Skip to content

T
Third Party Openssl

OpenHarmony / Third Party Openssl
9 个月 前同步成功

通知 8
Star 18
Fork 1
T
Third Party Openssl

前往新版Gitcode,体验更适合开发者的 AI 搜索 >>

提交 f415fa32 编写于 作者: B Ben Laurie
浏览文件
操作

Fix export ciphersuites, again.

上级 dfca822f
隐藏空白更改
内联 并排
Showing with 39 addition and 17 deletion
CHANGES
浏览文件 @ f415fa32
...@@ -5,6 +5,10 @@ ...@@ -5,6 +5,10 @@
Changes between 0.9.1c and 0.9.2 Changes between 0.9.1c and 0.9.2
*) Remarkably, export ciphers were totally broken and no-one had noticed!
Fixed.
[Ben Laurie]
*) Cleaned up the LICENSE document: The official contact for any license *) Cleaned up the LICENSE document: The official contact for any license
questions now is the OpenSSL core team under openssl-core@openssl.org. questions now is the OpenSSL core team under openssl-core@openssl.org.
And add a paragraph about the dual-license situation to make sure people And add a paragraph about the dual-license situation to make sure people
......
ssl/s3_lib.c
浏览文件 @ f415fa32
...@@ -845,11 +845,20 @@ STACK *have,*pref; ...@@ -845,11 +845,20 @@ STACK *have,*pref;
sk_set_cmp_func(pref,ssl_cipher_ptr_id_cmp); sk_set_cmp_func(pref,ssl_cipher_ptr_id_cmp);
#ifdef CIPHER_DEBUG
printf("Have:\n");
for(i=0 ; i < sk_num(pref) ; ++i)
{
c=(SSL_CIPHER *)sk_value(pref,i);
printf("%p:%s\n",c,c->name);
}
#endif
for (i=0; i<sk_num(have); i++) for (i=0; i<sk_num(have); i++)
{ {
c=(SSL_CIPHER *)sk_value(have,i); c=(SSL_CIPHER *)sk_value(have,i);
ssl_set_cert_masks(cert,c); ssl_set_cert_masks(cert,s->ctx->default_cert,c);
mask=cert->mask; mask=cert->mask;
emask=cert->export_mask; emask=cert->export_mask;
...@@ -858,14 +867,16 @@ STACK *have,*pref; ...@@ -858,14 +867,16 @@ STACK *have,*pref;
{ {
ok=((alg & emask) == alg)?1:0; ok=((alg & emask) == alg)?1:0;
#ifdef CIPHER_DEBUG #ifdef CIPHER_DEBUG
printf("%d:[%08lX:%08lX]%s (export)\n",ok,alg,mask,c->name); printf("%d:[%08lX:%08lX]%p:%s (export)\n",ok,alg,emask,
c,c->name);
#endif #endif
} }
else else
{ {
ok=((alg & mask) == alg)?1:0; ok=((alg & mask) == alg)?1:0;
#ifdef CIPHER_DEBUG #ifdef CIPHER_DEBUG
printf("%d:[%08lX:%08lX]%s\n",ok,alg,mask,c->name); printf("%d:[%08lX:%08lX]%p:%s\n",ok,alg,mask,c,
c->name);
#endif #endif
} }
......
ssl/s3_srvr.c
浏览文件 @ f415fa32
...@@ -945,7 +945,7 @@ SSL *s; ...@@ -945,7 +945,7 @@ SSL *s;
if ((rsa == NULL) && (s->ctx->default_cert->rsa_tmp_cb != NULL)) if ((rsa == NULL) && (s->ctx->default_cert->rsa_tmp_cb != NULL))
{ {
rsa=s->ctx->default_cert->rsa_tmp_cb(s, rsa=s->ctx->default_cert->rsa_tmp_cb(s,
!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
