PKEYLENGTH(cipher); #ifndef NO_RSA rsa_tmp=(c->rsa_tmp != NULL || c->rsa_tmp_cb != NULL); rsa_tmp_export=(c->rsa_tmp_cb != NULL || rsa_tmp=(c->rsa_tmp != NULL || default_cert->rsa_tmp_cb != NULL); rsa_tmp_export=(default_cert->rsa_tmp_cb != NULL || (rsa_tmp && RSA_size(c->rsa_tmp)*8 <= kl)); #else rsa_tmp=rsa_tmp_export=0; #endif #ifndef NO_DH dh_tmp=(c->dh_tmp != NULL || c->dh_tmp_cb != NULL); dh_tmp_export=(c->dh_tmp_cb != NULL || dh_tmp=(c->dh_tmp != NULL || default_cert->dh_tmp_cb != NULL); dh_tmp_export=(default_cert->dh_tmp_cb != NULL || (dh_tmp && DH_size(c->dh_tmp)*8 <= kl)); #else dh_tmp=dh_tmp_export=0; Loading @@ -1088,14 +1091,14 @@ void ssl_set_cert_masks(CERT *c,SSL_CIPHER *cipher) emask=0; #ifdef CIPHER_DEBUG printf("rt=%d dht=%d re=%d rs=%d ds=%d dhr=%d dhd=%d\n", rsa_tmp,dh_tmp, rsa_enc,rsa_sign,dsa_sign,dh_rsa,dh_dsa); printf("rt=%d rte=%d dht=%d re=%d ree=%d rs=%d ds=%d dhr=%d dhd=%d\n", rsa_tmp,rsa_tmp_export,dh_tmp, rsa_enc,rsa_enc_export,rsa_sign,dsa_sign,dh_rsa,dh_dsa); #endif if (rsa_enc || (rsa_tmp && rsa_sign)) mask|=SSL_kRSA; if (rsa_enc_export || (rsa_tmp_export && rsa_sign)) if (rsa_enc_export || (rsa_tmp_export && (rsa_sign || rsa_enc))) emask|=SSL_kRSA; #if 0 Loading Loading 
@@ -1150,7 +1153,7 @@ X509 *ssl_get_server_send_cert(SSL *s) int i,export; c=s->cert; ssl_set_cert_masks(c,s->s3->tmp.new_cipher); ssl_set_cert_masks(c,s->ctx->default_cert,s->s3->tmp.new_cipher); alg=s->s3->tmp.new_cipher->algorithms; export=SSL_IS_EXPORT(alg); mask=export?c->export_mask:c->mask; Loading ssl/ssl_locl.h +5 −1 Original line number Diff line number Diff line Loading @@ -275,6 +275,10 @@ typedef struct cert_st RSA *rsa_tmp; DH *dh_tmp; /* FIXME: Although rsa_tmp and dh_tmp are properties of the cert, callbacks probably aren't, and besides only the context default cert's callbacks are actually used. Too close to a release to fix this now - Ben 6 Mar 1999 */ RSA *(*rsa_tmp_cb)(SSL *ssl,int export,int keysize); DH *(*dh_tmp_cb)(SSL *ssl,int export,int keysize); CERT_PKEY pkeys[SSL_PKEY_NUM]; Loading Loading @@ -367,7 +371,7 @@ int ssl_undefined_function(SSL *s); X509 *ssl_get_server_send_cert(SSL *); EVP_PKEY *ssl_get_sign_pkey(SSL *,SSL_CIPHER *); int ssl_cert_type(X509 *x,EVP_PKEY *pkey); void ssl_set_cert_masks(CERT *c,SSL_CIPHER *cipher); void ssl_set_cert_masks(CERT *c,CERT *default_cert,SSL_CIPHER *cipher); STACK *ssl_get_ciphers_by_id(SSL *s); int ssl_verify_alarm_type(long type); Loading Loading
CHANGES +4 −0 Original line number Diff line number Diff line Loading @@ -5,6 +5,10 @@ Changes between 0.9.1c and 0.9.2 *) Remarkably, export ciphers were totally broken and no-one had noticed! Fixed. [Ben Laurie] *) Cleaned up the LICENSE document: The official contact for any license questions now is the OpenSSL core team under openssl-core@openssl.org. And add a paragraph about the dual-license situation to make sure people Loading
ssl/s3_lib.c +14 −3 Original line number Diff line number Diff line Loading @@ -845,11 +845,20 @@ STACK *have,*pref; sk_set_cmp_func(pref,ssl_cipher_ptr_id_cmp); #ifdef CIPHER_DEBUG printf("Have:\n"); for(i=0 ; i < sk_num(pref) ; ++i) { c=(SSL_CIPHER *)sk_value(pref,i); printf("%p:%s\n",c,c->name); } #endif for (i=0; i<sk_num(have); i++) { c=(SSL_CIPHER *)sk_value(have,i); ssl_set_cert_masks(cert,c); ssl_set_cert_masks(cert,s->ctx->default_cert,c); mask=cert->mask; emask=cert->export_mask; Loading @@ -858,14 +867,16 @@ STACK *have,*pref; { ok=((alg & emask) == alg)?1:0; #ifdef CIPHER_DEBUG printf("%d:[%08lX:%08lX]%s (export)\n",ok,alg,mask,c->name); printf("%d:[%08lX:%08lX]%p:%s (export)\n",ok,alg,emask, c,c->name); #endif } else { ok=((alg & mask) == alg)?1:0; #ifdef CIPHER_DEBUG printf("%d:[%08lX:%08lX]%s\n",ok,alg,mask,c->name); printf("%d:[%08lX:%08lX]%p:%s\n",ok,alg,mask,c, c->name); #endif } Loading
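Review bot: The new CIPHER_DEBUG block prints the heading `Have:` but the loop that follows walks `pref` (`for(i=0 ; i < sk_num(pref) ; ++i)`), so the debug listing is mislabelled; either change the heading to `printf("Pref:\n");` or iterate `have` if that was the intent. The export-branch printf in the second hunk now prints `emask` where it used to print `mask`, which corrects the mismatch between the label and the value being tested. The `ssl_set_cert_masks(cert,s->ctx->default_cert,c);` call dereferences `s->ctx->default_cert` without a check; that is presumably safe if every context carries a default cert, but nothing in the hunk establishes it. The enclosing function (its K&R parameter list `STACK *have,*pref` is the hunk context) starts before and ends after these hunks.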
ssl/s3_srvr.c +1 −1 Original line number Diff line number Diff line Loading @@ -945,7 +945,7 @@ SSL *s; if ((rsa == NULL) && (s->ctx->default_cert->rsa_tmp_cb != NULL)) { rsa=s->ctx->default_cert->rsa_tmp_cb(s, !SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); CRYPTO_add(&rsa->references,1,CRYPTO_LOCK_RSA); cert->rsa_tmp=rsa; Loading
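Review bot: The pointer returned by `rsa_tmp_cb` is dereferenced on the next line (`CRYPTO_add(&rsa->references,1,CRYPTO_LOCK_RSA);`) without a NULL check, so a callback that fails to produce a temporary key crashes the server instead of failing the handshake. A guard such as `if (rsa == NULL) goto err;` (using whatever failure path this function already has; it starts and ends outside the hunk) should precede the `CRYPTO_add`. The export flag passed to the callback is now the cipher's export status rather than its inverse; since the previous release passed the opposite value, the callback type in ssl_locl.h should document that `export` is 1 for export ciphers.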
ssl/ssl_lib.c +15 −12 Original line number Diff line number Diff line Loading @@ -1042,7 +1042,10 @@ void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,int (*cb)(int, X509_STORE_CTX *)) X509_STORE_set_verify_cb_func(ctx->cert_store,cb); } void ssl_set_cert_masks(CERT *c,SSL_CIPHER *cipher) /* Need default_cert to check for callbacks, for now (see comment in CERT strucure) */ void ssl_set_cert_masks(CERT *c,CERT *default_cert,SSL_CIPHER *cipher) { CERT_PKEY *cpk; int rsa_enc,rsa_tmp,rsa_sign,dh_tmp,dh_rsa,dh_dsa,dsa_sign; Loading @@ -1050,20 +1053,20 @@ void ssl_set_cert_masks(CERT *c,SSL_CIPHER *cipher) int rsa_tmp_export,dh_tmp_export,kl; unsigned long mask,emask; if ((c == NULL) || (c->valid)) return; if (c == NULL) return; kl=SSL_C_EXPORT_PKEYLENGTH(cipher); #ifndef NO_RSA rsa_tmp=(c->rsa_tmp != NULL || c->rsa_tmp_cb != NULL); rsa_tmp_export=(c->rsa_tmp_cb != NULL || rsa_tmp=(c->rsa_tmp != NULL || default_cert->rsa_tmp_cb != NULL); rsa_tmp_export=(default_cert->rsa_tmp_cb != NULL || (rsa_tmp && RSA_size(c->rsa_tmp)*8 <= kl)); #else rsa_tmp=rsa_tmp_export=0; #endif #ifndef NO_DH dh_tmp=(c->dh_tmp != NULL || c->dh_tmp_cb != NULL); dh_tmp_export=(c->dh_tmp_cb != NULL || dh_tmp=(c->dh_tmp != NULL || default_cert->dh_tmp_cb != NULL); dh_tmp_export=(default_cert->dh_tmp_cb != NULL || (dh_tmp && DH_size(c->dh_tmp)*8 <= kl)); #else dh_tmp=dh_tmp_export=0; Loading @@ -1088,14 +1091,14 @@ void ssl_set_cert_masks(CERT *c,SSL_CIPHER *cipher) emask=0; #ifdef CIPHER_DEBUG printf("rt=%d dht=%d re=%d rs=%d ds=%d dhr=%d dhd=%d\n", rsa_tmp,dh_tmp, rsa_enc,rsa_sign,dsa_sign,dh_rsa,dh_dsa); printf("rt=%d rte=%d dht=%d re=%d ree=%d rs=%d ds=%d dhr=%d dhd=%d\n", rsa_tmp,rsa_tmp_export,dh_tmp, rsa_enc,rsa_enc_export,rsa_sign,dsa_sign,dh_rsa,dh_dsa); #endif if (rsa_enc || (rsa_tmp && rsa_sign)) mask|=SSL_kRSA; if (rsa_enc_export || (rsa_tmp_export && rsa_sign)) if (rsa_enc_export || (rsa_tmp_export && (rsa_sign || rsa_enc))) emask|=SSL_kRSA; #if 0 Loading Loading 
@@ -1150,7 +1153,7 @@ X509 *ssl_get_server_send_cert(SSL *s) int i,export; c=s->cert; ssl_set_cert_masks(c,s->s3->tmp.new_cipher); ssl_set_cert_masks(c,s->ctx->default_cert,s->s3->tmp.new_cipher); alg=s->s3->tmp.new_cipher->algorithms; export=SSL_IS_EXPORT(alg); mask=export?c->export_mask:c->mask; Loading
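Review bot: `ssl_set_cert_masks` still returns early when `c == NULL` but unconditionally dereferences the new `default_cert` parameter (`default_cert->rsa_tmp_cb`, `default_cert->dh_tmp_cb`), so the guard on the first hunk should cover both: `if ((c == NULL) || (default_cert == NULL)) return;`. Removing the `c->valid` short-circuit makes the masks recompute on every call, which the export fix needs because `kl` depends on the cipher passed in; the new header comment should state that, e.g. `/* Masks depend on the cipher's export key length, so they are recomputed on every call */`, and its `strucure` should read `structure`. Both callers in this commit (the one in ssl/s3_lib.c and `ssl_get_server_send_cert` in the last hunk) pass `s->ctx->default_cert` without checking it either, so the guard inside the function is the cheapest single place to cover them. The function body continues outside the first three hunks.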
ssl/ssl_locl.h +5 −1 Original line number Diff line number Diff line Loading @@ -275,6 +275,10 @@ typedef struct cert_st RSA *rsa_tmp; DH *dh_tmp; /* FIXME: Although rsa_tmp and dh_tmp are properties of the cert, callbacks probably aren't, and besides only the context default cert's callbacks are actually used. Too close to a release to fix this now - Ben 6 Mar 1999 */ RSA *(*rsa_tmp_cb)(SSL *ssl,int export,int keysize); DH *(*dh_tmp_cb)(SSL *ssl,int export,int keysize); CERT_PKEY pkeys[SSL_PKEY_NUM]; Loading Loading @@ -367,7 +371,7 @@ int ssl_undefined_function(SSL *s); X509 *ssl_get_server_send_cert(SSL *); EVP_PKEY *ssl_get_sign_pkey(SSL *,SSL_CIPHER *); int ssl_cert_type(X509 *x,EVP_PKEY *pkey); void ssl_set_cert_masks(CERT *c,SSL_CIPHER *cipher); void ssl_set_cert_masks(CERT *c,CERT *default_cert,SSL_CIPHER *cipher); STACK *ssl_get_ciphers_by_id(SSL *s); int ssl_verify_alarm_type(long type); Loading
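Review bot: The changed prototype `void ssl_set_cert_masks(CERT *c,CERT *default_cert,SSL_CIPHER *cipher);` does not document that `default_cert` must be non-NULL and that only its `rsa_tmp_cb`/`dh_tmp_cb` are consulted, which is what the ssl_lib.c implementation in this commit does; a one-line comment above it such as `/* default_cert: the context's default cert; only its rsa_tmp_cb/dh_tmp_cb are consulted, must not be NULL */` would make the contract visible to callers. The FIXME on `cert_st` explains the design debt well; it could additionally note that the `export` argument of `rsa_tmp_cb` and `dh_tmp_cb` is 1 for export ciphers, since ssl/s3_srvr.c in this same commit flips the value it passes.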