CRYPTO_add(&rsa->references,1,CRYPTO_LOCK_RSA); CRYPTO_add(&rsa->references,1,CRYPTO_LOCK_RSA);
cert->rsa_tmp=rsa; cert->rsa_tmp=rsa;
......
ssl/ssl_lib.c
浏览文件 @ f415fa32
...@@ -181,7 +181,7 @@ SSL *SSL_new(SSL_CTX *ctx) ...@@ -181,7 +181,7 @@ SSL *SSL_new(SSL_CTX *ctx)
if (ctx->default_cert != NULL) if (ctx->default_cert != NULL)
{ {
CRYPTO_add(&ctx->default_cert->references,1, CRYPTO_add(&ctx->default_cert->references,1,
CRYPTO_LOCK_SSL_CERT); CRYPTO_LOCK_SSL_CERT);
s->cert=ctx->default_cert; s->cert=ctx->default_cert;
} }
else else
...@@ -1042,7 +1042,10 @@ void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,int (*cb)(int, X509_STORE_CTX *)) ...@@ -1042,7 +1042,10 @@ void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,int (*cb)(int, X509_STORE_CTX *))
X509_STORE_set_verify_cb_func(ctx->cert_store,cb); X509_STORE_set_verify_cb_func(ctx->cert_store,cb);
} }
void ssl_set_cert_masks(CERT *c,SSL_CIPHER *cipher) /* Need default_cert to check for callbacks, for now (see comment in CERT
strucure)
*/
void ssl_set_cert_masks(CERT *c,CERT *default_cert,SSL_CIPHER *cipher)
{ {
CERT_PKEY *cpk; CERT_PKEY *cpk;
int rsa_enc,rsa_tmp,rsa_sign,dh_tmp,dh_rsa,dh_dsa,dsa_sign; int rsa_enc,rsa_tmp,rsa_sign,dh_tmp,dh_rsa,dh_dsa,dsa_sign;
...@@ -1050,20 +1053,20 @@ void ssl_set_cert_masks(CERT *c,SSL_CIPHER *cipher) ...@@ -1050,20 +1053,20 @@ void ssl_set_cert_masks(CERT *c,SSL_CIPHER *cipher)
int rsa_tmp_export,dh_tmp_export,kl; int rsa_tmp_export,dh_tmp_export,kl;
unsigned long mask,emask; unsigned long mask,emask;
if ((c == NULL) || (c->valid)) return; if (c == NULL) return;
kl=SSL_C_EXPORT_PKEYLENGTH(cipher); kl=SSL_C_EXPORT_PKEYLENGTH(cipher);
#ifndef NO_RSA #ifndef NO_RSA
rsa_tmp=(c->rsa_tmp != NULL || c->rsa_tmp_cb != NULL); rsa_tmp=(c->rsa_tmp != NULL || default_cert->rsa_tmp_cb != NULL);
rsa_tmp_export=(c->rsa_tmp_cb != NULL || rsa_tmp_export=(default_cert->rsa_tmp_cb != NULL ||
(rsa_tmp && RSA_size(c->rsa_tmp)*8 <= kl)); (rsa_tmp && RSA_size(c->rsa_tmp)*8 <= kl));
#else #else
rsa_tmp=rsa_tmp_export=0; rsa_tmp=rsa_tmp_export=0;
#endif #endif
#ifndef NO_DH #ifndef NO_DH
dh_tmp=(c->dh_tmp != NULL || c->dh_tmp_cb != NULL); dh_tmp=(c->dh_tmp != NULL || default_cert->dh_tmp_cb != NULL);
dh_tmp_export=(c->dh_tmp_cb != NULL || dh_tmp_export=(default_cert->dh_tmp_cb != NULL ||
(dh_tmp && DH_size(c->dh_tmp)*8 <= kl)); (dh_tmp && DH_size(c->dh_tmp)*8 <= kl));
#else #else
dh_tmp=dh_tmp_export=0; dh_tmp=dh_tmp_export=0;
...@@ -1088,14 +1091,14 @@ void ssl_set_cert_masks(CERT *c,SSL_CIPHER *cipher) ...@@ -1088,14 +1091,14 @@ void ssl_set_cert_masks(CERT *c,SSL_CIPHER *cipher)
emask=0; emask=0;
#ifdef CIPHER_DEBUG #ifdef CIPHER_DEBUG
printf("rt=%d dht=%d re=%d rs=%d ds=%d dhr=%d dhd=%d\n", printf("rt=%d rte=%d dht=%d re=%d ree=%d rs=%d ds=%d dhr=%d dhd=%d\n",
rsa_tmp,dh_tmp, rsa_tmp,rsa_tmp_export,dh_tmp,
rsa_enc,rsa_sign,dsa_sign,dh_rsa,dh_dsa); rsa_enc,rsa_enc_export,rsa_sign,dsa_sign,dh_rsa,dh_dsa);
#endif #endif
if (rsa_enc || (rsa_tmp && rsa_sign)) if (rsa_enc || (rsa_tmp && rsa_sign))
mask|=SSL_kRSA; mask|=SSL_kRSA;
if (rsa_enc_export || (rsa_tmp_export && rsa_sign)) if (rsa_enc_export || (rsa_tmp_export && (rsa_sign || rsa_enc)))
emask|=SSL_kRSA; emask|=SSL_kRSA;
#if 0 #if 0
...@@ -1150,7 +1153,7 @@ X509 *ssl_get_server_send_cert(SSL *s) ...@@ -1150,7 +1153,7 @@ X509 *ssl_get_server_send_cert(SSL *s)
int i,export; int i,export;
c=s->cert; c=s->cert;
ssl_set_cert_masks(c,s->s3->tmp.new_cipher); ssl_set_cert_masks(c,s->ctx->default_cert,s->s3->tmp.new_cipher);
alg=s->s3->tmp.new_cipher->algorithms; alg=s->s3->tmp.new_cipher->algorithms;
export=SSL_IS_EXPORT(alg); export=SSL_IS_EXPORT(alg);
mask=export?c->export_mask:c->mask; mask=export?c->export_mask:c->mask;
......
ssl/ssl_locl.h
浏览文件 @ f415fa32
...@@ -275,6 +275,10 @@ typedef struct cert_st ...@@ -275,6 +275,10 @@ typedef struct cert_st
RSA *rsa_tmp; RSA *rsa_tmp;
DH *dh_tmp; DH *dh_tmp;
/* FIXME: Although rsa_tmp and dh_tmp are properties of the cert,
callbacks probably aren't, and besides only the context default
cert's callbacks are actually used. Too close to a release to fix
this now - Ben 6 Mar 1999 */
RSA *(*rsa_tmp_cb)(SSL *ssl,int export,int keysize); RSA *(*rsa_tmp_cb)(SSL *ssl,int export,int keysize);
DH *(*dh_tmp_cb)(SSL *ssl,int export,int keysize); DH *(*dh_tmp_cb)(SSL *ssl,int export,int keysize);
CERT_PKEY pkeys[SSL_PKEY_NUM]; CERT_PKEY pkeys[SSL_PKEY_NUM];
...@@ -367,7 +371,7 @@ int ssl_undefined_function(SSL *s); ...@@ -367,7 +371,7 @@ int ssl_undefined_function(SSL *s);
X509 *ssl_get_server_send_cert(SSL *); X509 *ssl_get_server_send_cert(SSL *);
EVP_PKEY *ssl_get_sign_pkey(SSL *,SSL_CIPHER *); EVP_PKEY *ssl_get_sign_pkey(SSL *,SSL_CIPHER *);
int ssl_cert_type(X509 *x,EVP_PKEY *pkey); int ssl_cert_type(X509 *x,EVP_PKEY *pkey);
void ssl_set_cert_masks(CERT *c,SSL_CIPHER *cipher); void ssl_set_cert_masks(CERT *c,CERT *default_cert,SSL_CIPHER *cipher);
STACK *ssl_get_ciphers_by_id(SSL *s); STACK *ssl_get_ciphers_by_id(SSL *s);
int ssl_verify_alarm_type(long type); int ssl_verify_alarm_type(long type);
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册